SF21VEU - 04 Automate your Analysis: tshark, the Swiss army knife (André Luyer)

Captions
Okay, welcome everybody to this session about how to automate your analysis using tshark. If you've got questions you can put them in the Q&A and, depending on the time, I will answer them in between or afterwards. My name is André Luyer. I'm doing this session today from my home in the Netherlands. Over the years I've done a lot of troubleshooting using Wireshark, and before that using Ethereal, and before that even Sniffer Pro, yes, I'm that old. I'm also a trainer; I run an in-house Wireshark bootcamp course, and I'm involved in DDoS testing, so being the red team basically, using all kinds of tools. If you want to contact me you can find me on Twitter, you can find me on LinkedIn, and if you want to send me an email you can look it up in Wireshark under Help > About > Authors. Okay, that's it.

So back to the basic question: why should you automate your analysis, or why would you? Well, in my case, when you do a lot of troubleshooting you get a lot of similar questions, for instance you get the question "has it been solved now, yes or no?", and then you do the same analysis again, and then it becomes easier to make some scripts to do the same analysis over and over again. That's actually how it started with me: I started with handy scripts and that ended up in a complete tool that users can use for their reporting. You can also use it to scan for issues and anomalies, for instance: is the encryption version used outdated, is it safe? Especially with security issues, what's safe today may be unsafe tomorrow, so that's a moving target basically. You can also trigger on certificates that are about to expire. Another thing is using statistics more, looking for trends and performance issues; for instance you can look at application turns, you can look if the overhead is too large, or something like that. And it can be part of a CI pipeline, I see that more often nowadays. Okay, so what we're talking about is network knowledge plus coding skills, so that's today's story.

But first let's start at the beginning. I can show you how to use tshark, like this. I use the option -r to read from a file, we can use the option -Y to enter a display filter like tls, and I use the option -c here to limit the output. What you can see now, let's make it a bit bigger, what you can see is that the output is limited. And you can do exactly the same in Wireshark, by the way, by changing tshark into wireshark. It should open now, and as you can see it's about the same; there are a few differences, but you can see the same headers here as used over here. What you also see, let's go back, is that the output is a bit different: here it is in relative time, here it is in absolute time. That's because of the settings. You can change that by adding the option -t for the time format and say you want to see it in absolute time; now it will display time in the same way as in Wireshark. So Wireshark and tshark share the same basis, the same core, the same dissecting. I can show you that using a terminal here, just a moment. If you change the layout here, like this, and you run tshark again, you'll see that it also has changed: you see it here and there also. So when you automate things you may be getting different outputs, and that may be something you don't want to have. The reason is that it is using the default profile. There are a few ways to cover that: you can either change the profile so that you don't change the output of tshark, or you can add to tshark the option -C and provide another profile name. What you see here is that Wireshark is designed for manual analysis and tshark also, using the same engine underneath.

So what you see is that if you run tshark on, let's say, a demo file, and you want to write it to another file and do some filtering on an address, and run it for a while, so when you run it like this, sorry, a typo, there goes my demo, I have to do it on a big file, and we'll see what happens. You'll see now that it is consuming one core, you can see here, now you can see it's using up one core, because it's dissecting using a single thread, the same way as Wireshark, and you also see the memory going up quite a lot. That's the way it's designed: it's designed, as was said this morning, to analyze relatively small files. If you're doing big files it takes more time. I've broken it off. So if you change it, for instance, and change the display filter into a capture filter, you'll see it runs a lot faster, because a capture filter works on a packet by packet basis. It's going a bit fast here; let's leave it like that.

Okay, so there are a lot of things you can do with tshark out of the box. You can also add options on the command line; you can do that with Wireshark also, and as you can see Wireshark will save the configuration but tshark does not, so that's a big difference. To avoid different settings in your analysis you can use either a different profile or a different system. That's what I do: I usually run my analysis on a separate Linux server and do my manual work on a workstation; a Linux server is faster anyway. So that's next. If you can open this Mentimeter, then I can figure out what systems you are using; I would like to know. Tali, can you share the link in the chat? (Yes, it's shared.) Okay, thank you. Let's see. At the moment the majority is Windows; let's run it for a while. I'm also doing this presentation on Windows, so that should be okay. In the meantime, any questions? (So far not yet.) Okay, it's also the beginning, so I would be surprised if there were. Okay, so the majority here is Windows, 25 Linux, that's more than expected actually, and the rest using macOS. Okay, let's continue, move this away. Thank you for sharing your results.

So next to tshark there are a lot of command line tools which get installed when you install Wireshark, and when I do my training sessions I notice that a lot of people do know Wireshark but don't know that there are these command line tools. Let's go over them. Let's go to the directory where it's installed, like this; it's installed in Program Files, directly in Wireshark. You see that next to the executables, let's zoom in, there's also an HTML file. So here you see tshark, text2pcap, reordercap, and so on, a lot of tools in the directory where Wireshark is installed, and if you add this directory to your path you can use them directly. I believe it works out of the box for Linux and I think also for macOS, but I'm not quite sure about that. If you go over the tools, let's sort it by type, just a moment: you've got capinfos; this is basically the same information you get if you use the information in that tab in Wireshark, just like this. Then you can see the output is basically the same. Oh, by the way, you can also shorten the output; let's say we only want to see the beginning and the end, and then you get only the selected information, and you can use that to rename the files or whatever. Also in there is a tool called dumpcap; that's the one that does the actual capturing. So if you click on capture in Wireshark, or use tshark for capturing, it actually calls dumpcap for the actual capturing. Well, for one second that's okay, but if you're working on the command line anyway, when using tshark, it's probably a better idea to call dumpcap directly. Also if you want to do long running captures, that's the better way to do that.

The capturing tools use the capture filter, and the capture filter is sent to the driver for the actual capturing, and we can use the display filter or the read filter. Oh yeah, I can show the read filter, by the way; you probably have noticed it before: go to Wireshark, say Open, and here is a read filter. I think that is one of the least used features of Wireshark, but in case of tshark it could be useful. That means that you're filtering up front. I can quickly do a different demo for that. So here we do the display filter, which is applied after reading the file, and you can change that into a read filter. If we do that you get an error, because that has to do two passes, so if you add -2 to it, like this, you can now see it outputs 20 packets instead of the four before. Oh, what happened, I lost control, let's do it again. So if you use only this one, you see that it only outputs four, and if I change it to the read filter it will actually change this to 20, because when you use the read filter the packets get renumbered. So if you want to output only exactly one you can do that by changing this to one, and it will only output one regardless of the position in the file, or none if it's not present, of course.

Another thing that might be handy to know is that there are other tools, and one is called editcap. You can use that to take a time frame out of your capture, or to split it, or to snap packets, or to convert to another format, or de-duplicate, and since version 3.0 you can also use it to insert your SSL key log file information. That one is quite handy, by the way, because then you can just share one file containing the secrets, so you can read the contents straight away. You can split the files and you can merge them. There's also a tool called rawshark, which is a bit strange; it's used for reading from pipelines, I've never used that one. We've got reordercap and a tool called text2pcap, so you can convert a text dump into a pcap file if you want to.

Okay, so by default for Windows users, let's see what the score is now, still 60 Windows users online here, when you use the installer the path is not set by the installer. In other words, if you go to the command line it doesn't work; you cannot enter tshark or any of the other tools to start it up. There are two ways to handle this: you can either set it in the command prompt, or for PowerShell you can use this one to set it temporarily, so you can just use it on the command line, and you can set it in the Control Panel on a permanent basis. As always you can also use the full path, but since the directory Program Files contains a space you have to quote it, otherwise it won't work. If you do that, and I've done it here on my machine, then you can run it from the command line. Also the help files are there, and Windows has a nice feature that if you enter the help file name it will open it up in a different window, just a moment, there it is, it'll open your help file and you can read it offline, which is quite handy. This also works from the Start menu, by the way. This is what I find more useful and handier than using the manual page; as you can see here it's exactly the same information, but I prefer the browser output because it's a bit more readable. By the way, on a Linux system you can do that also: tshark.html, just a moment, and there it is, and just launch a browser with this one, oh, it took a while, sorry. As you can see that's exactly the same information; it's also the same information you can see online on wireshark.org/docs I believe. Well, I prefer this way because now you can have it in a separate window next to your command window or terminal window where you do your stuff, so that's a nice feature. Let's move this out of the way.

Okay, tshark has a lot of possible outputs; I will show you a few. This one you already saw, and this is basically the default, the print mode; so if you use the option -P it will show the same thing, and if you compare this to Wireshark, the print output is the same as the packet list pane in Wireshark. You can also use the -V option, and if you do that it will output the same information as here in the packet details pane, with all expanders opened. If you use the -V option, well, that's usually a bit too much, but you can also trim it down and say -O for output only, and let's say tls; then it only outputs the TLS data for that file. So those are some ways to control what's being output. And if you add the -x option for a hex dump, there you go, then it will also output the hex dump pane, which is this one. But if you go here, I want to open another one, that's better, in here you can see that it's also outputting the hex dump of decrypted and decompressed data; if you use the -x option that will be shown here also, as three sections. Another nice feature of Wireshark: here, in Wireshark, you have all kinds of statistics, and you can do that also in tshark. For example you can use -z io,stat; zero here means the interval of zero, in other words I want the data of the whole file; you can select the columns you want to see, and you can specify which display filter should be used and then what you want to do, in this case count or average or whatever. You can see what the possibilities are of course in the online help, somewhere down here, a lot of options; you can see the -z option here, that's what you're looking for. As you can see there's a lot of options: you've got count, you've got sum, minimum, maximum, average, or load, and you have to supply the field to apply this calculation on and the display filter to select. So most of the time you will simply have to repeat the field and the filter name to do the statistics on that one.

Okay, next we also have an option called -T, and that allows you to get different outputs, for instance in JSON format. Let's do that; let's make it a read filter. As you now can see it's one big JSON; it's actually outputting one line per packet, which is nice for many tools. You don't have to add spaces. You can do that also: if you use the json option then you'll see the same information in JSON, now what they call pretty-printed with spaces, and you can see here the name and the value, for example. But if you say I want jsonraw then it will exclude the names of the fields; as you can see you now get the shortened version. I can also output XML; well, that's just more of the same for me. We already saw the text version, that's the default setting, and you can also change it to tabs; now it's here separated by spaces, one or more spaces, and if you use tabs it's a bit easier to process. You've got the ps option to output in PostScript format, and if you output PostScript you can convert it to a PDF. And we have the fields option, and if you use the fields option then you have to specify what you want to see, let's say the frame number for example, let's do it like that, and you can see it now outputs only one thing. Of course you cannot remember off the top of your head what the fields are called, because there are over 200 000 fields in Wireshark, but there's an easy trick. So let's say you want this field; you can copy the field name, can you see that field name here, here it is, but for visibility I will do Prepare as Filter, Selected, and now you can see at the top the name you should use if you want to print that field. So that's, especially if you've just started, the easiest way to get some output. And there are some special ones; they're called _ws, let's say _ws.col.Info; this Info has to be spelled with a capital I. If I repeat it here then it will use that one also; oops, of course, I see, apparently I didn't type it; and now you can see it outputs the Info column only. So this way you can control the output, and this is handy for post processing the output of tshark in your own automation tools.

Okay, and there are many more options. You can also go back here and control the fields; let's say to show the IPv6 address, okay, a different one, sorry. Now you can see here there's a comma in between, and that means that there are two fields that conform to this filter, and this is of course the source and destination address. If you don't want them comma-separated you can specify that by using the -E option and say separator, let's say a semicolon, typo, and now you can see the columns are separated by a semicolon. You can also change this one, and you can say if you want to have a header in the output; header, quote, etcetera, all the exact settings you can find in the help file. Let's leave it like that. Okay, I showed you the fields option, and there is some issue with that because it's not related to, how do you say it, there's no hierarchy, so I'll show you live what I mean. So let's go over this command line: we open the file, and we want to output only the TLS layer, and do it with a read filter, handshake type 11 is the certificate; this means I want to output the TLS information and I want only the first certificate. Let's grep it for four lines or so. So what you now see is two fields which have the same subfields; there it is, there are two types in that field that can be used there. So you can also have a generalized type; so if you supply the -T fields this is what I showed you: the generalized type has a different field name than the UTC time. UTC time is specified from 1950 to 2049, so anything outside that uses the generalized type. But if you use the fields option for that you won't be able to tell which is the "not before" and which is the "not after", because they can be mixed in the output; there's no hierarchy when you output that field. Something to remember if you want to use that one.

Okay, well, let's go for a practical example: let's generate the hosts file from the pcap file itself, because reverse lookups may not provide useful information anymore, either because the website is, how to say, hosted in the cloud, so when you do a reverse lookup you get a very strange name, or dynamic DNS is used and the names have been changed between the time you captured it and the time you started analyzing, or, from the old days, multiple websites hosted on one server, one IP address. So what can we do? We can get the names out of the pcap file itself and generate our hosts file. Let's do that. Let me first show you how you can get them; oops, I want to just use this one, so you can have the output here; let's filter on http.host. You can find that filter in your files; let's show it in Wireshark using the same file: if you go to an HTTP GET, here is the host field. This entry combined with the destination address, it's an IPv6 address by the way, if you combine these two then you get an entry you can use in your hosts file. You can use that for HTTP, and you can also use it for the TLS layer: in the Client Hello, here you can see a server name; prepare it as a filter, there you can see it also. You can use the server name and then the filter to lift that one up. If you continue, you can output this information like this, and you can see the two names output here: one is captured from the HTTP request and one is captured from the TLS Client Hello. You can use the sort command with the option -u for unique to de-duplicate and -i to ignore spaces, and then you get only two entries, which you can then add to tshark using the -H option. So if you store this one, then you can use that in tshark to import that hosts file, like this, and now it will use that name wherever it finds it. Another way to do it is you can store it in a new file; then we have to use the option -W n, for network, and it will create a new file containing these hosts in that file, and if you then open it up in Wireshark you will see that it uses these hosts here, as you can see. There are a few more protocols that can do that: you can also do it for QUIC, you can also do it for DHCP; for all of these the client side will send the name it thinks it's talking to. To limit the output so that you don't get blank lines, or rather lines with only tabs, because if the field is not present it will not fill it but it will still get separated by tabs, we use the display filter here by default. And then you can output it as I showed you, reopen it and store it in a pcap file like I showed you.

Okay, let's go for a more practical example; I have to speed up actually. For analysis it is usually best to have a complete TCP session, so in case of a protocol that uses TCP, which is most of them, you want to filter out all incomplete streams, which are typically at the beginning or the end of the capture. Now let's start simple: let's start with only the start of the session, the TCP stream, and you want to filter out any streams which have no SYN packet. The way you can do that is you output the tcp.stream and filter it on the SYN flag set, and use that output as input for the next tshark to create a new file. Let's go over that one. Let's do it simple first, just copy-paste it to speed it up a bit. Like this: you've got a file, it's got three streams that contain SYN packets, and here you see two, one for the SYN and one for the SYN-ACK. Let's show you the source: as you can see here you've got the SYN and the SYN-ACK, and that's a bad thing; it could be more than two of course, if you've got retransmissions, and you can also have one if you happen to miss the SYN. That's not really a problem; you can sort it like this, and now you've got three streams. We can store that into a variable; I do it in two steps now for readability, like this, and just show you what's stored, like this. Then you can use this output to create the new file by using this output variable. Oh yeah, that's because I'm using Windows; I'm using Cygwin here, which is a way to get a Linux-like shell on Windows, but it calls the Windows-native tshark, so the output contains carriage returns and line feeds. So I'll do it as on Linux; do it again, now it will work, and I can open this file like this, and so I only have one, two and three; only TCP stream zero is left out. Okay, that's a way to filter out incomplete streams.

Okay, next step. Well, what you want to have is a complete stream, so from TCP SYN to FIN or reset. The logical way would be: we use the stream number as an index, we record the SYN packet and record the FIN or reset, and in the end output the ones that match the criteria. So to capture all three, what I've done here is output the tcp.stream and I output the SYN flag, so you can see sometimes the SYN flag is present, sometimes it's not, meaning that it's either a FIN or a reset. I'll show you: you go to Wireshark and go to the TCP layer, the flags; I use here a boolean AND with seven; seven means the lower three bits set, and guess what, the lower three bits are FIN, SYN and reset. So that's the way you filter on those three; it's one way to do it anyway. Okay, so this output we can use in our application, and let's use awk. We know it's tab separated, so let's set the tab as field separator, and for each packet, if the second value is set then store the stream number, and otherwise, if you see a reset or a FIN, you want to mark it as a complete session with a one, let's do it like this, and finally you want to output that one; copy-paste it to speed it up a bit. So you go through the loop and everything that matches you print out, and then you add the syntax. So now you have these fields again, but you know for sure it's only complete sessions from beginning to end, and you can use the same method to create a new file only containing these complete streams. Oh, and by the way, by storing it this way you don't have to sort the output, and depending on the programming language it could be faster than what I just did. So this is how we did it.

Okay, so one thing to note is that you have to provide all the information for tshark on the command line, so if you generate filters like that it can grow big very fast, especially with big files, let's say thousands of TCP connections; then the filter will grow quite fast. If you work on a Linux machine then the command line can be about two megabytes; for macOS it's in the order of 265 kilobytes, and Windows is the smallest: you can have 32K on PowerShell and if you use cmd even smaller. So that's something you have to keep in mind, and sometimes you have to optimize your queries. Also a compiled capture filter has a limit, which is one memory page or four kilobytes, so if you're using dumpcap for capturing, or tshark with a capture filter, there's also a limit there. Okay, but you can optimize it by using the range operator, this double dot. I'll go a bit faster. The trick is you go through the array, and for every match you find you determine if there is a range, or you look for the first gap, and if the length of the range is larger than three you use the range operator. So if you do that the logic is the same, as you can see here; I won't run it because of time: you loop through the results, if it's a match then you look for the end of the range, and if so you output it as a range. Any other questions, by the way?

(Not yet, but we can invite people to ask questions if they want.) Okay. Would you all go back to the Mentimeter; you answered the question "what operating system are you using", so let's do "what's your preferred programming language", I would like to know that. Is it still working? There it comes in, so the first response is Python. Python is an interpreted language, by the way, which is not really an issue, because I just used awk and it's also interpreted; typically most of the work is done by tshark and what you're doing is relatively easy. I also see Perl, assembly, Golang, which is a nice language for multi-threading. We don't see Java, nobody is using Java? JavaScript would be nice if you want to use the JSON output of tshark. Okay, thank you for responding, let's continue.

So normally what we do is we read the output of tshark into your own program to do additional analysis. Some of you said C; well, for that you can use the good old popen, it stands for pipe open; you want to be on the receiving end, reading the output. For Go you use the Command function to run tshark, and you can indicate that you want to use a pipe to read the output. For Python also, it's called subprocess.Popen, again pipe open, etcetera. So most of the time we're using pipes for reading the output. If you use pipes, by the way, then the output gets buffered, and the typical buffer is 64K on most machines. So let me see: normally the output to the terminal is line buffered and standard error is unbuffered. I can demonstrate that; so basically when I type something here it will echo it back when I hit Enter, I can see that, right, so this one is line buffered, but if I use a pipeline then it gets fully buffered, so when I type something in you don't see the output because it's now buffered, and only when I do Ctrl-D, end of file, you get the output. That's because it's buffered. Is that bad for tshark? No, usually not, because most of the time it slurps the data into memory, does its filtering and then starts outputting, so from the time it starts outputting it's always quite fast. But if you want to you can force tshark to output on a line by line basis, or to be exact on a packet by packet basis, with the option -l; I don't see it, where is it, there it is: as you can see you can force it to flush the output after each packet. This is pretty much only useful if you do live capturing; otherwise don't use it, it's not really optimizing your output.

Okay, and also if you want to do analysis on your own, you can make your life simpler if you can process it stream by stream. So normally if you have a capture file, let's pick one, then you see these streams interleaved, I think that's the name, but you can also sort it and that way you can process it stream by stream. I'll show you how to do that. Let's just pick a file, and fields, let's say I output the tcp.stream and, let's say, the time. Okay, so what you've got here is the stream number and the time in epoch time. For post processing it's easier to have machine time than human readable, because otherwise you have to convert it back to machine time to do some fancy things. And for this we can add some extra information, the source address and so on; now you'll see it outputs this one. This output we can now sort, like this, and you can see, let's make it bigger, and as you can see it's now sorted: you get the first stream first, then it switches to the next one, and the third one, etcetera. By the way, I did sort it without any options; that means that the whole line is treated as a single character array, a string, and that works because you only have to detect the change of the stream number, and for the epoch time, well, it will take at least seven years for the next rollover in case of the 32-bit version, this is the pcap, and for pcapng it takes over 200 years before you get the next glitch. But you can force it to use the numeric sorting, like this; now you force it to sort numerically on the first two columns, and the output is in this case the same.

(André, do you want to take a question?) Yes. (So there's a question, it's a bit off topic, about the bash shell.) Right, yeah, what I'm using here is called Cygwin; you can go to cygwin.com, let's see, and you can install it from here, and then you can use the bash shell straight away from the command line. The nice thing, I use this because I use a lot of Linux servers and a lot of other systems, and having the same shell on all my machines makes life a lot easier; I don't have to rewrite the scripts. There's also a gotcha, because we've got this environment variable called TZ, the time zone, which is different on Linux from what Windows understands. Let's do a little demo: so you can see here the time gets mixed up if the time zone is not set correctly; I can show you, like this, then it will pass the TZ variable on to the Windows executable. So the trick is to make sure that the TZ variable is not set; if you do that then it will give you the correct time. Okay, back to the streams; oh, I just told you that, and then you can have this output opened up.

Okay, there were also people using Perl; let's go Perl. Normally you would use here an array to specify a command, and here I'm using a string; if you do that then it will use a shell to launch the command in between, but I do that because I want both the tshark and the sort command executed and only the output of the sort command in my loop. In your while loop you can then read the output you just specified; that's the benefit of using the fields option, and in Perl you can give it a nice name to process it further. You can recognize a new stream by a change of the first column, the tcp.stream number, and you can then do some post processing or reset counters for the next stream, etcetera. If you run this script like this it will give you this output; I'll show you, let's show the output and the script itself. Okay, and here, zoom in, here we have this example I just showed you, and here I do some processing, and when I call this function it outputs the time; as you can see the input was epoch time, but we can output it in any format we want to, using functions to do that. And you can do your own processing and improvements. So that's the basic concept of processing the output of tshark in your own tooling.

Okay, another nice one; well, you can do a lot of processing you can think of, but one that most people don't think of is called data after TCP FIN or RST. The protocol itself allows you to have a half open connection, meaning you can send the TCP FIN, then you can no longer send data but you can still receive, and vice versa; you cannot respond if you have closed the session. So that's not useful for most applications, practically all, so in practice half open connections are not used, right? So when they are used, when you do see it in your pcap, your network capture, then it's a strong indication that something went wrong, not on the network level but on the application level. So that's a nice thing to look for. There's one exception, which is the so-called TLS alert, because it sends a close_notify, then closes the TCP stream, and you get a close_notify back from the other end. I can just show you here, here you can see it, I have to remove the filter, you can see it's just filtered out, oh, this one: as you can see it sends an alert, sends a FIN, and from the other end you should receive a close_notify as well, also not in this example, anyway. So normally half open connections indicate there's a problem.

And why is that? It can be because of a so-called slow backend. So what you can see here: in the front you have a client that sends an HTTP request after doing the TLS setup; the server, or microservice or whatever, sets up a backend call to gather extra information, and normally it gets an answer, and that allows it to send the response to the client. But what happens if this backend is slow? Well, if the client times out, or is terminated or whatever, then the connection gets closed; we'll see in the capture a close_notify. But if the server does not respond to that and keeps waiting for the backend, what you see now is that it will first send the response and then respond to the closure, but by then the client is already gone, closed the connection or closed the socket, or crashed, killed, whatever, and then the operating system will send TCP resets. So you see here you have a TLS close followed by data, indicating a problem. Other reasons could be of course that there is a small time delay within the round trip time, but that's normally not the case. So how do you catch that one? Well, for every packet look for the FIN or reset; if that's present, mark the close as started. Then for the next packet, if the length is greater than zero, so there is data on TCP level, and the close has started, and it's not an alert, then mark that this is data after FIN or reset. If you want you can exclude the time within the round trip time, to be sure, but in practice that's not really necessary. And when the TCP stream changes then you know you're really finished, and then you can issue a warning or a critical message that something went wrong here. Okay. (No more questions? Not yet; if anyone wants to ask, we have just a few minutes left, so now is the chance.) Yes, I've got time. Okay, so for me it changed from handy scripts to fully automated tooling allowing novice users to upload a pcap file and get a report generated
and so she's used as part of performance promised load testing to see if everything is working as it should be because sometimes the application builder doesn't see especially a tls layer if this change has that consequence or some performance okay so this is why we automated we need to pass the feedback the trick we do is we upload pickup file to the automate system we use a sanity check to see if the file is correct you don't want corrupted files or too many packages or low volume what we do next is we split the files up into known protocols so you don't have to supply a huge filters on your command line every time and also makes life easier and faster small files will be processed faster than big files and then you can process all the applications and protocols you found and you generate a report looks a bit like this okay oh sorry one okay now let's skip it so this is an example of how you can check for invalid files you can you run the dshire command with the file we want no output on the statistics and no network translation address translation etc you can look for problems by the way if you do capturing on virtual machines you may see negative delta times and that has to do with the way the data is captured from the incoming and outcoming data that's done on different levels so if you see negative delta times then it's probably a ring buffer over and occurred in a kernel and you can take it like this and for a io stats you can process it by looking for the the data okay split again 15 minutes yes like i said splitting up into known protocols makes life a lot easier for instance if you see a web server running on a high part number uh then maybe when maybe an issue but you can also look at the data what's being sent and say okay that's a splunk agent and not a normal web server so you can go from more specific to less specific filters to split them up into known protocols so and you create a new file using the not filter the exclude filter and then you can go 
through the hill file again and again it gets smaller and smaller and what's left and the final is the ones you don't recognize okay um network capture should perform for statistical analysis should contain enough data so at least five minutes is my advice and not pre-filtered so if you sketch your filters in one way you won't you won't see the problem um give an example um what happened really happened is that there was an application and it was on web servers basically they captured the traffic of the application and they could not figure out
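The "data after FIN or reset" check the talk describes, as an added Python example that is not the speaker's own Perl script: it reads tshark -T fields output (a constructed sample is embedded; the tshark field names are real, the packets and addresses are made up), sorts it stream by stream the way the talk does with sort, and flags data sent after the close phase started unless that packet is a TLS alert.

```python
import csv
import io

# Constructed sample, shaped like the output of a (hypothetical) run of:
#   tshark -r trace.pcap -T fields -E separator=/t \
#     -e tcp.stream -e frame.time_epoch -e ip.src -e tcp.srcport \
#     -e tcp.flags.fin -e tcp.flags.reset -e tcp.len -e tls.alert_message.desc
# The field names are real tshark fields; the packets and addresses are made up.
SAMPLE = (
    "0\t1624953600.000\t10.0.0.5\t51000\t0\t0\t0\t\n"      # client SYN
    "0\t1624953600.010\t10.0.0.5\t51000\t0\t0\t512\t\n"    # client request
    "0\t1624953600.020\t10.0.0.5\t51000\t0\t0\t31\t0\n"    # client TLS close_notify
    "0\t1624953600.021\t10.0.0.5\t51000\t1\t0\t0\t\n"      # client FIN
    "0\t1624953601.500\t10.0.0.9\t443\t0\t0\t1200\t\n"     # late server response
    "0\t1624953601.501\t10.0.0.5\t51000\t0\t1\t0\t\n"      # client RST
    "1\t1624953602.000\t10.0.0.5\t51001\t0\t0\t200\t\n"    # clean stream
    "1\t1624953602.100\t10.0.0.9\t443\t0\t0\t900\t\n"
    "1\t1624953602.200\t10.0.0.5\t51001\t0\t0\t31\t0\n"    # client close_notify
    "1\t1624953602.201\t10.0.0.5\t51001\t1\t0\t0\t\n"      # client FIN
    "1\t1624953602.210\t10.0.0.9\t443\t0\t0\t31\t0\n"      # server close_notify
    "1\t1624953602.211\t10.0.0.9\t443\t1\t0\t0\t\n"        # server FIN
)

def _flag(value):
    # tshark prints booleans as 1/0 in recent versions, True/False in older ones
    return value in ("1", "True")

def data_after_close(fields_output):
    """Return (stream, epoch, sender, bytes) for data sent after a FIN/RST."""
    rows = [r for r in csv.reader(io.StringIO(fields_output), delimiter="\t") if r]
    # same ordering as `sort -k1,1n -k2,2n`: numeric on stream, then on epoch time
    rows.sort(key=lambda r: (int(r[0]), float(r[1])))
    findings = []
    closing = None  # stream whose close phase has started; reset on stream change
    for stream, epoch, src, sport, fin, rst, tcp_len, alert_desc in rows:
        if closing != stream:
            closing = None
        # TLS alerts (e.g. close_notify) legitimately carry bytes after the peer's FIN
        if closing == stream and int(tcp_len) > 0 and alert_desc == "":
            findings.append((int(stream), float(epoch), f"{src}:{sport}", int(tcp_len)))
        if _flag(fin) or _flag(rst):
            closing = stream
    return findings

if __name__ == "__main__":
    for stream, epoch, sender, nbytes in data_after_close(SAMPLE):
        print(f"WARNING stream {stream}: {nbytes} bytes from {sender} after FIN/RST at {epoch}")
```

Stream 0 is the slow-backend case from the talk (server data after the client's close_notify and FIN, then a client RST); stream 1 closes cleanly and produces no finding.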
Info
Channel: SharkFest Wireshark Developer and User Conference
Views: 626
Id: 1TxAq1xIj1M
Length: 75min 55sec (4555 seconds)
Published: Tue Jun 29 2021