Navigating with Wireshark

I get a lot of requests from people asking how to use Wireshark, what to look for, and what filters to use. Most people said that they didn’t have time for a five-day course and wanted tips and tricks on how to get going.

Even though I created a 20 minute, $20 course in January (https://www.udemy.com/wireshark-2-fundementals/learn/v4/overview) which was well received, I got requests for the same topics asking for more specifics.

It is important to separate ping and ICMP. Even though ping uses ICMP, ICMP can be used as an error reporting protocol sent by servers, routers, firewalls, etc. I've seen many analysts blindly filter out or ignore ICMP packets, missing valuable clues in their troubleshooting. ICMP can also ‘fix' your applications quietly in the background which can easily break if someone decides to block it without doing his or her homework.

In this video take you through how I captured packets and how to start analyzing ICMP, DNS, and ping packets. I figured I would pick two of the most common protocols that you would encounter in the field. ICMP, DNS, and ping is also something you can play with at home or on most networks.

I cover DNS transaction IDs and how to find/jump to the response packet to determine response time.

I plan to do more articles explaining troubleshooting scenarios and my methodology.