Packet Class

Wireshark Packet Class

A Didier Stevens Labs' Training

Wireshark is the number one network security tool according to top 125 Network Security Tools survey.

Register for Wireshark Packet Class BRUCON 2014

But did you ever spend time to familiarize yourself with the many powerful features of this excellent security tool? If you did not, then now is your chance to learn as much as you can in this class and receive several unpublished tools (like a Lua dissector generator), scripts and dissectors specially developed by Didier for Wireshark.

This training is for the novice and intermediate Wireshark user.

  • First, Didier will familiarize you with the user interface of Wireshark. •
  • Then, we will touch upon the art of capturing traffic. You might think that you just need to install Wireshark on your machine to capture traffic, but that is just one way to do it. We will also look at ways to capture traffic at different points in the network, using network devices and dedicated hardware. •
  • Learning about capture filters will help you control the size of your capture files on busy networks. Knowing capture filters is an important skill for security professionals. Capture filters are not only used by Wireshark, but many other (security) tools you will encounter in your career. •
  • Colorizing traffic and using display filters (not to be confused with capture filters) are key in finding the interesting packets hiding in your capture files. •
  • Your head will spin when you see all the build-in statistics. Wireshark comes with many statistical reports that help you drill down into your captures. Many of these statistical tools support display filters, allowing you to customize your reports. And when we say reports, we talk about graphics too: Wireshark can produce graphical representations of your network traffic. When you master this feature, you will be able to grasp aspects of your network traffic with the blink of an eye. •
  • Data send over a network is split-up in several packets and can adopt many protocols. It can be a hard task figure out what all these packets mean. But Wireshark understands this and can reassemble these packets into streams so that you can view and extract the data you are interested in, so that you get an abstracted view and are no longer “lost in packets”. •
  • We will also learn about Wireshark's expert system, an often overlooked feature that can save you many hours of peaking at packets. 

Once we are familiar with Wireshark's many important features, we will look at all types of traffic. Regular day-to-day traffic like DNS, TCP/IP, HTTP, SMTP, WLAN, … but, of course, also the irregular traffic like network scans (nmap anyone?) and network discovery, and traffic from hacker tools and malware like botnets. Network forensics is an important skill to master, and Wireshark is an essential tool to help you master this skill.


As an experienced Wireshark user, Didier has come to hit some limits of Wireshark, and has worked past these limitations using command-line tools like Tshark and specialized scripts. In this training, Didier will share with you how he has gone beyond “simple” Wireshark. For example, say that you have traffic captures worth a couple of Gigabytes. Just using Wireshark to look at this traffic becomes virtually impossible, unless you have an insanely specced-out machine that your boss will never give you. But using the right command-line tools, together with some specialized Python scripts, Didier will learn you how to take this hurdle.

Wireshark can also be extended using the C and Lua programming languages. In this class, we will look into Lua taps and dissectors to help you analyze traffic that “pure” Wireshark does not understand. Wireshark dissectors are often designed to analyze a network protocol. Say you are reversing a botnet, then you can develop your own dissector that analyses the custom network protocol that the botnet uses to communicate between the C&C and the clients. But custom dissectors can help you even with known network protocols. For example, Didier will teach you the inner workings of a simple custom dissector he developed in Lua to analyze HTTP cookies. This simple dissector is very useful to filter-out traffic according to server sessions, like PHP or ASP sessions.

In a nutshell, this packed training will teach you both simple and advanced Wireshark skills that are essential for security professionals and hackers.

You do not need any prior exposure to Wireshark to attend this training, but a basic understanding of networking is required. Programming in Lua is not a required skill for this training, we will explain all you need to know about Lua in this training. But some basic scripting experience is useful, just not to feel overwhelmed when we discuss custom dissectors. If you know what an if-statement and a for-loop is, you will be fine. 

Register for Wireshark Packet Class BRUCON 2014

Didier Stevens is an IT security professional well known for his security and forensic tools, like the Network Appliance Forensic Toolkit (NAFT).

Didier is an experienced Wireshark user, he started using it when it was still known as Ethereal. Didier holds many IT certifications and is an MVP Security. Relevant to this training are his CCNP/Security certification (Cisco Certified Networking Professional) and the fact that he is working towards obtaining the Wireshark Certified Network Analyst certification.

You can find his tools on his security blog

Wireshark and the "fin" logo are registered trademarks of the Wireshark Foundation.