  • ARP Poisoning (t)
    Trace file - ARP poisoning process - map it out. Referenced in the Hacked Hosts: Network Forensics course.
    Last modified: 08/13/09 10:17 AM ET
    Size: 1.59KB
  • Best Time Setting for Troubleshooting - Wireshark Tip 9 (iv)
    When users complain about poor network performance, capture their traffic (from as close to their systems as possible so you get round trip time values from their perspective). Set the Time column value to show you from the end of one packet to the end of the next packet by selecting View > Time Display Format > Seconds Since Previously Displayed Packet. Now you can sort this column to see where there are large gaps in time in the trace file.
    Last modified: 08/05/09 02:32 AM ET
    Duration: 0:57
    Size: 4.73MB
  • Bot Infected Host Analysis (Laura Chappell) (iv)
    iPhone video: Laura opens a trace file from an infected host, identifying the evidence of the compromise and demonstrating how to create a butt ugly filter to spot unusual DNS responses.
    Last modified: 08/05/09 02:43 AM ET
    Duration: 14:57
    Size: 65.64MB
  • Bot-Infected Host Analysis (Laura Chappell) (v)
    Full-size video: Laura opens a trace file from an infected host, identifying the evidence of the compromise and demonstrating how to create a butt ugly color filter to spot unusual DNS responses.
    Last modified: 08/05/09 02:48 AM ET
    Duration: 14:57
    Size: 51.09MB
  • Butt Ugly Color Filters (Laura Chappell) (v)
    Video - full size: Laura demonstrates the creation and use of her butt ugly color filters to distinguish unusual network communications.
    Last modified: 08/05/09 02:41 AM ET
    Duration: 6:34
    Size: 15.1MB
  • CACE Wifi Pilot (Laura Chappell) (p)
    Ron Nutter (TechBytes) interviews Laura Chappell to learn more about the new CACE Wifi Pilot product. Laura explains the elements that make CACE Wifi Pilot a boon to WLAN integrators and support technicians.
    Last modified: 11/05/10 04:36 PM ET
    Duration: 6:19
    Size: 2.9MB
  • Chargen (t)
    Trace file - Character Generator (chargen) process. Referenced in the Hacked Hosts: Network Forensics course.
    Last modified: 08/13/09 10:18 AM ET
    Size: 5.03KB
  • Collect and Store Evidence (Tom Quilty) (p)
    Ron Nutter (TechBytes) chats with Thomas Quilty, CEO of BD Consulting and Investigations, about initial evidence-collection procedures after a breach has occurred. Tom describes what to document during the collection process, how to maintain a chain of custody, and how to store the evidence for potential use in court. Thomas Quilty has over twenty-five years' experience in law enforcement, including ten years investigating Federal and State of California High Technology Crimes.
    Last modified: 11/05/10 04:41 PM ET
    Duration: 6:32
    Size: 3MB
  • Data Breaches (Tom Quilty) (p)
    Ron Nutter (TechBytes) chats with Thomas Quilty, CEO of BD Consulting and Investigations, about what to do when you have had (or think you have had) a data breach. Tom explains the need for a ‘breach plan’ to prepare for the dreaded day, and how a full understanding of the network interconnections can save your hide someday. Thomas Quilty has over twenty-five years' experience in law enforcement, including ten years investigating Federal and State of California High Technology Crimes.
    Last modified: 11/05/10 02:28 PM ET
    Duration: 6:26
    Size: 2.95MB
  • Evidence - Bot-Infected Host (t)
    Trace file used in the Bot-Infected Host Analysis video. Check it out yourself.
    Last modified: 08/06/09 01:48 PM ET
    Size: 17.44KB
  • Future of CACE Pilot (Gerald Combs) (p)
    Ron Nutter (TechBytes) talks with Gerald Combs about the development progress on CACE Pilot, the graphical and reporting tool that integrates with Wireshark.
    Last modified: 11/05/10 04:31 PM ET
    Duration: 3:32
    Size: 1.62MB
  • Getting Organized (Laura Stack) (p)
    Ron talks with Laura Stack, the Productivity Pro, about where to start in the process of getting organized. Knowing techies are overwhelmed every day by network and user demands, Laura discusses when mobile devices are the best answer and when paper solutions are the right answer. Laura discusses her use of the PRODUCTIVE acronym (being Prepared, Reducing timewasters, becoming Organized, being Disciplined, removing Unease/stress, Concentrating, using your Time effectively, managing Information, reviving your Vitality, focusing on your Equilibrium). Learn more about Laura Stack at theproductivitypro.com.
    Last modified: 11/05/10 04:19 PM ET
    Duration: 5:57
    Size: 2.73MB
  • Hacked Host - Client Dying (t)
    Trace file - client boots and CPU hits 100% in just a few minutes. Referenced in the Hacked Hosts: Network Forensics course.
    Last modified: 08/13/09 10:18 AM ET
    Size: 111.32KB
  • Hacked Host - Evil Program (t)
    Look for unusual traffic in this trace file to see what happened to this host. Referenced in the Hacked Hosts: Network Forensics course.
    Last modified: 08/13/09 10:18 AM ET
    Size: 131.04KB
  • Hacked Host - Sick Client (t)
    Trace file - scans from this host alerted the admin that something was wrong. Referenced in the Hacked Hosts: Network Forensics course.
    Last modified: 08/13/09 10:16 AM ET
    Size: 17.44KB
  • HTTP (http-aol.pcap) (t)
    (Referenced in the Trace File Analysis Session 2 course at chappellseminars.com) Trace file of a web browsing session to www.aol.com.
    Last modified: 08/11/09 08:05 PM ET
    Size: 201.53KB
  • HTTP (http-checkitout.pcap) (t)
    (Referenced in the Trace File Analysis Session 2 course at chappellseminars.com) Trace file of a web browsing session including GET and POST.
    Last modified: 08/11/09 08:05 PM ET
    Size: 463.32KB
  • HTTP (http-client-refuses.pcap) (t)
    (Referenced in the Trace File Analysis Session 2 course at chappellseminars.com) This client has more than one connection to a streaming video server, but nothing happens when they begin the stream viewing process. A quick review of the trace file indicates that the client rudely sends TCP RST packets [P28] [P29] to shut down the connections. The fault is at the client. Most likely a popup blocker process is getting in the way.
    Last modified: 08/11/09 08:04 PM ET
    Size: 13.75KB
  • HTTP (http-espn.pcap) (t)
    (Referenced in the Trace File Analysis Session 2 course at chappellseminars.com) How ugly can it get? Check out the flow graph of this connection to www.espn.com.
    Last modified: 08/11/09 08:11 PM ET
    Size: 1.58MB
  • HTTP (http-fault-post.pcap) (t)
    (Referenced in the Trace File Analysis Session 2 course at chappellseminars.com) Although this company has a nice feedback form online, when you fill out the form and click submit they rudely send an HTTP error code 403 [P10] [P13]. Someone needs to let the webmaster know the form is broken!
    Last modified: 08/11/09 08:11 PM ET
    Size: 11.51KB
  • HTTP (http-msn.pcap) (t)
    (Referenced in the Trace File Analysis Session 2 course at chappellseminars.com) Browsing to www.msn.com is more complicated than it seems. When reviewing this trace, consider running Statistics > HTTP > Requests (do not apply a filter) to see how many systems the client actually connects to.
    Last modified: 08/11/09 08:11 PM ET
    Size: 298.27KB
  • HTTP (http-partial-content.pcap) (t)
    (Referenced in the Trace File Analysis Session 2 course at chappellseminars.com) HTTP allows us to retrieve partial content of a file loaded on a web server. For example, perhaps we just want to get the artist information for an MP3 file, but we don't want to download the entire file yet. This trace depicts a user sending a partial content query as noted by the 'Range: bytes=x-y' header field. Cool!
    Last modified: 08/11/09 08:12 PM ET
    Size: 1.89MB
  • HTTP (http-post.pcap) (t)
    (Referenced in the Trace File Analysis Session 2 course at chappellseminars.com) This trace shows a McAfee update process (preceded by the "McAfee dance") and use of POST operations.
    Last modified: 08/11/09 08:13 PM ET
    Size: 25.76KB
  • Internet Safety for Kids (Laura Chappell) (p)
    Ron Nutter (TechBytes) talks with Laura Chappell about the latest findings regarding Internet safety for kids. Laura dispels the myth that social media sites are the key dangers of the 'net.
    Last modified: 11/05/10 04:59 PM ET
    Duration: 10:59
    Size: 5.03MB
  • Metageek WiSpy Adapters (Laura Chappell) (p)
    TechBytes Podcast - Ron Nutter interviews Laura Chappell to learn more about spectrum analysis using Metageek WiSpy adapters and Chanalyzer software.
    Last modified: 11/05/10 02:28 PM ET
    Duration: 8:24
    Size: 3.85MB
  • Minimize Security Risks (Tom Quilty) (p)
    Ron Nutter (TechBytes) chats with Thomas Quilty, CEO of BD Consulting and Investigations, about looking objectively at the corporate network to determine where risks are greatest. Discussing the need for ‘outside talent’ to objectively perform due diligence, Ron and Tom talk about how important certain tasks are for maintaining credibility with clients, investors and the public. Thomas Quilty has over twenty-five years' experience in law enforcement, including ten years investigating Federal and State of California High Technology Crimes.
    Last modified: 11/05/10 04:31 PM ET
    Duration: 5:33
    Size: 2.54MB
  • Multicast Video Stream (t)
    Trace file of a UDP-based multicast going through a queuing device. Look at the IO graph after changing the X axis tick interval to 0.01 to see the holds in the queue.
    Last modified: 08/06/09 01:57 PM ET
    Size: 2.28MB
  • Nessus Scan (t)
    Trace file - Standard Nessus scan on a target. Referenced in the Hacked Hosts: Network Forensics course.
    Last modified: 08/13/09 10:19 AM ET
    Size: 177.21KB
  • New Wireshark Features (Gerald Combs) (p)
    Ron Nutter (TechBytes) talks with Gerald Combs, creator of Wireshark (formerly Ethereal) and Director of Open Source Projects at CACE Technologies, about feature requests and upcoming features such as 64-bit Windows, better Mac OS X support, triggers and more. In addition, Gerald talks about how to request features and add your own by contributing code.
    Last modified: 11/05/10 04:19 PM ET
    Duration: 5:19
    Size: 2.44MB
  • Nmap and Zenmap (Laura Chappell) (p)
    Ron Nutter (TechBytes) talks with Laura about the features of Nmap and the newly-added Zenmap graphical element. Laura raves about the Nmap book written by Gordon Lyon (creator of Nmap).
    Last modified: 11/05/10 01:49 PM ET
    Duration: 6:16
    Size: 2.87MB
  • OS Fingerprinting (Kirk Thomas) (p)
    Ron Nutter (TechBytes) talks with Kirk Thomas, creator of NetScanTools Pro (www.netscantools.com), about how to perform OS fingerprinting to identify devices on the network. Kirk explains how NetScanTools uses various types of ICMP packets to perform OS fingerprinting on a network and the issues that firewalls cause when sending these packets to the target. The ICMP packets used include Echo Requests, Address Mask Requests, Information Requests and Timestamp Requests. Kirk also explains how WinPcap is used to bypass the firewall, and how fingerprinting can help locate rogue devices on the network. Finally, Kirk explains how banners can give away the identity of a host. Ron reminds listeners that you must be careful before running these tools on the network.
    Last modified: 11/05/10 03:39 PM ET
    Duration: 5:09
    Size: 4.73MB
  • OS Fingerprinting (t)
    Trace file of an ICMP-based OS fingerprinting operation. Look for illegal ping packets (icmp.type==8 && !icmp.code==0).
    Last modified: 08/06/09 01:50 PM ET
    Size: 4.63KB
  • Port Scan (t)
    Trace file of a port scan process - something you really never want to see on your network unless you are in charge of the process.
    Last modified: 08/06/09 01:44 PM ET
    Size: 3.31KB
  • Prepare for a Data Breach (Tom Quilty) (p)
    Ron Nutter (TechBytes) chats with Thomas Quilty, CEO of BD Consulting and Investigations, about the importance of building strong relationships with legal representatives and law enforcement BEFORE a breach occurs. Tom explains the role of the HTCIA (High Technology Crime Investigation Association) in preparing for a breach. Thomas Quilty has over twenty-five years' experience in law enforcement, including ten years investigating Federal and State of California High Technology Crimes.
    Last modified: 11/05/10 04:35 PM ET
    Duration: 6:08
    Size: 2.81MB
  • Private Investigator Experience and References (Cynthia Navarro) (p)
    Ron Nutter (TechBytes) talks with Cynthia Navarro, Principal of Finnigan's Way (www.finnegans-way.com), a private investigation firm that deals with various types of cybercrime cases, about defining what you want in your private investigator's report and setting expectations up front when hiring the investigator. Cynthia references elements such as time tracking, order of interviews, court documents referenced and confidential informant interviews. In addition, Cynthia stresses the importance of signing an NDA at the first meeting with the investigator to protect corporate trade secrets and confidentiality.
    Last modified: 11/05/10 02:28 PM ET
    Duration: 5:40
    Size: 2.6MB
  • Realtime Blacklist Check (Laura Chappell) (iv)
    Video - iPhone: Laura got an eCard that prompted her to do some research on the sender. You'll see her use NetScanTools Pro to do a batch RBL (realtime blacklist) check on the sender, examine the response from Spamhaus and then analyze the method NetScanTools Pro used to perform this RBL check. Sign up for her newsletter at chappellseminars.com to get links to the trace file used in this video and the bot-infected host video. Enjoy!
    Last modified: 08/05/09 02:40 AM ET
    Duration: 5:16
    Size: 28.07MB
  • Realtime Blacklist Check (t)
    Trace file showing the realtime blacklist check process used by NetScanTools to research a company that sent Laura a greeting card via email.
    Last modified: 08/06/09 01:55 PM ET
    Size: 9.35KB
  • Realtime Blacklists (Kirk Thomas) (p)
    Kirk Thomas, creator of NetScanTools Pro (www.netscantools.com), talks with Ron about how Real Time Blacklist (RBL) servers work and how companies get on the list (a very painful experience for an innocent company). Kirk explains how to customize the RBL server list in NetScanTools and how to enable/disable RBL servers. Ron and Kirk discuss how companies can mistakenly get onto blacklists, how to check whether your company has been put on a blacklist, and how to validate that spam is coming from a blacklisted address.
    Last modified: 11/05/10 04:36 PM ET
    Duration: 5:41
    Size: 2.6MB
  • Risk Assessment (Tom Quilty) (p)
    Ron Nutter (TechBytes) chats with Thomas Quilty, CEO of BD Consulting and Investigations, about the ongoing process of risk assessment, including building a full inventory of network elements and prioritizing potential target information. Risk assessment is not a one-time task and requires diligence and consistency in an ever-changing business environment. Thomas Quilty has over twenty-five years' experience in law enforcement, including ten years investigating Federal and State of California High Technology Crimes.
    Last modified: 11/05/10 03:59 PM ET
    Duration: 5:03
    Size: 2.32MB
  • Set Up GeoIP - Wireshark v1.2.x (Laura Chappell) (iv)
    Laura demonstrates how to set up and use Wireshark's GeoIP feature to map IP addresses to their geographic location on a global map.
    Last modified: 08/05/09 02:42 AM ET
    Duration: 5:42
    Size: 27.13MB
  • Signs of a Compromised Host (Laura Chappell) (p)
    TechBytes Podcast - Ron Nutter interviews Laura to hear the types of traffic that make her skin crawl - from IRC sessions to unusual DNS responses and more.
    Last modified: 11/05/10 04:31 PM ET
    Duration: 6:56
    Size: 3.18MB
  • smb_protocol-request-reply
    See http://seclists.org/fulldisclosure/2009/Sep/0039.html. See chappellseminars.com/projects for details on catching unusual SMB Negotiate Protocol Request packets. (See also smb_protocol-request-reply.pcap) [Submitted by Laura Chappell, chappellu.com on 090809]
    Last modified: 09/08/09 03:15 PM ET
    Size: 498B
  • smb_protocol-request-reply4filtertest
    See http://seclists.org/fulldisclosure/2009/Sep/0039.html. See chappellseminars.com/projects for details on catching unusual SMB Negotiate Protocol Request packets. (See also smb_protocol-request-reply.pcap) [Submitted by Laura Chappell, chappellu.com on 090809]
    Last modified: 09/08/09 03:15 PM ET
    Size: 1.41KB
  • Sniffing FTP Passwords (Laura Chappell) (iv)
    iPhone video: Laura shows how to capture traffic and reassemble the TCP stream to easily see the FTP username and password in clear text.
    Last modified: 08/06/09 02:14 AM ET
    Duration: 4:29
    Size: 14.07MB
  • Switch Port Mapper (Kirk Thomas) (p)
    Ron Nutter (TechBytes) talks with Kirk Thomas, creator of NetScanTools Pro (www.netscantools.com) and Switch Port Mapper, about the port details that Switch Port Mapper can discover and the information you can gather. Kirk then explains how Switch Port Mapper works with a variety of managed switches in the industry, including HP, Cisco, Dell, NetGear, Nortel, D-Link, 3Com, Linksys and more, and gives some hints on mapping your network devices using SNMP read community strings. Finally, Kirk explains how Switch Port Mapper can be used on a regular basis and how its data can be exported for further analysis. The podcast closes with security warnings.
    Last modified: 11/05/10 04:41 PM ET
    Duration: 5:24
    Size: 2.47MB
  • Top Troubleshooting Tools - 2009 (Laura Chappell) (p)
    Ron Nutter (TechBytes) and Laura talk about their favorite troubleshooting tools.
    Last modified: 11/05/10 04:27 PM ET
    Duration: 7:36
    Size: 3.48MB
  • Tshark Interface Selection - Tip 8 (Laura Chappell) (iv)
    Tshark is the command-line capture tool that comes with Wireshark (look in the Wireshark program directory and consider adding this directory to your path so you can run Tshark from your trace file directory). Type tshark -D (must be a capital "D") to view the interface list. If you want to capture traffic on the third interface listed, you would use tshark -i 3 (the "i" parameter indicates the interface number you want to capture on).
    Last modified: 08/05/09 02:45 AM ET
    Duration: 2:29
    Size: 6.72MB
  • When a Breach Occurs (Tom Quilty) (p)
    Ron Nutter (TechBytes) chats with Thomas Quilty, CEO of BD Consulting and Investigations, about the fact that it is impossible to completely stop a breach from occurring. Tom reiterates the need for risk analysis and management and explains the difference between a disaster recovery plan and a breach plan. Your first reactions may be defined by legal requirements, and this information should be known in advance to save face with investors, clients and the public. Who is going to be the leader during the reactive process after a breach? What about legal counsel and the director of investigation/security management? What about the marketing director – do they have a role in the reaction? The key here is to ‘stop the bleeding’ and begin resolving the problem. Thomas Quilty has over twenty-five years' experience in law enforcement, including ten years investigating Federal and State of California High Technology Crimes.
    Last modified: 11/05/10 04:43 PM ET
    Duration: 5:22
    Size: 4.93MB
  • When to Hire a PI (Cynthia Navarro) (p)
    Ron Nutter (TechBytes) talks with Cynthia Navarro, Principal of Finnigan's Way (www.finnegans-way.com), a private investigation firm that deals with various types of cybercrime cases including intellectual property, unauthorized distribution, internal employee theft, corporate espionage, identity theft and more. Cynthia explains how to contact a private investigator and define the case before the hiring takes place.
    Last modified: 11/05/10 04:43 PM ET
    Duration: 5:48
    Size: 2.66MB
  • Wireshark and VMware (Gerald Combs) (p)
    Gerald Combs, creator of Wireshark (formerly Ethereal) and Director of Open Source Projects at CACE Technologies, talks with Ron about capturing traffic in a virtual environment, such as the VMware Workstation, Fusion and Server platforms. Not for the faint of heart: Gerald explains the VMnet interface and issues in packet capture. Gerald introduces the VMnet Sniffer or Vnet Sniffer utilities and warns of their limitations and how the OS affects the capture process.
    Last modified: 11/05/10 04:31 PM ET
    Duration: 4:41
    Size: 2.15MB
  • Wireshark and VMware ESX (Gerald Combs) (p)
    Ron Nutter (TechBytes) talks with Gerald Combs, creator of Wireshark (formerly Ethereal) and Director of Open Source Projects at CACE Technologies, about capturing traffic in a virtual environment, such as the VMware Workstation, Fusion and Server platforms. Not for the faint of heart: Gerald explains the VMnet interface and issues in packet capture. Gerald introduces the VMnet Sniffer or Vnet Sniffer utilities and warns of their limitations and how the OS affects the capture process.
    Last modified: 11/05/10 04:41 PM ET
    Duration: 5:23
    Size: 2.47MB
  • Wireshark Jumpstart Seminars (Laura Chappell) (p)
    Ron Nutter (TechBytes) talks with Laura about the tremendously successful Jumpstart series launched in May 2009.
    Last modified: 11/05/10 04:19 PM ET
    Duration: 6:26
    Size: 2.95MB
  • WLAN PPI Header (t)
    Trace file of an 802.11 PPI header.
    Last modified: 08/06/09 01:46 PM ET
    Size: 420B
  • WLAN Radiotap Header (t)
    Trace file of an 802.11 packet showing the Radiotap header.
    Last modified: 08/06/09 01:46 PM ET
    Size: 396B
  • WLAN Traffic on a Plane (t)
    So much for "turn off the wireless feature" on those planes, eh? This trace was taken on a flight from LAX to SJC after the TechEd conference.
    Last modified: 08/06/09 01:45 PM ET
    Size: 9.42KB
  • Xprobe OS Fingerprinting (t)
    Trace file - Xprobe2 running against a target. Referenced in the Hacked Hosts: Network Forensics course.
    Last modified: 08/13/09 10:17 AM ET
    Size: 1.21KB