SEC582: Mastering TShark Packet Analysis


About the course

With SEC582, you will master performing packet analysis through TShark and learn how to solve real-world problems through 19 different labs, demos, and challenges. This is the most in-depth, hands-on packet analysis course available through SANS.


What You Will Learn
With system compromises and data breaches being reported almost daily, and with more of our activities moving online, it is imperative that network defenders have the tools and skillset to detect these compromises sooner rather than later. While attackers (advanced or not) may make every attempt to hide their suspicious activities on the compromised host, the reality is that all of their activities leave breadcrumbs on the network. This is true at every stage of the Lockheed Martin Cyber Kill Chain, whether reconnaissance is being performed or actions on objectives are being carried out. Basically, there are packets or it did not happen.

With SEC582, you will master performing packet analysis through TShark and learn how to solve real-world problems through 19 different labs, demos, and challenges. This is the most in-depth, hands-on packet analysis course available.

Course author Nik Alleyne has hands-on experience supporting and monitoring network infrastructures in organizations that span verticals such as financial services, education, media and scientific services, using both commercial and open-source solutions to detect threats. In this course, he teaches you how to use one of his favorite tools, TShark. Using TShark, he moves you from the beginner level, where you capture your first packet, to a more advanced level, where you detect buffer overflows, exfiltration and passwords, decrypt TLS and WPA2-PSK traffic, set up TShark for continuous monitoring and, ultimately, use TShark together with Python to perform threat intelligence against packet data.

Syllabus (12 CPEs)

  • SEC582.1: Introduction to TShark
  • SEC582.2: Beyond the basics of TShark

Prerequisites

  • Experience with Linux from the command line
  • A baseline understanding of cyber security topics
  • A baseline understanding of TCP/IP and networking concepts
  • A baseline understanding of application layer protocols
  • A baseline knowledge of packet capturing tools

Laptop Requirements
Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

You will need to run two copies of the supplied Linux VMware images on your laptop for the hands-on exercises that will be performed in class. Some familiarity and comfort with Linux and entering commands via the command line will facilitate your experience with the hands-on exercises.

You can use any version of Windows, macOS, or Linux, as long as your core operating system can install and run current VMware virtualization products. Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course. You also must have 8 GB of RAM or higher for the VM to function properly in the class, in addition to at least 40 gigabytes of free hard disk space.

Please download and install one of the following: VMware Workstation or VMware Fusion on your system prior to the beginning of the class. If you do not own a licensed copy of VMware Workstation or VMware Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

Operating System

Students must bring a laptop to class running any of the following OS families:

  • Windows 7, 8.1, or 10
  • macOS Mavericks, Yosemite, El Capitan, or Sierra
  • Linux-based distributions

For troubleshooting reasons, please ensure you have local administrator privileges on your laptop.

Hardware

  • x86-compatible or x64-compatible 2.0 GHz CPU minimum or higher
  • 4 GB RAM minimum, with 8 GB or higher recommended
  • A wireless network adapter
  • 10 GB available hard-drive space

As a best practice, it is strongly advised that you do not bring a system storing any sensitive data to this course.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn, as well as have a lot of fun.

Author Statement
"While my career has spanned multiple verticals, it is without a doubt that my past few years at a Managed Security Service Provider (MSSP) are what has given me visibility across a larger set of organizations. This experience puts me in a position to gain insights into what is being done or not done for monitoring. It is as a result of this insight that I'm ecstatic about leading a course which talks about monitoring using the free and open-source solution TShark.

SANS SEC582 is the course you need to give you the knowledge and confidence to perform packet analysis. This is true whether you are a network engineer or a network forensic analyst."

-- Nik Alleyne

Ways to Learn
Live Online
Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.

Who Should Attend SEC582?
  • Network Forensic Analysts looking to improve their existing skillset or validate their existing knowledge. Especially if new to the role, this training will take you from zero to hero as you gain critical skills related to packet analysis.
  • Security architects and security engineers who want to better understand how to implement continuous monitoring.
  • Red teamers and penetration testers who want to understand how their activities can be detected via both cleartext and encrypted protocols, basically how their breadcrumbs can be used by defenders.
  • Technical security managers who want to gain insights into how to take advantage of packet data.
  • Security Operations Center analysts and engineers looking to understand packet analysis, so that they can provide the appropriate perspective on detected threats.
  • Individuals looking to expand their knowledge of TShark and/or packet analysis.

Upcoming dates

  • 27 May 2021, Online
  • 07 Jul 2021, Online
