Wireshark Workbook – Lab 1

I’ve taken my time and enjoyed the exercises in Lab 1 of the Wireshark Workbook. It contained 25 questions to work through, and I was pleased with my own results.

As I work through the labs and questions, I’m using OneNote to really try and “show my work” and document my thoughts on how I’m reaching an answer.

This is helping as I go back and review my work. When I finished all the questions for Lab 1, I then went one question at a time, read the answer and compared how I did.

There were two interesting things I learned from this lab. The first was how to reassemble / download / view objects captured in a PCAP file. One of the questions had me download an image and report what words were in it. For this one, I literally had no idea after poking around, so I finally had to resort to looking it up online.

The second interesting thing I learned was the TCP subdissector setting that reassembles TCP streams. It is enabled by default, which isn’t a problem unless you’re looking for actual server response times. I’ll explain with this highly professional diagram:

If the HTTP request is to download an image, then with reassembling TCP streams enabled (the default), the “Time since request” value will be the time from the request to the end of the object download (the red line above). With it disabled, “Time since request” measures only the time between the request and the initial server response (the blue line above). It’s interesting, and something I didn’t know.
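To make the two measurements concrete, here is an added Python example (not code from the workbook or this post) that replays a constructed capture of one image download and computes both values: the time to the first response segment, which is the blue line and what “Time since request” shows with reassembly off, and the time to the last byte of the object, the red line you get with reassembly on. The segment timestamps, sizes and the `Segment` type are all made up for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    ts: float        # capture time in seconds, relative to the first packet
    src: str         # "client" or "server"
    payload: bytes   # TCP payload; empty for pure ACK/FIN segments

def response_timing(segments):
    """Return (time_to_first_response, time_to_full_object) for the last
    HTTP request in the stream, or None if the object never completes."""
    request_ts = first_ts = body_needed = None
    body_seen = 0
    for seg in segments:
        if seg.src == "client" and seg.payload.startswith((b"GET ", b"POST ")):
            request_ts, first_ts, body_needed, body_seen = seg.ts, None, None, 0
            continue
        if seg.src != "server" or request_ts is None or not seg.payload:
            continue
        if first_ts is None:
            # First response segment: this is where the non-reassembled
            # HTTP dissector stops the clock. Read Content-Length from it.
            first_ts = seg.ts
            head, _, body = seg.payload.partition(b"\r\n\r\n")
            for line in head.split(b"\r\n"):
                if line.lower().startswith(b"content-length:"):
                    body_needed = int(line.split(b":", 1)[1])
            body_seen += len(body)
        else:
            body_seen += len(seg.payload)
        if body_needed is not None and body_seen >= body_needed:
            # Object fully received: the reassembled dissector stops here.
            return (first_ts - request_ts, seg.ts - request_ts)
    return None

# Constructed trace: one 4000-byte image delivered in four server segments.
SAMPLE_TRACE = [
    Segment(0.000, "client", b"GET /logo.jpg HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Segment(0.012, "server", b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n"
                             b"Content-Length: 4000\r\n\r\n" + b"\xff" * 1000),
    Segment(0.095, "server", b"\x00" * 1460),
    Segment(0.180, "server", b"\x00" * 1460),
    Segment(0.310, "server", b"\x00" * 80),
    Segment(0.320, "server", b""),   # FIN, no payload: ignored
]

if __name__ == "__main__":
    first, full = response_timing(SAMPLE_TRACE)
    print(f"blue line (first response): {first:.3f}s, red line (whole object): {full:.3f}s")
```

In Wireshark the field behind “Time since request” is `http.time`, and the preference that switches between the two behaviours is Protocols > TCP > “Allow subdissector to reassemble TCP streams” (`tcp.desegment_tcp_streams` when set with tshark’s `-o`). A server that answers in 12 ms but serves a large image will look 25 times slower under the default setting, so pick the measurement that matches the question you are asking.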

Looking forward to what the next set of labs will be and what else I’ll learn!
