I love packet analysis
- TAGS:CACE Technologies, Kismet, Laura Chappell, Mike Kershaw, packet analysis, protocol analysis, Ryan Woodings, Wi-Fi, Wi-Fi Pilot, Wireshark
- IT TOPICS:Infrastructure Management, Mobile, Networking, Security
Do you love packet analysis as much as I do? If so, then you'll probably remember the scene in the movie "The Matrix" where Neo is looking at the Matrix over one of the analysts' shoulders and asks what's on the screen. The analyst responds (I'm paraphrasing here) "All you see is ones and zeros. But what I see is a blonde. I see a brunette." The analyst was bragging about his packet analysis skills - his ability to look beyond each bitwise field and see the bigger picture.
The key event for such packet analysis professionals is Sharkfest. It is a multiday conference focused on both wireless and wired packet analysis with the Wireshark protocol analyzer. Wireshark is available as a free download for Windows, Macintosh, Linux, and others. In fact, version 1.2 of the software was released on the first day of the conference.
Last month, I attended the second annual Sharkfest conference, which was held June 15th-18th at Stanford University. The conference was broken up into three tracks - one for basic users, another for advanced users, and yet another for developers. Each track had awesome presenters, including Mike Kershaw (creator of Kismet), Ryan Woodings (Chief Geek at MetaGeek), and Laura Chappell (Founder of Wireshark University).
I identified two themes throughout the presentations I attended. The first is the importance of having a good baseline. Several presenters suggested that you do a baseline packet capture of a known-good environment to see what the packet flow looks like when everything is working. This makes it easier to identify when notable security or performance events are occurring on the network.
The second theme I noted was the importance of using profiles and color schemes within Wireshark. You can create custom colors to highlight certain characteristics of the packets. For example, in the wireless networking space, you could assign all data packets one color, management packets a second color, and control packets a third. This would help you analyze large amounts of data more effectively.
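To make the two themes above concrete, here is an added example (my own code, not anything shown at Sharkfest or shipped with Wireshark): it splits 802.11 frames into the same management/control/data buckets a coloring rule would use, then compares the frame-type mix of a new capture against a known-good baseline. The frames are constructed byte strings containing only the Frame Control field, and the 15% deviation threshold is an assumption you would tune for your own network.

```python
"""Classify 802.11 frames by Frame Control type and compare the mix to a baseline."""
from collections import Counter

# The same split in Wireshark display filters: wlan.fc.type == 0 (management),
# wlan.fc.type == 1 (control), wlan.fc.type == 2 (data).
FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}


def frame_type(frame: bytes) -> str:
    """Return the 802.11 frame type name taken from the first Frame Control byte.

    Frame Control is sent little-endian; in byte 0, bits 2-3 hold the type
    and bits 4-7 the subtype.
    """
    if len(frame) < 2:
        raise ValueError("frame is shorter than the 2-byte Frame Control field")
    return FRAME_TYPES[(frame[0] >> 2) & 0x3]


def type_mix(frames) -> dict:
    """Share of frames per type, e.g. {'management': 0.1, 'control': 0.3, ...}."""
    counts = Counter(frame_type(f) for f in frames)
    total = sum(counts.values())
    if total == 0:
        return {name: 0.0 for name in FRAME_TYPES.values()}
    return {name: counts[name] / total for name in FRAME_TYPES.values()}


def compare_to_baseline(baseline_frames, current_frames, threshold: float = 0.15) -> list:
    """Frame types whose share moved more than `threshold` away from the baseline mix.

    The threshold is an assumed value; pick one from your own known-good captures.
    """
    baseline = type_mix(baseline_frames)
    current = type_mix(current_frames)
    return sorted(name for name in baseline if abs(current[name] - baseline[name]) > threshold)


# Constructed sample frames: only the 2-byte Frame Control field is present.
BEACON = bytes([0x80, 0x00])    # type 0 (management), subtype 8
ACK = bytes([0xD4, 0x00])       # type 1 (control), subtype 13
DATA = bytes([0x08, 0x00])      # type 2 (data), subtype 0
QOS_DATA = bytes([0x88, 0x00])  # type 2 (data), subtype 8

# Constructed "known-good" capture: 1 beacon, 3 acks, 6 data frames.
BASELINE_CAPTURE = [BEACON] + [ACK] * 3 + [DATA] * 4 + [QOS_DATA] * 2
# Constructed later capture where management frames dominate.
LATER_CAPTURE = [BEACON] * 6 + [ACK] * 2 + [DATA] * 2

if __name__ == "__main__":
    print("baseline mix:", type_mix(BASELINE_CAPTURE))
    print("types that drifted:", compare_to_baseline(BASELINE_CAPTURE, LATER_CAPTURE))
```

On a real capture you would feed in the raw 802.11 frames from your capture file instead of the constructed ones; the classification logic is unchanged.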
One complementary tool to Wireshark that was demonstrated in several sessions was the Wi-Fi Pilot tool. In the spirit of full disclosure, both Wireshark and Wi-Fi Pilot are managed by the same company, CACE Technologies (who also hosted Sharkfest). Wi-Fi Pilot allows packet analysts to create numerous charts and graphs, which are called "views". There are over 30 views built into the current version of Wi-Fi Pilot, and additional views are planned for future releases. A couple of my favorite views are "Channel Utilization vs. Time" and "Retransmission Overview". See? I really *do* love packet analysis.
Beyond all the great instructors, it was nice to meet all the other attendees. Personally, I was excited to meet "The WLAN Iconoclast", Keith Parsons. Keith writes an excellent wireless blog at http://wlaniconoclast.blogspot.com/ and micro-blogs on Twitter @keithparsons.
If you are bummed that you missed this year's event, consolation prizes are available - all of the Sharkfest presentations are available online. You can also do a Twitter search for the event hashtag (#sharkfest) to review all the live micro-blogging that took place in near real time.
Douglas J. Haider is a Principal Technologist with Xirrus. He hosts a personal blog at WiFiJedi.com, and micro-blogs on Twitter @wifijedi.

