Overview
- Wireshark is a free tool that parses network packet captures. This makes it easy to read and review the contents of packet captures, but it's up to YOU to identify the normal or anomalous behavior. (Note: Intrusion detection systems can be used for this purpose as well; that was covered in CIS4360.) Here I review some intrusion detection rules, use tcpdump for capturing and reviewing packets, and then provide an introduction to Wireshark as well as the use of Wireshark filters.
Videos
Right click and 'Save As...'
Resources
Reference Materials