Inside Laura's Lab

Enough is Enough! No More Broken Windows

2009-08-25T10:33:00.000-07:00

No... I'm not Microsoft-bashing (today)... not really. After all, this issue is seen on other operating systems as well. I recorded information about this in the things that perplexes many new and experienced analysts.

You may be aware that Wireshark has an Expert Info Composite entry for "Window is Full" and "Frozen Window" but unfortunately, this condition can be occurring on your network without Wireshark catching it.

You can set up a butt-ugly color filter and a display filter to alert you to this condition. Let me explain...

In the picture above, I've added column for the receive window size value set in the TCP headers of each packet. It's a custom column using the syntax tcp.window_size. I also added a column for the tcp.len value so I can see how much data is contained in each packet.

Notice in packet 361 that 10.0.52.164 is advertising a window size of 2,920 bytes - enough for two 1460-byte segments to fill as Wireshark notes in packet 363 [TCP Window Full]. The full receive buffer leads the client to begin advertising a receive window size of 0. Ok... duh... We can spot that one easily!

Now look at this screenshot. This delay is caused by a window sized problem as well - but this time the window size field didn't go alt the way down to zero - its at 536 (packet 374). That's too small for the queued up TCP segment at the other side so you might as well have said "shut up" with a window zero setting.

So what can we do about this? How can we easily see that we are having this problem when Wireshark doesn't have an Expert Notification for this? Aha! Here's where your butt-uglies come into play. Make a butt ugly filter for:

(tcp.window_size < reset ="="">

Check out the Trace File Analysis: TCP In-Depth course for more information on working with TCP traffic!

Laura
Enjoy life one bit at a time!

Sexy Spread Spectrum Signals

2009-08-17T09:25:00.000-07:00

In the WLAN Analysis 101 course last month, I showed the effects of a cheap 2.4GHz phone on the wireless network by knocking myself off the network during my live video feed. Duh... I hope it made a point.

If I hadn't been picking up the RF signals around me, the death of my network connection would have been a mystery. After all, the cutoff was so sudden and folks in other locations around weren't having any problems at all.

The live course viewers saw the sudden spike in the signal as I'd told them to watch the Chanalyzer Spectral View. begin to climb near channel 1 and then SCREECH! The video came to a halt and my voice (fed through VoIP on my end) became scratchy and my words almost impossible to decipher.

The figure above shows their view at the time I attacked myself! Wow! What a hot, my connection to the online seminar engine, it felt like real life - this is what really happens in the WLAN world - and we got to experience it together.

I love looking at the Chanalyzer Spectral View - it consists of time across the X axis and frequency/channel across the Y axis. The color coding is based on signal amplitude. The closer to red, the stronger the signal. Vertical stripping indicates a consistent signal on a specific frequency. Manipulating the time controller at the bottom of the Chanalyzer window enables me to focus in on a specific area of time for a clearer picture.

The Chanalyzer/Wi-Spy Adapter products are some of the sexiest products that have come around in the industry in a long time. Displaying the live RF signals around me prior to making a presentation at a conference is like wearing a hot pair of steel stilettos. Attention-getting and very sexy (in a sick and twisted geeky way).

We've now partnered with the Metageek folks on the upcoming WLAN Analysis 101 course on September 10th - if you purchase the 2.4x or DBx Wi-Spy adapters, you'll get into the live class for free. If you already own their products, you should receive a 50% off coupon via their newsletter. As soon as we record the course, you'll also receive one-week unlimited access to the recorded course.

It's a good time to get the adapter... c'mon... you know you want one! You can order the products at www.metageek.net.

Laura
Enjoy life one bit at a time!

Ethereal is Dead!

2009-08-11T09:19:00.000-07:00

Gerald Combs created Ethereal over 11 years ago when his boss wouldn't buy him a brand spanking new Sniffer box - something about budgets and all... so Gerald told his Sniffer rep that he was going to write his own packet sniffing tool. While that Sniffer rep was still rolling around laughing, Gerald started working on Ethereal.

The name? Yeah - the name Ethereal was always an issue - how do you pronounce it? Ethereal (play wav) or Ethereal (play wav)? Many a late night has been spent huddled over pizzas in the cabling closet debating that issue. The answer - Ethereal (play wav).

Notes:

Download the latest version of Wireshark
Watch a video on how to set up the GeoIP feature at SecuityTube.
Peruse through the videos, trace files and podcasts on our media roll.
Register for the live or recorded Wireshark Jumpstart course.

It surprises me to find many folks haven't moved up to Wireshark - it is, after all, the successor to Ethereal. The same developers, the same creator, the same base code set, the same development directory structure. I can only assume those folks also have 8-track tape players and beam with pride when talking about their 'vinyl collection.

For fun, I went to visit the old ethereal.com website - I thought the old Ethereal website was taken down ages ago, but imagine that NIS is still reaping some benefit from all the misguided hits. Looking at the stats in Alexa was pretty interesting - you can see the dramatic move to Wireshark at the end of the first quarter of 2008 - but what the heck is happening with Ethereal.com in 2009?

Why are people still even hitting that site? Is everyone writing a blog entry about 'dead' software projects? Did some of my old articles and courses get reissued? Who are these Neanderthals walking among us?

It's time to upgrade to Wireshark folks. Wireshark v1.2.1 was released just a few weeks ago and fixed numerous bugs in the v1.2 release. There are still a few uglies in there, but would you rather be in a car that has a window that slowly rolls up or take a bicycle on that long drive along the network analysis road?

So perhaps today is the day to throw away those old bell bottom jeans and that mood ring (and perhaps dump those Shaper Image gift cards and Clear cards as well).

Come on - get with the times! Oh... one more thing - and you pronounce Wireshark like this (play mp3).

Laura
Enjoy life one bit at a time!

Out of Sight, Out of Mind?

2009-08-05T15:07:00.000-07:00

Embedded OS Security Issues
This month seems to be "medical industry month" around here. My email has been loaded up with various hospitals and medical facilities. One of the topics that is hot right now is 'embedded OS' security issues. For example, the three devices shown in the image above all contain Microsoft embedded operating systems - Windows Embedded CE. (See http://www.microsoft.com/windowsembedded/en-us/default.mspx)

How many hosts on your network support an embedded OS? Is the vendor keeping those hosts up-to-date with patches and security fixes? An interesting question... this is a great reason to run OS fingerprinting against the range of IP addresses supported on your network (with permission of course) to find out where the addressable devices are. Listen to the network traffic and check out the endpoint listing that Wireshark provides. Any unusual devices around?

Some of our office printers have embedded OSes in them and can tell you they've never been updated by the vendor. What outdated OS is hanging around on those boxes? We're tapping into the nets now and doing some OS fingerprinting to see what we're up against - I suggest you do the same!

Laura
Have fun one bit at a time...

One Key Sign of QoS Problems

2009-07-24T21:08:00.000-07:00

There are some trace files that SCREAM at you! If you stand too closely you can feel spit hitting your face!

In the "Top 10 Reasons Your Network is Slow" online course (course abstract), we examine one of the causes of slow network performance. We look at a trace file of traffic that has passed through a router set up with QoS. You may not be aware how obvious QoS issues can be when analyzing traffic - feed a nice steady stream through that puppy and catch the traffic on the other side to see how it performed its duties.

Look for an EKG Pattern
In a datastream that is 'steady' - as in the video streaming example shown in the picture, we look for an "EKG pattern" in data coming through the router. This pattern is seen when data is held in the queue temporarily and then released (causing the sudden jump in the IO). As you can see in the image above, we can also spot packets that are droped by the queue. (Make sure you take a trace on the other side of the router to compare the IO graphs - you want to be certain a steady stream of data is traveling towards the QoS device and any alteration in the IO pattern has not already occurred.)

Get the Trace File
Go ahead - try checking it out yourself. Open up mcaststream-queued2.pcap in Wireshark. Select Statistics > IO Graph.

What? It's not screaming at you? Aha! That is because the X axis is too large - you are looking at ants from space! Change the X axis value to 0.01 seconds.

SCREAM!!!!
Do you see it? Right around 1.10 seconds into the trace - the EKG pattern! If users are not complaining about performance then dont' sweat it. Keep an eye on times when the line drops and doesn't jump up above the average point - those are dropped packets.

I'll be teaching the "Top 10 Reasons Your Network is Slow" on July 30th - it's a fun class to teach (although last time I was demonstrating the process of jamming a wireless network and nearly killed my own seminar hosting connection - duh). Register here.

Enjoy the trace! See you online!

Laura

Brad and the Top-Secret Bl-Ear Project

2009-07-18T09:48:00.000-07:00

Brad Pitt on the cover of wired poo-pooing the bluetooth look? No way! They aren't going pre-announce an invention that I already pre-announced at TechEd?! I quickly blew through the pages of Wired Magazine's August issue to find a picture of Brad texting at the urinals with a bourbon close by (page 89).

Whew! No mention of the Bl-Ear - the exciting beta-phase invention in bluetooth beauty and buffness. It's tough to stay ahead of the game (and game mags) in technology. Sometimes you have to be... well... inventive.

Let's face it - there are tons of products we'd love to see out there - the Bl-Ear fills a need to reduce the high Nerdlook-Factor (NF) of walking around with that bluetooth device hanging off your head - don't even start spewing the "jawbone is sexy" defense with me. No one (not even Brad) looks good with electronics hanging off their aural lobes.

Bluetooth devices are the new pocket-protectors, folks. And you need to admit it.

As you may have missed the TechEd presentation in May, I've put up a short video showing the Bl-ear over at the Chappell Seminars Projects page.

Before you go out the door today, look in the mirror. Laptop - check. iPhone - check. Starbucks card - check. Bluetooth adapter - check. Now remember - accessorize, then minimize - take off the ear-tech that screams "I hope someone wants to talk to me today".

Sign up for the Bl-Ear and watch your NF drop to near-normal levels. Oh... and just wait 'til you see their upcoming Ear-Bluds! I can hardly wait.

Laura
The Bl-ear and Blear Corporation are bunk. All rights reserved.

Parents, 'Puters and Painkillers

2009-07-12T16:02:00.000-07:00

"Hi hon! How are you? How are the kids? I can't print"...

Being a technologist these days is like being the family doctor in the olden days (ok, well, family doctors are still of value but mostly for prescription drugs for fun I think.)

You know what it's like - your second cousin once removed calls - you haven't seen her since that embarrassing Thanksgiving when they pulled you into singing "Muscrat Love" with them while your inebriated Aunt tried to play the piano ("I haven't played since I was a child" - no kidding?!). [That's another story.]. "Hey... are you still into computers?" Uh... no. I'm now working at a humane beef ranch as an ozone protection analyst. Sorry.

In this case, my father was calling for help with printing. Guiding him to view the print queue won't work - the print queue icon seems invisible to him and the Start button is out of the question ("The start button... you mean the power button? Ok. I clicked it, but my computer screen is blank now."). First things first. Do you see a light on in the front of the printer ("Yes, honey. My desk lamp is always on.")? It would be a long, slow and painful process (looking for the real family doctor for those fun meds now) to guide my father to eventually unplug and replug in the printer USB cable on his laptop ("no, Dad... the printer cable doesn't plug into the wall socket...get out from under the table before you hurt yourself.").

The printer sprung to life and began printing the 32 copies of the 70-page document he'd sent to it before calling me. Rather than try to guide him through the process of clearing the print queue I just told him that there wasn't anything he could do about it. "Just get out the recycling bin, Dad." (Making notes to give Dad reams of paper next birthday and go out to plant something green while acknowledging the guilt of prioritizing my sanity over the environment).

You must have a certain level of compassion and empathy to work in the field of technical support. I really don't know how people take calls from someone like my father every day and still maintain a life of sobriety and love towards mankind. I think the key must be... Hang on... gotta cut this blog short... my Dad's calling... ("Honey... I've just downloaded Wireshark and I have a couple questions...") Gulp.

Laura
Family... can't live with 'em... can't DoS 'em (legally)

Did That Tech Just Tell Me to Go Ping Myself?

2009-07-05T15:31:00.000-07:00

"Ping 127.0.0.1 and let's look for packet loss."

"Let's reinstall the operating system."

"Oh my gawd - didn't you know ping is illegal?"

"Ping takes away the addresses of others on the network."

"Not all laptops support networking, so that might be the problem."

"Did you plug in the wireless cable yet?"

Oh yes... I keep track of the amazing comments I've heard from hotel network technicians and most recently Comcast. Many of you know the story of "Bob, the Comcast technician from hell" who ended up being a trainer for the other network technicans. I can only hope Bob is now flipping burgers somewhere.

When one of my network connections began feeling last week I pulled out my tools and began to work on identifying where the problem was. I grabbed my traffic with Wireshark and noted the high rate of packet loss. Since I know that packet loss most often occurs at an inter-network device, I began running the graphical ping in NetScanTools. I could see the rate of packet loss was around 40%. Next I began a series of traceroute operations to see where I was losing packets - and BOOM! There it was. One of the routers consistently dropped packets along the path. I even went through that target to other hosts.

All I needed to do was let the Comcast technician know which router was the problem... right?

When the Comcast technician asked me to "ping 127.0.0.1", I tried not to gag. How could this 'technician' not know the basics of TCP/IP? She pronounced traceroute as "trace-ert" with absolutely no awareness that her ignorance was spilling out over the phone.

What I experienced here is the result of skipping basic training - it's really not her fault. I blame Comcast. And guess what...? Right now we are seeing companies restrict training budgets for the folks running their networks. We're going to pay a big price in the future with unskilled and out-of-date IT professionals.

Is your company restricting training? What are you doing to keep up? Does your management know the end result of de-valuing training? Where will we be in a few months... years?

I hope the free Wireshark training courses are helping out. We are focusing on getting sponsors to open up more free online training. Let your favorite vendors know they can do something great for the industry by sponsoring a free training course.

Now off to finish the Wireshark 101 handouts for class on Tuesday! Gerald (the creator of Wireshark) will be online again to answer your questions. I hope to see you there! Register at http://www.chappellseminars.com today.

Laura

July 7th - Wireshark Jumpstart Free (Sponsored by NetOptics)

2009-07-04T22:44:00.000-07:00

The July 7th Wireshark 101 Jumpstart is sponsored by NetOptics. I approached NetOptics because my lab is filled with NetOptics taps... the Teeny Tap, my 10/100 aggregating tap, my 10/100/1000 regenerating tap and more.

In this Wireshark 101 Jumpstart, I'll be demonstrating the following features of Wireshark:

Tapping into traffic
Choosing the interface
Capture filtering
Display filtering
Capturing to file sets
Capturing with a ring buffer
Altering the time column
Display filtering
Using the Expert Info Composite
Defining profiles
Reassembling streams

We already have over 1,000 registrations and only 1,000 people will be allowed to access the live online seminar. We'll open up the 'waiting room' online approximately 20 minutes before the session to allow you to get a place in the course.

See you on Tuesday, July 7th.

Laura

Laughing at Twitter Traffic!

2009-06-27T10:00:00.000-07:00

It's true... I was laughing out loud today... at packets!

This project came out of thin air almost... I was preparing for a podcast with the ChannelWeb group (you can listen to it at http://community.crn.com/docs/DOC-1082). I was on the phone line early with the moderator and interviewers and making small talk.

I mentioned that I'd tried to do some Tweeting that morning and there were problems. I explained how I used Wireshark to determine the problem had nothing to do with my system. There seemed to be a problem with the twitter.com website.

When the interview started, Ed Moltzen (a very impressive Tweeter and interviewer) led the discussion back to my early morning problems with twitter.com. As I talked about the problem, it suddenly occurred to me that people might like to know what Tweet traffic looks like. I told Ed that I'd do an analysis of a Tweet after the podcast.

I did... I immediately got working on a clean trace showing just the Tweet. That was no easy feat since my host spewed all sorts of background traffic for unrelated processes. I began identifying and whittling away traffic that was unrelated. Finally - I sent my sample Tweet and created my analysis report. But I wasn't done...

TweetDeck was ripe for an analysis... and here's when life got really fun. It turns out that when you upload your Twitter picture it is placed on an Amazon Web Server (AWS) under the original file name. Each user has a unique user ID and the image is placed in that directory under a directory called profile_images. The picture names were hysterical!

WhatSheWants
MeNoWife
Spoon_too_big

You can read the entire report at www.chappellseminars.com/projects.html. I also released the MAC World Domination project details at that location.

Register for the newsletter over at www.chappellseminars.com/newsletter.html to keep up with the latest projects in my lab.

Now - off I go... the packets are calling!

Laura

iPhone: You're Sexy, but You Talk Too Much

2009-06-21T14:00:00.000-07:00

Last week at Sharkfest I blabbered on a bit about the chatty nature of my iPhone (3G). I equated it to a yapping Chihuahua on the network. I'm still playing around a bit with numerous trace files and will have some to give away soon, but I wanted to explain how to capture your iPhone traffic and understand one of the packets that you'll see over and over and over and (you get it) again in your traffic.

I'm hanging out today on my Vista 64 system that I host the live seminars from. (No... I do not have a sexy MAC on my desk - but I do have two televisions within 10 feet of me to constantly feed me my much-needed background noise through the day.)

Before launching Wireshark or turning on my iPhone - here's what I did:

1. I hooked up a powered USB hub and populated it with three AirPcap adapters.
2. I opened the AirPcap control panel and configured each adapter to listen to a different channel - channels 1, 6 and 11.
3. I added my encryption keys in AirPcap.

Now I launched Wireshark and selected the AirPcap Multi-Channel Aggregator interface for my capture. Then I turned on my sweet, sexy-looking iPhone and...

OUCH! I watched my iPhone locate the WLAN APs, but it did not make an authentication/association until 60 seconds after I entered my passcode. Perhaps it wanted a bit more of a commitment from me? Or flowers? Or a new case?

During the startup sequence there were some unique DHCP and ARP happenings (we'll cover in a later blog) and a slew of mDNS packets. So, you ask... what the heck is mDNS and do I want 'em on my WLAN? mDNS stands for multicast DNS and is used to discover local devices as part of the zeroconfig project definition (Apple calls it Bonjour - they are so cool!). You don't need a DNS server to discover mDNS-capable devices. mDNS runs over UDP port 5353. Just use a udp.port==5353 filter or the dns display filter in Wireshark to see all mDNS and DNS traffic or build a filter for all ip.addr==224.0.0.251 traffic (the IPv4 mDNS multicast address) or ipv6.addr==FF02::FB, in the case of IPv6.

Want to try it out? On your iPhone, search in the AppStore for mDNS Watch. It's free so install it and watch it list all the mDNS-capable devices around you. In my lab it discovered my HP Officejet Pro L7700 printer and it showed me the three ports that were open on that printer - ports 513, 80 and 9100. Hmmm... this could be interesting, couldn't it?

For more information on mDNS, visit http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt.

Now... back to that hot, sexy and really verbose iPhone to work on the strange DHCP and ARP behavior (much of which is related to Bonjour).

Wireshark v1.2 Enhancements

2009-06-12T23:29:00.000-07:00

In this week's newsletter I got carried away with details about the next version of Wireshark - it almost became a book. This blog details some of the enhancements in Wireshark v1.2.

One of the hot features that many will be thrilled about is auto-completion of display filters! HALLELUJAH! Bad typicsts rejoice (I meant to make that mistake...). Type in "i" and possible filters are shown in a drop-down list. Add a "p" and a period ("ip.") and all the possible variations of filters starting with "ip." show up. This is going to save us all a lot of time!

I already talked a bit about the GeoIP stuff in the Newletter and I'll be blogging/teaching about this a bit in the coming weeks.

There are a few changes that might sneak up on you - for example, in the Expert Info Composite area, "Window is Zero" and "Window Full" have moved to Warnings, but "Retransmissions" was not moved over - "Fast Retransmissions" are already in the Warnings area. It would be nice to have both types of retransmissions in the same window. We do now have the individual item count as well as the summary count in the tabs now, which is really nice.

There were some usability enhancements as well. For example, Wireshark v1.2 now remembers you column widths and opens up with the last configuration profile you used (watch out for this one if you're accustomed to always starting with the default profile and having to switch over).

As far as bug fixes go, the NetFlow dissector bug that could "run off with your dog, crash your truck, and write a country music song about the experience" has been fixed. No kidding - that is in the 1.2 rc1 release notes from Gerald.

Something that you may not take advantage of quite yet (but we'll cover in future newletters and online training over at chappellseminars.com is the new support for pcap-ng, the next-generation capture file format. These trace files typically end in the extension .ntar, but the recommended extension is .pcapng. This new trace file will enable us to add metadata to our trace files.

Again... the developers did a great job with this version - kudos to them all!

I'll be moving over to the new version of Wireshark for all the chappellseminars.com courses as soon as the "official" release is completed. Register for a course today!

Note: [25% Discount Code: bcbsab - use for the new Wireshark Command-Line Tools: From Editcap to Tshark - July 13, 2009 @ 10:00AM PDT/GMT-7

Survey: Chappell Seminars "Take the Reigns"

Twitter: LauraChappell

Facebook: Laura Chappell

You Can't Hide!

2009-06-01T15:08:00.000-07:00

You may be familiar with the standard old traceroute that relies on ICMP echo request and echo reply packets to identify the path to a target and verify the target reachability. If so... how many times have you not reached the target because they filter ICMP echo replies?

An example of this would be when you try to traceroute to http://www.microsoft.com/. You'll see right after you hit the msn.net domain routers you are left in the dust. It really isn't that unusual to block ICMP echo requests at servers - no one should be pinging them anyway, right?

Using TCP Traceroute
Using NetScanTools Pro, I typically use TCP traceroutes. In the Traceroute tool, click the Setup button and choose TCP (WinPcap). You can define the starting hop, timeout in miliseconds, and retries at this point, but I go directly down to the TCP Trace Specific area.

Here's how the TCP Traceroute works - NetScanTools sends out a series of TCP SYN (handshake) packets to the target. It increments the Time-to-Live (TTL) value in the IP header (just as an ICMP traceroute does) to locate routers along the path who respond with ICMP Time to Live Exceeded in Transit messages. When the hop count is high enough to allow the TCP SYN to make it to the target, that target MUST respond - hey those are the rules of TCP. The target must respond with either a TCP SYN/ACK (indicating the target port is open) or a RST (reset, indicating the target port is closed). In this case, we don't really care if the target port is open or closed - we're just trying to get the roundtrip time using traceroute.

Firewalled/Blocked Targets
Now we know the specs for TCP say the target must respond... but what if it doesn't? What could have happened. Well... either your TCP SYN packet never made it there or the TCP SYN/ACK or RST never made it back. Make sure you run your TCP traceroute a few times to ensure sporadic packet loss isn't to blame. Most likely it is likely a firewall or some other blocking device that in your way. You couldn't find the roundtrip time, but you did find a protected host.

FYI - NetScanTools Pro 2-for-1 Price
As you may know, NetScanTools is on my 'must have' list of tools for IT professionals. The new version (updated today) is available at www.netscantools.com. There is also a 2-for-1 sale online through June 15, 2009.

Learn More
In the upcoming "Trace Back to a Suspect Host" course (June 4) I'll demonstrate each form of traceroute along with numerous other invasive/non-invasive techniques for testing connectivity, paths, identities and relationships of targets. Register online at www.chappellseminars.com/sem-traceback.html.

Laura

Analyzing Video Spews

2009-05-24T09:42:00.000-07:00

[Follow me at www.twitter.com/laurachappell]

Have you analyzed your application traffic today?

As we prepare for the online seminar this week (see http://tinyurl.com/pputte), I played around a bit with adding video feeds to the training. GoToWebinar (our hosting solution at this time) does not support video feeds as iLinc and others do, but we found a workaround by having the LifeCam video window up in the background and showing th entire desktop.

[Personally I am not to keen on feeding video... there are many eves when I work until 3am, get up with the kids at 6am and the thought of putting on being seen in my comfy "Big Dogs" sweatshirt makes me cringe. I can't wait until virtual avatars can be synced with a voice!]

To set up this analysis I simply created a new online seminar, joined as a speaker on one computer and joined as an attendee on a second computer. I launched Wireshark on my speaker computer and started up the seminar. I joined the seminar as an attendee on the second computer.

Here's what I found about the datastream -

- When just showing the entrance slide the traffic rate averaged less than 500,000 bits/second.
- When I moved through a slide deck or showed Wiershark screens, the IO jumped infrequencly up to 2,000,000 bits/second.
- When I launched the video and showed no movement (camera pointed at the wall), the stream reached an almost steady 2,500,000 bits/second. Showing my kids jumping on the trampoline had no effect on the video stream rate - it's always sending out the current image regardless of the level of change to the video image.

I tweeted the full-size image of this over at www.twitter.com/laurachappell - you can look at it at http://twitpic.com/5ust4.

Next I'll look at iLinc's traffic with and without video enabled...

Laura

Potential Lives Where...?

2009-05-21T11:23:00.000-07:00

[Follow me at www.twitter.com/laurachappell]

I captured this image at TechEd last week.

Walking into the TechEd Live taping session I noticed the video crew was a bit more high-tech than in past years - this year they would capture the video directly to disk and reduce the video-to-production time down to less than 48 hours! Nicely done!

When I approached the video console area, I noticed the vidiots (an endearing term for those AV geeks whom I respect tremendously now...) were running on MACs. Microsoft had likely asked them to cover the MAC logo on their computer, but failed to realize the Apple logo is backlit. This made for a very interesting image when the Microsoft slogan "Potential Lives Here --->" pointed directly to the Apple logo.

One of the many interesting moments at TechEd North America - don't even get me started on the beach ball geekfest party!

Laura

Twitter Spitter

2009-05-21T08:56:00.000-07:00

The dreaded email crossed my desk just minutes ago...

My friend Wil M. asked... "Are you on Twitter yet? You need to be! :-)"

Don't even try to placate me with your old-fashioned emoticon that blatantly acknowledges that I am comfy in my old habits! I know what you want me to do - spit out my life in little twit-turds?

Who wants to read that? (Hmmm... well I am going to spend a bit of time programming my new dual-trunking scanner this morning... and then I'm analyzing the impact of adding video to an online seminar to determine minimum throughput requirements if we add video streaming to the online seminars... hmmm... that's kinda geeky, isn't it?)

Will this be a big time-suck or a productive way to keep folks up-to-date on what's happening in the lab and upcoming events? Should I keep to techie topics or give you a glimpse into my somewhat twisted life of work, motherhood, amateur race car driver, balloon-shaper, hot tubber, sock collector, people watcher and closet nun-o-phile?

You tell me... should I kill the "Bluebird of Blabbering" or feed it pellets for a bit and see if the cage cleaning process is too much... (hmm... I wonder if it would be easier to cook than turkey...)

Laura

What a Waste of an Ear!

2009-05-02T11:42:00.000-07:00

[Warning! Make sure you haven’t eaten recently before reading this blog entry.]

“The Body is Obsolete” is the claim made by freak-show “artist” Stelarc, the Australian entertainer who works primarily in Japan, Europe and the US (What? The Aussies probably can’t drink enough to keep this guy in business in the homeland?) Don’t get your bits in a bunch because I call him an entertainer – his own website offers glimpses into his “performances.” This guy is a definitely a Trekkie gone extreme.

Stelarc’s latest venture includes grafting an ear onto his forearm with plans of implanting a microphone and Bluetooth transmitter into the ear so he can ‘hear’ what his arm-ear is hearing. Why? How far away from your biological ears is your forearm, buddy? Why not implant something really useful like… an iPod? Or maybe a breathalizer? Or a real muscle so you can carry your bags of money to the bank?

Stelarc’s selection of body part and usage indicates that his is… as we say… an “AOL user.” He could have done some really cool stuff if he knew a bit more about mobile technology and constant need for speed and information. Here are some cyber-bio ideas that I hope to jot off and send to him (under the email addressing of Nurse Chappell, of course):

WiFi Interference Arm: Implant a Wi-Spy adapter in your arm (complete with antenna). Wire internally to your ‘funny bone’ so you can immediately detect strong WiFi signals or even interference (ouch!) nearby.

Storage Stomach: Since many folks are already getting their stomach’s stapled and all, there my be a bit of extra use to few drives in there – connector would be routed through your belly button so you can jack-in through that nifty belt that connects to your production machine. Hey - maybe we can use skinny people for extra off-line storage for others who have run out of room... hmmm...no wait! Instead of breast implants, we could have 'bits implants' - now that's thinking! Sexy storage!

Voice Recognition Nose: Mumble your thoughts and this nose picks up (now it’s doing the picking!) your ramblings and translates it into text format to store on the drive in your stomach or later offloading. (A hypo-allergenic version would be most desirable.)

I bet you can come up with all sorts of cyber-bio combos that would be waaaay more handy than an ear/mic in your forearm! Why isn’t this guy taking some classes in technology so he can create something we really WANT to see?

Just my 2 bits.

Laura

Free AirPcap Adapters at Sharkfest!

2009-02-17T22:38:00.000-08:00

Two things have been foremost on my plate this week - Sharkfest registration opened and the Chappell University beta program launched. I'll blog about Chappell University next - first, I want to make sure you know how to get a free AirPcap adapter to capture wireless traffic with Wireshark!

Did you catch last year's Sharkfest Developer and Users Conference? Set in a laid back campus and swarming with Wireshark developers and fantatics, Sharkfest '08 gave us all a chance to mingle, discuss Wireshark tips and tricks, banter about ideas for enhancements and toast to the 10th anniversary and growth of a simple packet capture tool called Ethereal into the industry-leading analyzer Wireshark!

Sharkfest '09 will be held at Stanford University in Palo Alto, California on June 15-18th and CACE Technologies is giving every registered attendee a FREE AIRPCAP CLASSIC ADAPTER! This is a great deal considering the conference is less than $200/day and the initial session offering is filled with basic through advanced analysis techniques for wired and wireless networking.

Check out www.cacetech.com/sharkfest.09 for details on the event and register today to get your free AirPcap adapter!

See you at Sharkfest!

Laura

BrainShare... End of an Era or Time to Change?

2008-12-17T13:13:00.000-08:00

Just moments ago I heard the final decision - BrainShare 2009 is cancelled. A wave of sadness passed through me... I thought back to the early days at the University of Utah, the Port 'o Call, speaking in the keynote room (just once), Meet the Experts partying, the concerts, the many friends I'd meet just one a year in Salt Lake City, Utah.

Novell's cancellation of BrainShare 2009 definitely marks the end of an era for me - I've presented at every BrainShare since 1998 - since before my kids were born and my hair went grey and I lived in a packet-driven world of analysis. Back in 1998 I was a young whippersnapper skulking around Novell's hallways looking for the secrets behind this networking geek lab. Ray Norda was shuffling his way down the hallway keeping an eye on things and LANalyzer was still a hardware solution owned by Excelan Corporation (which Novell would soon purchase). I was the only girl hanging around the technical support guys (for professional reasons) and truly enamored with the SuperSet guys.

Novell's announcement (and Apple pulling out of MacWorld in 2010) are indicative of our need to accept and move to a virtual world in more facets of our lives.

If you got my most recent newsletter, you saw our survey regarding virtual conferences. Times have changed, folks... no training budgets, no travel budgets and likely absolutely no conference budgets in 2009.

Can virtual conferences replace physical ones? Can we replace the human interaction and still walk away (albeit only a couple of feet) to feel satisfied that we've learned a lot in our time 'away' from the office? Can we replace the human networking aspect with something just as satisfying personally and professionally? Time will tell.

Yes... it's the end of an era... or maybe the beginning of something new and exciting... regardless, I want to thank Novell for putting on one hell of a classy show each year - one that I looked forward to participating in swore I would be at until the day they said 'don't come.'

Laura

Turkey Technology

2008-11-27T09:31:00.000-08:00

It's here again... the dreaded 'Turkey Day'. Time to be humiliated in the kitchen once again...

Three times now I have been thwarted by technology in my attempts to cook the perfect turkey.

Year 1: Bought frozen turkey; put in refrigerator to thaw. Tough getting the thermometer into the dang bird (nearly broke the hammer I used to get it in). After 3 hours, thermometer never moved off '0' - figured the thing was broken. After 4 hours and a nicely browned skin in view, pulled turkey out and dressed it up for serving only to find that the bird must have still been frozen and there were bags o' turkey guts/neck still thawing inside the bird - whoops. Chinese restaurant open today. I am thankful for Mu Shu Pork!

Year 2: Thermometer got a bad rap last year. Thawed turkey completely; pulled out all bags o' bunk; into the oven it went. After 4 hours and a nicely browned bird, the thermometer wasn't up to the desired 165 degrees. Gave it another 2 hours and it still didn't get to 165... smell indicated something wasn't right. Removed charred and whithered bird and threw away thermometer. Papa John's is open today. I am thankful for pizza!

Year 3: Martha Stewart's 'high-heat' turkey would only take 2 hours to cook an 18 pounder - no thermometer needed - guaranteed by Martha. Bought the Martha roasting pan, cranked up oven to 475 degrees and threw the damn bird in. Set timer for 2 hours and relaxed with a glass of wine. Determined not to fret over bird. After two hours, opened oven to find the turkey took the heat quite well, but Martha's roasting pan didn't - flakey pieces of some coating material wafted up in the air and was stuck to the outside of the turkey, spotting it with silver 'snowflakes' of faux aluminum or some other toxic substance. Pulled out batch of spaghetti sauce I'd made that morning just in case. MMMM.... a home cooked meal on Thanksgiving! I'm thankful for foresight and decent chardonnay from a local winery.

This Year: After 3 years of humbling experienes and technology failures, friends have stepped up to invite my family to 'stop by' on Thanksgiving. Kids a bit to excited over the idea. Hmmm... Planning on going house to house bringing store-made pies and wine. My family and I will mooch our way through Thanksgiving and hope to spare the life of one turkey this year. No technology to count on other than my car. I expect my friends will share my 'turkey travails' with all the guests - I hear it's a good dinner story... I am thankful for my friends.

Next Year: Premade turkey with lasagna as a back-up (in case the bird doesn't fit in the microwave for reheating - the oven is retired and now stores kitchen items I'll never use again).

Happy Thanksgiving to all who celebrate.

Laura

Summit08 Wraps!

2008-11-12T20:49:00.000-08:00

Puff, puff... It's a heck of a lot of work putting on a conference - hats off to the folks who do it year in and year out and actually smile through the process (they must have some strong meds). You are a sick lot, you know! Anyone care to guess how many pieces of bacon, sodas and beers were downed during the two-day Troubleshooting and Security Summit08 conference (November 4-5)? Me neither.

One of the highlights of the conference was having Gerald Combs (creator of Wireshark) join us to talk about capturing traffic in a virtual environment and Tom Quilty (BD Investigations) talking about the steps to take before and after a network breach occurs. Who ya gonna call?

It was great sitting around a table at the vendor party with those two as well as Ron Nutter from Network World as we swapped geeky war stories and shared some of the inside scoop on cybercrime events and Wireshark development (which are mutually exclusive topics, by the way). He he...

For those of you who didn't join us, you missed a great time. We played with VoIP reassembly, some ugly WLAN communications, loads of ugly file transfers caused by packet loss/high latency, a DHCP server gone awry, nasty SNMP traffic (that we configured to see using the MIB printer configuration), problems with autonegotiation, SMB2 protocol negotiation during a Vista client/Server 2008 connection, lost packets, totally pathetic websites, evidence of a "DNS walking" application, a redirector infection, SNMP scanning host and traffic hidden through port swapping.

Two nights before the conference I added a set of trace files taken at a client and a server - I really wanted to show how to alter the timestamps because one analyzer was off on the timesync and then merge the two traces together, colorizing the two sets to differentiate them. I love this stuff!

Now my days are spent buiding the Summit 08 Wrap-Up site - if you attended Summit 08 you will receive your login credentials by the end of the week. I've put together four videos covering the MS08-067 vulnerability, the trace file merging process, building and sending custom packets and the Summit 08 Wrap-Up Checklist. In addition, I have a discount code for NetScanTools Pro and Pilot/Pilot+AirPcap EX3 bundle also going up on your Wrap-Up site (you already should have the code for 50% off the Wireshark University self-paced courses - good through December 31st).

So... would we ever do the conference again? Absolutely! We've already started planning based on the feedback we received. Register for notification at http://www.chappellsummit.com/ and I'll send you an email when Summit 09 registration opens and details on the Early Bird Special pricing. Alumnae will get special discounted pricing on Summit 09.

Now... just a couple more days until I head off to Portugal for the Vantagem conference. After that, it's the ATT Live conferences in Salt Lake City and then... well... then it's 2009 and time to start development on Summit 09!

Laura

[off to the Wrath of the Lich King launch party... 2 hours and counting...]

Pimping Podcasts and Packets

2008-09-23T20:00:00.000-07:00

Well... with a title like that you just have to read this, don't ya?

Ok... there are really two subjects here - one is pimping podcasts and the other is packets, but they came together this evening with a new podcast series I am developing and a quick analysis of some podcasting traffic.

Pimping podcasts? This title came to mind as I searched for some lead-in/closing music for the upcoming podcast series. After searching for royalty-free music for a bit, I found a little ditty that turned my head (including my ears). The music was described as "70's, pimp-stylin, funkin', porn music. If prostitution is a victimless crime, then where's my wallet?"

I HAD to listen to this music!

Sure enough - this was some seriously funky music - it dripped of sexual innuendo with loads of wawawa slipping through dadum dadum with a funk beat - this could have been background music for Shaft! I could honestly imagine myself following that attitude-adjusting swank with a serious conversation about the If-Modified-Since HTTP header field! What a mood setter!

Note: We'll cover the importance of that header field in the upcoming Summit 08 (http://www.chappellsummit.com/) when analyzing web browsing traffic.

So what do packets have to do with this? Well... since I was on the topic of podcasting, I thought I'd check out the traffic rate of the recent podcast I did with Ron Nutter's Help Desk Toolchest over at Network World (http://www.networkworld.com/podcasts/nutter/) - I found that the podcast MP3 file was 31,640,580 bytes and downloaded in just over 30 seconds at an average rate of 8.77 Mbit/s. This was waaaaay bigger than the Internet radio trace I'd taken a while back when studying streaming methods and bandwidth usage. Ron's podcast runs for 65 minutes and 55 seconds. When there I injected traffic into the network to cause packet loss and higher latency, I didn't notice it at all.

Tomorrow I should finish my analysis of Spore's network traffic and have the signatures to spot and eradicate that little primordial slime off the network (oh, sure... play it at home all you want!).

Laura
Don't forget - register for the Summit by September 30th for the Early Bird Special!
http://www.chappellsummit.com/

Where the *(@#$# Have I Been?

2008-09-19T17:10:00.002-07:00

It's been ages since my last post - so where on Earth have I been (assuming I've been on Earth, of course). Good question...

I've been halfway around the world in Canberra, Australia (snoooooooze) and assorted places in the US. Mostly, however, I have been buried in the deep, dark and exotic... lab! Playing around with the VoIP analysis functions in Wireshark, cool enhancements in NetScanTools Pro and wireless views in Pilot. I'm also enjoying playing with systems that have been left naked and exposed on the Internet (eek!) - analyzing the methods used to compromise those systems.

I've also been writing a series of articles on topics ranging from "Optimize Your Network Regardless of IT Budget Cuts" (www.chappellsummit.com) to "Getting More Pool Time (aka Graphing Wireless Network Behavior with Pilot™)" (searchnetworking.techtarget.com) and "Enhancing Windows® XP Performance with RFC 1323" (also searchnetworking.techtarget.com) and a few podcasts with my friend Ron Nutter were we discussed DNS security faults, strange traffic on the network (check out the live analysis results of going to www.usatoday.com - yucko!), and Microsoft's TCP enhancements in Vista/Server 2008 (all three to air at www.networkworld.com/podcasts/nutter/).

Most excitingly, however, I've been working on the Student Manuals for the Summit (Network Analysis and Network Forensics Training) that takes place November 4-5 (www.chappellsummit.com) - I extended the Early Bird registration price until September 30th because of the hardships caused by Ike and the roller coaster ride we call the Stock Market.

Over the next two weeks I'll be releasing some of the lab information for the Summit - giving you a taste of the hands-on labs that we'll tackle together. Oh, yeah... we'll definitely do some VoIP playback and work in the wireless world! Join us for accelerated analysis/forensics training at the Summit.

Better go - it's 5:30pm and I have a few more hours-worth of trace files I want to review this evening! Yippie!

Laura

Summit 08 Registration Brings Nausea...

2008-08-15T10:15:00.000-07:00

At typical conferences, I only have a 1 hour 15 minute time slot to present information - hardly enough to do more than whet your appetite for packet-level life. It is very frustrating when I really want to ensure attendees grasp concepts and walk out with solid skills for immediate gratification. So... I cancelled most of my remaining conferences this year to focus on development of my Troubleshooting and Security Summit on November 4-5th in Las Colinas, Texas (near DFW). Visit www.chappellsummit.com or www.wiresharkU.com.

Geez... it takes a ton of work to put on a Summit/Conference! Reviewing the contract with the hotel nearly made me gag! We did select a fantastic hotel and we hope to take over the entire ballroom/meeting room area - giving us plenty of room to spread out with our laptops and great visibility for all attendees. Hey - if you're going to head out and spend time geeking out with us, you might as well be someplace nice (sorry, Detroit Days Inn... I just couldn't do it!).

I am working on the student kits and the new sets of trace files. I am most excited to work together on the new Microsoft TCP/IP stack stuff, optimization of XP communications and then the compromised host evidence area. In addition, we'll get to work with new trace files of unusual/suspicious traffic to locate their signatures and figure out how to block this crap from the network. Users get more bold every day with the dirty applications they try to run on network!

There was a major change made from the time we polled the mailing list to the current time - I want to give all attendees a copy of the WSU03: Troubleshooting Network Performance self-paced DVD course instead of the WSU02: Analyzing TCP/IP Communications. The WSU02 stuff is the perfect prerequisite to ensure you get the most out of the conference.

New trace files - new toys (uh, er... I mean tools) - hands-on labs! It's gonna be a blast! Make sure you register before September 1st to get the Early Bird Special. Ideally, I'd like to have enough attendees to ensure we take over the hotel. Oh, yeah - and hotel room discount rates are only available until October 20th.

Get the full outline and details at www.chappellsummit.com and let me know your thoughts!

Laura

No One Wipes Blood Off Their Own Face in Movies!

2008-06-30T00:10:00.000-07:00

Well... it's another late night for me... insomnia rules my world at times and I've spent the day working with the new video training interface and the lab exercises for the Pilot beta course (which is debuting on July 18th - check out the calendar page for details).

I am finally settling in to watch a movie (oh, and blogging...) - "The Interpreter" is on... a smarmy show with beautiful-but-quesionable-actress Nicole Kidman and amazingly-talented-but-no-one-I'd-let-stay-in-my-house Sean Penn. The scene that just played had Sean Penn grabbing a paper towel, wetting it down and wiping the blood off Nicole Kidman's face. Now why is it that in movies no one can wipe the blood off their own face or put a simple bandage on their cuts? Geez... if we acted the same way I'm sure we'd all be walking around with oozing wounds and blood-stained faces, hands and feet. Ok... Hollywood is not reality (I want you all to remember that when the "Mother of Invention" movie comes out - if it ever does).

On that note... I've received numerous queries about the film. Last week I spoke with the main writer - the script is on it's 10th rewrite. He asked me some questions (I'm Technical Consultant on the film) about Navy Seals and intercepting radio-control signals. Now what the hell does that have to do with my life? Oh, wait... I'm not supposed to talk about those jobs... Seriously folks... when the film does come out it will have little relationship to my real life (except for that diaper-packed suitcase scene - believe it or not - that is true).

So back to the Pilot labs now - it's just past 12:15 am and I have another 3 hours or so of energy and focus left. I'm excited about this new course - as excited as I am with Pilot. If you don't know about Pilot, check out CACE Technologies' website. I just saved myself about 10 hours creating a report for a customer by using Pilot.

Oh... gotta go - final scenes coming up - helicopters and all... hey, wait a minute! I didn't see any helicopters in my film script!!! Time to make some calls... someone in Hollywood's gonna need some Bandaids!

Laura