Where To Start Capturing Packets

Whether you’re a network engineer or security analyst, at some point you’re going to need to dive into the packets to help solve a problem. Story Time: Shortly after I earned my CCIE I was faced with a packet analysis challenge. I was on-site visiting with some teammates who managed a customer’s ne...
Published on June 05, 2022 | 10 min read

pcap Wireshark tcpdump

Docker on WSL2

For a project I was doing (building a custom VyOS ISO) I wanted to try running a container using Docker in my WSL environment on my laptop. I was told this works and read many examples on how to achieve this. While I do fancy myself as someone who pays close attention to detail, this time I was b...
Published on March 01, 2022 | 3 min read

docker WSL WSL2

WiresharkFest 2021 (US)

SharkFest, the annual Wireshark developer conference, has just concluded and I had an absolute blast! I bought a pass to all 3 pre-conference training classes (spanning 4 days) and also a full-conference pass: 2-Day Network Analysis and TCP Deep Dive with Wireshark (Chris Greer) Next Generation Pr...
Published on September 20, 2021 | 7 min read

wireshark sharkfest tcp 2021

Build Your Own IPS w/ Suricata Container on VyOS Router

In this post I’m going to walk through building a best-in-class, in-line, fail-open IPS using a Suricata container running on a VyOS router. After reading a recent blog from the VyOS dev team demonstrating an example of supporting containers natively from the VyOS CLI, I knew I had to try it with...
Published on June 13, 2021 | 11 min read

suricata vyos ips intrusion prevention

SANS: FOR572 & Passing the GNFA!!!

GIAC: Network Forensic Analyst (NFA) tl;dr This is not a humblebrag, but if you have good experience and are a professional in at least 1 or more related fields, it might not be too difficult. On Monday (March 29, 2021) I passed my GIAC: Network Forensic Analyst certification exam with a 92%. For s...
Published on April 19, 2021 | 6 min read

sans giac certifications network forensics

Modifying PCAPng File Structure using a Raw Hex Editor

tl;dr Manually changing the LinkType in the Interface Description Block (IDB) of the PCAPng file using a hex editor will convince the packet analysis software that only 1 type of interface was available at the time of capture. WARNING: Throughout this post I reference “PCAP” and “PCAPng” int...
Published on April 14, 2021 | 9 min read

pcap hex zeek suricata brim

Working With Linux Cooked Capture Headers Using TraceWrangler

The Problem: Sometimes when loading a PCAP into various tools you get a cryptic error: an interface has a type 1 different from the type of the first interface. I had one PCAP that would generate various errors in different tools. The Evidence: Brim: See this GitHub issue I raised. Zeek: root@server:~/ct...
Published on April 12, 2021 | 3 min read

pcap tracewrangler tcpdump

My First 2 Zeek Scripts

tl;dr This blog post was for documentation purposes. Nothing to see here. Problem Statement: I need to have Zeek log every UDP packet instead of only per UDP session/conversation. Because of Zeek’s session tracking it will only log one connection “uid” at the start of a session and for all subseque...
Published on April 09, 2021 | 4 min read

zeek scripts pcap

EVE-NG: Internet Access For Your Labs

This blog outlines one of the questions I’ve been asked the most: How do I give internet access to my running images? Ever since I released my video How to run EVE-NG in Google Cloud in 2018, I have been inundated with this question and others. I finally put it all together for you and introduce ...
Published on February 28, 2021 | 3 min read

eve-ng google cloud internet access

Install EVE-NG in Google Cloud (2021 Edition)

This is an update from the content I released back in 2018. Thanks to the EVE-NG development team this process can be completed in just 15 minutes. I released a video series on Network Collective covering this topic and other EVE-NG Tips and Tricks. Process Summary: Log in to Google Cloud using you...
Published on February 28, 2021 | 4 min read

eve-ng google cloud

Today I Was Asked... Episode 1

Today I Was Asked: “When a Cisco ASA throws a ‘500003’ syslog message, was the packet forwarded or dropped?” For today’s TIWA I wasn’t sure of the answer. I needed to do some research. I built a lab, looked at PCAPs and studied the documentation. Here’s what I found. What is syslog message 500003? C...
Published on February 02, 2021 | 13 min read

t.i.w.a cisco asa scapy

How to Expand Partitions on Surface Pro

TL;DR I couldn’t expand the primary partition because there was another partition in the way. I needed to move the small partition before I could expand the primary. Background: I had a Surface Pro 4 that suffered from the ‘Battery Swelling’ issue. My Surface Pro 4 had 256GB of storage. The Microsoft ...
Published on January 09, 2021 | 4 min read

surface pro gparted partitions

Tools To Help You Stay Organized & Achieve Your Goals

Every goal should be achievable if supported by the right system. You need to have a value-adding supporting system in place that allows you to track your progress, hit your milestones and each day bring your goal closer into focus. Focus on systems, not on goals. There are lots of tools availabl...
Published on January 03, 2021 | 2 min read

2021 goals organization

This is the Start of Something New

Starting something new is exciting!!! In the recent weeks Jordan Martin and I started the Network Collective live stream. We are streaming network discussions, talking with special guests, doing trivia, having fun with current events and more. This has been a really exciting new venture that comb...
Published on December 15, 2020 | 2 min read

network collective live stream

What I learned From Sharkfest '20

I learned a ton of great things that will help me be a better network engineer and analyst. This will be a recap of a couple of important takeaways that everyone can use any time they are looking at PCAPs. If you find any of this interesting, go subscribe to the Sharkfest YouTube channel and start ...
Published on October 25, 2020 | 6 min read

sharkfest wireshark pcap

Network Field Day 23

For me it seems like #NFD23 was months ago even though it has only been a few weeks. Network Field Day (NFD) is the networking-focused event organized by Tech Field Day. It’s one of the many events they put on throughout the year. Whether you’re into wireless, security, mobility, cloud, AI or eve...
Published on October 21, 2020 | 3 min read

nfd23 network field day

New Blog, Who Dis?

We only truly grow when we accept change and try something new. - Tony E. I have had the overwhelming need to write something. To leave something behind. To show the world that 2020 hasn’t killed me and I have had all these great experiences and cool things to show and document for all the world t...
Published on October 20, 2020 | 3 min read

past present future