Packet Analysis - Use It or Lose It by Chris Greer

Over the past few days, I have become painfully aware that I can't really speak Spanish. In Panama, Spanish is the first language, so you have to use it every day. I took Spanish in high school, but the old saying is true: "if you don't use it, you lose it."

What does this have to do with packet analysis? Well, learning a spoken language made me realize that learning how to read packets is similar in several ways. When you think about it, protocols are simply the vehicle computers use to communicate, so aren't they kind of like a language?

First, in order to make sense of a trace file, you have to just get in there and do it! You can't just look over somebody's shoulder and become good at it. One of the best ways to learn is to roll up your sleeves, download ClearSight, and start capturing. The longer the packets go uncaptured on the wire, the longer you will be blind to what is really going on! To liken this to a language: no matter how much I may read about Spanish, unless I dig in and start speaking it, it won't stick.

Next, it is best to start with the basics and go from there. A guy told me yesterday to learn Spanish like a child: start with the simple stuff and progress to the harder words. With protocols, start with the simple ones such as ARP, ICMP, Spanning Tree, CDP, and OSPF. Think about it... do you know each of these protocols well enough to determine when they are contributing to a problem, and when they are working properly? Don't tear apart SQL calls and SMB file handling until you have a good handle on the lower-layer stuff.

One other similarity that comes to mind is how you retain a language. It is true: if you don't use a language, you will lose it. The same is true with packet analysis. If you only break out the analyzer once a year when Exchange comes to a screeching halt, will you remember how to read TCP sequence numbers, apply complex filters, and isolate server delay in a multi-tiered environment?

The key to being a good packet analyst is to capture and read. Learn one packet at a time, one trace at a time, one problem at a time. Nobody gets good at this stuff overnight. And just like with learning a language, it takes time, effort, and patience.
