Free Wireshark Training Course Online

Take a free Wireshark Jumpstart training class online at

Thursday, March 27, 2008

The "HackTool Virus" is Re-Released

Ah... it must be March. The frantic and outwardly snickering emails are flooding in - "did you know..." The excited caller exclaims, "Your Laura's Lab Kit has a virus on it! Really! I just put it in my drive and my virus detection software came up with a warning about the HackTool Virus! Another virus detection package says the DVD has a Hacker Tool virus as well. One of the applications, Cain and Abel, is infected!"

Note: The new Laura's Lab Kit v9 ISO image can be downloaded from:

Ok, ok... before you get your iPod cables in a bunch, one vendor blew it by calling this the HackTool virus when they should have simply said you've got a hacker tool there, bubba. Let's quickly look at a description of the "Hacker Tool" designation from one of the VD (virus detection) vendors:

F-Secure's Description of "HackerTool"

Hacker Tool (generic description)
Hacker Tool is usually a standalone file. In many cases such tools are used by hackers to perform certain actions on a compromised computer, for example to crack passwords or to scan for vulnerable computers. It should be noted that such tools are sometimes used by system administrators.

Our corporate customers prefer hacker tools to be detected by F-Secure Anti-Virus. If a system administrator still wants to use a hacker tool, he can exclude the tool's file from scanning. For ordinary users, running such tools should be prohibited.

Here's the scoop... the HackTool or Hacker Tools designation does indicate that there is a potentially unwanted program on your computer or on connected media. You do want to know about that, don't you? The Laura's Lab Kit always contains some programs that could potentially be nasty if used in the wrong hands -- Cain and Abel always makes VDs spew forth complaints. Even sweet little Wireshark can cause VDs to scream bloody murder.

Don't get me wrong, you probably do want to know when there's a HackTool issue on your system - a message that your system is infected with the HackTool.rootkit virus should make your skin crawl. But before you freak out about Laura's Lab Kit, check out which tools are associated with the HackTool warning - they may become your favorite security research tools and replace your lost hours on World of Warcraft with the thrill of idle scanning or redirecting traffic using ICMP (instead of plain old ARP).
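Here is the triage the post is describing, as an added example (not from the post or from any scanner vendor): sort scan hits into "known tool on the lab-kit media", "hacker tool somewhere it should not be" and "genuinely investigate", so a generic HackTool designation is reviewed rather than treated as an infection. The report layout, the drive letter, the lab-kit directory names and the detection strings are all constructed for the example.

```python
"""Triage a scan report so HackTool/riskware hits get reviewed, not panicked over."""
import re
from collections import defaultdict

# Constructed sample report in a simple "path<TAB>detection" layout (not real scanner output).
SAMPLE_REPORT = """\
D:\\Tools\\CainAbel\\ca_setup.exe\tHackTool.Win32.Cain
D:\\Tools\\Wireshark\\wireshark-setup.exe\tHackerTool (generic)
C:\\Users\\laura\\Desktop\\scanner.exe\tHackTool.Scanner
C:\\Windows\\System32\\drivers\\hidden.sys\tHackTool.rootkit
C:\\Users\\laura\\Downloads\\invoice.exe\tTrojan.Win32.Agent
"""

# Assumption: directories the lab-kit DVD ships its tools in, and the drive it is mounted on.
LAB_KIT_DIRS = {"CainAbel", "Wireshark"}
REMOVABLE_DRIVES = ("D:",)
HACKTOOL_RE = re.compile(r"hack(er)?\s*tool", re.IGNORECASE)


def classify(path, detection):
    """Return 'known-tool', 'review' or 'investigate' for one scan hit."""
    # A real malware family name, or a HackTool name qualified with "rootkit",
    # indicates compromise rather than a dual-use tool: investigate it.
    if "rootkit" in detection.lower() or not HACKTOOL_RE.search(detection):
        return "investigate"
    on_media = path.upper().startswith(REMOVABLE_DRIVES)
    in_kit = any(part in LAB_KIT_DIRS for part in path.split("\\"))
    if on_media and in_kit:
        return "known-tool"   # expected PUA hit on the lab-kit media: review, optionally exclude
    return "review"           # a hacker tool outside the kit media: confirm who put it there


def triage(report):
    """Group every non-empty report line by its classification."""
    buckets = defaultdict(list)
    for line in report.splitlines():
        if not line.strip():
            continue
        path, detection = line.split("\t", 1)
        buckets[classify(path, detection)].append((path, detection))
    return dict(buckets)


if __name__ == "__main__":
    for bucket, hits in sorted(triage(SAMPLE_REPORT).items()):
        print(f"[{bucket}]")
        for path, detection in hits:
            print(f"  {detection:<22} {path}")
```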

Oh... and one more thing... The fact that we release Laura's Lab Kit on the ides of March is purely coincidence! Now get back to work!


Tuesday, March 25, 2008

No Free Sharkfest Booze!

Putting together a conference is a hell of a lot of work - and I'm not even doing all the difficult stuff for Sharkfest, the first Wireshark User and Developer conference taking place next week (March 31-April 2 in Los Altos, California). Visit for the session list and registration information.

It was a major coup to get Vint Cerf out to Sharkfest! What a line-up! We'll have Gerald there teaching how to create dissectors, and Loris will be showing the hot new graphing and reporting tool for Wireshark. My Monday presentation was altered so Loris could join me and show this hot tool in action.

Geez... the show bags, the logistics, the marketing, the presenters, the signage, the food... the FOOD!
I am shocked at how much conference people eat! I am thrilled we don't have to supply the booze for the conference!

Conference attendees’ concentration levels change as their blood alcohol levels adjust throughout the week. During the first day, their bodies are relatively free of booze toxins (BTs). As the week progresses, the BT level increases as does the sleep deprivation (SD) level. I prefer teaching morning sessions at conferences unless my BT/SD levels are also accelerated. As the week progresses, I see more eyelids than the eye shadow tester brush in the front aisle at Sephora (a very popular cosmetic pusher located in airports and swanky shopping malls. Nothing costs less than US $20... unless it is orange... or is that popular now?).

Private "voluntary class attendees" usually want to be in the class. That doesn’t mean they can give you their full attention, however. They are balancing work responsibilities, family responsibilities and their reputations. They are often in class with a peer, senior member of their firm or some junior smartass who wants to take their job. I do not fault them for being distracted and late to return from the breaks – I appreciate that they could give me a moment of their attention – let alone 6-1/2 hours a day for numerous days in a row.

Private-class "forced attendees" are just warm bodies in the room. They don’t want to be there, but some management mucky muck has decided that this class will suddenly make them worth the paperwork used to hire them. Since I truly do believe the topics I teach are important and make more effective and efficient network troubleshooters and better security technicians, these are the worst students to encounter. Many times I’ve considered handing out the Certificate of Completion papers during the first morning break, thereby weeding out these indentured students from the rest of the class.

Well - the music is blaring and it's time to play with beta products - hopefully, I will see you at Sharkfest... or at least I'll see your eyelids!


Saturday, March 22, 2008

No Rest for the Wicked?

The flight home from Utah was uneventful - primarily because I slept the entire time. Thanks so much to the BrainShare attendee who sat next to me and let me snooze uninterrupted for the short flight. My voice is recovering nicely after going for 24 hours without speaking (to the delight of all around me).

I decided to stop by the office for a quick 'check in' - yipes! The office was crammed with boxes of all sizes - nearly floor to ceiling. Hoping I hadn't hit eBay after a late night of Port o' Calling last week, I nonchalantly asked Angela 'what's in the boxes?' She raced over to rip one open (apparently these were not tipsy eBay purchases - phew!) - Sharkfest conference goodies!

Sharkfest is just 9 days away! Eek! Time flies when conference time rolls around. It promises to be an interesting conference considering you have some of the premier Wireshark contributors coming from all over the world to sit face-to-face with Gerald Combs, Loris Degioanni and Gianluca Varenni. In addition, we'll all get to spend more time with Pilot, the new graphing and reporting tool for Wireshark. I showed Pilot during the Meet-the-Experts night at BrainShare. CACE Technologies ( is expected to release Pilot on March 31st! Keep an eye out for it. Check out the entire Sharkfest schedule at the CACE Technologies site when you get a chance.

One of the myriad boxes in the office held the 'shark shaped shirts' (glad I did not have a rum and coke before trying to say that). These shirts are a bit freaky, if you ask me. They are compressed and squeezed into the shape of a shark. Although everyone assures me that a slight bump on the box will not cause sudden decompression and the boxes will not explode with shirts and fill up all the breathing room around... I am staying away from those boxes!

So... as I sit here gazing out the window at a 70-degree plus day, I find myself putting together the schedule for the coming week in the lab:
  1. Finalize my Sharkfest presentations (one session has a last-minute enhancement)
  2. Do the final review of the Wireshark Certification Test question bank
  3. Upgrade my old Windows 2003 servers to Windows 2008 servers
  4. Perform daily updates to my Pilot Beta software and give it a good workout
  5. Organize all the business cards and contacts received during BrainShare
  6. Review, clean and release some of the trace files gathered last week
  7. Finish up and turn in Microsoft project "R"
  8. Record at least three hours of the new NetScanTools course (coming soon)

Yup - the week will be busy and filled with exciting new projects and opportunities. Before I head into my lab and immerse myself in packets (especially those 'ICMP Communication Administratively Prohibited' packets), however, I will catch a few moments in the sun to ward off a fluorescent-light pallor...


Wednesday, March 19, 2008

BrainShare Highlights

It’s Wednesday and we’re exhausted from the non-stop activity this year at BrainShare. The sponsor party last night seemed to fit the audience - the theme was World of Warcraft, but there were Halo characters (Master Sergeant) and many Wii systems set up in the various booths. Only a few more months until WiiFit comes out - wonder if that would be welcomed as warmly as Wii bowling...?

After the vendor party, we joined NetVision upstairs in the Port o’ Call to "bust a move"! Only one person fell on the dance floor (and it wasn’t me!) - a definite improvement over past years. Amazing how much my feet hurt early in the evening, but as the evening unfolded I couldn’t even feel my feet.

This afternoon we hit the OpenAudio booth to record a conversation recapping some of my sessions and talking a bit about Thursday’s scheduled videocast at the Meet the Experts event. I will be giving away the hidden secrets in the Laura’s Lab Kit during that session and talk about other cool tools related to troubleshooting and security. The OpenAudio booth was swelteringly hot inside, but the recording was (as always) a hoot! This time Brenda joined us for the taping - tomorrow she will be recording on her own... next thing you know, she’ll be taking over my sessions. See
for more information.

Speaking of sessions - head over to the FIN BIT page at
to get the slides from the four BrainShare presentations.

Again, Novell gave me access to the double conference room and had tables and power strips setup up for the BYOL (Bring Your Own Laptop) sessions. It is a great configuration for conferences.

For those of you who are not at the show, don’t forget to download the new Laura’s Lab Kit v9 from
The ISO image is 3.3 GB, so start the download and go have a good lunch or dinner... That is also where you will find the latest animated articles.

Now it’s time to catch up with a few hundred emails that are overflowing my inbox! Must... hang... in... there... must... stay... awake...