After capturing your data, you end up with a trace file. This next step is just as important as the capture itself, since you can’t properly analyze the data or come to meaningful conclusions if you’re not sure where, when and how it was captured.
This is where Wireshark’s “Capture File Properties” feature comes in. I use it to make notes about the capture, such as time markers for events, physical location, VLAN, contact info if other people were involved, and pointers to other documents that might have diagrams, configs or other info. Keep in mind that these comments are stored in the capture file itself, so the file has to be saved in pcapng format; the classic pcap format has nowhere to put them.
As a matter of personal preference, I create a folder named with the date and task and put the trace files, images, documents, config files, emails and anything else I feel is helpful in it. Don’t spend too much time deciding what to put in the folder at the very beginning. I find it easier to add files as I go along and include a brief description of why I thought that file was important. For example, I might include the Cisco or computer config to compare against after any suggested changes. This step is entirely up to you.
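To show what the “Capture File Properties” comment actually is on disk, here is an added example (my own code, not part of the original article or of Wireshark) that builds a minimal pcapng file whose Section Header Block carries the capture notes as `opt_comment` options, then reads them back. The field layouts follow the public pcapng specification; the comment strings are constructed sample notes.

```python
import struct

# pcapng constants (from the pcapng specification)
SHB_TYPE = 0x0A0D0D0A      # Section Header Block; on disk reads "\n\r\r\n" in either byte order
IDB_TYPE = 0x00000001      # Interface Description Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D
OPT_ENDOFOPT = 0
OPT_COMMENT = 1            # the option Wireshark's Capture File Properties dialog edits


def _pad4(b: bytes) -> bytes:
    """Pad to a 32-bit boundary, as every option value and block body must be."""
    return b + b"\x00" * ((4 - len(b) % 4) % 4)


def _option(code: int, value: bytes) -> bytes:
    # option length is the unpadded length; the value itself is padded
    return struct.pack("<HH", code, len(value)) + _pad4(value)


def _block(block_type: int, body: bytes) -> bytes:
    # block total length appears both before and after the body
    total = 8 + len(body) + 4
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def build_pcapng(comments, linktype=1, snaplen=65535) -> bytes:
    """Return a little-endian pcapng file: one SHB with the given comments, one IDB.

    No packets are included; Wireshark still opens it and shows the comments
    under Statistics -> Capture File Properties.
    """
    opts = b"".join(_option(OPT_COMMENT, c.encode("utf-8")) for c in comments)
    opts += struct.pack("<HH", OPT_ENDOFOPT, 0)
    # magic, major version 1, minor version 0, section length -1 (unspecified)
    shb_body = struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1) + opts
    # link type (1 = Ethernet), reserved, snaplen, then an empty option list
    idb_body = struct.pack("<HHI", linktype, 0, snaplen) + struct.pack("<HH", OPT_ENDOFOPT, 0)
    return _block(SHB_TYPE, shb_body) + _block(IDB_TYPE, idb_body)


def read_capture_comments(data: bytes):
    """Walk the blocks and collect opt_comment values from every SHB."""
    comments, off = [], 0
    while off + 12 <= len(data):
        btype, blen = struct.unpack_from("<II", data, off)
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError("corrupt block length at offset %d" % off)
        if btype == SHB_TYPE:
            magic = struct.unpack_from("<I", data, off + 8)[0]
            if magic != BYTE_ORDER_MAGIC:
                raise ValueError("not a little-endian pcapng section")
            opt_off, end = off + 8 + 16, off + blen - 4
            while opt_off + 4 <= end:
                code, length = struct.unpack_from("<HH", data, opt_off)
                if code == OPT_ENDOFOPT:
                    break
                if opt_off + 4 + length > end:
                    raise ValueError("option overruns block")
                value = data[opt_off + 4: opt_off + 4 + length]
                if code == OPT_COMMENT:
                    comments.append(value.decode("utf-8", "replace"))
                opt_off += 4 + length + ((4 - length % 4) % 4)
        off += blen
    return comments


if __name__ == "__main__":
    # constructed sample notes of the kind discussed above
    notes = ["2nd floor IDF, VLAN 20, span port gi1/0/24",
             "Contact: NOC, see ticket folder for diagrams"]
    with open("annotated.pcapng", "wb") as f:
        f.write(build_pcapng(notes))
    print(read_capture_comments(open("annotated.pcapng", "rb").read()))
```

Open the generated file in Wireshark and the two lines appear in the comment box of Capture File Properties; converting the file to classic pcap would silently drop them, which is why the notes should also live in the task folder and not only in the trace.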
In the next few articles, I will cover more packet analysis examples.