Sharkfest 2013 Recap

Yesterday I returned from the annual Wireshark conference, Sharkfest 2013, and once again it has been a great conference. I had four talks (well, actually I had three, but one was scheduled to run twice and it looks like I never do a talk the same way), and one of them I did together with my coworker, Christian.

Travel Trouble

Christian and I were traveling with Scandinavian Airlines from Düsseldorf to Copenhagen and then San Francisco. At least that was the plan. We checked in in Düsseldorf at Sunday morning and were scheduled to arrive at San Francisco (SFO) in the afternoon, thanks to gaining 9 hours on our way west. That would mean that we’d miss a few talks of the conference since it started at 1:30pm, but we hadn’t been able to take an earlier flight this year for personal reasons. At the airport in Düsseldorf we could only check in for the flight to Copenhagen, but not for the next flight from Copenhagen to San Francisco, which we didn’t really give it much thought. That changed quite instantly when we got out of the airplane in Copenhagen and saw that our next flight to SFO had been canceled.

We went to the transfer desk and they had already booked me on another flight with Swiss via Zürich, but hadn’t for Christian because there was only one seat left. So we negotiated to be put on the same flight, ending up with flights operated by Air France via Paris, with a total delay of about 4 hours compared to the original flight. We asked multiple times to make sure that our luggage was checked in to SFO via Air France, but we already guessed that it would probably not arrive with us. So we took a flight to Paris, and spent a couple of hours waiting for the flight to San Francisco. Immigration at SFO was the smoothest I had ever seen, and Christian and I went to see if our luggage made it against our expectation. Of course it hadn’t.

We filed a lost baggage claim for both our suitcases, using one incident number, and got a “starter kit” (or whatever it is called) containing a T-Shirt, toothbrush and other things, so the first thing we did after picking up the car was buying some underwear for the next day or two, because the lady at the airport had told us that it could take 24 to 48 hours until the luggage arrived. She was right and wrong at the same time, because Christian got his bag the next night, but mine didn’t show up. The staff at our hotel was constantly on the phone with the Air France lost luggage service, trying to convince them that my suitcase still had not arrived – apparently, they didn’t realize that there were two pieces of luggage for two different travelers filed with just incident number. Anyway, it turned out that I spent the whole conference without my suitcase, because it finally arrived in the night before the flight home. Funny thing was that the tag on it said “Rush Delivery”:Luggage Tag

Five days to deliver a suitcase is certainly no rush delivery. Oh, and it was severely damaged, with the drag handle almost being completely broken of (I added the red horizontal lines to show you how far the handle is positioned from where it should be):Broken Drag Handle

The only reason why I could still drag the suitcase behind me was the green belt that barely kept the handle from breaking off completely. So now I have to buy a new suitcase, too.

UPDATE: apparently, it looked worse than it really was. The luggage repair shop barely spent time on it (maybe 5 minutes) and it was fixed. For 45 Euros.

The Conference

The conference was great, as it has been every year. I learned a couple of things about Ethernet from the keynote held by Rich Seifert:

  1. the thick yellow cable was made yellow because he liked the color, and it made it easy to distinguish it from power cables – which would have been bad to drill into
  2. Ethernet is now just a protocol, and not a physical specification anymore
  3. the Ethernet frame length was supposed to be 1500 bytes, with 1000 bytes reserved for payload and 500 bytes reserved for headers, but they forgot to mention that in the specs, which is why everybody uses the full 1500 for Ethernet payload
  4. it’s only 1500 bytes because of the cost for memory chips which had to buffer the frames
  5. There was a dispute on how long the FCS should be. Rich voted for 32 bit CRC, and won against 16 bit which could be done in hardware at the time.

Rich Seiferts Keynote

You can watch the keynote on YouTube. I had brought his Ethernet book with me, but since it was in my suitcase I could not have it signed. Thanks, Air France.

Other things to mention about the conference:

  1. the talks I went to very quite interesting, especially the (very brief) laptop capture shootout I had with Chris Greer. From 10,000 frames sent to my capture card by his packet generator I only captured about 1,000 while using dumpcap, saving the file to my SSD. And, most interestingly, dumpcap reported 0 drops, so I guess they were dropped at OS or driver level and dumpcap never knew about them. So it looks like standard PC network cards cannot cope with frames coming in at a very high frequency. And you don’t get a drop count.
  2. My “Top 5 false positives” talk was so crowded that people had to stand in the back. I think everybody liked it, and there was that running gag about reading the release notes once again (I can’t remember, but I don’t think I was the one bringing it up). Sorry, Hansang 🙂
    I had only time to show 5 of the 6 traces I had, but I had kinda expected that since I tend to always bring more stuff than fits into the time frame. There was no recording made but I’m thinking about doing one on my desktop in the next couple of days.
  3. I had promised to come up with a trace file sanitization talk at the end of Sharkfest 2012, so it was one of the two that I turned in for the call for papers. It got scheduled to run twice, and I think the second run was better. I was surprised that there were that many people at  Krutch theater when I did it. By the way, the trace sanitization tool called “TraceWrangler” I mostly wrote in the last twelve months can be found here: I just compiled a new version earlier today.
  4. Christian and had I mentioned to Janice that we could do another talk on network analysis over multiple network segments, and that one turned up in the agenda suddenly a few months back, so we did that one, too. It was my fourth and Christians third talk this year, so we had 7 talks in total. Not bad.
  5. I had tons of good chats with other attendees at breakfast, lunch and dinner, as well as in the breaks between sessions.
  6. The event sponsored by cPacket at the Lawrence Hall of Science up in the hills of Berkeley was great, just as it had been last year. I didn’t have a camera with me except the one in my cell phone, so I didn’t try to capture the amazing sights over the bay. I did one capturing the sunset as a back light setup though, just for the fun of it – it was a really cool location with good food and lots of beverages:Lawrence Hall of Science
  7. My idea of doing a round table discussing the PCAPng file format and how to finalize the 1.0 specification turned into an impromptu meeting at the Hackathon. We’re now going to find out what it takes to turn the existing specifications into an official RFC, and I’m going to work on a version we can turn into 1.0.
  8. Graham Bloice kindly helped me to get my Wireshark build setup to run on Windows since I had not been able to compile the sources when I had tried to set it up myself. It turned out I hadn’t made a mistake, but the source code at the time had just been broken and would not compile. Pulling down the latest version from SVN fixed that problem. Thanks, Graham!
  9. Thanks to Janice, Gerald and all the others organizing a fantastic conference, once again!

Lessons learned: if your baggage is lost, file a case per person so that they know that delivering just one piece is not enough. Oh, and of course: come to Sharkfest 2014! 🙂


Discussions — 9 Responses

  • Andy Brown June 28, 2013 on 6:23 pm

    I’m glad to hear you at least got your luggage back before you had to leave to go home. I look forward to a recording of your “Top 5 (err, 4) false positives” talk; I took furious notes during the talk at Sharkfest but I wouldn’t mind seeing it again and I’d definitely like to see the presentation of the final capture file.

  • Jasper Bongertz June 29, 2013 on 3:50 pm

    Thanks, Andy, I’ll try to find the time to do the recording – I got to buy a Camtasia license first though. I also remembered what the final trace was about, so I’ll include that one when I do the recording 😉

  • Werner Fischer July 12, 2013 on 2:17 pm

    Jasper and Christian delivered great sessions at the Sharkfest 2013. Other presenters also make it very well. The user experience for me at the event at the Clark Campus in Berkeley was so amazing and i felt badly that i’m not joining sharkfest earlier. The social events, the packet challenge and the keynotes are also well organized – a big THANK YOU to Janice Spampinato and her team – you have done a “fantastico” Wireshark Developer and User Conference 2013!

    Hopefully we can meet together next year again at Sharkfest 2014 😉

    • Jasper Bongertz Werner Fischer July 17, 2013 on 12:31 pm

      Thanks, Werner, I’m glad you liked the conference. I’ll be at Sharkfest 2014, no matter what – so see you there 😉

  • Graham Bloice July 17, 2013 on 10:49 am

    I wish all Windows build issues were as easy as ‘svn up’. Now you have a working build environment I’m looking forward to all your patches 😉

    Good to meet up again with you and Christian at SharkFest, looking forward to next year.

    • Jasper Bongertz Graham Bloice July 17, 2013 on 12:30 pm

      I guess I’ll have to learn C then… sigh 🙂 But my guess is that it will be even more work to familiarize myself with the existing code…

      Good meeting you too, and of course I’ll see you at Sharkfest next year!

  • David Freese June 19, 2015 on 4:36 am

    Came here because of this post here:

    Did you guys do any analysis of rates you could capture or write to disk at different data/packet rates?

    • Jasper Bongertz David Freese June 20, 2015 on 3:03 pm

      No, sorry, I haven’t done a specific test like this in a long time; the last one I did was about 8 years ago and isn’t valid anymore since the hardware got a lot faster in the meantime. Also, result vary a lot depending on what system does the capture (NICs, disk I/O, CPU), so it’s not easy to get good results unless you have a large test bed (and the time to do the tests)

      • David Freese Jasper Bongertz June 23, 2015 on 10:01 pm

        I’ll keep that in mind. Thanks for your work!


Leave a Reply to Jasper Bongertz Cancel reply