1
00:00:01,230 --> 00:00:04,110
Sometimes sifting through logs is not enough,

2
00:00:04,110 --> 00:00:11,310
and we need to retrieve raw data traversing the network. Packet captures provide the most detail when

3
00:00:11,310 --> 00:00:14,000
it comes to gathering data on a network.

4
00:00:14,070 --> 00:00:20,340
It is a raw capture of IP traffic with all the information you could ask for when troubleshooting or

5
00:00:20,340 --> 00:00:22,570
investigating a security issue.

6
00:00:23,730 --> 00:00:31,260
These captures can be fetched directly from network devices like firewalls and switches, or with a

7
00:00:31,260 --> 00:00:34,940
software tool running on a computer.

8
00:00:34,980 --> 00:00:41,430
The most popular packet capturing software tools are tcpdump and Wireshark.

9
00:00:41,430 --> 00:00:49,800
tcpdump is a utility that can be used on Linux and Mac operating systems. To show you how to use the

10
00:00:49,800 --> 00:00:53,870
tcpdump utility on a Linux machine,

11
00:00:53,880 --> 00:00:58,610
I'm going to use my Kali Linux box and start by launching a terminal.

12
00:01:01,590 --> 00:01:02,340
From the terminal,

13
00:01:02,340 --> 00:01:07,890
I use the command tcpdump, and then to capture,

14
00:01:08,050 --> 00:01:13,350
I'll use the -w option, then the name of the file.

15
00:01:13,400 --> 00:01:20,020
I'll just call this capture, and then you're going to want to make it a .pcap file.

16
00:01:20,990 --> 00:01:27,700
That's a file extension for packet captures, and then if I wanted I could actually specify specific TCP

17
00:01:27,700 --> 00:01:37,920
ports, but I'm just going to hit enter and capture all data traversing my network interface card.

18
00:01:37,920 --> 00:01:43,190
OK, so now that the packet capture's running, I'm going to generate some traffic by launching a web browser.

19
00:01:45,240 --> 00:01:46,420
Then I'll just go to a website.

20
00:01:49,590 --> 00:01:49,850
OK.
21
00:01:49,870 --> 00:01:56,490
So now that I've generated some data, there should be some traffic being captured. I'll hit Control-C

22
00:01:56,490 --> 00:01:58,060
to end the capture,

23
00:02:01,600 --> 00:02:08,220
and it shows that it captured 644 packets. To view the tcpdump capture,

24
00:02:08,260 --> 00:02:16,470
I'll use the tcpdump command again, then the -r option and the name of my capture file.

25
00:02:21,630 --> 00:02:25,830
My screen is kind of small here, so it's not a very good view, but I can easily copy this and put this

26
00:02:25,830 --> 00:02:28,320
in a text file and take a closer look at it.

27
00:02:28,320 --> 00:02:36,540
And as you can see, all the raw packets that were being generated from my Linux machine were captured

28
00:02:36,540 --> 00:02:39,730
by the tcpdump utility.

29
00:02:39,870 --> 00:02:44,400
So I just showed you how to use the tcpdump utility on a Linux machine.

30
00:02:44,400 --> 00:02:50,930
Now let's use Wireshark on a Windows computer. To obtain a copy of Wireshark,

31
00:02:50,940 --> 00:02:56,870
you can go to the Wireshark website at wireshark.org,

32
00:03:04,110 --> 00:03:09,310
and it is a free download, so you would simply download it to your desktop and run through the wizard. I already have it

33
00:03:09,330 --> 00:03:11,560
installed, so I'm just going to launch it.

34
00:03:15,710 --> 00:03:20,180
The first thing you need to do in Wireshark is pick which network interface card you want to capture

35
00:03:20,180 --> 00:03:21,430
on.

36
00:03:21,470 --> 00:03:27,590
I'm using wireless currently, so I'll double-click on my wireless network interface card, and now

37
00:03:28,490 --> 00:03:31,040
the Wireshark software is capturing data
38
00:03:31,130 --> 00:03:33,650
that leaves my wireless network interface card,

39
00:03:36,620 --> 00:03:42,880
so if I wanted to I could select one of these traffic flows, and then down below I can expand the Ethernet

40
00:03:42,950 --> 00:03:48,860
frame or IP packet information to really take a close look at the traffic.

41
00:03:48,890 --> 00:03:54,900
One cool thing about Wireshark is you can apply display filters, so if I only wanted to see what HTTP

42
00:03:54,920 --> 00:04:02,540
traffic my computer was generating, I could just type in http, which is a predefined filter, hit enter,

43
00:04:03,150 --> 00:04:07,730
and now it's only showing me HTTP traffic that's running on my computer.

44
00:04:10,490 --> 00:04:17,810
So even though packet captures are very helpful for administrators for troubleshooting and for cybersecurity

45
00:04:17,840 --> 00:04:26,660
engineers for investigations, they can also be our worst enemy, because a hacker could use a packet capturing

46
00:04:26,690 --> 00:04:31,910
tool to capture wireless or wired traffic being sent on the network.

47
00:04:32,030 --> 00:04:36,510
And that's why you want to make sure that you're always using encrypted protocols.

48
00:04:36,590 --> 00:04:43,070
For example, when you remotely access network equipment like firewalls, routers and switches, you can use

49
00:04:43,070 --> 00:04:48,220
SSH or Telnet. SSH, of course, is encrypted and is the preferred option.

50
00:04:48,320 --> 00:04:53,960
But if you were to use something like Telnet, a hacker could actually intercept your username and password,

51
00:04:54,340 --> 00:05:01,660
since Telnet data is sent in clear text. Just to show you, I will filter our capture for Telnet

52
00:05:01,670 --> 00:05:02,240
traffic.

53
00:05:05,270 --> 00:05:14,270
I'll launch a Telnet session to my core switch and I'll put in the username Cisco and password Cisco.
54
00:05:14,820 --> 00:05:22,630
So just now my computer sent a Telnet request and my username and password information in plain

55
00:05:22,640 --> 00:05:23,510
text.

56
00:05:23,520 --> 00:05:31,230
So now we go back to our packet capture software here and we look at these packet captures for my Telnet

57
00:05:31,230 --> 00:05:32,250
session.

58
00:05:32,250 --> 00:05:36,790
You can actually look through the raw data that was sent in my session.

59
00:05:36,900 --> 00:05:44,500
I can look and I can see the banner that was sent from the switch to my login prompt.

60
00:05:44,640 --> 00:05:55,010
And then you can see the data that was sent when I entered my username: I have c i s c o

61
00:05:56,050 --> 00:06:05,430
for a username, and then it shows my password as c i s c o.

62
00:06:06,180 --> 00:06:13,170
So you can see with this capture, if I was a hacker and I was able to somehow capture the data that was being

63
00:06:13,170 --> 00:06:19,140
sent in this Telnet session, I could easily look at the payload and see what username and password were

64
00:06:19,440 --> 00:06:22,310
sent to log into the switch.