1 00:00:00,670 --> 00:00:05,890 So Wireshark is not a disaster movie set in the wide open sea.
2 00:00:05,920 --> 00:00:11,410 It is a free, open source and the world's foremost network packet analyzer.
3 00:00:11,410 --> 00:00:19,000 And it is the de facto standard across system and network administrators with a graphical user interface.
4 00:00:19,030 --> 00:00:25,210 Wireshark has the ability to listen and record traffic, as well as advanced filtering and reviewing
5 00:00:25,210 --> 00:00:25,990 options.
6 00:00:26,110 --> 00:00:33,070 So I'm going to visit an HTTP website first, then an HTTPS website.
7 00:00:34,710 --> 00:00:36,990 Let's go to Kali and run Wireshark.
8 00:00:37,880 --> 00:00:41,420 You can open a terminal screen and type wireshark to start it.
9 00:00:42,940 --> 00:00:47,440 So these are the network interfaces that Wireshark is able to listen to.
10 00:00:48,320 --> 00:00:54,470 Then open another terminal screen and run the ifconfig command to see the network interfaces.
11 00:00:54,740 --> 00:01:02,060 So as you know, ifconfig stands for network interface configuration, so if we use the command without
12 00:01:02,060 --> 00:01:05,900 any parameter, it will list all the interfaces available.
13 00:01:06,740 --> 00:01:10,370 We have eth0 as a network interface to listen to.
14 00:01:11,450 --> 00:01:16,940 So now I'll turn back to Wireshark and double click eth0 to select it.
15 00:01:17,600 --> 00:01:24,920 Now Wireshark starts to listen to the Ethernet interface of Kali, and to create some traffic I'll open
16 00:01:24,920 --> 00:01:28,610 a web browser and just visit an arbitrary website.
17 00:01:38,790 --> 00:01:40,800 And now we have enough packets to examine.
18 00:01:40,800 --> 00:01:46,440 So I'll click the stop button at the upper left corner of Wireshark to stop listening to the traffic.
19 00:01:46,560 --> 00:01:53,370 So first we have some DNS packets to find out the IP address of the visited site.
20 00:01:53,610 --> 00:01:59,170 We'll look at these kinds of packets soon, but right now let's just have a brief look.
21 00:01:59,190 --> 00:02:03,180 So a DNS query for the IP version four.
22 00:02:03,970 --> 00:02:07,240 Another DNS query for IP version six.
23 00:02:07,270 --> 00:02:08,830 Don't worry about the versions right now.
24 00:02:08,830 --> 00:02:10,750 We'll cover them soon, I promise.
25 00:02:11,080 --> 00:02:17,470 These DNS queries are transferred as UDP packets in the transport layer.
26 00:02:17,500 --> 00:02:19,990 The destination port is 53.
27 00:02:20,570 --> 00:02:25,580 This is the IP packet with the source and the destination IP addresses.
28 00:02:26,160 --> 00:02:33,370 So we'll go through the layers one by one and we'll see all these packets, datagrams and frames in detail.
29 00:02:33,390 --> 00:02:34,710 So we'll keep going.
30 00:02:35,950 --> 00:02:39,100 This is the structure of the Ethernet frame.
31 00:02:43,400 --> 00:02:48,760 First, there are two DNS queries for www Hacker Academy UK.
32 00:02:49,460 --> 00:02:55,400 One for the IPv4 address and the other one is for the IPv6 address.
33 00:02:55,400 --> 00:03:02,960 And because the website is redirected to Hacker Academy UK, there are two more DNS requests for this
34 00:03:02,960 --> 00:03:03,650 address.
35 00:03:04,600 --> 00:03:08,650 The next DNS packets are the DNS query responses.
36 00:03:08,680 --> 00:03:14,470 This response is type A. That means it's an answer for the IPv4 request.
37 00:03:15,110 --> 00:03:16,760 And here's the answer.
38 00:03:17,030 --> 00:03:18,950 The IP address of the website.
39 00:03:20,800 --> 00:03:29,320 Now the DNS response packet uses UDP at the transport layer, IP at the network layer, etcetera.
40 00:03:30,140 --> 00:03:35,060 Here we have a TCP handshake between Kali and the web server.
41 00:03:35,090 --> 00:03:37,820 We'll also see this in detail later on.
42 00:03:39,040 --> 00:03:40,390 A SYN packet.
43 00:03:40,510 --> 00:03:46,390 A SYN-ACK as a reply and an ACK packet to complete the handshake.
44 00:03:48,030 --> 00:03:51,660 This is an HTTP GET request.
45 00:03:51,960 --> 00:03:58,050 We learned the IP address of the website and now the system is ready to receive the web page.
46 00:03:59,790 --> 00:04:02,940 HTTP protocol in the application layer.
47 00:04:03,550 --> 00:04:07,030 Now you can see the headers and the parameters of the request.
48 00:04:08,380 --> 00:04:10,910 TCP protocol in the transport layer.
49 00:04:10,930 --> 00:04:12,190 Source port.
50 00:04:12,220 --> 00:04:13,090 Destination
51 00:04:13,090 --> 00:04:15,160 port, flags, etcetera.
52 00:04:16,350 --> 00:04:18,870 IP protocol in the network layer.
53 00:04:19,850 --> 00:04:22,850 Here are the source and destination addresses.
54 00:04:23,910 --> 00:04:26,490 An Ethernet frame in layer two.
55 00:04:28,160 --> 00:04:33,350 These are the TCP packets which will build the HTTP response.
56 00:04:33,350 --> 00:04:35,990 So in this example, it's the web page.
57 00:04:36,020 --> 00:04:42,680 In other words, the response is transferred between the web server and our system as fragmented packets
58 00:04:42,680 --> 00:04:44,150 in the transport layer.
59 00:04:46,150 --> 00:04:48,340 Here's the HTTP response.
60 00:04:48,340 --> 00:04:49,140 200.
61 00:04:49,150 --> 00:04:54,880 OK, so the web page is received and here's the data, which is our web page.
62 00:04:56,110 --> 00:05:01,060 These are the response details, response type, headers, etcetera.
63 00:05:03,150 --> 00:05:03,690 Here.
64 00:05:03,690 --> 00:05:10,290 There's additional information produced by Wireshark which says that the HTTP response is created by
65 00:05:10,290 --> 00:05:14,100 reassembling five TCP segments or packets.
66 00:05:14,660 --> 00:05:21,650 So now I'd like to show you the difference between that and HTTPS traffic.
67 00:05:22,780 --> 00:05:27,040 So I'll go to the browser and visit an HTTPS page now.
68 00:05:28,290 --> 00:05:31,470 But before visiting the page, let's start Wireshark.
69 00:05:31,650 --> 00:05:33,180 Here's the start button.
70 00:05:33,330 --> 00:05:34,950 Continue without saving.
71 00:05:36,610 --> 00:05:38,470 Okay, now we have a clean sheet.
72 00:05:39,080 --> 00:05:41,630 So I'll go to the browser and hit enter.
73 00:05:41,780 --> 00:05:42,200 Wow.
74 00:05:42,230 --> 00:05:43,940 Lots of packets in milliseconds.
75 00:05:43,940 --> 00:05:46,730 So we've got plenty of packets to investigate.
76 00:05:46,730 --> 00:05:48,650 Just click the stop button once again.
77 00:05:49,640 --> 00:05:54,320 Okay, so the DNS request and the response packets first.
78 00:05:54,770 --> 00:05:58,100 Here is a response with an IPv4 address.
79 00:05:59,720 --> 00:06:06,860 Here there is a TCP three-way handshake between Kali and port 443 of Google's web server.
80 00:06:07,580 --> 00:06:08,780 And now a Client
81 00:06:08,810 --> 00:06:09,400 Hello
82 00:06:09,410 --> 00:06:15,080 TLS packet to start the TLS handshake, again between Kali and the Google server.
83 00:06:16,190 --> 00:06:19,120 Now to get rid of the other traffic records,
84 00:06:19,130 --> 00:06:24,530 I'd like to filter the results by the IP address of the Google server.
85 00:06:25,390 --> 00:06:33,130 Now while the mouse pointer is on the server IP address, right click and go to Apply as Filter and
86 00:06:33,130 --> 00:06:35,530 select the Selected option.
87 00:06:36,310 --> 00:06:43,390 So as you can see here in the filter bar, the IP address is assigned as the destination IP address.
88 00:06:43,630 --> 00:06:51,070 Now, we only have to see the traffic where the destination is the Google server, but we'd like to
89 00:06:51,070 --> 00:06:59,650 see both the incoming and the outgoing traffic, so I'll change the dst part of the filter to addr and
90 00:06:59,650 --> 00:07:02,260 click the blue arrow to activate the new filter.
91 00:07:02,380 --> 00:07:05,350 Now we can see the traffic in both directions.
92 00:07:06,410 --> 00:07:10,490 Okay, so here we are at the Hello TLS message.
93 00:07:11,280 --> 00:07:13,230 Here are the details of the message.
94 00:07:13,500 --> 00:07:17,820 TLS uses the TCP protocol in the transport layer.
95 00:07:18,150 --> 00:07:24,780 The Google server replies with a ServerHello message as the second step of the TLS handshake.
96 00:07:25,490 --> 00:07:30,560 Then comes the certificate and server key exchange, and the Server
97 00:07:30,560 --> 00:07:30,920 Hello
98 00:07:30,920 --> 00:07:33,140 Done message is sent by the server.
99 00:07:34,450 --> 00:07:36,900 Kali sends the client key exchange.
100 00:07:36,910 --> 00:07:39,550 The Google server sends a new session ticket.
101 00:07:40,420 --> 00:07:43,330 And the encrypted communication starts.
102 00:07:45,420 --> 00:07:50,460 Here is some encrypted application data, which is meaningless for others who listen to the traffic.
103 00:07:51,760 --> 00:07:56,320 And as you can see here, the message is encrypted at the application layer.
104 00:07:56,620 --> 00:08:01,480 So you can still see the source and the destination addresses, the ports, etcetera.
105 00:08:02,230 --> 00:08:06,040 This is how an IPv4 packet is seen in Wireshark.
106 00:08:06,770 --> 00:08:09,440 So it's a DNS query response.
107 00:08:09,740 --> 00:08:13,160 The fields we mentioned are seen pretty clearly.
108 00:08:14,030 --> 00:08:15,080 Version is 4.
109 00:08:16,650 --> 00:08:19,890 Header length is five words, which means no Options
110 00:08:19,890 --> 00:08:20,430 field.
111 00:08:21,540 --> 00:08:23,730 Total length is 96 bytes.
112 00:08:24,780 --> 00:08:27,600 MF and DF flags are not set.
113 00:08:28,550 --> 00:08:33,080 And you can see the source and the destination addresses and all the rest.