[00:00:00,470] In typical traffic capturing on a network interface, there are a lot of packets received from, and delivered to, all over the network, and the internet as well. So let's see how we can take a picture of that network.

[00:00:18,440] Let's go to Kali and start Wireshark. You can start Wireshark from the Applications menu, or open a terminal window and type wireshark to start the app. Don't worry about the ampersand at the end of the command. Putting an ampersand at the end of a command causes the shell to run the process in the background. It's sort of multitasking: you can have many processes running, but only one in the foreground at any given point. The process in the foreground is the process that appears to have locked up the terminal. Whatever the first message is, it's because we are a superuser on Kali. No worries.

[00:00:57,710] Okay. The welcome page of Wireshark asks which interface we would like to listen to first. So let's have a look at the interfaces of our system. To look at the interfaces, and to remember the IP address of Kali, open a terminal and type ifconfig. There are two result sets of the ifconfig command: eth0 and lo. eth0 is the first Ethernet interface. Additional Ethernet interfaces would be named eth1, eth2, etcetera. Here we have only one.
[00:01:33,090] Now, lo is the loopback interface. This is a special network interface that the system uses to communicate with itself. eth0 is the interface that we're interested in at the moment. Double-click eth0 on the main page of Wireshark to start capturing the packets passing through our Ethernet interface.

[00:01:54,010] Now, to speed it up, let's create some network traffic. I open one of my virtual machines, OWASP BWA, and ping Kali. To stop the ping command, press Ctrl+C. Type ifconfig to learn the IP address of the machine. Now I go to another VM, Metasploitable, and ping the last VM first, and then ping Kali. Here we have a lot of ICMP and ARP traffic at the moment.

[00:02:45,140] So let's generate some traffic. I open the browser in Kali and visit the website served by the OWASP BWA machine. And for even more traffic, I visit nhs.uk, my favourite website. Okay, that's enough. Let's turn back to Wireshark.

[00:03:13,310] As you see, we have a lot of packets captured, and new packets arrive every second: ARP packets, TCP packets, TLS packets for HTTPS traffic, et cetera. Here we don't investigate the packets in detail. We want to learn about the systems which are interacting with us.
[00:03:33,530] So go to the Statistics menu and select Conversations. There are five tabs in the Conversations window by default, and we're on the IPv4 tab at the moment. Here, IP packets are grouped by address A and address B, and on each line we see how many packets have been sent up to now, the total size of the packets in bytes, the number and size of the packets from A to B and from B to A, etcetera.

[00:04:05,220] There is traffic between 8.8.8.8 and Kali. Now, I know that 8.8.8.8 is the IP address of Google DNS, so I must have set Google DNS as the DNS of my Kali. You know, I'd like to look at the network config. And yes, my DNS address is 8.8.8.8.

[00:04:35,770] In the Ethernet tab, we can see the MAC addresses of the systems. An address that is all F's means that the packet is broadcast. ARP requests are examples of this kind of packet. In the TCP tab, we can see TCP packets grouped by the addresses, and this time by ports as well, because a system may have different interactions with any other system. For example, Kali may have HTTP traffic through port 80, and at the same time it may have an SSH connection through 22 as well. In the same way as TCP, packets are grouped by IPs and ports in the UDP tab.
[00:05:20,610] We have learned a lot of live systems, IP addresses and MAC addresses, just by listening to the traffic going through our network interface. If you'd like to investigate the traffic between two machines, select the line and right-click. If you choose Apply as Filter from the menu, only these kinds of packets will be seen in Wireshark. I'll choose Find this time. As you see, an automatic query string is prepared. I can navigate between the packets by clicking the Find button.

[00:05:56,520] Go back to the Conversations window. At the bottom right there is a Conversation Types button. When you click on it, a lot of different protocols are listed. The selected five are the default selected protocols. You can add any protocol from the list. When you select one of them, a new tab is added to the Conversations window.
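The lesson above reads the Conversations window by hand. The script below is an added example, not code from the course or from Wireshark: it rebuilds the Ethernet, IPv4, TCP and UDP tabs from a classic pcap file (Wireshark defaults to pcapng; choose the pcap format in File > Save As to get this layout) and prints the display filter that "Apply as Filter" generates for a selected row. It shows the three things the window does silently: the first packet seen between two endpoints decides which side is A and which is B, a broadcast frame (ff:ff:ff:ff:ff:ff) only ever appears in the Ethernet tab, and the same pair of hosts yields one TCP row per port pair (the HTTP and SSH case from the lesson). The MAC and IP addresses and every packet in SAMPLE_PCAP are constructed for the example; only 8.8.8.8 comes from the lesson.

```python
"""Rebuild the tables of Wireshark's Statistics > Conversations window from a
pcap, plus the display filter "Apply as Filter" builds for a selected row.
Added example; every address and packet below is constructed, not captured."""
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
PCAP_MAGIC = 0xA1B2C3D4  # classic little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ip_str(raw):
    return ".".join(str(b) for b in raw)

def iter_pcap_frames(data):
    """Yield each link-layer frame of a classic pcap (24-byte global header,
    16-byte record headers). Only the little-endian magic is handled."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic (pcapng or big-endian?)")
    off = 24
    while off < len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def dissect(frame):
    """Extract only the fields the Ethernet/IPv4/TCP/UDP tabs key on."""
    pkt = {"eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]),
           "len": len(frame)}
    if struct.unpack_from("!H", frame, 12)[0] == 0x0800:  # EtherType IPv4
        ihl = (frame[14] & 0x0F) * 4
        pkt["proto"] = frame[23]
        pkt["ip_src"], pkt["ip_dst"] = ip_str(frame[26:30]), ip_str(frame[30:34])
        if pkt["proto"] in (6, 17):  # TCP/UDP: ports are the first 4 bytes of L4
            pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", frame, 14 + ihl)
    return pkt

# One key function per tab: (endpoint A, endpoint B) for this packet, or None
# when the packet does not belong in that tab (an ARP frame has no IPv4 row).
KEYS = {
    "Ethernet": lambda p: (p["eth_src"], p["eth_dst"]),
    "IPv4": lambda p: (p["ip_src"], p["ip_dst"]) if "ip_src" in p else None,
    "TCP": lambda p: ((p["ip_src"], p["sport"]), (p["ip_dst"], p["dport"]))
    if p.get("proto") == 6 else None,
    "UDP": lambda p: ((p["ip_src"], p["sport"]), (p["ip_dst"], p["dport"]))
    if p.get("proto") == 17 else None,
}

def conversations(packets, key):
    """Group packets by unordered endpoint pair. As in Wireshark, the first
    packet seen decides which side is A and which is B."""
    table = {}
    for p in packets:
        ends = key(p)
        if ends is None:
            continue
        a, b = ends
        if (b, a) in table:  # reverse direction of a pair we already track
            a, b = b, a
        row = table.setdefault((a, b), dict.fromkeys(
            ["packets", "bytes", "packets_ab", "bytes_ab", "packets_ba", "bytes_ba"], 0))
        direction = "ab" if ends == (a, b) else "ba"
        row["packets"] += 1
        row["bytes"] += p["len"]
        row["packets_" + direction] += 1
        row["bytes_" + direction] += p["len"]
    return table

def analyze(pcap_bytes):
    packets = [dissect(f) for f in iter_pcap_frames(pcap_bytes)]
    return {tab: conversations(packets, key) for tab, key in KEYS.items()}

def conversation_filter(tab, a, b):
    """Display filter for one row, in the form Wireshark's Apply as Filter uses."""
    if tab == "Ethernet":
        return f"eth.addr=={a} && eth.addr=={b}"
    if tab == "IPv4":
        return f"ip.addr=={a} && ip.addr=={b}"
    port = tab.lower() + ".port"
    return f"ip.addr=={a[0]} && {port}=={a[1]} && ip.addr=={b[0]} && {port}=={b[1]}"

# --- constructed lab traffic: hypothetical MACs/IPs, not a real capture ---
KALI_MAC, BWA_MAC, GW_MAC = "08:00:27:aa:aa:aa", "08:00:27:bb:bb:bb", "52:54:00:12:35:02"
KALI_IP, BWA_IP, DNS_IP = "10.0.2.15", "10.0.2.20", "8.8.8.8"

def ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, proto, l4):
    eth = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", "")) + b"\x08\x00"
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip_hdr + l4

def arp_request(src_mac):
    eth = bytes.fromhex(BROADCAST.replace(":", "") + src_mac.replace(":", "")) + b"\x08\x06"
    return eth + bytes(28)  # ARP body is irrelevant to the Ethernet tab; zeros suffice

def build_pcap(frames):
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                             for i, f in enumerate(frames))

SAMPLE_PCAP = build_pcap([
    arp_request(KALI_MAC),                                                     # broadcast who-has
    ipv4_frame(BWA_MAC, KALI_MAC, BWA_IP, KALI_IP, 1, b"\x08\x00" + bytes(6)),  # ping BWA -> Kali
    ipv4_frame(KALI_MAC, BWA_MAC, KALI_IP, BWA_IP, 1, b"\x00\x00" + bytes(6)),  # echo reply
    ipv4_frame(KALI_MAC, GW_MAC, KALI_IP, DNS_IP, 17, struct.pack("!HH", 40000, 53) + bytes(30)),
    ipv4_frame(GW_MAC, KALI_MAC, DNS_IP, KALI_IP, 17, struct.pack("!HH", 53, 40000) + bytes(46)),
    ipv4_frame(KALI_MAC, BWA_MAC, KALI_IP, BWA_IP, 6, struct.pack("!HH", 51234, 80) + bytes(16)),
    ipv4_frame(BWA_MAC, KALI_MAC, BWA_IP, KALI_IP, 6, struct.pack("!HH", 80, 51234) + bytes(16)),
    ipv4_frame(KALI_MAC, BWA_MAC, KALI_IP, BWA_IP, 6, struct.pack("!HH", 51235, 22) + bytes(16)),
])

if __name__ == "__main__":
    for tab, table in analyze(SAMPLE_PCAP).items():
        print(f"== {tab} ==")
        for (a, b), row in table.items():
            print(a, "<->", b, row, "|", conversation_filter(tab, a, b))
```

To run it against your own capture, replace SAMPLE_PCAP with the bytes of a pcap file read from disk. Because the ping in the sample comes from OWASP BWA first, the IPv4 row lists BWA as address A and Kali as address B, with Kali's TCP connections counted in the B to A columns; swapping the order of the first two frames would flip the row, exactly as it does in Wireshark.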