1
00:00:00,920 --> 00:00:05,840
So Wireshark is not a disaster movie set in the wide open sea.

2
00:00:06,140 --> 00:00:13,430
It is a free, open source and the world's foremost network packet analyzer and it is the de facto

3
00:00:13,430 --> 00:00:20,360
standard across system and network administrators. With a graphical user interface, Wireshark has the

4
00:00:20,360 --> 00:00:25,790
ability to listen and record traffic as well as advanced filtering and reviewing options.

5
00:00:26,480 --> 00:00:32,900
So I'm going to visit an HTTP website first, then an HTTPS website.

6
00:00:34,910 --> 00:00:36,890
Let's go to Kali and run Wireshark.

7
00:00:38,120 --> 00:00:41,270
You can open a terminal screen and type wireshark to start it.

8
00:00:43,180 --> 00:00:47,260
So these are the network interfaces that Wireshark is able to listen to.

9
00:00:48,320 --> 00:00:55,400
You open another terminal screen and run the ifconfig command to see the network interfaces. As you

10
00:00:55,400 --> 00:00:59,710
know, ifconfig stands for network interface configuration.

11
00:01:00,020 --> 00:01:05,690
So if we use the command without any parameter, it'll list all the interfaces available.

12
00:01:06,950 --> 00:01:10,160
We have eth0 as a network interface to listen to.

13
00:01:11,780 --> 00:01:16,760
So now I'll turn back to Wireshark and double click eth0 to select it.

14
00:01:17,930 --> 00:01:22,040
Now Wireshark starts to listen to the Ethernet interface of Kali.

15
00:01:22,920 --> 00:01:28,470
And to create some traffic, I'll open a Web browser and just visit an arbitrary Web site.

16
00:01:38,960 --> 00:01:43,820
And now we have enough packets to examine, so I'll click the stop button at the upper left corner of

17
00:01:43,820 --> 00:01:46,190
Wireshark to stop listening to the traffic.

18
00:01:46,880 --> 00:01:53,120
So first we have some DNS packets to find out the IP address of the visited site.
19
00:01:53,960 --> 00:01:56,120
We'll look at these kinds of packets soon.

20
00:01:56,270 --> 00:01:58,930
But right now, let's just have a brief look.

21
00:01:59,510 --> 00:02:03,020
So a DNS query for the IP version 4.

22
00:02:04,180 --> 00:02:08,930
Another DNS query for IP version 6. Don't worry about the versions right now.

23
00:02:08,950 --> 00:02:10,540
We'll cover them soon, I promise.

24
00:02:11,380 --> 00:02:17,280
These DNS queries are transferred as UDP packets in the transport layer.

25
00:02:17,800 --> 00:02:19,840
The destination port is 53.

26
00:02:20,840 --> 00:02:25,460
This is the IP packet with the source and the destination IP addresses.

27
00:02:26,390 --> 00:02:32,450
So we'll go through the layers one by one, and we'll see all these packets, datagrams and frames

28
00:02:32,450 --> 00:02:34,550
in detail, so we'll keep going.

29
00:02:36,190 --> 00:02:38,950
This is the structure of the Ethernet frame.

30
00:02:43,700 --> 00:02:48,680
First, there are two DNS queries for www Hacker Academy dot UK.

31
00:02:49,630 --> 00:02:57,820
One for the IPv4 address and the other one is for the IPv6 address. Because the website is redirected

32
00:02:57,820 --> 00:02:59,470
to Hacker Academy dot UK,

33
00:02:59,770 --> 00:03:03,490
there are two more DNS requests for this address.

34
00:03:04,840 --> 00:03:12,070
The next DNS packets are the DNS query responses. This response is type A, that means it's an answer

35
00:03:12,070 --> 00:03:14,320
for the IPv4 request.

36
00:03:15,310 --> 00:03:18,850
And here is the answer, the IP address of the website.

37
00:03:20,860 --> 00:03:29,190
Now, the DNS response packet uses UDP at the transport layer, IP at the network layer, etc.

38
00:03:30,350 --> 00:03:37,660
Here we have a TCP handshake between Kali and the Web server. We'll also see this in detail later on.

39
00:03:39,070 --> 00:03:46,240
A SYN packet, a SYN-ACK as a reply and an ACK packet to complete the handshake.
40
00:03:48,270 --> 00:03:56,400
This is an HTTP GET request. We learned the IP address of the website and now the system is ready to

41
00:03:56,400 --> 00:03:57,870
receive the Web page.

42
00:03:59,810 --> 00:04:02,750
HTTP protocol in the application layer.

43
00:04:03,710 --> 00:04:06,890
Now you can see the headers and the parameters of the request.

44
00:04:08,530 --> 00:04:15,000
TCP protocol in the transport layer: source port, destination port, flags, et cetera.

45
00:04:16,500 --> 00:04:18,750
IP protocol in the network layer.

46
00:04:20,060 --> 00:04:22,700
Here are the source and destination addresses.

47
00:04:24,060 --> 00:04:26,370
And the Ethernet frame in layer two.

48
00:04:28,360 --> 00:04:33,390
These are the TCP packets which will build the HTTP response.

49
00:04:33,460 --> 00:04:35,780
So in this example, it's the Web page.

50
00:04:36,190 --> 00:04:42,760
In other words, the response is transferred between the Web server and our system as fragmented packets

51
00:04:42,760 --> 00:04:43,990
in the transport layer.

52
00:04:46,390 --> 00:04:54,070
Here's the HTTP response, 200 OK, so the webpage is received and here's the data, which is

53
00:04:54,070 --> 00:04:54,730
our Web page.

54
00:04:56,320 --> 00:05:00,900
These are the response details: response type, headers, et cetera.

55
00:05:03,380 --> 00:05:10,340
Here, there's additional information produced by Wireshark which says that the response is created by

56
00:05:10,340 --> 00:05:13,940
reassembling five TCP segments or packets.

57
00:05:14,900 --> 00:05:21,530
So now I'd like to show you the difference between that and HTTPS traffic.

58
00:05:23,080 --> 00:05:26,920
So I'll go to the browser and visit an HTTPS page now.

59
00:05:28,560 --> 00:05:34,770
But before visiting the page, let's start Wireshark. Here's the start button, continue without saving.

60
00:05:36,610 --> 00:05:38,340
OK, now we have a clean sheet.

61
00:05:39,320 --> 00:05:41,460
So I'll go to the browser and hit enter.
62
00:05:41,840 --> 00:05:46,780
Wow, lots of packets in milliseconds, so we've got plenty of packets to investigate.

63
00:05:46,790 --> 00:05:48,500
Just click the stop button once again.

64
00:05:49,700 --> 00:05:57,980
OK, so the DNS request and the response packets first. Here is a response with an IPv4 address.

65
00:05:59,960 --> 00:06:06,710
Here, there's a TCP three-way handshake between Kali and port 443 of Google's Web server.

66
00:06:07,760 --> 00:06:14,960
And now a Client Hello TLS packet to start the TLS handshake, again between Kali and the Google server.

67
00:06:16,370 --> 00:06:23,390
Now, to get rid of the other traffic records, I'd like to filter the results by the IP address of

68
00:06:23,390 --> 00:06:24,380
the Google server.

69
00:06:25,570 --> 00:06:32,530
Now, while the mouse pointer is on the server IP address, right click and go to Apply as Filter

70
00:06:32,860 --> 00:06:35,380
and select the Selected option.

71
00:06:36,550 --> 00:06:43,150
So as you can see here in the filter bar, the IP address is assigned as the destination IP address.

72
00:06:43,960 --> 00:06:51,340
Now we only see the traffic where the destination is the Google server, but we'd like to see

73
00:06:51,340 --> 00:06:53,610
both the incoming and the outgoing traffic.

74
00:06:53,920 --> 00:07:01,990
So I'll change the dst part of the filter to addr and click the blue arrow to activate the new filter.

75
00:07:02,680 --> 00:07:05,200
Now we can see the traffic in both directions.

76
00:07:06,410 --> 00:07:10,340
OK, so here we are at the Hello TLS message.

77
00:07:11,460 --> 00:07:20,100
Here are the details of the message. TLS uses the TCP protocol in the transport layer. The Google server replies with

78
00:07:20,100 --> 00:07:24,660
a Server Hello message as the second step of the TLS handshake.

79
00:07:25,700 --> 00:07:30,600
Then comes the Certificate and Server Key Exchange, and the Server
80
00:07:30,620 --> 00:07:32,990
Hello Done message is sent by the server.

81
00:07:34,630 --> 00:07:35,910
Kali sends the Client Key

82
00:07:36,100 --> 00:07:39,430
Exchange. The Google server sends a New Session Ticket.

83
00:07:40,630 --> 00:07:43,150
And the encrypted communication starts.

84
00:07:45,640 --> 00:07:50,320
Here is some encrypted application data, which is meaningless for others who listen to the traffic.

85
00:07:51,910 --> 00:07:58,030
And as you can see here, the message is encrypted at the application layer, so you can still see the

86
00:07:58,030 --> 00:08:01,380
source and the destination addresses, the ports, et cetera.

87
00:08:02,480 --> 00:08:05,900
This is how an IPv4 packet is seen on Wireshark.

88
00:08:07,010 --> 00:08:12,980
So it's a DNS query response; the fields we mentioned are seen pretty clearly.

89
00:08:14,060 --> 00:08:14,960
Version is 4.

90
00:08:16,680 --> 00:08:20,280
Header length is five words, which means no options.

91
00:08:21,630 --> 00:08:23,550
Total length is 96 bytes.

92
00:08:24,700 --> 00:08:27,490
The MF and DF flags are not set.

93
00:08:28,700 --> 00:08:32,890
And you can see the source and the destination addresses and all the rest.