1
00:00:00,150 --> 00:00:07,650
So let's examine the packets and protocols with Wireshark. Wireshark is a free, open source and is the

2
00:00:07,650 --> 00:00:13,500
world's foremost network packet analyzer, and it's also the de facto standard across system and network

3
00:00:13,500 --> 00:00:20,160
administrators. Wireshark has the ability to listen and record traffic, as well as contain some pretty

4
00:00:20,160 --> 00:00:22,290
advanced filtering and reviewing options.

5
00:00:23,220 --> 00:00:30,660
So first, I'm going to visit an HTTP website and then an HTTPS website.

6
00:00:32,610 --> 00:00:34,590
Let's go to Kali and run Wireshark.

7
00:00:35,820 --> 00:00:38,970
You can open a terminal screen and type wireshark to start it.

8
00:00:40,880 --> 00:00:44,960
So these are the network interfaces that Wireshark is able to listen to.

9
00:00:46,010 --> 00:00:53,090
You open another terminal screen and run the ifconfig command to see the network interfaces. As you

10
00:00:53,090 --> 00:00:57,400
know, ifconfig stands for network interface configuration.

11
00:00:57,710 --> 00:01:03,380
So if we use the command without any parameter, it'll list all the interfaces available.

12
00:01:04,670 --> 00:01:07,850
We have eth0 as a network interface to listen to.

13
00:01:09,470 --> 00:01:14,450
So now I'll turn back to Wireshark and double click eth0 to select it.

14
00:01:15,600 --> 00:01:19,740
Now Wireshark starts to listen to the Ethernet interface of Kali.

15
00:01:20,620 --> 00:01:26,170
And to create some traffic, I'll open a web browser and just visit an arbitrary website.

16
00:01:36,660 --> 00:01:41,520
And now we have enough packets to examine, so I'll click the stop button at the upper left corner of

17
00:01:41,520 --> 00:01:43,880
Wireshark to stop listening to the traffic.

18
00:01:44,580 --> 00:01:50,820
So first we have some DNS packets to find out the IP address of the visited site.
19
00:01:51,650 --> 00:01:53,820
We'll look at these kinds of packets soon.

20
00:01:53,970 --> 00:01:56,630
But right now, let's just have a brief look.

21
00:01:57,210 --> 00:02:00,720
So a DNS query for IP version 4.

22
00:02:01,850 --> 00:02:06,630
Another DNS query for IP version 6. Don't worry about the versions right now.

23
00:02:06,650 --> 00:02:08,240
We'll cover them soon, I promise.

24
00:02:09,080 --> 00:02:14,980
These DNS queries are transferred as UDP packets in the transport layer.

25
00:02:15,500 --> 00:02:17,540
The destination port is 53.

26
00:02:18,530 --> 00:02:23,150
This is the IP packet with the source and the destination IP addresses.

27
00:02:24,090 --> 00:02:30,120
So we'll go through the layers one by one, and we'll see all these packets, datagrams and frames

28
00:02:30,120 --> 00:02:32,250
in detail, so we'll keep going.

29
00:02:33,850 --> 00:02:36,640
This is the structure of the Ethernet frame.

30
00:02:41,390 --> 00:02:46,370
First, there are two DNS queries for www dot Hacker Academy dot UK.

31
00:02:47,330 --> 00:02:55,520
One for the IPv4 address and the other one is for the IPv6 address. Because the website is redirected

32
00:02:55,520 --> 00:03:01,190
to Hacker Academy dot UK, there are two more DNS requests for this address.

33
00:03:02,540 --> 00:03:06,440
The next DNS packets are the DNS query responses.

34
00:03:06,590 --> 00:03:12,020
This response is type A, that means it's an answer for the IPv4 request.

35
00:03:12,980 --> 00:03:16,550
And here is the answer, the IP address of the website.

36
00:03:18,560 --> 00:03:26,890
Now, the DNS response packet uses UDP at the transport layer, IP at the network layer, etc.

37
00:03:28,050 --> 00:03:35,360
Here we have a TCP handshake between Kali and the web server. We'll also see this in detail later on.

38
00:03:36,770 --> 00:03:43,940
A SYN packet, a SYN-ACK as a reply and an ACK packet to complete the handshake.
39
00:03:45,970 --> 00:03:54,100
This is an HTTP GET request. We learned the IP address of the website and now the system is ready to

40
00:03:54,100 --> 00:03:55,570
receive the web page.

41
00:03:57,480 --> 00:04:00,450
HTTP protocol in the application layer.

42
00:04:01,380 --> 00:04:04,590
Now you can see the headers and the parameters of the request.

43
00:04:06,220 --> 00:04:12,700
TCP protocol in the transport layer: source port, destination port, flags, et cetera.

44
00:04:14,200 --> 00:04:16,450
IP protocol in the network layer.

45
00:04:17,760 --> 00:04:20,400
Here are the source and destination addresses.

46
00:04:21,750 --> 00:04:24,060
And the Ethernet frame in layer two.

47
00:04:26,060 --> 00:04:31,140
These are the TCP ACKs, which will build the HTTP response.

48
00:04:31,160 --> 00:04:33,470
So in this example, it's the web page.

49
00:04:33,890 --> 00:04:40,460
In other words, the response is transferred between the web server and our system as fragmented packets

50
00:04:40,460 --> 00:04:41,690
in the transport layer.

51
00:04:44,100 --> 00:04:51,900
Here's the response, 200 OK, so the web page is received, and here's the data, which is our

52
00:04:51,900 --> 00:04:52,410
web page.

53
00:04:54,020 --> 00:04:58,600
These are the response details: response type, headers, et cetera.

54
00:05:01,080 --> 00:05:08,040
Here, there's additional information produced by Wireshark which says that the response is created by

55
00:05:08,040 --> 00:05:11,640
reassembling five TCP segments or packets.

56
00:05:12,600 --> 00:05:19,230
So now I'd like to show you the difference between that and HTTPS traffic.

57
00:05:20,780 --> 00:05:24,620
So I'll go to the browser and visit an HTTPS page now.

58
00:05:26,260 --> 00:05:32,470
But before visiting the page, let's start Wireshark. Here's the start button, continue without saving.

59
00:05:34,310 --> 00:05:36,040
OK, now we have a clean sheet.

60
00:05:37,050 --> 00:05:39,160
So I'll go to the browser and hit enter.
61
00:05:39,540 --> 00:05:44,480
Wow, lots of packets in milliseconds, so we've got plenty of packets to investigate.

62
00:05:44,490 --> 00:05:46,200
Just click the stop button once again.

63
00:05:47,400 --> 00:05:55,650
OK, so the DNS request and the response packets first. Here is a response with an IPv4 address.

64
00:05:57,660 --> 00:06:04,410
Here, there's a TCP three-way handshake between Kali and port 443 of Google's web server.

65
00:06:05,430 --> 00:06:12,660
And now a Client Hello TLS packet to start the TLS handshake, again between Kali and the Google server.

66
00:06:14,060 --> 00:06:21,110
Now, to get rid of the other traffic records, I'd like to filter the results by the IP address of

67
00:06:21,110 --> 00:06:22,100
the Google server.

68
00:06:23,240 --> 00:06:30,230
Now, while the mouse pointer is on the server IP address, right click and go to Apply as Filter

69
00:06:30,560 --> 00:06:33,080
and select the Selected option.

70
00:06:34,250 --> 00:06:40,850
So as you can see here in the filter bar, the IP address is assigned as the destination IP address.

71
00:06:41,630 --> 00:06:49,040
Now we only see the traffic where the destination is the Google server, but we'd like to see

72
00:06:49,040 --> 00:06:51,310
both the incoming and the outgoing traffic.

73
00:06:51,620 --> 00:06:59,690
So I'll change the dst part of the filter to addr and click the blue arrow to activate the new filter.

74
00:07:00,350 --> 00:07:02,900
Now we can see the traffic in both directions.

75
00:07:04,110 --> 00:07:08,040
OK, so here we are at the Client Hello TLS message.

76
00:07:09,190 --> 00:07:17,800
Here are the details of the message. TLS uses the TCP protocol in the transport layer. The Google server replies with

77
00:07:17,800 --> 00:07:22,330
a Server Hello message as the second step of the TLS handshake.

78
00:07:23,400 --> 00:07:28,300
Then comes the Certificate and Server Key Exchange, and the Server
79
00:07:28,320 --> 00:07:30,720
Hello Done message is sent by the server.

80
00:07:32,330 --> 00:07:37,130
Kali sends the Client Key Exchange, the Google server sends a New Session Ticket.

81
00:07:38,300 --> 00:07:40,850
And the encrypted communication starts.

82
00:07:43,330 --> 00:07:48,040
Here is some encrypted application data, which is meaningless for others who listen to the traffic.

83
00:07:49,610 --> 00:07:55,700
And as you can see here, the message is encrypted at the application layer, so you can still see the

84
00:07:55,700 --> 00:07:59,080
source and the destination addresses, the ports, et cetera.