1
00:00:02,330 --> 00:00:06,490
Network monitors such as Wireshark really make network analysis easier.

2
00:00:06,680 --> 00:00:10,030
The analysis doesn't have to concern each individual packet.

3
00:00:10,310 --> 00:00:12,680
It may be a session or a protocol analysis.

4
00:00:12,680 --> 00:00:17,240
It can have the form of charts presenting certain relations, or hierarchy statistics showing how much

5
00:00:17,240 --> 00:00:23,200
data was sent through which protocol. The program offers such functionalities.

6
00:00:23,240 --> 00:00:29,030
You can also create your own intrusion detection system through packet colorization. Wireshark is a free

7
00:00:29,030 --> 00:00:31,830
network monitor. After preparing your file,

8
00:00:31,830 --> 00:00:36,530
simply start the network monitor and watch whether packets colored, for example, orange appear

9
00:00:36,530 --> 00:00:42,110
on the screen. Unless they do, everything is well. If certain colors start appearing,

10
00:00:42,140 --> 00:00:46,130
you immediately know what's going on, because you've previously created a coloring rule.

11
00:00:47,710 --> 00:00:53,260
The advantage of Wireshark is that it collects data sent by all types of popular networks: Ethernet, Bluetooth,

12
00:00:53,350 --> 00:01:00,140
or the less commonly used Token Ring. The data collection program uses the WinPcap library in the Windows

13
00:01:00,140 --> 00:01:06,080
environment. You can use it to collect data sent over wireless networks too. To do that, it requires the AirPcap

14
00:01:06,110 --> 00:01:11,930
adapter or a Wi-Fi adapter compatible with Wireshark. On the AirPcap website

15
00:01:11,960 --> 00:01:13,780
you can order such an adapter.

16
00:01:13,940 --> 00:01:18,030
The image you see above represents the statistics collected by Wireshark.

17
00:01:18,050 --> 00:01:23,600
This alone can let you detect suspicious situations, such as, for example, unusually high numbers of broadcasts

18
00:01:23,630 --> 00:01:26,580
or data transmission errors.

19
00:01:26,590 --> 00:01:29,600
However, there is one problem with Wireshark.

20
00:01:29,760 --> 00:01:30,860
You should not filter the data

21
00:01:30,860 --> 00:01:35,880
the program captures. If you did, you would make the same mistake as the manufacturers of firewalls and

22
00:01:35,880 --> 00:01:41,130
intrusion detection systems: you would collect information only about the known threats.

23
00:01:41,130 --> 00:01:47,100
Instead, what you'd like to do is gather all possible data and analyze them later. Before creating capture

24
00:01:47,100 --> 00:01:47,660
filters,

25
00:01:47,670 --> 00:01:50,340
you should relieve Wireshark in another way.

26
00:01:50,340 --> 00:01:52,470
Actually, you can do this in several ways.

27
00:01:53,230 --> 00:01:55,600
You can disable updating packets in real time.

28
00:01:55,600 --> 00:02:00,730
You can also disable auto-scroll, and you can disable automatic conversion of MAC and IP addresses

29
00:02:00,730 --> 00:02:02,260
to domain names.

30
00:02:02,990 --> 00:02:08,060
Also, a good way to relieve the program is to uncheck the option which reassembles fragments of IP protocol

31
00:02:08,060 --> 00:02:11,960
packets and verifies their checksums. Wireshark

32
00:02:11,960 --> 00:02:14,280
does this automatically by default.

33
00:02:14,360 --> 00:02:20,680
You can also disable TCP validation. If all of these ways do not help, you can start Wireshark from the

34
00:02:20,680 --> 00:02:24,520
command line, just in order to capture data you will analyze yourself later.

35
00:02:26,080 --> 00:02:28,900
You can customize Wireshark to suit your needs.

36
00:02:28,900 --> 00:02:30,190
This applies to all windows

37
00:02:30,190 --> 00:02:35,950
you can see in the picture below. Wireshark consists of three sections. At the top of the window you

38
00:02:35,950 --> 00:02:38,110
can observe all packets collected.

39
00:02:38,110 --> 00:02:42,700
Below are the details of the packet you selected from the top window. At the bottom is the data sent

40
00:02:42,700 --> 00:02:44,340
within the packet you selected.

41
00:02:44,620 --> 00:02:46,550
All of that can be customized to suit your needs.

42
00:02:46,560 --> 00:02:52,120
You can change the order of the columns in the main window and add or remove columns.

43
00:02:52,120 --> 00:02:54,070
You can filter the data being displayed.

44
00:02:54,070 --> 00:02:57,160
This is something completely different from filtering captured data.

45
00:02:57,160 --> 00:03:02,130
The program still captures everything, but it only shows you what interests us at the moment.

46
00:03:02,140 --> 00:03:07,030
We can also create coloring rules based on any piece of information captured by Wireshark.

47
00:03:07,030 --> 00:03:12,370
These can include, for example, combinations of TCP header fields.

48
00:03:12,570 --> 00:03:16,510
If you choose glaring colors, you'll have the perfect intrusion detection system.

49
00:03:17,740 --> 00:03:20,610
Wireshark gives you more than just real-time analysis.

50
00:03:20,740 --> 00:03:23,190
It allows you to create all kinds of reports.

51
00:03:23,410 --> 00:03:28,720
For example, you can browse through objects downloaded within the HTTP session. In a while we'll find out

52
00:03:28,750 --> 00:03:31,190
how to do that. Wireshark

53
00:03:31,200 --> 00:03:37,480
also enables you to observe the communication between computers on the TCP level or on the HTTP level.

54
00:03:37,560 --> 00:03:41,400
The program allows you to check which servers you really connect to when you type an address in your

55
00:03:41,400 --> 00:03:42,000
browser.

56
00:03:42,000 --> 00:03:44,670
For sure there will be more than one server.

57
00:03:44,670 --> 00:03:47,430
This feature has a very practical application.

58
00:03:47,430 --> 00:03:51,840
Earlier we mentioned that a simpler way of intrusion detection is to analyze the network traffic generated

59
00:03:51,840 --> 00:03:53,290
by a given program.

60
00:03:54,070 --> 00:03:58,810
Wireshark allows you to see which hosts that your computer has never connected to before it is connected

61
00:03:58,810 --> 00:03:59,710
to now.

62
00:04:00,220 --> 00:04:04,430
In the same way, you can check if the amount of sent and received data has changed.

63
00:04:04,720 --> 00:04:09,760
But to make all of this information relevant, you have to have something to compare it against. Using

64
00:04:09,760 --> 00:04:11,520
Wireshark in your network for a month or two,

65
00:04:11,560 --> 00:04:16,630
you'll acquire a reference point, because you'll learn what kind of activity is normal and which is not.

66
00:04:16,660 --> 00:04:21,310
It's much easier to get to know the characteristics of the network traffic this way than to run a pre-configured

67
00:04:21,310 --> 00:04:25,210
intrusion detection system and wait until a certain alarm goes off.

68
00:04:25,240 --> 00:04:29,320
If you'd like to consult charts, Wireshark can generate various types.

69
00:04:29,420 --> 00:04:33,940
Some are quite complex and allow, for example, the evaluation of bandwidth insertion validity.

70
00:04:35,800 --> 00:04:39,950
There is also a functionality called expert functions in Wireshark.

71
00:04:39,960 --> 00:04:42,990
The most common issues reported are non-security issues.

72
00:04:44,120 --> 00:04:47,600
Strictly speaking, it's not an intrusion detection system.

73
00:04:47,630 --> 00:04:52,460
For example, if a program performs the Xmas scan on your computer, this will not be reported as

74
00:04:52,460 --> 00:04:56,840
the Xmas scan but as an illogical combination of flags in the TCP header.