1
00:00:00,940 --> 00:00:06,750
In the previous video we saw how we can launch Wireshark, and we said that we can actually just open

2
00:00:06,840 --> 00:00:11,910
a file that contains packets that we already captured and we can start analyzing them using

3
00:00:11,910 --> 00:00:12,880
Wireshark.

4
00:00:13,230 --> 00:00:18,000
In this video I want to start sniffing packets and then generate some traffic on my Windows machine,

5
00:00:18,210 --> 00:00:22,080
and then we'll see how we can analyze these packets using Wireshark.

6
00:00:22,080 --> 00:00:26,400
So I'm already the man in the middle. As I said, you first have to be the man in the middle

7
00:00:26,400 --> 00:00:32,240
to use Wireshark, and then the traffic that's generated on the Windows machine is actually flowing

8
00:00:32,250 --> 00:00:33,340
through eth0,

9
00:00:33,390 --> 00:00:35,200
as we've seen in the previous video.

10
00:00:35,340 --> 00:00:41,310
So before I start capturing the packets I want to go to the options, and I just want to show you what

11
00:00:41,400 --> 00:00:42,400
options we can set.

12
00:00:43,110 --> 00:00:47,100
So first you can see all the interfaces that you have, and you can see the traffic generated on them,

13
00:00:47,790 --> 00:00:53,430
and you can see eth0 is actually generating some traffic every now and then because it's actually coming

14
00:00:53,430 --> 00:00:55,350
from the Windows machine.

15
00:00:55,350 --> 00:01:00,870
So in here you can select the interfaces that you want to start capturing on, and you can actually select

16
00:01:00,870 --> 00:01:06,300
more than one interface; all you have to do is just hold Ctrl and then click

17
00:01:06,300 --> 00:01:11,100
the other interfaces that you want to listen on. For example, we can just click them like this.
18
00:01:11,100 --> 00:01:19,590
But for now I actually only want to sniff on eth0. Now if we go on the Output tab you'll see that you

19
00:01:19,590 --> 00:01:22,460
have an option to store these packets somewhere.

20
00:01:22,470 --> 00:01:27,330
So again, if you only want to sniff and you don't want to analyze things, then you can

21
00:01:27,330 --> 00:01:32,340
just click on Browse and you can store the packets that you're going to sniff somewhere, and then you

22
00:01:32,340 --> 00:01:36,530
can analyze them whenever you have the time, at a different time. You can just open them with Wireshark

23
00:01:36,540 --> 00:01:41,610
like I showed you in the previous video: you can just go on File, Open and then open the packets and start

24
00:01:41,670 --> 00:01:44,340
analyzing them.

25
00:01:44,520 --> 00:01:53,180
Now I have eth0 selected and I'm just going to click on Start, and that'll start capturing packets. Anything

26
00:01:53,230 --> 00:01:57,530
that's going to flow through eth0 will be captured and it'll be displayed in here.

27
00:01:57,550 --> 00:01:58,130
Anything.

28
00:01:58,210 --> 00:02:05,770
I mean images, pictures, messages, cookies, anything that the computer does on the Internet will flow through

29
00:02:05,780 --> 00:02:09,280
eth0 and therefore will be captured by Wireshark.

30
00:02:09,550 --> 00:02:14,620
So it's not like MITMf, where it only showed us the important information. Right here

31
00:02:14,770 --> 00:02:16,060
you'll see anything.
32
00:02:16,060 --> 00:02:23,020
All the traffic that's generated. Now I want to go and generate some traffic on the target computer so

33
00:02:23,020 --> 00:02:31,170
we can analyze it here, but before I do that I'm going to go back to Bettercap and I want to start my

34
00:02:31,180 --> 00:02:39,480
HSTS caplet so I can downgrade HTTPS to HTTP, because if everything goes over HTTPS we won't be

35
00:02:39,480 --> 00:02:46,510
able to see or read anything, because like I said everything will be encrypted. So I'm going to hit Enter.

36
00:02:46,560 --> 00:02:53,190
This will work as expected. We'll go back to Wireshark, and let's go to the target computer.

37
00:02:53,280 --> 00:03:00,500
I'm going to go to google.ie and then search for some things. So for example let's search for

38
00:03:00,500 --> 00:03:01,520
zSecurity,

39
00:03:04,440 --> 00:03:08,130
and keep in mind everything is loading over HTTP in here.

40
00:03:08,130 --> 00:03:15,120
So that's why we'll be able to read and analyze everything that we're loading right here. Now let's go

41
00:03:15,120 --> 00:03:21,750
back to Wireshark and see how we can filter this information and discover the websites visited by the

42
00:03:21,750 --> 00:03:25,270
target, see the requests and all that.

43
00:03:25,440 --> 00:03:29,860
So I'm going to click on the start button to stop this.

44
00:03:29,910 --> 00:03:32,720
Now this is the main interface of Wireshark.

45
00:03:32,970 --> 00:03:36,700
And you can see that the first thing we have is each one right here.

46
00:03:36,700 --> 00:03:41,320
This is a packet. Now you'll see here the columns.

47
00:03:41,440 --> 00:03:44,210
First of all, here is the number of the packet.

48
00:03:44,260 --> 00:03:46,120
So you have this one is number one,

49
00:03:46,150 --> 00:03:53,110
number two, number three, number four. In the Time column you'll see the time when this packet was captured.

50
00:03:53,110 --> 00:03:55,890
So zero is when we first started sniffing,
51
00:03:56,020 --> 00:04:02,350
and then the time increases as we go down, and it shows when these packets were captured, when they were

52
00:04:02,350 --> 00:04:03,700
sent basically.

53
00:04:04,180 --> 00:04:05,470
You can also see the Source.

54
00:04:05,470 --> 00:04:08,890
So this is the device that the packet was sent from.

55
00:04:08,890 --> 00:04:11,830
And you can see that this one is not sent from our target.

56
00:04:11,830 --> 00:04:18,370
It's actually coming from the Internet, from a server that has this IP, and it's going to our target computer,

57
00:04:19,090 --> 00:04:21,650
which is 10.20.14.206.

58
00:04:21,700 --> 00:04:22,940
You can see the Protocol.

59
00:04:22,960 --> 00:04:24,930
So it's TCP for this one.

60
00:04:24,970 --> 00:04:27,570
You can see that it's ICMP in this one.

61
00:04:27,670 --> 00:04:30,520
And you can see that it's ARP for this.

62
00:04:30,520 --> 00:04:37,240
You can see the Length, which is the size, and you can also see Info about this packet.

63
00:04:37,280 --> 00:04:40,430
Now we can also notice that these packets have different colors.

64
00:04:40,640 --> 00:04:43,300
Usually green is TCP packets.

65
00:04:43,430 --> 00:04:45,590
Dark blue is DNS packets.

66
00:04:45,590 --> 00:04:49,940
And if we go down with that we should actually be able to find some of them.

67
00:04:50,150 --> 00:04:57,520
And you can see all of these are DNS packets. Light blue usually is UDP, but we don't have any UDP packets

68
00:04:57,520 --> 00:04:58,520
at the moment.

69
00:04:58,780 --> 00:05:04,260
And you can also see that we have some black packets, and these are TCP packets that had problems,

70
00:05:04,260 --> 00:05:06,470
that had issues.

71
00:05:06,490 --> 00:05:07,930
Now I know what you're thinking.

72
00:05:08,020 --> 00:05:15,100
There are so many packets in here, and a lot of them might not be useful to you depending on what you're

73
00:05:15,100 --> 00:05:16,510
trying to get.
74
00:05:16,510 --> 00:05:22,390
But don't worry about this. In the next lecture I'm going to show you how to filter these packets to

75
00:05:22,390 --> 00:05:28,810
only display the relevant ones, and then analyze them to extract the useful information.