1
00:00:00,300 --> 00:00:06,210
In this lecture I want to spend more time with Wireshark, showing you how to filter all of these packets

2
00:00:06,450 --> 00:00:10,300
to only display the useful packets, how to trace them,

3
00:00:10,350 --> 00:00:17,910
what they mean, and how to display more information about each one of these packets.

4
00:00:17,950 --> 00:00:23,290
Now, with all we did on the target computer so far, most of the traffic that we generated was HTTP

5
00:00:23,320 --> 00:00:24,100
traffic.

6
00:00:24,100 --> 00:00:27,950
So to get rid of all this information that's hard for us to read,

7
00:00:27,970 --> 00:00:30,550
we're just gonna type in here, in the filters.

8
00:00:30,550 --> 00:00:38,290
We're just gonna type in http, hit enter, and as you can see now that's filtered all the packets

9
00:00:38,500 --> 00:00:46,710
to HTTP traffic only. So this is the traffic that was basically sent by the browser and is usually

10
00:00:46,710 --> 00:00:48,080
sent by web browsers.
11
00:00:48,090 --> 00:00:55,890
They always send traffic over HTTP, or HTTPS, since we downgraded HTTPS to HTTP, so you want

12
00:00:55,890 --> 00:01:02,280
to use the http filter to see everything that a target person is doing on the browser, regardless

13
00:01:02,280 --> 00:01:07,680
of what they're doing, whether they're browsing websites, whether they're watching a video, whether they're

14
00:01:07,680 --> 00:01:12,270
looking at images, whatever they're looking at, it will be loaded over HTTP.

15
00:01:14,830 --> 00:01:22,090
So looking at the first record right here, we can see that this request is sent from this IP, which

16
00:01:22,090 --> 00:01:28,510
is the IP of my target, to an IP on the Internet. So we can see that this is not a private IP, this is

17
00:01:28,510 --> 00:01:35,680
an IP on the Internet, so it's sent to a server. And if we double click this record we'll get much more

18
00:01:35,680 --> 00:01:38,710
information about the packet itself.

19
00:01:39,640 --> 00:01:47,170
So we have the information about the frame, which includes the size of the packet, it includes the interface

20
00:01:47,170 --> 00:01:55,930
that it was sent on, the time and all that. In the Ethernet we have information about the source MAC address

21
00:01:56,050 --> 00:01:57,940
and the destination MAC address.

22
00:01:57,940 --> 00:02:02,270
So where did this packet come from and where did it go to.

23
00:02:02,470 --> 00:02:08,170
Remember when I first spoke about the packets and how they always travelled from a source MAC

24
00:02:08,170 --> 00:02:09,560
to a destination MAC.

25
00:02:09,610 --> 00:02:16,420
So this information is all stored in here. In the Internet Protocol

26
00:02:16,460 --> 00:02:23,180
we have information about the IPs. So in the Ethernet we had information about the MAC addresses; in

27
00:02:23,180 --> 00:02:24,650
the Internet Protocol
28
00:02:24,650 --> 00:02:32,420
we have information about the source IP and the destination IP for this particular packet. And in the Transmission

29
00:02:32,420 --> 00:02:38,660
Control Protocol we have information about the port, so we can see that this went from this source port to port

30
00:02:38,740 --> 00:02:43,010
80. This is usually the default port used on web servers.

31
00:02:43,040 --> 00:02:49,610
So in most cases, whenever data is sent to a website, it will always be sent to port 80.

32
00:02:50,780 --> 00:02:58,640
But the most important part in here is the Hypertext Transfer Protocol, which is basically the data sent

33
00:02:58,850 --> 00:03:00,060
over HTTP.

34
00:03:01,220 --> 00:03:07,520
Clicking on this will give us information on whatever has been sent over HTTP, and like I

35
00:03:07,520 --> 00:03:13,710
said, this would contain everything that was sent to and from a browser.

36
00:03:13,730 --> 00:03:21,440
So right here we can see that this particular packet sent a GET request to a website called

37
00:03:21,440 --> 00:03:22,930
google.ie.

38
00:03:23,360 --> 00:03:29,180
Now this is literally when we typed google.ie; we didn't do a search for anything, we didn't really do anything.

39
00:03:29,180 --> 00:03:35,660
You can also expand this to see more information about the actual request, and you can even see the

40
00:03:35,850 --> 00:03:37,610
HTTP headers that were sent.
41
00:03:37,640 --> 00:03:45,350
If you want to get more information about this particular request. Now this whole method of getting information

42
00:03:45,350 --> 00:03:50,690
works with all types of packets, so you can double click any packet you have and you'll be able to

43
00:03:50,690 --> 00:03:58,290
read the data sent within this packet. Now you can also in here see an arrow, which basically means that

44
00:03:58,290 --> 00:04:06,650
this was a request, and the arrow back here marks that this was a response to this request right here.

45
00:04:08,280 --> 00:04:09,540
Now moving down,

46
00:04:09,570 --> 00:04:16,950
you can also see requests for images. What you can also do is click on any of these packets, for example,

47
00:04:16,950 --> 00:04:25,950
again back to this GET request: right click it and go to Follow HTTP Stream, and this will basically

48
00:04:25,950 --> 00:04:32,380
follow the stream that this request has caused, all the way down to the response.

49
00:04:32,430 --> 00:04:40,010
So if I click it, you'll see the response for this particular request was this right here.

50
00:04:40,070 --> 00:04:48,420
You can see that this was a PNG, and literally the binary content of this PNG image is right here.

51
00:04:48,440 --> 00:04:52,860
So as you can see, we're literally getting the raw data in here.

52
00:04:52,910 --> 00:04:59,200
Now I'm going to close this and go back to what we had, which was the http filter.

53
00:04:59,370 --> 00:05:06,450
Now if we keep going down, you literally see everything that has been sent and received by the target.

54
00:05:06,450 --> 00:05:13,050
So for example, again in here we can see this was a JavaScript file that was loaded by Google.

55
00:05:13,260 --> 00:05:20,700
Then in here we can see another GET request, and this GET request was what we searched for, zsecurity,

56
00:05:20,700 --> 00:05:24,090
so you can even see the search term in here.
57
00:05:24,090 --> 00:05:27,390
So let me double click this to show you in more detail.

58
00:05:27,420 --> 00:05:34,060
Again, this automatically went to the Hypertext Transfer Protocol part. Like I said, this is the HTTP part, whatever

59
00:05:34,110 --> 00:05:40,350
gets sent to the browser, and you can see that this was sent to google.com.

60
00:05:40,350 --> 00:05:46,890
First of all, and the URI, or whatever went after google.com, was search.

61
00:05:46,980 --> 00:05:57,000
And what we were searching for was zsecurity, which is exactly what we typed in here. Again, in here

62
00:05:57,150 --> 00:06:00,170
you can see the full URL with the search term.

63
00:06:00,180 --> 00:06:07,810
This is literally what the user gets in their URL bar in here. So as you can see, Wireshark literally

64
00:06:07,810 --> 00:06:11,890
shows everything that flows through the interface.

65
00:06:12,070 --> 00:06:18,970
In this lecture I wanted to show you a quick overview on how we can filter data, and don't worry too much

66
00:06:18,970 --> 00:06:24,550
about this, we'll actually be using it more in the next lectures and we'll see how we can easily use it

67
00:06:24,760 --> 00:06:28,210
to filter data and discover useful information.