1 00:00:00,650 --> 00:00:08,400 Wireshark is free, open source and the world's foremost network packet analyzer, and it is the de
2 00:00:08,400 --> 00:00:11,570 facto standard across system and network administrators.
3 00:00:12,600 --> 00:00:18,270 Wireshark has the ability to listen and record traffic, as well as advanced filtering and reviewing
4 00:00:18,270 --> 00:00:18,780 options.
5 00:00:19,140 --> 00:00:24,780 We're not going to do a deep dive into Wireshark right now, since that's the subject of network layer
6 00:00:24,780 --> 00:00:27,210 attacks, which is, of course, coming soon.
7 00:00:28,140 --> 00:00:33,270 So here, let's see a summary of the traffic and the systems related to the interfaces
8 00:00:33,300 --> 00:00:33,710 we listen to.
9 00:00:36,250 --> 00:00:38,710 Let's go to Kali and start Wireshark.
10 00:00:39,670 --> 00:00:46,000 You can start Wireshark from the applications menu or open a terminal window and type wireshark to start
11 00:00:46,000 --> 00:00:46,370 the app.
12 00:00:47,290 --> 00:00:51,950 Don't worry about the ampersand at the end of the command. Putting an ampersand at the end of the command
13 00:00:51,950 --> 00:00:54,280 causes the shell to run the process in the background.
14 00:00:54,760 --> 00:00:56,110 It's sort of multitasking.
15 00:00:57,160 --> 00:01:01,600 You can have many processes running, but only one in the foreground at any given point.
16 00:01:02,200 --> 00:01:06,790 The process in the foreground is the process that appears to have locked up the terminal.
17 00:01:07,210 --> 00:01:12,790 Whatever the first message is, because we are a superuser on Kali,
18 00:01:13,540 --> 00:01:14,140 no worries.
19 00:01:14,840 --> 00:01:15,040 OK.
20 00:01:15,520 --> 00:01:20,260 The welcome page of Wireshark asks which interface we would like to listen to first.
21 00:01:21,590 --> 00:01:23,570 So let's have a look at the interfaces of our system.
22 00:01:25,070 --> 00:01:31,670 To look at the interfaces and to remember the IP address of Kali, open the terminal and type ifconfig.
23 00:01:32,960 --> 00:01:38,390 There are two result sets from the ifconfig command, eth0 and lo.
24 00:01:39,520 --> 00:01:41,690 eth0 is the first Ethernet interface.
25 00:01:42,700 --> 00:01:47,680 Additional Ethernet interfaces would be named eth1, eth2, et cetera.
26 00:01:48,430 --> 00:01:49,780 Here we have only one.
27 00:01:50,920 --> 00:01:53,410 Now, lo is the loopback interface.
28 00:01:53,830 --> 00:01:58,390 This is a special network interface that the system uses to communicate with itself.
29 00:01:59,530 --> 00:02:02,320 eth0 is the interface that we're interested in at the moment.
30 00:02:03,460 --> 00:02:09,699 Double-click on eth0 on the main page of Wireshark to start capturing the packets passing
31 00:02:09,699 --> 00:02:11,350 through our Ethernet interface.
32 00:02:11,950 --> 00:02:13,090 Now, to speed it up,
33 00:02:13,630 --> 00:02:15,130 let's create some network traffic.
34 00:02:15,670 --> 00:02:19,960 Open one of my virtual machines, OWASP BWA, and ping Kali.
35 00:02:23,390 --> 00:02:30,570 To stop the ping command, press Ctrl+C. Type ifconfig to learn the IP address of the machine.
36 00:02:32,010 --> 00:02:36,000 Now I go to another VM, Metasploitable, and ping the last VM first.
37 00:02:44,810 --> 00:02:46,190 And then ping Kali.
38 00:02:55,080 --> 00:02:58,300 Here we have a lot of ICMP and ARP traffic at the moment.
39 00:03:03,030 --> 00:03:04,290 So let's generate some traffic.
40 00:03:04,720 --> 00:03:09,600 I open the browser in Kali and visit the website served by the OWASP BWA machine.
41 00:03:20,190 --> 00:03:24,620 And for even more traffic, I visit nhs.uk.
42 00:03:25,050 --> 00:03:26,100 My favorite website.
43 00:03:27,580 --> 00:03:28,380 OK, that's enough.
44 00:03:28,710 --> 00:03:30,030 Let's turn back to Wireshark.
45 00:03:31,050 --> 00:03:38,100 As you see, we have a lot of packets captured and new packets arrive every second: HTTP packets,
46 00:03:38,310 --> 00:03:43,010 TCP packets, TLS packets for HTTPS traffic, et cetera.
47 00:03:43,920 --> 00:03:46,350 Here, we don't investigate the packets in detail.
48 00:03:47,040 --> 00:03:53,970 We want to learn about the systems which are interacting with us. So go to the Statistics menu and select
49 00:03:53,970 --> 00:03:54,930 Conversations.
50 00:03:55,590 --> 00:03:58,550 There are five tabs in the Conversations window by default.
51 00:03:59,620 --> 00:04:06,670 And we're on the IPv4 tab at the moment. Here, there are IP packets grouped by Address A and Address
52 00:04:06,700 --> 00:04:17,800 B. In each line we see how many packets were sent up to now, the total size of the packets in bytes, the number and size
53 00:04:17,800 --> 00:04:21,610 of packets from A to B and from B to A, et cetera.
54 00:04:23,080 --> 00:04:26,780 There is traffic between 8.8.8.8 and my Kali.
55 00:04:27,870 --> 00:04:34,410 Now, I know that 8.8.8.8 is the IP address of Google DNS, so I must have set
56 00:04:34,410 --> 00:04:36,960 the Google DNS as the DNS of my Kali.
57 00:04:37,220 --> 00:04:39,180 You know, I'd like to look at the network config.
58 00:04:44,770 --> 00:04:48,710 And yes, my DNS address is 8.8.8.8.
59 00:04:48,770 --> 00:04:49,430 Got it.
60 00:04:53,300 --> 00:04:56,860 In the Ethernet tab, we can see the MAC addresses of the systems.
61 00:04:57,910 --> 00:05:04,840 The address full of F's means that the packet is broadcast. ARP requests are the examples for these
62 00:05:04,840 --> 00:05:05,650 kinds of packets.
63 00:05:06,730 --> 00:05:11,590 In the TCP tab, we can see TCP packets grouped by the addresses,
64 00:05:11,650 --> 00:05:14,050 and this time by ports as well,
65 00:05:15,330 --> 00:05:18,840 because the system may have different interactions with any other system.
66 00:05:19,440 --> 00:05:23,940 For example, Kali may have HTTP traffic through port 80.
67 00:05:24,070 --> 00:05:29,080 And at the same time, it may have an SSH connection through 22 as well.
68 00:05:30,780 --> 00:05:36,360 The same as TCP packets, packets are grouped by IP and ports in the UDP tab.
69 00:05:38,060 --> 00:05:41,810 Here we have learned a lot of live systems, IP addresses and MAC addresses,
70 00:05:42,260 --> 00:05:45,200 just listening to the traffic going through our network interface.
71 00:05:46,370 --> 00:05:52,460 If you'd like to investigate the traffic between two machines, select the line, right-click, and if you
72 00:05:52,460 --> 00:05:54,500 choose Apply as Filter from the menu,
73 00:05:55,580 --> 00:05:58,820 only these kinds of packets will be seen in Wireshark.
74 00:06:00,230 --> 00:06:02,090 I'll choose Find at this time.
75 00:06:03,080 --> 00:06:06,050 As you see, an automatic query string is prepared.
76 00:06:06,800 --> 00:06:10,270 I can navigate between the packets by clicking the Find button.
77 00:06:14,290 --> 00:06:17,450 Go back to the Conversations window. At the bottom right,
78 00:06:17,470 --> 00:06:21,550 there is a Conversation Types button. When you click on it,
79 00:06:22,150 --> 00:06:24,220 a lot of different protocols are listed.
80 00:06:25,840 --> 00:06:29,680 These selected five are the default selected protocols.
81 00:06:30,580 --> 00:06:33,970 You can add any protocol from the list. When you select one of them,
82 00:06:34,330 --> 00:06:36,610 a new tab is added to the Conversations window.