WEBVTT

00:00.590 --> 00:06.650
Packet analysis is the process of gathering traffic on the network, decoding it and dissecting the

00:06.650 --> 00:13.070
raw bits, and presenting them in human-readable format for analysis, as shown here.

00:13.100 --> 00:15.590
Gathering, Decoding.

00:15.740 --> 00:18.140
Displaying and analyzing.

00:18.720 --> 00:24.510
So regardless of the software used, there are four main phases of packet analysis.

00:24.660 --> 00:32.580
As I said in previous lectures, these are gather, decode, display and analyze.

00:32.730 --> 00:40.650
In this section we will review each of the phases, starting with the first step, gather, where we

00:40.650 --> 00:42.180
collect data from the network.

00:42.210 --> 00:46.050
So now let's go back to our Kali Linux.

00:46.260 --> 00:49.770
Actually, Wireshark is independent of the operating system.

00:49.770 --> 00:54.450
You can use Windows or macOS or any operating system

00:54.450 --> 00:58.030
you want that Wireshark supports.

00:58.050 --> 01:00.240
So now let's go to Kali.

01:00.270 --> 01:01.590
Here and here.

01:01.590 --> 01:03.120
Yes, perfect.

01:03.150 --> 01:05.130
Now open the.

01:06.570 --> 01:07.280
Out here.

01:07.290 --> 01:07.770
Yeah.

01:09.730 --> 01:13.420
So let's launch Wireshark.

01:13.450 --> 01:14.230
Wireshark.

01:14.230 --> 01:19.330
So when you launch Wireshark, a welcome screen displays a list of available network connections on

01:19.330 --> 01:20.860
your current device.

01:20.860 --> 01:28.360
In most cases, you will have more than one interface.

01:28.360 --> 01:36.220
And to begin capturing immediately, you can select an active sparkline and begin capture apparently.

01:36.550 --> 01:37.930
Now let's go to.

01:39.060 --> 01:45.090
And you can also go to the capture menu if you want and then go to options here.

01:45.090 --> 01:47.460
So capture options.

01:47.460 --> 01:49.670
So as you can see, there's also a shortcut.

01:49.690 --> 01:51.930
You can also click on the shortcut here.

01:51.930 --> 01:55.890
The same screen will open here.

01:55.890 --> 02:03.030
So now, keep in mind that there are two key areas that will enable you to gather traffic,

02:03.330 --> 02:09.180
which is capturing in promiscuous mode and using a capture engine.

02:09.180 --> 02:14.940
So let's first discuss why it's important to enable promiscuous mode prior to capture.

02:15.120 --> 02:17.820
So, capturing in promiscuous mode.

02:17.850 --> 02:24.000
So when gathering traffic with Wireshark, you can capture on all interfaces. However, so that you can

02:24.000 --> 02:28.110
see all the traffic that is coming into the network interface card,

02:28.140 --> 02:36.930
make sure you select one of the following on the input tab of the capture options

02:36.930 --> 02:37.860
dialog.

02:38.700 --> 02:45.720
So check the box next to the interface under the promiscuous column header.

02:46.740 --> 02:51.570
So, as you can see, enable promiscuous mode on all interfaces.

02:52.220 --> 02:52.760
So.

02:54.520 --> 02:55.540
Uh, here.

02:56.300 --> 03:05.590
And secondly, you have to enable promiscuous mode on all interfaces, as

03:05.630 --> 03:08.000
you can see here.

03:08.180 --> 03:08.690
Right.

03:08.960 --> 03:19.130
So we also have output options, and we have the address of our Ethernet network and interfaces

03:19.250 --> 03:21.470
and so on.

03:22.340 --> 03:30.380
So as you can see here, as I said, firstly, you should make sure that this promiscuous

03:30.410 --> 03:31.370
is checked.

03:31.640 --> 03:38.240
So after choosing an interface to listen on and placing it in promiscuous mode, the interface gathers

03:38.270 --> 03:42.080
up the new traffic, like, double-click on your interface.

03:42.080 --> 03:45.680
And as you can see here, my interface is gathering new traffic.

03:45.680 --> 03:58.160
So if I go to some website like oxley.com, it will send us a bunch of requests and

03:58.160 --> 03:58.520
signals.

03:58.520 --> 03:59.030
Right.

03:59.480 --> 04:00.170
So.

04:01.810 --> 04:02.410
Here.

04:02.440 --> 04:04.210
This is our website also.

04:04.210 --> 04:13.150
So part of the effect of capturing traffic is having an appropriate packet capture (pcap) engine installed

04:13.150 --> 04:17.530
and the pcap engine provides an application programming interface (API) that.

04:18.580 --> 04:24.550
After traffic from the network so that it can be processed by the operating system.

04:24.640 --> 04:29.350
In this case, we will not install that for now.

04:29.440 --> 04:37.330
And first, let's learn about how to decode bits in Wireshark, which you will learn in the next lecture.
