WEBVTT

00:00.990 --> 00:06.900
Traffic enters a network interface card in binary form, one frame at a time.

00:06.900 --> 00:08.010
So there's an.

00:08.910 --> 00:09.240
Here.

00:09.240 --> 00:17.010
As you can see here, we have source IP, source port, and here Ethernet, Ethernet II, source address, and

00:17.010 --> 00:18.390
so on.

00:18.570 --> 00:26.640
Type IP version four, Internet Protocol Version four, Flags, Time to Live one, protocol UDP.

00:26.640 --> 00:31.230
And there's so much information that we will need to analyze, right?

00:31.290 --> 00:40.260
So Wireshark uses the Enhanced Packet Analyzer, EPAN, which decodes the bits into

00:40.290 --> 00:41.880
human readable format.

00:41.880 --> 00:48.920
So let me take my pen to draw things on the screen, and here apply.

00:48.930 --> 00:51.510
So this is our.

00:52.740 --> 00:53.490
Bits.

00:53.490 --> 00:56.390
So these are the hex codes and so on.

00:56.400 --> 01:02.400
So obviously you can't read this in your batteries and there's some information about that.

01:02.400 --> 01:11.700
And here, after getting this raw information, Wireshark translates it with the Enhanced Packet Analyzer

01:11.700 --> 01:18.810
engine, which decodes, as I said, decodes the bits into human readable format here.

01:19.970 --> 01:20.540
Perfect.

01:20.540 --> 01:24.340
So now we will step through the EPAN.

01:24.350 --> 01:29.690
So prior to 2006, Wireshark was called Ethereal.

01:30.440 --> 01:34.220
So, yeah, so the name has changed.

01:34.220 --> 01:38.030
However, as obviously the main score is the same, right?

01:38.030 --> 01:44.570
So it is the packet analyzing engine for Wireshark that uses dissectors, also known as decoders.

01:45.140 --> 01:53.240
So the dissectors provide information on how to create the protocols in the proper format according

01:53.270 --> 01:58.160
to the appropriate requests for comments RFC or other specification.

01:58.160 --> 02:04.970
So EPAN contains four main APIs; the first is the protocol tree.

02:05.000 --> 02:06.230
Dissectors.

02:07.010 --> 02:12.020
Sorry for this, the dissectors, the dissector plugins, and display filters.

02:12.800 --> 02:18.890
So we have the protocol tree, which displays the detailed analysis of a single packet.

02:18.890 --> 02:19.500
We can.

02:19.500 --> 02:26.070
We also have the dissectors, so these provide information on how to break down the protocols into proper format.

02:26.100 --> 02:28.650
We also have the dissector plugins.

02:28.890 --> 02:31.680
So these use the dissectors as separate functions.

02:31.680 --> 02:38.370
And lastly, we have display filters, and these allow you to filter captured data.

02:38.370 --> 02:43.410
In most cases, Wireshark is able to correctly identify and dissect the protocol.

02:43.680 --> 02:47.310
However, there are times when you will need to help

02:47.760 --> 02:49.740
Wireshark decode the protocols, right?

02:49.740 --> 03:01.230
So you can achieve this by right clicking on the frame here, and here you will go to Decode As here,

03:01.230 --> 03:04.890
which will bring up this dialog.

03:05.630 --> 03:05.960
Here.

03:05.960 --> 03:09.470
As you can see here, we have several options here.

03:09.470 --> 03:14.990
So once in this window, you can modify the values to match the appropriate protocol.

03:14.990 --> 03:20.510
And this function is very useful when protocols either don't have a dedicated port or they are running

03:20.510 --> 03:23.560
on a different port compared to the usual.

03:23.570 --> 03:29.960
For example, you should use Decode As when HTTP is running on port 88 instead of port 80.

03:30.200 --> 03:37.550
So once the bits have been converted into proper format, the next step is to display the results in

03:37.580 --> 03:39.410
human readable format.

03:39.410 --> 03:42.590
So now let's display the result here.

03:42.590 --> 03:48.560
So in Wireshark, along with many other packet analysis tools, there are many options to enhance

03:48.560 --> 03:50.180
your graphical experience.

03:50.180 --> 03:57.440
So when you open a packet capture in Wireshark, the default layout for the main display is in

03:57.440 --> 04:00.950
three panels, which is here.

04:04.360 --> 04:06.240
Let me take my pen again.

04:06.250 --> 04:08.590
So this is our.

04:09.010 --> 04:09.790
Can you see it?

04:10.700 --> 04:11.120
Sorry.

04:12.830 --> 04:14.000
Please come.

04:14.780 --> 04:15.590
I guess we.

04:17.180 --> 04:17.840
Here.

04:18.140 --> 04:19.790
So to painting home.

04:20.330 --> 04:21.020
Gift home.

04:23.220 --> 04:23.910
Yes.

04:24.120 --> 04:24.800
Perfect.

04:24.810 --> 04:28.950
So here, this is our packet list.

04:28.950 --> 04:33.090
This tab we are using for is our packet list.

04:33.120 --> 04:36.990
These are the packet details here.

04:37.440 --> 04:44.730
These are the packet details, and obviously this is the raw format, which is the packet bytes.

04:45.260 --> 04:46.010
So.

04:47.090 --> 04:49.100
Uh, the packet list here.

04:49.430 --> 04:56.660
This is a list of all captured packets, where each line represents a single packet, as you can

04:56.660 --> 05:01.790
see here, broadcast IP destination, source, destination, source, protocol length info, and so

05:01.790 --> 05:02.270
on.

05:02.360 --> 05:05.570
Everything has a source and destination, right?

05:06.140 --> 05:08.750
This was so philosophical here.

05:09.440 --> 05:12.890
So we also have packet details.

05:12.890 --> 05:20.900
So here, this is the packet details, which displays the details of a single packet and includes the protocols

05:20.900 --> 05:22.240
and field values.

05:22.250 --> 05:30.980
It also displays Wireshark-specific hints, for example, when examining TCP here, let's choose

05:30.980 --> 05:32.600
some TCP here.

05:32.870 --> 05:34.030
TCP oops.

05:34.070 --> 05:36.920
Of course we have to use, uh, here.

05:36.920 --> 05:38.670
So this is our TCP.

05:39.200 --> 05:45.620
So when you are examining a Transmission Control Protocol header, you will see the stream index listed

05:45.620 --> 05:49.140
below the source and destination ports, right?

05:49.260 --> 05:56.550
So however, there is no field value called the stream index, and a stream is a communication between

05:56.550 --> 06:04.880
two endpoints that comprise the endpoint A socket and endpoint B socket.

06:04.890 --> 06:09.240
So to help you keep track of all those streams.

06:10.110 --> 06:15.510
Wireshark lists each stream in a TCP header.

06:15.600 --> 06:18.990
Here we have transmission control protocol.

06:18.990 --> 06:25.260
Let's actually here you can also send protocol here, open this tab, transmission control protocol.

06:25.260 --> 06:29.490
And as you can see here, stream index one.

06:29.490 --> 06:31.080
That's kind of, kind of here.

06:31.080 --> 06:31.470
Yeah.

06:31.470 --> 06:32.970
Stream index one.

06:32.970 --> 06:35.400
So I hope you see clearly.

06:35.400 --> 06:37.710
So stream index one.

06:38.160 --> 06:45.300
So this is what I called endpoint A and endpoint B socket, which is.

06:46.590 --> 06:48.710
Uh, source and destination ports.

06:48.720 --> 06:55.830
However, there is no field called stream index in some cases, and that's how you can bring it up.

06:56.350 --> 06:59.130
And we also have packet bytes.

06:59.140 --> 07:03.970
This is a hexadecimal representation of a single packet as shown.

07:04.210 --> 07:13.180
As you can see here and any plaintext data is displayed on the right hand side, as you can see here,

07:13.210 --> 07:17.830
this link dot net something, something here.

07:22.180 --> 07:27.910
Yes, Let's get some meaningful text here because it happens sometimes, right?

07:28.980 --> 07:30.000
Okay.

07:33.410 --> 07:39.050
You can also use your arrow keys to get user information and.

07:39.050 --> 07:40.610
Okay, here.

07:40.640 --> 07:41.480
Perfect.

07:42.230 --> 07:43.010
That's it.

07:43.010 --> 07:44.290
That's our request.

07:44.300 --> 07:46.260
The HTTP request.

07:46.280 --> 07:47.180
So.

07:48.450 --> 07:54.390
Yeah, this is a hexadecimal representation of a single packet that's shown here, and any plaintext

07:54.390 --> 07:56.880
data is displayed on the right side.

07:57.090 --> 08:01.710
And these are the hexadecimal this turned to.

08:02.860 --> 08:03.520
Our.

08:04.400 --> 08:05.180
Texts.

08:05.180 --> 08:12.050
And after that, if it's not enough for you, Wireshark analyzes it itself.

08:12.050 --> 08:18.800
And here: request version, request URI, request method, POST request, and so on.

08:19.430 --> 08:24.530
In the next lecture, we will also learn how to change the layout, how to analyze the packet capture,

08:24.530 --> 08:25.550
and so on.

08:25.580 --> 08:26.960
I'm waiting for you in the next lecture.
