WEBVTT

00:01.220 --> 00:06.750
Surprisingly, capturing useful traffic can be a challenging aspect of protocol analysis.

00:07.430 --> 00:13.430
This lecture, and actually this whole section of our course,

00:15.200 --> 00:21.410
describes two different capture techniques: passive capture techniques and active capture techniques.

00:22.070 --> 00:25.280
Passive capture doesn't directly interact with the traffic.

00:25.460 --> 00:35.210
Instead, it extracts the data as it travels on the wire, which should be familiar from tools, for

00:35.210 --> 00:39.380
example, like Wireshark.

00:41.920 --> 00:42.520
Wireshark.

00:43.480 --> 00:44.080
Supports.

00:46.370 --> 00:46.730
So.

00:48.170 --> 00:54.860
Now, you will find that different applications provide different mechanisms, which have their own advantages

00:55.010 --> 01:04.700
and disadvantages for retrieving traffic. Active capture interferes with traffic between a client

01:04.700 --> 01:06.500
application and the server.

01:06.830 --> 01:11.450
This has great power but can cause some complications.

01:12.020 --> 01:18.530
You can think of active capture in terms of proxies or even a man-in-the-middle attack.

01:19.370 --> 01:25.910
So let's look at both active and passive capture in more depth.

01:26.630 --> 01:30.860
Let's get started with passive network traffic capture.

01:31.310 --> 01:36.290
So now I want, uh, to, uh, draw some diagrams.

01:41.170 --> 01:41.530
Here.

01:45.360 --> 01:48.060
Let's, uh, create a diagram here.

01:49.300 --> 01:55.590
So we need, uh, actually two computers, two, uh, computers here.

01:56.380 --> 02:04.180
Uh, this is the first one here, actually here.

02:04.720 --> 02:07.370
And one server, let's say.

02:13.190 --> 02:13.660
So.

02:17.980 --> 02:27.560
For example, let's make this the server here, and we just need another one.

02:27.820 --> 02:30.820
Here, for example, like this.

02:35.160 --> 02:35.460
If.

02:41.400 --> 02:44.400
And, uh, this is the, this is our server here.

02:45.240 --> 02:52.350
Server, uh, for example, uh, packet capture device.

02:52.350 --> 02:53.430
This is the attacker.

02:54.770 --> 02:59.420
And this is the client, client application.

03:00.940 --> 03:01.480
Target.

03:03.510 --> 03:07.400
Let me get this here and then.

03:08.940 --> 03:12.990
We will connect these here, uh, like here.

03:14.900 --> 03:17.600
And we will do this by the rational one.

03:19.150 --> 03:20.830
And to.

03:22.680 --> 03:24.240
Here and.

03:25.590 --> 03:26.100
One.

03:26.970 --> 03:27.450
To.

03:30.680 --> 03:31.670
Lastly, here.

03:32.660 --> 03:34.100
Connect this to the server.

03:35.700 --> 03:44.250
So passive capture is relatively easy to conduct; it doesn't typically require any specialist hardware,

03:44.580 --> 03:49.110
nor do you usually need to write your own code, so you don't need to.

03:49.200 --> 03:52.500
There are so many programs, like Wireshark.

03:53.760 --> 04:02.340
In this figure, I illustrated the common scenario: a client application and server communicating

04:02.700 --> 04:12.000
via Ethernet over the network. So passive network capture can take place either on the network by

04:12.870 --> 04:21.600
tapping the traffic as it transits in some way, or by sniffing directly on either the client or server

04:21.600 --> 04:22.110
host.

04:23.010 --> 04:23.400
So.

04:24.430 --> 04:28.480
You know, in this lecture, actually, we will use Wireshark here.

04:28.810 --> 04:30.430
Let me tell you.

04:31.900 --> 04:32.390
Here it is.

04:33.940 --> 04:38.020
We will use Wireshark to perform.

04:40.430 --> 04:42.070
Passive, actually.

04:42.800 --> 04:44.180
Yes, passive capture.

04:49.050 --> 04:49.320
Yeah.

04:59.540 --> 04:59.860
Oops!

05:08.990 --> 05:11.630
So let's open Wireshark here.

05:22.710 --> 05:28.500
So Wireshark is perhaps the most popular packet-sniffing application available.

05:28.860 --> 05:35.340
It's cross-platform and easy to use, and it comes with many built-in protocol analysis features.

05:36.930 --> 05:43.110
In the next lectures, you will learn how to write a dissector to aid in protocol analysis.

05:43.230 --> 05:51.660
But for now, let's use Wireshark to capture IP traffic from the network. To capture traffic from

05:51.660 --> 05:59.480
an Ethernet interface, wired or wireless, the capturing device must be in

05:59.790 --> 06:01.170
promiscuous mode.

06:01.470 --> 06:09.390
So a device in promiscuous mode, um, receives and processes any Ethernet frame it sees, even if that frame

06:09.390 --> 06:11.910
wasn't destined for that interface.

06:12.460 --> 06:16.890
Capturing an application running on the same computer is easy.

06:16.980 --> 06:24.060
So just monitor the outbound network interface or the local loopback interface, better known as localhost.

06:25.830 --> 06:33.060
So otherwise you might need to use networking hardware, such as a hub, or configure a switch to ensure traffic

06:33.060 --> 06:36.720
is sent to your network interface. So.

06:38.070 --> 06:39.660
As you can see here.

06:39.950 --> 06:48.570
Uh, let's start capturing here. I will, uh, select the, uh, Ethernet interface here.

06:52.030 --> 06:53.380
And let's open browser.

06:56.210 --> 06:58.190
Let's go to coliforms.

07:03.960 --> 07:07.620
So now, as you can see here, we have traffic.

07:09.330 --> 07:09.660
So.

07:10.830 --> 07:17.130
Um, there are three main, uh, there are three main windows, as you can see here.

07:17.760 --> 07:21.180
So the first window, at the top, is this area.

07:21.180 --> 07:32.690
Here is the area, uh, of, uh, this area hosts, um, a timeline of raw packets of the, uh,

07:32.700 --> 07:33.180
network.

07:33.540 --> 07:37.950
So the timeline provides a list of sources, as you can see here.

07:38.610 --> 07:46.350
Um, uh, this provides a list of source and destination IP addresses, as well as decoded protocol

07:46.350 --> 07:47.640
summary information.

07:49.020 --> 07:53.250
Here, let's pause this, so um.

07:53.310 --> 07:57.990
And this area here, this area, uh, provides.

07:59.670 --> 08:06.750
This area provides a dissected view of the packets, separated into distinct protocol layers that correspond

08:06.960 --> 08:12.720
to the OSI network layer model.

08:13.020 --> 08:15.360
And lastly, this area here.

08:16.450 --> 08:22.330
This area here, uh, shows the captured packet's raw bytes.

08:22.960 --> 08:30.340
So the TCP/IP network protocol is stream-based and designed to recover from dropped packets or data

08:30.340 --> 08:34.570
corruption. Due to the nature of networks and IP.

08:34.990 --> 08:39.430
There is no guarantee that packets will be received in a particular order.

08:39.730 --> 08:46.720
Therefore, when you are capturing packets, the timeline view might be difficult to interpret.

08:47.500 --> 08:54.670
Fortunately, Wireshark offers dissectors for known protocols that will normally reassemble the entire

08:54.670 --> 08:57.820
stream and provide all the information in one place.

08:58.210 --> 09:05.350
For example, highlight, uh, a packet in a TCP session in the traffic timeline, and select Analyze,

09:05.530 --> 09:13.930
Follow, uh, TCP, uh, TCP Stream, actually.

09:14.110 --> 09:14.740
Analyze.

09:20.970 --> 09:21.450
Near.

09:24.830 --> 09:26.390
Timesheets, as you can see here.

09:31.470 --> 09:36.630
You can have, uh, they could, uh, you can record this and.

09:38.830 --> 09:40.930
Applications and features like that.

09:42.480 --> 09:42.870
So.

09:49.390 --> 09:49.750
You're.

09:55.440 --> 09:56.700
Here, as you can see.

10:00.310 --> 10:01.480
And see, this is the packet.

10:01.990 --> 10:04.870
These are the raw bytes, and this is the analysis here.

10:12.420 --> 10:20.970
I select Follow this stream, and you can see here we can see the stream, the stream flow, and which order

10:21.150 --> 10:21.750
it was sent in.

10:23.110 --> 10:29.170
Uh, so actually, for protocols with a dissector, Wireshark, uh, can decode the stream and

10:29.170 --> 10:31.990
present it in an easy-to-view dialog.

10:33.490 --> 10:39.370
And Wireshark is a comprehensive tool, and covering all of its features is beyond the scope of this

10:39.370 --> 10:39.800
course.

10:40.150 --> 10:42.880
If you are not familiar with it, obtain a good reference.

10:43.280 --> 10:50.080
Uh, and you can actually watch videos on YouTube about Wireshark.

10:50.590 --> 10:57.910
There are books written about Wireshark, because Wireshark is so big and comprehensive, a comprehensive

10:57.910 --> 11:02.680
tool, uh, covering all of its features.

11:02.920 --> 11:08.450
We can't do that because we would need at least five or six hours of content.

11:09.610 --> 11:17.350
So this is just an intermediate Wireshark, um, course, an intermediate Wireshark section.
