1
00:00:00,252 --> 00:00:01,085
In this lesson,

2
00:00:01,085 --> 00:00:03,492
I'm going to use a tool known as Wireshark,

3
00:00:03,492 --> 00:00:05,398
which is a packet analyzer

4
00:00:05,398 --> 00:00:07,890
to be able to pull apart some network traffic

5
00:00:07,890 --> 00:00:10,834
and show you the different layers of the OSI model.

6
00:00:10,834 --> 00:00:13,756
Now, the actual usage of this tool known as Wireshark

7
00:00:13,756 --> 00:00:16,441
is not covered by the Network Plus exam.

8
00:00:16,441 --> 00:00:19,113
You do need to know that this tool is a packet analyzer

9
00:00:19,113 --> 00:00:21,660
and what kind of functions we might use it for,

10
00:00:21,660 --> 00:00:22,853
and we'll talk about those specifically

11
00:00:22,853 --> 00:00:24,469
in the troubleshooting section.

12
00:00:24,469 --> 00:00:27,060
But for right now, I just want you to focus

13
00:00:27,060 --> 00:00:29,006
on how I'm pulling apart these different layers

14
00:00:29,006 --> 00:00:32,616
and the type of information I can get from Wireshark.

15
00:00:32,616 --> 00:00:34,672
Again, this is going to be further and more in depth

16
00:00:34,672 --> 00:00:36,639
than you need to know for the exam,

17
00:00:36,639 --> 00:00:38,338
but it's going to help you understand

18
00:00:38,338 --> 00:00:41,100
the OSI model a little bit better

19
00:00:41,100 --> 00:00:44,018
as we start putting these pieces together from this theory

20
00:00:44,018 --> 00:00:46,770
into something that's actually used on the network.

21
00:00:46,770 --> 00:00:49,162
So let's jump into the environment and take a look.

22
00:00:49,162 --> 00:00:51,301
All right, welcome to Wireshark.

23
00:00:51,301 --> 00:00:54,720
Now the first thing we need to do is have a file to look at.

24
00:00:54,720 --> 00:00:56,331
So I have a couple of different packet captures

25
00:00:56,331 --> 00:00:58,376
and I'm just going to open one up here

26
00:00:58,376 --> 00:01:01,350
and it's going to be right here.
27
00:01:01,350 --> 00:01:04,349
This is an HTTP connection.

28
00:01:04,349 --> 00:01:06,581
So what I'm showing here on the screen

29
00:01:06,581 --> 00:01:09,820
is everything that happened for one computer

30
00:01:10,703 --> 00:01:14,400
to make a request from my computer to a server and back.

31
00:01:14,400 --> 00:01:17,141
So as you can see here, it starts at time zero.

32
00:01:17,141 --> 00:01:20,580
The source IP is my machine that sent the request.

33
00:01:20,580 --> 00:01:23,557
And the destination IP is the server I'm trying to go to.

34
00:01:23,557 --> 00:01:25,320
That's how we read these things.

35
00:01:25,320 --> 00:01:28,282
It's time, source, destination, the protocol used,

36
00:01:28,282 --> 00:01:29,628
in this case, TCP,

37
00:01:29,628 --> 00:01:32,058
which we'll talk about later in the course,

38
00:01:32,058 --> 00:01:34,597
and then the information that was sent.

39
00:01:34,597 --> 00:01:35,910
As you go through, you'll see

40
00:01:35,910 --> 00:01:36,743
there's this two-way conversation

41
00:01:36,743 --> 00:01:38,901
going back and forth between the two.

42
00:01:38,901 --> 00:01:41,914
And this is all at the packet layer.

43
00:01:41,914 --> 00:01:44,672
And what you're seeing here is actually the session traffic

44
00:01:44,672 --> 00:01:49,279
that was captured from one host to one server.

45
00:01:49,279 --> 00:01:50,898
Now as I scroll down a little bit further,

46
00:01:50,898 --> 00:01:52,359
you're going to see it goes down to

47
00:01:52,359 --> 00:01:56,341
43 different line items happened, it took 30 seconds total.

48
00:01:56,341 --> 00:01:59,040
And we're going to go in and look at some of this information.

49
00:01:59,040 --> 00:02:00,730
So let me go into this first packet,

50
00:02:00,730 --> 00:02:02,533
and here in the middle section,

51
00:02:02,533 --> 00:02:05,130
you'll see that we have frame one.

52
00:02:05,130 --> 00:02:06,660
This was the first frame.
53
00:02:06,660 --> 00:02:10,830
Now going back to our OSI model, what is a frame?

54
00:02:10,830 --> 00:02:12,019
Where do frames operate?

55
00:02:12,019 --> 00:02:14,430
Well, they operate at layer two,

56
00:02:14,430 --> 00:02:17,149
so I should expect to see some layer two data in here.

57
00:02:17,149 --> 00:02:19,230
What type of things are layer two data?

58
00:02:19,230 --> 00:02:21,270
Well, things like MAC addresses.

59
00:02:21,270 --> 00:02:22,770
So if I open this up,

60
00:02:22,770 --> 00:02:25,599
you're going to see that the encapsulation type was Ethernet,

61
00:02:25,599 --> 00:02:27,675
which is a layer two protocol.

62
00:02:27,675 --> 00:02:29,760
We can see the time it arrived,

63
00:02:29,760 --> 00:02:30,853
we can see the time that it left.

64
00:02:30,853 --> 00:02:31,916
We could see what frame number it was

65
00:02:31,916 --> 00:02:33,928
and how long the frame was.

66
00:02:33,928 --> 00:02:36,120
We could see how much was captured

67
00:02:36,120 --> 00:02:38,610
and all that type of information there.

68
00:02:38,610 --> 00:02:39,915
Next, if I go into Ethernet II,

69
00:02:39,915 --> 00:02:43,893
this again is part of Ethernet, which is layer two.

70
00:02:43,893 --> 00:02:45,896
And inside layer two we can see

71
00:02:45,896 --> 00:02:48,300
our destination and our source.

72
00:02:48,300 --> 00:02:49,310
So this is our destination.

73
00:02:49,310 --> 00:02:51,300
This is the server I was trying to get to.

74
00:02:51,300 --> 00:02:52,413
It's the MAC address.

75
00:02:52,413 --> 00:02:54,395
And underneath it we can see the source,

76
00:02:54,395 --> 00:02:57,332
which is the machine that I had that made the request.

77
00:02:57,332 --> 00:02:59,593
And it happened over IPv4.

78
00:02:59,593 --> 00:03:00,575
And if I bring this down,

79
00:03:00,575 --> 00:03:03,458
you can actually see even further details.

80
00:03:03,458 --> 00:03:06,235
Now the next thing I'm going to look at is IPv4.
81
00:03:06,235 --> 00:03:08,580
When we start talking about IP,

82
00:03:08,580 --> 00:03:09,960
what are we talking about now?

83
00:03:09,960 --> 00:03:11,335
We're talking about layer three

84
00:03:11,335 --> 00:03:13,199
because we're talking about Internet Protocol.

85
00:03:13,199 --> 00:03:15,655
This means that we're going to have source and destination IPs

86
00:03:15,655 --> 00:03:18,131
as you can see here highlighted in blue.

87
00:03:18,131 --> 00:03:19,126
And if I open that up,

88
00:03:19,126 --> 00:03:21,355
you'll see that this was version four.

89
00:03:21,355 --> 00:03:22,795
We can see the header length

90
00:03:22,795 --> 00:03:24,779
and then we can actually dig into that packet.

91
00:03:24,779 --> 00:03:27,842
But again, way beyond the scope of Network Plus.

92
00:03:27,842 --> 00:03:29,520
The big thing we want to take away is

93
00:03:29,520 --> 00:03:33,278
layer two was MAC addresses, layer three was IPs.

94
00:03:33,278 --> 00:03:36,270
Now when we go to layer four, we're going to be talking about

95
00:03:36,270 --> 00:03:38,357
did we use TCP or UDP?

96
00:03:38,357 --> 00:03:40,530
In this case, we use TCP.

97
00:03:40,530 --> 00:03:42,773
So this is our layer four of the OSI model.

98
00:03:42,773 --> 00:03:46,050
And as you can see, we're building up each of these layers.

99
00:03:46,050 --> 00:03:48,573
And all of that was one packet.

100
00:03:49,410 --> 00:03:50,728
So the next one I'm going to do

101
00:03:50,728 --> 00:03:55,170
is the one that came back from the server to the host.

102
00:03:55,170 --> 00:03:58,978
So we sent the SYN over and now we got back a SYN ACK.

103
00:03:58,978 --> 00:04:02,270
As we look at that, we can see the same type of information,

104
00:04:02,270 --> 00:04:04,258
the same layout each time.
105
00:04:04,258 --> 00:04:06,112
You'll see that we have our frame,

106
00:04:06,112 --> 00:04:08,760
our layer two addresses, our IP addresses,

107
00:04:08,760 --> 00:04:10,992
and then our TCP protocol layer four.

108
00:04:10,992 --> 00:04:15,960
So layer two, layer two, layer three, layer four, okay?

109
00:04:15,960 --> 00:04:17,315
And we can go through the entire packet

110
00:04:17,315 --> 00:04:19,800
and look at each and every one of them.

111
00:04:19,800 --> 00:04:21,899
Now, if I want to figure out what was happening

112
00:04:21,899 --> 00:04:24,861
during this session, I can do that as well.

113
00:04:24,861 --> 00:04:26,760
So if I go in here,

114
00:04:26,760 --> 00:04:29,996
I can see that there was a GET request over HTTP.

115
00:04:29,996 --> 00:04:31,795
Now, HTTP is a protocol.

116
00:04:31,795 --> 00:04:33,395
It's an application.

117
00:04:33,395 --> 00:04:36,536
So this is actually a layer seven capture here.

118
00:04:36,536 --> 00:04:39,661
And what was done, if I open this up,

119
00:04:39,661 --> 00:04:44,365
I can see that they went to the server ethereal.com.

120
00:04:44,365 --> 00:04:47,441
They were using Mozilla, which is Firefox,

121
00:04:47,441 --> 00:04:50,082
and that they came from this webpage,

122
00:04:50,082 --> 00:04:53,640
ethereal.com/development.html.

123
00:04:53,640 --> 00:04:56,670
And they clicked on the link for download.html.

124
00:04:56,670 --> 00:04:58,110
And that's what we're asking for.

125
00:04:58,110 --> 00:05:02,019
We're asking for the webpage download.html at this point.

126
00:05:02,019 --> 00:05:04,343
This then is acknowledged by the server

127
00:05:04,343 --> 00:05:05,640
and goes back and forth

128
00:05:05,640 --> 00:05:07,214
as they're getting more and more data.

129
00:05:07,214 --> 00:05:09,616
And eventually we get that webpage downloaded.
130
00:05:09,616 --> 00:05:12,570
In fact, if I right click on this,

131
00:05:12,570 --> 00:05:15,335
I can tell it to follow the stream

132
00:05:15,335 --> 00:05:19,140
and I can see what that webpage looked like.

133
00:05:19,140 --> 00:05:21,625
Now, this webpage is being shown to me in HTML

134
00:05:21,625 --> 00:05:24,390
because that's how webpages are sent,

135
00:05:24,390 --> 00:05:26,105
but this is exactly what this person got

136
00:05:26,105 --> 00:05:27,899
when they went to that website.

137
00:05:27,899 --> 00:05:30,744
And we captured all that in this network packet.

138
00:05:30,744 --> 00:05:34,157
I could actually copy this, make it into an HTML file,

139
00:05:34,157 --> 00:05:36,420
and then load it up inside of Edge

140
00:05:36,420 --> 00:05:38,060
or Google Chrome or Firefox

141
00:05:38,060 --> 00:05:40,070
and be able to look at all of that.

142
00:05:40,070 --> 00:05:41,533
So I think that's enough of that packet.

143
00:05:41,533 --> 00:05:43,050
Let's take a look at another one

144
00:05:43,050 --> 00:05:44,459
and see if it looks similar.

145
00:05:44,459 --> 00:05:46,090
The next one I'm going to look at

146
00:05:46,950 --> 00:05:49,440
is this one here that says FTP.

147
00:05:49,440 --> 00:05:53,040
And what FTP is going to do is file transfer protocol.

148
00:05:53,040 --> 00:05:54,060
It's going to be very similar.

149
00:05:54,060 --> 00:05:57,005
You're going to see that we went from a source to a destination

150
00:05:57,005 --> 00:05:58,030
and they went back and forth

151
00:05:58,030 --> 00:05:59,454
a whole bunch of different times.

152
00:05:59,454 --> 00:06:01,920
And in this case, it was a much longer stream.

153
00:06:01,920 --> 00:06:05,970
561 different packets went through that were captured.
154
00:06:05,970 --> 00:06:08,354
So if I go back to the first one,

155
00:06:08,354 --> 00:06:10,770
you'll see that there was this acknowledgement

156
00:06:10,770 --> 00:06:12,164
and they went back and forth,

157
00:06:12,164 --> 00:06:14,181
and we can go through here and see frame.

158
00:06:14,181 --> 00:06:16,159
Again, that's layer two.

159
00:06:16,159 --> 00:06:17,730
Ethernet.

160
00:06:17,730 --> 00:06:20,414
And so again, we can see the source and the destination

161
00:06:20,414 --> 00:06:22,315
as far as those MAC addresses.

162
00:06:22,315 --> 00:06:24,691
If we go down to the next one, we go up to layer three.

163
00:06:24,691 --> 00:06:28,078
We're now seeing the source and destination IP addresses.

164
00:06:28,078 --> 00:06:29,640
And when we get to layer four,

165
00:06:29,640 --> 00:06:32,760
we're able to see that this was a TCP session,

166
00:06:32,760 --> 00:06:34,913
Transmission Control Protocol.

167
00:06:34,913 --> 00:06:36,270
And so again, if I wanted to,

168
00:06:36,270 --> 00:06:39,497
I can right click this and follow that stream.

169
00:06:39,497 --> 00:06:43,113
Now, when I follow that stream, what am I going to see?

170
00:06:43,113 --> 00:06:44,606
I'm not going to see a pretty webpage

171
00:06:44,606 --> 00:06:46,640
because this was FTP traffic,

172
00:06:46,640 --> 00:06:48,779
somebody was downloading a file.

173
00:06:48,779 --> 00:06:52,087
All of this, if I convert it back into its hexadecimal

174
00:06:52,087 --> 00:06:55,292
or binary format, let's go to raw for instance.

175
00:06:55,292 --> 00:06:57,682
I can copy this in and try to figure out

176
00:06:57,682 --> 00:07:00,320
what type of file it was and put that back together.

177
00:07:00,320 --> 00:07:02,137
That's what happens with network forensics

178
00:07:02,137 --> 00:07:03,558
and digital forensics.

179
00:07:03,558 --> 00:07:06,095
Way beyond the scope of this particular course.

180
00:07:06,095 --> 00:07:07,740
But that's the idea here.
181
00:07:07,740 --> 00:07:09,337
You can capture everything going over the network

182
00:07:09,337 --> 00:07:12,633
into these PCAP files, packet capture files,

183
00:07:12,633 --> 00:07:15,330
and you'll be able to open them inside of Wireshark

184
00:07:15,330 --> 00:07:17,739
to see what type of traffic is being used on your network.

185
00:07:17,739 --> 00:07:19,382
And as a network technician,

186
00:07:19,382 --> 00:07:21,694
really you're going to be focused mostly on this screen,

187
00:07:21,694 --> 00:07:23,433
the source and the destination,

188
00:07:23,433 --> 00:07:25,180
the protocol, and even the ports.

189
00:07:25,180 --> 00:07:28,830
You could see here it went from port 80, the web port

190
00:07:28,830 --> 00:07:30,840
to port 2727.

191
00:07:30,840 --> 00:07:34,902
The server then answered up from 2727 back to port 80,

192
00:07:34,902 --> 00:07:37,577
and they went back and forth throughout this communication.

193
00:07:37,577 --> 00:07:39,024
Let's open up one more.

194
00:07:39,024 --> 00:07:41,120
We're going to open up Telnet.

195
00:07:41,120 --> 00:07:44,043
Now, Telnet is a way to remotely control a computer.

196
00:07:44,043 --> 00:07:45,327
Again, you're going to see

197
00:07:45,327 --> 00:07:47,910
that we have the time, the source, the destination,

198
00:07:47,910 --> 00:07:49,593
and the protocol, just like we did before.

199
00:07:49,593 --> 00:07:52,770
We have our SYN, SYN ACK, ACK,

200
00:07:52,770 --> 00:07:54,540
which is that three-way handshake.

201
00:07:54,540 --> 00:07:56,912
And again, down here we have layer two, layer two,

202
00:07:56,912 --> 00:07:59,917
layer three, and layer four.

203
00:07:59,917 --> 00:08:03,314
Now, in the protocol column, you're going to see TCP,

204
00:08:03,314 --> 00:08:05,896
but you're also going to see this Telnet data,

205
00:08:05,896 --> 00:08:07,560
and that is an application.
206
00:08:07,560 --> 00:08:08,910
So this is layer seven again,

207
00:08:08,910 --> 00:08:11,490
just like we saw with HTTP before.

208
00:08:11,490 --> 00:08:12,360
And if I go over here,

209
00:08:12,360 --> 00:08:14,149
I can see that layer seven now is added

210
00:08:14,149 --> 00:08:17,029
and I get different information for that.

211
00:08:17,029 --> 00:08:20,994
If I go through and right click it and follow that stream.

212
00:08:20,994 --> 00:08:22,653
Let's see what we get this time.

213
00:08:24,120 --> 00:08:24,953
There we go.

214
00:08:24,953 --> 00:08:28,590
So what we're seeing is the person and their session

215
00:08:28,590 --> 00:08:31,103
when they tried to connect to a Telnet server.

216
00:08:31,103 --> 00:08:35,851
So what you see in blue is what the server sent back.

217
00:08:35,851 --> 00:08:37,620
So when they connected the server said,

218
00:08:37,620 --> 00:08:39,732
Hey, I'm an OpenBSD server.

219
00:08:39,732 --> 00:08:41,232
Log in.

220
00:08:41,232 --> 00:08:46,072
What the person did was they typed F-A-K-E,

221
00:08:46,072 --> 00:08:48,210
which you can see is red.

222
00:08:48,210 --> 00:08:50,149
That's what the user sent to the server.

223
00:08:50,149 --> 00:08:51,748
And the blue is what the server displayed on the screen,

224
00:08:51,748 --> 00:08:53,761
which was F-A-K-E.

225
00:08:53,761 --> 00:08:56,033
So their username was fake.

226
00:08:56,033 --> 00:08:57,931
Then it asked for their password,

227
00:08:57,931 --> 00:09:00,758
and the user typed in user.

228
00:09:00,758 --> 00:09:04,252
So their username is fake and their password is user.

229
00:09:04,252 --> 00:09:06,583
At this point, they were able to log into the server

230
00:09:06,583 --> 00:09:07,775
and start running commands.
231
00:09:07,775 --> 00:09:09,754
They run the ls command,

232
00:09:09,754 --> 00:09:11,467
which if you remember from A+,

233
00:09:11,467 --> 00:09:13,140
on a Unix system,

234
00:09:13,140 --> 00:09:15,493
it's going to list the contents of a directory.

235
00:09:15,493 --> 00:09:18,360
And then they did it again, ls -a,

236
00:09:18,360 --> 00:09:20,575
they wanted to see it going across the side.

237
00:09:20,575 --> 00:09:22,950
And you saw this is what came back.

238
00:09:22,950 --> 00:09:25,020
This is the list of directories.

239
00:09:25,020 --> 00:09:26,655
Then they tried to run a program.

240
00:09:26,655 --> 00:09:31,309
/sbin/ping www.yahoo.com,

241
00:09:31,309 --> 00:09:33,780
and that is showing that they tried to do a ping

242
00:09:33,780 --> 00:09:36,214
from this Telnet server out to yahoo.com

243
00:09:36,214 --> 00:09:38,453
and they received this information back.

244
00:09:38,453 --> 00:09:40,161
Now we're seeing the entire conversation.

245
00:09:40,161 --> 00:09:42,060
We're seeing both halves.

246
00:09:42,060 --> 00:09:42,893
But if I wanted to see

247
00:09:42,893 --> 00:09:45,448
just what one person sent to the other,

248
00:09:45,448 --> 00:09:47,274
I can see the server side.

249
00:09:47,274 --> 00:09:49,110
It's a lot easier to read, right?

250
00:09:49,110 --> 00:09:50,400
But now I don't see that password.

251
00:09:50,400 --> 00:09:53,010
I don't see the commands that got sent over.

252
00:09:53,010 --> 00:09:56,170
When I go here and I switch it over to the client side,

253
00:09:56,170 --> 00:09:57,909
this is what they typed in.

254
00:09:57,909 --> 00:09:59,928
I can see that they typed in user,

255
00:09:59,928 --> 00:10:01,500
which was their password,

256
00:10:01,500 --> 00:10:02,925
fake, which was their username.

257
00:10:02,925 --> 00:10:06,008
And then the commands, the list command, the list all,

258
00:10:06,008 --> 00:10:11,008
and the /sbin/ping www.yahoo.com and then exit.
259
00:10:11,573 --> 00:10:13,664
So you can see how this is useful

260
00:10:13,664 --> 00:10:15,768
where we can start digging into this stuff.

261
00:10:15,768 --> 00:10:18,099
If you go on furthering your career with CompTIA

262
00:10:18,099 --> 00:10:20,910
and you go to your cybersecurity analyst training

263
00:10:20,910 --> 00:10:22,309
or your PenTest+ training,

264
00:10:22,309 --> 00:10:24,407
you'll get very familiar with Wireshark

265
00:10:24,407 --> 00:10:26,543
and be able to dig in and grab this information

266
00:10:26,543 --> 00:10:27,815
from the wire.

267
00:10:27,815 --> 00:10:29,167
Now, again, like I said,

268
00:10:29,167 --> 00:10:31,115
this video is a little bit beyond the scope

269
00:10:31,115 --> 00:10:34,110
of what you need to know for the Network Plus exam.

270
00:10:34,110 --> 00:10:36,240
But hopefully I've whetted your appetite

271
00:10:36,240 --> 00:10:37,073
where you're really interested

272
00:10:37,073 --> 00:10:38,947
in being able to learn more about Wireshark

273
00:10:38,947 --> 00:10:40,627
and be able to learn how you can use this

274
00:10:40,627 --> 00:10:42,251
both as a network technician,

275
00:10:42,251 --> 00:10:44,905
be able to see where the breakdown in communication is,

276
00:10:44,905 --> 00:10:47,462
whether it's layer two, layer three, layer four,

277
00:10:47,462 --> 00:10:52,001
or layer seven, or using it more from the defense side

278
00:10:52,001 --> 00:10:53,707
with cybersecurity analysts

279
00:10:53,707 --> 00:10:55,516
going through these packets and figuring out

280
00:10:55,516 --> 00:10:57,990
what did the bad guy do on your system.

281
00:10:57,990 --> 00:10:59,766
Because you'll be able to see what the bad guy did

282
00:10:59,766 --> 00:11:01,526
because it's capturing everything,

283
00:11:01,526 --> 00:11:04,211
both the server side and the client side.
284
00:11:04,211 --> 00:11:05,947
Or if you're using it for PenTest+,

285
00:11:05,947 --> 00:11:07,520
if you got this type of data,

286
00:11:07,520 --> 00:11:10,596
you now have access to that person's username and password

287
00:11:10,596 --> 00:11:13,800
that you can use as a follow-on in your pen test.

288
00:11:13,800 --> 00:11:15,211
So I hope you enjoyed this video.

289
00:11:15,211 --> 00:11:17,350
Now let's get back to Network Plus.