1
00:00:00,650 --> 00:00:09,330
A five-tuple refers to a set of five different values that are used to analyze security events. It includes

2
00:00:09,330 --> 00:00:18,440
a source IP address and port number, destination IP address and port number, and the protocol used. In

3
00:00:18,450 --> 00:00:25,140
this example the top host had IP address and zeroed out one to allow even use source port.

4
00:00:25,230 --> 00:00:33,240
Sixty-five thousand one, TCP protocol as its transport, with the destination IP address of 10.0 not

5
00:00:33,260 --> 00:00:40,040
one to 12 and destination port of 445.

6
00:00:40,860 --> 00:00:47,430
Let's take a look at a couple of examples of how you could find your five-tuple information for connections

7
00:00:47,430 --> 00:00:50,510
between hosts.

8
00:00:50,540 --> 00:00:57,630
So here I am in Wireshark, and let's say that I was investigating an issue with an endpoint.

9
00:00:57,770 --> 00:01:00,850
So I wanted to correlate five-tuple information.

10
00:01:00,890 --> 00:01:03,770
I could easily do so from here.

11
00:01:03,770 --> 00:01:11,060
So let's say I wanted to find out information for this connection from my PC to this destination address.

12
00:01:11,270 --> 00:01:14,640
I could just double click on that connection.

13
00:01:14,960 --> 00:01:18,140
I can see the source and destination IP addresses.

14
00:01:18,140 --> 00:01:26,000
I can see the transport protocol was TCP, as well as a source port number and destination port number,

15
00:01:27,730 --> 00:01:37,590
and another useful place to know how to find five-tuple information is from a firewall log. I am in the lab

16
00:01:37,590 --> 00:01:39,010
with a Cisco firewall.

17
00:01:39,210 --> 00:01:42,450
There are a few different ways you can find your five-tuple information.

18
00:01:42,750 --> 00:01:46,660
What I like to do is run the command show connection detail

19
00:01:50,370 --> 00:01:58,950
and here you have a nice summary of all your connections as well as your IP address information, transport

20
00:01:58,950 --> 00:02:04,410
protocol and port numbers.

21
00:02:04,440 --> 00:02:09,950
So if I wanted to drill down into a suspicious connection, let's say regarding this IP address,

22
00:02:12,690 --> 00:02:18,450
I could just filter to that destination to collect five-tuple information.