WEBVTT

0
00:02.070 --> 00:08.760
In this lecture I'll show you how to use Wireshark to sniff and analyze network packets.

1
00:08.910 --> 00:15.340
It captures packets in real time and displays them in human-readable format.

2
00:15.360 --> 00:19.690
Wireshark includes filters, protocol dissectors,

3
00:19.710 --> 00:27.510
color coding and many other features that let you dig deep into network traffic and inspect individual

4
00:27.510 --> 00:28.830
packets.

5
00:28.830 --> 00:35.430
Note that Wireshark is not a hacking tool. It’s used to monitor the interface of your own

6
00:35.430 --> 00:41.930
computer and capture and analyze the traffic that passes through that interface.

7
00:41.940 --> 00:49.620
In my opinion it is the most useful networking tool for learning how networks work and for troubleshooting

8
00:49.710 --> 00:51.320
network problems.

9
00:51.420 --> 00:53.910
Of course this is arguable!

10
00:53.910 --> 00:55.770
Let's get started!

11
00:55.770 --> 01:03.940
Wireshark is installed by default on many Linux distributions.
If it's not installed on Ubuntu or

12
01:03.970 --> 01:06.550
other Debian-based distributions

13
01:06.550 --> 01:11.680
you simply install Wireshark by executing: apt install wireshark.

14
01:15.990 --> 01:21.960
For Windows or Mac you simply download and install the corresponding version.

15
01:22.900 --> 01:24.630
I'm opening Wireshark.

16
01:27.440 --> 01:29.320
To be able to sniff traffic

17
01:29.390 --> 01:30.950
you should start it as root.

18
01:36.470 --> 01:39.680
To allow non-root users to capture packets

19
01:39.680 --> 01:48.730
you have to follow a special procedure described in this official help file. To start capturing

20
01:48.730 --> 01:50.820
packets on an interface

21
01:50.820 --> 01:57.220
you double-click the name of that interface in the capture section of the main screen.

22
01:57.510 --> 02:01.460
For example, I wanted to capture packets on eth0

23
02:01.470 --> 02:08.810
and it's capturing packets. Let's visit a website!

24
02:16.280 --> 02:16.750
Okay!

25
02:16.830 --> 02:19.560
And you see here all the captured packets.

26
02:22.910 --> 02:25.990
And I'm stopping capturing packets!

27
02:26.030 --> 02:31.830
Another way to start capturing packets is to go to Capture > Options,

28
02:31.910 --> 02:34.390
select the interface, click

29
02:34.400 --> 02:39.350
any other options, and Start, like this!

30
02:47.440 --> 02:55.290
In this window you can enable promiscuous mode on all interfaces or only on a specific interface.

31
02:55.420 --> 03:02.500
When a wired or wireless network card is in promiscuous mode, it can read all the received traffic rather

32
03:02.500 --> 03:06.920
than just packets addressed to it. At the moment

33
03:06.940 --> 03:11.440
Wireshark is capturing all the packets received on the interface.

34
03:13.950 --> 03:14.460
Let's

35
03:14.480 --> 03:16.310
generate some more traffic!

36
03:21.760 --> 03:29.350
When you want to stop capturing traffic click the red stop button near the top left corner of the window.

37
03:31.190 --> 03:36.600
You can see captured packets highlighted in a variety of different colors.

38
03:36.600 --> 03:43.070
Wireshark uses colors to help you identify the types of traffic at a glance.

39
03:43.140 --> 03:44.090
By default

40
03:44.100 --> 03:54.950
light purple is TCP traffic, light blue is UDP traffic, and black identifies packets with errors. To view

41
03:54.950 --> 03:58.210
exactly what the color codes mean,

42
03:58.280 --> 04:06.000
click View > Coloring Rules. You can customize and modify the coloring

43
04:06.010 --> 04:14.490
rules from here if you like. Let's have a look at Wireshark's main window! We notice it consists

44
04:14.610 --> 04:16.680
of three main parts:

45
04:16.920 --> 04:25.200
The packet list pane displays a summary of each packet captured. By clicking on packets

46
04:25.230 --> 04:33.670
in this pane you control what is displayed in the other two panes. The packet details pane, which displays

47
04:33.670 --> 04:42.010
the packet selected in the packet list pane in more detail. And the packet bytes pane, which displays the data from

48
04:42.010 --> 04:49.450
the packet selected in the packet list pane, and highlights the field selected in the packet details pane.

49
04:50.710 --> 04:57.580
Each line in the packet list corresponds to one captured packet. And if you select a line in this pane,

50
04:57.910 --> 05:04.170
more details will be displayed in the “Packet Details” and “Packet Bytes” panes.

51
05:04.170 --> 05:12.070
Now if you double click a line a new window pops up with details about that particular packet. In this

52
05:12.070 --> 05:18.730
example we are seeing information about the Ethernet header, like the source and destination

53
05:18.910 --> 05:23.060
MAC addresses, the IP header,

54
05:23.250 --> 05:28.410
these are the source and the destination IP addresses

55
05:28.410 --> 05:34.970
and finally information about the TCP header and application data.

56
05:35.070 --> 05:38.890
This one: HTTP-over-TLS.

57
05:39.030 --> 05:48.460
By the way this is an encrypted packet. Probably you have noticed that there is a lot of information. But

58
05:48.460 --> 05:56.840
if you want you can save the capture for later inspection. To save the capture to a file you press

59
05:56.870 --> 05:57.810
on control

60
05:57.830 --> 06:05.540
+ S like this, or go to File and then Save or Save As.

61
06:10.210 --> 06:17.610
Wireshark can save the packet data in more than one format. You should choose the correct format

62
06:17.610 --> 06:21.860
depending on how you want to open the file later.

63
06:21.880 --> 06:25.500
Other network analyzers use their own format.

64
06:25.560 --> 06:34.980
The most important formats are pcapng, this one, which is the native file format for the latest version

65
06:35.070 --> 06:44.150
of Wireshark and pcap format used by older versions of Wireshark but also by other well-known

66
06:44.400 --> 06:51.600
and widely used tools like tcpdump. Not all information will be saved in a capture file.

67
06:51.630 --> 07:00.660
For example, most file formats do not record the number of dropped packets; and I'm saving the capture

68
07:01.020 --> 07:02.550
as a pcap file.

69
07:08.940 --> 07:18.920
And I'm closing Wireshark. At a later time you can open the file with Wireshark or with other tools like

70
07:18.920 --> 07:22.270
tcpdump which is a command line tool.

71
07:25.440 --> 07:27.960
This is the file, the pcap file

72
07:27.960 --> 07:33.330
I've just saved, and I can open it with tcpdump like this:

73
07:45.340 --> 07:45.930
Okay!

74
07:45.990 --> 07:49.400
That's all about the basics of Wireshark!

75
07:49.430 --> 07:55.280
Take your time to understand how it works because Wireshark is really important for any networking

76
07:55.280 --> 08:03.050
engineer. In the next lecture we'll dive deeper into other advanced features of Wireshark, which are filters.