WEBVTT

0
00:01.180 --> 00:06.850
In the last lecture we've seen how useful Wireshark is for troubleshooting network problems or

1
00:06.850 --> 00:09.590
isolating security incidents.

2
00:09.610 --> 00:17.290
Unfortunately, the amount of information you will get when capturing packets can be overwhelming.

3
00:17.560 --> 00:25.440
Capturing so many packets means that you will end up seeing a huge number of packets. Thankfully,

4
00:25.460 --> 00:32.930
Wireshark allows us to quickly filter all that data, so you only see the parts you’re interested

5
00:32.930 --> 00:39.280
in, like a certain IP source or destination address, TCP port and so on.

6
00:40.320 --> 00:45.420
The filtering capabilities of Wireshark are very comprehensive.

7
00:45.540 --> 00:49.860
You can filter on just about any field of any protocol.

8
00:50.110 --> 01:01.320
Let's start Wireshark and then capture on the eth0 interface, on this interface. As root

9
01:01.450 --> 01:02.320
I'm starting

10
01:02.320 --> 01:03.040
Wireshark.

11
01:08.940 --> 01:09.410
Now

12
01:09.440 --> 01:11.750
Wireshark keeps capturing data.

13
01:13.070 --> 01:24.560
And I'm generating some traffic. I'm refreshing a web page to generate some HTTPS or HTTP traffic. I'm

14
01:24.570 --> 01:34.950
using the dig command to generate DNS traffic and I'll ping a random IP address, like, say, the DNS server

15
01:35.100 --> 01:36.080
of Google.

16
01:41.020 --> 01:48.430
The most basic way to apply a filter is by typing the name of the protocol you want to see in the filter

17
01:48.430 --> 01:53.980
box at the top of the window and clicking apply or pressing enter.

18
01:53.980 --> 01:59.940
When you start typing, Wireshark will help you autocomplete your filter.

19
02:00.050 --> 02:06.110
For example, I'm typing DNS and I'm seeing only DNS traffic.

20
02:07.610 --> 02:18.370
Or icmp, and it's displaying only ICMP packets; the ping is still running. We can see the packets in real

21
02:18.370 --> 02:18.780
time.

22
02:20.030 --> 02:23.030
That's a very basic filter.

23
02:23.070 --> 02:31.980
You can also click Analyze > Display Filters to choose a filter from among the default filters included

24
02:32.070 --> 02:41.290
in Wireshark. I'm removing the filter and I'm stopping the capture. Another interesting thing you can

25
02:41.290 --> 02:47.110
do is right-click a packet and select Follow > TCP Stream.

26
02:49.190 --> 02:57.590
You'll see the full TCP conversation between the client and the server. This gibberish is encrypted data.

27
03:00.160 --> 03:04.710
Notice that the filter has been applied automatically.

28
03:04.710 --> 03:13.720
Wireshark is showing you the packets that make up the conversation, that HTTPS conversation. Let's

29
03:13.800 --> 03:24.180
continue with some of my preferred filters; for example ip.addr == and an IP address.

30
03:26.460 --> 03:34.890
That sets a filter for any packet that has that IP address as the source or the destination IP address.

31
03:34.890 --> 03:40.340
This is very useful if you want to analyze specific traffic.

32
03:40.420 --> 03:47.650
You can also use the not-equals operator, which is an exclamation mark and an equal sign, to negate

33
03:47.680 --> 03:49.480
the filter, like this:

34
03:52.330 --> 04:01.240
We are seeing all packets that do not have that IP address as source or destination address; or you

35
04:01.240 --> 04:07.610
can use ip.dst to filter only by destination or

36
04:07.620 --> 04:19.480
ip.src to filter by source, like this: == let's say 104.16.121.

37
04:19.480 --> 04:23.760
145

38
04:23.980 --> 04:28.330
We are seeing only the packets sent to that destination.

39
04:29.270 --> 04:35.990
And you can use tcp.port and udp.port to filter by ports.

40
04:35.990 --> 04:43.780
For example, I want to see only packets to or from port 443, which is

41
04:43.820 --> 04:44.270
HTTPS.

42
04:48.540 --> 04:54.640
And you can add the logical AND operator, which is &&, to add

43
04:54.660 --> 05:00.360
another condition, like, say, I want to see packets to port 443 if

44
05:00.660 --> 05:10.010
the destination IP address is a specific one, like this: && ip.dst==

45
05:10.620 --> 05:15.420
and let's take this IP address, the one that starts with 18

46
05:19.310 --> 05:27.660
That's the filter. Or I could see only TCP packets that initialize a new connection and have the SYN

47
05:27.660 --> 05:39.330
flag set: tcp.flags.syn==1
These are all packets that have the SYN flag set.

48
05:41.680 --> 05:50.050
Or if you do not want to see packets of some protocols and want to negate them, you use an exclamation

49
05:50.050 --> 05:54.530
mark and a pair of parentheses to group the protocols.

50
05:54.790 --> 06:09.470
For example, !(arp or icmp or dns)
It won't display packets of these protocols. And the last filter I'm

51
06:09.480 --> 06:15.590
going to show you is frame contains and a word, like: frame contains medium

52
06:20.430 --> 06:24.930
It's displaying all packets that contain the word "medium".

53
06:28.370 --> 06:35.980
You see, there is the word "medium" in each packet; this is excellent when searching for a specific

54
06:35.980 --> 06:45.000
string, username or password. Wireshark is an extremely powerful tool and these lectures have just scratched

55
06:45.060 --> 06:47.450
the surface of what it can do.

56
06:47.730 --> 06:54.600
Network engineers use it to troubleshoot networks, examine security problems or deeply understand how

57
06:54.630 --> 07:02.990
network protocols work. You can find more detailed information on the official website.