1
00:00:00,590 --> 00:00:06,650
Packet analysis is the process of gathering traffic on the network, decoding it and dissecting the

2
00:00:06,650 --> 00:00:13,070
raw bits, and presenting it in human-readable format for analysis, as shown here.

3
00:00:13,100 --> 00:00:15,590
Gathering, decoding,

4
00:00:15,740 --> 00:00:18,140
displaying and analyzing.

5
00:00:18,720 --> 00:00:24,510
So regardless of the software used, there are four main phases of packet analysis,

6
00:00:24,660 --> 00:00:32,580
as I said in previous lectures, which are gather, decode, display and analyze.

7
00:00:32,730 --> 00:00:40,650
In this section we will review each of the phases, starting with the first step, which is gather, where we

8
00:00:40,650 --> 00:00:42,180
collect data from the network.

9
00:00:42,210 --> 00:00:46,050
So now let's go back to our Kali Linux.

10
00:00:46,260 --> 00:00:49,770
Actually, Wireshark is independent of the operating system.

11
00:00:49,770 --> 00:00:54,450
You can use Windows or macOS or any operating system

12
00:00:54,450 --> 00:00:58,030
you want that Wireshark supports.

13
00:00:58,050 --> 00:01:00,240
So now let's go to Kali.

14
00:01:00,270 --> 00:01:01,590
Here and here.

15
00:01:01,590 --> 00:01:03,120
Yes, perfect.

16
00:01:03,150 --> 00:01:05,130
Now open the

17
00:01:06,570 --> 00:01:07,280
one here.

18
00:01:07,290 --> 00:01:07,770
Yeah.

19
00:01:09,730 --> 00:01:13,420
So let's launch Wireshark.

20
00:01:13,450 --> 00:01:14,230
Wireshark.

21
00:01:14,230 --> 00:01:19,330
So when you launch Wireshark, a welcome screen displays a list of available network connections on

22
00:01:19,330 --> 00:01:20,860
your current device.

23
00:01:20,860 --> 00:01:28,360
And in most cases, you will have more than one interface.

24
00:01:28,360 --> 00:01:36,220
And to begin capturing immediately, you can select an active sparkline and begin capture.

25
00:01:36,550 --> 00:01:37,930
Now let's go to

26
00:01:39,060 --> 00:01:45,090
And you can also go to the Capture menu if you want and then go to Options here.

27
00:01:45,090 --> 00:01:47,460
So, capture options.

28
00:01:47,460 --> 00:01:49,670
So as you can see, there's also a shortcut.

29
00:01:49,690 --> 00:01:51,930
You can also click on the shortcut here.

30
00:01:51,930 --> 00:01:55,890
The same screen will open here.

31
00:01:55,890 --> 00:02:03,030
So now keep in mind that there are two key areas that will enable you to gather traffic,

32
00:02:03,330 --> 00:02:09,180
which are capturing in promiscuous mode and using a capture engine.

33
00:02:09,180 --> 00:02:14,940
So let's first discuss why it's important to enable promiscuous mode prior to capture.

34
00:02:15,120 --> 00:02:17,820
So, capturing in promiscuous mode.

35
00:02:17,850 --> 00:02:24,000
So when gathering traffic with Wireshark, you can capture on all interfaces; however, so that you can

36
00:02:24,000 --> 00:02:28,110
see all the traffic that is coming into the network interface card,

37
00:02:28,140 --> 00:02:36,930
make sure you select one of the following on the Input tab of the Capture Options

38
00:02:36,930 --> 00:02:37,860
dialog.

39
00:02:38,700 --> 00:02:45,720
So check the box next to the interface under the Promiscuous column header.

40
00:02:46,740 --> 00:02:51,570
So, as you can see, enable promiscuous mode on all interfaces.

41
00:02:52,220 --> 00:02:52,760
So.

42
00:02:54,520 --> 00:02:55,540
Uh, here.

43
00:02:56,300 --> 00:03:05,590
And secondly, you have to enable promiscuous mode on all interfaces,

44
00:03:05,630 --> 00:03:08,000
as you can see here.

45
00:03:08,180 --> 00:03:08,690
Right.

46
00:03:08,960 --> 00:03:19,130
So we also have the Output options, and we have the address of our Ethernet network and interfaces

47
00:03:19,250 --> 00:03:21,470
and so on.

48
00:03:22,340 --> 00:03:30,380
So as you can see here, as I said, firstly, you should make sure that this Promiscuous box

49
00:03:30,410 --> 00:03:31,370
is checked.

50
00:03:31,640 --> 00:03:38,240
So after choosing an interface to listen on and placing it in promiscuous mode, the interface gathers

51
00:03:38,270 --> 00:03:42,080
up the new traffic; just double-click on your interface.

52
00:03:42,080 --> 00:03:45,680
And here, as you can see, my interface is gathering new traffic.

53
00:03:45,680 --> 00:03:58,160
So if I go to some website like oxley.com, it will send us a bunch of requests and

54
00:03:58,160 --> 00:03:58,520
signals.

55
00:03:58,520 --> 00:03:59,030
Right.

56
00:03:59,480 --> 00:04:00,170
So.

57
00:04:01,810 --> 00:04:02,410
Here.

58
00:04:02,440 --> 00:04:04,210
This is our website also.

59
00:04:04,210 --> 00:04:13,150
So part of the effect of capturing traffic is having an appropriate packet capture (pcap) engine installed,

60
00:04:13,150 --> 00:04:17,530
and the pcap engine provides an application programming interface (API) that

61
00:04:18,580 --> 00:04:24,550
gathers traffic from the network so that it can be processed by the operating system.

62
00:04:24,640 --> 00:04:29,350
In this case, we will not install that for now.

63
00:04:29,440 --> 00:04:37,330
And first, let's learn about how to decode bits in Wireshark, which you will learn in the next lecture.