1 00:00:01,220 --> 00:00:06,750 Surprisingly, capturing useful traffic can be a challenging aspect of protocol analysis.
2 00:00:07,430 --> 00:00:13,430 This lecture, and actually this whole section of our course,
3 00:00:15,200 --> 00:00:21,410 describes two different capture techniques: passive capture techniques and active capture techniques.
4 00:00:22,070 --> 00:00:25,280 Passive capture doesn't directly interact with the traffic.
5 00:00:25,460 --> 00:00:35,210 Instead, it extracts the data as it travels on the wire, which should be familiar from tools, for
6 00:00:35,210 --> 00:00:39,380 example, like Wireshark.
7 00:00:41,920 --> 00:00:42,520 Wireshark.
8 00:00:43,480 --> 00:00:44,080 Supports.
9 00:00:46,370 --> 00:00:46,730 So.
10 00:00:48,170 --> 00:00:54,860 Now, you will find different applications provide different mechanisms, which have their own advantages
11 00:00:55,010 --> 00:01:04,700 and disadvantages, to capture the traffic. Active capture interferes with traffic between a client
12 00:01:04,700 --> 00:01:06,500 application and the server.
13 00:01:06,830 --> 00:01:11,450 This has great power but can cause some complications.
14 00:01:12,020 --> 00:01:18,530 You can think of active capture in terms of proxies or even a man-in-the-middle attack.
15 00:01:19,370 --> 00:01:25,910 So let's look at both active and passive capture in more depth.
16 00:01:26,630 --> 00:01:30,860 Let's get started with passive network traffic capture.
17 00:01:31,310 --> 00:01:36,290 So now I want to draw some diagrams.
18 00:01:41,170 --> 00:01:41,530 Here.
19 00:01:45,360 --> 00:01:48,060 Let's create some diagrams here.
20 00:01:49,300 --> 00:01:55,590 So we need actually two computers, two computers here.
21 00:01:56,380 --> 00:02:04,180 This is the first one, here, actually here.
22 00:02:04,720 --> 00:02:07,370 And one server.
23 00:02:13,190 --> 00:02:13,660 So.
24 00:02:17,980 --> 00:02:27,560 For example, let's make this the server here, and we just need another one.
25 00:02:27,820 --> 00:02:30,820 Here, for example, like this.
26 00:02:35,160 --> 00:02:35,460 If.
27 00:02:41,400 --> 00:02:44,400 And this is, this is our server here.
28 00:02:45,240 --> 00:02:52,350 Server, and, for example, a packet capture device.
29 00:02:52,350 --> 00:02:53,430 This is the attacker.
30 00:02:54,770 --> 00:02:59,420 And this is the client, the client application.
31 00:03:00,940 --> 00:03:01,480 Target.
32 00:03:03,510 --> 00:03:07,400 Let me get this here and then.
33 00:03:08,940 --> 00:03:12,990 We will connect it here, like here.
34 00:03:14,900 --> 00:03:17,600 And we will do this by the rational one.
35 00:03:19,150 --> 00:03:20,830 And two.
36 00:03:22,680 --> 00:03:24,240 Here and.
37 00:03:25,590 --> 00:03:26,100 One.
38 00:03:26,970 --> 00:03:27,450 Two.
39 00:03:30,680 --> 00:03:31,670 Lastly, here.
40 00:03:32,660 --> 00:03:34,100 Connect this to the server.
41 00:03:35,700 --> 00:03:44,250 So passive capture is relatively easy to conduct; it doesn't typically require any specialist hardware,
42 00:03:44,580 --> 00:03:49,110 nor do you usually need to write your own code, so you don't need to.
43 00:03:49,200 --> 00:03:52,500 There are so many programs like Wireshark.
44 00:03:53,760 --> 00:04:02,340 In this figure, I illustrated the common scenario: a client application and server communicating
45 00:04:02,700 --> 00:04:12,000 via Ethernet over the network. So passive network capture can take place either on the network, by
46 00:04:12,870 --> 00:04:21,600 tapping the traffic as it passes in some way, or by sniffing directly on either the client or server
47 00:04:21,600 --> 00:04:22,110 host.
48 00:04:23,010 --> 00:04:23,400 So.
49 00:04:24,430 --> 00:04:28,480 You know, in this lecture, actually, we will use Wireshark here.
50 00:04:28,810 --> 00:04:30,430 Let me tell you.
51 00:04:31,900 --> 00:04:32,390 Here it is.
52 00:04:33,940 --> 00:04:38,020 We will use Wireshark to make,
53 00:04:40,430 --> 00:04:42,070 passive, actually,
54 00:04:42,800 --> 00:04:44,180 yes, a passive capture.
55 00:04:49,050 --> 00:04:49,320 Yeah.
56 00:04:59,540 --> 00:04:59,860 Oops!
57 00:05:08,990 --> 00:05:11,630 So let's open Wireshark here.
58 00:05:22,710 --> 00:05:28,500 So Wireshark is perhaps the most popular packet sniffing application available.
59 00:05:28,860 --> 00:05:35,340 It's cross-platform and easy to use, and it comes with many built-in protocol analysis features.
60 00:05:36,930 --> 00:05:43,110 In the next lectures, you will learn how to write dissectors to aid in protocol analysis.
61 00:05:43,230 --> 00:05:51,660 But for now, let's use Wireshark to capture IP traffic from the network. To capture traffic from
62 00:05:51,660 --> 00:05:59,480 an Ethernet interface, wired or wireless, the capturing device must be in
63 00:05:59,790 --> 00:06:01,170 promiscuous mode.
64 00:06:01,470 --> 00:06:09,390 So a device in promiscuous mode receives and processes any Ethernet frame it sees, even if that frame
65 00:06:09,390 --> 00:06:11,910 wasn't destined for that interface.
66 00:06:12,460 --> 00:06:16,890 Capturing an application running on the same computer is easy.
67 00:06:16,980 --> 00:06:24,060 So just monitor the outbound network interface or the local loopback interface, better known as localhost.
68 00:06:25,830 --> 00:06:33,060 So otherwise you might need to use networking hardware, such as a hub, or configure a switch to ensure traffic
69 00:06:33,060 --> 00:06:36,720 is sent to your network interface.
70 00:06:38,070 --> 00:06:39,660 As you can see here,
71 00:06:39,950 --> 00:06:48,570 let's start capturing here. I will select the Ethernet interface here.
72 00:06:52,030 --> 00:06:53,380 And let's open a browser.
73 00:06:56,210 --> 00:06:58,190 Let's go to coliforms.
74 00:07:03,960 --> 00:07:07,620 So now, as you can see here, we have traffic.
75 00:07:09,330 --> 00:07:09,660 So.
76 00:07:10,830 --> 00:07:17,130 There are three main, there are three main windows, as you can see here.
77 00:07:17,760 --> 00:07:21,180 So in the window, the top part is this area.
78 00:07:21,180 --> 00:07:32,690 Here is the area, this area hosts a timeline of the raw packets captured off the
79 00:07:32,700 --> 00:07:33,180 network.
80 00:07:33,540 --> 00:07:37,950 So the timeline provides a list of sources, as you can see here.
81 00:07:38,610 --> 00:07:46,350 This provides a list of source and destination IP addresses, as well as the decoded protocol
82 00:07:46,350 --> 00:07:47,640 summary information.
83 00:07:49,020 --> 00:07:53,250 Here, let's pause this, so.
84 00:07:53,310 --> 00:07:57,990 And this area here, this area provides.
85 00:07:59,670 --> 00:08:06,750 This area provides a dissected view of the packets, separated into distinct protocol layers that correspond
86 00:08:06,960 --> 00:08:12,720 to the OSI network stack model.
87 00:08:13,020 --> 00:08:15,360 And lastly, this area here.
88 00:08:16,450 --> 00:08:22,330 This area here shows the captured packet in its raw form.
89 00:08:22,960 --> 00:08:30,340 So the TCP/IP network protocol is stream based and designed to recover from dropped packets or data
90 00:08:30,340 --> 00:08:34,570 corruption. Due to the nature of networks and IP,
91 00:08:34,990 --> 00:08:39,430 there is no guarantee that packets will be received in a particular order.
92 00:08:39,730 --> 00:08:46,720 Therefore, when you are capturing packets, the timeline view might be difficult to interpret.
93 00:08:47,500 --> 00:08:54,670 Fortunately, Wireshark offers dissectors for known protocols that will normally reassemble the entire
94 00:08:54,670 --> 00:08:57,820 stream and provide all the information in one place.
95 00:08:58,210 --> 00:09:05,350 For example, highlight a packet in a TCP connection in the traffic timeline and select Analyze,
96 00:09:05,530 --> 00:09:13,930 Follow, TCP, TCP Stream, actually.
97 00:09:14,110 --> 00:09:14,740 Analyze.
98 00:09:20,970 --> 00:09:21,450 Near.
99 00:09:24,830 --> 00:09:26,390 TCP Stream, as you can see here.
100 00:09:31,470 --> 00:09:36,630 You can have, they could, you can record this and
101 00:09:38,830 --> 00:09:40,930 applications and features like that.
102 00:09:42,480 --> 00:09:42,870 So.
103 00:09:49,390 --> 00:09:49,750 You're.
104 00:09:55,440 --> 00:09:56,700 Here, as you can see it.
105 00:10:00,310 --> 00:10:01,480 And see, this is the packet.
106 00:10:01,990 --> 00:10:04,870 This is the raw form, and this is the analyzed one here.
107 00:10:12,420 --> 00:10:20,970 I selected Follow Stream, and you can see here, we can see the stream, with the stream flow and which order
108 00:10:21,150 --> 00:10:21,750 it was sent in.
109 00:10:23,110 --> 00:10:29,170 So actually, for whatever protocols we have a dissector for, Wireshark can decode the stream and
110 00:10:29,170 --> 00:10:31,990 present it in an easy-to-view dialog.
111 00:10:33,490 --> 00:10:39,370 And Wireshark is a comprehensive tool, and covering all of its features is beyond the scope of this
112 00:10:39,370 --> 00:10:39,800 course.
113 00:10:40,150 --> 00:10:42,880 If you are not familiar with it, obtain a good reference.
114 00:10:43,280 --> 00:10:50,080 And you can actually watch videos on YouTube about Wireshark.
115 00:10:50,590 --> 00:10:57,910 There are books written about Wireshark, because Wireshark is so big and comprehensive, a comprehensive
116 00:10:57,910 --> 00:11:02,680 tool; covering all of its features,
117 00:11:02,920 --> 00:11:08,450 we can't do that, because we would need at least five or six hours of content.
118 00:11:09,610 --> 00:11:17,350 So this is just an intermediate Wireshark course, an intermediate Wireshark section.