[00:00:10] Hello everyone and welcome to another video of expert malware analysis and reverse engineering. Continuing from our previous video, in this video we are going to give a quick introduction to Wireshark.

[00:00:21] So what is Wireshark? Wireshark is a network packet and protocol analyzer tool. It helps you in capturing the packets that are going in and out of your network, and you can basically dissect those packets and look at all the headers and the information that is basically contained in those packets. Wireshark is perhaps one of the best open source packet analyzers that is available today for Unix and Windows. It's used for network troubleshooting, analysis, software and communication protocol development, as well as education.

[00:00:52] Some intended purposes of Wireshark: well, it's used by network administrators to troubleshoot network problems. And it's also used by security analysts to uncover different security traits of infections on a system. Developers use it to debug protocol implementations. People use it to learn network protocol internals, and so on. Wireshark is not really an intrusion detection system. A lot of people have this misconception, but it's not really an intrusion detection system. All it does is that it basically gives you a replica of all the packets that are flowing into a network.

[00:01:31] So here is a quick system overview of Wireshark. Let's say you have the endpoint sitting here. So if we expand the diagram and if you look on the complete right-hand side, you'll see that there are four layers of the OSI model, and the first layer is the physical. So this is where your entry point or exit point to the network starts or ends, right. So if you look here on the left, this is the point which has been marked here. So the data gets in here and exits from here as well. So what Wireshark does is that it basically sits at the link level, where your Ethernet is present, the hardware Ethernet in your system. It sits here and it copies all the Ethernet frames that are sent and received. And it kind of creates a packet capture or a pcap file. So once the capture is done, the UI can then use a packet analyzer to display to you what it is. So everything here basically works along with the operating system. So once you have some kind of data coming in, let's say you go to Google.com, you will send the request out and then the response will come back in, all the way to your web browser. So once your request goes out it gets captured here, and once the response comes in it gets captured here as well. So the pcap will contain both the request and response bits that are going in and out of your network.

[00:03:04] So downloading and installing Wireshark is pretty straightforward: you can just go to wireshark.org and you can download it from there and get the latest version. Wireshark will install all the dependencies for you as well, so you don't really have to worry about those things. The last I checked, I don't think it gets installed with FLARE, but you can obviously check with your machine and see whether FLARE supports Wireshark or not. If not, you can easily download it from here, a much more updated version. And it's pretty straightforward: you just run the executable and you'll have Wireshark up and going on your machine.

[00:03:38] So once you are done with the installation part, once you launch Wireshark you'll see something similar to the image shown here. So there are a few basic pointers that I want to go through. So at the top, once the GUI starts, the top bar basically shows you the command menus. Then you'll see that there is a bar as well where you can type in. So this bar is your display filter, where you can apply different filters in order to look at specific traffic that has been captured by Wireshark. We will be going into much more detail about how the filter works. It's a very critical part of analyzing pcaps. So we will be doing a separate session completely on display filters and how to write your own filters to look at traffic and analyze what data is present in it.

[00:04:28] Then below here is the actual captured traffic. Once you apply some filters here, you see the result of the filter here. If you don't apply anything, you just see the entire capture of traffic. Then the details of the individual packets can be seen here, the details window. This is also a very important window where you can get much more details; you can drill down into the packet, for example if you see here. There is a drill-down of an HTTP request, so you can see all the HTTP headers here. For example, there is host information, there is User-Agent, there is encoding, connection, Referer, cookie, and all that information is present here, so you can go down to the repeated requests and look at each of the headers and see what information has been transferred. And lower down is the packet content in hexadecimal format. So you'll have both hex as well as ASCII representation here, so you can compare the data both at hex as well as ASCII level.

[00:05:29] Moving ahead. So once you launch Wireshark, it's very critical to make sure that you are capturing traffic from the right interface. So if you're connected with wireless internet, you have to make sure that you're capturing your wireless data; if you're connected with an Ethernet cable, you have to make sure that you capture that data on the Ethernet cable. So Wireshark makes it easy for you: once you launch Wireshark and once you go to Interfaces, the option that is shown here, if you click on Capture, Interfaces, it will show all the interfaces that exist on your machine and it will tell you which of those interfaces are active. So if you are using Wi-Fi, you will automatically see that the Wi-Fi interface will show you a graph which shows that OK, there is some live traffic going on, so you can just click on it and you can begin to capture. OK, so here I have an example of all the interfaces as well. So in this case you can see that there is a gigabit interface, and there are two VMware virtual Ethernet adapters as well, which didn't help me in capturing the traffic of my virtual machines. So if you can see, the Ethernet is having lots of packets going in and out. So I can just click on Start and it will begin capturing the packets for me.

[00:06:40] So the entire capture is basically split into two parts. One is the packet list panel. So this is basically the list of packets in the current capture, and they are all color-coded, so Wireshark uses a lot of color codes to denote different packets; for example, for HTTP it will use green color, for DNS it will use grey color, and so on. So that's the packet list panel. Then you have the packet details panel, where you have all the details of each packet, or you can just select one packet and it will give you much more details; you can drill down pretty much like what we saw in the previous slide. Then there is a packet bytes panel as well, which shows you the packet bytes in hex and ASCII.

[00:07:24] So here is a snapshot of what I was mentioning in the previous slide. You have a packet list panel where you have all the packets, which are color-coded, so you can see that there are green ones for HTTP, for TCP. And there are grey ones. There are blue ones for UDP. So that's how Wireshark intelligently creates color codings to make sure that they're able to separate different protocols based on colors as well, so that it's easy for you to interpret them. And you have the packet details panel, where you can drill down to the individual packet that you select here. And at last you have the packet bytes panel, which basically gives you the hex and ASCII representation of the packet bytes.

[00:08:11] So once you are done with capturing the data, never forget to just click on the Stop button so that it stops the packet capture. Otherwise it will just keep going on and on forever. So make sure that you click on the Stop button so that it can stop your packet capture, and then you can just go ahead and save it as a pcap file; you can transfer it to someone else who wants to look at the pcap, and you can use it as evidence for whatever type of examination you are doing.

[00:08:38] So this was a brief introduction to Wireshark. In the later videos we are going to do a demo on how we can capture with Wireshark, and then we will see into analyzing suspicious or malicious traffic using Wireshark. That's it for this video. Thanks a lot guys.