1
00:00:10,600 --> 00:00:15,940
Hello everyone and welcome to another video of the course. In this video we are going to talk a bit more

2
00:00:15,940 --> 00:00:17,780
about Wireshark display filters.

3
00:00:17,980 --> 00:00:24,620
And once we get a basic understanding of how they work, we'll move on to the exercises where we

4
00:00:24,620 --> 00:00:28,220
can start working with packet captures and applying those filters.

5
00:00:28,240 --> 00:00:30,810
So what exactly is a Wireshark display filter?

6
00:00:31,010 --> 00:00:35,610
So filters let you look at specific traffic.

7
00:00:35,650 --> 00:00:41,410
For example, if you only want to look at all the DNS requests that you have made and you don't want to

8
00:00:41,410 --> 00:00:48,310
look at the HTTP requests, you can apply a DNS filter so that Wireshark will only show you all the DNS

9
00:00:48,310 --> 00:00:51,270
traffic that has been captured for the given session.

10
00:00:51,280 --> 00:00:57,880
So this is what filters do for you. They're basically post-filters: once you have the packet capture

11
00:00:58,120 --> 00:01:05,620
you can apply those filters to that capture and see the results. Or if, let's say, you are only interested in

12
00:01:05,980 --> 00:01:09,280
looking at live DNS requests, you can start a live capture.

13
00:01:09,280 --> 00:01:17,380
You can apply the filter and the GUI will only show you the packets that get matched by the filters.

14
00:01:17,380 --> 00:01:25,120
One thing to keep in mind is that the filter only filters out the traffic; it doesn't delete the remaining

15
00:01:25,120 --> 00:01:28,350
part of the capture. The remaining capture still remains.

16
00:01:28,420 --> 00:01:34,360
It's just that the display filter kind of narrows down to the specific requests that you have made using

17
00:01:34,360 --> 00:01:40,600
the filters. So the display filters have their own format and they're much more powerful than the capture

18
00:01:40,620 --> 00:01:42,790
filters.
19
00:01:42,870 --> 00:01:47,790
So in the previous video we saw where the display filter location is in the UI.

20
00:01:47,900 --> 00:01:56,240
So you can see that there will be a filter tab there; you can just provide your display filter, and the

21
00:01:56,780 --> 00:01:58,230
display panel here

22
00:01:58,340 --> 00:02:02,520
basically lists the result of the filter that you have applied.

23
00:02:02,540 --> 00:02:08,850
So the most basic way is to just write the name of any protocol that you want to see.

24
00:02:08,850 --> 00:02:16,100
For example, if you want to look at DNS traffic you can just enter DNS and press enter, and it will only

25
00:02:16,310 --> 00:02:21,860
show you all the DNS requests that have been made by your machine.

26
00:02:21,860 --> 00:02:27,910
Similarly you can pass TCP, UDP and so on to look at specific captures of data,

27
00:02:30,740 --> 00:02:35,130
so Wireshark display filters have a very specific format here.

28
00:02:35,150 --> 00:02:40,160
I have broken a filter into its specific sections.

29
00:02:40,370 --> 00:02:42,400
So first you provide the protocol.

30
00:02:42,590 --> 00:02:50,360
For example, here I'm providing HTTP, and then you can put a dot, and then you've got different strings.

31
00:02:50,360 --> 00:02:54,260
For example, string one is dest and string two is ip.

32
00:02:54,410 --> 00:02:57,220
And then you can pass the comparison operator.

33
00:02:57,220 --> 00:02:58,880
What do you want to look at?

34
00:02:58,880 --> 00:03:00,830
Do you want to look at a specific IP?

35
00:03:00,830 --> 00:03:04,270
Do you want to look at conditional matching and things like that?

36
00:03:04,370 --> 00:03:11,310
For example, in this case I want to get a specific match for IP address 1.2.3.4.

37
00:03:11,540 --> 00:03:18,560
And then you can further add logical operators and you can add more expressions going forward.
38
00:03:18,680 --> 00:03:24,950
You can either end right here at the value once you feel that okay, this is the only data that you need

39
00:03:25,180 --> 00:03:27,170
and this should be your filter.

40
00:03:27,170 --> 00:03:33,710
For example, let's say you only want to look at IP 1.2.3.4, then you could just have this much

41
00:03:33,850 --> 00:03:41,920
data provided and you get your results, and you can keep on expanding the filters by just

42
00:03:41,970 --> 00:03:42,690
concatenating,

43
00:03:42,800 --> 00:03:44,360
following this particular logic.

44
00:03:44,360 --> 00:03:50,740
So this was how the display filters are arranged by Wireshark.

45
00:03:50,820 --> 00:03:57,180
So if the filter that you have provided, for example the one here checking for a value equal to 100,

46
00:03:57,600 --> 00:04:05,370
is correct, then in Wireshark you can see that the bar turns to green color, which means

47
00:04:05,430 --> 00:04:11,520
that it's the correct syntax, and if the bar remains red in color it means that your syntax is wrong

48
00:04:11,520 --> 00:04:16,520
and probably you might have to look for the right way of writing the filter.

49
00:04:16,530 --> 00:04:24,240
So this is a very good indication right after the filter itself that you have provided, so that you don't

50
00:04:24,240 --> 00:04:29,570
really have to run it and then wait for wrong results and then say that oh, your filter was wrong.

51
00:04:29,790 --> 00:04:36,050
So it kind of runs a static check in itself and it tells you whether your filter is correct or not.

52
00:04:36,060 --> 00:04:41,180
So it's basically checking the syntax. If your syntax is correct then it's obviously going to be green.

53
00:04:41,250 --> 00:04:42,720
If the syntax is wrong it will

54
00:04:42,720 --> 00:04:44,280
turn to red.

55
00:04:44,280 --> 00:04:46,230
So here is a pro tip for you guys.

56
00:04:46,290 --> 00:04:50,420
There is an excellent cheat sheet that has been created by packetlife.net.
57
00:04:50,490 --> 00:04:58,020
It has all the important Wireshark display filters in this one single PDF which you can obviously

58
00:04:58,020 --> 00:05:01,620
refer back to whenever you are working with Wireshark.

59
00:05:01,680 --> 00:05:07,240
I have also attached this PDF as a resource for you with this video.

60
00:05:07,260 --> 00:05:10,720
You can go to the resources section and you can download it from there.

61
00:05:10,950 --> 00:05:13,830
And this is really, really handy.

62
00:05:13,830 --> 00:05:20,340
And we will be looking at some of the malicious pcaps in the later videos. The other important

63
00:05:20,340 --> 00:05:23,790
thing that I want to bring up is the follow stream option in Wireshark.

64
00:05:23,970 --> 00:05:31,860
So if, let's say, you are collecting a bunch of streams. Let's say you are using your browser to visit

65
00:05:31,920 --> 00:05:36,880
all kinds of sites and at a given time you will visit different websites.

66
00:05:37,050 --> 00:05:42,950
If you look at the pcap it will have all the packets that have been captured at any given time, and

67
00:05:42,950 --> 00:05:50,130
it will not have a serial capture display. For example, if you are visiting google.com and

68
00:05:50,280 --> 00:05:53,460
at the same time you visit CNN.com as well,

69
00:05:53,530 --> 00:05:54,440
then the packet capture

70
00:05:54,450 --> 00:06:01,350
will have all those packets displayed in all the random sequences: there will be a request to Google,

71
00:06:01,350 --> 00:06:07,610
all of a sudden there will be a request to CNN, and the response will be the response from CNN, and so on.

72
00:06:07,740 --> 00:06:13,120
So what do you do if you, let's say, only want to look at the traffic that correlates with google.com?

73
00:06:13,220 --> 00:06:15,920
That's where follow TCP stream comes into the picture.

74
00:06:16,020 --> 00:06:20,280
So let's say you see that OK, I have sent a request to google.com.
75
00:06:20,280 --> 00:06:22,430
I want to see what response came back.

76
00:06:22,430 --> 00:06:28,500
You can just right click on it and you can go to follow stream, and it will basically show you the entire

77
00:06:28,500 --> 00:06:37,380
stream of data. Here the red marked text is basically the request that you sent and the blue part is

78
00:06:37,380 --> 00:06:39,650
the response that you got back from the server.

79
00:06:39,750 --> 00:06:45,660
So this is what follow stream helps you with. It kind of aggregates the entire communication into

80
00:06:45,660 --> 00:06:52,820
a single window so that it becomes easy for you. Then, similarly, saving packet captures: you can just click

81
00:06:52,820 --> 00:06:58,970
on File and you can just click on Save As, or you can export it into various different formats that are

82
00:06:58,970 --> 00:07:02,550
supported by Wireshark and other packet capturing tools as well.

83
00:07:02,960 --> 00:07:09,920
It's always advisable to keep a copy of your packet capture because this is important and critical

84
00:07:09,920 --> 00:07:15,500
evidence for your forensics and analysis work.

85
00:07:15,520 --> 00:07:19,660
So there is another handy option in Wireshark called Statistics.

86
00:07:20,020 --> 00:07:26,170
If you have a packet capture with you, you can just go to Wireshark Statistics. It gives you information

87
00:07:26,170 --> 00:07:32,590
about what kind of packets have been captured by Wireshark. It will analyze the entire packet capture and tell

88
00:07:32,590 --> 00:07:34,540
you how many TCP packets were captured,

89
00:07:34,540 --> 00:07:36,300
how many DNS requests were made,

90
00:07:36,410 --> 00:07:40,260
and a lot of other statistics as well, which can be very helpful
91
00:07:40,480 --> 00:07:45,690
when you are analyzing complex pcaps or when you are analyzing pcaps which are really huge in size, and

92
00:07:45,700 --> 00:07:51,700
that is where Wireshark Statistics play a very critical role in giving us a rough idea about what kind of packet

93
00:07:52,000 --> 00:07:56,460
mostly contributes in the particular pcap file.

94
00:07:56,470 --> 00:08:01,000
Here is another view that you'll get, and there are a few graphs as well here.

95
00:08:01,090 --> 00:08:07,630
Now, with packet captures, you can just go and launch Wireshark and you can start playing with all these features

96
00:08:07,630 --> 00:08:08,270
in Wireshark.

97
00:08:08,290 --> 00:08:09,790
So that's it for this video.

98
00:08:09,870 --> 00:08:10,740
See you later then.