1
00:00:00,720 --> 00:00:07,680
So in typical traffic capturing on a network interface, there are a lot of packets received from and

2
00:00:07,680 --> 00:00:11,950
delivered to all over the network and, well, the Internet as well.

3
00:00:12,660 --> 00:00:17,010
So let's see how we can take a picture of that network.

4
00:00:18,590 --> 00:00:25,700
Let's go to Kali and start Wireshark. You can start Wireshark from the applications menu or open

5
00:00:25,700 --> 00:00:28,870
a terminal window and type wireshark to start the app.

6
00:00:29,770 --> 00:00:34,400
Don't worry about the ampersand at the end of the command. Putting an ampersand at the end of a command

7
00:00:34,400 --> 00:00:36,700
tells the shell to run the process in the background.

8
00:00:37,100 --> 00:00:38,560
It's sort of multitasking.

9
00:00:39,470 --> 00:00:44,030
You can have many processes running, but only one in the foreground at any given point.

10
00:00:44,540 --> 00:00:50,210
The process in the foreground is the process that appears to have locked up the terminal. Whatever

11
00:00:51,530 --> 00:00:55,250
the first message is, it's because we are a superuser on Kali.

12
00:00:55,880 --> 00:00:56,600
No worries.

13
00:00:57,150 --> 00:01:02,720
OK, the welcome page of Wireshark asks which interface we would like to listen to first.

14
00:01:03,930 --> 00:01:06,000
So let's have a look at the interfaces of our system.

15
00:01:07,440 --> 00:01:14,100
To look at the interfaces and to remember the IP address of Kali, open a terminal and type ifconfig.

16
00:01:15,330 --> 00:01:20,790
There are two results of the ifconfig command: eth0 and lo.

17
00:01:21,840 --> 00:01:28,530
eth0 is the first Ethernet interface; additional Ethernet interfaces would be named eth1,

18
00:01:28,600 --> 00:01:32,250
etc. Here we have only one.

19
00:01:33,230 --> 00:01:35,840
Now, lo is the loopback interface.
20
00:01:36,200 --> 00:01:40,840
This is a special network interface that the system uses to communicate with itself.

21
00:01:41,840 --> 00:01:48,710
eth0 is the interface that we're interested in at the moment. Double click to open eth0 on the main

22
00:01:48,710 --> 00:01:53,760
page of Wireshark to start capturing the packets passing through our Ethernet interface.

23
00:01:54,290 --> 00:02:01,340
Now, to speed it up, let's create some network traffic. Open one of my virtual machines, OWASP BWA,

24
00:02:01,340 --> 00:02:02,420
and ping Kali.

25
00:02:05,800 --> 00:02:13,030
To stop ping, press Ctrl+C. ifconfig to learn the IP address of the machine.

26
00:02:14,340 --> 00:02:18,450
Now I go to another VM, Metasploitable, and ping the OWASP VM first.

27
00:02:27,080 --> 00:02:28,640
And then ping Kali.

28
00:02:37,390 --> 00:02:40,750
Here we have a lot of ICMP and ARP traffic at the moment.

29
00:02:45,370 --> 00:02:46,750
So let's generate some traffic.

30
00:02:47,020 --> 00:02:52,060
I open the browser in Kali and visit the website served by the OWASP machine.

31
00:03:02,490 --> 00:03:08,580
And for even more traffic, I visit nhs.uk, my favorite website.

32
00:03:09,880 --> 00:03:10,880
OK, that's enough.

33
00:03:11,080 --> 00:03:12,480
Let's turn back to Wireshark.

34
00:03:13,360 --> 00:03:20,500
As you see, we have a lot of packets captured and new packets arrive every second: ARP packets,

35
00:03:20,650 --> 00:03:25,590
TCP packets, TLS packets for HTTPS traffic, et cetera.

36
00:03:26,290 --> 00:03:28,820
Here we don't investigate the packets in detail.

37
00:03:29,380 --> 00:03:36,400
We want to learn about the systems which are interacting with us, so go to the Statistics menu and select

38
00:03:36,400 --> 00:03:37,360
Conversations.

39
00:03:37,940 --> 00:03:41,020
There are five tabs in the Conversations window by default.
40
00:03:41,960 --> 00:03:49,130
And we're on the IPv4 tab at the moment. Here, there are IP packets grouped by Address A and Address

41
00:03:49,130 --> 00:03:59,870
B. In each line we see how many packets were sent up to now, the total size of the packets in bytes, and the number and

42
00:03:59,870 --> 00:04:04,090
size of packets from A to B and from B to A, et cetera.

43
00:04:05,460 --> 00:04:09,240
There is traffic between 8.8.8.8 and my Kali.

44
00:04:10,210 --> 00:04:16,840
Now, I know that 8.8.8.8 is the IP address of Google DNS, so I must have set

45
00:04:16,840 --> 00:04:19,380
Google DNS as the DNS of my Kali.

46
00:04:19,540 --> 00:04:21,610
You know, I'd like to look at the network config.

47
00:04:27,090 --> 00:04:31,920
And yes, my DNS address is 8.8.8.8.

48
00:04:35,700 --> 00:04:39,270
In the Ethernet tab, we can see the MAC addresses of the systems.

49
00:04:40,250 --> 00:04:47,060
The address full of F's means that the packet is broadcast. ARP requests are the examples of

50
00:04:47,060 --> 00:04:48,080
this kind of packet.

51
00:04:49,020 --> 00:04:56,460
In the TCP tab, we can see TCP packets grouped by the addresses and this time by ports as well,

52
00:04:57,700 --> 00:05:03,880
because the system may have different interactions with any other system. For example, Kali may have

53
00:05:03,890 --> 00:05:11,170
HTTP traffic through port 80 and at the same time it may have an SSH connection through 22 as

54
00:05:11,170 --> 00:05:11,520
well.

55
00:05:13,140 --> 00:05:18,810
Same as TCP, packets are grouped by IPs and ports in the UDP tab.

56
00:05:20,390 --> 00:05:25,700
Here we have learned a lot of live systems, IP addresses and MAC addresses, just by listening to the

57
00:05:25,700 --> 00:05:27,650
traffic going through our network interface.
58
00:05:28,700 --> 00:05:34,910
If you'd like to investigate the traffic between the two machines, select the line and right click. If you

59
00:05:34,910 --> 00:05:41,260
choose Apply as Filter from the menu, only these kinds of packets will be seen in Wireshark.

60
00:05:42,560 --> 00:05:44,540
I'll choose Find at this time.

61
00:05:45,380 --> 00:05:48,470
As you see, an automatic query string is prepared.

62
00:05:49,160 --> 00:05:52,670
I can navigate between the packets by clicking the Find button.

63
00:05:56,650 --> 00:06:03,310
Go back to the Conversations window. At the bottom right, there is a Conversation Types button. When

64
00:06:03,310 --> 00:06:06,670
you click on it, a lot of different protocols are listed.

65
00:06:08,210 --> 00:06:15,500
These selected five are the default selected protocols. You can add any protocol from the list; when

66
00:06:15,500 --> 00:06:19,070
you select one of them, a new tab is added to the Conversations window.