1 00:00:02,410 --> 00:00:08,120 That's the end of the theoretical part of this module. Let's start the practical part.
2 00:00:08,140 --> 00:00:14,440 In this part we'll use Wireshark to detect issues with network communications, including above all those that indicate
3 00:00:14,440 --> 00:00:20,410 an attack is taking or has taken place, or errors in the configuration of network services.
4 00:00:21,780 --> 00:00:27,330 We'll first discuss the features of the program in detail. During the training
5 00:00:27,340 --> 00:00:33,670 we will use version 1.6.4. If you'd like to do similar exercises by yourself,
6 00:00:33,670 --> 00:00:35,580 please use this version or higher.
7 00:00:35,740 --> 00:00:38,590 Newer versions are backwards compatible.
8 00:00:38,760 --> 00:00:44,450 Since this is a network monitor, it should first and foremost capture information sent through a network.
9 00:00:47,090 --> 00:00:51,440 Wireshark is able to collect various types of data sent through various adapters connected to your
10 00:00:51,440 --> 00:00:52,270 computer.
11 00:00:53,570 --> 00:00:56,000 In our case it's a network card.
12 00:00:56,390 --> 00:01:00,540 As we've mentioned in the theoretical part, these can also be Wi-Fi adapters.
13 00:01:03,820 --> 00:01:04,610 In Wireshark
14 00:01:04,640 --> 00:01:08,860 you can configure a few options related to the adapter.
15 00:01:08,880 --> 00:01:11,730 Note that you can collect data from a remote computer.
16 00:01:13,170 --> 00:01:18,770 Wireshark allows the capture of data sent by another adapter on the computer you are connected to.
17 00:01:18,810 --> 00:01:24,630 This functionality works only in the Windows environment, although Wireshark is available on other platforms
18 00:01:24,630 --> 00:01:25,440 too.
19 00:01:25,860 --> 00:01:31,710 You can choose the type of network we're working with, e.g. Ethernet networks. You can choose to capture
20 00:01:31,710 --> 00:01:39,680 data in promiscuous mode, where Wireshark will put the network card into promiscuous mode.
21 00:01:39,830 --> 00:01:45,380 The wireless settings button is inactive because Wireshark hasn't detected any compatible adapter such
22 00:01:45,380 --> 00:01:48,550 as AirPcap.
23 00:01:48,580 --> 00:01:52,600 The data collected can be saved in one file or in a couple of files.
24 00:01:52,600 --> 00:01:58,320 You can specify the rules according to which the data will be divided. In the lower left corner
25 00:01:58,360 --> 00:02:02,890 you can see the settings that allow you to determine in which circumstances the data capture should
26 00:02:02,890 --> 00:02:04,400 stop.
27 00:02:04,420 --> 00:02:11,540 It is not necessary to sit in front of the screen watching Wireshark collect data. Capture filter is an
28 00:02:11,540 --> 00:02:15,490 option used to set the data capture filters.
29 00:02:15,630 --> 00:02:19,000 We have already mentioned that you ought to be careful with those filters.
30 00:02:20,010 --> 00:02:25,210 You can use them when you want to diagnose a specific situation or a particular problem,
31 00:02:25,440 --> 00:02:29,860 for example to collect only the data addressed to TCP port 80,
32 00:02:30,240 --> 00:02:35,940 the HTTP protocol data, or to examine the communications of a particular host.
33 00:02:38,610 --> 00:02:44,060 While collecting data in order to create a baseline or to make sure that everything is working normally,
34 00:02:44,160 --> 00:02:49,300 you should not use data capture filters.
35 00:02:49,310 --> 00:02:52,910 There are also a few display and name resolution options.
36 00:02:53,150 --> 00:02:59,530 As we've mentioned, you should turn these off in case the program cannot cope with the stream of data.
37 00:02:59,580 --> 00:03:05,890 The start button starts the monitoring process. As you can see in the picture above,
38 00:03:05,900 --> 00:03:10,550 we don't have to generate any additional traffic yet.
39 00:03:10,620 --> 00:03:16,430 Let's select a packet to get a look at the program interface. In the upper window we see information
40 00:03:16,430 --> 00:03:19,200 about the captured packets grouped in columns.
41 00:03:19,370 --> 00:03:25,510 The information available includes the sequence number: the number of the first packet captured is always
42 00:03:25,510 --> 00:03:35,790 0, and the next ones grow sequentially by 1. The next column shows the time elapsed since the beginning of the capture.
43 00:03:35,830 --> 00:03:38,460 Often we would like to see this in a different layout.
44 00:03:39,440 --> 00:03:45,250 Frequently we're interested in how much time has passed since the previous captured packet.
45 00:03:45,290 --> 00:03:48,020 Sometimes it makes it easier to find some abnormalities.
46 00:03:50,520 --> 00:03:51,350 In other columns
47 00:03:51,360 --> 00:03:58,800 we see the sender's IP address, the receiver's IP address, the protocol (as long as Wireshark has interpreted it
48 00:03:58,800 --> 00:04:05,270 correctly), the amount of data and diagnostic information.
49 00:04:05,280 --> 00:04:08,870 Let's see how this looks for an application layer protocol.
50 00:04:09,000 --> 00:04:13,920 For example, let's look at the HTTP protocol.
51 00:04:14,030 --> 00:04:22,890 After typing a valid display filter we will only see HTTP packets. From the lecture on the OSI model
52 00:04:23,340 --> 00:04:28,250 we know that the higher level protocols are packed into the protocol packets of the lower layers.
53 00:04:30,040 --> 00:04:34,720 We can see the Ethernet frame, and at the bottom we can see the whole set of captured data.
54 00:04:35,990 --> 00:04:39,830 The frame contains everything that we would find in the higher level protocols.
55 00:04:41,940 --> 00:04:48,000 When we choose the details of IP version 4, we can get to know the values of the IP version 4 header
56 00:04:48,000 --> 00:04:57,040 fields. For example, time to live is 64, which means that the packet was most likely sent by a server
57 00:04:57,040 --> 00:05:03,640 running under Windows, because these systems in the case of local networks assign 64 as the initial
58 00:05:03,640 --> 00:05:07,240 TTL value.
59 00:05:07,270 --> 00:05:10,980 We can also find out by whom and to whom the packet was sent.
60 00:05:15,500 --> 00:05:22,280 Examining one level higher, that is the TCP protocol, we see that this is a packet sent to port 80 from
61 00:05:22,280 --> 00:05:28,460 a dynamic port higher than port 1024. We can see the sequence numbers and the acknowledgment numbers,
62 00:05:29,390 --> 00:05:35,310 that is, the numbers that allow the TCP protocol to make sure no data has been lost during the session.
63 00:05:35,330 --> 00:05:39,880 There are also the TCP header options.
64 00:05:40,030 --> 00:05:46,420 These are the flags which, as we said, are sent in a strange way during the Xmas scan. The checksum
65 00:05:46,470 --> 00:05:52,520 closes the TCP header. When it comes to the HTTP protocol,
66 00:05:52,520 --> 00:05:59,380 Wireshark analyzes it just like any other header. From the values we get to know that it was a server's 200 OK
67 00:05:59,380 --> 00:06:07,860 response, a message confirming a successful client request. To try out more Wireshark functions related
68 00:06:07,860 --> 00:06:09,810 to the HTTP protocol,
69 00:06:09,870 --> 00:06:15,060 let's visit a website such as youtube.com from the perspective of a user.
70 00:06:15,060 --> 00:06:20,090 This site gives you an opportunity to view a variety of contents.
71 00:06:20,190 --> 00:06:22,700 Let's see how it looks from Wireshark's perspective.
72 00:06:23,490 --> 00:06:25,060 Let's clear the filter field.
73 00:06:26,830 --> 00:06:31,640 If the data is not cached yet, we'll be able to see the data downloaded by the client.
74 00:06:33,200 --> 00:06:37,360 Looking at a stream of packets, it's hard to say what we're actually seeing.
75 00:06:37,610 --> 00:06:40,580 So let's apply some additional features offered by Wireshark.
76 00:06:43,250 --> 00:06:50,550 In the File > Export menu you can select objects from the HTTP session.
77 00:06:50,550 --> 00:06:56,600 Now we can see that these were some pictures. Wireshark has a sync option so that everything that's displayed
78 00:06:56,600 --> 00:07:00,070 in an additional window is highlighted in the main one too.
79 00:07:00,510 --> 00:07:05,870 You can even save the pictures that have been captured, after the reassembly of the right packets.
80 00:07:05,950 --> 00:07:08,670 You can do the same with other multimedia files.
81 00:07:09,750 --> 00:07:15,360 If you have a program that plays Adobe Flash video files, you can watch offline what you've previously
82 00:07:15,360 --> 00:07:16,710 watched on the internet.
83 00:07:20,420 --> 00:07:25,270 While exploring other functionalities of Wireshark, we'll examine some problems.
84 00:07:25,610 --> 00:07:28,810 Let's start with a classic problem.
85 00:07:28,900 --> 00:07:34,220 We close the window we've been using and start the program with a capture file we've saved before.
86 00:07:35,260 --> 00:07:39,380 Because we're now dealing with the ARP protocol, a lower layer protocol,
87 00:07:39,460 --> 00:07:47,490 the analysis is much simpler. ARP converts IP addresses to MAC addresses and vice versa.
88 00:07:48,460 --> 00:07:54,640 There's little data in the ARP packets. The minimum and maximum size of the Ethernet frame is specified;
89 00:07:56,070 --> 00:08:02,340 if there's too little data to reach the minimum, the frame must be filled up. Programs sometimes fill
90 00:08:02,340 --> 00:08:06,440 up the frame with current buffer content. Evidently
91 00:08:06,440 --> 00:08:08,620 this is a network card driver problem.
92 00:08:10,380 --> 00:08:12,990 It fills up the frame with what's in the buffer at the moment,
93 00:08:13,810 --> 00:08:21,090 for example with what the user has last received or sent over the network. Analyzing the ARP traffic, you can find
94 00:08:21,090 --> 00:08:23,370 out what network users have been doing recently.
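As an added example (not part of this training or of Wireshark), the script below shows the ARP padding problem described in the last cues: it parses Ethernet/ARP frames, separates the 28-byte ARP body from the fill bytes added to reach the 60-byte minimum, and flags frames whose fill is not all zeros, the sign that a driver padded with stale buffer content. The MAC and IP addresses and the frame contents are constructed samples.

```python
import struct
from dataclasses import dataclass
ETHERTYPE_ARP = 0x0806
ETH_HDR_LEN = 14
ARP_IPV4_LEN = 28   # ARP over Ethernet carrying IPv4 addresses
ETH_MIN_FRAME = 60  # minimum Ethernet frame length without the 4-byte FCS

@dataclass
class ArpPadding:
    opcode: int        # 1 = request, 2 = reply
    sender_ip: str
    target_ip: str
    padding: bytes     # bytes after the 28-byte ARP body
    leaked: bool       # True when the padding is not all zeros

def analyze_arp_frame(frame: bytes) -> ArpPadding:
    """Parse an Ethernet/ARP frame and report whether its padding carries stale data."""
    if len(frame) < ETH_HDR_LEN + ARP_IPV4_LEN:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: ethertype 0x{ethertype:04x}")
    arp = frame[ETH_HDR_LEN:ETH_HDR_LEN + ARP_IPV4_LEN]
    htype, ptype, hlen, plen, oper, _sha, spa, _tha, tpa = struct.unpack("!HHBBH6s4s6s4s", arp)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    padding = frame[ETH_HDR_LEN + ARP_IPV4_LEN:]
    return ArpPadding(oper, ".".join(map(str, spa)), ".".join(map(str, tpa)), padding, any(padding))

def build_arp_request(sender_mac: bytes, sender_ip: str, target_ip: str, pad: bytes) -> bytes:
    """Constructed sample frame: ARP who-has request, filled up to 60 bytes with `pad` then zeros."""
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, sender_mac,
                      bytes(map(int, sender_ip.split("."))), b"\x00" * 6,
                      bytes(map(int, target_ip.split("."))))
    return (eth + arp + pad).ljust(ETH_MIN_FRAME, b"\x00")

# Constructed samples with hypothetical addresses: zero padding vs. stale transmit-buffer padding.
MAC = bytes.fromhex("001122334455")
CLEAN_FRAME = build_arp_request(MAC, "192.168.1.10", "192.168.1.1", b"")
LEAKY_FRAME = build_arp_request(MAC, "192.168.1.10", "192.168.1.1", b"GET /index.html HT")

def leaky_paddings(frames):
    """Return the padding of every ARP frame whose padding is not all zeros."""
    return [r.padding for r in map(analyze_arp_frame, frames) if r.leaked]

if __name__ == "__main__":
    for pad in leaky_paddings([CLEAN_FRAME, LEAKY_FRAME]):
        print("non-zero ARP padding:", pad)
```

In Wireshark the same fill bytes appear as the trailer after the ARP dissector's fields, so a capture where those trailers contain readable text points at the driver problem the lecture describes.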