1 00:00:01,621 --> 00:00:07,819 2 00:00:07,822 --> 00:00:10,203 Hi, good morning everyone. 3 00:00:10,204 --> 00:00:12,056 My name is Rob Shimonski 4 00:00:12,051 --> 00:00:16,343 and welcome to INE’s Wireshark Foundations. 5 00:00:16,342 --> 00:00:19,279 In this course, we're going to talk about 6 00:00:19,288 --> 00:00:22,696 Wireshark, networking and a whole bunch of things 7 00:00:22,698 --> 00:00:26,495 that will teach you more about protocol analysis, 8 00:00:26,495 --> 00:00:29,843 packet analysis, network analysis. 9 00:00:29,835 --> 00:00:34,730 And in this course, our plan is to get you from square one 10 00:00:34,731 --> 00:00:39,467 all the way through to understanding how to navigate the tool, 11 00:00:39,479 --> 00:00:41,144 how to capture traffic, 12 00:00:41,145 --> 00:00:46,142 how to analyze traffic and find problems on your network. 13 00:00:46,146 --> 00:00:50,826 My name is Rob Shimonski and I've been in the networking field for about 2 decades. 14 00:00:50,834 --> 00:00:53,614 I’ve been working as a consultant, 15 00:00:53,609 --> 00:00:58,110 full-time employee, trainer, book author. 16 00:00:58,100 --> 00:01:00,825 I’ve done quite a few things in the realm of 17 00:01:00,825 --> 00:01:02,440 networking technologies, 18 00:01:02,440 --> 00:01:05,081 systems administration, data center, 19 00:01:05,079 --> 00:01:07,180 and one of the things that I found is that 20 00:01:07,177 --> 00:01:08,806 no matter how many things I’ve learned 21 00:01:08,806 --> 00:01:09,814 there’s always more to learn. 22 00:01:09,814 --> 00:01:12,919 So welcome and thank you for joining 23 00:01:12,919 --> 00:01:15,081 because we’re going to get through a lot of material 24 00:01:15,082 --> 00:01:18,953 and our goal is that you get a lot out of this course. 25 00:01:18,970 --> 00:01:24,243 So without any further ado, let’s get started. 26 00:01:24,245 --> 00:01:29,444 Alright, module 1... 
27 00:01:29,443 --> 00:01:30,831 In this module, we’re going to talk about 28 00:01:30,831 --> 00:01:31,721 Network Layers 29 00:01:31,721 --> 00:01:33,578 and the OSI Model. 30 00:01:33,578 --> 00:01:37,406 Now, one may ask, why do I need to understand so much 31 00:01:37,407 --> 00:01:39,920 foundational information to use Wireshark? 32 00:01:39,921 --> 00:01:45,445 Well, with Wireshark, interestingly, 33 00:01:45,453 --> 00:01:49,734 without understanding the fundamentals of networking, 34 00:01:49,741 --> 00:01:52,046 it’s really just a tool or an application. 35 00:01:52,046 --> 00:01:54,660 It’s really what you understand about networking 36 00:01:54,646 --> 00:01:57,371 that’s really going to bring this to light. 37 00:01:57,367 --> 00:02:00,029 So what does that mean? 38 00:02:00,025 --> 00:02:02,603 Well, you’re going to need some fundamental network 39 00:02:02,601 --> 00:02:05,261 knowledge to be able to operate the tool, 40 00:02:05,262 --> 00:02:06,422 to use the tool. 41 00:02:06,427 --> 00:02:08,004 If you are just navigating the tool, 42 00:02:08,011 --> 00:02:10,201 you install, you capture some traffic, 43 00:02:10,201 --> 00:02:11,972 you open it up, all you are going to see is 44 00:02:11,972 --> 00:02:14,717 a ton of information that you may not really understand. 45 00:02:14,717 --> 00:02:17,365 So what we are going to do is we are going to work on, 46 00:02:17,365 --> 00:02:18,598 in the beginning, 47 00:02:18,598 --> 00:02:21,074 getting you some of the information that you need 48 00:02:21,066 --> 00:02:23,599 to be able to use the tool accurately. 49 00:02:23,596 --> 00:02:25,111 So when you use the tool, 50 00:02:25,102 --> 00:02:27,471 one of the things that you want to do is you want to be able 51 00:02:27,469 --> 00:02:29,578 to do some detective work. 
52 00:02:29,561 --> 00:02:33,284 Alright, so let’s say you’re trying to troubleshoot a network and 53 00:02:33,292 --> 00:02:37,710 you have a problem with a particular segment, maybe it’s slow. 54 00:02:37,706 --> 00:02:40,867 Well, when you set up Wireshark and you run 55 00:02:40,860 --> 00:02:43,598 a capture, all you’re going to see is a whole bunch of traffic. 56 00:02:43,600 --> 00:02:47,127 It’s really understanding what to do, how to filter that traffic, 57 00:02:47,122 --> 00:02:49,704 knowing that you captured particular data 58 00:02:49,712 --> 00:02:52,445 from one point to the other, that’s really gonna make a difference 59 00:02:52,436 --> 00:02:56,583 in using and understanding this tool. 60 00:02:56,596 --> 00:03:00,196 So later on in the course, we're gonna talk about how to install it, 61 00:03:00,197 --> 00:03:02,500 how to build filters, 62 00:03:02,491 --> 00:03:06,271 how to look through the data, find problems with voice, 63 00:03:06,279 --> 00:03:09,669 find problems with slow performing websites. 64 00:03:09,673 --> 00:03:11,921 But before we get there, what we need to do is we need to 65 00:03:11,915 --> 00:03:14,417 spend some time just understanding the basics. 66 00:03:14,408 --> 00:03:17,255 So, the first thing that's very important is 67 00:03:17,247 --> 00:03:19,885 understanding how the data traverses a network. 68 00:03:19,880 --> 00:03:23,263 So if you have a client and you have a server, 69 00:03:23,263 --> 00:03:26,536 that is a very simple network segment, maybe connected by a switch. 70 00:03:26,541 --> 00:03:29,649 So we can start there. 
71 00:03:29,640 --> 00:03:31,857 If you have a client that’s accessing a server, 72 00:03:31,861 --> 00:03:36,272 it’s trying to access some type of resource and it's performing slowly, 73 00:03:36,262 --> 00:03:40,819 the most important thing to understand about using Wireshark is to know 74 00:03:40,801 --> 00:03:44,842 that you want to capture the data from one point to another, 75 00:03:44,833 --> 00:03:49,516 so we're going to call that source to destination. 76 00:03:49,511 --> 00:03:53,669 When you use the capture, what you're going to look at 77 00:03:53,652 --> 00:03:56,838 from source to destination is how that data traverses 78 00:03:56,836 --> 00:03:59,802 from that source to destination, and 79 00:03:59,793 --> 00:04:03,487 you're going to have to understand at least the basics of the OSI model. 80 00:04:03,488 --> 00:04:08,079 When we talk about protocols, we talk about the TCP/IP protocol suite, 81 00:04:08,084 --> 00:04:10,857 we talk about sending data from one place to another 82 00:04:10,856 --> 00:04:13,151 and how it is encapsulating the data. 83 00:04:13,150 --> 00:04:17,042 The most fundamental thing to understand is the actual OSI model. 84 00:04:17,035 --> 00:04:21,045 And now this may seem very elementary for some, 85 00:04:21,045 --> 00:04:23,733 a lot of people do know the OSI model. 86 00:04:23,719 --> 00:04:26,179 They do understand it, maybe they did the Network+ 87 00:04:26,179 --> 00:04:31,387 or the CCNA or in their first foray into this field, 88 00:04:31,395 --> 00:04:35,315 but really understanding that the data travels from source to destination, 89 00:04:35,318 --> 00:04:40,077 when it does that it goes up and down the OSI model and at each layer 90 00:04:40,070 --> 00:04:44,777 it’s encapsulating the data and adding and appending stuff to the data. 91 00:04:44,787 --> 00:04:46,862 So why is that important with Wireshark? 
92 00:04:46,867 --> 00:04:49,595 Well, when you capture the data with Wireshark, 93 00:04:49,593 --> 00:04:52,486 you are going to see in the actual window, 94 00:04:52,485 --> 00:04:57,424 you’re going to see things where you’ll see protocols like ARP, 95 00:04:57,421 --> 00:05:00,693 you’ll see MAC addresses, you’ll see IP addresses. 96 00:05:00,695 --> 00:05:06,146 Well, understanding that a MAC address can be found in layer 2, the data link layer, 97 00:05:06,144 --> 00:05:08,647 understanding that the IP, IP address 98 00:05:08,639 --> 00:05:13,304 with the routing will be down at layer 3, the network layer. 99 00:05:13,302 --> 00:05:16,981 That’s the fundamental information you will need to understand 100 00:05:16,979 --> 00:05:25,620 to use the tool, understanding the basics of the OSI model. 101 00:05:25,632 --> 00:05:28,389 So, when you're learning Wireshark 102 00:05:28,385 --> 00:05:32,072 what’s good is that, your, the segment or 103 00:05:32,078 --> 00:05:34,790 the lab segment that you're going to work with, 104 00:05:34,785 --> 00:05:38,009 unless we start adding firewalls and load balancers 105 00:05:38,015 --> 00:05:42,563 and those types of things which we will explain in future modules. 106 00:05:42,562 --> 00:05:45,820 Basically the understanding of how data traffic, 107 00:05:45,805 --> 00:05:49,298 traverses the network from source to destination, 108 00:05:49,298 --> 00:05:51,850 going through layer 2 and layer 3 segments, 109 00:05:51,847 --> 00:05:57,096 is probably the most common scenario that you’re going to be troubleshooting. 110 00:05:57,097 --> 00:06:01,009 So another key element is actually how to capture traffic 111 00:06:01,009 --> 00:06:03,510 and again in a future module we will talk 112 00:06:03,520 --> 00:06:05,520 about how to actually span a port, 113 00:06:05,531 --> 00:06:09,453 how to get that data captured. 
But what’s important to understand now is 114 00:06:09,447 --> 00:06:12,782 if you just played around with Wireshark in the past, 115 00:06:12,806 --> 00:06:17,996 maybe downloaded it, installed it, that’s basically installed on an endpoint. 116 00:06:17,993 --> 00:06:22,742 Now, there’s different ways to do this. You can run a tap, you can hub out, 117 00:06:22,742 --> 00:06:26,929 you can do a bunch of different things but the 2 most common scenarios 118 00:06:26,913 --> 00:06:30,770 that you will see when you try to capture data with Wireshark will be 119 00:06:30,760 --> 00:06:34,950 you will either install on the endpoint, which will probably be the source 120 00:06:34,957 --> 00:06:39,055 PC or client and the destination server, 121 00:06:39,050 --> 00:06:42,651 and you will install it locally on the system. 122 00:06:42,664 --> 00:06:45,293 Another way you can do it is to do a port mirror 123 00:06:45,281 --> 00:06:48,201 which is actually coming through the network, 124 00:06:48,208 --> 00:06:50,109 spanning a port if you have a Cisco switch, 125 00:06:50,107 --> 00:06:54,925 you can run a port monitor and you can send the traffic from either of these, 126 00:06:54,928 --> 00:06:58,734 the source or the destination, to a second port, 127 00:06:58,732 --> 00:07:01,954 where you can capture the data on, let's say, a third machine. 128 00:07:01,959 --> 00:07:07,405 So why do you use Wireshark? 129 00:07:07,405 --> 00:07:12,140 Why are we going to set all this stuff up and go through all this work? 130 00:07:12,140 --> 00:07:17,172 So what Wireshark does essentially is help you solve problems. 131 00:07:17,156 --> 00:07:21,886 Now, one of the misconceptions is that by installing Wireshark 132 00:07:21,882 --> 00:07:25,378 and looking at it, it's going to tell you exactly what your problem is. 133 00:07:25,389 --> 00:07:28,888 Now in some cases it might. 
You might open up 134 00:07:28,887 --> 00:07:31,786 the Expert and it might give you a close enough clue 135 00:07:31,786 --> 00:07:34,214 or you may see something very obvious in the capture. 136 00:07:34,207 --> 00:07:36,860 But what’s really important to understand is that 137 00:07:36,863 --> 00:07:39,542 you have to do some detective work and you 138 00:07:39,542 --> 00:07:41,516 have to know a few things about networking, 139 00:07:41,516 --> 00:07:44,812 systems administration, and here’s a good example. 140 00:07:44,801 --> 00:07:48,676 Let’s say, you have a problem with a slow performing network 141 00:07:48,680 --> 00:07:51,488 or what was called a slow performing network. 142 00:07:51,481 --> 00:07:55,215 Now most of you, if you’re in the field, you probably feel this pain, 143 00:07:55,214 --> 00:07:57,469 everything comes up as a networking problem. 144 00:07:57,471 --> 00:08:02,122 So the server could be very slow and the tickets get opened 145 00:08:02,122 --> 00:08:04,640 and the escalations start and they’re saying, 146 00:08:04,644 --> 00:08:06,904 "Why is the network slow?" 147 00:08:06,897 --> 00:08:10,569 End users do this predominantly and it’s interesting how 148 00:08:10,562 --> 00:08:12,838 through the years they’ve learned enough to say, 149 00:08:12,834 --> 00:08:18,419 “Hey you know what, my application’s not working correctly, the network's slow.” 150 00:08:18,411 --> 00:08:23,337 So a lot of what we do is to rule out and to isolate what the exact problem is 151 00:08:23,320 --> 00:08:26,204 and Wireshark is a great tool for helping you do that. 
152 00:08:26,207 --> 00:08:30,622 So, yes, you are going to do some other things, you can run a ping, 153 00:08:30,624 --> 00:08:35,154 you can run a traceroute, you can look in your router logs, 154 00:08:35,154 --> 00:08:38,929 you can look in your switch logs, you can look at the server, 155 00:08:38,938 --> 00:08:41,810 let’s see, it’s a Microsoft server, you can look at Event Viewer, 156 00:08:41,818 --> 00:08:45,843 you can look at Performance Monitor, start looking at the I/O on the box. 157 00:08:45,831 --> 00:08:51,068 There’s a lot of things that you can do and it’s recommended that you do that. 158 00:08:51,062 --> 00:08:55,538 So using Wireshark is a part of what you’re going to do to troubleshoot problems 159 00:08:55,546 --> 00:09:00,003 and Wireshark is predominantly going to be used to capture the traffic, 160 00:09:00,001 --> 00:09:04,175 to look at the packets and note exactly what’s going on 161 00:09:04,175 --> 00:09:08,601 because you will find a lot from those data packets. 162 00:09:08,599 --> 00:09:12,246 You’re going to use Wireshark to review the traffic on the network. 163 00:09:12,239 --> 00:09:16,029 You can look at the protocols that are in use and the traffic flow. 164 00:09:16,021 --> 00:09:18,720 So, as an example again, one of the things 165 00:09:18,735 --> 00:09:20,459 that you might find is you might find that 166 00:09:20,459 --> 00:09:22,316 someone's saying the network's slow, 167 00:09:22,319 --> 00:09:23,484 and it could be something else. 168 00:09:23,479 --> 00:09:27,816 It could be that you're trying, your client's trying to access a website 169 00:09:27,812 --> 00:09:30,106 and let's say, there's a problem on the web server, 170 00:09:30,109 --> 00:09:32,658 but what you might also find from the 171 00:09:32,658 --> 00:09:35,077 traffic capture is you might find 172 00:09:35,074 --> 00:09:37,516 that there is a lot of extra traffic on your network. 
173 00:09:37,513 --> 00:09:40,557 So, you may find a lot of multicast traffic 174 00:09:40,675 --> 00:09:42,675 you weren't aware of, you might find some 175 00:09:42,792 --> 00:09:45,946 printers doing some multicast. 176 00:09:45,932 --> 00:09:48,746 You might find quite a few things that 177 00:09:48,763 --> 00:09:51,435 you would then be able to note on your report 178 00:09:51,439 --> 00:09:53,850 after you capture and say, "Listen, 179 00:09:53,850 --> 00:09:56,568 we found a problem with x, y and z, but 180 00:09:56,568 --> 00:09:58,928 we'd also like to recommend that, 181 00:09:58,928 --> 00:10:00,928 you know, maybe we'll look at these other areas 182 00:10:00,928 --> 00:10:03,779 and try to solve some of these issues as well." 183 00:10:03,779 --> 00:10:07,520 So as we were talking about before, 184 00:10:07,530 --> 00:10:11,134 one of the key things with troubleshooting 185 00:10:11,124 --> 00:10:13,573 with Wireshark is to understand 186 00:10:13,573 --> 00:10:14,924 what you're going to be doing with it. 187 00:10:14,924 --> 00:10:17,352 So in the graphic that I have up, 188 00:10:17,348 --> 00:10:19,480 there's a simple network design. 189 00:10:19,487 --> 00:10:23,781 It’s a very simple network segment where you have 190 00:10:23,787 --> 00:10:27,111 a client accessing a server through a switch. 191 00:10:27,111 --> 00:10:30,587 It could go to a routed segment. 192 00:10:30,578 --> 00:10:33,923 The switch may be a layer 3 switch, 193 00:10:33,914 --> 00:10:36,770 but one of the key things I wanted to point out here 194 00:10:36,770 --> 00:10:38,540 from what we talked about before is 195 00:10:38,545 --> 00:10:41,902 installing Wireshark either on the endpoints, where 196 00:10:41,891 --> 00:10:44,809 you would install Wireshark on both 197 00:10:44,804 --> 00:10:48,302 of these computers, the client as well as the server. 
198 00:10:48,292 --> 00:10:51,893 And/or, you could install Wireshark 199 00:10:51,894 --> 00:10:54,312 just on, let's say, the laptop that you see, 200 00:10:54,310 --> 00:10:56,642 span a port from the switch and 201 00:10:56,642 --> 00:11:01,350 send all the traffic to that Wireshark so that you can analyze it. 202 00:11:01,350 --> 00:11:04,009 One of the key things that you want to remember is 203 00:11:04,009 --> 00:11:05,717 when you're troubleshooting, you may not 204 00:11:05,711 --> 00:11:08,787 be able to install Wireshark on the target machines. 205 00:11:08,787 --> 00:11:12,781 And that's because maybe they're not capable 206 00:11:12,786 --> 00:11:16,587 of taking Wireshark. They don't have enough 207 00:11:16,590 --> 00:11:19,099 system resources, as an example, 208 00:11:19,099 --> 00:11:20,791 and/or, they're doing work. 209 00:11:20,791 --> 00:11:22,465 Maybe there’s a policy that says, 210 00:11:22,477 --> 00:11:24,544 we cannot install this on the server. 211 00:11:24,527 --> 00:11:29,320 So just be aware that before you do install Wireshark, 212 00:11:29,307 --> 00:11:32,216 you need to be aware of some system requirements. 213 00:11:32,207 --> 00:11:35,422 We will get to that when we discuss how to install Wireshark, 214 00:11:35,426 --> 00:11:39,914 but just remember for starting off here in this module, 215 00:11:39,904 --> 00:11:42,270 where we're just going to talk about the basics of, 216 00:11:42,274 --> 00:11:45,356 you know, you have a simple network segment, 217 00:11:45,341 --> 00:11:47,504 you want to install Wireshark on the client 218 00:11:47,491 --> 00:11:52,662 and then the destination server to troubleshoot the traffic, 219 00:11:52,664 --> 00:11:56,818 and/or you can install it on one machine 220 00:11:56,804 --> 00:12:00,716 and send the data through a span port to a target. 
221 00:12:00,703 --> 00:12:09,398 Alright so, just to close out the topic on the OSI model, 222 00:12:09,402 --> 00:12:12,261 again, it’s important to understand that 223 00:12:12,261 --> 00:12:13,951 when data traverses a network, 224 00:12:13,943 --> 00:12:17,963 and it goes from the source client to the destination server, 225 00:12:17,976 --> 00:12:19,958 there’s a lot of things happening here. 226 00:12:19,949 --> 00:12:22,507 So Layer 1 is generally where you’re not 227 00:12:22,503 --> 00:12:25,483 going to be looking so much in Wireshark. 228 00:12:25,491 --> 00:12:27,988 That’s where the electrical signals flow 229 00:12:27,985 --> 00:12:30,698 through the wire, the cable, the copper, 230 00:12:30,707 --> 00:12:35,270 the fiber and/or the wireless signal. 231 00:12:35,266 --> 00:12:39,247 And then more so, you'll see layer 2 through 7 where 232 00:12:39,259 --> 00:12:41,854 the data is being encapsulated, 233 00:12:41,859 --> 00:12:45,077 or being stripped, decapsulated, and 234 00:12:45,079 --> 00:12:47,849 what you’re going to see from that capture, 235 00:12:47,858 --> 00:12:50,889 when you capture with Wireshark, is that 236 00:12:50,893 --> 00:12:52,898 addresses may or may not change. 237 00:12:52,894 --> 00:12:54,383 So you have to be aware of that. 238 00:12:54,388 --> 00:12:57,014 For example, when it goes through a switch 239 00:12:56,998 --> 00:12:58,468 it’s likely that the addressing 240 00:12:58,458 --> 00:12:59,908 is not going to change, but then as 241 00:12:59,899 --> 00:13:02,116 it's being sent from router to router, 242 00:13:02,116 --> 00:13:03,836 it's going to change things, right? 243 00:13:03,836 --> 00:13:05,449 So, you’re going to have to be aware 244 00:13:05,449 --> 00:13:07,086 of your network topology. 
245 00:13:07,086 --> 00:13:08,721 You’re going to have to be aware of 246 00:13:08,732 --> 00:13:13,497 when it traverses a firewall, for example, if it's doing NATing, 247 00:13:13,505 --> 00:13:15,353 then you’re going to have to be aware of that 248 00:13:15,362 --> 00:13:18,472 because if you just installed Wireshark on the server, 249 00:13:18,474 --> 00:13:20,873 you may see a different set of addresses 250 00:13:20,873 --> 00:13:22,506 coming to it in your capture, 251 00:13:22,506 --> 00:13:24,305 and you may not understand what that is. 252 00:13:24,305 --> 00:13:27,474 So understanding as much about the network 253 00:13:27,465 --> 00:13:30,044 and the OSI model and how the data traverses 254 00:13:30,039 --> 00:13:34,346 the network is going to be key to using this. 255 00:13:34,352 --> 00:13:37,462 As well, when you capture data in Wireshark, 256 00:13:37,474 --> 00:13:40,427 you're going to see things that 257 00:13:40,415 --> 00:13:42,681 reference ports, a lot of you, 258 00:13:42,681 --> 00:13:44,620 I'm sure, are aware of what a port is. 259 00:13:44,620 --> 00:13:46,828 Essentially, in Wireshark 260 00:13:46,831 --> 00:13:48,739 there is a services file 261 00:13:48,749 --> 00:13:51,346 that has the most commonly known ports. 262 00:13:51,345 --> 00:13:56,410 We all know IANA.org, the assigned port numbers, 263 00:13:56,420 --> 00:13:58,789 so you can actually modify this file 264 00:13:58,788 --> 00:14:02,139 for some not well known ports to customize it. 265 00:14:02,163 --> 00:14:04,163 We’ll get into that in future modules. 
266 00:14:04,158 --> 00:14:05,554 But just be aware 267 00:14:05,554 --> 00:14:07,403 that a lot of things that you're going to see 268 00:14:07,391 --> 00:14:09,719 in Wireshark when you capture your data 269 00:14:09,722 --> 00:14:12,828 will be in that capture window in the packet list pane 270 00:14:12,834 --> 00:14:15,889 and you're going to see things such as 271 00:14:15,882 --> 00:14:19,684 the ports, the IP addresses and MAC connections, 272 00:14:19,704 --> 00:14:21,883 MAC addresses, the connections 273 00:14:21,902 --> 00:14:23,702 from source to destination 274 00:14:23,704 --> 00:14:28,757 as well as the data encapsulating and decapsulating. 275 00:14:28,751 --> 00:14:33,617 So when you look at the actual connectivity 276 00:14:33,615 --> 00:14:36,153 when you're installing Wireshark, 277 00:14:36,153 --> 00:14:41,004 Wireshark is going to use something called WinPcap 278 00:14:41,006 --> 00:14:44,200 and that's going to go in, work with your NIC card 279 00:14:44,205 --> 00:14:47,555 to supply the driver with the ability 280 00:14:47,537 --> 00:14:49,578 to interface with the API 281 00:14:49,582 --> 00:14:51,176 through Windows if you use it or with 282 00:14:51,172 --> 00:14:53,216 libpcap if you are using Unix, 283 00:14:53,200 --> 00:14:55,861 and that’s going to allow your NIC card 284 00:14:55,861 --> 00:14:57,609 to be set in promiscuous mode 285 00:14:57,609 --> 00:15:00,790 which will allow for the data, all the data, 286 00:15:00,782 --> 00:15:03,841 to be captured and collected by Wireshark. 287 00:15:03,840 --> 00:15:05,260 Otherwise, it’s only going to collect 288 00:15:05,248 --> 00:15:08,350 what's destined for the machine. 289 00:15:08,351 --> 00:15:10,021 You’re going to have to be aware of ports, 290 00:15:10,021 --> 00:15:12,781 for example, when we’re talking about port mirroring. 
291 00:15:12,792 --> 00:15:16,566 You’re going to have to be able to span or 292 00:15:16,553 --> 00:15:20,074 mirror a port, put the port in monitor, 293 00:15:20,081 --> 00:15:22,541 and you’re going to do that in a Cisco switch, 294 00:15:22,548 --> 00:15:24,186 you can do that in a Nortel switch, 295 00:15:24,170 --> 00:15:26,882 you can do that pretty much in most switches, 296 00:15:26,866 --> 00:15:28,918 but just be aware that you might have to configure 297 00:15:28,918 --> 00:15:31,987 a port to do that, that type of connectivity. 298 00:15:31,986 --> 00:15:35,360 And then other network interfaces are 299 00:15:35,356 --> 00:15:38,623 probes where, for example, if you're not tapping, 300 00:15:38,612 --> 00:15:41,173 if you're not configuring a port, 301 00:15:41,173 --> 00:15:43,206 if you’re not installing on an endpoint 302 00:15:43,184 --> 00:15:46,193 and configuring the NIC to work in promiscuous mode, 303 00:15:46,191 --> 00:15:50,341 with higher end tools, enterprise tools such as 304 00:15:50,335 --> 00:15:56,012 Riverbed Cascade, ARX, NetScout, and Genius, 305 00:15:56,017 --> 00:15:59,235 you can use probes that will view 306 00:15:59,235 --> 00:16:01,134 the traffic as it's traversing the network. 307 00:16:01,134 --> 00:16:03,061 It’s going to look at the network 308 00:16:03,041 --> 00:16:05,306 passing and will be able to collect and 309 00:16:05,320 --> 00:16:08,682 allow you to view it in an enterprise tool such as those. 310 00:16:08,680 --> 00:16:13,853 Other hardware to be aware of, obviously 311 00:16:13,852 --> 00:16:16,176 we already talked about switches and routers, 312 00:16:16,168 --> 00:16:18,548 we mentioned firewalls briefly, 313 00:16:18,543 --> 00:16:22,053 IPS units, load balancers. 
314 00:16:22,052 --> 00:16:24,624 Just be aware that when you're 315 00:16:24,623 --> 00:16:27,562 troubleshooting and you’re capturing data with Wireshark 316 00:16:27,574 --> 00:16:29,999 and you’re only capturing from source to destination, 317 00:16:29,992 --> 00:16:33,963 it’s important to remember that these devices that 318 00:16:33,968 --> 00:16:37,948 it traverses, it’s going to change the network 319 00:16:37,956 --> 00:16:40,431 data that you see as you capture it. 320 00:16:40,451 --> 00:16:42,878 And you need to be aware of these devices 321 00:16:42,876 --> 00:16:45,796 and have a fundamental knowledge of 322 00:16:45,803 --> 00:16:48,948 how they operate because, for example, 323 00:16:48,961 --> 00:16:51,421 with the, with firewalls as we already mentioned, 324 00:16:51,430 --> 00:16:55,511 if it’s blocking traffic - a very good example 325 00:16:55,495 --> 00:16:58,379 of not being able to troubleshoot an issue is 326 00:16:58,386 --> 00:17:00,726 when you go and you configure Wireshark, 327 00:17:00,726 --> 00:17:03,712 let's say, on a server in a DMZ 328 00:17:03,695 --> 00:17:07,612 and you set up Wireshark on a client 329 00:17:07,617 --> 00:17:10,400 not in a DMZ and you're trying to figure out 330 00:17:10,402 --> 00:17:12,227 why data is not traversing, 331 00:17:12,231 --> 00:17:15,095 it’s likely that an ACL is dropping that traffic 332 00:17:15,095 --> 00:17:16,630 and it’s quite possible that 333 00:17:16,630 --> 00:17:19,625 by looking at both captures, you’ll be able 334 00:17:19,633 --> 00:17:21,945 to find and see that the data is not 335 00:17:21,945 --> 00:17:23,829 going from source to destination. 336 00:17:23,829 --> 00:17:26,612 So you just need to be aware of 337 00:17:26,609 --> 00:17:32,345 the network hardware that is on your enterprise network. 
338 00:17:32,339 --> 00:17:36,496 So one of the things that Wireshark also does 339 00:17:36,494 --> 00:17:39,205 is allow you to not only look at protocols 340 00:17:39,205 --> 00:17:40,847 and look in the packets. 341 00:17:40,847 --> 00:17:44,587 You've heard it called a protocol analyzer, 342 00:17:44,574 --> 00:17:46,490 network analyzer, 343 00:17:46,474 --> 00:17:49,956 a packet analyzer, a traffic analyzer. 344 00:17:49,978 --> 00:17:53,326 That's because it pretty much does all of those things 345 00:17:53,345 --> 00:17:55,986 and when you're doing each one of those things 346 00:17:56,005 --> 00:17:58,876 you can reference Wireshark or a tool 347 00:17:58,870 --> 00:18:01,278 such as that in that sense. 348 00:18:01,281 --> 00:18:04,570 You could say, "You know I'm looking at traffic, 349 00:18:04,560 --> 00:18:07,874 I'm using it as a traffic analyzer." 350 00:18:07,887 --> 00:18:09,199 And some of the things that you could do 351 00:18:09,199 --> 00:18:10,887 when you capture the traffic 352 00:18:10,887 --> 00:18:13,456 is reveal some of the issues such as, 353 00:18:13,456 --> 00:18:16,207 you may have bandwidth issues, 354 00:18:16,207 --> 00:18:18,207 you may have corrupted data, 355 00:18:18,207 --> 00:18:20,724 you may be taking an incorrect path, 356 00:18:20,724 --> 00:18:22,724 path may be having an asymmetric routing 357 00:18:22,724 --> 00:18:25,634 problem, data may be latent. 358 00:18:25,650 --> 00:18:27,863 There's many reasons and just 359 00:18:27,877 --> 00:18:30,809 some of the background information of 360 00:18:30,821 --> 00:18:34,307 Wireshark being used to help solve those issues 361 00:18:34,307 --> 00:18:37,968 is you may see a lot of TCP traffic, 362 00:18:37,971 --> 00:18:41,861 a lot of handshaking where 363 00:18:41,861 --> 00:18:43,429 there's a lot of reset packets. 364 00:18:43,429 --> 00:18:45,055 Why, why would that be happening? 
365 00:18:45,055 --> 00:18:46,815 You may see things where 366 00:18:46,815 --> 00:18:48,518 there's a lot of retransmitted packets. 367 00:18:48,518 --> 00:18:51,315 So now if you understand TCP/IP, 368 00:18:51,318 --> 00:18:53,399 which we'll get to in a future module 369 00:18:53,397 --> 00:18:55,569 to discuss a little deeper, 370 00:18:55,566 --> 00:18:58,408 you may see that the data is retransmitting, which 371 00:18:58,408 --> 00:18:59,588 is just fine because that's 372 00:18:59,588 --> 00:19:01,297 essentially what it's supposed to do, but 373 00:19:01,297 --> 00:19:04,142 very often why is it doing that - 374 00:19:04,142 --> 00:19:06,468 you may have a problem on your network 375 00:19:06,468 --> 00:19:09,474 where it's getting choked and that it may have 376 00:19:09,474 --> 00:19:11,582 to continuously resend the data. 377 00:19:11,573 --> 00:19:15,784 All these things you can find with Wireshark 378 00:19:15,784 --> 00:19:16,865 when you capture the data. 379 00:19:16,865 --> 00:19:22,847 And again just remember source to destination, 380 00:19:22,847 --> 00:19:25,467 data is commonly captured and analyzed 381 00:19:25,475 --> 00:19:27,755 from a source to a destination. 382 00:19:27,755 --> 00:19:29,607 That does not mean, again, and 383 00:19:29,607 --> 00:19:31,254 this is very important to understand, that 384 00:19:31,254 --> 00:19:33,154 you're just looking at that data. 385 00:19:33,154 --> 00:19:34,722 You may want to log into the router, 386 00:19:34,730 --> 00:19:36,058 you may want to see, 387 00:19:36,058 --> 00:19:37,824 you know, what the process is. 388 00:19:37,824 --> 00:19:38,693 Or you may want to see 389 00:19:38,691 --> 00:19:41,204 if the buffers are getting jammed up. 390 00:19:41,208 --> 00:19:42,572 You may want to look at a lot of 391 00:19:42,572 --> 00:19:44,221 different things because 392 00:19:44,221 --> 00:19:46,221 it's all one big picture. 
393 00:19:46,221 --> 00:19:48,296 If you were just looking, let's say, at a 394 00:19:48,295 --> 00:19:50,769 very simple segment, then 395 00:19:50,769 --> 00:19:53,327 the amount of detective and analysis work 396 00:19:53,318 --> 00:19:55,128 that you have to do may be limited. 397 00:19:55,128 --> 00:19:57,128 But when you're troubleshooting 398 00:19:57,128 --> 00:19:59,361 on an enterprise level network, 399 00:19:59,353 --> 00:20:00,664 if you're trying to figure out 400 00:20:00,664 --> 00:20:02,730 something in a CCIE lab, 401 00:20:02,721 --> 00:20:04,516 you're trying to figure out something, 402 00:20:04,524 --> 00:20:07,894 why a production system is completely failing 403 00:20:07,894 --> 00:20:11,540 in a DMZ, there's a lot of things that 404 00:20:11,540 --> 00:20:12,583 you're going to need to look at 405 00:20:12,583 --> 00:20:14,829 and it's not just limited to Wireshark. 406 00:20:14,820 --> 00:20:16,742 Wireshark is just a tool 407 00:20:16,742 --> 00:20:17,800 that will allow you 408 00:20:17,800 --> 00:20:21,694 to perform a deep set of troubleshooting 409 00:20:21,694 --> 00:20:23,762 analytics to allow you to 410 00:20:23,762 --> 00:20:25,124 peer into the data 411 00:20:25,124 --> 00:20:27,789 and get more information. 412 00:20:27,783 --> 00:20:29,802 A great example would be 413 00:20:29,802 --> 00:20:31,365 in an MPLS network 414 00:20:31,365 --> 00:20:32,787 you may want to find out 415 00:20:32,787 --> 00:20:36,524 what data is traversing. 416 00:20:36,524 --> 00:20:38,723 You may need to take a look at the labels 417 00:20:38,723 --> 00:20:41,347 that will be very apparent to you 418 00:20:41,347 --> 00:20:42,988 when you capture the data. 419 00:20:42,988 --> 00:20:45,063 Look at it in Wireshark, you sort it 420 00:20:45,062 --> 00:20:46,922 and you can figure it out by filtering 421 00:20:46,922 --> 00:20:48,547 through it and seeing exactly 422 00:20:48,532 --> 00:20:50,922 where things are going and why. 
423 00:20:50,922 --> 00:20:52,922 And if it's not going there, 424 00:20:52,922 --> 00:20:54,789 perhaps you may need to look at 425 00:20:54,789 --> 00:20:57,654 a routing problem in the network. 426 00:20:57,654 --> 00:21:00,053 You may need to see if something is 427 00:21:00,053 --> 00:21:03,149 getting dropped somewhere. 428 00:21:03,149 --> 00:21:05,709 So those are good examples of why 429 00:21:05,709 --> 00:21:07,475 you would really need to focus 430 00:21:07,475 --> 00:21:10,353 with Wireshark on source to destination, 431 00:21:10,375 --> 00:21:13,080 multiple sources to multiple destinations, 432 00:21:13,249 --> 00:21:15,249 but remember the foundation of 433 00:21:15,418 --> 00:21:16,588 where you're starting from, 434 00:21:16,588 --> 00:21:18,104 and where you're going to, 435 00:21:18,104 --> 00:21:20,104 where you're going to put Wireshark, 436 00:21:20,104 --> 00:21:22,104 how you're going to capture the data... 437 00:21:22,104 --> 00:21:23,554 You want to recreate the problem, right? 438 00:21:23,554 --> 00:21:25,554 You don't want to just install Wireshark 439 00:21:25,554 --> 00:21:28,056 and, and you know, just run it. 440 00:21:28,056 --> 00:21:30,180 You want to run Wireshark 441 00:21:30,180 --> 00:21:32,056 and try to recreate the problem. 442 00:21:32,056 --> 00:21:34,056 Maybe have a baseline of how it operates 443 00:21:34,056 --> 00:21:35,847 normally, to compare against. 444 00:21:35,847 --> 00:21:38,006 So these are some of the key elements. 445 00:21:38,006 --> 00:21:43,599 And again, with data encapsulation, 446 00:21:43,599 --> 00:21:46,573 what you're going to be looking at in Wireshark is 447 00:21:46,590 --> 00:21:48,664 you're going to see the data encapsulated. 448 00:21:48,664 --> 00:21:50,697 So for example, if you're just looking 449 00:21:50,697 --> 00:21:51,893 at a layer 2 problem, 450 00:21:51,885 --> 00:21:54,590 you'll see it encapsulated in Ethernet. 451 00:21:54,590 --> 00:21:58,529 Right?
So, generally, as our profession 452 00:21:58,529 --> 00:22:00,171 moves into the future 453 00:22:00,171 --> 00:22:01,345 you're not going to be looking at 454 00:22:01,345 --> 00:22:03,971 things with token ring really much anymore, 455 00:22:03,971 --> 00:22:05,638 even though you can use tools 456 00:22:05,638 --> 00:22:09,115 to sniff out and find problems with it, 457 00:22:09,102 --> 00:22:10,788 but you're mostly going to be, you know, 458 00:22:10,788 --> 00:22:12,709 concerned about Ethernet, 459 00:22:12,827 --> 00:22:14,827 TCP/IP and that kind of stuff. 460 00:22:14,944 --> 00:22:18,149 But from an encapsulation point of view, 461 00:22:18,149 --> 00:22:20,382 when you're capturing data in Wireshark 462 00:22:20,381 --> 00:22:23,250 you're going to be able to see, particularly, 463 00:22:23,250 --> 00:22:24,584 the header information, 464 00:22:24,584 --> 00:22:25,519 and you're going to be able to see, 465 00:22:25,519 --> 00:22:26,532 when you capture it, 466 00:22:26,532 --> 00:22:28,181 what's under the hood. 467 00:22:28,181 --> 00:22:29,696 You're going to see details to be able 468 00:22:29,696 --> 00:22:30,932 to solve these problems. 469 00:22:30,932 --> 00:22:33,489 And when you look at the actual data, 470 00:22:33,489 --> 00:22:36,911 and this is in the details of a packet, 471 00:22:36,911 --> 00:22:37,816 you'll be able to see 472 00:22:37,813 --> 00:22:39,945 the encapsulation type, Ethernet. 473 00:22:39,968 --> 00:22:42,016 OK, well, that's really good, 474 00:22:42,016 --> 00:22:43,140 because that's very simple 475 00:22:43,140 --> 00:22:43,953 and it's the first type 476 00:22:43,953 --> 00:22:45,695 of thing that we would look at, 477 00:22:45,695 --> 00:22:46,714 but more importantly, 478 00:22:46,714 --> 00:22:48,634 we would be able to see things like 479 00:22:48,634 --> 00:22:51,398 what's the frame length, what, 480 00:22:51,398 --> 00:22:54,608 is it having issues, something with FCS.
481 00:22:54,606 --> 00:22:55,918 You'll be able to see these things 482 00:22:55,919 --> 00:22:58,474 as you're digging through your capture 483 00:22:58,468 --> 00:23:00,468 and looking through the network. 484 00:23:00,468 --> 00:23:06,766 Alright, so as we wrap up this first module, 485 00:23:06,784 --> 00:23:10,134 some of the things that we want to cover are: 486 00:23:10,134 --> 00:23:11,498 when you capture data, 487 00:23:11,498 --> 00:23:13,215 you want to inspect it for issues, 488 00:23:13,215 --> 00:23:14,615 you're going to be doing 489 00:23:14,615 --> 00:23:16,353 some deep protocol analysis, 490 00:23:16,353 --> 00:23:18,365 you're going to be looking, opening it up 491 00:23:18,365 --> 00:23:20,050 after you capture the data, 492 00:23:20,050 --> 00:23:22,050 and you're going to inspect it. 493 00:23:22,050 --> 00:23:23,781 We're going to do things such as 494 00:23:23,781 --> 00:23:27,375 pre-capture filters, display filters; 495 00:23:27,375 --> 00:23:28,999 we'll be able to write expressions, 496 00:23:28,999 --> 00:23:30,863 and then we'll be able to really drill down 497 00:23:30,863 --> 00:23:32,713 into the data that we want to see. 498 00:23:32,713 --> 00:23:34,713 But just remember, at a very high level, 499 00:23:34,708 --> 00:23:36,475 we're not going to be able to do 500 00:23:36,465 --> 00:23:38,816 this stuff without Wireshark. 501 00:23:38,819 --> 00:23:41,607 There's a tool you can use, for example, 502 00:23:41,607 --> 00:23:43,187 on an ASA, you can, 503 00:23:43,174 --> 00:23:46,145 you can run a cap and you see data. 504 00:23:46,146 --> 00:23:48,353 There's other things like Fluke, which 505 00:23:48,350 --> 00:23:51,676 has some tools that you can capture data with.
506 00:23:51,677 --> 00:23:53,677 But just remember, with Wireshark 507 00:23:53,677 --> 00:23:54,931 in particular, 508 00:23:54,940 --> 00:23:57,546 it's going to open up the captured data 509 00:23:57,546 --> 00:23:59,527 and allow you to see very deeply within it, 510 00:23:59,527 --> 00:24:03,199 filter on it in a GUI and at the command line. 511 00:24:03,199 --> 00:24:06,594 It will also help you do 512 00:24:06,582 --> 00:24:08,537 traffic analysis, network analysis, 513 00:24:08,530 --> 00:24:10,258 so that you could find key problems 514 00:24:10,258 --> 00:24:11,332 with your network. 515 00:24:11,332 --> 00:24:14,766 Remember, you're not just going to use Wireshark; 516 00:24:14,766 --> 00:24:17,803 your fundamental tools will still apply. 517 00:24:17,803 --> 00:24:19,380 You'll still want to run a ping, 518 00:24:19,380 --> 00:24:22,840 a pathping, a traceroute. Look in router logs, 519 00:24:22,834 --> 00:24:27,030 look at router, routing tables, switch logs, 520 00:24:27,030 --> 00:24:30,429 firewall logs, the actual system itself. 521 00:24:30,429 --> 00:24:32,005 Run the performance monitor 522 00:24:32,005 --> 00:24:34,949 or run it, look at the processes on the Unix box, 523 00:24:34,948 --> 00:24:37,206 see how healthy those systems are. 524 00:24:37,206 --> 00:24:39,212 All this is going to play 525 00:24:39,209 --> 00:24:42,166 in your overall traffic analysis, 526 00:24:42,160 --> 00:24:45,727 and that concludes module 1. 527 00:24:45,727 --> 00:24:47,345 One of the things that we want to do is 528 00:24:47,326 --> 00:24:48,716 we want to make sure 529 00:24:48,718 --> 00:24:51,001 that with everything that we're doing 530 00:24:50,995 --> 00:24:54,862 we look at Wireshark as a tool.
531 00:24:54,862 --> 00:24:56,266 We want to make sure 532 00:24:56,257 --> 00:24:59,658 that everything that we look at is not 533 00:24:59,666 --> 00:25:01,435 in a way where we're going to look at 534 00:25:01,435 --> 00:25:02,984 Wireshark and say Wireshark 535 00:25:02,984 --> 00:25:04,839 is going to give me the specific 536 00:25:04,839 --> 00:25:06,642 problem that we're seeing, 537 00:25:06,642 --> 00:25:08,204 it's going to tell me what the problem is. 538 00:25:08,204 --> 00:25:10,069 Just remember, it's just a tool, 539 00:25:10,069 --> 00:25:12,640 it's an extension of your experience, 540 00:25:12,640 --> 00:25:14,698 it's an extension of your knowledge, 541 00:25:14,690 --> 00:25:17,920 and you'll always be learning. 542 00:25:17,920 --> 00:25:20,587 So just remember that learning Wireshark 543 00:25:20,587 --> 00:25:23,384 is a lifetime event as the networks change, 544 00:25:23,402 --> 00:25:25,402 as technologies change, 545 00:25:25,420 --> 00:25:28,086 so that's what you see with Wireshark.