As we just learned with Wireshark, there's a lot of data that can be captured on the network. And one of the things that we're going to see is protocols, and you will have to understand the foundation of what a protocol is and how it works on your network. Basically, as we already covered in module 1, it's going to encapsulate your data; it's going to add some data to the traffic that's flowing to give it some more information, so that each and every layer of the OSI model system knows what to do with it. For example, at layer 2 it's just the MAC address, so what's going to wind up happening is you're going to see MAC addresses in the capture. So what happens when it moves up to layer 3, the network layer, as it's going through a router? Well, at this layer you're going to now have IP addresses and you're going to have routing information.

So at each layer of the OSI model there's going to be more information added to the packet, or the frame if it's at layer 2, and this course will predominantly call everything packets, even though there's segments and frames. But at this layer, let's say at layer 3, the network layer, the packet's going to contain a lot of information within it, so that when we do capture it with Wireshark and you look at it and you analyze it, it's going to give you information such as source IP, destination IP and so on. In this module, we're going to take a very simple protocol and we're going to take a look at it in a way where we can see with Wireshark what we're capturing and why it's so important to understand the protocol, so that when you do capture it, you know what to do with it. You know what it's supposed to be doing on your network. So as an example, and we'll look at this in future modules:

If you capture ARP, or you capture ICMP, or you capture TCP, what are those protocols really supposed to be doing? So, when you talk about ICMP, or Internet Control Message Protocol, one of the things that it's responsible for doing is providing error or problem information on your network. So some of the tools that use ICMP are a simple ping or trace route, and it's used to troubleshoot network connectivity. Now, when you capture it with Wireshark, and on the screen is a simple ICMP capture, you're going to see traffic flowing through the network from a source to a destination address, and you're going to see in the protocol column, ICMP. Now in the information column, you're going to see specific information like echo, and you're going to see echo request, echo reply. So if you didn't understand how the protocol ICMP actually works when you open up Wireshark, you really wouldn't understand what it's really telling you.

So, some of the ways that you can learn more about protocols are to read RFCs, requests for comments, do some research; there's some good books that you can read. But predominantly, and the way that I've done it in the past, is every time I run a capture and I find things, it immediately sparks interest in me to dig deeper into what that is and how it actually operates on the network, what it does. Now, as we were in networking fundamentals, there's certain things that we have to know. We obviously have to know how IP works if we want to configure a router or a switch. We have to understand that if you're going to configure an IP address, if you're going to build how the routing's going to work, you have to understand the fundamentals of it. This simple protocol that we picked just to get you through foundations, beginnings here, ICMP, we have to understand how that works. We're sending pings across. We want to know what the TTL is. We want to understand what that really means.

While we have our ways of doing that as network professionals, and we know that we're going to send a ping and it will tell us destination unreachable, possible routing problem, there's certain things that we understand. But if we actually capture the data, what would that really mean? What would that mean to us? So obviously, we're going to use Wireshark to capture this traffic from source to destination. And again, that's the most important thing. If you want to send a ping or a trace route, and again, this is a simple example of what we are trying to get across, let's say we couldn't ping something. Why? So the quickest way to do this would be to set up Wireshark, ping the endpoints and start capturing the data. So let's say, at a source, a client, I'm running a ping, a continuous ping, from the source to a destination, let's say it's just a file server, and it's continuously running, it's running over and over, and I see nothing but drops.

So I see milliseconds that are very high and then very low. Why would that be doing that? Well, as we mentioned already in the earlier module, we would want to look at, first, hey, let's run a trace route, let's see if there is something else that we don't see. Maybe we do have access or don't have access through the routers; let's take a look there. But if we were only limited to using Wireshark, and we just installed it on the source to the destination, what exactly would we see? Well, if we did so, we would see that we would capture data that looks as if, in here, we had a ping request, and we would look for replies, identifiers, we'd see sequence numbers, we'd see some specific data that may or may not give us a clue as to what it is, but in some instances it may. So again, it may not always tell you what the problem is; you may have to do a little bit deeper diving using tools outside of Wireshark.

But just remember, if you were looking at the actual packet, there's information in the actual packet that matches to other things. So what do we use ICMP mostly for? We use it to use ping, we use it to do trace route. It's part of the TCP/IP protocol suite. It relays query messages and it uses control messages. So what do these really mean? So one of the things that's important to understand with ICMP is that this is actually the information that's appended as the packets are moving up and down from the client source to the destination, and in here you can see some of those exact things that we were just talking about. You could see the source address, the destination address, options, the time to live, the checksum.

Those are the things that, when you learn about the protocols themselves and you do deep dives into the protocols, will provide you the information so that when you capture it with Wireshark and you look at the data in the details, you will understand deeper information about what that actually means. Now, when you do filters, you'll also be able to build filters based on this information. For example, if you wanted to build an offset filter, specific hexadecimal code could be used to build filters to search for information that may or may not be in these headers. So this is one of the key things to remember about protocols when you're troubleshooting with Wireshark. So when we're doing full traffic analysis with Wireshark, and again with the protocol ICMP, some of the things that we're going to be looking for are some dropped packets, maybe an incorrect gateway assignment, it's taking the incorrect path, maybe there's latency.

There's many reasons why the data may not be getting from source to destination, either in an appropriate time, it may not be getting there at all, or maybe taking an incorrect route. Whatever those things are, those things could be found when you capture the data from the source and at the destination, and analyze both captures to see specifically what that protocol is doing. Filter for ICMP and specifically look inside the data to find the information you need to get the clues to solve that problem.
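The echo request/reply fields the lecture points at in Wireshark (type, identifier, sequence number, checksum) can be decoded by hand from the raw ICMP bytes. The following is an added example, not part of the course material; it constructs its own sample echo messages, decodes the 8-byte echo header the way Wireshark's Info column labels it, and verifies the RFC 1071 checksum so a corrupted reply is flagged.

```python
import struct

# ICMP type values for echo traffic (RFC 792).
ECHO_REPLY = 0
ECHO_REQUEST = 8
TYPE_NAMES = {ECHO_REQUEST: "Echo (ping) request", ECHO_REPLY: "Echo (ping) reply"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp_echo(payload: bytes) -> dict:
    """Decode the echo header (type, code, checksum, id, seq) and verify the
    checksum over the whole ICMP message, as Wireshark's ICMP dissector does."""
    if len(payload) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, checksum, ident, seq = struct.unpack("!BBHHH", payload[:8])
    zeroed = payload[:2] + b"\x00\x00" + payload[4:]   # checksum field zeroed for recompute
    return {
        "type": icmp_type,
        "code": code,
        "info": TYPE_NAMES.get(icmp_type, "type %d" % icmp_type),
        "id": ident,
        "seq": seq,
        "checksum_ok": icmp_checksum(zeroed) == checksum,
        "data_len": len(payload) - 8,
    }


def build_echo(icmp_type: int, ident: int, seq: int, data: bytes) -> bytes:
    """Build a constructed sample echo request/reply with a correct checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + data)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + data


if __name__ == "__main__":
    request = build_echo(ECHO_REQUEST, 0x1234, 1, b"abcdefgh")   # constructed sample
    print(parse_icmp_echo(request))
    reply = build_echo(ECHO_REPLY, 0x1234, 1, b"abcdefgh")
    corrupted = reply[:-1] + b"\x00"        # one payload byte altered in transit
    print(parse_icmp_echo(corrupted)["checksum_ok"])
```

Matching a request to its reply is done on the id/seq pair, which is exactly what the Info column shows as "id=0x1234, seq=1"; a checksum mismatch in a capture is a sign the bytes were altered between sender and capture point.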