1
00:00:02,550 --> 00:00:07,230

2
00:00:07,244 --> 00:00:11,467
In routers and switches, a lot of the data

3
00:00:11,459 --> 00:00:13,459
that you capture with Wireshark

4
00:00:13,471 --> 00:00:16,485
this is the most commonly thing, common

5
00:00:16,483 --> 00:00:18,057
common hardware that you're going

6
00:00:18,057 --> 00:00:19,609
to use with Wireshark.

7
00:00:19,609 --> 00:00:21,318
And one of the most important things

8
00:00:21,304 --> 00:00:23,638
to remember, remember with switches

9
00:00:23,642 --> 00:00:27,936
is that, basically what it's going to do is

10
00:00:27,936 --> 00:00:29,304
keep the information the same

11
00:00:29,304 --> 00:00:30,669
from source to destination.

12
00:00:30,669 --> 00:00:33,194
So, a lot of the data that you're capturing

13
00:00:33,185 --> 00:00:35,185
in the switch segment is going to be

14
00:00:35,185 --> 00:00:37,185
pretty easy to sort through.

15
00:00:37,185 --> 00:00:39,185
There's a lot of information

16
00:00:39,185 --> 00:00:42,074
that can be gathered from the packets -

17
00:00:42,074 --> 00:00:43,588
such as the frame,

18
00:00:43,588 --> 00:00:45,388
information that we talked about.

19
00:00:45,388 --> 00:00:48,806
We can do advanced captures with the switch

20
00:00:48,806 --> 00:00:51,629
so we can send the data to a SPAN port.

21
00:00:51,629 --> 00:00:53,629
But just remember that on a switch segment,

22
00:00:53,629 --> 00:00:57,016
it's basically sending the data

23
00:00:57,016 --> 00:00:59,787
in the, from the source in the switch and then

24
00:00:59,787 --> 00:01:02,643
if that switch knows where to send the data

25
00:01:02,643 --> 00:01:04,526
and its scan table is going to

26
00:01:04,526 --> 00:01:06,041
send it out the appropriate port

27
00:01:06,041 --> 00:01:08,501
or it's going to send it out all the ports

28
00:01:08,509 --> 00:01:10,951
to find the destination.

29
00:01:10,949 --> 00:01:13,482
So, particularly,

30
00:01:13,504 --> 00:01:15,504
it's going to do that by MAC address.

31
00:01:15,525 --> 00:01:18,036
It's going to keep this table,

32
00:01:18,036 --> 00:01:20,565
it's going to know exactly where to send it

33
00:01:20,565 --> 00:01:23,516
or it's going to send the data at all ports and

34
00:01:23,516 --> 00:01:26,682
hopefully, it will find that

35
00:01:26,682 --> 00:01:29,187
and if it doesn't, then obviously

36
00:01:29,187 --> 00:01:31,187
it's not configured on your network.

37
00:01:31,187 --> 00:01:33,324
But one of the most important things

38
00:01:33,324 --> 00:01:34,649
to remember with Wireshark

39
00:01:34,649 --> 00:01:36,246
is the data that you are looking for

40
00:01:36,246 --> 00:01:37,895
is not information that's going to be

41
00:01:37,882 --> 00:01:39,271
going over a routed segment.

42
00:01:39,273 --> 00:01:41,990
It's likely not to be firewalled,

43
00:01:41,990 --> 00:01:43,806
it's going to be easier to

44
00:01:43,806 --> 00:01:45,371
look at and understand.

45
00:01:45,371 --> 00:01:48,310
With the routed segment,

46
00:01:48,310 --> 00:01:50,213
this gets a little different.

47
00:01:50,213 --> 00:01:51,886
So with the routed segment,

48
00:01:51,889 --> 00:01:54,268
the information as it goes into the router

49
00:01:54,262 --> 00:01:57,451
will be sent by its routing table lookup

50
00:01:57,451 --> 00:01:59,451
to the next hop

51
00:01:59,451 --> 00:02:04,155
and or, it will, you know, it's going

52
00:02:04,158 --> 00:02:05,210
it's going to send the data

53
00:02:05,210 --> 00:02:06,945
in a way where it's going to

54
00:02:06,945 --> 00:02:10,690
find with it, send the data and or

55
00:02:10,690 --> 00:02:13,035
it's going to change the information such as

56
00:02:13,041 --> 00:02:15,373
the MAC address as it goes from hop to hop.

57
00:02:15,380 --> 00:02:18,717
So what can get, what can go wrong?

58
00:02:18,717 --> 00:02:20,377
So for this example, we're going to use

59
00:02:20,385 --> 00:02:22,774
a hot standby routing protocol

60
00:02:22,781 --> 00:02:24,781
and we capture the data

61
00:02:24,781 --> 00:02:27,108
to show exactly

62
00:02:27,108 --> 00:02:29,817
what information can be seen

63
00:02:29,817 --> 00:02:31,657
when you're using this protocol.

64
00:02:31,657 --> 00:02:34,056
So, when you, you would use this protocol

65
00:02:34,056 --> 00:02:36,134
in a way, where you want

66
00:02:36,134 --> 00:02:37,679
resiliency in your network.

67
00:02:37,679 --> 00:02:40,216
So, for example, you have a gateway,

68
00:02:40,216 --> 00:02:42,624
the data knows to go to the gateway,

69
00:02:42,624 --> 00:02:45,577
and what if you wanted to have a way where

70
00:02:45,577 --> 00:02:48,436
if the data was going to be

71
00:02:48,436 --> 00:02:50,872
critical to the, the enterprise -

72
00:02:50,879 --> 00:02:52,511
what if that router went down?

73
00:02:52,511 --> 00:02:54,511
What if there was an issue with that router?

74
00:02:54,511 --> 00:02:57,647
Well, if you configure HSRP

75
00:02:57,647 --> 00:02:59,026
and you have a VIP to send to,

76
00:02:59,026 --> 00:03:01,086
it's going to know that virtual IP,

77
00:03:01,080 --> 00:03:02,483
and then it's going to have a

78
00:03:02,483 --> 00:03:04,202
primary and secondary behind it

79
00:03:04,202 --> 00:03:06,050
and those will be the 2 routers.

80
00:03:06,050 --> 00:03:08,177
So, essentially,

81
00:03:08,177 --> 00:03:09,927
when you're capturing with Wireshark,

82
00:03:09,927 --> 00:03:11,927
you're going to see that in your capture

83
00:03:11,927 --> 00:03:13,855
as the destination address,

84
00:03:13,855 --> 00:03:16,410
the protocol as HSRP

85
00:03:16,410 --> 00:03:18,750
and it's going to show the hello packets

86
00:03:18,750 --> 00:03:21,693
as a state of standby or active.

87
00:03:21,689 --> 00:03:24,238
So, this may be tricky 'cause

88
00:03:24,211 --> 00:03:26,476
if you don't understand what that means -

89
00:03:26,468 --> 00:03:27,769
you're going to capture this data and

90
00:03:27,769 --> 00:03:29,320
not really know what you're looking at.

91
00:03:29,320 --> 00:03:31,089
But in this example,

92
00:03:31,089 --> 00:03:33,075
you can see that particularly,

93
00:03:33,075 --> 00:03:36,602
with HSRP, you're going to be able to

94
00:03:36,605 --> 00:03:38,875
troubleshoot problems such as

95
00:03:38,875 --> 00:03:41,990
OK, well the active is down,

96
00:03:41,990 --> 00:03:44,257
it's going to specifically

97
00:03:44,267 --> 00:03:47,307
the wrong broadcast address.

98
00:03:47,315 --> 00:03:50,786
It's not functioning, but

99
00:03:50,786 --> 00:03:52,133
what you're going to have to do is

100
00:03:52,133 --> 00:03:53,091
you're also going to have to look

101
00:03:53,091 --> 00:03:55,763
inside the router. So as we mentioned last time,

102
00:03:55,763 --> 00:03:58,683
one of the key aspects of using this tool is

103
00:03:58,683 --> 00:04:00,930
to not simply use this tool

104
00:04:00,930 --> 00:04:05,078
in its entirety or in an isolated fashion.

105
00:04:05,078 --> 00:04:06,623
What you're going to also want to do

106
00:04:06,623 --> 00:04:08,077
is you're going to also want to

107
00:04:08,077 --> 00:04:09,442
log into the routers,

108
00:04:09,442 --> 00:04:10,872
you're going to want to check the logs

109
00:04:10,872 --> 00:04:12,514
you're going to want to see which one's active,

110
00:04:12,514 --> 00:04:14,771
you're going to want to see which one's standby,

111
00:04:14,769 --> 00:04:16,769
and if you have problems there as well.

112
00:04:16,769 --> 00:04:21,342
As you can see from this segment,

113
00:04:21,342 --> 00:04:23,342
one of the key aspects of using

114
00:04:23,350 --> 00:04:26,658
Wireshark on this network is

115
00:04:26,658 --> 00:04:28,257
one of the things we did

116
00:04:28,251 --> 00:04:30,802
was set up a SPAN port

117
00:04:30,802 --> 00:04:33,129
and we captured the data as close

118
00:04:33,129 --> 00:04:35,009
to the routers as, as possible.

119
00:04:35,009 --> 00:04:36,997
So one of the things that's important with

120
00:04:36,997 --> 00:04:38,694
using Wireshark is,

121
00:04:38,694 --> 00:04:40,718
when you're troubleshooting something

122
00:04:40,718 --> 00:04:42,709
and you want to get as close to

123
00:04:42,709 --> 00:04:44,604
as the problem as you can.

124
00:04:44,604 --> 00:04:48,065
And or send the data directly from

125
00:04:48,063 --> 00:04:50,459
what you think is the target problem

126
00:04:50,459 --> 00:04:51,472
to Wireshark.

127
00:04:51,472 --> 00:04:53,505
If you install Wireshark,

128
00:04:53,505 --> 00:04:55,222
for example, on a segment

129
00:04:55,222 --> 00:04:58,236
where that traffic doesn't exist

130
00:04:58,236 --> 00:05:00,483
or is blocked, you're not going to be able

131
00:05:00,483 --> 00:05:02,476
to see that there's an actual problem there.

132
00:05:02,476 --> 00:05:04,694
So in this example where you have

133
00:05:04,694 --> 00:05:06,380
2 routers on a segment,

134
00:05:06,380 --> 00:05:08,380
if you had set up

135
00:05:08,380 --> 00:05:10,380
Wireshark, for example

136
00:05:10,380 --> 00:05:12,380
on the server and it wasn't

137
00:05:12,380 --> 00:05:14,380
able to see that data and

138
00:05:14,380 --> 00:05:16,380
you weren't able to capture that data

139
00:05:16,380 --> 00:05:19,263
then you won't be able to look at actual data

140
00:05:19,263 --> 00:05:21,263
to find out about the problem.

141
00:05:21,263 --> 00:05:24,722
So, some of the information

142
00:05:24,722 --> 00:05:26,479
captured may point to

143
00:05:26,479 --> 00:05:28,911
or reveal problems such as

144
00:05:28,911 --> 00:05:31,655
incorrect gateway assignment,

145
00:05:31,655 --> 00:05:33,929
an incorrect path.

146
00:05:33,924 --> 00:05:36,517
Again, you're going to be looking

147
00:05:36,517 --> 00:05:37,738
at the data from the source

148
00:05:37,738 --> 00:05:38,814
to the destination.

149
00:05:38,814 --> 00:05:41,271
So you're going to want to see that your client's

150
00:05:41,261 --> 00:05:43,528
configured with the correct gateway.

151
00:05:43,535 --> 00:05:45,442
It's going to the correct VIP

152
00:05:45,442 --> 00:05:48,159
and when you capture and isolate that data

153
00:05:48,159 --> 00:05:50,127
you may be able to find

154
00:05:50,127 --> 00:05:52,764
what the root cause of that issue is,

155
00:05:52,764 --> 00:05:54,764
or the underlying problem.

156
00:05:54,764 --> 00:05:59,026
Again, you're going to want to look at

157
00:05:59,026 --> 00:06:01,517
the actual encapsulated data.

158
00:06:01,523 --> 00:06:04,517
You're going to want to look at the headers,

159
00:06:04,517 --> 00:06:07,503
you're going to want to analyze the protocol,

160
00:06:07,495 --> 00:06:09,599
or you're going to want to look at the traffic flow

161
00:06:09,599 --> 00:06:10,983
from source to destination,

162
00:06:10,983 --> 00:06:12,296
you're going to want not just

163
00:06:12,296 --> 00:06:13,858
use Wireshark with other tools

164
00:06:13,858 --> 00:06:15,568
such as the router logs,

165
00:06:15,568 --> 00:06:17,568
maybe send a trace

166
00:06:17,568 --> 00:06:20,524
to see exactly where it's ending up.

167
00:06:20,524 --> 00:06:23,401
And after the data is captured,

168
00:06:23,401 --> 00:06:24,787
you can analyze it,

169
00:06:24,787 --> 00:06:26,350
look at all applicable layers

170
00:06:26,340 --> 00:06:28,374
or the under the hood details

171
00:06:28,374 --> 00:06:30,374
and try to solve the problem.

172
00:06:30,374 --> 00:06:35,012
Again, as you can see,

173
00:06:35,012 --> 00:06:37,184
we can drill down into the data

174
00:06:37,184 --> 00:06:39,715
so we selected one HSRP packet,

175
00:06:39,715 --> 00:06:41,715
we drilled down into it

176
00:06:41,715 --> 00:06:43,715
and we could find things such as

177
00:06:43,715 --> 00:06:47,299
the destination. We could see that's a multicast.

178
00:06:47,299 --> 00:06:52,055
We could see that it's a 20-byte header.

179
00:06:52,055 --> 00:06:55,313
We could see specific things that will allow us

180
00:06:55,313 --> 00:06:58,418
to solve the issue, for example, the source

181
00:06:58,418 --> 00:06:59,882
to the destination,

182
00:06:59,895 --> 00:07:04,296
the destination being 224.0.0.2.

183
00:07:04,304 --> 00:07:06,183
These are the things that we can look at

184
00:07:06,183 --> 00:07:08,349
specifically within Wireshark

185
00:07:08,349 --> 00:07:10,349
to try to gain more information

186
00:07:10,349 --> 00:07:12,976
so that we can dig deeper into it

187
00:07:12,976 --> 00:07:15,078
and try to solve the issue.

188
00:07:15,052 --> 00:07:20,077
When we capture the data,

189
00:07:20,077 --> 00:07:21,722
we'll be able to inspect it,

190
00:07:21,722 --> 00:07:23,722
we'll be able to look at that data,

191
00:07:23,722 --> 00:07:25,514
see what the types of problems are

192
00:07:25,514 --> 00:07:27,192
if there are any problems.

193
00:07:27,192 --> 00:07:29,971
In future modules, we'll talk about the Expert.

194
00:07:29,971 --> 00:07:32,797
This is a helping hand

195
00:07:32,796 --> 00:07:35,378
to give you some more insight into the tool

196
00:07:35,369 --> 00:07:38,289
to allow you to look at the data a little closer -

197
00:07:38,289 --> 00:07:40,791
the ability to protocol analysis.

198
00:07:40,799 --> 00:07:42,556
Again, what's most important about

199
00:07:42,551 --> 00:07:45,472
understanding protocols, you know,

200
00:07:45,472 --> 00:07:48,552
how does that actually work inside the protocol.

201
00:07:48,560 --> 00:07:51,104
What is it doing?

202
00:07:51,104 --> 00:07:53,360
Wireshark will allow you to open this data

203
00:07:53,360 --> 00:07:55,448
so that you can look at the specific data

204
00:07:55,456 --> 00:07:58,814
to try to summarize what the problem is.

205
00:07:58,814 --> 00:08:01,933
And it will help you to see things that

206
00:08:01,933 --> 00:08:03,464
you would not be able to see

207
00:08:03,464 --> 00:08:05,464
if you had not captured the data.

208
00:08:05,464 --> 00:08:08,701
And again, traffic analysis

209
00:08:08,701 --> 00:08:10,168
maybe there's a reason why

210
00:08:10,168 --> 00:08:12,807
this data cannot use HSRP

211
00:08:12,807 --> 00:08:15,517
or the clients cannot get there.

212
00:08:15,517 --> 00:08:17,294
You can do traffic analysis

213
00:08:17,294 --> 00:08:18,519
to try to dig in deeper

214
00:08:18,519 --> 00:08:20,023
to see what the issues may be.

215
00:08:20,023 --> 00:08:24,311