1 00:00:02,273 --> 00:00:08,752 2 00:00:08,750 --> 00:00:10,457 So again, as we talked about 3 00:00:10,457 --> 00:00:12,651 what's important with Wireshark, 4 00:00:12,654 --> 00:00:14,654 is understanding 5 00:00:14,656 --> 00:00:16,641 the fundamentals of networking. 6 00:00:16,641 --> 00:00:18,641 And where some of us 7 00:00:18,641 --> 00:00:20,641 may be training to become 8 00:00:20,641 --> 00:00:23,020 high level professionals or experts 9 00:00:23,022 --> 00:00:25,630 or some of us may already be in that area, 10 00:00:25,640 --> 00:00:28,296 understanding how to configure a device 11 00:00:28,288 --> 00:00:30,167 is a little bit different than 12 00:00:30,167 --> 00:00:31,424 actually troubleshooting 13 00:00:31,424 --> 00:00:33,424 the data going to and from the device. 14 00:00:33,424 --> 00:00:35,944 So, what's key to learning about 15 00:00:35,944 --> 00:00:38,564 networking is not only how to configure, 16 00:00:38,564 --> 00:00:40,620 how to design, but also how to troubleshoot. 17 00:00:40,612 --> 00:00:42,630 So that's a lot of the design, run, 18 00:00:42,641 --> 00:00:45,533 build elements of networking. 19 00:00:45,528 --> 00:00:47,528 So, you're going to design it. 20 00:00:47,528 --> 00:00:48,712 You're going to make sure that you 21 00:00:48,712 --> 00:00:50,185 say, if I want resiliency 22 00:00:50,185 --> 00:00:52,185 either I want them to be secure, 23 00:00:52,185 --> 00:00:54,368 do I want redundancy, 24 00:00:54,361 --> 00:00:56,177 do I want density? 25 00:00:56,169 --> 00:00:58,169 What do I want, actually want 26 00:00:58,169 --> 00:01:00,196 to produce and then 27 00:01:00,184 --> 00:01:02,412 it has to be built or engineered. 28 00:01:02,409 --> 00:01:03,503 So then we're going to go 29 00:01:03,503 --> 00:01:04,409 through the process of 30 00:01:04,409 --> 00:01:05,963 building all these components. 31 00:01:05,961 --> 00:01:07,233 We're going to deploy them, 32 00:01:07,233 --> 00:01:09,233 and we're going to test them. 
33 00:01:09,233 --> 00:01:11,536 Possibly lab them prior to 34 00:01:11,536 --> 00:01:12,462 you know, make sure 35 00:01:12,462 --> 00:01:14,785 that our theories and designs are accurate 36 00:01:14,783 --> 00:01:16,240 and then we're going to deploy them. 37 00:01:16,232 --> 00:01:17,712 And then there is run, 38 00:01:17,712 --> 00:01:20,361 So that's the actual operations of 39 00:01:20,358 --> 00:01:21,984 of position where 40 00:01:21,984 --> 00:01:24,843 you'll likely be using Wireshark the most, right? 41 00:01:24,830 --> 00:01:28,532 So, if you're in a network situation 42 00:01:28,532 --> 00:01:30,777 where, you know, you get hired 43 00:01:30,777 --> 00:01:32,058 or you're a consultant and 44 00:01:32,058 --> 00:01:35,235 and you step into the role of handling operations, 45 00:01:35,243 --> 00:01:36,501 you'll likely going to be 46 00:01:36,501 --> 00:01:38,278 using troubleshooting tools 47 00:01:38,278 --> 00:01:40,278 pretty much on a daily basis. 48 00:01:40,278 --> 00:01:43,553 Now, Wireshark will likely not be your only tool. 49 00:01:43,553 --> 00:01:46,578 You'll probably be using things as simplistic as 50 00:01:46,578 --> 00:01:49,385 ping and trace route and basic logs all the way 51 00:01:49,385 --> 00:01:52,425 to enterprise monitoring tools 52 00:01:52,435 --> 00:01:54,613 that we discussed earlier 53 00:01:54,609 --> 00:01:56,853 which some of the ones that are more specific 54 00:01:56,857 --> 00:01:59,126 to data capture and analysis is 55 00:01:59,169 --> 00:02:01,892 ones from Riverbed and 56 00:02:01,892 --> 00:02:03,892 from NetScout, as an example. 57 00:02:03,892 --> 00:02:07,525 So, just to highlight what 58 00:02:07,525 --> 00:02:09,081 we've already discussed 59 00:02:09,081 --> 00:02:11,081 as far as source to destination, 60 00:02:11,081 --> 00:02:13,694 that concept still applies when you're talking 61 00:02:13,684 --> 00:02:15,811 about other network hardware. 
62 00:02:15,819 --> 00:02:18,335 What we're really going to talk 63 00:02:18,335 --> 00:02:19,676 about in this module is 64 00:02:19,676 --> 00:02:22,487 specifically the security devices because 65 00:02:22,487 --> 00:02:24,160 they really change your data a lot 66 00:02:24,160 --> 00:02:26,963 and it makes it more difficult 67 00:02:26,960 --> 00:02:29,373 to look at the data with Wireshark. 68 00:02:29,378 --> 00:02:31,378 Either whether it's blocking it, 69 00:02:31,378 --> 00:02:33,759 or it's changing it through net 70 00:02:33,759 --> 00:02:36,539 or you can't actually use the, 71 00:02:36,534 --> 00:02:38,915 or to use Wireshark to capture the data 72 00:02:38,917 --> 00:02:40,917 because it's being blocked completely. 73 00:02:40,937 --> 00:02:42,937 No matter that is, 74 00:02:42,937 --> 00:02:44,519 that's going to be some of the things 75 00:02:44,519 --> 00:02:46,011 that you encounter when using 76 00:02:46,011 --> 00:02:47,954 Wireshark in this fashion. 77 00:02:47,954 --> 00:02:52,010 So, some of the things that 78 00:02:52,013 --> 00:02:54,475 Wireshark can do as of 1.8, 79 00:02:54,475 --> 00:02:58,966 a lot of radical changes that we will talk about. 80 00:02:58,968 --> 00:03:00,736 Some really good things like some simple 81 00:03:00,735 --> 00:03:04,588 things, like you can annotate files all the way to - 82 00:03:04,588 --> 00:03:07,835 you can actually build and use a 83 00:03:07,843 --> 00:03:10,621 a firewall ACL rule within Wireshark. 84 00:03:10,628 --> 00:03:12,471 It'll help you build that depending on what 85 00:03:12,472 --> 00:03:14,835 data it is that you're trying to look at 86 00:03:14,843 --> 00:03:17,997 as you can see from this screen shot. 
87 00:03:17,997 --> 00:03:19,997 So there's a lot of things that 88 00:03:19,997 --> 00:03:23,272 you need to understand about using Wireshark 89 00:03:23,280 --> 00:03:24,756 in this fashion because as 90 00:03:24,756 --> 00:03:26,733 we have mentioned earlier 91 00:03:26,733 --> 00:03:30,612 these firewall devices are going to 92 00:03:30,612 --> 00:03:33,807 block by default. It's very restrictive, 93 00:03:33,807 --> 00:03:35,478 it's likely to block the traffic. 94 00:03:35,478 --> 00:03:40,128 unless you specifically ask the firewall to allow it. 95 00:03:40,128 --> 00:03:43,133 It's going to have a, implicit 96 00:03:43,135 --> 00:03:45,303 deny on pretty much anything. 97 00:03:45,304 --> 00:03:49,599 There's fix up protocols that allow you 98 00:03:49,597 --> 00:03:52,140 to do things in it's ACL's and there's all 99 00:03:52,144 --> 00:03:54,609 kinds of tools within the firewall 100 00:03:54,595 --> 00:03:58,238 but with Wireshark specifically, 101 00:03:58,238 --> 00:04:01,183 there are some tools sets within it, as well. 102 00:04:01,183 --> 00:04:08,360 So, what is an ACL? 103 00:04:08,360 --> 00:04:10,360 An ACL is an access control list. 104 00:04:10,360 --> 00:04:13,774 It's basically used to say, 105 00:04:13,774 --> 00:04:17,786 I am going to either allow data to pass 106 00:04:17,778 --> 00:04:21,607 or I'm going to deny it from passing. 107 00:04:21,606 --> 00:04:25,616 There's many things that create ACL's. 108 00:04:25,606 --> 00:04:29,419 Now, we're learning about Cisco at INE 109 00:04:29,419 --> 00:04:33,199 at the highest layer, and obviously, 110 00:04:33,197 --> 00:04:35,124 that's something that you would take 111 00:04:35,124 --> 00:04:36,384 into account immediately. 112 00:04:36,384 --> 00:04:38,560 You'd say, well, I can't get the data through 113 00:04:38,552 --> 00:04:40,067 I'm going to check the Cisco router, 114 00:04:40,067 --> 00:04:41,357 I'm going to look at the firewall. 
115 00:04:41,357 --> 00:04:43,219 It's likely an an ACL issue, 116 00:04:43,217 --> 00:04:44,937 but there's a couple of different things. 117 00:04:44,922 --> 00:04:48,241 Now, if we go back to our concept 118 00:04:48,241 --> 00:04:50,769 from earlier that you're not looking at 119 00:04:50,767 --> 00:04:52,444 when you're using Wireshark 120 00:04:52,444 --> 00:04:54,344 to troubleshoot problems, you're not looking at 121 00:04:54,338 --> 00:04:56,657 in a, in a, in a tube or at. 122 00:04:56,657 --> 00:04:59,490 You're not looking at specifically at one point. 123 00:04:59,487 --> 00:05:01,456 You are looking at everything holistically. 124 00:05:01,453 --> 00:05:04,540 You're saying from the source to the destination, 125 00:05:04,540 --> 00:05:07,637 what are all the things involved. 126 00:05:07,633 --> 00:05:10,554 So, we talked about the tip of the arrow 127 00:05:10,554 --> 00:05:12,818 you know, we say, oh the client. 128 00:05:12,818 --> 00:05:13,928 Alright, so what's, 129 00:05:13,928 --> 00:05:15,321 what could be wrong with the client? 130 00:05:15,321 --> 00:05:18,104 The client could be performing horribly. 131 00:05:18,104 --> 00:05:20,104 It could have, it could have malware on it. 132 00:05:20,104 --> 00:05:23,131 There's so many things that can impact 133 00:05:23,123 --> 00:05:25,157 the client - memory, disc space. 134 00:05:25,149 --> 00:05:27,740 So when we talk about, you know, 135 00:05:27,740 --> 00:05:30,392 traffic problems, we just got to remember that 136 00:05:30,396 --> 00:05:32,225 it's not necessarily just 137 00:05:32,225 --> 00:05:34,522 specifically, let say the router ACL. 138 00:05:34,522 --> 00:05:36,522 We might have other things that 139 00:05:36,522 --> 00:05:38,522 are blocking, so for example, 140 00:05:38,522 --> 00:05:40,522 it may not be a Cisco router 141 00:05:40,522 --> 00:05:42,522 or it may be a checkpoint firewall. 
142 00:05:42,522 --> 00:05:47,101 It may be, you know, a SideWinder firewall, 143 00:05:47,101 --> 00:05:50,069 Palo Alto. It could be any particular thing 144 00:05:50,083 --> 00:05:52,167 but they're also going to be using ACL's. 145 00:05:52,165 --> 00:05:54,955 With Windows server, 146 00:05:54,955 --> 00:05:59,731 you can use netsh to configure firewall rules. 147 00:05:59,731 --> 00:06:00,699 There's the GUI. 148 00:06:00,699 --> 00:06:02,315 You can configure firewall rules. 149 00:06:02,308 --> 00:06:04,896 Those are technically ACL's that would 150 00:06:04,896 --> 00:06:08,239 block traffic on a Window's client. 151 00:06:08,235 --> 00:06:10,762 It could be blocking with the 152 00:06:10,762 --> 00:06:12,276 Window's firewalls so you may be 153 00:06:12,276 --> 00:06:14,276 trying to run a capture and can't figure out 154 00:06:14,276 --> 00:06:16,907 why data is not traversing - 155 00:06:16,907 --> 00:06:18,907 it could be as simple as looking at the client. 156 00:06:18,907 --> 00:06:23,026 With Linux or Unix, IP tables, the same thing - 157 00:06:23,026 --> 00:06:25,581 firewall, ACL's blocking the traffic 158 00:06:25,586 --> 00:06:27,586 and many others. 159 00:06:27,591 --> 00:06:29,591 So just remember, 160 00:06:29,591 --> 00:06:31,591 when you're using Wireshark that 161 00:06:31,591 --> 00:06:33,101 and you were dealing something 162 00:06:33,101 --> 00:06:34,133 such as the firewall, 163 00:06:34,133 --> 00:06:36,383 a firewall may not just be the device 164 00:06:36,383 --> 00:06:39,832 that you're used to, like a Cisco PIX/ASA. 165 00:06:39,840 --> 00:06:41,092 It may be something different. 166 00:06:41,092 --> 00:06:43,228 It may be a checkpoint firewall. 167 00:06:43,228 --> 00:06:45,377 It may be one of many 168 00:06:45,377 --> 00:06:46,705 different flavors of firewalls. 169 00:06:46,705 --> 00:06:48,120 It could be a router with a 170 00:06:48,120 --> 00:06:49,846 simple set of ACL's. 
171 00:06:49,846 --> 00:06:53,558 It could be a client with a, a client firewall. 172 00:06:53,558 --> 00:06:55,841 It could be a Linux or a Unix 173 00:06:55,833 --> 00:06:58,018 system with a client firewall. 174 00:06:58,017 --> 00:07:00,137 So just remember these concepts of 175 00:07:00,137 --> 00:07:02,065 when you're troubleshooting with Wireshark 176 00:07:02,065 --> 00:07:03,462 if you can't get the traffic 177 00:07:03,462 --> 00:07:04,970 and you don't understand why, 178 00:07:04,970 --> 00:07:06,970 there's many things from 179 00:07:06,970 --> 00:07:08,362 source to destination 180 00:07:08,362 --> 00:07:11,191 that could be blocking that traffic. 181 00:07:11,190 --> 00:07:14,820 So, troubleshooting a network or 182 00:07:14,820 --> 00:07:18,137 or, or trying to capture data to analyze it, 183 00:07:18,137 --> 00:07:21,360 in this sense where you have a firewall 184 00:07:21,360 --> 00:07:25,189 that may be the source of the problem 185 00:07:25,189 --> 00:07:28,634 and or blocking your view of it, 186 00:07:28,634 --> 00:07:31,557 it's very, very simple to understand. 187 00:07:31,557 --> 00:07:35,535 If you're trying to capture and analyze 188 00:07:35,535 --> 00:07:37,535 traffic from the router, 189 00:07:37,535 --> 00:07:40,036 let's say, from the laptop computer 190 00:07:40,036 --> 00:07:41,664 with Wireshark installed, 191 00:07:41,664 --> 00:07:43,960 and you're not seeing 192 00:07:43,955 --> 00:07:46,047 the traffic from the server, 193 00:07:46,050 --> 00:07:49,217 the simplest answer could be - well, 194 00:07:49,217 --> 00:07:51,217 in this instance there's likely 195 00:07:51,217 --> 00:07:52,672 a firewall in between. 196 00:07:52,672 --> 00:07:55,360 Maybe that's, that could be the 197 00:07:55,360 --> 00:07:57,177 problem or it's blocking it. 198 00:07:57,177 --> 00:07:59,177 Maybe I don't have Wireshark 199 00:07:59,177 --> 00:08:02,239 on the right side of the firewall. 
200 00:08:02,238 --> 00:08:03,911 Maybe I need them on both sides. 201 00:08:03,911 --> 00:08:05,679 Maybe I need to allow 202 00:08:05,672 --> 00:08:07,723 the traffic through the firewall. 203 00:08:07,717 --> 00:08:08,934 We need to remember, 204 00:08:08,934 --> 00:08:10,884 if you're using Wireshark in a lab, 205 00:08:10,884 --> 00:08:12,012 we could pretty much do 206 00:08:12,012 --> 00:08:13,784 whatever it is that we want to do. 207 00:08:13,784 --> 00:08:17,323 We can install things in a way where 208 00:08:17,331 --> 00:08:20,604 you know, if we wanted to test 209 00:08:20,601 --> 00:08:23,056 any theory if it's in a lab environment, 210 00:08:23,069 --> 00:08:25,688 we can, you know, change the firewall rules. 211 00:08:25,688 --> 00:08:27,145 We can, we can do pretty much 212 00:08:27,145 --> 00:08:28,558 anything we want. 213 00:08:28,558 --> 00:08:30,558 What's important to remember in production, 214 00:08:30,550 --> 00:08:32,715 and likely, you're going to be using Wireshark 215 00:08:32,717 --> 00:08:35,561 the most, there's 2 important concepts 216 00:08:35,573 --> 00:08:39,226 to remember - one, you're using a protocol 217 00:08:39,234 --> 00:08:41,499 and packet capture device 218 00:08:41,499 --> 00:08:42,896 on a production network, 219 00:08:42,896 --> 00:08:46,298 and therefore, you may not be allowed to. 220 00:08:46,298 --> 00:08:48,568 One of the reasons is because Wireshark 221 00:08:48,554 --> 00:08:50,574 is also used for security analysis. 222 00:08:50,575 --> 00:08:55,528 So with the protocols we talked to already 223 00:08:55,528 --> 00:08:58,932 with, let's say, this TCP/IP protocol 224 00:08:58,932 --> 00:09:02,162 sweep version 4 allow the protocols involved 225 00:09:02,174 --> 00:09:05,025 in within that sweep such as, let's say, 226 00:09:05,030 --> 00:09:08,747 telnet, SNMP, and others. 
227 00:09:08,754 --> 00:09:11,574 They will send information in clear text, 228 00:09:11,574 --> 00:09:13,767 non-encrypted so if you're not 229 00:09:13,766 --> 00:09:16,070 doing extra encryption, 230 00:09:16,069 --> 00:09:18,937 if you're sending this data in clear text 231 00:09:18,937 --> 00:09:20,937 Wireshark can capture it. 232 00:09:20,937 --> 00:09:23,012 So you may be called to troubleshoot 233 00:09:23,012 --> 00:09:25,097 a problem with Wireshark configured on a 234 00:09:25,094 --> 00:09:28,139 network and start capturing data that 235 00:09:28,139 --> 00:09:31,190 in reality may expose a lot of 236 00:09:31,195 --> 00:09:35,273 the things that are meant to be kept secret 237 00:09:35,276 --> 00:09:37,462 on the network itself. 238 00:09:37,462 --> 00:09:40,313 So just remember that when you're using 239 00:09:40,325 --> 00:09:42,924 Wireshark, it is, it is also used primarily 240 00:09:42,924 --> 00:09:45,242 as a security tool and you need to have 241 00:09:45,242 --> 00:09:47,015 permission to use it specifically 242 00:09:47,015 --> 00:09:48,055 on a production network. 243 00:09:48,055 --> 00:09:51,716 Also as we're talking about before, the firewall 244 00:09:51,716 --> 00:09:54,155 you may see data that's encrypted 245 00:09:54,155 --> 00:09:56,251 and you may not be able to see it 246 00:09:56,243 --> 00:09:58,925 and you could use Wireshark to, 247 00:09:58,924 --> 00:10:00,958 to add the keys to decrypt it. 248 00:10:00,966 --> 00:10:02,765 So that's one of the interesting 249 00:10:02,765 --> 00:10:03,874 things about Wireshark. 250 00:10:03,874 --> 00:10:05,463 It could be used in a security sense 251 00:10:05,463 --> 00:10:06,860 that it could be - 252 00:10:06,860 --> 00:10:08,588 you can reconstruct voice calls, 253 00:10:08,596 --> 00:10:11,794 you can use it to capture data 254 00:10:11,794 --> 00:10:13,203 that can be decrypted. 
255 00:10:13,203 --> 00:10:15,203 You can capture unencrypted data 256 00:10:15,203 --> 00:10:18,401 that can be used to log in to devices. 257 00:10:18,401 --> 00:10:21,371 You may see read and write strings, 258 00:10:21,367 --> 00:10:24,009 private and public strings 259 00:10:24,005 --> 00:10:26,418 from SNMP that you can capture 260 00:10:26,412 --> 00:10:28,504 and now manipulate the device with. 261 00:10:28,506 --> 00:10:31,049 So, just remember, 262 00:10:31,049 --> 00:10:33,363 with Wireshark, that's there's a lot more that 263 00:10:33,350 --> 00:10:35,049 you can do with it than just troubleshooting. 264 00:10:35,049 --> 00:10:39,304 So simple firewall concepts 265 00:10:39,304 --> 00:10:43,114 obviously, a firewall will block traffic. 266 00:10:43,114 --> 00:10:46,628 This is tricky when you're trying 267 00:10:46,637 --> 00:10:48,017 to troubleshoot with Wireshark 268 00:10:48,025 --> 00:10:50,161 because if you're trying to see 269 00:10:50,160 --> 00:10:52,359 for example, why a source cannot 270 00:10:52,358 --> 00:10:54,646 communicate with the destination 271 00:10:54,652 --> 00:10:56,959 and let's say, you don't have access 272 00:10:56,959 --> 00:10:58,651 to the firewall and they're asking you 273 00:10:58,651 --> 00:11:00,836 to solve that problem with Wireshark. 274 00:11:00,834 --> 00:11:02,961 Ok, well, how are we actually going to do that? 275 00:11:02,950 --> 00:11:06,958 Well, as we reflect back to the simple lab 276 00:11:06,958 --> 00:11:08,958 where we had the source to the destination, 277 00:11:08,958 --> 00:11:13,076 we had, let's say, a firewall in between 278 00:11:13,076 --> 00:11:16,248 if you see that you're not able to traverse that 279 00:11:16,248 --> 00:11:18,209 let's say, with RDP 280 00:11:18,209 --> 00:11:20,882 but you able to ping through it, 281 00:11:20,889 --> 00:11:23,134 it may give you the false impression that 282 00:11:23,147 --> 00:11:26,515 the firewall is not the source of the issue. 
But 283 00:11:26,515 --> 00:11:30,505 it may be blocking specific traffic that is required 284 00:11:30,505 --> 00:11:32,505 for an application to function. 285 00:11:32,505 --> 00:11:35,539 And why would that be an issue because 286 00:11:35,539 --> 00:11:37,600 let's say, we're troubleshooting a 287 00:11:37,600 --> 00:11:38,976 a new problem where they said 288 00:11:38,976 --> 00:11:40,196 "You know just recently 289 00:11:40,189 --> 00:11:42,356 something on the DMZ stopped working, 290 00:11:42,356 --> 00:11:43,647 we don't understand." 291 00:11:43,647 --> 00:11:45,422 You know, as being network professionals, 292 00:11:45,422 --> 00:11:47,573 we, our brains would start working - 293 00:11:47,572 --> 00:11:50,899 say, when was the last change on the firewall? 294 00:11:50,897 --> 00:11:53,282 What, what could have possibly, you know, 295 00:11:53,281 --> 00:11:55,844 made this happen, as in a new deployment. 296 00:11:55,849 --> 00:11:58,280 We know that with 297 00:11:58,280 --> 00:12:00,499 the complexity of what it is that we do, 298 00:12:00,498 --> 00:12:05,419 we try to be masterful and perfect everytime, but 299 00:12:05,419 --> 00:12:07,419 we could fat finger something and 300 00:12:07,419 --> 00:12:09,419 we can knock something off the network. 301 00:12:09,419 --> 00:12:12,333 But in regards to that if it's blocking the traffic 302 00:12:12,333 --> 00:12:15,093 and you do not have information back 303 00:12:15,093 --> 00:12:17,065 from the firewall that anything changed, 304 00:12:17,065 --> 00:12:18,644 or there's any specific 305 00:12:18,644 --> 00:12:20,050 problems that they can see, 306 00:12:20,050 --> 00:12:21,425 a simple solution would be 307 00:12:21,425 --> 00:12:22,538 to set up Wireshark 308 00:12:22,545 --> 00:12:24,545 on both sides of the firewall 309 00:12:24,545 --> 00:12:26,211 and take a look at the source 310 00:12:26,202 --> 00:12:28,548 to destination traffic in 2 captures. 
311 00:12:28,547 --> 00:12:32,485 If you see that you're sending data 2 312 00:12:32,485 --> 00:12:34,704 and you're not receiving on the other side 313 00:12:34,705 --> 00:12:36,703 then it could be implied that the 314 00:12:36,699 --> 00:12:39,096 firewall is actually blocking the traffic. 315 00:12:39,101 --> 00:12:42,188 We will learn in future modules 316 00:12:42,188 --> 00:12:43,977 how do you time that, right? 317 00:12:43,970 --> 00:12:45,354 So, you would want to 318 00:12:45,354 --> 00:12:46,717 actually look at timestamps 319 00:12:46,717 --> 00:12:48,529 from one capture to the other. 320 00:12:48,529 --> 00:12:51,410 to see exactly when things are 321 00:12:51,410 --> 00:12:52,897 going from one side to the other. 322 00:12:52,897 --> 00:12:54,618 You can look at the handshakes. 323 00:12:54,618 --> 00:12:56,581 There's lots of ways to figure that out. 324 00:12:56,581 --> 00:12:58,352 But a very simple capture would be 325 00:12:58,352 --> 00:13:00,250 the time it capture on both ends. 326 00:13:00,250 --> 00:13:01,000 Take a look - 327 00:13:01,000 --> 00:13:03,467 is the source getting to the destination? 328 00:13:03,462 --> 00:13:06,237 Yes or no? And if not, 329 00:13:06,244 --> 00:13:08,436 then likely it's blocking that traffic. 330 00:13:08,444 --> 00:13:12,056 Firewall also translates traffic. 331 00:13:12,048 --> 00:13:12,881 It will do that through 332 00:13:12,881 --> 00:13:14,365 Network Address Translation. 333 00:13:14,365 --> 00:13:17,533 It also does it with Port Address Translation. 334 00:13:17,533 --> 00:13:19,533 And when it does that 335 00:13:19,533 --> 00:13:21,533 it will send the data, 336 00:13:21,533 --> 00:13:23,533 the source will send the data. 337 00:13:23,533 --> 00:13:25,820 It will hit the NAT device, 338 00:13:25,820 --> 00:13:27,820 maybe a router, maybe a firewall. 
339 00:13:27,820 --> 00:13:31,989 And that device will then send the data 340 00:13:31,984 --> 00:13:34,693 as it appears from a different IP address, and 341 00:13:34,693 --> 00:13:36,438 it can do that from a pool. 342 00:13:36,438 --> 00:13:38,916 And the reason it does that is it generally hides 343 00:13:38,927 --> 00:13:42,364 the privately addressed network 344 00:13:42,364 --> 00:13:43,902 from the outside world. 345 00:13:43,902 --> 00:13:47,887 It would translate a larger set of addresses 346 00:13:47,894 --> 00:13:50,887 to a smaller subset of public addresses. 347 00:13:50,893 --> 00:13:53,173 But regardless, it's something that you need 348 00:13:53,176 --> 00:13:54,951 to understand because when you're capturing 349 00:13:54,951 --> 00:13:56,104 the data with Wireshark 350 00:13:56,104 --> 00:13:58,104 if you did not know it was NATting 351 00:13:58,104 --> 00:14:02,635 and, and you weren't capturing specifically 352 00:14:02,635 --> 00:14:05,219 and looking for specifically that data, 353 00:14:05,220 --> 00:14:07,448 it may confuse you. Here's an example. 354 00:14:07,441 --> 00:14:10,154 Let's say, you're capturing 355 00:14:10,171 --> 00:14:13,438 a source to destination problem where 356 00:14:13,439 --> 00:14:16,200 you know that the source address is, 357 00:14:16,193 --> 00:14:19,517 you know, 192.168.1.10 358 00:14:19,520 --> 00:14:22,963 and the destination is 10.1.1.20. 359 00:14:22,957 --> 00:14:25,580 You're not going to necessarily as 360 00:14:25,581 --> 00:14:27,954 you're troubleshooting the segments through 361 00:14:27,945 --> 00:14:30,914 see that all the way through. 362 00:14:30,914 --> 00:14:32,458 You're going to see different things happening. 
363 00:14:32,458 --> 00:14:34,326 As we talked about earlier in the modules, 364 00:14:34,319 --> 00:14:36,964 these devices change the data from hop to hop, 365 00:14:36,973 --> 00:14:39,072 and if you're not, if you do not understand 366 00:14:39,073 --> 00:14:40,946 what's happening from hop to hop, 367 00:14:40,946 --> 00:14:44,532 you may not what you're looking at or looking for. 368 00:14:44,524 --> 00:14:49,306 And again, as we talked about earlier, 369 00:14:49,311 --> 00:14:52,734 ports and IP addresses, firewalls will generally 370 00:14:52,731 --> 00:14:56,176 block or, or translate the data by IP 371 00:14:56,178 --> 00:14:59,107 and or block the port. 372 00:14:59,112 --> 00:15:06,033 So just a simple example of a network firewall, 373 00:15:06,033 --> 00:15:08,687 just want to make you aware that 374 00:15:08,684 --> 00:15:12,429 again, we're very, we try to learn things very 375 00:15:12,428 --> 00:15:17,283 in advanced forms and get to expert levels and 376 00:15:17,283 --> 00:15:20,466 what ends up happening sometimes is it gets 377 00:15:20,466 --> 00:15:22,911 your brain thinking at the highest level. 378 00:15:22,902 --> 00:15:26,053 And sometimes it happens to me and I have 379 00:15:26,066 --> 00:15:28,466 to actually stop myself and think 380 00:15:28,460 --> 00:15:30,460 simplistically in a way where - 381 00:15:30,460 --> 00:15:32,408 "Hold on a second, 382 00:15:32,408 --> 00:15:35,304 did I really look at the client close enough"? 383 00:15:35,295 --> 00:15:37,295 Simple things, you know. 
384 00:15:37,295 --> 00:15:39,918 And sometimes, you wind up spending, 385 00:15:39,932 --> 00:15:41,932 at least it happened to people I know, 386 00:15:41,932 --> 00:15:43,216 as well as myself, 387 00:15:43,216 --> 00:15:45,216 very, very smart people - 388 00:15:45,216 --> 00:15:47,579 they start looking very deeply into things 389 00:15:47,579 --> 00:15:49,383 and it's something they missed 390 00:15:49,383 --> 00:15:51,115 because it's something very simple. 391 00:15:51,115 --> 00:15:53,859 So as a reminder, a network firewall could be 392 00:15:53,853 --> 00:15:56,360 something as simple as the client itself. 393 00:15:56,360 --> 00:15:58,355 It can have a role configured 394 00:15:58,355 --> 00:16:01,075 and it may be throwing your whole capture off 395 00:16:01,075 --> 00:16:02,228 for not allowing to do 396 00:16:02,228 --> 00:16:03,969 some specific troubleshooting. 397 00:16:03,969 --> 00:16:06,115 So just a reminder to be a aware 398 00:16:06,098 --> 00:16:08,159 that those things do exist 399 00:16:08,159 --> 00:16:10,120 and it's very important 400 00:16:10,120 --> 00:16:13,217 to be mindful of them. 401 00:16:13,217 --> 00:16:19,069 Alright, some other hardware - hubs. 402 00:16:19,069 --> 00:16:22,006 So, hubs are something we've almost 403 00:16:22,006 --> 00:16:25,114 completely eradicated from our networks 404 00:16:25,111 --> 00:16:27,689 with the inception of switching 405 00:16:27,689 --> 00:16:30,396 and data traveling a gigabit 406 00:16:30,408 --> 00:16:32,444 and now at 10 gigabit speeds. 407 00:16:32,447 --> 00:16:34,384 Hubs are just dinosaurs, 408 00:16:34,384 --> 00:16:35,645 they're things of the past. 409 00:16:35,645 --> 00:16:40,291 But, it's interesting because still to this day, 410 00:16:40,291 --> 00:16:43,508 I find hubs available. 
411 00:16:43,508 --> 00:16:45,854 Now, not only they're available, 412 00:16:45,846 --> 00:16:48,036 but I find them available to people 413 00:16:48,038 --> 00:16:52,319 who try to expand their networks using them. 414 00:16:52,334 --> 00:16:54,385 And why, and most times it's not from the 415 00:16:54,391 --> 00:16:57,084 the people who actually run the network. 416 00:16:57,092 --> 00:16:59,961 So if you're, if you're locking down your networks 417 00:16:59,965 --> 00:17:02,102 and you're only allowing the ports open, 418 00:17:02,096 --> 00:17:03,937 if you're using port security as an example, 419 00:17:03,937 --> 00:17:07,218 and you're blocking everything that's not open, 420 00:17:07,218 --> 00:17:11,868 then these are less likely to be used. But 421 00:17:11,868 --> 00:17:16,457 if you're not using port security or using a device 422 00:17:16,457 --> 00:17:18,457 that doesn't have that feature 423 00:17:18,457 --> 00:17:21,000 you may be in for a surprise. 424 00:17:21,000 --> 00:17:22,340 You may go into a, let say, 425 00:17:22,340 --> 00:17:25,399 conference room where they needed 426 00:17:25,407 --> 00:17:29,388 to host 30 people and they didn't have 427 00:17:29,394 --> 00:17:31,813 as an example, wireless connection. 428 00:17:31,813 --> 00:17:35,032 They may all jack in from a hub 429 00:17:35,030 --> 00:17:38,361 that they actually, you know, purchased from 430 00:17:38,376 --> 00:17:39,739 let's say, Best Buy and they connect 431 00:17:39,739 --> 00:17:40,842 and configure. 432 00:17:40,842 --> 00:17:43,569 So these things do exist, they're out there, 433 00:17:43,569 --> 00:17:44,685 you need to be mindful of them. 434 00:17:44,685 --> 00:17:46,142 Hubs are actually dangerous 435 00:17:46,142 --> 00:17:47,931 because you can create a gigantic 436 00:17:47,931 --> 00:17:49,418 loop on your network and 437 00:17:49,418 --> 00:17:51,418 I've see hubs completely blowup, 438 00:17:51,418 --> 00:17:53,418 take down an enterprise network. 
439 00:17:53,418 --> 00:17:55,491 So that's another reason why you should 440 00:17:55,491 --> 00:17:57,046 lock down your unused ports. 441 00:17:57,030 --> 00:17:59,439 But, just be aware that they do exist. 442 00:17:59,447 --> 00:18:03,649 But as the Wireshark expert, 443 00:18:03,649 --> 00:18:05,149 the network analyst, 444 00:18:05,149 --> 00:18:07,995 the person who's doing protocol analysis 445 00:18:07,995 --> 00:18:10,139 a hub is a quick way for you to 446 00:18:10,143 --> 00:18:13,304 quickly span out a section of a network. 447 00:18:13,309 --> 00:18:15,195 So if you understand networks 448 00:18:15,195 --> 00:18:17,062 and you do not create a loop, 449 00:18:17,062 --> 00:18:20,185 and you know how to masterfully use the hub, 450 00:18:20,185 --> 00:18:24,793 you can quickly look between 2 451 00:18:24,793 --> 00:18:26,793 2, a source and a destination 452 00:18:26,793 --> 00:18:28,793 and figure things out by hubbing out 453 00:18:28,793 --> 00:18:31,948 so they are useful in that matter. 454 00:18:31,940 --> 00:18:34,743 They create a larger domain 455 00:18:34,730 --> 00:18:36,730 and they will allow you to 456 00:18:36,730 --> 00:18:39,937 look at traffic traversing from a group of host. 457 00:18:39,935 --> 00:18:43,501 But remember, it may confuse things, 458 00:18:43,501 --> 00:18:45,893 it may be dangerous, so just make sure 459 00:18:45,876 --> 00:18:48,880 that if you do use it, you're careful. 460 00:18:48,874 --> 00:18:52,275 Again, load balancers, as we already discussed, 461 00:18:52,284 --> 00:18:53,995 the use of virtual IP. 462 00:18:53,995 --> 00:18:56,433 There may be one or many devices 463 00:18:56,425 --> 00:18:59,044 behind it as standby's and 464 00:18:59,053 --> 00:19:01,355 this is for network resiliency. 
465 00:19:01,355 --> 00:19:05,477 You want to be very careful, or should say, 466 00:19:05,468 --> 00:19:07,867 you should be very mindful of their existence 467 00:19:07,867 --> 00:19:09,851 because if you're troubleshooting problem 468 00:19:09,851 --> 00:19:13,119 from host to a gateway, you may not realize 469 00:19:13,124 --> 00:19:15,406 that the gateway is multiple gateways. 470 00:19:15,408 --> 00:19:19,949 So, just remember that it's a virtual IP or VIP, 471 00:19:19,949 --> 00:19:22,651 commonly called the VIP that may be 472 00:19:22,652 --> 00:19:26,513 in the path from source to destination. 473 00:19:26,513 --> 00:19:30,266 And also inspection units, such as IPS, 474 00:19:30,257 --> 00:19:33,106 IDS, moreso IPS today - 475 00:19:33,112 --> 00:19:35,379 with the IPS modules that you could put in 476 00:19:35,378 --> 00:19:38,842 too many ASA firewall. There's a lot of devices 477 00:19:38,834 --> 00:19:41,527 that also inspect the traffic, a lot like sniffer. 478 00:19:41,526 --> 00:19:42,629 They look for heuristics. 479 00:19:42,628 --> 00:19:47,276 They, they monitor the traffic for anomalies. 480 00:19:47,295 --> 00:19:52,492 So these, these do the same function of sniffing 481 00:19:52,492 --> 00:19:54,317 Nessus as an open source is one, 482 00:19:54,320 --> 00:19:56,740 like Wireshark is an open source tool. 483 00:19:56,741 --> 00:19:59,594 Just beware that they are in a path 484 00:19:59,591 --> 00:20:02,208 so when you troubleshoot with Wireshark, 485 00:20:02,242 --> 00:20:04,736 there may be another thing in the hop. 486 00:20:04,736 --> 00:20:10,353 And all these devices, 487 00:20:10,354 --> 00:20:14,194 what's important about them with Wireshark is 488 00:20:14,200 --> 00:20:16,737 when you capture the data, again, 489 00:20:16,751 --> 00:20:19,923 the mantra over these next 3 days is 490 00:20:19,923 --> 00:20:22,730 you have to look at this as very holistically, 491 00:20:22,740 --> 00:20:25,242 high-level, wide. 
492 00:20:25,240 --> 00:20:27,910 Remember that you're looking at the 493 00:20:27,910 --> 00:20:29,378 forest through the trees. 494 00:20:29,378 --> 00:20:31,690 You're trying to capture the whole entire 495 00:20:31,685 --> 00:20:34,240 essence of what's going on on the segment, 496 00:20:34,242 --> 00:20:37,670 the enterprise network, the area in which you are 497 00:20:37,660 --> 00:20:40,124 using Wireshark to troubleshoot the problem. 498 00:20:40,127 --> 00:20:44,163 It's very important that you look at it 499 00:20:44,156 --> 00:20:48,606 in a way where you're aware of these devices. 500 00:20:48,624 --> 00:20:51,021 Hopefully, when you go in to do this, 501 00:20:51,021 --> 00:20:52,861 it's either the network that you work on, 502 00:20:52,861 --> 00:20:56,419 so you'll have, let's say, a blueprint or some 503 00:20:56,419 --> 00:20:58,419 Visio documentation for it. 504 00:20:58,419 --> 00:21:01,336 If it's a customer or client, 505 00:21:01,336 --> 00:21:03,336 maybe they do, hopefully they do. 506 00:21:03,336 --> 00:21:05,183 Maybe they do some network discoveries 507 00:21:05,183 --> 00:21:06,779 to find these devices, or 508 00:21:06,779 --> 00:21:08,510 talk to the network manager. 509 00:21:08,510 --> 00:21:09,704 Likely they know, if it's not documented, 510 00:21:09,704 --> 00:21:11,699 what's in the path. 511 00:21:11,699 --> 00:21:14,295 Then maybe draw out a quick document of 512 00:21:14,292 --> 00:21:16,458 the segment or segments in which 513 00:21:16,458 --> 00:21:18,177 you're going to be troubleshooting,
514 00:21:18,177 --> 00:21:20,563 where you will be placing Wireshark 515 00:21:20,561 --> 00:21:23,222 and where these other devices, hubs, switches, 516 00:21:23,235 --> 00:21:26,113 routers, firewalls, load balancers, 517 00:21:26,122 --> 00:21:28,996 NAT devices, proxy servers, all these 518 00:21:28,995 --> 00:21:31,406 things, will be in the path 519 00:21:31,411 --> 00:21:35,253 and how they will change the interpreted data. 520 00:21:35,253 --> 00:21:37,812 And then specifically, 521 00:21:37,815 --> 00:21:40,370 the protocol analysis that you're going to do 522 00:21:40,379 --> 00:21:43,354 when you're capturing, how these 523 00:21:43,353 --> 00:21:46,144 devices actually impact your data. 524 00:21:46,141 --> 00:21:48,544 If it's NATting, it's going to change the address. 525 00:21:48,544 --> 00:21:49,529 If it's routing, 526 00:21:49,529 --> 00:21:51,157 it's going to change the MAC address. 527 00:21:51,156 --> 00:21:53,556 If it's load balancing, it may be a VIP. 528 00:21:53,556 --> 00:21:55,340 So, just remember 529 00:21:55,340 --> 00:21:58,246 that these devices are very specific 530 00:21:58,246 --> 00:22:00,618 to protocol and traffic analysis, 531 00:22:00,618 --> 00:22:01,838 when you're doing either, 532 00:22:01,838 --> 00:22:04,741 to make sure that you're aware of them. 533 00:22:04,741 --> 00:22:07,490 The tip is, again, to look for documentation and/or 534 00:22:07,487 --> 00:22:10,582 make a landscape document 535 00:22:10,589 --> 00:22:12,792 of what area you'll be troubleshooting, 536 00:22:12,790 --> 00:22:15,484 so you're aware, do some network discovery, 537 00:22:15,484 --> 00:22:18,096 and then use Wireshark to start 538 00:22:18,080 --> 00:22:20,216 capturing data and troubleshooting. 539 00:22:20,222 --> 00:22:22,222
