1
00:00:00,008 --> 00:00:08,594

2
00:00:08,586 --> 00:00:10,249
Welcome back and in this next segment,

3
00:00:10,248 --> 00:00:13,649
we're going to talk about TCP/IP.

4
00:00:13,650 --> 00:00:17,067
As network analysts, most of the protocol stacks

5
00:00:17,067 --> 00:00:19,235
that we will use and most of the things

6
00:00:19,235 --> 00:00:20,821
that we will see will revolve around

7
00:00:20,821 --> 00:00:23,572
Ethernet and TCP/IP.

8
00:00:23,573 --> 00:00:26,423
This is because most of the other

9
00:00:26,425 --> 00:00:29,016
protocols that have been used

10
00:00:29,018 --> 00:00:33,145
over the years, such as SNA, AppleTalk,

11
00:00:33,154 --> 00:00:38,486
IPX/SPX and many others have pretty much

12
00:00:38,491 --> 00:00:41,615
been phased out in favor of TCP/IP.

13
00:00:41,612 --> 00:00:43,612
And the reason for that is because

14
00:00:43,612 --> 00:00:46,286
we needed to, as a community,

15
00:00:46,292 --> 00:00:48,360
standardize on a protocol stack.

16
00:00:48,366 --> 00:00:50,366
There is way too much stuff out there.

17
00:00:50,366 --> 00:00:52,366
And there were a lot of

18
00:00:52,366 --> 00:00:54,469
gateways put in place

19
00:00:54,469 --> 00:00:56,701
to translate one protocol

20
00:00:56,701 --> 00:00:59,978
to another and to allow for communication.

21
00:00:59,978 --> 00:01:03,697
So essentially, back in the day when the DoD

22
00:01:03,697 --> 00:01:06,661
started working with ARPANET in creating

23
00:01:06,661 --> 00:01:08,710
the foundation of networks,

24
00:01:08,715 --> 00:01:11,594
internetworking and the internet,

25
00:01:11,589 --> 00:01:16,657
interestingly enough, TCP/IP was in its infancy.
26
00:01:16,657 --> 00:01:19,835
And it has grown since

27
00:01:19,835 --> 00:01:22,116
through many versions, from

28
00:01:22,116 --> 00:01:24,839
primarily the one we were using, IP version 4,

29
00:01:24,839 --> 00:01:27,790
into what is now the de facto,

30
00:01:27,790 --> 00:01:30,349
or becoming a de facto, standard of

31
00:01:30,349 --> 00:01:32,457
IP version 6, so IPng,

32
00:01:32,462 --> 00:01:33,533
the next generation.

33
00:01:33,533 --> 00:01:36,601
That being said, the reason why

34
00:01:36,601 --> 00:01:38,601
this is so important is because,

35
00:01:38,601 --> 00:01:40,659
as a network analyst, one of the things

36
00:01:40,659 --> 00:01:43,239
that we're going to be focusing on,

37
00:01:43,234 --> 00:01:47,369
in our capturing of data and analyzing it,

38
00:01:47,366 --> 00:01:49,755
is the actual protocols and how they

39
00:01:49,750 --> 00:01:52,763
interoperate and help systems

40
00:01:52,763 --> 00:01:54,118
communicate with one another.

41
00:01:54,118 --> 00:01:58,323
So, again, the most common one,

42
00:01:58,323 --> 00:01:59,722
commonly used one that you will see

43
00:01:59,722 --> 00:02:02,425
will be TCP/IP, and that's

44
00:02:02,420 --> 00:02:04,088
Transmission Control Protocol

45
00:02:04,088 --> 00:02:05,406
Internet Protocol.

46
00:02:05,406 --> 00:02:07,406
They're 2 separate protocols;

47
00:02:07,406 --> 00:02:10,212
however, they work together to create a

48
00:02:10,212 --> 00:02:12,503
connection-oriented network

49
00:02:12,514 --> 00:02:15,543
communication, and together

50
00:02:15,549 --> 00:02:19,754
they form the TCP/IP protocol suite.

51
00:02:19,755 --> 00:02:21,892
So, in our first module,

52
00:02:21,892 --> 00:02:23,650
we talked about the OSI model.

53
00:02:23,650 --> 00:02:26,207
There's also the DoD model, which is a

54
00:02:26,207 --> 00:02:28,781
4-layer version of that 7-layer model.
55
00:02:28,781 --> 00:02:32,010
And the TCP/IP protocol suite

56
00:02:32,010 --> 00:02:36,152
maps to each layer of that model.

57
00:02:36,160 --> 00:02:38,992
So as an example, for the network layer,

58
00:02:38,992 --> 00:02:40,928
that's where the Internet Protocol,

59
00:02:40,913 --> 00:02:43,513
or IP, will exist, and above that,

60
00:02:43,513 --> 00:02:45,085
in the transport layer, is where

61
00:02:45,085 --> 00:02:47,123
Transmission Control Protocol,

62
00:02:47,127 --> 00:02:50,751
a protocol, will exist, as well as UDP.

63
00:02:50,751 --> 00:02:51,645
And then above that,

64
00:02:51,645 --> 00:02:54,529
the higher-layer protocols that help

65
00:02:54,529 --> 00:02:56,947
provide services such as

66
00:02:56,939 --> 00:03:03,672
email, SMTP, web services, HTTP,

67
00:03:03,675 --> 00:03:07,169
and file transfer services, FTP,

68
00:03:07,169 --> 00:03:09,169
all operate at the higher layers.

69
00:03:09,169 --> 00:03:13,094
So that being said, it's imperative

70
00:03:13,092 --> 00:03:15,591
as a network analyst to be familiar with

71
00:03:15,591 --> 00:03:18,732
these protocols, to know

72
00:03:18,732 --> 00:03:20,470
the inner workings of them,

73
00:03:20,470 --> 00:03:22,470
and to be able to predict

74
00:03:22,470 --> 00:03:25,345
their behavior, because

75
00:03:25,353 --> 00:03:28,464
if you do not understand what it is

76
00:03:28,470 --> 00:03:29,514
that you're supposed to see

77
00:03:29,514 --> 00:03:31,499
or how they're supposed to work,

78
00:03:31,499 --> 00:03:33,499
then when you capture the data

79
00:03:33,499 --> 00:03:34,597
you're just going to see a

80
00:03:34,591 --> 00:03:35,553
whole bunch of gibberish

81
00:03:35,553 --> 00:03:37,089
and you're really not going to understand

82
00:03:37,089 --> 00:03:38,633
what it is that you're looking at

83
00:03:38,633 --> 00:03:40,633
to analyze it to see if there's issues.
84
00:03:40,633 --> 00:03:42,633
So as an example,

85
00:03:42,633 --> 00:03:46,089
when you're troubleshooting,

86
00:03:46,089 --> 00:03:46,994
do you know how

87
00:03:46,994 --> 00:03:48,793
IP routing is supposed to work,

88
00:03:48,793 --> 00:03:51,567
and why an IP address is necessary,

89
00:03:51,567 --> 00:03:53,207
and how that whole logical

90
00:03:53,207 --> 00:03:55,207
networking component works?

91
00:03:55,207 --> 00:03:57,728
Do you know that there are source

92
00:03:57,726 --> 00:04:00,286
addresses and destination addresses

93
00:04:00,297 --> 00:04:02,297
and, as it goes through router hops,

94
00:04:02,297 --> 00:04:05,059
as you're troubleshooting and capturing data,

95
00:04:05,059 --> 00:04:07,271
what the next source will be

96
00:04:07,271 --> 00:04:10,055
as it's transferring over from router to router?

97
00:04:10,049 --> 00:04:12,347
So, for example, when you capture the data

98
00:04:12,339 --> 00:04:16,390
on the far-side segment, do you really understand

99
00:04:16,390 --> 00:04:19,441
the fundamentals of IP addressing?

100
00:04:19,441 --> 00:04:21,245
And even more so,

101
00:04:21,245 --> 00:04:24,458
the underlying or under-the-hood pieces of it,

102
00:04:24,453 --> 00:04:25,960
so when it's encapsulated,

103
00:04:25,960 --> 00:04:27,570
do you understand what the header is?

104
00:04:27,570 --> 00:04:29,834
Do you understand what an offset is?

105
00:04:29,835 --> 00:04:32,216
Do you understand what fragmentation is?

106
00:04:32,226 --> 00:04:37,680
A good example is with IP fragmentation,

107
00:04:37,680 --> 00:04:40,768
where that could be the most

108
00:04:40,768 --> 00:04:42,248
common thing that you see

109
00:04:42,248 --> 00:04:45,348
because of how it works for them to you.

110
00:04:45,348 --> 00:04:48,199
But you could also, as an example,

111
00:04:48,199 --> 00:04:51,251
see that it will be part of an attack.
112
00:04:51,251 --> 00:04:53,241
So, one of the things that

113
00:04:53,241 --> 00:04:55,227
we put up on the screen is

114
00:04:55,227 --> 00:04:57,227
a capture of a teardrop attack,

115
00:04:57,227 --> 00:05:00,273
and we'll get, we'll learn about this

116
00:05:00,272 --> 00:05:02,391
as we move through the course, but

117
00:05:02,381 --> 00:05:03,571
if you go into the Expert,

118
00:05:03,571 --> 00:05:04,907
you'll start to see that

119
00:05:04,907 --> 00:05:07,496
the IP payload length, there's a,

120
00:05:07,496 --> 00:05:08,699
there was a problem with it

121
00:05:08,699 --> 00:05:11,540
that's showing up as a malformed packet.

122
00:05:11,540 --> 00:05:13,540
But in reality, what it is is

123
00:05:13,540 --> 00:05:17,914
it's actually part of an attack, and again, if

124
00:05:17,903 --> 00:05:20,326
you're not really sure of the inner workings

125
00:05:20,325 --> 00:05:22,749
of TCP/IP, or IP for that matter,

126
00:05:22,748 --> 00:05:25,099
you're really not going to understand

127
00:05:25,099 --> 00:05:27,020
what it is you are capturing and

128
00:05:27,020 --> 00:05:28,077
what you're looking at.

129
00:05:28,077 --> 00:05:30,077
So that's why it's so important

130
00:05:30,077 --> 00:05:34,660
to really understand the underlying mechanisms

131
00:05:34,653 --> 00:05:36,653
of how these protocols work.

132
00:05:36,653 --> 00:05:39,498
So what does it do?

133
00:05:39,492 --> 00:05:41,942
And why are we analyzing TCP/IP?

134
00:05:41,941 --> 00:05:46,136
Well, again, as we'll learn, for example with TCP

135
00:05:46,136 --> 00:05:48,376
there's a, there's a handshake sequence where

136
00:05:48,367 --> 00:05:52,807
SYN bits are sent, they're acknowledged, and

137
00:05:52,806 --> 00:05:55,087
a connection will be closed or finished.
138
00:05:55,085 --> 00:05:57,119
And then there's resets and

139
00:05:57,119 --> 00:05:58,259
all different types of things,

140
00:05:58,259 --> 00:06:00,259
and when you capture those,

141
00:06:00,259 --> 00:06:01,615
what do you actually,

142
00:06:01,615 --> 00:06:03,447
what are you actually looking at?

143
00:06:03,447 --> 00:06:05,993
Is it normal, is it normal traffic behavior?

144
00:06:05,993 --> 00:06:08,523
Is it abnormal traffic behavior?

145
00:06:08,520 --> 00:06:10,520
A good example would be

146
00:06:10,520 --> 00:06:12,116
on a network where you're trying

147
00:06:12,116 --> 00:06:13,981
to access the server and you're looking at

148
00:06:13,984 --> 00:06:16,617
the underlying TCP communication

149
00:06:16,610 --> 00:06:18,730
and you see, let's say, for example,

150
00:06:18,730 --> 00:06:20,342
a retransmission or 2.

151
00:06:20,342 --> 00:06:24,032
So do you think that that's a problem or not?

152
00:06:24,032 --> 00:06:28,016
When in fact, the whole point of TCP is

153
00:06:28,016 --> 00:06:31,079
to allow for the ability of it

154
00:06:31,091 --> 00:06:33,286
to be able to retransmit so that

155
00:06:33,288 --> 00:06:36,663
if data is lost, it can then be resent.

156
00:06:36,663 --> 00:06:38,355
However, what if you saw

157
00:06:38,355 --> 00:06:40,352
within a certain time period

158
00:06:40,352 --> 00:06:42,352
dozens of retransmissions?

159
00:06:42,352 --> 00:06:44,438
That would then indicate maybe a problem,

160
00:06:44,438 --> 00:06:46,175
maybe there was contention on the network

161
00:06:46,176 --> 00:06:49,822
or a buffering issue or something causing it

162
00:06:49,822 --> 00:06:52,361
to retransmit often. Maybe the server

163
00:06:52,360 --> 00:06:55,481
can't handle the communication,

164
00:06:55,475 --> 00:06:57,689
so it's causing it to retransmit.
165
00:06:57,689 --> 00:07:00,883
But again, that's why working with

166
00:07:00,883 --> 00:07:02,733
and understanding specifically

167
00:07:02,735 --> 00:07:07,197
how these protocols work is key

168
00:07:07,207 --> 00:07:09,466
to working effectively with Wireshark.

169
00:07:09,466 --> 00:07:10,940
It's going to help you,

170
00:07:10,940 --> 00:07:12,866
after you capture the data, then

171
00:07:12,865 --> 00:07:15,112
be able to further filter it and refine it

172
00:07:15,112 --> 00:07:16,977
and understand where to look,

173
00:07:16,977 --> 00:07:18,851
and then you can analyze:

174
00:07:18,856 --> 00:07:20,442
is that normal behavior or

175
00:07:20,442 --> 00:07:21,740
is that abnormal behavior?

176
00:07:21,740 --> 00:07:25,369
Common issues that you'll see with the,

177
00:07:25,370 --> 00:07:27,059
when you're troubleshooting IP,

178
00:07:27,059 --> 00:07:28,857
as an example, is you may have

179
00:07:28,851 --> 00:07:30,013
routing problems.

180
00:07:30,013 --> 00:07:32,104
Maybe you have an asynchronous

181
00:07:32,103 --> 00:07:34,213
routing issue and you're seeing

182
00:07:34,203 --> 00:07:38,879
data coming at a sequence - why is that?

183
00:07:38,879 --> 00:07:42,633
You may have incorrect TCP/IP configuration.

184
00:07:42,633 --> 00:07:44,560
And you may capture that, for example,

185
00:07:44,560 --> 00:07:46,560
why can't a host communicate?

186
00:07:46,560 --> 00:07:48,126
When you run a capture,

187
00:07:48,127 --> 00:07:49,636
that it has an incorrect default

188
00:07:49,636 --> 00:07:50,889
gateway assignment.

189
00:07:50,889 --> 00:07:52,768
Therefore, the packets are not going

190
00:07:52,767 --> 00:07:55,506
to the router to be routed across

191
00:07:55,504 --> 00:07:58,343
the network, and other things.
192
00:07:58,333 --> 00:08:00,621
And in order to really troubleshoot that

193
00:08:00,621 --> 00:08:03,165
and really dig deep and look inside it,

194
00:08:03,155 --> 00:08:05,348
you're going to capture the packets

195
00:08:05,351 --> 00:08:07,469
and drill down into the details pane

196
00:08:07,463 --> 00:08:10,850
to see specific things, like in this example,

197
00:08:10,849 --> 00:08:12,889
we are looking for the source and

198
00:08:12,901 --> 00:08:15,258
destination IP addresses here.

199
00:08:15,250 --> 00:08:17,660
I can see that the source is an APIPA address

200
00:08:17,660 --> 00:08:20,256
and I can see right there that

201
00:08:20,251 --> 00:08:24,066
I have a problem with my, my host, maybe.

202
00:08:24,059 --> 00:08:26,705
For example, the DHCP server

203
00:08:26,705 --> 00:08:28,903
is not giving out addresses. Therefore,

204
00:08:28,895 --> 00:08:31,161
it's not getting the correct IP assignment

205
00:08:31,161 --> 00:08:33,611
and it will not, not allow it to communicate.

206
00:08:33,606 --> 00:08:36,376
So again, there's, there's a lot of reasons

207
00:08:36,376 --> 00:08:39,502
why you want to be able to understand

208
00:08:39,496 --> 00:08:41,530
the specifics of these protocols

209
00:08:41,530 --> 00:08:43,019
in the suite, because if you don't

210
00:08:43,014 --> 00:08:44,782
understand how DHCP works,

211
00:08:44,782 --> 00:08:46,654
you don't understand how IP works,

212
00:08:46,654 --> 00:08:50,686
then the data you capture and you inspect -

213
00:08:50,686 --> 00:08:52,883
you will not really know what to,

214
00:08:52,883 --> 00:08:54,872
what the problem would be.

215
00:08:54,872 --> 00:08:57,295
And again, as the example I used earlier,

216
00:08:57,303 --> 00:08:59,345
there may be things that you think

217
00:08:59,345 --> 00:09:02,302
are the problem but that's normal behavior

218
00:09:02,298 --> 00:09:04,064
for the protocol and it's OK.
219
00:09:04,073 --> 00:09:07,298
So, for example, a duplicate ACK,

220
00:09:07,289 --> 00:09:09,926
one or two of them, not a big deal.

221
00:09:09,935 --> 00:09:12,946
Maybe, you know, data got dropped

222
00:09:12,938 --> 00:09:15,530
for a moment. It's indicating that there is

223
00:09:15,530 --> 00:09:16,884
something going on, but

224
00:09:16,884 --> 00:09:21,667
is that a, a really bad problem? Is it a,

225
00:09:21,667 --> 00:09:25,836
is it indicating a systematic ongoing issue,

226
00:09:25,836 --> 00:09:29,156
or is it just for a moment in time

227
00:09:29,156 --> 00:09:31,595
the server was overwhelmed and dropped traffic,

228
00:09:31,595 --> 00:09:34,470
and so that it didn't really impact the client

229
00:09:34,470 --> 00:09:36,644
because it was able to hold the connection up?

230
00:09:36,644 --> 00:09:39,626
But again, without that understanding

231
00:09:39,624 --> 00:09:41,963
of how those protocols are working,

232
00:09:41,959 --> 00:09:44,846
you would not be able to really figure out

233
00:09:44,882 --> 00:09:46,882
or make that determination.

234
00:09:46,918 --> 00:09:51,192
So when you capture the protocol data,

235
00:09:51,192 --> 00:09:55,837
TCP/IP, HTTP, SNMP, any of these protocols,

236
00:09:55,837 --> 00:10:00,788
and Wireshark is used, you can open the data

237
00:10:00,795 --> 00:10:03,990
up for inspection and to further analyze it.

238
00:10:03,995 --> 00:10:06,462
So as we mentioned before when we

239
00:10:06,456 --> 00:10:10,105
brought up the, the teardrop attack

240
00:10:10,113 --> 00:10:12,604
with the, or the IP fragmentation attack,

241
00:10:12,610 --> 00:10:17,135
we're able to take a look at this possible issue,

242
00:10:17,135 --> 00:10:19,693
then drill down into it and see specifics,

243
00:10:19,696 --> 00:10:24,280
like in here, there's a bad payload

244
00:10:24,338 --> 00:10:27,600
and the Expert flagged it as a malformed,

245
00:10:27,600 --> 00:10:32,106
malformed packet.
So again, you can see that

246
00:10:32,114 --> 00:10:34,207
while using Wireshark, you're able to drill

247
00:10:34,199 --> 00:10:37,485
down into the data and really analyze it

248
00:10:37,486 --> 00:10:40,273
and see within the protocols and the

249
00:10:40,274 --> 00:10:43,923
packets that are transmitted. And again,

250
00:10:43,924 --> 00:10:45,817
it helps find problems that you cannot see

251
00:10:45,816 --> 00:10:47,977
without capturing the data for inspection. So,

252
00:10:47,974 --> 00:10:52,281
a great example would be this particular capture.

253
00:10:52,297 --> 00:10:56,396
How would you know without capturing this data

254
00:10:56,396 --> 00:10:59,863
that you had this issue? You may be able to run

255
00:10:59,866 --> 00:11:02,062
a gigantic ping and see the outcome.

256
00:11:02,062 --> 00:11:06,113
You might be able to do other tests, but

257
00:11:06,113 --> 00:11:08,627
when you use Wireshark to capture this data

258
00:11:08,627 --> 00:11:11,384
it's really exposed and you can dig,

259
00:11:11,382 --> 00:11:14,033
dig deep into it and drill down into it.

260
00:11:14,033 --> 00:11:16,518
And you can also recreate

261
00:11:16,518 --> 00:11:18,433
the problem, which is very helpful.

262
00:11:18,433 --> 00:11:23,931
So that being said, just remember

263
00:11:23,931 --> 00:11:25,173
when using Wireshark,

264
00:11:25,173 --> 00:11:27,141
one of the key things you want to do is

265
00:11:27,158 --> 00:11:31,345
be able to look at some RFCs or get a

266
00:11:31,344 --> 00:11:35,566
really good book on TCP/IP and really,

267
00:11:35,574 --> 00:11:37,687
really understand how

268
00:11:37,686 --> 00:11:39,686
each one of those protocols works.

269
00:11:39,684 --> 00:11:45,221
Another thing, key thing that can be done

270
00:11:45,225 --> 00:11:47,021
is you can do traffic analysis,

271
00:11:47,030 --> 00:11:49,294
as we mentioned earlier.

272
00:11:49,300 --> 00:11:52,356
There's things you can do with Wireshark.
273
00:11:52,356 --> 00:11:54,068
You can do protocol analysis.

274
00:11:54,068 --> 00:11:56,726
You can do packet analysis.

275
00:11:56,726 --> 00:11:58,467
You can do traffic analysis.

276
00:11:58,467 --> 00:12:01,349
And with traffic analysis, you'll be able to find

277
00:12:01,337 --> 00:12:03,414
bandwidth and latency issues, and other

278
00:12:03,405 --> 00:12:05,933
types of issues when using Wireshark.

279
00:12:05,934 --> 00:12:10,218