1
00:00:00,000 --> 00:00:08,563

2
00:00:08,555 --> 00:00:12,557
Ethernet, Fast Ethernet, and Gigabit Ethernet,

3
00:00:12,557 --> 00:00:14,349
and now 10 Gigabit Ethernet,

4
00:00:14,349 --> 00:00:18,741
are some of the most commonly found

5
00:00:18,741 --> 00:00:20,801
protocols on networks today,

6
00:00:20,800 --> 00:00:22,389
because that's how most,

7
00:00:22,384 --> 00:00:24,520
if not every single connection, is made.

8
00:00:24,530 --> 00:00:29,764
Yes, we have wired and wireless; most of it,

9
00:00:29,762 --> 00:00:32,845
everything, operates over Ethernet today.

10
00:00:32,856 --> 00:00:33,847
Whereas in the past,

11
00:00:33,847 --> 00:00:35,480
we had things like Token Ring.

12
00:00:35,480 --> 00:00:40,649
It's generally not even in existence unless

13
00:00:40,649 --> 00:00:43,767
it's a mainframe backend connection

14
00:00:43,767 --> 00:00:46,633
connecting to a segment of the network

15
00:00:46,633 --> 00:00:50,147
that may not have been updated yet.

16
00:00:50,141 --> 00:00:54,246
We've seen this

17
00:00:54,245 --> 00:00:55,444
when we're troubleshooting

18
00:00:55,444 --> 00:00:57,678
and trying to solve problems: there's this old

19
00:00:57,673 --> 00:01:01,049
ERP system running on an IBM mainframe

20
00:01:01,049 --> 00:01:03,009
that actually still has its Token Ring

21
00:01:03,009 --> 00:01:06,142
connections. But today,

22
00:01:06,144 --> 00:01:09,217
99% of what you're going to be troubleshooting,

23
00:01:09,228 --> 00:01:11,100
especially when you're capturing with Wireshark,

24
00:01:11,103 --> 00:01:15,131
is going to be some version or flavor of Ethernet.

25
00:01:15,147 --> 00:01:20,379
So why is Ethernet important?

26
00:01:20,376 --> 00:01:22,973
So, as we mentioned, this is the most commonly used

27
00:01:22,967 --> 00:01:26,592
layer 2 protocol today. Most, if not everything,

28
00:01:26,596 --> 00:01:28,900
that you capture is going to

29
00:01:28,903 --> 00:01:33,493
be Ethernet, and there's a lot of

30
00:01:33,487 --> 00:01:34,838
stuff that you can glean from it.

31
00:01:34,842 --> 00:01:37,028
So specifically, the MAC address,

32
00:01:37,032 --> 00:01:39,656
or the burned-in address, the BIA,

33
00:01:39,665 --> 00:01:42,554
of the devices that are sending

34
00:01:42,554 --> 00:01:44,945
the traffic (the source) and/or where

35
00:01:44,945 --> 00:01:46,560
it's sending to (the destination).

36
00:01:46,560 --> 00:01:48,273
Now, you're generally going to see this

37
00:01:48,273 --> 00:01:49,897
in hexadecimal format.

38
00:01:49,881 --> 00:01:53,370
So here in this example, you can see all F's,

39
00:01:53,658 --> 00:01:57,433
and if you actually do the translation

40
00:01:57,433 --> 00:02:01,367
to boolean, you'll see that it goes from all F's

41
00:02:01,367 --> 00:02:06,736
to an IP of 255.255.255.255.

42
00:02:06,736 --> 00:02:11,251
So essentially, what this Ethernet II frame

43
00:02:11,251 --> 00:02:16,043
is doing is sending this from a specific source,

44
00:02:16,043 --> 00:02:19,844
a NIC card, which is also hexadecimal:

45
00:02:19,850 --> 00:02:22,714
double-O colon 19 (00:19) and so forth,

46
00:02:22,725 --> 00:02:26,120
to a destination broadcast of all F's.

47
00:02:26,123 --> 00:02:31,843
So generally, it's common that the burned-in

48
00:02:31,834 --> 00:02:35,724
address, the first grouping of numbers in hex,

49
00:02:35,740 --> 00:02:38,838
is going to spell out the specific vendor.

50
00:02:38,838 --> 00:02:40,671
So whether it's a Cisco device

51
00:02:40,671 --> 00:02:43,635
or an HP device or a Dell device,

52
00:02:43,634 --> 00:02:45,464
these are the types of things that you're going

53
00:02:45,467 --> 00:02:48,950
to see when you're capturing the data.

54
00:02:48,942 --> 00:02:52,270
So be aware that if you're trying to look for

55
00:02:52,272 --> 00:02:55,194
some problem on the network

56
00:02:55,195 --> 00:02:57,965
and you see tons of broadcasts, it may be

57
00:02:57,972 --> 00:02:59,595
a chattering NIC card, which is a

58
00:02:59,592 --> 00:03:02,307
damaged NIC card. And you may be able to

59
00:03:02,298 --> 00:03:05,489
track it down by just finding this information.

60
00:03:05,482 --> 00:03:08,148
You may find it in the MAC address table

61
00:03:08,146 --> 00:03:11,347
of the switch, and you may then be able to

62
00:03:11,363 --> 00:03:13,844
find the port which it's coming from and

63
00:03:13,836 --> 00:03:16,248
be able to drill down and

64
00:03:16,258 --> 00:03:20,546
find this broadcasting NIC that is potentially

65
00:03:20,546 --> 00:03:22,515
creating havoc on your network.

66
00:03:22,507 --> 00:03:26,384
So these are, potentially, the things

67
00:03:26,393 --> 00:03:28,657
that you could find when using Wireshark

68
00:03:28,657 --> 00:03:32,250
and you capture the data. You want to know:

69
00:03:32,257 --> 00:03:34,141
what kind of things

70
00:03:34,133 --> 00:03:36,037
can we use Wireshark to do?

71
00:03:36,037 --> 00:03:39,725
This is specifically at layer 2, the lowest layer

72
00:03:39,725 --> 00:03:42,971
above layer 1, the physical layer, where

73
00:03:42,978 --> 00:03:46,098
you can actually see the frame data.

74
00:03:46,098 --> 00:03:49,049
You could see that it's Ethernet, and again,

75
00:03:49,056 --> 00:03:50,341
likely it's always going to be

76
00:03:50,341 --> 00:03:52,499
the same frame type. Most commonly,

77
00:03:52,499 --> 00:03:55,141
I should say. And what exactly

78
00:03:55,141 --> 00:03:56,838
are we looking for within this data?

79
00:03:56,838 --> 00:03:59,142
We're looking for things, like we just said:

80
00:03:59,142 --> 00:04:03,586
you can find broadcast traffic, maybe

81
00:04:03,586 --> 00:04:06,792
find the NIC card that's a problem.

82
00:04:06,792 --> 00:04:12,975
And some other common issues would be,

83
00:04:12,975 --> 00:04:16,007
alright, we may have an encapsulation issue.

84
00:04:16,007 --> 00:04:19,296
Like we said before, that's an Ethernet II frame.

85
00:04:19,296 --> 00:04:21,296
We might have an incorrect frame type.

86
00:04:21,296 --> 00:04:25,041
We may have media problems where,

87
00:04:25,053 --> 00:04:29,613
specifically, the actual device,

88
00:04:29,624 --> 00:04:31,853
because it works electronically,

89
00:04:31,853 --> 00:04:33,614
may have taken a power hit,

90
00:04:33,614 --> 00:04:36,431
and now it's causing some kind of issue.

91
00:04:36,431 --> 00:04:39,353
We've seen this in the form of corrupt data.

92
00:04:39,351 --> 00:04:43,929
We've seen NICs that don't operate as

93
00:04:43,923 --> 00:04:47,478
they should, or they're altering

94
00:04:47,478 --> 00:04:49,060
the data because they've been damaged.

95
00:04:49,060 --> 00:04:51,265
So, these are the things that you can do

96
00:04:51,265 --> 00:04:53,168
when you capture the data with Wireshark.

97
00:04:53,168 --> 00:04:56,218
You could find them in the captured data,

98
00:04:56,218 --> 00:04:59,866
filter on it, and zero in on these types of

99
00:04:59,867 --> 00:05:04,706
problems. So again, with the capturing

100
00:05:04,699 --> 00:05:08,305
of the data and analyzing it, specifically,

101
00:05:08,300 --> 00:05:11,216
some of the things that you may try to

102
00:05:11,224 --> 00:05:17,065
find with Wireshark are: OK, I think I have

103
00:05:17,066 --> 00:05:20,191
a problem. I think I've isolated it to this segment.

104
00:05:20,190 --> 00:05:22,487
It seems to be poor performance

105
00:05:22,492 --> 00:05:24,747
on this particular network segment.

106
00:05:24,746 --> 00:05:27,621
And I think if I SPAN a port

107
00:05:27,604 --> 00:05:29,467
and I start collecting the data here, I might

108
00:05:29,467 --> 00:05:31,467
get a clue as to what's going on.

109
00:05:31,467 --> 00:05:35,277
If I do that and I start capturing data at layer 2

110
00:05:35,277 --> 00:05:37,580
and I see a ton of broadcast traffic,

111
00:05:37,580 --> 00:05:42,011
I may be able to zero in and find specifically

112
00:05:42,011 --> 00:05:43,812
where that traffic is coming from,

113
00:05:43,812 --> 00:05:47,288
the originating source, and either take that node

114
00:05:47,280 --> 00:05:49,301
offline and take a look at the capture again

115
00:05:49,301 --> 00:05:50,903
and see how it's working,

116
00:05:50,903 --> 00:05:55,545
and/or isolate it to a single device or a group of devices.

117
00:05:55,545 --> 00:05:58,312
So, what does it do for the protocol?

118
00:05:58,312 --> 00:06:00,525
It opens up the protocol for analysis,

119
00:06:00,525 --> 00:06:02,295
as we saw in the earlier slide.

120
00:06:02,295 --> 00:06:03,929
It allows you to look at things like:

121
00:06:03,929 --> 00:06:05,380
Is it the incorrect frame type?

122
00:06:05,380 --> 00:06:07,237
Is it all broadcast traffic?

123
00:06:07,237 --> 00:06:09,401
And then, if you're going to try to troubleshoot

124
00:06:09,401 --> 00:06:11,337
what it's doing on the network,

125
00:06:11,337 --> 00:06:13,337
what's the actual impact?

126
00:06:13,337 --> 00:06:15,724
You can use this to see, OK, well, we have

127
00:06:15,724 --> 00:06:18,047
degraded signals, we have corruption,

128
00:06:18,040 --> 00:06:21,187
there's tons of collisions taking place,

129
00:06:21,187 --> 00:06:24,351
broadcast traffic. So these are, again,

130
00:06:24,351 --> 00:06:26,259
some of the things that you can use Wireshark

131
00:06:26,259 --> 00:06:30,464
to do, to help isolate your traffic, and

132
00:06:30,464 --> 00:06:33,718
when you do that, you can potentially,

133
00:06:33,718 --> 00:06:35,718
you could save the day.

134
00:06:35,718 --> 00:06:40,887
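Added example, not part of the lesson transcript and not Wireshark's own code: a small Python parser that does by hand what the lesson describes doing in Wireshark at layer 2. It splits the 14-byte Ethernet header into destination MAC, source MAC and the type/length field, tells an Ethernet II frame (EtherType 0x0600 or higher) from an IEEE 802.3 length field (the "incorrect frame type" case), flags the all-F's broadcast address, maps the first three octets (the OUI) to a vendor, skips runt frames shorter than a header (the corrupt-data case), and then counts broadcast frames per source so a chattering NIC stands out. The sample frames, the `00:19:...` source address and the `OUI_TABLE` are constructed for this example; the table is a tiny stand-in for the IEEE OUI registry, and only `00:00:0c` (Cisco) in it is a real assignment.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Illustrative OUI table (assumption): a tiny stand-in for the IEEE registry.
# 00:00:0c is a real Cisco OUI; a real tool would load the full manuf list.
OUI_TABLE: Dict[str, str] = {
    "00:00:0c": "Cisco",
}


@dataclass
class EthFrame:
    dst: str
    src: str
    ethertype: Optional[int]   # None when the field is an 802.3 length, not a type
    frame_type: str            # "Ethernet II" or "802.3"
    payload: bytes


def mac_str(raw: bytes) -> str:
    """Render six raw octets the way Wireshark shows them: 00:19:aa:bb:cc:dd."""
    return ":".join(f"{b:02x}" for b in raw)


def oui_vendor(mac: str) -> str:
    """Vendor from the first three octets (the burned-in address prefix)."""
    return OUI_TABLE.get(mac[:8], "unknown")


def is_broadcast(mac: str) -> bool:
    return mac == BROADCAST


def is_multicast(mac: str) -> bool:
    # Group bit: least-significant bit of the first octet (broadcast has it set too).
    return int(mac[:2], 16) & 1 == 1


def parse_ethernet(frame: bytes) -> EthFrame:
    """Parse a 14-byte Ethernet header; raise on a runt/truncated frame."""
    if len(frame) < 14:
        raise ValueError(f"runt frame: {len(frame)} bytes, need a 14-byte header")
    dst = mac_str(frame[0:6])
    src = mac_str(frame[6:12])
    type_or_len = int.from_bytes(frame[12:14], "big")
    # IEEE 802.3: values >= 0x0600 (1536) are EtherTypes, <= 1500 are lengths.
    if type_or_len >= 0x0600:
        return EthFrame(dst, src, type_or_len, "Ethernet II", frame[14:])
    return EthFrame(dst, src, None, "802.3", frame[14:])


def find_chatty_sources(frames: List[bytes], threshold: int) -> Tuple[List[Tuple[str, int]], int]:
    """Count broadcast frames per source MAC; return (sources over threshold, runt count)."""
    counts: Counter = Counter()
    malformed = 0
    for raw in frames:
        try:
            f = parse_ethernet(raw)
        except ValueError:
            malformed += 1          # damaged NIC / corrupt data: keep a tally, don't crash
            continue
        if is_broadcast(f.dst):
            counts[f.src] += 1
    chatty = [(mac, n) for mac, n in counts.most_common() if n >= threshold]
    return chatty, malformed


def build_frame(dst: str, src: str, ethertype: int, payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed test frame: dst MAC + src MAC + type/length + payload."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    return hdr + ethertype.to_bytes(2, "big") + payload


# Constructed sample capture: one NIC spraying ARP broadcasts, a normal unicast
# IPv4 frame, one legitimate broadcast from a Cisco-OUI host, and a corrupt runt.
SAMPLE_FRAMES: List[bytes] = (
    [build_frame(BROADCAST, "00:19:aa:bb:cc:dd", 0x0806)] * 8
    + [build_frame("00:00:0c:11:22:33", "00:19:aa:bb:cc:dd", 0x0800)]
    + [build_frame(BROADCAST, "00:00:0c:11:22:33", 0x0806)]
    + [b"\xff" * 10]
)

if __name__ == "__main__":
    chatty, runts = find_chatty_sources(SAMPLE_FRAMES, threshold=5)
    for mac, n in chatty:
        print(f"{mac} ({oui_vendor(mac)}): {n} broadcast frames")
    print(f"runt/corrupt frames skipped: {runts}")
```

In Wireshark the same first cut is the display filter `eth.dst == ff:ff:ff:ff:ff:ff`, with Statistics > Endpoints (Ethernet tab) giving the per-source counts; once you have the offending MAC, `show mac address-table address <mac>` on a Cisco IOS switch returns the port it was learned on, which is the "find the port" step the lesson describes.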