1
00:00:08,578 --> 00:01:24,951
We're going to get started with the actual getting into and getting Wireshark, installing Wireshark and prepping it for use, because everything that we've talked about until now has been: alright, well, what do you really need to know before you use Wireshark? What's the preliminary information required? So before you use Wireshark at all, as we discussed, and we tried to keep that very brief, we tried to say, alright, before you actually fire up Wireshark and use it, what are the basics that you need to know? So we just finalized those basics. You need to know about networking at the most fundamental layer, about TCP/IP and basic-form Ethernet. What devices exist? Where are you really going to place this tool? And what can you expect out of it? Now, what we'd like to do is we'd like to get into the installation, the preparation of this tool, so that when we get into the troubleshooting of particular technologies such as voice, you will know how to operate all the tools within Wireshark so that you can troubleshoot those particular problems.

2
00:01:24,948 --> 00:01:48,078
Otherwise, if you're, you know, just downloading it, installing it, running it and capturing, it's likely, unless you configure it specifically to look for the problems, or filter for the problems, that you want, or to use the tools within it, or have the specific custom profile built for it, you're going to have a difficult time making heads or tails of what you're looking at.

3
00:01:48,078 --> 00:02:07,049
Alright so, to move into the next module, basically installing Wireshark is somewhat of a no-brainer. So we're going to talk about some of the history behind it before we get into the requirements and preparing to install.

4
00:02:07,049 --> 00:02:59,156
So Wireshark's been around for a pretty long time. Somewhere in the mid to late 90s, a gentleman, Gerald Combs, decided to build a protocol analyzer, because back in those days you could only really use one, and it was really expensive to use one with a full-blown GUI. Those were your old Sniffer, some Fluke tools and stuff like that. They were actually really expensive. And if you didn't use that, you could always rely on good old tcpdump. Some people got away with Network Monitor on Windows, but you still had to pay for the server version licensing. So there were tools out there, but there was never a free tool.

5
00:02:59,156 --> 00:03:45,106
And originally it was created as Ethereal, and it was developed and it was very good. It needed further development, but it would actually allow you to do somewhat what Sniffer and these other tools were allowing you to do. But what was beautiful about it was that it was open source, and because it uses GTK, which is GIMP, and a lot of the development community, open with the GPL and tooling, is devising, really getting into it, it turned out to be probably one of the most downloaded, most used, most often requested-for-use troubleshooting tools of our time.

6
00:03:45,106 --> 00:04:31,579
So, that is the essential history of it, where it moved into with current versions. It was then moved to a company called CACE, and then, right after that, Riverbed bought CACE, and now it's really not predominantly a Riverbed product, because it's still open source. It's still open to the community and it's still being openly developed, which is really good, but you will see with some of the Riverbed tools like ARX and some of the more enterprise-wide tools, it has a very Wireshark feel to it. So, that is essentially where we were, where it went and where we are today.

7
00:04:31,579 --> 00:05:15,826
So to get Wireshark, basically, you just need to go to the website wireshark.org. You can download it and install it pretty much without fee. You just need an internet connection. But to do that, you basically need to have a device to install on. So, some of these other enterprise tools will allow you to have a handheld or a device where you can capture data. Fluke releases a lot of these types of tools, very good ones, and there are some tools like the old Sniffer that also loaded on a PC. But in this instance, this instance especially, what we're going to be working on, you need to install Wireshark on a PC.

8
00:05:15,826 --> 00:06:19,105
And if you're going to install it on a PC, some of the things that you have to look at are the system requirements. That can all be found at wireshark.org. You can look through and find out the specific settings that you need to make, what the requirements are. But you just have to remember that it has to be a compatible PC. Some of the things I will add is that, particularly if you're going to be saving a lot of data, you need to have a place to save it. These captures can grow very large in size, and you will need to be able to place those not only in a safe place, because you don't want this data to get off your system or into the wrong hands, because, as we mentioned, it could be a security violation, but you will also want to have it in a place where you can actually store it and not completely wipe out the available space on your hard drive. If you're running Wireshark and you feel that you're going to be running these long captures, you're probably going to need some extra memory to be able to handle it.

9
00:06:19,105 --> 00:07:22,033
And you will obviously want to use a compatible NIC. So your prep to install is very simple. You want to download Wireshark on a compatible PC. Sometimes this may be tricky because, if you're using it in the field, they may ask you to install it on a server. You would be very careful with that, obviously. You want to check to make sure you have the appropriate permissions. You want to make sure that you have enough disk space, and you want to make sure that if you're running this in tandem with a running application, it does not compete for and take, wipe away, the memory of the application and cause a performance degradation. So just be aware of where you're installing it and why you are installing it, and what impact it will have on the source and/or the destination or target devices. There are versions: there are stable versions and there are development versions. I recommend using the stable version in production.

10
00:07:22,033 --> 00:08:09,124
You're free to download and play with what they would call the beta or the development version at any time. They're always developing the next product version, so it's recommended that, if you're really into Wireshark, you stay on top of the latest trends with it. You can get on their mailing list. They'll send you things to tell you what's coming next, or you can make recommendations yourself and you can talk about the product. Then you could probably, if you're a developer, get on the development team and help build this product. So that's another open door for it: it is an open source tool, and it's one of the better ones out there. It has a great development community.

11
00:08:09,124 --> 00:09:40,019
WinPcap is the low-level interface. It's libpcap on Unix and Linux boxes, but for Windows boxes it's WinPcap, and this is the low-level driver interface, put in promiscuous mode, interfaced with the API piece of software that actually is the shim between Wireshark itself and your physical NIC. So this is the software that lets the NIC and Wireshark interoperate. It's a driver, sorry, and it's used to capture the data. It puts your NIC in promiscuous mode. So what does that mean? So data is sent to and from your NIC card, and it's actually by unicast. It'll send targeted information, and it'll drop the rest that is not destined to go to it; information not destined to go to it, it will drop. So what's not good about that is, if you're trying to troubleshoot with Wireshark and you wanted to see everything going on and not just specifically that unicast traffic, what do you need to do? So what WinPcap does is it allows your NIC card to be put into promiscuous mode so that you can see and capture all data on the network segment in which the NIC card is configured.

12
00:09:40,019 --> 00:10:50,481
Wait, another important piece of information is that Wireshark cannot be used without WinPcap, or the Unix version, because when you go to install it, it's going to check for and make sure that it's installed, and/or install it for you. So if you are uninstalling things on your system and then you pull this off with Wireshark installed, just be wary that these two have to interoperate together. You cannot use them separately. You will not be able to run and capture without it. So when you run your installation, a couple of things that you want to pay attention to: if you're using Wireshark often, you're likely going to have an older version on there. When you go to learn the new version, it's going to ask you to uninstall that version if you'd like to. So you can leave it, and/or you can uninstall and put on the new version. There are many plug-ins. These allow you to do different things within Wireshark. So there are different filters and different types of services that you can add.

13
00:10:50,568 --> 00:11:55,790
It's going to ask you to install WinPcap. A lot of times you may already have it installed on your system. Just make sure that it's the most current version, since this operates with other tools. WinPcap, you may already have it installed. So just as you're running through the installation, make sure that it is installed, or you need to upgrade it. It's going to set some global settings, some personal settings and then the tools. So once you're done installing Wireshark, basically, you're going to launch and check it. And this is going to get us into the next module. We're going to start going through the interface. We will talk specifically about how things tie together, the importance of customization, the tools like the I/O graph, the flow graph, streams, all that stuff. We're going to look at all that, but to do that we need to know how to navigate the tool, we're going to need to know how to work through the tool, and that's what we will be learning in our next module.