1
00:00:00,000 --> 00:00:08,445


2
00:00:08,445 --> 00:00:11,800
Ok, welcome to configuring your PC.

3
00:00:11,800 --> 00:00:15,160
So as we download and install Wireshark,

4
00:00:15,160 --> 00:00:16,036
there are a couple of things

5
00:00:16,033 --> 00:00:18,423
we need to do on the PC.

6
00:00:18,420 --> 00:00:20,794
We're going to talk about placement again.

7
00:00:20,794 --> 00:00:22,538
This will be a brief module.

8
00:00:22,538 --> 00:00:24,122
We just want to make sure that

9
00:00:24,129 --> 00:00:26,197
before you start using Wireshark,

10
00:00:26,204 --> 00:00:28,435
there are some specific things that you do

11
00:00:28,435 --> 00:00:31,331
so that you're not in a situation where

12
00:00:31,331 --> 00:00:35,226
you're capturing data but

13
00:00:35,226 --> 00:00:36,828
you're not in the right segment

14
00:00:36,828 --> 00:00:38,591
or you're capturing data and your

15
00:00:38,598 --> 00:00:39,710
machine's going to crash.

16
00:00:39,710 --> 00:00:41,747
Sure, you haven't, you know,

17
00:00:41,747 --> 00:00:43,064
placed things correctly.

18
00:00:43,064 --> 00:00:45,118
You haven't downloaded the correct plug-ins.

19
00:00:45,112 --> 00:00:46,012
So there are a few things that

20
00:00:46,012 --> 00:00:48,087
we just want to go over to make sure that

21
00:00:48,093 --> 00:00:51,036
before you get deep into, you know,

22
00:00:51,036 --> 00:00:53,905
configuring Wireshark, you've absolutely

23
00:00:53,901 --> 00:00:55,784
made sure that these basics have been covered.

24
00:00:55,781 --> 00:01:00,006
So, when you set up your PC to capture traffic

25
00:01:00,006 --> 00:01:01,632
now, whether you are actually getting it

26
00:01:01,636 --> 00:01:03,830
from a mirrored port or

27
00:01:03,840 --> 00:01:06,880
you're capturing right off the promiscuous NIC,

28
00:01:06,883 --> 00:01:08,815
you want to make sure that Wireshark

29
00:01:08,822 --> 00:01:11,496
is installed and loaded and operating

30
00:01:11,493 --> 00:01:13,662
on the target machine.

31
00:01:13,675 --> 00:01:15,351
You want to make sure that the PC

32
00:01:15,351 --> 00:01:18,198
is connected to the network correctly

33
00:01:18,196 --> 00:01:20,476
and you are able to receive traffic

34
00:01:20,476 --> 00:01:22,047
from your intended source.

35
00:01:22,047 --> 00:01:25,190
So if you're setting up specific data

36
00:01:25,192 --> 00:01:27,269
to be sent via a mirrored port,

37
00:01:27,262 --> 00:01:28,817
you've done that correctly.

38
00:01:28,814 --> 00:01:31,043
You're actually receiving that data.

39
00:01:31,049 --> 00:01:34,559
You can see data accumulating in Wireshark

40
00:01:34,559 --> 00:01:37,335
and you have set it up in a way where

41
00:01:37,335 --> 00:01:39,527
it's not going to crash your machine and/or,

42
00:01:39,511 --> 00:01:43,172
you know, take over the resources of your

43
00:01:43,168 --> 00:01:45,349
target machine.

44
00:01:45,341 --> 00:01:47,614
And again, make sure that you understand

45
00:01:47,614 --> 00:01:49,284
specifically, you know,

46
00:01:49,284 --> 00:01:50,840
where you're placing this thing.

47
00:01:50,840 --> 00:01:52,921
Make sure that if you're going to use

48
00:01:52,933 --> 00:01:55,788
Wireshark, ok, what am I,

49
00:01:55,788 --> 00:01:58,174
what is my source? What is my destination?

50
00:01:58,173 --> 00:02:00,503
Where am I looking to send data to and from?

51
00:02:00,503 --> 00:02:03,539
What type of data do I want to see?

52
00:02:03,539 --> 00:02:05,868
Where do I want to place

53
00:02:05,868 --> 00:02:07,894
Wireshark, and when I place Wireshark,

54
00:02:07,894 --> 00:02:09,680
not only can it collect data so I can filter on it,

55
00:02:09,680 --> 00:02:14,071
but I just want to make sure that specifically,

56
00:02:14,075 --> 00:02:17,062
I'm on one side of a firewall if I need to be

57
00:02:17,062 --> 00:02:19,017
and will I allow the traffic through it.

58
00:02:19,017 --> 00:02:23,679
And when we do this, specifically,

59
00:02:23,663 --> 00:02:25,968
with the port mirror, one of the key things

60
00:02:25,968 --> 00:02:27,887
that we want to make sure that we do

61
00:02:27,894 --> 00:02:29,647
is we want to make sure that

62
00:02:29,642 --> 00:02:34,002
we're capturing traffic from the intended source.

63
00:02:34,002 --> 00:02:37,639
So, with the Cisco switch,

64
00:02:37,634 --> 00:02:39,999
we're going to set up a monitor session.

65
00:02:40,001 --> 00:02:42,061
And the first thing that we do when we set up

66
00:02:42,056 --> 00:02:44,810
what we normally call a SPAN session is

67
00:02:44,813 --> 00:02:47,199
we want to make sure that there are no other

68
00:02:47,196 --> 00:02:49,137
SPAN sessions running.

69
00:02:49,134 --> 00:02:50,784
So we want to make sure that

70
00:02:50,785 --> 00:02:54,163
we run a "no monitor session all", and we cancel

71
00:02:54,168 --> 00:02:56,381
out everything that may be configured.

72
00:02:56,381 --> 00:02:58,988
The next thing we want to do

73
00:02:58,988 --> 00:03:01,726
is we want to set up a new monitor session.

74
00:03:01,726 --> 00:03:03,805
And we want to set up specifically

75
00:03:03,810 --> 00:03:06,793
what the source and the destination are.

76
00:03:06,793 --> 00:03:09,128
Now this doesn't necessarily map

77
00:03:09,123 --> 00:03:11,454
to the source and destination information

78
00:03:11,449 --> 00:03:12,993
that we were talking about

79
00:03:12,993 --> 00:03:15,360
when we were laying out where we're sending

80
00:03:15,357 --> 00:03:18,477
data to and from on the network

81
00:03:18,475 --> 00:03:20,940
and where the potential problem could be.

82
00:03:20,946 --> 00:03:24,100
This is specific to the switch itself.

83
00:03:24,100 --> 00:03:27,072
So what this means is, ok -

84
00:03:27,058 --> 00:03:29,892
I have an open port on my Cisco switch

85
00:03:29,890 --> 00:03:31,589
and one of the things that I want to do

86
00:03:31,594 --> 00:03:35,963
is I want to make sure that I have the data

87
00:03:35,950 --> 00:03:39,191
coming from the specific computer

88
00:03:39,191 --> 00:03:42,431
that I want to capture sent to that open port.

89
00:03:42,431 --> 00:03:45,605
So the source is going to be where

90
00:03:45,605 --> 00:03:47,373
I want to capture the data from

91
00:03:47,373 --> 00:03:49,896
and specifically the destination is

92
00:03:49,891 --> 00:03:52,435
where I want to set up the data to go.

93
00:03:52,443 --> 00:03:54,443
So if you're thinking about this correctly

94
00:03:54,443 --> 00:03:56,443
the destination would be

95
00:03:56,443 --> 00:03:58,443
the system with Wireshark.

96
00:03:58,443 --> 00:04:02,992
And again, just make sure that if,

97
00:04:02,992 --> 00:04:05,473
you know, if you're going to do something locally

98
00:04:05,471 --> 00:04:08,384
you want to make sure your system is mobile.

99
00:04:08,384 --> 00:04:10,948
You know, generally, we try not to

100
00:04:10,948 --> 00:04:12,716
impact the clients we're helping.

101
00:04:12,716 --> 00:04:16,875
So if you have a system on a network,

102
00:04:16,875 --> 00:04:17,762
it's having an issue

103
00:04:17,762 --> 00:04:19,539
and having an application issue, the last thing

104
00:04:19,531 --> 00:04:22,348
I want to do is I want to get in front of them.

105
00:04:22,348 --> 00:04:24,638
I want to try to, ok get, you know,

106
00:04:24,630 --> 00:04:27,038
let me get Wireshark installed.

107
00:04:27,028 --> 00:04:30,663
It might be easier if you set up the SPAN session

108
00:04:30,663 --> 00:04:34,192
and you're able to get the data sent

109
00:04:34,200 --> 00:04:35,883
from one location to the other

110
00:04:35,883 --> 00:04:37,249
so you're not impacting them,

111
00:04:37,249 --> 00:04:39,249
which actually makes it a lot easier.

112
00:04:39,249 --> 00:04:41,249
You could set this up remotely.

113
00:04:41,249 --> 00:04:43,672
You can have someone from desktop

114
00:04:43,670 --> 00:04:45,451
maybe help you set up a laptop with

115
00:04:45,451 --> 00:04:47,192
Wireshark, SPAN a port.

116
00:04:47,192 --> 00:04:51,139
This is if you're doing it remotely:

117
00:04:51,139 --> 00:04:53,979
have the field service agent go out

118
00:04:53,979 --> 00:04:55,962
to help the customer.

119
00:04:55,962 --> 00:04:58,187
Ask him, ok, I see you have that issue -

120
00:04:58,185 --> 00:05:01,842
can you do that particular, you know,

121
00:05:01,842 --> 00:05:04,995
access to data or that application,

122
00:05:04,995 --> 00:05:08,309
you know, movement that you're doing

123
00:05:08,309 --> 00:05:11,143
and be on the phone with the network engineer

124
00:05:11,143 --> 00:05:13,280
or network analyst and say,

125
00:05:13,280 --> 00:05:14,768
alright, you're running a capture,

126
00:05:14,760 --> 00:05:16,118
yeah, they're doing that now.

127
00:05:16,118 --> 00:05:17,399
And you could see this live

128
00:05:17,397 --> 00:05:19,105
if you're already fed into the machine

129
00:05:19,097 --> 00:05:20,528
or just capturing the data.

130
00:05:20,528 --> 00:05:22,478
And you know, you'll analyze it later.

131
00:05:22,478 --> 00:05:24,303
But that's a really good way to capture

132
00:05:24,303 --> 00:05:26,695
your data remotely and not necessarily

133
00:05:26,686 --> 00:05:29,188
have to go onsite specifically to capture it.

134
00:05:29,188 --> 00:05:31,132
So that might be one way that you want to

135
00:05:31,131 --> 00:05:36,052
place your PC or your mobile device, and

136
00:05:36,052 --> 00:05:39,649
you also want to make sure

137
00:05:39,649 --> 00:05:41,025
that you're selecting the correct NIC.

138
00:05:41,025 --> 00:05:44,701
So one of the tricky things now, today,

139
00:05:44,701 --> 00:05:45,936
with almost every device

140
00:05:45,933 --> 00:05:47,933
having a wireless connection on it

141
00:05:47,938 --> 00:05:51,000
and a landline, is that you want to

142
00:05:50,992 --> 00:05:54,360
make sure that if you're capturing a problem

143
00:05:54,371 --> 00:05:56,085
that you take both interfaces

144
00:05:56,092 --> 00:05:58,010
and all interfaces into account.

145
00:05:58,011 --> 00:06:01,981
So as an example, we have epN interfaces.

146
00:06:01,995 --> 00:06:03,523
So when you build a virtual interface,

147
00:06:03,530 --> 00:06:05,998
it shows up. We might have VMware installed

148
00:06:05,994 --> 00:06:08,666
where it creates a whole series of interfaces.

149
00:06:08,666 --> 00:06:10,666
We might have a loopback installed

150
00:06:10,666 --> 00:06:12,666
even locally on a PC.

151
00:06:12,666 --> 00:06:14,525
We might have a wireless connection.

152
00:06:14,534 --> 00:06:16,545
We might have 2 or 3 NIC

153
00:06:16,545 --> 00:06:19,625
connections configured. When you go to select

154
00:06:19,634 --> 00:06:21,071
an interface, and we'll talk about this

155
00:06:21,070 --> 00:06:22,556
when we talk about launch pad,

156
00:06:22,563 --> 00:06:26,072
when we actually get right into using Wireshark,

157
00:06:26,063 --> 00:06:28,262
is that you have to actually select the correct

158
00:06:28,261 --> 00:06:31,553
interface to capture data from.

159
00:06:31,553 --> 00:06:35,067
And you may not know what that is without

160
00:06:35,077 --> 00:06:37,149
getting into Wireshark and looking at it

161
00:06:37,157 --> 00:06:39,325
and seeing what activity is taking place.

162
00:06:39,325 --> 00:06:41,229
So, we'll talk about that when

163
00:06:41,229 --> 00:06:42,708
we talk about the interfaces.

164
00:06:42,708 --> 00:06:44,750
But when you're ready to select an interface,

165
00:06:44,750 --> 00:06:46,278
you want to make sure it's a live interface.

166
00:06:46,278 --> 00:06:48,086
You want to make sure it's the right interface.

167
00:06:48,086 --> 00:06:50,039
You want to make sure that it's the interface

168
00:06:50,047 --> 00:06:51,773
that you intend to use to collect

169
00:06:51,775 --> 00:06:55,298
the correct data, because you may have different

170
00:06:55,305 --> 00:06:57,120
interfaces on different segments.

171
00:06:57,120 --> 00:07:01,793
