Ok, welcome back everybody, and we're going to get into some configuration of Wireshark. We will get very deeply into the configuration of Wireshark because there's a tremendous amount of things that you can do, particularly when we get into the preferences and setting up profiles. One of the most important things for that is you may want to troubleshoot something rather quickly, and you may find that, you know, you want to try to solve, let's say, a wireless issue. Instead of going in and configuring all that stuff, you could set up a particular profile or preference system, so that when you load Wireshark, you can just drop in that profile and you'll have everything ready to go. So that's essentially one of the reasons why it's so important to get in there and really learn the nuts and bolts of it. Alright, so before we begin, there's a couple of questions in the chatroom. One of the questions I saw, as I'm pulling this one up now, is, "Will we cover Lua processing?"
Yes, we will cover that. Also, what I wanted to ask everybody is, if you have any questions about things that aren't particularly covered, go ahead and ask them in the forum, and we will get to that information. Alright, one of the questions I see here: "Is Wireshark stable with the Linux server?" So, actually yes, it's very stable. I have Wireshark here on a Linux server. I have it on right now. I could pull this up and show you. But particularly, one of the things that I see with Wireshark is that since it's open source, in its open source community, a lot of what we see with Wireshark in particular is that it's most stable on Linux systems. But it's just as stable on the Windows systems as well. So, it's really stable on both. And I'm going to pull it up for you to see as soon as it loads, but that was one of the questions. Alright, so let me take a look at another set here. Ok, so a couple questions about the advanced stuff. The advanced stuff is coming up in future modules.
It's a 3-day course, so obviously we got to get some information, you know, teach you first on how to install it, configure it, getting it up and running. It's a foundational course, so we will definitely go into some deep diving, but this was a course offered to all, so that people who have used Wireshark briefly and those who are looking to learn more information about it - we will definitely get into some more specifics as we go along. Alright, so I'm going to draw up on the screen very quickly, having it running on a VM, but you definitely have Wireshark. I'm using one to backtrack right now, so let me post up for you. So, it's just as stable as if you're going to use it with Windows, so we will definitely field some more questions about that as I see more coming into the chats. Alright, so keep the questions coming and let's go into the next module.
Alright, configuring Wireshark - now some of these may seem rudimentary, but in actuality it's really one of the most important things about using Wireshark: Do I know how to use it correctly? Do I know what I'm filtering for? Do I know protocol behavior? Do I have the correct layout and the tools available to me to be able to troubleshoot traffic? So essentially, when you configure Wireshark for use for the first time, one of the key things that you want to do is you want to make sure that you understand what preferences are. You understand how to change profiles. You want to understand the basics of filtering, which we'll have a whole module on. And the basic layout of it, so when you first open it, you're going to have this start page. I like to call it the launch pad 'cause it's basically where you're going to launch.
The actual capture window from that particular launch pad or that start page, with newer versions of Wireshark; older versions just load right into the capture window, and that has its own set of specifics you have to work through. Such as selecting an interface; you could set up pre-capture rules, which are very different from display filters. So a capture filter is different than a display filter. And you can do those on and from the launch pad. And what interface to select, which we started talking about in the last module, where you have to know specifically what interface it is that you want to use. So, what's the overall layout of Wireshark? Very quickly, we just highlighted it. When you load Wireshark, you're going to have a launchpad. You're going to be able to select an interface. That will allow you to choose a LAN adapter, or a wireless LAN adapter. There are other adapters. We already talked about them. We have some virtual adapters. And you'll be able to pre-configure adapter behaviors.
So what does this really mean? So, when you want to configure your interface, you're going to see that there's multiple interfaces that you could choose from. Now, yeah, you could hide some of these and you can make them disappear so that you don't see them here. Often people do that with Bluetooth, or some of their VMware interfaces; they want to just, kind of, you know, they don't want to see them. But again, what you could do, you can hide them, and/or you could set up specifically, when you launch, in configuration files, you can limit this list. Now, when you do want to select the interface, you have options in which you can select from when selecting an interface. So if you're going to select, let's say, a LAN interface, you can check the health of your adapter. Make sure it's passing traffic right from the options, and the reason you want to do this is because it's going to help you select the interface. It might show the IP address configured.
So if you have, let's say, 3 network adapters configured on, let's say, 3 different IP addresses and you want to troubleshoot something on, let's say, 10.1.1.X/24, you want to find an interface configured on that subnet so that you can capture data within that subnet. And you know that you're on the right path. There's also a lot of statistics that you can review when you open the sub so that you can see particularly on this interface - I am connected, what's the link speed, am I passing traffic, how much traffic? And specifically, you know, data revolving around that interface. So it's very important to consider the interfaces before you launch a Wireshark capture. It's going to basically predetermine everything that it is that you want to see from the interface. So if you don't have the correct interface, you're not going to be able to capture data. You may choose the wrong interface and collect the wrong capture information. And you'll be able to see specifically the link status.
When you finalize your selection, you want to just do your final prep. Load the adapter and begin your capture.