[00:00:08] Ok, on our next module, we will briefly go over window panes. We started talking about it when we were discussing navigating the GUI, but particularly the 3 window panes that you will be working mostly with. So, to use Wireshark, you're going to have to understand the fundamentals of navigating this interface. And particularly, beyond the dashboard or the launchpad, the capture window itself, you're going to have 3 major panes: the packet list, the packet details and the bytes. What's really important about this is when you cover data or you're looking at data that you captured, the main window or the main pane you're going to look at first and foremost is the packet list, because what you really need to do is filter down what you're trying to get to. Otherwise, it's just going to be an entire mess of data you're going to have to sort through or scroll through, and that's going to make what's in the details pane less relevant to you.

[00:01:19] So, essentially, yes, there's a lot that you can glean from the packet list, but what you're really trying to get to is some of the data in the details pane. And if you're not really sure how to filter your data out, you're just going to be sifting for a needle in the haystack. So, in this example we can see quite simply that we have an ARP broadcast. It's telling a story here in the packet list pane. So that's why I chose this specifically for this screenshot: this is something that you really don't need to go too deep into detail in the details pane to see that there's some kind of issue going on. Again, you have to know how ARP operates, and you have to know when things kind of look wrong. But this is basically a sweep or a broadcast or some kind of issue where you have a bunch of NIC cards basically ARPing out to each other over and over, creating a storm. So, this is one of those times where this pane particularly can tell us a story without having to go too deep into the details.

[00:02:31] So, in the packet list, basically it's going to be captured in order for review. Yes, you can merge, and things will be out of order if you don't know how to merge correctly. You can change the time stamps and you could change some of the details about the capture, but essentially it's going to show a number order: packet 1 through X, how much data, how many packets were captured. We'll show you how to get the summary of the capture so that you could see exactly how many packets were captured. But particularly in this pane, it will show you from 1 all the way down every single packet that was captured by Wireshark. The columns that you'll review are the number (the number of the packet) and the time. Now, we have a whole module on time, where we'll cover absolute, we'll cover relative, we'll cover all the different things that you could do with it. But essentially, it will show you the time between the packets. This is very helpful in finding performance issues.

[00:03:48] So if you look at, particularly, a TCP handshake and it's going back and forth, and you're not seeing this happening in a timely manner, this may give you a hint that there's a problem by looking at the delta of the packets. You're going to see the source and the destination, where the data is originating from and where it's going. Some protocol information, which is held by a file in Wireshark so that it will tell you what protocol it is, for example, if it's DHCP, or it's SNMP, or it's SNTP, whatever that protocol is, it will show you, if it knows. And then the most helpful column is the info column, where it's going to tell you specifically the information that will then be translated down into the details pane. So, the details pane of that packet will show you everything that you see particularly of value in the packet list pane. But it will show you more granular detail. So here we can see again, once we drill down into the packet, the details of it. We can see more information. And you'll be able to see things such as codes, frame types and headers.

[00:05:05] So, what that leaves us with is the packet bytes, which is going to be the most granular information. This is the information that's translated up into the details so that you could see what that is, and it's essentially the raw data. And it could be viewed in hexadecimal format or bits or ASCII characters.
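As an added illustration of the three panes described in this module (not part of the lecture and not Wireshark's own code), the script below builds the packet-list columns the instructor names (No., Time as a delta, Source, Destination, Protocol, Info), applies a simple check for the ARP storm he points out, and renders the bytes pane as hex plus ASCII. Every frame, MAC and IP address in it is constructed sample data, not a real capture.

```python
import struct
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def arp_request(src_mac, sender_ip, target_ip):
    """Constructed Ethernet II frame carrying an ARP 'who-has' broadcast (sample data, not a capture)."""
    eth = b"\xff" * 6 + src_mac + b"\x08\x06"   # dst broadcast, src, ethertype ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + src_mac + sender_ip + b"\x00" * 6 + target_ip
    return eth + arp

def packet_list_row(no, ts, prev_ts, frame):
    """One packet-list row: No., Time (delta to previous packet), Source, Destination, Protocol, Info."""
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0806:  # ARP is the only dissector in this example
        op = struct.unpack("!H", frame[20:22])[0]
        sender, target = ip_str(frame[28:32]), ip_str(frame[38:42])
        proto = "ARP"
        info = f"Who has {target}? Tell {sender}" if op == 1 else f"{sender} is at {mac_str(src)}"
    else:
        proto, info = f"0x{ethertype:04x}", "(no dissector in this example)"
    return {"no": no, "time": ts, "delta": ts - prev_ts, "src": mac_str(src),
            "dst": mac_str(dst), "proto": proto, "info": info}

def build_packet_list(capture):
    """capture: list of (timestamp_seconds, frame_bytes) in capture order, numbered from 1."""
    rows, prev = [], capture[0][0] if capture else 0.0
    for i, (ts, frame) in enumerate(capture, 1):
        rows.append(packet_list_row(i, ts, prev, frame))
        prev = ts
    return rows

def arp_storm(rows, min_rate=50.0, min_senders=3):
    """Heuristic for the storm in the lecture: ARP requests above min_rate/s from >= min_senders NICs."""
    req = [r for r in rows if r["proto"] == "ARP" and r["info"].startswith("Who has")]
    if len(req) < 2:
        return False
    span = max(req[-1]["time"] - req[0]["time"], 1e-6)
    return len(req) / span >= min_rate and len({r["src"] for r in req}) >= min_senders

def bytes_pane(frame, width=16):
    """Packet-bytes view: offset, hex and printable ASCII, like Wireshark's bottom pane."""
    lines = []
    for off in range(0, len(frame), width):
        chunk = frame[off:off + width]
        hexs = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexs:<{width * 3}} {asc}")
    return lines
# Constructed storm: four NICs ARPing for each other, 100 requests in half a second.
SAMPLE = [(i * 0.005, arp_request(bytes([0, 0x11, 0x22, 0x33, 0x44, i % 4]),
           bytes([192, 168, 1, 10 + i % 4]), bytes([192, 168, 1, 10 + (i + 1) % 4])))
          for i in range(100)]
```

Run `build_packet_list(SAMPLE)` to get the list rows, `arp_storm(...)` on them to see the storm flagged from the list pane alone, and `bytes_pane(SAMPLE[0][1])` for the hex view of one frame.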