[00:00:08] Ok, in this module, we will be talking about pre-capture settings. So, some of the things that we want to do when we capture data is we want to, and we had talked about this briefly earlier, but we want to consolidate what it is that we're seeing, 'cause when we run a capture, it's basically just everything it sees promiscuously: bring it in, let's put it in the capture window and let's take a look. So, we're going to get into a deep dive on the actual information that you'll see with the display filters, which is after you've captured that data. How do I refine it? How do I look in and pull out exactly what I need? But there are some pre-capture settings that are equally important, so that when you're troubleshooting, there are certain things that you can eliminate. So what is that? So, there may be times we need to run a capture on a production server and distribute the information to a troubleshooting team.
[00:01:14] I've seen this in the past where, working with an outsourced vendor, there was something where, you know, we needed to find an application performance issue and they basically said, 'Well, we're going to run a capture for the next 2 hours,' and, you know, they didn't have someone actively working with us. They were just essentially, you know, 'We'll run the capture, you know, you try to recreate your problem within that and then, you know, we'll get the capture file to you after we sanitize it and you can use it.' Well, what we've asked for in the past is to do some pre-capture settings so that when we got that file, it wasn't completely inundated with, you know, 50,000 packets of information that we didn't need. So what we ask for, as we mentioned earlier: we don't need to see some specific information. Remove that completely. Do us a favor. Can you chop it up into, you know, like 30 files at a certain size and then, you know, zip it up and we'll have, whatever...
[00:02:22] And that helps enormously, because you're not always going to be able to control the capture. You're not always going to be able to control who runs the capture. You're not always going to be able to, you know, control things that are outside of your span of control. So that's the time, or relevant time, where using these particular settings would be very, very, very crucial to working with capturing data, especially when you're working with another team, a vendor, you know, somebody other than, you know, working with your direct team or you yourself. You may find that you need to set up pre-capture settings so you eliminate the traffic that you don't want to see. You can limit the size of the file or files. You can create multiple files, and that also increases the security, because you don't necessarily want to be transferring around data that has information in it that is not only not relevant to what it is that you're trying to do but potentially proprietary and/or, you know, open to attack if captured.
[00:03:35] So some of the things we can do in a pre-capture filter is we can create a filter, basically say, remove this information, or this information only, when you run a capture. So, yes, you can add more to this. These are the default pre-capture filters. But what's important here is to just take a quick look at what you have here. So, for example, IP only. That will only capture IP information, no ARP. I don't want to see any ARPing, just, you know, capture everything except for ARP. UDP only. I know that I am looking for, let's say, DNS queries. No zone transfers, just specific queries, and I want to capture that, I know it's only UDP. Just run that. Those are the types of reasons that we would use this, but this is where you would get the example. So in the capture filter, for Ethernet address, there's some Ethernet address that doesn't really map to anything on your network. That's ok, because you can now create and add your own.
[00:04:46] You can select New, enter the filter name and the filter string, which would be, you know, Ethernet address, and then the actual address that you're looking for. So again, there would be some specific detective work that you need to do. Like, you would need to know what that Ethernet address was. You would need to dig that out and add that to the filter, but again, specifically, you can use this to build your own pre-capture filters. So, what are the differences between a capture and a display filter? Actually, there are many. So, capture filters cannot do everything that a display filter can do. Capture filters actually are more limited. It's actually very similar to tcpdump. There are certain things that you can do. Display filters are way more granular. There are way more things that you can do with them.
[00:05:43] The most obvious difference is that you use the capture filter before you run your capture, and then you use your display filter to refine the data that you've already captured. So obviously, other than that glaring, very obvious difference, the other difference is that they are not the same. They are different, and actually, if you look in the internals of Wireshark, it actually interfaces with the core tool differently as well. And again, the capture filter is very, very tcpdump-ish, so if you're familiar with tcpdump, then this will be very similar for you.
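The pre-capture settings the lecture describes (a tcpdump-style capture filter, a file-size limit, a fixed number of files, a two-hour window) written as an added shell script around dumpcap, the capture engine that ships with Wireshark; this is not code from the lecture, and the interface name, sizes and output path are placeholders to adjust.

```shell
#!/bin/sh
# Added example (not from the lecture): hand a vendor or another team a capture
# that is already trimmed to the traffic of interest and already split into files.
# Assumptions: dumpcap (ships with Wireshark) is on PATH; IFACE, FILE_KB,
# FILE_COUNT, DURATION_SEC and OUTFILE are placeholders, not values from the lecture.
IFACE="${IFACE:-eth0}"
FILE_KB=51200      # start a new file every ~50 MB (dumpcap counts kB)
FILE_COUNT=30      # stop after 30 files, as the lecture's team asked for
DURATION_SEC=7200  # stop after the 2-hour troubleshooting window

# Capture filters use tcpdump/BPF syntax, which is why they are more limited than
# display filters: they match raw header fields, not dissected protocol trees.
capture_filter_for() {
    case "$1" in
        ip-only)     echo 'ip' ;;             # IP traffic only, so no ARP
        no-arp)      echo 'not arp' ;;        # everything except ARP
        udp-only)    echo 'udp' ;;
        dns-queries) echo 'udp port 53' ;;    # UDP DNS only; zone transfers (TCP) excluded
        ether-host)  echo "ether host $2" ;;  # one MAC address, looked up beforehand
        *) echo "unknown filter label: $1" >&2; return 1 ;;
    esac
}

# Assemble the command: filter (-f), file rotation (-b), autostop (-a), output (-w).
dumpcap_cmd() {
    filter="$(capture_filter_for "$1" "${2:-}")" || return 1
    out="${OUTFILE:-/tmp/handoff.pcapng}"
    printf "dumpcap -i %s -f '%s' -b filesize:%s -a files:%s -a duration:%s -w %s\n" \
        "$IFACE" "$filter" "$FILE_KB" "$FILE_COUNT" "$DURATION_SEC" "$out"
}

# Print the command for review by default; set RUN=yes to execute it.
main() {
    cmd="$(dumpcap_cmd "${1:-dns-queries}" "${2:-}")" || exit 1
    if [ "${RUN:-no}" = "yes" ]; then eval "$cmd"; else echo "$cmd"; fi
}
main "$@"
```

The tcpdump equivalents of `-b filesize` and `-a files` are `-C` (size in MB) and `-W` (file count), which is the similarity the lecture points to.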