1 00:00:00,000 --> 00:00:08,755 2 00:00:08,755 --> 00:00:12,184 In our next module, we will discuss navigation. 3 00:00:12,192 --> 00:00:18,766 Navigation is key to working effectively and efficiently with Wireshark. 4 00:00:18,766 --> 00:00:23,332 Being able to navigate the interface is critically important. 5 00:00:23,332 --> 00:00:29,699 Being able to open, start a capture. We talked briefly about this yesterday, 6 00:00:29,699 --> 00:00:35,727 when we did, when we're talking about setting up profiles and adjusting preferences. 7 00:00:35,730 --> 00:00:40,884 But once you have all that stuff adjusted and you're able to start your capture, 8 00:00:40,884 --> 00:00:44,826 once you have captured data, exactly what you're going to do with it 9 00:00:44,842 --> 00:00:49,478 which is what we'll learn in all the rest of the modules - use the tools. 10 00:00:49,476 --> 00:00:52,999 To be able to do that you have to know how to navigate the interface. 11 00:00:52,999 --> 00:00:56,164 So in this module, we're going to talk specifically 12 00:00:56,164 --> 00:01:00,365 about how to get through the interface. 13 00:01:00,365 --> 00:01:05,191 Alright, so with Wireshark, navigating a Wireshark interface 14 00:01:05,199 --> 00:01:09,374 you will be able to quickly navigate through the tool, 15 00:01:09,374 --> 00:01:13,661 and find, use, and work with captured data. 16 00:01:13,661 --> 00:01:18,482 So we talked yesterday, yesterday about the launch pad or the start page - 17 00:01:18,482 --> 00:01:23,156 where you can begin your capture, select the interface, 18 00:01:23,156 --> 00:01:27,764 set up capture options, pre-capture filters, 19 00:01:27,764 --> 00:01:32,858 saving options so it will chop the data up into multiple files, 20 00:01:32,858 --> 00:01:34,858 so it's not one big capture. 21 00:01:34,858 --> 00:01:41,231 But once you actually start the capture, you're going to open up into the capture window. 
22 00:01:41,231 --> 00:01:46,938 So with the capture window, one of the things that you're going to start off with is 23 00:01:46,938 --> 00:01:52,561 the file menu, and each one of these menu options here as you see 24 00:01:52,561 --> 00:01:58,053 will give you most of what it is that you need to get to within Wireshark. 25 00:01:58,061 --> 00:02:01,427 So just really quickly, the file menu is 26 00:02:01,422 --> 00:02:05,863 responsible for opening and closing your captures. 27 00:02:05,875 --> 00:02:11,356 You can save them. We have one module on how to save them 'cause 28 00:02:11,356 --> 00:02:13,165 there's so many different formats and things that 29 00:02:13,171 --> 00:02:16,055 you need to learn about the saving of the captures. 30 00:02:16,055 --> 00:02:19,138 You can review if this was a file set. 31 00:02:19,138 --> 00:02:23,873 If we chop the files up, we could save them 32 00:02:23,866 --> 00:02:27,292 in multiple files and you could browse through them. 33 00:02:27,294 --> 00:02:31,122 You could see them in the list of files. 34 00:02:31,122 --> 00:02:33,122 We will learn about exporting. 35 00:02:33,122 --> 00:02:36,579 You can export objects. This is helpful when you want 36 00:02:36,572 --> 00:02:41,901 to see the TCP objects as we just learned 37 00:02:41,916 --> 00:02:49,346 about this HTTP capture, this is helpful to give you a view into specifics. 38 00:02:49,346 --> 00:02:53,842 Let's say, we wanted to see the size or we wanted to see 39 00:02:53,843 --> 00:02:58,263 what packets map to what objects. 40 00:02:58,253 --> 00:03:04,440 We can print, print packets and or quit the program. 41 00:03:04,440 --> 00:03:10,961 The edit file menu - you can use this to find specific packets. 42 00:03:10,961 --> 00:03:13,620 We will look at that momentarily. 43 00:03:13,620 --> 00:03:18,267 You can mark and annotate packets which we'll look at in a separate module. 
44 00:03:18,267 --> 00:03:23,173 This is important for, if you wanted to 45 00:03:23,173 --> 00:03:27,076 for example, make reference to what this is. 46 00:03:27,076 --> 00:03:32,573 You can now with Pcap-ng file formats. 47 00:03:32,573 --> 00:03:34,939 You can save specific things. 48 00:03:34,940 --> 00:03:47,316 And annotate, you know, the entire file and or, sorry, hit the wrong thing. 49 00:03:47,316 --> 00:03:51,423 So you can specifically save data in the comments. 50 00:03:51,423 --> 00:03:55,541 So there's a lot of things that you can do to edit the file itself. 51 00:03:55,541 --> 00:04:01,548 You can switch through and change your preferences or adjust your profiles. 52 00:04:01,548 --> 00:04:03,548 You can also select it down here. 53 00:04:03,548 --> 00:04:15,036 In the view menu, you can adjust and select which toolbars you'd like to see. 54 00:04:15,036 --> 00:04:19,349 So for example, if we do not want to see wireless setting, 55 00:04:19,353 --> 00:04:21,492 things we can adjust, we can turn it off. 56 00:04:21,495 --> 00:04:28,149 We can turn it on. There's a lot of things that are available to you in the interface 57 00:04:28,158 --> 00:04:31,568 so you're able to turn them off and on here. 58 00:04:31,568 --> 00:04:36,619 What we just learned about was adjusting the time. 59 00:04:36,619 --> 00:04:41,998 So you can change the time format. 60 00:04:41,998 --> 00:04:45,137 You can turn on and off name resolution. 61 00:04:45,137 --> 00:04:49,943 You can also adjust that in your preferences to do that every single time. 62 00:04:49,943 --> 00:04:53,792 You can adjust the zooming so I actually zoomed 63 00:04:53,784 --> 00:04:56,475 in here so that you could see things easier. 64 00:04:56,475 --> 00:05:04,208 And you can also zoom out. You can readjust it to normal size. 65 00:05:04,208 --> 00:05:07,199 You can resize your columns so as an example, 66 00:05:07,194 --> 00:05:11,621 if you're adjusting this you can quickly resize them. 
67 00:05:11,628 --> 00:05:17,422 You can display columns. In preferences, you can add more columns. 68 00:05:17,422 --> 00:05:21,113 Here, you can take away or add columns at will. 69 00:05:21,113 --> 00:05:23,808 You can also move them very easily, if needed. 70 00:05:23,808 --> 00:05:29,251 If you want to adjust something, you can just move the column. 71 00:05:29,251 --> 00:05:36,080 You can get to your coloring rules which we briefly talked about 72 00:05:36,080 --> 00:05:39,699 to change specifics in the capture. 73 00:05:39,699 --> 00:05:46,367 How things are viewed - you can completely reload the capture, reload the interface. 74 00:05:46,367 --> 00:05:54,532 What we'd like to talk about next is the go menu and specifically, 75 00:05:54,538 --> 00:05:58,027 when you move around the actual capture, 76 00:05:58,034 --> 00:06:01,288 you can use the go menu to help navigate the data. 77 00:06:01,305 --> 00:06:04,961 So it's actually pretty simplistic in nature but 78 00:06:04,961 --> 00:06:11,632 this toolbar will allow you to essentially move through the packets. 79 00:06:11,641 --> 00:06:14,221 You can go to the next packet and move through the, 80 00:06:14,221 --> 00:06:16,095 obviously you can scroll through. 81 00:06:16,095 --> 00:06:19,741 But this provides you a quick way to navigate. 82 00:06:19,741 --> 00:06:21,988 One of the more helpful ones is at the end. 83 00:06:21,978 --> 00:06:26,124 You can go to a, the beginning or the end of the capture. 84 00:06:26,124 --> 00:06:28,124 So we'll show you that. 85 00:06:28,124 --> 00:06:35,133 So if you wanted to get to the beginning of the capture 86 00:06:35,133 --> 00:06:38,892 and or if you wanted to get to the end of the capture. 87 00:06:38,892 --> 00:06:42,612 So, there's different ways to navigate. 
88 00:06:42,612 --> 00:06:45,471 Through the capture itself, you can move through it 89 00:06:45,471 --> 00:06:49,544 or you can go to the beginning or the end but 90 00:06:49,544 --> 00:06:56,496 regardless, this tool will allow you to navigate the capture itself pretty quickly and easily. 91 00:06:56,496 --> 00:07:05,461 So, why would we want to navigate through these files? 92 00:07:05,471 --> 00:07:10,957 Well, one of the things here is I have a capture display here. 93 00:07:10,983 --> 00:07:14,420 Let me put this back up for you. 94 00:07:14,420 --> 00:07:17,497 I put a, let me clear and I'll show you. 95 00:07:17,497 --> 00:07:22,496 But if you wanted to specifically get to the beginning of a HTTP conversation, 96 00:07:22,496 --> 00:07:27,036 instead of scrolling all around this large capture, and this isn't really a large one, 97 00:07:27,036 --> 00:07:31,978 we only have about a, maybe a few hundred packets. 98 00:07:31,978 --> 00:07:35,959 I can get to the beginning of the capture, get to the end of the capture, 99 00:07:35,959 --> 00:07:39,758 and start navigating through the capture based on the filter that I applied. 100 00:07:39,758 --> 00:07:46,882 So that could be very helpful to you if that's a, if, if you find out that it's quicker and easier 101 00:07:46,882 --> 00:07:48,882 to get you around the capture. 102 00:07:48,882 --> 00:07:56,571 So other navigation features, obviously we started going through the file menus. 103 00:07:56,571 --> 00:08:01,674 That's one thing where everything that you need, 104 00:08:01,674 --> 00:08:04,835 could be found primarily within the menu options. 105 00:08:04,835 --> 00:08:09,530 So as we go through and learn about the tools, we get more into the statistics menu. 106 00:08:09,530 --> 00:08:12,478 Touch on a lot of the tools in there. 107 00:08:12,478 --> 00:08:16,722 There's specific telephony and or if you're troubleshooting voice. 108 00:08:16,722 --> 00:08:18,722 There's a whole menu system for that. 
109 00:08:18,722 --> 00:08:22,398 But get comfortable with navigating the menu system 110 00:08:22,398 --> 00:08:25,237 'cause it's really going to give you a bird's-eye view into what 111 00:08:25,237 --> 00:08:27,140 Wireshark has to offer. 112 00:08:27,140 --> 00:08:29,527 And again, don't forget about the main interface. 113 00:08:29,527 --> 00:08:34,857 The main interface will provide you with a lot of different options 114 00:08:34,857 --> 00:08:40,412 that we already started going through, as we mentioned you can navigate through it. 115 00:08:40,412 --> 00:08:49,619 You have some capture stuff in here where you can select your interfaces. 116 00:08:49,621 --> 00:08:54,168 This is the same as if you were in the launch pad. 117 00:08:54,168 --> 00:09:00,195 Do you want to change interfaces? You can change options on the interface. 118 00:09:00,195 --> 00:09:02,730 Again, this was off the main launch pad 119 00:09:02,730 --> 00:09:08,348 but you can see specifically which interface was used to run the capture. 120 00:09:08,348 --> 00:09:15,873 You can start and stop the capture. 121 00:09:15,873 --> 00:09:19,109 Obviously, if you've already started one, it will ask you to save it. 122 00:09:19,109 --> 00:09:23,457 We recommend that if you're saving captures, obviously 123 00:09:23,466 --> 00:09:26,876 you will want to find a spot on your hard drive. 124 00:09:26,896 --> 00:09:30,578 Don't you stamp them into documents, maybe create a capture folder. 125 00:09:30,578 --> 00:09:34,336 But to start and stop captures, you will have to save it. 126 00:09:34,336 --> 00:09:38,136 You can set some pre-defined capture filters. 127 00:09:38,136 --> 00:09:42,869 This is for the next capture. Obviously, we can apply capture filter 2. 128 00:09:42,869 --> 00:09:48,783 ARD capture, already established capture, we can apply a display filter to it. 129 00:09:48,783 --> 00:09:53,033 And again, we can refresh the interfaces. 
130 00:09:53,033 --> 00:09:55,820 In analyze, we can look at display filters. 131 00:09:55,820 --> 00:10:01,447 We can set up macros and we can follow the TCP stream. 132 00:10:01,447 --> 00:10:04,649 For example, if we have a conversation here as we can see, 133 00:10:04,652 --> 00:10:07,030 we can see the whole conversation in the stream. 134 00:10:07,030 --> 00:10:11,975 So we can get through that. One of the tips to navigating 135 00:10:11,975 --> 00:10:18,333 is we have a right click context menu for the packets list and the details pane. 136 00:10:18,333 --> 00:10:21,082 So if you wanted to see some specific information 137 00:10:21,107 --> 00:10:24,107 you wanted to see this conversation in particular, 138 00:10:24,120 --> 00:10:31,231 you can follow the TCP stream there. It will apply this conversation filter directly in. 139 00:10:31,231 --> 00:10:37,067 And then you can see specifically the stream for that conversation. 140 00:10:37,067 --> 00:10:46,672 So, that's what you can get from the analyze. 141 00:10:46,672 --> 00:10:50,658 You can also view the Expert. We will get directly into the Expert in more depth 142 00:10:50,658 --> 00:10:55,454 but the Expert is a, I like to call it a clue system. 143 00:10:55,454 --> 00:11:00,222 It will give you some specific information so as an example here, 144 00:11:00,222 --> 00:11:04,766 we had some out of order segments. If we were interested in figuring that out, 145 00:11:04,766 --> 00:11:08,657 we can click on that and it will take us directly to the numbered packet. 146 00:11:08,657 --> 00:11:14,095 So in this example, it's showing in the summary that it was packet 141. 147 00:11:14,095 --> 00:11:18,592 We were able to double click on that and it was able to take us to packet 141. 148 00:11:18,592 --> 00:11:23,663 Then we can drill down into the details of that specific data 149 00:11:23,664 --> 00:11:26,929 and look at what the Expert flagged. 
150 00:11:26,929 --> 00:11:32,798 So again, this is just learning how to navigate the system 151 00:11:32,798 --> 00:11:36,581 so that when we start getting into the, the more granular detail, 152 00:11:36,581 --> 00:11:42,505 we'll understand how to move around Wireshark and where things are located. 153 00:11:42,505 --> 00:11:48,224 So we have a lot of drop-down menus. 154 00:11:48,224 --> 00:11:53,304 We have pane navigation, right click context menus. 155 00:11:53,298 --> 00:11:56,498 The toolbars, in particular, we started looking at them. 156 00:11:56,498 --> 00:11:57,820 You can turn them on and off. 157 00:11:57,820 --> 00:12:02,070 We can set up a filter through the filtering toolbar. 158 00:12:02,070 --> 00:12:04,278 So there's a lot of things in here that we can work 159 00:12:04,289 --> 00:12:06,929 with when it comes to navigating Wireshark. 160 00:12:06,932 --> 00:12:08,932 It's very user-friendly. 161 00:12:08,932 --> 00:12:14,926