1
00:00:00,000 --> 00:00:08,828

2
00:00:08,828 --> 00:00:12,334
In our next module, setting filters,

3
00:00:12,339 --> 00:00:15,904
as we touched on throughout the course,

4
00:00:15,908 --> 00:00:22,322
setting filters is a way for you to take a gigantic data dump,

5
00:00:22,322 --> 00:00:27,626
whatever it is that your NIC card is capturing or is being sent to your machine,

6
00:00:27,626 --> 00:00:32,087
possibly through a mirrored port or SPAN port,

7
00:00:32,087 --> 00:00:37,313
and find what it is that you really want to see.

8
00:00:37,313 --> 00:00:42,096
So, a good example would be, I install Wireshark

9
00:00:42,106 --> 00:00:44,170
on a machine and I just run a capture.

10
00:00:44,181 --> 00:00:50,662
And I want to now see specifically something that tells me

11
00:00:50,664 --> 00:00:57,752
from what source to what destination is possibly a problem.

12
00:00:57,752 --> 00:01:02,629
So here's an example. There's a client accessing an application.

13
00:01:02,629 --> 00:01:06,830
They're claiming that they have an issue. It seems to be only that client.

14
00:01:06,830 --> 00:01:10,931
It's a web-based application.

15
00:01:10,931 --> 00:01:16,637
Well, I would then want to know what the source IP of the application is.

16
00:01:16,637 --> 00:01:22,492
And I would want to know, or should I say, the source IP of the client

17
00:01:22,492 --> 00:01:26,373
and the destination IP of the application.

18
00:01:26,373 --> 00:01:33,172
And then I can build the filter specifically on that conversation and I can then

19
00:01:33,172 --> 00:01:39,854
view it from the packet list pane and refine it in the packet list pane.

20
00:01:39,860 --> 00:01:46,553
Wireshark filters are used to help you to more effectively troubleshoot a problem.

21
00:01:46,553 --> 00:01:48,961
Instead of looking at a ton of data,

22
00:01:48,963 --> 00:01:53,180
you can really drill down into what it is that you want to see.

23
00:01:53,184 --> 00:01:57,443
If you only want to see ICMP traffic,

24
00:01:57,443 --> 00:02:02,005
you can write a filter for ICMP. It will only show you ICMP.

25
00:02:02,005 --> 00:02:05,162
If you want to look specifically at DNS traffic,

26
00:02:05,162 --> 00:02:11,186
you can write a DNS filter. It will show you just the DNS traffic.

27
00:02:11,186 --> 00:02:12,631
And so on and so forth.

28
00:02:12,631 --> 00:02:15,289
And that's another reason why we needed to know our protocols

29
00:02:15,288 --> 00:02:20,232
and the TCP/IP protocol suite, because as you start to troubleshoot

30
00:02:20,239 --> 00:02:22,888
and you know what the problem is,

31
00:02:22,884 --> 00:02:25,715
where you think the problem may be revolving around,

32
00:02:25,716 --> 00:02:31,832
maybe it's a DHCP problem. You can just filter out everything except for that traffic.

33
00:02:31,832 --> 00:02:38,709
It allows you to refine the view. As we've seen in some earlier modules,

34
00:02:38,725 --> 00:02:42,778
we wanted to quickly look at something. So what we were able to do is

35
00:02:42,785 --> 00:02:45,947
we were able to highlight that traffic,

36
00:02:45,958 --> 00:02:49,225
get rid of everything else and just see what we want to see.

37
00:02:49,225 --> 00:02:56,281
And one point to mention is you can also continue to run filters on already filtered data.

38
00:02:56,284 --> 00:02:59,567
So you can actually drill down deeper and deeper

39
00:02:59,573 --> 00:03:03,354
as you learn how to use the tool.

40
00:03:03,366 --> 00:03:08,357
You don't just need to write one display filter and look for traffic.

41
00:03:08,357 --> 00:03:12,408
You can really start drilling down, and that's when we get into

42
00:03:12,408 --> 00:03:18,716
writing some deeper or more granular filters to find specific data.

43
00:03:18,716 --> 00:03:24,916
So applying a filter is actually very simple.

44
00:03:24,937 --> 00:03:27,184
There's many ways to do it.

45
00:03:27,198 --> 00:03:29,465
What we looked at before we started the module,

46
00:03:29,465 --> 00:03:33,402
we answered the question about packet loss and how we might find that.

47
00:03:33,399 --> 00:03:37,192
We wound up going to the Statistics menu.

48
00:03:37,192 --> 00:03:42,207
In the Statistics menu, we wanted to see the conversations.

49
00:03:42,207 --> 00:03:45,485
Right from there, we could right click and apply a filter.

50
00:03:45,485 --> 00:03:48,805
We could filter pretty much anywhere in this tool.

51
00:03:48,805 --> 00:03:53,734
You can right click right off the packet and generate a filter.

52
00:03:53,734 --> 00:03:57,687
You can use the toolbar to make a filter. You can use the context menu.

53
00:03:57,687 --> 00:04:01,015
You can make filters within your I/O graph.

54
00:04:01,015 --> 00:04:04,569
You can pretty much apply filters everywhere you go,

55
00:04:04,569 --> 00:04:09,147
and the reason for that is because

56
00:04:09,158 --> 00:04:14,320
the more granular you can get with what it is that you're trying to solve and troubleshoot,

57
00:04:14,320 --> 00:04:17,863
the more helpful it will be after you apply the filter.

58
00:04:17,863 --> 00:04:27,765
So as we discussed before, there are 2 main filter types:

59
00:04:27,756 --> 00:04:32,664
there's a capture filter and there's a display filter.

60
00:04:32,664 --> 00:04:36,882
The capture filter uses the Berkeley format and

61
00:04:36,882 --> 00:04:40,544
it is a little bit more limited. It's different than a display filter.

62
00:04:40,544 --> 00:04:44,612
It will not allow you to do everything that a display filter can do.

63
00:04:44,612 --> 00:04:48,086
And in some instances, the syntax is different.

64
00:04:48,086 --> 00:04:53,314
So learning filters will require you to look at

65
00:04:53,314 --> 00:04:58,076
both separately, as well as together, because

66
00:04:58,076 --> 00:05:03,755
in some aspects they're similar. Obviously, the concept of filtering is the same

67
00:05:03,746 --> 00:05:10,610
and you want to remove things that you don't want to see and granulize the view.

68
00:05:10,602 --> 00:05:15,372
However, the way that you do it will be slightly different.

69
00:05:15,372 --> 00:05:20,670
And also remember that a capture filter is applied before you start the capture,

70
00:05:20,670 --> 00:05:27,728
whereas the display filter is applied after you've run the capture

71
00:05:27,728 --> 00:05:31,462
and you want to then filter out data that you don't want to see.

72
00:05:31,462 --> 00:05:37,789
The capture filter will eliminate it completely from the capture; you will never see it.

73
00:05:37,789 --> 00:05:45,031
So configuring a capture filter, we'll do this live here.

74
00:05:45,031 --> 00:05:50,207
So if I wanted to capture some data,

75
00:05:50,207 --> 00:05:55,214
I can go in, select an interface, go into capture options.

76
00:05:55,214 --> 00:05:59,076
I can apply a capture filter right here.

77
00:05:59,076 --> 00:06:07,905
So, in this instance, I want to say, alright, I don't want any ARP traffic at all in my capture.

78
00:06:07,922 --> 00:06:12,364
So I am going to filter all ARP traffic before.

79
00:06:12,361 --> 00:06:18,183
It will not put it in the capture once I am done running a capture.

80
00:06:18,193 --> 00:06:25,130
So we're going to see no ARP and we're going to start the capture.

81
00:06:25,130 --> 00:06:34,109
And I will try to generate some traffic here.

82
00:06:34,109 --> 00:06:55,715
As we can see, no ARP. So that's a pre-capture filter.

83
00:06:55,715 --> 00:06:58,438
So what's a display filter? What's the difference here?

84
00:06:58,438 --> 00:07:05,808
Ok, well, here I may want to say, ok, IP only, and it will only show me the IP traffic.

85
00:07:05,808 --> 00:07:10,912
There's many things that you can type right in once you start to learn.

86
00:07:10,912 --> 00:07:19,715
Otherwise you can build your filter. You can specifically take from many

87
00:07:19,715 --> 00:07:25,160
different types and build them, Boolean, and apply them.

88
00:07:25,160 --> 00:07:29,570
So in this case, we may want to filter out HTTP.

89
00:07:29,570 --> 00:07:38,831
You can search for it, and then drill down and find specific things that you want.

90
00:07:38,831 --> 00:07:59,119
And clear it once you're done. Alright, so next stop,

91
00:07:59,119 --> 00:08:03,970
some simple Wireshark expressions.

92
00:08:03,970 --> 00:08:09,645
Basically, if you wanted to capture traffic to or from a specific IP address,

93
00:08:09,645 --> 00:08:13,974
you could put host in and you could put the IP address of it in.

94
00:08:13,974 --> 00:08:21,531
This will capture data just for that host. You can also add the net mask.

95
00:08:21,531 --> 00:08:25,613
And you can capture based on a specific port.

96
00:08:25,613 --> 00:08:31,119
You can go deeper. However, these are some of the more common things

97
00:08:31,119 --> 00:08:33,119
that you will do as you're learning Wireshark.

98
00:08:33,119 --> 00:08:38,820
It's recommended that you apply and test some of these specific filters

99
00:08:38,869 --> 00:08:44,200
so you can get a taste of what it can do and then expand from there.

100
00:08:44,200 --> 00:08:48,552
The best way to do it is to practise, so the more you work with it

101
00:08:48,552 --> 00:08:55,214
you'll see that if something's allowed, it will be in the display filter.

102
00:08:55,214 --> 00:08:59,144
It'll be green. If you're making a mistake as you're typing it out, it will be red.

103
00:08:59,144 --> 00:09:01,651
So it's very helpful. It's a drop-down.

104
00:09:01,651 --> 00:09:07,639
It's context sensitive, so that as you're typing things in it will try to help you out.

105
00:09:07,639 --> 00:09:13,500
And it is something that as you learn your protocols

106
00:09:13,492 --> 00:09:15,543
and what it is that you can and can't do,

107
00:09:15,586 --> 00:09:20,800
you will be able to be more flexible within writing your filters.

108
00:09:20,800 --> 00:09:26,324
And as you can see here, a more advanced filter.

109
00:09:26,341 --> 00:09:34,124
Specifically I'm looking for a hardware address as a destination.

110
00:09:34,140 --> 00:09:39,517
So as you learn more and more about it, you will be able to populate specifically

111
00:09:39,517 --> 00:09:42,139
what it is that you do or don't want to see.

112
00:09:42,156 --> 00:09:49,386
You can remove various specific things or entire protocols altogether.

113
00:09:49,386 --> 00:09:55,949
So why do we use filters? Well, for one reason,

114
00:09:55,949 --> 00:10:00,513
you're trying to streamline your view of traffic,

115
00:10:00,513 --> 00:10:06,119
because as you're working through your traffic analysis you may

116
00:10:06,134 --> 00:10:08,936
see things from a whole host of IPs.

117
00:10:08,959 --> 00:10:12,824
And you're just trying to figure out something from one source to a destination.

118
00:10:12,824 --> 00:10:19,995
We'll get more into it in a future module, but that conversations tool allows you to really see

119
00:10:19,995 --> 00:10:26,572
what's talking in your capture file, and it's very helpful to go right there

120
00:10:26,572 --> 00:10:30,309
to, you know, right click from there and apply filters, because

121
00:10:30,309 --> 00:10:36,498
you can then, instead of sifting through the capture itself, you could see specifically

122
00:10:36,481 --> 00:10:40,701
what your top talkers are. Who's having the most conversations?

123
00:10:40,701 --> 00:10:49,910
And lastly, it will help you to remove anything that you don't want to see.

124
00:10:49,910 --> 00:10:54,916
So you're not confused as to having this gigantic data dump of information.

125
00:10:54,916 --> 00:10:58,736
It removes any extraneous data that is really not relevant.

126
00:10:58,736 --> 00:11:05,763
It can, you know, busy up the capture.

127
00:11:05,763 --> 00:11:11,415
And lastly, it'll just give you, the analyst, a clearer view of what's there,

128
00:11:11,429 --> 00:11:15,662
so that you can get to the root cause of the problem through isolation.

129
00:11:15,661 --> 00:11:21,676