Welcome back. In our next module, we will talk about capture filters. When you use Wireshark, you're able to capture a whole lot of data, and the key to really analyzing that data is to streamline or filter what it is that you will see once you're done capturing. So, as we talked about in an earlier module, you want to make sure that you have Wireshark placed correctly, that it's in the right spot, and that you're capturing specific data from the source to the destination. Then, once you're done, you can filter on that data to granulize what it is that you captured so that you can troubleshoot it.

But there will be times when you will want to take that data and minimize what you see prior to stopping the capture, and here's an example. Let's say you are only interested in seeing data on your network and you're not really worried about analyzing anything from your machine. You can actually tell Wireshark to restrict the data from your machine so that it doesn't get caught up in your capture, and you don't have to filter it out afterwards. What's nice about that is you're already in a position where you don't get inundated with data; you can limit what it is that you see. So, with Wireshark filters, first of all, what's a filter?
A filter is what's going to allow you to break down what it is you are seeing and refine it so that you're looking for specific IP addresses, protocols, specific ports, the things that you're looking for to aid in your troubleshooting. So, for an example, if you're looking to troubleshoot a client's access to an application, you may only want to see the IP address activity from the source, the client, to the destination server, and you're not really worried about, for example, the other ARP broadcasts. You're not worried about NetBIOS broadcasts. You're not worried about SNMP traffic. You're not worried about any of that, and you're able to filter all that stuff out. And again, what's nice is that with Wireshark you have two different types of filters. You can use the capture filter, or, as I like to call it, the pre-capture filter, because before running your capture you're restricting what it is that you don't want to see. And then afterwards, you can also continue to drill down with the display filter, but again you minimize what it is that you see from when you first run the capture. So, what does it help you do? Well, it aids in your ability to troubleshoot.
Again, as we just mentioned, if you're looking for a specific source to a destination and you're trying to analyze that, you don't really need to see all of that traffic. So let's just drill down into that specific conversation and we can remove all the rest. You do this to refine the view, and it allows you to go into the Packet List pane and really say, alright, if I'm looking for IP address 10.1.2.1 and a destination of 192.168.10.3, you're only going to see the communication from those two systems; it will highlight that communication in the Packet List pane and remove all the rest.

So, as we mentioned before, you have two types of filters that you can apply. One is the capture filter. Plainly explained, this is used to filter data before it is captured by Wireshark. So, if you set up a capture filter of, let's say, no ARP, then when you run your capture, no ARP traffic will be collected. And then the display filter is for when you want to capture everything and then refine down. Or you can also capture data with a pre-capture or capture filter, and then, once you've stopped the capture, you can apply a display filter to it. So you can also use them in tandem.
To configure a capture filter, basically what you want to do is load Wireshark, and once you have Wireshark up, you can go to Capture Options, and from here you can select an interface. So for this example, I am going to use my wireless interface. And then here you can say, I want to set up a capture filter. Now, we're going to do this one very simply. We're going to select "IP only", hit OK, and then Start. Now, essentially, all Wireshark's going to do right now is capture only IP traffic. Again, what's good about that is if you're trying to, as we said, just look for some specific traffic, you can actually specify the IP address as well. If you're just looking for some specific traffic, then this will in fact allow you to block out everything else except for that traffic. Now, as we said before, you can select any of your interfaces. You can then save your capture filter. You can type it directly into the area there. You can say specifically host, the broadcast host, an IP address. One thing to remember is this uses the Berkeley format. It's not the same as a display filter. It's less flexible; it's more like tcpdump.
So you're not going to be able to just do anything with a pre-capture filter. It's meant to really just isolate or remove bulk traffic, as I like to call it: taking ARP out, taking NetBIOS out, taking UDP out, taking your IP address out so you don't see any unicast to your machine. So again, this is specific to pre-capture, applying a capture filter. It will only allow you to do so much, so don't think that it's going to allow you to do everything that a display filter will. And again, just to remind you, once you stop the capture (as you can see, I only have IP traffic here), I can still apply a display filter directly to the data that's been captured with the capture filter, so they do work in tandem.

So, just to summarize, the filtering that you do with Wireshark is specific to streamlining your view: making what it is that you want to troubleshoot very granular and making sure that you're zooming in on what it is that you want to see. It's removing stuff that you don't want to see, and from there it will give you, the analyst, a clear view to be able to troubleshoot this and find root-cause data of what the problem could be.
Thanks again for the questions that you're posting to the forum. One very good question was: are the default files and folder structure enabled for Wireshark, and if so, which one is based on the capture filters? So, if you're studying for the exam, the Wireshark Certified Network Analyst exam, one of the key questions that they'll ask, which you'll find as you navigate Wireshark, is about specific files that you need to know about and how the file structure is laid out in Wireshark. So, one of the things you can do is go to Help, and in the Help menu you can go to About Wireshark. Now, if you go to the Folders tab, you will see direct links to specifically where data is kept for Wireshark. So, one of the things that you can do is go to the system folder. Once you open the system folder, you will see specific files in here. And the answer to that question is the cfilters file. That's the default name for the capture filter file.