[00:00:08] So, signing in to Wireshark Foundation, hopefully we were all able to take a break and get some air. We're back and we're going to continue with the next 2 modules on filters. Just a basic primer to catch you up if you're just joining now.

[00:00:28] So, why are we filtering traffic? Well, when you run a capture on Wireshark it can collect a lot of data, and it will likely collect everything, especially if it's in promiscuous mode. It'll capture everything that it sees on the network. So, if you're trying to isolate something like a slow file download or transfer, or you're trying to pinpoint why an application is not responding, you know, in a way where it's acceptable poor performance. Again, things that we had discussed earlier in the course: you don't just load up Wireshark and have it tell you what the problem is; it won't, you know, specifically say this is what the issue is. But it will allow you to collect that data and take a look within it and do some protocol, packet or traffic analysis, or network analysis, and allow you to look in and see what's going on.

[00:01:34] So, how do we see what's going on? By putting our detective hat on and saying, OK, well, this is the client that is having the issue with this server or this destination system, and I want to see what's going on between them. And again, we have this huge amount of data that we've collected; what are we going to do to refine it, to really see exactly what's going on? We do that with a filter.

[00:02:04] And as we mentioned before, the filters will allow you to refine the data before you collect it, so you can do a capture filter. It will block out things that you don't want to see. Commonly, if you don't want to see your ARPs at all, NetBIOS traffic, things of that nature, it won't even collect it. Or you collect all data and you run what's called a display filter.

[00:02:31] So our next module is called display filters, and what a display filter does is it takes all of the data that you've captured and allows you to apply a filter to remove things that you don't want to see. So, as we just mentioned, it does so in the packet list pane. So, when you run Wireshark and when you're capturing, you record your packets. You have your 3 panes, the topmost being the packet list pane, and this is where you will see each and every packet that you've captured. The display filter you can run, and it will limit what appears in the packet list pane.

[00:03:22] You can also go into the details pane and set up a display filter to show you specific things in the packet list pane. For example, if you wanted to see some data specifically, like an Ethernet frame type or something, you could find that in the details, then right-click that detail and apply this filter, and it will then show that refined data in the packet list pane. So, there are reasons why you would actually run a filter off the details, but essentially what we're going to learn in this module is how to apply a filter to a display.

[00:04:02] So again, why do we do this? It's an aid in your troubleshooting efforts. When the fire alarm goes off and people want their network fixed so their application is running smoothly, they call on us, the network engineers and analysts, to help save the day. The last thing that I personally want to do is set up Wireshark in the wrong spot, collect data for 3 hours and crash my machine because I have so much data that I don't know what to do with it. I'd rather know strategically where I'm going to put it, capture, hopefully, what it is that I'm looking for, and then further refine it down to what it is that I may think the problem could be.

[00:04:45] So again, as we discussed these 2 filter types, capture and display: your capture filter is applied prior to running a capture, and it will block out some stuff that you don't want to see. Display is run afterwards. And when you do run your display filter, there's a lot of things that you can do here. However, we will run a sample here for you to see.

[00:05:18] So, particularly here, I've run a capture and I've captured some HTTP traffic, and I want to further filter on it. So, one of the things that you could do is you could essentially say, alright, well, I know that the client was looking up this website prior to going to it. Maybe I missed it, but I do see some information here that may be relevant to that. What I could do is go to Statistics and look at the Protocol Hierarchy. And this will tell me exactly what protocols are listed or found in the capture. Very helpful for writing a filter, because instead of, you know, scrolling down... yes, if you only have a few hundred packets it may not be a big deal, but navigating through a capture with a thousand-plus packets, it may be quicker and easier to just pull up your protocol hierarchy and say, OK, well, I know I have IPv4. Obviously I have some Ethernet here. It's using TCP, going up the OSI model. It's using HTTP, Hypertext Transfer Protocol. It gives me percentages of use, obviously. And I can see here that there's some UDP query traffic, primarily using the Domain Name Service. Very good to know.

[00:06:49] So what I will then do is, again, I can go into my Expression and right here I can drill down and search for DNS if I need to look for DNS, and select what it is that I need to see. Or, in this friendly filter toolbar, I can type DNS, and it will show me exactly what the DNS packets are doing. It'll filter for them and then I can drill down into them and say, OK, well, UDP port 53 is likely a query. Yes, it is, and it was a request.

[00:07:35] So as you can see here specifically, it's very helpful to know how to filter in for your data because it will help you to figure out things. So for example, in this particular problem, whoever was raising the complaint said, "Oh, you know, I was trying to hit the website, it was very slow to come up." Well, what exactly does that mean? Well, now I can look and drill down into the specific HTTP data, and I can also look at the DNS queries and see how it was responding.

[00:08:06] Also, on my filter toolbar, I can clear out what's in the filter. Obviously, I can just erase it or I can hit the clear button. But just a quick tip, something very helpful: if you could see here, I have a couple of them already saved up. I have a TCP full handshake conversation and I have one for ARP. You can click the save button and it will allow you to save this filter on your toolbar. Obviously, you want to name it, but if you then want to clear out and then quickly run a filter on DNS, as an example, you can just click that quick shortcut button and you'll be off and running.

[00:08:55] So as we mentioned before, it can get complex, but for all intents and purposes here, we want to just make sure that it's understood that running a display filter is primarily used to remove unwanted data, help you drill down into what it is that you want to see, and remove a lot of waste that you'll capture so you can streamline your viewable traffic to see exactly what you want to see, remove whatever it is that you don't want to see, and allow you to have a clearer picture as to what it is that you're going to be working on, analyzing or troubleshooting.