1
00:00:00,000 --> 00:00:09,299

2
00:00:09,299 --> 00:00:15,987
Before we start the next module, there was a question in the forums asking

3
00:00:15,987 --> 00:00:21,558
what happened to the data, I'm sorry, what happened

4
00:00:21,560 --> 00:00:24,381
to the chapter starting a capture,

5
00:00:24,375 --> 00:00:29,069
capturing packets, timestamps and time values, navigation, sample captures.

6
00:00:29,069 --> 00:00:36,244
Apologies, but we already went through those. If you've missed those, they would be available

7
00:00:36,244 --> 00:00:42,734
on the website to stream, for once this live broadcast is completed,

8
00:00:42,741 --> 00:00:45,182
INE will package up the data.

9
00:00:45,196 --> 00:00:51,116
And it will be available for you. What I will do is very quickly and briefly,

10
00:00:51,116 --> 00:01:01,090
before I go into the next, into the next topic, is basically to cover those very quickly.

11
00:01:01,090 --> 00:01:06,111
Starting a capture, basically off the launchpad,

12
00:01:06,116 --> 00:01:09,595
you select your interface, you have capture options.

13
00:01:09,604 --> 00:01:13,962
You start your capture. And from there you collect your data,

14
00:01:13,962 --> 00:01:18,755
you stop the capture and then you can further filter it.

15
00:01:18,755 --> 00:01:24,349
Timestamps and time values - we went through these.

16
00:01:24,349 --> 00:01:28,311
This is probably, this is the first topic we covered today.

17
00:01:28,319 --> 00:01:34,141
And one of the things that we covered with timestamps and time values is that

18
00:01:34,141 --> 00:01:40,436
in your Wireshark capture here, as you can see,

19
00:01:40,436 --> 00:01:49,272
we have, let's zoom in a little bit. You have your time column.

20
00:01:49,272 --> 00:01:59,674
And what you can adjust is specific to the View menu, Time Display Format.
21
00:01:59,682 --> 00:02:04,329
You can change it to seconds since beginning of capture,

22
00:02:04,329 --> 00:02:09,267
seconds since previous captured packet, and so on and so forth.

23
00:02:09,267 --> 00:02:14,388
What we covered in that module is why that's important.

24
00:02:14,388 --> 00:02:21,804
Essentially, in a nutshell, the gist of it is that if you have, from source to destination,

25
00:02:21,804 --> 00:02:25,975
you have some kind of performance issue, let's say there's some kind of latency,

26
00:02:25,975 --> 00:02:28,804
you can capture that in your packet.

27
00:02:28,804 --> 00:02:35,155
So when we use an example with HTTP and the traffic is moving from one place to the other,

28
00:02:35,155 --> 00:02:40,734
if it's taking an abnormal amount of time for the response,

29
00:02:40,743 --> 00:02:44,501
as an example, you will see that as the time delta.

30
00:02:44,521 --> 00:02:51,689
And you can use that as an example of a, against the baseline.

31
00:02:51,689 --> 00:02:54,774
You can also go into your summary and

32
00:02:54,782 --> 00:02:58,141
you can get some information there as well, how many packets,

33
00:02:58,134 --> 00:03:04,086
and so on and so forth. So you can get an understanding of how long your entire

34
00:03:04,086 --> 00:03:07,882
capture was. That will give you some information.

35
00:03:07,882 --> 00:03:14,210
However, if you go packet by packet, it will allow you, in milliseconds, to

36
00:03:14,210 --> 00:03:20,149
figure out just how long it took for things to happen in a transaction.

37
00:03:20,149 --> 00:03:22,439
So I hope that answers your question.

38
00:03:22,439 --> 00:03:26,355
Otherwise, the rest of it would be up online as soon as the,

39
00:03:26,362 --> 00:03:29,297
they're done packaging the product.

40
00:03:29,314 --> 00:03:35,446
OK, in our next module, we'll be discussing advanced filters.

41
00:03:35,446 --> 00:03:39,936
This is the last filtering-specific module that we will cover.
42
00:03:39,936 --> 00:03:44,038
However, I will say that through the rest of the

43
00:03:44,046 --> 00:03:46,846
examples that we give and the things that we do

44
00:03:46,850 --> 00:03:49,806
while we're troubleshooting, we will be using filters.

45
00:03:49,806 --> 00:03:54,872
So this is not the last time you will see it. Let's say that from here on out,

46
00:03:54,872 --> 00:04:03,292
it's more than likely you will be building filters quite often while you use Wireshark.

47
00:04:03,292 --> 00:04:08,717
And as you can see, some of the things that we've done is we've

48
00:04:08,722 --> 00:04:11,432
worked through some pretty simple filters

49
00:04:11,424 --> 00:04:15,588
all the way to the more advanced, the more advanced

50
00:04:15,589 --> 00:04:19,292
we will cover here in this module.

51
00:04:19,300 --> 00:04:25,320
But as you can see, a filter again is just to refine the traffic.

52
00:04:25,320 --> 00:04:30,173
It's going to get muddy. You're not going to be able to see what you want to see.

53
00:04:30,173 --> 00:04:37,406
And by doing filtering, either pre-capture or post-capture,

54
00:04:37,406 --> 00:04:42,010
when you run a display filter, you'll be able to minimize what you need,

55
00:04:42,010 --> 00:04:46,790
minimize the stuff in the capture you don't want to see,

56
00:04:46,790 --> 00:04:50,789
and bring to the surface or highlight the things that you do want to see,

57
00:04:50,789 --> 00:04:54,738
so that you can find the root cause of a problem.

58
00:04:54,738 --> 00:05:01,002
So there's, there's actually a lot of different display filters that you can set up.

59
00:05:01,002 --> 00:05:06,386
Obviously, we've talked about capture filters. I think we'll leave that one to rest for now.

60
00:05:06,386 --> 00:05:10,123
The major difference is it works in the Berkeley format.

61
00:05:10,123 --> 00:05:11,879
It's different than a display.
62
00:05:11,879 --> 00:05:16,104
It's used to isolate things off your capture that you don't want to see,

63
00:05:16,104 --> 00:05:19,415
such as NetBIOS, off those types of things.

64
00:05:19,415 --> 00:05:23,805
Your display filter is going to be something that you apply afterwards, and

65
00:05:23,805 --> 00:05:27,125
there's actually a lot of different types of filtering that you can do.

66
00:05:27,125 --> 00:05:32,604
So, here as you can see on the screen, I've bolded a few, bolded a few of them.

67
00:05:32,604 --> 00:05:38,677
And one of the filters that you can see is a stream filter.

68
00:05:38,677 --> 00:05:42,218
And that will actually show you the entire conversation,

69
00:05:42,224 --> 00:05:44,957
either the TCP or UDP.

70
00:05:44,959 --> 00:05:48,800
We'll show that live so you can understand what that's about.

71
00:05:48,800 --> 00:05:54,133
There are macros you can write. There are conversation filters that you can build.

72
00:05:54,133 --> 00:05:57,493
We highlighted that briefly either on another mod,

73
00:05:57,502 --> 00:05:59,784
question and answer period we did.

74
00:05:59,795 --> 00:06:04,969
And as you'll see, as we mentioned in some other

75
00:06:04,982 --> 00:06:08,338
questions and answers, you can do this in an I/O graph.

76
00:06:08,339 --> 00:06:12,606
Pretty much anywhere in Wireshark, and we'll get to each one of those tools

77
00:06:12,610 --> 00:06:15,886
and we'll show you how you can use filtering in them.

78
00:06:15,886 --> 00:06:19,549
But the key concept here with advanced filtering

79
00:06:19,549 --> 00:06:24,733
is that you start with the most basic. You learn the syntax of it.

80
00:06:24,733 --> 00:06:30,706
You use the, the expression filter to kind of help you build some stuff.
81
00:06:30,706 --> 00:06:35,051
And then once you move more into using the tool,

82
00:06:35,051 --> 00:06:42,039
you could start to, as you see here, start building your own filter types

83
00:06:42,045 --> 00:06:47,332
right in the, in the open window here.

84
00:06:47,323 --> 00:06:50,488
You can basically type in something as long as this,

85
00:06:50,491 --> 00:06:52,569
where it basically says

86
00:06:52,572 --> 00:06:57,078
that I want the IP address equal to this IP,

87
00:06:57,078 --> 00:07:00,156
and the IP address equal to this IP,

88
00:07:00,156 --> 00:07:07,693
and specific UDP ports such as 53, which will help me to isolate,

89
00:07:07,693 --> 00:07:11,002
you guessed it, right here, DNS traffic.

90
00:07:11,002 --> 00:07:16,967
So, one of the reasons why we did this is we wanted to see, alright, well,

91
00:07:16,967 --> 00:07:21,690
I have a DNS server here that is not working.

92
00:07:21,690 --> 00:07:23,575
It's, there's some problem here.

93
00:07:23,575 --> 00:07:26,988
My client doesn't seem to be able to resolve DNS.

94
00:07:27,008 --> 00:07:31,581
And why would that be? Well, as we write this filter

95
00:07:31,597 --> 00:07:34,768
and we drill down into this specific traffic to look at

96
00:07:34,785 --> 00:07:40,106
one IP to another to figure out why, on UDP port 53,

97
00:07:40,106 --> 00:07:41,910
it's not really working here.

98
00:07:41,910 --> 00:07:48,871
Alright, I have a few clues where I can see that I have a Type 3 Destination Unreachable.

99
00:07:48,871 --> 00:07:55,500
And I have some resource records in here that are not being answered.

100
00:07:55,500 --> 00:08:00,850
So as we can see from our filter that we drew,

101
00:08:00,850 --> 00:08:07,568
a more advanced filter, that essentially we have a DNS problem.

102
00:08:07,568 --> 00:08:11,267
And that is exactly what the whole point of filtering is.
103
00:08:11,267 --> 00:08:17,007
And this was not even a super complex one, it was just long and maybe difficult to write,

104
00:08:17,007 --> 00:08:19,495
and that's what I think makes them more advanced.

105
00:08:19,495 --> 00:08:23,069
But once you understand the concepts of networking

106
00:08:23,069 --> 00:08:27,575
and are able to put your detective hat on and isolate a little bit of the problem,

107
00:08:27,575 --> 00:08:30,451
then it's likely that you'll be able to come in,

108
00:08:30,451 --> 00:08:34,396
write your filter, display the traffic that you want to see, or I should say,

109
00:08:34,396 --> 00:08:35,923
the packets you want to see,

110
00:08:35,933 --> 00:08:39,994
and start drilling into the details and finding things out

111
00:08:39,994 --> 00:08:44,227
that you need to know and will tell you the story.

112
00:08:44,227 --> 00:08:47,857
The client's trying to clear the DNS server.

113
00:08:47,857 --> 00:08:51,148
It's not working. And now we know why something is broken.

114
00:08:51,148 --> 00:08:52,879
Why is it not resolving?

115
00:08:52,879 --> 00:08:59,893
So that's a way for you to dig deeper into what is going on.

116
00:08:59,893 --> 00:09:11,810
Alright, so back to another capture. Let me just load this up.

117
00:09:11,810 --> 00:09:18,668
And as we see, this was a very simple one.

118
00:09:18,668 --> 00:09:22,741
Again, it was very muddy. There's a lot to scroll through here.

119
00:09:22,741 --> 00:09:25,682
One of the things that we wanted to highlight

120
00:09:25,682 --> 00:09:31,025
was that you can pull up your protocol hierarchy.

121
00:09:31,025 --> 00:09:36,639
And another way to do this is to pull up conversations from the Statistics menu.

122
00:09:36,639 --> 00:09:41,379
So your Statistics menu, I could see here that -

123
00:09:41,379 --> 00:09:48,235
Oh OK, well, I have a few things going on and maybe I want to look at the top talkers here.
124
00:09:48,235 --> 00:09:53,866
In bytes or in packets, we will take the most packets.

125
00:09:53,866 --> 00:09:57,516
And maybe I want to see specifically, I'll apply a filter.

126
00:09:57,516 --> 00:10:00,128
And I want to see specifically what that looks like,

127
00:10:00,128 --> 00:10:01,819
just that traffic.

128
00:10:01,819 --> 00:10:07,930
And as you can see, in the filter, I could have wrote, written that.

129
00:10:07,926 --> 00:10:13,170
I could have said, ethernet, or e dot address, equals,

130
00:10:13,170 --> 00:10:14,626
usually a double equals,

131
00:10:14,626 --> 00:10:21,614
the MAC address, ---- ----, and the ethernet dot address

132
00:10:21,619 --> 00:10:23,854
equals, equals the MAC address,

133
00:10:23,858 --> 00:10:28,372
the source to destination conversation, and would uphold this filter.

134
00:10:28,372 --> 00:10:34,182
Well, maybe I want to refine this further. Maybe I want to dig in a little bit deeper

135
00:10:34,182 --> 00:10:39,829
into this traffic, and I can go into my details pane and I want to follow the UDP stream.

136
00:10:39,829 --> 00:10:45,032
And I can see specifically there are certain DNS servers that I might be looking for here now

137
00:10:45,032 --> 00:10:48,784
that I might not be, might not have on my network, and then I can

138
00:10:48,784 --> 00:10:50,740
ping them and see if they're responding.

139
00:10:50,740 --> 00:10:55,630
So again, this is the, some of the ways that you can use this,

140
00:10:55,638 --> 00:10:58,964
Wireshark, to drill down more into filters

141
00:10:58,973 --> 00:11:03,100
and find more detailed information.

142
00:11:03,100 --> 00:11:10,503
You can, of course, just write in here DNS and it will pull the DNS information for you.

143
00:11:10,503 --> 00:11:15,410
Or you can write something a little bit more complex.
144
00:11:15,410 --> 00:11:24,956
So specifically, we've covered capture filters, display filters,

145
00:11:24,956 --> 00:11:27,672
we did a little bit of conversation filters.

146
00:11:27,672 --> 00:11:31,217
Let's go a little bit deeper into streams.

147
00:11:31,217 --> 00:11:34,174
So why is the stream important?

148
00:11:34,174 --> 00:11:39,605
Well, in this, in this conversation we're following a UDP stream.

149
00:11:39,605 --> 00:11:42,290
And here we want to see something very specific.

150
00:11:42,290 --> 00:11:51,273
We want to see if we were resolving something, maybe what domain name was it resolving to.

151
00:11:51,273 --> 00:11:55,874
Maybe I could throw that in the web browser and try to see if that resolves for me as well

152
00:11:55,874 --> 00:12:00,974
on the same client or on the machine that's nearby.

153
00:12:00,974 --> 00:12:04,495
You may not be able to see that directly right from the packets

154
00:12:04,495 --> 00:12:06,354
if you're going packet by packet.

155
00:12:06,354 --> 00:12:12,032
You may not know that there are 8 different conversations going on at the same time.

156
00:12:12,032 --> 00:12:17,242
So one of the tricks to doing this is to specifically find a conversation

157
00:12:17,242 --> 00:12:23,125
in your packet list pane. Maybe use a conversations filter and say,

158
00:12:23,125 --> 00:12:28,877
alright, well, I know it from this source IP, I run an ipconfig or an ifconfig and I say,

159
00:12:28,877 --> 00:12:33,071
on this system, this is the source IP address.

160
00:12:33,071 --> 00:12:35,810
So I know that's what I'm going to start filtering on.

161
00:12:35,827 --> 00:12:37,682
Maybe search for that IP.

162
00:12:37,688 --> 00:12:43,853
And I want to know what DNS server it might be trying to connect to.
163
00:12:43,853 --> 00:12:48,486
And if I at least go to the source and I look and follow the first query

164
00:12:48,486 --> 00:12:51,957
and I pull UDP stream, I might very quickly be able

165
00:12:51,957 --> 00:12:53,939
to find out something such as this.

166
00:12:53,939 --> 00:12:58,036
What was the domain name that they were trying to get to?

167
00:12:58,036 --> 00:13:01,005
Upon further investigation, I can find other things.

168
00:13:01,008 --> 00:13:03,380
I can find other protocols that are involved.

169
00:13:03,421 --> 00:13:07,344
I can also change it from raw data.

170
00:13:07,354 --> 00:13:10,240
I can look at arrays, I can look at pure hex dump.

171
00:13:10,243 --> 00:13:16,350
Or I can pull ASCII data. ASCII data is actually very helpful because

172
00:13:16,350 --> 00:13:20,928
then I can take that data and I can re-import it into,

173
00:13:20,929 --> 00:13:24,111
into Wireshark to, to build a conversation.

174
00:13:24,122 --> 00:13:29,218
Those are quite a few things that you can do with these streams.

175
00:13:29,218 --> 00:13:33,763
This is a UDP stream. TCP streams get a little bit more intense.

176
00:13:33,763 --> 00:13:39,845
But just for purposes of this lesson, as you can see,

177
00:13:39,854 --> 00:13:43,975
there's a lot that you can glean from this, this capture filter.

178
00:13:43,992 --> 00:13:54,922
And lastly, to close out the filters topics that we've covered thus far,

179
00:13:54,922 --> 00:13:58,900
a quick reminder that we're doing this to troubleshoot problems,

180
00:13:58,900 --> 00:14:00,838
to learn what's going on in the network,

181
00:14:00,838 --> 00:14:04,445
to figure out more things about the network.

182
00:14:04,445 --> 00:14:11,141
Things that we would not likely see. Things that we cannot gather without looking at the packets.

183
00:14:11,141 --> 00:14:15,980
Once we've captured all these packets, what exactly are we looking for?

184
00:14:15,980 --> 00:14:19,072
We put on a detective hat. We run a few pings.

185
00:14:19,072 --> 00:14:24,138
We do a little a, we figure out what our, our enterprise looks like.

186
00:14:24,138 --> 00:14:28,764
What's source to destination? We figure out what we want to filter on.

187
00:14:28,764 --> 00:14:32,130
And then from there, we can granulize the output

188
00:14:32,130 --> 00:14:33,920
and we can some specifics

189
00:14:33,920 --> 00:14:38,241
to drill down and find and isolate the root cause.

190
00:14:38,241 --> 00:14:44,895