1
00:00:00,000 --> 00:00:08,682

2
00:00:08,682 --> 00:00:11,502
So a couple of great questions came up

3
00:00:11,509 --> 00:00:15,314
on looking deeper into things, and

4
00:00:15,319 --> 00:00:18,803
I mentioned this earlier in the course that

5
00:00:18,803 --> 00:00:23,437
Wireshark is extremely helpful, extremely powerful, but

6
00:00:23,437 --> 00:00:28,087
there are enterprise tool sets out there that will allow you

7
00:00:28,087 --> 00:00:35,228
to do more with network and protocol and traffic analysis, and one of them,

8
00:00:35,228 --> 00:00:40,187
as mentioned again earlier in the foundations course, was

9
00:00:40,187 --> 00:00:44,825
Riverbed, who owns a huge stake in Wireshark.

10
00:00:44,825 --> 00:00:50,204
They have tools such as Cascade, ARX.

11
00:00:50,204 --> 00:00:55,846
There's agents that run directly on the systems themselves all the way through the network.

12
00:00:55,838 --> 00:00:59,304
And it'll all give you an entire picture of application response

13
00:00:59,304 --> 00:01:02,367
all the way down to the database layer of an application.

14
00:01:02,367 --> 00:01:08,403
So, there are many tool sets that you can use;

15
00:01:08,403 --> 00:01:12,494
however, the focus of this course is on Wireshark

16
00:01:12,494 --> 00:01:14,494
and what you can do directly with it.

17
00:01:14,494 --> 00:01:19,539
If you can get the foundations down, move in to more advanced functionality,

18
00:01:19,539 --> 00:01:22,203
and then into those enterprise tool sets,

19
00:01:22,203 --> 00:01:28,451
you will be able to quickly and very easily tell what's going on on your network at all times

20
00:01:28,459 --> 00:01:31,778
and the systems that live and operate on it.

21
00:01:31,778 --> 00:01:37,237
Ok, in this module, we will be talking about command-line tools.

22
00:01:37,237 --> 00:01:42,346
So interestingly, with Wireshark,

23
00:01:42,346 --> 00:01:48,064
and with Cisco, and with Unix, and with Windows,

24
00:01:48,064 --> 00:01:52,559
a lot of people like operating at the command-line.

25
00:01:52,559 --> 00:01:58,253
Some of us, for geeky reasons, prefer to type specifically what we want.

26
00:01:58,253 --> 00:02:03,310
We don't necessarily need to point and click and go through an entire subset of menus.

27
00:02:03,310 --> 00:02:09,609
Some of us are able to operate very quickly while using the command-line.

28
00:02:09,609 --> 00:02:17,099
And by doing so, you can understand things and move very quickly through them,

29
00:02:17,099 --> 00:02:20,270
but you have to know the command-line.

30
00:02:20,270 --> 00:02:23,778
What else is it beneficial for? Scripting.

31
00:02:23,778 --> 00:02:27,424
So, you can automate pretty much anything that you want

32
00:02:27,418 --> 00:02:29,984
on just about any system,

33
00:02:30,002 --> 00:02:32,833
because if you have the ability to do things at the command-line,

34
00:02:32,828 --> 00:02:39,638
then you can write batch files, scripts, shell scripts.

35
00:02:39,646 --> 00:02:45,248
There's a lot of things that you can create to automate functionality.

36
00:02:45,248 --> 00:02:51,343
So, that's another reason why a lot of people work with and enjoy the command-line.

37
00:02:51,343 --> 00:02:55,121
So for purposes of this course,

38
00:02:55,121 --> 00:03:01,100
and what we're going to be doing, I've fired up a VM with Linux on it,

39
00:03:01,100 --> 00:03:04,862
which we will go through, and we will use tshark

40
00:03:04,862 --> 00:03:08,471
and some of the other tools, just so you can be aware of them.

41
00:03:08,471 --> 00:03:11,098
So the command-line tools that you will see,

42
00:03:11,098 --> 00:03:16,097
the ones that are available with Wireshark,

43
00:03:16,097 --> 00:03:19,068
are, first and foremost, tshark.

44
00:03:19,068 --> 00:03:23,967
So, you're operating at a terminal. You want to use Wireshark functionality.

45
00:03:23,967 --> 00:03:29,042
Very, very similar to tcpdump, which is next on the list.

46
00:03:29,042 --> 00:03:32,730
Both of these are packet capture tools.

47
00:03:32,730 --> 00:03:36,003
Tcpdump has been around for ages,

48
00:03:36,026 --> 00:03:40,444
standard with most Unix and Linux operating systems.

49
00:03:40,458 --> 00:03:45,362
It is also found on a great many firewalls.

50
00:03:45,362 --> 00:03:49,630
If any of you have ever used some other firewalls,

51
00:03:49,630 --> 00:03:55,176
other than, basically, Cisco proprietary firewalls,

52
00:03:55,176 --> 00:04:01,957
McAfee Sidewinders as an example, you can run tcpdump right on the console.

53
00:04:01,957 --> 00:04:08,232
So there's a lot of tcpdump, tshark-ish

54
00:04:08,252 --> 00:04:12,009
command-line packet capture tools available

55
00:04:12,003 --> 00:04:17,845
very freely, on most, if not all, systems.

56
00:04:17,845 --> 00:04:23,529
Other command-line tools that you may encounter: dumpcap,

57
00:04:23,538 --> 00:04:26,661
rawshark, editcap, mergecap.

58
00:04:26,671 --> 00:04:30,150
Some of them are very, very self-explanatory.

59
00:04:30,150 --> 00:04:35,881
So, as an example, if you wanted to run a packet capture

60
00:04:35,881 --> 00:04:39,591
on the command-line, we can do that right from here.

61
00:04:39,591 --> 00:04:42,802
In this VM, I have tshark running.

62
00:04:42,802 --> 00:04:46,934
And it is simply just capturing all the data in the background while we're talking.

63
00:04:46,934 --> 00:04:55,741
We can, in fact, capture data. We can stop it, and then we can move to

64
00:04:55,741 --> 00:05:00,198
editing it or merging it with another capture file.

65
00:05:00,198 --> 00:05:07,386
So, each one of these utilities is used to get into the capture and work with it.

66
00:05:07,394 --> 00:05:11,228
So, you can do pretty much the same things

67
00:05:11,229 --> 00:05:14,559
that you can do with Wireshark with the command-line tools.

68
00:05:14,559 --> 00:05:19,825
But obviously, not everything. Some of the tools that we went through in earlier modules,

69
00:05:19,825 --> 00:05:26,763
such as the flow graph and the plotting statistical tools,

70
00:05:26,771 --> 00:05:32,891
they are in the GUI only. But I will say this: if you're running Wireshark,

71
00:05:32,891 --> 00:05:36,563
let's say on Linux, yes, you can use tshark, but

72
00:05:36,563 --> 00:05:42,177
the GUI version is also available, so you can just run it right from there.

73
00:05:42,177 --> 00:05:49,086
So we'll let that run in the background.

74
00:05:49,086 --> 00:05:53,353
So as we just mentioned, a little bigger there for you,

75
00:05:53,353 --> 00:05:55,713
the command-line tools: right now,

76
00:05:55,722 --> 00:05:59,485
we're running a packet capture on Linux using tshark,

77
00:05:59,511 --> 00:06:05,208
very much again like tcpdump. We'll also look at tcpdump, but

78
00:06:05,224 --> 00:06:12,767
specifically, it's just capturing the packets, the packet list pane data.

79
00:06:12,766 --> 00:06:19,329
Right there for you to see, scrolling. You can see specific information scrolling by.

80
00:06:19,329 --> 00:06:26,201
I see a lot of name querying, so just as an example.

81
00:06:26,201 --> 00:06:31,903
And then other tools, such as tcpdump, very similar.

82
00:06:31,903 --> 00:06:36,138
So what I wanted to do while we are running this

83
00:06:36,160 --> 00:06:45,424
is I also wanted to run a tcpdump.

84
00:06:45,436 --> 00:06:52,595
It'll run a while. And then, to stimulate some traffic,

85
00:06:52,587 --> 00:06:55,762
I'll just do a dig and do some basic querying.

86
00:06:55,822 --> 00:06:59,922
So just generate a whole bunch of traffic on the network, and there we go.

87
00:06:59,922 --> 00:07:07,233
Alright so, as we mentioned before, there's a lot of things that we can use

88
00:07:07,233 --> 00:07:11,033
to capture data, but if we're going to do it at the command-line,

89
00:07:11,033 --> 00:07:14,885
we're going to be using primarily tcpdump or tshark.

90
00:07:14,885 --> 00:07:20,999
Tcpdump is generally found on most Linux and Unix distributions.

91
00:07:20,999 --> 00:07:25,582
Again, as mentioned before, on a bunch of firewall distributions,

92
00:07:25,588 --> 00:07:27,916
there's variations of these.

93
00:07:27,921 --> 00:07:34,335
I recommend playing around with this. It will show you very quickly

94
00:07:34,347 --> 00:07:37,350
and easily what may be going on on your network

95
00:07:37,350 --> 00:07:38,550
at the command-line.

96
00:07:38,550 --> 00:07:42,081
So for example, you're troubleshooting a Linux host,

97
00:07:42,081 --> 00:07:45,682
you do a quick ifconfig. You see what IP address you have.

98
00:07:45,682 --> 00:07:51,613
Ok, that's my source. Where am I going to? Maybe do a quick dig

99
00:07:51,641 --> 00:07:55,975
and try to resolve a website. Ok, there's my destination.

100
00:07:55,975 --> 00:08:00,089
Run a tcpdump or tshark

101
00:08:00,089 --> 00:08:06,297
and just start capturing data, and have an idea of what my source and destination are.

102
00:08:06,297 --> 00:08:10,664
And once I am done with that capture, I can close it, I can save it,

103
00:08:10,675 --> 00:08:13,110
and then I can parse it further.

104
00:08:13,110 --> 00:08:19,733
I can edit it. I can merge it with other capture files, and so on.

105
00:08:19,733 --> 00:08:30,014
And here's just a little bit of a closer look at a tcpdump.

106
00:08:30,014 --> 00:08:40,300
And some more questions based on this, and examples.

107
00:08:40,328 --> 00:08:47,092
Again here, everything off the command-line can be run pretty quickly.

108
00:08:47,083 --> 00:08:52,861
You can stop the tshark process. You can stop the tcpdump process.

109
00:08:52,861 --> 00:08:57,411
And you can run it directly from the command-line here.

110
00:08:57,462 --> 00:09:00,727
If you're following the syllabus,

111
00:09:00,731 --> 00:09:04,527
the next module I'm going into is based on tshark.

112
00:09:04,527 --> 00:09:09,784
So these questions are perfectly aligned with what we will be talking about.

113
00:09:09,784 --> 00:09:16,181
However, prior to getting to them, I will answer some of these questions now.

114
00:09:16,181 --> 00:09:21,960
So one of the questions that was asked was, "Can you do more than just run a capture?

115
00:09:21,960 --> 00:09:25,264
Can you do other things with tshark?" And the answer is yes.

116
00:09:25,264 --> 00:09:30,658
So, obviously, if you're familiar with Unix, the man pages,

117
00:09:30,674 --> 00:09:34,170
there's information here that I can pull.

118
00:09:34,205 --> 00:09:41,468
I type man space tshark. And it basically gives me the syntax

119
00:09:41,498 --> 00:09:44,662
that I need to be able to pull

120
00:09:44,691 --> 00:09:49,008
pretty much what it is that I would do from a GUI.

121
00:09:49,012 --> 00:09:51,515
Now, it won't do, as I said,

122
00:09:51,529 --> 00:09:54,018
everything the GUI will do, but it will do quite a bit.

123
00:09:54,018 --> 00:09:58,965
And this is the missing link here: it's the actual syntax that you will apply.

124
00:09:58,965 --> 00:10:04,011
So as an example, and remember that with Unix and Linux,

125
00:10:04,218 --> 00:10:06,218
everything is case sensitive.

126
00:10:06,424 --> 00:10:13,111
If you wanted to specifically apply settings, you could look through here and say that,

127
00:10:13,127 --> 00:10:20,214
"Ok, I want to do a display filter, which would be minus upper-case Y;

128
00:10:20,213 --> 00:10:27,118
capture would be minus lower-case s."

129
00:10:27,118 --> 00:10:33,525
So the more you play around with it, the more that you can get some data out of it.

130
00:10:33,529 --> 00:10:40,175
But yes, running tshark with these options is going to help you get more granular data.

131
00:10:40,175 --> 00:10:45,364
And yes, you can run filters, and yes, you can specify different things

132
00:10:45,376 --> 00:10:47,690
when you're running tshark.

133
00:10:47,713 --> 00:10:54,657
So let me actually supersize this so you can see it.

134
00:10:54,654 --> 00:10:57,857
And I apologize, it's a little small, but

135
00:10:57,869 --> 00:11:07,958
if you type in man space tshark, you will get an entire listing of options that you can use.

136
00:11:07,958 --> 00:11:15,046
Ok, that was one question. And in the chat,

137
00:11:15,132 --> 00:11:17,254
if I don't answer your question completely,

138
00:11:17,259 --> 00:11:22,994
feel free to repost the question with clearer instructions

139
00:11:23,011 --> 00:11:25,601
on what it is that you would like me to answer.

140
00:11:25,595 --> 00:11:32,242
In which cases would you use the command-line versus the GUI?

141
00:11:32,242 --> 00:11:38,013
As we mentioned before,

142
00:11:38,043 --> 00:11:41,188
it's just quicker and easier if that's what you're used to.

143
00:11:41,264 --> 00:11:44,861
It's a lot less overhead on the system.

144
00:11:44,861 --> 00:11:48,373
You don't have to load up the Wireshark tool.

145
00:11:48,373 --> 00:11:52,488
Although it doesn't take up a tremendous amount of memory, the capture will.

146
00:11:52,488 --> 00:11:57,674
It's still low overhead. It's helpful in that way.

147
00:11:57,674 --> 00:12:02,710
It's also helpful in the sense, as I mentioned before, if you're running scripts

148
00:12:02,710 --> 00:12:05,346
and you want to script some of this out and automate it,

149
00:12:05,346 --> 00:12:09,492
you can do so with these types of commands.

150
00:12:09,492 --> 00:12:15,623
Essentially, that's one of the major reasons people like to use the command-line:

151
00:12:15,623 --> 00:12:18,723
they can script out what it is that they want to do

152
00:12:18,746 --> 00:12:22,108
and then launch it as a shell script.

153
00:12:22,123 --> 00:12:29,331