1
00:00:00,000 --> 00:00:08,352

2
00:00:08,352 --> 00:00:14,917
Tshark is a command-line tool that you can run from a Linux-based distribution.

3
00:00:14,917 --> 00:00:20,309
It is helpful in capturing packet data.

4
00:00:20,309 --> 00:00:24,289
It's very similar to what you do with Wireshark.

5
00:00:24,289 --> 00:00:28,984
However, it is Wireshark at the command line, at the terminal.

6
00:00:28,984 --> 00:00:33,378
So, although it does a lot of the same things,

7
00:00:33,378 --> 00:00:36,886
you have to learn how to manipulate it in a way

8
00:00:36,886 --> 00:00:42,716
where you can get those specific things

9
00:00:42,716 --> 00:00:50,037
or those actions out of it by using switches and command-line data.

10
00:00:50,047 --> 00:00:55,859
So, what can you do with tshark? You can capture packets.

11
00:00:55,859 --> 00:00:59,622
You can display packets. You can select different interfaces.

12
00:00:59,622 --> 00:01:05,053
You can run statistics. You can use profiles.

13
00:01:05,053 --> 00:01:09,214
You can use a lot of the same things, although not everything

14
00:01:09,235 --> 00:01:11,451
that you can do in a GUI, but

15
00:01:11,463 --> 00:01:17,256
as mentioned in the Q&A, there are a lot of things that are very similar.

16
00:01:17,256 --> 00:01:22,195
You can merge capture files. There are separate command-line utilities

17
00:01:22,195 --> 00:01:29,936
for those specific functions. However, it requires a basic knowledge

18
00:01:29,936 --> 00:01:35,329
of the Linux and Unix command line to be able to manipulate it.

19
00:01:35,329 --> 00:01:40,259
So, some examples of important things that you should take note of.

20
00:01:40,259 --> 00:01:44,895
You would need to be a superuser,

21
00:01:44,895 --> 00:01:50,904
preferably; we do not like to log in as root on a Unix or Linux box.

22
00:01:50,896 --> 00:01:57,933
But you would obviously have to have superuser permissions to do certain functions.

23
00:01:57,942 --> 00:02:07,774
So, you may have to modify some files to be able to use tshark in all its functionality.

24
00:02:07,772 --> 00:02:10,995
You have to remember that with Unix and Linux,

25
00:02:10,995 --> 00:02:18,937
there are a lot of uppercase, lowercase settings or things that you would type in.

26
00:02:18,937 --> 00:02:23,289
And with Unix and Linux, it's primarily case sensitive.

27
00:02:23,289 --> 00:02:30,630
So you would have to be aware of that to navigate the command line or the shell.

28
00:02:30,630 --> 00:02:37,631
In Unix, you have to be aware of setting the shell and

29
00:02:37,631 --> 00:02:42,417
being aware of how that's going to output if you wanted to modify a file.

30
00:02:42,417 --> 00:02:46,744
Sometimes you would use the vi editor, as an example.

31
00:02:46,744 --> 00:02:52,453
So there are some Unix and Linux basics that you're going to have to know to be able to use this.

32
00:02:52,453 --> 00:02:59,848
Otherwise, a good way to learn, as I have up on the screen now, is you can download VMware.

33
00:02:59,848 --> 00:03:09,462
You can get any of many different distributions of Linux to load up and to test with.

34
00:03:09,471 --> 00:03:14,053
It's recommended though, if you're going to set up a

35
00:03:14,053 --> 00:03:18,276
Linux machine to do packet capture, that it is not on a VM.

36
00:03:18,284 --> 00:03:20,311
This is just for instructional purposes.

37
00:03:20,311 --> 00:03:22,345
You'd want it on the base machine.

38
00:03:22,350 --> 00:03:26,707
It interacts directly with your NIC instead of the vNIC.

39
00:03:26,718 --> 00:03:32,028
So, although this is helpful, it's only really looking at and analyzing stuff

40
00:03:32,028 --> 00:03:36,633
on the host machine right now, so it's limited, but

41
00:03:36,633 --> 00:03:42,127
if you're going to really do this and install Linux on a machine to use in the field

42
00:03:42,127 --> 00:03:45,236
to do protocol, packet and network analysis,

43
00:03:45,236 --> 00:03:48,504
you can install that directly to the host machine.

44
00:03:48,504 --> 00:03:56,920
That being said, you can basically also load the Wireshark GUI on Linux.

45
00:03:56,920 --> 00:04:01,708
So, whatever you aren't using tshark for,

46
00:04:01,708 --> 00:04:06,307
anything that you want to be using the GUI for, generally, it's also loaded.

47
00:04:06,307 --> 00:04:10,739
Also, when you install Wireshark, you have the option to put it in

48
00:04:10,748 --> 00:04:14,345
or take it out, so just be aware that when you did install it,

49
00:04:14,345 --> 00:04:17,347
hopefully you chose everything and it's already there;

50
00:04:17,347 --> 00:04:19,132
if not, you may need to add it.

51
00:04:19,132 --> 00:04:32,518
So as we mentioned earlier, tshark is capable of running a packet capture on your system.

52
00:04:32,518 --> 00:04:41,310
It is customizable. We talked about on Q&A, there are different things that you can do with it.

53
00:04:41,310 --> 00:04:46,095
There's a man page, if you are familiar with Linux.

54
00:04:46,095 --> 00:04:53,487
Unix-ish man pages: you can type in man, MAN, space, tshark.

55
00:04:53,483 --> 00:04:56,725
And it will give you many of the option settings that you need.

56
00:04:56,725 --> 00:05:00,195
And you can do that with editcap, mergecap, the rest as well.

57
00:05:00,195 --> 00:05:04,119
Basically, they're just executables that you're trying,

58
00:05:04,112 --> 00:05:06,559
or I should say binaries that you're trying

59
00:05:06,627 --> 00:05:11,881
to figure out switches for, or arguments, so that you can customize the strength

60
00:05:11,881 --> 00:05:21,493
and pull exactly what you need from tshark.

61
00:05:21,493 --> 00:05:22,922
And how do you use it?

62
00:05:22,922 --> 00:05:27,452
Obviously, you would need some basic Unix and Linux system,

63
00:05:27,493 --> 00:05:29,493
systems administration skills.

64
00:05:29,533 --> 00:05:33,269
I already went over basically what they need to be.

65
00:05:33,269 --> 00:05:40,207
It's not impossible to do. Most of you, if you're using Cisco devices,

66
00:05:40,197 --> 00:05:46,232
Linux is fairly easy because you're used to manipulating the command line.

67
00:05:46,232 --> 00:05:52,334
There's also, obviously, if you're using Bash or some kind of shell, it's a GUI-like window.

68
00:05:52,334 --> 00:05:56,621
So between the two, it's very, very simple to use;

69
00:05:56,621 --> 00:05:59,386
just make sure that when you install it,

70
00:05:59,402 --> 00:06:03,764
you follow the same criteria of adding the things that you need.

71
00:06:03,790 --> 00:06:09,009
You have the proper system requirements, which you can find on wireshark.org.

72
00:06:09,009 --> 00:06:14,039
And you have permissions to install, which generally,

73
00:06:14,039 --> 00:06:19,559
and to configure Wireshark installation and configuration files, which would require

74
00:06:19,559 --> 00:06:22,924
something other than a user privilege.

75
00:06:22,924 --> 00:06:26,604
And as we noted before, you're going to be running

76
00:06:26,614 --> 00:06:30,010
this from the terminal window - tshark terminal.

77
00:06:30,002 --> 00:06:35,812
And you should learn how to use the man pages, which are basically

78
00:06:35,817 --> 00:06:40,885
your view into help files, if you will.

79
00:06:40,897 --> 00:06:48,826
As if you're going to type a question mark at a command prompt in Cisco,

80
00:06:48,826 --> 00:06:54,394
or you're trying to figure out more information. Man pages are generally

81
00:06:54,394 --> 00:06:59,204
where you can find these different switches and so on and so forth.

82
00:06:59,204 --> 00:07:07,628
So there are a lot of questions about the Nexus and its packet capture capability.

83
00:07:07,628 --> 00:07:13,467
So you have the Ethanalyzer, you have the ability to capture packets

84
00:07:13,467 --> 00:07:18,513
and get them into a device such as Wireshark to analyze.

85
00:07:18,511 --> 00:07:22,909
I believe the question was, 'Is tshark directly on the Nexus platform?'

86
00:07:22,909 --> 00:07:28,730
I do not believe so. I believe that it is not tshark, it's Ethanalyzer.

87
00:07:28,730 --> 00:07:35,749
It may have the same functionality, but it's named differently.

88
00:07:35,738 --> 00:07:40,967
So I do not believe that it is called tshark. So I hope that answers that question.

89
00:07:40,985 --> 00:07:43,539
But they can be used together.

90
00:07:43,558 --> 00:07:48,731
You can take the data and you can use it in Wireshark.

91
00:07:48,731 --> 00:07:55,328
So we will talk about that in the last two modules, I believe. It's file formats.

92
00:07:55,328 --> 00:08:00,374
And that's why file formats is so important, because with file formats

93
00:08:00,374 --> 00:08:04,557
you're going to be moving the data around and opening it in other things,

94
00:08:04,557 --> 00:08:09,475
and if you do not have it in the correct format, then you either might not open it

95
00:08:09,475 --> 00:08:13,540
or you may lose data. So, just as we mentioned when we were talking about timestamps,

96
00:08:13,540 --> 00:08:18,270
you can put it from one to the other, and it will lose, for example, nanoseconds

97
00:08:18,270 --> 00:08:25,365
if the other analyzer you opened it in does not allow for that.

98
00:08:25,365 --> 00:08:33,684
So, I hope I answered that question. Let's see what else we have.

99
00:08:33,738 --> 00:08:38,680
Launching tshark, multiple tsharks -

100
00:08:38,719 --> 00:08:46,617
So you can open up tshark, multiple instances of tshark.

101
00:08:46,628 --> 00:08:49,974
Yes, and you can use it to capture different things.

102
00:08:49,988 --> 00:08:55,029
Yes, so as an example of hiding it on the system,

103
00:08:55,050 --> 00:09:12,459
as a background process. Yes, and let's see what else.

104
00:09:12,459 --> 00:09:21,838
And as far as trying to determine packet loss, yes, if you did Wireshark or tshark on one

105
00:09:21,838 --> 00:09:27,368
close to the source or on the source, or close to the destination or on the destination,

106
00:09:27,368 --> 00:09:30,185
and you ran the same statistics that we did

107
00:09:30,199 --> 00:09:32,605
when we looked at the GUI version of Wireshark,

108
00:09:32,658 --> 00:09:35,747
you can then determine the same types of things,

109
00:09:35,747 --> 00:09:37,507
which will be the round trip.

110
00:09:37,507 --> 00:09:43,537
Packet loss could be determined by many things, but

111
00:09:43,537 --> 00:09:48,111
Wireshark and/or tshark can help you come to that conclusion.

112
00:09:48,111 --> 00:09:56,114