1
00:00:00,000 --> 00:00:08,182

2
00:00:08,182 --> 00:00:09,640
Hey, welcome back.

3
00:00:09,636 --> 00:00:12,912
In this section of the Wireshark Foundations course,

4
00:00:12,907 --> 00:00:17,564
we will be talking about UDP and TCP streams.

5
00:00:17,564 --> 00:00:29,793
So, just to refine what this is, because in the next section when we start going over

6
00:00:29,793 --> 00:00:33,011
troubleshooting specific applications and how they work,

7
00:00:33,011 --> 00:00:37,539
knowing how to work with streams will be extremely important.

8
00:00:37,539 --> 00:00:43,103
To be able to quickly pull the information that you need,

9
00:00:43,103 --> 00:00:47,277
you're going to see a lot of different packets, and what you're really going to want to do is

10
00:00:47,277 --> 00:00:51,221
you want to drill on the entire conversation so that

11
00:00:51,221 --> 00:00:52,590
when you're troubleshooting something

12
00:00:52,590 --> 00:00:56,088
you could see exactly from start to finish what's happening.

13
00:00:56,088 --> 00:01:03,506
And when you follow the streams, it will give you a higher level of view of the data,

14
00:01:03,506 --> 00:01:07,793
such as the application layer of the OSI model.

15
00:01:07,793 --> 00:01:13,152
Streams allow you to pull an entire conversation from the captured data.

16
00:01:13,152 --> 00:01:22,530
If you, for example, wanted to view telnet, or FTP, or any kind of TCP-based protocol,

17
00:01:22,530 --> 00:01:26,599
and you wanted to see the entire thing, telnet is a good example.

18
00:01:26,599 --> 00:01:32,112
Let's say you were telnetting from your workstation to a Cisco router.

19
00:01:32,113 --> 00:01:34,552
Yes, we should be using SSH.

20
00:01:34,543 --> 00:01:37,531
However, in this example, we used telnet because

21
00:01:37,531 --> 00:01:43,856
with IPv4 protocols, that information was sent in clear text.

22
00:01:43,856 --> 00:01:49,339
So what I could do is, I could filter for TCP, I could filter for telnet,

23
00:01:49,339 --> 00:01:52,646
and I could filter for the IP address source to destination.

24
00:01:52,646 --> 00:01:58,292
But then when I right click it, and look for and go to the TCP stream,

25
00:01:58,292 --> 00:02:04,100
I can quickly pull up in that window specific data that's very important to me,

26
00:02:04,100 --> 00:02:09,913
such as the entire conversation, where I may be able to glean the credentials

27
00:02:09,913 --> 00:02:14,591
of what it is that you sent when you try to connect to that device.

28
00:02:14,591 --> 00:02:21,052
This is, obviously, a security question, a question of security,

29
00:02:21,052 --> 00:02:27,171
because this is one of the main reasons why most companies have a policy of not allowing

30
00:02:27,171 --> 00:02:31,443
a protocol analyzer to be run on their network.

31
00:02:31,443 --> 00:02:38,116
Unencrypted mail, unencrypted attempts at logging into devices, SNP information,

32
00:02:38,116 --> 00:02:43,051
is constantly traversing the network. And if it is not encrypted,

33
00:02:43,047 --> 00:02:48,226
you can quickly follow a stream and find that information within it.

34
00:02:48,226 --> 00:02:56,038
As an example, we're just going to take a basic stream, and when we look within it

35
00:02:56,038 --> 00:03:01,977
we can basically see what website you went to, why you went to the website,

36
00:03:01,968 --> 00:03:04,749
what you did, for example, you were getting something,

37
00:03:04,749 --> 00:03:08,656
things that were sent back, the posts.

38
00:03:08,656 --> 00:03:14,171
If there was any other transmission, it will be found in the conversation.

39
00:03:14,171 --> 00:03:20,036
So that's a question, or that's a consideration, for security, but when we go

40
00:03:20,028 --> 00:03:24,609
to the realm of troubleshooting, it shows you the entire picture of activities.

41
00:03:24,618 --> 00:03:28,252
So, someone was saying, I was trying to go somewhere and

42
00:03:28,266 --> 00:03:29,922
do something and there was a problem,

43
00:03:29,922 --> 00:03:34,157
you can quickly look at the entire stream. Here, you could see the TCP stream.

44
00:03:34,157 --> 00:03:38,854
And you can start to put together what could have happened.

45
00:03:38,854 --> 00:03:44,670
For example, you may see a 44 error or 500 error or some type of page error.

46
00:03:44,670 --> 00:03:48,351
That may indicate that there's an issue with the web server,

47
00:03:48,351 --> 00:03:56,011
and you have been quick, you've quickly been able to find this out by using the TCP stream.

48
00:03:56,011 --> 00:04:05,092
You can also use UDP streams. Very commonly used with OSPF updates,

49
00:04:05,080 --> 00:04:13,308
multicast data, DNS queries. There's a lot of things that we can find

50
00:04:13,308 --> 00:04:19,199
by reviewing UDP data, specifically the UDP stream.

51
00:04:19,199 --> 00:04:24,843
And it will also allow us to view the entire conversation from start to finish

52
00:04:24,843 --> 00:04:27,664
based on what it is that we want to look for.

53
00:04:27,664 --> 00:04:31,416
And in this case, we were looking specifically for

54
00:04:31,416 --> 00:04:39,460
some DNS queries; some email activity was taking place and it was a query.

55
00:04:39,460 --> 00:04:43,055
And it failed, and therefore email could not have been sent,

56
00:04:43,055 --> 00:04:47,788
and we were able to see the entire conversation from source to destination.

57
00:04:47,788 --> 00:04:52,593
Everything that happened, as well as the failure within the stream,

58
00:04:52,593 --> 00:04:57,514
so that we can, more closely figure, see and then figure out

59
00:04:57,514 --> 00:04:59,514
and isolate to root cause.

60
00:04:59,514 --> 00:05:04,437