1
00:00:00,000 --> 00:00:08,402

2
00:00:08,402 --> 00:00:13,203
In our next module, we will cover using the Expert.

3
00:00:13,203 --> 00:00:19,712
The Expert is a tool that you can use with Wireshark

4
00:00:19,712 --> 00:00:24,699
that will help you zoom in or give you a clue

5
00:00:24,699 --> 00:00:27,472
as to what may be going on within your capture.

6
00:00:27,480 --> 00:00:35,812
It will provide some intelligence in what it thinks could be happening.

7
00:00:35,818 --> 00:00:42,350
For example, you may have a lot of retransmissions due to a performance issue.

8
00:00:42,358 --> 00:00:46,040
It will tell you that you have a lot of transmissions,

9
00:00:46,051 --> 00:00:51,100
retransmissions, suspected retransmission issue.

10
00:00:51,110 --> 00:00:56,424
It will tell you if you have malformed or corrupted data, in its opinion.

11
00:00:56,430 --> 00:01:01,648
However, some of the data is and could be a

12
00:01:01,659 --> 00:01:05,828
false positive and may point you in the wrong direction

13
00:01:05,840 --> 00:01:09,301
if you're not familiar with what it is that you're looking at.

14
00:01:09,301 --> 00:01:17,325
A good example is if, let's say, you're getting a couple of retransmissions,

15
00:01:17,325 --> 00:01:22,155
and you think that's a problem, but it was just a brief issue.

16
00:01:22,155 --> 00:01:26,370
That's how TCP/IP is, or TCP is supposed to operate,

17
00:01:26,370 --> 00:01:31,876
and it's not necessarily a problem, but it is being flagged in the Expert.

18
00:01:31,876 --> 00:01:35,773
So, the Expert is a guide.

19
00:01:35,773 --> 00:01:41,039
I like to call it a guide because it guides me into helping solve issues.

20
00:01:41,040 --> 00:01:43,168
It doesn't tell me what the problem is.

21
00:01:43,168 --> 00:01:46,768
It helps to point me in the correct direction.

22
00:01:46,768 --> 00:01:52,969
It is helpful for me to baseline activity on my network

23
00:01:52,969 --> 00:01:55,850
or the network that I am troubleshooting.

24
00:01:55,850 --> 00:02:00,425
You should remember there are false positives.

25
00:02:00,425 --> 00:02:02,846
They're possible problems.

26
00:02:02,846 --> 00:02:07,959
It very well may show you that you do have an issue.

27
00:02:07,959 --> 00:02:13,644
But again, you have to have some foundational experience and knowledge

28
00:02:13,652 --> 00:02:17,693
in networking to be able to read what that is and read through it.

29
00:02:17,687 --> 00:02:22,729
And based on what you're troubleshooting, the information could even be limited.

30
00:02:22,729 --> 00:02:28,928
So it may not show you a problem. You may overlook a problem

31
00:02:28,928 --> 00:02:32,871
if you're just looking at the Expert. So remember, it's a guide.

32
00:02:32,871 --> 00:02:37,912
So what can you find? I like to call them clues.

33
00:02:37,920 --> 00:02:44,036
We'll pull up Wireshark now and we'll take a look at the Expert.

34
00:02:44,035 --> 00:02:52,076
And you can find this in the Analyze menu under Expert Info.

35
00:02:52,076 --> 00:02:56,256
And although I've modified mine a little,

36
00:02:56,256 --> 00:02:59,308
and I will show you how to do that in the next module,

37
00:02:59,308 --> 00:03:05,553
it will show me basically errors. Here I see a malformed TCP packet,

38
00:03:05,553 --> 00:03:12,139
warnings, a few notes based on some duplicate ACKs.

39
00:03:12,159 --> 00:03:14,512
Again, it may not be a problem.

40
00:03:14,514 --> 00:03:18,511
It may just be how the network is operating at that time.

41
00:03:18,518 --> 00:03:23,073
It doesn't necessarily mean that it is the cause of the performance issues.

42
00:03:23,080 --> 00:03:25,915
So remember, it's guiding you.

43
00:03:25,916 --> 00:03:29,445
It's not necessarily telling you what the problem is.

44
00:03:29,445 --> 00:03:32,434
There's no correlation between the fact that

45
00:03:32,440 --> 00:03:35,090
you know that there's a performance issue, or that's what you're told,

46
00:03:35,098 --> 00:03:40,358
and you capture some data, open up the Expert and see some information.

47
00:03:40,362 --> 00:03:45,599
It may or may not be correlated, so you have to do some investigation.

48
00:03:45,599 --> 00:03:53,023
It will tell you specifically what packets are tied to what information.

49
00:03:53,023 --> 00:03:55,847
So as you see, there's many GET requests here.

50
00:03:55,861 --> 00:04:02,472
This isn't primarily an HTTP-based, web-server-based communication.

51
00:04:02,472 --> 00:04:05,019
So I may be able to pull some information from here.

52
00:04:05,019 --> 00:04:09,537
There's further details and, interestingly,

53
00:04:09,537 --> 00:04:13,331
which we'll get to in one of the last couple of modules,

54
00:04:13,331 --> 00:04:17,763
is that you can, as you go into your packets,

55
00:04:17,763 --> 00:04:23,171
annotate a packet to say something specific, like you may find a packet that's an anomaly.

56
00:04:23,171 --> 00:04:28,367
And you may want to enter or annotate it and leave a comment.

57
00:04:28,367 --> 00:04:33,733
And you can also see that in the Packet Comments tab here.

58
00:04:33,733 --> 00:04:38,341
So, there is some information that you can glean from here, but remember,

59
00:04:38,341 --> 00:04:44,111
it's not necessarily going to point you to what you think may be the problem.

60
00:04:44,111 --> 00:04:46,834
It's going to give you a clue and will guide you.

61
00:04:46,834 --> 00:04:54,347
Specifically, you will find Expert information in the details pane.

62
00:04:54,340 --> 00:04:59,684
You may have to drill down for it, but as you go into

63
00:04:59,695 --> 00:05:04,848
the Expert and you flag a packet, this packet in particular.

64
00:05:04,846 --> 00:05:10,969
Packet 532, if I go into 532.

65
00:05:10,969 --> 00:05:14,148
It will mark the packet up with Expert information.

66
00:05:14,148 --> 00:05:21,171
So that's how I know particularly that I have Expert information

67
00:05:21,171 --> 00:05:26,089
viewable in the actual detail pane.

68
00:05:26,089 --> 00:05:29,393
So I can drill even deeper down into it

69
00:05:29,393 --> 00:05:32,448
to see exactly what that message was.

70
00:05:32,462 --> 00:05:37,915
OK. So as we mentioned,

71
00:05:37,911 --> 00:05:42,598
the Expert will provide you with some information.

72
00:05:42,598 --> 00:05:47,378
It will not necessarily give you the problem.

73
00:05:47,378 --> 00:05:51,050
It may help to solve the problem, but

74
00:05:51,050 --> 00:05:56,923
it's generally just a way to take a look at what Wireshark thought

75
00:05:56,923 --> 00:06:02,420
was interesting about the packets and provide them in an area where you can go through it

76
00:06:02,432 --> 00:06:08,644
and try to surmise for yourself, through further investigation and analysis,

77
00:06:08,644 --> 00:06:10,644
what could be the problem.

78
00:06:10,644 --> 00:06:14,116
Common ones would be, for example,

79
00:06:14,134 --> 00:06:19,437
if you had a windowing issue or buffering, what does that really mean?

80
00:06:19,435 --> 00:06:22,833
It's telling you that there's an issue, but does that mean there are

81
00:06:22,833 --> 00:06:26,110
overwhelmed buffers on the client? Or the client

82
00:06:26,127 --> 00:06:30,393
doesn't have enough resources to work the data?

83
00:06:30,393 --> 00:06:36,083
Or is it slow through the network, and the destination end is being overwhelmed?

84
00:06:36,077 --> 00:06:39,076
So again, just seeing something may give you a clue, but

85
00:06:39,075 --> 00:06:41,580
you're going to have to dig a little bit deeper into it.

86
00:06:47,671 --> 00:06:55,051
So as we were looking at before, there are multiple tabs in the Wireshark Expert.

87
00:06:55,064 --> 00:07:03,552
Let me just pull that back up. Here, you will see that you have an Errors tab.

88
00:07:03,552 --> 00:07:11,649
And the errors will show you if it may be a major issue, such as corrupted data.

89
00:07:11,654 --> 00:07:15,793
This is something that you immediately want to take a look at and flag.

90
00:07:15,793 --> 00:07:20,378
This packet in particular. Again, this is a small capture.

91
00:07:20,378 --> 00:07:25,008
At the end of the session, I will open up a larger capture,

92
00:07:25,008 --> 00:07:30,128
one full of problems, and show you just how busy the Expert can get.

93
00:07:30,128 --> 00:07:37,319
But in particular here, the errors will show you something of major significance.

94
00:07:37,319 --> 00:07:45,052
Warnings show something less serious but more likely to be a potential issue.

95
00:07:45,052 --> 00:07:48:601
It could be something similar to a disconnect.

96
00:07:48,626 --> 00:07:52,457
Notes show less serious warnings.

97
00:07:52,464 --> 00:07:56,703
Application error codes; we saw some GET requests.

98
00:07:56,682 --> 00:08:00,682
We might see some page errors on HTTP, like

99
00:08:00,682 --> 00:08:08,958
400 or 500 errors or something of that nature. You would see that in your notes.

100
00:08:08,958 --> 00:08:16,150
Your Chats will show you conversation traffic such as the TCP handshake.

101
00:08:16,150 --> 00:08:18,072
So as you can see in here,

102
00:08:18,072 --> 00:08:23,779
you have ACK, SYN ACK, reset, connection reset.

103
00:08:23,758 --> 00:08:29,743
So we may want to see, wow, we have quite a few connection resets,

104
00:08:29,743 --> 00:08:35,667
all seemingly in a row. So what could be causing the reset?

105
00:08:35,667 --> 00:08:40,703
Is that normal? So it's giving you a clue there.

106
00:08:40,703 --> 00:08:47,552
Details will show you details from the other four tabs.

107
00:08:47,552 --> 00:08:51,333
So, here, the severity will show you the tab.

108
00:08:51,333 --> 00:08:55,131
So, here we see one from the Chat, so more information.

109
00:08:55,131 --> 00:09:02,894
We see a note. We see, as we drill down, here's an error.

110
00:09:02,894 --> 00:09:07,861
Here's the major one, but it's nice because it shows you in packet order.

111
00:09:07,861 --> 00:09:12,409
So what you can do is it'll tell you a story from the start to the finish of the capture,

112
00:09:12,409 --> 00:09:16,016
everything that the Expert caught, and it may be able to help you.

113
00:09:16,016 --> 00:09:21,655
For example, here we see an entire HTTP communication.

114
00:09:21,648 --> 00:09:24,641
We see a 304 Not Modified.

115
00:09:24,660 --> 00:09:30,234
We see a connection established request.

116
00:09:30,234 --> 00:09:36,131
So you're actually seeing in sequence what all may lead up to

117
00:09:36,131 --> 00:09:41,675
a problem, where, as we saw at the end of the HTTP sequence,

118
00:09:41,675 --> 00:09:47,330
we saw a retransmission and a possible malformed packet.

119
00:09:47,330 --> 00:09:57,229
And again, the packet comments are new with newer versions of Wireshark.

120
00:09:57,229 --> 00:10:04,853
If you saved the capture as a PCAPng, you will be able to make and save comments

121
00:10:04,885 --> 00:10:08,502
into the packets and/or the entire capture file.

122
00:10:08,502 --> 00:10:14,587
You can also run filters directly from.

123
00:10:14,587 --> 00:10:18,069
So as we mentioned when we were talking about filtering,

124
00:10:18,069 --> 00:10:20,696
you can filter directly from the Expert.

125
00:10:20,696 --> 00:10:25,617
This is extremely helpful because if you're interested in figuring something out,

126
00:10:25,617 --> 00:10:31,470
you may want to drill down into the data and filter it.

127
00:10:31,506 --> 00:10:34,518
OK, welcome back.

128
00:10:34,529 --> 00:10:39,093
Before we start the next module, we will look at the questions and answers.

129
00:10:39,093 --> 00:10:47,873
In the chat, I saw a really good one. Is it possible to sort types of alerts by severity?

130
00:10:47,873 --> 00:10:57,646
The answer is yes. So in order to do that, you basically come into

131
00:10:57,646 --> 00:11:00,531
your Wireshark capture, as you can see on the screen.

132
00:11:00,531 --> 00:11:04,932
And you're going to want to write a filter expression.

133
00:11:04,943 --> 00:11:07,202
So what you can do

134
00:11:07,213 --> 00:11:12,843
in the Wireshark filter expressions is search for Expert,

135
00:11:12,843 --> 00:11:21,021
and once you find Expert, drill down to severity.

136
00:11:21,021 --> 00:11:26,570
Now you can do any type of relation, but if you do equal to,

137
00:11:26,570 --> 00:11:39,613
let's see, we'll choose error. Then it will search for specifically that severity.

138
00:11:39,613 --> 00:11:46,663