1
00:00:00,000 --> 00:00:07,901

2
00:00:07,909 --> 00:00:13,588
Here, our next module will be on Expert advanced features.

3
00:00:13,588 --> 00:00:17,708
So interestingly, in one of the things that we will cover

4
00:00:17,708 --> 00:00:24,193
in this module is, yes, the Expert, as we already discussed,

5
00:00:24,193 --> 00:00:29,418
is a tool to give you a clue, to guide you.

6
00:00:29,418 --> 00:00:33,314
But it is not in any way going to say

7
00:00:33,314 --> 00:00:36,432
this is specifically your problem based on

8
00:00:36,432 --> 00:00:38,685
what you think may be the problem.

9
00:00:38,685 --> 00:00:42,915
There's a lot of consideration that needs to be taken

10
00:00:42,923 --> 00:00:45,704
when you look at the Expert. For example,

11
00:00:45,704 --> 00:00:50,010
some of the, some of the examples that we gave

12
00:00:50,010 --> 00:00:53,506
was that if there was a slow-performing website or

13
00:00:53,506 --> 00:00:57,827
or network, or something of that nature,

14
00:00:57,827 --> 00:01:00,937
there may be something going on

15
00:01:00,937 --> 00:01:03,018
that the Expert doesn't tell you about.

16
00:01:03,018 --> 00:01:05,897
It may not say that the router is choked up

17
00:01:05,897 --> 00:01:09,623
or the website is freezing.

18
00:01:09,623 --> 00:01:12,212
It will tell you a different way by saying,

19
00:01:12,212 --> 00:01:15,745
you know, when you were trying to go to the website

20
00:01:15,745 --> 00:01:17,745
you got all these retransmissions.

21
00:01:17,745 --> 00:01:25,186
So just be aware that it is not exactly a tool

22
00:01:25,199 --> 00:01:27,856
to tell you what the problem is. It is a guide.

23
00:01:27,856 --> 00:01:31,189
So what else can you do with the Expert?

24
00:01:31,189 --> 00:01:34,623
There's further customization that you can do.

25
00:01:34,623 --> 00:01:38,790
You can change the Packet List pane to show severity.

26
00:01:38,790 --> 00:01:43,513
That just came up in our Q&A. We'll go into that a little bit deeper.

27
00:01:43,513 --> 00:01:48,863
You can color-code icons in the Expert window to make it more visible.

28
00:01:48,863 --> 00:01:54,772
And you can create preferences and profile settings adjustments to make it more,

29
00:01:54,768 --> 00:01:59,423
to adjust it more so that you could see some specific things.

30
00:01:59,423 --> 00:02:04,906
So one of the things that we were looking at before

31
00:02:04,906 --> 00:02:14,016
was the actual Wireshark tool, where we applied a filter to find severity.

32
00:02:14,012 --> 00:02:19,866
We did expert.severity, the whole equals to and offset code,

33
00:02:19,866 --> 00:02:25,679
which basically provided us with a high-level warning.

34
00:02:25,679 --> 00:02:30,863
I'm sorry, an error, which was the most severe error in this capture.

35
00:02:30,863 --> 00:02:35,453
So, it completely wiped away all of the data from view,

36
00:02:35,452 --> 00:02:38,166
and allowed us to immediately see this packet

37
00:02:38,166 --> 00:02:43,055
and be able to drill into it deeper to see what the problem may be.

38
00:02:43,055 --> 00:02:49,417
Other things we were able to do, which we will explain very briefly,

39
00:02:49,438 --> 00:02:53,035
was we were able to go into the preferences and make adjustments

40
00:02:53,039 --> 00:02:56,989
and add a column for the Expert.

41
00:02:57,007 --> 00:03:01,573
And the reason why we wanted to do that is because as we're capturing packets,

42
00:03:01,572 --> 00:03:04,671
I can quickly sort and see very quickly

43
00:03:04,671 --> 00:03:09,026
what packets are flagged from the Expert.

44
00:03:09,026 --> 00:03:11,992
So this is already applied in the capture.

45
00:03:12,014 --> 00:03:15,152
So we can see that right here.

46
00:03:15,170 --> 00:03:19,401
Right here, I have my Expert column that I added.

47
00:03:19,406 --> 00:03:24,938
And it's telling specifically what the Expert found.

48
00:03:24,938 --> 00:03:33,514
So here's the chat, and this would be found directly in your Expert as a chat.

49
00:03:33,514 --> 00:03:40,130
And we can drill into the packet this way,

50
00:03:40,130 --> 00:03:46,205
or we can find them this way and sort on them.

51
00:03:46,205 --> 00:03:53,497
So you can invoke the Expert from the Analyze menu within the capture window.

52
00:03:53,514 --> 00:04:01,151
Once you do invoke the Expert, you can find the information that you need,

53
00:04:01,164 --> 00:04:04,003
such as this chat information

54
00:04:04,014 --> 00:04:08,841
that we see in the capture, here, under the Expert column,

55
00:04:08,843 --> 00:04:15,314
or possible warnings. But regardless of how we search and sort for it,

56
00:04:15,314 --> 00:04:20,299
it's this further customization that I wanted to point out.

57
00:04:20,299 --> 00:04:26,523
As we mentioned earlier, there is a way to find Expert information.

58
00:04:26,531 --> 00:04:31,334
You can either just search for the Expert and filter for it, or

59
00:04:31,334 --> 00:04:38,177
you can set up an expression, as we mentioned earlier, to look for Expert info.

60
00:04:38,172 --> 00:04:44,139
And you have multiple things that you can search for:

61
00:04:44,139 --> 00:04:50,466
the Wireshark Expert group, the actual message, or the severity level.

62
00:04:50,468 --> 00:04:57,233
These are the 3 refinements that you can make.

63
00:04:57,233 --> 00:05:13,399
So again, when we want to change the look and feel of the Expert,

64
00:05:13,399 --> 00:05:19,872
we can add the color icon. So you can set this up as well in preferences.

65
00:05:19,872 --> 00:05:25,731
You can set up red, yellow, cyan, light blue, blue,

66
00:05:25,768 --> 00:05:30,627
and set up other icons on your Expert so that you can more quickly and easily

67
00:05:30,627 --> 00:05:35,298
see what that problem is. Obviously, red: big problem.

68
00:05:35,298 --> 00:05:39,213
So that's just the new customization for the Expert

69
00:05:39,225 --> 00:05:41,865
with the newer releases of Wireshark.

70
00:05:41,883 --> 00:05:46,362
And again, the packet comments are extremely important,

71
00:05:46,362 --> 00:05:49,656
as we will learn in the annotation module.

72
00:05:49,656 --> 00:05:54,704
You can quickly annotate your captured data,

73
00:05:54,704 --> 00:05:57,588
and as you find things, make notes in them.

74
00:05:57,588 --> 00:06:00,414
For example, what it is that you think may happen there.

75
00:06:00,414 --> 00:06:03,838
So as you drill into the data, you may say

76
00:06:03,838 --> 00:06:08,396
'problem with gateway as I was testing with ping'

77
00:06:08,396 --> 00:06:11,985
might be relevant to that particular packet.

78
00:06:11,985 --> 00:06:15,975
And then when you open up the Expert, you can go directly to the comments

79
00:06:15,975 --> 00:06:24,288
and see the specific comments, in order, that were made, which may also tell a story.

80
00:06:24,283 --> 00:06:34,752
And here are specifically the chats, where it tells us a story,

81
00:06:34,743 --> 00:06:37,921
as we have mentioned before, where the story may be

82
00:06:37,934 --> 00:06:43,242
we're accessing a website in order, this is what's going on, the sequence of events.

83
00:06:43,242 --> 00:06:47,902
And it can tell me more specifically what is going on,

84
00:06:47,902 --> 00:06:51,223
the sequence of packets, and then I can go over to the details

85
00:06:51,223 --> 00:06:56,154
and it will tell me the entire sequence through the packet capture,

86
00:06:56,154 --> 00:07:01,256
flagging the errors, the warnings, and the notes, and the chats.

87
00:07:01,283 --> 00:07:12,898
So what I wanted to do for you quickly before we end this module

88
00:07:12,898 --> 00:07:22,653
is I wanted to open up a busier capture.

89
00:07:22,653 --> 00:07:34,205
As you will see, this will take quite a while to load, and

90
00:07:34,205 --> 00:07:42,145
here we see some bad checksums, which is not always a problem.

91
00:07:42,145 --> 00:07:46,789
Just the way that the data is read. It's not necessarily an error.

92
00:07:46,789 --> 00:07:47,966
Again, a false positive.

93
00:07:47,992 --> 00:07:53,719
But here, we see some issues directly related to window full and zero window.

94
00:07:53,710 --> 00:07:57,049
When we trouble, when we were troubleshooting this problem,

95
00:07:57,060 --> 00:08:02,726
we found that the destination machine did not have enough resources

96
00:08:02,752 --> 00:08:11,420
and it was causing quite a problem with a web-based application.

97
00:08:11,420 --> 00:08:15,848
Obviously, we see a tremendous amount of duplicate acknowledgments.

98
00:08:15,848 --> 00:08:23,419
It just continued to resend the data because it could not handle it.

99
00:08:23,433 --> 00:08:30,543
And we were able to trace this through the entire conversation dealing the details.

100
00:08:30,541 --> 00:08:35,728
So again, the Expert is extremely helpful, but

101
00:08:35,728 --> 00:08:38,612
you have to really look at the data for what it is

102
00:08:38,612 --> 00:08:41,354
and make sure that you're not assuming anything

103
00:08:41,354 --> 00:08:44,321
and you're really drilling in, drilling down,

104
00:08:44,321 --> 00:08:48,867
and really trying to get to the bottom of what the problem could be.

105
00:08:48,867 --> 00:08:56,601