1
00:00:00,000 --> 00:00:07,829

2
00:00:07,829 --> 00:00:11,734
Alright, welcome back to Wireshark Foundations.

3
00:00:11,734 --> 00:00:18,096
This is day 3. We will be covering specifically how to use the Wireshark tool.

4
00:00:18,109 --> 00:00:22,427
We will be taking everything that we've learned in the past 2 days.

5
00:00:22,433 --> 00:00:28,747
And looking at issues and samples, and trying to use all the tools together

6
00:00:28,747 --> 00:00:31,709
that you can find and use in Wireshark.

7
00:00:31,709 --> 00:00:36,239
And talk about some, some examples to where

8
00:00:36,239 --> 00:00:41,159
you can use this tool to troubleshoot things in a lab,

9
00:00:41,159 --> 00:00:45,265
in production networks, on the job or to practise with.

10
00:00:45,265 --> 00:00:48,847
So again, this is Rob Shimonski. This is day 3.

11
00:00:48,847 --> 00:00:52,704
This will be our final day for Wireshark Foundations.

12
00:00:52,704 --> 00:00:58,540
And today, we will cover again, a lot of scenario-based stuff

13
00:00:58,540 --> 00:01:03,258
to talk about how to use everything that you've learned in the past 2 days

14
00:01:03,259 --> 00:01:09,435
to really examine some issues and try to get through them.

15
00:01:09,435 --> 00:01:21,065
In this module, we will be covering capturing client/server response.

16
00:01:21,065 --> 00:01:23,065
So what is client/server communication?

17
00:01:23,065 --> 00:01:27,326
We've been covering this for the past couple of days in the modules.

18
00:01:27,326 --> 00:01:31,651
But everything that we talked about now as we troubleshoot problems

19
00:01:31,651 --> 00:01:38,102
will rely on your understanding of the client or source

20
00:01:38,102 --> 00:01:42,099
to the server destination communication.

21
00:01:42,099 --> 00:01:45,644
That does not necessarily mean that

22
00:01:45,644 --> 00:01:48,841
it's always going to be a client and a server.
23
00:01:48,845 --> 00:01:50,994
What we're going to be looking at

24
00:01:50,997 --> 00:01:54,726
primarily in the next set of troubleshooting scenarios

25
00:01:54,726 --> 00:01:58,673
will be client to server, but just remember that communication can take place

26
00:01:58,663 --> 00:02:01,231
between just about any host on a network.

27
00:02:01,231 --> 00:02:05,193
And Wireshark will be able to capture that and show that to you.

28
00:02:05,193 --> 00:02:14,566
So, just as a refresher, when I use Wireshark - 'what can I do with it?'

29
00:02:14,563 --> 00:02:16,777
Again, you really need to know placement.

30
00:02:16,776 --> 00:02:20,738
So if you're going to capture client/server communications,

31
00:02:20,738 --> 00:02:25,908
you need to know where to put this, put the Wireshark capture device,

32
00:02:25,908 --> 00:02:30,614
or your endpoint - have Wireshark on an endpoint.

33
00:02:30,614 --> 00:02:32,791
Because if you don't put it in the right place,

34
00:02:32,791 --> 00:02:36,077
you will not capture the communication that you need to capture.

35
00:02:36,077 --> 00:02:41,161
So, we'll go over the, the lab setup again. Just so that you understand

36
00:02:41,161 --> 00:02:45,379
what it is that we're trying to accomplish when we're troubleshooting with Wireshark.

37
00:02:45,375 --> 00:02:49,407
And remember, one of the biggest challenges is

38
00:02:49,407 --> 00:02:53,017
to try to see exactly what it is that you want to see.

39
00:02:53,017 --> 00:02:59,001
So as an example, I can do a pre-capture filter and

40
00:02:59,001 --> 00:03:01,971
blot out exactly what I don't want to see.

41
00:03:01,971 --> 00:03:06,497
And I can capture everything and then run a display filter,

42
00:03:06,497 --> 00:03:10,056
and try to see what it is that I do want to see.

43
00:03:10,056 --> 00:03:13,343
So essentially, what am I analyzing?
44
00:03:13,343 --> 00:03:19,174
A communication pattern. One of the examples we're going to use in this segment

45
00:03:19,174 --> 00:03:23,648
is a simple FTP site. We're going to look at

46
00:03:23,648 --> 00:03:28,785
the actual communication from the client to the server

47
00:03:28,794 --> 00:03:31,584
and get an understanding of what's taking place.

48
00:03:31,600 --> 00:03:34,001
Is it responding correctly?

49
00:03:34,006 --> 00:03:41,457
Is it responding in time, and some of the issues that could take place when doing so?

50
00:03:41,457 --> 00:03:48,207
So just to highlight again, this is a foundation course.

51
00:03:48,207 --> 00:03:52,378
So, understanding the placement of Wireshark

52
00:03:52,378 --> 00:03:56,893
in this example is a very simple one.

53
00:03:56,893 --> 00:04:01,805
However, it's the understanding of this simple network diagram

54
00:04:01,814 --> 00:04:04,589
that's going to allow you to expand out

55
00:04:04,589 --> 00:04:07,353
because essentially, if you're just looking at

56
00:04:07,353 --> 00:04:10,130
the client and that's where you're running Wireshark

57
00:04:10,130 --> 00:04:13,621
and/or running Wireshark on the client and the server,

58
00:04:13,621 --> 00:04:16,313
no matter what is in the middle

59
00:04:16,313 --> 00:04:19,170
it really is just going to complicate

60
00:04:19,170 --> 00:04:22,433
what it is that you're going to see on both sides to analyze.

61
00:04:22,443 --> 00:04:27,594
However, you're still going to be using the same type of framework in your mind.

62
00:04:27,586 --> 00:04:29,936
You're going to be capturing on the client.

63
00:04:29,936 --> 00:04:32,968
You're going to capture on the server, and/or the server.

64
00:04:32,968 --> 00:04:40,108
And/or, as we see in the diagram, you can set up a separate device

65
00:04:40,108 --> 00:04:44,235
and mirror the traffic, span it and send all the data

66
00:04:44,235 --> 00:04:47,930
to a mirrored port where you can capture it for analysis.
67
00:04:47,930 --> 00:04:53,429
So again, this is the simple setup that we're going to be using.

68
00:04:53,429 --> 00:04:58,304
So in this example, what I wanted to do

69
00:04:58,304 --> 00:05:01,179
is I wanted to run a simple capture here.

70
00:05:01,179 --> 00:05:11,889
And what we're going to simulate here is an FTP.

71
00:05:11,893 --> 00:05:18,782
So I'm going to open up Wireshark. I am on a launchpad - the start page.

72
00:05:18,785 --> 00:05:24,881
And just again to reference, I'm going to go to the capture pane

73
00:05:24,881 --> 00:05:29,983
and I am going to, in this case, I'm not going to set any capture options, although I could.

74
00:05:29,983 --> 00:05:34,349
I could specifically choose the interface here.

75
00:05:34,349 --> 00:05:38,215
I could set up a capture filter if I required one.

76
00:05:38,215 --> 00:05:41,927
And I could split the files up if need be.

77
00:05:41,927 --> 00:05:45,745
Since I selected the interface here, I'm going to click Start.

78
00:05:45,745 --> 00:05:56,891
And what I am going to do is I am going to open an FTP site.

79
00:05:56,887 --> 00:06:03,762
And when I'm opening an FTP site, I purposely did some things here

80
00:06:03,762 --> 00:06:07,652
to mess with the response time.

81
00:06:07,652 --> 00:06:11,626
So I wanted to be able to show you a few things as we're capturing.

82
00:06:11,626 --> 00:06:15,954
So when we look at the actual capture, you'll be able to,

83
00:06:15,960 --> 00:06:19,058
you'll be able to see a few things. So let's just give that a moment.

84
00:06:19,058 --> 00:06:26,600
OK, now if we filter for FTP,

85
00:06:26,600 --> 00:06:36,457
we will see quite a few things here.

86
00:06:36,457 --> 00:06:42,048
For one, it has captured everything that we were doing in FTP.
87
00:06:42,056 --> 00:06:47,557
And a way we can take a quick look at what could be some basic problems is

88
00:06:47,557 --> 00:06:53,834
run into the Expert and take a look to see some basic notes, warnings, chats.

89
00:06:53,834 --> 00:06:58,182
I see a couple of retransmissions, a couple of duplicate ACKs,

90
00:06:58,182 --> 00:07:02,718
and my whole entire conversation captured here.

91
00:07:02,718 --> 00:07:06,295
So essentially, it looks pretty good.

92
00:07:06,295 --> 00:07:09,767
However, it did hesitate momentarily.

93
00:07:09,767 --> 00:07:15,431
So what we can then do is go to Statistics and take a look at a flow graph.

94
00:07:15,431 --> 00:07:21,965
And here, we will see the client/server response,

95
00:07:21,965 --> 00:07:28,849
where the time it took from me opening up the FTP session

96
00:07:28,849 --> 00:07:33,248
and it closing out, and kind of what happened in the middle.

97
00:07:33,248 --> 00:07:43,846
So essentially, we can see that FTP client, FTP client to the FTP server,

98
00:07:43,846 --> 00:07:47,752
we captured that response with Wireshark.

99
00:07:47,752 --> 00:07:50,377
And we can take a look in some of these tools

100
00:07:50,377 --> 00:07:54,502
to specifically see some of the things that took place.

101
00:07:54,502 --> 00:07:59,580
So as an example, I can look at the TCP stream.

102
00:07:59,580 --> 00:08:04,967
Here, you will see at first, when we were logging in.

103
00:08:04,967 --> 00:08:07,392
There was an anonymous login and it passed.

104
00:08:07,392 --> 00:08:10,630
This is in clear text. Again, when we were talking about security,

105
00:08:10,630 --> 00:08:14,272
you can see this information in clear text.

106
00:08:14,272 --> 00:08:18,859
Again, this is quite, quite an issue on an open network.

107
00:08:18,859 --> 00:08:22,118
This is an anonymous login so it's not that big of a deal.

108
00:08:22,118 --> 00:08:24,118
It's just an example for you.
109
00:08:24,118 --> 00:08:29,524
But, one of the things that you should definitely take away from this is that

110
00:08:29,524 --> 00:08:34,476
when you're using the protocol analyzer, right here in the TCP stream,

111
00:08:34,476 --> 00:08:38,248
you can gather the information, credentials.

112
00:08:38,248 --> 00:08:42,788
For example, if you're telnetting into a router or some other device,

113
00:08:42,792 --> 00:08:45,736
those, that information can be captured.

114
00:08:45,736 --> 00:08:49,925
So then bring down, we can see that there was a permission denied.

115
00:08:49,925 --> 00:08:54,778
That was the hang-up. And then FTP moved into passive mode.

116
00:08:54,778 --> 00:08:58,779
And then I changed the directory.

117
00:08:58,779 --> 00:09:01,633
And then I closed everything out.

118
00:09:01,633 --> 00:09:06,192
So essentially, when we're talking about client/server communications,

119
00:09:06,192 --> 00:09:08,192
this is what we're talking about.

120
00:09:08,192 --> 00:09:10,742
What Wireshark can show you.

121
00:09:10,742 --> 00:09:13,866
All we did was run Wireshark on an interface.

122
00:09:13,866 --> 00:09:17,189
We accessed something from a client to a server.

123
00:09:17,189 --> 00:09:19,975
And with a lot of the tools we've already learned

124
00:09:19,975 --> 00:09:23,298
we were able to ascertain quite a few things.

125
00:09:23,298 --> 00:09:27,131
We were able to see the information was sent in clear text.

126
00:09:27,131 --> 00:09:30,374
We were able to see that there was a permissions issue.

127
00:09:30,374 --> 00:09:33,449
We were able to see that essentially,

128
00:09:33,449 --> 00:09:36,266
it opened and closed in a fair amount of time.

129
00:09:36,266 --> 00:09:39,124
And that even though we saw a duplicate ACK or two,

130
00:09:39,124 --> 00:09:43,273
and a retransmission, that doesn't necessarily mean there was an issue.
131
00:09:43,273 --> 00:09:46,900
Some networks, that was operating here on a wireless network,

132
00:09:46,900 --> 00:09:49,102
maybe something was a little slow

133
00:09:49,102 --> 00:09:52,251
and they had to retransmit a packet.

134
00:09:52,251 --> 00:09:57,427
Not a big deal, but again to reference back to earlier modules,

135
00:09:57,427 --> 00:10:01,357
it doesn't necessarily mean that the Expert was telling you something was wrong.

136
00:10:01,357 --> 00:10:06,888
We found it in a different way. We found it in the actual stream itself.

137
00:10:06,888 --> 00:10:18,187
So just to review, Wireshark can assist with finding IP-based issues.

138
00:10:18,187 --> 00:10:23,273
As we move up the OSI model, you can look directly into TCP and UDP.

139
00:10:23,273 --> 00:10:27,169
In the next module we'll talk about the TCP handshake specifically.

140
00:10:27,169 --> 00:10:33,503
But as we can see, as we're learning, all these things do play into helping you

141
00:10:33,503 --> 00:10:37,756
analyze and dissect exactly what a problem could be.

142
00:10:37,756 --> 00:10:40,489
You can use Wireshark as an example

143
00:10:40,489 --> 00:10:44,615
to resolve client/server communication issues.

144
00:10:44,615 --> 00:10:52,100
Using the TCP flow graph, the flow graph - I'm just highlighting on TCP.

145
00:10:52,100 --> 00:10:56,603
We were able to do this with just one instance of Wireshark.

146
00:10:56,603 --> 00:11:02,938
So, back to our network lab, we didn't need to necessarily set up Wireshark remotely.

147
00:11:02,938 --> 00:11:06,660
If we felt there was an issue that we needed to address there,

148
00:11:06,650 --> 00:11:10,092
we could have set up a capture on either end and then looked at both.

149
00:11:10,092 --> 00:11:15,351
And try to use the tools to figure out what could possibly be the issue.

150
00:11:15,351 --> 00:11:19,629
And again, as we've mentioned, there are other

151
00:11:19,629 --> 00:11:23,455
parts of the equation that could be a problem.
152
00:11:23,455 --> 00:11:26,937
It could be that there's an I/O issue on the box.

153
00:11:26,937 --> 00:11:30,191
It could be that there's contention on the network,

154
00:11:30,202 --> 00:11:32,869
and so on and so forth.

155
00:11:32,882 --> 00:11:39,174
So, some of the available tools that we looked at were obviously the capture window.

156
00:11:39,174 --> 00:11:43,312
We ran a capture, a very simple capture.

157
00:11:43,312 --> 00:11:51,631
We simulated an FTP connection to, from an FTP client to an FTP site.

158
00:11:51,631 --> 00:11:53,631
We saw an issue with that.

159
00:11:53,631 --> 00:11:56,552
We were able to quickly open up a few of the tools.

160
00:11:56,552 --> 00:11:59,876
We filtered on the traffic. We just looked at FTP.

161
00:11:59,876 --> 00:12:04,203
We looked at a couple of tools and we were able to quickly find

162
00:12:04,200 --> 00:12:07,831
an issue with the client/server communication.

163
00:12:07,831 --> 00:12:15,945
In sum, you can, you can run a capture and you can jump around a capture window

164
00:12:15,947 --> 00:12:22,052
and try to figure things out. You can click on single packets and look at

165
00:12:22,065 --> 00:12:25,933
exactly what was going on in that particular packet.

166
00:12:25,948 --> 00:12:28,641
But, to learn this tool,

167
00:12:28,648 --> 00:12:34,051
before you start getting into the greater detail of looking directly into the packet,

168
00:12:34,051 --> 00:12:40,577
and finding specific issues, remember, you have to refine what you're looking at first,

169
00:12:40,577 --> 00:12:44,121
because if you're not sure, it's going to be very bloated.

170
00:12:44,120 --> 00:12:46,593
You're going to see a lot of stuff in the capture window.

171
00:12:46,593 --> 00:12:51,105
And it's best to filter down to what it is that you think you need to see.
172
00:12:51,105 --> 00:12:54,639
And then, one or a few of the tools that we learned about,

173
00:12:54,639 --> 00:12:59,625
and then go into the packets themselves, into the details to try to find the other issues.

174
00:12:59,625 --> 00:13:04,418