00:00:07,833 --> 00:01:35,870
Ok, welcome back. We're going to talk about TCP sequencing and handshake for our next module. And essentially, the TCP handshake is one where we've been learning this for a pretty long time - how TCP works, basics of networking, the most fundamental stuff - and why is this so important to really learn when you're using Wireshark? Well, predominantly, when you start looking at the communications at the TCP layer, and seeing SYN, SYN-ACK, ACK, FIN, reset, what does that really mean and why is it important when you're looking at Wireshark captures? Why is that something that you need to address? Well, when we talk about the basic 3-way handshake, that would create a connection-oriented communication from a client to a server. And that will allow the communication to remain until officially closed, or it's finished. And by doing so, if something happens in the middle of the communication - for example, a packet's dropped or it goes the wrong way in the network - the sequence numbers help you to rebuild the communication once it arrives.
00:01:35,875 --> 00:03:15,264
And all these things work together to create a connection-oriented or a dedicated connection where, you know, when you send, let's say, data from one source to a destination, it's something that, you know, will get there, and every chance that it could take. Whereas with UDP, it's best effort and you will not know, essentially, if it got there and if it got there in one piece. So, at the most fundamental level, this is why this is critically important. So, just a quick refresher. TCP, the Transmission Control Protocol, is basically, aside from IP, one of the most important protocols in the TCP/IP suite. Reliable, connection-oriented, and it allows for error checking - as we mentioned before, the sequencing of packets, which we'll take a look at in the actual capture. And it allows an underlying mechanism to have reliable communications for protocols such as FTP - we looked at that in an earlier module - SMTP for email, HTTP for web services and so on. The User Datagram Protocol, UDP, is not connection-oriented. And it allows for faster connections 'cause there's a lot less overhead.
00:03:15,264 --> 00:04:47,470
So as we mentioned also in an earlier module, if you're just sending, let's say, a file via TFTP, you may not necessarily need that overhead, and it will rely on a protocol with less overhead, which would be UDP. Alright. So, what do we have to worry about again, when we have to worry about placement? We have to consider filters, and in this example, we will also look at the flow graph. So in this example, a web server is trying to close a connection, and essentially, one of the things that we were looking at here, and you could see this directly in the packet, was that it was trying to close and acknowledge. There was a retransmission, and it tried to close and acknowledge, and then it was acknowledged that it was closed. So, when you look at each one of these packets and you drill down into the details pane, one of the things that you should notice here in the highlighted section is that it's using TCP. We learned about ports earlier, and this is essential. So, we're using port 80 from the destination web server. The source port is 49943, which is an upper-layer level number port. And there's a sequence number and an acknowledgement number.
00:04:47,470 --> 00:06:21,365
So, specifically with sequence numbers, you can see here the first one was 1. Wireshark uses a relative sequence number, and we got, on the next one down, a response, and then it moved to another sequence and acknowledgement number. So as you can see with this very simple end of a transmission, these sequence and acknowledgement numbers allow it to be put back together. And as you can see in here are the flags. So for example, what you saw in here was an acknowledgment. Well, in the detail here, you can see that the acknowledgement bit is set, right here. And for example, up here, when it was a FIN and an ACK, the FIN is set and the ACK is set. So essentially, what's very important to understand here is that, yes, there was specifically a handshake. This was the end of the handshake. But other things that you can pull out of this information are the round-trip time for that specific segment. And if we wanted to look deeper into it, we can pull up the flow graph and take a specific look at the time it took and the sequence numbering and the acknowledgement number. So why is this important?
00:06:21,375 --> 00:08:02,571
Again, when you're looking at large captures, where you see tons of retransmissions, tons of duplicate ACKs or other types of TCP errors, you can take this foundational knowledge of looking at specifically the handshake itself - understanding specifics of the handshake, looking at the sequence numbers, looking at the flags that are set and other detail within the Expert, the flow graph, as well as the capture window - to try to estimate what the problem was or could be. And you can also build out larger TCP filters. You can do streams. You can look at specific TCP analysis where, if you're looking for specific sequence numbers, you can drill down and look exactly for a specific sequence number. So if you're looking at a number of captures and you're really trying to do a deep analysis of where traffic was sourcing from and what the destination was seeing, you can use these simple tools to pull together the entire conversation. But again, understanding the basics of the handshake and sequencing is required for those larger captures where you're trying to really find a needle in the haystack. But as you can see, you can filter on pretty much anything within the TCP framework here, such as sequence numbers and so on.
00:08:02,571 --> 00:09:24,488
So what can Wireshark help you find by doing this type of setup? You can look and find latency in your network. Again, just looking at TCP may not give you the entire picture. You may want to know from where your source is to where your destination is. Run a trace. See if things are taking a long time. Check your path. Make sure - maybe you have a synchronous routing issue. You might have out-of-order packets, many retransmissions, duplicate ACKs, fragmentation, and so on and so forth. So again, it's very important to take a look at the entire path from client to destination, from source to destination, client to server. You're looking for your basic 3-way handshake, your SYN, SYN-ACK, ACK, and then close out, and then any variations of it. Is it duplicate ACKs? Are you getting retransmissions? Or are you getting constant resets? And those will give you clues as to why you have an issue. And to add, as well, we have now looked at specifically some sequence numbers and how to find those in the captures themselves so that you can put the entire conversation back together.
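The module walks through relative sequence numbers, the SYN / SYN-ACK / ACK handshake, the FIN close, and the retransmissions and duplicate ACKs that Wireshark's TCP analysis flags. The script below is an added example, not part of the course or of Wireshark: it follows one constructed conversation (client 10.0.0.5:49943 to web server 10.0.0.80:80, where only the two port numbers come from the lecture and the addresses and absolute sequence numbers are made up) and reproduces, in simplified form, what the lecture reads off the details pane and the flow graph: relative seq/ack computed from each side's SYN, the connection state after every segment, and simplified retransmission and duplicate-ACK tags.

```python
"""Follow one TCP conversation the way Wireshark's TCP analysis presents it:
relative sequence numbers, handshake and FIN-teardown state, and simplified
retransmission / duplicate-ACK tagging.  Added example with constructed
segments; not from the course, not a real capture, not Wireshark's own code."""
from collections import Counter
from dataclasses import dataclass

FLAG_ORDER = ["SYN", "ACK", "FIN", "RST"]


@dataclass
class Segment:
    no: int           # frame number
    src: str          # "ip:port" (addresses below are constructed)
    dst: str
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int          # absolute sequence number as seen on the wire
    ack: int          # absolute acknowledgement number (0 when ACK is not set)
    length: int       # payload bytes


def consumed(seg):
    """Sequence space a segment uses: payload bytes plus one each for SYN and FIN."""
    return seg.length + ("SYN" in seg.flags) + ("FIN" in seg.flags)


def analyse(segments):
    """Return one row per segment with Wireshark-style relative numbers and tags."""
    isn = {}       # direction -> initial sequence number taken from its SYN
    next_seq = {}  # direction -> next sequence number we expect from it
    last_ack = {}  # direction -> ack number of the last pure ACK it sent
    fins = set()   # directions that have sent FIN
    state = "CLOSED"
    rows = []
    for seg in segments:
        d, rev = (seg.src, seg.dst), (seg.dst, seg.src)
        pure_ack = seg.flags == frozenset({"ACK"}) and seg.length == 0
        tags = []
        if "SYN" in seg.flags:
            isn[d] = seg.seq  # Wireshark displays this segment as relative seq 0
            state = "SYN_RECEIVED" if "ACK" in seg.flags else "SYN_SENT"
        if "RST" in seg.flags:
            state = "RESET"
            tags.append("reset")
        if pure_ack and state == "SYN_RECEIVED":
            state = "ESTABLISHED"          # third packet of the 3-way handshake
            tags.append("handshake complete")
        if "FIN" in seg.flags:
            fins.add(d)
            state = "FIN_WAIT" if len(fins) == 1 else "LAST_ACK"
        if pure_ack and state == "LAST_ACK":
            state = "CLOSED"               # final ACK of the two-sided FIN close
            tags.append("connection closed")
        # Simplified analysis: data, SYN or FIN that starts before the next
        # expected sequence number repeats bytes already seen.  Wireshark further
        # separates out-of-order, fast and spurious retransmissions; this does not.
        if consumed(seg) and d in next_seq and seg.seq < next_seq[d]:
            tags.append("retransmission")
        # A pure ACK repeating the previous ack number from the same side is the
        # receiver asking again for the same byte (simplified duplicate-ACK rule).
        if pure_ack and last_ack.get(d) == seg.ack:
            tags.append("duplicate ACK")
        if pure_ack:
            last_ack[d] = seg.ack
        next_seq[d] = max(next_seq.get(d, 0), seg.seq + consumed(seg))
        rows.append({
            "no": seg.no,
            "dir": f"{seg.src} -> {seg.dst}",
            "flags": " ".join(sorted(seg.flags, key=FLAG_ORDER.index)),
            "rel_seq": seg.seq - isn[d] if d in isn else None,
            "rel_ack": seg.ack - isn[rev] if "ACK" in seg.flags and rev in isn else None,
            "len": seg.length,
            "state": state,
            "tags": tags,
        })
    return rows


def summary(rows):
    """Count the analysis tags, the way the Expert window totals them up."""
    return dict(Counter(tag for row in rows for tag in row["tags"]))


def locate_filter(row, stream=0):
    """Display filter to jump to a row in Wireshark (relative seq numbers are the default)."""
    return f"tcp.stream == {stream} && tcp.seq == {row['rel_seq']}"


# Constructed conversation captured on the server side.  Ports are the ones
# named in the lecture; hosts and absolute sequence numbers are made up.
C, S = "10.0.0.5:49943", "10.0.0.80:80"


def seg(no, src, dst, flags, seq, ack=0, length=0):
    return Segment(no, src, dst, frozenset(flags.split()), seq, ack, length)


SAMPLE = [
    seg(1, C, S, "SYN", 1000000),
    seg(2, S, C, "SYN ACK", 5000000, 1000001),
    seg(3, C, S, "ACK", 1000001, 5000001),
    seg(4, C, S, "ACK", 1000001, 5000001, 100),  # HTTP request
    seg(5, S, C, "ACK", 5000001, 1000101, 500),  # first response segment
    seg(6, C, S, "ACK", 1000101, 5000501),
    seg(7, S, C, "ACK", 5000501, 1000101, 500),  # seen here, never reached the client
    seg(8, C, S, "ACK", 1000101, 5000501),       # client asks again for byte 501
    seg(9, S, C, "ACK", 5000501, 1000101, 500),  # server resends it
    seg(10, C, S, "ACK", 1000101, 5001001),
    seg(11, S, C, "FIN ACK", 5001001, 1000101),  # server starts the close
    seg(12, C, S, "FIN ACK", 1000101, 5001002),
    seg(13, S, C, "ACK", 5001002, 1000102),
]

if __name__ == "__main__":
    for r in analyse(SAMPLE):
        print(f"{r['no']:>2} {r['dir']:<32} {r['flags']:<8} seq={r['rel_seq']} "
              f"ack={r['rel_ack']} len={r['len']:<4} {r['state']:<13} {' '.join(r['tags'])}")
    print(summary(analyse(SAMPLE)))
```

Frame 9 is tagged as a retransmission because its sequence number starts below the next number already seen from the server, and frame 8 as a duplicate ACK because the client repeats the ack number it sent in frame 6; those are the same two conditions the lecture tells you to look for in large captures. In Wireshark itself the equivalent filters are `tcp.analysis.retransmission`, `tcp.analysis.duplicate_ack`, `tcp.flags.syn == 1 && tcp.flags.ack == 0` for the start of each handshake, and `tcp.stream == N` to isolate one conversation before reading its flow graph.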