1
00:00:00,000 --> 00:00:07,985

2
00:00:07,985 --> 00:00:15,371
In our next segment, we will talk about marking and annotating and working with file data

3
00:00:15,385 --> 00:00:20,448
so that you can make notes in your packet captures

4
00:00:20,448 --> 00:00:25,201
for future reference or use, and how to navigate those notes

5
00:00:25,201 --> 00:00:30,823
or those annotations within the capture file.

6
00:00:30,823 --> 00:00:35,910
So, why is this so important?

7
00:00:35,910 --> 00:00:39,929
Some may think that annotating files is probably

8
00:00:39,929 --> 00:00:42,208
not the most important topic in the world.

9
00:00:42,208 --> 00:00:48,615
However, I believe that documentation is key

10
00:00:48,615 --> 00:00:51,749
to pretty much everything that it is that we do.

11
00:00:51,749 --> 00:00:56,238
One example would be: you're asked to build and design a network,

12
00:00:56,238 --> 00:01:01,249
and I'd like you to do that in your head and not use a Visio diagram.

13
00:01:01,249 --> 00:01:05,833
You probably could fabricate it in your mind, but then when you need to translate

14
00:01:05,837 --> 00:01:09,284
that to someone else for them to work on your network,

15
00:01:09,284 --> 00:01:13,060
not only would it be tedious for you to explain everything, but

16
00:01:13,060 --> 00:01:16,414
a picture says a thousand words. And there's a reference for it,

17
00:01:16,409 --> 00:01:20,061
specifically for when things change and

18
00:01:20,061 --> 00:01:24,720
you add to the network or upgrade or change or flip by piece subnets

19
00:01:24,740 --> 00:01:30,051
or whatever you're doing; having documentation is critical.

20
00:01:30,064 --> 00:01:36,852
And I think we can all, as network analysts, engineers and experts, at least agree that

21
00:01:36,858 --> 00:01:41,287
network documentation is key to our success and survival.
22
00:01:41,287 --> 00:01:45,455
And the purpose of file and packet annotation

23
00:01:45,455 --> 00:01:48,479
is so that you can document what it is that you're doing.

24
00:01:48,479 --> 00:01:53,562
So obviously, if you save the file, you want to save it with an appropriate name.

25
00:01:53,562 --> 00:01:59,318
But more so, what if you wanted to save some information in the capture itself

26
00:01:59,318 --> 00:02:06,605
and allow for it to be something that you can use or that is of relevance while you're troubleshooting?

27
00:02:06,605 --> 00:02:10,509
So, two very important types of annotation are

28
00:02:10,509 --> 00:02:15,871
the file itself as well as packet annotation.

29
00:02:15,871 --> 00:02:22,183
Now, annotating files is something that is newer

30
00:02:22,183 --> 00:02:27,179
to Wireshark, and one of the key things here is

31
00:02:27,171 --> 00:02:35,773
to remember that you must save the file as a Pcap-ng for it to retain this information.

32
00:02:35,766 --> 00:02:41,501
If you save it in an older file format such as Pcap, it will not retain this information.

33
00:02:41,501 --> 00:02:46,220
So that is the rule to using this.

34
00:02:46,220 --> 00:02:48,377
And to do it is actually quite simple.

35
00:02:48,372 --> 00:02:52,922
So we'll first start off with a packet annotation.
36
00:02:52,922 --> 00:02:58,103
And here, as I was looking at a capture I just did,

37
00:02:58,103 --> 00:03:03,898
I had a file here that is interesting to me, so I can right-click it and

38
00:03:03,898 --> 00:03:07,837
select Packet Comment, and I can put what I thought was interesting in here,

39
00:03:07,837 --> 00:03:18,620
which I could say is "encrypted data using TLS,

40
00:03:18,620 --> 00:03:27,281
inspect further" and, you know, that's just a simple note, but

41
00:03:27,281 --> 00:03:32,200
one of the things I wanted to show you here was how, in the details frame,

42
00:03:32,195 --> 00:03:38,927
a packet comments field popped up, and interestingly I can see

43
00:03:38,933 --> 00:03:45,524
that it allowed me to actually add to the data in the capture

44
00:03:45,522 --> 00:03:48,137
so that I can reference it at another time.

45
00:03:48,137 --> 00:03:54,613
So I can make this pretty extensive. I can write some details like, perhaps,

46
00:03:54,613 --> 00:03:58,140
you know, maybe going to incorrect gateway or

47
00:03:58,140 --> 00:04:03,048
invalid router hop or something of that nature, where

48
00:04:03,048 --> 00:04:08,118
when I now go into other tools, I can reference that even further.

49
00:04:08,118 --> 00:04:12,931
So as an example, I can go into Analyze, click Expert Info,

50
00:04:12,931 --> 00:04:17,095
and as we've mentioned in the past, if I go to the Packet Comments tab now,

51
00:04:17,095 --> 00:04:19,095
there is my packet comment.

52
00:04:19,095 --> 00:04:25,143
And it tells me it's at packet 11, and it shows me the summary of my comment:

53
00:04:25,143 --> 00:04:28,266
"encrypted data using TLS, inspect further".

54
00:04:28,266 --> 00:04:33,669
Now again, this is a very simple way to show you this,

55
00:04:33,669 --> 00:04:38,772
but you can make this information as extensive as you need to and

56
00:04:38,772 --> 00:04:42,429
more relevant to a possible problem that you may be experiencing.
57
00:04:42,429 --> 00:04:48,999
So, as we dig deeper into the annotations,

58
00:04:48,999 --> 00:04:53,577
you can see here I added, specifically, one where I said, you know,

59
00:04:53,577 --> 00:04:56,975
there's a segment here that I'd like to check out,

60
00:04:56,975 --> 00:05:04,009
and put the date and the time of reference, and there's a whole bunch of stuff

61
00:05:04,026 --> 00:05:08,597
that we could put in here to help ourselves create documentation.

62
00:05:08,597 --> 00:05:12,636
And what's interesting is you can also do a summary,

63
00:05:12,627 --> 00:05:17,226
so when you pull up Wireshark and you want a summary of the entire file,

64
00:05:17,226 --> 00:05:21,191
you will also find some of these annotations in there as well.

65
00:05:21,191 --> 00:05:30,935
So, we did this live, but basically, to explain how to make and save an annotation:

66
00:05:30,935 --> 00:05:36,681
you select a file, or I should say, packet that you want to annotate.

67
00:05:36,700 --> 00:05:40,466
You right-click it, you add a comment,

68
00:05:40,483 --> 00:05:45,501
you make your relevant notes, you close the comment, and then just make sure that you save

69
00:05:45,507 --> 00:05:50,908
the file in the correct file format, which is Pcap-ng.

70
00:05:50,912 --> 00:05:56,631
You can also reference this file anytime in the capture window.

71
00:05:56,649 --> 00:05:59,699
As we mentioned, you can go to the Expert and

72
00:05:59,727 --> 00:06:03,251
flag specifically what packet number that was,

73
00:06:03,242 --> 00:06:08,859
and you can look at it in the packet list and the details pane as well.

74
00:06:08,859 --> 00:06:14,050
There are many ways to make an annotation.

75
00:06:14,050 --> 00:06:18,252
And the one I will show you now is making an annotation on the file.
76
00:06:18,252 --> 00:06:22,781
So in the bottom-left corner here, there's a little notepad and a pencil

77
00:06:22,781 --> 00:06:27,364
that, if you click on it, lets you edit or add capture comments.

78
00:06:27,364 --> 00:06:35,034
So I can say something simply like, capture file number X or number 1,

79
00:06:35,562 --> 00:06:46,212
date, time, testing, connection from client to server through 4 router hops,

80
00:06:46,215 --> 00:06:54,406
using subnet 10.1.1.x/24, and so on and so forth.

81
00:06:54,407 --> 00:07:00,753
So as you can see, there are quite a few things that, once you put them in here and save,

82
00:07:00,751 --> 00:07:07,759
you'll be able to show, you know, whatever notes you wanted to take.

83
00:07:07,777 --> 00:07:10,362
And as I showed you here, I went to the summary,

84
00:07:10,380 --> 00:07:15,549
the capture summary, and here are my comments.

85
00:07:15,549 --> 00:07:22,207
I can copy, cut and paste. I can save all this information right into that capture file or

86
00:07:22,207 --> 00:07:24,986
place it outside in a report, but regardless,

87
00:07:24,986 --> 00:07:29,115
this is why annotations are critically important.

88
00:07:29,115 --> 00:07:35,082

89
00:07:35,082 --> 00:07:37,082