1
00:00:00,000 --> 00:00:07,833

2
00:00:07,833 --> 00:00:11,224
One of the important things I want to highlight

3
00:00:11,224 --> 00:00:16,362
before we start the next round of modules is

4
00:00:16,362 --> 00:00:21,114
saving of data and protection of data.

5
00:00:21,114 --> 00:00:24,676
Some of the questions that come up are

6
00:00:24,676 --> 00:00:31,254
how dangerous is a Wireshark or any type of a sniffer-related data file

7
00:00:31,254 --> 00:00:37,359
and how important is it to keep it secure.

8
00:00:37,359 --> 00:00:45,597
So as network analysts, as engineers, systems administrators, anyone working in IT,

9
00:00:45,597 --> 00:00:53,979
keeping information secure is probably one of our greatest responsibilities.

10
00:00:53,980 --> 00:00:55,980
If you work in healthcare,

11
00:00:55,981 --> 00:00:59,865
you have to make sure that your patients' information is protected.

12
00:00:59,877 --> 00:01:04,127
If you work in financial realms,

13
00:01:04,139 --> 00:01:08,538
you have to make sure that clients' information is protected.

14
00:01:08,539 --> 00:01:14,597
If you're working in the military, it might be confidential. Law enforcement.

15
00:01:14,631 --> 00:01:16,631
We work in data

16
00:01:16,665 --> 00:01:20,859
and there's nothing that's going to get closer to working with that data

17
00:01:20,859 --> 00:01:28,378
than doing Wireshark captures, because you're collecting the data in transit and

18
00:01:28,378 --> 00:01:33,033
you're able to see within it specifically, and in some cases, you can decrypt it.

19
00:01:33,033 --> 00:01:38,901
You can replay it. You can find out where it's going. You can see who sent it.

20
00:01:38,901 --> 00:01:47,514
So the ability to see inside this data and to collect this data is a responsibility

21
00:01:47,514 --> 00:01:51,201
that we must take very seriously, and when you save it,

22
00:01:51,199 --> 00:01:54,589
you should always make sure that it's secure.

23
00:01:54,589 --> 00:01:59,418
So make sure that you put it on a safe drive and encrypt it.

24
00:01:59,427 --> 00:02:06,082
Or a safe share, and encrypted. Just make sure that you're keeping this data secure

25
00:02:06,073 --> 00:02:10,199
and you're not leaving it out there for others to see or to capture,

26
00:02:10,199 --> 00:02:15,958
because it could reveal quite a bit about what's going on on the network as well as

27
00:02:15,958 --> 00:02:23,549
personal or client or employee information that we want to keep secure.

28
00:02:23,547 --> 00:02:30,169
So, that's a common question that comes up, and we just wanted to make sure that

29
00:02:30,169 --> 00:02:37,878
it's well understood, and it's due diligence to ensure that you secure this data

30
00:02:37,878 --> 00:02:42,491
appropriately and make sure that it does not get into the wrong hands.

31
00:02:42,491 --> 00:02:47,425
In our next module, we will be discussing the saving of capture files.

32
00:02:47,425 --> 00:02:53,996
It is also something that you may see, I think it's quite easy to do.

33
00:02:53,996 --> 00:02:59,893
But there's a handful of file formats you should be aware of and some other things

34
00:02:59,893 --> 00:03:05,757
involved in the saving of captures that are quite important.

35
00:03:05,757 --> 00:03:10,920
So, saving files is a great responsibility.

36
00:03:10,920 --> 00:03:14,892
It is one where it can contain sensitive information.

37
00:03:14,892 --> 00:03:21,219
And what we want to do as network analysts is make sure that we encrypt this data

38
00:03:21,219 --> 00:03:25,422
if it's going to be at rest on our drives, or put it on an encrypted drive, or

39
00:03:25,422 --> 00:03:30,230
just make sure that it is out of people's hands

40
00:03:30,230 --> 00:03:34,760
so that if it got into the wrong hands, out of your hands or into the wrong hands,

41
00:03:34,760 --> 00:03:39,321
it is safeguarded so that the information within it

42
00:03:39,321 --> 00:03:43,157
cannot be used against the customer, client or your employer.

43
00:03:43,157 --> 00:03:45,561
So just make sure that when you're saving files,

44
00:03:45,561 --> 00:03:50,571
you're doing due diligence and ensuring that you're thinking of safety.

45
00:03:50,571 --> 00:04:00,386
So you can set up Wireshark to save data into a file or multiple files.

46
00:04:00,409 --> 00:04:04,103
You can save it in a compressed format using Gzip,

47
00:04:04,108 --> 00:04:07,415
and you can save it in different file formats.

48
00:04:07,415 --> 00:04:11,468
For example, when we're talking about annotations, you can use the old Pcap

49
00:04:11,468 --> 00:04:17,648
file extension or the new Pcap-ng file extension so that you can ensure

50
00:04:17,648 --> 00:04:21,844
that your report and annotation information stays intact.

51
00:04:21,844 --> 00:04:26,308
So as you can see, saving files can be a little tricky.

52
00:04:26,308 --> 00:04:30,960
There's not, there is a way to just File, Save As,

53
00:04:30,960 --> 00:04:36,998
save as the filename and keep going, but there's some specific things that you could do

54
00:04:36,998 --> 00:04:42,221
to ensure that you're saving your data correctly or accurately.

55
00:04:42,221 --> 00:04:52,292
So the first tip we will give you is to try to save the capture in a way where it's intelligent.

56
00:04:52,290 --> 00:04:59,045
One of the ways I like to do it is to flag it as a capture file.

57
00:04:59,045 --> 00:05:03,425
This is the most generic way to do it. I try to always put the date.

58
00:05:03,416 --> 00:05:06,979
You can extend it into specific periods of time.

59
00:05:06,979 --> 00:05:10,179
You can add the application. You can add the workstation

60
00:05:10,175 --> 00:05:12,997
or the system name that you're scanning from or to.

61
00:05:12,997 --> 00:05:16,312
There's a lot of ways to do this, but it's better

62
00:05:16,312 --> 00:05:24,861
to save it intelligently and in a dedicated share on your system for captures

63
00:05:24,870 --> 00:05:28,986
than to just arbitrarily save it as capture.

64
00:05:28,986 --> 00:05:32,846
Capture 1, capture 2 and so on, because then you're going to have to go in

65
00:05:32,846 --> 00:05:39,608
and hopefully you left some annotation notes for yourself as to what it had to do with.

66
00:05:39,608 --> 00:05:44,760
But if not, then you're just going to have a large amount of captures that you really don't know

67
00:05:44,760 --> 00:05:48,164
what they correlate to specifically.

68
00:05:48,164 --> 00:05:52,718
So after the capture is completed, you can Save or Save As,

69
00:05:52,718 --> 00:05:54,764
which we will show in a moment.

70
00:05:54,764 --> 00:05:58,988
There are some differences. So with Linux and Unix,

71
00:05:58,988 --> 00:06:03,908
obviously you have the GTK+ or the GIMP toolkit.

72
00:06:03,911 --> 00:06:08,397
And the extended interface, so there are some differences when you go to save the capture.

73
00:06:08,397 --> 00:06:14,819
In the dialog boxes, pay close attention to that, 'cause there's different options available.

74
00:06:14,819 --> 00:06:18,590
And you can also print the files directly out

75
00:06:18,590 --> 00:06:22,397
and not save them as data at all. You can just print it out.

76
00:06:22,396 --> 00:06:27,949
This will, if it's a capture of a couple of packets, this is helpful.

77
00:06:27,949 --> 00:06:32,993
Otherwise, your printer is going to probably go through 5 reams of paper.

78
00:06:32,993 --> 00:06:36,752
So it's important for you to consider what it is that you're printing.

79
00:06:36,752 --> 00:06:40,258
So, that being said, if you're also going to print,

80
00:06:40,258 --> 00:06:43,283
make sure that you again do due diligence

81
00:06:43,292 --> 00:06:50,078
and you shred the data if it, in fact, shows sensitive information.

82
00:06:50,078 --> 00:06:56,777
So if you're going to save a capture, and this is one that I just ran and I haven't saved it yet.

83
00:06:56,777 --> 00:07:02,347
I can File, Save As and it will open up the dialog box.

84
00:07:02,347 --> 00:07:08,159
I have it in a sample capture folder. I have a dedicated folder where I put these.

85
00:07:08,159 --> 00:07:15,435
And I am going to name this, sample capture with today's date.

86
00:07:15,435 --> 00:07:26,131
And then I can select the format. So as we mentioned earlier,

87
00:07:26,140 --> 00:07:29,231
there's quite a few formats that you can select between.

88
00:07:29,231 --> 00:07:34,369
You can save in formats where if you wanted to read it directly from Network,

89
00:07:34,360 --> 00:07:37,190
Microsoft's Network Monitor, you can do so.

90
00:07:37,190 --> 00:07:43,800
You can do so from, here's some other example, the ancient Novell LANalyzer,

91
00:07:43,800 --> 00:07:47,928
which is probably around 20 years old as of now.

92
00:07:47,928 --> 00:07:51,204
There's different things that you can use.

93
00:07:51,204 --> 00:07:57,584
Visual Networks, those are the old boxes that you used to put on your frame

94
00:07:57,584 --> 00:08:02,496
network to analyze it. Those types of things, there's some old stuff in here.

95
00:08:02,496 --> 00:08:08,578
But in general, you're going to probably save this as Pcap or Pcap-ng.

96
00:08:08,578 --> 00:08:12,335
I had some notes in here, so I'm going to save it as Pcap-ng.

97
00:08:12,335 --> 00:08:16,179
And then I'm also going to choose to compress

98
00:08:16,179 --> 00:08:20,638
with Gzip so that it shrinks it down in size.

99
00:08:20,638 --> 00:08:27,641
It doesn't take a large portion up on my disk or take up space.

100
00:08:27,641 --> 00:08:31,766
Alright, so as you can see, 'cause I saved with Pcap-ng,

101
00:08:31,789 --> 00:08:38,852
I was able to retain some information and we are good.

102
00:08:38,852 --> 00:08:45,340
So there's also another option, you can output to a file, the data.

103
00:08:45,340 --> 00:08:50,502
So if you were to print, you can do a print out to a file.

104
00:08:50,501 --> 00:08:55,498
I've named this one Wireshark out. I can set all packets, and here I have

105
00:08:55,498 --> 00:09:00,778
displayed about 1500 plus packets.

106
00:09:00,778 --> 00:09:07,409
I can select the range or just the selected packets that I select arbitrarily,

107
00:09:07,432 --> 00:09:14,496
and/or I can display or collapse packet details to shrink the amount of information, but

108
00:09:14,496 --> 00:09:21,130
this is also another option, that you can select the file to output to.

109
00:09:21,130 --> 00:09:28,266
So a question came up on annotation files, and the question was -

110
00:09:28,266 --> 00:09:33,145
'is annotation mainly the documentation of your traces?'

111
00:09:33,145 --> 00:09:38,022
So when you do a trace and you collect the data,

112
00:09:38,039 --> 00:09:41,999
annotation allows you to move directly

113
00:09:42,019 --> 00:09:47,134
to making notes in that trace file or that capture file.

114
00:09:47,210 --> 00:09:54,770
So, yes, you are documenting inside the file itself.

115
00:09:54,770 --> 00:09:58,694
So that's what you want to remember, is that it's actually making notes within

116
00:09:58,694 --> 00:10:02,343
the capture, or what you will call, also, a trace file.

117
00:10:02,343 --> 00:10:07,454
And it's just critically important that you save it as Pcap-ng,

118
00:10:07,454 --> 00:10:10,435
otherwise you will not retain that information.

119
00:10:10,435 --> 00:10:15,168
And the 2 ways you can do it is you can add notes to the packet

120
00:10:15,168 --> 00:10:19,322
and you can add notes directly to the entire capture.

121
00:10:19,322 --> 00:10:26,085