1
00:00:00,000 --> 00:00:08,003

2
00:00:08,003 --> 00:00:10,003
Ok, welcome back.

3
00:00:10,006 --> 00:00:13,121
In our last few modules, we will talk about

4
00:00:13,127 --> 00:00:18,308
importing and exporting and merging options within Wireshark.

5
00:00:18,308 --> 00:00:22,662
And this is basically to get data inside or out of

6
00:00:22,662 --> 00:00:30,155
Wireshark, predominantly for use for analysis and importing.

7
00:00:30,155 --> 00:00:33,251
Obviously, if you wanted to import data,

8
00:00:33,251 --> 00:00:38,466
it's not the same as opening a capture. It's a limited option.

9
00:00:38,466 --> 00:00:40,929
But specifically, when you're importing

10
00:00:40,929 --> 00:00:44,876
you're using Wireshark to import hex.

11
00:00:44,876 --> 00:00:47,429
You can adjust this a little bit and I will show this to you.

12
00:00:47,429 --> 00:00:53,837
But essentially, the hex dump that you get from another system,

13
00:00:53,837 --> 00:01:00,507
you can reconstruct into packets in Wireshark, which we will demonstrate.

14
00:01:00,531 --> 00:01:02,779
So why is this useful?

15
00:01:02,778 --> 00:01:09,012
There are times where you may capture hex data, let's say, from another tool,

16
00:01:09,049 --> 00:01:14,540
or you're doing some analysis work and you get a dump of hex.

17
00:01:14,538 --> 00:01:21,669
And that data may be completely unreadable to you, and what would be easier than to

18
00:01:21,669 --> 00:01:27,812
quickly import it into Wireshark to establish a viewable conversation.

19
00:01:27,812 --> 00:01:32,070
So that's what we're going to do - we're going to create a packet-

20
00:01:32,082 --> 00:01:39,677
based communication viewable in the packet list in the capture window when we import the data.

21
00:01:39,677 --> 00:01:44,691
So what I've created here is a simple hex data dump.

22
00:01:44,691 --> 00:01:49,745
There's many ways to do this. You can pull this out of a stream.

23
00:01:49,745 --> 00:01:53,806
There's tools that will give you hex dumps, but

24
00:01:53,806 --> 00:01:57,270
as an example, if you're given a hex dump

25
00:01:57,262 --> 00:01:59,977
which may be completely unreadable to you,

26
00:01:59,978 --> 00:02:04,277
all you need to do is you need to import that data

27
00:02:04,277 --> 00:02:08,812
by going to File, Import from Hex Dump,

28
00:02:08,812 --> 00:02:15,168
and then browse to that particular file that we created.

29
00:02:15,168 --> 00:02:23,378
And import, and you have options: you can change your encapsulation type and

30
00:02:23,378 --> 00:02:29,222
the specific offsets, octal or decimal, or other things that you can change.

31
00:02:29,222 --> 00:02:34,255
But for a simple import, if we do so, we will import and there you go.

32
00:02:34,255 --> 00:02:38,038
There's your hex dump now created into a full conversation

33
00:02:38,038 --> 00:02:42,348
so that you can see what exactly it is that you have in here.

34
00:02:42,355 --> 00:02:54,699
And you can comment it: imported from hex dump file x, y and z.

35
00:02:54,690 --> 00:03:03,201
Any other data you find relevant, and you will be able to now save this as a Wireshark capture

36
00:03:03,198 --> 00:03:08,036
for future reference. Very helpful, extremely helpful.

37
00:03:08,036 --> 00:03:12,698
Again, if you are getting data that you don't know what you are looking at,

38
00:03:12,698 --> 00:03:17,649
try to reconstruct it in something that would make more sense to you.

39
00:03:17,649 --> 00:03:22,043
So you can set some options, you can change the format,

40
00:03:22,043 --> 00:03:28,509
the encapsulation and the offsets, as well as other settings.

41
00:03:28,509 --> 00:03:34,598
And you can recreate the conversation in the capture window for further analysis.

42
00:03:34,598 --> 00:03:41,731
And as you can see, once we complete the rebuild, we can then dive into the data

43
00:03:41,731 --> 00:03:46,420
to review some specifics about it such as

44
00:03:46,420 --> 00:03:54,315
the date, the time, any flags, source and destination information, and so on and so forth.

45
00:03:54,315 --> 00:03:59,570
Again, extremely critical: you get a hex dump, you don't even know what you're looking at.

46
00:03:59,570 --> 00:04:02,527
You're not going to sit there and translate the entire thing.

47
00:04:02,527 --> 00:04:09,110
Much quicker, more efficient to import into Wireshark and

48
00:04:09,092 --> 00:04:12,099
very quickly recreate the conversation.

49
00:04:12,099 --> 00:04:18,539