WEBVTT

00:07.460 --> 00:08.120
Okay.

00:08.120 --> 00:08.690
Welcome.

00:08.690 --> 00:11.420
Today we are going to play around with Wireshark.

00:11.420 --> 00:18.080
Now we can literally spend 80 to 120 hours, even two months, working specifically on Wireshark so that

00:18.080 --> 00:21.140
you could understand all the ins and outs of it and become a true expert at it.

00:21.170 --> 00:26.750
However, for CSA, you don't need to be an expert. You just need to basically understand how to read

00:26.750 --> 00:32.900
Wireshark, and not even at that much of an in-depth level, so much as understanding what you're looking

00:32.900 --> 00:33.260
at.

00:33.260 --> 00:35.450
So we're going to do a basic setup for Wireshark.

00:35.450 --> 00:39.410
I'm going to show you some key features, and then I'm going to show you how to read some of the information.

00:39.410 --> 00:40.430
And that's pretty much it.

00:40.460 --> 00:41.930
So it should take about ten minutes.

00:41.960 --> 00:47.120
Very high-level overview of what Wireshark is and everything that's associated with it.

00:47.120 --> 00:49.400
So let's dive into it.

00:49.400 --> 00:51.890
The very first thing I need to do is actually open up Wireshark.

00:51.890 --> 00:54.890
I'm going to open up my terminal and blow that up so you can see it.

00:54.890 --> 00:57.830
And I'm just going to type in Wireshark just like that.

00:57.830 --> 01:02.030
Now Wireshark, because it's operating on my VirtualBox,

01:02.120 --> 01:04.070
uh, it doesn't have any traffic going through it right now.

01:04.070 --> 01:07.760
There's nothing going in or out of it, which means you can't really see the line.

01:07.760 --> 01:11.240
So let's put some traffic on Wireshark.

01:11.240 --> 01:12.680
I'm going to open up a new terminal.

01:12.680 --> 01:14.000
I'm just going to do an nmap.

01:14.030 --> 01:16.460
I already got one running in the background.

01:16.460 --> 01:19.130
So I'm just going to do an nmap to that one.

01:19.370 --> 01:21.410
If you can't see it here, you can.

01:21.440 --> 01:26.510
We've already identified that capture one is on 10.0.2.11.

01:26.540 --> 01:31.640
I'm going to run that and we should see some traffic now on Wireshark.

01:31.670 --> 01:35.900
Now I've got eth0, which is the main traffic line coming into it.

01:35.900 --> 01:36.860
I've also got "any".

01:36.890 --> 01:40.730
Now I would recommend that you utilize "any"

01:40.760 --> 01:42.890
when we're going through Wireshark in a lab environment.

01:42.890 --> 01:44.060
That's what we're going to do today.

01:44.060 --> 01:50.180
If you have, or if you're using Wireshark for a specific purpose, then identifying the exact port on

01:50.180 --> 01:52.550
which the traffic is coming in is probably better.

01:52.550 --> 01:56.540
But for today's purposes, we're just going to do "any". You can see here,

01:56.540 --> 02:02.270
again, no traffic coming through. Uh, we have our number, right?

02:02.270 --> 02:03.500
We just had a spurt of traffic

02:03.500 --> 02:03.800
come in.

02:03.830 --> 02:04.760
We've got our number.

02:04.760 --> 02:09.260
That is the traffic that's currently processing on there.

02:09.290 --> 02:10.580
The time.

02:10.580 --> 02:12.770
That is the time since we started Wireshark.

02:12.770 --> 02:17.540
That means this is the very first packet; from this point forward it's going to count when each packet

02:17.540 --> 02:18.200
comes after that.

02:18.200 --> 02:28.070
For instance, from packet one, which was 0.000, to packet number two was 0.014 seconds after the first

02:28.070 --> 02:29.030
packet came in.

02:29.030 --> 02:38.300
And packet number three was 0.075, or excuse me, 5.075 seconds after the first

02:38.300 --> 02:39.020
packet came in.

02:39.020 --> 02:41.510
And you can kind of go through and see that as it goes through.

02:41.540 --> 02:42.140
Right.

02:42.140 --> 02:43.550
We have our source IP.

02:43.580 --> 02:45.680
That's the IP address that it came from.

02:45.680 --> 02:52.310
You have to realize that Wireshark is looking at traffic both from a "from" and then to a "to", which

02:52.310 --> 02:59.150
means that if I pull up MS Paint, if you look at Wireshark and we have two computers, we have computer

02:59.180 --> 03:03.650
A and we have computer B right here.

03:03.680 --> 03:05.450
Now between the two we have traffic

03:05.480 --> 03:06.860
that goes both ways.

03:06.890 --> 03:11.810
Wireshark looks at it not like this but like this.

03:13.370 --> 03:20.330
There are two different streams of traffic, meaning that traffic is either going from B to A or from

03:20.360 --> 03:25.340
A to B, and it emphasizes that in the way that it processes information.

03:25.340 --> 03:28.820
So in this context we have source, right?

03:28.850 --> 03:32.330
10.0.2.9, that's traffic coming from there,

03:32.330 --> 03:37.700
from the source IP address of 2.9 to the destination IP address of 2.3.

03:37.700 --> 03:45.050
When it reverts back, it's providing, or when 2.3 responds, I should say when 2.9 responds, I cannot

03:45.050 --> 03:45.890
talk today,

03:46.040 --> 03:49.940
uh, we're saying from 2.3 to 2.9.

03:49.940 --> 03:58.460
So for instance, traffic is going from 2.9 to 2.3 and then from 2.3 to 2.9.

03:58.460 --> 04:02.310
And we're kind of sitting in the middle looking at both traffic lanes.

04:02.310 --> 04:04.320
And that's what we're doing today, right.

04:04.350 --> 04:06.720
So those are our source and destination IP addresses.

04:06.720 --> 04:07.860
And then we have our protocol:

04:07.860 --> 04:10.380
what protocol is it operating on?

04:10.410 --> 04:17.400
In this case, for one and two it's DHCP. For lines three and four, or for packets three and four, it is

04:17.400 --> 04:19.380
ARP, Address Resolution Protocol.

04:19.380 --> 04:20.640
Then we can see the length.

04:20.640 --> 04:22.950
That's the length of traffic that's going through.

04:22.950 --> 04:26.850
And then a basic informational, uh, summary of what's going on.

04:26.880 --> 04:27.120
Right.

04:27.150 --> 04:28.560
This is very, very basic.

04:28.590 --> 04:28.920
Right.

04:28.950 --> 04:34.740
For instance, on number three we can see that it's saying "Who has 2.3?"

04:34.740 --> 04:37.410
and "Tell 2.9."

04:37.410 --> 04:38.580
That's what it's doing.

04:38.580 --> 04:40.620
So let's provide some context to this.

04:40.620 --> 04:43.110
Well, first let's set this up, right?

04:43.380 --> 04:48.180
Uh, for basic setup for Wireshark, especially the first time you're using it, I like to add my source

04:48.180 --> 04:49.320
port and my destination port.

04:49.320 --> 04:54.750
Now I can find that information right here under User Datagram Protocol.

04:54.750 --> 04:58.800
It tells me that the source port is 68 and the destination port is 67.

04:58.800 --> 05:00.140
But I want to view it up here.

05:00.140 --> 05:05.060
To do that, I'm going to right click anywhere on this bar and I'm going to do column preferences.

05:05.090 --> 05:08.330
Under Column Preferences on the right hand side we can add columns.

05:08.360 --> 05:11.360
I'm going to push that plus sign twice.

05:11.360 --> 05:16.250
And you can see that it added two columns for me, right here and right here. For the first

05:16.250 --> 05:17.660
one I just double left click,

05:17.690 --> 05:21.200
and I'm just going to put "SRC port", enter.

05:21.200 --> 05:25.820
And then for the next one I'm just going to double click and put "DST port" right there.

05:25.850 --> 05:28.040
So now I've got my source port and destination port.

05:28.040 --> 05:29.000
But I need to tie it in.

05:29.000 --> 05:31.460
So for my source port I'm going to double click again,

05:31.460 --> 05:35.510
and I'm going to drag it down to "Source port (resolved)" right here.

05:35.540 --> 05:36.770
Source port (resolved).

05:36.770 --> 05:42.620
And for my destination port, again, I'm going to put "Destination port (resolved)".

05:42.620 --> 05:44.030
I press okay.

05:44.030 --> 05:46.850
And then you can't see it yet, but it's all the way on the right hand side.

05:46.850 --> 05:48.410
So I'm going to grab that.

05:48.710 --> 05:53.960
I'm going to move it over to the source port, and then I'm going to grab the other one and move that

05:53.960 --> 05:55.220
over to the destination.

05:55.220 --> 06:02.250
So now if I look at this, I've got time, source, and then source port and destination, and then destination

06:02.250 --> 06:02.490
port.

06:02.490 --> 06:06.630
If the numbers don't add up, or the columns are too small or whatnot, you can just double click and

06:06.630 --> 06:09.060
it'll fix that for you so that you can actually read it.

06:09.060 --> 06:14.280
Now, I would recommend expanding your destination out a little bit, because you may find out that

06:14.280 --> 06:15.330
it's not enough space.

06:15.330 --> 06:16.800
So let's dive into this a little bit.

06:16.800 --> 06:19.440
Let me do a basic internet search.

06:19.440 --> 06:23.760
Let's go into Firefox real quick and let's just go into Google.

06:24.690 --> 06:25.620
I'm just going to hit Google.

06:25.620 --> 06:26.220
That's it.

06:26.220 --> 06:31.230
And I'm going to go back into Wireshark and look at all the traffic that's associated with it.

06:32.310 --> 06:33.720
Look at all that juicy traffic.

06:33.720 --> 06:34.050
All right.

06:34.050 --> 06:37.230
Let's say that I wanted to look at a specific IP address.

06:37.230 --> 06:38.940
Let's say I wanted to look at 2.9.

06:38.970 --> 06:41.460
Like 2.9 is something I wanted to see.

06:41.460 --> 06:48.090
I could do IP and then just by typing IP, it's got all these little shortcuts that I could do.

06:48.120 --> 06:53.730
I could do destination, which means if I click on that and press enter, it's only going to show me,

06:53.910 --> 06:58.140
uh, traffic that is going to IP address 2.11, of which there is none

06:58.140 --> 06:58.650
right now.

06:58.650 --> 07:02.070
But what if I did address?

07:03.390 --> 07:07.440
Let me throw that equal sign back in there and hit enter.

07:08.460 --> 07:10.980
And you can see that for IP address 2.11

07:11.010 --> 07:12.090
we're not seeing any traffic.

07:12.120 --> 07:13.290
What about nine?

07:13.440 --> 07:14.640
What if we did nine?

07:14.910 --> 07:15.750
There we go.

07:15.780 --> 07:19.920
That means that it's going to show all traffic going into IP address 2.9.

07:19.950 --> 07:23.400
Now I didn't do a lot to it, because I've got catfish running in the background and I forgot to ping it.

07:23.400 --> 07:24.180
But that's okay.

07:24.210 --> 07:24.630
That's great.

07:24.630 --> 07:25.290
Let's do that now.

07:25.290 --> 07:26.850
Let's jump into this.

07:26.970 --> 07:29.460
We can see here that I've got 2.11.

07:29.460 --> 07:33.990
Let's just hit a ping 10.0.2.11,

07:33.990 --> 07:34.980
Just like that.

07:35.040 --> 07:37.890
It's going to start pinging it, and go back into here.

07:37.890 --> 07:39.690
And then I can do 11.

07:40.290 --> 07:43.530
But instead of doing IP address, let's do destination.

07:43.530 --> 07:45.720
So I'm going to do "ip" and then "dst".

07:46.620 --> 07:49.710
And now it's providing me all that juicy information.

07:49.830 --> 07:50.550
Right.

07:50.550 --> 07:53.730
So we're doing a ping against 2.11,

07:53.730 --> 07:56.220
and it's providing that information. Okay.

07:56.340 --> 08:00.360
If I stop that, press Ctrl+C to stop that,

08:00.360 --> 08:03.660
it should stop the traffic on there.

08:03.690 --> 08:08.250
Now, this entire time I've actually been capturing this data, I've been saving this data.

08:08.250 --> 08:12.300
And I go to File and then I can do a Save.

08:12.330 --> 08:14.790
Well, I have to stop it first; I have to stop the traffic.

08:14.820 --> 08:16.830
Then I can do File and then Save,

08:16.830 --> 08:18.990
and I can save this as a pcap file.

08:19.020 --> 08:20.610
And you can see here: Wireshark pcap.

08:20.610 --> 08:25.140
I'm not going to do that right now, but just realize that is how you get a pcap file.

08:25.170 --> 08:27.120
Okay, so I've got all this information.

08:27.120 --> 08:29.970
Let's say that I wanted to get back to the original information.

08:29.970 --> 08:33.360
I could literally just delete all this right there,

08:33.390 --> 08:36.780
hit enter, and now I'm back at where I originally was.

08:36.810 --> 08:37.440
Okay.

08:37.950 --> 08:40.200
You can see here that the eight isn't actually accurate.

08:40.200 --> 08:43.620
If I click on that now, you can see that I'm actually in the inner range.

08:43.620 --> 08:49.650
And if I scroll all the way down, just that little bit of traffic that I've done, that little

08:49.680 --> 08:56.520
bit of traffic, you can see here that I am quite high on the traffic, around 904 packets already.

08:56.550 --> 08:57.240
Okay.

08:57.240 --> 09:00.600
So this is Wireshark, very high level.

09:00.810 --> 09:03.960
Let's dive into this context here.

09:03.990 --> 09:05.100
Let me find a good one.

09:05.250 --> 09:07.740
Here's a basic packet, right?

09:07.770 --> 09:09.900
This first one is going to provide us the frame.

09:09.930 --> 09:12.600
Now this goes a lot off the OSI model, if you remember that.

09:12.600 --> 09:14.130
So here's our IP,

09:14.160 --> 09:16.140
our Internet Protocol version.

09:16.170 --> 09:17.520
And we can dive into this.

09:17.550 --> 09:20.220
We can see our destination and source IP addresses.

09:21.240 --> 09:24.750
I can expand these and go into different services.

09:25.170 --> 09:26.850
I can go through here and provide that.

09:26.880 --> 09:29.310
We can see the time to live of 255.

09:29.370 --> 09:31.230
We can see our protocol is TCP.

09:31.620 --> 09:36.360
We can see our checksum validation is disabled, but we see a checksum.

09:37.140 --> 09:39.240
I can expand our Transmission Control Protocol.

09:39.270 --> 09:41.610
Let me, uh, reduce this.

09:41.640 --> 09:42.300
There we go.

09:43.350 --> 09:49.650
And this TCP provides us with our source port, if it's not available up here; we can see the destination

09:49.650 --> 09:52.080
port, 40134,

09:52.110 --> 09:53.490
our stream index,

09:53.490 --> 09:55.860
And we can go through and really start to see this.

09:55.890 --> 10:03.270
We can also see our timestamps, both from the perspective of time since the first frame in this TCP

10:03.270 --> 10:06.720
stream, and then time since the previous frame in this TCP stream.

10:06.720 --> 10:11.580
We can also do a sequence analysis, and we see that information.

10:12.600 --> 10:16.350
Uh, this is the basics of Wireshark, very high level.

10:16.470 --> 10:21.150
Uh, very much something that you should understand the basic principles of.

10:21.150 --> 10:24.570
Now, CSA doesn't go into that much depth with Wireshark.

10:24.600 --> 10:27.330
It does expect you to understand what an echo and a ping is.

10:27.360 --> 10:30.150
It basically expects you to understand how Wireshark works.

10:30.150 --> 10:34.830
You should understand the basic principles of Wireshark as far as CSA is concerned.

10:34.860 --> 10:37.050
Don't expect some in-depth questions on there.

10:37.080 --> 10:37.770
Don't expect that they'll

10:38.010 --> 10:42.270
ask you specifically how do you use Wireshark, or the different filters.

10:42.270 --> 10:47.010
They might provide you a different context of this, a little screenshot of Wireshark, and expect

10:47.010 --> 10:51.480
you to understand how to read it, but I wouldn't expect to see anything much more in depth than that.

10:51.570 --> 10:53.460
Uh, very quick overview of Wireshark.

10:53.460 --> 10:54.540
I hope this was helpful.

10:54.540 --> 10:57.690
We will see you in our next, uh, showcase.

10:57.720 --> 10:58.530
Talk to you later.
