1 00:00:00,060 --> 00:00:04,440 In this video, I'm going to show you how to use tshark as well as termshark.
2 00:00:04,440 --> 00:00:10,210 Tshark to capture traffic off the wire and termshark to view
3 00:00:10,230 --> 00:00:12,120 Wireshark captures through a terminal.
4 00:00:12,750 --> 00:00:16,410 Sometimes you don't have access to a GUI interface.
5 00:00:16,410 --> 00:00:22,680 Sometimes you want to be able to capture packets off the wire using a terminal, and tshark is great
6 00:00:22,680 --> 00:00:23,730 for doing that.
7 00:00:24,240 --> 00:00:30,960 As an example, you may run a capture application on a Linux server or Linux host which doesn't have
8 00:00:30,960 --> 00:00:33,360 a graphical user interface installed.
9 00:00:33,600 --> 00:00:39,960 You could, as an example, run it on a Raspberry Pi, so capture traffic off the wire using a Raspberry
10 00:00:39,960 --> 00:00:44,130 Pi, but do that without a graphical user interface.
11 00:00:44,130 --> 00:00:50,310 So simply using a console, capture the traffic, and you may want to be able to view those Wireshark
12 00:00:50,310 --> 00:00:51,960 captures through a console.
13 00:00:51,960 --> 00:00:56,580 So that's what I'm going to demonstrate in this video, in this GNS3 topology.
14 00:00:56,580 --> 00:00:58,230 I've got an Ubuntu host.
15 00:00:58,350 --> 00:01:03,150 This Ubuntu host does not have a graphical user interface.
16 00:01:03,540 --> 00:01:08,730 So if I type clear, all I get is a console connection.
17 00:01:08,730 --> 00:01:11,430 There is no graphical user interface.
18 00:01:11,910 --> 00:01:19,480 So as an example, if I want to view the interfaces on this device, I'm doing that through a CLI.
19 00:01:19,530 --> 00:01:22,980 I'm not doing it through a graphical user interface.
20 00:01:23,370 --> 00:01:25,290 All I have is a console connection.
21 00:01:29,300 --> 00:01:34,010 So as an example, I'll edit this file so that
22 00:01:34,910 --> 00:01:38,900 the host gets an IP address from a DHCP server.
23 00:01:39,500 --> 00:01:43,130 What I'll do is close that console connection down, or terminal down.
24 00:01:43,640 --> 00:01:46,940 Stop the Ubuntu client, start it up again.
25 00:01:47,270 --> 00:01:48,530 Open up a console.
26 00:01:49,130 --> 00:01:56,210 Notice here I now have an IP address that has been allocated to me via DHCP.
27 00:01:56,510 --> 00:02:00,680 The NAT cloud is allocating IP addresses to the Ubuntu client.
28 00:02:00,770 --> 00:02:03,350 This is a built-in GNS3
29 00:02:03,350 --> 00:02:04,030 switch.
30 00:02:04,040 --> 00:02:05,450 This is a Cisco switch.
31 00:02:05,660 --> 00:02:10,699 This is a Cisco router running within GNS3.
32 00:02:11,120 --> 00:02:17,300 So the problem here is I can't run a graphical Wireshark application.
33 00:02:18,140 --> 00:02:24,320 I need to run Wireshark directly through the console.
34 00:02:27,480 --> 00:02:32,550 So the first thing I'm going to do is type apt-get update to update my Ubuntu references.
35 00:02:39,650 --> 00:02:39,920 Okay.
36 00:02:39,920 --> 00:02:45,290 Now that my Ubuntu references have been updated through apt-get update,
37 00:02:46,880 --> 00:02:50,450 what I'm going to do is install tshark.
38 00:02:50,990 --> 00:02:54,290 So to do that, I type apt-get install
39 00:02:55,000 --> 00:02:56,050 tshark.
40 00:02:59,570 --> 00:03:01,730 Say yes to install the application.
41 00:03:02,500 --> 00:03:09,370 So what this is doing is connecting to the Ubuntu cloud and essentially downloading and installing
42 00:03:09,370 --> 00:03:11,500 tshark on the Ubuntu client.
43 00:03:14,500 --> 00:03:17,730 I'm asked, should non-superusers be able to capture packets?
44 00:03:17,750 --> 00:03:23,230 I'm going to say yes, but in this example, I'm actually logged in as root, so I'm simply going to
45 00:03:23,230 --> 00:03:25,360 capture using root.
46 00:03:26,080 --> 00:03:27,860 So I've now installed tshark.
47 00:03:27,880 --> 00:03:31,030 I can start it by simply typing tshark.
48 00:03:32,170 --> 00:03:35,740 And notice it's capturing packets on Ethernet zero.
49 00:03:35,770 --> 00:03:39,430 It's essentially capturing packets on this interface.
50 00:03:39,430 --> 00:03:44,740 And what we're seeing at the moment are spanning tree messages that are sent by the switch.
51 00:03:45,310 --> 00:03:46,750 What I'll do on the router
52 00:03:48,300 --> 00:03:54,300 is enable OSPF, and we should be able to see OSPF updates.
53 00:03:55,570 --> 00:04:04,450 So we'll get this device to use DHCP and then enable OSPF on all interfaces.
54 00:04:09,830 --> 00:04:12,260 It's now received an IP address through DHCP.
55 00:04:12,740 --> 00:04:17,480 Notice we can see information such as spanning tree op messages and so forth.
56 00:04:17,510 --> 00:04:18,709 Now that's not great.
57 00:04:18,709 --> 00:04:23,540 That's just showing me the updates in real time, so I can see, as an example,
58 00:04:23,540 --> 00:04:24,710 DHCP offer,
59 00:04:24,710 --> 00:04:26,030 DHCP request.
60 00:04:27,400 --> 00:04:34,240 So what you may find more useful is to push that to a file, so write it to a file.
61 00:04:34,240 --> 00:04:39,010 In this case tshark1.pcap, as an example.
62 00:04:39,280 --> 00:04:44,590 So that's capturing the traffic and dumping it into that file.
63 00:04:45,040 --> 00:04:48,970 So as an example, show ip ospf interface brief.
64 00:04:48,970 --> 00:04:53,200 We're running OSPF on this router. Now if I type clear
65 00:04:54,060 --> 00:04:59,010 ip ospf process and clear all the OSPF processes,
66 00:04:59,490 --> 00:05:01,320 OSPF messages will be captured.
67 00:05:01,650 --> 00:05:03,660 Let's enable EIGRP.
68 00:05:05,480 --> 00:05:06,020 So EIGRP.
69 00:05:06,020 --> 00:05:11,240 And I'll enable that on all interfaces.
70 00:05:12,120 --> 00:05:20,910 Hopefully this tshark application is now capturing messages including spanning tree, including CDP,
71 00:05:21,180 --> 00:05:25,140 HTTP, EIGRP, OSPF and so forth.
72 00:05:26,310 --> 00:05:28,160 So I'll stop that by pressing Control
73 00:05:28,170 --> 00:05:32,460 C, and notice I now have a tshark1.pcap file.
74 00:05:32,520 --> 00:05:35,250 Now I want to be able to view that.
75 00:05:35,460 --> 00:05:43,050 I could copy that to my Windows computer, as an example, or my Mac or a Linux computer with a GUI and
76 00:05:43,050 --> 00:05:45,360 then open that up with Wireshark.
77 00:05:45,360 --> 00:05:49,590 But let's view the files directly through this console.