1
00:00:00,740 --> 00:00:00,980
Okay.

2
00:00:00,980 --> 00:00:04,820
So I'm going to open up a web browser from PC one to the server.

3
00:00:05,840 --> 00:00:12,950
The server's IP address, and this is a Linux server, is 10.1.1.100.

4
00:00:13,070 --> 00:00:17,090
I used the command ifconfig to see the server's IP address.

5
00:00:17,630 --> 00:00:23,780
So what I'll do is start capturing traffic between the PC and the switch.

6
00:00:24,010 --> 00:00:26,180
GNS3 makes this very easy.

7
00:00:26,180 --> 00:00:33,380
It allows us to capture traffic directly within the topology rather than having to install a hub or

8
00:00:33,380 --> 00:00:36,740
a wiretap or something to see the traffic.

9
00:00:37,490 --> 00:00:43,610
So I'm going to capture the traffic between the PC and the switch and we'll be able to see exactly what's

10
00:00:43,610 --> 00:00:46,940
going on within this Wireshark capture.

11
00:00:47,060 --> 00:00:53,570
So you can see that we've got spanning tree traffic, we've got IP traffic, Dynamic Trunking Protocol

12
00:00:53,570 --> 00:00:55,790
traffic already displayed.

13
00:00:56,890 --> 00:00:59,680
And being captured by Wireshark.

14
00:01:00,070 --> 00:01:04,120
What I'm going to do, however, is filter for HTTP.

15
00:01:04,239 --> 00:01:06,640
There's no HTTP traffic at the moment.

16
00:01:06,850 --> 00:01:14,770
But what we'll do is open up a web browser on the PC and connect to the server.

17
00:01:15,420 --> 00:01:17,790
So let's use PC one.

18
00:01:19,340 --> 00:01:20,690
Open up a web browser.

19
00:01:22,850 --> 00:01:24,800
I'm going to browse to.

20
00:01:27,150 --> 00:01:30,510
10.1.1.100, which is the server.

21
00:01:30,930 --> 00:01:34,030
And as you can see there, a web page is displayed.

22
00:01:34,050 --> 00:01:35,360
Now it's nothing fancy.

23
00:01:35,370 --> 00:01:39,660
It's just a basic web page hosted on the server.

24
00:01:39,840 --> 00:01:43,230
But it's enough for us to see what's going on.
25
00:01:43,800 --> 00:01:49,620
So in Wireshark, you can see that traffic was sent from a source IP address.

26
00:01:50,390 --> 00:01:55,220
10.1.1.1 to a destination IP address of 10.1.1.100.

27
00:01:55,340 --> 00:01:57,010
This is HTTP traffic.

28
00:01:57,020 --> 00:01:58,040
You can see the protocol.

29
00:01:58,040 --> 00:01:59,480
There is HTTP.

30
00:02:00,140 --> 00:02:01,490
You can see the length.

31
00:02:02,780 --> 00:02:05,030
You can see that it's an HTTP GET.

32
00:02:05,060 --> 00:02:09,020
In other words, the PC is trying to get a web page from the server.

33
00:02:09,770 --> 00:02:15,830
Now, before I go through the Wireshark capture in more detail, let's explain some of the basics that

34
00:02:15,830 --> 00:02:17,360
you see in Wireshark.

35
00:02:17,780 --> 00:02:19,730
The first thing you see is a frame.

36
00:02:20,670 --> 00:02:25,340
Now in networking, this is known as layer two of the OSI model.

37
00:02:25,610 --> 00:02:28,400
Information captured here is known as frames.

38
00:02:28,400 --> 00:02:30,610
So this is known as a frame.

39
00:02:30,620 --> 00:02:33,230
We've captured an Ethernet II frame.

40
00:02:33,230 --> 00:02:36,110
In other words, we've captured traffic on Ethernet.

41
00:02:36,350 --> 00:02:40,100
There are different types of Ethernet frames, but Ethernet II is the most common.

42
00:02:40,100 --> 00:02:44,210
The source MAC address is a VMware host. Destination

43
00:02:44,210 --> 00:02:45,380
MAC address is this.

44
00:02:45,620 --> 00:02:49,730
So the source MAC address is the PC.

45
00:02:49,880 --> 00:02:53,600
This PC is actually running inside of VMware.

46
00:02:53,900 --> 00:03:02,840
If I type ipconfig /all, you'll be able to see the MAC address of the host, 00:0c:29, ending in

47
00:03:02,840 --> 00:03:04,400
DC D7.

48
00:03:05,250 --> 00:03:08,520
And hopefully that's what we see over here.

49
00:03:09,090 --> 00:03:12,630
So notice the MAC address is DC D7.
50
00:03:13,230 --> 00:03:16,950
So notice this MAC address is the MAC address of the PC.

51
00:03:16,980 --> 00:03:19,320
Destination address is this.

52
00:03:19,680 --> 00:03:21,840
That's the MAC address of the server.

53
00:03:22,170 --> 00:03:23,970
Notice the MAC address over here.

54
00:03:25,280 --> 00:03:29,060
36 E4 5C 40 91 A2.

55
00:03:29,090 --> 00:03:29,900
There you go.

56
00:03:30,290 --> 00:03:34,310
That's the IP address of the server, MAC address of the server.

57
00:03:34,730 --> 00:03:39,350
Here's the IP address of the PC and the MAC address of the PC.

58
00:03:39,680 --> 00:03:45,110
So in networking, we use the term frame at layer two.

59
00:03:45,350 --> 00:03:50,390
You get different types of frames on Ethernet, typically Ethernet II, but on a WAN connection or

60
00:03:50,390 --> 00:03:58,020
wide area network connection, you could be using something like Point-to-Point Protocol or PPP, or HDLC.

61
00:03:58,040 --> 00:04:03,290
Or in the old days you had encapsulation like Frame Relay or ATM.

62
00:04:03,410 --> 00:04:11,210
In other words, the layer two frame changes depending on the physical technology that you're using.

63
00:04:11,210 --> 00:04:13,610
The most common technology today is Ethernet.

64
00:04:13,610 --> 00:04:17,329
The most common Ethernet frame type is Ethernet II.

65
00:04:17,329 --> 00:04:19,610
So this is known as a frame.

66
00:04:19,790 --> 00:04:26,180
Now, just to make it more confusing, in Wireshark, they talk about frames here as well.

67
00:04:26,180 --> 00:04:31,790
But this is actually just metadata used within Wireshark that tells us about the frame.

68
00:04:31,880 --> 00:04:34,340
So again, this is just metadata.

69
00:04:34,340 --> 00:04:38,050
We don't typically talk about that as a frame in networking.

70
00:04:38,060 --> 00:04:39,500
This is known as a frame.

71
00:04:39,680 --> 00:04:42,920
This is known as layer two in the OSI model.

72
00:04:43,160 --> 00:04:44,810
So this is a frame.
73
00:04:44,810 --> 00:04:48,500
At layer three, we have what's called a packet.

74
00:04:48,590 --> 00:04:55,100
So when we refer to the layers in the OSI model, we use terms such as frame at layer two, packet at

75
00:04:55,100 --> 00:04:59,900
layer three and segment at layer four. At layer three,

76
00:04:59,900 --> 00:05:02,690
we've captured the IP version 4 addresses.

77
00:05:02,690 --> 00:05:04,670
So this is IP version 4 information.

78
00:05:05,060 --> 00:05:08,510
The protocol used at layer four is IP version 4.

79
00:05:09,270 --> 00:05:12,150
What I'll do, actually, at this point is stop my Wireshark capture.

80
00:05:12,910 --> 00:05:15,610
So that the capture that I share with you isn't too big.

81
00:05:16,810 --> 00:05:19,060
And I'll save this as.

82
00:05:20,240 --> 00:05:22,190
Basic Wireshark.

83
00:05:23,830 --> 00:05:24,940
Capture one.

84
00:05:25,750 --> 00:05:31,210
Notice it's a pcapng file, a pcap next generation Wireshark file.

85
00:05:31,510 --> 00:05:35,560
So that's the file that you'll download and you'll be able to do something similar to what I've done

86
00:05:35,560 --> 00:05:35,950
here.

87
00:05:36,580 --> 00:05:40,700
So again, the protocol at layer three is IP version 4.

88
00:05:40,720 --> 00:05:43,210
Source IP address is this, destination IP address is

89
00:05:43,210 --> 00:05:49,690
this. IP version 4 contains a lot of information, differentiated services code point or differentiated

90
00:05:49,690 --> 00:05:57,250
services field, DSCP. Differentiated Services Code Point is to do with quality of service.

91
00:05:57,250 --> 00:06:03,400
Quality of service or QoS allows us to differentiate some traffic types from others.

92
00:06:03,400 --> 00:06:08,590
So in other words, we could say that voice traffic is more important than FTP traffic.

93
00:06:08,830 --> 00:06:14,980
So when you make a voice call, it should be prioritized over File Transfer Protocol or FTP traffic.
94
00:06:15,370 --> 00:06:20,020
This is a way to indicate to the network how important the traffic is.

95
00:06:20,350 --> 00:06:25,720
A lot of other information is shown in this header, including as an example that the protocol used

96
00:06:25,720 --> 00:06:27,640
at layer four is TCP/IP.

97
00:06:27,910 --> 00:06:31,750
So layer four, once again, this is layer two frame.

98
00:06:31,750 --> 00:06:36,850
Layer three is packet, layer four is segment. At layer four

99
00:06:36,850 --> 00:06:43,900
in the OSI model, we are using TCP here and you can see source and destination port numbers. HTTP

100
00:06:43,930 --> 00:06:49,090
or Hypertext Transfer Protocol uses the well-known port number of 80.

101
00:06:49,240 --> 00:06:52,180
The server was listening on port 80.

102
00:06:52,360 --> 00:06:56,740
That's why when the client made a connection to the server.

103
00:06:57,620 --> 00:06:59,990
The web page displayed.

104
00:07:00,020 --> 00:07:02,780
The client initiated a session to port 80.

105
00:07:02,810 --> 00:07:05,210
The server was listening on port 80.

106
00:07:05,600 --> 00:07:08,170
It served because it's a server.

107
00:07:08,180 --> 00:07:15,380
It served a web page to the client, in this case using the protocol HTTP.

108
00:07:15,500 --> 00:07:24,170
So it basically has this page, this web page hosted on its hard drive, and it served that page to the

109
00:07:24,170 --> 00:07:27,020
client when the client connected on port 80.

110
00:07:27,230 --> 00:07:33,440
The client uses this random port number, or ephemeral port number to use the correct term.

111
00:07:33,440 --> 00:07:39,530
So it connects to the server using an ephemeral or random port number, going to a well-known port number

112
00:07:39,530 --> 00:07:40,400
of 80.

113
00:07:40,520 --> 00:07:42,350
And then you can see here.

114
00:07:43,030 --> 00:07:46,360
The application used is Hypertext Transfer Protocol.
115
00:07:46,480 --> 00:07:53,590
Now in networking, we talk about the same model, but typically it's a hybrid model between the TCP

116
00:07:53,590 --> 00:07:56,080
model and the OSI model.

117
00:07:56,680 --> 00:08:01,150
At the top of the OSI model we have application, presentation and session.

118
00:08:01,160 --> 00:08:05,310
Those layers are often grouped into a single layer called application.

119
00:08:05,320 --> 00:08:06,980
So notice we have layer two here.

120
00:08:07,000 --> 00:08:08,800
Layer one is the physical medium.

121
00:08:08,800 --> 00:08:10,890
So that's not shown in the Wireshark capture.

122
00:08:10,900 --> 00:08:15,370
The physical medium here is Ethernet, could be copper or could be fibre.

123
00:08:15,640 --> 00:08:21,030
In our example, this is just a virtual network, but in the real world this would be physical Ethernet,

124
00:08:21,040 --> 00:08:22,750
in this case perhaps copper.

125
00:08:22,780 --> 00:08:25,180
So the physical media is copper.

126
00:08:25,180 --> 00:08:27,910
So that's the physical connection.

127
00:08:28,760 --> 00:08:31,250
Here it's just a virtual, logical connection.

128
00:08:31,700 --> 00:08:36,620
So layer one, physical; layer two, data link, or in this case, it's Ethernet.

129
00:08:36,650 --> 00:08:39,090
Layer three is network.

130
00:08:39,110 --> 00:08:41,240
In this case, we've got IP.

131
00:08:41,330 --> 00:08:42,980
Layer four is transport.

132
00:08:42,980 --> 00:08:44,470
In this case, it's TCP/IP.

133
00:08:44,480 --> 00:08:49,280
And then the top three layers are kind of combined into one layer, the application layer.

134
00:08:49,280 --> 00:08:51,940
So notice Hypertext Transfer Protocol.

135
00:08:51,950 --> 00:09:02,360
And inside here we can see details such as the client used. It shows up as Windows NT 10.0, 64, but

136
00:09:02,390 --> 00:09:05,360
using a browser, Mozilla 5.0.

137
00:09:07,470 --> 00:09:10,550
So in this example, I'm actually using Microsoft Edge.
138
00:09:10,560 --> 00:09:14,400
That's the browser used within Windows 10.

139
00:09:14,640 --> 00:09:17,250
So this is a Windows 10 virtual computer.

140
00:09:17,280 --> 00:09:18,960
In other words, it's virtualized.

141
00:09:18,960 --> 00:09:24,540
I'm actually running on a Mac here, recording on a Mac, but I'm running VMware, which allows me to

142
00:09:24,540 --> 00:09:28,140
virtualize multiple devices within my GNS3

143
00:09:28,150 --> 00:09:29,100
topology.

144
00:09:29,310 --> 00:09:35,790
So the Wireshark capture sees the client as a Windows 10 computer, which is correct.

145
00:09:35,820 --> 00:09:38,010
It's using 64-bit Windows.

146
00:09:38,190 --> 00:09:39,750
Mozilla is the browser.

147
00:09:39,750 --> 00:09:44,730
It's actually Microsoft Edge, and then the server replies back.

148
00:09:44,760 --> 00:09:49,020
Notice in the server example, the MAC addresses are swapped round.

149
00:09:49,470 --> 00:09:52,200
In this example, I've got a layer two switch.

150
00:09:52,230 --> 00:09:55,950
A layer two switch means that it's just simply switching frames.

151
00:09:55,950 --> 00:09:59,670
In other words, layer two data from one port to another.

152
00:09:59,670 --> 00:10:03,090
It's not trying to route the data from one network to another.

153
00:10:03,120 --> 00:10:09,840
These two hosts are in the same subnet or the same network, so the switch is simply switching the traffic

154
00:10:09,840 --> 00:10:11,360
from one port to another.

155
00:10:11,370 --> 00:10:16,920
So in this example, the IP addresses are swapped around and so are the MAC addresses. Going back to

156
00:10:16,920 --> 00:10:18,090
the first example.

157
00:10:18,120 --> 00:10:20,700
Notice source MAC address is this, destination

158
00:10:20,700 --> 00:10:27,720
MAC address is this. When the server replies, those are simply swapped around, so the server is replying

159
00:10:27,720 --> 00:10:28,940
with its MAC address as the source.
160
00:10:28,950 --> 00:10:32,730
Destination MAC address is the Windows computer.

161
00:10:32,820 --> 00:10:35,880
IP addresses are swapped around and so are port numbers.

162
00:10:36,090 --> 00:10:41,790
And if we look at the Hypertext Transfer Protocol, notice we can see status 200

163
00:10:41,830 --> 00:10:47,840
OK. 200 means that the server was able to provide the data to the client.

164
00:10:47,850 --> 00:10:50,690
We didn't have a 404 HTML error.

165
00:10:50,700 --> 00:10:55,350
As an example, some data was provided to the client.

166
00:10:55,380 --> 00:10:59,910
Notice you can see here the actual web page that was served to the client.

167
00:11:00,000 --> 00:11:02,670
So you can see it says Networkers Toolkit.

168
00:11:02,700 --> 00:11:08,310
You can see the PNG file. Notice Networkers Toolkit.

169
00:11:08,310 --> 00:11:14,310
And if I look at that web page on the client, notice you can see the output here.

170
00:11:14,640 --> 00:11:20,100
It says www files located at /var/www/html.

171
00:11:20,100 --> 00:11:28,560
And if we look here, that's actually what you see, files located at /var/www/html.

172
00:11:29,100 --> 00:11:36,030
So if I scroll to the right, notice you see the full output. You get to root after logging in.

173
00:11:37,850 --> 00:11:44,990
Notice we told you you can place files in tftpboot and that's exactly what you see over here.

174
00:11:45,260 --> 00:11:48,660
So Wireshark has read the HTTP traffic.

175
00:11:48,680 --> 00:11:50,420
Be careful with HTTP.

176
00:11:50,450 --> 00:11:51,730
It's clear text.

177
00:11:51,740 --> 00:11:55,970
So through Wireshark you can see exactly what's going on here.

178
00:11:55,970 --> 00:12:01,790
The client is trying to get the PNG image, so it's trying to get the actual PNG image.

179
00:12:01,790 --> 00:12:08,150
And here the server, which is an Ubuntu server, is providing the PNG file.
180
00:12:08,300 --> 00:12:13,280
So that's the actual file and you can actually export that.

181
00:12:14,870 --> 00:12:16,430
And I do this again in other videos.

182
00:12:16,430 --> 00:12:17,930
But let's do it right now.

183
00:12:18,410 --> 00:12:20,180
GNS3 image.

184
00:12:21,090 --> 00:12:22,980
So I'm going to export that to my desktop.

185
00:12:24,630 --> 00:12:28,290
And on my desktop, I'm going to change that.

186
00:12:29,940 --> 00:12:31,530
To a PNG file.

187
00:12:32,820 --> 00:12:34,320
And then when I open it up.

188
00:12:35,480 --> 00:12:37,580
Notice there's the actual image.

189
00:12:37,760 --> 00:12:42,320
So Wireshark captured all the data from the server as well as the image.

190
00:12:42,890 --> 00:12:45,290
And that's the image that we have on the server.

191
00:12:45,320 --> 00:12:51,710
So once again, to do that, click Portable Network Graphics because it's a PNG file and then go

192
00:12:51,710 --> 00:12:55,560
Export Packet Bytes, save it to your hard drive.

193
00:12:55,580 --> 00:12:57,290
So I'm going to save it once again as GNS3

194
00:12:57,290 --> 00:12:57,530
image

195
00:12:57,530 --> 00:12:58,580
two.

196
00:12:59,940 --> 00:13:01,710
And then I'm going to rename it.

197
00:13:02,620 --> 00:13:04,600
So it saved it as a .bin file.

198
00:13:04,930 --> 00:13:08,860
I'm going to rename that as .png because it's a PNG file.

199
00:13:10,230 --> 00:13:16,530
And then when I open it up, you can see that it's a PNG file and there's the actual image.

200
00:13:16,950 --> 00:13:17,610
So.

201
00:13:18,710 --> 00:13:25,810
You can see here, it's getting the favicon and then we're getting something HTTP 404 error,

202
00:13:25,820 --> 00:13:27,050
something not found.

203
00:13:27,050 --> 00:13:29,060
So something went wrong here.

204
00:13:30,090 --> 00:13:36,180
But the point is that you can read the actual HTTP traffic. And remember,
205
00:13:37,110 --> 00:13:40,560
because these devices are in the same subnet,

206
00:13:41,730 --> 00:13:44,790
all that happens is the MAC addresses are swapped around, IP addresses

207
00:13:44,790 --> 00:13:49,260
are swapped round, port numbers are swapped around during that communication.

208
00:13:49,470 --> 00:13:54,210
So source IP is host here, source IP is the server.

209
00:13:54,480 --> 00:13:59,250
So when the server replies back, it's replying back from port 80 to the client.

210
00:13:59,820 --> 00:14:05,430
So that was a very basic example of using Wireshark to see what's going on in the network.

211
00:14:05,670 --> 00:14:09,450
Were you able to download the pcap file?

212
00:14:09,480 --> 00:14:13,860
Were you able to open it up in Wireshark and actually do something similar to what I've done here?

213
00:14:13,890 --> 00:14:20,820
There's no better way to learn than to practically use Wireshark, capture frames and see for yourself

214
00:14:20,820 --> 00:14:21,900
what's going on.

215
00:14:21,930 --> 00:14:27,690
I've made it a little bit more simple by giving you some pcap files, but hopefully they mean something

216
00:14:27,690 --> 00:14:33,660
because you're using the actual files that I'm recording right now rather than just some random

217
00:14:33,660 --> 00:14:35,220
file that you got off the Internet.

218
00:14:35,610 --> 00:14:39,300
Now, please note it means a lot to me if you provide feedback on the course.

219
00:14:39,300 --> 00:14:43,020
So if you're enjoying the video, then please say so.

220
00:14:43,440 --> 00:14:48,960
If you get prompted to leave a review and you're enjoying the course, then please do that because it

221
00:14:48,960 --> 00:14:51,360
helps other students and it helps me make the course better.

222
00:14:51,600 --> 00:14:53,850
Let me know how I can improve the course as well.