1
00:00:00,480 --> 00:00:05,460
You need to be careful when using Wireshark to capture packets or frames from a network.

2
00:00:05,730 --> 00:00:11,910
You need to think about how traffic flows through a network and make sure that you're capturing in the

3
00:00:11,910 --> 00:00:13,470
right part of the network.

4
00:00:13,800 --> 00:00:19,950
So as an example, if PC1 opens up a browser and connects to the server,

5
00:00:19,980 --> 00:00:22,230
where do you need to capture the traffic?

6
00:00:22,260 --> 00:00:27,930
Now it's obvious that you may capture here or may capture here, but what happens if you capture over

7
00:00:27,930 --> 00:00:28,430
here?

8
00:00:28,440 --> 00:00:33,300
Will you see the traffic sent from the client to the server?

9
00:00:33,630 --> 00:00:35,760
Notice we're seeing a whole bunch of traffic here.

10
00:00:35,790 --> 00:00:39,750
We're seeing ISP, we're seeing Spanning Tree.

11
00:00:39,780 --> 00:00:44,010
We see other protocols, but let's filter for HTTP.

12
00:00:44,550 --> 00:00:47,220
So at the moment we see no HTTP traffic.

13
00:00:48,230 --> 00:00:52,160
What happens when PC1 opens up a browser to the server?

14
00:00:53,800 --> 00:00:55,450
So I'll close this down.

15
00:00:56,820 --> 00:00:59,160
And let's open up a browser.

16
00:01:01,260 --> 00:01:04,599
And go to 10.1.1.100.

17
00:01:04,620 --> 00:01:05,670
So the server.

18
00:01:06,640 --> 00:01:07,930
Do we see

19
00:01:08,980 --> 00:01:10,480
any HTTP traffic?

20
00:01:10,600 --> 00:01:11,950
And the answer is no.

21
00:01:12,840 --> 00:01:15,750
If I clear the filters, I'll see a whole bunch of traffic.

22
00:01:15,750 --> 00:01:17,760
So as an example, I can see DNS.

23
00:01:17,880 --> 00:01:19,380
So there are DNS queries.

24
00:01:19,380 --> 00:01:20,910
So let's filter for DNS.

25
00:01:22,480 --> 00:01:26,470
Notice the client 10.1.1.1 sent a DNS query.

26
00:01:26,470 --> 00:01:29,440
You can see the query here to the DNS server.

27
00:01:29,770 --> 00:01:35,260
The source IP address is 10.1.1.1, destination is 10.1.1.254.

28
00:01:35,560 --> 00:01:40,750
Now in this topology, the router is acting as a DNS server.

29
00:01:41,140 --> 00:01:42,940
This is a Cisco router.

30
00:01:43,920 --> 00:01:50,820
So show version here shows me that I'm running Cisco IOS software on this router.

31
00:01:51,480 --> 00:01:57,090
Now, if you're not familiar with Cisco, again, you get free access to my CCNA course.

32
00:01:57,090 --> 00:01:59,610
So that'll teach you a whole bunch about Cisco routers.

33
00:01:59,610 --> 00:02:02,460
But you don't need to know that to use Wireshark.

34
00:02:02,460 --> 00:02:08,550
But if you want to be a serious network engineer, I strongly suggest that you learn about Cisco because

35
00:02:08,550 --> 00:02:10,289
Cisco is the biggest vendor out there.

36
00:02:10,960 --> 00:02:18,520
But what I've done here, if I type show run | include dns, I have set up this router as a DNS server

37
00:02:18,550 --> 00:02:21,040
through this command, ip dns server.

38
00:02:21,430 --> 00:02:28,750
Now these commands may be confusing, so let me show you that the router is also acting as a DHCP server,

39
00:02:28,870 --> 00:02:31,600
or Dynamic Host Configuration Protocol server.

40
00:02:31,630 --> 00:02:35,070
In other words, it's allocating IP addresses to clients dynamically.

41
00:02:35,110 --> 00:02:38,140
The PCs are not configured with static IP addresses.

42
00:02:38,350 --> 00:02:41,560
They dynamically get IP addresses from the DHCP server.

43
00:02:41,740 --> 00:02:48,400
So this allows me to configure the router as a DHCP server, and this command allows me to create entries

44
00:02:48,400 --> 00:02:56,080
in the DNS server running on this router that say gns3.com has this IP address.

45
00:02:56,080 --> 00:03:03,880
So as an example, if I ping gns3.com, that resolves to this IP address. Domain Name Server,

46
00:03:03,880 --> 00:03:05,290
or Domain Name System,

47
00:03:05,290 --> 00:03:11,140
DNS, allows us to resolve easy-to-read names to IP addresses.

48
00:03:11,380 --> 00:03:14,200
This GNS3 topology is not connected to the Internet.

49
00:03:14,200 --> 00:03:17,170
It's running locally on my computer.

50
00:03:17,290 --> 00:03:23,550
So gns3.com, if you surf from an Internet-connected device, will take you to the actual GNS3

51
00:03:23,620 --> 00:03:24,430
server.

52
00:03:24,430 --> 00:03:28,960
But in this example, it's simply taking us to this server in the topology.

53
00:03:29,440 --> 00:03:31,810
Now what I'll do is stop this Wireshark capture.

54
00:03:33,220 --> 00:03:34,540
And I'll save this.

55
00:03:38,310 --> 00:03:40,410
Basic Wireshark capture 2.

56
00:03:40,440 --> 00:03:43,530
So you can also, once again, have a look at this capture if you want to.

57
00:03:44,330 --> 00:03:48,590
But notice the client is sending a DNS request to the server.

58
00:03:48,620 --> 00:03:54,050
The reason this was captured is we were capturing traffic on this link, and the PC is sending a DNS request

59
00:03:54,050 --> 00:03:56,360
to the router, which is the DNS server.

60
00:03:59,400 --> 00:04:02,850
Source MAC address is the PC, destination address is the router.

61
00:04:06,640 --> 00:04:14,980
We can prove that once again by going to the router, and I can use the command show interface gigabit

62
00:04:16,079 --> 00:04:17,670
0/0.

63
00:04:17,730 --> 00:04:20,640
Notice the MAC address of this router is this.

64
00:04:20,640 --> 00:04:23,670
And that's the destination MAC address of the frame.

65
00:04:23,670 --> 00:04:29,310
So the PC sent a DNS request to the router. Source IP address is the PC, destination

66
00:04:29,310 --> 00:04:30,690
IP address is the router.

67
00:04:31,020 --> 00:04:34,170
I can prove that once again by going back to the router.

68
00:04:34,260 --> 00:04:36,300
Remember I typed this command.

69
00:04:36,300 --> 00:04:37,710
There's the MAC address.

70
00:04:37,800 --> 00:04:40,140
There's the IP address of the router.

71
00:04:40,290 --> 00:04:42,420
10.1.1.254.

72
00:04:42,870 --> 00:04:49,230
Source port number is an ephemeral, or random, or dynamic port number. Destination port number is a well-

73
00:04:49,230 --> 00:04:49,890
known port.

74
00:04:49,890 --> 00:04:54,690
Number 53 is the well-known port number for DNS.

75
00:04:55,650 --> 00:04:58,080
So again, layer 2 frames.

76
00:04:58,080 --> 00:04:59,700
Layer 3 packets.

77
00:04:59,730 --> 00:05:01,340
Layer 4 segments.

78
00:05:01,350 --> 00:05:05,700
In this case, however, it's UDP, or User Datagram Protocol.

79
00:05:05,700 --> 00:05:07,430
It's not TCP.

80
00:05:07,770 --> 00:05:15,960
DNS in this example is using UDP. Source port again, destination port. If we get to layers 5 to 7,

81
00:05:15,960 --> 00:05:20,430
so the top layers of the OSI model, you can see it's a standard query.

82
00:05:21,860 --> 00:05:24,410
Let's go through that standard query.

83
00:05:26,680 --> 00:05:29,970
So the queries in this example are for MSN.

84
00:05:29,980 --> 00:05:31,840
So something was happening in the background.

85
00:05:31,990 --> 00:05:35,410
But let's have a look for gns3.com.

86
00:05:35,410 --> 00:05:42,340
But notice Windows, just right out of the gate, is querying for a whole bunch of stuff, including Bing.

87
00:05:43,720 --> 00:05:45,810
So a whole bunch of queries there.

88
00:05:45,820 --> 00:05:51,400
Let's see if we carry on: a bunch of Microsoft and MSN, keep going.

89
00:05:52,420 --> 00:05:56,560
A lot of queries, but this is the one I'm after. Notice gns3.com.

90
00:05:57,130 --> 00:06:06,040
So the Windows PC in this example queried for gns3.com, and the server hopefully at some point replies.

91
00:06:06,040 --> 00:06:11,350
Here we go: the server replies back to the client. Notice the source port is 53.

92
00:06:11,350 --> 00:06:14,830
Destination port is the ephemeral port used by the client.

93
00:06:15,190 --> 00:06:19,480
Now notice different port numbers were used for different queries.

94
00:06:19,780 --> 00:06:24,940
So the Bing query over here used this source port number from the client.

95
00:06:25,820 --> 00:06:28,540
I'd have to go back and find the gns3 query.

96
00:06:28,550 --> 00:06:29,300
There it is.

97
00:06:29,330 --> 00:06:33,560
Notice 55037 is the source port

98
00:06:33,560 --> 00:06:41,150
when the query was made. When the server replies, it's replying back to that port number, and it tells

99
00:06:41,150 --> 00:06:44,900
the client the IP address of the server.

100
00:06:45,200 --> 00:06:48,830
So the router, acting as a DNS server, is telling the client

101
00:06:48,830 --> 00:06:57,500
gns3.com has this IP address, 10.1.1.100, and then the client can initiate a session to the

102
00:06:57,500 --> 00:06:58,220
server.

103
00:06:58,220 --> 00:07:01,520
But we don't see that if we capture traffic on this link.

104
00:07:01,850 --> 00:07:04,250
So again, if I filter

105
00:07:05,910 --> 00:07:15,570
for HTTP, I see nothing in the output because the HTTP traffic is sent directly from the client to

106
00:07:15,570 --> 00:07:16,320
the server.

107
00:07:16,500 --> 00:07:17,220
Why?

108
00:07:17,250 --> 00:07:18,750
Because this is a switch.

109
00:07:19,850 --> 00:07:27,890
It's important to remember that switches do not flood traffic once they know the MAC addresses involved

110
00:07:27,890 --> 00:07:29,000
in a conversation.

111
00:07:31,870 --> 00:07:35,410
So as an example, if I type show mac address-table.

112
00:07:37,070 --> 00:07:41,060
Notice we can see the MAC addresses that have been learnt.

113
00:07:41,630 --> 00:07:45,920
The switch has learnt about this MAC address on Gigabit 0/0.

114
00:07:45,950 --> 00:07:51,860
It's also learnt about this MAC address, and it's learnt about this MAC address on Gigabit 0/1.

115
00:07:52,340 --> 00:08:00,770
Now when I send traffic from the client... so that could have timed out, if I refresh that page.

116
00:08:02,360 --> 00:08:06,170
Notice it's learnt about this MAC address on Gigabit 0/2.

117
00:08:06,530 --> 00:08:13,520
Once the switch learns about the MAC addresses in the conversation... this once again is the server.

118
00:08:14,930 --> 00:08:16,610
And just in case you don't believe me,

119
00:08:16,610 --> 00:08:21,200
notice this is the MAC address of the server.

120
00:08:21,740 --> 00:08:24,050
This is the HTTP server over here.

121
00:08:25,430 --> 00:08:28,430
Notice this MAC address was learnt on Gigabit 0/2.

122
00:08:28,790 --> 00:08:33,530
Once this switch has learnt about the two devices in the conversation, it's not going to flood the frames

123
00:08:33,530 --> 00:08:34,510
out of other ports.

124
00:08:34,520 --> 00:08:36,980
It's going to be switched directly between these two hosts.

125
00:08:37,280 --> 00:08:39,980
So the PC

126
00:08:41,630 --> 00:08:47,120
with this MAC address, 000c ending in dd7.

127
00:08:48,180 --> 00:08:54,720
In other words, this MAC address is going to have its traffic forwarded directly to the server, and

128
00:08:54,720 --> 00:08:58,350
the server traffic is going to go directly back to the PC.

129
00:08:58,380 --> 00:09:04,290
So if you capture traffic on this link, you won't see the conversation between the server and the client.

130
00:09:04,590 --> 00:09:11,250
That's why you need to either SPAN a port or mirror a port on the switch to be able to see what's going

131
00:09:11,250 --> 00:09:11,580
on.

132
00:09:11,880 --> 00:09:17,220
Or you need to have a network tap or something in the network where you can see the traffic.

133
00:09:17,250 --> 00:09:21,030
You've got to get the traffic to your capturing device.

134
00:09:21,060 --> 00:09:22,590
Otherwise you won't see it.

135
00:09:22,950 --> 00:09:24,900
So in the next video, I'll show you how to do that.

136
00:09:25,110 --> 00:09:29,190
Let's add a mirror to the topology so that we can actually see what's going on.