1
00:00:00,480 --> 00:00:05,460
You need to be careful when using wire shock to capture packets or frames from a network.

2
00:00:05,730 --> 00:00:11,910
You need to think about how traffic flows through a network and make sure that you're capturing in the

3
00:00:11,910 --> 00:00:13,470
right part of the network.

4
00:00:13,800 --> 00:00:19,950
So as an example, if PC one opens up a browser and connects to the server.

5
00:00:19,980 --> 00:00:22,230
Where do you need to capture the traffic?

6
00:00:22,260 --> 00:00:27,930
Now it's obvious that you may capture here or may capture here, but what happens if you capture over

7
00:00:27,930 --> 00:00:28,430
here?

8
00:00:28,440 --> 00:00:33,300
Will you see the traffic sent from the client to the server?

9
00:00:33,630 --> 00:00:35,760
Notice we're seeing a whole bunch of traffic here.

10
00:00:35,790 --> 00:00:39,750
We're seeing ISP, we're seeing Spanning Tree.

11
00:00:39,780 --> 00:00:44,010
We see other protocols, but let's filter for HTTP.

12
00:00:44,550 --> 00:00:47,220
So at the moment we see no HTTP traffic.

13
00:00:48,230 --> 00:00:52,160
What happens when PC one opens up a browser to the server?

14
00:00:53,800 --> 00:00:55,450
So I'll close this down.

15
00:00:56,820 --> 00:00:59,160
And let's open up a browser.

16
00:01:01,260 --> 00:01:04,599
And go to 10.1 at 1.100.

17
00:01:04,620 --> 00:01:05,670
So the server.

18
00:01:06,640 --> 00:01:07,930
Do we see?

19
00:01:08,980 --> 00:01:10,480
Any HTTP traffic.

20
00:01:10,600 --> 00:01:11,950
And the answer is no.

21
00:01:12,840 --> 00:01:15,750
If I clear the filters, I'll see a whole bunch of traffic.

22
00:01:15,750 --> 00:01:17,760
So as an example, I can see DNS.

23
00:01:17,880 --> 00:01:19,380
So there's DNS queries.

24
00:01:19,380 --> 00:01:20,910
So let's filter for DNS.

25
00:01:22,480 --> 00:01:26,470
Notice the client ten 111 sent a DNS query.

26
00:01:26,470 --> 00:01:29,440
You can see query here to the DNS server.

27
00:01:29,770 --> 00:01:35,260
The source IP address is ten 111 destination is ten 11254.

28
00:01:35,560 --> 00:01:40,750
Now in this topology, the router is acting as a DNS server.

29
00:01:41,140 --> 00:01:42,940
This is a Cisco router.

30
00:01:43,920 --> 00:01:50,820
So show version here shows me that I'm running Cisco iOS software on this router.

31
00:01:51,480 --> 00:01:57,090
Now, if you're not familiar with Cisco again, you get free access to my CCNA course.

32
00:01:57,090 --> 00:01:59,610
So that'll teach you a whole bunch about Cisco routers.

33
00:01:59,610 --> 00:02:02,460
But you don't need to know that to use Wireshark.

34
00:02:02,460 --> 00:02:08,550
But if you want to be a serious network engineer, I strongly suggest that you learn about Cisco because

35
00:02:08,550 --> 00:02:10,289
Cisco the biggest vendor out there.

36
00:02:10,960 --> 00:02:18,520
But what I've done here if I type show run pipe include DNS, I have set up this router as a DNS server

37
00:02:18,550 --> 00:02:21,040
through this command IP DNS server.

38
00:02:21,430 --> 00:02:28,750
Now these commands may be confusing, so let me show you that the router is also acting as a DHCP server

39
00:02:28,870 --> 00:02:31,600
or dynamic host configuration protocol server.

40
00:02:31,630 --> 00:02:35,070
In other words, it's allocating IP addresses to clients dynamically.

41
00:02:35,110 --> 00:02:38,140
The PCs are not configured with static IP addresses.

42
00:02:38,350 --> 00:02:41,560
They dynamically get IP addresses from the DHCP server.

43
00:02:41,740 --> 00:02:48,400
So this allows me to configure the router as a DHCP server and this command allows me to create entries

44
00:02:48,400 --> 00:02:56,080
in the DNS server running on this router that says Janus three dot com has this IP address.

45
00:02:56,080 --> 00:03:03,880
So as an example, if I ping June three dot com that resolves to this IP address, domain name, server

46
00:03:03,880 --> 00:03:05,290
or domain name system.

47
00:03:05,290 --> 00:03:11,140
DNS allows us to resolve easy to read names to IP addresses.

48
00:03:11,380 --> 00:03:14,200
This is three topology is not connected to the Internet.

49
00:03:14,200 --> 00:03:17,170
It's running locally on my computer.

50
00:03:17,290 --> 00:03:23,550
So Julius Newcomb, if you surf from an Internet connected device, will take you to the actual gas

51
00:03:23,620 --> 00:03:24,430
three server.

52
00:03:24,430 --> 00:03:28,960
But in this example, it's simply taking us to this server in the topology.

53
00:03:29,440 --> 00:03:31,810
Now what I'll do is stop this Wireshark capture.

54
00:03:33,220 --> 00:03:34,540
And I'll save this.

55
00:03:38,310 --> 00:03:40,410
Basic Wireshark capture, too.

56
00:03:40,440 --> 00:03:43,530
So you can also once again have a look at this capture if you want to.

57
00:03:44,330 --> 00:03:48,590
But Natasha, the client is sending a DNS request to the server.

58
00:03:48,620 --> 00:03:54,050
The reason this was captured is we were capturing traffic on this link and the PC is sending a DNS request

59
00:03:54,050 --> 00:03:56,360
to the router, which is the DNS server.

60
00:03:59,400 --> 00:04:02,850
Source Mac addresses the PC destination address is the router.

61
00:04:06,640 --> 00:04:14,980
We can prove that once again by going to the Rada and I can use the command show interface gigabit.

62
00:04:16,079 --> 00:04:17,670
0/0.

63
00:04:17,730 --> 00:04:20,640
Notice the Mac address of this router is this.

64
00:04:20,640 --> 00:04:23,670
And that's the destination mac address of the frame.

65
00:04:23,670 --> 00:04:29,310
So the PC sent a DNS request to the router source ip address is the PC destination.

66
00:04:29,310 --> 00:04:30,690
IP address is the router.

67
00:04:31,020 --> 00:04:34,170
I can prove that once again by going back to the router.

68
00:04:34,260 --> 00:04:36,300
Remember I typed this command.

69
00:04:36,300 --> 00:04:37,710
There's the MAC address.

70
00:04:37,800 --> 00:04:40,140
There's the IP address of the router.

71
00:04:40,290 --> 00:04:42,420
Ten 11254.

72
00:04:42,870 --> 00:04:49,230
Source port number is an ephemeral or random or dynamic port number destination port number is a well

73
00:04:49,230 --> 00:04:49,890
known port.

74
00:04:49,890 --> 00:04:54,690
Number 53 is the well known port number for DNS.

75
00:04:55,650 --> 00:04:58,080
So again, layer two frames.

76
00:04:58,080 --> 00:04:59,700
Layer three packets.

77
00:04:59,730 --> 00:05:01,340
Layer four segments.

78
00:05:01,350 --> 00:05:05,700
In this case, however, it's UDP or user datagram protocol.

79
00:05:05,700 --> 00:05:07,430
It's not TCP.

80
00:05:07,770 --> 00:05:15,960
DNS in this example is using UDP source port again, destination port if we get to layer 5 to 7.

81
00:05:15,960 --> 00:05:20,430
So top layers of the OS model, you can see it's a standard query.

82
00:05:21,860 --> 00:05:24,410
Let's go through that Senate query.

83
00:05:26,680 --> 00:05:29,970
So the queries are in this example for MSN.

84
00:05:29,980 --> 00:05:31,840
So something was happening in the background.

85
00:05:31,990 --> 00:05:35,410
But let's have a look for Jenny three dot com.

86
00:05:35,410 --> 00:05:42,340
But notice windows just right out the gate is querying for a whole bunch of stuff, including Bing.

87
00:05:43,720 --> 00:05:45,810
So a whole bunch of queries there.

88
00:05:45,820 --> 00:05:51,400
Let's see if we carry on a bunch of Microsoft and MSN keep going.

89
00:05:52,420 --> 00:05:56,560
A lot of queries, but this is the one I'm off to notice newsweek.com.

90
00:05:57,130 --> 00:06:06,040
So the windows PC in this example queried for three dot com and the server hopefully at some point replies

91
00:06:06,040 --> 00:06:11,350
here we go server reply back to the client notice source port is 53.

92
00:06:11,350 --> 00:06:14,830
Destination port is the ephemeral port used by the client.

93
00:06:15,190 --> 00:06:19,480
Now notice different port numbers were used for different queries.

94
00:06:19,780 --> 00:06:24,940
So the Bing query over here used this source port number from the client.

95
00:06:25,820 --> 00:06:28,540
I'd have to go back and find the Genesis three query.

96
00:06:28,550 --> 00:06:29,300
There it is.

97
00:06:29,330 --> 00:06:33,560
Notice 5503 seven is the source port.

98
00:06:33,560 --> 00:06:41,150
When the query was made, when the server replies, it's replying back to that port number and it tells

99
00:06:41,150 --> 00:06:44,900
the client the IP address of the server.

100
00:06:45,200 --> 00:06:48,830
So the router acting as a DNS server is telling the client.

101
00:06:48,830 --> 00:06:57,500
June History.com has this IP address ten one one 100 and then the client can initiate a session to the

102
00:06:57,500 --> 00:06:58,220
server.

103
00:06:58,220 --> 00:07:01,520
But we don't see that if we capture traffic on this link.

104
00:07:01,850 --> 00:07:04,250
So again, if I filter.

105
00:07:05,910 --> 00:07:15,570
For HDPE, I see nothing in the output because the HTTP traffic is sent directly from the client to

106
00:07:15,570 --> 00:07:16,320
the server.

107
00:07:16,500 --> 00:07:17,220
Why?

108
00:07:17,250 --> 00:07:18,750
Because this is a switch.

109
00:07:19,850 --> 00:07:27,890
It's important to remember that switchers do not flood traffic once they know the Mac address is involved

110
00:07:27,890 --> 00:07:29,000
in a conversation.

111
00:07:31,870 --> 00:07:35,410
So as an example if I type show Mac address table.

112
00:07:37,070 --> 00:07:41,060
Notice we can see the MAC addresses that have been learnt.

113
00:07:41,630 --> 00:07:45,920
The switch has learnt about this MAC address on gigabit zero zero.

114
00:07:45,950 --> 00:07:51,860
It's also learnt about this MAC address and it's learnt about this MAC address on gigabyte zero one.

115
00:07:52,340 --> 00:08:00,770
Now when I send traffic from the client, so that could have timed out if I refresh that page.

116
00:08:02,360 --> 00:08:06,170
Notice it's learnt about this Mac address on gigabit zero two.

117
00:08:06,530 --> 00:08:13,520
Once the switch learns about the MAC addresses in the conversation, this once again is the server.

118
00:08:14,930 --> 00:08:16,610
And just in case you don't believe me.

119
00:08:16,610 --> 00:08:21,200
Notice, this is the Mac address of the server.

120
00:08:21,740 --> 00:08:24,050
This is the HTTP server over here.

121
00:08:25,430 --> 00:08:28,430
Notice this Mac address was learnt on gigabit zero two.

122
00:08:28,790 --> 00:08:33,530
Once this switch is learnt about to the devices in the conversation, it's not going to flood the frames

123
00:08:33,530 --> 00:08:34,510
out of other ports.

124
00:08:34,520 --> 00:08:36,980
It's going to be switched directly between these two hosts.

125
00:08:37,280 --> 00:08:39,980
So the PC.

126
00:08:41,630 --> 00:08:47,120
With this MAC address 000c ending in dd7.

127
00:08:48,180 --> 00:08:54,720
You know the words this Mac address is going to have its traffic forwarded directly to the server and

128
00:08:54,720 --> 00:08:58,350
the server traffic is going to go directly back to the PC.

129
00:08:58,380 --> 00:09:04,290
So if you capture traffic on this link, you won't see the conversation between the server and the client.

130
00:09:04,590 --> 00:09:11,250
That's why you need to either span a port or mirror a port on the switch to be able to see what's going

131
00:09:11,250 --> 00:09:11,580
on.

132
00:09:11,880 --> 00:09:17,220
Or you need to have a network tap or something in the network where you can see the traffic.

133
00:09:17,250 --> 00:09:21,030
You've got to get the traffic to your capturing device.

134
00:09:21,060 --> 00:09:22,590
Otherwise you won't see it.

135
00:09:22,950 --> 00:09:24,900
So in the next video, I'll show you how to do that.

136
00:09:25,110 --> 00:09:29,190
Let's add a mirror to the topology so that we can actually see what's going on.