WEBVTT

00:00.450 --> 00:08.730
Protocol analyzers are tools that we use to analyze the network traffic coming in and out of a specific

00:08.850 --> 00:10.170
host computer.

00:10.170 --> 00:12.660
Usually, although not necessarily required,

00:12.690 --> 00:18.030
the one we're sitting at at any given moment. I never really liked the word protocol analyzer.

00:18.030 --> 00:24.750
To me they're more like network analyzers or network traffic analyzers, and these are critical tools

00:24.750 --> 00:29.960
that any good IT security person should know extremely well.

00:29.970 --> 00:36.000
Now the one I'm going to concentrate on today is the very, very famous Wireshark. Now Wireshark has been

00:36.000 --> 00:45.280
around for 20 years, or if not 20, close to it, and has been a powerful go-to tool for that entire time.

00:45.300 --> 00:50.520
Wireshark is completely free, and Wireshark is specifically mentioned on the Security+.

00:50.550 --> 00:54.690
So if we're talking about protocol analyzers we need to know about Wireshark.

00:54.720 --> 01:00.000
Now before I start opening one up and letting you look at it you need to understand that there are two

01:00.030 --> 01:03.600
very separate pieces to any protocol analyzer.

01:03.600 --> 01:06.840
The first piece is what I'm going to call the sniffer.

01:06.840 --> 01:14.570
The sniffer is some type of software, and it usually has a name like pcap, like WinPcap and libpcap

01:14.690 --> 01:16.200
or Npcap.

01:16.410 --> 01:21.930
And these are tools that are actually grabbing all the data that's going in and out of a particular

01:21.930 --> 01:22.800
interface.

01:23.010 --> 01:29.100
And when I say grabbing all the data, I mean all of the data, so all the Ethernet information, all the

01:29.100 --> 01:33.450
IP information, all the application information, it's all there.

01:33.450 --> 01:35.570
And these tools grab it.

01:35.670 --> 01:40.330
So a sniffer grabs all this information, and then the sniffer is going to do one of two things.

01:40.410 --> 01:45.780
It's either going to save it into a file, or it's going to make a live feed directly into the protocol

01:45.780 --> 01:46.670
analyzer.

01:46.680 --> 01:52.890
So the protocol analyzer really just reads pcap data and then, and here's where the term comes from,

01:53.100 --> 01:55.310
analyzes it in a way that we can look at it.

01:55.440 --> 01:57.640
The best way to see this is to see it in action.

01:57.690 --> 02:00.260
So let's fire up Wireshark.

02:00.270 --> 02:06.030
So what I've done here is I just started Wireshark for us, and you'll see that on this particular system

02:06.030 --> 02:08.040
it sees three different interfaces.

02:08.220 --> 02:11.640
I want to keep it simple and just go to my Ethernet interface.

02:11.640 --> 02:16.970
So I'm going to click on that, and then I click on Capture and let's start it up.

02:17.200 --> 02:19.240
I'll make it full screen as soon as it starts.

02:20.980 --> 02:21.490
Great.

02:21.490 --> 02:22.750
Now let's take a look at this.

02:22.780 --> 02:28.230
So what's happening is in real time we are grabbing lots and lots of packets.

02:28.450 --> 02:38.080
So what I'd like to do is I'm just going to scroll up and arbitrarily pick something. You know, I'm going

02:38.080 --> 02:38.790
to stop it.

02:38.800 --> 02:39.790
There we go.

02:39.790 --> 02:41.830
So what I'm going to do is I'm going to pick one of these.

02:41.830 --> 02:48.550
So what you see right here is the 146th packet that it's picked up in this capture so far.

02:48.730 --> 02:55.060
So when I click on this, what we're looking at here at the bottom is the raw binary values.

02:55.090 --> 02:59.260
People don't use that very often, so I'm going to scroll that down, because this middle part is where

02:59.260 --> 03:00.690
things are the most interesting.

03:01.030 --> 03:06.790
So you'll notice what I clicked on is some kind of command. Let's go down one more because that's an

03:06.850 --> 03:07.060
ARP.

03:07.060 --> 03:12.740
I know what that is.

03:12.770 --> 03:13.500
I see that all the time.

03:13.520 --> 03:14.000
OK.

03:14.150 --> 03:19.130
So what you can do here is by clicking on these guys you can get information.

03:19.130 --> 03:22.540
So here's basically, this is Wireshark information.

03:22.580 --> 03:26.170
When was this picked up, how big is it, stuff like that.

03:26.480 --> 03:30.770
But the next one down is where things get interesting. You notice it says Ethernet II.

03:30.800 --> 03:38.120
So this is all layer 2 information, so you'll see the destination and source MAC addresses, you'll see

03:38.120 --> 03:41.270
what type of data it is. In this case it's a simple ARP.

03:41.270 --> 03:46.690
And then we go in a little bit deeper, and then we see the information that's being carried by an ARP.

03:46.730 --> 03:49.700
Now if you're not familiar with ARP, ARP is designed

03:49.880 --> 03:55.340
so that if somebody asks about an IP address, whatever device with that IP address responds back with its MAC

03:55.340 --> 03:55.950
address.

03:56.000 --> 03:59.110
So ARP resolves IP addresses to MAC addresses.

03:59.130 --> 04:05.030
So knowing that, if we take a look in here, we can see what it's saying is: here's my IP address, here's

04:05.030 --> 04:08.600
the MAC; here's my IP address and then here's the MAC.

04:08.600 --> 04:14.720
So this is a perfect example of an ARP taking place without us having to do much.

04:14.720 --> 04:20.920
Now the downside to all of this is that you get tremendous amounts of information.

04:20.930 --> 04:27.050
So what I'm going to do is I'm going to start another capture. It's asking if I want to save that; I'm

04:27.050 --> 04:32.160
going to say no, and I'm going to sit here and let it capture for a while.

04:32.170 --> 04:36.410
So at this point it's going to start grabbing a tremendous amount of data.

04:36.610 --> 04:40.230
And the challenge we're going to run into is trying to find what data is what.

04:40.510 --> 04:46.980
So let's just let it run for a little bit so you can see. Now I'm up to seven thousand different packets,

04:46.990 --> 04:48.930
so there's a lot of information in here.

04:49.030 --> 04:54.820
And what I want to be able to do, and this is a really powerful feature of Wireshark, is the ability to

04:54.820 --> 04:56.090
filter data.

04:56.260 --> 05:01.270
So what I want to do is go through and look for certain things. For example, one of the things

05:01.270 --> 05:05.990
I'd like to find is, has there been any DHCP traffic going on?

05:06.160 --> 05:11.170
So what I'm going to do is, way up here in the left-hand corner, I'm going to type in, and you'll notice it's

05:11.170 --> 05:12.440
trying to help me here.

05:12.790 --> 05:19.450
DHCP uses the term bootp, and what I'm going to do is I'm going to say filter everything out of

05:19.450 --> 05:26.950
this capture with the exception of DHCP traffic, and you'll see now that I've filtered all this out.

05:26.950 --> 05:35.770
You can see I've got two different DHCPs in there: I've got one DHCP that released itself and then another

05:35.770 --> 05:40.000
DHCP that came in and reestablished itself.

05:40.000 --> 05:41.650
Yes I did that myself.

05:41.650 --> 05:47.980
But I want you to be able to understand that the real power of Wireshark, and this is absolutely amazing,

05:48.370 --> 05:51.770
is the way Wireshark can filter information.

05:52.060 --> 06:01.460
So let's do this again, except this time what I want to do is I just want to look at HTTP traffic.

06:01.550 --> 06:07.240
So now in this case you'll see I've just got HTTP information.

06:07.320 --> 06:11.650
So just looking at HTTP doesn't do me much good.

06:11.790 --> 06:17.730
But what I can do, and this is another great feature, is that Wireshark is smart about, oh, here's one particular

06:17.730 --> 06:23.460
session going on. I could have four or five web browsers open right now, so I can't filter this

06:23.460 --> 06:28.130
out, but instead we're going to see if Wireshark can.

06:28.350 --> 06:32.250
So what I'm going to do is I'm just going to arbitrarily click on any one of these, and I'm going to

06:32.250 --> 06:35.730
go down to Follow TCP Stream.

06:36.150 --> 06:45.360
So what you're looking at now is actually the entire web page for that one particular HTTP session that

06:45.360 --> 06:46.100
came in.

06:46.110 --> 06:48.610
Now I don't necessarily know exactly what this is.

06:48.660 --> 06:51.710
If I look a little bit, it looks like a JPEG

06:51.750 --> 06:57.180
image was brought down, so if I was really interested I could probably just grab all this. I can look

06:57.180 --> 07:00.190
at the EXIF data for that JPEG.

07:00.240 --> 07:08.310
So there's a lot of scenarios where I can do some real R&D in terms of what's taking place on any particular

07:08.310 --> 07:10.530
session using Wireshark.

07:10.560 --> 07:12.980
Now that's all I want to do in Wireshark.

07:12.990 --> 07:19.590
Now what I need to stress to you more than anything else is that Wireshark is an incredibly, incredibly powerful

07:19.590 --> 07:21.810
tool if you're looking for something specific.

07:21.810 --> 07:26.820
For example, what if I was looking for a rogue DHCP server? In that particular case I could just look

07:26.820 --> 07:32.890
for bootp information, and suddenly I've got another MAC address for something that isn't my DHCP server.

07:32.910 --> 07:37.180
Wireshark would be an instant way to know that you've got a rogue DHCP server.

07:37.200 --> 07:41.380
What if I had ARP poisoning going on? Instead of just a few ARP commands,

07:41.380 --> 07:46.560
what if I was getting zillions of them and doing strange ARP commands like router redirects and stuff

07:46.560 --> 07:48.840
like that which is pretty nonstandard.

07:48.840 --> 07:50.610
I can just do a quick filter on ARP.

07:50.610 --> 07:56.010
I can see all those, and I can very quickly ascertain the fact that I've probably got an ARP poisoner

07:56.010 --> 07:57.850
out on my network someplace.

07:58.020 --> 08:02.930
The last place where Wireshark is really handy is stuff like, for example, a broadcast storm.

08:03.120 --> 08:11.670
What if one person's NIC in the network just breaks and starts sending out all kinds of arbitrary garbage

08:11.670 --> 08:12.540
traffic.

08:12.540 --> 08:18.180
Well, again, with a tool like Wireshark I could just filter on a particular IP address or even the MAC

08:18.180 --> 08:22.290
address of the suspect NIC and get all of this ugly information.

08:22.500 --> 08:26.310
Yeah, I wouldn't be able to read it, but I would certainly know that that particular system with that

08:26.310 --> 08:31.530
particular IP address and that particular MAC is sending out bad information. At the very least I can

08:31.530 --> 08:34.180
zero in on that system and do some diagnosis.

08:34.350 --> 08:39.930
So there's tons of places where this really, really comes into play. If you want to learn about Wireshark,

08:39.930 --> 08:44.580
there are books out there that are this thick, and they're actually interesting reading in terms of the

08:44.580 --> 08:47.220
power of what Wireshark can actually provide.

08:47.220 --> 08:51.030
Hopefully I've got you a little bit interested and you'll take a deeper look.

08:51.030 --> 08:54.230
This is about as far as Security+ goes.

08:54.510 --> 09:03.030
The one downside to Wireshark is that Wireshark by itself has great protocol analyzing tools, but a lot

09:03.030 --> 09:08.400
of the ways it works is that sometimes it misses a lot of incoming and outgoing packets.

09:08.460 --> 09:13.230
Now for casual users like me it's not that big of a deal.

09:13.230 --> 09:16.590
But for some people it's incredibly irritating.

09:16.590 --> 09:22.440
So what they'll do is, instead of using the sniffers that come with Wireshark, they're going to use other

09:22.440 --> 09:27.180
tools, and probably one of the most famous is tcpdump, which runs only on Linux.

09:27.180 --> 09:28.430
Let me show that to you.

09:28.740 --> 09:35.290
OK, so here I am in my Ubuntu system and I'm going to do a quick run of tcpdump.

09:35.310 --> 09:40.240
So I'm just going to do a sudo tcpdump.

09:43.490 --> 09:45.340
And I want you to watch this.

09:45.380 --> 09:52.340
This looks very similar to what we were seeing earlier with Wireshark. tcpdump is not really a protocol

09:52.340 --> 09:54.750
analyzer, although it has some basic tools.

09:54.850 --> 10:00.270
What tcpdump does much better than Wireshark does is sniff.

10:00.470 --> 10:07.130
It's real slim, it works real well, and it is very rare that this particular tool will miss even a single

10:07.340 --> 10:10.680
packet coming in or out of a particular host.

10:10.700 --> 10:18.200
So when it comes to looking for very specific scenarios on your network, things like rogue DHCP servers,

10:18.470 --> 10:25.660
ARP poisoning, being able to read incoming and outgoing HTTP or SSH or any type of packets, your

10:25.670 --> 10:33.940
go-to tool is going to be a protocol analyzer, and my go-to tool is Wireshark.

10:34.610 --> 10:38.120
and

10:40.010 --> 10:44.970
on

10:45.820 --> 10:49.780
and.
