Hi, good morning everyone. My name is Rob Shimonski and welcome to INE's Wireshark Foundations. In this course we're going to talk about Wireshark, networking and a whole bunch of things that will teach you more about protocol analysis, packet analysis, network analysis. And in this course our plan is to get you from square one all the way through to understanding how to navigate the tool, how to capture traffic, how to analyze traffic and find problems on your network.

My name is Rob Shimonski and I've been in the networking field for about two decades. I've been working as a consultant, full-time employee, trainer, book author. I've done quite a few things in the realm of networking technologies, systems administration, data center. And one of the things that I've found is that no matter how many things I've learned, there is always more to learn. So welcome and thank you for joining, because we're going to get through a lot of material and our goal is that you get a lot out of this course. So without any further ado, let's get started.

All right, module one. In this module we're going to talk about network layers and the OSI model. Now one may ask, why do I need to understand so much foundational information to use Wireshark?
Well, with Wireshark, interestingly, without understanding the fundamentals of networking, it's really just a tool or an application. It's really what you understand about networking that's going to bring this to light. So what does that mean? Well, you're going to need some fundamental network knowledge to be able to operate the tool, to use the tool. If you're just navigating the tool, you install it, you capture some traffic, you open it up, all you're going to see is a ton of information that you may not really understand. So what we're going to do, in the beginning, is work on getting you some of the information that you need to be able to use the tool accurately.

So when you use the tool, one of the things that you want to be able to do is some detective work. Right, so let's say you're trying to troubleshoot a network and you have a problem with a particular segment, maybe it's slow. Well, when you set up Wireshark and you run a capture, all you're going to see is a whole bunch of traffic.
It's really understanding what to do, how to filter that traffic, knowing that you captured data particularly from one point to the other, that's really going to make the difference in using and understanding this tool. So later on in the course we're going to talk about how to install it, how to build filters, how to look through the data, find problems with voice, find problems with slow-performing websites. But before we get there, what we need to do is spend some time just understanding the basics.

So the first thing that's very important is understanding how data traverses a network. So if you have a client and you have a server, that's a very simple network segment, maybe connected by a switch. So we can start there. If you have a client and it's accessing a server, it's trying to access some type of resource and it's performing slowly. The most important thing to understand about using Wireshark is to know that you want to capture the data from one point to another. So we're going to call that source to destination. When you use the capture, what you're going to look at is the traffic from source to destination, and you're going to have to understand at least the basics of the OSI model.
When we talk about protocols, we talk about the TCP/IP protocol suite. When we talk about sending data from one place to another and how it's encapsulating the data, the most fundamental thing to understand is the actual OSI model. Now this may seem very elementary for some. A lot of people do know the OSI model. They're in their first foray into this field. But really understanding that the data travels from source to destination, and when it does that it goes up and down the OSI model, and at each layer it's encapsulating the data and adding and appending stuff to the data. So why is that important with Wireshark? Well, when you capture the data with Wireshark, you're going to see in the actual window things like protocols such as ARP, you'll see MAC addresses, you'll see IP addresses. Well, understanding that a MAC address can be found in layer two, the data link layer, understanding that the IP address or the routing will be done at layer three, the network layer. That's the fundamental information you will need to understand to use the tool: understanding the basics of the OSI model.
So when you're learning Wireshark, what's good is that the segment or the lab segment that you're going to work with, unless we start adding firewalls and load balancers and those types of things, which we will explain in future modules, basically the understanding of how data traverses the network from source to destination going through layer two and layer three segments is probably the most common scenario that you're going to be troubleshooting.

So another key element is actually how to capture traffic, and again in a future module we will talk about how to actually span a port, how to get that data captured. But what's important to understand now is, if you've just played around with Wireshark in the past, maybe downloaded it, installed it, that's basically installed on an endpoint. Now there's different ways to do this. You can run a tap, you can hub out, you can do a bunch of different things, but the two most common scenarios that you will see when you're trying to capture data with Wireshark will be: you will either install it on the endpoints, which would probably be the source PC or client and the destination server, and you will install it locally on the system.
Another way you can do it is to do a port mirror, which is actually coming through the network spanning a port. If you have a Cisco switch you can run a port monitor and you can send the traffic from either of these, the source or the destination, to a second port where you can capture the data on, let's say, a third machine.

So why do we use Wireshark? Why are we going to set all this stuff up and go through all this work? So what Wireshark does essentially is help you solve problems. Now one of the misconceptions is that by installing Wireshark and looking at it, it's going to tell you exactly what your problem is. Now in some cases it might; you might open up the expert and it might give you a close enough clue, or you may see something very obvious in the capture. But what's really important to understand is that you have to do some detective work and you have to know a few things about networking, systems administration, and here's a good example. Let's say you had a problem with a slow-performing network, or what was called a slow-performing network. Now most of you, if you're in the field, you probably feel this pain: everything comes up as a networking problem.
So the server could be very slow and the tickets get opened and the escalations start and they're saying, why is the network slow? End users do this predominantly. It's interesting how through the years they've learned enough to say, hey, you know what, my application's not working correctly, the network's slow. So a lot of what we do is try to rule out and to isolate what the exact problem is, and Wireshark is a great tool for helping you do that. So yes, you're going to do some other things: you can run a ping, you can run a traceroute, you can look in your router logs, you can look in your switch logs, you can look at the server, let's say it's a Microsoft server, you can look in Event Viewer, you can look at Performance Monitor and start looking at the I/O on the box. There's a lot of things that you can do and it's recommended that you do that.

So using Wireshark is a part of what you're going to do to troubleshoot problems, and Wireshark is predominantly going to be used to capture the traffic, to look at the packets and note exactly what's going on, because you will find a lot from those data packets. You're going to use Wireshark to review the traffic on the network; you can look at the protocols that are in use and the traffic flow.
So as an example again, one of the things that you might find is someone's saying the network's slow and it could be something else. It could be that your clients are trying to access a website and let's say there's a problem on the web server, but what you might also find from the traffic capture is that there's a lot of extra traffic on your network. So you may find a lot of multicast traffic you weren't aware of, you might find some printers doing some multicast, you might find quite a few things that you would then be able to note on your report after your capture and say, listen, we found a problem with X, Y and Z, but we'd also like to recommend that maybe we look at these other areas and try to solve some of these issues as well.

So as we were talking about before, one of the key things with troubleshooting with Wireshark is to understand what you're going to be doing with it.
So in the graphic that I have up, there's a simple network design. It's a very simple network segment where you have a client accessing the server through a switch. It could go to a routed segment, the switch may be a layer three switch, but one of the key things I wanted to point out here from what we talked about before is installing Wireshark either on both of these computers, the client as well as the server, and/or you could install Wireshark just on, let's say, the laptop that you see, span a port from the switch and send all the traffic to that Wireshark so that you can analyze it.

One of the key things that you want to remember is when you're troubleshooting you may not be able to install Wireshark on the target machines, and that's because maybe they are not capable of taking Wireshark, they don't have enough system resources as an example, and/or they're doing work, maybe there's a policy that says we cannot install this on the server. So just be aware that before you do install Wireshark you need to be aware of some system requirements.
We will get to that when we discuss how to install Wireshark, but just remember, for starting off here in this module, we're just going to talk about the basics: you have a simple network segment, you want to install Wireshark on the client and then the destination server to troubleshoot the traffic, and/or you can install it on one machine and send the data through a span port to a target.

All right, so just to close out the topic on the OSI model. Again, it's important to understand that when data traverses a network and it goes from the source client to the destination server, there's a lot of things happening here. So layer one is generally where you're not going to be looking so much in Wireshark; that's where the electrical signals flow through the wire, the cable, the copper, the fiber and/or the wireless signal. And then more so you'll see layers two through seven, where the data is being encapsulated or being stripped, decapsulated, and what you're going to see from that capture when you capture it with Wireshark is that addresses may or may not change. So you're going to have to be aware of that. For example, when it goes through a switch, it's likely that the addressing is not going to change, but then as it's being sent from, rather, through a router, it's going to change things. Right, so you're going to have to be aware of your network topology. You're going to have to be aware of when it traverses a firewall, for example; if it's doing that, then you're going to have to be aware of that, because if you just install Wireshark on the server you may see a different set of addresses coming to it in your capture, and you may not. And the OSI model and how the data traverses the network is going to be key to using this as well.

When you capture data in Wireshark you're going to see things that reference ports. A lot of you, I'm sure, are aware of what a port is. Essentially, in Wireshark there's a services file that does the most commonly known ports; we all know iana.org, the assigned port numbers. So you can actually modify this file for some not-well-known ports to customize it. We'll get into that in future modules, but just be aware that a lot of things that you're going to see in Wireshark when you capture your data will be in that capture window in the packet list pane, and you're going to see things such as the ports, the IP addresses, the MAC connections, MAC addresses, the connections from source to destination, as well as the data encapsulating and decapsulating.

So when you look at the actual connectivity, when you're installing Wireshark, Wireshark is going to use something called WinPcap, and that's going to work with your NIC card to supply the driver with the ability to interface with the API through Windows if you use it, or libpcap if you're using Unix, and that's going to allow your NIC card to be set in promiscuous mode, which will allow for all the data to be captured and collected by Wireshark. Otherwise it's only going to collect what's destined for the machine. You're going to have to be aware of ports; for example, when we were talking about port mirroring, you're going to have to be able to span or mirror a port, put the port monitor on, and you're going to do that in a Cisco switch, you can do that in a Nortel switch, you can do that pretty much in most switches, but just be aware that you might have to configure a port to do that type of connectivity. And then other network interfaces are probes, where for example if you're not tapping, if you're not configuring a port, or if you're not installing on an endpoint and configuring the NIC to work in promiscuous mode, with higher-end tools, enterprise tools such as Riverbed Cascade, ARX, NetScout nGenius, you can use probes that will view the traffic as it's traversing the network. It's going to look at the network passing and will be able to collect and allow you to view it in an enterprise tool such as those.

Oh, the hardware to be aware of: obviously we already talked about switches and routers, we mentioned firewalls briefly, IPS units, load balancers. Just be aware that when you're troubleshooting and you're capturing data with Wireshark and you're going from source to destination, it's important to remember that these devices that it traverses are going to change the network data that you see as you capture it, and you need to be aware of these devices and have a fundamental knowledge of how they operate. Because, for example, with firewalls, as we already mentioned, if it's blocking traffic, a very good example of not being able to troubleshoot an issue is when you go and you configure Wireshark, let's say on a server in the DMZ, and you set up a Wireshark on a client not in the DMZ, and you're trying to figure out why data is not traversing. It's likely that an ACL is dropping that traffic, and it's quite possible that by looking at both captures you'll be able to find and see that the data is not going from source to destination. So you just need to be aware of the network hardware that is on your enterprise network.

So one of the things that Wireshark also does is allow you to not only look at protocols and look in the packets. You've heard it called protocol analyzer, network analyzer, a packet analyzer, a traffic analyzer; that's because it pretty much does all of those things, and when you're doing each one of those things you can reference Wireshark, or a tool such as that, in that means. You can say, you know, I'm looking at traffic, I'm using it as a traffic analyzer. And some of the things that you could do when you capture the traffic is reveal some of the issues, such as you may have bandwidth issues, you may have corrupted data, it may be taking an incorrect path, maybe you have data that's latent. There's many reasons, and just some of the background information of Wireshark being used to help solve those issues is you may see a lot of TCP traffic, a lot of handshaking, where there's a lot of reset packets. Why, why would that be happening? You may see things where there's a lot of retransmitted packets, and now if you understand TCP/IP, which we discuss a little deeper, you may see that the data is retransmitting, which is fine because that's essentially what it's supposed to do, but very often, why is it doing that? You may have a problem on your network where it's getting choked and it may have to continuously resend the data. All these things you can find with Wireshark when you capture the data. And again, just remember, source to destination: data is commonly captured and analyzed from a source to a destination. That does not mean, again, and this is very important, understand that you're just looking at that data. You may want to log into the router and you may want to see, you know, what the processes are, you may want to see if the buffers are getting jammed up, you may want to look at a lot of different things, because it's all one big picture. If you were just looking, let's say, at a very simple segment, then the amount of detective and analysis work that you have to do may be limited, but when you're troubleshooting on an enterprise-level network, if you're trying to figure out something in a CCIE lab, if you're trying to figure out why a production system is completely failing in a DMZ, there's a lot of things that you're going to need to look at, and it's not just limited to Wireshark.

Wireshark is just a tool that will allow you to perform a deep set of troubleshooting analytics that will allow you to peer into the data and get more information. A great example would be in an MPLS network. You may want to find out what data is traversing, you may need to take a look at the labels; that will be very apparent to you when you capture the data, look at it in Wireshark, you sort it and you can figure it out by filtering through it and seeing exactly where things are going and why. And if it's not going there, perhaps you may need to look at a routing problem in the network, you may need to see if something is getting dropped somewhere. So those are good examples of why you would really need to focus with Wireshark on source to destination, multiple sources to multiple destinations, but remember the foundation of where you're starting from, where you're going to, where you're going to put Wireshark, how you're going to capture the data. You want to recreate the problem, right? You don't want to just install Wireshark and, you know, just run it. You want to run Wireshark and try to recreate the problem, maybe have a baseline of how it operates normally to compare against. So these are some of the key elements.

And again, with data encapsulation, what you're going to be looking at in Wireshark is the data encapsulated. So for example, if you're just looking at a layer two problem, you'll see it encapsulated in Ethernet, right? So generally, as our profession moves into the future, you're not going to be looking at things with Token Ring really much anymore, even though you can use tools to sniff out and find problems with it, but you're mostly going to be, you know, concerned about Ethernet, TCP/IP and that kind of stuff. But from an encapsulation and decapsulation point, when you're capturing data in Wireshark you're going to be able to see particularly the header information. You're going to be able to see, when you capture it, what's under the hood. You're going to see details to be able to solve these problems, and when you look at the actual data, and this is in the details of a packet, you'll be able to see the encapsulation type, Ethernet. Okay, well, that's really good because that's very simple and that's the first type of thing that we would look at, but more importantly you'd be able to see things like what's the frame length, what's up, is it having issues, something with FCS. You'll be able to see these things as you're digging through your capture and looking through the network.

All right, so as we wrap up this first module, some of the things that we want to cover is: when you capture data you want to inspect it for issues. You're going to be doing some deep protocol analysis. You're going to be opening it up after you capture the data and you're going to inspect it. We're going to do things such as pre-capture filters, display filters, we'll be able to write expressions and we'll be able to really drill down into the data that we want to see. But just remember, at a very high level, we're not going to be able to see this stuff without Wireshark. There's tools that you can use; for example, on an ASA you can run a cap and you can see data, there's other things like Fluke has some tools that you can capture data with, but just remember, with Wireshark in particular, it's going to open up the captured data and a lot of data.
0:23:57.546000 --> 0:23:59.527000 and allow you to see very deeply within it, 0:23:59.527000 --> 0:24:03.199000 filter on it in a GUI and at the command line. 0:24:03.199000 --> 0:24:06.594000 It will also help you do 0:24:06.582000 --> 0:24:08.537000 traffic analysis, network analysis 0:24:08.530000 --> 0:24:10.258000 so that you can find key problems 0:24:10.258000 --> 0:24:11.332000 with your network. 0:24:11.332000 --> 0:24:14.766000 Remember, you're not just going to use Wireshark; 0:24:14.766000 --> 0:24:17.803000 your fundamental tools will still apply. 0:24:17.803000 --> 0:24:19.380000 You'll still want to run a ping, 0:24:19.380000 --> 0:24:22.840000 a pathping, a traceroute. Look in router logs, 0:24:22.834000 --> 0:24:27.030000 look at routing tables, switch logs, 0:24:27.030000 --> 0:24:30.429000 firewall logs, the actual system itself. 0:24:30.429000 --> 0:24:32.005000 Run the performance monitor 0:24:32.005000 --> 0:24:34.949000 or look at the processes on the Unix box, 0:24:34.948000 --> 0:24:37.206000 see how healthy those systems are.
0:24:37.206000 --> 0:24:39.212000 All this is going to play 0:24:39.209000 --> 0:24:42.166000 in your overall traffic analysis, 0:24:42.160000 --> 0:24:45.727000 and that concludes module 1. 0:24:45.727000 --> 0:24:47.345000 One of the things that we want to do is 0:24:47.326000 --> 0:24:48.716000 we want to make sure 0:24:48.718000 --> 0:24:51.001000 that with everything that we're doing 0:24:50.995000 --> 0:24:54.862000 we look at Wireshark as a tool. 0:24:54.862000 --> 0:24:56.266000 We want to make sure 0:24:56.257000 --> 0:24:59.658000 that we don't look at anything 0:24:59.666000 --> 0:25:01.435000 in a way where we're going to look at 0:25:01.435000 --> 0:25:02.984000 Wireshark and say Wireshark 0:25:02.984000 --> 0:25:04.839000 is going to give me the specific 0:25:04.839000 --> 0:25:06.642000 problem that we're seeing, 0:25:06.642000 --> 0:25:08.204000 it's going to tell me what the problem is. 0:25:08.204000 --> 0:25:10.069000 Just remember, it's just a tool, 0:25:10.069000 --> 0:25:12.640000 it's an extension of your experience, 0:25:12.640000 --> 0:25:14.698000 it's an extension of your knowledge, 0:25:14.690000 --> 0:25:17.920000 and you'll always be learning. 0:25:17.920000 --> 0:25:20.587000 So just remember that learning Wireshark 0:25:20.587000 --> 0:25:23.384000 is a lifetime event as the networks change, 0:25:23.402000 --> 0:25:25.402000 as technologies change, 0:25:25.420000 --> 0:25:28.086000 so that's what you see with Wireshark.