WEBVTT

0:00:08.140000 --> 0:00:13.720000 So again, as we talked about, what's important with Wireshark is understanding 0:00:13.720000 --> 0:00:19.680000 the fundamentals of networking and where some of us may be training to 0:00:19.680000 --> 0:00:24.080000 become higher level professionals or experts or some of us may already 0:00:24.080000 --> 0:00:26.140000 be in that area. 0:00:26.140000 --> 0:00:29.760000 Understanding how to configure a device is a little bit different than 0:00:29.760000 --> 0:00:33.540000 actually troubleshooting the data going to and from the device. 0:00:33.540000 --> 0:00:38.440000 So what's key to learning about networking is not only how to configure, 0:00:38.440000 --> 0:00:40.600000 how to design, but also how to troubleshoot. 0:00:40.600000 --> 0:00:44.940000 So that's a lot of the design, run, build elements of networking. 0:00:44.940000 --> 0:00:47.360000 So you're going to design it. 0:00:47.360000 --> 0:00:50.400000 You're going to make sure that you say, oh, if I want resiliency, do I 0:00:50.400000 --> 0:00:52.180000 want things to be secure? 0:00:52.180000 --> 0:00:54.420000 Do I want redundancy? 0:00:54.420000 --> 0:00:56.220000 Do I want density? 0:00:56.220000 --> 0:00:59.620000 What do I actually want to produce? 0:00:59.620000 --> 0:01:02.620000 And then it has to be built or engineered. 0:01:02.620000 --> 0:01:05.620000 So then we're going to go through the process of building all these components. 0:01:05.620000 --> 0:01:07.400000 We're going to deploy them. 0:01:07.400000 --> 0:01:12.200000 We're going to test them, possibly lab them up prior to, you know, make 0:01:12.200000 --> 0:01:15.340000 sure that our theories and our designs are accurate and then we're going 0:01:15.340000 --> 0:01:17.440000 to deploy them. And then there's run. 0:01:17.440000 --> 0:01:23.160000 So that's the actual operations position where you'll likely be using 0:01:23.160000 --> 0:01:24.900000 Wireshark the most, right?
0:01:24.900000 --> 0:01:30.860000 So if you're in a network situation where, you know, you get hired or 0:01:30.860000 --> 0:01:34.680000 you're a consultant and you step into the role of handling operations, 0:01:34.680000 --> 0:01:39.360000 you're likely going to be using troubleshooting tools pretty much on a 0:01:39.360000 --> 0:01:43.360000 daily basis. Now, Wireshark will likely not be your only tool. 0:01:43.360000 --> 0:01:47.680000 You'll probably be using things as simplistic as ping and traceroute 0:01:47.680000 --> 0:01:53.720000 and basic logs all the way to enterprise monitoring tools that we discussed 0:01:53.720000 --> 0:01:57.680000 earlier, of which some of the ones that are more specific to data capture 0:01:57.680000 --> 0:02:05.000000 and analysis are ones from Riverbed and from NetScout, as an example. 0:02:05.000000 --> 0:02:10.220000 So just to highlight what we've already discussed as far as source to 0:02:10.220000 --> 0:02:14.100000 destination, that concept still applies when you're talking about other 0:02:14.100000 --> 0:02:16.400000 network hardware. 0:02:16.400000 --> 0:02:20.820000 What we're really going to talk about in this module is specifically the 0:02:20.820000 --> 0:02:24.620000 security devices because they really change your data a lot and it makes 0:02:24.620000 --> 0:02:30.280000 it more difficult to look at the data with Wireshark, whether 0:02:30.280000 --> 0:02:35.180000 it's blocking it or it's changing it through NAT or you can't actually 0:02:35.180000 --> 0:02:39.860000 use Wireshark to capture the data because it's being blocked 0:02:39.860000 --> 0:02:44.440000 completely. No matter what that is, that's going to be some of the things 0:02:44.440000 --> 0:02:50.000000 that you encounter when using Wireshark in this fashion.
0:02:50.000000 --> 0:02:55.500000 So some of the things that Wireshark can do as of 1.8, a lot of radical 0:02:55.500000 --> 0:03:00.580000 changes that we will talk about, some really good things, like some simple 0:03:00.580000 --> 0:03:13.260000 things like you can annotate the data, or you can see the data that you're 0:03:13.260000 --> 0:03:17.900000 trying to look at, as you can see from the screenshot. 0:03:17.900000 --> 0:03:22.700000 So there's a lot of things that you need to understand about using Wireshark 0:03:22.700000 --> 0:03:28.040000 in this fashion because, as we have mentioned earlier, these firewall 0:03:28.040000 --> 0:03:31.680000 devices are going to block. 0:03:31.680000 --> 0:03:33.320000 By default it's very restrictive. 0:03:33.320000 --> 0:03:38.720000 It's likely to block the traffic unless you specifically ask the firewall 0:03:38.720000 --> 0:03:45.620000 to allow it. It's going to have an implicit denial on pretty much anything. 0:03:45.620000 --> 0:03:51.900000 There's fix-up protocols that allow you to do things, and ACLs, and there's 0:03:51.900000 --> 0:03:56.840000 all kinds of tools within the firewall, but with Wireshark specifically 0:03:56.840000 --> 0:04:05.340000 there are some tool sets within it as well. 0:04:05.340000 --> 0:04:08.400000 So what is an ACL? 0:04:08.400000 --> 0:04:10.880000 An ACL is an access control list. 0:04:10.880000 --> 0:04:17.880000 It's basically used to say, I am going to either allow data to pass or 0:04:17.880000 --> 0:04:21.020000 I am going to deny it from passing. 0:04:21.020000 --> 0:04:33.300000 There's many things that create ACLs. 0:04:33.300000 --> 0:04:36.300000 That's something that you would take into account immediately. 0:04:36.300000 --> 0:04:38.460000 You'd say, well, I can't get the data through. 0:04:38.460000 --> 0:04:40.060000 I'm going to check the Cisco router. 0:04:40.060000 --> 0:04:41.320000 I'm going to look at the firewall.
0:04:41.320000 --> 0:04:43.240000 It's likely an ACL issue. 0:04:43.240000 --> 0:04:44.900000 But there's a couple of different things. 0:04:44.900000 --> 0:04:50.240000 Now if we go back to our concept from earlier, that you're not looking 0:04:50.240000 --> 0:04:53.900000 at, when you're using Wireshark to troubleshoot problems, you're not looking 0:04:53.900000 --> 0:04:59.420000 at it in a tube, or you're not looking at it specifically at one point, 0:04:59.420000 --> 0:05:01.440000 you're looking at everything holistically. 0:05:01.440000 --> 0:05:06.220000 You're saying from the source to the destination, what are all the things 0:05:06.220000 --> 0:05:10.660000 involved? So, we talk about the tip of the arrow. 0:05:10.660000 --> 0:05:12.640000 We say, oh, the client. 0:05:12.640000 --> 0:05:15.180000 All right. So what could be wrong with the client? 0:05:15.180000 --> 0:05:18.220000 The client could be performing horribly. 0:05:18.220000 --> 0:05:20.620000 It could have malware on it. 0:05:20.620000 --> 0:05:25.340000 There's so many things that can impact the client, memory, disk space. 0:05:25.340000 --> 0:05:30.220000 So, when we talk about traffic problems, we just got to remember that 0:05:30.220000 --> 0:05:34.580000 it's not necessarily just specifically, let's say, the router ACL. 0:05:34.580000 --> 0:05:37.660000 We might have other things that are blocking it. 0:05:37.660000 --> 0:05:40.640000 So, for example, it may not be a Cisco router. 0:05:40.640000 --> 0:05:42.780000 It may be a Check Point firewall. 0:05:42.780000 --> 0:05:47.680000 It may be a Sidewinder firewall. 0:05:47.680000 --> 0:05:50.860000 Palo Alto, it could be any particular thing, but they're also going to 0:05:50.860000 --> 0:05:59.020000 be using ACLs. With Windows Server, you can use netsh to configure firewall 0:05:59.020000 --> 0:06:00.740000 rules. There's the GUI. 0:06:00.740000 --> 0:06:02.420000 You can configure firewall rules.
0:06:02.420000 --> 0:06:06.640000 Those are technically ACLs that will block traffic. 0:06:06.640000 --> 0:06:11.800000 On a Windows client, it could be blocking with the Windows firewall. 0:06:11.800000 --> 0:06:15.760000 So, you may be trying to run a capture and can't figure out why data's 0:06:15.760000 --> 0:06:19.520000 not traversing. It could be as simple as looking at the client. 0:06:19.520000 --> 0:06:22.920000 With Linux or Unix, iptables, the same thing. 0:06:22.920000 --> 0:06:27.580000 Firewall, ACLs, blocking the traffic, and many others. 0:06:27.580000 --> 0:06:32.500000 So, just remember, when you're using Wireshark, that when you're reviewing 0:06:32.500000 --> 0:06:36.460000 something such as a firewall, a firewall may not just be the device that 0:06:36.460000 --> 0:06:39.660000 you're used to like a Cisco PIX or an ASA. 0:06:39.660000 --> 0:06:41.100000 It may be something different. 0:06:41.100000 --> 0:06:43.780000 It may be a Check Point firewall. 0:06:43.780000 --> 0:06:46.620000 It may be one of many different flavors of firewalls. 0:06:46.620000 --> 0:06:49.660000 It could be a router with a simple set of ACLs. 0:06:49.660000 --> 0:06:53.580000 It could be a client with a client firewall. 0:06:53.580000 --> 0:06:57.920000 It could be a Linux or Unix system with a client firewall. 0:06:57.920000 --> 0:07:00.000000 So, just remember these concepts. 0:07:00.000000 --> 0:07:02.920000 So, when you're troubleshooting with Wireshark, if you can't get the 0:07:02.920000 --> 0:07:07.440000 traffic and you don't understand why, there's many things from source 0:07:07.440000 --> 0:07:11.200000 to destination that could be blocking the traffic.
0:07:11.200000 --> 0:07:18.260000 So, troubleshooting a network, or trying to capture data to analyze it in 0:07:18.260000 --> 0:07:24.920000 this sense where you have a firewall that may be the source of the problem 0:07:24.920000 --> 0:07:31.420000 and/or blocking your view of it, it's very, very simple to understand. 0:07:31.420000 --> 0:07:37.960000 If you're trying to capture and analyze traffic from the router, let's 0:07:37.960000 --> 0:07:42.660000 say from the laptop computer with Wireshark installed, and you're not 0:07:42.660000 --> 0:07:49.300000 seeing the traffic from the server, the simplest answer could be, well, 0:07:49.300000 --> 0:07:52.680000 in this instance, there's likely a firewall in between. 0:07:52.680000 --> 0:07:57.240000 Maybe that's, that could be the problem, or it's blocking it. 0:07:57.240000 --> 0:08:02.260000 Maybe I don't have Wireshark on the right side of the firewall. 0:08:02.260000 --> 0:08:03.960000 Maybe I need them on both sides. 0:08:03.960000 --> 0:08:07.120000 Maybe I need to allow the traffic through the firewall. 0:08:07.120000 --> 0:08:11.380000 And we have to remember, if we're using Wireshark in a lab, we could pretty 0:08:11.380000 --> 0:08:13.860000 much do whatever it is that we want to do. 0:08:13.860000 --> 0:08:20.720000 We can install things in a way where, you know, if we wanted to test any 0:08:20.720000 --> 0:08:24.920000 theory, if it's in a lab environment, we can, you know, change the firewall 0:08:24.920000 --> 0:08:28.420000 rules. We can, we can do pretty much anything we want. 0:08:28.420000 --> 0:08:31.440000 What's important to remember in production, and likely where 0:08:31.440000 --> 0:08:35.380000 you're going to be using Wireshark the most, is two important concepts 0:08:35.380000 --> 0:08:41.760000 to remember. One, you're using a protocol, a packet capture device, on 0:08:41.760000 --> 0:08:46.000000 a production network and therefore you may not be allowed to.
0:08:46.000000 --> 0:08:51.240000 One of the reasons is because Wireshark is also used for security analysis. 0:08:51.240000 --> 0:08:57.860000 So with the protocols we talked about already, with let's say just the TCP/IP 0:08:57.860000 --> 0:09:03.240000 protocol suite version 4, a lot of the protocols involved within 0:09:03.240000 --> 0:09:09.320000 that suite such as, let's say, Telnet, SNMP and others, they will send 0:09:09.320000 --> 0:09:12.960000 information in clear text, non-encrypted. 0:09:12.960000 --> 0:09:17.800000 So if you're not doing extra encryption, if you're sending this data in 0:09:17.800000 --> 0:09:20.820000 clear text, Wireshark can capture it. 0:09:20.820000 --> 0:09:24.660000 So you may be called to troubleshoot a problem with Wireshark, configure 0:09:24.660000 --> 0:09:30.860000 it on a network and start capturing data that in reality may expose a 0:09:30.860000 --> 0:09:37.540000 lot of the things that are meant to be kept secret on the network itself. 0:09:37.540000 --> 0:09:42.540000 So just remember that when you're using Wireshark, it is also used primarily 0:09:42.540000 --> 0:09:46.480000 as a security tool and you need to have permission to use it specifically 0:09:46.480000 --> 0:09:48.360000 on a production network. 0:09:48.360000 --> 0:09:53.160000 Also, as we were talking about before at the firewall, you may see data 0:09:53.160000 --> 0:09:57.180000 that's encrypted and you may not be able to see it, and you could use Wireshark 0:09:57.180000 --> 0:10:00.960000 to add the keys to decrypt it. 0:10:00.960000 --> 0:10:03.760000 So that's one of the interesting things about Wireshark. 0:10:03.760000 --> 0:10:07.580000 It can be used in the security sense that it can be, you can reconstruct 0:10:07.580000 --> 0:10:13.480000 voice calls, you can use it to capture data that can be decrypted, you 0:10:13.480000 --> 0:10:18.520000 can capture unencrypted data that can be used to log into devices.
0:10:18.520000 --> 0:10:25.200000 You may see read and write strings, private and public strings from SNMP 0:10:25.200000 --> 0:10:28.980000 that you can capture and now manipulate a device with. 0:10:28.980000 --> 0:10:33.560000 So just remember with Wireshark that there is a lot more that you can 0:10:33.560000 --> 0:10:35.180000 do with it than just troubleshooting. 0:10:35.180000 --> 0:10:43.600000 So simple firewall concepts, obviously a firewall will block traffic. 0:10:43.600000 --> 0:10:48.280000 This is tricky when you're trying to troubleshoot with Wireshark because 0:10:48.280000 --> 0:10:53.060000 if you're trying to see, for example, why a source cannot communicate with 0:10:53.060000 --> 0:10:57.820000 a destination, and let's say you don't have access to the firewall and 0:10:57.820000 --> 0:11:01.620000 they're asking you to solve that problem with Wireshark, okay, well, how 0:11:01.620000 --> 0:11:03.220000 are we actually going to do that? 0:11:03.220000 --> 0:11:08.080000 Well, as we reflect back to the simple lab where we had the source to the 0:11:08.080000 --> 0:11:12.940000 destination, we had, let's say, a firewall in between. 0:11:12.940000 --> 0:11:18.660000 If you see that you're not able to traverse that, let's say, with RDP 280 00:11:18.209 --> 00:11:20.882 but you're able to ping through it, 281 00:11:20.889 --> 00:11:23.134 it may give you the false impression that 282 00:11:23.147 --> 00:11:26.515 the firewall is not the source of the issue. But 283 00:11:26.515 --> 00:11:30.505 it may be blocking specific traffic that is required 284 00:11:30.505 --> 00:11:32.505 for an application to function. 285 00:11:32.505 --> 00:11:35.539 And why would that be an issue? Because, 286 00:11:35.539 --> 00:11:37.600 let's say, we're troubleshooting 287 00:11:37.600 --> 00:11:38.976 a new problem where they said, 288 00:11:38.976 --> 00:11:40.196 "You know, just recently 289 00:11:40.189 --> 00:11:42.356 something on the DMZ stopped working, 290 00:11:42.356 --> 00:11:43.647 we don't understand." 291 00:11:43.647 --> 00:11:45.422 You know, being network professionals, 292 00:11:45.422 --> 00:11:47.573 we, our brains would start working - 293 00:11:47.572 --> 00:11:50.899 say, when was the last change on the firewall?
294 00:11:50.897 --> 00:11:53.282 What, what could have possibly, you know, 295 00:11:53.281 --> 00:11:55.844 made this happen, as in a new deployment? 296 00:11:55.849 --> 00:11:58.280 We know that with 297 00:11:58.280 --> 00:12:00.499 the complexity of what it is that we do, 298 00:12:00.498 --> 00:12:05.419 we try to be masterful and perfect every time, but 299 00:12:05.419 --> 00:12:07.419 we could fat finger something and 300 00:12:07.419 --> 00:12:09.419 we can knock something off the network. 301 00:12:09.419 --> 00:12:12.333 But in regards to that, if it's blocking the traffic 302 00:12:12.333 --> 00:12:15.093 and you do not have information back 303 00:12:15.093 --> 00:12:17.065 from the firewall that anything changed, 304 00:12:17.065 --> 00:12:18.644 or there's any specific 305 00:12:18.644 --> 00:12:20.050 problems that they can see, 306 00:12:20.050 --> 00:12:21.425 a simple solution would be 307 00:12:21.425 --> 00:12:22.538 to set up Wireshark 308 00:12:22.545 --> 00:12:24.545 on both sides of the firewall 309 00:12:24.545 --> 00:12:26.211 and take a look at the source 310 00:12:26.202 --> 00:12:28.548 to destination traffic in two captures. 311 00:12:28.547 --> 00:12:32.485 If you see that you're sending data 312 00:12:32.485 --> 00:12:34.704 and you're not receiving on the other side, 313 00:12:34.705 --> 00:12:36.703 then it could be implied that the 314 00:12:36.699 --> 00:12:39.096 firewall is actually blocking the traffic. 315 00:12:39.101 --> 00:12:42.188 We will learn in future modules 316 00:12:42.188 --> 00:12:43.977 how you time that, right? 317 00:12:43.970 --> 00:12:45.354 So, you would want to 318 00:12:45.354 --> 00:12:46.717 actually look at timestamps 319 00:12:46.717 --> 00:12:48.529 from one capture to the other 320 00:12:48.529 --> 00:12:51.410 to see exactly when things are 321 00:12:51.410 --> 00:12:52.897 going from one side to the other. 322 00:12:52.897 --> 00:12:54.618 You can look at the handshakes.
323 00:12:54.618 --> 00:12:56.581 There's lots of ways to figure that out. 324 00:12:56.581 --> 00:12:58.352 But a very simple capture would be 325 00:12:58.352 --> 00:13:00.250 to time the capture on both ends. 326 00:13:00.250 --> 00:13:01.000 Take a look - 327 00:13:01.000 --> 00:13:03.467 is the source getting to the destination? 328 00:13:03.462 --> 00:13:06.237 Yes or no? And if not, 329 00:13:06.244 --> 00:13:08.436 then likely it's blocking that traffic. 330 00:13:08.444 --> 00:13:12.056 A firewall also translates traffic. 331 00:13:12.048 --> 00:13:12.881 It will do that through 332 00:13:12.881 --> 00:13:14.365 Network Address Translation. 333 00:13:14.365 --> 00:13:17.533 It also does it with Port Address Translation. 334 00:13:17.533 --> 00:13:19.533 And when it does that 335 00:13:19.533 --> 00:13:21.533 it will send the data, 336 00:13:21.533 --> 00:13:23.533 the source will send the data. 337 00:13:23.533 --> 00:13:25.820 It will hit the NAT device, 338 00:13:25.820 --> 00:13:27.820 maybe a router, maybe a firewall. 339 00:13:27.820 --> 00:13:31.989 And that device will then send the data 340 00:13:31.984 --> 00:13:34.693 as it appears from a different IP address, and 341 00:13:34.693 --> 00:13:36.438 it can do that from a pool. 342 00:13:36.438 --> 00:13:38.916 And the reason it does that is it generally hides 343 00:13:38.927 --> 00:13:42.364 the privately addressed network 344 00:13:42.364 --> 00:13:43.902 from the outside world. 345 00:13:43.902 --> 00:13:47.887 It would translate a larger set of addresses 346 00:13:47.894 --> 00:13:50.887 to a smaller subset of public addresses.
347 00:13:50.893 --> 00:13:53.173 But regardless, it's something that you need 348 00:13:53.176 --> 00:13:54.951 to understand because when you're capturing 349 00:13:54.951 --> 00:13:56.104 the data with Wireshark, 350 00:13:56.104 --> 00:13:58.104 if you did not know it was NATting 351 00:13:58.104 --> 00:14:02.635 and, and you weren't capturing specifically 352 00:14:02.635 --> 00:14:05.219 and looking for specifically that data, 353 00:14:05.220 --> 00:14:07.448 it may confuse you. Here's an example. 354 00:14:07.441 --> 00:14:10.154 Let's say, you're capturing 355 00:14:10.171 --> 00:14:13.438 a source to destination problem where 356 00:14:13.439 --> 00:14:16.200 you know that the source address is, 357 00:14:16.193 --> 00:14:19.517 you know, 192.168.1.10 358 00:14:19.520 --> 00:14:22.963 and the destination is 10.1.1.20. 359 00:14:22.957 --> 00:14:25.580 You're not going to necessarily, as 360 00:14:25.581 --> 00:14:27.954 you're troubleshooting the segments through, 361 00:14:27.945 --> 00:14:30.914 see that all the way through. 362 00:14:30.914 --> 00:14:32.458 You're going to see different things happening. 363 00:14:32.458 --> 00:14:34.326 As we talked about earlier in the modules, 364 00:14:34.319 --> 00:14:36.964 these devices change the data from hop to hop, 365 00:14:36.973 --> 00:14:39.072 and if you're not, if you do not understand 366 00:14:39.073 --> 00:14:40.946 what's happening from hop to hop, 367 00:14:40.946 --> 00:14:44.532 you may not know what you're looking at or looking for. 368 00:14:44.524 --> 00:14:49.306 And again, as we talked about earlier, 369 00:14:49.311 --> 00:14:52.734 ports and IP addresses, firewalls will generally 370 00:14:52.731 --> 00:14:56.176 block or, or translate the data by IP 371 00:14:56.178 --> 00:14:59.107 and/or block the port.
372 00:14:59.112 --> 00:15:06.033 So just a simple example of a network firewall, 373 00:15:06.033 --> 00:15:08.687 just want to make you aware that 374 00:15:08.684 --> 00:15:12.429 again, we're very, we try to learn things very 375 00:15:12.428 --> 00:15:17.283 in advanced forms and get to expert levels and 376 00:15:17.283 --> 00:15:20.466 what ends up happening sometimes is it gets 377 00:15:20.466 --> 00:15:22.911 your brain thinking at the highest level. 378 00:15:22.902 --> 00:15:26.053 And sometimes it happens to me and I have 379 00:15:26.066 --> 00:15:28.466 to actually stop myself and think 380 00:15:28.460 --> 00:15:30.460 simplistically in a way where - 381 00:15:30.460 --> 00:15:32.408 "Hold on a second, 382 00:15:32.408 --> 00:15:35.304 did I really look at the client close enough?" 383 00:15:35.295 --> 00:15:37.295 Simple things, you know. 384 00:15:37.295 --> 00:15:39.918 And sometimes, you wind up spending, 385 00:15:39.932 --> 00:15:41.932 at least it happened to people I know, 386 00:15:41.932 --> 00:15:43.216 as well as myself, 387 00:15:43.216 --> 00:15:45.216 very, very smart people - 388 00:15:45.216 --> 00:15:47.579 they start looking very deeply into things 389 00:15:47.579 --> 00:15:49.383 and it's something they missed 390 00:15:49.383 --> 00:15:51.115 because it's something very simple. 391 00:15:51.115 --> 00:15:53.859 So as a reminder, a network firewall could be 392 00:15:53.853 --> 00:15:56.360 something as simple as the client itself. 393 00:15:56.360 --> 00:15:58.355 It can have a rule configured 394 00:15:58.355 --> 00:16:01.075 and it may be throwing your whole capture off 395 00:16:01.075 --> 00:16:02.228 by not allowing you to do 396 00:16:02.228 --> 00:16:03.969 some specific troubleshooting.
397 00:16:03.969 --> 00:16:06.115 So just a reminder to be aware 398 00:16:06.098 --> 00:16:08.159 that those things do exist 399 00:16:08.159 --> 00:16:10.120 and it's very important 400 00:16:10.120 --> 00:16:13.217 to be mindful of them. 401 00:16:13.217 --> 00:16:19.069 Alright, some other hardware - hubs. 402 00:16:19.069 --> 00:16:22.006 So, hubs are something we've almost 403 00:16:22.006 --> 00:16:25.114 completely eradicated from our networks 404 00:16:25.111 --> 00:16:27.689 with the inception of switching 405 00:16:27.689 --> 00:16:30.396 and data traveling at gigabit 406 00:16:30.408 --> 00:16:32.444 and now at 10 gigabit speeds. 407 00:16:32.447 --> 00:16:34.384 Hubs are just dinosaurs, 408 00:16:34.384 --> 00:16:35.645 they're things of the past. 409 00:16:35.645 --> 00:16:40.291 But, it's interesting because still to this day, 410 00:16:40.291 --> 00:16:43.508 I find hubs available. 411 00:16:43.508 --> 00:16:45.854 Now, not only are they available, 412 00:16:45.846 --> 00:16:48.036 but I find them available to people 413 00:16:48.038 --> 00:16:52.319 who try to expand their networks using them. 414 00:16:52.334 --> 00:16:54.385 And why, and most times it's not from 415 00:16:54.391 --> 00:16:57.084 the people who actually run the network. 416 00:16:57.092 --> 00:16:59.961 So if you're, if you're locking down your networks 417 00:16:59.965 --> 00:17:02.102 and you're only allowing the ports open, 418 00:17:02.096 --> 00:17:03.937 if you're using port security as an example, 419 00:17:03.937 --> 00:17:07.218 and you're blocking everything that's not open, 420 00:17:07.218 --> 00:17:11.868 then these are less likely to be used. But 421 00:17:11.868 --> 00:17:16.457 if you're not using port security or using a device 422 00:17:16.457 --> 00:17:18.457 that doesn't have that feature, 423 00:17:18.457 --> 00:17:21.000 you may be in for a surprise.
424 00:17:21.000 --> 00:17:22.340 You may go into a, let's say, 425 00:17:22.340 --> 00:17:25.399 conference room where they needed 426 00:17:25.407 --> 00:17:29.388 to host 30 people and they didn't have, 427 00:17:29.394 --> 00:17:31.813 as an example, a wireless connection. 428 00:17:31.813 --> 00:17:35.032 They may all jack in from a hub 429 00:17:35.030 --> 00:17:38.361 that they actually, you know, purchased from, 430 00:17:38.376 --> 00:17:39.739 let's say, Best Buy and they connect 431 00:17:39.739 --> 00:17:40.842 and configure. 432 00:17:40.842 --> 00:17:43.569 So these things do exist, they're out there, 433 00:17:43.569 --> 00:17:44.685 you need to be mindful of them. 434 00:17:44.685 --> 00:17:46.142 Hubs are actually dangerous 435 00:17:46.142 --> 00:17:47.931 because you can create a gigantic 436 00:17:47.931 --> 00:17:49.418 loop on your network and 437 00:17:49.418 --> 00:17:51.418 I've seen hubs completely blow up, 438 00:17:51.418 --> 00:17:53.418 take down an enterprise network. 439 00:17:53.418 --> 00:17:55.491 So that's another reason why you should 440 00:17:55.491 --> 00:17:57.046 lock down your unused ports. 441 00:17:57.030 --> 00:17:59.439 But, just be aware that they do exist. 442 00:17:59.447 --> 00:18:03.649 But as the Wireshark expert, 443 00:18:03.649 --> 00:18:05.149 the network analyst, 444 00:18:05.149 --> 00:18:07.995 the person who's doing protocol analysis, 445 00:18:07.995 --> 00:18:10.139 a hub is a quick way for you to 446 00:18:10.143 --> 00:18:13.304 quickly span out a section of a network.
447 00:18:13.309 --> 00:18:15.195 So if you understand networks 448 00:18:15.195 --> 00:18:17.062 and you do not create a loop, 449 00:18:17.062 --> 00:18:20.185 and you know how to masterfully use the hub, 450 00:18:20.185 --> 00:18:24.793 you can quickly look between two, 451 00:18:24.793 --> 00:18:26.793 a source and a destination, 452 00:18:26.793 --> 00:18:28.793 and figure things out by hubbing out, 453 00:18:28.793 --> 00:18:31.948 so they are useful in that manner. 454 00:18:31.940 --> 00:18:34.743 They create a larger domain 455 00:18:34.730 --> 00:18:36.730 and they will allow you to 456 00:18:36.730 --> 00:18:39.937 look at traffic traversing from a group of hosts. 457 00:18:39.935 --> 00:18:43.501 But remember, it may confuse things, 458 00:18:43.501 --> 00:18:45.893 it may be dangerous, so just make sure 459 00:18:45.876 --> 00:18:48.880 that if you do use it, you're careful. 460 00:18:48.874 --> 00:18:52.275 Again, load balancers, as we already discussed, 461 00:18:52.284 --> 00:18:53.995 the use of virtual IP. 462 00:18:53.995 --> 00:18:56.433 There may be one or many devices 463 00:18:56.425 --> 00:18:59.044 behind it as standbys and 464 00:18:59.053 --> 00:19:01.355 this is for network resiliency. 465 00:19:01.355 --> 00:19:05.477 You want to be very careful, or I should say, 466 00:19:05.468 --> 00:19:07.867 you should be very mindful of their existence 467 00:19:07.867 --> 00:19:09.851 because if you're troubleshooting a problem 468 00:19:09.851 --> 00:19:13.119 from a host to a gateway, you may not realize 469 00:19:13.124 --> 00:19:15.406 that the gateway is multiple gateways. 470 00:19:15.408 --> 00:19:19.949 So, just remember that it's a virtual IP or VIP, 471 00:19:19.949 --> 00:19:22.651 commonly called the VIP, that may be 472 00:19:22.652 --> 00:19:26.513 in the path from source to destination.
473 00:19:26,513 --> 00:19:30,266 And also inspection units, such as IPS, 474 00:19:30,257 --> 00:19:33,106 IDS, moreso IPS today - 475 00:19:33,112 --> 00:19:35,379 with the IPS modules that you could put in 476 00:19:35,378 --> 00:19:38,842 too many ASA firewall. There's a lot of devices 477 00:19:38,834 --> 00:19:41,527 that also inspect the traffic, a lot like sniffer. 478 00:19:41,526 --> 00:19:42,629 They look for heuristics. 479 00:19:42,628 --> 00:19:47,276 They, they monitor the traffic for anomalies. 480 00:19:47,295 --> 00:19:52,492 So these, these do the same function of sniffing 481 00:19:52,492 --> 00:19:54,317 Nessus as an open source is one, 482 00:19:54,320 --> 00:19:56,740 like Wireshark is an open source tool. 483 00:19:56,741 --> 00:19:59,594 Just beware that they are in a path 484 00:19:59,591 --> 00:20:02,208 so when you troubleshoot with Wireshark, 485 00:20:02,242 --> 00:20:04,736 there may be another thing in the hop. 486 00:20:04,736 --> 00:20:10,353 And all these devices, 487 00:20:10,354 --> 00:20:14,194 what's important about them with Wireshark is 488 00:20:14,200 --> 00:20:16,737 when you capture the data, again, 489 00:20:16,751 --> 00:20:19,923 the mantra over these next 3 days is 490 00:20:19,923 --> 00:20:22,730 you have to look at this as very holistically, 491 00:20:22,740 --> 00:20:25,242 high-level, wide. 492 00:20:25,240 --> 00:20:27,910 Remember that you're looking at the 493 00:20:27,910 --> 00:20:29,378 forest through the trees. 494 00:20:29,378 --> 00:20:31,690 You're trying to capture the whole entire 495 00:20:31,685 --> 00:20:34,240 essence of what's going on on the segment, 496 00:20:34,242 --> 00:20:37,670 the enterprise network, the area in which you are 497 00:20:37,660 --> 00:20:40,124 using Wireshark to troubleshoot the problem. 498 00:20:40,127 --> 00:20:44,163 The very important - that you look at it 499 00:20:44,156 --> 00:20:48,606 in a way where you're aware of these devices. 
500 00:20:48,624 --> 00:20:51,021 Hopefully, when you go in to do this, 501 00:20:51,021 --> 00:20:52,861 it's either the network that you work on 502 00:20:52,861 --> 00:20:56,419 so you'll have, let's say, a blueprint or some 503 00:20:56,419 --> 00:20:58,419 Visio documentation for it. 504 00:20:58,419 --> 00:21:01,336 If it's a customer or client, 505 00:21:01,336 --> 00:21:03,336 maybe they do, hopefully they do. 506 00:21:03,336 --> 00:21:05,183 Maybe they do some network discoveries 507 00:21:05,183 --> 00:21:06,779 to find these devices or 508 00:21:06,779 --> 00:21:08,510 talk to the network manager. 509 00:21:08,510 --> 00:21:09,704 Likely they know, if it's not documented 510 00:21:09,704 --> 00:21:11,699 if it's not documented, what's in the path - 511 00:21:11,699 --> 00:21:14,295 then maybe draw out a quick document, 512 00:21:14,292 --> 00:21:16,458 the segment or segments in which 513 00:21:16,458 --> 00:21:18,177 you're going to be troubleshooting. 514 00:21:18,177 --> 00:21:20,563 Where you will playing, placing Wireshark 515 00:21:20,561 --> 00:21:23,222 and where these other devices, hubs, switches, 516 00:21:23,235 --> 00:21:26,113 routers, firewalls, load balancers, 517 00:21:26,122 --> 00:21:28,996 NAT devices, proxy servers, all these 518 00:21:28,995 --> 00:21:31,406 things, what will be in the path 519 00:21:31,411 --> 00:21:35,253 and how it will change the interpreted data. 520 00:21:35,253 --> 00:21:37,812 And then specifically, 521 00:21:37,815 --> 00:21:40,370 the protocol analysis that you're going to do 522 00:21:40,379 --> 00:21:43,354 when you're capturing how these, 523 00:21:43,353 --> 00:21:46,144 these devices actually impact your data. 524 00:21:46,141 --> 00:21:48,544 If it's NAtting, it's going to change the address. 525 00:21:48,544 --> 00:21:49,529 If it's routing, 526 00:21:49,529 --> 00:21:51,157 it's going to change the MAC address. 527 00:21:51,156 --> 00:21:53,556 If it's load balancing, it may be a VIP. 
528 00:21:53,556 --> 00:21:55,340 So, just remember, 529 00:21:55,340 --> 00:21:58,246 that these devices are very specific 530 00:21:58,246 --> 00:22:00,618 to protocol and traffic analysis, 531 00:22:00,618 --> 00:22:01,838 when you're doing either, 532 00:22:01,838 --> 00:22:04,741 to make sure that you're aware of them 533 00:22:04,741 --> 00:22:07,490 Tip is to again look for documentation and or 534 00:22:07,487 --> 00:22:10,582 make a landscape document, document 535 00:22:10,589 --> 00:22:12,792 of what area you'll be troubleshooting, 536 00:22:12,790 --> 00:22:15,484 so you're aware, do some network discovery 537 00:22:15,484 --> 00:22:18,096 and, and then use Wireshark to start 538 00:22:18,080 --> 00:22:20,216 capturing data and, and troubleshooting. 539 00:22:20,222 --> 00:22:22,222