WEBVTT

0:00:13.800000 --> 0:00:19.240000
All right. So why is protocol analysis important?

0:00:19.240000 --> 0:00:25.860000
Well, specifically, once we start getting into more detailed, you know,

0:00:25.860000 --> 0:00:31.260000
learning environments and or production networks, you're going to use

0:00:31.260000 --> 0:00:36.740000
Wireshark to capture the data and start looking within it and finding

0:00:36.740000 --> 0:00:38.920000
anomalies and troubleshooting problems.

0:00:38.920000 --> 0:00:41.660000
So where are these things relevant?

0:00:41.660000 --> 0:00:47.580000
So specifically, when you're capturing the data, you may find some specific

0:00:47.580000 --> 0:00:50.500000
stuff in it that will give you a clue.

0:00:50.500000 --> 0:00:55.540000
This is where you may not know anything about the problem and you're trying

0:00:55.540000 --> 0:01:02.500000
to figure it out completely from scratch or you may know some hints such

0:01:02.500000 --> 0:01:07.000000
as collecting the information from the clients and or the administrative

0:01:07.000000 --> 0:01:13.060000
staff or the help desk and trying to do some preliminary analysis of what

0:01:13.060000 --> 0:01:14.940000
the problem may be.

0:01:14.940000 --> 0:01:20.460000
So it's a recommendation that when you are called in to use Wireshark,

0:01:20.460000 --> 0:01:25.960000
you put on the detective hat and you take a complete report on everything

0:01:25.960000 --> 0:01:31.340000
that you can before you even light Wireshark up and start capturing data.

0:01:31.340000 --> 0:01:38.180000
For example, it's been in the past, I've seen where desktops support or

0:01:38.180000 --> 0:01:41.620000
field services teams are very savvy in what they do.

0:01:41.620000 --> 0:01:45.760000
They're masterful at knowing the client workstation and some of these

0:01:45.760000 --> 0:01:50.360000
tools like Wireshark and they've already run and captured some data for

0:01:50.360000 --> 0:01:54.780000
you.
Sometimes they can give you the data and it might be your baseline

0:01:54.780000 --> 0:02:00.160000
that you were looking for to know how this machine operates normally.

0:02:00.160000 --> 0:02:04.000000
When I say machine, I should drill down on that.

0:02:04.000000 --> 0:02:09.440000
How when it's using the network to use resources, what that view looks

0:02:09.440000 --> 0:02:16.020000
like normally. Let's say from 24 by 7 operation normally all the time

0:02:16.020000 --> 0:02:20.320000
or with normal production operating hours.

0:02:20.320000 --> 0:02:25.580000
So that is the first thing that we want to do is start looking around

0:02:25.580000 --> 0:02:29.540000
us and saying if we're going to start doing some analysis work, what's

0:02:29.540000 --> 0:02:33.300000
already been captured, what's already been done and what's kind of the

0:02:33.300000 --> 0:02:39.280000
problem, what has been reported and is that actually something that we

0:02:39.280000 --> 0:02:41.440000
can use Wireshark to troubleshoot.

0:02:41.440000 --> 0:02:46.720000
So as an example, let's say you have a problem where a database server

0:02:46.720000 --> 0:02:54.580000
is operating horribly and it's causing clients to have application issues.

0:02:54.580000 --> 0:02:59.220000
So a lot of times what we do is we go to the client machine and we may

0:02:59.220000 --> 0:03:03.860000
see well the internet works great, their email works fine and we've isolated

0:03:03.860000 --> 0:03:06.200000
it to this application.

0:03:06.200000 --> 0:03:10.100000
So what we want to do is we want to specifically look down that path.

0:03:10.100000 --> 0:03:15.860000
So you want to run a general capture, you want to look at things, everything

0:03:15.860000 --> 0:03:20.280000
very quickly but you want to say, all right, well I want to do some detective

0:03:20.280000 --> 0:03:24.940000
work and I want to start streamlining my troubleshooting path down into

0:03:24.940000 --> 0:03:27.960000
specifically what is wrong with this application.

0:03:27.960000 --> 0:03:31.300000
Now you don't know it's a database problem yet, we will find that out

0:03:31.300000 --> 0:03:35.400000
but you know at least specifically it's this application.

0:03:35.400000 --> 0:03:37.980000
All right so let's drill down a little bit further.

0:03:37.980000 --> 0:03:41.540000
Let's say you're troubleshooting the application and you find that everything

0:03:41.540000 --> 0:03:45.160000
works pretty well except for when they log in.

0:03:45.160000 --> 0:03:47.620000
That's the problem, very slow log in.

0:03:47.620000 --> 0:03:52.640000
Or they're using an application and one of the modules or components within

0:03:52.640000 --> 0:03:56.120000
the application is problematic.

0:03:56.120000 --> 0:04:00.280000
The reason why we mention this before getting deep, deep, deep into Wireshark

0:04:00.280000 --> 0:04:04.500000
and how it works, that's the whole key to using Wireshark.

0:04:04.500000 --> 0:04:08.140000
The key to using Wireshark is to figure out specifically what it is that

0:04:08.140000 --> 0:04:09.820000
you want to drill down to.

0:04:09.820000 --> 0:04:12.660000
Otherwise you're just collecting data and sifting through it.

0:04:12.660000 --> 0:04:18.640000
You can do that too but to be masterful with it you want to really, really

0:04:18.640000 --> 0:04:22.720000
try to put the detective hat on and try to figure out a few things first.

0:04:22.720000 --> 0:04:26.980000
You want to figure out things that I had just mentioned, is it specific

0:04:26.980000 --> 0:04:27.820000
to an application.

0:04:27.820000 --> 0:04:31.040000
All right so let's say you didn't know to drill into the components of

0:04:31.040000 --> 0:04:35.180000
the application and maybe you didn't know that you would drill down to

0:04:35.180000 --> 0:04:39.640000
the log in as being an issue but you at least knew that it was that application

0:04:39.640000 --> 0:04:41.140000
and why is that important.

0:04:41.140000 --> 0:04:46.060000
Well the destination from the source may be that application server and

0:04:46.060000 --> 0:04:49.020000
it may be an N-tier application where you have three tiers.

0:04:49.020000 --> 0:04:54.760000
You have the application front end which is on a load balanced web servers.

0:04:54.760000 --> 0:04:59.520000
It may have a middleware tier where a lot of COM components are flowing

0:04:59.520000 --> 0:05:02.400000
around and it may have a database tier.

0:05:02.400000 --> 0:05:05.320000
Each one of those tiers may be firewall and ACL.

0:05:05.320000 --> 0:05:09.420000
So it's very important that when you're doing analysis work you're not

0:05:09.420000 --> 0:05:13.860000
just looking at it from the client and you're just running a capture because

0:05:13.860000 --> 0:05:17.480000
the client said that they had bad performance but to actually kind of

0:05:17.480000 --> 0:05:21.620000
drill down more into what traffic you're going to try to filter.

0:05:21.620000 --> 0:05:24.080000
Yes we will learn how to build filters.

0:05:24.080000 --> 0:05:26.520000
Yes we will learn how to drill down to the traffic.

0:05:26.520000 --> 0:05:28.180000
Look for specific ports.

0:05:28.180000 --> 0:05:34.900000
Look for specific time to live, specific offsets, specific everything but

0:05:34.900000 --> 0:05:37.460000
you have to understand what application is the problem.

0:05:37.460000 --> 0:05:41.540000
Maybe that gives you a clue as to what protocol you need to start drilling

0:05:41.540000 --> 0:05:46.760000
down into and again from earlier you may want to do the other checks as

0:05:46.760000 --> 0:05:50.500000
well. Send some data downstream via ping or traceroute.

0:05:50.500000 --> 0:05:52.860000
Maybe something is slow.

0:05:52.860000 --> 0:05:55.740000
That may not be the problem with login but it may be the problem where

0:05:55.740000 --> 0:05:59.620000
it's the overall application itself has bad performance.

0:05:59.620000 --> 0:06:04.280000
If all the applications have bad performance what does that mean?

0:06:04.280000 --> 0:06:10.860000
So again just in sum analyzing 101 is not just lighting up Wireshark, capturing

0:06:10.860000 --> 0:06:13.900000
data and go. It's let's look at everything.

0:06:13.900000 --> 0:06:18.580000
Let's put on the detective hat and look at everything that we can.

0:06:18.580000 --> 0:06:24.920000
So what does this mean when we do this and we try to now start drilling

0:06:24.920000 --> 0:06:30.340000
down. So let's say you had a problem where a specific device wasn't registering

0:06:30.340000 --> 0:06:33.220000
correctly with a network monitoring tool.

0:06:33.220000 --> 0:06:34.800000
What could that be?

0:06:34.800000 --> 0:06:38.680000
All right well we knew enough to say I am going to start capturing data

0:06:38.680000 --> 0:06:49.600000
to show SNMP and specifically what is going on at that capture point.

0:06:49.600000 --> 0:06:51.140000
What is happening here?

0:06:51.140000 --> 0:06:55.940000
So a couple of things that we found is we found the string and in this

0:06:55.940000 --> 0:07:00.100000
particular incident we were finding that there were some data some hosts

0:07:00.100000 --> 0:07:04.660000
that weren't configured correctly via SNMP and there was an access control

0:07:04.660000 --> 0:07:05.700000
that's configured.

0:07:05.700000 --> 0:07:10.100000
So certain things weren't happening and we were able to figure that out

0:07:10.100000 --> 0:07:16.220000
with Wireshark. But again what's important to remember is that we wouldn't

0:07:16.220000 --> 0:07:18.140000
have known to look for that.

0:07:18.140000 --> 0:07:20.480000
Filter down to that.

0:07:20.480000 --> 0:07:23.920000
Drill down to that and look for those specific things without understanding

0:07:23.920000 --> 0:07:28.020000
one the network and the fundamentals of it.

0:07:28.020000 --> 0:07:31.720000
Two the protocol what's being used.

0:07:31.720000 --> 0:07:35.920000
Three doing some detective work around all this to figure out that my

0:07:35.920000 --> 0:07:44.820000
problem is not accessing a file share it was specifically this device

0:07:44.820000 --> 0:07:50.100000
connecting from one to the other and trying to communicate via SNMP.

0:07:50.100000 --> 0:07:55.500000
This is why it is important to remember that specifically you want to

0:07:55.500000 --> 0:07:59.540000
have a lot of knowledge behind you when you're troubleshooting.

0:07:59.540000 --> 0:08:02.140000
All right so next.

0:08:02.140000 --> 0:08:07.180000
When you're doing protocol analysis you're capturing data to and from

0:08:07.180000 --> 0:08:11.600000
source to destination, sources to destinations or through hops.

0:08:11.600000 --> 0:08:16.000000
It's going to reveal some specific things just to recap you may have some

0:08:16.000000 --> 0:08:17.980000
bandwidth issues.

0:08:17.980000 --> 0:08:19.660000
Data may be corrupted.

0:08:19.660000 --> 0:08:23.380000
Things may be configured incorrectly.

0:08:23.380000 --> 0:08:27.100000
You may have some latency issues.

0:08:27.100000 --> 0:08:31.640000
The client itself or the destination may have some I/O issues.

0:08:31.640000 --> 0:08:34.520000
The database may need to be re-indexed.

0:08:34.520000 --> 0:08:37.240000
There may be a synchronous route.

0:08:37.240000 --> 0:08:39.820000
The firewall may be blocking it.

0:08:39.820000 --> 0:08:46.480000
There may be some proxy server issue where it's not allowing something

0:08:46.480000 --> 0:08:49.480000
and it's manifesting as a different issue.

0:08:49.480000 --> 0:08:51.860000
You may have a routing issue.

0:08:51.860000 --> 0:08:54.780000
You may have a storm causing performance.

0:08:54.780000 --> 0:09:00.680000
So just remember when you're doing analysis this data captured is going

0:09:00.680000 --> 0:09:05.820000
to reveal what those issues are but you may need to really figure out

0:09:05.820000 --> 0:09:09.480000
and drill down to essentially what it is that you're looking for which

0:09:09.480000 --> 0:09:12.360000
again forces you.

0:09:12.360000 --> 0:09:15.940000
And I wholeheartedly say forces you because if you really want to learn

0:09:15.940000 --> 0:09:20.220000
and dig deep into this tool you're going to have to really start looking

0:09:20.220000 --> 0:09:24.500000
at how does TCP operate particularly.

0:09:24.500000 --> 0:09:27.620000
Most if not all of you may know the handshake.

0:09:27.620000 --> 0:09:32.580000
We'll cover it in a later module for those that may not know it but that

0:09:32.580000 --> 0:09:36.960000
is going to be the predominant thing that when we do a flow graph, when

0:09:36.960000 --> 0:09:39.960000
we pull a flow graph through Wireshark those are the things that you're

0:09:39.960000 --> 0:09:41.160000
going to need to look for.

0:09:41.160000 --> 0:09:45.320000
You're going to need to see, okay well I've had duplicate ACKs.

0:09:45.320000 --> 0:09:45.960000
What does that mean?

0:09:45.960000 --> 0:09:50.880000
What is an ACK? So those are the things that will require you to dig deeper

0:09:50.880000 --> 0:09:54.340000
into understanding the protocols and again the different layers of the

0:09:54.340000 --> 0:10:00.020000
OSI model.
So we're just going to briefly talk about some of the analysis

0:10:00.020000 --> 0:10:05.400000
tools. One of the key things with analysis tools is that there are many

0:10:05.400000 --> 0:10:07.240000
tools within Wireshark itself.

0:10:07.240000 --> 0:10:12.080000
Wireshark itself has analysis tools within it.

0:10:12.080000 --> 0:10:15.140000
There are analysis tools outside of Wireshark.

0:10:15.140000 --> 0:10:18.740000
There are analysis tools that are handheld that you can plug into your

0:10:18.740000 --> 0:10:23.840000
network. There's analysis tools that are enterprise wide that require

0:10:23.840000 --> 0:10:27.660000
probes and all other types of devices.

0:10:27.660000 --> 0:10:32.240000
Whatever those devices are just remember these tools are simply for the

0:10:32.240000 --> 0:10:38.180000
form to help you analyze what a potential problem can be.

0:10:38.180000 --> 0:10:41.640000
And the reason I put the expert up here which is a tool within Wireshark

0:10:41.640000 --> 0:10:44.880000
and we will have a whole module dedicated directly to it.

0:10:44.880000 --> 0:10:51.360000
This tool will give you some specific information but it will not in particularly

0:10:51.360000 --> 0:10:54.800000
tell you exactly what the problem is.

0:10:54.800000 --> 0:11:00.860000
And that's been a concern for many in the past is, will this really tell

0:11:00.860000 --> 0:11:02.700000
me what the problem is.

0:11:02.700000 --> 0:11:08.280000
When I install Wireshark it immediately says, here's the problem, you

0:11:08.280000 --> 0:11:10.820000
need to do this, you need to do that.

0:11:10.820000 --> 0:11:14.660000
And that's why to start off this foundations course I really wanted to

0:11:14.660000 --> 0:11:20.140000
drill into and get some awareness around the fundamentals of how this

0:11:20.140000 --> 0:11:25.380000
tool is really used and what information you will need to be successful

0:11:25.380000 --> 0:11:29.120000
with it.
This tool is going to tell you that a retransmission is suspected

0:11:29.120000 --> 0:11:33.140000
and if you really think about it what does that really mean to you?

0:11:33.140000 --> 0:11:36.500000
And worse it's telling you it's suspected.

0:11:36.500000 --> 0:11:39.700000
So that's what the expert and other analysis tools do.

0:11:39.700000 --> 0:11:45.380000
They allow you to view things and do some deeper diving into them.

0:11:45.380000 --> 0:11:47.620000
So what will we find?

0:11:47.620000 --> 0:11:50.820000
We're going to do some deep packet inspection.

0:11:50.820000 --> 0:11:53.120000
We're going to review the data packets.

0:11:53.120000 --> 0:11:55.020000
We're going to look at time stamps.

297
00:11:54,763 --> 00:11:57,098
We're going to look at communications patterns.

298
00:11:57,099 --> 00:11:58,788
We're going to look at a whole bunch of stuff

299
00:11:58,790 --> 00:12:02,042
in the next 2 days, 2 to 3 days,

300
00:12:02,045 --> 00:12:04,495
and really dig deep into this data

301
00:12:04,485 --> 00:12:06,593
and start seeing some specific stuff.

302
00:12:06,603 --> 00:12:08,766
And that should be interesting

303
00:12:08,766 --> 00:12:10,003
to everybody, and exciting.

304
00:12:10,003 --> 00:12:12,003
Because a lot of times, you get

305
00:12:12,003 --> 00:12:14,003
really good at configuring devices,

306
00:12:14,003 --> 00:12:16,003
you get really good at designing devices,

307
00:12:16,003 --> 00:12:18,945
but what's really good is when you know

308
00:12:18,943 --> 00:12:20,907
how to solve problems with them.

309
00:12:20,903 --> 00:12:24,320
Because what we will find is, and, and I

310
00:12:24,322 --> 00:12:27,041
I've seen this many times in the past.

311
00:12:27,038 --> 00:12:30,642
We spend a lot of time, put a lot of effort

312
00:12:30,642 --> 00:12:32,374
into designing a perfect network,

313
00:12:32,374 --> 00:12:35,562
or augmenting it perfectly.

314
00:12:35,562 --> 00:12:39,663
We spend a ton of time looking to engineer

315
00:12:39,674 --> 00:12:42,271
the best solution, the most secure,

316
00:12:42,290 --> 00:12:46,172
the most flexible, one with the most a

317
00:12:46,172 --> 00:12:49,246
and a bandwidth, and one that's

318
00:12:49,246 --> 00:12:51,157
to deliver optimal results.

319
00:12:51,157 --> 00:12:53,311
And you know what winds up happening,

320
00:12:53,311 --> 00:12:54,940
this is what we've seen.

321
00:12:54,940 --> 00:12:57,867
Networks are augmented

322
00:12:57,867 --> 00:13:00,784
and a lot of times the staff turns over

323
00:13:00,784 --> 00:13:02,126
and new people come in.

324
00:13:02,126 --> 00:13:03,589
Maybe it wasn't documented well.

325
00:13:03,589 --> 00:13:06,070
Mistakes are made. And this is no fault

326
00:13:06,070 --> 00:13:09,527
to anybody. This is just how we live our lives

327
00:13:09,526 --> 00:13:11,328
in an enterprise networking world.

328
00:13:11,317 --> 00:13:14,648
Things change. New solutions are put in place.

329
00:13:14,648 --> 00:13:16,482
Sometimes they don't have the time to lab them up

330
00:13:16,478 --> 00:13:21,297
correctly or staff with a, they don't have the exact

331
00:13:21,282 --> 00:13:23,559
skill sets needed but they give it the best try.

332
00:13:23,564 --> 00:13:25,134
Sometimes things just go in.

333
00:13:25,134 --> 00:13:26,196
You have other groups.

334
00:13:26,196 --> 00:13:27,835
So, their servers are getting added.

335
00:13:27,838 --> 00:13:31,241
Maybe they didn't turn things off like, you know.

336
00:13:31,246 --> 00:13:33,852
Zero config on printers and

337
00:13:33,852 --> 00:13:35,272
and what ends up happening is

338
00:13:35,272 --> 00:13:37,884
there's just so much stuff in a big network

339
00:13:37,884 --> 00:13:41,419
that the more we lab up, and the more

340
00:13:41,427 --> 00:13:43,745
we learn about the design-build-run

341
00:13:43,737 --> 00:13:45,737
and the more that we learn about Wireshark

342
00:13:45,737 --> 00:13:47,249
and how to troubleshoot and dig

343
00:13:47,249 --> 00:13:48,440
deep into the networks,

344
00:13:48,440 --> 00:13:51,663
the better off we will be to solve problems.

345
00:13:51,664 --> 00:13:54,391
And that is the key to solve issues.

346
00:13:54,391 --> 00:13:57,040
The fire alarm goes off, things are broken,

347
00:13:57,040 --> 00:13:58,328
the application's down.

348
00:13:58,328 --> 00:14:01,585
It's a critical application. People are panicking.

349
00:14:01,585 --> 00:14:04,127
And you come in, very calm, cool and

350
00:14:04,130 --> 00:14:06,314
collected and you strategize

351
00:14:06,327 --> 00:14:10,106
the exact way to solve or fix this issue

352
00:14:10,107 --> 00:14:12,107
and that's what we're striving for.

353
00:14:12,107 --> 00:14:18,390