WEBVTT

00:00:09.580 --> 00:00:15.200
TShark is a command line tool that you can run from a Linux based distribution.

00:00:15.200 --> 00:00:20.160
It is helpful in capturing packet data.

00:00:20.160 --> 00:00:24.340
It's very similar to what you do in Wireshark.

00:00:24.340 --> 00:00:29.240
However, it is Wireshark at the command line, at the terminal.

00:00:29.240 --> 00:00:35.020
So although it does a lot of the same things, you have to learn how to

00:00:35.020 --> 00:00:43.380
manipulate it in a way where you can get those specific things or those

00:00:43.380 --> 00:00:50.380
actions out of it by using switches and command line data.

00:00:50.380 --> 00:00:56.060
So what can you do with it in capturing packets?

00:00:56.060 --> 00:00:57.720
You can display packets.

00:00:57.720 --> 00:01:00.080
You can select different interfaces.

00:01:00.080 --> 00:01:02.620
You can run statistics.

00:01:02.620 --> 00:01:05.180
You can use profiles.

00:01:05.180 --> 00:01:09.760
You can use a lot of the same things, although not everything that you

00:01:09.760 --> 00:01:10.800
can do in a GUI.

00:01:10.800 --> 00:01:16.060
But as mentioned earlier, in the Q&A, there's a lot of things that are

00:01:16.060 --> 00:01:19.540
very similar. You can merge capture files.

00:01:19.540 --> 00:01:25.260
There are separate command line utilities for doing those specific functions.

00:01:25.260 --> 00:01:32.920
However, it requires a basic knowledge of the Linux and Unix command line

00:01:32.920 --> 00:01:35.300
to be able to manipulate it.

00:01:35.300 --> 00:01:40.460
So, some examples of important things that you should take note of.

00:01:40.460 --> 00:01:45.680
You would need to be a super user.

00:01:45.680 --> 00:01:50.920
Preferably, we do not like to log in as root on a Unix or a Linux box,

00:01:50.920 --> 00:01:56.660
but you would obviously have to have super user permissions to do certain

00:01:56.660 --> 00:02:05.340
functions. So you may have to modify some files to be able to use TShark

00:02:05.340 --> 00:02:07.800
in all its functionality.

00:02:07.800 --> 00:02:14.700
You have to remember that with Unix and Linux, there's a lot of upper

00:02:14.700 --> 00:02:19.000
case, lower case settings, things that you would type in.

00:02:19.000 --> 00:02:23.240
And with Unix and Linux, it's primarily case sensitive.

00:02:23.240 --> 00:02:25.440
So you have to be aware of that.

00:02:25.440 --> 00:02:33.740
To navigate the command line or the shell in Unix, you have to be aware

00:02:33.740 --> 00:02:40.680
of setting the shell and being aware of how that's going to output.

00:02:40.680 --> 00:02:46.020
If you wanted to modify files, sometimes you would use the vi editor as

00:02:46.020 --> 00:02:50.860
an example. So there are some Unix and Linux basics that you're going to

00:02:50.860 --> 00:02:52.540
have to know to be able to use this.

00:02:52.540 --> 00:02:58.040
Otherwise, a good way to learn, as I have up on the screen now, is you can

00:02:58.040 --> 00:02:59.960
download VMware.

00:02:59.960 --> 00:03:08.160
You can get any of many different distributions of Linux to load up and

00:03:08.160 --> 00:03:15.940
to test with. If you're going to set up a Linux machine to do packet

00:03:15.940 --> 00:03:18.260
capture, it's not on a VM.

00:03:18.260 --> 00:03:20.580
This is just for instructional purposes.

00:03:20.580 --> 00:03:24.300
You'd want it on the base machine, which interacts directly with your NIC instead

00:03:24.300 --> 00:03:27.040
of the vNIC.

00:03:27.040 --> 00:03:31.880
So although this is helpful, it's only really looking at and analyzing stuff

00:03:31.880 --> 00:03:33.600
on the host machine right now.

00:03:33.600 --> 00:03:35.860
So it's limited.

00:03:35.860 --> 00:03:40.980
But if you're going to really do this and install Linux on a machine to

00:03:40.980 --> 00:03:46.040
use in the field to do protocol packet network analysis, you can install

00:03:46.040 --> 00:03:49.140
that directly to the host machine.

00:03:49.140 --> 00:03:57.060
That being said, you can basically also load the Wireshark GUI on Linux.

00:03:57.060 --> 00:04:03.300
So whatever you weren't using TShark for, anything that you wanted to

00:04:03.300 --> 00:04:06.500
use in the GUI, generally it's also loaded.

00:04:06.500 --> 00:04:10.800
Also, when you install Wireshark, you have the option to put it in or

00:04:10.800 --> 00:04:14.520
take it out. So just be aware that when you did install it, hopefully

00:04:14.520 --> 00:04:17.240
you chose everything and it's already there.

00:04:17.240 --> 00:04:20.780
If not, you may need to add it.

00:04:20.780 --> 00:04:29.860
So as we mentioned earlier, TShark is capable of running a packet capture

00:04:29.860 --> 00:04:35.620
on your system. It is customizable.

00:04:35.620 --> 00:04:40.920
We talked about in Q&A, there are different things that you can do with

00:04:40.920 --> 00:04:49.360
it. There's a man page. If you are familiar with Linux, Unix-ish man pages,

00:04:49.360 --> 00:04:54.740
you can type man, m-a-n, space, tshark, and it will give you many of the

00:04:54.740 --> 00:04:56.620
option settings that you need.

00:04:56.620 --> 00:05:00.320
You can do that with editcap, mergecap, and the rest as well.

00:05:00.320 --> 00:05:04.440
Basically, they're just executables that you're trying, or I should say

00:05:04.440 --> 00:05:09.120
binaries, that you're trying to figure out switches for, or arguments, so

00:05:09.120 --> 00:05:14.800
that you can customize the string and pull exactly what it is that you

00:05:14.800 --> 00:05:17.240
need from TShark.

00:05:17.240 --> 00:05:22.980
And how do you use it?

00:05:22.980 --> 00:05:28.280
Obviously, you would need some basic Unix and Linux systems administration

00:05:28.280 --> 00:05:33.200
skills. I already went over basically what they need to be.

00:05:33.200 --> 00:05:36.560
It's not impossible to do.

00:05:36.560 --> 00:05:43.080
For most of you, if you're using Cisco devices, Linux is fairly easy because

00:05:43.080 --> 00:05:46.460
you're used to manipulating the command line.

00:05:46.460 --> 00:05:50.500
There's also, obviously, if you're using Bash or some kind of shell, it's

00:05:50.500 --> 00:05:52.280
a GUI-like window.

00:05:52.280 --> 00:05:56.580
So between the two, it's very simple to use.

00:05:56.580 --> 00:06:00.980
Just make sure that when you install it, you follow the same criteria

00:06:00.980 --> 00:06:03.860
of adding the things that you need.

00:06:03.860 --> 00:06:07.620
You have the proper system requirements, which you can find on wireshark.org.

00:06:07.620 --> 00:06:14.760
You have permissions to install and configure, which generally means the

00:06:14.760 --> 00:06:20.160
Wireshark installation and configuration files, which would require something

00:06:20.160 --> 00:06:23.160
other than a user privilege.

00:06:23.160 --> 00:06:27.200
And as we noted before, you're going to be running this from the terminal

00:06:27.200 --> 00:06:30.580
window, the TShark terminal.

00:06:30.580 --> 00:06:35.940
And you should learn how to use the man pages, which are basically your

00:06:35.940 --> 00:06:44.000
view into help files, if you will, as if you were going to type a question

00:06:44.000 --> 00:06:50.020
mark at a command prompt in Cisco, where you were trying to figure out

00:06:50.020 --> 00:06:52.360
more information.

00:06:52.360 --> 00:06:56.920
Man pages are generally where you can find many of these different switches

00:06:56.920 --> 00:07:00.140
and so on and so forth.

00:07:00.140 --> 00:07:06.320
So there have been a lot of questions about the Nexus and its packet capture

00:07:06.320 --> 00:07:12.740
capabilities. So you have the Ethanalyzer, you have the ability to capture

00:07:12.740 --> 00:07:18.400
packets and get them into a device such as Wireshark to analyze.

00:07:18.400 --> 00:07:22.920
I believe the question was, is TShark directly on the Nexus platform?

00:07:22.920 --> 00:07:24.200
I do not believe so.

00:07:24.200 --> 00:07:29.280
I believe that it is not TShark, it is Ethanalyzer.

00:07:29.280 --> 00:07:35.700
It may have the same functionality, but it's named differently.

00:07:35.700 --> 00:07:38.580
So I do not believe that it is called TShark.

00:07:38.580 --> 00:07:41.000
So I hope that answers that question.

00:07:41.000 --> 00:07:42.920
But they can be used

00:07:42.920 --> 00:07:48.780
together. You can take the data and you can use it in Wireshark.

00:07:48.780 --> 00:07:54.200
So we will talk about that in the last two modules, I believe, which is file

00:07:54.200 --> 00:07:59.020
formats. And that's why file formats are so important, because with file

00:07:59.020 --> 00:08:03.240
formats, you're going to be moving the data around and opening it and

00:08:03.240 --> 00:08:07.740
other things. And if you do not have it in the correct format, then you

00:08:07.740 --> 00:08:12.040
either may not open it or you may lose data, such as we mentioned when

00:08:12.040 --> 00:08:13.320
we were talking about time stamps.

00:08:13.320 --> 00:08:18.560
You can put it from one to the other and it will lose, for example, nanoseconds,

00:08:18.560 --> 00:08:25.460
if the other analyzer you opened it in does not allow for that.

00:08:25.460 --> 00:08:29.580
Hope I answered that question.

00:08:29.580 --> 00:08:34.080
Let's see what else we have.

00:08:34.080 --> 00:08:42.060
Launching TShark, multiple TSharks.

00:08:42.060 --> 00:08:47.560
So you can open up TShark, multiple instances of TShark, yes, and you

00:08:47.560 --> 00:08:50.680
can use it to capture different things, yes.

00:08:50.680 --> 00:08:58.760
So as an example, hiding it on the system as a background process, yes.

00:08:58.760 --> 00:09:12.120
Let's see what else.

00:09:12.120 --> 00:09:20.000
And as far as trying to determine packet loss, yes, if you did Wireshark

00:09:20.000 --> 00:09:25.420
or TShark on one close to the source or on the source, or close to the

00:09:25.420 --> 00:09:29.120
destination or on the destination, and you ran the same statistics that

00:09:29.120 --> 00:09:34.060
we did when we looked at the GUI version of Wireshark, you can then determine

00:09:34.060 --> 00:09:38.060
the same types of things, which would be the round trip.

00:09:38.060 --> 00:09:45.100
Packet loss could be determined by many things, but Wireshark and/or

00:09:45.100 --> 00:09:47.180
TShark can help you come to that conclusion.