WEBVTT

00:00:08.160 --> 00:00:15.080
So, a question came up when reviewing the last bunch of modules we discussed.

00:00:15.080 --> 00:00:17.660
We talked about client-server response.

00:00:17.660 --> 00:00:20.820
We talked about analyzing DNS.

00:00:20.820 --> 00:00:24.620
We've looked at HTTP a little bit and actually the next two modules that

00:00:24.620 --> 00:00:29.400
we're going to get into are a deep look at HTTP or web-based traffic.

00:00:29.400 --> 00:00:35.860
But the question was, as we learn them separately, how do we

00:00:35.860 --> 00:00:37.440
tie them all together?

00:00:37.440 --> 00:00:43.260
And that is a great question, because that's essentially what we're

00:00:43.260 --> 00:00:48.140
trying to teach you in the foundations course: to look at the specifics

00:00:48.140 --> 00:00:53.120
of them, because when you're really confronted with a network issue, it's

00:00:53.120 --> 00:00:57.680
really going to require you to take a look at everything that it is you

00:00:57.680 --> 00:01:01.780
know. And you're going to have to do that detective work that we continue

00:01:01.780 --> 00:01:05.980
to talk about, where you're going to have to say, all right, let's use

00:01:05.980 --> 00:01:07.640
this as an example.

00:01:07.640 --> 00:01:15.560
You get a request to troubleshoot a problem, and a client can't access

00:01:15.560 --> 00:01:18.120
the network. So, you do a little bit more analysis.

00:01:18.120 --> 00:01:22.020
You talk to the client directly and you say, well, what do you have a

00:01:22.020 --> 00:01:24.720
problem with? So, maybe you remote to their machine and you look at a

00:01:24.720 --> 00:01:28.520
few things yourself, which I recommend if you can, because as you're

00:01:28.520 --> 00:01:32.660
talking to them, you can take a look at a few things that they may be

00:01:32.660 --> 00:01:35.620
mentioning, do some quick checks yourself.

00:01:35.620 --> 00:01:40.040
So, as an example, you can do like an ipconfig /all or an ifconfig

00:01:40.040 --> 00:01:43.920
and you can start looking at things and say, okay, well, I see the DNS

00:01:43.920 --> 00:01:45.720
servers are configured.

00:01:45.720 --> 00:01:51.800
I see certain things. Their problem statement was, I couldn't access

00:01:51.800 --> 00:01:55.360
a website. I couldn't get to a resource.

00:01:55.360 --> 00:02:00.740
Well, why? So, by doing that, you're starting to look at a few things.

00:02:00.740 --> 00:02:04.040
You see the DNS server configured, maybe run a ping to it.

00:02:04.040 --> 00:02:08.100
Okay, well, I can get to it, run a dig or something and see if it's replying

00:02:08.100 --> 00:02:11.240
back to you as an authoritative server.

00:02:11.240 --> 00:02:17.160
You can install Wireshark and start running a capture to start looking

00:02:17.160 --> 00:02:21.520
at some data. And then when you're doing these things, you

00:02:21.520 --> 00:02:25.640
could start looking at, all right, well, I'm going to check DNS quickly.

00:02:25.640 --> 00:02:30.220
I'm going to see if I can respond to that server or that server is responding

00:02:30.220 --> 00:02:34.240
to me. I'm going to look at basically the web server.

00:02:34.240 --> 00:02:35.300
I'm going to try to ping it.

00:02:35.300 --> 00:02:39.900
So, yes, we're learning things individually, but as the course builds

00:02:39.900 --> 00:02:45.420
and as we get into future courses, it's really to teach you the specifics

00:02:45.420 --> 00:02:51.300
of using all of these tools together and really thinking very wide as

00:02:51.300 --> 00:02:53.200
well as going very deep.

00:02:53.200 --> 00:02:57.780
So, one of the concepts I like to use is you think very wide and you look

00:02:57.780 --> 00:03:02.360
at things as an entire forest and then you zoom into a tree.

00:03:02.360 --> 00:03:05.820
Okay, I think this is maybe something I need to look at.

00:03:05.820 --> 00:03:09.600
There's an anomaly, and then I come back out and I look at it wide again

00:03:09.600 --> 00:03:11.200
and as a whole.

00:03:11.200 --> 00:03:15.820
So, hope that answers the question, but essentially what we're looking

00:03:15.820 --> 00:03:23.300
at is we're looking at everything in pieces in hopes that you learn certain

00:03:23.300 --> 00:03:27.040
things that allow you to look at them as a whole, because when somebody

00:03:27.040 --> 00:03:32.720
tells you that there's a problem or you are responding to a problem, it's

00:03:32.720 --> 00:03:39.760
very similar to not knowing exactly what it is that you're being told,

00:03:39.760 --> 00:03:43.480
not knowing what it is that you may essentially see up front.

00:03:43.480 --> 00:03:45.620
It may be something very different.

00:03:45.620 --> 00:03:47.720
You may get some false positives.

00:03:47.720 --> 00:03:51.160
You may be able to access some things, but not others.

00:03:51.160 --> 00:03:57.100
And by doing all this work collectively with the tools, primarily using

00:03:57.100 --> 00:04:02.660
Wireshark, for the tools that you learn about,

00:04:02.660 --> 00:04:08.160
hopefully by then you can use these tools to help resolve what the issues

00:04:08.160 --> 00:04:13.160
may be and come to root cause, isolate the problem and try to correct

00:04:13.160 --> 00:04:19.840
it. Okay, hope that answered your question.

00:04:19.840 --> 00:04:24.620
With that, we're going to move directly into the next module, which is

00:04:24.620 --> 00:04:31.620
very relevant to what we were just talking about, which is capturing HTTP.

00:04:31.620 --> 00:04:34.620
So, what is HTTP?

00:04:34.620 --> 00:04:41.880
Hypertext Transfer Protocol is basically the higher-layer OSI model protocol

00:04:41.880 --> 00:04:49.980
that allows you to access web servers and content from a web browser.

00:04:49.980 --> 00:04:55.260
This tends to be very complex in troubleshooting, although it seems simplistic

00:04:55.260 --> 00:05:02.060
in theory. There's a lot of things that can cause issues, such as the fact

00:05:02.060 --> 00:05:10.660
that we don't really, I should say, we access a lot of what we get as

00:05:10.660 --> 00:05:14.080
resources through a web browser, as an example.

00:05:14.080 --> 00:05:19.440
You may have a fat client for email such as Outlook, but a lot of times

00:05:19.440 --> 00:05:21.660
you can access it through a browser.

00:05:21.660 --> 00:05:25.580
A lot of applications today are accessed through browsers.

00:05:25.580 --> 00:05:33.620
A lot of troubleshooting tools, such as your network monitoring tools, are

00:05:33.620 --> 00:05:37.000
accessed via web browser.

00:05:37.000 --> 00:05:40.220
You access websites via your web browser.

00:05:40.220 --> 00:05:46.100
There's a lot of things that you access with it: applications, email,

00:05:46.100 --> 00:05:48.400
system monitoring tools.

00:05:48.400 --> 00:05:53.940
The clients are very wide and many.

00:05:53.940 --> 00:05:57.580
What that means is you have many different vendors, many different

00:05:57.580 --> 00:06:01.560
makes and models of browsers, many different versions.

00:06:01.560 --> 00:06:09.860
As we move in time, they grow more and more complex.

00:06:09.860 --> 00:06:14.480
I remember the very earliest versions of Internet Explorer.

00:06:14.480 --> 00:06:17.740
I remember Netscape Navigator.

00:06:17.740 --> 00:06:24.840
It was an awesome browser, but it was very fat and very cumbersome.

00:06:24.840 --> 00:06:28.900
I remember Internet Explorer being very light, however, being very problematic

00:06:28.900 --> 00:06:30.960
and prone to malware.

00:06:30.960 --> 00:06:36.360
As we've grown to where we are today, there's many security tools integrated

00:06:36.360 --> 00:06:39.960
into the web browsers, the web clients.

00:06:39.960 --> 00:06:45.800
Basically, a lot of these things may cause issues that may have nothing

00:06:45.800 --> 00:06:47.340
to do with your network.

00:06:47.340 --> 00:06:54.560
As an example, you may have lists and zones and security agents in your

00:06:54.560 --> 00:06:58.380
browser that disallow you from accessing a website.

00:06:58.380 --> 00:07:04.020
You may immediately think that you have a problem with the web server,

00:07:04.020 --> 00:07:08.460
as an example. You may think that you need to run Wireshark to figure

00:07:08.460 --> 00:07:11.100
all that out. Actually, no.

00:07:11.100 --> 00:07:17.040
That's why we're going to talk about some common issues with the clients

00:07:17.040 --> 00:07:21.760
and the servers before we actually get into a capture, because many times

00:07:21.760 --> 00:07:26.520
you can dig into and find issues without Wireshark.

00:07:26.520 --> 00:07:31.160
When you do have to load up Wireshark, the packets will tell you

00:07:31.160 --> 00:07:34.800
exactly what's going on and you will be able to find issues.

00:07:34.800 --> 00:07:41.120
But just remember, there's certain things that you can find without Wireshark.

00:07:41.120 --> 00:07:47.680
Okay, that being said, some common issues: slow response time.

00:07:47.680 --> 00:07:52.740
I've heard this many, many times troubleshooting issues, especially with

00:07:52.740 --> 00:07:59.320
web-based applications on premise or off, internally in your network or

00:07:59.320 --> 00:08:06.040
externally. And many times you'll try to access these sites and you'll

00:08:06.040 --> 00:08:06.940
get slow performance.

00:08:06.940 --> 00:08:10.380
It'll be choppy, it'll disconnect.

00:08:10.380 --> 00:08:14.440
You'll get error codes such as 404 or 501.

00:08:14.440 --> 00:08:15.860
It's very common.

00:08:15.860 --> 00:08:19.200
You will not get a page returned to you.

00:08:19.200 --> 00:08:21.600
The page will appear broken.

00:08:21.600 --> 00:08:28.520
So there's quite a few things that can happen, and there's a whole bunch

00:08:28.520 --> 00:08:30.240
of reasons why they could happen.

00:08:30.240 --> 00:08:34.200
So what is Wireshark going to show you?

00:08:34.200 --> 00:08:40.360
Well, Wireshark can absolutely, hands down, help you find issues with clients

00:08:40.360 --> 00:08:42.500
trying to talk to sites.

00:08:42.500 --> 00:08:47.920
It can do so by capturing the traffic and showing you specifics about

00:08:47.920 --> 00:08:53.360
the traffic that will allow you to isolate, or try to isolate down, the

00:08:53.360 --> 00:08:58.340
root cause. So let's pull up a capture here.

00:08:58.340 --> 00:09:07.940
And within the capture, we're going to see here that we just accessed a

00:09:07.940 --> 00:09:13.300
basic site and we're trying to look within it to gather some information

00:09:13.300 --> 00:09:18.980
about it. And by doing so, the quickest and easiest way we can do this

00:09:18.980 --> 00:09:22.640
is to quickly look at the stream and see what's going on.

00:09:22.640 --> 00:09:25.620
So here we saw our GET.

00:09:25.620 --> 00:09:30.960
It was the request to visit a site, and by doing so we were able to see

00:09:30.960 --> 00:09:36.080
the server, the web server that responded and was able to give some information

00:09:36.080 --> 00:09:47.460
back. And let's see, we were able to see some XML information, so it started

00:09:47.460 --> 00:09:51.360
providing the page information that was pulled.

00:09:51.360 --> 00:09:55.300
You will see a great amount of information in here.

00:09:55.300 --> 00:09:59.920
So as you can see from the stream, you're able to see inside the page,

00:09:59.920 --> 00:10:05.800
you're able to see inside the content, you're able to see errors that pop

00:10:05.800 --> 00:10:11.220
up. If you get a page error, you're able to see the server that responds.

00:10:11.220 --> 00:10:14.700
You'll see GET requests, you'll see POSTs.

00:10:14.700 --> 00:10:21.640
And there's a lot of information that you will see within the stream itself.

00:10:21.640 --> 00:10:25.540
Now, just to step back as to why we looked at the stream in the first

00:10:25.540 --> 00:10:30.020
place, the stream here can also get a little convoluted.

00:10:30.020 --> 00:10:33.740
So essentially, a lot of the things that we look for are at the top of the stream.

00:10:33.740 --> 00:10:37.380
I basically want to see what the request was and I want to see what the

00:10:37.380 --> 00:10:41.480
response was. And this will give me some information.

00:10:41.480 --> 00:10:48.060
We can also look at a flow.

00:10:48.060 --> 00:10:55.360
And by doing so I can also see specifically the HTTP information, the

00:10:55.360 --> 00:10:59.040
GET, the download and how TCP responded

00:10:59.040 --> 00:11:01.080
with the three-way handshake.

00:11:01.080 --> 00:11:06.760
And if there were any issues there, if I continuously see a huge amount

00:11:06.760 --> 00:11:15.920
of GET requests, it may indicate that I need to maybe streamline the communication

00:11:15.920 --> 00:11:21.520
where I allow for less content to be sent in chunks.

00:11:21.520 --> 00:11:27.100
And I can send more information, such as an entire cascading style sheet,

00:11:27.100 --> 00:11:31.740
in one chunk instead of sending it in many chunks.

00:11:31.740 --> 00:11:35.100
I can see constant responses back.

00:11:35.100 --> 00:11:39.100
So there's ways I can see where poor performance can come in.

00:11:39.100 --> 00:11:44.280
I can look at the size of the packets, as we looked in the summary from

00:11:44.280 --> 00:11:50.360
the other day. I can start looking into the Expert Info to see specifically

00:11:50.360 --> 00:11:54.180
if there's any breaks in communication there.

00:11:54.180 --> 00:11:56.360
This one looks pretty good.

00:11:56.360 --> 00:12:01.140
But I can also go into the details and scroll down into HTTP and check

00:12:01.140 --> 00:12:05.640
out specifics on the GET requests and POSTs.

00:12:05.640 --> 00:12:10.320
And another thing which we'll learn about is I can export the objects

00:12:10.320 --> 00:12:14.720
and take a look at exactly what's taking place here.

00:12:14.720 --> 00:12:20.240
So I can see that there were two websites accessed and what the size of

00:12:20.240 --> 00:12:21.820
the traffic was.

00:12:21.820 --> 00:12:28.060
So as we mentioned, there's many tools that we can look at to find problems

00:12:28.060 --> 00:12:32.380
with HTTP. And in the next module, we'll take a deeper dive and we'll look

00:12:32.380 --> 00:12:35.120
at some of those tools in depth.

00:12:35.120 --> 00:12:41.320
But in Wireshark basics, you can follow the TCP stream, which will allow

00:12:41.320 --> 00:12:43.340
you to filter the conversation.

00:12:43.340 --> 00:12:49.840
It will allow you to see the entire conversation and see the client request,

00:12:49.840 --> 00:12:52.300
the GET, the response.

00:12:52.300 --> 00:12:57.840
You can see POSTs, you can see page errors, you can see page content,

00:12:57.840 --> 00:13:01.860
you can see specifics as to what's taking place in that stream.

00:13:01.860 --> 00:13:06.560
And it's very interesting, because there's so much happening in HTTP when

00:13:06.560 --> 00:13:07.300
you look at the stream.

00:13:07.300 --> 00:13:12.200
You can really see why, when you pull a simple page, you might pull

00:13:12.200 --> 00:13:16.960
100 packets: as you can see, there's a lot taking place there.

00:13:16.960 --> 00:13:21.540
And by looking at all that data, you can identify problems within it.

00:13:21.540 --> 00:13:27.420
And again, for the stream itself, you can either right-click and look at the

00:13:27.420 --> 00:13:33.400
TCP stream off a packet, or you can filter on tcp.stream == the number

00:13:33.400 --> 00:13:40.740
of the stream. And this will help you to capture and to start looking

00:13:40.740 --> 00:13:42.760
into HTTP traffic.