1
00:00:02,320 --> 00:00:09,630
The most detailed type of analysis data: packet captures. With packet captures you can see all of the

2
00:00:09,630 --> 00:00:14,100
network layer information plus actual data payloads.

3
00:00:14,100 --> 00:00:20,190
You can analyze information like web page images, passwords and even voice call conversations.

4
00:00:22,440 --> 00:00:28,740
Cisco's Firepower Management Center has a sweet feature that actually allows you to download packet capture

5
00:00:28,740 --> 00:00:37,460
files for intrusion events. So find the event I want to analyze, I'll click the drill-down arrow and then

6
00:00:37,460 --> 00:00:41,240
if I scroll to the bottom I have the option to download all packets.

7
00:00:41,360 --> 00:00:48,500
So I'll download this and then we'll use our Wireshark software to open up the pcap file to analyze

8
00:00:48,920 --> 00:00:53,620
the security artifacts. While that's downloading,

9
00:00:53,930 --> 00:01:00,950
if we look here in this packet information section right from the Firepower Management Center we can

10
00:01:00,950 --> 00:01:06,890
actually look at some of the data that we would see right in our pcap file.

11
00:01:06,890 --> 00:01:13,760
So I guess in this case you really could probably get by just by using the data that's provided in the

12
00:01:13,760 --> 00:01:20,330
Firepower Management Center, but you're not always going to have that luxury. Plus Wireshark has some

13
00:01:20,330 --> 00:01:23,970
additional features that can be used to help you analyze the data.

14
00:01:28,120 --> 00:01:32,350
OK, so it looks like the download is done.

15
00:01:32,530 --> 00:01:34,740
I'll open up the zip file.

16
00:01:35,140 --> 00:01:39,730
Double-click it and it should open up the file with my Wireshark software.

17
00:01:45,310 --> 00:01:52,300
So we can see that the first packet that was collected in the security event was the acknowledgement

18
00:01:52,300 --> 00:01:56,720
to open up the TCP session on port 80 to the web server.

19
00:01:57,070 --> 00:02:03,610
And then once the connection was established we can see that there was an HTTP GET, and we can see

20
00:02:03,610 --> 00:02:09,970
our protocol header information and all of our addressing for each network model layer, and then the

21
00:02:09,970 --> 00:02:14,040
most interesting part is the HTTP section.

22
00:02:14,370 --> 00:02:21,670
It can provide information such as images that were pulled down in the HTTP GET as well as the final

23
00:02:22,270 --> 00:02:27,820
destination URI and the DNS hostname information.

24
00:02:27,850 --> 00:02:33,460
So as you can see, having a pcap file of a security event can give you all the information that you

25
00:02:33,460 --> 00:02:37,440
would need to properly analyze it at a network level.