1
00:00:00,120 --> 00:00:03,270
So let's examine the packets and protocols with Wireshark.

2
00:00:04,050 --> 00:00:10,020
Wireshark is free, open source, and it's the world's foremost network packet analyzer.

3
00:00:10,290 --> 00:00:14,250
And it's also the de facto standard across system and network administrators.

4
00:00:14,760 --> 00:00:21,210
Wireshark has the ability to listen and record traffic, as well as contain some pretty advanced filtering

5
00:00:21,210 --> 00:00:22,290
and reviewing options.

6
00:00:23,220 --> 00:00:30,650
So first, I'm going to visit an HTTP website and then an HTTPS website.

7
00:00:32,610 --> 00:00:34,560
Let's go to Kali and run Wireshark.

8
00:00:35,820 --> 00:00:38,970
You can open a terminal screen and type wireshark to start it.

9
00:00:40,880 --> 00:00:44,960
So these are the network interfaces that Wireshark is able to listen to.

10
00:00:46,070 --> 00:00:51,950
I'll open another terminal screen and run the ifconfig command to see the network interfaces.

11
00:00:52,760 --> 00:00:57,380
So as you know, ifconfig stands for network interface configuration.

12
00:00:57,710 --> 00:01:03,380
So if we use the command without any parameter, it'll list all the interfaces available.

13
00:01:04,670 --> 00:01:07,850
We have eth0 as a network interface to listen to.

14
00:01:09,470 --> 00:01:14,450
So now I'll turn back to Wireshark and double click eth0 to select it.

15
00:01:15,600 --> 00:01:19,740
Now, Wireshark starts to listen to the Ethernet interface of Kali.

16
00:01:20,650 --> 00:01:26,140
And to create some traffic, I'll open a web browser and just visit an arbitrary website.

17
00:01:36,720 --> 00:01:41,490
And now we have enough packets to examine, so I'll click the stop button at the upper left corner of

18
00:01:41,490 --> 00:01:43,890
Wireshark to stop listening to the traffic.

19
00:01:44,580 --> 00:01:50,820
So first, we have some DNS packets to find out the IP address of the visited site.

20
00:01:51,630 --> 00:01:56,640
We'll look at these kinds of packets soon, but right now, let's just have a brief look.

21
00:01:57,210 --> 00:02:00,720
So a DNS query for the IP version four.

22
00:02:01,880 --> 00:02:04,820
Another DNS query for IP version six.

23
00:02:05,150 --> 00:02:08,210
Don't worry about the versions right now, we'll cover them soon, I promise.

24
00:02:09,080 --> 00:02:14,990
These DNS queries are transferred as UDP packets in the transport layer.

25
00:02:15,500 --> 00:02:17,540
The destination port is 53.

26
00:02:18,530 --> 00:02:23,120
This is the IP packet with the source and the destination IP addresses.

27
00:02:24,090 --> 00:02:29,970
So we'll go through the layers one by one, and we'll see all these packets, datagrams and frames

28
00:02:30,120 --> 00:02:30,930
in detail.

29
00:02:31,320 --> 00:02:32,250
So we'll keep going.

30
00:02:33,880 --> 00:02:36,610
This is the structure of the Ethernet frame.

31
00:02:41,390 --> 00:02:46,370
First, there are two DNS queries for www.hackeracademy.uk.

32
00:02:47,330 --> 00:02:55,490
One for the IPv4 address, and the other one is for the IPv6 address, and because the website is redirected

33
00:02:55,490 --> 00:03:01,160
to hackeracademy.uk, there are two more DNS requests for this address.

34
00:03:02,540 --> 00:03:06,410
The next DNS packets are the DNS query responses.

35
00:03:06,590 --> 00:03:08,090
This response is type A.

36
00:03:08,480 --> 00:03:12,020
That means it's an answer for the IPv4 request.

37
00:03:13,010 --> 00:03:14,240
And here's the answer.

38
00:03:14,990 --> 00:03:16,520
The IP address of the website.

39
00:03:18,590 --> 00:03:26,870
Now, the DNS response packet uses UDP at the transport layer, IP at the network layer, et cetera.

40
00:03:28,050 --> 00:03:32,550
Here we have a TCP handshake between Kali and the web server.

41
00:03:33,090 --> 00:03:35,340
We'll also see this in detail later on.

42
00:03:36,800 --> 00:03:43,880
A SYN packet, a SYN-ACK as a reply and an ACK packet to complete the handshake.

43
00:03:45,970 --> 00:03:49,180
This is an HTTP GET request.

44
00:03:49,960 --> 00:03:55,570
We learned the IP address of the website, and now the system is ready to receive the web page.

45
00:03:57,780 --> 00:04:00,480
HTTP protocol in the application layer.

46
00:04:01,410 --> 00:04:04,560
Now you can see the headers and the parameters of the request.

47
00:04:06,220 --> 00:04:12,670
TCP protocol in the transport layer: source port, destination port, flags, etc.

48
00:04:14,200 --> 00:04:16,450
IP protocol in the network layer.

49
00:04:17,730 --> 00:04:20,370
Here are the source and destination addresses.

50
00:04:21,780 --> 00:04:24,060
And the Ethernet frame in layer two.

51
00:04:26,060 --> 00:04:33,440
These are the TCP packets which will build the HTTP response, so in this example, it's the web page.

52
00:04:33,890 --> 00:04:40,430
In other words, the response is transferred between the web server and our system as fragmented packets

53
00:04:40,430 --> 00:04:41,690
in the transport layer.

54
00:04:44,100 --> 00:04:46,470
Here's the HTTP response, too.

55
00:04:46,890 --> 00:04:49,620
OK, so the web page is received.

56
00:04:49,950 --> 00:04:52,410
And here's the data, which is our web page.

57
00:04:54,050 --> 00:04:58,610
These are the response details: response type, headers, et cetera.

58
00:05:01,080 --> 00:05:07,710
Here there's additional information produced by Wireshark, which says that the HTTP response is created

59
00:05:07,710 --> 00:05:11,610
by reassembling five TCP segments or packets.

60
00:05:12,600 --> 00:05:19,200
So now I'd like to show you the difference between HTTP and HTTPS traffic.

61
00:05:20,780 --> 00:05:24,590
So I'll go to the browser and visit an HTTPS page now.

62
00:05:26,260 --> 00:05:28,960
But before visiting the page, let's start Wireshark.

63
00:05:29,620 --> 00:05:32,470
Here's the start button, continue without saving.

64
00:05:34,370 --> 00:05:36,020
OK, now we have a clean sheet.

65
00:05:37,050 --> 00:05:39,150
So I'll go to the browser and hit Enter.

66
00:05:39,570 --> 00:05:39,940
Wow.

67
00:05:39,960 --> 00:05:41,580
Lots of packets in milliseconds.

68
00:05:41,850 --> 00:05:44,450
So we've got plenty of packets to investigate.

69
00:05:44,460 --> 00:05:46,170
Just click the stop button once again.

70
00:05:47,430 --> 00:05:55,650
OK, so the DNS request and the response packets first. Here is a response with an IPv4 address.

71
00:05:57,660 --> 00:06:04,410
Here there is a TCP three-way handshake between Kali and port 443 of Google's web server.

72
00:06:05,490 --> 00:06:06,570
And now a Client

73
00:06:06,600 --> 00:06:12,630
Hello TLS packet to start the TLS handshake, again between Kali and the Google server.

74
00:06:14,090 --> 00:06:21,080
Now, to get rid of the other traffic records, I'd like to filter the results by the IP address of

75
00:06:21,080 --> 00:06:22,070
the Google server.

76
00:06:23,300 --> 00:06:30,890
Now, while the mouse pointer is on the server IP address, right click and go to Apply as Filter and

77
00:06:30,890 --> 00:06:33,080
select the Selected option.

78
00:06:34,250 --> 00:06:40,850
So as you can see here in the filter bar, the IP address is assigned as the destination IP address.

79
00:06:41,630 --> 00:06:49,040
Now we only see the traffic where the destination is the Google server, but we'd like to see

80
00:06:49,040 --> 00:06:51,290
both the incoming and the outgoing traffic.

81
00:06:51,650 --> 00:06:59,690
So I'll change the dst part of the filter to addr and click the blue arrow to activate the new filter.

82
00:07:00,350 --> 00:07:02,870
Now we can see the traffic in both directions.

83
00:07:04,140 --> 00:07:07,980
OK, so here we are at the Client Hello TLS message.

84
00:07:09,190 --> 00:07:17,770
Here are the details of the message. TLS uses the TCP protocol in the transport layer. The Google server replies with

85
00:07:17,770 --> 00:07:22,330
a Server Hello message as the second step of the TLS handshake.

86
00:07:23,430 --> 00:07:30,300
Then come the Certificate and Server Key Exchange, and the Server Hello Done message is sent by the

87
00:07:30,300 --> 00:07:30,690
server.

88
00:07:32,330 --> 00:07:37,100
Kali sends the Client Key Exchange, the Google server sends a New Session Ticket.

89
00:07:38,330 --> 00:07:40,850
And the encrypted communication starts.

90
00:07:43,330 --> 00:07:48,010
Here is some encrypted application data, which is meaningless for others who listen to the traffic.

91
00:07:49,610 --> 00:07:55,700
And as you can see here, the message is encrypted at the application layer, so you can still see the

92
00:07:55,700 --> 00:07:59,050
source and the destination addresses, the ports, et cetera.