1
00:00:00,840 --> 00:00:08,640
Wireshark is free, open source and the world's foremost network packet analyzer, and it is the de

2
00:00:08,640 --> 00:00:11,790
facto standard across system and network administrators.

3
00:00:12,760 --> 00:00:18,490
Wireshark has the ability to listen and record traffic, as well as advanced filtering and reviewing

4
00:00:18,490 --> 00:00:19,000
options.

5
00:00:19,300 --> 00:00:25,000
We're not going to do a deep dive into Wireshark right now, since that's a subject of network layer

6
00:00:25,000 --> 00:00:25,510
attacks.

7
00:00:26,440 --> 00:00:32,110
So here let's see a summary of the traffic and the systems related to the interfaces we listen to.

8
00:00:34,530 --> 00:00:37,080
Let's go to Kali and start Wireshark.

9
00:00:37,950 --> 00:00:44,340
You can start Wireshark from the applications menu or open a terminal window and type wireshark to start

10
00:00:44,340 --> 00:00:44,760
the app.

11
00:00:45,690 --> 00:00:50,270
Don't worry about the ampersand at the end of the command. Putting an ampersand at the end of a command

12
00:00:50,280 --> 00:00:52,620
causes the shell to run the process in the background.

13
00:00:53,010 --> 00:00:54,450
It's sort of multitasking.

14
00:00:55,410 --> 00:00:59,910
You can have many processes running, but only one in the foreground at any given point.

15
00:01:00,510 --> 00:01:06,150
The process in the foreground is the process that appears to have locked up the terminal. Whatever

16
00:01:07,440 --> 00:01:10,740
the first message is, it's because we are a super user.

17
00:01:11,820 --> 00:01:12,480
No worries.

18
00:01:13,080 --> 00:01:13,380
OK.

19
00:01:13,800 --> 00:01:18,600
The welcome page of Wireshark asks which interface we would like to listen to first.

20
00:01:19,880 --> 00:01:21,890
So let's have a look at the interfaces of our system.

21
00:01:23,350 --> 00:01:30,010
To look at the interfaces and to remember the IP address of Kali, open the terminal and type ifconfig.

22
00:01:31,240 --> 00:01:36,700
There are two results in the output of the ifconfig command: eth0 and lo.

23
00:01:37,770 --> 00:01:45,720
eth0 is the first Ethernet interface; additional Ethernet interfaces would be named eth1, etc.

24
00:01:46,680 --> 00:01:48,150
Here we have only one.

25
00:01:49,180 --> 00:01:51,760
Now, lo is the loopback interface.

26
00:01:52,120 --> 00:01:56,740
This is a special network interface that the system uses to communicate with itself.

27
00:01:57,780 --> 00:02:00,630
eth0 is the interface that we're interested in at the moment.

28
00:02:01,770 --> 00:02:08,280
Double click eth0 on the main page of Wireshark to start capturing the packets passing through

29
00:02:08,280 --> 00:02:09,660
our Ethernet interface.

30
00:02:10,230 --> 00:02:13,470
Now to speed it up, let's create some network traffic.

31
00:02:13,950 --> 00:02:18,330
Open one of my virtual machines, OWASP BWA, and ping Kali.

32
00:02:21,690 --> 00:02:24,520
To stop the ping command, press Control

33
00:02:24,540 --> 00:02:28,890
C. Then ifconfig to learn the IP address of the machine.

34
00:02:30,270 --> 00:02:34,350
Now I go to another VM, Metasploit, and ping the last VM first.

35
00:02:43,030 --> 00:02:44,560
And then ping Kali.

36
00:02:53,340 --> 00:02:56,640
Here we have a lot of ICMP and ARP traffic at the moment.

37
00:03:01,310 --> 00:03:02,660
So let's generate some traffic.

38
00:03:02,960 --> 00:03:07,940
I open the browser in Kali and visit the website served by the OWASP BWA machine.

39
00:03:18,440 --> 00:03:24,470
And for even more traffic, I visit nhs.uk, my favorite website.

40
00:03:25,830 --> 00:03:26,760
OK, that's enough.

41
00:03:27,000 --> 00:03:28,410
Let's turn back to Wireshark.

42
00:03:29,280 --> 00:03:34,590
As you see, we have a lot of packets captured and new packets arrive every second.

43
00:03:35,400 --> 00:03:41,490
ARP packets, TCP packets, TLS packets for HTTPS traffic, etc.

44
00:03:42,210 --> 00:03:44,790
Here, we don't investigate the packets in detail.

45
00:03:45,300 --> 00:03:48,840
We want to learn about the systems which are interacting with us.

46
00:03:49,770 --> 00:03:53,220
So go to the Statistics menu and select Conversations.

47
00:03:53,880 --> 00:04:00,420
There are five tabs in the Conversations window by default, and we're on the IPv4 tab at the moment.

48
00:04:00,990 --> 00:04:09,630
Here there are IP packets grouped by Address A and Address B, and in each line we see how many packets

49
00:04:09,630 --> 00:04:11,010
were sent up to now,

50
00:04:11,730 --> 00:04:19,530
the total size of the packets in bytes, the number and size of the packets from A to B and from B to A, et

51
00:04:19,590 --> 00:04:19,980
cetera.

52
00:04:21,370 --> 00:04:25,140
There is traffic between 8.8.8.8 and my Kali.

53
00:04:26,120 --> 00:04:34,190
Now, I know that 8.8.8.8 is the IP address of Google DNS, so I must have set the Google DNS as the

54
00:04:34,190 --> 00:04:35,270
DNS of my Kali.

55
00:04:35,480 --> 00:04:37,490
You know, I'd like to look at the network config.

56
00:04:43,030 --> 00:04:47,830
And yes, my DNS address is 8.8.8.8.

57
00:04:51,660 --> 00:04:55,170
In the Ethernet tab, we can see the MAC addresses of the systems.

58
00:04:56,190 --> 00:05:02,970
The address full of F's means that the packet is broadcast. ARP requests are the examples for

59
00:05:02,970 --> 00:05:03,960
these kinds of packets.

60
00:05:04,980 --> 00:05:12,360
In the TCP tab, we can see TCP packets grouped by the addresses and this time by ports as well.

61
00:05:13,640 --> 00:05:19,280
Because the system may have different interactions with any other system. For example, Kali may

62
00:05:19,280 --> 00:05:26,270
have HTTP traffic through port 80 and at the same time it may have an SSH connection through

63
00:05:26,270 --> 00:05:27,410
port 22 as well.

64
00:05:29,060 --> 00:05:34,700
The same as TCP, packets are grouped by IPs and ports in the UDP tab.

65
00:05:36,310 --> 00:05:40,150
Here we have learned a lot of live systems, IP addresses and MAC addresses

66
00:05:40,540 --> 00:05:43,540
just by listening to the traffic going through our network interface.

67
00:05:44,650 --> 00:05:50,800
If you'd like to investigate the traffic between two machines, select a line, right click, and if you

68
00:05:50,800 --> 00:05:52,840
choose Apply as Filter from the menu,

69
00:05:53,830 --> 00:05:57,160
only these kinds of packets will be seen in Wireshark.

70
00:05:58,510 --> 00:06:00,430
I'll choose Find this time.

71
00:06:01,330 --> 00:06:04,360
As you see, an automatic query string is prepared.

72
00:06:05,050 --> 00:06:08,560
I can navigate between the packets by clicking the Find button.

73
00:06:12,570 --> 00:06:19,200
Go back to the Conversations window. At the bottom right, there is a Conversation Types button. When

74
00:06:19,200 --> 00:06:19,890
you click on it,

75
00:06:20,400 --> 00:06:22,530
a lot of different protocols are listed.

76
00:06:24,150 --> 00:06:27,990
These selected five are the default selected protocols.

77
00:06:28,860 --> 00:06:34,560
You can add any protocol from the list. When you select one of them, a new tab is added to the Conversations

78
00:06:34,560 --> 00:06:34,950
window.