1
00:00:00,920 --> 00:00:05,840
So Wireshark is not a disaster movie set in the wide open sea.

2
00:00:06,140 --> 00:00:13,430
It is a free, open source and the world's foremost network packet analyzer, and it is the de facto

3
00:00:13,430 --> 00:00:18,830
standard across system and network administrators with a graphical user interface.

4
00:00:19,310 --> 00:00:25,280
Wireshark has the ability to listen and record traffic, as well as advanced filtering and reviewing

5
00:00:25,280 --> 00:00:25,730
options.

6
00:00:26,450 --> 00:00:32,900
So I'm going to visit an HTTP website first, then an HTTPS website.

7
00:00:34,910 --> 00:00:36,860
Let's go to Kali and run Wireshark.

8
00:00:38,120 --> 00:00:41,240
You can open a terminal screen and type wireshark to start it.

9
00:00:43,180 --> 00:00:47,260
So these are the network interfaces that Wireshark is able to listen to.

10
00:00:48,350 --> 00:00:54,230
You open another terminal screen and run the ifconfig command to see the network interfaces.

11
00:00:55,070 --> 00:00:59,690
So as you know, ifconfig stands for network interface configuration.

12
00:01:00,020 --> 00:01:05,690
So if we use the command without any parameter, it'll list all the interfaces available.

13
00:01:06,950 --> 00:01:10,160
We have eth0 as a network interface to listen to.

14
00:01:11,780 --> 00:01:16,730
So now I'll turn back to Wireshark and double click eth0 to select it.

15
00:01:17,900 --> 00:01:22,040
Now, Wireshark starts to listen to the Ethernet interface of Kali.

16
00:01:22,980 --> 00:01:28,440
And to create some traffic, I'll open a Web browser and just visit an arbitrary website.

17
00:01:39,020 --> 00:01:44,450
And now we have enough packets to examine, so I click the stop button at the upper left corner of Wireshark

18
00:01:44,750 --> 00:01:46,190
to stop listening to the traffic.

19
00:01:46,880 --> 00:01:53,120
So first, we have some DNS packets to find out the IP address of the visited site.

20
00:01:53,930 --> 00:01:58,910
We'll look at these kinds of packets soon, but right now, let's just have a brief look.

21
00:01:59,510 --> 00:02:03,020
So a DNS query for IP version 4.

22
00:02:04,180 --> 00:02:07,120
Another DNS query for IP version 6.

23
00:02:07,450 --> 00:02:10,510
Don't worry about the versions right now, we'll cover them soon, I promise.

24
00:02:11,380 --> 00:02:17,290
These DNS queries are transferred as UDP packets in the transport layer.

25
00:02:17,800 --> 00:02:19,840
The destination port is 53.

26
00:02:20,840 --> 00:02:25,400
This is the IP packet with the source and the destination IP addresses.

27
00:02:26,390 --> 00:02:32,270
So we'll go through the layers one by one, and we'll see all these packets, datagrams and frames

28
00:02:32,420 --> 00:02:33,230
in detail.

29
00:02:33,620 --> 00:02:34,550
So we'll keep going.

30
00:02:36,190 --> 00:02:38,920
This is the structure of the Ethernet frame.

31
00:02:43,670 --> 00:02:48,670
First, there are two DNS queries for www.hackeracademy.uk.

32
00:02:49,630 --> 00:02:57,790
One for the IPv4 address, and the other one is for the IPv6 address, and because the website is redirected

33
00:02:57,790 --> 00:03:03,460
to hackeracademy.uk, there are two more DNS requests for this address.

34
00:03:04,840 --> 00:03:08,710
The next DNS packets are the DNS query responses.

35
00:03:08,890 --> 00:03:10,390
This response is type A.

36
00:03:10,810 --> 00:03:14,320
That means it's an answer for the IPv4 request.

37
00:03:15,310 --> 00:03:16,540
And here's the answer.

38
00:03:17,290 --> 00:03:18,820
The IP address of the website.

39
00:03:20,890 --> 00:03:29,170
Now, the DNS response packet uses UDP at the transport layer, IP at the network layer, etc.

40
00:03:30,350 --> 00:03:34,850
Here we have a TCP handshake between Kali and the Web server.

41
00:03:35,390 --> 00:03:37,640
We'll also see this in detail later on.

42
00:03:39,100 --> 00:03:46,210
A SYN packet, a SYN-ACK as a reply and an ACK packet to complete the handshake.

43
00:03:48,270 --> 00:03:51,480
This is an HTTP GET request.

44
00:03:52,260 --> 00:03:57,870
We learned the IP address of the website and now the system is ready to receive the web page.

45
00:04:00,080 --> 00:04:02,780
HTTP protocol in the application layer.

46
00:04:03,710 --> 00:04:06,860
Now you can see the headers and the parameters of the request.

47
00:04:08,500 --> 00:04:14,980
TCP protocol in the transport layer: source port, destination port, flags, etc.

48
00:04:16,500 --> 00:04:18,750
IP protocol in the network layer.

49
00:04:20,030 --> 00:04:22,670
Here are the source and destination addresses.

50
00:04:24,090 --> 00:04:26,340
And the Ethernet frame in layer two.

51
00:04:28,360 --> 00:04:33,350
These are the TCP packets which will build the HTTP response.

52
00:04:33,370 --> 00:04:35,770
So in this example, it's the web page.

53
00:04:36,190 --> 00:04:42,730
In other words, the response is transferred between the web server and our system as fragmented packets

54
00:04:42,730 --> 00:04:43,990
in the transport layer.

55
00:04:46,420 --> 00:04:49,640
Here's the HTTP response 200, OK.

56
00:04:49,900 --> 00:04:51,940
So the Web page is received.

57
00:04:52,270 --> 00:04:54,700
And here's the data, which is our web page.

58
00:04:56,350 --> 00:05:00,910
These are the response details: response type, headers, et cetera.

59
00:05:03,380 --> 00:05:10,040
Here there's additional information produced by Wireshark, which says that the HTTP response is created

60
00:05:10,040 --> 00:05:13,910
by reassembling five TCP segments or packets.

61
00:05:14,900 --> 00:05:21,530
So now I'd like to show you the difference between that and HTTPS traffic.

62
00:05:23,080 --> 00:05:26,890
So I'll go to the browser and visit an HTTPS page now.

63
00:05:28,560 --> 00:05:31,260
But before visiting the page, let's start Wireshark.

64
00:05:31,920 --> 00:05:34,770
Here's the start button: continue without saving.

65
00:05:36,670 --> 00:05:38,320
OK, now we have a clean sheet.

66
00:05:39,350 --> 00:05:41,450
So I'll go to the browser and hit Enter.

67
00:05:41,870 --> 00:05:43,880
Wow, lots of packets in milliseconds.

68
00:05:44,150 --> 00:05:46,750
So we've got plenty of packets to investigate.

69
00:05:46,760 --> 00:05:48,470
Just click the stop button once again.

70
00:05:49,730 --> 00:05:57,950
OK, so the DNS request and the response packets first; here is a response with an IPv4 address.

71
00:05:59,990 --> 00:06:06,710
Here there is a TCP three-way handshake between Kali and port 443 of Google's web server.

72
00:06:07,790 --> 00:06:08,870
And now a Client

73
00:06:08,900 --> 00:06:14,930
Hello TLS packet to start the TLS handshake, again between Kali and the Google server.

74
00:06:16,370 --> 00:06:23,390
Now, to get rid of the other traffic records, I'd like to filter the results by the IP address of

75
00:06:23,390 --> 00:06:24,380
the Google server.

76
00:06:25,600 --> 00:06:33,190
Now, while the mouse pointer is on the server IP address, right click and go to Apply as Filter and

77
00:06:33,190 --> 00:06:35,380
select the Selected option.

78
00:06:36,550 --> 00:06:43,150
So as you can see here in the filter bar, the IP address is assigned as the destination IP address.

79
00:06:43,930 --> 00:06:51,340
Now we only have to see the traffic where the destination is the Google server, but we'd like to see

80
00:06:51,340 --> 00:06:53,590
both the incoming and the outgoing traffic.

81
00:06:53,950 --> 00:07:01,990
So I'll change the dst part of the filter to addr and click the blue arrow to activate the new filter.

82
00:07:02,650 --> 00:07:05,170
Now we can see the traffic in both directions.

83
00:07:06,440 --> 00:07:10,280
OK, so here we are at the Client Hello TLS message.

84
00:07:11,490 --> 00:07:20,070
Here are the details of the message. TLS uses the TCP protocol in the transport layer. The Google server replies

85
00:07:20,070 --> 00:07:24,630
with a Server Hello message as the second step of the TLS handshake.

86
00:07:25,730 --> 00:07:32,600
Then come the Certificate and Server Key Exchange, and the Server Hello Done message is sent by the

87
00:07:32,600 --> 00:07:32,990
server.

88
00:07:34,630 --> 00:07:39,400
Kali sends the Client Key Exchange, the Google server sends a New Session Ticket.

89
00:07:40,630 --> 00:07:43,150
And the encrypted communication starts.

90
00:07:45,640 --> 00:07:50,320
Here is some encrypted application data, which is meaningless for others who listen to the traffic.

91
00:07:51,940 --> 00:07:58,000
And as you can see here, the message is encrypted at the application layer, so you can still see the

92
00:07:58,000 --> 00:08:01,360
source and the destination addresses, the ports, et cetera.

93
00:08:02,480 --> 00:08:05,900
This is how an IPv4 packet is seen on Wireshark.

94
00:08:07,010 --> 00:08:09,200
So it's a DNS query response.

95
00:08:10,070 --> 00:08:12,980
The fields we mentioned are seen pretty clearly.

96
00:08:14,060 --> 00:08:14,960
Version is 4.

97
00:08:16,710 --> 00:08:20,280
Header length is five words, which means there are no options.

98
00:08:21,630 --> 00:08:23,520
Total length is 96 bytes.

99
00:08:24,730 --> 00:08:27,430
The MF and DF flags are not set.

100
00:08:28,730 --> 00:08:32,840
And you can see the source and the destination addresses and all the rest.