1
00:00:00,720 --> 00:00:07,650
So in typical traffic capturing on a network interface, there are a lot of packets received from and

2
00:00:07,650 --> 00:00:09,570
delivered to all over the network.

3
00:00:09,810 --> 00:00:11,940
And, well, the internet as well.

4
00:00:12,660 --> 00:00:16,980
So let's see how we can take a picture of that network.

5
00:00:18,620 --> 00:00:21,170
Let's go to Kali and start Wireshark.

6
00:00:22,040 --> 00:00:28,430
You can start Wireshark from the applications menu or open a terminal window and type wireshark to start

7
00:00:28,430 --> 00:00:28,820
the app.

8
00:00:29,780 --> 00:00:34,360
Don't worry about the ampersand at the end of the command; putting an ampersand at the end of a command

9
00:00:34,370 --> 00:00:36,680
causes the shell to run the process in the background.

10
00:00:37,100 --> 00:00:38,540
It's sort of multitasking.

11
00:00:39,500 --> 00:00:44,000
You can have many processes running, but only one in the foreground at any given point.

12
00:00:44,600 --> 00:00:50,210
The process in the foreground is the process that appears to have locked up the terminal. Whatever.

13
00:00:51,530 --> 00:00:54,830
The first message is because we are a super user.

14
00:00:55,910 --> 00:00:56,570
No worries.

15
00:00:57,170 --> 00:00:57,470
OK.

16
00:00:57,890 --> 00:01:02,690
The welcome page of Wireshark asks which interface we would like to listen to first.

17
00:01:03,960 --> 00:01:05,970
So let's have a look at the interfaces of our system.

18
00:01:07,440 --> 00:01:14,070
To look at the interfaces and to remember the IP address of Kali, open the terminal and type ifconfig.

19
00:01:15,330 --> 00:01:20,790
There are two results of the ifconfig command: eth0 and lo.

20
00:01:21,840 --> 00:01:29,400
eth0 is the first Ethernet interface; additional Ethernet interfaces would be named eth1, eth2,

21
00:01:29,400 --> 00:01:30,110
et cetera.

22
00:01:30,750 --> 00:01:32,250
Here we have only one.

23
00:01:33,260 --> 00:01:35,840
Now, lo is the loopback interface.

24
00:01:36,200 --> 00:01:40,820
This is a special network interface that the system uses to communicate with itself.

25
00:01:41,870 --> 00:01:44,720
eth0 is the interface that we're interested in at the moment.

26
00:01:45,860 --> 00:01:52,370
Double click to open eth0 on the main page of Wireshark to start capturing the packets passing through

27
00:01:52,370 --> 00:01:53,750
our Ethernet interface.

28
00:01:54,320 --> 00:01:57,560
Now, to speed it up, let's create some network traffic.

29
00:01:58,010 --> 00:02:02,420
Open one of my virtual machines, OWASP BWA, and ping Kali.

30
00:02:05,770 --> 00:02:08,600
To stop the ping command, press Ctrl+C.

31
00:02:08,620 --> 00:02:12,990
Type ifconfig to learn the IP address of the machine.

32
00:02:14,340 --> 00:02:18,420
Now I go to another VM, Metasploit, and ping the last VM first.

33
00:02:27,110 --> 00:02:28,640
And then ping Kali.

34
00:02:37,420 --> 00:02:40,720
Here we have a lot of ICMP and ARP traffic at the moment.

35
00:02:45,400 --> 00:02:46,750
So let's generate some traffic.

36
00:02:47,050 --> 00:02:52,030
I open the browser in Kali and visit the website served by the OWASP BWA machine.

37
00:03:02,520 --> 00:03:07,100
And for even more traffic, I visit nhs.uk.

38
00:03:07,410 --> 00:03:08,550
My favorite website.

39
00:03:09,910 --> 00:03:10,840
OK, that's enough.

40
00:03:11,080 --> 00:03:18,070
Let's turn back to Wireshark. As you see, we have a lot of packets captured and new packets arrive

41
00:03:18,070 --> 00:03:27,550
every second: ARP packets, TCP packets, TLS packets for HTTPS traffic, etc. Here, we don't investigate

42
00:03:27,550 --> 00:03:28,870
the packets in detail.

43
00:03:29,380 --> 00:03:32,920
We want to learn about the systems which are interacting with us.

44
00:03:33,850 --> 00:03:37,300
So go to the Statistics menu and select Conversations.

45
00:03:37,960 --> 00:03:40,990
There are five tabs in the Conversations window by default.

46
00:03:41,960 --> 00:03:49,130
And we're on the IPv4 tab at the moment. Here, there are IP packets grouped by Address A and Address

47
00:03:49,130 --> 00:03:59,840
B, and in each line we see how many packets were sent up to now, the total size of the packets in bytes, the number and

48
00:03:59,840 --> 00:04:04,040
size of packets from A to B and from B to A, et cetera.

49
00:04:05,460 --> 00:04:09,240
There is traffic between 8.8.8.8 and my Kali.

50
00:04:10,210 --> 00:04:18,280
Now, I know that 8.8.8.8 is the IP address of Google DNS, so I must have set the Google DNS as the

51
00:04:18,280 --> 00:04:19,340
DNS of my Kali.

52
00:04:19,570 --> 00:04:21,580
You know, I'd like to look at the network config.

53
00:04:27,120 --> 00:04:31,920
And yes, my DNS address is 8.8.8.8.

54
00:04:35,730 --> 00:04:39,240
In the Ethernet tab, we can see the MAC addresses of the systems.

55
00:04:40,280 --> 00:04:47,060
The address full of F's means that the packet is broadcast; ARP requests are the examples for

56
00:04:47,060 --> 00:04:48,050
these kinds of packets.

57
00:04:49,050 --> 00:04:56,450
In the TCP tab, we can see TCP packets grouped by the addresses and this time by ports as well.

58
00:04:57,700 --> 00:05:03,370
Because a system may have different interactions with any other system; for example, Kali may

59
00:05:03,370 --> 00:05:10,330
have HTTP traffic through port 80 and at the same time, it may have an SSH connection through

60
00:05:10,360 --> 00:05:11,500
22 as well.

61
00:05:13,140 --> 00:05:18,780
Same as TCP, packets are grouped by IPs and ports in the UDP tab.

62
00:05:20,390 --> 00:05:24,230
Here we have learned a lot of live systems, IP addresses and MAC addresses,

63
00:05:24,620 --> 00:05:27,620
just listening to the traffic going through our network interface.

64
00:05:28,730 --> 00:05:34,880
If you'd like to investigate the traffic between two machines, select a line, right click, and

65
00:05:34,880 --> 00:05:36,920
choose Apply as Filter from the menu.

66
00:05:37,910 --> 00:05:41,240
Only these kinds of packets will be seen in Wireshark.

67
00:05:42,590 --> 00:05:44,510
I'll choose Find this time.

68
00:05:45,410 --> 00:05:48,440
As you see, an automatic query string is prepared.

69
00:05:49,160 --> 00:05:52,670
I can navigate between the packets by clicking the Find button.

70
00:05:56,650 --> 00:06:03,310
Go back to the Conversations window. At the bottom right, there is a Conversation Types button; when

71
00:06:03,310 --> 00:06:03,970
you click on it,

72
00:06:04,510 --> 00:06:06,610
a lot of different protocols are listed.

73
00:06:08,240 --> 00:06:12,080
These selected five are the default selected protocols.

74
00:06:12,920 --> 00:06:18,650
You can add any protocol from the list; when you select one of them, a new tab is added to the Conversations

75
00:06:18,650 --> 00:06:19,040
window.