1 00:00:00,410 --> 00:00:06,430 Hello, my name is Steve Bowen, and in this lecture you will learn the Wireshark packet capture approach, 2 00:00:06,440 --> 00:00:10,310 Wireshark dependencies, capture filters, etc. in detail. 3 00:00:10,310 --> 00:00:17,510 In this section we are covering the basics to get you started with Wireshark, and here, in order to start 4 00:00:17,510 --> 00:00:23,510 Wireshark, you can also go to the application menu here and type Wireshark in the search box, 5 00:00:23,510 --> 00:00:28,550 and you need to start Wireshark as the root user, with superuser privileges. 6 00:00:28,550 --> 00:00:30,410 You can enter the password. 7 00:00:30,410 --> 00:00:31,040 When you're in, 8 00:00:31,040 --> 00:00:37,130 this dialog appears and you can see everything you need, the network adapters and so on. 9 00:00:37,130 --> 00:00:41,600 You can also start Wireshark from the terminal; in order to do that, start a terminal. 10 00:00:41,780 --> 00:00:47,960 If you just type wireshark here, as you can see here, we can't see the Ethernet 11 00:00:47,960 --> 00:00:50,030 or any network interface cards. 12 00:00:50,030 --> 00:00:58,010 That's why we need to start Wireshark with sudo wireshark; you will enter the password, and that's it. 13 00:00:58,010 --> 00:01:04,470 Once the application is launched, the main interface is shown, including sections for basic capture 14 00:01:04,470 --> 00:01:07,470 controls, capture filters and display filters. 15 00:01:07,470 --> 00:01:13,200 Now you will select the desired interface from the list by clicking it and hit the start capture button 16 00:01:13,200 --> 00:01:13,740 to capture. 17 00:01:13,740 --> 00:01:18,370 In this case we have eth0 and any; you can also select any. 18 00:01:18,390 --> 00:01:23,100 In that case it will also listen to Bluetooth, to Wi-Fi, and so on. 19 00:01:23,100 --> 00:01:27,540 In this case we will select the Ethernet, because we don't have any other connected device. 
20 00:01:27,540 --> 00:01:30,900 So the Ethernet, and here, that's it. 21 00:01:30,900 --> 00:01:33,480 So we started on the Ethernet, if anything occurs. 22 00:01:33,480 --> 00:01:35,670 And as you can see here, our 23 00:01:38,220 --> 00:01:40,490 router and switches are talking. 24 00:01:40,500 --> 00:01:44,100 And here, as you can see here: "Who has this IP address? 25 00:01:44,100 --> 00:01:45,690 Tell this IP address." 26 00:01:45,690 --> 00:01:49,800 And as you can see here, there's a... I'm so excited with Wireshark here. 27 00:01:49,800 --> 00:01:52,890 So here we can start the capture here. 28 00:01:52,890 --> 00:01:58,710 So, the capture from here, and you can specify the filters, and that's it. 29 00:01:58,800 --> 00:02:07,200 So when a capture is in progress, by default it shows live the packets being captured, in various colors. 30 00:02:07,470 --> 00:02:12,750 And we can start again here, so we can go to our vulnerable web application here. 31 00:02:12,750 --> 00:02:15,300 In this case, it's target.com. 32 00:02:15,300 --> 00:02:16,740 And let's log out. 33 00:02:16,740 --> 00:02:24,240 And whenever we are doing something while Wireshark is running, or whenever someone does something on our local 34 00:02:24,240 --> 00:02:30,630 area network, it will show us the exact bytes, a byte-by-byte representation. 35 00:02:30,720 --> 00:02:35,760 And here we can start and stop the capture with these buttons here. 36 00:02:35,760 --> 00:02:38,830 And let's first understand the packets here. 37 00:02:38,830 --> 00:02:39,370 Right? 38 00:02:39,790 --> 00:02:43,690 So it's time to investigate a capture at the individual packet level. 39 00:02:44,610 --> 00:02:48,980 And this is an example of one of the TCP packets captured here. 40 00:02:48,990 --> 00:02:49,950 Now we will 41 00:02:50,730 --> 00:02:53,040 go here and enter our password. 42 00:02:53,040 --> 00:02:53,400 Right? 43 00:02:53,400 --> 00:03:00,600 So, for example, consider this as Facebook or any banking website here. 
44 00:03:00,600 --> 00:03:05,910 So now we will have admin, and we'll enter our password, and that's it. 45 00:03:05,940 --> 00:03:08,820 Now Wireshark should capture this. 46 00:03:08,970 --> 00:03:12,090 And here, as you can see here, we are seeing something. 47 00:03:12,090 --> 00:03:13,740 Let's actually stop it now. 48 00:03:13,740 --> 00:03:14,820 We will analyze it. 49 00:03:14,820 --> 00:03:19,890 And here we are seeing something neat to see, like login here, login.php, and as you can see here, 50 00:03:19,890 --> 00:03:24,210 it's application/x-www-form-urlencoded here. 51 00:03:24,210 --> 00:03:28,290 So now let's select this by clicking on it. 52 00:03:28,290 --> 00:03:33,810 You can select the packets, and here, in this pane, the packet details will appear. 53 00:03:33,840 --> 00:03:35,190 Let's actually use 54 00:03:37,050 --> 00:03:38,070 Gromit here. 55 00:03:38,070 --> 00:03:40,200 I will draw lines on the screen. 56 00:03:40,320 --> 00:03:41,220 That's it. 57 00:03:43,670 --> 00:03:46,460 And here we have the... 58 00:03:53,260 --> 00:03:54,590 Let's start Gromit. 59 00:03:54,610 --> 00:03:57,400 Here we have toggle painting, clear screen, and... 60 00:03:58,400 --> 00:03:59,060 Yes. 61 00:04:00,870 --> 00:04:03,090 As you can see, we also have the 62 00:04:05,140 --> 00:04:06,640 application drawing thing. 63 00:04:06,670 --> 00:04:07,370 That's it. 64 00:04:07,390 --> 00:04:11,020 So now, when a packet is selected, 65 00:04:11,050 --> 00:04:15,130 Wireshark opens the bottom panel. 66 00:04:15,160 --> 00:04:19,850 You can see here, the bottom panel; this is the bottom panel of Wireshark. 67 00:04:19,870 --> 00:04:25,960 So this bottom panel gives us important information on the features, which are conveniently 68 00:04:25,960 --> 00:04:31,180 presented in the same way as the OSI model. 
69 00:04:31,180 --> 00:04:36,430 So the number of layers seen changes as the protocol selected changes; here in this example, from the 70 00:04:36,430 --> 00:04:39,430 top down, we can see the frame layer. 71 00:04:39,700 --> 00:04:48,460 It has the protocol HTTP, as you can see here, and it's in the Ethernet data link layer. 72 00:04:48,460 --> 00:04:52,990 And we can also see the IP network layer. 73 00:04:53,110 --> 00:04:59,170 We have Ethernet II, Internet Protocol version 4 with source address and destination address, Transmission Control 74 00:04:59,410 --> 00:05:03,340 Protocol, and we have the port and so on. 75 00:05:03,340 --> 00:05:10,950 And we also have the Hypertext Transfer Protocol, from which we will get some pretty confident information, 76 00:05:10,950 --> 00:05:13,470 confidential information, here. 77 00:05:13,470 --> 00:05:18,470 So we will get the password we entered the last time we visited our website, right? 78 00:05:18,480 --> 00:05:25,560 So if there are more layers or headers in the packet, it is sequentially decoded in the Wireshark packet 79 00:05:25,560 --> 00:05:25,800 view. 80 00:05:25,830 --> 00:05:32,310 So for a packet with multiple encapsulated protocols to be decoded properly, there must be a dissector 81 00:05:32,310 --> 00:05:35,790 available that decodes the corresponding protocol layer. 82 00:05:35,790 --> 00:05:39,180 So every packet decode starts with the frame 83 00:05:39,180 --> 00:05:40,860 dissector, right. 84 00:05:41,370 --> 00:05:48,650 It dissects the details of the capture metadata itself, such as the timestamps. 85 00:05:48,660 --> 00:05:49,040 Right. 86 00:05:49,050 --> 00:05:55,260 So the frame dissector passes the data to the lowest-level dissector in the data link 87 00:05:55,260 --> 00:06:02,460 layer; for example, the Ethernet dissector gets triggered for the Ethernet header. 
88 00:06:02,460 --> 00:06:09,200 So the packet is then passed to the next dissector, in the network layer; for example, the IP version 89 00:06:09,200 --> 00:06:13,340 4 or version 6 dissector gets triggered, and so on. 90 00:06:13,340 --> 00:06:22,040 So each stage of the dissector decodes and displays the details of the packet, and dissectors can be written 91 00:06:22,040 --> 00:06:30,830 as a self-registering plugin, for example a shared library or DLL, or built into the Wireshark source code. 92 00:06:30,830 --> 00:06:37,220 So the biggest benefit of going with the plugin approach is that rebuilding a plugin is much faster, 93 00:06:37,220 --> 00:06:43,790 and if the dissector is built into the source code, Wireshark needs to be completely recompiled 94 00:06:43,790 --> 00:06:44,720 and rebuilt. 95 00:06:44,720 --> 00:06:47,810 Hence it makes more sense to write the dissector as a plugin. 96 00:06:47,810 --> 00:06:48,260 Right? 97 00:06:48,260 --> 00:06:54,080 So you will learn more details on these dissectors in the next lectures as well. 98 00:06:54,080 --> 00:06:59,180 But let's first get started with the capture filters in Wireshark. 99 00:06:59,180 --> 00:07:04,760 So we will discuss capture filters in detail in the next lectures, but only the basics have been included 100 00:07:04,760 --> 00:07:09,710 here in this section, for completeness of the getting started discussion. 101 00:07:09,710 --> 00:07:17,600 So capture filters are used to decrease the size of captures by filtering out only relevant packets 102 00:07:17,600 --> 00:07:21,440 matching the condition before they are added to the capture file. 103 00:07:21,830 --> 00:07:27,740 So clicking on the capture options button shows a screen containing a list of interfaces. 104 00:07:27,830 --> 00:07:34,790 So in order to do that, you will need to find this settings icon, and it's usually there. 105 00:07:35,060 --> 00:07:39,980 And here, when clicking on that, you will see this dialog here. 
106 00:07:39,980 --> 00:07:48,080 So to set a filter, either an interface can be double-clicked like this, or a custom filter can be entered 107 00:07:48,080 --> 00:07:49,490 in the box. 108 00:07:49,490 --> 00:07:50,060 Right? 109 00:07:50,060 --> 00:07:58,460 So now we will open that again, or before that, let's actually enter our 110 00:08:01,040 --> 00:08:03,380 password again, because our 111 00:08:04,360 --> 00:08:10,090 previous packet analysis is lost, because we don't save them as such here. 112 00:08:10,090 --> 00:08:11,170 And that's it. 113 00:08:11,770 --> 00:08:14,460 And now we're going to see the POST login here. 114 00:08:14,470 --> 00:08:16,960 This is usual for login pages, 115 00:08:18,030 --> 00:08:19,860 uh, that use the POST method. 116 00:08:20,600 --> 00:08:23,870 And here now, we will go to that again. 117 00:08:23,870 --> 00:08:25,400 So we stopped the filter. 118 00:08:25,490 --> 00:08:30,830 And here, as I said, you can double-click in the capture options. 119 00:08:30,830 --> 00:08:37,760 But remember, before double-clicking on any interface in this dialog, you need to save the file in 120 00:08:37,760 --> 00:08:41,210 order not to lose what was captured on the interface. 121 00:08:41,210 --> 00:08:51,110 So here, to set a filter, you can also select a custom filter, or one can be entered in the text box. 122 00:08:51,200 --> 00:08:58,160 So there's a list here that shows examples of simple capture filters. 123 00:08:58,160 --> 00:09:06,080 For example, we can use src host here, so we will enter src 124 00:09:06,110 --> 00:09:09,440 host. So let's actually scan our host with Nmap. 125 00:09:09,440 --> 00:09:11,390 So nmap -sV here. 126 00:09:11,990 --> 00:09:12,770 Typhoon. 127 00:09:13,100 --> 00:09:16,610 Typhoon target.com. 128 00:09:16,610 --> 00:09:24,320 And now we will get that host's domain IP address, the IP version 4 address, and now 129 00:09:26,460 --> 00:09:27,060 sorry. 
130 00:09:29,440 --> 00:09:34,660 We'll just put this here, and yes, we can see the IP address here: 131 00:09:35,410 --> 00:09:46,480 192.168.13.142. And now we will use this filter to listen only to the packets from this host. 132 00:09:46,810 --> 00:09:51,520 And here, in order to do that, we will just write that IP address down, 133 00:09:55,160 --> 00:10:06,110 because 13 point, yes, 142, and you can press start. And we can also save them before starting 134 00:10:06,110 --> 00:10:10,100 a new capture, or we will not save them in this course. 135 00:10:10,100 --> 00:10:16,430 And as you can see here, whenever we reload this page, something new will come here. 136 00:10:16,430 --> 00:10:17,930 And as you can see here, it's... 137 00:10:19,140 --> 00:10:20,490 the new information is gathering. 138 00:10:20,490 --> 00:10:23,270 So now we will press on logout. 139 00:10:23,280 --> 00:10:32,640 And here we also have this 302 Found, and we can read it from the Hypertext Transfer Protocol. 140 00:10:33,810 --> 00:10:35,130 We have no-cache, 141 00:10:36,210 --> 00:10:37,410 Content-Type, 142 00:10:37,440 --> 00:10:38,550 Content-Length, 143 00:10:38,550 --> 00:10:39,870 and so on. 144 00:10:39,990 --> 00:10:44,130 Now, what we are going to do is we will do that example again. 145 00:10:44,130 --> 00:10:49,110 We will enter our login, in this case admin and our password. 146 00:10:49,110 --> 00:10:49,590 That's it. 147 00:10:49,590 --> 00:10:50,670 And click on login. 148 00:10:50,670 --> 00:10:56,610 And here, as you can see here, we are seeing that familiar POST request again. 149 00:10:59,260 --> 00:10:59,740 Yes. 150 00:11:01,530 --> 00:11:02,700 We have this, this, 151 00:11:02,700 --> 00:11:03,540 this here. 152 00:11:10,720 --> 00:11:15,340 Let's log in and log out again, and admin here, and 153 00:11:17,990 --> 00:11:18,800 password. 154 00:11:23,060 --> 00:11:26,000 And here, as you can see here, we have several pieces of information here. 
155 00:11:26,000 --> 00:11:28,160 So you can also use other 156 00:11:30,280 --> 00:11:32,350 filters as well, like 157 00:11:32,380 --> 00:11:33,060 net. 158 00:11:33,070 --> 00:11:33,640 Right. 159 00:11:33,640 --> 00:11:36,520 So we can, with this net here, 160 00:11:37,850 --> 00:11:41,630 and you will need to delete this and add a /24 subnet mask, 161 00:11:41,630 --> 00:11:49,280 so we will listen to the packets to and from all hosts that are part of the network here, 162 00:11:49,280 --> 00:11:53,090 so from the .0 to the .255 IP address. 163 00:11:53,090 --> 00:11:53,730 Right, right. 164 00:11:53,810 --> 00:12:03,530 So we can also use port here, port, and we will listen only to packets that 165 00:12:05,940 --> 00:12:07,800 are connected within this port here, 166 00:12:07,800 --> 00:12:10,440 so communicating with this port here. And 167 00:12:11,460 --> 00:12:16,770 now, since we are communicating on port 80, we will see information here. 168 00:12:19,380 --> 00:12:25,820 And we also have the display filters in Wireshark, which we will discuss in the next lecture. 169 00:12:25,830 --> 00:12:29,040 My name is Stefan, and I'm waiting for you in the next lecture.