1 00:00:10,460 --> 00:00:11,660 Welcome back everyone.
2 00:00:11,750 --> 00:00:18,020 Let's do a quick demo on Wireshark and see how exactly Wireshark captures packets. So you can go to Start,
3 00:00:18,500 --> 00:00:24,150 type Wireshark, right click on it and we can open it as administrator.
4 00:00:25,800 --> 00:00:27,170 We can wait.
5 00:00:28,090 --> 00:00:33,690 The UI loads and you can see all the capturing interfaces that Wireshark was able to figure out.
6 00:00:33,850 --> 00:00:41,110 If you see on the Local Area Connection, that's where the traffic is currently flowing from my virtual
7 00:00:41,110 --> 00:00:47,860 machine, going all the way out to the internet, so I can just double click on it and
8 00:00:47,860 --> 00:00:50,610 it will start capturing the packets for me.
9 00:00:51,690 --> 00:00:57,180 You'll see that a bunch of activity is going on; there are some Microsoft Update activities going on as well
10 00:00:57,180 --> 00:00:59,050 which aren't captured.
11 00:00:59,050 --> 00:01:12,640 Let's go to Chrome and just visit any website and come back to Wireshark, and see a bunch of DNS requests
12 00:01:12,890 --> 00:01:18,280 and a lot of other internet activity. When you launch Wireshark you will see that it's capturing
13 00:01:18,280 --> 00:01:23,650 a lot of traffic, so your machine is constantly doing some or the other network activity, like operating
14 00:01:23,650 --> 00:01:30,210 system updates, some application trying to update itself, or your browser is trying to update the add-
15 00:01:30,210 --> 00:01:34,930 on or trying to make some connection to check if there are new versions available, and things like
16 00:01:34,930 --> 00:01:35,470 that.
17 00:01:35,470 --> 00:01:42,090 So Wireshark will constantly capture a lot of information once you start it.
18 00:01:42,250 --> 00:01:49,720 Let's wait for a while so that we have enough traffic captured, and once we are done with capturing we
19 00:01:49,720 --> 00:01:59,500 can click on Stop and the packet capture will stop. Now let us come to the display filter that we
20 00:01:59,500 --> 00:02:02,110 talked about in the previous few videos.
21 00:02:02,110 --> 00:02:07,000 So to begin with, let's just look at all the DNS requests that were made.
22 00:02:07,330 --> 00:02:12,310 So if you can see here, we have a request to Microsoft, we have requests to Google.
23 00:02:12,300 --> 00:02:16,470 We have a request to Rediff; that was the one that was made to our browser.
24 00:02:16,630 --> 00:02:21,040 And if you keep scrolling down you'll notice a lot of different requests.
25 00:02:21,040 --> 00:02:29,890 For example, Rediff tried to launch emails, it launched some ads, went to bookstore to dot com and so
26 00:02:29,890 --> 00:02:30,130 on.
27 00:02:30,130 --> 00:02:35,760 So that's all the DNS requests that were captured by Wireshark while the session was active.
28 00:02:35,770 --> 00:02:44,030 Similarly we can go to HTTP requests, press Enter, and it will give us all the HTTP requests
29 00:02:44,090 --> 00:02:45,530 that were made during the session.
30 00:02:45,530 --> 00:02:48,540 You can see there was a Microsoft Update request.
31 00:02:48,630 --> 00:02:54,390 Then there were a few more HTTP requests made directly to a page.
32 00:02:54,410 --> 00:03:00,520 There are some Chrome browser requests, then Rediff makes some specific requests.
33 00:03:00,530 --> 00:03:05,150 So these are usually the subsidiary redirects that a website does.
34 00:03:05,150 --> 00:03:12,830 Once you make a request to the website, for example we type rediff.com, but rediff.com internally
35 00:03:12,830 --> 00:03:14,660 calls a lot of different websites.
36 00:03:14,660 --> 00:03:19,410 For example, if you look here, that is a GET request that was made to an image.
37 00:03:19,490 --> 00:03:21,740 So this image might be there on the page.
38 00:03:21,810 --> 00:03:29,080 And it's trying to fetch an image from somewhere, and that's why it got captured as a GET request.
39 00:03:29,090 --> 00:03:32,570 So this is how you can look at all the HTTP packets.
40 00:03:32,660 --> 00:03:38,680 You can also look at all the TCP packets similarly, and you will get much more details about the TCP
41 00:03:38,680 --> 00:03:41,610 data that went in and out.
42 00:03:41,740 --> 00:03:49,030 So if you look here, this is the first GET request made to the page rediff.com using our web browser.
43 00:03:49,030 --> 00:03:58,470 Now the 3 TCP requests right above it are pretty interesting. If you look at the first one you'll see
44 00:03:58,470 --> 00:04:05,130 that it's a SYN request that went from your machine to the server.
45 00:04:05,190 --> 00:04:11,200 Then there is a SYN packet which was sent by the server back to your machine.
46 00:04:11,280 --> 00:04:18,770 And finally there was an ACK packet which was sent from you to the particular server.
47 00:04:18,780 --> 00:04:25,370 So what exactly is this? If you guessed correctly, this is the TCP three-way handshake.
48 00:04:25,820 --> 00:04:33,940 It's basically a method used in TCP/IP networks to create a connection between a local host and a server.
49 00:04:33,950 --> 00:04:40,100 It's a three-step method that requires both the client and server to exchange SYN and ACK packets before
50 00:04:40,100 --> 00:04:42,410 the actual communication begins.
51 00:04:42,410 --> 00:04:49,860 So once the three-way handshake is set up, that's when you get a response for your GET request. I'll
52 00:04:49,870 --> 00:04:55,450 create a small exercise on the three-way handshake for this video so that you can read more about it in much
53 00:04:55,450 --> 00:04:56,640 more detail.
54 00:04:56,650 --> 00:05:03,550 So this is how you can basically interact with Wireshark and you can understand what
55 00:05:03,550 --> 00:05:05,880 is actually going on inside your network.
56 00:05:06,280 --> 00:05:09,890 Scrolling down here, if you look down,
57 00:05:09,910 --> 00:05:14,400 you have the Transmission Control Protocol, the TCP, details.
58 00:05:14,500 --> 00:05:20,950 So you have the source port, the destination port, then you'll have source IP, you'll have destination
59 00:05:20,950 --> 00:05:26,050 IP, you'll have all the different flags, you'll have options, you have sequence and analysis.
60 00:05:26,050 --> 00:05:27,430 So these are nothing
61 00:05:27,610 --> 00:05:33,930 but all the different headers that constitute a TCP packet.
62 00:05:33,940 --> 00:05:39,220 So if you read about TCP, or if you read about TCP headers, these are the fields that you are going
63 00:05:39,220 --> 00:05:45,910 to see. In that you will see source port, destination port, you'll have information about sequence
64 00:05:45,910 --> 00:05:46,690 numbers.
65 00:05:46,720 --> 00:05:50,830 So what the sequence number tells you is, if a packet transmits
66 00:05:50,830 --> 00:05:55,510 and if it gets divided into different chunks, then they will all have different sequence numbers, so this
67 00:05:55,510 --> 00:05:59,940 is what the sequence number is; it contains that information for you.
68 00:05:59,980 --> 00:06:02,960 So let's try something else.
69 00:06:02,960 --> 00:06:09,050 For example, let's say we want to see all the GET requests, the GET HTTP requests, that were
70 00:06:09,050 --> 00:06:10,540 made from this machine.
71 00:06:10,610 --> 00:06:17,890 So we type tcp contains "GET" and we'll press Enter.
72 00:06:18,110 --> 00:06:19,630 So this is a string match.
73 00:06:19,630 --> 00:06:24,730 We say that: give me all the TCP packets that contain GET in them.
74 00:06:24,800 --> 00:06:30,100 So this is where we get all the GET requests that are made to our machine.
75 00:06:30,230 --> 00:06:38,400 Similarly, let's say you want to know about the traffic going in and out to a specific IP address.
76 00:06:38,420 --> 00:06:49,690 For example, let's say 23.6.199.10, and you can type ip.addr ==
77 00:06:49,690 --> 00:06:52,670 23.6.199.10.
78 00:06:52,730 --> 00:06:57,290 You can press Enter and you get everything filtered out based on the IP address.
79 00:06:57,290 --> 00:07:05,360 So this is how display filters help you in narrowing down your traffic to look for specific information
80 00:07:05,450 --> 00:07:11,500 or to look for a specific packet that can help you in answering the questions in much more detail.
81 00:07:11,870 --> 00:07:14,160 So this was a quick demo about Wireshark.
82 00:07:14,290 --> 00:07:15,590 That's it for this video.
83 00:07:15,590 --> 00:07:16,010 Thanks a lot.