1
00:00:01,200 --> 00:00:01,500
Okay.

2
00:00:01,500 --> 00:00:04,230
So let's see if we can answer these questions together.

3
00:00:04,500 --> 00:00:08,580
First question is: which version of OSPF is used in the topology?

4
00:00:09,060 --> 00:00:16,230
So all I've done is run a filter on this Wireshark capture for OSPF.

5
00:00:16,230 --> 00:00:22,620
So filtering on OSPF allows me to filter out the other protocols and only see the OSPF messages.

6
00:00:23,280 --> 00:00:28,680
What we're seeing here is a router with this IP address, 10.1.3.251, and

7
00:00:28,680 --> 00:00:31,760
another router with this IP address, 10.1.3.252,

8
00:00:31,800 --> 00:00:38,130
sending multicasts to the well-known multicast address of 224.0.0.5.

9
00:00:38,250 --> 00:00:43,770
So we see some hello packets and then we actually see a message directly from one router to the other.

10
00:00:44,100 --> 00:00:50,850
We see continued hello packets and then we get some database description messages, request messages,

11
00:00:50,850 --> 00:00:56,160
so link state request and update messages, database descriptions and so forth.

12
00:00:56,490 --> 00:01:00,720
But just off these hello messages, we should be able to determine a lot of information.

13
00:01:01,770 --> 00:01:03,930
I'm going to go into a little bit more detail here.

14
00:01:03,960 --> 00:01:05,010
I hope that's okay.

15
00:01:05,010 --> 00:01:08,670
But I want to make sure that everyone understands how the protocol works.

16
00:01:09,660 --> 00:01:10,410
First thing.

17
00:01:10,500 --> 00:01:13,200
Layer two: notice source MAC address.

18
00:01:14,650 --> 00:01:17,890
Destination is the OSPF multicast address.

19
00:01:17,890 --> 00:01:20,290
So IP version four multicast.

20
00:01:20,350 --> 00:01:24,050
This is the MAC address for IP version four multicast.

21
00:01:24,070 --> 00:01:33,580
01:00:5e, and then this portion, the last 23 bits, is actually determined by the multicast address.

22
00:01:33,580 --> 00:01:39,510
The well-known multicast address, as we can see here, for OSPF is 224.0.0.5.

23
00:01:39,520 --> 00:01:43,000
So the MAC address is 01:00:5e:00:00:05.

24
00:01:43,120 --> 00:01:50,530
So multicast MAC address for OSPF at layer two. We see that the layer three protocol is IP version

25
00:01:50,530 --> 00:01:51,130
four.

26
00:01:51,310 --> 00:01:53,950
So the type field is set to 0x0800.

27
00:01:54,910 --> 00:01:58,210
So IP version four, source IP address, destination IP address.

28
00:01:58,210 --> 00:02:00,910
We can see once again, here's an interesting field.

29
00:02:00,910 --> 00:02:08,199
Notice the DSCP, or differentiated services code point, is set to CS6, class selector 6.

30
00:02:08,320 --> 00:02:14,320
That is actually a higher priority than expedited forwarding, which is used for voice over IP.

31
00:02:14,320 --> 00:02:18,820
Routing protocols are deemed to be more important than voice over IP.

32
00:02:19,480 --> 00:02:24,430
In other words, this is some of the most important traffic that you can have on a network, and

33
00:02:24,430 --> 00:02:26,530
it makes sense: if you can't route,

34
00:02:26,530 --> 00:02:31,150
in other words, if routing protocols can't communicate and can't send routing updates to each other,

35
00:02:31,180 --> 00:02:33,430
you will not be able to forward traffic in your network.

36
00:02:33,430 --> 00:02:35,020
So everything else will break.

37
00:02:35,020 --> 00:02:39,760
So you need your routing protocols to be prioritized over other traffic types.

38
00:02:39,760 --> 00:02:44,920
So CS6, in other words, very, very important traffic in the network.

39
00:02:45,850 --> 00:02:47,440
But let's go down a bit further.

40
00:02:47,470 --> 00:02:48,100
I'll.

41
00:02:48,850 --> 00:02:51,490
Make the Wireshark window bigger.

42
00:02:51,790 --> 00:02:56,610
Notice protocol OSPF IGP, protocol number 89.

43
00:02:56,620 --> 00:03:00,250
This is the well-known protocol number for OSPF.

44
00:03:00,520 --> 00:03:01,840
It's a good one to remember.

45
00:03:01,840 --> 00:03:05,600
So 89 is OSPF, which actually makes it easy for us.

46
00:03:05,620 --> 00:03:09,010
It's interpreting the protocol number automatically.

47
00:03:09,220 --> 00:03:10,300
Source IP address.

48
00:03:10,300 --> 00:03:12,640
Destination IP address once again displayed.

49
00:03:12,790 --> 00:03:15,550
This implies that this is OSPF.

50
00:03:15,790 --> 00:03:19,210
So in Wireshark at layer four, we see OSPF.

51
00:03:19,450 --> 00:03:26,020
So layer two Ethernet, layer three IP version four, layer four OSPF.

52
00:03:26,710 --> 00:03:29,890
There's a bit of debate whether OSPF is layer three or layer four.

53
00:03:30,310 --> 00:03:31,720
We won't get into that debate.

54
00:03:31,720 --> 00:03:36,710
But essentially OSPF relies on IP version four in this case.

55
00:03:36,730 --> 00:03:39,310
So which version of OSPF are we running?

56
00:03:39,340 --> 00:03:41,530
It's OSPF version two.

57
00:03:41,950 --> 00:03:45,790
So which version of OSPF? v2.

58
00:03:46,450 --> 00:03:50,980
We can see that clearly in the Wireshark capture over there.

59
00:03:51,400 --> 00:03:52,940
This is a hello packet.

60
00:03:52,960 --> 00:03:54,460
This is the size of the packet.

61
00:03:54,460 --> 00:03:55,570
So it's the length.

62
00:03:55,810 --> 00:03:58,810
This is the source of the message.

63
00:03:58,840 --> 00:04:02,290
This is actually the IP address of router one.

64
00:04:02,740 --> 00:04:08,410
This IP address, 10.1.3.252, is the IP address of router two.

65
00:04:09,250 --> 00:04:10,330
But for now.

66
00:04:10,360 --> 00:04:12,100
Note IP address.

67
00:04:13,160 --> 00:04:18,690
Of router one. Area ID 0.0.0.0, backbone area.

68
00:04:18,709 --> 00:04:25,280
So we can actually answer this question as well, the backbone area, and I'll make this a different color,

69
00:04:25,970 --> 00:04:27,170
let's say blue.

70
00:04:28,050 --> 00:04:29,370
Area is.

71
00:04:30,100 --> 00:04:34,390
The area in this example is area zero.

72
00:04:34,420 --> 00:04:40,660
It can be written as zero or it can be written like this; same thing.

73
00:04:40,690 --> 00:04:41,500
Is it a router?

74
00:04:41,530 --> 00:04:42,370
Is it a router?

75
00:04:42,400 --> 00:04:43,360
Is it a tomato?

76
00:04:43,390 --> 00:04:44,650
Is it a tomato?

77
00:04:44,680 --> 00:04:46,840
Same concept.

78
00:04:46,960 --> 00:04:48,340
It's area zero.

79
00:04:49,450 --> 00:04:50,020
Okay.

80
00:04:50,020 --> 00:04:52,070
So checksum is correct.

81
00:04:52,090 --> 00:04:54,010
That means there's no problem with the packet.

82
00:04:54,220 --> 00:04:57,730
Notice the authentication type is simple password.

83
00:04:58,150 --> 00:05:01,300
So is authentication used?

84
00:05:01,420 --> 00:05:02,980
Yes, it is.

85
00:05:03,460 --> 00:05:07,480
So authentication is simple.

86
00:05:07,660 --> 00:05:09,010
Simple password is used.

87
00:05:09,040 --> 00:05:10,710
Very bad idea.

88
00:05:10,720 --> 00:05:12,250
But that's what we've got here.

89
00:05:12,340 --> 00:05:13,860
Notice here's the password.

90
00:05:13,870 --> 00:05:15,850
It's OSPF pos.

91
00:05:16,090 --> 00:05:18,080
So that is the password.

92
00:05:18,100 --> 00:05:24,250
Not a good idea to use clear text protocols in a network.

93
00:05:24,280 --> 00:05:27,970
It's very, very simple to capture the passwords.

94
00:05:28,000 --> 00:05:28,960
There you go.

95
00:05:29,170 --> 00:05:33,280
There's the password shown clearly in the Wireshark capture.

96
00:05:33,370 --> 00:05:37,960
So be careful using clear text passwords with OSPF.

97
00:05:37,960 --> 00:05:41,320
We actually want to use MD5, not clear text.

98
00:05:41,710 --> 00:05:43,720
Better to use MD5 passwords.

99
00:05:44,960 --> 00:05:45,290
Okay.

100
00:05:45,290 --> 00:05:48,440
Another question: what are the OSPF router priorities?

101
00:05:48,770 --> 00:05:51,950
So let's dig down a little bit deeper.

102
00:05:52,310 --> 00:05:56,030
We can see the hello packet; notice network mask.

103
00:05:56,060 --> 00:05:56,450
Notice.

104
00:05:56,450 --> 00:05:56,740
Yeah.

105
00:05:56,750 --> 00:05:57,560
Priority.

106
00:05:57,830 --> 00:05:59,480
So this is router one.

107
00:06:00,890 --> 00:06:06,950
If you didn't know the answer to that, you could just say the one router has a priority of 101.

108
00:06:07,310 --> 00:06:13,160
And if we jump to router two, notice its priority is 102.

109
00:06:13,610 --> 00:06:17,300
So router two, 102.

110
00:06:18,860 --> 00:06:20,510
Very easy to read

111
00:06:20,510 --> 00:06:24,650
Wireshark captures if you understand the data or understand what you're looking at.

112
00:06:25,340 --> 00:06:31,100
Once again, you get free access to my Q&A course if you want to learn more about this.

113
00:06:31,280 --> 00:06:33,260
Have a look at my CCNA course.

114
00:06:33,260 --> 00:06:34,370
But in brief.

115
00:06:34,790 --> 00:06:38,900
OSPF is a routing protocol run within an autonomous system.

116
00:06:39,250 --> 00:06:45,470
Router priorities for determining who's in charge of a segment: it's done based on router priority.

117
00:06:45,470 --> 00:06:47,060
One of the determining factors.

118
00:06:47,060 --> 00:06:48,740
Highest priority wins.

119
00:06:49,490 --> 00:06:53,900
Notice at this point we don't see designated router and backup designated router.

120
00:06:53,930 --> 00:06:56,200
There is an election that takes place.

121
00:06:56,210 --> 00:06:58,220
That election hasn't completed.

122
00:06:58,220 --> 00:07:00,020
So let's go right to the end.

123
00:07:00,590 --> 00:07:01,970
In other words, later.

124
00:07:02,600 --> 00:07:03,710
Hello packets.

125
00:07:03,710 --> 00:07:06,410
Once the routers started talking to each other.

126
00:07:06,620 --> 00:07:09,560
So notice here we've got no backup designated router.

127
00:07:09,650 --> 00:07:15,920
But if we go through the messages, you'll see they will negotiate a bunch of stuff.

128
00:07:16,100 --> 00:07:22,610
And then we should start seeing in the hello messages, like here,

129
00:07:22,640 --> 00:07:28,460
who the designated router is and who the backup designated router is.

130
00:07:29,030 --> 00:07:29,900
So who's.

131
00:07:30,790 --> 00:07:31,900
Designated router.

132
00:07:32,810 --> 00:07:36,050
The designated router in this topology.

133
00:07:37,660 --> 00:07:41,920
Is 10.1.3.252.

134
00:07:42,190 --> 00:07:44,350
As we can see over there.

135
00:07:45,090 --> 00:07:46,350
Highest priority wins.

136
00:07:46,350 --> 00:07:48,690
This router has a higher priority, 102.

137
00:07:48,690 --> 00:07:51,090
So it's going to be the designated router.

138
00:07:52,110 --> 00:07:52,380
Okay.

139
00:07:52,380 --> 00:07:54,810
So I've answered all those questions.

140
00:07:54,810 --> 00:07:55,590
How did you get on?

141
00:07:55,590 --> 00:07:57,420
Were you able to answer these questions?

142
00:07:58,860 --> 00:08:05,940
The thing about Wireshark is you can dig really deep, but you need to understand the protocols.

143
00:08:05,940 --> 00:08:09,300
So you need to spend some time learning the theory of protocols.

144
00:08:09,990 --> 00:08:13,140
I mean, this means nothing if you don't understand what you're looking at.

145
00:08:13,170 --> 00:08:15,810
So you need to spend some time learning about OSPF.

146
00:08:17,490 --> 00:08:24,570
Once again, OSPF version two. Later releases of OSPF, OSPF version three, would be used in an IP version

147
00:08:24,570 --> 00:08:25,470
six environment.

148
00:08:25,470 --> 00:08:29,310
In this example, we're just looking at OSPF for IP version four.

149
00:08:29,430 --> 00:08:33,570
If you don't understand what a backbone router is, it doesn't make any sense.

150
00:08:33,600 --> 00:08:35,700
It's important that you learn your routing protocols.

151
00:08:35,850 --> 00:08:38,490
So let's actually have a look at the consoles of the routers.

152
00:08:39,330 --> 00:08:40,710
This is router one.

153
00:08:42,169 --> 00:08:47,780
Here's router two, just to prove that what I've explained through Wireshark is actually true.

154
00:08:48,200 --> 00:08:55,790
So show ip, and let's do the easy one: show ip interface brief rather.

155
00:08:55,820 --> 00:09:00,890
You can see this is the router's IP address on gigabit 0/1.

156
00:09:01,130 --> 00:09:06,800
This interface here. On router two: show ip interface brief.

157
00:09:07,250 --> 00:09:10,460
This is the IP address on gigabit 0/0.

158
00:09:10,490 --> 00:09:11,510
This interface.

159
00:09:12,230 --> 00:09:20,750
show ip ospf neighbor. Notice this router, router one, has a neighbor relationship with router two.

160
00:09:21,080 --> 00:09:23,380
We can see that it's a full relationship.

161
00:09:23,390 --> 00:09:31,760
The other router, in other words router two, is the designated router, per what we worked out in Wireshark.

162
00:09:31,760 --> 00:09:34,130
So show ip interface brief on this side.

163
00:09:34,890 --> 00:09:35,880
Make that bigger.

164
00:09:36,600 --> 00:09:38,340
Notice that's the wrong command.

165
00:09:38,460 --> 00:09:47,430
Sorry, show ip ospf neighbor rather. So router two sees router one as a backup designated router, full

166
00:09:47,430 --> 00:09:53,970
relationship. On an Ethernet segment, the designated router and backup designated router form full relationships

167
00:09:53,970 --> 00:09:54,830
with other routers.

168
00:09:54,840 --> 00:10:02,490
In other words, they exchange the topology database with other routers, and we can see that over here.

169
00:10:03,390 --> 00:10:06,330
Notice we've got hellos and then we've got a database description.

170
00:10:06,510 --> 00:10:10,710
So in the output here we can see a description of the database.

171
00:10:11,340 --> 00:10:18,450
So some information about the database is shown in the capture.

172
00:10:19,140 --> 00:10:21,960
So you see some information about the database.

173
00:10:21,960 --> 00:10:29,340
But the one I want to point out is, notice as we go down, we've got a link state request message and

174
00:10:29,340 --> 00:10:32,310
then we've got a link state update message.

175
00:10:34,200 --> 00:10:36,030
Notice LSA type one.

176
00:10:36,360 --> 00:10:41,460
So if you've learned a bit about OSPF, you'll know about LSA type one, two, three, four and five,

177
00:10:41,460 --> 00:10:42,450
as an example.

178
00:10:42,480 --> 00:10:48,660
Notice we can see in the network information this is a stub network, 10.1.2.0.

179
00:10:48,840 --> 00:10:52,110
Here's another stub network, 10.1.3.0.

180
00:10:52,350 --> 00:11:00,450
This was advertised by 10.1.3.252, which is actually router two. 10.1.3.0 is the segment between the routers.

181
00:11:00,480 --> 00:11:03,900
Notice you can see 10.1.3.something being advertised here.

182
00:11:04,110 --> 00:11:16,290
This network is 10.1.2.0, and we can see that once again over here: 10.1.2.0 is the subnet on this interface,

183
00:11:16,320 --> 00:11:20,470
gigabit 0/1. If you actually want to see that, we can do it this way as well.

184
00:11:20,490 --> 00:11:27,090
So show run interface gigabit 0/1. Notice this is.

185
00:11:28,280 --> 00:11:30,680
The configuration of that interface.

186
00:11:30,680 --> 00:11:40,010
And if I type show run or show ip interface gigabit 0/1, you can see the IP address and the subnet

187
00:11:40,010 --> 00:11:41,810
mask on that interface.

188
00:11:44,220 --> 00:11:44,550
Okay.

189
00:11:44,550 --> 00:11:51,900
So we can see here the networks that are going to be advertised by the two routers to each other.

190
00:11:52,680 --> 00:11:54,550
Here we see a database description.

191
00:11:54,570 --> 00:11:56,280
Here's another update.

192
00:11:56,640 --> 00:12:01,210
So basically the routers are communicating information to one another.

193
00:12:01,230 --> 00:12:01,950
This is router one.

194
00:12:01,950 --> 00:12:03,690
Notice 10.1.3.251.

195
00:12:03,690 --> 00:12:08,070
A different network is shown here, 10.1.1.0.

196
00:12:08,190 --> 00:12:10,600
So we see 10.1.3.0.

197
00:12:10,620 --> 00:12:14,070
That's the network between the two routers, and 10.1.1.0.

198
00:12:14,100 --> 00:12:15,550
Advertised between,

199
00:12:15,570 --> 00:12:20,490
or should I say from router one to router two. We can see the metric, or the cost, to get there.

200
00:12:20,490 --> 00:12:25,140
So network, subnet, metric of this network. It's a.

201
00:12:25,740 --> 00:12:26,820
It's a stub network.

202
00:12:26,820 --> 00:12:30,090
In other words, there's no other router connected to this network.

203
00:12:30,360 --> 00:12:34,620
A lot of information can be gleaned from Wireshark.

204
00:12:34,920 --> 00:12:36,390
You see acknowledgements.

205
00:12:36,570 --> 00:12:39,240
OSPF doesn't rely on TCP.

206
00:12:39,300 --> 00:12:42,300
So if you have a look here, there's no TCP protocol.

207
00:12:42,330 --> 00:12:47,610
If it sends a link state update to the other router, it needs an acknowledgement back to make sure

208
00:12:47,610 --> 00:12:49,590
that the other router got the update.

209
00:12:49,710 --> 00:12:56,040
Otherwise it's going to retransmit that data, because there's no TCP to do the retransmissions and make

210
00:12:56,040 --> 00:12:57,100
sure that data gets through.

211
00:12:57,120 --> 00:12:59,610
OSPF has its own mechanism to do that.

212
00:13:00,060 --> 00:13:06,030
And you can see that once again through the Wireshark captures: link state update, link state acknowledgement.

213
00:13:06,420 --> 00:13:12,750
So the one router requests data, the other one updates, and then we give back an acknowledgement

214
00:13:12,750 --> 00:13:14,700
to make sure that it got through properly.

215
00:13:15,670 --> 00:13:19,300
Well, acknowledge to the other router that we received what they were sending us.

216
00:13:20,200 --> 00:13:20,590
Again.

217
00:13:20,590 --> 00:13:20,830
Wireshark

218
00:13:20,830 --> 00:13:21,790
is brilliant.

219
00:13:21,820 --> 00:13:25,300
You can see so much information just by looking at a capture.

220
00:13:25,570 --> 00:13:32,290
There are other protocols running on this network: we can see broadcasts, we can see spanning

221
00:13:32,320 --> 00:13:33,760
tree, other protocols.

222
00:13:33,760 --> 00:13:40,150
But by simply searching for OSPF, we can see the OSPF messages and then interpret what's going on.

223
00:13:41,190 --> 00:13:41,610
Again.

224
00:13:41,610 --> 00:13:45,270
How did you get on? If you weren't able to answer the questions,

225
00:13:45,270 --> 00:13:45,930
don't worry.

226
00:13:45,960 --> 00:13:47,010
Just learn.

227
00:13:47,520 --> 00:13:48,300
Learn

228
00:13:48,300 --> 00:13:49,430
Wireshark.

229
00:13:49,440 --> 00:13:53,040
It will help you tremendously in the real world.

230
00:13:53,190 --> 00:13:58,990
It's an important skill for any networker to have, or anyone interested in sort of ethical hacking.

231
00:13:59,010 --> 00:14:04,880
You want to be able to learn what's going on in the network, and by simply running a sniffer like Wireshark,

232
00:14:04,890 --> 00:14:07,950
you can actually see a whole bunch of stuff on the network.