1
00:00:00,860 --> 00:00:05,900
So in this GNS3 topology, I'm going to add a device that will allow me to capture traffic,

2
00:00:05,900 --> 00:00:10,060
basically as if I had a monitoring station in my network.

3
00:00:10,070 --> 00:00:15,350
So let's pretend this Ubuntu PC is a monitoring device.

4
00:00:16,990 --> 00:00:19,300
I'm not actually going to use that for monitoring.

5
00:00:19,300 --> 00:00:23,110
I'm going to use GNS3 to do it directly.

6
00:00:23,200 --> 00:00:25,810
But let's pretend you were running

7
00:00:27,230 --> 00:00:29,900
Wireshark on the Xubuntu PC.

8
00:00:30,380 --> 00:00:37,250
I could, as an example, use a Windows PC here rather than Ubuntu, but I'm going to simply capture

9
00:00:37,250 --> 00:00:38,360
the traffic this way.

10
00:00:38,750 --> 00:00:42,080
So again, if I start capturing on this link,

11
00:00:43,130 --> 00:00:47,720
will I see the traffic from the PC to the server?

12
00:00:48,050 --> 00:00:49,730
I'll filter for HTTP here.

13
00:00:49,760 --> 00:00:51,140
Nothing at the moment.

14
00:00:52,070 --> 00:00:53,210
On the client,

15
00:00:54,270 --> 00:00:55,820
I'll refresh this page.

16
00:00:56,130 --> 00:00:57,060
Don't see anything.

17
00:00:57,060 --> 00:00:58,470
Manually type it in.

18
00:00:59,250 --> 00:01:00,240
Don't see anything.

19
00:01:01,030 --> 00:01:02,200
Shut that down.

20
00:01:02,230 --> 00:01:03,460
Open it up again.

21
00:01:04,239 --> 00:01:06,190
Try and connect to the server.

22
00:01:06,910 --> 00:01:09,220
We don't see any HTTP traffic

23
00:01:09,990 --> 00:01:11,100
on this link.

24
00:01:11,490 --> 00:01:16,500
But what I'm going to do now is SPAN or mirror the port on the switch.

25
00:01:17,420 --> 00:01:24,710
So on switch one, I'm going to go into global configuration mode. I'm going to type monitor. This

26
00:01:24,710 --> 00:01:33,440
goes by different terms: it's known as SPAN or monitor or mirroring. SPAN is known as Switched Port Analyzer.

27
00:01:34,070 --> 00:01:36,110
We're going to use the term monitor here.

28
00:01:36,110 --> 00:01:38,840
So I'm going to monitor a session.

29
00:01:38,840 --> 00:01:40,460
I'm going to give it a number, one.

30
00:01:40,580 --> 00:01:45,110
I'm going to specify the source interface as Gigabit

31
00:01:46,310 --> 00:01:47,650
0/0.

32
00:01:47,660 --> 00:01:50,210
So this interface is going to be the source.

33
00:01:50,690 --> 00:01:54,350
And then I'm going to say monitor session one,

34
00:01:54,680 --> 00:02:00,080
destination interface Gigabit 0/3.

35
00:02:00,650 --> 00:02:03,680
So source interface, destination interface.

36
00:02:03,680 --> 00:02:08,570
The switch is going to copy all traffic from this interface to this interface.

37
00:02:09,380 --> 00:02:14,940
So let's prove that. This is the Wireshark capture from Gigabit 0/3 to the Ubuntu host.

38
00:02:14,960 --> 00:02:18,710
In other words, over here on the client,

39
00:02:19,780 --> 00:02:21,310
refresh the page.

40
00:02:21,340 --> 00:02:24,280
Notice I suddenly see HTTP traffic.

41
00:02:24,880 --> 00:02:26,320
Refresh the page again.

42
00:02:27,750 --> 00:02:29,520
I see more HTTP traffic.

43
00:02:30,290 --> 00:02:35,390
So because I'm spanning the port, I can see the HTTP traffic.

44
00:02:35,780 --> 00:02:41,900
So if I had a monitoring station here, so I was running a Windows computer or some other computer with

45
00:02:41,900 --> 00:02:43,760
Wireshark directly on it,

46
00:02:43,910 --> 00:02:47,810
I would need to SPAN the port like I've done here to be able to see the traffic.

47
00:02:50,630 --> 00:02:59,240
Again, network vendors use different terms: mirroring, monitoring, SPAN. But notice show monitor session

48
00:03:00,080 --> 00:03:01,520
and let's say session one.

49
00:03:02,360 --> 00:03:10,970
You can see that we are capturing traffic in both directions on this port and the destination port is

50
00:03:10,970 --> 00:03:12,320
Gigabit 0/3.

51
00:03:13,050 --> 00:03:14,370
Encapsulation is native.

52
00:03:14,400 --> 00:03:17,760
We're not adding any additional frames to the captures.

53
00:03:18,430 --> 00:03:25,240
So you'll actually see the original frames here. Notice source MAC address PC going to the server, source

54
00:03:25,240 --> 00:03:32,230
IP address of PC to the server as a frame, packet, segment, random port number going to port 80, and you

55
00:03:32,230 --> 00:03:35,290
can see the actual request made there.

56
00:03:35,980 --> 00:03:41,410
So if we look at the server response, we can see, for instance, the

57
00:03:42,300 --> 00:03:43,590
PNG file.

58
00:03:43,680 --> 00:03:45,540
Notice nothing was modified.

59
00:03:45,540 --> 00:03:46,470
So

60
00:03:47,070 --> 00:03:48,300
with a browser,

61
00:03:48,330 --> 00:03:53,910
it often caches the data locally, so it doesn't re-request all the data

62
00:03:54,690 --> 00:03:56,150
to save on bandwidth.

63
00:03:56,160 --> 00:04:06,420
But if I shut that browser down, open it up again and go to the server, and I'll go right down.

64
00:04:06,930 --> 00:04:09,390
Again, we see Not Modified.

65
00:04:10,030 --> 00:04:11,800
So let's actually do this.

66
00:04:11,920 --> 00:04:16,209
I'm going to open up a private window and go to the server.

67
00:04:16,240 --> 00:04:18,820
That way, to force it to do everything again.

68
00:04:21,649 --> 00:04:22,450
So here we go.

69
00:04:22,460 --> 00:04:23,600
Client request.

70
00:04:23,790 --> 00:04:25,880
Here's the reply from the server.

71
00:04:26,510 --> 00:04:32,750
Notice you can see all the data from the server, so you can see the title of the web page.

72
00:04:32,780 --> 00:04:35,390
You can see the actual text in the web page.

73
00:04:35,810 --> 00:04:36,380
So

74
00:04:37,170 --> 00:04:41,850
in summary, be careful of where you capture traffic.

75
00:04:42,210 --> 00:04:50,010
In this example, we wouldn't see the traffic on this link or on this link unless we enabled port monitoring

76
00:04:50,010 --> 00:04:51,450
or spanned the port.

77
00:04:51,870 --> 00:04:57,930
In other words, you need to get the switch to copy frames from this interface out of this interface.

78
00:04:58,050 --> 00:05:02,550
It wouldn't normally do that if traffic was going from the client to the server.

79
00:05:02,580 --> 00:05:07,950
You have to enable the mirroring of traffic to be able to see it on a switch. With a hub,

80
00:05:07,950 --> 00:05:08,850
you wouldn't have to do that.

81
00:05:08,850 --> 00:05:11,970
A hub floods traffic out of all ports, but a switch doesn't.

82
00:05:12,450 --> 00:05:17,940
So once again, don't forget, you need to be careful where you're monitoring traffic if you want to see

83
00:05:17,940 --> 00:05:18,870
what's going on.

84
00:05:19,350 --> 00:05:23,850
As an example, if you want to see what's going on on this side of the network, you want to put a probe

85
00:05:23,850 --> 00:05:28,200
or some device on that part of the network so that you can see what's going on.

86
00:05:28,230 --> 00:05:33,600
You could implement remote SPAN where you copy traffic through a tunnel from one side of the network

87
00:05:33,600 --> 00:05:34,350
to another.

88
00:05:34,770 --> 00:05:39,960
But you need to be careful with that because of overhead and because of the amount of traffic that you're

89
00:05:39,960 --> 00:05:41,040
going to be receiving.

90
00:05:41,220 --> 00:05:44,460
So it'd be better to capture traffic locally if you can.