Now I'm going to demonstrate stuff practically using GNS3, but rather than you trying to build this topology and replicate what I've done, you can simply download the pcap files and then follow along. The pcap files that I'm sharing are the actual captures that I'm gonna do now, so you'll be able to follow along and also use Wireshark to see the results that I get.

In this topology, I've got two Windows PCs, PC1 and PC2. See, here's PC1, here's PC2. PC1 has IP address 10.1.1.1; the default gateway is 10.1.1.254, which is the router in the topology. PC2 has IP address 10.1.2.1; the default gateway is 10.1.2.254, which is the router in the topology. So I'm simulating an entire network here in GNS3, and I'm gonna show you how to capture packets, or capture frames, and we'll talk about those terms in a moment, and then you'll be able to see what's going on. I've also got a server in this topology. The server is a web server, FTP server, TFTP server, and runs other services. So what I'll do is send traffic from the hosts to each other, so PC1 to PC2 and back again, and also from the PCs to the server, and then have a look at the captured packets, and hopefully you'll be able to see what's going on and get an understanding of the frames, packets, segments, and so forth, and also get an understanding of how to use Wireshark.

Okay, so I'm gonna open up a web browser from PC1 to the server. The server's IP address, and this is a Linux server, is 10.1.1.100. I used the command ifconfig to see the server's IP address. So what I'll do is start capturing traffic between the PC and the switch. GNS3 makes this very easy. It allows us to capture traffic directly within the topology, rather than having to install a hub or a wiretap, or something, to see the traffic. So I'm gonna capture the traffic between the PC and the switch, and we'll be able to see exactly what's going on within this Wireshark capture. So you can see that we've got spanning tree traffic, we've got EIGRP traffic, Dynamic Trunking Protocol traffic already displayed and being captured by Wireshark. What I'm gonna do, however, is filter for HTTP. There's no HTTP traffic at the moment, but what we'll do is open up a web browser on the PC and connect it to the server. So let's use PC1. Open up a web browser. I'm gonna browse to 10.1.1.100, which is the server. And as you can see, the web page is displayed. That's nothing fancy, it's just a basic web page hosted on the server, but it's enough for us to see what's going on.

So in Wireshark, you can see that traffic was sent from a source IP address, 10.1.1.1, to a destination IP address of 10.1.1.100. This is HTTP traffic. You can see the protocol there is HTTP. You can see the length. You can see that it's an HTTP GET; in other words, the PC is trying to get a web page from the server.

Now, before I go through the Wireshark capture in more detail, let's explain some of the basics that you see in Wireshark. The first thing you see is a frame. Now in networking, this is known as layer two of the OSI model. Information captured here is known as frames, so this is known as a frame. We've captured an Ethernet II frame. In other words, we've captured traffic on Ethernet. There are different types of Ethernet frames, but Ethernet II is the most common. The source MAC address is a VMware host. The destination MAC address is this. So the source MAC address is the PC. This PC is actually running inside of VMware. If I type ipconfig /all, you'll be able to see the MAC address of the host, 00:0C:29, ending in DC:D7. And hopefully that's what we see over here. So notice this MAC address is the MAC address of the PC; the destination address is this. That's the MAC address of the server. Notice the MAC address over here, 36:E4:5C:40:91:A2. There you go. That's the IP address of the server, the MAC address of the server. Here's the IP address of the PC and the MAC address of the PC.

So in networking, we use the term frame at layer two. You get different types of frames. On Ethernet, typically Ethernet II, but on a WAN connection, or wide area network connection, you could be using something like Point-to-Point Protocol, or PPP, or HDLC, or in the old days you had encapsulations like Frame Relay or ATM. In other words, the layer two frame changes depending on the physical technology that you're using. The most common technology today is Ethernet. The most common Ethernet frame type is Ethernet II. So this is known as a frame. Now, just to make it more confusing, in Wireshark they talk about frames here as well, but this is actually just metadata used within Wireshark that tells us about the frame. So again, this is just metadata. We don't typically talk about that as a frame. In networking, this is known as a frame. This is known as layer two in the OSI model. So this is a frame.

At layer three, we have what's called a packet. So when we refer to the layers in the OSI model, we use terms such as frame at layer two, packet at layer three, and segment at layer four. At layer three, we've captured the IP version 4 addresses. So this is IP version 4 information. The protocol used at layer four is IP version 4. What I'll do actually at this point is stop my Wireshark capture so that the capture that I share with you isn't too big. And I'll save this as "basic wireshark capture 1". Notice it's a pcapng file, or pcap next generation Wireshark file. So that's the file that you'll download, and you'll be able to do something similar to what I've done here.

So again, the protocol at layer three is IP version 4. The source IP address is this, the destination IP address is this. IP version 4 contains a lot of information. Differentiated Services Code Point, or Differentiated Services field, DSCP. Differentiated services code points are to do with quality of service. Quality of service, or QoS, allows us to differentiate some traffic types from others. So in other words, we could say that voice traffic is more important than FTP traffic. So when you make a voice call, it should be prioritized over File Transfer Protocol, or FTP, traffic. This is a way to indicate to the network how important the traffic is. A lot of other information is shown in this header, including, as an example, that the protocol used at layer four is TCP.

So at layer four, once again: layer two is frame, layer three is packet, layer four is segment. At layer four in the OSI model, we are using TCP here, and you can see source and destination port numbers. HTTP, or Hypertext Transfer Protocol, uses the well-known port number of 80. The server was listening on port 80; that's why, when the client made a connection to the server, the web page displayed. The client initiated a session to port 80. The server was listening on port 80. It served, because it's a server. It served a web page to the client, in this case using the protocol HTTP. So it basically has this page, this web page, hosted on its hard drive, and it served that page to the client when the client connected on port 80. The client uses this random port number, or ephemeral port number, to use the correct term. So it connects to the server using an ephemeral or random port number, going to a well-known port number of 80. And then you can see here, the application used is Hypertext Transfer Protocol.

Now in networking, we talk about the OSI model, but typically it's a hybrid model between the TCP model and the OSI model. At the top of the OSI model, we have application, presentation and session. Those layers are often grouped into a single layer called application. So notice we have layer two here. Layer one is the physical medium, so that's not shown in the Wireshark capture. The physical medium here is Ethernet; it could be copper or could be fiber. In our example, this is just a virtual network, but in the real world, this would be physical Ethernet, in this case perhaps copper. So the physical medium is copper, so that's the physical connection. Here it is just a virtual logical connection. So layer one, physical; layer two, data link, in this case it's Ethernet. Layer three is network; in this case, we've got IP. Layer four is transport; in this case, it's TCP. And then the top three layers are kind of combined into one layer, the application layer, so notice Hypertext Transfer Protocol. And inside here we can see details such as the client used. It shows up as Windows NT 10, Win64, using a browser Mozilla/5.0. So in this example, I'm actually using Microsoft Edge; that's the browser used within Windows 10. So this is a Windows 10 virtual computer. In other words, it's virtualized. I'm actually running on a Mac here, recording on a Mac, but I'm running VMware, which allows me to virtualize multiple devices within my GNS3 topology. So the Wireshark capture sees the client as a Windows 10 computer, which is correct, using 64-bit Windows. Mozilla is the browser; it's actually Microsoft Edge.

And then the server replies back. Notice in the server example, the MAC addresses are swapped round. In this example, I've got a layer two switch. A layer two switch means that it's just simply switching frames, in other words, layer two data, from one port to another. It's not trying to route the data from one network to another; these two hosts are in the same subnet, or the same network. So the switch is simply switching the traffic from one port to another. So in this example, the IP addresses are swapped round, and so are the MAC addresses. Going back to the first example, notice the source MAC address is this, the destination MAC address is this. When the server replies, those are simply swapped around. So the server is replying with its MAC address as the source; the destination MAC address is the Windows computer. IP addresses are swapped round and so are port numbers. And if we look at the Hypertext Transfer Protocol, notice we can see status 200 OK. 200 means that the server was able to provide the data to the client. We didn't have a 404 HTML error, as an example. Some data was provided to the client. Notice you can see here the actual web page that was served to the client. So you can see it says "network toolkit". You can see the PNG file. Notice, "network toolkit". And if I look at that web page on the client, notice you can see the output here. It says "www files located at /var/www/html". And if we look here, that's actually what you see: files located at /var/www/html. So if I scroll to the right, notice, you see the full output. You get to root after logging in. Notice, we told you you can place files in tftpboot, and that's exactly what you see over here. So Wireshark has read the HTTP traffic. Be careful with HTTP, it's clear text. So through Wireshark, you can see exactly what's going on. Here the client is trying to get the PNG image. So it's trying to get the actual PNG image, and here the server, which is an Ubuntu server, is providing the PNG file, so that's the actual file. And you can actually export that. And I'll do this again in other videos, but let's do it right now: "GNS3 image". So I'm gonna export that to my desktop, and on my desktop, I'm gonna change that to a PNG file. And then when I open it up, notice there's the actual image. So Wireshark captured all the data from the server, as well as the image, and that's the image that we have on the server.

So once again, to do that, click Portable Network Graphics, because it's a PNG file, and then go Export Packet Bytes. Save it to your hard drive. So I'm gonna save it once again as "GNS3 image 2", and then I'm gonna rename it. So it's saved it as a .bin file. I'm gonna rename that as .png, because it's a PNG file, and then when I open it up, you can see that it's a PNG file, and there's the actual image. So you can see here, it's getting the favicon, and then we're getting something, an HTTP 404 error, something not found, so something went wrong here. But the point is that you can read the actual HTTP traffic. And remember, because these devices are on the same subnet, all that happens is the MAC addresses are swapped around, IP addresses are swapped around, port numbers are swapped around during that communication. So the source IP is the host. Here the source IP is the server. So when the server replies back, it's replying back from port 80 to the client.

So that was a very basic example of using Wireshark to see what's going on in the network. Were you able to download the pcap file? Were you able to open it up in Wireshark and actually do something similar to what I've done here? There is no better way to learn than to practically use Wireshark, capture frames and see for yourself what's going on. I've made it a little bit more simple by giving you some pcap files, but hopefully they mean something, because you're using the actual files that I'm recording right now, rather than just some random file that you got off the internet. Now, please note it means a lot to me if you provide feedback on the course. So if you're enjoying the video, then please say so.
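The layer-by-layer reading the video walks through (Ethernet II frame, IPv4 packet, TCP segment, clear-text HTTP on top) and the swap it points out in the reply (MACs, IPs and ports reversed, with the switch doing no routing) can be reproduced on raw bytes without Wireshark. This is an added Python example, not code from the video or from GNS3/Wireshark; the frames, both MAC addresses and the ephemeral port 49712 are constructed to mirror the topology (PC at 10.1.1.1 talking to the server at 10.1.1.100 on port 80).

```python
# Added example, not code from the video: a minimal Ethernet II / IPv4 / TCP
# dissector that pulls out the layer 2, 3 and 4 fields Wireshark displays, plus
# the clear-text HTTP request line, and checks that a reply is the request with
# MACs, IPs and ports swapped. All frames and addresses below are constructed.
import struct

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Build an Ethernet II + IPv4 + TCP frame (checksums left zero)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def dissect(frame):
    """Return the per-layer fields for one Ethernet II / IPv4 / TCP frame."""
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ihl = (frame[14] & 0x0F) * 4              # IPv4 header length in bytes
    tcp = frame[14 + ihl:]
    data_off = (tcp[12] >> 4) * 4             # TCP header length in bytes
    payload = tcp[data_off:]
    return {
        "src_mac": mac(frame[6:12]), "dst_mac": mac(frame[0:6]),   # layer 2: frame
        "ethertype": struct.unpack("!H", frame[12:14])[0],
        "dscp": frame[15] >> 2,                                     # layer 3: packet
        "ip_proto": frame[23],
        "src_ip": ".".join(map(str, frame[26:30])),
        "dst_ip": ".".join(map(str, frame[30:34])),
        "sport": struct.unpack("!H", tcp[0:2])[0],                  # layer 4: segment
        "dport": struct.unpack("!H", tcp[2:4])[0],
        "http_line": payload.split(b"\r\n", 1)[0].decode("ascii", "replace"),
    }

def is_reply_to(request, reply):
    """True when reply carries request's MACs, IPs and ports swapped (same-subnet case)."""
    q, r = dissect(request), dissect(reply)
    return (q["src_mac"], q["src_ip"], q["sport"]) == (r["dst_mac"], r["dst_ip"], r["dport"]) and \
           (q["dst_mac"], q["dst_ip"], q["dport"]) == (r["src_mac"], r["src_ip"], r["sport"])

PC_MAC, SERVER_MAC = "00:0c:29:12:34:56", "36:e4:5c:aa:bb:cc"   # constructed MACs
REQUEST = build_frame(PC_MAC, SERVER_MAC, "10.1.1.1", "10.1.1.100", 49712, 80,
                      b"GET / HTTP/1.1\r\nHost: 10.1.1.100\r\n\r\n")
REPLY = build_frame(SERVER_MAC, PC_MAC, "10.1.1.100", "10.1.1.1", 80, 49712,
                    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>")

if __name__ == "__main__":
    for name, frame in (("request", REQUEST), ("reply", REPLY)):
        print(name, dissect(frame))
    print("reply matches request with addresses swapped:", is_reply_to(REQUEST, REPLY))
```

The HTTP line comes straight out of the payload bytes, which is the point the video makes about HTTP being clear text: anyone capturing between the PC and the switch sees the same thing.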