How I Use Wireshark

Captions
The trouble with Wireshark is most people don't even consider it as a tool to use in the midst of network troubleshooting. So as I thought about how do I make training around that, I thought, why don't I just show people how I use it?

So let's just say I'm troubleshooting something. I don't know, I'm kind of making this up as I go. I'm gonna start a capture and just start watching the data flow through, and this is where a lot of people bail, because they're like, oh no, too much stuff. That's another issue. So I'll go over to Edge right here and I'm just gonna go to Twitter, just to get some network traffic that's there. Let's go to, oh, Yahoo. Where did that come from? Yahoo, I haven't been there in like 15 years. So I'm coming back here, I see now 8,000-some packets, and again this is where a lot of people bail on Wireshark. They're like, too much data, what do I do?

First thing that I do when I get all this data is I want to look for what I'm looking for. Usually I'm not opening Wireshark unless there's an issue. In this case let's just say I was looking at the Twitter connection, right? I would go back to Wireshark and I would find where did that Twitter conversation begin. A couple ways that I can do that. One, and the one that I like using most of the time, is by using the DNS lookup. I'll look right there and go, okay, dns. Looks like around packet 172 is where it did a standard query for twitter.com. Okay, so that's my starting point in my conversation. So as soon as I hit X and remove that DNS filter, I'm already at packet 172, which is where it looked up Twitter. Then I can find quickly after that where it tried to contact Twitter. This is the TCP three-way handshake: SYN, SYN-ACK, ACK. Ooh, this is actually gonna be kind of fun, more on that in just a second. The other way that I can find things inside of here, just on a broad scale, is to do a string query: frame contains "twitter". Hit the Enter key and I see every single packet where Twitter was involved. Again, in this case it led me right to that DNS query as one of the first things, but I can also see right here it's seeing Twitter in the name of the security certificate exchange. Again, my whole goal in doing this is to give myself a starting point to troll through those 9,000-some packets of data and go, okay, that's where I begin.

So let's go back to that first DNS query right there where I got the IP address of Twitter. Scroll down a little bit, because right after that, any time you see a DNS query, the computer is trying to contact that, so you can pretty much guarantee that right after that it's going to try and set up the TCP session, and that always starts with the TCP three-way handshake. Now it looks like my computer's got a stutter, it's like hello, hello, right? Because it's like SYN, SYN to that, from my computer right here, source IP address, to the same destination. Well, a lot of times computers are trying to be a little bit more efficient, that is, they're trying to set up multiple TCP sessions to the same host at a time to get different types of traffic. It's like when my wife is talking to me and the kids are all like, you know, she can continue the conversation and then she'll turn and be like, okay, okay, and she'll address them. I am NOT a multi TCP stream. I'll be talking to my wife and one of the kids is talking, I'm like, stop, stop talking to me, I can't focus, back to you. The question is which conversation do I want to look at. Truth be told, I probably want to look at both, but the way that I can tell them apart is by this stream index right here. You see right here, stream seven. I click on this, ah, stream eight. Okay, well let's look at this. Okay, we're on stream eight right there, back to stream seven. Okay, so stream seven, you guys looking at this right here, right? Stream index eight. So I go, okay, I've got two simultaneous TCP conversations. Let's just grab the first one, and I'll right-click on this, I'll go Conversation Filter. Oh man, such a handy thing, follow the conversation. If you want nothing else out of this, remember Conversation Filter. It helps you track down one conversation that's happening on the network. In this case I'm going to say follow the TCP stream, but sometimes I also go right here and do follow the IPv4 conversation, so I can see all the communication between those two IP addresses. But let's just look at this one session. So I'm looking right here, I've now zoned it down. Now I've got my three-way handshake, SYN, SYN-ACK, ACK.

By the way, if you don't know network protocols, Wireshark will make you learn network protocols, and the biggest tip I can give you is be curious. See the conversation, be like, what's SYN, SYN-ACK? You know, Google, Google, Google. Just learn protocols this way, you'll gain so much from this. Brief side note: that's why I think a lot of people get frustrated with Wireshark, is they're using it when everything's on fire and they don't have time to learn, and they're like, ah, what is all this junk, and they abandon it so quickly, when the time to learn is when things aren't on fire. Again, back here, what's going on with my conversation with Twitter? What I see right here is that it's doing a security certificate exchange. My client is sending a security hello message, it's going right here from the server side saying hello, it's doing a little key exchange to make sure that we can do encryption between my computer and Twitter. So if I'm looking, I'm kind of scrolling down right here, okay, this is a pretty decent conversation. Other thing that I'm looking at is what is the length of all of this communication. 1514 is the maximum transmission unit of Ethernet, so if I see a bunch of those frames I go, okay, I happen to tap into the stream that is the major data conversation, whereas I might have tapped into another stream. Let's look at the other one just for fun. Scroll back up, that first SYN, clear the filter, let's click on the second SYN right there, right-click, Conversation Filter, TCP. Ah, look at how short this one is. See, I'm scrolling up and down right there, this is probably just a security certificate exchange. I can see right here SYN, SYN-ACK, ACK, got a few hellos, a little application data, but not much going on there, and this is where that TCP stream ends. So that tells me the bulk of the data exchange probably happened in that first TCP stream. I'll put that conversation filter back on.

The next way I use Wireshark all the time is the header information. These are literally the headers of the OSI model: layer one-ish, layer two with the MAC addresses from source to destination, layer three IP addresses source and destination, layer four TCP information, source and destination port number, and all the data there. These can give us clues. Oh, and I should tell you that as I'm thinking about ways I use Wireshark, Wireshark is rarely a silver bullet where I'm like, dah, bingo, that's it. I mean, like maybe one out of a hundred times that I use it I'm like, bingo, that's exactly what's going on. Most of the time Wireshark is just my Sherlock Holmes. I'm looking and go, whoa, it looks like, okay, that one's talking to that one, okay, something's going on there, I'm gonna go check out that host. It just gives me a clue as to where to look. Like, for instance, the security certificate exchange that we just saw, it may seem that, you know, the client sent and then the server never sent one back. I'd go, that's funny, let's go look at the server and look at the event logs on the server and try and figure out why it's not taking the SSL communication from the client.

Okay, other ways that I use Wireshark: quick protocol focus. The beauty of the display filters is it's freeform. You already saw dns, I want to see what's going on with some DNS queries. icmp if I want to see what's going on with some ping messages that I'm sending. Oh, look at that, I didn't even know that was there. So somewhere this is trying to ping me, who is that? Or it's actually not pinging me, in this case it's telling me that there's a destination that's unreachable using ICMP. That piques my curiosity right there, going, why is it doing that? That just happened. And so you see what I mean, that's where you're like, hmm, investigate. Show me all the TCP conversations, show me all the UDP conversations that are going on. Again, zoning in to the specific protocol. Look at that, my bedroom, my bedroom talks to us. Maybe I want to see all the communication coming from my bedroom. I would do a search for ip.addr == 192.168.1.90 and, whoo, oh, there's not much conversation there. I use this filter all the time to just zone in to a specific IP address and say, show me everything from that guy. Or maybe I'm just looking at a specific port, tcp.port == 443, to show me all the SSL conversations that are happening on the network. And maybe I just want to see all the SSL conversations from the IP address, oh, I just see one there in the list, 204.79.197.200, enter. When it comes to filter complexity, that's about as far as I go off the top of my head. I can build a lot more complex filters, but a lot of times I use Wireshark's automated way of doing it. I, most of the time, zone in to a specific IP address, specific port number, specific TCP streams at times, or a specific protocol.

The last way that I use Wireshark is right here under Statistics, Conversations. A lot of times, you just saw this is my home network and there were like a thousand packets within just a few seconds of opening this. You might have a SPAN session going on where you're monitoring many different network ports all at the same time, and it doesn't take long for Wireshark to reach a million packets in a matter of seconds that are coming through. The Conversations filter allows you to see all the conversations that are happening, and you can tune this and look by MAC address, by IP address, and so on and so forth. But if you're looking for a specific conversation, oh, no better way than the Statistics place to see, a lot of times, who's sucking up all the bandwidth in our network. And it's kind of like, if you get into the network side, NetFlow, but much simpler. You can just look at the conversations and see, oh, looks like, we'll say, 40.114.54.223 is consuming a ton of bandwidth. Let's zone in to that and create a filter around that one.

I hope this was helpful. I hope that you can look at some of the examples I gave and use it in your own home or your own office environment. Ooh, careful with that, some places don't like that and you might get fired, don't do that. The best thing that you can do is open Wireshark and just tinker a little bit, do it, walk through the same examples that I just did but with your own Twitter capture and see what you can find and what you can learn. Through this whole thing, curiosity is your biggest ally in learning a tool like this. I hope this has been informative for you and I'd like to thank you for viewing.
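The two parallel TCP sessions to one host, the stream index that tells them apart, the Conversation Filter, the `frame contains` search and the Statistics > Conversations byte counts from the walkthrough above, modelled as an added Python example (not code from the video or from Wireshark). The capture is constructed: 203.0.113.10 is an RFC 5737 documentation address standing in for the Twitter server, and the client ports and frame lengths are made up.

```python
# Added example, not code from the video or Wireshark: a toy model of tcp.stream,
# Conversation Filter -> TCP, `frame contains` and Statistics -> Conversations.
# Constructed capture; 203.0.113.10 (RFC 5737 documentation address) stands in for Twitter.
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "no proto src sport dst dport length info")
CLIENT, TWITTER, DNS_SRV = "192.168.1.50", "203.0.113.10", "192.168.1.1"
CAPTURE = [  # packet 172, the DNS lookup, is the starting point of the conversation
    Packet(172, "DNS", CLIENT, 53001, DNS_SRV, 53, 74, "Standard query A twitter.com"),
    Packet(173, "DNS", DNS_SRV, 53, CLIENT, 53001, 90, "Standard query response A twitter.com"),
    Packet(174, "TCP", CLIENT, 51000, TWITTER, 443, 66, "[SYN]"),
    Packet(175, "TCP", CLIENT, 51001, TWITTER, 443, 66, "[SYN]"),  # the "stutter": 2nd session
    Packet(176, "TCP", TWITTER, 443, CLIENT, 51000, 66, "[SYN, ACK]"),
    Packet(177, "TCP", CLIENT, 51000, TWITTER, 443, 54, "[ACK]"),
    Packet(178, "TCP", TWITTER, 443, CLIENT, 51001, 66, "[SYN, ACK]"),
    Packet(179, "TCP", CLIENT, 51001, TWITTER, 443, 54, "[ACK]"),
    Packet(180, "TCP", CLIENT, 51000, TWITTER, 443, 571, "Client Hello (SNI twitter.com)"),
    Packet(181, "TCP", TWITTER, 443, CLIENT, 51000, 1514, "Server Hello, Certificate"),  # full MTU
    Packet(182, "TCP", TWITTER, 443, CLIENT, 51000, 1514, "Application Data"),
    Packet(183, "TCP", CLIENT, 51001, TWITTER, 443, 571, "Client Hello (SNI twitter.com)"),
    Packet(184, "TCP", TWITTER, 443, CLIENT, 51001, 300, "Server Hello, Application Data"),
]

def assign_streams(packets):
    """tcp.stream: one index per socket pair, direction ignored, numbered by first appearance."""
    streams, index = {}, {}
    for p in packets:
        if p.proto == "TCP":
            key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
            index[p.no] = streams.setdefault(key, len(streams))
    return index

def follow_tcp_stream(packets, stream_no):
    """Right-click -> Conversation Filter -> TCP: keep only the packets of one stream."""
    index = assign_streams(packets)
    return [p.no for p in packets if index.get(p.no) == stream_no]

def frame_contains(packets, needle):
    """Stand-in for `frame contains "twitter"`; the real filter searches the raw frame bytes."""
    return [p.no for p in packets if needle.lower() in p.info.lower()]

def ipv4_conversations(packets):
    """Statistics -> Conversations -> IPv4: (packets, bytes) per address pair, biggest first."""
    stats = defaultdict(lambda: [0, 0])
    for p in packets:
        row = stats[tuple(sorted((p.src, p.dst)))]
        row[0] += 1
        row[1] += p.length
    return sorted(((k, tuple(v)) for k, v in stats.items()), key=lambda kv: -kv[1][1])
```

In a real capture tcp.stream is numbered from 0 in order of first appearance across the whole file, which is why the video shows streams 7 and 8 rather than the 0 and 1 this toy capture produces.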
Info
Channel: Viatto
Views: 65,180
Keywords: Keeping IT Simple, Jeremy Cioara, Wireshark, it blogs, it specialist, information technology (industry), information technology, it, tech, networking, it jobs, it fundamentals, how to, learn IT, networking tutorial for beginners, home network, How I use Wireshark, How to use wireshark, Wireshark tutorial
Id: 7CYpjf19GkA
Length: 10min 21sec (621 seconds)
Published: Wed Oct 02 2019