- Hey everyone. It's David Bombal back with Chris. Chris, you recently passed a security certification, and I'm hoping that we could do a security video today, but firstly, welcome.

- Hey, it's great to be here, David. And wow. That's a way to come out the gate, so. (David laughing)

- Yeah. So what did you do?

- I went ahead and did the Certified Ethical Hacker, CEH. I know, I know, I know, I know, I know, there's a lot of different opinions floating around that one, and we'll definitely dig into that one. But I actually had a client. What happened is I had a client that went ahead and asked me to get it, and they went in and helped me out with that. So boy, did I learn a lot, David. That said, the test is another thing, but I certainly enjoyed getting into a lot of different new topics for me, coming from a packet background. (bright upbeat music)

- I'm hoping you're gonna teach us something about Nmap.

- Oh yeah, for sure. This is a tool that I've used for years, but I just hadn't used it to this level until I started really digging into it. For me, I'm the kind of guy, if I don't see it at the packet level with Wireshark, I don't really understand it. I came from a background of, that's what I would first do with a tool. I see a tool, I start up Wireshark, and then I compare what Wireshark sees with what that tool output gives me. So that's why we're here about Nmap.

- Yeah. So explain, what are we gonna look at today? Because I'm hoping that you're gonna run Nmap and then do something, and then we are gonna actually look at the packets. Is that what we're gonna do?

- Yeah, for sure. If you are out there studying for a cybersecurity certification, Nmap switches are gonna be on your test. I mean, you're gonna have to know 'em. Now learning them is another story. Really, we have one of two ways of doing it. You can either flashcard and, okay, what is -sS, -sT, -s what, what are all those switches and what do they do? Or you can use it practically and have a lot more fun doing it. So, which one sounds better to you?

- The best way to learn any protocol is to just capture it and have a look at what it's actually doing, not what the textbook tells you it's doing. So take it away, Chris, show us what you know. I'm hoping you're gonna start Wireshark like right now and show us what's going on.

- Yeah. Why not? That's always fun. Let's get those packets going. So Nmap, let's just take a look at Nmap. So basically, what Nmap does
it's network mapper. All right. So it allows us to discover devices on a network. Why is that important? Well, how are we going to go in and try to hack a device, or even inventory devices? I've used Nmap just scanning around my own network and taking a look at what's there and what ports are available, even doing like an internal pen test, and Nmap allows us to do that. Now there's a thousand switches with Nmap, or options. And if you look through the actual help of Nmap, there's a lot that it can do. And we can see some of those here, David. Look at all these switches. So we have host discovery, target specifications, scan techniques, port specification, looking at services, even enumerating operating systems. So we can take Nmap and we can launch it at a device, and we can learn a lot more about the type of OS that that device is running. Why important? Because how can I find a vulnerability to then exploit if I don't know the operating system? Okay. So yeah.

- I'm hoping you're gonna show us at some point. I believe that's in a separate video. We're gonna cover that as well.

- Yeah. We'll get there. But first we wanna just talk about some basics and understand more about how Nmap works. So let's just do this.

- Now, like a question would be like, what's the difference between like a normal scan and a stealth scan? And you know, there's a lot of options in Nmap, so hopefully you're gonna show some of that.

- Yeah, for sure. So I think the two biggest ones are, I should say, maybe biggest is the wrong word, but two of the ones that you're definitely gonna be learning and using have to do with TCP connections, all right. And you're gonna find that there's two major ones. If we come here to scan techniques, you can see the first two here, sS and sT. So this is TCP SYN and connect. Now, those are different. There's a difference between TCP SYN scan and connect scan. And that's what we're gonna really focus on today. Maybe in other videos we'll get into FIN, Xmas scan and some of these other ones, even UDP scan. But for today, we're really gonna focus on those first two. So does that sound like a good time to you?

- Yeah. I mean, it'd be good to know the difference, so yeah. Hopefully you're gonna like show us further packets.

- Absolutely. So let's do this first. I'm just gonna say Nmap, and
here's the way to remember it. If it's a scan, then use -s, lowercase s, use your small s. And then the next letter that you use, that's going to tell you the type of scan that you're gonna do. Is it an up scan? Well, that's up... oops. There we go. Bottom S, that would be an up scan. How about a UDP scan? How about a connect scan? It's T. All right. So a lot of times you can just use the name of the scan to figure out the type of scan. It is a FIN scan. Now there's different reasons why you would use each one, and we'll build on that, but just to get this right out the gate, let's have everybody, if you don't have Nmap, then go get it and follow along with me here. You can just do Nmap and you can just do, let's just do a SYN scan, and I'm gonna come over here. I'm just gonna start this up here. Let's start up this capture. You can see a lot of our traffic going on here in the background. What I'm gonna do is just launch it. Okay. Let's just grab a device, and let's just see what we do. What I am going to do, though, I'm just gonna do -F. There's a reason for that. It's a fast scan. It's only going to test the top 100 ports. The number of ports that are available, again, another test question that you might find, there's 65,535 ports that TCP can possibly have opened, right? So we don't wanna have to just destroy a device as we're trying to scan it. Let's just be a little bit more simple with it. And we're just, oh, look at that. Sorry. I forgot about my root privileges. Gotta come back. I'm just gonna do sudo. A lot of scans require administrative privileges on the system. So a lot of times you're gonna have to do sudo. So there we go. And let me just run this. One second,
password.

- Are you running this on your Mac or on Linux?

- I'm running this on my Mac right now. The nice thing is that the commands are gonna be all the same, right? So if you're in Kali and really, even on Windows, I mean, except for the sudo part, you're just gonna have to run your terminal as administrator, okay. So if you notice here on my capture, over here, I'm just gonna set a filter. If you didn't know, you can set a filter while you have a capture running, and that'll filter on just the traffic going to this device. All right. So I've got a device out here. I'm just gonna stop my capture. I've got a device out here and I have TCP 53 is open. There's one open port and then the other one is 1900, using the SYN scan. Okay, cool. Well, let's go ahead and take a look at, just on this live capture. I'm gonna show you this live, David, and then I'm gonna open up another capture that has a few more interesting ports. And we're actually gonna be able to share that with everybody. You can go down to the description down below and you can download the stealth scan pcap, and you'll be able to follow right along with me. So we'll get to that in just a moment. But what I wanna do is I just wanna filter. So let's just do, okay, 4.1 was our device, and let's just do "and tcp.port == 53". Let's see what we get. All right. So here we can
see that here's our client. It established a connection, or it sent out that TCP SYN to 4.1. That was our target. And we're sending this to TCP port 53. Well, seven milliseconds later, we get a SYN ACK back. But notice what happens right after that. Our client says, "Nah, let's reset." This is known as a half-open scan. The reason is because we only have half of the connection open. A TCP connection is not open until you have sent a SYN and you have received an ACK for that SYN. So as a client, I got my ACK. So I sent my SYN and I got the ACK for that SYN. But the server sent his SYN, I never sent an ACK, I just went, "Nah, reset." So that's why it's called half open. Now in Nmap that type of scan is called a stealth scan. Right, so sS, okay. So, any port that is open and available is going to respond with that SYN ACK. If it's a port that is not open, let's go ahead and try port 80. This is what we're gonna see. I send out my SYN and I got a reset ACK back. So this one's closed.

- The server reset it because it doesn't have that port open yet.

- Correct. When you hit a port that is closed, sorry, talk to the hand. Reset. Yeah. All right.

- That's how Wireshark knows that the ports are open. Sorry, not Wireshark. That's how Nmap knows that the ports are open, because it's getting an ACK.

- Correct. When I send a SYN, then I get a SYN ACK, that port is open. Simply, let's just call that the stealth scan. Now let's think about this though. Why would this be called a stealth scan? Well, basically back in the day it was thought, well, okay, if I send this SYN and then it gets a SYN ACK and I reset it right away, well, maybe that device that I'm trying to enumerate, I'm trying to attack, maybe it won't log it. Whereas if I do a full TCP connect scan, the potential is there that it'll go, "Oh, there was a connection attempt and it was reset." Really anymore, most systems today, even on the Nmap, if you go out to the Nmap website, they even tell you, they're like, yeah, stealth might not be the right word for it anymore, 'cause a lot of IDS systems will find this anyway, right? So it's not like one is really clandestine and secret, and the full connect scan is gonna be just out in the open. If you're enumerating a network, if you're pen testing, likely you're gonna be found if you just launch this thing on a network. So should we contrast the connect scan?

- Yeah, I was gonna ask you how's that different to a standard like connect scan, right?

- Shall we? Let's do it. I'm just going to start up another capture. And then what I'll do is I'll flip over to the other ones that we're gonna share with everybody, so everybody can be on the same packet page. All right. So let's do this. I'm gonna go ahead and start my little capture. Got it going now. Let's come over here. I'm just gonna do sudo again, but this time I'm gonna do sT. That's all I changed. Now let's see how that changes things. All right, so we have those same two ports open, and I'm gonna come over here. Let's just do an "and tcp.port == 53". So let's take a look at this connection now. What's different here? Right, I have a SYN and I got a SYN ACK, but this time the client, or the tool, ACKs back. This is a full connection. Right after that, only a whopping 18 microseconds later, we send a reset. So basically, "Hey David, you there?" "Yep. I'm here." "Great. Bye."
That's a full connect scan. Now there are some other differences here that I'd like to point out, that if you are looking at traffic on your network, there's some differences between these two types of scans that, if you see them in Wireshark, you'll be able to quickly tell the difference, more than just the half open and the full handshake. There's also some things that Nmap is doing or not doing with these scans that I'd like to pull out too. Let's go and flip over to the other trace file. All right. So in this pcap, which I'm going to share with everybody, you can hit that link in the description down below. What I did is I went ahead and scanned a much more open device, a device that had a whole lot more ports open. So in this scan, what we're gonna do is we're gonna take a look at just that, that SYN scan, but how certain things would jump out to us if we were looking at normal network traffic. This is where it turns into the real world, David. If we're a SOC analyst, blue team, if we're looking at pcaps from our environment, how can I know if my stuff's getting scanned? And that's what my clients come to me for. They'll send me, "Here's a terabyte, a hard drive full of stuff. Here's a bunch of captures, like what's going on and where are we getting attacked?" Okay, so let's go ahead and take a look from a scan perspective anyway. Let's just pick a port here. So I'm just gonna do tcp.port == 80. All right. So right out the gate, we can see that this was a scan going to port 80 among others. So if everyone put that port scan there, so here we have SYN, SYN ACK and then we have a reset. There's our stealth scan. But there's a few other things that we can take a look at that look a little bit interesting in this type of scan. So I'm just gonna go to that first SYN. Now here's the thing. When we send a SYN scan, the stealth one, Nmap is actually generating that scan. It's actually coming from the tool itself. So Nmap is generating that SYN, putting in things like, for example, oh, let's just pick out some stuff, window. The window is 1024. If everybody's seen some of our TCP deep dive stuff that we've done, David, you know that I'm advertising that I only have enough room in my receive buffer for 1024 bytes. That's teeny. Okay. So that's something that might catch my attention. Something else. If I look at that SYN, if I come down here to options, the only TCP option that the Nmap stealth scan is offering to the other side is an MSS. In the real world, when you're looking at true TCP connections, true SYNs that are happening, that's not the case. You're gonna have a lot of TCP options. You're gonna have things. You're gonna see stuff like timestamps, and you're gonna see window size and selective acknowledgement, SACK. You're not gonna just see only one TCP option, typically.

- So in other words, what you're saying is, you know this is dodgy traffic, for lack of a better word, because the window size is really small and there's not enough options.

- Oh, that would flag my attention in a heartbeat. Absolutely.

- How would you find that in like a terabyte of data? How do you find this stuff, Chris? Because it's needle-in-a-haystack type stuff.

- Glad you asked, David. Well, why don't we come down a window, and let's actually talk
about that for a moment. How would I set a Wireshark filter that will directly find this? So first of all, finding a packet that I would be interested in finding later is a great way to do it. What is it that makes this packet unique? Well, first of all, I got a window, right? So let me go ahead and right click that. And I'm gonna come up here to Prepare as Filter, and I'm gonna go to Selected. Okay. So tcp.window_size_value == 1024. Ugh. That's a mouthful. Do I ever want to have to type that out? No, of course not. That's why I can find a packet with that field. I can borrow from down here on the bottom left, tcp.window_size_value, all that. And I can send that upstairs. Or what I could do is I could just take this, this is another kind of cool thing about Wireshark. You see how I'm dragging this right now. I can also drag and drop that filter. Super cool. In fact, another thing that would be weird about this, I only have so many options. There's not a whole lot here. There's only one option. So something else that might catch my attention, there's a couple ways that we could filter on this. Let's come up to header length, and I'm just going to right click, Prepare as Filter. And I'm gonna say, And Selected. Now, let's see what we just did. I said, show any packet that has 1024 as the window size, and also the TCP header length is 24. All right. What does that mean? Well, basically the TCP header without any options, without anything else going on, is 20 bytes. You've got your source port, destination port, sequence numbers, acknowledgment numbers, flags, window, all that stuff right up to urgent pointer. That's the last part of the 20 bytes. After that, if I have options, there is some extra stuff. If this isn't the beginning of a handshake, which by the way, let's not forget that we need this to be a SYN, right? So let's go ahead and right click flags as well. And I'm just gonna say, Prepare as Filter, And Selected. So look at, we're building this filter out. If this is a SYN, which is flags, what I'm doing is instead of just focusing on that individual bit of a SYN, I'm saying take that whole flags field, and the only bit that will be set is SYN. If I say SYN, if I do this another way, if I say tcp.flags.syn == 1, that's gonna get SYNs and SYN ACKs. I only want the SYNs. Let's go ahead and back up. So I'm just saying flags as a whole. Here's the hexadecimal value. And if you look sideways down here, that's for the hexadecimal people out there, I've got 0 0, 0, 0 1 0. That's a two. That's why it's 002, right? So I just want that SYN location to be one. That's why my flags are 002. So let's see what we did with this filter. This is only SYNs. This is SYNs that are advertising a TCP window size of 1024. And that header length is only gonna be 24 bytes. Now let's talk about that for another moment. The header length. Again, TCP is gonna have a 20 byte header. And at the beginning, if there's a lot of different options, that header length is going to be much larger. It's gonna be another 20 bytes or so. So this would catch a stealth scan.

- Is it always 24 on Nmap, or is it like, can you change that? Or was that just the default? Yeah.

- For the stealth scan, tell you what, why don't we test this against
a couple other packets. Let's actually apply this thing. All right. So I got a thousand packets. And I know for a fact that I sent a thousand. When I did this scan, I did it with the thousand most common ports. Right there I'm able to see that it caught everything.

- And you just did like a stealth scan, like we did a few minutes ago, with no, you didn't specify anything else. So that was just the default values.

- Correct. If I want to, I can come over here, and this is probably a good way to actually show it, so we learn it better. If I do -p, that's for port, and right after that, that's where we can specify. Do we want specific ports? Do we want a range of ports? If I wanna be specific, I can say one to 1000. Or let's just say, if we don't leave this, then what it's gonna do is it's gonna try the top 1000. It's gonna say these are the most common ports. If I don't want a thousand, if I want to run a little faster, that's that -F. It's just gonna be the top 100.

- Yeah, what's interesting is that it's using like a window size of 1024 and the TCP header's 24. So just looking for a 24 byte header is an easy way to see if someone's scanning your network, unless they've made specific changes to try and hide what they're doing.

- Exactly, and that's the thing, you know, when we're talking about cyber security, it's hard to make absolutes. All an attacker would need to do is change this to 25 bytes.

- How did you discover this? Is it just, you were looking through data, and then suddenly you thought, well, this just looks weird?

- Yeah. That's exactly what I did. Let's go ahead and run that full scan again. And what I'd like to do is show you how that would change when I'm looking at a full scan. Let's go ahead and check that out. All right. So I'm gonna start my capture. And let's just run this guy, only this time we're gonna do the sT. And I'm gonna show you, 'cause remember that was for the stealth. So what I started to do is, I was just looking at these scans. I started to realize, oh, and we already caught that scan. Let me stop. Okay. So let's see what's different. Let's see if everybody can pick this out. Full connect. So first of all, what's our header length, right? That's different, and SYN's the same. But if I come down to my window, I've got a complete 65,535 window. So on the full connect scan, look at all the options I have.

- Yeah. Very different.

- SACK, timestamps, window scale.

- And that's more realistic for proper traffic in the network.

- Exactly. Here's the reason why these are different. Now the audience might be thinking, "Great. Okay. So the stealth scan looks weird, but the connect scan doesn't." And that's because Nmap doesn't generate this on its own. What it does is it issues a connect call down to the operating system kernel stack. And it says, "Hey, you, TCP, you generate this connection. I'm not gonna do it as a tool. I want the actual operating system to do it." That's why this SYN looks so much different, 'cause the true OS stack is the one that actually generated this. And that's why it looks much more real. A real window, a useful TCP window. So instead of saying, "Hey David, do you wanna connect? You can only send me a thousand bytes," now I'm saying, "Hey David, do you want to connect? I'm gonna start out with 65,535 as a window. By the way, you're gonna be able to multiply that bad boy by 64. So we're gonna have a big, cool bucket of data to work with." That's why that caught my attention when I was looking at those stealth scans, 'cause this was so low.

- I mean, in some ways the stealth scan is less stealthy compared to this, isn't it?

- To me, yeah, I would catch it way faster than I would this, for sure, yeah.

- Is there anything here though, that looks weird? Is it just because, you see... How would you catch this?

- I would come to this part of Wireshark, and this is called TCP
conversation completeness. Now what on earth is conversation completeness? Well, glad you asked. Basically, what this does is it assigns values to different aspects of the TCP conversation. So here's a standard conversation. So basically what conversation completeness does in Wireshark, this is basically, it's a cool little feature. It's come out just in the recent year, really. So basically, a full TCP conversation that is normal and healthy has a beginning. So a handshake. Okay? And the first packet of a TCP handshake, everybody, is?

- SYN (laughs).

- Good job. All right. Yes. You got a gold star.

- Thanks. All right. I can't believe I'm giving David Bombal gold stars, anyway.

- Yeah, no, I know nothing. I know nothing about this.

- Okay. All right. Not yet. No, a lot of things. Okay. How about the second packet? Everybody? What's that one called?

- Called SYN ACK.

- Good job. Okay. Here we go. And oops. All right. Flushed out. All right. Last packet is ACK. Good job with our handshake. Okay. We've already seen this in our Nmap scan. Okay. There's a handshake. So a connection began. Data gets exchanged. Okay. Acknowledged. Okay. And then this connection gets shut down. So this could happen any way, either through a FIN or a reset. Okay. So let's just say, I'm just gonna shorten this out and just call this FIN, okay. This is a complete conversation in TCP, so called, all right. Now what Wireshark does, it assigns values to each one of these functions. SYN, this gets a little deep and we're gonna actually, I'm gonna link the Wireshark page and the actual information, or the wiki, where it talks about each of these values, but we'll just go over it together. So basically the SYN gets a value of one. SYN ACK gets a value of two. The ACK gets a value of three, or of four. This is binary. Okay. A reset down here is 32, and the FINs are 16, and data is eight. All right. Do you see the binary way we count? So 1, 2, 4, 8, 16, 32. So basically, the way that TCP completeness is calculated, all right, so we have a TCP completeness of 39. All right, so what this means is we saw a one, we saw a two, we saw a four, that's seven, and then we saw a reset. We add all that up. And when we say a handshake followed by a reset, that is a TCP completeness of 39.

- Yeah. So no data sent, and that's why it says no data.

- Yeah. So in this case.

- That's weird, isn't it?

- Oh, boy. Yeah. Well, I mean it means... Okay, does it happen in the real world? Yes, it does. Does it happen often in the real world? It shouldn't. If I said TCP completeness, and this is where I would do this, David. This is where I would look a little closer. I would say Prepare as Filter and let's do, And Selected. And I'm gonna go ahead and remove my port off of this, just to keep things more open. Oh, you don't like the parentheses. Hang on. All right, so anything to and from this host, TCP completeness is 39. This is going to show me when a connection was attempted, SYN ACK came back, ACK went out and a reset happened right away. Right away I would be thinking, if I saw one of these, David, maybe I wouldn't be super worried about it. If I saw thousands of these, hey.

- Someone scanning.

- Absolutely. So this is one way that we can filter for that. TCP completeness is 39.

- How did you discover this, Chris? Is it just like you just captured packets and then you looked at what was weird based on what you normally see, yeah?

- Good question. And yes. For me, as far as the TCP
completeness thing goes, what I thought was, okay, how can I capture a handshake that is immediately reset? That's a tough filter to build, right. It's like, if you do that by hand, that's a long filter, I gotta say.

- Yeah. Exactly. Yeah.

- Yeah, I mean, basically what I gotta do to do the equivalent thing that conversation completeness is doing, first, I gotta set a filter for SYN, and then I gotta set a filter for an ACK that has a sequence number of one and an ACK number of one, and reset on the same port number. Uh, it's just, I'm confused even explaining what I just explained. So that's part of the reason why the amazing people behind Wireshark came up with conversation completeness, is because we could do these kinds of tests where we could say, "Hey, how far did the TCP conversation get?" And this is really useful when it comes to port scans. So another thing that I could do is I could set TCP completeness. Let's just say that I'm only looking for a SYN and a reset. Well, the SYN is one, the reset is 32. That could be 33. Now I can use that feature of Wireshark to get a better handle on how much of this scan activity there is. And it all goes back to, if I see it once, maybe I'm not super worried, but if I see a pattern here, or even if someone comes into Nmap and slows the scan down, which by the way we can do, we can say, "Hey, be really stealthy. Only let out a few of these every couple minutes or seconds."

- You'll still pick it up though.

- You can still pick it up.

- I mean, I suppose the problem is if you do it over a long period of time, you're gonna have so much data. So your capturing device has to have the capacity. And Chris, that gets us to another conversation. Are devices good enough today to capture huge amounts of data? Or do you need specialist devices?

- That's a great question. Okay. So here's your threshold, and this is what I do. Okay, so I'm a packet consultant, right? I get paid to go in and find problems. The last thing that I want is missing data, because sometimes it comes down to that one packet that the analyzer missed. And as soon as I see that, I start to doubt my whole trace file. Okay. So sometimes people will send me pcaps, even from YouTube. They'll watch a video like this and they'll say, "Hey, I just need some help analyzing this certain problem." Which is great, they can interact and send a pcap, and right away, if I see "previous packet not captured" or if I see symptoms, if it almost looks like false retransmissions, which it does take some time to learn how to identify that, which you and I can continue to chat about. But the point is, if I have, I call it dirty data (laughs), if my data's missing, then I start to question my whole pcap, right. That's like a gold standard.

- It's unreliable.

- It's unreliable.

- Yeah. It's unreliable.

- So your question was, how well does the hardware keep up? Well, I think everybody knows that Wireshark with a laptop, in a normal data center world, it can't keep up with super high data rates. Most network engineers know that. If I ask them, "Can a copy of Wireshark on a laptop keep up with 10 gig?" Most people are gonna say, "Oh, no." Okay. Then when does it start to fall?

- Yeah, exactly.

- My benchmarking shows that most of the machines that I have had and done my best to optimize, I'm not able to accurately capture, timestamp and everything, much over 100 megabits per second.

- Oh, wow. That's low. That's low. When you go to site, do you have a laptop, or what do you do? Do you have like specialist hardware? What do you?

- So, yeah, Dave, that's a good question. And let me just show you what I use, just because it's backpackable, if that's a word. So this is actually the Profitap IOTA, and literally what it
is is it's a hard drive, terabyte hard drive with
a tap built in, right. So I can go network one way then device under test the other way, or I can connect it between
two switches on the uplink, but it comes in 10 gig as well and beyond, depending on the money you wanna spend. And then it's got a management port. All I have to do is I literally
plug this guy in power it, and then there's a little button here. See how little guy, that button? - Yep. - Capture. - And you just let it run for a while. - Yep. - I let it cook, let it grab
all the traffic that it can. And then what I can do
is interface with it. I can pull pcaps back from it, or I can also use some of the
analytics that are built in. So a lot of times I have this running, even on my home network, just to keep an eye on things
and look for scan activity. Like we're talking about a lot
of times I find my own, but, (laughter) Part of what this does
is it allows me to go to a period of time where I say, "Hey client, Hey customer, what time was it when this happened?" And I train them to tell me, "Oh, it happened at 3:30, Chris." Okay, cool. At least I can go to that time index and I can back up five minutes
and go forward five minutes and I can extract that component, right. So capture better, capture smarter. No one should be digging
through a single pcap that is, you know, a terabyte. - I mean, that's important to know. I mean, the, the other question is, okay, so you've got like a terabyte
of data, whatever it is. I mean that, it's going
back to that whole question. How on earth do you find things? So, I mean, you've
given us some good tips, but have you got any other,
like, just from your experience, you know, you've got this crazy big file, how do you even start
to look at that stuff? - Right. So there's two ways. One you can make use of
the command line tools. So from there, when you install Wireshark, you also have command line
tools like T shark, Edit Cap, Merge Cap, these other tools, you actually install like
nine different tools, something like that, when
you put Wireshark on there. Those tools have a much better time with their very large trace files. So sometimes what I'll do, if someone just literally
gives me a hard drive full of data, what I might do,
if it's a super large pcap, what I'll do is I'll
go in and break it up. I can go in and say, just break
this up into smaller pieces. Better though, let me show
you the real thing that I do. - Yeah, please. - This is legit real world. Something that I train my
students, in my classes. I talk a lot about this and I know we've left off from Nmap, but this is a really important part of capturing this stuff in the real world. What I do is I try to train them from the beginning to capture wisely. And one way is by using, let's just go ahead and use dumpcap. Now, a lot of times when you're in Wireshark, Wireshark actually calls dumpcap to do the actual capturing. Dumpcap is a tool that gets installed with Wireshark, if you don't already have it, or another one that a lot of people might use on a server, on interfaces, tcpdump, right? So what I'll do is, I'll say, "Okay, let's just go ahead and do this. Let's go to dumpcap." Okay. Now, if I go to dumpcap -D, this is going to show me all the interfaces that I have access to for doing pcaps to capture from. Let's just grab the first one. This is a Wi-Fi interface. Okay. So let's just do dumpcap -i, so that's interface, one. So I'm saying, "Hey, dumpcap, go grab a bunch of packets off of this interface." And if I just let this thing fly, it's gonna go great. It's gonna start to dump that traffic into a temp folder. And it's just gonna call it Wireshark Wi-Fi. And David, this will go until I stop it. This is gonna be a big trace file, especially if I leave it for a full day. Well, I don't want that. So instead, what I'm gonna do, let me just back outta that guy. What I'm gonna do is give it some parameters. So I'm gonna say, actually, it's called, if you look at the help menus, you'll see this, but if you go -b, you can do file size. And in kilobytes, I give it the amount of traffic. So my file size, let's just say, okay, so one kilobyte, 10 kilobyte files, a hundred kilobytes, meg. That's a hundred meg file. So what I'm saying is dump this into a 100 megabyte file, then -b files. And I can say, let's just start with 10. Okay. So what that does, the files switch is it says, save 10 of them. And then let's just say, I'm just gonna write this out. And I know there's a lot of switches here, but.
- You know, it makes sense though. And I mean, this is a lot more efficient than grabbing traffic rather than the Wireshark GUI. Like you said, the Wireshark GUI actually goes and uses this.
- Absolutely. Yeah. I just started, what's
called a ring buffer. Now this gets back to your question. How do you find this in an ocean of packets? How do you find the three that make the difference? Well, first of all, let's capture smarter. So what I did is I started a capture. I said, I want 100 megabyte files, and I want 10 of them. So what this does is it starts, it's called a ring buffer on my machine. Now I'm gonna grab 10 of 100 megabytes each. And after the 10th one, it's gonna go overwrite the first one.
- Okay. So it's continuous.
- Yep. Ring buffer. So now I can play with these numbers. I can go, you know, a hundred megabytes is too small. Why don't we bump that up to 500 megabytes? And I got some horsepower to work with on my hard drive. So why don't I go ahead and up this to a hundred files, and that'll give me more time. Point is, David has a problem and he goes, "Oh, that weird thing happened that I'm troubleshooting." Or things look kind of funny. It happened, whatever we're troubleshooting. And I say, "Hey, David, around what time was that?" And if you say, he's like, "Oh, it was about 8:30." Cool, I can go back to my ring buffer and I can look at my time date stamps that are right here. And I can say, okay, "Look at us, we're at 222 222. For me it's 10:56 AM." And I can just find the one that happened. Okay, I'll change from 8:30 in your example to 11:00 AM. So I can find the one that was capturing during that period of time. And now I just went from a terabyte hard drive down to a hundred megabyte file.
- Yeah. Yeah. So capture smart.
- Capture smart. I try to make my pcaps as small as I can. And also when we're looking at real data, really be focused on the when, the what. The wrong thing to do, David, is just to jump in and just hope that we get the right packets at the right time, right? We need more information.
When did it happen? What type of thing occurred? And when we're doing cybersecurity, open captures like this, just, it's a lot easier and more digestible when we're dealing with these smaller pcaps.
- I remember, you know, doing a lot of network troubleshooting, the hardest problems are the transient, like weird things that just happen seemingly randomly. It's so hard to try and troubleshoot that stuff. So I like what you're doing, you know, like, let it run. You know, this is running continuously and just overwriting itself, then, you know, and correct me if I'm wrong, but like the client's running this. And then when something happens, they can call you, "Okay, it's happened now." Or, you know, they can try and give you a time when it happened that day. And then it gives you time to go back and look at actually what happened at that time, rather than just trying to guess.
- Absolutely, in fact, let me show you one other thing that I do is I'll get this capture going either locally on their system or somewhere on the network off of a SPAN port or a tap. And what I'll do is I'll come in, and imagine this is the user's machine, okay? I just have a test copy of Windows running. Here's a VM. But what I'll do is I'll go into their system and I'll say, let's go ahead and just do new... Let's just do a shortcut. And I'm literally just gonna type in my personal website. (indistinct chatter) pioneer.com. Okay. The reason is because it's unlikely that that person, that end user, that I'm trying to resolve, is just going to go out to my personal website. That's an unlikely thing to happen. It used to be that we would do this with Telnet back in, you know, when Telnet was just a, it was a part of a standard tool set that was still on Windows. People didn't use Telnet because it's open and you can see the traffic, like that's actually happening. You can grab passwords and things, but now SSH, people are doing that through PuTTY and such. What I just need to do is I just need to find something to trigger on, right? So what I do is I name this "It happened," okay? I put that right over here on their desktop. And then I say, "David, go about your business, do your work." And then the next time it happens, just go double click that, and it'll go out and it'll go to my website. What does that do? Well, now I can stop my capture. And this is a great little example here. And let me... Gotta find where that file went. I think it's just on my root. There we go. Yeah. Okay. So now I'm back in Wireshark, right? So I've got a ton of stuff here. I've got a hundred thousand packets. How do I find the one where?
- It happened?
- It happened, right? So let me just do frame
contains packet pioneer, and I'm going to get all the packets that contain that name. Now, I am packet pioneer, right? So, but I actually tested this once in here. We have it again. So usually, you're just gonna see right here, now I have a bookmark. Now I've got packet pioneer. This is where this was actually generated. And I can now look around that period of time in the pcap. And that allows me to set other filters for when it happened.
- That's great. So, in other words, you find the timestamp just off that bookmark, and then you can say like five minutes after that or 10 minutes before it or whatever.
- Yep, then I can come up here to View, Time Display Format, Time of Day. And now David said it happened at 11:03, and he hit the It Happened icon. And now I have two bookmarks. I have a period of time, but just in case my time sync isn't correct on the capture device, now I can know also from the packets themselves, he hit the It Happened icon.
- That's brilliant, but I mean, is there anything, any last, like, parting thoughts about tips that you've got from the real world? I mean, we started with Nmap and we kind of like morphed into like real world stuff, but I think it's important because you like highlighting what's weird on networks. Any other quick tips before we wrap it up?
- Yeah. I think for me, I don't get something until I see it at the packet level, especially getting into cybersecurity with those that are, if they're new to cybersecurity or if they're learning how these tools work, Wireshark is a great way to have that open and get that thing capturing while running these tests. Don't do that thing where you just become... You're just generating a tool or you're using a tool and hitting a button, and then watching something that you don't understand. Wireshark is a tool that can help you to understand it. And David, hopefully you and I continue to do this kind of content where we can walk people through what to look for on the wire.
- To the audience, please put in the comments below stuff that you want Chris and I to discuss. I mean, the good news, Chris, is we're planning to do a whole bunch of videos and I think we want to cover as many protocols as we can. I want to twist you to get back for more TCP deep dive stuff, UDP deep dive, and some other protocols. So yeah, it's a lot to cover. Chris, really wanna thank you, you know, for sharing your knowledge for free. Really appreciate it.
- Thanks for having me back, David. I always enjoy hanging out with you. And of course, everybody who watched too.
- Brilliant. Thanks, Chris. (bright upbeat music)