How to troubleshoot issues in Computer Networks? // Wireshark Tutorial

Captions
Wireshark is an amazing tool for any network or security guy, so let me show you how to capture and analyze network packets with Wireshark, all in an ethical way of course. [Music]

When I started to work in cyber security and I needed to troubleshoot network security products, I used Wireshark nearly every single day, and it is absolutely a lifesaver. It is a perfect tool to troubleshoot network issues or analyze what's going on in the network. It is extremely powerful, and you probably could make an entire training course or series about what you can do with it, but here we will cover the most important features everybody will need. So let's just get started.

Wireshark is a free and open source packet analyzer. It is the absolute gold standard across many companies and used by nearly every network or security guy. So whenever you want to analyze network packets, troubleshoot issues, or just do it for educational research, Wireshark is a tool that you're going to be using. It can capture network packets that are sent to the network card of your computer, and you can also import packet captures that you have created on other machines as well. It allows you to inspect all the details of these raw network packets that are captured, and it also interprets them, so it automatically detects certain aspects of the packet, like ports, protocols and many other things, so you can easily follow and understand what's going on. You can download it from the official homepage wireshark.org: just click on download, and then you can install it on Windows, Linux and of course also macOS.

This is Wireshark when you open it the first time. Before we can actually start capturing network packets, you need to select your network card interface. Depending on your setup, that usually shows any wireless adapters, Ethernet cards, etc. In my case you can see I have many network card interfaces, and this is because I also have some virtual machines on my Windows PC, like the Windows Subsystem for Linux; I have a default switch for my Hyper-V machines, and also my VPN connectors for Tailscale and whatever. So first of all you need to identify your main network card interface, usually your physical network card or your wireless adapter, where you want to capture the network packets. In my case it is the vEthernet bridge, and this is a virtual bridge between my physical network card interface and a virtual switch for all my virtual machines. So when I select this, I can start capturing all network packets by just doing a double click, or selecting it and clicking on this blue icon on the top bar. So let's click on that, and it automatically starts capturing all the network packets that are going in or sent out by my network card interface, and you can see it captures a lot; there's usually a lot of stuff going on in the background. When you click on a specific network packet, you can inspect all the details of that packet and read everything, for example the MAC address, the IP address, the ports and also the data that is sent over the network card.

But before we step into analyzing the network packets and how to see IP addresses, ports, traffic streams etc., let's take one step back and talk a little bit about network basics, because if you don't understand networking it will be fairly hard to use a tool like Wireshark. By the way, if you want to learn networking, the CompTIA Network+ and also the Cisco CCNA are both really great and valuable IT certifications for any IT professional, so if you are searching for great training courses on them, then check out ITProTV for example. With the link in the description down below you will get 30% off all subscription plans from ITProTV forever, so just check it out.

Okay, so as I said, in Wireshark we only capture network packets that are sent out or received on the specific network card we do the capture on. So in any wired network we usually only see packets for our PC and not for other devices in the network. That was a bit different back in the days when we had hubs, but nowadays network switches are smart enough to know on which Ethernet port our PC is connected, and they will only send out traffic that's intended for our PC. In Wi-Fi networks this is a little bit different of course, because every device that gets the radio signal can also technically capture these packets. So that's an important thing to keep in mind: if you want to capture network packets for other devices within your network, then you should always make sure that you're capturing at the right point in the network topology, for example on gateways where all traffic is passing through, or on servers or clients where you're expecting to receive certain network packets. I will later explain how to create packet captures on remote Linux servers and how to import them into Wireshark to analyze them. That's very helpful if you want to check whether traffic is going through a specific gateway interface or VPN network. But for now we are capturing only network traffic that is hitting the physical network card of my PC.

Okay, so let's start capturing actually useful information, for example something like a DNS request. To start a new capture we can just click on the same icon, and Wireshark will now ask us if we want to continue without saving or if we want to save our current packet capture to a text based file. But we can also do something else, for example click on capture options to select a different network card interface you want to capture on, and we can also apply a capture filter here. So for example if you only want to see ICMP packets here, or we want to capture the traffic between our PC and a specific new server by entering the IP address here. Note this will only capture network packets where the filter applies, so you won't be able to capture anything else even if it's hitting the interface. This can be very useful to shrink down the size of the packet capture file. For example, I was once doing packet captures on big data center gateways where those files get really, really large in a very short amount of time, for example every second it grows by a few gigabytes, right? In this kind of situation it can make sense to shrink down the size by only inspecting specific protocols or specific IP addresses. But on a normal PC you usually can capture everything here and filter it later in Wireshark.

So let's start another capture and actually try to do some DNS requests and analyze them. For example, let me open a new terminal here, and I will use my Windows PC to generate some DNS requests. For example, let's do an nslookup of golem.de, and when I hit enter my PC will generate a DNS request to my primary DNS server that I've configured, in this case software.creative.home, and the server will respond with an IPv6 and an IPv4 address. Okay, so let's go back here to Wireshark, stop the capture and try to find the DNS request. You can see this can usually be hard, right, because there's a lot of stuff going on in the background, but we can also filter here. So let's only filter DNS packets for example, and you can see there are a few DNS requests my PC has done in the time frame when we did the packet capture. For example you can see there is dl.acronis.com, which may be some telemetry from my Acronis backup software that is running on my PC, or Outlook Office 365 is doing some email stuff or whatever, but we also have our golem.de request. You can see that we actually have four packets here for golem.de: we have two requests and two responses, even though we only did one nslookup, and this is because nslookup will always try to resolve an IPv4 and an IPv6 address, so we have two requests here and two answers.

If we select a specific packet, we can now inspect the raw bytes, but Wireshark also helps us to translate this into a human readable way. When you try to analyze network packets, you should always follow the general pattern, because they are encapsulated in different protocols that work on different network layers. If you are familiar with the OSI model, layers one, two, three, four, five, six and seven, you are very familiar with that. So we always start with the Ethernet frame; the physical layer, the preamble stuff and so on is usually hidden by Wireshark, but you always start with the Ethernet frame and analyzing this. Here we have the Ethernet II protocol, so now we are at layer 2, we're talking about MAC addresses. Here's the MAC address of the destination, this is the MAC address from Sophos, and also the source address, this is my PC. You can also see Wireshark is smart enough to analyze it: it has something like a database recognizing, okay, the first part of the MAC address belongs to the vendor ASRock, so this is my mainboard that I'm using. So it can actually tell which kind of network vendor is using these MAC address ranges, and Wireshark helps us to identify those kinds of things. It also has a type, IPv4 protocol, so that means that everything inside is in the IPv4 protocol. When we click on that, Wireshark will automatically select those raw bytes where this information is coming from, right? In the IPv4 protocol we are now talking about layer 3, IP addresses, so here's the source address and the destination address of my PC and the gateway. When we go one step further, we are taking a look at the UDP protocol. Now we are at layer 4, we are talking about protocols and ports, so the UDP port 53 is reserved for DNS, and therefore Wireshark knows, okay, this is a DNS request and I need to interpret all this data that is included in the packet as a DNS packet. When you click on that, you can also see there's a query here: our query is to golem.de, it is a type A query, which means IPv4. We can also select the corresponding IPv6 request, there's the type AAAA, which means IPv6. All right, you can see it here, and we also have a corresponding response from our gateway. This is the first one, this is the IPv4 address; when we scroll down you can also see the answer here, so that means golem.de is at this public IP address, and there is the IPv6 address. So this is how you can analyze network packets, and you can also inspect all the data that is included in the packet.

Okay, but what about web traffic? Let's for example try to capture web traffic. So let's do another capture and I will try to open a website, for example let's open the website thedigitallife.com, which is a really great blog if you want to become an IT professional and you want to learn more about tutorials about Linux, DevOps, Docker, Python, cyber security, and read other stuff about me and about my resource and GitHub pages. Yeah, there's a lot of great stuff on that homepage. Because I just did this request, let's go back in Wireshark, stop that packet capture and try to find the HTTPS packets. Now we can still only see the DNS packets; this is because the DNS filter is still active, so click on that x to remove that filter, and now we see all the packets that have been captured. You can see there's a lot of stuff going on there, and it can be quite hard to find the HTTPS packets. You can also see there is something like HTTP; this is unencrypted traffic, so this is a great example, let's first of all take a look at this here. I don't know what that is, but HTTP traffic is unencrypted, so we are able to see all the data: we are seeing the HTTP request and the response with the 200 OK, and we can actually see the data. But anyway, let's search for our HTTPS request. Now we can filter based on http, but then we only see the HTTP and not the HTTPS requests, so how can we filter on that? We could basically filter by port, because you probably should know that HTTPS operates on the TCP protocol on port 443, so maybe search for the protocol tcp and the port: tcp.port == 443. Now we only see HTTPS connections that are operating on that port regularly, and we can scroll up and try to find our specific request. You can search for different things here, and I will show you how to identify the specific request even though the data is encrypted and we don't see the HTML code inside these packets. An HTTPS request always starts with a client hello, and the client hello is part of the handshake that the client does with the server, so they do something like an SSL key exchange and all this stuff, right? So we can always search for tls.handshake for example. Let's apply this filter, and then we only see packets that are part of the handshake processes of the TLS protocol, for example client and server hello, the certificate and the key exchange that's happening here. Although all this traffic here is encrypted, there's one particular part that is still unencrypted inside the client hello, and this is the SNI, the server name identifier, which usually contains the domain of the website you are browsing, and we can also filter by that. So let's search for tls.handshake, because it's included in the handshake, and then extensions_server_name, so the server name, and then we can search for a text: tls.handshake.extensions_server_name contains "thedigitallife.com". Now we get our specific client hello, the request that our client does to the thedigitallife.com web page, and you can see the information is unencrypted in here. So anyone that is sitting between your PC and the network traffic, maybe at the gateway or anywhere in the network in between, can actually see which websites you're browsing. Maybe some of you didn't know that.

Okay, so let's take a look at how we can actually see all the traffic that corresponds to that particular connection, because all the requests are separate connections. In Wireshark we can use something like this here: we do a right click and select follow TCP stream. Now we get all the information, the whole TCP stream of requests that my PC was doing. You can see it is going to thedigitallife.com and it is an HTTP/1.1 protocol request, but then all this information that comes here, that is usually the data, is encrypted information, so we can't see inside the HTML code or inspect any passwords or anything like this. So that is good news, right? Even though you can always read the URL, because you can inspect the SNI, in encrypted web traffic you can't see the data.

Okay, so I hope this was quite interesting, and you can also analyze what is going on. I will also show you something else. For example, if we scroll down here you may see some retransmissions here, for example this here, the encrypted handshake messages. We also see duplicate acknowledgements here, spurious retransmissions, there's even more stuff going wrong. This is something you usually see in network traffic: there are always things going wrong, there are always packets that are missing, and this is because the network protocols always have issues, right? Especially in wireless networks many more errors are happening, and this is kind of normal, this is nothing you should be worried about. But if you're really trying to find out what's going wrong and you're seeing a lot of retransmissions, or maybe some other issues happening inside the network packets, something like this here, and you always see black and red colors, then something is going wrong and you probably want to take a closer look into that and try to find out what's going wrong. In the TCP protocol you will always see messages like this here, where the client or the server has requested to retransmit specific network packets that have been lost on the wire.

So you can see Wireshark is an extremely powerful network tool. I mainly use it for studying for IT certifications, doing research, or just troubleshooting issues. As I initially said, if you're working in a computer network where you have many devices like servers, gateways, switches or whatever, you may want to capture network traffic not just on your local PC but also on a remote server as well. In this case you can't use Wireshark for capturing the traffic, because it is just running on your local PC. On Windows servers you probably can install Wireshark of course, but on Linux servers where you don't have a graphical user interface but you still want to be able to capture that traffic, there is another possibility to do that, and I will show you that in a second.

Okay, so let's try to reproduce a realistic scenario. For example, I'm now connected to one of my cloud instances, and my cloud instance is connected through a VPN with my local PC. I'm using Tailscale for doing this, because Tailscale is a very great and easy way to use something like a managed VPN provider that is powered by WireGuard. I've made a tutorial about Tailscale, and if you want to learn more about this just check out the link in the description down below; it's really an awesome tool. So Tailscale is now connected to my cloud instance and my local PC, and I just want to run a simple web server here to just capture a request. For example, I want to run a simple Docker container that is running an unencrypted web server here, but only in the range of my local network, so I'm just limiting the access to this particular private IP address. I want to be able to capture the packets that are coming from my local PC to my cloud instance on that particular IP address here, and I want to capture the packets on the cloud server itself, because I want to know if the web request is hitting that server.

To capture the network packets on a cloud server I want to use a tool that is called tcpdump. tcpdump is a tool that is very similar to Wireshark, but it doesn't have a graphical user interface; it simply just does a packet capture, but it is able to save that packet capture to a text based file, and you can later download this file and analyze it in Wireshark. So let's do a tcpdump. First of all I want to specify a specific interface, just like in Wireshark, so with the -i parameter I want to select an interface. In my case I want to capture the packets that are not hitting my public interface but my internal VPN interface, because I want to see the packets that are unencrypted now. So tailscale0 is the internal VPN interface I want to do the packet capture on, and I want to write this to a file that is located in my home folder and just call it http.pcap; pcap stands for the packet capture file format. So let's do this, and I need sudo permissions of course. Now I want to try to initialize an HTTP connection from my local PC to that cloud server. Because I'm connected to my VPN, I can simply execute this web request on that private IP address. So let's open another browser tab and do http on this IP address, and if I hit enter: "Congratulations, you are now running the Nginx Proxy Manager". So you can see that is something different, let me just go back. Ah yeah, so I have used another port, that is 1680, so let's do another request here to this particular port, and this is a web request to our nginx web server. When we go back here and we stop the packet capture on our remote server, we can see that 22 packets have been received by the filter and they are now stored in that file. When we cat that file, you can see that everything is in a text-based format, it is the raw packets, but you can also see some HTML code inside here, because everything is captured, right? But there's still some stuff that you're not able to see correctly, so let's download this file and open it in Wireshark.

So we can see the destination, the private IP address, and here's the private IP address of my Windows PC that is connected via the Tailscale VPN. Because we are capturing on that VPN interface and not on the external interface, we're able to see all the packets that are inside the VPN tunnel, and we are seeing them unencrypted, right, because we have captured this at the internal VPN interface. So this is very important to understand: where you are capturing and what you want to see. When we go here and follow this TCP stream, we can see the full request that we've done, and we also see our internal server message, so this is probably the Nginx Proxy Manager. Remember I've done the real web request at a different port, so let's scroll down. This is the real request, not to the Nginx Proxy Manager, this is the second one, and we can differentiate that by the source port; remember I've used the port 1680 to make this request. If we now follow this second connection, we can actually see that there is our HTML code: "For online documentation", "Welcome to nginx". So this is our real web request, and we can all use that to analyze it or do some troubleshooting, whatever is going wrong.

Okay, so this is really quickly what you can do with Wireshark. I know you can do so much more with it, but this was just a short presentation on how I've used this tool to troubleshoot network traffic or to find out whether specific traffic is hitting my servers or going through a VPN or whatever. So please tell me which tools you are using and what your experience with them is, and if you enjoyed this video please don't forget to hit the like button, and of course subscribe if you want to watch more tutorials and content for IT professionals. If you want to support my channel even more, then just sign up to my new YouTube membership program. Okay guys, so thanks everybody for watching, and as always, enjoy the rest of your day, take care of yourself, and I see you in the next video. Bye bye.
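The following is an added example and is not code from the video or from The Digital Life. It re-creates in Python the layer walk the captions describe (Ethernet, then IPv4, then UDP or TCP, then DNS or TLS), reads a classic pcap file the way Wireshark reads a tcpdump -w capture, and implements rough equivalents of the display filters used above (dns, tcp.port == 443, tls.handshake.extensions_server_name contains "..."), so both the Wireshark filtering part and the tcpdump-to-Wireshark part are served by one script. Every packet in it is constructed in the script with made-up MAC addresses, private or documentation IP addresses and ports; nothing was captured from the author's network, and the hostnames are only the ones the video uses. Two practitioner caveats it encodes: the .pcap that tcpdump -w writes is a binary format (the readable strings cat shows are just ASCII payloads), and Wireshark's own default save format is pcapng, which this minimal reader rejects rather than misparse; and a capture on a Tailscale (or any other TUN) interface is written with link type LINKTYPE_RAW, so the frames start at the IP header with no Ethernet header at all, which is why the file's link type field decides whether there are 14 link-layer bytes to skip.

```python
import struct

# Builders for constructed sample packets (made-up MACs, IPs and ports; nothing here was captured).
def ethernet(payload):                                                        # dst MAC, src MAC, EtherType IPv4
    return bytes.fromhex("001122334455 66778899aabb 0800") + payload
def ipv4(src, dst, proto, payload):                                           # IHL 5, TTL 64, checksum left 0
    a = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, a(src), a(dst)) + payload
def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
def tcp(sport, dport, payload):                                               # data offset 5, flags PSH+ACK
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
def dns_query(name, qtype):                                                   # RD set, QDCOUNT 1, class IN
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def client_hello(server_name):  # TLS handshake record with a ClientHello whose only extension is server_name
    host = server_name.encode()
    sni_list = struct.pack("!BH", 0, len(host)) + host                        # one host_name entry
    ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list   # type 0, ext len, list len
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                               # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01" + b"\x01\x00"                 # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body              # type ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def pcap(frames, linktype=1):  # classic pcap as tcpdump -w writes it: 24-byte global header, 16 bytes per packet
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(f), len(f)) + f
    return out

# Decoders: the same layer walk Wireshark's detail pane shows (link -> IPv4 -> UDP/TCP -> DNS/TLS).
def parse_dns(msg):
    labels, pos = [], 12                                                      # QNAME starts after the 12-byte header
    while msg[pos]:
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode())
        pos += 1 + msg[pos]
    qtype, = struct.unpack("!H", msg[pos + 1:pos + 3])
    return {"proto": "DNS", "qname": ".".join(labels), "qtype": {1: "A", 28: "AAAA"}.get(qtype, qtype),
            "response": bool(msg[2] & 0x80)}                                  # QR bit: query or answer

def parse_sni(seg):  # server_name from a TLS ClientHello: the one part of the handshake sent in the clear
    if len(seg) < 6 or seg[0] != 0x16 or seg[5] != 0x01:                      # handshake record, ClientHello type
        return None
    pos = 5 + 4 + 2 + 32                                                      # record hdr, hs hdr, version, random
    pos += 1 + seg[pos]                                                       # session id
    pos += 2 + struct.unpack("!H", seg[pos:pos + 2])[0]                       # cipher suites
    pos += 1 + seg[pos]                                                       # compression methods
    pos, end = pos + 2, pos + 2 + struct.unpack("!H", seg[pos:pos + 2])[0]    # extensions block
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", seg[pos:pos + 4])
        pos += 4
        if etype == 0:                                                        # list len (2), name type (1), name len (2)
            nlen, = struct.unpack("!H", seg[pos + 3:pos + 5])
            return seg[pos + 5:pos + 5 + nlen].decode()
        pos += elen
    return None

def parse_packet(frame, linktype):
    if linktype == 1:                                                         # LINKTYPE_ETHERNET: EtherType 0x0800, then IP
        frame = frame[14:] if frame[12:14] == b"\x08\x00" else b""
    elif linktype != 101:                                                     # 101 = LINKTYPE_RAW (TUN, e.g. tailscale0)
        raise ValueError("link type %d not handled" % linktype)
    if len(frame) < 24 or frame[0] >> 4 != 4:
        return {"proto": "non-IPv4"}
    l4 = frame[(frame[0] & 0x0F) * 4:]                                        # skip IHL*4 header bytes
    rec = {"src": ".".join(map(str, frame[12:16])), "dst": ".".join(map(str, frame[16:20])),
           "proto": {17: "UDP", 6: "TCP"}.get(frame[9], "IP proto %d" % frame[9])}
    if rec["proto"] in ("UDP", "TCP"):
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
    if rec["proto"] == "UDP" and 53 in (rec["sport"], rec["dport"]):         # port 53 => dissect as DNS
        rec.update(parse_dns(l4[8:]))
    elif rec["proto"] == "TCP":                                               # look for a ClientHello after the header
        sni = parse_sni(l4[(l4[12] >> 4) * 4:])
        if sni:
            rec.update(proto="TLS", sni=sni)
    return rec

def parse_pcap(data):  # one record per packet; honours the file's byte order (magic) and link type
    order = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if order is None:
        raise ValueError("not a classic pcap file (pcapng, Wireshark's default save format, is not handled)")
    linktype, = struct.unpack(order + "I", data[20:24])
    pos, records = 24, []
    while pos + 16 <= len(data):
        incl = struct.unpack(order + "IIII", data[pos:pos + 16])[2]
        records.append(parse_packet(data[pos + 16:pos + 16 + incl], linktype))
        pos += 16 + incl
    return records

# Rough equivalents of the display filters from the video: dns, tcp.port == 443, ...extensions_server_name contains.
def display_filter(records, **fields):                                        # port=443 matches either side, like tcp.port
    hit = lambda r, k, v: v in (r.get("sport"), r.get("dport")) if k == "port" else r.get(k) == v
    return [r for r in records if all(hit(r, k, v) for k, v in fields.items())]
def sni_contains(records, text):
    return [r for r in records if text in r.get("sni", "")]

# Constructed captures: the two nslookup queries (A and AAAA) plus an HTTPS ClientHello, as an Ethernet capture...
SAMPLE_PCAP = pcap([
    ethernet(ipv4("192.168.1.10", "192.168.1.1", 17, udp(51234, 53, dns_query("golem.de", 1)))),
    ethernet(ipv4("192.168.1.10", "192.168.1.1", 17, udp(51235, 53, dns_query("golem.de", 28)))),
    ethernet(ipv4("192.168.1.10", "203.0.113.7", 6, tcp(51236, 443, client_hello("thedigitallife.com")))),
])
# ...and the plain HTTP request as tcpdump -i tailscale0 -w http.pcap records it: TUN interface, no Ethernet header.
SAMPLE_RAW_PCAP = pcap([ipv4("100.64.0.2", "100.64.0.1", 6, tcp(51238, 1680, b"GET / HTTP/1.1\r\n\r\n"))], 101)
```

Calling parse_pcap on either sample returns one dictionary per packet; display_filter(records, proto="DNS") and display_filter(records, port=443) behave like the dns and tcp.port == 443 filters, and sni_contains(records, "digitallife") like the server_name filter. Real captures carry more than this handles (IPv6 is reported as non-IPv4, TCP options are only skipped via the data offset, and a ClientHello split across segments is not reassembled); Wireshark's dissectors do all of that, and the point here is to see exactly where in the bytes the plaintext SNI sits and why a capture taken on tailscale0 has no MAC addresses in it.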
Info
Channel: The Digital Life
Views: 3,990
Keywords: wireshark ip sniffing, wireshark ip sniffing ps4, wireshark, wireshark filter, wireshark filter destination ip, wireshark filter ip address, wireshark filter protocol, wireshark network analyzer, wireshark network traffic, wireshark network troubleshooting, wireshark troubleshooting, wireshark tutorial, packet sniffing, tcpdump filter ip address, tcpdump wireshark
Id: kthHizueMiY
Length: 21min 19sec (1279 seconds)
Published: Tue Jul 13 2021