Wireshark Tutorial for BEGINNERS // Where to start with Wireshark

Captions
So let's go ahead and jump into lesson one. Now, the important thing about Wireshark when you're starting to look at a trace file with it is the setup. Now, albeit when you're looking at Wireshark at the start it's a daunting thing to look at, especially when you're first getting going with using the analyzer, so I want to show you a few things, a few tricks that you can use to get a bit more comfort with it.

Now, as you can see here on my copy of Wireshark, this is the default profile. Now that's the first thing you want to learn about setting up Wireshark. If you look at the lower right hand corner you can see which profile you're using. But what's a profile? Well, a profile is basically a set of configurations or settings. Think about it this way: if I go out to my car, I'm six foot two, I want a certain setup for my seat and I want my steering wheel in a certain place and the rear view mirrors, and a lot of cars have the ability to just touch a button and everything goes to me. Well, my wife goes out there and she's five foot one, so she can't just jump in with the same kind of settings that I like to use when I drive, so she's got another setting button, and when she hits that button it all adjusts just to her. Now, in a similar way with the profiles within Wireshark, if I'm troubleshooting TCP I might want a certain set of columns and coloring rules and filters just for that protocol, or maybe I'm looking at Voice over IP or TLS or QUIC. Now I'm going to want different things depending on the protocol I'm looking at, and that's exactly what profiles allow you to do: to save filter buttons, coloring, even dissectors. I don't always need every single Wireshark dissector for every profile.

So one of the first things I want to teach you with the Wireshark analyzer is going down, let's go ahead and go to the right hand part of the screen. We're going to right click this. Now if you're on Default, that's fine; everything that you do and change will be saved to that profile. But let's go ahead and create a new profile, and as you can see there are several in my copy of Wireshark, but I'm going to go ahead and start a new one and we're going to call this "Wireshark Master Class". Doesn't that sound pretty cool? And then we're going to hit OK. So now we can see in the lower right "Wireshark Masterclass". At least this is just how we're going to begin in getting Wireshark set up.

Now if you notice up on top I've got the frame number, I've got the time, source and destination IP addresses, protocol, length and information. Now this is where I want to start to customize things. First of all, text is a little bit small for me, so I'm going to go to my magnifying glass, going to boost that up just a little bit. And you also notice that the columns have kind of come together, they've almost collided a little bit, so I'm going to go over here to the right and I'm just going to click my little column adjuster and that will set up everything so nothing's overlapping.

Now another thing that I like to do, now this is a personal preference, is typically if I'm looking at the packet detail and the packet bytes, in most cases when I'm looking at protocols I'm looking at header values that are over here on the left and I typically have this white space that's over here on the right. So another thing that I like to do with many of my profiles is I like to put the packet bytes up here on the right, so I'm going to show you how to do that. And an important thing to learn about Wireshark is the preferences. That's where we can set up the layout and the columns and the buttons and some of the customization with the protocols, and we can do all that under Wireshark preferences. Now to get to preferences, if you're on a Windows machine you're going to go to the Edit menu and you're going to come down to Preferences down around this area, but I'm on a Mac system so I'm going to go to Wireshark > Preferences over here on the left. This brings up my preferences, and what I'd like to do is go ahead and go to Layout, and this is where I can set up: do I want the packet detail, packet bytes, packet list all stacked on top of each other? Depending on if I have a very large monitor I might want to adjust that. I usually use the next one over to the right.

Now another thing that's pretty fun is in a recent version of Wireshark, here I'm running 3.4.3 I believe, now under the packet, any of the panes, you can also select Packet Diagram, which is pretty interesting to do. In fact, just to show you that, or demonstrate that, I'm going to go to Packet Diagram on this one and let's go ahead and hit OK. And now we can see that our screen has reconfigured, and I also have this really neato feature where I can see the actual frame layout and packet layout for the packet that I've selected. So for example if we take a look at packet number one, which by the way I hope that you downloaded this trace file down in the description and you can follow along packet for packet, but if we go to packet number one here we can see that encapsulated within this packet we have Ethernet, IP and TCP. Well, over here on the right now that I have that packet layout I can see the Ethernet framing, so there's my six byte destination, six byte source and my EtherType, and then I have the IP header values, and in fact if I right click this guy I can go to Show Field Values and it'll actually pull the values over from the packet itself and put them in that layout. Now this is pretty handy, a nice way to visualize a protocol and the structure of that protocol for the headers, and a neat feature that was just added. So I'm going to go ahead and go back to Preferences and I'm actually going to change this on my layout; let's go to pane three, I'm going to go back to packet bytes.

All right, now while I'm here under Preferences there are a couple of other things that we're going to adjust, again just to make things a little bit easier for us. I'm going to go to Columns, and every packet head has to know how to use and read a delta time column. All right, if you haven't done that yet, this is something that surely you want to make sure that you know how to add. So I'm going to come down here under Columns, hit plus, and I'm going to name this column "Delta" and I'm going to choose the type; it's going to be "Delta time displayed". All right, once I have that set up I can go ahead and drag it up next to the Time column. So now I can have a running total of time, or I can have a time of day, or I can have UTC time, and then right next to that column I can have a delta time, which is going to display the amount of time between displayed packets. A very useful column to have when I'm troubleshooting. So I'm going to go ahead and select OK, and if we notice up top we have our running total of time and our delta time.

Now by the way, the Time column, this is an adjustable time column. Like I mentioned, it can be time of day, it can be a year, month, day and then actual time of day if I want. So to adjust this and what it shows, that's where we can go to View and we go to Time Display Format, and this is where we can select how we want time to be represented in that Time column. Now usually I start out with "seconds since beginning of capture", but hey, sometimes I have a client in New York City and they send me a trace and I go ahead and open it, and if I do time of day Wireshark will get the time of day off of my system clock, so if it says three o'clock for them that means noon for me. So sometimes that's also why I would like to use UTC time.

All right, so we went ahead and adjusted our screen layout, we looked at the packet layout view for those header values, and we went ahead and added a delta time. Now another thing that I like to do is I like to color certain things, because if we look over here on the right, this is our intelligent scroll bar, and at least for this trace file you can see how there's just a lot of beige and light blue and not a lot's going to jump out at you in this trace because there aren't a lot of TCP errors and such. But this is where you would look for things like black lines with red letters; those are TCP errors. But something else that I like to do is I like to color my TCP SYNs, and I'm going to show you how to create a coloring rule, because then that will help certain things jump out at you.

Now again, as a side note, I just want to thank Hansang, if he's watching this video. He's a friend of mine from SharkFest, but he has a really good saying, if you will, and he often says "my way or the highway". That means your settings for Wireshark are good for you; that's your troubleshooting style, so no one can ever tell you that that's wrong. If it works for you, go to town. That's why there are all these great configurations within Wireshark. I like to paint my TCP SYNs bright green; you might like to make them some odd color of brown. That's totally up to you, and it's your way or the highway, but right now you're on my highway, so let me show you how to paint those green.

I'm going to go ahead and go up to the View menu and I'm going to come down to Coloring Rules, and this will show you the standard default coloring rules that come with the default profile. Some people hate these coloring rules; they delete them all or they just turn off coloring altogether. To do that you just hit the button up on top; that'll enable or disable the coloring altogether. But to add a coloring rule we hit our little plus button, and I'm going to call this one "TCP SYN", and my filter is going to be tcp.flags.syn == 1. So I like to color any packet with a SYN flag, even the SYN and SYN/ACK; I want that to be green, both of them, so I want to see the client trying to connect and the server response. Now you might think, well, I just want to have only the SYN or only the SYN/ACK. This is where you can start to goof around with our display filter. You can come back here to flags: show me that flags field == 0x002. I'm going to show you how to get to that value, but this would just color the SYN, not the SYN/ACK. I don't like that; I like to go tcp.flags.syn, if I could type, == 1. So there's my display filter. So what I'm saying is any packet that meets this filter, this is how you should color it.

OK, so now that I've got my tcp.flags.syn == 1, now I want to come down and actually color it. So I'm going to go to the background and I'm going to go over here, pick a nice bright Packet Pioneer green if you will, a nice packet head green, and I'm going to say OK. And there we go, so now all packets that meet tcp.flags.syn == 1, all of those will be green. But what I want to do is I'm going to actually drag this below the Bad TCP rule. So what this means is if I have a SYN, if I send off that SYN and if I have to retransmit it, the first SYN is going to be bright green; the second one will be according to the Bad TCP rules, it'll be black and red, right? So I only want the first SYN to be green; any retransmissions, go ahead and make those that error indicator, that Bad TCP. Let's say OK. Now initially you notice how my first packet is white and the second one is green. If you come up here and just do a refresh, it's called another pass, that'll just refresh the view and run this trace file back through the rules that we have enabled, so that will make sure that we have everything colored right. So there we go, we just added a coloring rule. Now again, you can add coloring rules for all kinds of things. Do you want to color the TLS handshake? Do you want to color the FINs? Do you want to have the resets be some type of interesting color that really jumps out at you? So the coloring rules are a nice thing to add.

Now along with that, in this profile what we also want to do is learn how to add buttons. Now throughout this course, and if you take any of my courses, you're going to notice our display filters; we quickly get into how to set different display filters. So let's go ahead and create a button that will set a filter just for our TCP SYNs, how about that? So if I come down here and go ahead and pick that first packet, I'm going to show you a trick so you don't have to remember the syntax for display filters. If you select our packet that has whatever it is you're going to filter for, come down into our detail view, I'm going to go down to Flags and I'm going to go down to Syn. Let's say I want to filter for only packets with the SYN bit. So I come down here and I'm going to right click that and I'm going to say Prepare as Filter > Selected. Not "Not Selected", so I'm not saying everything, but let's go and hit Selected. OK, so we can see up above in the display filter we got tcp.flags.syn == 1. OK, that's great. So if I apply that, now I can see just the two packets in the trace that have that SYN bit set. But I don't want to have to type that again; it's just one of those things, I just want to click a button and have it be there. But to do that, if I come over here to the plus button, now I'll go ahead and see our filter button where we can add a label. I'm going to call this "TCP SYN" and my filter is that same filter as above, and I can say OK. Now I have a button over here on the right, so if I ever open up a trace file and I quickly just want to see the SYNs, I can come over here and click that button and I only see those packets. Now this is where we can do a lot of customization with Wireshark. You can have a lot of buttons up here, and that can highlight things that you're specifically looking for in a trace file. Don't worry, as we go forward those are the kinds of things that I'm going to teach you.

Now one final thing I'd like to teach you in this first lesson is how to add columns up on top. That's something that you're going to constantly be doing. Now to add a column, I showed you how to do it the long way: we can go to Preferences, we can go to Columns and we can manually add one like we did with the delta time view. But instead let's go ahead and add one the more typical way that you're going to do this. So what I'm going to do is I'm going to come down to TCP and I'm going to take a look at TCP Segment Length. I'm going to right click this and I'm going to come down to Apply as Column. Now if you notice I have the standard frame length here by default, but I want to see the TCP segment length, and the reason is that I'm often interested in how much data is actually encompassed in the payload. So this shows me how much is this packet actually carrying in the form of bytes of data. Length is nice, but this is often what I'm digging for, so TCP segment length is a frequent one that I have up here. In fact it's so frequent I'll often come over here to Length and I'll right click this, and I can either come down to Length and uncheck it so it will disappear, or I can remove this column from this profile completely. So I'm going to say Remove Column, and now I just have my TCP segment length.

So this is an initial way that you can set up Wireshark. What did we learn? Let's go down our list. We talked about our screen layout, so how to adjust that. We talked about how we can change from packet bytes to the actual header values of the packet or the protocols. We also talked about how to add a button, how to do a coloring rule, how to add and remove columns, how to add a custom column for our delta time, and to do some simple display filters. So look how much you were able to learn in lesson one of the Wireshark Master Class. So thanks for stopping by. Make sure that you subscribe and hit the notification bell, because as I come out with these master classes I want to make sure that you're notified. Great to have you, and we'll see you on the next class.
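The lesson contrasts two display filters (tcp.flags.syn == 1, which matches both the SYN and the SYN/ACK, versus tcp.flags == 0x002, which matches only the bare SYN), and adds the TCP Segment Length and Delta time displayed columns. The following Python is an added example, not code from the video or from Wireshark: a tiny Ethernet/IPv4/TCP dissector run over constructed frames (made-up MAC and IP addresses, ports and timestamps) that reproduces what those fields and filters evaluate to.

```python
import struct

SYN, ACK, PSH = 0x002, 0x010, 0x008      # TCP flag bits as Wireshark numbers them

def build_frame(flags, payload=b""):
    """Construct a minimal Ethernet/IPv4/TCP frame (constructed sample data)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    total_len = 20 + 20 + len(payload)                     # no IP or TCP options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    doff_flags = (5 << 12) | flags                         # data offset = 5 words
    tcp = struct.pack("!HHIIHHHH", 40000, 443, 1, 0, doff_flags, 65535, 0, 0)
    return eth + ip + tcp + payload

def dissect(frame):
    """Return the fields Wireshark would show: tcp.flags, tcp.len, frame.len."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("only IPv4 frames are handled here")
    ihl = (frame[14] & 0x0F) * 4                           # IP header length
    total_len = struct.unpack("!H", frame[16:18])[0]
    tcp_off = 14 + ihl
    doff_flags = struct.unpack("!H", frame[tcp_off + 12:tcp_off + 14])[0]
    doff = (doff_flags >> 12) * 4                          # TCP header length
    return {"tcp.flags": doff_flags & 0x01FF,              # the nine flag bits
            "tcp.len": total_len - ihl - doff,             # payload bytes only
            "frame.len": len(frame)}

def syn_bit_filter(f):
    """tcp.flags.syn == 1: true for SYN and for SYN/ACK."""
    return bool(f["tcp.flags"] & SYN)

def exact_syn_filter(f):
    """tcp.flags == 0x002: true only when SYN is the sole flag set."""
    return f["tcp.flags"] == SYN

def delta_time_displayed(packets, display_filter):
    """Delta between consecutive packets that pass the display filter (first is 0)."""
    shown = [t for t, f in packets if display_filter(f)]
    return [round(t - prev, 6) for prev, t in zip([shown[0]] + shown, shown)] if shown else []

TRACE = [  # constructed handshake plus one data segment: (timestamp_seconds, fields)
    (0.000000, dissect(build_frame(SYN))),
    (0.012500, dissect(build_frame(SYN | ACK))),
    (0.012600, dissect(build_frame(ACK))),
    (0.020000, dissect(build_frame(PSH | ACK, b"GET / HTTP/1.1\r\n"))),
]

if __name__ == "__main__":                                 # quick demo on TRACE
    print([syn_bit_filter(f) for _, f in TRACE], [exact_syn_filter(f) for _, f in TRACE])
    print(delta_time_displayed(TRACE, syn_bit_filter))
```

Note that tcp.len stays 0 for all three handshake packets while frame.len is 54, which is why the lesson swaps the Length column for TCP Segment Length when the question is how much data a packet carries.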
Info
Channel: Chris Greer
Views: 200,739
Keywords: intro to wireshark, wireshark, how to use wireshark, wireshark class, tcp/ip analysis, wireshark masterclass, introduction to wireshark, network analysis with wireshark, chris greer, wireshark course, free wireshark training, free wireshark course, getting started with wireshark, wireshark for beginners, network troubleshooting, network security, wireshark tutorial, wireshark tutorial 2021, wireshark basics, wireshark training, wireshark tips, network analysis
Id: OU-A2EmVrKQ
Length: 16min 14sec (974 seconds)
Published: Wed Feb 24 2021