Wireshark Tutorial for BEGINNERS // How to Capture Network Traffic

Captions
So in this lesson it's all about packet capture. So how can we actually take data off the network and bring it into our analysis point? Now in this lesson we're not going to talk about where to place the analyzer; we're going to leave that for a future lesson. But specifically we're going to talk about the interfaces that you see when you go to capture traffic with Wireshark, what they mean, and even how to do this on the command line.

So first let's go ahead and get started by looking at what happens when we install Wireshark. Now in order for Wireshark to capture traffic it needs to use a packet driver, so one way that we can see which one our machine is using is by going up to the top. I'm on a Mac system here, so I'm going to go ahead and go to Wireshark > About Wireshark, and here I can see, after some of those details that I can see upon the installation, if I come down here to the operating system that I'm running, here's my macOS, and if I come down here a little bit lower I can see I'm using libpcap version 1.9.1. Now on my Windows box, I'll just flip over there for a moment, and if I come and do exactly the same thing, going to go up to Help, going to come down to About Wireshark, and here I can see on my Windows box I'm actually using the Npcap library. So what that does is that on Windows machines allows me to bring those packets into my analyzer and capture them.

So while I'm on the Windows box let's go and take a look at the kind of interfaces that we see right at the outset. Now if you ever come in here in Wireshark and you don't see anything, it's possible that we either don't have that packet capture driver installed, or it's possible that we don't have administrative access to actually access that level of the system, which we need to be able to do with Wireshark. So here I can see several interfaces on this system: I've got Bluetooth Network Connection, Local Area Connection, here's my Wi-Fi analysis point, and several different things. Now on this machine I don't have a lot of different physical connections to it, so many times you'll see virtual interfaces, especially if you have a lot of VPN adapters or if you're using tools like GNS3, for example, that create virtual adapters; many times you'll see those in this list. Now depending on how I'm capturing, either on the Wi-Fi or if I plug in an actual physical interface, that's where I'll start to see traffic and activity coming in, so on that line it won't be flat anymore, it'll actually show me where that traffic is.

So on my Mac system, coming back here, I can see I have my Wi-Fi interface; I definitely have some information coming and going from there, I can see that utilization, and I also see utun and Thunderbolt and a few other interfaces. Now again, right now I don't have a physical cable installed, and if I did, if I plugged in a cable to a Thunderbolt interface, that's where you would probably see that light up and I'd see some activity.

Now to go a little bit deeper into these interfaces, what I'd like you to do is come up to our little setup button, or our capture options; it looks kind of like a setup gear. Let's go ahead and click that, and that will bring us into our Wireshark capture options, and from here you can see a little bit more detail about each one of these interfaces. Now this is where things can get a little bit confusing, especially when we have interfaces that are virtual that we just don't capture on all the time. So as a practice what I like to do is I like to come into Manage Interfaces, and so what I'll do here is I'll just check the ones that I know I'm actively using. So for example Wi-Fi; maybe for now I'll uncheck these guys; maybe I'm plugging in a Thunderbolt interface, so I'll leave that one active; or if I know for sure one of these is mapped to a VPN interface and I want to capture on that. But what this does is it just simplifies my list, so instead of having 14 interfaces, many of which are virtual that I may or may not be actively using, I just like to leave that to the ones that I know for sure I'm going to use. So I'm going to go ahead and say OK, and I can come back to my list and I can see that that's a bit more simple now.

Now another thing I'd like to talk to you guys about is snap length. So here this is where I can tell Wireshark, if I'm capturing traffic, to only capture a certain amount of data per frame. So say I'm in a secure environment and I don't want to capture the entire payload; this is where I can come in and I can say snap length 64, and that will just give me the first 64 bytes of the frame, and usually that's good enough to get through the Ethernet part of the frame, the IP packet information, so the IP header, and then also the TCP header values. That'll give me about what I need. Now be careful with that, because it's possible that you could under-capture; we could slice it so far, just have such a small amount of data, that it's not really useful. So it's just a good place to remember: if you don't want to capture the entire payload, it's possible just to capture the first hundred or so bytes, and snap length is where you would configure that.

So right next to that is buffer, 2. Now that just means two megabytes of kernel buffer for our capture process. In most cases I find that's fine; you don't have to adjust this number unless you're in a very, very high throughput environment. And we also want to make sure that we always have Enable promiscuous mode on all interfaces, because what this does is it allows Wireshark to capture traffic not just to and from itself but also other machines that are unicasting traffic between each other.

OK, so how about our output? Now I'd like to briefly take a look at that for you. Let's go to Output. So what this allows me to do is configure the place that I want Wireshark to save to, and also allows me to configure some other settings that can make Wireshark traffic easier to read. Now for me personally, when I'm doing my analysis, I don't like doing analysis on trace files anything larger than about 500 megabytes. If a trace file or a pcap is larger than that, it takes a long time to open; I've got to set some pre-filters on it to really get it to open well. So what I like to do is I like to keep those as small as possible. So what I'm going to do is show you how you can do a longer-term capture with Wireshark: instead of creating a very, very large pcap that runs over a long period of time, instead let's capture many smaller pcaps, and then when a problem strikes we just go back in time to the one that was capturing when that problem occurred.

So let's go ahead and configure this. So first I'm going to set a location where I want to save this data to, so I'm going to go ahead and say Browse, and I'm just going to put this for now under Chris Data; there we go; and I'm going to save this as test.pcap; OK, pcapng, there we go; I'm gonna say Save. All right, so now I have my location that I want to actually save, and the name, and next I'm gonna come down; I'm just gonna leave this output format pcapng. But now what I want to do is create a new file automatically, so what this does is allows me to set either an amount of time do I want to capture, or is there a number of packets I want to capture. In this case what I'm going to do is create a new file automatically after, and I'm going to put 500; kilobytes, megabytes, gigabytes; let's do megabytes, and so that will now create a new packet capture after 500 megabytes. Now if I just hit Start at this point, what's going to happen is every 500 megabytes it's going to add a new packet capture, and it's going to be named test and it's going to have a time/date stamp just after it. Now that will continue basically until my hard drive fills, so if I would prefer not to fill my entire hard drive with pcaps, what I can do is I can use a ring buffer, and I can create a certain number of files that will give me whatever amount of time I hope to achieve. So let's say for example if I punch in 10 here, what's going to happen is I'll have 10 500-megabyte files, so after the 10th file what's going to happen is it's going to go back and overwrite the first one, then the second one, then the third one, and so on, but I'll only ever have that rolling amount of data; I only have 10 files of 500 megs each. Now in a low throughput environment that could get me a whole day's worth of capture, but if I'm on a data center in front of a really important database, this could just be a few minutes. So these are the numbers that you can tune: do you want to have more data in each trace file, and maybe use more ring buffer, so for example 100 files that we overwrite? You can start to do the math and figure out how much of your hard drive do you want to take up and how large do you want those packet captures to be.

So once we have this set, now I don't have the Start capture button highlighted because I never selected an interface, so I'm going to go back to Input and I'm just going to select Wi-Fi, and then once I hit Start, now Wireshark is going to do that ring buffer off of the Wi-Fi interface, and then I can go to that location that I'm saving those trace files to after the fact, after an issue happens; now I have the data there and I can do some post-capture analysis. So that's a trick that I use quite a bit when I'm trying to capture a problem, especially one that's intermittent; then I don't know exactly when it's going to strike.

So that was our lesson for today: how to actually do packet capture with Wireshark within the graphical user interface. Now on our next lesson we're going to talk about how we can do packet capture from the command line, so stay tuned for lesson three. Thanks for stopping by, and I'll see you on another lesson in the Wireshark Master Class. Thanks a lot, guys.
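As an added example (not from the video or from Wireshark itself): the dumpcap command line that mirrors the capture-options settings walked through above (snap length, 2 MiB kernel buffer, promiscuous mode, pcapng output, 500 MB files, 10-file ring buffer), plus the disk-usage and retention math the video says to work out. The interface name, output path and throughput figures are assumed sample values.

```python
"""Plan a ring-buffer capture equivalent to the Wireshark GUI settings.

Added example: builds a dumpcap argv and estimates how much disk the ring
occupies and how far back in time it reaches at a given link throughput.
"""
import shlex


def dumpcap_args(interface, outfile, snaplen=None, buffer_mib=2,
                 promiscuous=True, file_size_mb=500, ring_files=10):
    """Return the dumpcap argv matching the GUI capture options.

    dumpcap's "-b filesize:" is in kB (1000-byte units), so 500 MB -> 500000.
    "-p" *disables* promiscuous mode, so it is only emitted when promiscuous=False.
    "-B" is the kernel buffer in MiB (GUI default 2); "-n" selects pcapng.
    """
    args = ["dumpcap", "-i", interface, "-B", str(buffer_mib), "-n"]
    if snaplen is not None:
        args += ["-s", str(snaplen)]          # truncate each frame, as "snap length 64"
    if not promiscuous:
        args.append("-p")
    args += ["-b", f"filesize:{file_size_mb * 1000}",
             "-b", f"files:{ring_files}",      # ring buffer: overwrite oldest file
             "-w", outfile]
    return args


def ring_buffer_plan(file_size_mb, ring_files, throughput_mbps):
    """Return (disk used in MB, retention in seconds) for a ring buffer.

    Retention is how long the oldest file stays before being overwritten if
    the link runs continuously at throughput_mbps (megabits per second).
    """
    disk_mb = file_size_mb * ring_files
    bytes_per_s = throughput_mbps * 1_000_000 / 8
    retention_s = disk_mb * 1_000_000 / bytes_per_s
    return disk_mb, retention_s


if __name__ == "__main__":
    # Assumed interface "en0" (a macOS Wi-Fi name) and output file name.
    print(shlex.join(dumpcap_args("en0", "test.pcapng", snaplen=64)))
    # Assumed throughputs: a quiet office link vs. a busy data-center link.
    for mbps in (5, 800):
        disk, secs = ring_buffer_plan(500, 10, mbps)
        print(f"{mbps} Mbit/s: {disk} MB on disk covers ~{secs / 60:.1f} minutes")
```

At 5 Mbit/s the 10 x 500 MB ring holds a little over two hours; at 800 Mbit/s the same ring holds under a minute, which is the "few minutes in front of a database" case the video warns about.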
Info
Channel: Chris Greer
Views: 169,104
Keywords: intro to wireshark, wireshark, how to use wireshark, wireshark class, wireshark masterclass, introduction to wireshark, network analysis with wireshark, chris greer, wireshark course, free wireshark training, free wireshark course, getting started with wireshark, wireshark for beginners, wireshark tutorial, wireshark tutorial 2021, wireshark training, wireshark tips, packet capture, traffic capture, wireshark basics, wireshark interface
Id: nWvscuxqais
Length: 10min 5sec (605 seconds)
Published: Mon Apr 05 2021