Intro to Wireshark Tutorial // Lesson 4 // Where do we capture network traffic? How?

Captions
All right, thanks for coming back for another lesson in this Wireshark tutorial. We've already talked about, in lesson two and lesson three, how to capture with Wireshark, either within the user interface or on the command line. But now we're going to talk about where to capture, so stick around. [Music]

Okay, where do we capture the problem? This is a very common question when we're first getting going with packet capture. Do we capture on the endpoint? Do we install it on the server? Really, where do we put it? Well, the answer has a lot to do with what the problem is and where we have access to on the network. So if we were capturing a problem of a single client that's having connectivity problems to a server, versus a security incident that affected an entire region of the network, well, those would be two different points of capture. So we want to have very clear in our minds what the problem is that we're trying to look at with Wireshark. After we get a good definition of that, then we can make a better decision about where to place Wireshark.

So let's imagine that we're troubleshooting a problem that's intermittent, where several users are having issues connecting to an application. Where would we put Wireshark in that case? Okay, so in this scenario I'm just going to draw it really simply. On the client side here we just have a client, and let's just say that that client is Wi-Fi connected, okay, as many clients are; even mobile devices or PCs anymore, that's often the way that they're connected. So I'm just going to draw a little connection to an access point. Okay, so right there I'm thinking: okay, wireless environment, there could be other users in that environment; that's just something I'm going to consider. And how about we connect that access point to a switch, and then from that switch let's go to a firewall or edge router, and let's just say from there we're going up into our provider. All right, so that's more on the client side of things. Now obviously in your environment this could be much more complex, but let's just try to keep this simple.

Now on the server side, ideally what I'd like to see is some way to capture data over on that end. Now the server side gets tricky, because now what kind of systems or networking do we have access to? Is this server in a data center that you control? Can you actually get access to that server? Do you have access to the virtual network that it's connected to? What if this server is an instance within AWS and you only control that instance and nothing outside of it? So these questions will guide the capture points that you even have access to in the first place.

So ideally, what we'd like to do when we're capturing a problem is, I'd like to see the packets from the client side, and in this case a good place to capture might be just inside that access point, so I can see this user and maybe a few others that are attached to it. And then on the server side, if I had the ability to tap or SPAN (in case I only have access to SPAN) and put my copy of Wireshark here off of that switch, that would be ideal. Even then, it would also be nice to have another capture point, maybe even somewhere else along the chain, maybe off of the network. Let's just say I had a tap that was connected here, and then I can divert that traffic off to Wireshark, where I'm capturing. Now this is an ideal circumstance. What I just showed you would involve three network taps, which physically go in line on the cable and divert that traffic over to an analyzer, where I capture it from. But let's be honest, not all of us have physical access to these connections. We can't just break them in broad daylight, and three taps in three locations is a tall order.

So the next thing we can do, if we don't have physical access to the network, we can't break it in broad daylight, and we don't have a bunch of taps lying around, is we could make use of SPAN or monitor ports. That's where we tell the switch to send data from one interface to another interface; we'd copy it over. Now switch vendors do this in a lot of different ways, so you have to take a look at what kind of switches you have in order to be able to configure this type of monitoring on the network.

But let's just say you don't have any taps, you don't have any access to a network where you could SPAN traffic over to an analyzer. What do we do then? Well, in those cases we might just start by installing Wireshark directly on the client and getting a perspective from the client side. That's a simple way to start capturing. We're not worried about a lot of other users, but we're able to see from this client's vantage point what it is experiencing with that server. Now we want to take this with a grain of salt, because we're installing Wireshark on an active system that is having a problem. We want to take into consideration that we're adding a bit of load to this client, and also we're capturing from the packet driver perspective on that client, so there might be some funny things that we see in terms of timing or internal perception of packet size inside that box. But we'll go into those details in another video. The point is, this is a quick and dirty way that many people begin an analysis: simply by installing Wireshark directly on the endpoint under test. However, preferably we want to try to capture it on the network itself, either on a tap as close as possible or off a SPAN port.

Now on the server side, we could try our best to get a simultaneous server-side capture. That's what I always try to do. My goal is, I want to see it from several vantage points, at least client and server simultaneously. What that does is it allows me to see, for example, a TCP SYN. I can see a SYN come in, I can see it arrive at the server, I can see the server respond, and I can see, hopefully, that SYN/ACK come back. I get a lot of timing information, and I can also see any back-end transactions that that server has to have with databases or other servers involved in the application. However, this is where I've got to really think about my environment. Where is this server located? What kind of access do I have to it? Should I use a virtual tap? Should I use a virtual SPAN? And one thing I strongly recommend against, if at all possible, is installing Wireshark directly on that server. Let's think about it: that server is already busy doing a lot of things. We want to be careful about adding to its load while it's already trying to serve a lot of different users and other services. So only do this if you have very good control over that server and you have a very clear picture of its present resources and how busy it is.

So where do we install Wireshark? It all depends. What is our goal of analysis? Are we troubleshooting a problem? What we want to do is get as close as we can to each endpoint, client and server, and get a simultaneous capture if at all possible, and if at all possible we don't want to do it physically on those endpoints; we want to get as close as possible, either with a tap or SPAN off the network, if we have control of it. Now in other cases, if we're troubleshooting security incidents or something like this, well, then we would want to take a look at the pipe coming in from the network. We want everything on that connection going over to Wireshark; we want as much visibility as possible to be able to see traffic coming and going. So hopefully this gave you a few ideas of where to install Wireshark when you're using it for analysis and troubleshooting. Thanks for stopping by, I'll see you in another video. [Music]
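The payoff of the simultaneous client-side and server-side capture described in the lesson is timing: seeing the same SYN and SYN/ACK at both vantage points lets you attribute the handshake delay to the forward path, the server, or the return path. The script below is an added example, not material from the video or from Chris Greer; it parses two constructed pcap byte strings (one as captured near the client at the access point, one off a SPAN near the server), matches the same SYN and SYN/ACK in both, and splits the client-observed RTT three ways. It assumes classic libpcap files (not pcapng) containing Ethernet/IPv4/TCP frames, and that the two capture hosts' clocks are synchronised (NTP or PTP), which is the check to make before trusting any cross-capture delta. The addresses, ports and timestamps are constructed.

```python
"""Split a TCP handshake's RTT across two capture points (client side and server side).

Added example, not the video's own material. Assumes classic libpcap files
(magic 0xA1B2C3D4, microsecond timestamps, Ethernet link type) containing
IPv4/TCP frames, and that the two capture hosts' clocks are synchronised
(NTP/PTP); without that, only deltas within a single capture are meaningful.
"""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_pcap(data: bytes):
    """Yield (ts_us, src_ip, sport, dst_ip, dport, flags, seq, ack) for each TCP packet."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian Ethernet pcap")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # skip non-IPv4 frames
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                                        # skip non-TCP
            continue
        tcp = ip[ihl:]
        if len(tcp) < 20:
            continue
        sport, dport, seq, ack, data_off_flags = struct.unpack_from(">HHIIH", tcp, 0)
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        yield sec * 1_000_000 + usec, src, sport, dst, dport, data_off_flags & 0x1FF, seq, ack


def find_handshake(data: bytes, client: tuple, server: tuple):
    """Return (syn_ts_us, synack_ts_us) for the first client->server SYN and its matching SYN/ACK."""
    syn = None
    for ts, src, sport, dst, dport, flags, seq, ack in parse_pcap(data):
        syn_ack = flags & (TCP_SYN | TCP_ACK)
        if syn is None and syn_ack == TCP_SYN and (src, sport) == client and (dst, dport) == server:
            syn = (ts, seq)
        elif syn and syn_ack == TCP_SYN | TCP_ACK and (src, sport) == server \
                and (dst, dport) == client and ack == (syn[1] + 1) & 0xFFFFFFFF:
            return syn[0], ts
    raise ValueError("handshake not found in capture")


def split_rtt(client_pcap: bytes, server_pcap: bytes, client: tuple, server: tuple) -> dict:
    """Attribute the client-observed RTT to forward path, server think time and return path (ms)."""
    c_syn, c_synack = find_handshake(client_pcap, client, server)
    s_syn, s_synack = find_handshake(server_pcap, client, server)
    result = {
        "syn_transit_ms": (s_syn - c_syn) / 1000,
        "server_think_ms": (s_synack - s_syn) / 1000,
        "synack_transit_ms": (c_synack - s_synack) / 1000,
        "client_rtt_ms": (c_synack - c_syn) / 1000,
    }
    if result["syn_transit_ms"] < 0 or result["synack_transit_ms"] < 0:
        # A packet cannot be seen downstream before upstream: the capture clocks are not in sync.
        raise ValueError("negative transit time: capture clocks are not synchronised")
    return result


# --- constructed captures (no real traffic; values invented for the example) -----------------
def build_pcap(packets) -> bytes:
    """Encode (ts_us, src, sport, dst, dport, flags, seq, ack) tuples as a minimal pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, src, sport, dst, dport, flags, seq, ack in packets:
        eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"      # dst MAC, src MAC, EtherType IPv4
        ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
        tcp = struct.pack(">HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
        frame = eth + ip + tcp
        out.append(struct.pack("<IIII", ts // 1_000_000, ts % 1_000_000, len(frame), len(frame)) + frame)
    return b"".join(out)


CLIENT = ("10.0.0.5", 51000)   # constructed
SERVER = ("10.0.1.20", 443)    # constructed
# The same handshake seen at two points: near the client (access point) and near the server (SPAN).
CLIENT_SIDE = build_pcap([
    (100_000_000, *CLIENT, *SERVER, TCP_SYN, 1000, 0),
    (100_045_000, *SERVER, *CLIENT, TCP_SYN | TCP_ACK, 5000, 1001),
])
SERVER_SIDE = build_pcap([
    (100_020_000, *CLIENT, *SERVER, TCP_SYN, 1000, 0),
    (100_025_000, *SERVER, *CLIENT, TCP_SYN | TCP_ACK, 5000, 1001),
])

if __name__ == "__main__":
    for k, v in split_rtt(CLIENT_SIDE, SERVER_SIDE, CLIENT, SERVER).items():
        print(f"{k:>20}: {v:.3f}")
```

With the constructed captures the 45 ms RTT the client sees breaks down into 20 ms of forward transit, 5 ms at the server and 20 ms back, which is the kind of split that tells you whether to look at the network path or the application. If either transit value comes out negative the script refuses the result, because that can only mean the two capture hosts disagree on the time; a capture taken on the endpoint itself (the "quick and dirty" option in the lesson) also carries the packet-driver timing caveats mentioned above.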
Info
Channel: Chris Greer
Views: 8,230
Keywords: intro to wireshark, wireshark, how to use wireshark, wireshark class, tcp/ip analysis, wireshark masterclass, introduction to wireshark, chris greer, wireshark course, free wireshark training, free wireshark course, getting started with wireshark, wireshark for beginners, network troubleshooting, wireshark tutorial, wireshark tutorial 2021, wireshark basics, wireshark training, wireshark tips, network analysis, how to capture, where to capture, where to install wireshark
Id: Atde35_9AAc
Length: 7min 30sec (450 seconds)
Published: Tue May 11 2021