The Complete Wireshark Course Beginner To Advanced [Complete Course]

Captions
hey there scott here your video is going to start in just one moment i just wanted to say thank you for stopping by my channel the video that you're about to see is part of a series of videos all of these videos are educational they're teaching you a strategy or they're teaching you about a new tool or they're walking you through a campaign or somebody's delivering insight all of the people that teach over in these videos some of them are me but a lot of them are other individuals who are subject matter experts in their field i hope that these videos will be useful there's a variety of sales videos marketing videos videos that highlight and discuss different tools and technology as well as videos that discuss high level as well as granular strategy these are meant for individuals that are looking to level up in their own career or if you're going down an entrepreneurial road and you want to understand how to build a business from the ground up a lot of these videos can help you as well if you enjoy the video and you watch the whole thing if you got some value from it which i really hope you do please like obviously hit that subscribe button it means a lot but also i want you to check out two other free resources there's a newsletter a bi-weekly newsletter called roi overload that basically highlights the best the latest the greatest the tools strategy insights articles case studies for sales marketing entrepreneurship and if newsletters aren't your thing then you can also check out the roi overload medium publication again it's a free resource that allows you to read case studies learn from people that have done it before a wide range of authors contribute to the roi overload medium publication again link is in the description of this video i hope you enjoy these resources i hope you get some benefit out of them that's all i got here's your video [Music] hello and welcome to this wireshark tutorial series before we start digging deep down into all that technical 
stuff i would first like to give you a bit of an intro so that you may have a better understanding of what the course is about and what you can expect to learn from it let me just begin by saying that this course is meant to teach you how to effectively use wireshark to capture and analyze network traffic a key thing to note here is that the course layout is such that it really does not matter whether you are a beginner or an advanced user either way you will be able to benefit from it to a great extent and now let's just deal with some questions i mean what is wireshark and what it what was it what it what do you use it for why should you learn how to use it well wireshark is an open source program that is used to capture and analyze network traffic it is a must-have for pretty much every network admin out there it is a number one piece of software for its purpose number one in the real world out there on larger scales it has countless applications ranging all the way from tracing down unauthorized traffic to confirming firewall settings and so on i will talk more of this as we continue to progress through the series but for the time being i just wanted to give you a glimpse of it if you go on the net and take a look at job postings for network administrators more often than not at any of the bigger companies advanced knowledge of wireshark will be stated as a requirement or it will be listed as a big plus so either way you either way it's beneficial so if you're preparing yourself to work as a network administrator this course will undoubtedly be of great use to you but regardless even if you are a casual user it will help you to better understand how your computer and not only your computer but all of your devices your smartphone i don't know laptop desktop computer router switch etc how all these devices communicate in local area networks or with the rest of the world okay so before i wrap this up i would like to make a personal note as you can see here on my 
screen i have wireshark installed and configured it is up and running there is currently a live capture session in progress this is approximately how our tutorials will look like this is me this will be our working space this is where we will conduct pretty much all of our activities however if this is your first time that you have encountered something of a kind it might seem a little bit intimidating especially if you don't have any networking ex previous networking experience believe me when i say it is not if you stick with me by the end of this course you will be able to understand everything that is written on this screen and much much much more what i would advise you to be i would i would i would advise you to be curious as it does stimulate you to mess around with stuff although if you do decide to conduct some sort of experiments or something of a kind i would strongly recommend that you set up some sort of virtual machines as it does make things a lot easier and remember in general if you wish to learn something you must be willing to devote a certain amount of time and labor and in our line of work more often than not you will require nerves of steel in the beginning things will seem a bit difficult you will try to solve problems they won't make sense it'll be frustrating but stick with it get through the first steps and things will be and things will become a lot smoother as we continue our program as we continue our progression through the through this uh through this course now that we got all of that stuff out of our way we can now begin with our first lesson in the next video i sincerely hope that you will join me there hello everybody and welcome to this first tutorial of the series here we will review some of the basic concepts in regard to the network traffic it is very important for you to understand some of the basic terms so that information that we will later gather with wireshark can be understood keynote here if you feel that you are 
already familiar uh with basic concepts such as ip addresses mac addresses ports protocols and so on you can go ahead and skip to the installation and setup tutorial okay then most likely at some point of time you have heard the term ip address but you never really understood what it actually is or what it is used for ip addresses in essence were designed in order to make it possible for devices to be able to communicate with one another within local networks or in general over the internet and that is the primary purpose of an ip address aside from that it can also be used to pinpoint the exact physical location of any device that is using it basically you can compare it to a mailing address it is unique and used for sending packets computers and other devices work on similar principles as your local mail you specify recipient and sender address take the letter or packet to the mail office and send it computers pretty much do the same thing except instead of a street address they use an ip address internet protocol or ip as it is more commonly known is just a set of predefined rules that dictate the terms under which communication shall be conducted for example it enables you to browse the web by enabling you to contact a series of servers who also operate on the same protocol ip addresses consist of four numbers and each of the four numbers can go from 0 to 255 delimiter used to separate them is a dot here's an example of how it looks like now i'm just gonna i have my terminal here set up and i'm just gonna type ifconfig that's gonna list out all of my interfaces so i don't know i have a loopback which is hello the first one i have p8p1 which is my ethernet connection i have vr vr1 that's my virtual machine that's for the virtual machines the one that we're going to be focusing now is vlp 2s0 which is my wireless interface so i'm just going to type i've just got to clear the screen first and i'm going to type ifconfig vlp2s0 uh no ifconfig vlp2s0 there we go so 
it gives you a bunch of information here and what is what so we're not interested in most of it as most of it is of really no use to us at the moment the part that we are interested in is the inet so the address the ip address of the interface you have 192 168 1 2. so this is basically how it looks like so 192 168.1 0.1.2 so each one of these numbers for example let's take this 2 it can go from 0 to 255. and you can literally make billions upon billions of combinations with these numbers very simple to very very simple concept to comprehend nothing there's nothing too complicated about it we'll later deal with the interfaces and other things but for the moment i just wanted to show you what an ip address is and how how you can how it is used where it is assigned and where you can find it anyway there are two basic types of ip addresses static and dynamic most private users have a dynamic ip address while on the other hand business users and servers mostly have static ip addresses static addresses once assigned do not change and facilitate a stable and reliable way for other devices to communicate with the given server i don't know in which various services are running while dynamic ip addresses change every time a device connects to the internet or the local network making it a lot more difficult for anyone to contact you simply because they won't know your address as it changes quite often both dynamic and static ip addresses are provided by internet service providers okay now that we have basic understanding of what ip addresses are we can move on to ports computer ports are in essence docking points for all the information coming to our devices and all the packets that are being transmitted by them they work in combination with ip addresses directing all outgoing and incoming packets their proper places port ranges are defined and numbered for example there are most common ports that range between 0 and 1023 but the numbers go a lot higher than that so no 
worries there you have a pretty big pretty big range to work with here's a simple list of some well-known services and ports on which they run so for example you have ftp which runs on 421 ftp is a file transfer protocol if you haven't heard about it also you have http which we all use on pretty much daily basis and https same scenario there except the information on port 443 over https is encrypted and we have a dns which works on 53. so with the with the other ones i'm sure that you've already heard about them or familiar to an extent but let me just quickly and briefly say what dns does so it basically resolves domain names to ip addresses and vice versa so for example google.com would be a domain name i don't know the ip address of it but here let me just find out so we can just do ping google.com and i'm going to drop the ping here so you have it here this is the ip address of google.com basically what dns does is resolves this into this and it can also be used to do to for vice versa pretty much but enough about this i will i will expand on this subject later uh at the later stages of this uh at some other point of time during these tutorials when we actually go into the wireshark and once once we do filters once we actually start doing talking about filters and filtering protocols etc and so on but for the time being let's just keep our focus on the ports each individual port range has its particular purpose and will direct all packets in pre-defined directions here um allow me to do a bit of a demonstration here so i'm just going to clear my screen and i'm going to show you what ports are open on my computer what ports am i listening on so if i just do nmap local host and map host there we go just disregard this upper part and concentrate on this one here so you see you have it says port it says one one one state open rpc bind that's the service 631 ipp ipp is an internet printing protocol i should probably close that because i have no use of it but uh here 
i'm gonna start my apache web server and immediately after that you will see that i will start listening on port 80. so service pd start there we go and i'm just gonna do the nmap again there we go so now you can see that i am listening on port 80 it is open and the service is http so all traffic coming to me on this port will be directed here so see i have localhost there so http localhost and it throws me to this page to the beginning page of the apache server that is not configured anyway that's just a bit of how traffic gets directed and we will expand on ports a bit more later on as we dig into wireshark but for the moment i just wanted to give you some basic ideas so that you would have some sort of basic understanding upon which we will later be able to expand and now we can deal with mac addresses mac it is filled so you see mac it stands for media access control address and that is a burnt in hardware address that uniquely identifies not your regular device in terms of networking but rather instead your network card here's a short demonstration so i'm just going to clear the screen out now i'm going to do ifconfig and you can see that there are various interfaces here as before so each one of these interfaces has its own mac address that is the mac address of the network card uh to which the interface is configured so you see this one is bc8556c68505 my wired interface is 7486 and so on so you see each one of these that is used to connect to the internet or something of a kind has its own mac address and it is uniquely identified so on the local network not on the internet but rather instead on the local network anyway let me just round up this uh with protocols protocol in any system in general is just a set of predefined rules that that determines how something should be done in regard to computer protocol in regard to computers protocols are agreed upon or standardized ways of communication to give you a real life example or a comparison just try to 
imagine two people trying to communicate what would they need well for starters they would need to agree upon which language to use and preferably when one talks the other should listen but as you know this is commonly not the case and that would be that would be a protocol basically they agree okay you will talk now and i will listen then i will speak and you will listen we will use this language to communicate and those are the predefined rules that make up a protocol one of the most famous protocols today one of the most used ones would be a more a proper proper thing to say is a tcp ip tcp stands for transmission control protocol and ip i have mentioned before that is internet protocol we will deal in great detail in later tutorials with tcp udp and other protocols of similar kind but for the moment i just want to give you a hint of what is to come and it would be unwise of me to deal with it now as that is a subject for itself now that we are acquainted with some of the basic terms you see how by just getting an ip address of advice we more or less by default are given a sea of useful information for example uh you can from an ip address you can conclude where the device is located physically i mean not only a country figure out from which country is it coming from from which city from where in the city etc you have websites today that you go on to and you can type in an ip and it will give you its location it won't be as precise but it will be good enough trust me and if and if we and if we just figure out if we do a scan of the system and if we and if we figure out which ports are open on which ports is the system listening we will we will be able to conclude in a good in a good amount of cases what applications are running on the server or wherever anyway next up we need to go over the osi model briefly and immediately after that we will actually start using wireshark we will start dealing we will first go through the installation and then we're going to 
configure it and then i'll show you the various options that it has and most importantly of all we need to go over traffic filtering traffic capturing and filtering in any case thank you for watching i bid you farewell till next time now that we are acquainted with some of the basic terms you can see how by just getting an ip address of the device we get it we can get a large amount of information for example with that ip you can figure out the physical location of that device you have websites today you can just type in an ip address and it will give you a relatively precise physical location of that ip and by just figuring out which ports are open we are able to conclude in a good amount of cases what applications are running all of this will be of great use to us later on primarily because we will do uh ip filters and port filters and protocol filters so all these things will come will come together once we actually start up the wireshark and start using it next up we will go over the osi model but briefly and immediately after that we will actually start using the wireshark first we will do the installation configuration and then we'll actually start capturing the capturing network traffic analyzing it and so on and so forth in any case thank you for watching i bid you farewell till next time hello everybody and welcome to this tutorial today we will deal with open system interaction but more commonly known as the osi model it consists out of seven layers and before we begin let me just say that it is not necessary to understand each one of them in great detail for this course in particular but i do highly recommend that if you wish to work with networks explore on this subject further now let me just go briefly over to seven layers and see what each one of them is responsible for and more importantly what sort of information is contained within each layer so that later on we might when later on when we open wireshark we might segment them we might we might 
filter them in such a way or do something of a kind but in general just to better understand better understand the information that we take from wireshark anyway first up is physical layer but before i start explaining them let me just expand this picture for you and here you can see that they're all listed from one to seven so you have physical data link network transport session presentation application and we're just gonna begin from the physical layer that is not that important to us in general primarily because it is mainly responsible for the transmission of signals through the network but at electrical level so physical layer deals with hardware such as network cards and cables which is not which is not needed today which is not needed for this course we are primarily interested in the software and how things happen on that level next up immediately after immediately after physical layer is data link which is layer two here you have encoding and decoding of data packets as they are translated into bits it is also responsible for handling any errors that might have occurred in the physical layer conducting flow control and synchronizing frames it is made up of two sub layers one of them we already talked about that's mac in the previous tutorial i mentioned mac addressing and the second one is llc that stands for logical link control so mac controls permissions in terms of how a computer will gain access to the data and the permission to send the same while on the other hand llc synchronizes frames ensures flow control and conducts error checking network is layer 3 it is there to provide for switching and routing it creates virtual circuits they're just logical paths in order to transmit data it is also in charge of addressing error handling and it controls packet sequencing as well next up transport layer transfer transfer of data from one host to another basically so it does it so it conducts a transfer of data from one host to a server or just from two 
hosts in between themselves or something of a kind while ensure but this is the important part while ensuring transparency and it also performs error recovery in short it preserves the integrity of data so here lies dcp transmission control protocol guaranteeing the delivery of data and it also guarantees that they will be delivered in the order that they have been sent in very important session session that's layer five that's next so coordinates communication between applications uh meaning it manages and terminates connection dealing with sessions more we shall talk a bit more about that later on as we go into the wireshark itself but here we go presentation layers presentation is layer six it provides independence from differences in data representation simply by translating from application to network format and the other way around so let's say i don't know your skype skype application so voip it and it converts your voice into bits of information and it has a very specific way of doing that but then you have a presentation at layer 6 one general encapsulation so it doesn't matter what is inside of it the application the application layer which is next layer will be able to take it anyway unwrap it and forward it to the proper application anyway all it does is convert data into the suitable application into the suitable form for application layer that's all it's in short it formats and encrypts data for transmission and finally uh we have application which is layer seven now here we will stick for a very long time in wireshark and you will see that most of the things that you see there will be layer seven as the name it's as the name says it supports applications running on your computers it it takes into consideration authentication privacy and it also handles quality of service it provides services for all manner of file transfers and here lies http telnet ftp and other network services so this was a very brief overview of the osi model and the processes 
that take place when data is sent over the network you will soon see how all the information gathered in wireshark is layered and how much time you can save by just knowing where the desired information is most likely to be found and in the next tutorial we will install and configure wireshark to see how all this fits in thank you for watching and i bid you farewell till next time hello everybody and welcome to this tutorial here i will show you how to install and set up wireshark before i begin the installation process itself let me just say a few words about the environment that i'm using so my operating system is linux to be more precise fedora 20. is a 64-bit system so you will see how this comes into play when we go into packets so i'm just going to exit root mode to make a point here and i'm going to clear the screen in fedora which is a red hat based distro we have a yum which is basically your installation manager that's the best explanation i can give for it and we go ahead and type in search wire shark and every package within the repositories that are to be used that has wireshark name in it be it in the actual name of the package or in the description of the package will be displayed here you can go ahead and skip these things immediately so you see development headers and libraries we don't actually need that we need the program itself so down below we have wireshark for 32-bit architectures and for 64-bit architectures if you're not sure which one you are using you can just type in you name all and here you go just just look for this one or for this one here so linux localhost local domain kernel fedora 20 and here we go x86 underline 64. 
no problems now we know for sure that it is a 64-bit system and i'm just going to go ahead and begin the installation process but i am going to install wireshark gnome even though i am using a kde desktop there's gnome desktop there's kde desktop and there are a ton load of other desktops for linux distros i have found out these two have some serious problems in them i mean they don't work well with fedora in any case so just go ahead and grab this one copy it and go ahead and type yum install and paste this oops what has happened here it says you need to be rude to perform this command so as i said previously i exited root deliberately just to show you that you need to be rude or have such permissions as a regular user so you need to be a super user or something of a kind in order to be able to perform any sort of installation from the repositories on the system just go ahead and type su you can also type sudo su i don't know depends on the distro that you're using i just type in su and type in the password there we go i'm just going to change directory now that that makes any difference but i did anyway clear the screen and go ahead and type again yum install fire shark no i don't actually i don't actually need to type it i have it here so just gonna paste it enter and it's gonna begin the installation process it's gonna give you a ton load of information but i wanted to stop it here for a reason i didn't give it the dash y command to go ahead and skip through this so you can see that it is installing where sharp gnome and it is automatically installing for its dependencies as well so just type press here type in y here press enter and the installation process will go ahead while this is happening just in case you are using some other distribution or something of a kind or a different operating system so just going to clear the screen out here and in case you're using a debian based distribution you would type a command that looks like this so app get install and 
then the name of the package like wire shark i think if you just type in wireshark it's gonna start it's gonna find by default the one that you need especially in ubuntu if i'm not mistaken but in case you're not using linux in case you're using windows you need to go out to the web type in well i'm just going to type it in here i have no idea why but just a habit i suppose wire shark go ahead and search for it and see what comes out so the first one is the official website go ahead visit it let me just expand this across the screen so that the the website is www.wireshark.org and on their website you have a ton load of stuff i mean you even have some videos here and stuff of a kind but most important even books but most importantly of all as i wanted to say is the download button so you press the download and there you go you have windows installer two of them for 62 and 32-bit versions and you even have like portable apps wireshark is a portable app have it for os x etc if you are unsure i mean some a lot of people out there will scream at me for saying this but uh if you are uncertain which which architecture do you have is it 32-bit or 64-bit and you don't know how to check it in a specific point at a specific point of time even though you can just go online and type in how do i check the architecture on pretty much any operating system out there but in case you're lazy and you don't want to find out or you don't know how you can always install 32-bit versions and they should work 99 guaranteed the process does not work vice versa 32-bit can work on 64-bit but 64-bit cannot work on 32-bit this is this this what i've just said does not just apply to wireshark this is in general so pretty much for all the applications out there i'm going to go ahead and close this browser i do believe that the installation process is complete yep there we go so we get a lot of information here along with the installation process so it has is installing this installing this and 
verifying the installation so it says installed wireshark gnome and dependencies installed wireshark x8664 so you do need the ground part in all of this anyway uh we're going to start up the wireshark but we're going to start it as root now why is why can't we just start it as a regular program from a ordinary user well you basically can you need to extensively configure it but even so even so you will be prompted for a root password and some of the services that run in the background that you don't actually notice will be ha will have to run as rude generally uh some people claim that it's a security issue but i mean if you're the only person that's gonna use that computer if this is your computer uh obviously you're not gonna do any sort of shenanigans or anything like that and go ahead just go ahead and start this route and don't worry about a thing so wire shark just started it's an open source application so you know that there is nothing even though you perhaps probably cannot understand the code you can rest assured that there is nothing malicious in it primarily because pretty much everybody out there can see it so certainly there would be somebody out there screaming if there was something wrong with it anyway there you go wireshark is installed and ready to be used i'm just going to go ahead and start a live capture to do a small demonstration before i wrap this up so we have look at the amount of interfaces it has recognized on my computer so we have bluetooth i have i don't know which ones are these but anyway this is for the virtual you can even capture traffic from usb unfortunately my laptop has only three usb 3 usb so i have to use extensions uh etc so you can even you can you even have an option to listen on any of these interfaces so if you don't know or if you don't want to bother finding out which interface you are using which through which interface are you connected to the net you can just listen on all of them and whatever traffic comes you 
can capture it but i don't really recommend that if you're troubleshooting an issue or if you are really looking for something specific there are there are uses for this option but what i generally like to do is simply go ahead uh open up my terminal open up my terminal this is one method that you can use but there are there's another one which i will show uh in a moment so just type go ahead and type in i have config press enter and as before you have a list of interfaces here i know that i'm using p8p1 wired interface primarily because my network cable is plugged in and my wireless router is turned off for the moment so i can't even connect to it even if i wanted to so you can see i don't have an ip address assigned here this virtual interface this is just for traffic from virtual machines none of them are up and running uh i know that's not loopback because that's only for local communication that's only for local things on the computer itself and you can see that the internet address has been assigned you have a net mask you have a broadcast down here you have numbers these values are not empty so packets are being are passing through this but a much much much easier way to figure out which interface you are actually using would be to go to your local network manager mine is in upper right corner just open it up and you can immediately see it says p8p1 connected active connections in the active connection list and down below you have available connections to which i'm not connected where your network manager is it really depends how you've configured your desktop by default i do believe that it's in bottom right corner and you can click on it open it but i'm sure you won't have any problems finding it that's the easy part anyway once we know that once we figured out which interface we're using and where do we want to capture traffic we just find it here so there we go p8p1 and one key thing to note if you're using some other distro uh for example a debian based 
is true or something of a kind you're probably going to have marketing such as these for your interfaces eth0 and eth one the mean conventions are not the same so yeah that can be a bit confusing but no problems you still be able to figure it out it won't the names won't be exactly as mine are but you'll still be able to figure it out just by looking at it eth0 usually represents the wired connection and eth1 wireless connection as far as i've seen anyway it doesn't have to be the case but usually is just check it out see it and as a final resort you have your network manager where you can be absolutely certain so php1 you click on it you mark it it needs to turn blue it needs to turn blue like this and there is this green glowing shark tail in upper left corner when you go over it with a mouse it says start new live capture and that is exactly what we shall do at this point of time just click on it and we should start getting in packets any moment now there we go so in the next tutorial i will explain the features of wireshark so what these what what these buttons are doing what you can do with these uh menus what is where but most importantly of all this will be our working space this where it says filter this is where we shall apply various filters to basically seclude portions of traffic or to only get certain kinds of traffic because look at look at look at this now i mean you're getting all sorts of information all sorts of protocols coming in on all ports and it's just chaos this is basically one could interpret this as white noise because you cannot distinguish relevant information but what you can do is apply filters and then see what you want to see or see segments of that just before i finish i just want to show you so look it's installed it's set up it's running everything's fine it's working but if you install it for the first time this issue can arise so this uh this bar or this window let me just try to grab it there we go come on come with me up pop 
up, there we go. It climbs up all the way to the top, so your first Wireshark can look like this: this lower window is completely expanded and it's blocking the upper one, so you can't see it, and you might think, oh man, there's an error, or I didn't do the installation the proper way, or something of the kind. It took me about 20 minutes to figure it out, a bit of an annoying thing. Basically, just pull it down, that's it. I think it's fixed with updates, but it tends to happen from time to time and you don't know what's wrong with it; you just need to tamper with it a little bit and then figure it out. That would be it. I thank you for your time and I bid you farewell till the next tutorial.

Hello everybody and welcome to this tutorial. Today I will be explaining various features of Wireshark and its interface, so we can begin from where we left off. You have an interface list here, and as you know you can pick an individual interface to listen on, or you can pick to listen on all of them. Aside from this, you can also click on "interface list", and here you are prompted with this window where you are actually able to pick multiple interfaces that you wish to listen on, but not all of them. So, I don't know, I can pick my wired interface and I can pick my wireless interface to listen on, and as you can see it is not connected, so you see "none, none, none" and it's gray, it's not colored, it's not black. This is also one of the more universal ways, I would say, to determine which interfaces are functional, where the packets are coming in and out, which ones are working, and so on and so forth. So you can just see here where the packets are going through: p8p1, that's the active one, and apparently my USB as well, because I have a lot of things that are plugged in there through a single USB port. But you get the general idea behind this interface list
menu, so I'm just going to go ahead and close it. Also, there is a very nice feature here under Capture: you click on it and you see there is this last option, it says "refresh interfaces". Now, since all of my interfaces are up, and since I know for a fact that Wireshark sees all of them, this option doesn't make much sense, but let me do a small demonstration here. So I have my vlp2s0 wireless interface and it is up, but I'm just going to open up my terminal and we'll bring it down. So here we go, I'm going to run ifconfig and it's going to list out all my interfaces that are up. You see the vlp2s0 wireless interface is up, but it is not running at the moment. However, I do need to be root for this, so I'm just going to relog. There we go, and will it go? No, it will not: authentication failure. So just one more time. I can't believe how many times I've gotten my password wrong, and my passwords are ridiculous, I can tell you that much; I have some of them which are 20 characters long, but that's beside the point. We're just going to bring the interface down now: vlp2s0 down, there we go. Okay, so I'm just going to show you that it is actually down and not being displayed here. There we go, so we have three interfaces that are listed here, but my wireless interface is not. However, if I go back into Wireshark you can see that it is still listed here even though it is down; that's why we need to refresh. Pay attention to the vlp2s0, the one that is highlighted now: just refresh interfaces and it's gone, it's no longer here, Wireshark has figured out that it is down.

However, this is not a real-life scenario. A real-life scenario would be that you were starting up Wireshark without bringing up your interface before that, so when you started up Wireshark your interface is not going to show here, primarily because it's down, and then you remember, oh okay, I need to bring it up, and you go ahead and open up your
terminal, or some other way of bringing your interface up, and you say ifconfig vlp2s0 up. There we go, and then you confirm that it is up, and here you can see it, vlp2s0 is up. Okay, you go back to Wireshark and now you want to start a live capture, but hey, your interface is not listed here, so what do you do? If you haven't guessed it already, you just go to Capture and "refresh interfaces", you click on it, there we go, it has recognized vlp2s0, my wireless interface, no problems. So just a bit of a trick or a tip here, what you can do in case you didn't bring your interface up or in case your interface was not listed here: any changes that you make to the system in regard to the interfaces, Wireshark probably won't catch them by default; you do need to click on Capture and then "refresh interfaces", and then it's going to pull a new set of information and be able to display it here for you.

Next up we have Edit, and then we go into Preferences. Just click on it, it's all the way at the bottom, and you will be prompted with this window where there are a lot of options. Let me just say that there are a lot of options here, so we'll begin from the trivial ones and move on down to the technical ones. So over here you have User Interface, its layout and how you want it to actually appear before you. If you just read through all of these things here, they're pretty much self-explanatory: save window position, save window size, save maximized state. I actually don't know what this one is, but it's not important at all; this is just how it looks, nothing more. Right there you click on Layout, and here is something interesting that you can do. So you have three panes when you start a packet capture session, and their positions can be like this, one, two, three, and this is how they are at the moment, but you can also have them spread out like this, or like this, or you can have any of
these variants here. Aside from that, each pane can be assigned attributes of a sort, so you can say, okay, I want pane number one to display packet list, while pane number two shall display, I don't know, packet bytes, and pane three can display packet list. So it doesn't have to be configured as it is configured here and now; you can configure it any way you like, whatever suits you, basically.

So we go down; next up it's Columns, and here we have some interesting things in the technical sense as well. This is basically the information that is to be displayed when the session begins, when the capture actually begins. So these columns: you have number, the number of a packet; you have the time when it was captured; a source address and destination address, these are IP addresses; protocol; packet length in terms of bytes; and some information about it. But in addition to that, you can just click here on Add and it creates a new column for you. So you have two fields that you can fill in. You have the name of the column: you can put here whatever you want, it makes no difference; I would advise you to put something in that will associate with the information that you want to display, but for the sake of this tutorial I'm just going to type in "whatever", just to demonstrate that this doesn't have any bearing on it, this is purely for your comfort. And then you just click on it, go ahead, and there's this "field type": just click on it, and look at all the information that Wireshark can display in regard to network traffic that it captures. So you can basically tell it to display any of these things. I won't go into great detail here explaining what each and every one of these can do, but rather, when we move on to filters, there we will be dealing with things such as these, because I'm going to be adding stuff into filters and we're going
to need this in order to analyze the traffic that we capture and in order to filter it, basically. Anyway, you can see that some of the items here are already listed; for example, protocol, the one that is lit in blue now, is already being displayed. So if you just take a look at the left side, you can see that you have a title, Protocol, and you have field type Protocol as well. You can add as many as you like, but I would advise you not to do too many, because there is only so much that you can fit into a screen, and then you have to scroll back and forth; it gets a bit hairy and you can't get to places, you start missing out on information. So just have it clean and neat and only have displayed the information that you actually require, and not something that you don't need. The less redundancy you have, the better it is for you. I'm just going to go ahead and remove this panel.

And now we can go to Fonts and Colors. There is one thing that I like to do here: I don't change the font itself, but I do like to increase the size to 14. I don't know, probably because I'm blind or something like that, even though my doctor says I have perfect eyesight. But there is another reason why I'm doing this: a lot of information is displayed during a live capture session, and you spend a lot of time looking at it, and it's my personal belief that the bigger the letters are, the bigger the numbers are, the easier it is to spot information of importance. Now that is only my personal preference, that doesn't necessarily need to be the thing that suits you, so just do whatever you wish here, configure it however suits you, change the font if you wish, change the size, whatever. Down below you have colors. You can also play around with colors and how things will be highlighted, but I generally wouldn't recommend it, primarily because you can have overlapping
colors. So for example you can have two things that are the same color, and when they are displayed they will cover each other up. One of the typical mistakes that some people make, that I have made a long time ago in the past, is basically that I gave the text the same color as the background, which is amazing, I mean, you couldn't see the text. That's why I would recommend just going out onto the net and getting yourself an XML file. Those XML files are for imports, and they can change the color schemes of your interface here. So for example, if you want a darker interface, you can get such formats from the net and just import them, and it will be set by default for you. That's just a personal recommendation, but I'm obviously not going to do anything here now, as the default layout is perfectly fine for this course.

Anyway, we're now going to go down into Capture, and here there are some very, very interesting things. For example, you can configure your default interface so you do not need to specify it every time you start Wireshark up. So for example I can either type in p8p1 and say that that will be my interface, or I can go ahead and click here and I'm going to have a drop-down menu and I can pick an interface from it, in case I don't know which one it is, in case I don't know the name for it. Now, this is very important: here it says "capture packets in promiscuous mode on all network cards". Now, there are two modes with which we shall deal. We have promiscuous mode, and when a network card functions in promiscuous mode it means that it will only and only process traffic that is meant directly for it, and if it's running in monitor mode, pretty much all traffic that it comes by, it's going to take it, process it, and you will be able to see it. Very important for LAN networks or something of the kind, primarily because you can spoof the network and see what's going on on it, you can capture information,
and it can actually be a pretty bad security risk. Anyway, down below you have some of the display things, for example "automatic scrolling in live capture", definitely have that ticked, and "update packets in real time", but these things are configured by default, so no worries there. For example, it's going to scroll automatically for you, but if you manually scroll up it will stop the scrolling process, a very nice feature. I will show all this a bit later on once we actually start to capture and once we actually start dealing with the filters themselves.

So we're going to go down and hit Filter Expressions and see what happens here. Here you can add filters; you have enable, label and filter expression. Keep in mind that you can create multiple profiles in Wireshark, and every profile you can design to do a specific thing, to capture specific packets, so you don't need to do the configuration over and over again in the same profile; rather, you can configure one profile to do one thing and another to do another thing, and then when Wireshark starts, just choose the one that you want and that's it. Here you can create a list of custom filters for the profiles, so I'm just going to go ahead and remove that, because we don't really need any custom filters for the time being.

Go ahead and jump down into Name Resolution. So here we go: resolve MAC addresses, we talked about them a bit before; resolve transport names; resolve network (IP) addresses; use external network name resolver, etc. So up to "enable concurrent DNS name resolution", that is what we want to look at for the time being; you can disregard the rest, except for this one: you have GeoIP database directories. These things are available on the net and you can download them, but keep in mind that you will always need to update them, and they are not always precise. For example, in terms of
countries they can always assign IP addresses to the correct countries, but when you come down to the cities, oh, that can be a bit tricky, mistakes are bound to happen there. So this is something that you would obviously need to download from the internet. It's just a file, you download it and there you go. Basically, click Edit here, I'm just going to show it to you, New, there you go, so now you can pick it here from wherever you wish; it's bound to be somewhere, I don't know, it depends where you install it, and from there it will be accessible to you. So you just need to go to the GeoIP database directory. I have a different tool for that which I can update rather fast and with greater ease; perhaps we can discuss it in some of the further tutorials as we go on into the actual practical part, into some exercises and into some real-life scenarios, but for the time being just be aware that that is a possibility. Printing we can just go ahead and skip, it's self-explanatory and there aren't even that many options anyway.

Now I'm going to go ahead and click on Protocols, and I don't want you to freak out or anything of the kind: there's going to be a lot of them, and we are not going to go through all of them, there is no need. But we will go through those that are used on a daily basis, those that you are most likely to encounter, because, let's face it, even the most experienced network admins are not likely to encounter all of these protocols, not during their lifetime. They usually are very specific and they deal with very specific stuff that is predefined in advance; they won't need to know all of these things. You can have some sort of general knowledge of what they are, but that's about it as far as the requirements go. However, protocols like TCP, UDP and IP, such protocols you really, really need to know, they are used on a daily
basis, and we will deal with them in great detail a bit later on, once we actually start the capture process and once you can see all those small segments that give you a ton of information. Down below you have Statistics; we're just going to skip this for now, nothing of importance lies here, so I'm just going to click OK. I am running out of time here, so I will make a part two for this particular tutorial; this will be a two-part tutorial. Next time when we come around we're going to actually go into the live capture and we're going to see what we can actually do there and what sort of options we have in that part. In any case, I bid you farewell and I thank you for your time.

Hello everybody and welcome to part two of this tutorial. I am just going to go ahead and start a live capture so I can show you some of the things that we can actually do there. First up will be View, in the top left corner. Here you have zoom in and zoom out, but all that you can do on the keyboard, like pretty much in any other program, so just Ctrl++ or Ctrl--; it says ++ here, but I'm pretty sure that -- works as well. In any case, you're able to configure which toolbars you want to be displayed: main toolbar, filter toolbar, you can even tick this one for the wireless toolbar if you wish, but I'm not sniffing traffic on wireless at the moment, I'm listening on my wired connection, so that's kind of pointless. But if you feel that some of these bars are actually obstructing your view or anything of the kind, you can just click on them and not have them there; they won't take up any of your space or anything of the kind. You also have, down here, Coloring Rules, so you might think, oh, but didn't we do that already in the previous
tutorial? Well, yes, for the text, background and such things, but look at this: here you have the current setup, so look, bad TCP packets will have this color and they will look so, these sorts of packets down below will look so, etc. So here you can actually see what colors apply to which packets, and to the state of those packets as well; just a nice tip there. You can also customize them; you can also specify which colors you want for every specific packet, and so on and so forth. Here you have import and export options. I'm just going to cancel that, because I haven't done anything and I don't really want to mess around with that at the moment.

Up we have the Capture menu. All of these things we have already seen and done, but we haven't yet started to dig into capture filters. You also have this Restart button; you have it in the main menu as well, and you have a shortcut, Ctrl+R. If you click on it, you see what happens is that the whole process will be restarted, but it hasn't prompted me whether I wanted to save the session or not, so that's generally not a good idea to do; you stand to lose a lot of data or something of the kind. Better just stop, save, and then start the session all over again without any sort of problems. The stop button is of course the red one in the upper left corner. In addition to that, you also have a lot of these buttons here, so we can take a look at them one by one: "list available capture interfaces", and then you have these two gray ones, "stop running live capture", which is a stop button, and "restart it". Then the next one is "open a capture file". This is a very nice feature; obviously you can't do that while running a live capture, that would make no sense, but suppose you were not, you could actually click on it and open a previously captured file, and it would be
displayed just as a live session is displayed. Of course you wouldn't continue on capturing, you would just be analyzing what you have already captured. "Save file" is pretty much the same as in any other program, or you have a close option here; it's very simplified, pretty much made so that anybody would be able to use it. "Reload" is a very nice feature there, to reload this captured file just in case you feel like you're missing out on something, or you feel that it's not doing what you wanted it to do, or you've made some changes in the back end. You can also use the search option: just click on it and there we go, you can search for a particular packet, but generally I don't use it; I mainly use filters and then find it, primarily because I wouldn't know where to start with a single packet. Rather, you always find a group, and then within that group you try to find that which you need. So you have back and forth options as well, and "go to the packet with number": yes, you can specify a packet number, but usually that's something you approximately type in, and then around there you are able to find what you're looking for.

Now, these two nice-looking arrows are of great use to us. So for example, if I scroll, look, automatic scrolling is enabled, but if I scroll up it's going to stop; I mean, the scrolling continues, but it's just going to leave me on the screen that I am on now. This is usually a lot bigger, so let's say you are somewhere up here and this file gets really big; you don't want to manually scroll all the way down to the bottom, so you just use this arrow that is highlighted now. You click on it and it should throw you to the bottom, yep, there we go, and you're back at the bottom and you can see live incoming packets once again, no problems. Right next to these arrows there is color; I mean,
you can enable and disable the colors of these packets. So if this is annoying, if you feel that these colors are giving you nothing useful, you can just turn them off here and they will no longer be displayed. There you go, you see everything is now basically a single color; actually there are three colors in total that are constant. But I like to have color turned on, it just makes the interface look nicer, and it does enable me to spot the things that I want to spot a bit faster, actually a lot faster. So, manual zoom out and zoom in options, resizing of columns; you don't really want that, you can do that manually anyway by just dragging them, like this, there we go, the protocol column has been expanded and contracted, really easy to do. Next up, again you have Coloring Rules, a shortcut for Preferences, and you have a help bar here. I have never used it, honestly; if you need help with anything, well, the internet is there for you, let's just say that you can always go there and find out whatever you want to find out.

Okay, so next up would be this filter bar here. I'm just going to type "dns" into it and I'm going to press Enter, just to give you a glimpse of what is to come. We'll mainly be dealing with this filter bar; that will be our working space, everything that we need to do we will pretty much do in this filter bar. So you can click here on Expressions, and there we go, these are the sorts of expressions that you can use to filter various traffic. So for all these different things, it usually equals: the blue one, "==", means equals; the next one, "!=", exclamation mark equals, that's basically "not"; as soon as you have an exclamation mark anywhere in the programming world it usually means "not", so this means not equals. Then greater than, less than, greater than or equal, less than or equal, contains, matches, is present; I think there are a few others as well listed somewhere around here,
but we will go through all of them once we actually start using our filters. These things you do need to know: equals, not equals, greater than, less than, greater than or equal, less than or equal; those are the basic ones and those are the ones that we will be using the most. There are some other logical operators with which we shall deal; I will show them to you, they're very simple to understand, nothing too complicated. For example, you can type in "dns" here, or you can type in "and"; obviously none of these expressions would be used now, but if we were to, I don't know, say, an IP address, you could say source IP here. Let me just show it to you: "src", oops, sorry, "ip.src ==", and now here you would type an IP address, let's go ahead, 192.168..., there you go, and now you have Apply. So as soon as you type in the filter you need to click Apply, or a simpler way is just to press Enter, and it should clear them out. Yep, there we go, so all traffic that has 192.168.11 listed as a source IP address will be listed here. But I didn't want to show a filter here; rather, I wanted to show this expression, so it's "==". There are some others which you will need to know which were not listed there. You have "and", oops, nope, that's not it, oh god, there we go: "&&", and that means, when you have multiple conditions that you want linked together, and when you want to say match this rule and this rule and this rule, you just use the "&&" (ampersand, ampersand) signs, and that basically links all those rules together, makes them mandatory, so they all have to be adhered to. There's another one which is also used, basically this double line, "||"; in essence that's "or", it is as if you typed "or", so you have one rule and then you have another rule and you say basically either adhere to this filter or adhere to the other one. If you didn't quite figure it out now, if you didn't
catch it, don't worry about it. In the next tutorial we will start dealing with filters and I will explain these things in far, far greater detail; you will understand it, I guarantee it to you, no problems. In any case, that would be it as far as the interface of Wireshark is concerned and its basic functionalities. Next up we will deal with filters, and that is the most interesting part of Wireshark; that is where this program truly shows its purpose and it shows you what it can do. I bid you all farewell and hope to see you in the next tutorial.

Hello everybody and welcome to this tutorial. Today I will be talking about filters, to be more precise about protocol filters. I will mention some of the protocols that we've talked about a bit before, but we'll get into more detail now, and I will also mention and explain some of the newer ones. So you have the option in Wireshark to filter all traffic via a specific protocol, although those are very loose filters and they will give you a lot of information; you want to downsize, you want to trim that information further, so at later stages we will apply some other filters to it as well. However, before we begin with all of that, I just want to explain to you what you are seeing at the moment. So in the upper left corner you have a filter bar, and in the field you can type in whatever you want, but there we will be typing in our filters. Let me just show it to you: "whatever", you see it is displayed there, it is marked as red, which means it is not a valid filter, but in the bottom right corner it is retyped and re-shown, so to say. This thing that you're seeing in the bottom right corner is not a part of Wireshark or anything of the kind; this is just a magnifier app that I have installed, that comes with KDE or something like that for Linux, and here you will be able to see with greater clarity what I'm going to type in the filter field. I've done this primarily because I can't
resize it; it is the way it is, and the letters are a bit small from the perspective of a viewer who is watching this tutorial, so you will be able to see whatever I typed there down at the bottom right corner. Excellent, now that we've got that out of the way, we can go ahead and start using our very first protocol filters. So as you can see, at the moment there's a certain variety of protocols that are being displayed here: you have DNS traffic, TCP, TLS (this is encryption), and you have ICMP, which is a ping; we will deal with that separately. But for the time being, what I want to show you is this bottom bar, where information is displayed in regard to the amount of packets captured and the amount of packets displayed. So you see that the numbers are exact, and next to the displayed packets you have a percentage of the total packets displayed. So if we just go ahead and go to the filter field and type in "tcp" (there are some other options below it, but we're just going to press Enter for a regular TCP filter), and if we go down back again and take a look at what percentage of the total amount is being displayed, you see it's 83 now. You might think, oh excellent, we've downsized the information that we need to process by 20 percent, but let me tell you, that is nothing. Four thousand packets here is a fairly low amount, primarily because I don't have a lot of active internet connections at the moment while I'm doing this tutorial, but if I was on the net, if I was doing something, if my DNS server was up, if I was communicating with other computers in the LAN, the number of these packets would jump to hundreds and hundreds of thousands, eventually into millions, etc. I have no doubt that after a while the live capture process would probably crash my computer because I would simply run out of RAM. Therefore we're going to go ahead and try a different protocol filter aside from TCP. So these are some basic protocols which you do need to be
acquainted with, so we're just going to type "udp". We didn't talk about it much, I think I've just mentioned it before, but UDP is the User Datagram Protocol, and I will explain it to you in a second, but I just want to show you packets captured and packets displayed. So this is displaying only 10 percent of the total content, primarily because there isn't that much UDP traffic in general, not unless you're using some sort of VoIP application, like Skype; if you were using Skype you would have a ton of UDP traffic. However, as you can see here it's only 10 percent, and 10 percent is something manageable, it's something you can deal with, it is fantastic. You can see that most of the traffic out of that 10 percent is DNS requests, so here you can see I'm connected to Google Drive, Docs, Mail, etc.; these are the DNS requests that I have made. DNS, by the way, functions over UDP; I will talk more about it in a moment, but for the time being we're just going to stick with it. UDP, unlike TCP, does not guarantee delivery at all; it just sends packets, and there's no guarantee whatsoever for you that the other side will receive them. That's why it's not very reliable, especially if you're using it for some sort of chat applications, for messengers or something of the kind, but it is extremely fast, it is much faster than TCP, and that's why some other things like DNS servers or VoIP applications do tend to use it. But whether an application uses TCP or UDP, that's purely left to the person developing the application; it is not a mandatory requirement by any means.

Okay, so next up I want to do some DNS filtering, and there are two ways in which we can do that. The first one is relatively obvious: you can go ahead, click on the filter field and type in "dns"; let me just show it to you down there, yep, there we go, press Enter,
and it's going to filter out all DNS traffic, so you can see all the queries: on the right side you have Google Docs, docs again, google.com. I don't know, I'm going to open some other things in my browser in later tutorials when we do some real-time exercises, but for the time being you can just see what it is and how the filter works. There's also another way of doing this. As I said, since we know that DNS servers function on port 53, and all queries are made on that port as well, and we also know that DNS functions over UDP, although it can function over TCP as well, we can just do this: "udp.port", oops, it escaped a bit, so you can see it here better, "udp.port == 53", and there we go. We can also spoof DNS traffic like this; we can monitor it in such a way, by port, rather than by just typing in "dns". I don't know, "dns" is a lot simpler to type in and all that, but this is a much more precise thing to do. In addition to this, you can also put in a logical "or" and type in "tcp.port == 53". So this is also a very nice way of doing things; it makes sure that all traffic, be it UDP or TCP, on port 53 is displayed, which in my case is five percent of the total traffic that goes on my network at the moment. This is primarily because I have stopped the capture, and during the capture I have not made that many queries; I have not opened pretty much any websites or anything of the kind, just that which was already opened in my browser stood like that, and a few pages that I refreshed, but nothing much. So five percent of total traffic, that is it.

Okay, so next up we have ICMP, more commonly known as a ping. It is a fantastic protocol, a fantastic utility to test and troubleshoot connections. So basically, here's an example: you know one of those days when you've opened up your browser and no page wants to open? Basically you're uncertain whether you have connection issues, or whether it's browser issues, or
something of a kind well you can solve your dilemma with a ping by simply doing this so you open up your terminal i have mine here so you just go ahead and go to a free tab i'm just going to lower it because i want to show you how these things happen and before we actually start any ping processes any on the terminal i would like my filters to only capture icmp packets i don't want it to show all these things because it's going to be confusing and we're not going to be able to see them so i'm just going to go ahead and type i cm p and that's going to be my filter press enter there you go the screen is clear there are no icmp packets primarily because we have not transmitted any so we go ahead and type in ping google.com when i press enter just watch what happens watch how many packets are gonna come out and there we go it's starting so you see protocol icmp ping request reply request reply it just goes on and on and on uh if you're using a windows machine this is going to repeat five times if i'm not mistaken if you're using a linux machine it's going to repeat god knows how many times but you can specify the amount of things you want to send in any case as i said before a fantastic way to test out your connection so you see this is just a communication between me and i am 192.168.1.2 and the google server which is well not google server but yeah it basically is a server but this is a this is an ip address of google.com so 208 208 117 229 and two one nine i have pinged it i now know that i have internet connectivity that i have the ability to reach the outer world and if my browser won't open a page or something like that it could be that there's something wrong with the browser or that a firewall in my local network is preventing me a proxy server that could be a proxy server that's preventing me to exit on the net in any case uh that would be it for this tutorial here i will wrap things up and in the next tutorial we will be dealing with ip string and port 
filters so we'll be able to see how those function and after that we will we should be able uh to do some live exercises i'll make a setup for you guys so we'll have more than one machine and we will see how they can communicate in between each other and more importantly at later tutorials we will see how we can actually capture that traffic how we can analyze it and get some useful information from it in any case i bid you farewell until next time hello everybody and welcome to this tutorial today i will be talking about another set of filters that we're going to need in order to be able to analyze packets in depth and in order to minimize the amount of packets that we will capture so that we have smaller capture files that have greater precision and that will provide to us what we need exactly and not a lot of redundant information that we don't really want in any case i'm just going to go ahead and select my filter here the first thing that i want to explain is src and dst so usually you will see these two keywords being used in all sorts of filters src simply stands for source and dst stands for destination it can refer to an ip to a protocol and in general in a linux sort of environment src and dst those are locations for sources and destinations they can be used as such anyway the first filter that i want to show you is ip dot src so in and then you type in equals equals and in this manner you can filter all traffic coming in coming uh that has that contains a certain ip address so all packets that contain a source ip address that you specified will be displayed aside from that you can also type in ip dot sorry dst there we go that's gonna do exactly the opposite thing that's going to display all the packets with a specific destination ip address so if you want to for example see who is transmitting what or something like that or who is receiving what on the network you can use these sort of filters aside from that you have a general ip filter you can see 
it's the first one that wireshark offers us it's ip.addr and when you do this ip.addr will is a sort of filter that is general so all packets containing a certain ip address will be displayed regardless whether it's a source or a destination ip address they will be displayed no matter what aside from the ip filters you have port filters which are usually used in combination with them so ideally you want to combine two three or four filters and then get very specific information without any redundancy of whatsoever so you can go ahead and type in tcp dot source dot source port yep there we go so you can use src keyword here as well and you can just go ahead and type equals equals and i don't know you can type in whatever you want here you can type in for example port 80 or 53 basically any port number that you want aside from this you can also do as we did with the ip addresses you can type in dst so destination port and if you want a more general filter you can just type in port there you go that's not that wasn't so difficult just dot port equals equals and then specify a port aside from that you can also say udp dot port and equals equals as well now more often than not you will be uncertain whether something is using a tcp or a udp protocol so you see how we're combining three different types of filters here we have an ip address we have well we're not combining them yet but you see how they can come and work together we have as i said an ip address filter we have a port filter and we have a protocol filter so let's say you want to make some sort of a statement in order to be very precise but you are uncertain of certain things like you're not sure whether it's tcp or udp you can do the following thing and use an expression so you can just type in ip.a r equals equals and i'm going to use my local ip address in lens 192.168.1.2 in addition to that i'm going to put in double n percent sign open up a bracket open up parentheses sorry and within this parenthesis i 
will write tcp dot port equals equals to i don't know we're gonna use dns because dns has both dc because dns recognizes both tcp and udp it's compatible with both so we type in tcp.port equals equals 53 and then we use or notation udp dot tcp equals equals to 53 as well close parentheses okay so i made a bit of a typo here and i wrote udp dot tcp the screen the field has immediately turned red it is not allowing me to implement this filter as it does not recognize it it is not valid so instead of udp.tcp which makes no sense i will type in udp.port and this set of rules when applied is effectively going to display all dns traffic coming all dns traffic that my machine has generated so as i said previously 192.168.1.2 is me that's the ip address of my machine within lan and my dns server is 1i2.168.1.1 which is basically my router there are no dns records there it just well maybe there's a caching process of some sort going on i do not know that's in the router specifications but that's not relevant for us now what is relevant however is that all the dns traffic is more or less being forwarded from my router to my isp provider and then they are responding again to my router and my router is telling my machine is giving my machine the necessary information the filter itself it goes like this so this first segment here where it says ip address it states that all packets containing this ip address shall be displayed double and percent sign simply means and and then i've opened up a bracket another bracket parentheses and i've stated within that parentheses that either tcp port has to be 53 or udp port has to be 53 if either of these two conditions are met along with the ip address you will be display the packet will be displayed you will be able to see the packet and then i don't know you can do stuff with it you can click on it and all this information down below is displayed but uh in the next tutorial when we actually start analyzing the packets themselves then i 
will show you what all this means and don't worry you won't need to read any of these hexadecimal numbers they're quite it's quite easy to figure it out uh what they represent in general you don't need to read them all you just need to read like a first set or something like that and you can figure you can infer from that what it might be in any case i hope you farewell and i thank you for watching till next time hello everybody and welcome to this tutorial today i will be talking about packet analysis before i actually began recording this tutorial i made a live i had a live capture session running and i made a request towards a random website that random website apparently was i love cookies here in this list there are a lot of http requests as you can see i have specified my filter to be http as that is this as those are the sort of packets that i would like to analyze today and to show you what sort of useful information can you extract from them so i'm just gonna go ahead and click on the first one so it's get http one one and we're no longer going to need the the upper window or the upper pane whichever way you want to refer to it so i'm just gonna maximize this one that we have a better overview of all the things that we have a better view of all the things that we're going to see here so first off is frame uh we're not going to be dealing with this as you you as a network admin generally won't be extracting information from this layer in any case this is the physical layer remember when we talked about the osi model this is the physical layer i don't know this gives you look it's a just look at the title uh 285 356 bytes on wire so that's not really that interesting to us we're just going to go ahead and click on ethernet 2. 
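The filters from the two lessons above (dns, udp.port == 53 || tcp.port == 53, and ip.addr == 192.168.1.2 && (tcp.port == 53 || udp.port == 53)) can be tried against a handful of constructed packet summaries with this added example, which is not part of the course and not Wireshark's code: a small evaluator for just the subset of display-filter syntax used here. Its packet records, its field table (ip.addr and tcp.port matching either direction) and the rejection of an unknown field such as udp.tcp are the example's own assumptions, modelled on how the filter bar behaves.

```python
import re


def packet(no, protocols, src, dst, sport=None, dport=None):
    """Constructed packet summary (not captured data) keyed by Wireshark field names;
    'protocols' mirrors frame.protocols, e.g. eth:ip:udp:dns."""
    pkt = {"no": no, "protocols": protocols, "ip.src": src, "ip.dst": dst}
    l4 = protocols.split(":")[2]                      # tcp, udp or icmp
    if sport is not None:
        pkt[f"{l4}.srcport"], pkt[f"{l4}.dstport"] = str(sport), str(dport)
    return pkt


PACKETS = [
    packet(1, "eth:ip:udp:dns", "192.168.1.2", "192.168.1.1", 40131, 53),
    packet(2, "eth:ip:udp:dns", "192.168.1.1", "192.168.1.2", 53, 40131),
    packet(3, "eth:ip:tcp:dns", "192.168.1.2", "192.168.1.1", 40132, 53),
    packet(4, "eth:ip:tcp:http", "192.168.1.2", "203.0.113.10", 40131, 80),
    packet(5, "eth:ip:udp:dns", "192.168.1.6", "192.168.1.1", 5000, 53),
    packet(6, "eth:ip:icmp", "192.168.1.2", "208.117.229.219"),
]

# Fields this toy evaluator knows. Direction-less names expand to both ends, which is
# exactly why ip.addr and tcp.port match a packet whichever way it is travelling.
FIELDS = {"ip.src": ("ip.src",), "ip.dst": ("ip.dst",), "ip.addr": ("ip.src", "ip.dst")}
for proto in ("tcp", "udp"):
    FIELDS[f"{proto}.srcport"] = (f"{proto}.srcport",)
    FIELDS[f"{proto}.dstport"] = (f"{proto}.dstport",)
    FIELDS[f"{proto}.port"] = (f"{proto}.srcport", f"{proto}.dstport")
PROTOCOLS = {"eth", "ip", "tcp", "udp", "dns", "http", "icmp"}

TOKEN = re.compile(r"\(|\)|&&|\|\||==|[A-Za-z0-9_.]+")


def tokenize(text):
    tokens = TOKEN.findall(text)
    if "".join(tokens) != "".join(text.split()):      # anything else is outside our subset
        raise ValueError(f"cannot tokenize {text!r}")
    return tokens


class Filter:
    """Recursive descent over: expr := term ('||' term)*, term := factor ('&&' factor)*,
    factor := '(' expr ')' | field '==' value | protocol. Produces a predicate on a packet."""

    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
        self.pred = self.expr()
        if self.i < len(self.toks):
            raise ValueError(f"unexpected token {self.toks[self.i]!r}")

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected and tok != expected):
            raise ValueError(f"expected {expected or 'a term'}, got {tok!r}")
        self.i += 1
        return tok

    def expr(self):
        preds = [self.term()]
        while self.peek() == "||":
            self.take()
            preds.append(self.term())
        return lambda pkt: any(p(pkt) for p in preds)

    def term(self):
        preds = [self.factor()]
        while self.peek() == "&&":
            self.take()
            preds.append(self.factor())
        return lambda pkt: all(p(pkt) for p in preds)

    def factor(self):
        if self.peek() == "(":
            self.take("(")
            pred = self.expr()
            self.take(")")
            return pred
        name = self.take()
        if self.peek() != "==":                       # bare protocol name such as dns or icmp
            if name not in PROTOCOLS:
                raise ValueError(f"unknown protocol {name!r}")
            return lambda pkt: name in pkt["protocols"].split(":")
        self.take("==")
        value = self.take()
        if name not in FIELDS:                        # the lesson's udp.tcp typo lands here
            raise ValueError(f"unknown field {name!r}")
        keys = FIELDS[name]
        return lambda pkt: any(pkt.get(k) == value for k in keys)


def apply_filter(text, packets=PACKETS):
    """Packet numbers a display filter would leave on screen."""
    flt = Filter(text)
    return [p["no"] for p in packets if flt.pred(p)]


def is_valid(text):
    """True when the filter bar would stay green, False when it turns red."""
    try:
        Filter(text)
        return True
    except ValueError:
        return False
```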
By the way, Ethernet II is a standard; that's the name for a general standard used worldwide. Right after the comma it says src and then some sort of a name is written, it says HonHaiPr_ and then a portion of a certain MAC address, but that's beside the point. Right next to it, the next line, I'm just going to go ahead and click on it so you can see it better, it says bc:85:56 and so on and so forth; that is the MAC address of my wireless network card. And right next to it you have dst, some name again, and then you have another MAC address; it goes something along the following lines, 00:0e:8f and so on, you can read the rest. That is the MAC address of my router. My router is the point that I use to access the internet, so all my traffic that goes outside of my LAN has to go through my router, and this is a very useful way of pretty much figuring out which devices are communicating on the network without knowing their IPs: you can just have a look at the MAC addresses and you can know who is communicating with whom. Aside from that, the first three sets of hexadecimal numbers within MAC addresses can tell you who the producer of the device is, who made the device, which company. This sort of information you can just browse on the net, it's fairly easy to find, you won't have any difficulties there.

So we're just going to go ahead and close Ethernet II and dig into Internet Protocol, so IP, Internet Protocol Version 4 (there's also version 6, just so you know), and once again we have src as source and dst as destination. I'm going to go ahead and mark it for you, there you have it: I am the source, 192.168.1.2, and this time the destination IP address is not my router; for an HTTP request the destination IP address is 198.25273.207. That is the IP address of the website whose domain name is ilovecookies.com; it has already been resolved, we are not analyzing DNS packets here, rather HTTP packets. If I scroll down there is a ton of information here: you have version, header length, total length of the packet and so on and so forth, but what is interesting to us is down here, where you can see that the protocol being used is TCP, and below it you have source and destination IPs. But go one more field below and take a look at what I've marked now: it says source GeoIP unknown and destination GeoIP unknown. This is not because Wireshark cannot determine the geographical location or something of a kind; rather, this is because I have not configured Wireshark to interact with any of the databases containing such information, and so if not configured Wireshark is just going to give you unknown: I do not know to which country this IP belongs, or to which city. I'm just going to go ahead and close that, and now we're going to dig down into the Transmission Control Protocol, or TCP. Lots of information here once again, but I just want to stick to what is relevant to us at the time being: you have src port once again and dst port, they are right here where I have marked them, and the destination port is HTTP, port 80. That's all fine, we know what that is, but as you can see before it you have the source port, and the source port is forty thousand one hundred and thirty-one. So what on earth is that? This is not the port on which we are listening; this is the port on which we are transmitting our information towards the destination port. These source ports are randomly generated by our machines and they can be pretty much any number within a given range. So yep, there we go, let me just minimize this, it has escaped a bit.

And finally we go into the text part of this conversation, of this request, so to say. So we go into Hypertext Transfer Protocol, or HTTP, and you can see the method is GET. Down below, yep, there we go: request method GET, and the path to the URI is a slash. In all Unix systems, everything that's Linux based and every other system out there except Windows, a slash is basically the marker for the root folder, and that is the folder that we are requesting from that web server; in Windows it's a backslash, so this is just a bit of information unrelated to Wireshark, if you are curious in that regard. Down below we can see that the host is www.ilovecookies.com, but here's some interesting information right below the host. All of this you are transmitting to the web server, and sometimes this sort of information you don't really want to give away, you don't really want to transmit. It says User-Agent: Mozilla/5.0, it says that I'm running Linux on a 64-bit architecture, so the web server to which I made the request knows that I am running Mozilla, that that is my browser; it knows the version of my browser, it knows my operating system and it knows my processor architecture. If we go further down we see that the language that I'm using is also being passed. This language will always be the same as the one that is configured in your browser, so the default language of your browser will also be sent. This is one of the ways in which websites can determine which language they should display to you as a user by default, but that's not what they usually use these days; as far as I know they tend to use IP addresses, so if you have an IP address that is coming from a certain country, the page itself will display in the language of that country, which can be really annoying from time to time. But there are workarounds, it's not that complicated to bypass such mechanisms, and on top of all that you have add-ons for pretty much all the popular browsers out there which enable you to actually modify this information, so instead of this being User-Agent Mozilla it can be Chrome or something like that, while in fact you're using, I don't know, Internet Explorer. So there are these add-ons which can fake the information here and transmit it, should you wish to do that; no harm there, it's just something that you can play around with. In any case, that would be it as far as this particular packet is concerned. We will analyze a great deal more in later tutorials, but I just wanted to give you an idea of what sort of information you can extract from these individual packets. Later on, as we progress, I will create real scenarios and exercises which we will do, I will create problems for us to solve, and we will see how we can use Wireshark in order to track down particular problems on the network. But for the time being I bid you all farewell and I thank you for watching.

Hello everybody and welcome to this tutorial. Today I will demonstrate how dangerous it is to use the HTTP protocol to log into your email account, your PayPal account or pretty much anywhere, as all the information, as I mentioned before, is sent in clear text. Before I begin the capture and before I show you how it is done, a key thing to note: all that I'm doing here is within my own network. This is my home network setup, the router is mine, the computer is mine, all the other devices are in my possession, so I can do with them as I please. However, you cannot do this on a public network that you do not have permission to either access or sniff traffic on or anything of a kind. Now that we have that out of the way, let us begin with the demonstration and let's see how we can use Wireshark to actually extract credentials from unencrypted web traffic. First things first, we actually have to start the capture. I've changed my interface, I'm now on my wired connection, so the interface is p8p1, and I will go ahead and start it. There we go. Before the capture goes ahead and starts displaying information let me just enact a preemptive measure here: I'm going to type in http so it doesn't display any other packets or anything of a kind. Although, if you take a look at the bottom where packets captured and packets displayed are listed, you can see that I only have 16 packets in total, now 26, 30, etc. It's growing, but it's growing at a really slow rate, primarily because I do not have pretty much anything open in my browser, I'm not doing anything, the network is inactive. These 33 packets are the standard communication between my computer and the router, so not much going on there. Let me just open up my browser, there we go, and you can see that I've already tried to log into this site; it says 401 Unauthorized, authorization required. Take a look at the address bar: it says http colon slash and then the IP address. What I have highlighted now, the IP address, colon and slashes, they are of no interest to us at this point in time, but this part of the address is HTTP, the protocol that we have mentioned before, which transmits everything in clear text; nothing is encrypted or anything of a kind. So let me just reload this page. I will attempt to log in here now. Clearly I'm going to use a wrong username and password, it's going to say 401 Unauthorized again, but it doesn't matter, we will be able to capture the information sent, and you will see that if you use real credentials for something of a kind you would basically be volunteering them on the net as public information. So here for username I'm going to type in "username" and for password we're just going to type in "password". Okay, authorization failed, do you want to retry? No, I do not wish to retry, there's no point. So just coming back here into Wireshark and starting to examine these packets to see which one of them contains our credentials, from which one of them we can extract the useful information that we want. Let's just go ahead and scroll down, pick the third one from the top, it's 533, GET HTTP/1.1, and we're going to omit all of this information like Frame, Ethernet, Internet Protocol, Transmission Control Protocol, and go straight to the Hypertext Transfer Protocol. We need to scroll down a bit, and it's pretty simple: you will see that Wireshark itself has an authentication field, so you can just go ahead and click on it, it says Basic, and there you go, you have the credentials. We've typed in "username" for username and "password" for password; those are the two simplest terms that I could think of and I've just typed them in there. This pretty much applies for any LAN network or anything of a kind: you can monitor all traffic that goes back and forth on it. What I've done now is I have monitored traffic locally, so from my computer to the internet, and that's pretty easy to do, but there are setups where you can actually monitor other computers, well, not the other computers directly, but you can just monitor what is on the wire, what moves through it, and all the packets that are coming to you but are not meant for you. That's what I talked about in the previous tutorials when I mentioned promiscuous and monitor modes of network cards. In any case we shall deal with that in later tutorials; I will explain that in great detail, as it is of great importance to us to be able to monitor all sorts of traffic. In any case I bid you farewell and I thank you for your time.

Hello everybody and welcome to this tutorial. Today I will show you how you can confirm your firewall settings with Wireshark, or how you can monitor them to an extent in any case, and what happens to all the packets once the firewall is configured for them to be dropped, and how that affects your interaction with other devices on the network. So as always I'm just going to go ahead and select the interface that I'm currently using and start a live capture session. Before anything pops up here I will enact a preemptive measure and just type in icmp, there we go; I don't want to see anything else. There isn't much traffic going on here in the first place, but just in case, primarily because I'm not doing anything on the net while I'm recording this. Anyway, you see there's an empty screen here, nothing is displayed, there are no packets, nobody's pinging anybody, and now I can open up my virtual machine. This is something that is usually blocked in businesses; businesses block this sort of protocol, ICMP. However, here I left it open, and later on I will block it so you will see what happens there. So I'm just going to type in ping 192.168.1.2. I do believe that that's my IP address; if it's not we can do a check, but just keep an eye on this white screen of Wireshark and see what sort of incoming traffic we are going to get. So press enter, and there we go, we have request, reply, request, reply. I'm going to cancel the ping here, and we're just going to select the first field: there's a request from 192.168.1.6 that's sending packets to the destination 192.168.1.2, that is me, and I in turn am replying, so I am confirming, saying something like: I am alive, I exist.
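As an added example (not from the course), here is what a passive observer on the wire gets from the login attempt in the lesson above: an HTTP request constructed to match it, carrying a Basic Authorization header, parsed for the header fields the packet-analysis lesson walks through (method, path, Host, User-Agent, Accept-Language) and for the credentials, which are only base64 encoded, not encrypted. The request bytes, address and browser string are constructed, not captured.

```python
import base64

# Constructed request payload (not a real capture), CRLF line endings as on the wire.
# "dXNlcm5hbWU6cGFzc3dvcmQ=" is base64 of "username:password", the lesson's test input.
REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: 192.168.1.1\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0\r\n"
    b"Accept-Language: en-US,en;q=0.5\r\n"
    b"Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

# Same client fetching a page without logging in: nothing to flag.
PLAIN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: 192.168.1.1\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0\r\n"
    b"Accept-Language: en-US,en;q=0.5\r\n"
    b"\r\n"
)


def parse_request(payload: bytes) -> dict:
    """Split a request into its request line and a case-insensitive header map."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def decode_basic(authorization: str):
    """Recover (user, password) from 'Basic <base64(user:password)>', else None."""
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):          # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def inspect(payload: bytes) -> dict:
    """What anyone reading this unencrypted payload learns, plus a finding when
    credentials travel in the clear (what Wireshark's Credentials view shows)."""
    req = parse_request(payload)
    h = req["headers"]
    report = {"method": req["method"], "path": req["path"], "host": h.get("host"),
              "user_agent": h.get("user-agent"), "language": h.get("accept-language"),
              "credentials": None, "finding": None}
    if "authorization" in h:
        report["credentials"] = decode_basic(h["authorization"])
        report["finding"] = ("HTTP Basic credentials sent in clear text" if report["credentials"]
                             else "Authorization header sent in clear text")
    return report


if __name__ == "__main__":
    for name, payload in (("login", REQUEST), ("page", PLAIN_REQUEST)):
        print(name, inspect(payload))
```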
there is connectivity etc etc uh request reply request reply request reply that is the logic that we're following here but i'm just going to go ahead now and open up my terminal within my terminal i will block all things so i will no longer users will still other machines other devices will still be able to ping me however i will not reply so there is no feedback information for me and that's generally a good thing to do as you kind of minimize or downsize potential threats or risks to your server but i mean it's not really that big of a deal it used to be a big deal back in the days when there was a thing of death but today that's that's fixed and you're not gonna have any problems there hopefully anyway in any case we're gonna go into our firewall here so ip tables and i want to insert a line so dash capital i in output i don't want to output you have output and input rules so outbound and out inbound traffic i do not wish to reply to icmp packets so i'm just going to specify a protocol so dash p for protocol i cmp and j to confirm to specify a command to specify the behavior of the firewall and i'm just going to say drop so do not reply anything that comes that's marked as this as this protocol drop it you do not care about it it's something that i have prohibited press enter there we go rule has been applied and this list still stands as it is but i'm going to go back to my virtual machine clear the screen here and repeat the ping process again so i have pinged myself and you can see that there is a there is a ping coming in hold on let me just do this scroll down to the bottom yep there we go that's why automated scrolling is very nice and here we go the ping is going through it is passing it is reaching us but we are not responding our network card due to our firewall rules does not do anything it just takes the packet in it sees that it's something that the firewall has prohibited and it doesn't do it does not react there is no outbound traffic nothing is 
happening so i can be pinged but nobody knows i am not responding to anybody there is nothing happening so this is a very nice feature that you can implement especially in linux since the fire since firewalls are completely open source and you can do whatever you want with them there is a vast sea of filtering commands and usually and usually you can apply those similar filtering commands to wireshark as well so there's a very nice interaction happening there in any case i thank you for watching and i hope to see you again in the next tutorial hello everybody and welcome to this tutorial today i'm going to do a bit of a demonstration of how you can actually spot suspicious or unauthorized packets from your network so i'm just going to go ahead and open up my browser and i want to generate some random traffic so let's say just going to type in here test in the search query and while i'm at it i'll just start a live session as well so there we go live session has started it's now listening and i don't know what i can do whatever you want yeah we can go to the speedtest.com i'm sure we've all been here countless times when our isp providers don't give us the speeds that we want and we've cried about it on end i don't know we can go head over to google and head over to youtube as well all of these requests will be recorded we'll see what i mean by it and this is my only browser that is currently open as you can see there is nothing else here so i'm just going to go ahead and close it oops what is this so we have some red warnings red ones are usually the packets that drop i'm not too sure about this but it doesn't really matter i see i don't seem to be getting http traffic at all this seems to be ridiculous i'm just getting ssh traffic which is encrypted it stands for secure shell and let me see where have my http packets gone they're probably being overrun type in http and press enter and look at this since we have a large amount of packets it takes it a very long 
time i mean it's not very long time but for only maybe a hundred thousand packets it took you that much but imagine if you were capturing traffic for an hour that would that would have been a pretty big problem and here are our http traffic uh packets but i need to clear this i need to figure out where what is happening with those ssh packets what is that what is being transmitted so let's see if we can actually dig down into the packets themselves and see what sort of information can we pick up from them so at this point of time i'm being overrun by them there's just so many of them i will cause this is going to cause me to crash so i'm just going to stop this capture from going on and i'm going to click on one of them to see what what on earth is going on here so down here i see who is communicating with who as we've discussed before you have mac addresses but i obviously know both of these mac addresses and this is local connection these are all local connections but for the sake of the tutorial we can just assume that i have no idea that these are some strange addresses to me addresses to me and that i don't know to whom do they belong below we have internet protocol and it says source port a source ip address and destination ip address now you can conclude what it might be by this destination ipa address of course again i obviously know to which devices this ip address belong to but any ip address could be here and if you're not familiar with it you can always go on the net and search for it but that's generally that's not going to lead you anywhere it might tell you who owns it or something of a kind but not necessarily that person is using it might tell you like this and this telecom is the owner of it it's a vpn or it's a proxy or something of a kind and it's not going to give you that i mean it might give you hints but it's not going to give you definitive answers for sure down below we go into transmission control protocol and it says that the 
communication is going over destination port 22. interesting so i'm just going to go ahead into the filter field and type in what am i going to type in here i'm going to go tcp dot port equals equals to 22 and i'm going to filter out all traffic on port 22. you see how many packets there are there are too many for wireshark to be able to do it that fast so it even gives me the time left in order to go through all these packets to filter it through and to show me what i want to see so they all look pretty much the same to me except for the red ones i'm guessing yep there we go and if we click on another one here and if we go down to ssh protocol do you remember when do you remember the tutorial about http protocol and how i said everything was unencrypted all the information could be seen in plain text but look at what ssh protocol looks like i mean the information that i think that it the information that sent over ssh protocol it says encrypted packet and you cannot make heads or tails out of this i mean it is completely useless to you uh if it has some sort of weak weak very weak encryption you might be able to brute force it but that that is not the case that is very rarely the case these keys are really long and you it is very unlikely that you'll be able to brute force or crack this so the bad news of it all is that we don't know what sort of what sort of communication is going on here what is happening we just know that we are communicating with this address and that there are some packets that are being sent so what are we going to do now the thing that we're going to do now is i'm going to open up a terminal because wireshark managed to tell me a great a great deal of things basically i wouldn't be able to figure out what was going on if i didn't have wireshark here and that's that's where this tool really begins to shine that's where it shows its purpose and so on and so forth so i'm just gonna clear this screen here and i'm gonna do ls off dash i call 
oops sorry dash uh small i colon and i want to see what is going on and that poor 22 i want to get the process id that is using that port i press enter and of course i got the wrong i got the command wrong uh it's like this excellent okay so i see that the process is running hold on i can do this i can do a better job of this let me just go ahead and expand the terminal a bit there we go and let's look at it like this yeah this is much better so i do believe that this communication is over as it says close weight but this is the pid command is ssh this is this is the most important part so once you have the process id if you're a root you can always kill it the good news is that the user currently using this process is not root user so you can be safe to an extent but still it is not good to have unknown processes on your computer that you have no idea what are and most likely are form processes in any case what anybody would do at this point of time is just kill and type the name type the name of the process 0 0 57 that's it we go back into wireshark and uh damn it's now slowing down a little bit and no i don't want to reload the capture file i want to start the capture process again and close it without saving i have applied this filter but it would seem that no packets are being captured as i have closed all my browsers and i have killed this process so once again we have absolutely no unauthorized communication of whatsoever this is also one of the good ways of actually verifying what is going on on your computer is just by close your browser close all the programs that you know of that are yours and after that point of time go into wireshark and observe the traffic see what is going on if you see that there are some sort of that it's still communicating uh to the outside world that something is going on then there's something wrong for sure in any case i thank you for watching i hope that you've enjoyed the tutorial hope this was informative and i beat you 
farewell till next time.

Hello everybody and welcome to this tutorial. Today I'm going to be talking about a command line interface for Wireshark, but before I go into all of that, let me just say that we went over the first portion of our course and we have learned some of the basic and fundamental things needed for us to use Wireshark and to successfully capture traffic with it. From this point onwards we will start to deal with semi-advanced things, and then we will move on to advanced things. If you haven't watched the first part and you've never encountered Wireshark before, make sure to tune in there and have a look at those videos and then come here, because here I am not going to be using the graphical interface for Wireshark. Now you might wonder why anybody would not want to use the graphical interface; surely it is easier. Well, theoretically it is easier, primarily because people are used to just clicking in places instead of typing in commands. However, not all environments will support graphical interfaces, especially server environments, and that is most likely where you will need to go and capture traffic. Routers, for example, will not support graphical environments, but you won't be able to install Wireshark on a router anyway; for routers I will have a separate section where I will explain how you can capture traffic, be it on your local router inside your home or on some remote router within a LAN or something of the kind. In any case, today I want to focus on this command line interface and I want to show you how you can actually do this within an environment that doesn't have a graphical interface at all, for example some sort of server such as a web server or a DNS server or something of the kind. You won't be able to do anything else other than use the command line interface, or there is actually another option which is quite
common these days as well: you can set your server up in such a way that it forwards information to a certain place, and that certain place can be your workstation with Wireshark installed, and in such a way you can capture traffic as well. That is what they mostly do on routers: they set up one port on the router to which all data is copied and transmitted, and in such a way you can also monitor traffic. But with that we shall deal a bit later on; for the time being I just want to introduce you to this command line interface and I want you to see how it works, what its capabilities are and what you can actually do with it. One more thing to note is that you can have an active interaction between your command line interface and your graphical interface. For example, you can create a file on a server somewhere that doesn't have a graphical interface, and then you can use the command line interface from Wireshark to capture all the packets and put them into that file. Afterwards you can either send the file via mail or save it to a USB stick and bring it physically to a different computer or something of the kind where you have a graphical interface. All that information is saved within a pcap file; that's the extension for Wireshark files, it's just .pcap. You know, you have different extensions like .txt or .docx or something of the kind; well, for Wireshark files it's .pcap, so p and then cap. Anyway, you can import that file into the Wireshark that actually has a graphical interface and analyze it there, apply filters and so on. It's not going to be a live capture session, but you're going to have a file which you'll be able to filter, see the packets, etc. I will show this in greater detail as we progress through this tutorial, but for the time being I just wanted to introduce you to the command line interface of Wireshark. So without further ado, I'm just going to go ahead and
type in the command. Oops, that didn't work out. So tshark, which is the command for the Wireshark command line interface, and I'm going to type in --help, press enter, and this is going to give us a list of possible arguments that we can pass to the command. Let me just explain this a bit better: tshark is a command, and then you can use a dash and, I don't know, h; you're just passing arguments to this command. These arguments can vary: you have -h for the list of all the options that you have, you can have -w to write the output to a file, or something of the kind. Worry not about it; I will go through pretty much all of these arguments separately, I will explain in detail what each one of them does, and by the end of the day you will be able to use the command line interface successfully without any problems, and you will understand the power of it, what you can do with it and where it will excel the most. Because, speaking in all honesty, you will need the command line interface whether you like typing commands or not; eventually, at some point in time as a network administrator, you will have to use it, primarily because you will encounter these environments where you simply don't have any sort of graphics whatsoever. That being left aside for the time being, I'm just going to scroll upward, and you can see the incredible amount of arguments that you can actually pass, ranging from filtering the output to giving flags for when to stop the capture or even when to start the capture. So for example you can specify: start the capture in an hour, capture packets for, I don't know, 30 minutes, stop, then repeat the process again in two hours or something of the kind. The possibilities are practically infinite, which is very nice because the tool can be made to fit all situations, so to say. And here we go, I have typed in tshark --help
here and the listing begins from there. You have some copyright things here regarding Wireshark; it's completely open source, so you don't have to worry about that. You see, the copyright here says that it doesn't claim responsibility for the use of Wireshark and that it doesn't guarantee that it's fit for any particular purpose, so if you don't succeed in doing anything with it, it's not their problem, they didn't guarantee anything. But more likely than not it will come in handy and be very useful in a lot of situations. Anyway, in the follow-up tutorials I'm going to explain these arguments, what they do; we're going to use a lot of them and demonstrate how they can be effective in various situations. Thank you for your time and I hope I'll see you in the next tutorial.

Hello everybody and welcome to this tutorial. Today I will start going over the various arguments that can be passed to the tshark command. If you remember from the previous tutorials, one of the very first things that I taught you is how to select an interface that you want to conduct a live capture on within the graphical user interface of Wireshark. Same thing here: you do need to pick a network interface to capture traffic on, but of course you don't have them neatly listed anywhere; you can't actually see them unless you pass in the proper argument to the command, and then the program will list them for you. Therewith, I'm just going to go ahead and type tshark and pass the argument -D (capital D), press enter, and there we go, we have a list of interfaces here that we can conduct a live capture on. Since I'm running in root mode all of them are displayed and I can actually listen on all of them; if I wasn't in root mode I wouldn't be able to do this at all, as tshark and Wireshark both require either root mode or a user with elevated privileges, depending on the system that you are using. I'm talking about Linux, of course; in Windows, as
long as you have the default user from the normal installation, you should be able to do this without any problems. By the way, the tshark command works both in Windows and Linux without any sort of problems; it's pretty much the same, so you shouldn't have any worries there. Anyway, I'm going to take a look at my interface list, and I know that I'm using the number nine interface; I'm just going to select it here for you, it's p8p1. If you're not sure how to check which interface you are using, you can just go back in terms of videos; I have explained in great detail how you can figure out which interface you are using at the moment and then how to start a live capture process on it. I will not do that now; rather, I will go ahead and immediately start the capture process. So I'm just going to type tshark -i, which is the argument you require in order to specify the interface you want to use, and then just type in the name of the interface, p8p1, press enter, and this will start a capture session on that particular interface. Now, key note here: the information displayed here is not saved, and therewith it is less useful to us. We need the sort of information that will be saved somewhere in a file which we can review at a later time or on a different machine where we actually have a graphical interface. Performing live capture mode like this, without any sort of saving process, generally people use it to monitor traffic at a particular point in time when they know that something is going to happen. So for example you want to see what is going on with pings: somebody is pinging you, or you're pinging yourself, and you know that you're pinging yourself at a very particular point in time, so you just start the capture process here, apply a capture filter, and then you have a look
and see whether it's passing or not, what is going on there, if it's being dropped, if it's reaching you or something of the kind. Also, you can spot people using Facebook on your network during work hours or something of the kind; there are better ways to do it, but this is just one of them. Anyway, I will stop the capture process now and show you another thing which you can use with your interfaces. So I'm just going to clear the screen, type in tshark -D once again, press enter, get the list of these interfaces, and notice how next to the name p8p1 there is a number nine as well. So you can also type in tshark -i 9 and press enter, but I personally wouldn't advise this, primarily because you can have multiple interfaces, for example like this: you can have tshark -i p8p1 and then you can have it again, so -i any, press enter, and there you go, it's going to be performing a live capture session on p8p1 and also on any other available interface. Of course this command doesn't make much sense now, or it wouldn't make any sense at all in general, primarily because what's the point of specifying one interface and then, after it, telling the tshark program to actually listen on all of the interfaces as well. What would be general practice is tshark -i p8p1 and then -i perhaps on another interface that you have that is running. I don't have any other running interfaces here, but you could list them; for example, if you had a USB wireless card and you were connected via your integrated wireless network card, you could specify those two interfaces here after the argument -i, and it would perform a live capture session on all three of them or just on one of them, depending on how you wanted to set it up. I'm going to delete this, clear the screen, and type in tshark -D, so once again the same command
and once again I have the list of my interfaces, but instead of actually using the name of an interface I am going to take a look at what is right next to it: there is a number nine here. You can see that they are all enumerated, so 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, and this number 9 can also be used to identify interface p8p1. So just type in tshark -i (oh, I've gotten that wrong again) and just type in 9, press enter, and there you go, it's going to start capturing; it says capturing on p8p1, it recognizes that as my wired interface p8p1, no problems. Although I would not advise doing this, I really wouldn't, primarily because you can specify multiple interfaces to listen on, and when you have three or four and you have a longer list of arguments, it's going to be a lot harder to identify them and to see which interface corresponds to which number. Of course to a computer it's not a big deal, not a problem, but to you as a user, when you take a look at the syntax of the command, it's going to be a lot harder to distinguish what is what. That is why I would definitely recommend using the actual names of the interfaces, primarily because you can tell Wireshark to listen on multiple interfaces via the command line as well. So just type in tshark -i p8p1, which is my wired interface, and then -i again, wlp2s0, which is my wireless interface, press enter, and there we have it: it says capturing on p8p1 and wlp2s0, so it is capturing on two interfaces now. Imagine if you had one interface and then a set of filters, and then another interface and a set of filters, and another interface and a set of other commands that you can apply; it would be very difficult to find your way around if the names of these interfaces were just numbers. It's much simpler to have them as they are here, as they are shown by the ifconfig command. I'm just going to clear the screen. The thing to be aware of is that
if I type in tshark and press enter, it's not going to start listening on all of my interfaces by default, nor will it start listening on the interface that I'm using at the moment by default; rather, what it will do is start listening on the first listed interface that we get from the tshark -D command. So here we go, it says capturing on bluetooth0, and of course there is nothing here, primarily because there is no traffic on the bluetooth0 network interface, none whatsoever, as I am not using it at the moment; I'm not transferring any files or anything of the kind. But if I type in tshark -D you can see that bluetooth0 is listed as my first interface here in the list. So by default, if you just type in tshark, the first interface that it will start the capture process on will be the first interface listed here, none of the others. I just felt like mentioning this, primarily because a lot of people type in tshark and after it they type in a lot of arguments and commands, etc., start the capture process, and then it starts capturing on their first interface, which is most likely something like this bluetooth interface or something of the kind, and there's no traffic whatsoever, and they start figuring out what is wrong; they start looking at it and it takes away about five minutes on average. So just to save you some time I wanted to make this fact rather clear. In any case, I bid you farewell and I hope to see you in the next tutorial.

Hello everybody and welcome to this tutorial. Today I will show you how you can actually save your capture, how you can output it to a pcap file and then later on open it elsewhere. This will be your regular practice if you're capturing with the Wireshark command line interface, primarily because you'll be doing a capture in an environment that doesn't have any sort of graphical interface whatsoever, and it can be a bit tricky or a bit difficult to analyze
packets in such a way. Therefore your general practice will be: OK, let's save it to a file, either mail that file or save it to a USB stick or something of the kind, and then later on bring it to an environment where you actually have a GUI, where you can analyze it with all those coloring options, where it is a lot simpler. But in the later tutorials I will also show you how you can actually analyze and filter through a file with tshark, with the command line interface. It can be a bit tricky, as I said; however, sometimes you just don't have the time or you don't have the option to take it elsewhere and you are simply forced to do it. In any case, without further ado, I'm just going to go ahead and type in tshark -i to specify my interface, so p8p1, my wired interface, space, -w, and here I will type in my output file, the file for writing. However, it can be a bit tricky, especially in Linux and Unix-like environments; I'll show you in a moment what I mean by it. So if I specify some random directory, let's say let's go into /home, which is my home directory, and then into the user chronic, so /home/chronic/, and I'm just going to name this file testcap. Keep in mind that you do need to give it an extension, so .pcap; as I mentioned in the previous tutorials, pcap is the file type that Wireshark is associated with. And if I press enter, even though I am root, even though I have all the privileges within the system and I can do whatever I want (with root I can even change some of the key components of the system, which can eventually end up messing with it, practically rendering the system inoperable; I'm just demonstrating this to tell you that I have maximum permissions, there is nothing I cannot do with root), even so, if I run the tshark command as it is now and press enter, I'm going to get this: tshark: the file to which the capture would
be saved, /home/chronic/testcap.pcap, could not be opened: permission denied. Now, as I said a moment ago, root has all the permissions that you can imagine; it has the right to access and to write to any portion of the system. However, if you run tshark like so, for security reasons the program itself will prevent you and you will not be able to create such a file. Therefore what we generally tend to do, what is considered good practice, is to go ahead and type /tmp/testcap.pcap. You have a tmp folder where pretty much anything can be written; there are no execution privileges there, so pretty much anything that you download from the net or something of the kind that could potentially be dangerous is stored there for security reasons. And if I press enter now, look, excellent: I am now conducting a live capture, and everything that I have captured will go into this file here. Now, since I am not doing anything on the net, you can see that I only have two packets. This number here is a very good indication; it tells you that it is actually doing something, you know that something is happening. I'm just going to generate at least some sort of traffic: open up my browser, press reload, and that should do the trick. Yep, there we go, immediately I have 348 packets; so just by reloading the home page in my browser I got 300, let's just round it to 350 packets. With that, I'm just going to cancel the capture process; Ctrl+C is the default key in Linux environments within a terminal to actually stop any running processes that are running in the foreground of that terminal. Anyway, to follow this up, let's just open up Wireshark's graphical interface: type in wireshark, open it up as root so that we have the necessary permissions to run it. Every time you start it, this is a bit of a painful
procedure, especially with the loading time; it can be a bit annoying, but eventually you get used to it. Sometimes it goes really fast, sometimes it goes really slow, I have no idea why that is so; in all likelihood, at this point in time it's because I have recording software in the background, so it is simply eating up my CPU. But in case something of the kind is happening (I have left it in for a reason), you can always go... and it has opened just as I say this. Never mind, I just want to show it to you anyway. So I have another terminal open here and I'm just going to type in the command top. In case it's running slow or something of the kind, you can immediately type top within the terminal and you can see what on earth is eating up your memory, RAM or CPU, and you can see that VLC is currently eating up 120 (you can see the CPU consumption here); that's a bit ridiculous for VLC, but oh well, I am recording this in high definition, so it stands to reason that it is so. But that does not matter to you; what matters to you is that if Wireshark runs slow or something of the kind, immediately open up another tab, type in top and see what is going on. If there is nothing going on, OK, then basically it's your computer and Wireshark is too heavy for it or something of the kind; but if you see some other processes that are consuming your computer's resources, such as RAM and CPU time, you can kill them, and in such a way you can accelerate the opening of Wireshark. Anyway, now we're not going to do the things that we did before; we're not going to select an interface, because there is no point, as this is the first time that we're actually not conducting a live capture but rather analyzing what we have captured before. So you see I've already done a test run for this, but here we go, I'm just going to go ahead and
click on File and straight away press Open, or I could have just pressed Ctrl+O, which is the shortcut for this. Go ahead and navigate to the tmp folder, which is under, sorry, not under root, but under the root of the file system; let's see, there we go, tmp, and there we go, testcap.pcap. Open it up; it should open up any moment. Yep, there we go, you have a ton of traffic here; you can see down there that we have 350 packets, and now we can apply display filters here and see what sort of traffic we want to get. Even though it's not a live capture, what is displayed will automatically be updated by just typing in the filter, so dns (sorry, not in caps, this is case sensitive), dns, press enter, and you can see that it immediately trims everything else away and just leaves the DNS traffic here for you to see and analyze. We will deal with this subject more a bit later on, but for the time being I just want to show you something else. Now suppose you don't have the Wireshark program running and you think, oh well, I can just open up the file with my, I don't know, text editor or something of the kind. Let me just show you what will happen, let me just show you how the file actually looks if you open it up with some sort of text editor or something of the kind. You can still get bits and pieces from it, but it's not really advisable, as you won't really get any useful information from it; it's going to be a binary file, as you'll see soon enough. So I'm just going to go ahead and type in less /tmp/testcap.pcap and press enter. So let me just explain this: less is generally a command used to list a text file of some sort, or to list pretty much any sort of file, to open it up and to give you a preview of it, but you cannot edit anything. It's fantastic because it's a safeguard against accidentally editing files that you don't really want to be tampering with. This is not the case here, but for ease of use and for simplicity's sake I've
decided to use it. So as you can see, immediately after I've tried to open it, it gives me the path to it and it says "may be a binary file. See it anyway?" So yes, just type in y, that's all you need to do there, and just take a look at how it actually looks. This is ridiculous. So you can still see some of the packets; you can see this part here, this is readable, it says Linux and fc20.x86_64. Again it is repeated here; this sort of thing is sent on a regular basis, so you can see it pretty much throughout this file. But here we can actually see some of the websites that we've visited, so it says duckduckgo, and there's no dot, just com; I suppose this should be a dot or something of the kind. Anyway, it doesn't really matter, because you will absolutely never be reading a file like this; it would just be ridiculous and useless. But I just wanted to show you that you do need Wireshark to open these files up; that's where they excel, that's where they're best read, so open them up with it. Anyway, that would be it as far as the file output is concerned; I will continue to deal with the subject of arguments that can be passed to the tshark command line interface, and so I bid you farewell till next time.

Hello everybody and welcome to this tutorial. Today I will show you how you can actually start a live capture, give it a limit, and then tshark will by default shut down and exit (well, not shut down the computer, but just exit the program) once it is done. So anyway, I'm just going to go ahead and type in tshark, and I will use the help option here, primarily because I want to demonstrate that you do not need to know all of these things by heart. It's far simpler just to have an approximate idea of what you can do with it and what the command might be, and then just use the help option, go through it, read through it (it's a brief description) and you'll be able to figure it out. So it is a much more convenient way of figuring
things out, as opposed to just memorizing every single thing; that's definitely not something that I would recommend. In any case, today the option that we want to use is -a, or auto stop. You see, there are several parameters that you can pass it: you can say, OK, after an x amount of seconds I want you to terminate the capture (as you can see, stop after some number of seconds), or you can actually go ahead and tell it, as soon as the file size becomes this big, stop the file. This is in kilobytes, so you're going to need to specify a pretty large number here if you want the file to be meaningful in any way; however, you don't want your files to be humongous or something of the kind either. And you do have an option below it; it says also stop after a certain number of files. So you might not understand what this last option means now, but what tshark gives you the ability to do is that you can start a capture process and you can say, I want my file maximum size to be, I don't know, x amount of kilobytes, and once it has captured packets within that file it says, OK, I don't have any more space here, do I have a parameter to create another file? Yes I do, OK; if it has been passed prior to that, it creates another file. So you can have, I don't know, a certain amount of packets captured within ten different files. You have various naming options; usually people use dates and then they just put numerators like 1, 2, 3, 4, 5, 6, 7 and so on and so forth, or something that would have meaning to them. Anyway, I'm just going to go ahead and do a bit of a demonstration here of how you can do this; it's fairly simple and self-explanatory. Let me just exit this help menu and type in tshark -i p8p1 (I hope you know what this means by now), and afterwards I will say -a, so I'm passing the auto stop option, and what was the... see, even I forget from time to time, so just duration. I'm going to
go ahead and copy that down there; I have no idea why I am copying it, but it just seems simpler like this. And I'm going to tell it, I don't know, 10 seconds. So keep in mind that the number that you pass here is in seconds; if I wanted to have a minute-long capture I would have to type in 60 seconds. You're going to have to do some calculations with this if you want a specific amount of hours, etc., but let me just say that an hour has 3600 seconds, so just multiply this number by pretty much any integer you want, I don't know, like 24: 3600 times 24 would be for a whole day, so that would be one day's worth of capture. That is not something you want to do on a busy network; the file would be humongous, you would not have sufficient disk space, I guarantee it. For the time being I will just type in a duration of 10 seconds, and of course I want my output to be written, I don't know, somewhere; as I've mentioned in the previous tutorial, I'm afraid that you will have to save files within this folder unless you do some sort of extensive tampering, which I definitely would not recommend; just use the default one, go into the temporary folder and save all the captured files there. Anyway, tmp, and I'm going to go ahead and name it duration.pcap, press enter, and you can see it's now running. It doesn't matter if it doesn't capture much, it just has two packets; it says capturing on p8p1, and very soon, there we go, after 10 system seconds the capturing process on interface p8p1 has terminated. It has a file under this name in this folder, and that is it. Now this can be combined with various scripts; you can have a mailing script, so for example you can use this tshark command to capture packets, save them to a file and then just pipe it through a mailing command, so when the capture is done it can send the file
to your email, of course if the file isn't too big or something of the kind. So you can just leave it running on the server, it's going to shut down by default, and by the time you get to your house you're going to have it in your mail. Not a bad trick; I will show more of them, but I want to get through the basic ones and then I'm going to get into combinations and how you can integrate this with other system scripts, which can be used to resolve common day-to-day scenarios, common problems that you will encounter on various networks and servers. Thank you for watching and I hope to see you in the next tutorial.

Hello everybody and welcome to this tutorial. Today I will give you a few more auto stop options, but more importantly than that, I would like to combine them with the ability to split your capture into several different files. So they don't need to be in one file; you can specify parameters and say, I don't know, every five megabytes or kilobytes I want you to split and create a new file and store all output into it, or something of the kind. You will see soon enough what I mean by it. Now, also, you might have noticed that I have split my terminal view here; I have split it primarily because I want to be able to view the files as they are created in the folder in which they are created. But before we get into all of that, I would just like to show you what we're going to do today. So I'm just going to type in tshark -h, press enter and get the help menu as before, and up here it says capture stop conditions, and below it you have capture output as well, so a bit of formatting in terms of output, and we're going to use it in combination with the auto stop conditions as well. So something that we haven't talked about is this -c flag, or -c argument; basically you can specify the number of packets that you want to capture, and I'm not sure how wise that is, because I mean, how will you know how many packets you want to capture? But it doesn't matter, it's
just an option there that you can use; it can come in handy in certain situations, but it is unlikely that you will encounter them. Down below you have auto stop, which we've talked about before, and we've only used the duration; we haven't actually used file size or files. Now let me just go ahead and explain them here before I use them. So the duration you already know: you specify a certain amount of seconds and the capture process stops, the program terminates. Down below you can also specify the file size, so if the file size exceeds a certain limit, or if it gets to a certain limit would be a better way to put it, it will stop the capture. All sizes are interpreted by default in terms of kilobytes, and times in seconds. And down below, finally, you have this files flag, and that works in combination with capture output. Now you see it says stop after a certain amount of files; well, first of all you need to create multiple files, and in order to create multiple files you will need to use the -b argument, or ring buffer, to split your output into several different files, and then you can use this flag as well in combination with it, basically saying, OK, I don't know, you've created 30 files, stop, that is the limit, I do not want any more. Down below, in the capture output, you have pretty much the same flags, and don't worry about it, you don't need to memorize them; I will show you a quick trick in a moment for how you can actually get the computer to tell them to you once you get to the point where you want to use them. But down below you see you have the same flags, but over here they have a completely different meaning: basically, the duration here switches to the next file after a certain amount of seconds, so it splits, it creates a new file, and the same thing goes for file size as well, no problems there. And we're not going to be dealing that much with the last flag, as it is not something I like to use and not
something that is used that much in general, but over extended periods of time it can be used to replace the files. However, let's just go down into it, as once again, if you didn't memorize all of them it doesn't really matter; you basically just need to have a basic idea of what you can do, as I've said before, and to approximately know these arguments, but you can always take a look at them in the help menu, so that's not a problem. Let me just go ahead and clear the screen here, type in tshark -i and specify the interface, so p8p1, and now I might as well pass a filtering option here, a capture filter. Let's just tell it port 80 and port 443. Sorry, not "and"; you see, this is one of the common mistakes that people make, even me. You basically want to capture information on two ports and you say port 80 and 443. What this will effectively do is capture literally nothing, because these two conditions will not be met. It states that every packet must meet these two conditions, and of course they won't be met, and that will be a problem. Rather, instead you need to type "or", so it's either one or the other, and then you will get a reasonable output. Do I want anything else? Yes, I might as well type in or port 53. Excellent, port 53, that would be my DNS traffic, everybody's DNS traffic; the DNS service works on port 53.
Anyway, now comes the new part. So basically what we want to do is first specify the fragmenting, and you see now I've typed -b, and let's say I don't know what to type in, I forgot what was written in the help menu or something of the kind. What can I do? Well, two things. I can open up another terminal and type in help there, but that's not really an effective way of doing things. Rather, instead you can just press Tab two times really fast, or just several times really fast, and you're going to get the possibilities. The computer itself, the terminal, will tell you what you can actually type in there that will fit; it gives you a list of possibilities. Now this doesn't always work; sometimes the list of possibilities can be huge, you can have 200 possibilities, and that doesn't really help you that much, but more often than not you just have a couple of them, and you quickly press double Tab and you will get them. So a very good reminder here, you can see it, no problems. So what shall we use here? Okay, let's use file size, the one that we have not used before, filesize: and what shall we specify for the file size? Let us say that the file size will be five kilobytes, which is rather small, but okay, we really want the split to get going, we don't want to wait for an eternity for the split to happen. In addition to that I want to specify an auto-stop option, so once again you can just press Tab double time and you will get it, and I want the auto-stop function to kick in after the tshark program has created three files, so I'm just going to go ahead and type in files:3. Now I can start the capture process, but I don't want to do that quite yet. Before we actually do that we need to do something else. So in the /tmp folder, where the files are going to be captured, I need to be able to actively monitor that folder in order to see what is being created in it. So if I just
type in the ls command like this, it's going to list the current contents of the folder. However, that is not something I want at this point in time; I want it to automatically update without me having to type it in 100 times. So just clear it out, and there is a very neat command here. It goes like this: it says watch, and you pass it an argument the same way as with tshark. You basically type in, well, I'm going to pass it one second because I want the update process to go really fast, I open up my quotation marks, type in the ls command, pass -ltr, that's just a set of arguments that is passed to the ls command; if you want to see what all of them mean just type in man ls and they will be listed there. Press Enter and there we go, now the /tmp folder is being watched and its status is being updated every single second. Let's just go back here, use what we've learned before, pass the right argument, and we need to specify a folder, so it's going to be /tmp, and what are we going to name these files? UPDATE; I'm going to use all capital letters so that we can actually see them clearly. Press Enter, there we go, it's capturing, there we go, the first one has been created. So you have UPDATE, 00001 201 blah blah blah, some sort of a number here which is completely irrelevant to you; there are some naming conventions which are far better. Then you have a dot and pcap. Now since I don't have a lot of traffic here, I'm just going to go ahead and generate some. Okay, it's opening up, definitely, let's open up this, this, this, pretty much everything in my browser, just bookmarks; close all of that as we don't really need it, and there we go, three files have been made, you have one, two, three, and over here on the right side you can see that the capture process has stopped. Everything else that I would generate after that capture process, all the
other traffic that I would generate afterwards would be completely meaningless for tshark, as it simply would not capture it or do anything with it at all. In any case, that would be all for this tutorial, and I sincerely hope that I'll see you in the next one.

Hello everybody and welcome to this tutorial. Today I will demonstrate the difference between capture filters and display filters. Now, display filters we have used extensively before in the Wireshark graphical user interface; all the filters that we've typed in there were actually display filters, and what that means is that all of the packets coming in on an interface, going in and out from an interface, were actually captured, but only the ones that you wanted to be displayed were displayed. However, that is not always very effective; in fact, more often than not that is not a realistic solution to your problem, primarily because if you're conducting this capture on a busy network, on a larger network or something of the kind, you will find that you will run out of disk space very, very fast, that the resources on your system will be pretty much eaten up alive, and you will encounter some serious problems there. That is why you have capture filters: they specify a very narrow band of traffic that you want to capture, and therewith your file sizes are a lot smaller. That said, I'm just going to go ahead and use my first capture filters. However, I will use them in a bit of a different way. Even though the syntax of the capture filters differs to a significant extent, it is a good idea, primarily because you're here in the terminal, to make it as clean and as neat as possible, and here's a trick on how you can do that. So just type in tshark -i for interface; mine at the moment is p8p1, that's my wired interface. In addition to that I will pass an -f argument; now the -f argument is a filter. The first thing I'm going to do there is
open the quotation marks and press Enter, and you can see that I have this greater-than sign, and here I can list my filters one at a time, and I will be able to see them in a clear way, so I know exactly what I'm filtering. Now here's what I mean by it: just type in port 80, press Enter again, and so this can go on to pretty much infinity, well, relative infinity, as the resources in my computer are limited. I'm just going to go ahead and type or port 443, and with this I am making sure that, well, maybe not all, but pretty much all the traffic related to websites and stuff of the kind will be captured; namely HTTP and HTTPS traffic will for sure be within this capture filter. I'm going to go ahead and close the quotation marks, press Enter, yep, there we go. So it's now conducting a capture out here, but since there is nothing really happening there is nothing for it to do, there's nothing for it to capture. That said, I'm going to go ahead and open up a browser so that I would generate some sort of traffic. So I have my default page there, I already have some traffic; in addition to that I'm going to open up Google, and I'm going to go ahead and open YouTube. That should generate a significant amount of traffic; just by loading those websites you burden it to a very significant extent. And there we go, you see just how much traffic there is from opening up those three simple websites. Here we go, we have conducted that capture, I'm going to break it up here. I just want to show you how you can use these filters and how you can use them in different ways. Notice that this particular display only has captured HTTP and HTTPS traffic, or related to it, pretty much everything on port 80 and port 443, although 443 has some other encryption, you have encryption in general going on, so it might capture a
lot of other things as well. In any case, let me just go ahead and show you another thing. You see, when I go with my up arrow I can list out my commands, and you can see how neatly it is displayed here. I mean, you can literally have like a hundred of these filters, and you do not want them all in one line, believe me, that is never a good idea; you will lose yourselves, you will not be able to see them. It is much better to list them here, one or a group of them per line, and then you will have a clear overview of everything happening here. One more thing that I would like to go over here is the syntax, not the syntax of the command but the syntax of the filter itself. Notice that I have written port 80. So it's not dst, it's not like tcp.port or ip.dst or something of the kind, where you use dots to specify different types of traffic; rather, instead you just type in port, space, 80, and then type in or, literally the word or, port, space, 443.
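The two capture recipes from the lectures above, the ring buffer with an auto-stop condition (`-b filesize:` together with `-a files:`) and one `-f` capture filter per `-i` interface, combined into one added example. This is a shell wrapper written for this page, not code from the course or from the Wireshark project. It assumes the course's interface names p8p1 and wlp2s0, a constructed output prefix /tmp/CAP, and a hypothetical RUN_CAPTURE environment variable as the switch that actually executes the command; the check for the "port 80 and port 443" mistake the instructor warns about is a heuristic added here.

```shell
#!/bin/sh
# Added example for this page, not code from the course: a small wrapper that
# assembles a tshark capture command from the options the lectures describe.
# Assumed names: interfaces p8p1 and wlp2s0 (the course's), output prefix
# /tmp/CAP (constructed), and RUN_CAPTURE=1 (hypothetical switch to really run).

# Flag the "port A and port B" mistake: one packet has one source and one
# destination port, so two different plain 'port N' terms joined by 'and' can
# match almost nothing. 'src port A and dst port B' is left alone on purpose.
# Returns 0 when the filter looks sane, 1 when it contains such a clause.
check_capture_filter() {
    pair=$(printf '%s\n' "$1" |
        sed -n 's/.*port *\([0-9][0-9]*\) *and *port *\([0-9][0-9]*\).*/\1 \2/p')
    [ -z "$pair" ] && return 0
    set -- $pair
    [ "$1" = "$2" ]   # the same port twice is redundant, not contradictory
}

# build_tshark_cmd PREFIX SIZE_KB NFILES "iface|filter" ["iface|filter" ...]
# Each iface|filter pair becomes "-i IFACE -f 'FILTER'", so every interface
# gets its own capture filter, exactly as in the lecture. -b filesize:N starts
# a new file every N kB (the ring buffer), -a files:M stops tshark after M
# files, and -w PREFIX.pcap yields PREFIX_00001_<timestamp>.pcap and so on.
build_tshark_cmd() {
    prefix=$1; size_kb=$2; nfiles=$3
    shift 3
    cmd="tshark"
    for spec in "$@"; do
        iface=${spec%%|*}
        filter=${spec#*|}
        check_capture_filter "$filter" || {
            echo "refusing filter for $iface: '$filter' has a 'port A and port B' clause that never matches" >&2
            return 1
        }
        cmd="$cmd -i $iface -f '$filter'"
    done
    cmd="$cmd -b filesize:$size_kb -a files:$nfiles -w $prefix.pcap"
    printf '%s\n' "$cmd"
}

# Print the command the lectures typed by hand; run it only when asked and when
# tshark is installed. Watch the files appear with: watch -n 1 'ls -ltr /tmp'
main() {
    cmd=$(build_tshark_cmd /tmp/CAP 5 3 \
        'p8p1|port 80 or port 443 or port 53' \
        'wlp2s0|port 53') || return 1
    printf 'would run: %s\n' "$cmd"
    if [ "${RUN_CAPTURE:-0}" = 1 ] && command -v tshark >/dev/null 2>&1; then
        eval "$cmd"
    fi
}

main "$@"
```

Run it as-is to see the assembled command, or with `RUN_CAPTURE=1` on a machine with tshark and the right privileges to start the capture; a second terminal running the course's `watch` loop shows the numbered files appearing. The filter is wrapped in single quotes when the command is assembled, so a filter that itself contains a single quote would need escaping before it is passed in.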
Okay, so I've just cleared the screen, and the thing that I wanted to show you is that not only can you continue passing arguments within these quotation marks, but rather instead, you don't actually need to delete them or anything of the kind in order to continue; you can just do this, -f, and open a second series of filters as well. Especially useful if you want, for example, this set of filters to apply to this interface, and then you can say -i wlp2s0, which is my wireless interface, and have a second set of filters that will apply to that particular interface. So on this interface I want to capture DNS traffic, so port 53; all traffic coming in or out on port 53 will be recorded. Press Enter, and this command, yep, there we go, it says capturing on p8p1 and wlp2s0. I'll just go over this command once more. So go ahead, type in tshark -i p8p1, specify the interface, specify a filter or a set of capture filters for that particular interface. However, I have another interface, and for that interface I don't want to use the same set of filters as I have used here; rather, instead I want to specify a different set of filters, in this case I've just chosen port 53, the DNS traffic in general. Anyway, I hope that this was helpful, more to come in the follow-up tutorials, I hope that I'll see you there; until then I bid you farewell.

Hello everybody and welcome to this tutorial. Today I will be showing you primarily the command line interface of Wireshark, but I will also be using the graphical user interface to figure some things out, such as the syntax of the filters, primarily the display filters. Because just take a look: if I, for example, click on the Domain Name Server, you see Domain Name Service, and in parentheses here you see it says dns, and that is what we can use to filter things out, no problems. So you see dns.id, standard query, it says dns.flags; all of this that I'm showing, like dns.flags, this is in the bottom left corner, it's a bit small and I don't really have a way
of zooming it at the moment, but it's high resolution so you'll be able to read it, no problems. We're not going to stick around here for too long. What I want to show you today is how you can actually edit capture files via the command line interface, how you can separate the fields, how you can get the desired output, and so on and so forth. What you see here before you, this is a capture file that I have opened; I have just literally generated some random traffic, as it is really not relevant what kind of traffic it is today. I primarily want to go through the tshark command that can be used to separate the IP addresses from protocols, from info, etc. So without further ado, let's just go ahead and skip into the command line interface, there we go, skip into the terminal, and then from there I'll start up tshark. So first of all I'm just going to type in tshark -h, and let's have a look around. One of the first things that we're going to need is somewhere up here, yep, there we go, so -r. Take a look at the description, it says set the file name to read from (no pipes or stdin allowed). Now pipes we have already seen, that's just when you pipe the output of one command to the input of the other, so to say. And stdin, that's a programming library which basically serves... yeah, you do not need to know that at the moment. If you're really that interested in stdin you can go ahead and go on the net; those are libraries used for inputs, basically when you have a program you can input something into it, etc., via this library or something of the kind. That's what I use them in C for. Anyway, we're going to need -r, and in addition to this, so this is just going to read from a file, and when it reads you're going to get a chaotic output, so that's not something you want. You want to be able to filter it, to separate different fields, and so on and so forth. That is why we're
going to use the -T argument in combination with fields, so we will be able to specify exactly which fields we want output, either to the screen or to a file. Anyway, without further ado, I'm just going to go ahead and demonstrate how you can use these arguments. So just type in tshark -r to read from a file, /tmp/, and you need a capture file; I've just named mine test.pcap. Just make it; you should know how to do that by now, and if you don't, in my previous tutorials there are a good amount of demonstrations, so not a big deal, just feel free to go back and have a look at it. But it doesn't matter, a test file can be pretty much anything, just capture some random traffic and use it to test your filters and the arguments of the tshark command. Anyway, so that's -r to read from this file, -T to specify fields, and space; now in combination with fields we need to specify which ones we want, so I'm just going to go ahead and type in ip. I could have typed in ip.src or dst or something of the kind, but no, I want IPs to be printed out, so internet protocol, and let's just go ahead and see what happens. Excellent, so now I got a whole bunch of source and destination IP addresses, and keep in mind that there's no limit to what you can do with this. Let me just show you a couple more examples before I wrap this up. You can also specify, hold on, destination, and oops, come on, open up please, any time, thank you very much; you can also specify source and destination IP addresses. All you need to do is read through what it says in the bottom left corner and get some practice with it, memorize some of them, but if you can't memorize, you get onto the net or you get it here. So let me just type in ip.dst to give you that example of what you can do with that. There's also an option to output these things to a CSV file, so that it is readable,
so that you can actually load it up into Excel and read it from there. But let me just go ahead and delete this ip filter and type in ip.src, press Enter, excellent, so now I got a list of source IP addresses, and the list of source IP addresses alone. In the next tutorial I will show you, with a few more examples of these, how you can actually create a CSV file, which you can then read on pretty much any system that has Excel or an Excel-like program which can read comma-separated or semicolon-separated values fields, and just load them up. It can come in quite handy, especially to carry around with you or to have somewhere on the net a pcap file, knowing that you can't open it with that many programs; I mean, it's a Wireshark extension, there are some programs out there which will read it through, but it's not really that general. You need something that you can open with pretty much anything, and not just anything but something that is readily available on pretty much any computer out there, or any mobile device or anything of the kind, because you will always have something like Excel on a desktop machine or a laptop, on your pad, on your cell phone or something of the kind. In any case, till the next tutorial, I bid you farewell.

Hello everybody and welcome to this tutorial. Today I will start talking about network card modes. Thus far we have only been using promiscuous mode, which is one of six, and when your network card is functioning in that mode it only receives traffic intended for it, and thus Wireshark allows you to capture traffic only intended for you and the traffic that you are transmitting to somewhere. However, network cards have different modes, namely monitor mode, which is especially important for us today; it enables you to monitor the traffic of the entire network, basically all of the packets that are passing either through you or by you via wireless
or something of the kind. In any case, I will just go briefly over the other four, so that you have a general idea of what they are and what they can be used for, but of greatest importance is this monitor mode, as it allows you to monitor the traffic of the network. There are other ways to do this, and I will show them to you in the next tutorials, but for now I wish to go over this method. So first off you have, of course, promiscuous mode, which I already talked about, so I'm just going to go ahead and skip it here. Next up is monitor mode; I've also mentioned it, and we shall do it here in great detail. I will show you how to enable your wireless card to go into monitor mode, and more importantly, you will need to know whether your wireless card actually supports it or not, but there are workarounds for that as well if it does not, if your system does not support it, if the driver is not supported, that is. You have a master mode, which basically, if you set up your network card in master mode, that can also be a good idea to monitor traffic, but generally this is not done by a computer. You can have a small Linux computer whereby you configure its network card to be in master mode, and therewith it is an access point, so other devices can connect to you; you are connected to the internet by some router or something of the kind, and all the traffic goes directly through you. So that's also one of the other options, but usually those that run master mode are your routers, modems, maybe some switches, and so on and so forth. Next up you have ad hoc network card mode; basically ad hoc is peer-to-peer, you can connect two devices to communicate with each other via wireless or something of the kind, which is not really of interest to us today, but I just wanted to mention it there. Next up you have mesh; now mesh is an inter-node communication. Here's what I mean by it: let's say that you have three devices, so A, B and C.
A would communicate to B over C, so they just keep jumping from one to another to another, and so on and so forth, until they reach their destination. The final mode that I have not mentioned here is repeater mode. So you can set your router, switch or your Linux box or something of the kind to be a repeater; basically not the machine itself but the network card. All the information, all the packets that it receives, it just repeats; it doesn't do anything else, it just repeats them. A very good idea if you want to boost the range of your wireless network or something of the kind; you can have several repeaters and you can cover a large area, although the greater the area you cover, the more hops need to be made, therefore the connections can get a bit slow, and that can be somewhat problematic. However, there are workarounds for that as well: you just buy more expensive hardware and there you go. Now in the follow-up tutorials I will explain in great detail how you can figure out whether your network card, or your network adapter, supports monitor mode or not. This is very important to know, primarily because there are a good amount of network adapters, network cards out there that do not support this mode at all, and in that case, if you have an integrated wireless card, you will need to go and get a USB network card which you can use for monitor mode; prior to that you would of course check its compatibility with the mode. In any case, this will be a mini-series within the course that will enable you to monitor traffic on wireless networks, so general traffic on wireless networks, not just that which is coming from your machine. Very important, especially if you have a business of some sort or something like that and you wish to figure out what is going on on your network. This is only one of the ways in which you can do it; of course there are other ways, and I will show them to you in the follow-up tutorials, but for
the time being we will deal with this. I bid you farewell, and I hope to see you in the next tutorial, where I will explain this in great detail, and I hope that it will be of great use to you.

Hello everybody and welcome to this tutorial. Today I will show you how you can check whether your network card supports monitor mode or not, and how to enable it. So there are several ways to do each one of those things; however, the simplest, the absolute simplest thing for you to do now is simply to go ahead and open up your favorite web browser. Mine is Firefox; you can open up whatever you want, it doesn't really matter. Type in the search field of whichever search engine you're using airmon-ng, so airmon-ng, oops, I made a mistake there, come on, press Enter, and just see the first couple of search results that come up; one of them will be your answer. So look, it's the first one here, just click on it and see where it takes you. You're going to go to their website; they will not show the compatibility options on their home page, rather instead they will show usage examples and so on and so forth, but we're not interested in that just yet. Go ahead and click on "compatibility drivers" in the upper left corner, scroll down; it's telling you how to determine the chipset and so on and so forth, some other resources that you can use, etc., but you're not interested in any of that, not just yet. Anyway, down below you have the lists of compatible network cards, so if you can find the one that you are using here, you can rest assured that it does support monitor mode, and you will be able to do the things that we're going to do in this tutorial with your own network card. So look, it says Atheros, I'm using that one, and then you have some versions here, etc. Down below you have this one, I've never actually heard about this, but down below you have Broadcom, and most likely you're either going to have Broadcom or you're going to have Atheros, so one of those two, most likely; I don't know, it depends which
computer you have and what you're using. You could have something else, but most likely you're going to have those two, and it should work for those two. Pretty much whatever you have, just in case it doesn't, you have a list here so you can check; before you start any other troubleshooting, make sure to check whether it supports it or not. So as this is no longer needed, I'm just going to go ahead and close the browser, go ahead and enter my terminal, clear the screen from this, and remember the command ifconfig, very useful. I'm just going to go ahead and type it in, ifconfig, and for this I want my wireless interface; I do not want my wired interface, even though currently I'm connected via both, so wlp2s0, press Enter. It's going to list it out, but you can't really see much of the things here; I mean, there's not a lot of information, but certainly enough for you not to be able to see the mode; however, it is not shown here anyway. And just to be certain of that, you can type in ifconfig wlp2s0, you can pipe that to grep, pass the -i argument to make the grep command case-insensitive, and type in mode. I specified case-insensitive primarily because this first M can be a capital or a small letter, and that can sometimes be a problem. So just press Enter; you can see that nothing comes out, you do not have a mode option here, it does not tell you in which mode your interface is running. But you also have another option: you can type in iwconfig, this is another command that you can use for network cards, so iw, sorry, not iv, iwconfig, press Enter, and there you go, you get a listing of all the interfaces that have wireless extensions, and for those that do not have them it just says "no wireless extensions". Now here it says Mode:Managed, but we can do pretty much the same thing as before if you want to check the mode of a specific interface, which is much simpler to do as opposed to doing this, as you get a lot of information and you need to
actually manually, with your own eyes, go through all that information. It can be confusing from time to time, especially if you have several wireless network interfaces, with USB cards, etc. So just go ahead and pick the interface that you want from ifconfig; wlp2s0, I know that's fine, but yours can be something else, just check it out in ifconfig, and then go ahead and type iwconfig wlp2s0, pipe it to grep, and pass, just in case, the argument -i to ignore the case of letters, and go ahead and type mode, press Enter. Excellent, so what we get here is it says Mode:Managed; we know that the mode of our wireless interface is managed. Here you can see the frequency, the general wireless frequency; anywhere in the world it's 2.4, there is another one which is not used that much, 2.4 is the one that is generally used and that you will generally see here. This is the access point, this is the MAC address, etc.; there's some other information there, but we're really interested in this mode field. So it says managed here, but we don't really want that; we want it to be able to receive all traffic, even traffic not intended specifically for it within a network. So I will go ahead and demonstrate two ways in which this can be done. I'm just going to go ahead and type in iwconfig; with that command I want to bring my wireless network adapter into monitor mode, so just go ahead and pass the name of your wireless interface, wlp2s0, and if you don't know the syntax for setting the mode for it, just press Tab, and the system will basically give you a list of possible options, and look, here it says mode. So go ahead and type in mode, space; you can press Tab again to get the listing of possible modes and so on and so forth, but in this particular case we know that we want to type in monitor, as that is the mode that we
want our network card to operate in. When I press Return now I will get an error, and there we have it, it says "Device or resource busy". What this means is that my system is already using it, and in order to perform this task, to set it into monitor mode, it needs to actually bring it down, and then it needs to be brought back up again. It cannot bring it down because it is being used. In order for us to bring it down, keep in mind that you need to be root; you need to be either a root user, you see it says root@localhost, or you need to be a user with sudo privileges, so a user in Linux that can act as root with the command sudo. So if you were a user with sudo privileges you would just type in sudo, you would type in the command that you wanted, so ifconfig here, and then pass the arguments, press Enter; you'll be prompted for a password, and if the password is correct it would execute, if not you would basically be stopped there by the system. In any case, it just felt like I should tell that to you, because it is very important, so you wouldn't get some unnecessary errors basically saying permission denied or something of the kind, just to save everybody a bit of time. I'm going to go ahead now and type ifconfig, because I want to bring my wireless interface down so that I may apply these changes. Go ahead and pass the name of your interface, so wlp2s0, and what might the command be to bring the interface down? Well, simple enough, just type in down, and the interface will be brought down. If I type in ifconfig again alone, you will see that my wireless interface is not listed here at all, as it is down. To do a follow-up of that command, let's just go ahead and clear the screen so you have a better overview of things, type in iwconfig wlp2s0 mode monitor, there we go, press Enter, and our wireless network adapter is in monitor mode at the moment. However, do not forget to bring it back up, otherwise not only will you
not capture any traffic at all, but you will not be connected to anything at all, you will not have internet access. Just go ahead and type ifconfig wlp2s0, and just as we've typed in down, just go ahead and type up, that's it, simple as that; press Enter and the interface will be up. Just to make sure that it is up, you type in ifconfig once again, and there we have it, wlp2s0 is up. Clear the screen and confirm; it is very important to confirm that your wireless network card is in fact in monitor mode. That is a very simple thing to do, you can do it very fast, and it can save you a lot of trouble later on, because sometimes this fails, and you just go ahead and try to capture packets with Wireshark in monitor mode, but it doesn't want to work, it doesn't function the way you want it to; it can be problematic, you can spend a good amount of time troubleshooting the issue. All of that can be circumvented, you can do all of that without any sort of problems, by just confirming that your network card is in fact in monitor mode, with a simple command: iwconfig, and type in wlp2s0. Notice how you don't actually need to just type in ifconfig, as I have done before, in order to get a listing of your wireless interfaces; rather, instead you can pass the argument, which is the name of a specific interface, and get information only for that particular interface. Press Enter, and there we go, it says wlp2s0 is Mode:Monitor. Excellent, so now we have our wireless interface in monitor mode. However, this method doesn't always work; you can have some hidden problems that you are not aware of that can interfere with your packet capture process, with the functioning of the network card within this mode, and there is another way of doing this which is usually a better way, primarily because it gives you a listing of possible processes that might interfere with the functioning of your network card in this particular mode. That is what we shall do in the follow-up tutorial. In any case, I hope to see you
there, and I hope that you have enjoyed my tutorial.

Hello everybody and welcome to this tutorial. Today I will show you another way which you can use in order to put your network card into monitor mode. You will need a separate program in order to do this; chances are that it is not installed by default on your system, so you will need to perform an installation. The good news is that it is in the default repositories, so no extra work is needed: just pass along the install command and you're going to get it. If you're using a Red Hat distro like I am (Fedora), go ahead and use your default package manager, which is yum. If you're using a Debian-based distro, you can type apt-get install, pass the package name, and in such a way install it on the system that you're using. For this tutorial I will demonstrate how to install it in Fedora.

So: yum -C search aircrack. I'm passing the -C argument because I don't want my package manager to do any sort of updates of any kind; I don't want to waste time here. Press Enter, and sure enough my package manager has found the program which I need. You can see in the description of the package that it says sniffer and WEP/WPA key cracker. That is not what we're going to use it for in this tutorial. Primarily I want to use a tool embedded in this program which can set my network card's mode to monitor and give me feedback after it has attempted to do so. That feedback is basically the program telling me what processes might interfere with my network card functioning in monitor mode.

It is installed on my system at the moment, but if you wanted to perform an installation of it, it is very simple to do: just type yum install and copy-paste this name here. You can also type it in, no need to copy-paste it, but for the sake of this tutorial I'm just going to do this to save a bit
of time. Paste; excellent. So yum install and then the name of the package: this is the install command for aircrack-ng. You can also pass the -y argument so you won't be asked anything and it will just go through the installation, no problems. You will need an internet connection, of course, to pull the package from the official repositories. Let's just clear the screen.

Now that we have all of that set up, I'm going to go ahead and use a tool within aircrack-ng called airmon-ng. If I type it in like this, without any arguments, and press Enter, it's going to give me the list of possible wireless interfaces that I can use. So here you have it, and right next to it you also have the chipset. It gives me the name of the chipset, which I can use to check whether it supports monitor mode on the website which I showed previously. This is also one of the ways to check the chipset, and a far simpler way, if I may add: not the default way of the system, but all you need to do is install a program. The program is open source and it is in the official repositories, so you don't need to worry about a virus or anything of that kind.

Anyway, let's go ahead and attempt to enable monitor mode: airmon-ng start wlp2s0, press Enter, and there we go. First off it says "found five processes that could cause trouble". These are some other tools that are part of the aircrack-ng package, and if they stop working after a short period of time, as it says here, you may want to kill some of them. So you have these processes listed here together with their PIDs (process identifiers). You can just go ahead and kill them, no problems. If you're afraid that you will mess something up or break something, don't be. You can of course bring these processes up individually with the command line
interface, with the terminal, but a lot of people are afraid that they might mess something up. Don't worry about it: if you don't know how to do it, just restart your computer and it will all be fine. Basically you will undo any of the changes that you have made here, no problems, so you don't need to be afraid in that regard.

The good thing about this program is that it immediately tells us what processes could interfere with our network card functioning in monitor mode, so you can try killing some of these processes. That doesn't always work. Sure enough, as root you are entitled to kill any process whatsoever (and believe me, I have learned this the hard way, by killing my graphical interface, after which it was quite difficult to get it back, but you can always restart the machine, and that's simple enough). In any case, it says that the network manager can pose a problem. What it doesn't tell you is that the network manager usually poses a problem in an indirect fashion. Let me show you what I mean. I'm not connected to anything at the moment, but if I go over and check my connections, where they are managed, and click on one (that is the wireless in my house) and edit it, here I have security, general configuration, IPv4, IPv6, and here is where the problem can lie: "automatically connect to this network when it is available". So, for example, you kill your DHCP client, and okay, it's down; you disconnect from the internet completely. What your network manager does is immediately notice that you are disconnected, see that there is a wireless network available for which it has proper authentication credentials and which is labeled to automatically connect when it is available, and what will the network manager do? It will automatically connect to this network, and your DHCP
client will be brought back up in a millisecond. That is why it can pose a problem. It's pretty much a similar story with some other processes as well, but mainly, once you kill the network manager, you can kill pretty much everything else without greater problems.

If you have killed some of the processes and you are uncertain whether they are still running, of course you can use the ps command, the top command, etc., but you don't really want to use all of those, primarily because you would need to list through hundreds and hundreds of processes and filter them to see what's bothering you. It's basically the long way around. The airmon-ng tool allows you to check whether the interface which is in monitor mode has any potential problems by just typing airmon-ng check. So there are three arguments which you can pass here: start, stop and check. Notice that it says interface wlp2s0, but it says monitor mode enabled on mon0.
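As an added example, not part of the course, here is a small Python helper that scripts the two checks described above: it parses iwconfig output for Mode:Monitor and airmon-ng check output for the interfering processes and their PIDs, and flags NetworkManager as the one to deal with first for the reason just explained. The two sample outputs embedded in it are constructed in the format those tools print (not captured from a real machine), and the script name check_monitor.py is an assumption.

```python
"""Confirm that a wireless interface is really usable in monitor mode.

Hypothetical helper written for this page; it mirrors the manual checks
from the tutorial (iwconfig <iface> and airmon-ng check <iface>) but
parses their text output so the decision can be scripted.
"""
import re
import subprocess
import sys

# Constructed sample in the format iwconfig prints for an interface that
# airmon-ng has switched to monitor mode (not captured from a real box).
SAMPLE_IWCONFIG = """\
wlp2s0    IEEE 802.11  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=15 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off
"""

# Constructed sample in the format of `airmon-ng check <iface>`.
SAMPLE_AIRMON_CHECK = """\
Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

  PID Name
 8950 NetworkManager
 8963 dhclient
 9004 wpa_supplicant
"""

MODE_RE = re.compile(r"Mode:(\S+)")
PROC_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$", re.MULTILINE)


def interface_mode(iwconfig_output):
    """Return the Mode: value reported by iwconfig ('Monitor', 'Managed', ...) or None."""
    m = MODE_RE.search(iwconfig_output)
    return m.group(1) if m else None


def interfering_processes(airmon_check_output):
    """Return [(pid, name), ...] for every process that airmon-ng check lists."""
    return [(int(pid), name) for pid, name in PROC_RE.findall(airmon_check_output)]


def monitor_mode_problems(iwconfig_output, airmon_check_output):
    """Return a list of human-readable problems; an empty list means ready to capture."""
    problems = []
    mode = interface_mode(iwconfig_output)
    if mode != "Monitor":
        problems.append(f"interface mode is {mode!r}, not 'Monitor'")
    for pid, name in interfering_processes(airmon_check_output):
        # NetworkManager silently restores the managed link (re-connects and
        # brings dhclient back), so it is the one to kill first.
        hint = " (kill this first; it restarts the others)" if name == "NetworkManager" else ""
        problems.append(f"interfering process {name} pid {pid}{hint}")
    return problems


def run(cmd):
    """Run a command and return its stdout as text (airmon-ng needs root)."""
    return subprocess.run(cmd, capture_output=True, text=True).stdout


if __name__ == "__main__":
    if len(sys.argv) == 2:   # python3 check_monitor.py mon0   (as root)
        iface = sys.argv[1]
        problems = monitor_mode_problems(run(["iwconfig", iface]),
                                         run(["airmon-ng", "check", iface]))
    else:                    # no interface given: demonstrate on the constructed samples
        problems = monitor_mode_problems(SAMPLE_IWCONFIG, SAMPLE_AIRMON_CHECK)
    print("ready to capture" if not problems else "\n".join(problems))
```

Run it with the monitor interface as its only argument after airmon-ng start; with no argument it evaluates the constructed samples and reports the three processes, with NetworkManager marked as the one to kill first.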
So this is the interface that we want to be checking now. Just type mon0, press Enter, and there we go: sure enough, it's going to list the processes which might pose a problem for us at the time being. So just go through the processes; if you encounter errors along the way, make sure to kill them, and if you can't kill them, see what the reason is, see if they're being brought up automatically by another process running in the background. Namely, the network manager will always be a problem, not in a direct sense, but rather it will be bringing things up by default. So just make sure to untick the option "automatically connect to the network" or something of the kind, and you will save yourself a lot of trouble.

Before we actually go and start capturing things in monitor mode, I just want to show you one more very basic and quite important thing. If you want to stop listening on this interface, basically if you no longer wish it to be in monitor mode, it's a very simple thing to do: just type airmon-ng stop and the monitor interface, which is mon0. Press Enter and there we go: it gives you feedback immediately. It specifies the interface, it says mon0, Atheros something (this is the driver name, just so you know; sometimes these things can pose a problem upon the installation of the system, so it's always a good thing to figure out which drivers you are using, so you can install them manually or reinstall them if there are problems), and it says "removed". That's basically all you need to do as part of your cleanup: you started monitor mode on an interface, and when you're done, you stop it. That's it. Or you simply reboot the
machine with a simple reboot command. Press Enter and, from root, this will immediately reboot the machine no matter what you have open. Of course that is not advisable; go via the graphical interface instead, where things will look somewhat different and, more importantly, things will be saved during the session. In any case, I hope that you've enjoyed this tutorial, and I bid you farewell till the next one.

Hello everybody and welcome to this tutorial. Today I will perform a live capture of traffic, not from my own machine but rather from other devices connected to my wireless network. One of the first things that we need to do, as I showed you in the previous tutorials, is put our wireless network card into monitor mode, so as to capture traffic not specifically intended for it, but rather just the general traffic on the network, all those signals passing through or passing by. I have demonstrated two methods, and I am going to use the latter one, as it gives verbose output where I can actually see the processes that might interfere with its workings.

So the first thing that I need to do is type airmon-ng start wlp2s0. Press Enter and there we go: it says monitor mode enabled on interface mon0. We have our primary problem here, which is the network manager; it's just going to generate a whole lot of problems for us. If we run a check on mon0 (airmon-ng check mon0) and press Enter, we see that the network manager has actually generated an additional problem here. We need to kill it first if we want to have any chance of doing this properly. Don't worry about it: you can restart your network manager and it's going to restart these processes by default; however, should that not be the case, you can just restart the machine, as I have stated before, and everything will work out
just fine. So 8950 is the process ID that I wish to kill; that is my network manager. Now it is dead, and automatically the DHCP client is dead as well. Let me just demonstrate that for you: yup, there we go. All that is left now is wpa_supplicant, and I'm just going to kill it as a precautionary measure, as it can interfere from time to time and it can be a drag. So kill; excellent. Let's run a check now. Excellent: when you run a check and there's no output whatsoever, you're in a great spot. That means that the program has determined that there is nothing that will interfere with its process and that it will perform its function without any problems.

Let's just clear the screen. In order to perform a capture I'm not going to use Wireshark; I'm going to use airodump-ng, store the output into a file, open it up with Wireshark, and analyze and decrypt it there. So the first thing that I need to do is airodump-ng mon0, and there we go. Now, this is still not a live capture process; this is just a survey of sorts of pretty much all the networks around me. I see a lot of other networks around me; none of these are mine, so I'm not going to tamper with them in any way whatsoever. This one here, however, is mine, and today I will be tampering with it, as it is mine. It is very important to state that you should not do this on a network that you do not own or that you do not have explicit permission to tamper with.

Now that that's out of the way, I'm going to go ahead and repeat the command that I have just written, and specify the channel. This is another argument that can be passed to it. As you can see, you have CH here: the one that I have selected, and then you have channel 6, channel 6, channel 1, and so on and so
forth. If you're wondering what these channels are, those are the operating frequencies of your access points. The general operating frequency for wireless is 2.4 GHz, and the additional two decimal places are reserved for signals; you can review this on the net, it will give you a range of frequencies, although it is not really necessary for you to know that at this point in time. I just want to throw it in there so that you would be aware of it. What is important for you, however, is to spot this channel: mine is working on channel 6, and that is what I'm going to pass here. Next up I need the BSSID. The BSSID is right here; you can see that you have a field called BSSID, and I'm just going to copy it, as I don't want to retype this hexadecimal number, and paste it in here. So let me just go ahead and type -w out, press Enter, and there we go: the capture process has started. out is the file to which these things will be written, the output file, and it will be saved in multiple formats so that multiple programs can open it. However, we're not interested in other formats; we're primarily interested in the .cap file, because that is one of the formats that Wireshark will recognize and open without any problems or difficulties.

I do believe that the capture is sufficient for the time being. Let's just clear the screen and type ll to list it out, and there we go. By the way, this is a very stupid folder to save things in; you should never be saving things in your root folder, but since I'm doing this capture as a demonstration and I'm going to delete these sample files after I'm done, it's fine. But if you're performing a live capture of some sort, if you're doing something serious on the network, do not save things into the root folder. In fact, you probably won't be able to, as
it will be write protected. Anyway, you see we have these different formats here; they all contain the same information, but different formats can be read by different programs. So you have a CSV file, which you can open with Excel, no problems; fields will be delimited either by a comma or a semicolon or a tab or something like that, depending on how the CSV file has been written. You have some other formats down below which are of no interest to us today, and you have this final format, which is out-01.cap.

Now, for safety reasons I am not going to decrypt this particular file for you; I'm going to decrypt the one that I have found on the net, the sample file. However, I'll just demonstrate how you can open it and what you can see in the encrypted format. So if I just type wireshark... there we go. Let me just tell you that when you start a program such as Wireshark, and pretty much most things that you start from a shell, you can pass an argument to it. For example, I don't need to open Wireshark's graphical interface and then open a file from within it; instead I can just pass an argument here, like this: out-01.cap. Press Enter, and that alone is sufficient for Wireshark to realize which file it needs to open, where the file is, and to actually display it for us as it starts. So I don't need to load anything. This is not a live capture; this is post-capture analysis, so to say. Here we have a lot of packets: you have acknowledgements, power saves, etc., but none of these are really of any use to us. If I can just find one... there we go. If I click on one of them, it says data, 32 bytes; I press here and look at what happens: you can't see anything, it's encrypted completely. The only way you can view this is either if you're some sort of a genius and you break the encryption (nobody has publicly broken it yet; however, it is
possible that somebody has broken it, as somebody said once, a while ago: you cannot prove that a system is safe; rather, you can only prove that it can be broken into). Anyway, here you have completely encrypted data, very similar to what we've seen with HTTPS packets, except that here, if we are on our own wireless network and have the key of our own router, we will actually be able to decrypt this.

Now I have shown you how you can open up an encrypted file that we have captured, and we have in fact captured foreign traffic, even though you can't really see it now. You will see that in the next tutorial, when I actually decrypt it and show you the contents of the file, show you what users have been requesting. However, I do apologize, because I cannot decrypt this particular file for safety reasons. Not because I do not possess the key (it is my network, I do possess the key), but simply because I would be showing you all of my personal information. The procedure is exactly the same: you will type wireshark as I have typed it, and simply pass a different file name to the wireshark command, and there I will show you how you can actually decrypt it with sample decryption keys and view what sort of information the packets contain. In any case, I bid you farewell and I thank you for listening, till next time.

Hello everybody and welcome to this tutorial. Today I'm going to do a follow-up on my previous one, and I will actually decrypt a file: the file that I have captured in monitor mode, with traffic which is not my own, in the sense that it is not from my own computer but rather from other computers that are on the same network. To do so I will of course first need to open up the file in Wireshark, and as I have mentioned previously, I will not open the file which I have captured; rather, I will open up a sample
file from the internet in order to perform this decryption. I cannot decrypt my own file, obviously, for safety and security reasons. So, with that out of the way, I'm just going to go ahead and navigate to the folder where my sample file is; I'll just cd to /tmp. When you're downloading things from the net, you should generally store them in the tmp folder and not give them any permissions, especially if you don't trust the source. I do trust the source, but still, it is good practice. Anyway, let's see what is located in the temporary folder, and yep, it's the last one: you see wpa-Induction.pcap. I'm just going to type wireshark, and, as I've said before, you can pass an argument to wireshark, and that argument can be a file, and it will open up that file. So just type wp (nope, that's wlp; so wp), press Tab and it will auto-complete the rest of the name, press Enter, and Wireshark will now open this file.

It is in an encrypted format, and as before, you won't be able to see or recognize pretty much anything. You'll be able to recognize some of the protocols and stuff like that, but other than that you will not actually be able to see what the information contained within is. For example, if I click on this... nope, that's not the one that we're looking for, because it doesn't really contain anything; there's nothing really encrypted in it. We need something with information, so just scroll down; you also need to go past the authentication, so go deep, deep down, and there we go: data. As before, you can see that it is completely encrypted; you cannot make heads or tails out of this. This is completely useless information to you.

In order for us to be able to decrypt this, we need to provide Wireshark with decryption keys. So the first thing that we need to do is go over to Edit. We have learned what each of these options does for you, what you can use it
for, and where everything is, in the previous tutorials where we dealt with the Wireshark interface. So go ahead and click on Preferences; we've been here before, so nothing new, it shouldn't be too difficult. It will open up, and here you have a bunch of options that we went over. We're going to go ahead and click on Protocols, and there are a lot of them, so don't go scrolling down to it; instead just click on one, any one, it doesn't really matter, and then start typing capital I and triple E, and there we go, we are at IEEE 802.11. That is a wireless standard, pretty much universal in the world.

Here we need to do the following things, and please pay attention, because this is quite important. It says here "enable decryption". It is very important that you toggle this, that you click on it, because it is not marked by default, and even if you pass your decryption keys and apply everything and say OK, nothing will actually happen: Wireshark will simply store the decryption keys but do nothing with them, absolutely nothing. So you do need to enable decryption first, and then head over to Decryption Keys, click on Edit, then New, as you need to create a new decryption key. (For some strange reason it pops up in the upper right corner; I have no idea why that is happening.)

So you have a key type here: you have WEP, you have WPA-PWD and you have WPA-PSK. WEP is a very old style of wireless encryption; it stands for wired equal protection, something like that, I'm not too sure about that, but it doesn't really matter, nobody uses this anymore. Of the people who are using WEP today, I mean, there are very few of them; maybe out of about a hundred thousand people one person is still using it, for some strange reason that nobody knows, but in general you won't find anybody using it. Down below is what you need: WPA-PWD, so a password key; and WPA-PSK is a personal key which is also used,
but for the time being we need this one. Depending on what sort of encryption it is, what sort of traffic you have captured, take your pick from these three (for wireless it can be these three, and that's it). You just need to figure out which one you have captured, and usually, in 99 percent of cases, you will know this prior to the capture itself, because as soon as you click on your network manager icon, when you want to connect to any of the wireless access points around you, it will basically tell you: this one has WPA, this one has WPA2, this one has WEP, and so on and so forth. So this is the one that you need now.

For the key, I'm just going to paste the key here that I have taken from elsewhere, and in this key there are several things which you need to pay attention to. The first part here you don't need; I've just copied it like that, but that is basically stated already above where it says wpa-pwd. So the first portion of this, before the colon that I've marked, is the wireless password: the password for the wireless network which you wish to decrypt. Then you type a colon, and after the colon you need to type the name of the wireless network. The name of the wireless network can be anything, just like a password; it is public, anybody can see it, so you can name it whatever you want, it doesn't really matter. What is important, however, is that you will need that name in order to perform the decryption process successfully. If you do not pass the name argument, Wireshark will try to decrypt this with the last known name of a wireless network, and more often than not that will not work out to your advantage, believe me. So you do need to pass this argument; even though it's not mandatory, you do need to pass it, because otherwise Wireshark will only get confused and you will not get proper output. Press OK, remember to click Apply, and confirm with OK. You can see that the background has changed
a bit. Press Apply again, just to be on the safe side (nothing else, really; I'm pretty sure it has already figured it out), and click OK. That is pretty much all that we need in order to decrypt these packets. Some of them will of course still be encrypted, and you won't be able to read them, but if you scroll down, the closer you get to the bottom of the capture, the more packets will be decrypted. So there we go: we now have HTTP traffic; there we go, we have a GET method. We can pretty much see what websites have been visited. There we go again, we have more HTTP GETs; there we go, we have a TCP segment. Somewhere along the way you can see that somebody has apparently (yep, there it is, it's a JPEG) downloaded, or loaded into their browser, a JPEG from somewhere. You can figure out from where by just going through these packets, going a bit backward and seeing which website has been visited, following the link and the connection, and so on and so forth.

Now you can see the information contained. Let me just see if I can do this, if I can name it perfectly; yep, there we go. I'm just going to minimize this, and there we go: now we have all this information in decrypted format, and the last one is what we want to know, that's data. You see that the Hypertext Transfer Protocol is no longer encrypted; you can see everything that is going on here, all the information is there for the taking, from the user agent (the user agent is Mozilla, Macintosh) to what it has accepted, an image, and in other packets you can also see from where, and so on and so forth. So in this manner you can decrypt these packets and figure out what is going on. You can monitor your own network, or a network you have permission to monitor, and pretty much see all the traffic going on, as long as you have the
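An added example, not from the course, showing what Wireshark does with a wpa-pwd entry: the passphrase and the SSID are run through PBKDF2-HMAC-SHA1 (4096 iterations, 32-byte output), which is how WPA/WPA2-Personal derives the pre-shared key, and the result is what you would otherwise type as a wpa-psk key. This is why the network name must be supplied: it is the salt, so a wrong or missing SSID yields a wrong key and nothing decrypts. The entry Induction:Coherer is the key documented for the Wireshark sample capture wpa-Induction.pcap used above; the helper function names and the rule of splitting the entry at its first colon are this example's own choices, not Wireshark's code.

```python
"""Derive the WPA pre-shared key behind a Wireshark wpa-pwd entry.

Added example for this page (not Wireshark code).  A wpa-pwd entry has the
form "passphrase:SSID"; WPA-Personal turns it into the 256-bit PMK/PSK with
PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).  The same
bytes, hex-encoded, are what a wpa-psk entry contains.
"""
import hashlib


def parse_wpa_pwd(entry):
    """Split a "passphrase:SSID" entry into its two parts.

    Assumption of this example: split at the first colon (the sample key has
    only one).  Raises ValueError on an entry WPA-Personal would not accept.
    """
    if ":" not in entry:
        raise ValueError("wpa-pwd entry must be passphrase:SSID")
    passphrase, ssid = entry.split(":", 1)
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    if not ssid or len(ssid.encode()) > 32:
        raise ValueError("SSID must be 1..32 bytes")
    return passphrase, ssid


def wpa_pmk(passphrase, ssid):
    """Derive the 32-byte PMK/PSK exactly as WPA-Personal does (SSID is the salt)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa_psk_entry(wpa_pwd_entry):
    """Convert a wpa-pwd entry into the equivalent wpa-psk hex string."""
    passphrase, ssid = parse_wpa_pwd(wpa_pwd_entry)
    return wpa_pmk(passphrase, ssid).hex()


if __name__ == "__main__":
    # Key documented for the Wireshark sample wpa-Induction.pcap:
    # passphrase "Induction", SSID "Coherer".
    entry = "Induction:Coherer"
    print("wpa-pwd:", entry)
    print("wpa-psk:", wpa_psk_entry(entry))
    # Same passphrase, different SSID: a completely different PMK, so the
    # four-way handshake will not verify and no data frames will decrypt.
    print("wrong SSID gives:", wpa_pmk("Induction", "Coherer2").hex())
```

Because the derivation is a salted, iterated hash, the only way Wireshark can decrypt a capture is to be given the passphrase (or the derived PSK) up front; it never recovers either from the traffic.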
decryption keys. All traffic going over that network will be perfectly visible to you, and nobody can hide it from your sight. This is especially handy for small offices or something like that, where you need to quickly figure out what is going on. In any case, this concludes this mini-series within the course in regard to monitor mode. I hope that you've enjoyed it and I hope to see you in the next one.

Hello everybody and welcome to this tutorial. Today I will show you how you can make a customized CSV file which is more universal, so to say: it can be opened on more systems with greater ease, as more programs can access it, open it and read it. In any case, you will require a capture file; you should know how to make that by now, and if you don't, feel free to go to some of the previous tutorials, where I have explained it in great detail. For the time being I'm just going to use this rather large command that I typed in a moment ago; I didn't want to type it in during the tutorial, as it would take up some unnecessary time, so I prepared it previously, and here I can break it down for you.

First off we have tshark; that's the command line interface. You have -r, which basically states that we shall read from this sample file (I've named it sample capture). -T is the option for the output format, so you pass -T fields, and after that you can specify as many fields as you would like to be extracted from the file. -e basically specifies the name of the field, and then the program knows: okay, you want that field, very well, I shall extract it for you. So I have basically specified that I want my frames to be enumerated, so that when I take a look at the CSV file I know which frame I am looking at; I don't want to count from the beginning. The
next thing you have is again -e; you can pass as many as you like. So I want the source IP address, and the next one, I want the destination IP address, and in addition to that I would like to have the TCP destination port. Now, I have discussed in the previous tutorials that source ports are not that useful to us, primarily because they are randomly generated by our machines upon transmission and they don't really give you that much information. That is primarily why I've chosen to pick just the destination port, TCP; no particular reason. The file that we're reading from has no other significance than demonstration and training purposes.

In addition to these -e's, I also have a capital -E here, and -E header specifies a header. Instead of y here, let me just show it to you, I could have also typed n for no, do not show headers; or y, yes, show headers, which is very nice, because when you start reading things from the top you want to know which column displays what sort of information. I mean, sure, you can infer it by just looking at it, but it's much better when you have it written nice and neat, so you can read it without any problems. Next up we have again capital -E and we have separator. Separators are field delimiters; basically it tells an Excel-like program: okay, when you reach this mark, that means you should separate into another field; whatever remains, go to the next comma, separate into another field. We have a double quote here, so quote=d, d for double; and we have occurrence. Basically I wanted to start from the first packet; I could have said start from the middle or something like that, but no, start from the first. This greater-than sign means output to this file here: so this command will generate something, and then it knows that it will output things into this file, primarily because of
this greater-than sign, and then right on the right side of that greater-than sign you have the file; well, I've named it sample csv dot csv, kind of a weird name for a file, but it doesn't matter, it makes the point quite clear.

Now, if you are uncertain in regard to these field names, that can be a bit tricky, because there's very little chance to memorize all of them, and quite frankly there isn't a need. You cannot see them in the help option, but what you can do is open up your graphical user interface (I have it open here), and wherever you click on these packets, pretty much anywhere on any of them, it will always list something. So here I have interface ID; look at the lower left corner, it says frame.interface_id. So if I just typed that in after -e, it would extract this field, and so on and so forth. Let me just show you one for DNS, which is a bit clearer. I'm not going to go to layer one; rather, I'm going to go to the IP layer, into the IP protocol, and if I just click on it, it says ip. Okay, but I don't want to be that general, I want to be more specific; let's say I click on Protocol, it says ip.proto; okay, so let's go on to the source IP address, ip.src. And so you just keep on typing them; you type in as many fields as you like, customize your CSV file to your liking, or to the requirements of your job, or whatever, and you will save yourself a lot of trouble and a lot of time. These things are incredibly handy in CSV files; there is a reason why this option has been left in, and there is a reason why people use it so much.

Okay, so I'm going to go back to the terminal and press Enter; there we go, it takes a very short amount of time to generate the CSV file. Let's just go over to my folder browser, and there we go, we have sample csv dot csv. Double
click on it and libreoffice will open it no problems now it doesn't matter if you don't have libreoffice like excel will open it no problems either as well and here you have an option for example it says separator options so you can say fixed width or you can say tab semicolon space other text delimiter whatever it gives you so many options but since we know that we have actually chosen uh double quotation marks and if we have chosen coma i'm just going to go ahead and say ok as i don't really need anything else and now here you have a small example of a capture file of a filter through capture file and conversion to its to a c csv file there we go it says you have port number you have frame numbers here in column a you have ipsource address in column b ip destination colon c and you have destination port in column d i would advise you to play around with these things that is really the best way to learn you have every possible prerequisite here every possible basic knowledge that you would require to continue on your own and quite frankly there is there is not that there is not that much variety in terms of what you can do here basically just keep adding fields taking away fields changing delimiters separators that is and see what sort of an output will you get even though you have a lot of combinations the logic of it doesn't really change the logic pretty much stays the same it's always the same you just add more or less options but they're pretty much the same you add them in the same way and you pretty much can just read from wireshare graphical user interface what you need you can read the field names put them there and perhaps memorize those which you find most useful to you in any case i hope that you've enjoyed this tutorial and i'll see you in the next one hello everybody and welcome to this tutorial today i will be demonstrating how you can extract something more other than an address or a port or something of a kind from packets captured in fact you can 
extract real time information so to say such as a video or a picture or something of a kind in fact you can pull entire video streams but i'm not going to pull an entire video stream i'm just going to show you how you can get fragments of video stream from the packets themselves i want to show you that those packets contain real real readable information so to say that a human eye can interpret distinguish and so on something other than an ip address port as i've already mentioned or just a protocol or something of a kind so let's just go ahead and start a capture on p8p1 and see how that goes i got a lot of traffic going on here very soon it'll start showing but i don't really want to see at all it's completely relevant to us at this point of time what i wanted to do is open up some sort of a live stream so i'm just going to take a news site from somewhere so iptvplayer.com watch russia today news tv okay so excellent these new sites they have a ton of live streams that go on 24 7 guaranteed not to go down or anything of a kind so i will turn off the sound because i couldn't care less for the news but the video stream comes quite in handy in such situations for demonstrational purposes and such it's a bit slow to load don't know exactly why perhaps slow connection or the streaming is not as good as it should be but anyway there we go it is starting some oh please shut the sound off thank you very much now let us go over back to our packets captured and there seems to have been some sort of previous filter here i'm just going to go ahead and clear it out now one of the first things that we need to figure out is where are we connected to where are we pulling the stream from so i'm at the top of my capture filter i need to go down down down and there we go so this seems like a viable ip address you see most of the packets are from there we are streaming so a lot of packets are being generated there i'm just going to go ahead into my filter field type in ip dot a dd 
actually a better a better better idea would be ip dot dst and let's say that that shall equal to oops a bit of a mistake here did that shell equal to uh what is the ip address okay 204 204. press enter i want to apply that filter and in addition in addition to this filter i would also like for http http traffic to be filtered out and you should know how to do this by now http excellent so we're just going to get those packets and nothing else let me just scroll all over over here and you can see that there are a lot of fragments from the video every one of them has their individual id and so on and so forth going over them like this i mean sure you can extract a ton load of useful information and you can figure out a lot of stuff but in this particular tutorial i just wanted to show you that you can actually extract things from these packages that how should i put this that you yourselves can actually read or see and interpret that are not just these binary or hexadecimal digits or something of a kind i want to show you that there are real information contained within all of these packets so let's just go to one of them oops these are all the same these are just guest methods okay so let's just change the filter up a bit uh ip.address let's just go ahead like this and see what happens will something a fuse pop up i am doing this deliberately i could have of course prepare the filters and everything of a kind and just pop the stream here but instead i want to show you that when you're typing in these things mistakes are bound to happen you're going to stumble you're going to encounter errors errors and no matter how much practice you have you will always need to go back delete correct or something of a kind so there we go we have one and it says hypertext transfer protocol and we have below it says media type it says video mp2t i do believe that's a format and over here you have the size of it so that's one chunk of the video let's just go ahead and right click on 
it you can see it turns blue down here those are the binary digits representing that video chart video chunk and look at how big how many of them there are they're practically infinite down the stream down the road so to say uh we don't really want any of those things uh i'm just gonna go ahead and you see there is this option which i have not mentioned before it says export selected packet bytes okay let's go ahead and export them i'm just going to name this sample video and i'll save it in my temporary folder where i pretty much save all my stuff that i download from the internet uh so under root now file system sorry where's tmp here excellent so oh i don't want to rewrite that sorry it's just going to be video sample ah video sample excellent so save it there and as we save it i'm just going to go ahead and open it up in my file manager to see what i can actually extract from it so here we have i've clicked on it it says video sample i have a vlc media player installed so it will quite literally play pretty much any known video image format out there in existence so unless you have some sort of software like that i'm not sure will this always work but yeah you can try with bass player or something of a kind should also generally work but vlc will pretty much is pretty much guaranteed to work under any circumstances opening up any sort of files so i'm just prompted here because it doesn't really recognize the format of the file by default you'll probably be asked you'll probably be prompted and asked what the computer will ask you what sort of software should i use what sort of program should i use to open up this file because i don't exactly know what it is but it's okay once you say okay use vlc or something of a kind it will be decoded it will be decoded by default sorry there for the sound but doesn't matter it's a proof that you can actually get a segment so as you can see i'm just replaying it it's a segment of the video and there's real information these 
packets that's basically the lesson of today's tutorial and the way you can actually extract it it's not much i've extracted a very small sample i didn't want to go ahead and extract the whole thing that seems kind of burdening to download and to display here really serves no purpose but other than that let me just see if i can show you something else you see all these zeros ones and zeros that's a binary stream you if you remember correctly there were hex numbers here i've changed to binary streams doesn't matter either way we won't be able to read them but just look at the amount that exists for that short portion of the video look at how many of them there are now imagine how many there are for a i don't know one gigabyte movie or something of a kind let me tell you a lot actually you can know exactly how many i'll leave that question to you there's a very simple answer to that go ahead and find it out in the net i won't tell it to you but it's pretty simple just try to figure it out the answer is pretty much obvious in any case i bid you farewell and i hope to see you in the next tutorial hello everybody and welcome to this tutorial today i will be talking about nmap and how you can analyze its traffic with wireshark so nmap is a tool for scanning network you use it to scan networks basically it can give you a great deal of useful information for example if you're in lan if you're in lan it can give you mac addresses off the of the machines that are within lan provided of course that you know the ip addresses but even if you don't know the ip addresses you can just scan the entire subnet or something of a kind it can also determine which operating systems are running on remote machines whether they are in lan or outside it doesn't matter it will conduct a scan but primarily it can tell you what ports are opened on the system and if it tells you what ports are open in the system you can conclude a great deal of things from that for example you can figure out 
which services are running and you can assume which operating system is running there because you have some default open ports on some systems and in such a way you can get more information now you shouldn't scan a system that you do not own or have an explicit permission to scan because that is not permitted however today uh within my lab environment i will be scanning my own virtual machine and i will show you how you can actually reduce the how you can monitor the traffic and monitor more importantly how you can monitor the size of the traffic because the less packets you have the lower the probability is that your scan will be detected and you have a lower chance that the firewall will actually stop your scan as well now this is very important for people who are into penetration testing they tend to use these sort they tend to use this method basically just scan a virtual machine with nmap and then have wireshark monitor the scan and in such a way see which sort of which parameters which sort of scan of nmap will generate the least amount of traffic in any case as i said for people in pen testing who do this they have a permission to scan the systems and to perform this these kind of tasks so unless you own the system or have a permission to scan the system do not do it as it is not permitted anyway what you will need for this tutorial is nmap installed on your system uh on linux it's pretty much easy there is there isn't that much science there is really that much thinking to it so to say as you can see i've just typed in ups i've just typed in here yum search nmap this dash c option is basically just tells my packet manager yum do not perform updates at this time just try to find and just try to find package and map you don't need to worry about that and as soon as you type that you get a output down here so i don't know you have some sort of things here which you're not really that interested in this is also a very very interesting tool it says nmaps and cat 
replacement but nothing's ever going to replace and ncat i mean seriously like that's one of the tools that has been around for quite a while and if you don't know what it is i strongly advise that you get familiar with it that's that is one small task that i have for you if you wish to learn more about networking monitoring networks and troubleshooting them netcat is a fantastic tool it allows you to connect on pretty much any port in any way it supports a great deal of protocols and it is fantastic for testing it's it's completely free you don't need to pay for anything for it it's open source so yeah i'm not selling anything or anything of a kind just have a look at it it's going to be if you plan to do something with networks or have a career you're definitely going to need that tool anyway coming back to the subject down below you have nmap.x86 underline 64. it says network exploration tool and security scanner basically that is precisely what it is as i said it just scans the networks and it gives you a lot of information if you wish to install it just type in yum install and then nmap sorry and map and there you go that should do that should do it you will install whatever you need to that will install the package without any problems as you can see i've pressed tab with a wrong argument and it has given me some weird rather weird options but irrelevant you just type in gum install space nmap and it's going to run through let me just go ahead and clear the screen now i do have my virtual machine set up here one of them anyway it's just a different edition of fedora the next one 21 where i'm testing it this is a live boot not an actual installation that's why it's running a bit slower so its ip address is 192.168.1.4 and that is the ip address which i wish to scan and monitor the traffic so let me just go ahead and start a live capture on my wired interface p8p1 apply my filter here so you should know this filter by now apply there we go so there isn't any 
traffic now i mean there is traffic but nothing is really being displayed because i have told it that the source ip address has to be me basically this is the ip address or the machine that i'm using at the moment and the destination ip address has to be the virtual machine which is this is the ip address of the virtual machine that you've seen a moment ago so as you can see there is no traffic now nothing of a kind down below you have packets the amount of packets it sets back as 21 and displayed zero excellent that is precisely what we want now we can conduct our scan so let's begin with the basic fundamental nmap scan i'm just going to go ahead and type nmap and type in the ip address so 192.168.1.4 and remember remember to pass the option double v so not w but double v uh you can also say one or two basically this defines the verbose the verbose output how much information do you want the program to tell to give you in regard to what it is doing at the moment and i always like to be informed so i always pass the double v here it is quite in handy it's quite in handy because i don't know sometimes nmap scans will take a while and you will just see a blank screen you won't see anything happening there will be no progression bar or anything of a kind and you will think oh it's bug there is something of a kind and you will interrupt the scan and then you will need to do the whole thing all over again like this you can see what it is telling you there we go it says starting nmap initializing our pings yan scanning 192.168.14 and it's clearly telling you what is what it is doing there we go the traffic is now being generated and we have a lot of things here that are going back that are going back and forth and there you go the scan is finished this is a very fast scan obviously because this is all in lan so the scans can be conducted rather fast but look at down here where it says packets displayed it's the bottom bottom the middle of the screen in the bottom it says 
that i have 1500 packets approximately and that my nmap scan has consumed 120 packets that is a huge amount i mean this is bound to be detected for sure if there is a network admin on the other side they will see they will notice the scan no problem so we need to actually work on reducing the size of our nmap scan one of the first things that i am going to do aside from clearing my screen and making a more neat working environment is go ahead and type in nmap double double dash help press enter and this is going to prompt a help bar let me just expand this a little bit for you so you have a better overview and repeat the process because the terminal doesn't it doesn't not resaw it does not resize the text by default and so here you we have some other options in the example it says these are just miscella arguments for wireshark itself but we have a ton load of other options one of the most look at how many of them there are pretty much the same procedure as with t-shirt you type in help and you figure out what is where so this is one of the more one of the one of the options that people would use on more frequent basis so dash oh so let's try dash o and let's see how much how much traffic will that generate before i do i wish to reset my capture as i don't want this as i want to see exactly how many packets will be will be recorded so let me just find it yep there we go and i'm going to pass dash o capital o press enter here we go it's initializing the scan and you can see that there are packets already streaming in it says 57 50 almost 60 there we'll see how much it will be how much how much packets will generate in total so not that no oh it's still going on it's still going on it stopped and this is not good either so it says almost 1600 packets this is more than our previous scan but this is something that you would need to do from time to time on your network as a pen tester as a network admin to figure out what is going on what system is being used on the 
other side if you can't physically go over there or something of a kind but as a pen tester this is not good it's seven it's 1600 packets and again you are bound to be detected but these are just some basic options that you can pass in the follow-up tutorial i will explain in great detail how you can conduct stealth scans and you will see how wireshark when it monitors the traffic it will there will be a significant reduction of the amount of packets transmitted in any case i bid you farewell and i hope that you've enjoyed the tutorial hello everybody and welcome to this tutorial today i'm just going to continue from where i left off in the previous tutorial now thus far we i have been trying to reduce the my scan size but i have not been very successful with it as you can see wireshark has recorded quite a bit of traffic old all of my recorded traffic was above 1000 packets which is uh which is pretty high uh one was 1700 1600 etc and so on and so forth so i'm going to try doing something else there is an option in wireshark to emit host discovery and simply to assume that a host is online and i'm hoping that that will reduce my packet size so my total number of packets sorry 192.168.1.4 and press enter see see how see what's how much traffic will that generate uh probably not a whole lot less but certainly less let me put it to you so one of the best things that you can do primarily if you're scanning a large amount of ip addresses is to make a file and in that file just list the ip addresses that you want to scan and then pass the port so don't scan on all the ports see it says it has scanned 1000 ports that's uh that's a lot i mean not shown 999 filtered ports anyway it says packets displayed 1446 which is still i mean it's it's a bit less from 1600 but uh still it is a pretty large amount of packets so as i have said just a moment ago try try doing a port scan uh try typing in nmap uh 192.168.1.4 and let's say that i want to scan on port 80. 
and i also want to no wait i'm just going to go ahead and scan on port 80 and then in the next follow-up command i will add an additional argument uh so it's it has oops sorry sir sir wait wait wait there we go i just wanted to restart the live capture session so that you would be able to actually see the amount of packets and there we go now i want now i'm conducting a scan on port 80 and i want to see how many packets will i capture this will definitely have less traffic from the previous scans so it had there there were only two packets look at this only two packets uh okay it says destination unreachable host administrator administratively prohibited the reason why it says that it's because the port on my virtual machine port 80 is closed and firewall is dropping all connections on port 80. but it doesn't matter now we know that it is closed it says service http however what is of importance to us here is that it has only generated two packets and this is fantastic this is not something that's going to be problematic that's going to be noticeable or something of a kind especially as i said before if you have like a range of i don't know 100 or 200 ip addresses it would take you forever to conduct full full port scans on all 100 ip addresses rather instead you want to focus your attention to the server think of it in terms of services okay i want to test these services out so i'm going to scan on the ports on which those services are most likely to run for example if i wanted to go ahead and scan for port 22 which is ssh i'm going to go ahead and pass this argument but before that i need to reset my capture even though there are only two packets there so probably i didn't need to do that it doesn't matter so let's go ahead and do port 22 and let's see if the pn option is going to be of any help to us here the pn option usually is good when wireshark concludes that the host is down even though it's up and then you pass pn then the scan flies anyway so now we have 
determined that port 22 is closed when it says filtered here it simply means that wireshark cannot determine whether the port is open or closed however if it says filtered it's most likely closed it's most likely you're not going to be able to do anything on it as the firewall is dropping it but here ssh it clearly states that it is closed and look at this we have reduced our packet size by one so we only generated one single packet now think about it how much have we reduced traffic our traffic our scanning traffic from sixteen hundred packets we've come down to a single packet that's a significant reduction that's not something that's i mean it's detectable but nobody's gonna notice or care for a single scan and that is what people in pen testing industry are usually counting on hide and they hide in the mass of information and then attempt to do something from there but you can you could have also said i don't know port 80 so do do a scan like this do scans on port 80 and 22 oops sorry need a comma there so do do scans on port 22 and 80 and that's very helpful primarily because you will be able to specify pretty much as many ports as you like here and then you will be able to conduct scan and figure out what is going on with those particular services nothing else look it says displayed here for but i did not reset it in total there are three packets here so with the pn option that we've passed we have generated only three packets and we figure out what is going on on poor 22 and 80 as opposed to just generating a huge amount of traffic and getting pretty much the same amount of information as pretty much this scan that we've done now which is nothing i mean three three packets is nothing not something noticeable as i've said before in any case before i conclude this tutorial let me just go ahead and mention again that you that it is not okay to scan networks that you don't have a permission to scan or that you do not own uh people who work in pen testing 
industry they get contracts and are allowed to do particular things so that they would test the security of the network if you wish to conduct tests of your own i would advise you to construct some virtual machines it's ridiculously easy to do all you need is virtualbox or any other uh virtual machine client where you can install your virtual machines and then you can do pretty much whatever you want you can also install uh router operating systems and have your virtual machines act as routers as well and in such a way you will be able to conduct any sort of test that you want there is there are no boundaries there there are no legal limits there you can literally destroy the machines there because they're virtual machines and they are your machines most importantly of all in any case that that would be it as far as wireshark and nmap is concerned i hope that you've enjoyed this tutorial and i hope to see you in the next one hello everybody and welcome to this tutorial today i will show you how you can conduct a remote capture of a machine that is not necessarily within lan or within the range of your wireless card in the previous tutorials i have shown you how you can actually conduct a remote capture of all the folder traffic that is up in the air around you provided of course that it is in the range of your wireless card and provided of course that you do have the necessary decryption keys this was done through the managed mode of a network card we will not need it in this tutorial primarily because the machine from which we will be capturing traffic can be anywhere else in the world so we are capturing traffic over it that will be sent over the internet to us what this means is that you can be in germany let's say in berlin and the other machine can be in tokyo and you will be able to stream the network information over the internet to your machine in berlin and capture it and analyze traffic in wireshark there now depending on the amount of traffic and 
depending on the available bandwidth this can be either slow or fast depends how you do it but it is possible to do it and that is what i want to demonstrate today now there are prerequisites there are a few things that you're going to need if you wish to if you wish to be able to fully follow through this particular tutorial the first off the very first thing that we will need is a protocol called ssh now ssh is a tunneling protocol and it will ensure that all the traffic transmitted from the machine in tokyo to machine in berlin will be heavily encrypted so even though somebody could be in the middle of your communication in the middle of the communication between two machines and capture the traffic they will they won't be able to do anything with it i have shown you in the previous tutorials how encrypted traffic looks like and as you could have seen there isn't much that you can actually do with it you can extract a bit bits and pieces of information but you cannot actually get the data itself without the decryption keys of course and the chances of somebody getting the decryption keys are very slim to none and of breaking the encryption and in order to break the encryption without decryption keys i mean it would take an eternity of time to brute force it for something of a kind anyway i will show you how to install this you will need this on both machines not just on one so key thing to note here is that you will need it on both machines fairly easy to install i will show i will show it to you in the follow-up tutorial but for the time being you will also need one more you will need additional things so tcp dump is next tcp dump it works in a similar fashion as d shark command as wireshark's command line d-shark you just pass arguments to it and it can capture traffic filter it pipe it etc this will only need to be installed on a remote machine where the capture will be performed you will not need this on your destination machine as you will be using 
wireshark there i will show you how to install tcp dump as well but on linux machines tcp dump in all likelihood is installed like 90 chance and i am using tcp dump primarily because in 90 of cases it will be installed on linux machines this is for ease of use you can also use d-shark here but you're most of the time you're not sure and in all likelihood it will not be installed on the remote machine i have shown you how to install wire t-shark as well so that's not a big deal basically just install wireshark and it comes packaged with it but uh we will be using tcp dump on a remote machine and you won't you will not need to install it there of course as it will be installed but i will show the installation procedure just just just in case that it is not installed you will see the command for it is pretty simple there won't be any complications there next up uh you will need to be able to configure wireshark in order to capture traffic not on any of your interfaces rather instead we will need to create a named pipe for wireshark it is a file from which it will extract information and display it in the graphical user interface where you will be able to analyze it filter it and do pretty much whatever you want with that i will show you how to make that file pretty simple as well no no complex stuff there the biggest problem is establishing a establishing an ssh connection and making sure the data is encrypted and that there is a steady flow due to bandwidth and such things so we will need to pass some extra arguments to tcp dump in order to ensure that our data is streamed in a proper manner now we will also need to configure ssh just a bit on one end so on the source machine in tokyo that is where we will need to configure ssh to allow for root logins because keep in mind for all these operations you need to be either root or you need to have sudo or you need to your user needs to be in suitor's file so it can have root permissions in any case that would be it this 
was an introductory video to what we shall do here if you don't have the prerequisites you can try and get them on your own try to do it you sh as the installation procedures are the same with any other packet that we've installed thus far you can try doing it yourselves i would strongly advise that you do so and then in the next tutorial i will show you how you can actually do this so if you have so if you have had any problems with it you may refer to the tutorial and see okay this i didn't do this the right way or i didn't do that the right way and in such a way you will be able to learn better so i bid you farewell and i hope to see you in the next tutorial hello everybody and welcome to part two of the series here i will just continue from where i left off in the previous in in the previous tutorial the intro so first off the first thing that we need to do is actually install and configure ssh protocol on both machines what i will do here is simply use my default packet manager and type in yum search the packet name is open ssh so open ssh let me just go ahead and cancel all updates and there we go it's going to start searching for it if it finds it it's going to pop it i sincerely hope that i've written it in a proper manner as i'm notorious for my spelling errors however it is necessary for you to do this in order to find this package so you know where it is and what it actual so you know where it is and from where you can pull it and there we go i took it took it took it a while because i do need to do the updates at a certain point of time when i get around to it but it says open ssh.x86 underline 64. 
it says an open source implementation of ssh protocol version one and two so you have two versions of this ssh protocol and it is very important that you have compatible versions not only in terms of version one and two but also in terms of updates you need to keep it up to date or you need to keep it uh you need to keep it compatible with the ssh version on the other end because there are some uh patches of ssh which are not compatible with one another especially the really old ones are sometimes they're not compatible with the new ones this is this these pro these sort of problems are usually encountered when you're logging into your home router routers by ssh rarely anybody does that but if you do try it you will see that sometimes it says that it's just a mismatch version mismatch it cannot allow it cannot log in the protocols do not match anyway in order for you to install it you would just type in yum install and type in open oops not this one just open ssh dot x 86 underline 64. press enter and this will install it you can also pass an additional y command i have explained what this is in the previous tutorials just just to skip any sort of prompting of questions and this is going to fly you're going to be able to install ssh in such a way so there is no need to do any additional configuration on the destination computer and the destination machine however when we switch over to our virtual machine so i'll just go ahead i have several of them running here it's eating up my resources but oh well i do need them if i go ahead and go into my fedora 21 virtual machine as you can see i've already been tampering with the configuration here so i'm just going to go ahead clear the screen go back to my root directory clear it again and now the configuration file for ssh is located within so etsy ssh press enter ls and i don't want this out but just type in double l it's much better that way so you have i don't know moduli ssh host host that rca key all of that we're 
not really that interested in. Rather, what we want is this sshd_config; that is of great importance to us, and that is what we need to be dealing with now. So just go ahead and use your favorite editor. I would advise you to use terminal text editors, because they are able to run with root permissions; if you try to run anything else with root permissions, like gedit or something of the kind, it can be problematic, so just use the terminal one. If you don't want to use vi, I can understand you, it's kind of complicated, but nano is fairly simple and anybody can use it. So nano sshd_config, type it in, and you're going to be presented with this configuration file. You won't need to be doing any serious tampering here; you don't really need any programming knowledge to do this, it's fairly simple. These hashtags represent comments; they're commented-out lines. Basically, what a commented-out line means is that the system will completely ignore that line; it will not take it into consideration. By removing these hashes, the system will be able to interpret these commands and then act accordingly. So what we need, it says PermitRootLogin. Scroll down and go to where it says PermitRootLogin; it says yes by default, however it is commented out, and in all the SSH protocols on all Linux machines, wherever SSH is installed by default, permit root login will be disabled, either by having a different argument here or by just being commented out. So what you need to do is remove the comment, press Ctrl+O to save it, enter, and Ctrl+X to exit. It is necessary for us to log in as root, primarily because we won't be able to do anything if we're not root, especially with Wireshark. But we're not doing anything with Wireshark here on the remote machine; however, the same permissions apply for tcpdump, which, as I've explained, works in a very similar fashion to tshark. So the next thing you need to do after you have changed the
configuration, you need to restart the service, or if it's not running, you need to start it. So type in service sshd restart; sorry, let me just correct my command here, there, sshd restart, and there we go. If you get this output, it means that everything has gone fine and that the service has been started. In case your service was not started prior to this, in case it was not running, you can just type in service sshd start. The service command supports several arguments, so you have start, stop, and restart is not listed here, but you can also write restart and it will recognize it, no problem. Excellent. Now that we have our SSH protocol configured on the remote machine as well, the next thing that we need to make sure of is that you install tcpdump. On this machine it is already installed, but here's how you would do it. So basically you type in yum search tcpdump, press enter, and you should be able to find it here; it's going to be listed pretty soon. There we go, you have this package here which fits our description, so it says tcpdump.x86_64; the description is network traffic monitoring tool, pretty much the same as tshark. Anyway, in order to install it you type in yum, as pretty much with any other package, sorry, install, and type in the name of the package here. So let me just go ahead and copy it so I wouldn't make any mistakes, paste, nope, okay, so tcpdump.x86_64.
It doesn't want to copy-paste for some strange reason in this virtual machine; it doesn't matter. This is the command that you would use in order to install tcpdump: press enter and it's going to run the install, and that's it. So this is all the necessary configuration that you need to do on your remote machine; you don't actually need to do anything else from this point on. You can just close it, sit back and relax, and go back into the machine that you want to save the output to, and from this point on we will only be working on the destination machine. There we will need to create a pipe, and we don't need to do any more SSH configuration there. In any case, thanks for watching, I hope that you've enjoyed this tutorial and I hope to see you in the next one.

Hello everybody and welcome to this tutorial. Today I am going to show you how to make a pipe, a named pipe file, for Wireshark and how you can invoke an SSH command in order to begin your capture. Now here's what you need to do. First you must make that named file, the named pipe that I've talked about, and in order to make it you cannot just type mkdir or create it with a touch command; it is not an ordinary text file, it is a pipe file. In order for you to make it you will need to use a special command, but before we do so I'm going to go ahead and list the contents of my /tmp folder. You can see it's marked with yellow; it says packet_capture, that is my pipe file. Let me just remove it for you, there we go, yes, clear, and now I'm going to make it. So in case you don't know the command: in order to make pretty much any file under Linux/Unix-type operating systems you use mk, and there are various things that you can do with this. Let me just show you: press tab twice and you can see how many options mk has, and I'm just stating this because I want to reassure you that you do not need to memorize all of these commands. You just need to know a bit of the basics and have a general idea, and from there just use tab and the help menu; that's pretty
much how we all learn. So what I do need is f, which will be my next argument, and you can see that it immediately narrows down to a smaller number of combinations. What I need is mkfifo; that is the command in order to make a pipe file. Since I already am in my /tmp folder, I'm not going to specify a folder in which to make it, because it's going to make it by default in the one that you already are in; but in case you're not, you just type in /tmp and then you would write the name of the file. Here I'm just going to go ahead and write the name of the file; it's going to be packet_capture, sure, there we go. Now that I have made it: I have tested this out before and I realized that you do need to change the permissions on this file in order to write into it from a remote system. Now I do not want to allow root login from other places to my original system, so I'm just going to go ahead, and this can be very dangerous, so chmod 777; I'm going to assign global mode to this particular pipe. Depending on the situation, and depending on the source machine from which the packets are coming, you should go online and check proper permissions and suggestions for permissions depending on various situations; you can have a good amount of them, and you will be able to adapt to situations. However, since I'm running this in a lab and my other machine is my own virtual machine that I have just installed, there is no reason why I shouldn't give it 777, I mean the global mode, primarily because I own both machines and I'm the only person that's going to use both of them, and I know exactly what sort of files I am going to stream from one to the other. So for me it is safe now to issue global mode 777; however, for you it probably won't be if you're doing this over the internet, so just go ahead and check on the net which file modes or permissions to use, depending on various
situations, because there are a good amount of them. But this is how you do it: you just type in chmod, assign a mode with numbers, and then specify a file to which you are assigning this mode. You don't need to call it mode; you can just call it permissions, or basically there are permissions: read, write and execute permissions. Anyway, now that that file has been created, now that we have the pipe and the permissions for it have changed, let me just go ahead and clear the screen. Now there is a bit of a longer command that I have prepared here for you, and this is the command that you will issue on a remote system somewhere. Now you can log into it first via SSH and then issue it, or in my case, where I have two virtual machines set up, you can just go ahead and click on your virtual machine and issue it there; it's very simple. So you have tcpdump and then you have parameters that are passed to tcpdump. You see this eth0; that's a bit of a mistake, I have done this on my Ubuntu machine, so there it's called eth0, but on the Fedora machine from which I'm going to perform a capture this will be called something else; we will see when we actually get into it. -i, interface, since tcpdump has very similar arguments to tshark, so just type in -i for interface and specify the interface; -w for write, and space dash (-w -) to write to standard output. Then we have a pipe; I have shown in previous tutorials what a pipe is. Next to the pipe we type in a space and then ssh; the ssh command invokes the SSH protocol, and then you need to tell it where you want to connect and who you want to be on the remote system. So this username here, okay, I'm just gonna delete mine, just for simplicity's sake, so that you would be able to see it better: username. So you would just type in the username here, and this is not who you are on your current system; this is who you want to be on the
remote system somewhere. Then you have an @ sign and type in the IP address or the hostname of the remote system; 90% of the time it's going to be an IP address, as it is unlikely that somebody is going to have a domain name on their personal PC or anything of the kind. Next up there is -c; -c means you're specifying the ciphers to be used for SSH. We have arcfour, that's a cipher, and we have blowfish-cbc, a cipher or a method of encryption, let's just put it that way; so that's what they are. Right next to it you have -C, which means you're basically telling SSH to compress all information that is to be transmitted; a very nice argument there. And afterwards you have -p for port; you would specify a port here, mine is 22, but I don't know, SSH could be configured to run on so many ports out there. Basically you could type in something like this, I don't know, you get the idea; you see ten thousand, is this ten thousand, yep, this is on port ten thousand, basically, if you configure your SSH to run over it, of course. But there is no need to do that now. Some people advise it for security reasons, so that people couldn't figure out on which port you're running SSH, but I mean it doesn't matter, a full port scan of the system will reveal this anyway, so just use the default one, port 22. Open up the quotation marks and now you're going to be passing the command for what to write the tcpdump output into, into a file. So we have cat; cat is basically concatenating, just basically taking something, whether it's from the standard output or it's from a file or something like that, just taking the text or the information within the file, then putting it to standard output and from there outputting it to a file that you have specified. So I have specified mine to be /tmp/packet_capture. Yeah, I hate it when the terminal does this, when it splits the letters like this; it kind of makes it
inconvenient to see, but you get the idea. I know where it is precisely, so I can just type it in. Anyway, close the quotation marks and this will effectively gather network-related information on one system, pipe it to SSH, and then SSH will encrypt it and transmit it to your desired destination. So now that we have that done, let me just close that, open up my Fedora 21 virtual machine, and you can see I already have the setup made here: my IP address is this, 192.168.13., my username is here, the cipher is listed, we have the compression, the port, the cat command, and tcpdump is set up and running. So if I press enter here, I will be prompted for a password, and you do need to type the password in; if you don't have the password, this is not gonna work, I assure you of that. So yep, there we go, press enter, and sure enough the capture will start at the moment. Now that the capture has started, in the next tutorial I will open up Wireshark, and there within Wireshark we will see how you can actually extract information from the pipe and how you can have it displayed in real time, pretty much. In any case, I thank you for watching and I hope that you've enjoyed the tutorial.

Hello everybody and welcome to this tutorial. Today I will actually open up Wireshark and show you how you can conduct a live capture from a file. Thus far we have been using interfaces to perform live captures and to read from files afterwards; however, this time we will actually be performing a live capture from a file itself. This file is of type pipe, and we have created it in the previous tutorial; it is still here, it hasn't gone anywhere. So the first thing that we will need to do here is start up Wireshark, so just type in wireshark as root; it's going to go ahead and start it. And go over to your virtual machine; mine is Fedora 20, yours can be pretty much
anything you want, it doesn't really matter. And I have a prepared command here for you that I'm going to use. If this command isn't too clear to you now, I have explained it in great detail in my previous tutorial, so you can just go back one video and you will be able to see what each segment does here: what tcpdump is, what ssh is, and what all of these arguments mean and do. Press enter here; you can see it says tcpdump listening on the specified interface and it's prompting me for a password, so I'm just going to go ahead and type it in, press enter, and even though it seems like nothing is happening, believe me, it is; it's just that the standard output is being redirected to a pipe file elsewhere, namely on the destination machine. And in Wireshark what you need to do is go ahead and click on Capture, Interfaces; here you have a list of those interfaces, but they are of no use to us at the time. You go ahead and click on Options, and in the right corner it says Manage Interfaces. I have mentioned this briefly at the very beginning of this tutorial series, but we really haven't had the chance to use this option; now we do. So just go ahead and click on Manage Interfaces; you have two types of management, you have Pipes and you have Local Interfaces. So just go ahead and click on Pipes, New, Browse, and go ahead and navigate to where you have created your pipe file; mine is in /tmp, and I would advise that yours be as well. Click on it, just double-click on it, and there we go, /tmp/packet_capture; press Save, you need to save it, otherwise this is not going to work. Close, and up here, where I'm scrolling at the moment, down at the bottom you will have it listed; it's going to be /tmp/packet_capture and it's going to be marked as well. So just go ahead and start the capture, and you can see that there's data streaming here. Pretty much this data, the one that you're looking at now, this is all our
SSH-encrypted traffic, and it is really not of that much use to us. We could decrypt it, of course, because we have the encryption keys; I have shown you how to do this with wireless encryption, and it's a similar process with this as well. But for the sake of this tutorial I'm going to go ahead and eliminate these SSH packets, as that is our own traffic and we do not want to be looking at that. Usually I would apply a filter to the tcpdump command; however, I did not, as I wanted the traffic to begin streaming immediately so that you may see that it works, so that you would get a bit more verbose output, so to say. I'm just going to go ahead, and I want the ping to be filtered out: icmp, that's ping, that's the protocol for pings. Now all the packets are gone; there's a ton of them down here, you can see at the bottom, however none are displayed because I do not have any ICMP packets. But here I'm just going to go over to my Fedora machine and I'm going to generate a few of them, so just type in ping, and you can ping whoever you want; I'm just going to go ahead and type yahoo.com, press enter, and I have pings going over. It's going to take a while for them to be received by Wireshark, as we are going through a pipe and there is always a delay; so you can see the delay is quite significant, they're coming in one after another. My ping has stopped here, but here you can see that I have indeed pinged yahoo.com; you can see the destination IP address is here, and there you go, the second one is coming in, and it's going to take a while for all of them to pass through, and we'll stop the ping here. It seems that Yahoo has stopped me before I managed to do that, but look at this: I have transmitted 36 packets and I have only received 10 of them back, which means I have a 72 percent packet loss. Don't know why; I wonder, if I ping google.com, what will happen. Doing google.com, and these packets seem to be passing without any problems; let's see if they will reach the same amount as
the Yahoo ones. Yup, they're definitely going through. I don't know, maybe there's a connection problem there or something like that on the server side, or maybe it's not even a connection problem, maybe it's just a firewall rule that starts blocking after a certain amount of pings have passed. I'm just going to go ahead and cancel this; it's going to take a while for all of them to be listed here, but that is not really important to us. I'm just going to go ahead and stop this capture process because the file size is becoming ridiculous; I have way too many packets here. And you can see that I have indeed captured traffic from a remote machine onto my own. Now I have done this between one virtual machine and one physical machine, which are inland, basically one is within the other, but it doesn't matter; the other one could have been, as I said in the beginning of the series, in Tokyo and the other one in Berlin, and you would have pretty much the same thing happening, although you would have a pretty big delay there; Wireshark would be pretty slow to receive those packets. It's not Wireshark's fault, it's basically bandwidth; if you had fiber optics or something like that, that would go much faster, but you get the general idea of how you can do this. The process can be replicated to go over the internet; there are no changes that you need to make whatsoever, except if a computer is behind a router, then the routers need to be configured to allow this traffic to pass through. Anyway, this concludes this series; I hope that you have enjoyed it, and this concludes the tutorial, the course as well. If you have any questions or something of the kind, I will be on Udemy and there I will be answering them. In any case, I hope
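The remote-capture pipeline the tutorials above walk through (mkfifo on the Wireshark host, then tcpdump on the captured machine piped through ssh into that pipe), as an added shell example that is not part of the course; the account capuser, the address 192.0.2.10, the interface eth0 and the path /tmp/packet_capture are placeholders. It keeps the pipe owner-only instead of chmod 777, relies on an unprivileged login on the Wireshark side rather than PermitRootLogin, adds -U so tcpdump flushes every packet (the lag seen in the video), filters the tunnel's own SSH traffic out at capture time, and leaves the cipher list at the OpenSSH defaults, since arcfour and blowfish-cbc are no longer shipped by current OpenSSH releases.

```shell
#!/bin/sh
# Added example, not code from the course. Placeholders: capuser (an
# unprivileged account on the Wireshark host), 192.0.2.10 (its address),
# eth0 (interface on the machine being captured), /tmp/packet_capture.

# Create the named pipe Wireshark reads via Capture > Options >
# Manage Interfaces > Pipes. Owner-only (600) instead of 777: only the
# account that ssh logs in as needs to write into it.
make_capture_fifo() {
    fifo="$1"
    rm -f "$fifo"
    mkfifo "$fifo" && chmod 600 "$fifo" || return 1
    [ -p "$fifo" ]
}

# Permission string of the pipe, e.g. prw-------, for a quick check.
fifo_mode() {
    ls -ld "$1" | cut -c1-10
}

# Build the command line to run on the machine whose traffic is captured.
# tcpdump needs root (or CAP_NET_RAW) there; the ssh login on the
# Wireshark side does not. -w - writes pcap to stdout, -U flushes per
# packet so the live view does not lag, the capture filter drops only
# the tunnel's own SSH session, and ssh -C compresses the stream.
build_remote_command() {
    iface="$1"; user="$2"; host="$3"; port="$4"; fifo="$5"
    printf "tcpdump -i %s -U -w - 'not (host %s and tcp port %s)' | ssh -C -p %s %s@%s \"cat > %s\"\n" \
        "$iface" "$host" "$port" "$port" "$user" "$host" "$fifo"
}

# Example run: creates the pipe and prints the command to paste on the
# captured machine (it prints rather than executes, so it is safe to try).
#   make_capture_fifo /tmp/packet_capture
#   build_remote_command eth0 capuser 192.0.2.10 22 /tmp/packet_capture
```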
Info
Channel: Scott D. Clary - Success Story Podcast
Views: 20,547
Keywords: wireshark, wireshark tutorial, how to, tutorial, network security, tcp, networking, how to use wireshark, packets, ip, http, cyber security, hacking, packet analyzer, network, technology, wireshark tutorial 2020, wireshark filters, tcp/ip, ccna, hack, hacker, hacks, hackers, how to hack, cyber, it, tech, networking tutorial for beginners, free wireshark tutorial, network scanner, software, security, computer security (software genre), ethical hacking, wireshark tutorial for beginners
Id: zOYohNOnWp4
Length: 296min 17sec (17777 seconds)
Published: Sat Feb 20 2021