1
00:00:00,860 --> 00:00:09,140
Wireshark is free, open source, and the world's foremost network packet analyzer, and is the de facto

2
00:00:09,140 --> 00:00:11,840
standard across system and network administrators.

3
00:00:12,780 --> 00:00:18,540
Wireshark has the ability to listen and record traffic, as well as advanced filtering and reviewing

4
00:00:18,540 --> 00:00:19,060
options.

5
00:00:19,320 --> 00:00:25,050
We're not going to do a deep dive into Wireshark right now, since that's the subject of network layer

6
00:00:25,050 --> 00:00:25,530
attacks.

7
00:00:26,460 --> 00:00:31,650
So here, let's see a summary of the traffic and the systems related to the interfaces

8
00:00:31,650 --> 00:00:32,130
we listen to.

9
00:00:34,530 --> 00:00:41,640
Let's go to Kali and start Wireshark. You can start Wireshark from the applications menu or open

10
00:00:41,640 --> 00:00:44,680
a terminal window and type wireshark to start it.

11
00:00:45,670 --> 00:00:50,350
Don't worry about the ampersand at the end of the command. Putting an ampersand at the end of a command

12
00:00:50,350 --> 00:00:54,480
tells the shell to run the process in the background; it's sort of multitasking.

13
00:00:55,420 --> 00:00:59,980
You can have many processes running, but only one in the foreground at any given point.

14
00:01:00,510 --> 00:01:06,160
The process in the foreground is the process that appears to have locked up the terminal. Whatever

15
00:01:07,480 --> 00:01:11,170
the first message is, because we are a superuser on Kali,

16
00:01:11,830 --> 00:01:12,520
no worries.

17
00:01:13,110 --> 00:01:18,670
OK, the welcome page of Wireshark asks which interface we would like to listen to first.

18
00:01:19,870 --> 00:01:21,940
So let's have a look at the interfaces of our system.

19
00:01:23,380 --> 00:01:30,040
To look at the interfaces and to remember the IP address of Kali, open a terminal and type ifconfig.

20
00:01:31,280 --> 00:01:36,740
There are two results of the ifconfig command: eth0 and lo.

21
00:01:37,800 --> 00:01:44,460
eth0 is the first Ethernet interface; additional Ethernet interfaces would be named eth1,

22
00:01:44,790 --> 00:01:46,070
eth2, et cetera.

23
00:01:46,720 --> 00:01:48,180
Here we have only one.

24
00:01:49,170 --> 00:01:51,790
Now, lo is the loopback interface.

25
00:01:52,170 --> 00:01:56,780
This is a special network interface that the system uses to communicate with itself.

26
00:01:57,810 --> 00:02:04,650
eth0 is the interface that we're interested in at the moment. Double click eth0 on the main

27
00:02:04,650 --> 00:02:09,700
page of Wireshark to start capturing the packets passing through our Ethernet interface.

28
00:02:10,230 --> 00:02:16,380
Now, to speed it up, let's create some network traffic. Open one of my virtual machines, OWASP

29
00:02:16,380 --> 00:02:18,360
BWA, and ping Kali.

30
00:02:21,750 --> 00:02:28,980
To stop ping, press Ctrl+C. Type ifconfig to learn the IP address of the machine.

31
00:02:30,290 --> 00:02:34,400
Now I go to another VM, Metasploitable, and ping the OWASP BWA VM first.

32
00:02:43,030 --> 00:02:44,560
And then ping Kali.

33
00:02:53,330 --> 00:02:56,680
Here we have a lot of ICMP and ARP traffic at the moment.

34
00:03:01,310 --> 00:03:02,700
So let's generate some traffic.

35
00:03:02,960 --> 00:03:08,000
I open the browser in Kali and visit the website served by the OWASP machine.

36
00:03:18,440 --> 00:03:24,530
And for even more traffic, I visit nhs.uk, my favorite website.

37
00:03:25,820 --> 00:03:26,820
OK, that's enough.

38
00:03:27,020 --> 00:03:28,440
Let's turn back to Wireshark.

39
00:03:29,300 --> 00:03:36,440
As you see, we have a lot of packets captured and new packets arrive every second: ARP packets,

40
00:03:36,590 --> 00:03:41,530
TCP packets, TLS packets for HTTPS traffic, et cetera.

41
00:03:42,200 --> 00:03:44,760
Here we don't investigate the packets in detail.

42
00:03:45,350 --> 00:03:52,340
We want to learn about the systems which are interacting with us, so go to the Statistics menu and select

43
00:03:52,340 --> 00:03:53,280
Conversations.

44
00:03:53,900 --> 00:03:56,960
There are five tabs in the Conversations window by default.

45
00:03:57,900 --> 00:04:05,070
And we're on the IPv4 tab at the moment. Here, there are IP packets grouped by Address A and Address

46
00:04:05,070 --> 00:04:15,810
B. In each line we see how many packets were sent up to now, the total size of the packets in bytes, and the number and

47
00:04:15,810 --> 00:04:20,030
size of packets from A to B and from B to A, et cetera.

48
00:04:21,410 --> 00:04:25,190
There is traffic between 8.8.8.8 and my Kali.

49
00:04:26,150 --> 00:04:32,510
Now, I know that 8.8.8.8 is the IP address of Google DNS, so I must have

50
00:04:32,510 --> 00:04:35,320
set Google DNS as the DNS of my Kali.

51
00:04:35,510 --> 00:04:37,550
Now, I'd like to look at the network config.

52
00:04:43,030 --> 00:04:47,860
And yes, my DNS address is 8.8.8.8.

53
00:04:51,650 --> 00:04:55,230
In the Ethernet tab, we can see the MAC addresses of the systems.

54
00:04:56,190 --> 00:05:03,030
An address full of F's means that the packet is broadcast; ARP requests are the examples of

55
00:05:03,030 --> 00:05:04,020
this kind of packet.

56
00:05:04,980 --> 00:05:12,390
In the TCP tab, we can see TCP packets grouped by the addresses and this time by ports as well.

57
00:05:13,640 --> 00:05:19,820
Because a system may have different interactions with any other system; for example, Kali may have

58
00:05:19,830 --> 00:05:27,110
HTTP traffic through port 80 and at the same time it may have an SSH connection through port 22 as

59
00:05:27,110 --> 00:05:27,470
well.

60
00:05:29,060 --> 00:05:34,760
The same as TCP packets, UDP packets are grouped by IPs and ports in the UDP tab.

61
00:05:36,310 --> 00:05:41,650
Here we have learned a lot of live systems, IP addresses and MAC addresses, just by listening to the

62
00:05:41,650 --> 00:05:43,600
traffic going through our network interface.

63
00:05:44,650 --> 00:05:50,830
If you'd like to investigate the traffic between two machines, select the line, right click, and

64
00:05:50,830 --> 00:05:52,860
choose Apply as Filter from the menu.

65
00:05:53,860 --> 00:05:57,180
Only these kinds of packets will be seen in Wireshark.

66
00:05:58,510 --> 00:06:00,460
I'll choose Find this time.

67
00:06:01,330 --> 00:06:04,420
As you see, an automatic query string is prepared.

68
00:06:05,080 --> 00:06:08,620
I can navigate between the packets by clicking the Find button.

69
00:06:12,600 --> 00:06:19,260
Go back to the Conversations window. At the bottom right, there is a Conversation Types button; when

70
00:06:19,260 --> 00:06:22,620
you click on it, a lot of different protocols are listed.

71
00:06:24,120 --> 00:06:31,440
These selected five are the default selected protocols. You can add any protocol from the list; when

72
00:06:31,440 --> 00:06:35,010
you select one of them, a new tab is added to the Conversations window.

