1
00:00:00,810 --> 00:00:08,670
Wireshark is free, open source and the world's foremost network packet analyzer, and it is the de

2
00:00:08,670 --> 00:00:11,820
facto standard across system and network administrators.

3
00:00:12,760 --> 00:00:18,520
Wireshark has the ability to listen and record traffic, as well as advanced filtering and reviewing

4
00:00:18,520 --> 00:00:19,030
options.

5
00:00:19,330 --> 00:00:25,000
We're not going to do a deep dive into Wireshark right now, since that's the subject of network layer

6
00:00:25,000 --> 00:00:25,510
attacks.

7
00:00:26,440 --> 00:00:31,630
So here, let's see a summary of the traffic and the systems related to the interfaces

8
00:00:31,630 --> 00:00:32,140
we listen to.

9
00:00:34,500 --> 00:00:41,610
Let's go to Kali and start Wireshark. You can start Wireshark from the applications menu or open

10
00:00:41,610 --> 00:00:44,750
a terminal window and type wireshark to start the app.

11
00:00:45,680 --> 00:00:50,310
Don't worry about the ampersand at the end of the command. Putting an ampersand at the end of a command

12
00:00:50,310 --> 00:00:52,620
tells the shell to run the process in the background.

13
00:00:53,010 --> 00:00:54,480
It's sort of multitasking.

14
00:00:55,410 --> 00:00:59,940
You can have many processes running, but only one in the foreground at any given point.

15
00:01:00,480 --> 00:01:06,150
The process in the foreground is the process that appears to have locked up the terminal. Whatever

16
00:01:07,440 --> 00:01:11,160
the first message is, because we are a superuser on Kali,

17
00:01:11,790 --> 00:01:12,510
no worries.

18
00:01:13,070 --> 00:01:18,630
OK, the welcome page of Wireshark asks which interface we would like to listen to first.

19
00:01:19,850 --> 00:01:21,920
So let's have a look at the interfaces of our system.

20
00:01:23,350 --> 00:01:30,010
To look at the interfaces and to remember the IP address of Kali, open a terminal and type ifconfig.

21
00:01:31,240 --> 00:01:36,700
There are two results of the ifconfig command, eth0 and lo.

22
00:01:37,770 --> 00:01:44,430
eth0 is the first Ethernet interface. Additional Ethernet interfaces would be named eth1,

23
00:01:44,760 --> 00:01:45,920
eth2, et cetera.

24
00:01:46,750 --> 00:01:48,180
Here we have only one.

25
00:01:49,150 --> 00:01:51,740
Now, lo is the loopback interface.

26
00:01:52,120 --> 00:01:56,760
This is a special network interface that the system uses to communicate with itself.

27
00:01:57,750 --> 00:02:04,620
eth0 is the interface that we're interested in at the moment. Double-click to open eth0 on the main

28
00:02:04,620 --> 00:02:09,670
page of Wireshark to start capturing the packets passing through our Ethernet interface.

29
00:02:10,200 --> 00:02:16,320
Now, to speed it up, let's create some network traffic. Open one of my virtual machines, OWASP

30
00:02:16,320 --> 00:02:18,330
BWA, and ping Kali.

31
00:02:21,720 --> 00:02:28,950
To stop ping, press Control-C. ifconfig to learn the IP address of the machine.

32
00:02:30,270 --> 00:02:34,380
Now I go to another VM and ping the OWASP VM first.

33
00:02:43,000 --> 00:02:44,530
And then ping Kali.

34
00:02:53,310 --> 00:02:56,660
Here we have a lot of ICMP and ARP traffic at the moment.

35
00:03:01,280 --> 00:03:02,670
So let's generate some traffic.

36
00:03:02,930 --> 00:03:07,970
I open the browser in Kali and visit the website served by the OWASP BWA machine.

37
00:03:18,410 --> 00:03:24,500
And for even more traffic, I visit nhs.uk, my favorite website.

38
00:03:25,770 --> 00:03:26,800
OK, that's enough.

39
00:03:27,000 --> 00:03:28,400
Let's turn back to Wireshark.

40
00:03:29,290 --> 00:03:36,420
As you see, we have a lot of packets captured and new packets arrive every second: ARP packets,

41
00:03:36,570 --> 00:03:41,510
TCP packets, TLS packets for HTTPS traffic, et cetera.

42
00:03:42,180 --> 00:03:44,770
Here we don't investigate the packets in detail.

43
00:03:45,300 --> 00:03:52,320
We want to learn about the systems which are interacting with us, so go to the Statistics menu and select

44
00:03:52,320 --> 00:03:53,250
Conversations.

45
00:03:53,880 --> 00:04:00,410
There are five tabs in the Conversations window by default, and we're on the IPv4 tab at the moment.

46
00:04:00,990 --> 00:04:05,430
Here there are IP packets grouped by Address A and Address B.

47
00:04:06,090 --> 00:04:16,140
In each line we see how many packets have been sent up to now, the total size of the packets in bytes, and the number and size

48
00:04:16,140 --> 00:04:20,010
of packets from A to B and from B to A, et cetera.

49
00:04:21,370 --> 00:04:25,150
There is traffic between 8.8.8.8 and my Kali.

50
00:04:26,120 --> 00:04:32,750
Now, I know that 8.8.8.8 is the IP address of Google DNS, so I must have set

51
00:04:32,750 --> 00:04:35,290
the Google DNS as the DNS of my Kali.

52
00:04:35,480 --> 00:04:37,520
Now, let me look at the network config.

53
00:04:43,000 --> 00:04:47,830
And yes, my DNS address is 8.8.8.8.

54
00:04:51,640 --> 00:04:55,200
In the Ethernet tab, we can see the MAC addresses of the systems.

55
00:04:56,160 --> 00:05:02,850
The address full of F's means that the packet is broadcast. ARP requests are examples

56
00:05:02,850 --> 00:05:03,990
of this kind of packet.

57
00:05:04,950 --> 00:05:12,380
In the TCP tab, we can see TCP packets grouped by the addresses, and this time by ports as well,

58
00:05:13,610 --> 00:05:19,820
because a system may have different interactions with any other system. For example, Kali may have

59
00:05:19,820 --> 00:05:27,110
HTTP traffic through port 80 and at the same time it may have an SSH connection through port 22 as

60
00:05:27,110 --> 00:05:27,440
well.

61
00:05:29,060 --> 00:05:34,730
Same as TCP, UDP packets are grouped by IPs and ports in the UDP tab.

62
00:05:36,310 --> 00:05:41,620
Here we have learned a lot of live systems, IP addresses and MAC addresses, just by listening to the

63
00:05:41,620 --> 00:05:43,570
traffic going through our network interface.

64
00:05:44,620 --> 00:05:50,830
If you'd like to investigate the traffic between two machines, select the line, right-click, and

65
00:05:50,830 --> 00:05:52,830
choose Apply as Filter from the menu.

66
00:05:53,830 --> 00:05:57,180
Only these kinds of packets will be seen in Wireshark.

67
00:05:58,480 --> 00:06:00,460
I'll choose Find this time.

68
00:06:01,300 --> 00:06:04,390
As you see, an automatic query string is prepared.

69
00:06:05,050 --> 00:06:08,560
I can navigate between the packets by clicking the Find button.

70
00:06:12,570 --> 00:06:19,230
Go back to the Conversations window. At the bottom right, there is a Conversation Types button. When

71
00:06:19,230 --> 00:06:22,590
you click on it, a lot of different protocols are listed.

72
00:06:24,120 --> 00:06:31,410
These selected five are the default selected protocols. You can add any protocol from the list. When

73
00:06:31,410 --> 00:06:34,980
you select one of them, a new tab is added to the Conversations window.

