﻿1
00:00:00,750 --> 00:00:07,710
So in typical traffic capturing on a network interface, there are a lot of packets received from and

2
00:00:07,710 --> 00:00:11,980
delivered to all over the network and, well, the Internet as well.

3
00:00:12,690 --> 00:00:17,010
So let's see how we can take a picture of that network.

4
00:00:18,610 --> 00:00:25,720
Let's go to Kali and start Wireshark. You can start Wireshark from the applications menu or open

5
00:00:25,720 --> 00:00:28,890
a terminal window and type wireshark to start the app.

6
00:00:29,790 --> 00:00:34,430
Don't worry about the ampersand at the end of the command. Putting an ampersand at the end of a command

7
00:00:34,430 --> 00:00:36,730
tells the shell to run the process in the background.

8
00:00:37,120 --> 00:00:38,590
It's sort of multitasking.

9
00:00:39,500 --> 00:00:44,080
You can have many processes running, but only one in the foreground at any given point.

10
00:00:44,600 --> 00:00:50,260
The process in the foreground is the process that appears to have locked up the terminal. Whatever

11
00:00:51,550 --> 00:00:54,880
the first message is, it's because we are running as superuser.

12
00:00:55,900 --> 00:00:56,620
No worries.

13
00:00:57,190 --> 00:01:02,740
OK, the welcome page of Wireshark asks which interface we would like to listen to first.

14
00:01:03,950 --> 00:01:06,020
So let's have a look at the interfaces of our system.

15
00:01:07,470 --> 00:01:14,130
To look at the interfaces and to remember the IP address of Kali, open a terminal and type ifconfig.

16
00:01:15,340 --> 00:01:20,800
There are two results from the ifconfig command: eth0 and lo.

17
00:01:21,880 --> 00:01:29,440
eth0 is the first Ethernet interface; additional Ethernet interfaces would be named eth1, eth2,

18
00:01:29,470 --> 00:01:32,290
etc. Here we have only one.

19
00:01:33,280 --> 00:01:35,870
Now, lo is the loopback interface.

20
00:01:36,250 --> 00:01:40,890
This is a special network interface that the system uses to communicate with itself.

21
00:01:41,870 --> 00:01:48,740
eth0 is the interface that we're interested in at the moment. Double click eth0 on the main

22
00:01:48,740 --> 00:01:53,790
page of Wireshark to start capturing the packets passing through our Ethernet interface.

23
00:01:54,320 --> 00:02:00,440
Now, to speed it up, let's create some network traffic. Open one of my virtual machines, OWASP

24
00:02:00,440 --> 00:02:02,450
BWA, and ping Kali.

25
00:02:05,830 --> 00:02:13,060
To stop ping, press Control-C. Type ifconfig to learn the IP address of the machine.

26
00:02:14,380 --> 00:02:18,460
Now I go to another VM and ping the OWASP BWA VM first.

27
00:02:27,110 --> 00:02:28,670
And then ping Kali.

28
00:02:37,420 --> 00:02:40,770
Here we have a lot of ICMP and ARP traffic at the moment.

29
00:02:45,390 --> 00:02:46,780
So let's generate some traffic.

30
00:02:47,040 --> 00:02:52,080
I open the browser in Kali and visit the website served by the OWASP BWA machine.

31
00:03:02,520 --> 00:03:08,610
And for even more traffic, I visit nhs.uk, my favorite website.

32
00:03:09,890 --> 00:03:10,920
OK, that's enough.

33
00:03:11,120 --> 00:03:12,520
Let's turn back to Wireshark.

34
00:03:13,440 --> 00:03:20,540
As you see, we have a lot of packets captured and new packets arrive every second: ARP packets,

35
00:03:20,660 --> 00:03:28,860
TCP packets, TLS packets for HTTPS traffic, etc. Here we don't investigate the packets in detail.

36
00:03:29,420 --> 00:03:36,440
We want to learn about the systems which are interacting with us, so go to the Statistics menu and select

37
00:03:36,440 --> 00:03:37,360
Conversations.

38
00:03:37,970 --> 00:03:41,060
There are five tabs in the Conversations window by default.

39
00:03:41,990 --> 00:03:49,160
And we're on the IPv4 tab at the moment. Here, IP packets are grouped by Address A and Address

40
00:03:49,160 --> 00:03:59,900
B. In each line we see how many packets have been sent up to now, the total size of the packets in bytes, and the number and

41
00:03:59,900 --> 00:04:04,100
size of packets from A to B and from B to A, et cetera.

42
00:04:05,480 --> 00:04:09,260
There is traffic between 8.8.8.8 and my Kali.

43
00:04:10,230 --> 00:04:16,590
Now, I know that 8.8.8.8 is the IP address of Google DNS, so I must have

44
00:04:16,590 --> 00:04:19,400
set the Google DNS as the DNS of my Kali.

45
00:04:19,590 --> 00:04:21,630
Now, I'd like to look at the network config.

46
00:04:27,120 --> 00:04:31,950
And yes, my DNS address is 8.8.8.8.

47
00:04:35,730 --> 00:04:39,310
In the Ethernet tab, we can see the MAC addresses of the systems.

48
00:04:40,270 --> 00:04:47,110
The address full of F's means that the packet is broadcast; ARP requests are the examples of

49
00:04:47,110 --> 00:04:55,210
these kinds of packets. In the TCP tab, we can see TCP packets grouped by the addresses and this time

50
00:04:55,210 --> 00:04:56,490
by ports as well.

51
00:04:57,720 --> 00:05:03,930
Because a system may have different interactions with any other system. For example, Kali may have

52
00:05:03,930 --> 00:05:11,220
HTTP traffic through port 80 and at the same time it may have an SSH connection through port 22 as

53
00:05:11,220 --> 00:05:11,550
well.

54
00:05:13,170 --> 00:05:18,840
Same as TCP, packets are grouped by IPs and ports in the UDP tab.

55
00:05:20,390 --> 00:05:25,730
Here we have learned a lot of live systems, IP addresses and MAC addresses, just by listening to the

56
00:05:25,730 --> 00:05:27,680
traffic going through our network interface.

57
00:05:28,730 --> 00:05:35,300
If you'd like to investigate the traffic between two machines, select a line, right click, and choose

58
00:05:35,300 --> 00:05:36,940
Apply as Filter from the menu.

59
00:05:37,940 --> 00:05:41,270
Only these kinds of packets will then be seen in Wireshark.

60
00:05:42,600 --> 00:05:44,570
I'll choose Find this time.

61
00:05:45,410 --> 00:05:48,500
As you see, an automatic query string is prepared.

62
00:05:49,160 --> 00:05:52,700
I can navigate between the packets by clicking the Find button.

63
00:05:56,680 --> 00:06:03,340
Go back to the Conversations window. At the bottom right, there is a Conversation Types button. When

64
00:06:03,340 --> 00:06:06,700
you click on it, a lot of different protocols are listed.

65
00:06:08,230 --> 00:06:15,520
These selected five are the default selected protocols. You can add any protocol from the list; when

66
00:06:15,520 --> 00:06:19,090
you select one of them, a new tab is added to the Conversations window.

