Wireshark Crash Course | Kyle Slosek | Skillshare

Lessons in This Class

20 Lessons (1h 54m)
  • 1. Instructor Introduction (2:15)
  • 2. What is Wireshark (4:33)
  • 3. The OSI Model (5:45)
  • 4. Install Wireshark on Windows (3:47)
  • 5. Install Wireshark on Mac (2:45)
  • 6. Install Wireshark on Linux (2:33)
  • 7. Where to Place Wireshark (9:15)
  • 8. Your First Capture (6:30)
  • 9. Capture Filters (7:13)
  • 10. Working with the Wireshark Interface (9:04)
  • 11. Display Filters (11:27)
  • 12. Follow Network Conversations (4:25)
  • 13. Exporting Objects (4:22)
  • 14. Carve Packet Streams (4:20)
  • 15. Tshark field extraction (8:26)
  • 16. Find Malicious IPs (7:36)
  • 17. TCPDUMP Introduction (3:19)
  • 18. First TCPDUMP Capture (8:05)
  • 19. TCPDUMP Filters (4:53)
  • 20. TCPDUMP for Carving (3:34)

621 students

About This Class

Wireshark is the most widely used network capture and protocol analyzer on the market. It is used by IT and Network administrators to troubleshoot network connectivity issues and by Network Security analysts to dissect network attacks. This free and open source application is so widely used in the industry because it works. It is cross-platform, meaning that it runs on Windows, Mac, Linux, and FreeBSD.

This course is an introduction to the application and goes over the basics to get you started capturing and analyzing network traffic. It will build your base by explaining the theory behind how networks work and then get you into real-world applications of the software.

In this course you will learn:

  • The basics of how networks operate
  • How to capture traffic on Wireshark
  • How to use display and capture filters
  • How to use command line Wireshark to work with large packet captures

Meet Your Teacher


Kyle Slosek

IT Security Ninja - CISSP, GCIH, GPEN


Kyle Slosek is a security practitioner with several years of experience in enterprise Information Technology environments. Kyle works for a large IT company based in the D.C. Metro Area and has performed everything from certification and accreditation to penetration testing and forensics. He holds a Bachelor of Science in Information Technology, a Master of Science in Information Assurance, as well as several industry certifications.

Kyle's interest in computers started at a young age. When he was young, he was fascinated with the family computer and proceeded to build his own with used parts he found lying around or purchased on eBay (ironically, it was named Alexa... long before Amazon's). He was fir...


Transcripts

1. Instructor Introduction: Thank you for taking my course on Wireshark network analysis. This course will help you learn how to use Wireshark, an open source tool to capture and analyze network traffic. This course will cover the basics of Wireshark. We'll go over how Wireshark works, how to install the software and how to capture network traffic, and finally how to use Wireshark's powerful analysis tools. The course was originally designed for IT professionals looking to use Wireshark to monitor their networks, as well as security professionals who want to use Wireshark to find malware and APT actors. This course will include labs, so you'll need a computer with a modern operating system such as Windows 7, Mac OS X or Linux, and the computer should have a wired network card. The computer should have at least two gigs of RAM and roughly five gigs of free hard drive space, and you'll need to download Wireshark from wireshark.org. So let me give you a quick introduction about me. I'm Kyle Slosek and I'll be your instructor for this course. I have a little more than five years of experience in the IT and security fields. I've done everything from basic desktop and server support to certification and accreditation to pen testing and incident response. I got into the security field when I was in high school: I was hosting a web server from my room on some old hardware, and a hacker was able to get in and replace my home page. From that moment on, I wanted to learn everything there was about how hackers break into systems. I'm currently working for a large IT firm in the Washington D.C. area, doing some security work. I have a bachelor's degree in information technology with a focus in information security and a master of science in information assurance and cybersecurity. I hold several industry standard certifications, including EC-Council's Certified Ethical Hacker. Now that you know a little bit about me and the course, let's jump right into Wireshark.

2. What is Wireshark: So in this lecture we'll discuss what Wireshark is. First and foremost, Wireshark is a network protocol analyzer. Now, what does that mean? A network protocol analyzer takes the ones and zeros that travel across the wire and deciphers what those seemingly random numbers mean. As an example, Wireshark can take data that crosses the wire for a simple HTTP transaction and tell you which parts of the packet are the source and destination IP address or the HTTP status code. Wireshark currently can decipher hundreds of protocols, and more are being added all the time. This will make a little more sense as we get into using Wireshark to analyze network traffic. The other beauty of Wireshark is that it runs on multiple operating systems. It currently has ports for Windows, Linux, Mac and FreeBSD. It also has a graphical user interface, which is important for many people, as well as a command line version that can be used in scripting languages such as Bash. So in 1998 a computer science graduate at the University of Missouri-Kansas City named Gerald Combs released a program called Ethereal. It was the first of its kind network analysis tool. Mr. Combs released the application under the GNU GPL license, which means that the software is free to use for private and commercial applications. Now, due to some trademark issues, Combs had to rebrand Ethereal as Wireshark in 2006. Wireshark is used by IT professionals for many different tasks, but the most common are network troubleshooting, system administration and security administration. Network engineers will often run Wireshark to determine if routing on a local area network is happening properly and efficiently. System administrators will use Wireshark to ensure that their servers are properly communicating with each other and determine if the network is down. And finally, security administrators use it to identify malicious traffic, such as that from APT actors. The beauty of Wireshark for this application is that it can do live analysis as well as analysis in a forensics capacity, by looking at packet captures that have been taken previously or by other applications or hardware. So this may or may not be your first time looking at the Wireshark interface, but as you can see, the Wireshark GUI is broken into three distinct sections. The first section, highlighted in red, shows the individual packets that were captured. By default, in this pane you see packet number, time, source IP address, destination IP address, protocol and a short blurb about what the payload of the packet actually is. Now, these fields can be changed to fit your individual preferences. The blue pane shows the detailed view of the highlighted packet. This is the protocol analyzer at work, as it dissects the packet into smaller pieces such as the data link or the network layer information. If you were to hit the plus sign next to any of those fields, it would expand to show additional information, and we'll work heavily in the detail pane in future lectures. Finally, the green pane is the ASCII and the hex view of the highlighted packet. When you highlight a particular field in the packet detail pane, the blue pane, that location is also highlighted in the hex and ASCII in this pane. Now, for security professionals, this can assist you in creating signatures for particular network traffic in an intrusion detection system. However, that's a little bit outside the scope of this course. So in the next lecture, I'll give you an overview of what the OSI model is and how it relates to Wireshark.

3. The OSI Model: In this lecture, I'll give you an overview of the OSI model and how it relates to Wireshark. The Open Systems Interconnect, or OSI, model is a way to visually depict how data is transferred across networks and how applications
send communication from one node to another. The OSI model includes seven layers. These seven layers operate in order, meaning that data travels from the application layer to the physical layer, or vice versa, depending on the direction of the data flow. At each layer, information is added or removed, again depending on the direction of the data. But don't worry too much about that right now; we'll cover that in a minute. First, let's talk about each layer. The first layer is the physical layer. This layer depicts the physical medium of transmission, and this could be an Ethernet cable or a fiber optic cable, even a wireless signal. Any medium that transmits the ones and zeros from one node to another is located at the physical layer. The second layer is the data link layer. At this layer data is assembled and disassembled into frames. At this layer we also see media access control, or MAC, addresses introduced. This is also the layer where devices like bridges and switches lie, and protocols such as Ethernet and Token Ring also live in this layer. The third layer is the network layer. This layer is responsible for encapsulating and decapsulating packets. It adds source and destination IP addresses to the data that traverses the network, so routers live at this layer, and protocols such as IP also live in this layer. The fourth layer is the transport layer. This layer adds ports and socket numbers to the data to allow the data to be read by the correct process on the receiving or transmitting node. Protocols such as TCP and UDP live at this layer. The fifth layer is the session layer. Now, this layer is responsible for creating a communication session between two nodes and then also closing the communication channel when the channel is no longer needed. Protocols such as NetBIOS live in this layer. The sixth layer is the presentation layer. This layer is responsible for compression and encryption of data. And finally, the seventh layer is the application layer. This is the layer where data that has been sent over the network is sent to the application. It's important to note that applications do not live at the application layer, but rather protocols for transmission. So, for example, HTTP is the protocol that lives at the application layer. Browsers such as Chrome and Firefox use HTTP, but do not themselves live at the application layer. So that's a quick overview of the OSI seven layer model. Now, why is that important? Since Wireshark is a protocol analyzer, it can actually read and decipher the information from layer one to layer seven. As you can see in this screenshot, this is the packet detail pane of a DNS query. Wireshark segments the detail pane by the OSI layers; as you can see, the first two lines indicate layer two, data link layer, data. You'll also notice the source and destination MAC addresses here. The next line depicts the network layer; as you can see, IP addresses are presented here. The next line depicts the transport layer. Like I explained earlier, this layer helps with application to application communication by implementing ports and socket numbers. Finally, the last line is the application layer data. This is often referred to as the payload of the packet. So let's talk about a concept called encapsulation and decapsulation. When two nodes want to communicate with each other, the data goes up and down the OSI layers. In this example, node one is initiating communication. The application generates a payload that it wants to send to node two and then sends it down the layers. Encapsulation means that at each layer some data is added. For example, source and destination IP address are added at layer three and source and destination MAC address are added at layer two. When that data gets to layer one, it is transmitted across the wire as ones and zeros. When the data reaches node two, each layer strips the encapsulated data from node one and passes the information up the OSI model until the payload reaches the application layer. So I hope this helps you understand how networks work a little better. In the next section, I'm gonna show you how to install Wireshark on several different operating systems.

4. Install Wireshark on Windows: So welcome to Section 2, installing Wireshark. Now, you might think that installing Wireshark should be pretty straightforward, and it is for most operating systems. So in this section I'm gonna just go over some of the nuances of installing Wireshark. We'll start here with Windows. So what I've done is I've downloaded the Wireshark 64-bit version 1.10.7, and we'll go ahead and double click to install. Give it the UAC okay. It's a basic wizard, just like you would expect for any other Windows application. We'll agree to the license terms. One thing I want to note here is that it has a bunch of components installed. If you take a look, you'll see that tshark is there. tshark is basically command line Wireshark, and it's really great for scripting if you want to run a network capture or a network parser as a script. It is also very efficient at pulling just the packets that you need, or carving just the packets that you need, out of a very large pcap that you have. So you want to make sure that you install that. Plugins and extensions are pretty straightforward. Tools: you have things like editcap and mergecap. Both are really great command line tools. editcap is for editing pcaps that you already have and removing certain things; mergecap basically would take multiple pcaps that you have and merge them together into one. So lots of good tools here. Next, give it the basic options here, Start menu item and quick launch icon, and we'll install to the default location.
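The encapsulation and decapsulation walk-through from lecture 3 above, carried out in code. This is an added example, not part of the course or its transcript: it wraps a constructed DNS-style query in UDP, IPv4 and Ethernet II headers the way node one's stack does on the way down, then peels the headers off again on the way up and lists them by layer, in the order Wireshark's packet detail pane shows them. The MAC addresses, IP addresses, ports and payload are all constructed sample values.

```python
import socket
import struct

# Constructed sample values; nothing here comes from a real capture.
SRC_MAC, DST_MAC = "00:0c:29:aa:bb:cc", "00:50:56:11:22:33"
SRC_IP, DST_IP = "192.168.0.5", "192.168.0.1"
SRC_PORT, DST_PORT = 51234, 53
# Layer-7 payload: a minimal DNS query for example.com, type A, class IN.
DNS_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
             + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(payload: bytes, src_mac=SRC_MAC, dst_mac=DST_MAC,
                src_ip=SRC_IP, dst_ip=DST_IP,
                src_port=SRC_PORT, dst_port=DST_PORT) -> bytes:
    """Send the payload down the stack: each layer prepends its own header."""
    # Layer 4 (transport): UDP adds source/destination ports and a length.
    # Checksum 0 means "not computed", which UDP over IPv4 permits.
    udp_len = 8 + len(payload)
    segment = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    # Layer 3 (network): IPv4 adds source/destination IP addresses.
    # 0x45 = version 4, header length 5 words; TTL 64; protocol 17 = UDP.
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234,
                         0x4000, 64, 17, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    packet = header + segment
    # Layer 2 (data link): Ethernet II adds destination/source MAC addresses.
    # EtherType 0x0800 tells the receiver that an IPv4 packet follows.
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", 0x0800))
    return eth + packet


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decapsulate(frame: bytes) -> list:
    """Walk back up the stack, peeling one header per layer; returns
    (layer name, decoded fields) pairs from layer 2 up to the payload."""
    layers = []
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    layers.append(("Ethernet II", {"dst_mac": _mac(dst), "src_mac": _mac(src),
                                   "type": ethertype}))
    if ethertype != 0x0800:
        raise ValueError("this example only decodes IPv4 frames")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src_ip, dst_ip = \
        struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    # A header altered in transit no longer sums to zero: reject it, as the
    # receiving IP stack would, instead of decoding garbage.
    if ipv4_checksum(frame[14:14 + ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    layers.append(("IPv4", {"src_ip": socket.inet_ntoa(src_ip),
                            "dst_ip": socket.inet_ntoa(dst_ip),
                            "ttl": ttl, "protocol": proto}))
    if proto != 17:
        raise ValueError("this example only decodes UDP")
    l4 = 14 + ihl
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", frame[l4:l4 + 8])
    layers.append(("UDP", {"src_port": src_port, "dst_port": dst_port,
                           "length": udp_len}))
    # Whatever is left after the last header is the application-layer payload.
    layers.append(("Payload", {"bytes": frame[l4 + 8:l4 + udp_len]}))
    return layers


if __name__ == "__main__":
    wire = encapsulate(DNS_QUERY)
    print(f"{len(wire)} bytes on the wire: {wire.hex()}")
    for name, fields in decapsulate(wire):
        print(f"{name:12s} {fields}")
```

The IPv4 header checksum is computed on the way down and verified on the way up, so a frame whose layer-3 header was altered in transit is rejected rather than decoded; the UDP checksum is left at zero, which UDP over IPv4 allows, to keep the block short.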
And right here, you'll notice that it says Install WinPcap 4.1.3. Now, WinPcap is the back end to Wireshark's network capture. It is the Windows version of libpcap, which is the UNIX engine and library that runs Wireshark on Linux, runs tcpdump, you know, all the network capture tools. So we'll go ahead and just click install. Pretty straightforward. All right, next it comes up with the WinPcap wizard, and you just have to go through that and agree to the license and automatically start the WinPcap driver at boot time. Finish that. All right, next, just for fun, we'll run Wireshark just to make sure it installed properly. And there you go, Wireshark is fully installed on Windows.

5. Install Wireshark on Mac: All right, so in this lecture we're gonna go over how to install Wireshark on Mac. What I have here, I'm running OS X Mavericks, and we're gonna install Wireshark 1.10.7. So the first thing you need to know with Wireshark on Mac is that it actually needs an X11 client, and the best one that I found, at least, is XQuartz. This is also the one that's recommended by Wireshark when you install it. So we'll go ahead and open up XQuartz. Then we'll install the package. Pretty simple wizard: agree to the license terms and click install. All right. And, you know, it takes a couple of minutes to install, but by the magic of video editing it's almost instantaneous for you. So now that XQuartz is installed, we'll close that out. And just to show you, open up my Applications folder here and then the Utilities folder; you can see XQuartz. All right, so now we've got our X11 for the viewer. We'll open up Wireshark. I will run that. So again, very standard basic installer: continue, accept the license agreement, install. All right, and it is successful. All right, so the very first time you run Wireshark, it's gonna take a couple of minutes to open up. It's got to work with XQuartz and set up all of the settings, so we'll open Wireshark. And as you can see, it opens up XQuartz right here. And it'll take a couple of minutes, but I won't make you wait through that. Right, so the first time it takes a couple of minutes since, you know, it's setting up everything. But now you see we've got it working here on Mac.

6. Install Wireshark on Linux: So in this lecture we'll go over how to install Wireshark on Linux. And my recommendation, honestly, is to use a distribution called Kali Linux. It's designed for penetration testing, designed for hacking, and it actually comes with Wireshark preinstalled. So that's really the easiest and most efficient way of running Wireshark in the Linux environment. But for the sake of this lecture, and for the sake of showing you how to install Wireshark, I'm gonna go ahead and use Ubuntu here. And you can see that if I go to Settings and click on Details, I'm running Ubuntu 12.04. All right, so the easiest way to install Wireshark from here is to open up a terminal and type in sudo. sudo basically runs whatever command you want as the root user. We'll do sudo apt-get install wireshark, and it's gonna ask you for your password, and then it goes out and builds this dependency list, pulls all the libraries it needs in, and it says "After this operation, 62.2 MB of additional disk space will be used. Do you want to continue?" Type Y, hit enter, and it goes out to the Internet, to the Ubuntu archives, and pulls down all of the libraries it needs and the Wireshark application. So it should only take a few seconds, depending on your Internet speed. And now we're installing and unpacking. All right, so now it's installed. So now to run it, it's as simple as typing wireshark, and there you go. You have Wireshark installed on your Linux system.

7. Where to Place Wireshark: All right, so welcome to Section 3.
In this section, we're going to look at how to capture network traffic. But before we get into the demonstrations, we need to discuss a little bit of network theory. Modern networks are pretty efficient, and they have network devices that allow for network segmentation. Now, this is great for throughput and performance, but it makes our lives a little more challenging when it comes to capturing network traffic. Firstly, in order to capture network traffic, you need to have a network card that will operate in promiscuous mode. When a packet is received on the NIC, it looks at the destination information. If the IP address or MAC address matches the one that's assigned to that NIC, the packet will continue up the OSI layers. If the destination address does not match, the packet is discarded. Promiscuous mode allows network cards to capture all packets that come across the wire, even if they are not destined for that particular host, and most modern NICs will allow for promiscuous mode. Next, we have to think about what hardware is present on our network. Most enterprise networks are made up of a multitude of hubs, switches and routers, and in the context of packet captures, these devices segment the network in ways that prevent our sniffing host from capturing all packets that cross the network. Each device has its own special procedures for setting up a successful packet capture, and we'll discuss all of them in this lecture. Sniffing using a hub has to be the easiest way to capture all the traffic on the network. The way hubs are designed is that when a packet is sent from one host to the hub, the hub will send the packet out every port on that device. In the example here, host one wants to send some data to host three. Host one will start sending data with the destination address of host three. When that data is received by the hub, the hub will forward all packets out each of the ports. Now, this means that host two will see all the data being sent to host three. Now, if host two is not our sniffing host, then it will simply drop the packets and continue listening. However, if host two is our sniffing host, it will capture every packet that is being exchanged between host one and host three. Switches are much different when compared to hubs. They both provide the same result of connecting multiple devices together. However, a switch is much smarter. Instead of sending data from one host out all the ports, it builds a table of what host is attached to what port. When data is sent from one host to the other on the same switch, the switch can tell that and will only send data out the port for the destination host. So what this means for us is when we attempt to capture network traffic off the switch, we will only see the broadcast traffic or traffic that is specifically destined for our sniffing host. So to counteract that, we have four different methods for capturing packets off of a switch, and they are port mirroring, inline hubbing, using a tap, or ARP cache poisoning. So let's dive a little deeper into each one of these. Port mirroring is the first and, in my opinion, the most effective way of capturing traffic from a switch. This is a setting in most enterprise switches that allows an administrator to forward traffic from a particular host or all hosts out one port. In the example here we have three hosts attached to a switch and one sniffer. When the hosts talk with each other, the sniffer wouldn't see that traffic. But if the administrator made the port the sniffer is attached to a mirror port, then data from host one to host two would go to host two and to the sniffer. Or the administrator could assign the mirroring port to mirror all traffic. In that case, any conversation on the network will be sent from the source host to the destination host and to our sniffing host. And this is how many modern network intrusion detection systems work as well. So inline hubbing is a technique where you essentially place a hub in between one host and the switch. The sniffing host is then attached to the hub. So in our example, when host three sends or receives data, it must first go through the hub. As we learned a few slides ago, hubs forward traffic received out all of their ports, so not only would host three receive the traffic, but the sniffing host would as well. Now, this method is particularly effective if you want to capture traffic to and from a single host. So in our example, any traffic between host one and host two would not be received by the hub, because the switch knows that host three is on a different port and does not need that traffic. A tap is a device that sits in between the network and the device. It acts similarly to placing a hub inline like we talked about in the previous slide, but it passes all the traffic between the network and the device in real time, while also mirroring the data to the sniffing host. So there are two types of taps, aggregated and non-aggregated. Aggregated taps have a single mirror port, and it sends that bidirectional traffic through. A non-aggregated tap has two mirror ports: one mirrors traffic from the switch and the other mirrors traffic from the host. This means that you would need two network cards on your sniffing host in order to capture all the traffic. Mostly, aggregated taps are usually your best choice. However, non-aggregated taps are used when there's a high volume of traffic to and from the host or when you only want to capture traffic from one side of the conversation. The final way of capturing traffic from a switch is a technique called ARP poisoning. ARP poisoning is probably not the best way to capture traffic because it involves creating a man in the middle attack on your own infrastructure. ARP, or Address Resolution Protocol, is a way to map layer two MAC addresses to layer three IP addresses. In our example, host one has data to send to host two. Host one has the IP address of host two, but not the MAC address. Host one sends a broadcast to the entire network, saying, "Who has this IP address? Tell me." Host two responds, saying, "I have that IP address and here's my MAC address." Now, the act of ARP poisoning inserts the sniffing host in the middle of that conversation. So take the example we just talked about. Host one needs to find host two's MAC address, so host one broadcasts the ARP request. Instead of host two responding, our sniffing host would actually say, "I have that IP address and here's my MAC address," effectively impersonating host two. When data is sent to host two, it's actually sent to the sniffing host, and then the sniffing host forwards the data on to host two. Now, this is not the most effective way of sniffing traffic off of a switch, because it means that ARP must be enabled on your network, and it could potentially slow down communication between hosts because the sniffing host now needs to forward the traffic it receives to the correct host. So we finally come to placing Wireshark on the network in order to sniff traffic destined for the router. In this scenario, it's important to understand the flow of your network as well as its topology. If you're trying to troubleshoot network connectivity issues between nodes connected to router one and nodes connected to router four, you may need to place a sensor between each of the routers. Routers will not forward traffic that is destined for the LAN, and you will therefore only receive data that needs to be routed from network to network. Make sure you understand your network topology, and that will help you to place your sniffer in the right location. So we discussed a lot in this lecture. We talked about sniffing on a hub network, a LAN connected by switches and a WAN connected by routers. In the upcoming lectures, we're gonna go over how to initiate your first packet capture and how to filter the results you get. Future lectures in this section assume that you know where to place Wireshark.

8. Your First Capture: All right. So we've gone through all the theory of networks and how they work. We've gone through how to set up Wireshark. Now we're ready for the meat of it, right? We're ready for your very first packet capture. So the first thing we want to do, before we even start with the program, is talk just a little bit about ethics. The first thing you want to make sure of is that you actually have permission to sniff the network that you're on. There's a lot of sensitive information on networks, and by using Wireshark to sniff them, it could be construed as malicious hacking, or you having malicious intent toward whoever owns the network. So make sure first and foremost you get permission. If it's your home network, you know, no big deal, right? It's your network. If you are doing this for your job in a corporate setting, you wanna make sure that networking and system administration is in your job description. Make sure you ask for the proper permissions to use this program, and treat it with the respect it deserves. So, now that we've gone over that, let's talk about Wireshark. Let's talk about the interface here. The first thing I want to show you is Edit, Preferences. That brings up this window here, and I want to go to the Capture setting. Now, here are some preferences as far as capture is concerned. You can set a default interface.
If this is an interface that you're gonna be using every time, all the time, you can go ahead and set that you can look at some of the other interfaces here. So right, you've got this, um, you can set a default buffer size. Um, looking the early in, here's our option for promiscuous mode we talked about. And, um, if this is an interface that you don't want to use, perhaps this is Ah, you have several v ems and you've got some of those virtual interfaces. You don't want them anymore. You can hit the hide interface button here home. A couple of options here, right? You want to capture promised capture packets and promiscuous mood. And we talked about that in the previous lecture. What promiscuous mode is and you want to capture packets and P cap n G format. And what this means is that, um it is Mawr compatible with other programs, and we're gonna go over and kind of future lectures about how to take the peak cap in the file capture that you have and using other programs. So you want, make sure that's checked up. They list two packets in real time. You know, it's kind of fun to watch the packets come in Israel time, and you'll see that here once we get started on then auto scrolling of the live capture also helps with that, um, as well. And, uh, yeah, so that's the interface. So that apply Boyd. Okay, All right. So now let's take a look here. This is our capture interface. There's a couple ways there's a couple ways to get to the capture. Ah, first is by clicking this interface list here, and you see all the lists of the interfaces and you can see if they've got I. P's. Ah, signed to them. And here we are, you know, live. This is my wife. I interface, and it's it's capturing Packards from my network so you can do that you can also go to the capture and click on interfaces and get to the same window. Um, we'll talk about some capture options here, so if you just hit go, it's gonna take the defaults, Which in most situations, air probably. Fine. 
But let's ah, look at a few things. You can click this right here, capture on all interfaces. So if you got this some hooked up to multiple networks or say, you know, we talked about a, um, a tap that has incoming and out coming incoming and outgoing, um, streams. So if you needed to next to capture from from the network here in question, you would want to capture all interfaces. We're gonna talk about capture filters in a previous life there in a in a future elections lecture. So we're not going to talk about it here. You can sit where to save it. Um, you can say, you know, use multiple files and this is helpful if your plan on doing this for a extended period of time, so you may want to ah, said it. You know, every 100 megabytes, new file or, you know, minutes are or what not you can tell it to stop the capture automatically. So if you need toe, start to capture and then move away and go do something else. You can say, you know, stop it after five minutes, Um, and then these air, some of the same, you know, things that we've seen in the ah, in the, uh, other options that we took looked at earlier. So those are capture options. I'm going to say not use multiple files. Um, we're just gonna do a standard capture here, so we'll click on in her face list. We've checked my wireless and we'll click. Start, as you can see now, you've got live packets coming into the network thing I want to note down here. Right. Is packets coming in back? It's displayed. Um, so you can see live. How many packets were we're getting hand. When you are finished, you can just hit the stop button. And there you go. I captured in the span of a couples, you know, about 30 seconds or so I captured, um, 235 packets, and actually, it was only 21 seconds. If you look at the very last packet that we captured here. Um, it was 2021 seconds from the very beginning of the packet capture. So there you go. There's your very first packet capture. 
What we'll do in future lectures is talk about how to filter and what to do with this data. But for now, that's the end of this lecture.

9. Capture Filters:

All right, so let's talk a little bit about capture filters. Capture filters are really important, especially if you're trying to capture a large amount of data from networks that have a high amount of traffic. So say you're trying to capture just a small subset of that data. And that's important, especially when you talk about packet captures being very large, depending on the amount of data coming through. So we would put a capture filter on to say, we only want this small subset of packets that come into our network, and we really don't care about the rest of them, so drop them. So we would implement that. Capture filters use the same syntax as tcpdump filters, and the reason for this is that Wireshark on the back end uses the libpcap, and on Windows the WinPcap, libraries to do its processing, and so does tcpdump. The reason for this, again, is that tcpdump is much faster, much more efficient at capturing packets, but it doesn't have the same granularity that a Wireshark filter would normally have, so you won't get down into the nitty gritty, into deep packet inspection of each packet that comes in. You're going to have to go at a more high level for your capture filters. Capture filters are formatted as, you know, you have a filter, you can negate it using the word not, and you can string filters together using and and or. So, you know, our examples here, right: udp and port 53. That's all UDP traffic that came in on port 53, and we know that that's DNS traffic. Again, tcp port 80 and not host 192.168.0.5. And what that means is that we want all TCP traffic coming in on port 80, but we don't want traffic coming from 192.168.0.5. Now, we can string together multiple filters with parentheses and using the and or or function.
So in our example here, right, we want all TCP traffic, but we also only want TCP traffic that's coming in on port 53 or port 80. Now you can use greater than and less than logic as well. So in our example here, right, we want tcp port greater than 1500 and tcp port less than 1700. What this will actually capture is all packets between 1500 and 1700 on the TCP protocol. Now, there's an easier way to do this. We're going to show you that in the next slide. But I just wanted to show you that as an example of how to use the greater than and less than in a capture filter. So here are some real world examples, right. All traffic from the 192.168.0.1 network. So there's two ways to do this, right. When you're talking about getting all the traffic from a particular network, we want to do src or dst net, and we give it the IP address. Now, when we talk about that, we need to give it a subnet mask to tell it to capture the entire network. There's two ways to do that. One, you type mask and then give it the subnet mask, in our example 255.255.255.0. Or you can give it the CIDR range of /24. And that does the same thing. If you want to capture all DNS requests, right, we know that DNS requests come in on UDP and they come in on port 53. So we would do udp and port 53. Those are DNS requests. Same with HTTP requests, right. You want tcp and port 80. Now, that's all TCP traffic that comes in on port 80. And then finally our last example here, right, all ports between 1704 and 1725. Now, in our previous example, we used the greater than and less than and we strung them together with an and function. Here, we're just going to give it the tcp portrange, which says the same exact thing. So you can use both of those. All right, so now that we've talked about how to build a capture filter, let's show you how that's done within the Wireshark interface.
Now there's a couple of different ways to do it. The first way I want to show you, and I think the easiest way to do it, is you open up the capture options dialog box here, and we'll see right here, capture filter, and enter your capture filter. Now, I'm going to give us a simple capture filter. We're going to do tcp port 80. Now you can see that it turns green, saying, hey, that syntax is correct. If I were to remove that, see how it turns red? A TCP port, but what port? You didn't give me one. So red, bad; green, good. So once you've got that, you can see right here on our WiFi interface that our capture filter is set to port 80. So we'll close this out, and we'll hit start. And here comes some traffic, right. So you've got some HTTP traffic coming in. We'll stop that here and we'll close that out. I don't care about saving it. So the other way to do it here is if you go to Capture and then go to Capture Filters, you can see that it's got some ones already built in for you. So if you want, you know, IP address here, you can hit OK, and then hit your capture and go from there. The beauty of using this dialog box is that you can click new and create a new filter string. Maybe this is something that you use often. You can save it and go from there. So that's how to build capture filters. I'm going to put some more resources, more information, in the resources pane here for you to look at. It will help you build some more complex capture filters. But we've kind of gone over the basics here in this lecture on how to build effective capture filters.

10. Working with the Wireshark Interface:

So welcome to our new section here. We're going to talk about, now that we've captured traffic in Wireshark, we need to use the dissection tools and use the tool for what it's made for, right? It's a protocol dissector. So let's talk first about the interface and what it looks like.
Up here you have the summary window. And what this shows is all the packets, starting from the very first packet all the way down to the very last packet. You can scroll, and you can see that there's a lot of traffic in this pcap. Here, you can click on a particular packet, and it changes the lower frames, the lower windows, and what data shows up. So the second frame, the next one here, is our protocol tree window. And we talked a little bit about this at the very beginning of the course, but I want to go into a little more detail here. You can see that each layer of the OSI model is represented here. So here we can open up, we've got, you know, our MAC address information, and you can see this is a 3Com address, source information. So you can drill down into these layers here and pull out some really interesting stuff: the source and destination IP addresses here, and then you get into, you know, your TCP, and you've got your source port number and sequence number for the packet, lots of interesting details. And then finally, this is the payload of the packet, what the packet was really meant for. This would be, you know, your application layer data, and it is not really that interesting, but it's, you know, an IRC packet. It gives you kind of some information there. Now, the bottom window here is the data view window. And this shows the hexadecimal representation of every packet, and you can actually click on things. So here I'll click on this right here, the prefix. And when you click on that, it highlights what part of the packet that is represented by, so you can see that it truly is a protocol dissector, and that it will give you where in that packet everything kind of sits. Now what we're looking at here is the default layout of Wireshark when you install it. This is what it comes with.
But you can change it up, and you can get some really cool information by just changing the view. So to change the layout of Wireshark, what we'll do is we'll go to Edit, and we'll open Preferences. And here we've seen this window before. First thing we can do is we could go to Layout. By default, you've got the 1, 2, 3 packet layout, and you've got, you know, the first pane, our packet list, our summary window. The second pane is the packet details, the protocol tree. And then the packet bytes. So you can arrange it any way you like, and kind of look at, you know, some of how it's viewed, right, alternating row colors and so on and so forth. Columns. This is what you see as far as the default columns that are in Wireshark. Now you can add or remove some of these things. Say you wanted to add a new column, right. And we'll do, let's find a good one here, how about source port, right? We want to add source port, and we can do that. And now if we hit apply, it's got to reprocess all the packets. But now we've got, next to info, we have source port here, and we can filter on, not filter, but we can, you know, reorganize based on the source port. So you can add kind of any field you'd like within that. Next thing I want to show you is time. So each of these packets has a timestamp, and you can change this. Right now, by default, what we have is seconds from the very first packet. You can see that our very first packet is zero, and it just increments from there. If you go to View, Time Display Format, you can change it to date and time. You can change it to just the time of day, seconds since the epoch, all kinds of great things. So I'm going to change it to time of day, and you can see how it changes. This is kind of an old pcap, but it does the job of representing what we're trying to show you here. Now, the other thing you can do is set a time reference.
So if you right click on a packet, you can set the time reference. And yes, we do want to switch to seconds from that. And what we've done here basically is we've said this packet here is now the very first packet that comes in. We want you to start counting up all the packets from, you know, here on out. And this is really helpful if you see activity within this pcap that you want to kind of map out a timeline of what happened. And you want this to be kind of your time zero. This is when the incident started, and, you know, go on and so forth from there. So that's how you would set that time reference. And I'm just going to untoggle it here just to show you one further thing with time. You can right click and you can do time shift, and you can shift all packets by a certain number, right? So by default, it takes the time reference from the computer that is actually doing the capture. So if, for example, you have a machine that normally sits on the East Coast and you take it over to the West Coast and you do a packet capture, it's going to capture in East Coast time. But you want to see it in West Coast time, so you could add three hours to every packet here, or, you know, some of these other packet time shifting functions here. Last and final thing I want to show you in the interface is how to merge packet captures. We talked about in the previous section, when you are capturing, if you do a very large packet capture, you may want to break those pcaps up into smaller chunks. Say you want a new pcap every 100 megabytes or every gigabyte. But say you need to merge a couple of packet captures together. You open up the first one, like we've done here, and you go File, Merge, and now you're going to pick up another one.
And I've got this telnet pcap here that I'm going to open up, and now you can see that it's added that telnet data to this, and we can then take that and you can go Save As. And you could save that as an entirely different pcap file. So that's kind of a brief overview of what the interface is like and a few of the really cool functions for managing packets. In the future lectures, we're going to actually talk about doing some filtering and some really cool advanced functions of Wireshark.

11. Display Filters:

All right, so now that we've gone through what the interface looks like and a couple of the cool features of Wireshark, let's get into the meat of Wireshark, why we use it. And I think the most powerful feature of Wireshark is the filter window and display filters. So I want to show you a couple of ways to build some display filters. You would build a display filter basically to either just show the data that you are particularly looking for, just the packets you're looking for, or to filter out extraneous noise and things that you may not want to see. So there's a couple of ways to do it. The first one we're going to show you is by using the expression builder. So here you will click on the Expression button, and it brings up this window. Within this window here, under field name, you have a whole bunch of protocols out here. And you can open up a few of them here and you can see the subfields and what they mean. Now, a lot of these you may not know, but it's a very long list, and it's very easy to search. So, you know, for example, right, we're going to search for http, and I just type, and it brings up http, Hypertext Transfer Protocol. I'll open up this window and you can see that it comes with quite a few fields within HTTP, you know, cookies, hosts. The one I want to show you is the request full URI, and that is, you know, basically the URL of the HTTP GET or POST requests. Now you click on that.
You have your relations here. You can say is present. For this particular one, that's going to show up a lot of packets. Or you can say equals. == is purely just equals and must match exactly. != is not equals, so, you know, negating equals. There's the greater than, less than, greater than or equal to, and less than or equal to. Contains allows it to do a search within that field and, you know, match on just a single term within that field, as opposed to the == which is exactly, you know, word for word, byte for byte, what you're searching for. And matches allows you to write regular expressions to search for patterns within the field or the packets. So for this one we will do contains, and we'll type index.html. So full URI contains index.html, and you can see right here that it builds the string for you. Now it shows it as green, meaning that this is valid syntax for this particular string. If I were to delete one character, you can see that it turns red, telling you that this is not valid syntax for that particular string. So once we've got the green, we can hit apply, and it will go through and filter out. And you can see that there's only one right here, right? This is a GET. There's our index.html. So there's that way of building that expression. We'll clear that out for now, and I'll show all of our packets again. The next way to prepare a filter and build filters is to go through the protocol tree here. Now, when you open up the protocol tree, and here I've got it opened up right here to our HTTP payload data, and here's our GET. You can see a lot of things like the user agent field, the host, lots of information. Now, all of these fields are filterable. So say I'm looking for all requests from this host. All I would have to do is click on that field, right click, and do Prepare Filter, Selected, and it will say exactly that.
I'll show you, right: http.host == and the IP address. Now, I'm going to right click again, just to show you, you can do Not Selected. And we'll get into this and/or stuff here in a minute. But you can negate it as well. And here you go. You can now just hit apply. And these are all the packets that match that field. This is my favorite way of building a filter because I think it's the easiest. You go and you find a particular field you're looking for, and right click, Prepare Filter. Now there's another option here that says Apply as Filter, and essentially it does the same thing. The difference between prepare and apply is that prepare just puts the filter into the filter window and basically doesn't hit the apply button for you. Apply as Filter puts the filter into the window and hits the apply button. Now I like to use Prepare Filter, especially when I'm working with a very large pcap file, because it allows me to edit the filter. If I wanted to, say, and this may not show anything, but if I wanted to change the IP address around just a little bit, I could do that and hit apply. Yeah, see, it doesn't really show anything, but I can modify the filter before hitting apply. And I think that's really powerful within a very large pcap. If you hit Apply as Filter, it may take a while to process that. Now you have to wait for it to finish processing before you can change your filter parameters and then hit apply again and let it process all over again. So my suggestion: always use the Prepare Filter route. Now the next way, and the final way, to really build a filter is this autocomplete function. You can click into the window here and you can start typing. For example, if we wanted to find some FTP traffic, you can see that I've got ftp and I've got two options. I've got ftp and ftp-data.
Well, if I want to look at some of the fields within FTP, all I do is add a period, and there are all of the FTP fields, and I could say, you know, request arg, and I could do contains something, and I could hit apply, and it would go through and do its filter. So that's, you know, kind of another way of doing it. Let's do the and and or here. What I want to show you is, when I showed you the Prepare Filter, you saw that there was an And Selected or Or Selected. Let's go open up the IP stack here and you can see source and destination IP addresses. So say I want to have all the communication between these two, where this IP address is the source and that IP is the destination. I can right click and do Prepare Filter, Selected. That's my IP source, and then for my destination, do the same thing, but I could say And Selected. And you can see that it builds out the filter for me and puts both of those parameters in. Now the ampersand ampersand stands for and. You could also type in and, and that works just as well. Then I can hit apply here, and that shows me all of those. Now I could put in front of our, I could change any of these to say not, and it doesn't like that, really. This is yellow, meaning that it may not work, but you can see that it actually does pull back some stuff. It's just kind of warning you that maybe that's not the best filter in the world, so we'll flip it back here. Now say this is something that you use, this kind of filter is something that you use on a regular basis. You can save those filters for reuse later, and there's a couple of ways to do that. First, and the easiest way: build your filter, and when it says green, hit save, and you can call this, you know, IP direction, and there it goes, right here. It shows up right on your menu here, and I can hit IP direction, and it automatically applies that. Now, the other way to do that is to click on Analyze and click on Display Filters.
And you've got a couple of common display filters here that you can use, or you can click new and write out your new filter there and save it. So those are the two ways of saving your filters for later reuse. So that's all I have for IP filters. I'll put some resources in the discussion area to show you basically all of the information on all of these fields within this expression builder, because there are a lot of fields and they don't always all make sense. So there are some good Wireshark resources where you can search for a specific field, and it will give you a description of what that field actually means. So that way you could kind of look at some more filters and build more complex filters. I'll also put in some information on some of my favorite filters, some of the ones that I use most often, and some examples there for you in a future lecture. So that is Wireshark capture and display filters.

12. Follow Network Conversations:

All right, so let's talk a little bit about network conversations and how Wireshark has the ability to recreate what's going on within the network. So every time there's a network conversation or a transaction on the network, it always starts with our three-way handshake. And we have this right here, right? We have the SYN, the SYN-ACK and the ACK, and that starts our conversation, these three packets. And then the FIN command closes the interaction, closes that connection. So we call that, our Wireshark calls that, a conversation, so it has a great ability to recreate the entire conversation. So let's do that here. Here's the first packet of our conversation. We're going to right click on it, and we're going to Follow TCP Stream. Now, what this does is it goes and it will pick up all of the packets within that conversation and recreate the information.
Now, if it's plain text, it shows it right here, which is actually quite helpful when looking at, you know, what actually happened. If it's SSL, however, or encrypted traffic, you're going to see a bunch of gibberish. But here, it's just a simple HTTP GET request. And you see the initial in red, right? This is the first talker. So this is the host saying, hey, I want to get this file. And then this is the server responding in blue with what is, you know, the actual data, right? And so we can hit Save As if we wanted to. We could save that entire conversation as a text file if we wanted to. But essentially, what it's done is applied a filter that says tcp.stream == 0, 0 being the very first TCP stream within this packet capture. Now you can do the same thing. Clear out our expression here. And you saw that there's UDP stream and SSL stream. So if there were UDP conversations or SSL conversations within this packet capture, we could choose those as well. Now, what if you wanted to see, you know, all the conversations, you wanted to find a very specific conversation in a very large packet capture? Wireshark will go through and actually show you where all those conversations are. So if you go to Statistics and Conversations, it comes up with all of the conversations within Wireshark and breaks them out by the unique Ethernet addresses. One thing I think is great about Wireshark is that it does name resolution, but sometimes it gets confusing. So I like to turn name resolution off here. What that does is it shows just the raw data, right, as opposed to trying to tell you who the manufacturer of the NIC is. But you see a bunch of, you know, two different talkers, right? You can go to IPv4 and these are unique IP pairs. But let's take a look. These are all the TCP transactions.
Our TCP conversations within this packet capture, and we see a couple here, like this one right here is larger than the rest of them, right? You know, kind of 10,000 bytes here. So we'll click on that and we can click Follow Stream, and that will bring up the stream information for that particular conversation. So that's kind of a quick overview of how to look at conversations, look at TCP streams within Wireshark.

13. Exporting Objects:

All right, so in this lecture, we want to talk about getting files out of a, you know, packet capture. What I have here is I've opened up one of the sample packet captures from Wireshark, and it's the http with jpegs capture, and I'll post a link to that in the lecture information. But essentially, it's, you know, a bunch of HTTP transactions, and quite a few of them have JPEGs. And I've highlighted this packet here because this is the HTTP response, right, and it says it's a JPEG (JFIF) image. So I'm going to right click and Follow TCP Stream. So you see that here's our initial request, and then here's the response, and you see there's a lot of junk in here, stuff that, you know, we can't make out, but the computer can, and we can actually take this data and turn it into a JPEG image. So what I want to do is, right here I've got the entire conversation, and I actually want to say, give me just the response, right. So this is, you know, not the request, just the response. Now I'm going to save that. And I'm just going to call it test.txt for now. And I'll close that out. Let's open up that file. So you see, it's very, you know, similar, right? We've seen all this junk before. What we really want to do is we want to get rid of this HTTP header information. So we'll delete that, and delete the extra white space, and we'll close that. Now, what I'm going to do is I'm going to rename this to test.jpg and we're going to open it.
And now, if you see that, there we go. We've opened it up in there. Now we see the JPEG. So that works perfectly for HTTP transactions, where you can kind of recreate the files. Now, there's an easier way to do that, and I'm going to show you that. So we're clear, and basically Wireshark has automated what I just did manually. So you can go to File, Export Objects, and you can see that you can export HTTP, or if you had SMB, which is kind of the Windows file sharing protocol, if you had SMB traffic in there, you could export stuff from SMB. But we know that this is HTTP traffic. We're going to export the HTTP traffic, and it goes through all the packets and shows you what was transmitted. So here are the file names. And we're going to go down to the bottom and actually pick that one out, and we can hit Save As, and we'll call that just what it's called. We'll save that, and that is the same picture, the one we just pulled out manually. It was actually just done automatically. So that's a really great feature, especially if you're doing incident response or are looking at traffic, maybe perhaps malicious traffic, and you want to pull out perhaps some malware or an infected image, or you just want to see what your users are browsing. This is a very powerful tool to use. So that is pulling objects out of Wireshark.

14. Carve Packet Streams:

All right, I want to share with you a special program that comes with Wireshark. It's a program called tshark, and essentially what it is, is it's command line Wireshark. Now, why is this important? Why is tshark important? Well, for two reasons. First, it's scriptable. So if you want to automate certain tasks or run them on a regular basis, tshark is your program. Second, it allows you to carve packets. You may have come across a very large pcap file.
A couple of gigs big, and Wireshark, depending on your hardware, may choke on it and may not be able to open it and run your filters quickly. So tshark is a way of basically pulling certain subsets of data out of Wireshark and making its own pcap file. Let's take a look at the help file real quick. So type tshark -h, and we'll take a look at the beginning. A couple of things I want you to notice, right? The -i, the interface. If you want to capture traffic, use -i and tell it what interface. Look right down here. This is what we're going to use it for in this lecture: the -r function, the input file. It will read in a big pcap file and then run whatever you want on it. And then you also have the -R, capital R, which is your read filter. And that is the same type of display filter that we built in previous lectures within Wireshark. So the beauty of tshark here is that you can build a filter in Wireshark, and when it shows green in that filter window, you can copy and paste it into tshark and run your carving. And then finally, the last one that we really want to highlight here is the -w function, and that says write it out to a file. So let's see it in action here. I've got a folder here, and I've got this large.cap file. You can see that it's about 318 meg, you know, a very large pcap. But we just want to see a small subset of that data. We want to see the HTTP traffic, so we would run tshark, and with the little -r we'll read in the file, and then with the big -R we will put in our filter, just http traffic, and then with the -w function we'll write it out. We'll call it small.pcap. And here we go. We run. All right, so it took a couple of minutes, but through the magic of video editing, you didn't really have to wait here so long, but you can see that it finished.
If I type h here, you can see that large.cap is 380 meg, whereas small.pcap is 2.9 meg. So let's open it up in Wireshark and we'll take a look at what small.pcap looks like. All right, you can see that if you just look in the protocol column here, it's just HTTP traffic, some TCP. But there you go. That is tshark and packet carving.

15. Tshark field extraction:

Hey guys, welcome back to the Wireshark crash course with Kyle Slosek. Today I'm going to give you a little bit more in depth into tshark. And the reason I'm preparing this lecture is because I actually had a student ask, you know, could we go a little more in depth into tshark, what else can it do? And, you know, one of the things they asked about was particularly pulling out data sets from HTTP traffic. So what I've got here is I have an HTTP pcap file. It's about 100 megs. You can see it's got about 168,000 packets in it, all HTTP, and I pulled all this data from a very large pcap of a capture the flag event. So there may or may not be some interesting stuff in here, so just be careful if you're playing with it. And I've uploaded the file to the resources pane so you can download it and actually run through these exercises if you'd like. But let's take a look at this first: request method. There's a bunch of different request methods. There's GET, there's PUT, there's HEAD, there's, you know, a bunch of other ones as well. What if we wanted to see all of them within this packet capture? Well, we can use tshark, so let's take a look at tshark real quick. I want to show you two command line switches that we're going to use, and I have to find them. There they are. So the -T, capital T, says format the text output, and we're going to use fields. And what that's saying is that we want to just see the field that we specify. And then the -e function says, you know, what field do we want to particularly look at? So let's do this.
Let's do tshark -r, little r, which reads in a file, right? So we're going to read in the http.pcap file, and we're going to give it -T fields, and we're going to give it -e, and then we're going to go back over to Wireshark and take a look at this, right? So request method. If we right click on it and we do Prepare Filter, Selected, you can see in our bar that http.request.method is the field. So let's put that in. And if we hit enter, you can see that it's coming through and basically showing us just the HTTP request method for every packet in this pcap file. So that's interesting. We could output that and do a little statistical analysis if you want to, but we can actually do those analytics now. I'm going to show you some commands that work just for Linux, and will work on Mac as well, and I'm sure Windows has the PowerShell options to do this, but we're just going to look at the Linux version right now. So what we're going to do is we're actually going to pipe this to a sort, and that's going to sort all of the request methods alphabetically. And then we're going to pipe it to a uniq, which says just show me the unique data sets, and we'll do -c, which says count them. So we want to count how many of each request method shows up, and this is going to take a while, so I'll edit out the filler. All right, so as you can see, it went through and counted. You know, there were 4600 HEAD requests, 588 POST requests. So pretty cool. Lots of interesting ways of going about doing it and getting that information. Another cool feature right here is, if you wanted to switch back to Wireshark, you have this request URI, which in this case is not a file. But if you wanted to have files, right, that would be where they would be in the HTTP packet. So what if you wanted to see all of these request URIs? Well, again, that's pretty simple as well, right?
tshark -r, we'll read in the HTTP pcap. We'll do -T fields, then -e, and we'll come back to Wireshark, right click here, Prepare a Filter > Selected. That's http.request.uri. So, http.request.uri. Now we go through, and you could output this to a file and do some searching on it if you wanted to. Some interesting things may pop up in something like this. All right. So the last thing I want to show you is how to get the IP addresses of the servers that were contacted. So in here, take a look at this: this is an HTTP GET request. Basically, what we want is the destination IP address for all of the GET requests, and what that means in this example is that the source IP address, the .102 host, is asking the .34 host for this file. So we can go to tshark and do tshark -r, reading the file, and -R is our display filter. We'll go down here and we'll look at request method, GET, right, and I've already done it here. Basically, the filter is http.request.method == "GET". So I'll copy that, paste it, and put it in quotes here. Then we'll do the same thing: -T fields, -e, and now we want to find our IP destination, right? And just to find out what that field name is, it's ip.dst. So copy that, paste it, and we'll run it here. And now these are the IP addresses of all of the servers that were contacted, that were issued GET requests. So run that. And just like in our previous example, I can run sort | uniq -c again. This may take a little bit. All right, and there we go. So we now have all the unique IP addresses and how many times they were contacted. So that's kind of an advanced overview of tshark and how you can use it for field extraction within a pcap file. Hope you enjoyed it and learned something. If you have other questions, please leave them in the discussion board or direct message me.
And if I think it's worth a video, I'll be sure to make one for you guys as soon as possible. So thanks again. Bye.

16. Find Malicious IPs:
Hey guys, welcome back. This is one of the bonus lectures. I had a question from a student about how to use Wireshark to figure out if you've got a virus or some sort of malware running on your machine. So I thought about that, and this is the solution I came up with. It's not a perfect solution; there could be false positives and false negatives. So if you run through this at home, just because you have a hit doesn't necessarily mean you have a virus, and at the same time, just because you don't have any hits doesn't necessarily mean you don't have a virus. I would highly suggest using antivirus to really figure out whether or not you've got any type of malware running on your machine. So what I've got here is Wireshark open, and I have downloaded a sample pcap with some malware in it, and I'll post the link to this in the notes section. What I would do is open it up, hit Statistics, go to Conversations, and hop over to the IPv4 tab, and you see you've got a whole bunch of IP addresses. So you can probably rule out 172.16 because that's a non-routable IP address. You can rule out 0.0.0.0, and you can rule out 255 because that's a catch-all, that's the broadcast. So that leaves you with 64.235.43.131. What we'll do is open up Chrome here and go to VirusTotal. VirusTotal is a free service that allows you to upload files, and it will run that file against, like, 30 or 40 different antivirus engines and tell you whether or not that file hits as a virus. But it also has this other cool feature called Search that allows you to search IP addresses, domains, URLs, and so on. So we're going to put that 64 address into VirusTotal and hit search. All right.
And so what you can see here is just a little bit of information about it. It's located in the US, probably in a Las Vegas data center. But you have Latest detected URLs, and these are URLs hosted by this IP address detected by at least one URL scanner or malicious URL data set. And so what you can see here is that it scans it via 52 different URL scanners, being antivirus or whatnot, and only one of them hit as a malicious URL. So you can click on that and come up with a report that tells you, you know, Websense ThreatSeeker says this is a malicious site. And you can go through and see some of the... there may be comments here from other users of VirusTotal. You can go back here, and this is the one that I really care about: Latest files submitted to VirusTotal that are detected by one or more antivirus solutions and communicate with the IP address provided when executed. So this is the hash of the file, it was submitted this year, and nine antivirus engines hit it as a virus, so we can go to the report here and see all the different antivirus engines that hit it as a virus. We see the file name here. You can go into File detail and see a little bit more about the PE headers, do some more analysis on the actual file itself, and Additional information, same thing. You could go back and see comments, if any, but because nine hit, I think it's a safe assumption that if you have this file and it's communicating back with this IP address, there's a fair chance you probably have some sort of malware running on your machine. But again, I want to caveat that: just because VirusTotal says that this IP address hosts malware doesn't necessarily mean that you have malware on your machine. So use this at your own discretion. All right, so I want to show you one other way of finding the IP addresses, and that's using tshark.
Now, the file I'm using only has a small number of IP addresses, but if you're using this at home and capturing a lot of traffic, you're probably going to have a lot of IP addresses. So I want to use tshark to gather a list of relevant and unique IP addresses out of this pcap file. So I'm going to type tshark -r and read in this file. Then I'm going to do -T fields, which says print only the specific fields I tell you to, and -e to tell it to print ip.src and ip.dst. So what this is going to do is print out all the IP addresses, source and destination. Now again, it's a pretty small list here with a lot of duplicates. So if this were a larger list, what I would do is sort them first, then uniq them, and I'm going to put the -c in there. What sort and uniq do: sort is going to sort them by number, uniq is going to give you just the unique IP addresses, and the -c switch counts how many occurrences of that IP address are in this file. Then I'm going to sort by number again just to give me highest to lowest. So you can see here that 0.0.0.0 shows up two times, this 172.16.235.130 shows up 17 times, but the next highest is our malicious IP address at five times within the pcap file. So I would probably start with the highest talkers and go down, if you're doing this search manually on your own. But I hope this helps, and I hope this will help you in your further network analysis when you're trying to find hackers in the future. So again, if you guys have any more questions, please post them in the discussion area, and I'll see if I can make more tutorials for you.

17. TCPDUMP Introduction:
All right guys, welcome back to the Wireshark Crash Course. I'm creating this section based on student feedback and some questions that students have given me regarding tcpdump.
So I figured I'd create a new section with a couple of new videos and lectures on what tcpdump is, how you use it, and how it is different from Wireshark. So let's first talk about what tcpdump is. It is a command line application built on the libpcap library. If you remember, at the beginning of the course we talked about how Wireshark captures data off the wire and uses this library called libpcap. What tcpdump is, is just a command line use of that library. So the difference between tcpdump and Wireshark is this: it is not a protocol dissector like Wireshark, which means that tcpdump can't reach in and look at the payload of the packet. It can only look at the metadata, the headers of the packet: things like source and destination IP address, source and destination port, source and destination MAC address, and so on. So what are the benefits and the trade-offs here? One, it's faster and has less overhead than Wireshark or tshark because it doesn't have to process the payload of each packet. On the other hand, it doesn't do the processing and payload detection that Wireshark or tshark does. In real world applications, I've used this on many occasions just because it is so fast. One of the things I use it for is packet carving. So when you've got a very large pcap, usually a client will give me a full packet capture, which could be, you know, 10 or 20 gigs large, and I'm never going to be able to open that up with Wireshark, and I only want the traffic from a certain host. So I'll use tcpdump to read in that file and then write out just the packets that match a filter I give it, and then I'll use Wireshark or tshark to do the analysis. Another application I see all the time is when companies or even people at home want to implement full packet capture on their networks; tcpdump is a great free option to do that.
As long as you have the storage, all you need is a Linux box and tcpdump, and you have full packet capture on your network. So that's what tcpdump is and how it's different from Wireshark. In the upcoming lectures, what I'm going to show you is how tcpdump works: how to write filters, how to capture, and how to use it to carve packets out of a larger pcap. So with that, I'll see you guys in the next lecture. Bye.

18. First TCPDUMP Capture:
All right guys, welcome back to the Wireshark Crash Course. In this lecture, what we're going to do is go over some of the command line switches and actually use tcpdump. So the first thing I want to do is show you the manual page for tcpdump, and we're going to go through some of the more common command line switches. The first one here is -D, and what that does is print the list of network interfaces that are available for you to capture on. Then we'll go on to the -i switch, and you can see that it says listen on an interface. So -i takes one argument, and that's the interface name, or if you use the -D switch, it can be the interface number. I'll show you that here when we get to it in a second. The -n switch basically says don't convert the addresses. By default, just like in Wireshark, tcpdump tries to resolve port numbers and IP addresses and give them a name as opposed to a number, and that can be helpful, but I find it to be just more confusing. So I usually like to put the -n switch in and say just give me the port numbers and the IP addresses and don't try to convert them. The next one I want to show you is the lowercase -s, and this is the snap length. What this switch means is that it tells tcpdump how much of each packet you want to capture. By default, it captures the entire packet, but you can say instead to capture a certain number of bytes of each packet. So our example would be -s 96, which says capture the first 96 bytes of every packet. That's just the headers, and you strip out all the payload information, so it could be useful if you're just trying to see who's talking to whom on the network. Next we have -v, and you can see that there are three versions of it: -v, -vv and -vvv. That's the verbosity level, how much of the information it's capturing you want it to print to the screen, which is helpful when you're using tcpdump as part of a script. I'll show you the difference between using -v and not using it. And then our last one is -w, which says write the packets out to a file. By default, if you don't use -w, tcpdump writes all the packets out to standard out, which is just the screen. So if you give it -w, you can say write all the packets out to a pcap file so that you can use it later with Wireshark or tshark to analyze. So with that, let's go through and run a couple of these commands. First we'll see what active interfaces we've got, and these are all the active interfaces on my computer. Now I'm running a Mac, so the interface names are a little different than you would find on a Linux machine, but en0 is the interface we're going to capture on; normally in a Linux environment it would be eth0. So I'm going to show you what a capture looks like: let's say -i en0, or I could put the number 1 there, because we ran tcpdump -D to find all the interfaces and en0 is the first interface. So we'll run that and you'll see that it prints everything to the screen. To stop it, I just hit Ctrl-C. You can see at the bottom it said 56 packets captured and no packets dropped.
So now that we've done that, you can see in a few of these that tcpdump has tried to convert port numbers and IP addresses. So let's run the same command, but give it -n and say don't do that, and I'll show you the difference. You can see the difference: all of these now have port numbers instead of it trying to convert them. Now let's look at the verbosity section, so I'm going to do -vvv for full verbosity. You noticed above we have basically one line for each packet that goes across. Now we're going to do the same thing, and as you can see, it prints a lot more of the metadata it can decipher from each packet when using -vvv. So let's capture a bit of traffic using tcpdump and write it out to a file. We're going to use the same command line switches and just add -w, and I'll call it test.pcap. That's going to save it in the current working directory. So we'll capture a couple of seconds' worth. You can see it's telling you how many packets it's got, and that seems like good enough. So open up Wireshark here and open it, and you can see that now we can go through each one of these and do our parsing if we want to. So I just want you to see this: these are the full packets. Now let me show you the difference between capturing the full packets and using the snap length to say just capture the headers. So I'm going to do -s and say 96, which is just the headers. We'll run that for a little bit. Okay, and now go back to Wireshark, open that file up again, and you can see that there's no data in any of these packets. So just by doing the snap length of 96, we can say no more data. So that's how you use tcpdump to do captures. In the next lecture, we're going to talk about capture filters and capturing just the data you want, so we'll see you in the next lecture. Bye.

19. TCPDUMP Filters:
Hey guys, welcome back to the Wireshark Crash Course, and in this lecture we're going to talk about tcpdump filters. What I've provided here is a cheat sheet that I created for you, and I'll provide that in the next lecture, but it goes over some common filters that we use all the time. tcpdump, unlike Wireshark, uses the Berkeley Packet Filter syntax. This is the same filter syntax we discussed when we talked about capture filters in Wireshark. It's very simple; it doesn't have the ability to actually go into the packet, do packet inspection, and decode the actual payloads. So, for example, here we've got host and then the IP address of the host; that's going to give you just packets to and from that specific IP address. The same goes just below it: you've got dst host and src host, the same thing, right? Show me all the packets where the IP address I provide is the destination IP address or the source. Then you can do ports: you can give port a specific number, or you can give it a range. And the same thing applies to ports, where you can add the dst and src modifiers to it. Then you can add tcp or udp to specify the protocol. And then finally we have our net command. What net does is say, instead of capturing from a specific host, we want to capture from an entire network, so in that case we need to give it a network mask. So if I wanted to capture all of my traffic, I would do net and then my network IP address and my network mask, and I'll show you an example of that here in a minute. But again, just like port and host, you can add the src and dst modifiers to that. Let's take a look and actually play with some of these. Let's run tcpdump and capture traffic to and from my computer.
So tcpdump -i, and I'm going to say en0, and host, and my IP address is 10.0.1.21, and you should see a whole bunch of packets come up here. So now I can say, OK, that's great, that's all my traffic. What if I want just web traffic? I want to add the and modifier and add port 80 to that. So then what I'm going to do is flip over to Chrome and go to Google, and you should see in my terminal a whole bunch of traffic that's just to port 80. You can see that the port is 80 on all of these. Okay, now finally I want to show you the same thing but for the network. So I'm going to run the same command, but instead of doing just mine, I want to put net and do .0, and I'm going to say /24. That says my entire network; /24 is my CIDR. I could also use a mask and do 255.255.255.0, but instead I'm going to use the CIDR range because I think it's easier. And this is listening to all of my traffic on my network. If I go back and refresh Google, I should see some traffic. Nope, it's cached. Let's try this. Yeah, you see a whole bunch of traffic here. So that is writing packet filters with tcpdump. Next lecture, we're going to talk about using that to carve larger data sets, so we'll see you in the next lecture. Bye.

20. TCPDUMP for Carving:
All right guys, welcome back to the Wireshark Crash Course. In this lecture, we're going to talk about using tcpdump to carve through larger pcap files. So what I've got here is a pcap that I downloaded from SANS. It's 160 megs and has a lot of traffic in it, so we're going to use that to do our packet carving. Just like in our previous lectures when we wrote capture filters, we're going to use those same filters to break out what we want from the larger pcap. So let me show you what I mean. First things first, the -r switch says read in a file.
So I read in that pcap file, and I want to see web traffic here. So I'm going to do tcp and port 80, and you can see that it goes through very quickly and prints out all of the HTTP traffic from that pcap. I can then take that and write it out to a file. You can see that was really quick. Now you can see that there's a difference in the file sizes. It's not a large difference, but it is a difference. So what if I just wanted to pull out traffic to and from a specific host? I happen to know that there's just a little bit of traffic from one host, an IP address, in this. So I'm going to change the write-out to say badip.pcap, and say host and put in that IP address. Now you can see that badip.pcap has about 80 K in it, as opposed to 160 megs. So 80 K is a lot easier to look at. So it's very similar to just writing your capture filters, but instead of capturing from an interface, you're going to read in a pcap and write out to another one. The beauty of this over using tshark, which is what I've shown you in the past, is that this is much, much faster. tshark, on a much larger pcap file, will probably take minutes, maybe hours, to carve out a several gigabyte pcap. I've seen tcpdump chew through a 12 gig pcap in about 30 seconds. So it's very, very quick. So that's it for the tcpdump carving section. If you guys have any more questions on tcpdump, please feel free to ask in the course discussion and I'll answer any questions you may have. So thanks again. Bye.
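The tshark field-extraction pipelines from lectures 15 and 16 (http.request.method and ip.dst piped through sort | uniq -c, the top-talker list) and the tcpdump snap length and host carving from lectures 18 and 20, as an added example that is not part of the course: a small Python script that reads and writes the classic pcap format itself, so it runs offline without tshark or tcpdump installed. All addresses, frames and timestamps are constructed for the demonstration, and IP/TCP checksums are left zero.

```python
# Added example, not the course's own code: a minimal pcap reader/writer that
# reproduces what the lectures do with tshark and tcpdump (field extraction,
# sort | uniq -c counting, snap length, host carving) on an in-memory capture.
import struct
from collections import Counter

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")

def build_frame(src, dst, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero (never for the wire)."""
    eth = b"\x00" * 12 + b"\x08\x00"                    # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)  # doff 5
    return eth + ip + tcp + payload

def write_pcap(frames, snaplen=65535):
    """Serialize (timestamp, frame) pairs as a classic pcap; snaplen truncates like -s."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        caplen = min(len(frame), snaplen)               # bytes kept vs. original length
        out += struct.pack("<IIII", ts, 0, caplen, len(frame)) + frame[:caplen]
    return out

def read_pcap(data):
    """Yield (timestamp, frame) for each record, like tcpdump/tshark -r."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off = 24
    while off + 16 <= len(data):
        ts, _, caplen, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts, data[off:off + caplen]
        off += caplen

def extract_fields(frame):
    """Equivalent of tshark -T fields -e ip.src -e ip.dst -e http.request.method."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                                     # not IPv4: nothing to extract
    ihl = (frame[14] & 0x0F) * 4
    row = {"ip.src": ".".join(map(str, frame[26:30])),
           "ip.dst": ".".join(map(str, frame[30:34])), "http.request.method": None}
    tcp_start = 14 + ihl
    if frame[23] == 6 and len(frame) >= tcp_start + 20:  # TCP with a complete header
        doff = (frame[tcp_start + 12] >> 4) * 4
        token = frame[tcp_start + doff:].split(b" ", 1)[0]
        if token in HTTP_METHODS:                        # payload survived the snaplen
            row["http.request.method"] = token.decode()
    return row

def count_field(pcap, field, where=lambda row: True):
    """tshark -r x.pcap [-Y filter] -T fields -e <field> | sort | uniq -c, as a Counter."""
    rows = (extract_fields(f) for _, f in read_pcap(pcap))
    return Counter(r[field] for r in rows if r and r[field] is not None and where(r))

def carve_host(pcap, host):
    """tcpdump -r in.pcap -w out.pcap host <ip>: keep only records to or from host."""
    kept = [(ts, f) for ts, f in read_pcap(pcap)
            if (r := extract_fields(f)) and host in (r["ip.src"], r["ip.dst"])]
    return write_pcap(kept)

# Constructed sample traffic: two clients and two web servers, all addresses made up.
SAMPLE_FRAMES = [
    (1, build_frame("10.0.1.21", "192.0.2.10", 51000, 80, b"GET / HTTP/1.1\r\n\r\n")),
    (2, build_frame("192.0.2.10", "10.0.1.21", 80, 51000, b"HTTP/1.1 200 OK\r\n\r\n")),
    (3, build_frame("10.0.1.21", "192.0.2.10", 51001, 80, b"POST /login HTTP/1.1\r\n\r\n")),
    (4, build_frame("10.0.1.22", "198.51.100.7", 52000, 80, b"GET /a.gif HTTP/1.1\r\n\r\n")),
    (5, build_frame("10.0.1.22", "198.51.100.7", 52001, 80, b"HEAD /x HTTP/1.1\r\n\r\n")),
]
FULL_PCAP = write_pcap(SAMPLE_FRAMES)
HEADERS_ONLY_PCAP = write_pcap(SAMPLE_FRAMES, snaplen=54)  # Ethernet + IPv4 + TCP headers only
```

Adding the two Counters from count_field(pcap, "ip.src") and count_field(pcap, "ip.dst") gives the lecture 16 top-talker list, and the headers-only capture still yields every address while every request method disappears, which is exactly the trade-off the snap length buys.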