1
00:00:00,990 --> 00:00:06,900
Traffic enters a network interface card in binary form, one frame at a time.

2
00:00:06,900 --> 00:00:08,010
So there's an.

3
00:00:08,910 --> 00:00:09,240
Here.

4
00:00:09,240 --> 00:00:17,010
As you can see here, we have source IP, source port, and here Ethernet, Ethernet II, source address and

5
00:00:17,010 --> 00:00:18,390
so on.

6
00:00:18,570 --> 00:00:26,640
Type IPv4, Internet Protocol Version 4, flags, time to live 1, protocol UDP.

7
00:00:26,640 --> 00:00:31,230
And there's so much information that we will need to analyze, right?

8
00:00:31,290 --> 00:00:40,260
So, while this is the case, Wireshark uses the Enhanced Packet Analyzer, EPAN, which decodes the bits into

9
00:00:40,290 --> 00:00:41,880
human readable format.

10
00:00:41,880 --> 00:00:48,920
So let me take my pen to draw things on the screen and here apply.

11
00:00:48,930 --> 00:00:51,510
So this is our.

12
00:00:52,740 --> 00:00:53,490
Bits.

13
00:00:53,490 --> 00:00:56,390
So these are the hex codes and so on.

14
00:00:56,400 --> 00:01:02,400
So obviously you can't read this in your batteries, and there's some information about that.

15
00:01:02,400 --> 00:01:11,700
And here, after getting this raw information, Wireshark translates it with the Enhanced Packet Analyzer

16
00:01:11,700 --> 00:01:18,810
engine which decodes, as I said, decodes the bits into human readable format here.

17
00:01:19,970 --> 00:01:20,540
Perfect.

18
00:01:20,540 --> 00:01:24,340
So now we will step through the EPAN.

19
00:01:24,350 --> 00:01:29,690
So prior to 2006, Wireshark was called Ethereal.

20
00:01:30,440 --> 00:01:34,220
So, yeah, so the name has changed.

21
00:01:34,220 --> 00:01:38,030
However, obviously the main core is the same, right?

22
00:01:38,030 --> 00:01:44,570
So it is the packet analyzing engine for Wireshark that uses dissectors, also known as decoders.
23
00:01:45,140 --> 00:01:53,240
So the dissectors provide information on how to dissect the protocols in the proper format according

24
00:01:53,270 --> 00:01:58,160
to the appropriate Requests for Comments, RFCs, or other specifications.

25
00:01:58,160 --> 00:02:04,970
So EPAN contains four main APIs, of which the first is the protocol tree.

26
00:02:05,000 --> 00:02:06,230
Dissectors.

27
00:02:07,010 --> 00:02:12,020
Sorry for this: dissectors, dissector plugins and display filters.

28
00:02:12,800 --> 00:02:18,890
So we have the protocol tree, which displays the detailed analysis of a single packet.

29
00:02:18,890 --> 00:02:19,500
We can.

30
00:02:19,500 --> 00:02:26,070
We also have the dissectors, so these provide information on how to break down the protocols into the proper format.

31
00:02:26,100 --> 00:02:28,650
We also have the dissector plugins.

32
00:02:28,890 --> 00:02:31,680
So these use the dissectors as separate functions.

33
00:02:31,680 --> 00:02:38,370
And lastly, we have display filters, and these allow you to filter captured data.

34
00:02:38,370 --> 00:02:43,410
In most cases, Wireshark is able to correctly identify and dissect the protocol.

35
00:02:43,680 --> 00:02:47,310
However, there are times when you will need to help

36
00:02:47,760 --> 00:02:49,740
Wireshark decode the protocols, right?

37
00:02:49,740 --> 00:03:01,230
So you can achieve this by right-clicking on the frame here, and here you will go to Decode As here,

38
00:03:01,230 --> 00:03:04,890
which will bring up this dialog.

39
00:03:05,630 --> 00:03:05,960
Here.

40
00:03:05,960 --> 00:03:09,470
As you can see here, we have several options here.

41
00:03:09,470 --> 00:03:14,990
So once in this window, you can modify the values to match the appropriate protocol.

42
00:03:14,990 --> 00:03:20,510
And this function is very useful when protocols either don't have a dedicated port or they are running

43
00:03:20,510 --> 00:03:23,560
on a different port compared to the usual.
44
00:03:23,570 --> 00:03:29,960
For example, you should use Decode As when HTTP is running on port 88 instead of port 80.

45
00:03:30,200 --> 00:03:37,550
So once the bits have been converted into the proper format, the next step is to display the results in

46
00:03:37,580 --> 00:03:39,410
human readable format.

47
00:03:39,410 --> 00:03:42,590
So now let's display the result here.

48
00:03:42,590 --> 00:03:48,560
So in Wireshark, along with many other packet analysis tools, there are many options to enhance

49
00:03:48,560 --> 00:03:50,180
your graphical experience.

50
00:03:50,180 --> 00:03:57,440
So when you open a packet capture in Wireshark, the default layout for the main display is in

51
00:03:57,440 --> 00:04:00,950
the three panels which is here.

52
00:04:04,360 --> 00:04:06,240
Let me take my pen again.

53
00:04:06,250 --> 00:04:08,590
So this is our.

54
00:04:09,010 --> 00:04:09,790
Can you see it?

55
00:04:10,700 --> 00:04:11,120
Sorry.

56
00:04:12,830 --> 00:04:14,000
Please come.

57
00:04:14,780 --> 00:04:15,590
I guess we.

58
00:04:17,180 --> 00:04:17,840
Here.

59
00:04:18,140 --> 00:04:19,790
So to painting home.

60
00:04:20,330 --> 00:04:21,020
Gift home.

61
00:04:23,220 --> 00:04:23,910
Yes.

62
00:04:24,120 --> 00:04:24,800
Perfect.

63
00:04:24,810 --> 00:04:28,950
So here, this is our packet list.

64
00:04:28,950 --> 00:04:33,090
This tab we are using for is our packet list.

65
00:04:33,120 --> 00:04:36,990
These are the packet details here.

66
00:04:37,440 --> 00:04:44,730
These are the packet details, and obviously these are the raw format, which is the packet bytes.

67
00:04:45,260 --> 00:04:46,010
So.

68
00:04:47,090 --> 00:04:49,100
Uh, the packet list here.
69
00:04:49,430 --> 00:04:56,660
This is a list of all captured packets where each line represents a single packet. As you can

70
00:04:56,660 --> 00:05:01,790
see here, broadcast IP destination, source, destination, source, protocol, length, info, and so

71
00:05:01,790 --> 00:05:02,270
on.

72
00:05:02,360 --> 00:05:05,570
Everything has a source and destination, right?

73
00:05:06,140 --> 00:05:08,750
This was so philosophical here.

74
00:05:09,440 --> 00:05:12,890
So we also have packet details.

75
00:05:12,890 --> 00:05:20,900
So here, this is the packet details that displays the details of a single packet and includes the protocols

76
00:05:20,900 --> 00:05:22,240
and field values.

77
00:05:22,250 --> 00:05:30,980
It also displays Wireshark specific hints, for example, when examining the TCP here, let's choose

78
00:05:30,980 --> 00:05:32,600
some TCP here.

79
00:05:32,870 --> 00:05:34,030
TCP, oops.

80
00:05:34,070 --> 00:05:36,920
Of course we have to use, uh, here.

81
00:05:36,920 --> 00:05:38,670
So this is our TCP.

82
00:05:39,200 --> 00:05:45,620
So when you are examining a Transmission Control Protocol header, you will see the stream index listed

83
00:05:45,620 --> 00:05:49,140
below the source and destination ports, right?

84
00:05:49,260 --> 00:05:56,550
However, there is no field value called the stream index, and a stream is a communication between

85
00:05:56,550 --> 00:06:04,880
two endpoints that comprises the endpoint A socket and the endpoint B socket.

86
00:06:04,890 --> 00:06:09,240
So to help you keep track of all those streams.

87
00:06:10,110 --> 00:06:15,510
Wireshark lists each stream in a TCP header.

88
00:06:15,600 --> 00:06:18,990
Here we have Transmission Control Protocol.

89
00:06:18,990 --> 00:06:25,260
Let's actually here you can also send protocol here, open this tab, Transmission Control Protocol.

90
00:06:25,260 --> 00:06:29,490
And as you can see here, stream index 1.
91
00:06:29,490 --> 00:06:31,080
That's kind of, kind of here.

92
00:06:31,080 --> 00:06:31,470
Yeah.

93
00:06:31,470 --> 00:06:32,970
Stream index 1.

94
00:06:32,970 --> 00:06:35,400
So I hope you see clearly.

95
00:06:35,400 --> 00:06:37,710
So stream index 1.

96
00:06:38,160 --> 00:06:45,300
So this is what I called endpoint A and endpoint B socket, which is.

97
00:06:46,590 --> 00:06:48,710
Uh, source and destination ports.

98
00:06:48,720 --> 00:06:55,830
However, there is no field called stream index in some cases, and that's how you can bring it up.

99
00:06:56,350 --> 00:06:59,130
And we also have packet bytes.

100
00:06:59,140 --> 00:07:03,970
This is a hexadecimal representation of a single packet as shown.

101
00:07:04,210 --> 00:07:13,180
As you can see here, and any plaintext data is displayed on the right-hand side, as you can see here,

102
00:07:13,210 --> 00:07:17,830
this link dot net something, something here.

103
00:07:22,180 --> 00:07:27,910
Yes, let's get some meaningful text here because it happens sometimes, right?

104
00:07:28,980 --> 00:07:30,000
Okay.

105
00:07:33,410 --> 00:07:39,050
You can also use your arrow keys to get user information and.

106
00:07:39,050 --> 00:07:40,610
Okay, here.

107
00:07:40,640 --> 00:07:41,480
Perfect.

108
00:07:42,230 --> 00:07:43,010
That's it.

109
00:07:43,010 --> 00:07:44,290
That's our request.

110
00:07:44,300 --> 00:07:46,260
The HTTP request.

111
00:07:46,280 --> 00:07:47,180
So.

112
00:07:48,450 --> 00:07:54,390
Yeah, this is a hexadecimal representation of a single packet that's shown here, and any plaintext

113
00:07:54,390 --> 00:07:56,880
data is displayed on the right side.

114
00:07:57,090 --> 00:08:01,710
And these are the hexadecimal; this turned to.

115
00:08:02,860 --> 00:08:03,520
Our.

116
00:08:04,400 --> 00:08:05,180
Texts.

117
00:08:05,180 --> 00:08:12,050
And after that, if it's not enough for you, Wireshark, like, analyzes it itself.
118
00:08:12,050 --> 00:08:18,800
And here request version, request URI, request method, POST request and so on.

119
00:08:19,430 --> 00:08:24,530
In the next lecture, we will also learn how to change the layout, how to analyze the packet capture,

120
00:08:24,530 --> 00:08:25,550
and so on.

121
00:08:25,580 --> 00:08:26,960
I'll be waiting for you in the next lecture.