1
00:00:00,000 --> 00:00:09,433



2
00:00:09,433 --> 00:00:14,144
Essentially, what's interesting about sample captures is

3
00:00:14,146 --> 00:00:16,737
for those of you new to Wireshark or

4
00:00:16,739 --> 00:00:22,256
have not necessarily worked with Wireshark for a long time,

5
00:00:22,256 --> 00:00:26,678
you may not know what it is 
that you're trying to look for.

6
00:00:26,678 --> 00:00:31,484
So as an example, with DHCP and DORA,

7
00:00:31,484 --> 00:00:35,158
you may not know what a complete DORA
is supposed to look like.

8
00:00:35,158 --> 00:00:42,632
So using sample captures is a way 
where you can really take a look at 

9
00:00:42,632 --> 00:00:47,180
what some of these captures should look like
so that you have a baseline.

10
00:00:47,180 --> 00:00:52,792
It helps you to study so that 
when you're looking up things in RFCs or

11
00:00:52,792 --> 00:00:57,727
if you're trying to figure out technically
how something should look,

12
00:00:57,727 --> 00:01:04,121
these sample captures will provide 
some guidance into how to do that.

13
00:01:04,121 --> 00:01:07,513
So this is not going to be an incredibly long module

14
00:01:07,513 --> 00:01:13,947
but it is an important one for those who are 
starting down the path of using Wireshark.

15
00:01:13,947 --> 00:01:17,012
One of the greatest things that I've seen

16
00:01:17,012 --> 00:01:20,218
about the Wireshark website is the community.

17
00:01:20,218 --> 00:01:25,371
It's got such a robust community of people
who are really interested

18
00:01:25,371 --> 00:01:28,879
in not only making this a great product but

19
00:01:28,873 --> 00:01:34,841
are really interested in helping each other 
learn and develop.

20
00:01:34,841 --> 00:01:38,074
I've gotten a great deal out of it over the years,

21
00:01:38,074 --> 00:01:42,670
and I try to participate as much as possible.

22
00:01:42,670 --> 00:01:47,921
It's really helpful to review a lot of this data

23
00:01:47,929 --> 00:01:51,258
and see what it is that they have to offer.

24
00:01:51,258 --> 00:01:55,625
So, I've pulled a lot of it down
and we'll review some of it in this module.

25
00:01:55,625 --> 00:02:00,631
But I would like to say that it's
in your best interest

26
00:02:00,631 --> 00:02:04,280
to definitely visit the website, 
go to the sample repository

27
00:02:04,280 --> 00:02:12,136
and start looking around and pulling 
some of the stuff and taking a look at it.

28
00:02:12,136 --> 00:02:16,629
A lot of what's on there, too, is actual problems.

29
00:02:16,629 --> 00:02:22,745
So, for example, some of the issues 
that we've seen as network engineers

30
00:02:22,745 --> 00:02:28,062
are things where we may have 
a problem with a handshake,

31
00:02:28,054 --> 00:02:30,996
or we may have a problem 
where we don't understand why 

32
00:02:31,002 --> 00:02:33,153
TCP is acting a certain way.

33
00:02:33,165 --> 00:02:36,932
If we get a whole bunch of reset packets,

34
00:02:36,946 --> 00:02:40,095
Is that abnormal, and why would that be abnormal?

35
00:02:40,093 --> 00:02:45,504
So when you look at these sample captures
there's some dialog with it as well

36
00:02:45,504 --> 00:02:49,753
to help you get through and understand 
some specifics as to what it is 

37
00:02:49,757 --> 00:02:52,517
and why it was captured.

38
00:02:52,527 --> 00:02:58,036
Other examples and some of the stuff 
that I've used extensively:

39
00:02:58,036 --> 00:03:01,171
when I started learning about version 6

40
00:03:01,171 --> 00:03:04,677
is actually running a capture on IP version 6 and just

41
00:03:04,677 --> 00:03:08,837
really taking a look inside the packet
and seeing what that's all about.

42
00:03:08,837 --> 00:03:14,613
So there's some extensive 
version 6 stuff up there as well.

43
00:03:14,613 --> 00:03:21,465
So to get this stuff, you can go to the Wireshark wiki.

44
00:03:21,473 --> 00:03:28,529
It's online at wiki.wireshark.org/SampleCaptures.
The URL is there.

45
00:03:28,529 --> 00:03:33,217
You can download and 
you could submit sample captures.

46
00:03:33,225 --> 00:03:41,145
So, I pulled the page so that we can see it.
I'll enlarge here for you.

47
00:03:41,150 --> 00:03:47,130
So as you can see 
there's a tremendous amount of data -

48
00:03:47,130 --> 00:03:52,841
there's SMB, there's ARP, 
there's Spanning Tree, Telnet.

49
00:03:52,841 --> 00:03:59,091
There's literally anything that it is that you would be

50
00:03:59,094 --> 00:04:02,602
interested in looking at that 
you may not have a baseline for.

51
00:04:02,604 --> 00:04:05,623
There's a lot of good stuff up here to check out.

52
00:04:05,623 --> 00:04:09,299
What I've also done is I've downloaded some of it

53
00:04:09,299 --> 00:04:13,700
so that you can get a bird's-eye view into what it is that

54
00:04:13,702 --> 00:04:16,696
you can actually download.

55
00:04:16,694 --> 00:04:20,234
So stand by, I'll pull it up in Wireshark.

56
00:04:20,234 --> 00:04:25,351
So what you can do from the launch page 
or the start page itself is

57
00:04:25,351 --> 00:04:34,004
in the File section, previously we were either 
starting a capture here in the Capture section

58
00:04:34,011 --> 00:04:37,256
or we were going to open one.
But what if we wanted to

59
00:04:37,274 --> 00:04:39,866
check out a sample capture?

60
00:04:39,866 --> 00:04:45,692
Well, there we go, and it'll take you directly to 
whatever it is that you want to see.

61
00:04:45,692 --> 00:04:56,274
You can select it and download it. 
So we'll pick something here.

62
00:04:56,274 --> 00:05:02,608
And as you can see, you have your pcap files.

63
00:05:02,608 --> 00:05:10,001
or your gzip-compressed file, 
so we'll just take something here, 6to4.

64
00:05:10,001 --> 00:05:17,561
And there you go. So as we were mentioning before

65
00:05:17,561 --> 00:05:20,547
one of the things that you can do is 

66
00:05:20,547 --> 00:05:25,607
download and navigate a whole bunch 
of sample captures for your review.

67
00:05:25,601 --> 00:05:29,395
Again, if you're not familiar with some of this stuff

68
00:05:29,395 --> 00:05:34,633
it is helpful to be able to download 
and check out some of the options.

69
00:05:34,633 --> 00:05:41,089
It's a great learning tool because 
one of the things that we've done in the past

70
00:05:41,089 --> 00:05:46,191
is be able to learn from example.

71
00:05:46,191 --> 00:05:51,439
I have in the past, set up some media labs

72
00:05:51,431 --> 00:05:55,644
in my house, at work, all over the place.

73
00:05:55,644 --> 00:06:00,831
And one of the things that I like to do is 
run Wireshark constantly against the labs

74
00:06:00,844 --> 00:06:05,537
so I'm aware of what the traffic looks 
like going from place to place.

75
00:06:05,537 --> 00:06:09,823
And when I come across protocols that I was not sure of

76
00:06:09,835 --> 00:06:12,663
or I was unaware of what they were really doing,

77
00:06:12,674 --> 00:06:18,454
I would commonly come to Wireshark,
just the website, the wiki,

78
00:06:18,454 --> 00:06:23,493
to see if anyone was discussing it and/or 
if there's a sample capture for it.

79
00:06:23,493 --> 00:06:37,908
So moving back into the module as we discussed

80
00:06:37,922 --> 00:06:42,799
find and download your captures and analyze them. 

81
00:06:42,811 --> 00:06:44,483
Check out what's in there.

82
00:06:44,508 --> 00:06:50,347
Download and, you know, 
play with what you like to see and

83
00:06:50,347 --> 00:06:56,385
you will find a great amount of sample 
captures for you to work through. 

84
00:06:56,385 --> 00:07:01,505
So, we pulled down one. There's obviously 
more that you can go through.

85
00:07:01,505 --> 00:07:05,274
This one here is some more IPv6.

86
00:07:05,274 --> 00:07:09,333
One of the things that came up in the questions was -

87
00:07:09,333 --> 00:07:15,073
it was asked, are we going to look at 
some way to find packet loss?

88
00:07:15,073 --> 00:07:19,622
So the answer to that question is yes.

89
00:07:19,622 --> 00:07:25,272
One of the ways to find packet loss is to first filter out

90
00:07:25,268 --> 00:07:28,754
the communication from a source to destination.

91
00:07:28,775 --> 00:07:30,631
So that you're just looking at that communication.

92
00:07:30,631 --> 00:07:32,482
Let's look at specifically,

93
00:07:32,482 --> 00:07:37,175
a client talking to a server and 
you want to see specifically,

94
00:07:37,187 --> 00:07:45,927
do you have any traffic loss or 
some packet loss between those hosts?

95
00:07:45,927 --> 00:07:51,796
So, that actually plays right into the next segment

96
00:07:51,826 --> 00:07:54,193
we're going to do which is on filters.

97
00:07:54,220 --> 00:07:59,536
So, as we've learned,
you can navigate Wireshark,

98
00:07:59,536 --> 00:08:00,864
you can capture data.

99
00:08:00,864 --> 00:08:04,479
You capture data from a source to a destination.

100
00:08:04,491 --> 00:08:07,015
You want to now analyze the saved capture.

101
00:08:07,015 --> 00:08:10,212
You want to filter specifically on that but

102
00:08:10,212 --> 00:08:17,561
one of the things that we will get into 
and learn about as we

103
00:08:17,561 --> 00:08:21,820
get through (here we go) 
as we get through our capture is

104
00:08:21,820 --> 00:08:25,808
we're going to look at statistics in a future module.

105
00:08:25,809 --> 00:08:29,444
So, as an example, if we wanted to look at packet loss,

106
00:08:29,493 --> 00:08:31,493
one of the things that we could do

107
00:08:31,541 --> 00:08:38,199
is we could look at the conversations in the capture.

108
00:08:38,193 --> 00:08:46,771
And here we could specifically filter out
which conversation and which direction.

109
00:08:46,771 --> 00:08:52,993
So it will be any to B, A to any. 
So here, if we just want to look from A to B,

110
00:08:52,993 --> 00:08:57,349
now we can start looking and 
one of the filters that we can apply

111
00:08:57,349 --> 00:09:02,292
I believe it's tcp.analysis.lost_segment, 
which would be a common one

112
00:09:02,292 --> 00:09:04,292
to look at round-trip time problems.

113
00:09:04,292 --> 00:09:11,937
So, the answer is yes. 
There is a way to look at the packet analysis.

114
00:09:11,937 --> 00:09:16,300
And the key to doing that is actually starting with a filter.

115
00:09:16,300 --> 00:09:25,769
So, without any further ado, we'll move in 
to the next module, which will be on filters.

116
00:09:25,769 --> 00:09:32,672
Alright, so why would we want to filter traffic?

117
00:09:32,672 --> 00:09:38,527
Before we start the module, 
we'll just highlight what we discussed earlier

118
00:09:38,527 --> 00:09:43,933
about capture filters and display filters.
We'll talk about it in the module but

119
00:09:43,933 --> 00:09:52,701
capture filters are again if you want to stop 
traffic from being captured at all in your capture.

120
00:09:52,740 --> 00:09:56,803
We don't want it to be seen. 
So again, a common scenario would be

121
00:09:56,803 --> 00:10:00,472
if I don't want to see any traffic 
for myself as a host, I can block 

122
00:10:00,479 --> 00:10:03,186
all that traffic and stop it completely.

123
00:10:03,191 --> 00:10:07,481
I will only capture other data promiscuously.

124
00:10:07,481 --> 00:10:13,721
However, a display filter would be 
all the data that I already captured

125
00:10:13,733 --> 00:10:18,404
what is it that I want to drill down to,
what would I want to find.

126
00:10:18,404 --> 00:10:24,414
