WEBVTT 1 00:00:00.080 --> 00:00:02.759 All right, ready to jump into wire Shark. I know 2 00:00:02.799 --> 00:00:05.480 you want to understand network analysis, and these excerpts from 3 00:00:05.519 --> 00:00:08.199 wire Shark one oh one are a great place to start. 4 00:00:08.279 --> 00:00:09.160 Yeah, it's gonna be good. 5 00:00:09.240 --> 00:00:11.679 We'll go way beyond just definitions today to see what 6 00:00:11.759 --> 00:00:13.119 this tool can really do. 7 00:00:13.119 --> 00:00:15.519 Like getting X ray vision into your network. 8 00:00:15.759 --> 00:00:20.199 Ooh, that sounds promising, but I'm always a bit skeptical 9 00:00:20.239 --> 00:00:24.199 of anything that claims to be magic. Yeah, so really, 10 00:00:24.280 --> 00:00:26.839 what is wire shark and what can it actually do? O? 11 00:00:27.160 --> 00:00:29.359 Think of it like this. It's a microscope. 12 00:00:29.440 --> 00:00:29.839 I like that. 13 00:00:29.960 --> 00:00:31.239 Yeah, for your network traffic. 14 00:00:31.280 --> 00:00:31.600 Okay. 15 00:00:31.839 --> 00:00:34.759 It captures and decodes the tiny packets that make up 16 00:00:34.799 --> 00:00:39.600 all your online activity, emails, browsing, everything. You get to 17 00:00:39.640 --> 00:00:42.320 see the nuts and bolts of how your network works. 18 00:00:42.359 --> 00:00:44.640 So I can see every single dday. 19 00:00:44.560 --> 00:00:47.280 Every single detail. It's super powerful, but it's not a 20 00:00:47.359 --> 00:00:50.119 magic wand Oh okay, so you might see a spike 21 00:00:50.159 --> 00:00:53.119 in traffic, but wireshark won't tell you why. It gives 22 00:00:53.119 --> 00:00:55.840 you the raw data, but you've got to interpret it 23 00:00:55.880 --> 00:00:57.200 and figure out what's causing it. 24 00:00:57.439 --> 00:00:59.960 Ah. So like being handed a box of puzzle pieces, 25 00:01:00.600 --> 00:01:02.520 we've got to figure out how they all fit together 26 00:01:02.560 --> 00:01:05.760 to see the bigger picture exactly. Okay, that makes sense now. 27 00:01:05.760 --> 00:01:09.239 The book mentions Gerald Combs, the creator of wire Shark. Okay, 28 00:01:09.439 --> 00:01:12.400 and what's really interesting is how his struggles with early 29 00:01:12.519 --> 00:01:17.439 network tools inspired him to create it. Imagine trying to 30 00:01:17.560 --> 00:01:22.120 diagnose a network problem with only basic pulse readings. 31 00:01:22.280 --> 00:01:24.400 That's like trying to fix a car engine just by 32 00:01:24.439 --> 00:01:27.879 listening to it. No wonder, he wanted something better exactly. 33 00:01:28.519 --> 00:01:31.400 He later had access to better tools, but they weren't 34 00:01:31.400 --> 00:01:34.879 always available. Okay, So that's when he started developing a 35 00:01:34.959 --> 00:01:40.319 protocol analyzer, which eventually became wire Shark thanks to contributions 36 00:01:40.319 --> 00:01:42.760 from a bunch of people. Oh wow, a bunch of people. 37 00:01:42.879 --> 00:01:46.079 So that's the origin story. But let's fast forward to today. 38 00:01:46.120 --> 00:01:49.599 How would we use wire shark in a typical analysis session. 39 00:01:49.799 --> 00:01:52.840 Well, the first thing you need to do is capture traffic. Okay, 40 00:01:52.920 --> 00:01:55.680 But here's where things get interesting. Where you capture that 41 00:01:55.719 --> 00:01:57.680 traffic makes a huge difference. 42 00:01:57.680 --> 00:02:00.200 Hold on, doesn't all network traffic look the same? Why 43 00:02:00.200 --> 00:02:01.200 would location matter? 44 00:02:01.480 --> 00:02:03.959 Not at all? Okay, think of it like intercepting a 45 00:02:04.079 --> 00:02:07.519 letter at different points in its journey. Right, The stamps 46 00:02:07.519 --> 00:02:09.400 and markings would tell you about its route. 47 00:02:09.439 --> 00:02:12.080 Okay, I get the analogy. Yeah, the book uses the 48 00:02:12.120 --> 00:02:16.719 example of an HTTP get request. Yeah, can you walk 49 00:02:16.719 --> 00:02:17.120 me through that. 50 00:02:17.479 --> 00:02:21.919 Absolutely. Imagine you're requesting a web page. If you capture 51 00:02:21.919 --> 00:02:25.280 traffic at your computer, you see the initial request with 52 00:02:25.360 --> 00:02:29.400 your MAC address and the website's IP address. But as 53 00:02:29.439 --> 00:02:33.800 that request travels through routers, they modify the frame, changing 54 00:02:34.039 --> 00:02:38.319 MC addresses to forward it toward the destination. Okay, finally 55 00:02:38.479 --> 00:02:41.120 at the server you see the final version of the frame. 56 00:02:41.159 --> 00:02:44.080 Got it with the server's MC address and your original 57 00:02:44.120 --> 00:02:47.039 request data. Each capture point tells a different part of 58 00:02:47.039 --> 00:02:47.520 the story. 59 00:02:47.639 --> 00:02:51.840 So we're basically tracing the letter's journey through the postal system. Yes, 60 00:02:51.919 --> 00:02:54.360 except it's a data packet through the network exactly. 61 00:02:54.599 --> 00:02:57.080 And speaking of tracing journeys, let's talk about the wire 62 00:02:57.120 --> 00:03:00.400 Shark interface. Okay, it can be a bit overwhelming at first, 63 00:03:00.479 --> 00:03:01.800 but we can break it down. 64 00:03:02.039 --> 00:03:04.560 Please do. I've seen screenshots and it looks a bit 65 00:03:04.759 --> 00:03:06.080 like a pilot's cockpit. 66 00:03:06.159 --> 00:03:08.680 Ahha, Well, you won't be flying a plane, yeah, but 67 00:03:08.759 --> 00:03:11.639 you will be navigating a lot of data. The packet 68 00:03:11.639 --> 00:03:14.199 list is your overview. It's kind of like a table 69 00:03:14.240 --> 00:03:17.680 of contents. The packet details. That's where things get interesting. 70 00:03:18.159 --> 00:03:21.120 It's like opening the letter and reading what's inside. Okay, 71 00:03:21.240 --> 00:03:23.960 and then you have the display filter that's your search 72 00:03:24.000 --> 00:03:25.759 bar to help you find what you need. 73 00:03:25.919 --> 00:03:27.800 Okay, So those are the key elements that I should 74 00:03:27.840 --> 00:03:30.680 focus on as a beginner, exactly. Okay, But I can 75 00:03:30.800 --> 00:03:34.800 only imagine how much data wire shark can capture, especially 76 00:03:34.879 --> 00:03:37.960 in a busy network. Oh yeah, wouldn't that be super overwhelming? 77 00:03:38.199 --> 00:03:41.400 You're absolutely right. In a busy network, you're dealing with 78 00:03:41.439 --> 00:03:45.280 a fire hose of data. Trying to capture everything would 79 00:03:45.280 --> 00:03:48.520 be like drinking from a fire hose. If Wireshark tries 80 00:03:48.560 --> 00:03:50.680 to capture it all, it can get overwhelmed, and then 81 00:03:50.719 --> 00:03:53.840 you end up with incomplete data and inaccurate analysis. 82 00:03:53.919 --> 00:03:56.960 Okay, So how do we tame this data beast? 83 00:03:57.080 --> 00:04:02.120 We have strategies. Okay, let's he first up, capture filters. 84 00:04:02.719 --> 00:04:05.120 Think of them like a bouncer at a club, only 85 00:04:05.199 --> 00:04:09.039 letting in the traffic you're interested in. Want, just web traffic. Sure, 86 00:04:09.280 --> 00:04:12.240 capture filters can do that, reducing the load on wire 87 00:04:12.280 --> 00:04:14.240 Shark and making your analysis much easier. 88 00:04:14.319 --> 00:04:15.159 Okay, that makes sense. 89 00:04:15.639 --> 00:04:19.000 What are the other strategies, Well, imagine taking a huge 90 00:04:19.040 --> 00:04:23.560 stack of papers and dividing them into smaller labeled folders. Okay, 91 00:04:23.720 --> 00:04:26.839 that's captured of file sets. It breaks the data into 92 00:04:26.879 --> 00:04:29.120 manageable chunks, so wire shark doesn't choke. 93 00:04:29.360 --> 00:04:32.439 Okay, Divide and conquer makes sense. What's the last one. 94 00:04:32.560 --> 00:04:35.959 The final strategy is ring buffers. It's like a conveyor belt. 95 00:04:36.519 --> 00:04:40.680 New data comes in, old data gets pushed off and deleted, okay, 96 00:04:40.759 --> 00:04:41.759 preventing overload. 97 00:04:41.839 --> 00:04:43.680 So it's like a first in, first out kind of thing. 98 00:04:43.759 --> 00:04:46.720 Exactly. You're always focused on the most recent activity. 99 00:04:47.120 --> 00:04:49.800 Right. So we've got these strategies for managing the data flow, 100 00:04:50.480 --> 00:04:55.040 but filtering during capture seems a bit limiting. What if 101 00:04:55.079 --> 00:04:57.160 I want to analyze the data differently later on. 102 00:04:57.360 --> 00:04:59.800 That's a great point. That's where display filters come in. 103 00:05:00.000 --> 00:05:00.439 Oh okay. 104 00:05:00.639 --> 00:05:04.040 Unlike capture filters, which work during capture, display filters let 105 00:05:04.040 --> 00:05:06.439 you focus on traffic after you've captured it. They're way 106 00:05:06.439 --> 00:05:07.120 more flexible. 107 00:05:07.399 --> 00:05:10.199 So display filters are like refining a search after you've 108 00:05:10.199 --> 00:05:11.160 gathered all the results. 109 00:05:11.199 --> 00:05:13.600 You got it. The book mentions that they use a 110 00:05:13.639 --> 00:05:17.800 specific syntax, which can be tricky at first, right, but 111 00:05:17.920 --> 00:05:20.839 with practice, you'll become fluent in display filters. 112 00:05:21.000 --> 00:05:24.399 Practice makes perfect. The book mentions some examples like filtering 113 00:05:24.439 --> 00:05:26.839 by IP address. Could you expand on that a little? 114 00:05:27.040 --> 00:05:30.839 Yeah, sure, it's super useful for isolating traffic from a 115 00:05:30.879 --> 00:05:34.639 specific device or network. You can also filter by protocol 116 00:05:34.759 --> 00:05:38.879 like HTTP or DNS to zero in on specific types 117 00:05:38.879 --> 00:05:42.639 of communication. You can even filter by TCP flags, those 118 00:05:42.639 --> 00:05:44.160 signals that control data flow. 119 00:05:44.519 --> 00:05:47.120 So many options. I'm guessing we can combine these filters 120 00:05:47.199 --> 00:05:49.480 for like laser focused analysis. 121 00:05:49.519 --> 00:05:53.399 Absolutely, you can use logical operators like ND or NOT 122 00:05:53.639 --> 00:05:57.240 to create complex filters. It's like building a super precise query. 123 00:05:57.519 --> 00:05:58.879 But for network data. 124 00:05:58.959 --> 00:06:01.759 All this filtering talk makes me realize how important it 125 00:06:01.839 --> 00:06:04.639 is to actually understand the data we're capturing. Can we 126 00:06:04.639 --> 00:06:07.600 talk more about the packet details pain? What secrets are 127 00:06:07.639 --> 00:06:08.240 hidden in there? 128 00:06:08.319 --> 00:06:10.800 It's where the magic happens. It's like opening the envelope 129 00:06:10.800 --> 00:06:14.639 and seeing the message inside. The Packet details pain breaks 130 00:06:14.680 --> 00:06:18.399 down each data packet by individual protocols. It's like a 131 00:06:18.399 --> 00:06:21.319 family tree of protocols and data fields. 132 00:06:21.000 --> 00:06:23.160 A family tree of data. That's an interesting way to 133 00:06:23.160 --> 00:06:25.480 put it. So, how does it actually help us make 134 00:06:25.519 --> 00:06:26.639 sense of all this information? 135 00:06:26.759 --> 00:06:31.480 Each protocol like IP or TCP is decoded by a dissector. 136 00:06:31.560 --> 00:06:35.160 They're like expert translators, right, turning raw data into human 137 00:06:35.199 --> 00:06:38.839 readable fields. Okay, you see things like source and destination, 138 00:06:38.959 --> 00:06:42.519 IP addresses, port numbers, those TCP flags we mentioned, and 139 00:06:42.560 --> 00:06:43.439 a lot more so. 140 00:06:43.600 --> 00:06:46.839 Dissectors are like the key to understanding the language of 141 00:06:46.879 --> 00:06:47.399 the network. 142 00:06:47.600 --> 00:06:52.120 Exactly the information you see depends on the specific protocols used, 143 00:06:52.360 --> 00:06:55.800 and HTTP packet will have different fields than a DNS packet. 144 00:06:56.000 --> 00:06:56.240 Okay. 145 00:06:56.399 --> 00:06:59.560 You can even customize the pain by expanding or collaxing 146 00:06:59.600 --> 00:07:01.040 sections to focus your view. 147 00:07:01.560 --> 00:07:03.800 Is making a lot more sense Now, I'm starting to 148 00:07:03.800 --> 00:07:06.439 feel like I could navigate a wire shark capture. Yeah, 149 00:07:06.439 --> 00:07:10.199 but we've been talking about individual packets. What about analyzing 150 00:07:10.240 --> 00:07:13.399 the flow of communication between devices? That seems like it 151 00:07:13.399 --> 00:07:15.480 would involve a lot of back and forth exchanges. 152 00:07:15.600 --> 00:07:18.800 You're spot on. Trying to understand a conversation by looking 153 00:07:18.839 --> 00:07:21.560 at individual packets is like trying to follow a story 154 00:07:21.600 --> 00:07:25.199 by reading random sentences. We need to reassemble the traffic 155 00:07:25.240 --> 00:07:26.439 into a stream to make. 156 00:07:26.319 --> 00:07:28.680 Sense of it, right, right, right? Okay, so how do 157 00:07:28.720 --> 00:07:30.800 we put the pieces of the puzzle back together in 158 00:07:30.839 --> 00:07:31.399 wire shark? 159 00:07:31.959 --> 00:07:34.720 Well, wire Shark has several ways to do that. For 160 00:07:34.879 --> 00:07:39.720 TCP and UDP conversations. Okay, we have follow TCP stream 161 00:07:39.920 --> 00:07:43.360 and follow UDP stream Okay. They gather all the packets 162 00:07:43.399 --> 00:07:46.120 that belong to a specific conversation and display them in 163 00:07:46.160 --> 00:07:48.839 a separate window so you can easily follow the flow. 164 00:07:49.040 --> 00:07:50.240 That sounds super helpful. 165 00:07:50.360 --> 00:07:50.560 Yeah. 166 00:07:50.560 --> 00:07:52.879 What if I want to actually extract files that were 167 00:07:52.920 --> 00:07:56.319 transferred during a communication, like if someone send a document 168 00:07:56.360 --> 00:07:57.199 over the network. 169 00:07:57.319 --> 00:08:00.160 For that, we have the export objects feature. Okay, you 170 00:08:00.160 --> 00:08:04.759 can extract files transferred within specific protocols like HTTP or SMB. 171 00:08:04.959 --> 00:08:07.319 So it's like pulling the attachments out of a series 172 00:08:07.360 --> 00:08:07.920 of emails. 173 00:08:08.000 --> 00:08:08.839 Yes, exactly. 174 00:08:09.000 --> 00:08:11.480 Wow, I didn't realize wire Shark could do that. It's 175 00:08:11.480 --> 00:08:16.160 pretty impressive. Are there any tips for using that export 176 00:08:16.199 --> 00:08:18.519 object's feature effectively? Yeah? 177 00:08:18.519 --> 00:08:21.360 One important thing is to make sure you enable the 178 00:08:21.720 --> 00:08:26.959 allow subdissector to reassemble TCP streams preference. Okay, otherwise you 179 00:08:27.040 --> 00:08:28.279 might not get the complete files. 180 00:08:28.759 --> 00:08:30.560 Good to know. I'll make a note of that. But 181 00:08:30.600 --> 00:08:33.559 before we move on, I wanted to ask about annotations. Yeah, 182 00:08:33.600 --> 00:08:35.759 the book mentions them, and I'm curious how they fit 183 00:08:35.840 --> 00:08:37.399 into this whole wire Shark. 184 00:08:37.360 --> 00:08:41.360 Workflow annotations are your personal notes and observations. 185 00:08:41.480 --> 00:08:41.799 Okay. 186 00:08:41.960 --> 00:08:44.120 Think of it like writing in the margins of a book, 187 00:08:44.320 --> 00:08:47.679 highlighting things you want to remember. You can add comments 188 00:08:47.759 --> 00:08:50.480 to individual packets or the entire capture file. 189 00:08:50.600 --> 00:08:53.519 So it's about documenting our thought process exactly. Okay. 190 00:08:53.600 --> 00:08:56.960 And here's the best part. You can export those annotations 191 00:08:56.960 --> 00:09:00.360 in different formats like plain text or CSV, so you 192 00:09:00.399 --> 00:09:03.039 can share your analysis or include it in reports. 193 00:09:03.320 --> 00:09:06.519 That's fantastic. Now we're not just analyzing, we're collaborating and 194 00:09:06.559 --> 00:09:09.639 sharing what we find. But speaking of sharing, can we 195 00:09:09.679 --> 00:09:12.240 circle back to dissectors for a second. We talked about 196 00:09:12.279 --> 00:09:16.279 how they break down protocols. What happens if wire Shark 197 00:09:16.799 --> 00:09:20.399 doesn't have the right dissector for a certain type of traffic. 198 00:09:20.519 --> 00:09:24.639 That's a great question. Yeah, sometimes you might encounter traffic 199 00:09:24.720 --> 00:09:28.000 on a non standard port or maybe a brand new 200 00:09:28.000 --> 00:09:30.240 protocol that wire Shark hasn't seen before. 201 00:09:30.360 --> 00:09:33.000 So does wire Shark just give up in those situations? 202 00:09:33.039 --> 00:09:37.240 Not at all? Okay, it has heuristic dissectors. They try 203 00:09:37.240 --> 00:09:40.320 to figure out the protocol based on patterns in the data. 204 00:09:40.679 --> 00:09:40.919 Okay. 205 00:09:41.000 --> 00:09:43.720 Think of them as detectives searching for clues. 206 00:09:44.200 --> 00:09:48.240 Ah. So even if wire Shark doesn't immediately recognize the traffic, 207 00:09:48.519 --> 00:09:49.960 it still tries to make sense of it. 208 00:09:50.120 --> 00:09:53.000 Exactly, and if the heuristic dissectors can't figure it out, 209 00:09:53.039 --> 00:09:56.080 it will often display the data as data indicating it 210 00:09:56.120 --> 00:09:58.919 needs some help. You can manually force a dissector if 211 00:09:58.960 --> 00:09:59.840 you know the protocol. 212 00:10:00.000 --> 00:10:02.080 Wait, so we can actually tell wire shark what it's 213 00:10:02.120 --> 00:10:03.840 looking at. Yes, okay, awesome. 214 00:10:03.879 --> 00:10:06.759 It's a bit more advanced, but very useful when wire 215 00:10:06.799 --> 00:10:07.879 shark needs a nudge. 216 00:10:08.080 --> 00:10:11.639 That's impressive. Yeah, I'm really starting to see the flexibility 217 00:10:11.639 --> 00:10:15.000 and control that wire Shark gives you. But you mentioned 218 00:10:15.080 --> 00:10:19.320 earlier that there are some more powerful tools, especially for 219 00:10:19.399 --> 00:10:20.039 power users. 220 00:10:20.200 --> 00:10:20.600 Yeah. 221 00:10:20.679 --> 00:10:22.840 Can we talk about those command line tools a bit more. 222 00:10:22.919 --> 00:10:26.559 Absolutely, if you're comfortable with a command prompt or terminal, 223 00:10:26.639 --> 00:10:30.399 these tools are game changers. Okay, for massive traffic volumes 224 00:10:30.399 --> 00:10:34.279 that would overwhelm the graphical interface, we have dump cap out. 225 00:10:34.440 --> 00:10:36.600 It's like the industrial strength capture tool. 226 00:10:36.799 --> 00:10:37.159 Got it. 227 00:10:37.279 --> 00:10:39.200 And then there's t shark, which is like the command 228 00:10:39.240 --> 00:10:41.519 line twin of the wire shark GUI. 229 00:10:41.799 --> 00:10:42.200 Okay. 230 00:10:42.279 --> 00:10:44.240 It lets you do pretty much anything you can in 231 00:10:44.279 --> 00:10:47.240 the graphical interface, but with the power of the command line. 232 00:10:47.279 --> 00:10:51.159 So I could filter traffic, extract data, even create custom 233 00:10:51.159 --> 00:10:54.240 analysis scripts, all without opening the wire. 234 00:10:54.039 --> 00:10:58.159 Shark application precisely. T shark is incredibly powerful, a real 235 00:10:58.240 --> 00:11:01.559 time saver for anyone who analys as network traffic regularly. 236 00:11:01.600 --> 00:11:02.960 It's definitely worth exploring. 237 00:11:03.159 --> 00:11:05.320 This is all so exciting, I'm feeling ready to conquer 238 00:11:05.320 --> 00:11:08.000 the world of network analysis. But before I get to 239 00:11:08.039 --> 00:11:11.399 ahead of myself, are there any common pitfalls or mistakes 240 00:11:11.440 --> 00:11:13.559 that beginners like me should watch out for? 241 00:11:14.399 --> 00:11:16.279 Well, there are a few things to keep in mind. 242 00:11:16.799 --> 00:11:20.159 First and foremost, always make sure you have permission to 243 00:11:20.240 --> 00:11:21.519 capture network traffic. 244 00:11:21.679 --> 00:11:23.679 Oh right, of course, capturing. 245 00:11:23.279 --> 00:11:26.559 Without permission can be unethical and even illegal, so get 246 00:11:26.559 --> 00:11:29.159 the necessary approvals before you start sniffing. 247 00:11:29.519 --> 00:11:33.440 That's an important reminder. Ethics are important even in the 248 00:11:33.480 --> 00:11:35.720 digital world. What other tips do you have? 249 00:11:36.000 --> 00:11:39.559 Another common mistake is using filters that are too restrictive. 250 00:11:40.039 --> 00:11:43.720 It's tempting to narrow down the data as much as possible, right, 251 00:11:43.879 --> 00:11:46.480 but you might accidentally filter out important information. 252 00:11:46.600 --> 00:11:49.720 So it's about finding that balance, being focused, but also 253 00:11:49.840 --> 00:11:52.000 keeping an open mind to data that we might not 254 00:11:52.080 --> 00:11:53.679 be expecting exactly. 255 00:11:54.159 --> 00:11:56.840 And finally, don't be afraid to ask for help. 256 00:11:57.039 --> 00:11:57.720 Oh good point. 257 00:11:58.039 --> 00:12:01.759 The wireshirt community is incredibly welcoming and supportive. If you 258 00:12:01.799 --> 00:12:04.919 get stuck, there are tons of resources like the wire 259 00:12:04.960 --> 00:12:07.240 shark Q and a forum where you can get expert help. 260 00:12:07.600 --> 00:12:10.120 That's great to know there's a community out there. Before 261 00:12:10.120 --> 00:12:12.159 we move on, I wanted to touch on security. It's 262 00:12:12.200 --> 00:12:14.159 a big concern for everyone these days. 263 00:12:13.919 --> 00:12:14.200 It is. 264 00:12:14.440 --> 00:12:15.639 Can wire Shark help with that? 265 00:12:15.840 --> 00:12:19.720 Absolutely? Security is paramount. Wire Shark is a really valuable 266 00:12:19.720 --> 00:12:24.080 tool for identifying vulnerabilities and analyzing suspicious activity. It's like 267 00:12:24.159 --> 00:12:26.039 having a security camera for your network. 268 00:12:26.080 --> 00:12:28.559 So it's not just about troubleshooting performance. It can actually 269 00:12:28.639 --> 00:12:30.000 help us protect our networks. 270 00:12:30.120 --> 00:12:33.799 Yes, you can use it to detect malware traffic, pinpoint 271 00:12:33.879 --> 00:12:38.399 unauthorized access attempts, even analyze how attackers are communicating. It's 272 00:12:38.440 --> 00:12:39.480 a powerful tool. 273 00:12:39.759 --> 00:12:43.480 Wow, that's really impressive. I'm seeing wire Shark at a 274 00:12:43.480 --> 00:12:47.879 whole new light now. But analyzing security related traffic sounds 275 00:12:47.879 --> 00:12:49.679 like it needs some pretty specialized knowledge. 276 00:12:49.720 --> 00:12:53.840 You're right, Yeah, security analysis can be quite complex. It 277 00:12:53.879 --> 00:12:59.000 often involves understanding various types of attacks, malware signatures, network 278 00:12:59.039 --> 00:12:59.960 security protocol. 279 00:13:00.639 --> 00:13:03.600 So we need more than just knowing how to use 280 00:13:03.639 --> 00:13:07.519 wire Shark. We need a good foundation in network security 281 00:13:07.600 --> 00:13:08.919 principles precisely. 282 00:13:09.759 --> 00:13:12.639 Thankfully, there are lots of resources available to help you 283 00:13:12.720 --> 00:13:17.440 learn those skills. You can find courses, online, books, training 284 00:13:17.480 --> 00:13:19.960 materials that focus on network security analysis. 285 00:13:20.039 --> 00:13:23.080 Right, I'm definitely going to look into those. But before 286 00:13:23.080 --> 00:13:25.759 we get too deep into security, let's talk about some 287 00:13:25.879 --> 00:13:29.639 of the everyday uses of wire Shark. You mentioned troubleshooting 288 00:13:29.679 --> 00:13:33.200 performance issues. Can you give me some real world examples 289 00:13:33.240 --> 00:13:34.919 of how wire shark can help with that? 290 00:13:35.600 --> 00:13:39.919 Of course, let's say you're experiencing slow website loading times. 291 00:13:40.480 --> 00:13:43.159 With wire shark, you can capture traffic between your computer 292 00:13:43.360 --> 00:13:46.399 and the website server. Okay, by analyzing the timing of 293 00:13:46.440 --> 00:13:48.919 those packets, you might discover a bottleneck. 294 00:13:49.039 --> 00:13:51.960 So it's like a network detective helping us pinpoint where 295 00:13:51.960 --> 00:13:53.200 the problem is exactly. 296 00:13:53.240 --> 00:13:56.519 It could be a slow router, congested link, or even 297 00:13:56.519 --> 00:13:59.159 a problem with the website server itself. Makes sense, Once 298 00:13:59.200 --> 00:14:01.240 you've identified it, you can start fixing it. 299 00:14:01.519 --> 00:14:05.279 Right. What other troubleshooting situations can benefit from wire Shark? 300 00:14:05.559 --> 00:14:09.240 Troubleshooting application connectivity issues is another big one. If you're 301 00:14:09.279 --> 00:14:12.600 having trouble connecting to a particular app or service. Yeah, 302 00:14:12.679 --> 00:14:14.080 wire Shark can help there too. 303 00:14:14.279 --> 00:14:14.600 Okay. 304 00:14:14.799 --> 00:14:18.039 By looking at the communication, you might find a firewalls 305 00:14:18.080 --> 00:14:23.159 blocking traffic, there's a DNS problem, or a misconfigured port setting. 306 00:14:23.320 --> 00:14:25.519 So it's not just about the network itself, but how 307 00:14:25.600 --> 00:14:27.000 applications interact with it. 308 00:14:27.120 --> 00:14:29.679 You got it. Wireshark gives you that inside view of 309 00:14:29.720 --> 00:14:33.279 the whole communication process. You can see how applications send 310 00:14:33.399 --> 00:14:37.240 and receive data, how they handle errors, all of that. 311 00:14:37.240 --> 00:14:40.360 It's really helpful. I'm starting to see how versatile wire 312 00:14:40.440 --> 00:14:43.480 shark can be. It's not just about troubleshooting, it's about 313 00:14:43.559 --> 00:14:47.759 understanding how our digital world works. But before we get 314 00:14:47.799 --> 00:14:51.440 too philosophical, let's talk about some practical tips for using it. 315 00:14:51.720 --> 00:14:55.200 We've talked about the interface, filters, annotations. Are there any 316 00:14:55.240 --> 00:14:56.840 other tips and tricks that you can share? Oh? 317 00:14:56.840 --> 00:14:57.360 Absolutely? 318 00:14:57.440 --> 00:14:57.919 Okay, good. 319 00:14:58.000 --> 00:14:59.879 One of my favorites is coloring rules. 320 00:15:00.080 --> 00:15:00.559 Oh cool. 321 00:15:00.679 --> 00:15:04.759 They let you visually highlight packets based on specific criteria. 322 00:15:04.919 --> 00:15:05.159 Okay. 323 00:15:05.159 --> 00:15:08.559 It's like adding a layer of visual intelligence to your analysis. 324 00:15:08.600 --> 00:15:10.840 So coloring rules are a way to make the data 325 00:15:10.960 --> 00:15:13.639 easier to understand visually exactly. 326 00:15:13.679 --> 00:15:16.360 For example, you could highlight all the packets that belong 327 00:15:16.440 --> 00:15:19.480 to a particular conversation, so you can follow that flow, 328 00:15:20.320 --> 00:15:24.200 or you could highlight packets with specific TCP flags, the 329 00:15:24.240 --> 00:15:26.879 ones that indicate connection problems. You can even create your 330 00:15:26.919 --> 00:15:27.519 own rules. 331 00:15:27.799 --> 00:15:31.000 That's really cool. It's like giving your analysis a visual boost. 332 00:15:31.200 --> 00:15:31.399 Yeah. 333 00:15:31.559 --> 00:15:34.840 As we're exploring all these advanced techniques, I'm realizing there's 334 00:15:34.840 --> 00:15:37.639 a lot to learn about wire shark there is. What 335 00:15:37.720 --> 00:15:40.919 resources would you recommend for someone who wants to really 336 00:15:42.120 --> 00:15:43.240 go beyond the basics. 337 00:15:43.360 --> 00:15:45.080 Well, there's some great resources out there. 338 00:15:45.159 --> 00:15:45.399 Good. 339 00:15:45.600 --> 00:15:48.799 Besides the Wireshark website and the wiki, which are great 340 00:15:48.840 --> 00:15:52.600 places to start, there are some great books and online courses. 341 00:15:52.960 --> 00:15:56.360 One book I'd highly recommend is Mastering wire shirt Okay 342 00:15:56.559 --> 00:16:01.039 by Richard Bethlitch. It's packed with practical advice and real world. 343 00:16:00.759 --> 00:16:04.039 Example Mastering wire Shark Okay. Got to check that out. 344 00:16:04.200 --> 00:16:07.679 What about online learning options? Any suggestions there for online learning? 345 00:16:07.720 --> 00:16:11.240 I'd say Chapel University is fantastic. They have a comprehensive 346 00:16:11.279 --> 00:16:15.519 wire Shark program covering everything from the basics to really 347 00:16:15.600 --> 00:16:20.440 advanced stuff. Their courses are well structured, taught by experienced instructors. 348 00:16:20.480 --> 00:16:21.639 You'll be a solid foundation. 349 00:16:22.200 --> 00:16:24.159 Awesome. So that sounds like a good option for people 350 00:16:24.159 --> 00:16:26.600 who like a more structured way to learn. 351 00:16:26.720 --> 00:16:27.200 Definitely. 352 00:16:27.399 --> 00:16:30.440 Okay, As we're on this wire Shark journey, it's important 353 00:16:30.440 --> 00:16:33.639 to remember that it's not just about the technical skills, 354 00:16:34.279 --> 00:16:37.600 it's about being curious and paying attention to details. 355 00:16:37.799 --> 00:16:41.399 You're absolutely right. Wire Shark is a tool for exploring 356 00:16:41.440 --> 00:16:44.759 and discovering, So don't be afraid to ask questions, experiment, 357 00:16:44.840 --> 00:16:47.679 and really dig into those details. The more you explore, 358 00:16:47.720 --> 00:16:48.440 the more you'll learn. 359 00:16:48.559 --> 00:16:50.799 Well said, I'm inspired to open up wire Shark and 360 00:16:50.840 --> 00:16:54.039 just start exploring. But before we wrap up this part 361 00:16:54.039 --> 00:16:55.840 of our deep dive, Yeah, I wanted to touch on 362 00:16:55.879 --> 00:16:59.440 a topic that's becoming increasingly important these days, the Internet 363 00:16:59.480 --> 00:16:59.919 of Things. 364 00:17:00.159 --> 00:17:05.160 Ah, Yes, the IoT. It's a huge ecosystem of connected devices, 365 00:17:05.160 --> 00:17:08.599 from smart refrigerators to industrial sensors, and as we see 366 00:17:08.640 --> 00:17:11.440 more and more of these devices, we see more network traffic. 367 00:17:11.640 --> 00:17:14.640 So understanding wire Shark becomes even more crucial as the 368 00:17:14.680 --> 00:17:16.119 IoT keeps growing. 369 00:17:16.400 --> 00:17:20.480 Absolutely, wire Shark's a key tool for analyzing that IoT traffic, 370 00:17:20.599 --> 00:17:23.640 troubleshooting issues, and finding those security vulnerabilities. 371 00:17:23.839 --> 00:17:27.440 I imagine analyzing IoT traffic has its own challenges, considering all 372 00:17:27.440 --> 00:17:28.920 the different devices and protocols. 373 00:17:29.079 --> 00:17:32.839 Yeah, it does. Many IoT devices use protocols that wire 374 00:17:32.880 --> 00:17:34.880 shark might not recognize right away. 375 00:17:34.920 --> 00:17:37.119 So how do we deal with that? Yeah, sounds like 376 00:17:37.200 --> 00:17:39.039 we need to get a bit creative. 377 00:17:39.079 --> 00:17:42.359 Knowledge is key here. You need to research and understand 378 00:17:42.400 --> 00:17:46.319 the protocols used by the IoT devices you're working with. Okay, 379 00:17:46.559 --> 00:17:50.200 the wire shark wiki and online forums can be really 380 00:17:50.200 --> 00:17:50.920 helpful for this. 381 00:17:51.319 --> 00:17:53.960 So it's like learning the language of the devices we're 382 00:17:53.960 --> 00:17:55.240 analyzing exactly. 383 00:17:55.680 --> 00:17:57.920 If you're working with a protocol that Wirefhark doesn't have 384 00:17:57.960 --> 00:18:00.400 a dissector for, you can always try to ecode the 385 00:18:00.400 --> 00:18:03.920 traffic and manually using your knowledge of the protocols structure. 386 00:18:04.039 --> 00:18:06.119 That sounds a bit advanced, but it's good to know 387 00:18:06.160 --> 00:18:06.960 we have that option. 388 00:18:07.119 --> 00:18:09.599 It is. But the good news is the wire shark 389 00:18:09.599 --> 00:18:12.799 community is amazing. They're always adding new dissectors and working 390 00:18:12.799 --> 00:18:14.519 to keep up with the latest protocols. 391 00:18:14.640 --> 00:18:16.640 That's great to hear. It's good to see wire shark 392 00:18:16.720 --> 00:18:19.559 keeping up with the latest technology. But before we get 393 00:18:19.599 --> 00:18:22.440 too carried away with the future of IoT Yeah, let's 394 00:18:22.480 --> 00:18:24.799 talk about some practical tips for getting the most out 395 00:18:24.839 --> 00:18:27.680 of wire Shark today. We've covered a lot we have, 396 00:18:27.920 --> 00:18:30.200 but are there any other hidden gems or tips that 397 00:18:30.240 --> 00:18:30.960 you'd like to share. 398 00:18:31.119 --> 00:18:35.720 Absolutely. One of my favorite features is the follow TCP 399 00:18:35.920 --> 00:18:39.279 stream feature. It allows you to see the entire conversation 400 00:18:39.440 --> 00:18:43.720 between two devices. It's incredibly useful for understanding the flow, 401 00:18:43.920 --> 00:18:46.279