WEBVTT 1 00:00:00.040 --> 00:00:02.480 Hey everyone, and welcome back for another deep dive. 2 00:00:02.640 --> 00:00:03.520 It's great to be here. 3 00:00:03.640 --> 00:00:06.000 Today. We're going to be taking a look at practical 4 00:00:06.040 --> 00:00:10.240 packet analysis. Oh yeah, by Chris Sanders. Love that book, 5 00:00:10.439 --> 00:00:14.000 really fantastic book about understanding how data moves online. 6 00:00:14.240 --> 00:00:16.760 Yeah, one of the definitive guides to. 7 00:00:16.760 --> 00:00:20.120 This whole topic, and it gets rave reviews for making 8 00:00:20.199 --> 00:00:22.679 this complex topic approachable. 9 00:00:22.320 --> 00:00:23.559 Absolutely, which I gon a need. 10 00:00:23.719 --> 00:00:25.800 Yeah, So before we get lost in the weeds, can 11 00:00:25.800 --> 00:00:29.120 you give me the high level view? What exactly is 12 00:00:29.199 --> 00:00:30.199 packet analysis? 13 00:00:30.320 --> 00:00:34.159 So you know, when you order something online, packet analysis 14 00:00:34.240 --> 00:00:38.079 lets you sort of track every step of that package's journey. 15 00:00:38.119 --> 00:00:40.520 But instead of a physical package, we're talking about data, 16 00:00:40.960 --> 00:00:46.759 got it, So emails, web pages, videos, anything you send 17 00:00:46.840 --> 00:00:47.880 or receive online. 18 00:00:48.039 --> 00:00:50.759 So it's more than just seeing the data arrived. You 19 00:00:50.799 --> 00:00:53.280 can actually examine how it traveled across. 20 00:00:53.000 --> 00:00:56.079 The network exactly. So every piece of data that you 21 00:00:56.159 --> 00:00:58.960 send is broken down into these small units called packets, 22 00:00:59.280 --> 00:01:02.520 and each has instructions on where it came from, where 23 00:01:02.520 --> 00:01:04.840 it's going, and what type of data it contains. 24 00:01:05.040 --> 00:01:07.760 Data travels and packets, But how did these packets actually 25 00:01:07.799 --> 00:01:08.439 know where to go? 26 00:01:08.760 --> 00:01:09.000 Right? 27 00:01:09.400 --> 00:01:11.280 I mean, computers don't speak English, right. 28 00:01:11.280 --> 00:01:14.239 No, they don't, and that's where network protocols come in. 29 00:01:15.040 --> 00:01:17.840 These are the languages that computers use to communicate with 30 00:01:17.920 --> 00:01:18.319 each other. 31 00:01:18.480 --> 00:01:18.840 Got it. 32 00:01:18.879 --> 00:01:22.000 Two of the most important ones are TCP and IP. 33 00:01:22.319 --> 00:01:25.879 TCP and IP. Yeah, I've definitely heard those terms thrown around, 34 00:01:25.879 --> 00:01:28.480 but I think most people have. But can you break 35 00:01:28.519 --> 00:01:29.480 down what each one does? 36 00:01:29.760 --> 00:01:34.200 Sure? So think of TCP as the meticulous organizer, making 37 00:01:34.200 --> 00:01:37.200 sure that all the packets arrive in the correct order 38 00:01:37.799 --> 00:01:39.560 and that none get lost along the way. 39 00:01:39.680 --> 00:01:40.000 Gotcha. 40 00:01:40.159 --> 00:01:42.159 So it's kind of like a numbered list. You can't 41 00:01:42.319 --> 00:01:44.920 proceed to step two until step one is complete. 42 00:01:45.239 --> 00:01:48.439 So TCP is all about reliability, Yeah, making sure the 43 00:01:48.519 --> 00:01:51.079 data arrives intact and in order. 44 00:01:51.359 --> 00:01:51.599 Yes. 45 00:01:51.920 --> 00:01:54.480 What about IP? What's its role in this process? 46 00:01:54.799 --> 00:01:58.200 IP is the addressing system. It ensures that each packet 47 00:01:58.280 --> 00:02:01.400 gets delivered to the correct location, like a super efficient 48 00:02:01.480 --> 00:02:03.760 postal service that never mixes up addresses. 49 00:02:03.840 --> 00:02:08.360 So KECP is about reliable delivery. Yes, IP handles the addressing, 50 00:02:08.439 --> 00:02:11.159 that's right, and together they make sure that data gets 51 00:02:11.159 --> 00:02:13.439 where it needs to go. Yes, but how does this 52 00:02:13.520 --> 00:02:15.719 all connect to packet analysis? 53 00:02:15.960 --> 00:02:16.360 Okay? 54 00:02:16.840 --> 00:02:19.560 What are we actually looking at when we analyze these packets. 55 00:02:19.599 --> 00:02:23.599 So packet analysis is about peering into these packets okay, 56 00:02:23.639 --> 00:02:27.639 deciphering the information they contain to understand how data is 57 00:02:27.680 --> 00:02:28.719 flowing on the network. 58 00:02:29.000 --> 00:02:29.240 Huh. 59 00:02:29.280 --> 00:02:32.000 We can see things like the source and destination of 60 00:02:32.039 --> 00:02:35.560 each packet okay, the protocols being used, and even the 61 00:02:35.680 --> 00:02:37.159 content of the data itself. 62 00:02:37.479 --> 00:02:39.479 So it's like having this behind the scenes look at 63 00:02:39.479 --> 00:02:42.000 how the Internet operates. Yeah, what kind of insights can 64 00:02:42.039 --> 00:02:43.199 we gain from this? Oh? 65 00:02:43.319 --> 00:02:47.800 So many things. You can troubleshoot network problems, identify security 66 00:02:47.840 --> 00:02:51.360 threats okay, you can even understand how new technologies work. 67 00:02:51.520 --> 00:02:53.159 That's a pretty wide range of applications. 68 00:02:53.280 --> 00:02:53.599 Yeah. 69 00:02:53.680 --> 00:02:56.400 So it sounds like packet analysis is more than just 70 00:02:56.520 --> 00:02:59.439 this technical skill. Yes, it's a way of thinking, I think, 71 00:02:59.479 --> 00:03:02.240 a way of un understanding this digital world around us. 72 00:03:02.360 --> 00:03:05.120 Absolutely, it's about connecting the dots, seeing the patterns in 73 00:03:05.199 --> 00:03:07.960 the data, and using that knowledge to solve problems and 74 00:03:08.039 --> 00:03:09.080 uncover insights. 75 00:03:09.479 --> 00:03:11.840 All right, so we've got the basics down, Data travels 76 00:03:11.840 --> 00:03:15.000 and packets. Yeah, TCP and IP make sure it gets 77 00:03:15.000 --> 00:03:18.319 there safely. But the Internet isn't just a bunch of 78 00:03:18.319 --> 00:03:21.840 computers talking to each other. No, there's actual hardware involved. 79 00:03:21.520 --> 00:03:22.120 Yes, there is. 80 00:03:22.319 --> 00:03:23.159 What's that hardware? 81 00:03:23.479 --> 00:03:25.879 So there are a number of devices that manage and 82 00:03:26.000 --> 00:03:27.719 direct network traffic. 83 00:03:27.960 --> 00:03:28.280 Okay. 84 00:03:28.360 --> 00:03:31.680 Three of the most common are hubs, switches, and routers. 85 00:03:32.000 --> 00:03:34.520 Hubs, switches and routers. Yeah, can we start with hubs. 86 00:03:34.639 --> 00:03:35.319 What's their deal? 87 00:03:35.719 --> 00:03:38.960 Think of a hub like a very basic, old fashioned 88 00:03:39.000 --> 00:03:39.639 party line. 89 00:03:39.759 --> 00:03:40.039 Okay. 90 00:03:40.120 --> 00:03:43.240 Everyone connected to a hub receives every piece of data, 91 00:03:43.599 --> 00:03:44.840 even if it's not meant for them. 92 00:03:45.159 --> 00:03:45.680 Ah. 93 00:03:45.719 --> 00:03:49.000 So it's simple, but not very efficient or secure. 94 00:03:49.120 --> 00:03:51.039 So it's like a town square where everyone is shouting 95 00:03:51.080 --> 00:03:54.120 their messages and whoever needs to hear it will hopefully. 96 00:03:53.719 --> 00:03:56.639 Catch it exactly. And that's why hubs are rarely used 97 00:03:56.639 --> 00:03:57.520 in modern networks. 98 00:03:57.599 --> 00:03:58.360 Yeah makes sense. 99 00:03:58.639 --> 00:04:01.400 Yeah, they're prone to congestion and security issues. 100 00:04:01.919 --> 00:04:04.319 So switches are kind of like the upgrade from the 101 00:04:04.360 --> 00:04:05.719 town square shouting match. 102 00:04:05.840 --> 00:04:09.879 Yes, much more sophisticated solution, make some different. So switches 103 00:04:09.960 --> 00:04:13.360 act like intelligent traffic directors. They keep track of which 104 00:04:13.360 --> 00:04:16.920 devices are connected to each port and only send data 105 00:04:16.959 --> 00:04:20.040 to the intended recipient. Okay, so it's much more efficient 106 00:04:20.040 --> 00:04:21.199 and secure than a hub. 107 00:04:21.639 --> 00:04:25.199 Makes sense. No more wasted bandwidth or eavedropping on everyone 108 00:04:25.199 --> 00:04:30.160 else's conversations exactly. So switches handle traffic within a local network. Yeah, 109 00:04:30.199 --> 00:04:31.959 what about routers? What do they do? So? 110 00:04:32.160 --> 00:04:34.879 Routers are the masterminds of the Internet. Okay, they connect 111 00:04:34.920 --> 00:04:39.319 different networks together, ensuring that data can travel across vast distances. 112 00:04:39.800 --> 00:04:43.199 So if switches are the local traffic cops, yeah, routers 113 00:04:43.240 --> 00:04:44.959 are the global air traffic controllers. 114 00:04:45.199 --> 00:04:48.199 That's a great analogy, keeping everything moving. They're the ones 115 00:04:48.240 --> 00:04:50.160 who know how to get your data from point A 116 00:04:50.279 --> 00:04:52.800 to point B, no matter how far apart those points 117 00:04:52.839 --> 00:04:53.040 may be. 118 00:04:53.920 --> 00:04:57.040 I think I've started to grasp the big picture here. 119 00:04:58.199 --> 00:05:03.319 Data travels and packets and IP make sure it arrives safely. Right, Hubs, 120 00:05:03.360 --> 00:05:06.879 switches and routers, they all manage the flow of traffic. Yes, 121 00:05:07.120 --> 00:05:10.839 but this is all theoretical so far. How do we 122 00:05:10.879 --> 00:05:12.680 actually see these packets in action? 123 00:05:12.959 --> 00:05:15.959 Okay, so this is where things get really interesting, right. 124 00:05:16.160 --> 00:05:19.120 We need to sniff the data from the network, which 125 00:05:19.120 --> 00:05:22.279 involves capturing the packets as they are being transmitted. 126 00:05:22.720 --> 00:05:23.639 Sounds a bit sneaky. 127 00:05:23.839 --> 00:05:26.920 It is a little bit like tapping into a phone line. Okay, 128 00:05:27.000 --> 00:05:31.000 but instead of listening to voices, we are analyzing digital data. 129 00:05:31.399 --> 00:05:33.319 How do we actually capture these packets. 130 00:05:33.759 --> 00:05:36.480 Well, there are a few different techniques, okay, and the 131 00:05:36.519 --> 00:05:39.480 method we use depends on the type of network hardware 132 00:05:39.519 --> 00:05:42.839 we are dealing with. Okay, remember those hubs we talked about, Yeah, 133 00:05:42.879 --> 00:05:45.360 well they are actually the easiest to sniff because they 134 00:05:45.439 --> 00:05:47.959 broadcast all data to every connected device. 135 00:05:48.040 --> 00:05:50.160 So going back to the town square analogy, if you're 136 00:05:50.199 --> 00:05:51.839 standing in the middle of the square, you can hear 137 00:05:51.879 --> 00:05:53.720 everything everyone's shouting exactly. 138 00:05:53.920 --> 00:05:57.920 But this makes hubs incredibly insecure. Anyone with access to 139 00:05:57.959 --> 00:06:00.399 the network can see all the data flowing through through it. 140 00:06:00.639 --> 00:06:02.680 That's one reason why they really use these days. 141 00:06:02.800 --> 00:06:07.079 What about switches, They seem trickier to sniff since they 142 00:06:07.120 --> 00:06:09.000 direct data to specific devices. 143 00:06:10.000 --> 00:06:12.560 They are more challenging. But there are ways to get 144 00:06:12.560 --> 00:06:13.000 around this. 145 00:06:13.399 --> 00:06:13.639 Yeah. 146 00:06:13.680 --> 00:06:17.319 One common technique is called port mirroring, where we configure 147 00:06:17.360 --> 00:06:20.240 the switch to copy all the traffic from a specific 148 00:06:20.319 --> 00:06:23.560 port to another port where our sniffing device is connected. 149 00:06:23.680 --> 00:06:26.040 So it's like setting up a surveillance camera to monitor 150 00:06:26.040 --> 00:06:28.040 a particular location exactly. 151 00:06:28.120 --> 00:06:31.199 Port mirroring allows us to see all the data passing 152 00:06:31.279 --> 00:06:33.720 through a specific device or segment of the network. 153 00:06:33.839 --> 00:06:36.839 That's pretty clever, yeah, but it's not always reliable. 154 00:06:37.000 --> 00:06:41.319 Right, you are right. Port mirroring can sometimes misspackets, which 155 00:06:41.319 --> 00:06:44.079 would give us an incomplete picture of the data flow. 156 00:06:44.279 --> 00:06:46.800 We don't want that, No, we don't. That's why for 157 00:06:46.839 --> 00:06:49.600 the most accurate and reliable packet capture, we use a 158 00:06:49.639 --> 00:06:50.680 special device called a. 159 00:06:50.639 --> 00:06:53.480 Network tap, a network tap. What is that? So? 160 00:06:53.639 --> 00:06:56.240 Tap is a hardware device that physically connects to the 161 00:06:56.279 --> 00:06:59.439 network cable okay, splitting the data streams so we can 162 00:06:59.519 --> 00:07:01.879 capture a copy of all the traff and passing through it. 163 00:07:02.240 --> 00:07:04.920 Okay. So it's like having a perfect mirror that reflects 164 00:07:04.920 --> 00:07:05.720 every single bit. 165 00:07:05.639 --> 00:07:09.480 Of data exactly. A tap provides the most accurate and 166 00:07:09.519 --> 00:07:11.600 reliable data for our analysis. 167 00:07:12.240 --> 00:07:15.279 So a tap gives us a completely unobstructed view of 168 00:07:15.319 --> 00:07:19.399 the network traffic. Yeah, no misspackets, no drop data. Yes, 169 00:07:19.879 --> 00:07:22.120 it's the gold standard for packet capture. 170 00:07:22.279 --> 00:07:22.680 It is. 171 00:07:23.120 --> 00:07:25.560 Okay, So we've got our sniffers set up. Whether it's 172 00:07:25.600 --> 00:07:28.519 a simple connection to a hub, port mirring set up 173 00:07:28.519 --> 00:07:32.120 on a switch, or a dedicated network tap. We are 174 00:07:32.240 --> 00:07:34.680 capturing packets left and right. Yes, but now we have 175 00:07:34.759 --> 00:07:37.199 this flood of data coming in. How do we make 176 00:07:37.240 --> 00:07:37.800 sense of it all? 177 00:07:38.000 --> 00:07:40.639 That is the million dollar question that is the question. 178 00:07:40.800 --> 00:07:42.680 That's where the magic of wire Shark comes in. 179 00:07:42.839 --> 00:07:45.439 Wire Shark, I've heard it mentioned in hush tones, like 180 00:07:46.040 --> 00:07:49.279 it's this mythical software for tech wizards. Yeah, is it 181 00:07:49.399 --> 00:07:50.519 really that powerful? 182 00:07:50.600 --> 00:07:53.920 It is incredibly powerful, but don't let that intimidate you, Okay. 183 00:07:54.480 --> 00:07:57.920 Wire Shark has a surprisingly user friendly interface that makes 184 00:07:57.959 --> 00:08:00.720 packet analysis accessible even for beginners. 185 00:08:00.959 --> 00:08:03.000 Well, it's good to hear. I'm eager to dive in 186 00:08:03.000 --> 00:08:05.079 and see what it can do. But before we get 187 00:08:05.120 --> 00:08:07.560 lost in the weeds, can you give me a sneak 188 00:08:07.639 --> 00:08:09.480 peek at some of its coolest features. 189 00:08:09.600 --> 00:08:13.600 Sure. Imagine having this giant spreadsheet filled with millions of 190 00:08:13.680 --> 00:08:17.800 rows of data, each row representing a single packet, got it. 191 00:08:17.920 --> 00:08:20.600 Wire Shark gives you the tools to quickly sift through 192 00:08:20.639 --> 00:08:24.519 all of that data, find the specific packets you're interested in, okay, 193 00:08:24.519 --> 00:08:26.680 and analyze their contents in detail. 194 00:08:26.839 --> 00:08:29.800 So it's more than just this passive viewer of packets. 195 00:08:30.199 --> 00:08:33.960 We can actually interact with the data, manipulate it, yeah, 196 00:08:34.120 --> 00:08:36.080 and extract meaningful insights. 197 00:08:36.279 --> 00:08:40.759 Precisely, we can apply filters to isolate specific types of traffic. 198 00:08:40.919 --> 00:08:41.159 Okay. 199 00:08:41.279 --> 00:08:45.919 We can reconstruct entire conversations between devices, wow, and even 200 00:08:46.000 --> 00:08:50.679 create visual representations of data flow to spot patterns and anomalies. 201 00:08:51.000 --> 00:08:54.360 So wire Shark really is the ultimate tool for unraveling 202 00:08:54.440 --> 00:08:57.200 the mysteries of the network, I think. So I can't 203 00:08:57.240 --> 00:08:59.080 wait to roll up my sleeves and start playing with it. 204 00:08:59.120 --> 00:08:59.840 All right, let's do it. 205 00:09:00.080 --> 00:09:01.639 Before we do that, we going to take a quick 206 00:09:01.679 --> 00:09:06.200 break and we'll be back in just a moment. All right, 207 00:09:06.399 --> 00:09:09.000 I am fired up and ready to dive into wire Shark. 208 00:09:09.360 --> 00:09:10.840 It's free to download, right absolutely. 209 00:09:10.840 --> 00:09:12.679 You can find it at wireshark. 210 00:09:12.159 --> 00:09:13.960 Dot org wireshark dot org. 211 00:09:14.200 --> 00:09:16.200 And one of the things that makes it so powerful 212 00:09:16.279 --> 00:09:20.519 is that it's open source, meaning anyone can contribute to 213 00:09:20.559 --> 00:09:21.240 its development. 214 00:09:21.399 --> 00:09:24.279 So I've got wire shark installed, okay, and I'm staring 215 00:09:24.320 --> 00:09:26.759 at the interface. All right, where do we even begin. 216 00:09:27.200 --> 00:09:31.159 Well, we've already captured some packets using our trusty sniffing techniques. 217 00:09:31.759 --> 00:09:35.720 Remember we talked about connecting to a hub, setting up port, 218 00:09:35.799 --> 00:09:39.720 mirroring on a switch, or using a network tap. So 219 00:09:39.799 --> 00:09:43.559 wire Shark lets us open those captured files and start 220 00:09:43.600 --> 00:09:44.600 digging into the data. 221 00:09:44.960 --> 00:09:47.679 It's a little overwhelming at first glance, it can be. 222 00:09:47.720 --> 00:09:52.519 There's so much information rows and columns, of data, timestamps, 223 00:09:52.559 --> 00:09:53.480 cryptic codes. 224 00:09:53.679 --> 00:09:54.360 I know what you mean. 225 00:09:54.639 --> 00:09:56.000 It's like staring into the matrix. 226 00:09:56.279 --> 00:09:59.360 Yeah, it can feel like drinking from a fire hose 227 00:09:59.399 --> 00:10:02.559 of information, especially when you're first starting out. 228 00:10:02.840 --> 00:10:06.519 Give me an example, what's one feature that can help 229 00:10:06.600 --> 00:10:08.440 tame this wild beast of data? 230 00:10:09.080 --> 00:10:12.000 So one of the most powerful features is filtering. It 231 00:10:12.080 --> 00:10:14.919 lets you narrow down the millions of packets to just 232 00:10:14.960 --> 00:10:16.320 the ones that you're interested in. 233 00:10:16.440 --> 00:10:16.799 Botcha. 234 00:10:16.960 --> 00:10:20.840 So let's say you're trying to troubleshoot a slow internet connection. Okay, 235 00:10:21.039 --> 00:10:23.799 you could apply a filter to show only the traffic 236 00:10:23.840 --> 00:10:25.200 related to your web browsing. 237 00:10:25.559 --> 00:10:28.360 So instead of seeing packets from every single application on 238 00:10:28.399 --> 00:10:31.240 my computer, right, I can laser focus on just the 239 00:10:31.240 --> 00:10:33.799 web traffic. Yeah. How would I actually create a filter 240 00:10:33.960 --> 00:10:34.240 like that? 241 00:10:34.519 --> 00:10:37.759 It's surprisingly easy. You just type in a simple expression 242 00:10:37.840 --> 00:10:39.639 in the filter box at the top of the window. 243 00:10:39.960 --> 00:10:44.080 For example, to see only HTTP traffic, you would type http. 244 00:10:44.720 --> 00:10:47.720 To see traffic to or from a specific IP address, 245 00:10:48.200 --> 00:10:51.960 you'd use something like ip dot adr equals one ninety 246 00:10:52.000 --> 00:10:55.519 two point one sixty eight one point one hundred zero. 247 00:10:55.720 --> 00:10:58.639 Ah. So it's a bit like searching on Google, but 248 00:10:58.679 --> 00:11:02.639 instead of keywords, we're using these filter expressions to pinpoint 249 00:11:02.639 --> 00:11:05.039 the packets we need. Exactly what other kinds of filters 250 00:11:05.080 --> 00:11:05.639 can we create? 251 00:11:05.679 --> 00:11:07.519 The possibilities are pretty much endless. 252 00:11:07.600 --> 00:11:07.919 Okay. 253 00:11:08.120 --> 00:11:11.679 You can filter by protocol, port number, packet length, a 254 00:11:12.000 --> 00:11:15.399 specific data patterns within the packets. You can even combine 255 00:11:15.519 --> 00:11:19.840 multiple filters to create highly specific views of the traffic. 256 00:11:20.039 --> 00:11:22.559 So I could create a filter to see only the 257 00:11:22.639 --> 00:11:26.000 traffic going to a specific website, or only the DNS 258 00:11:26.080 --> 00:11:28.320 request that my computer's making, exactly. 259 00:11:28.840 --> 00:11:32.000 Filtering is the key to navigating the vast sea of 260 00:11:32.080 --> 00:11:33.879 data in a wire shark capture. 261 00:11:34.000 --> 00:11:37.240 It's how we separate the signal from the noise, that's right. Okay, 262 00:11:37.240 --> 00:11:38.879 filtering helps us narrow things down. 263 00:11:39.039 --> 00:11:39.240 Yep. 264 00:11:39.360 --> 00:11:42.919 But I'm still a bit intimidated by the actual packets themselves. Okay, 265 00:11:43.080 --> 00:11:47.120 all these hexadecimal values and cryptic abbreviations. Sure, how do 266 00:11:47.200 --> 00:11:49.879 we actually read these packets once we've isolated them? 267 00:11:49.960 --> 00:11:53.200 Okay? So each packet is like a miniature story, okay, 268 00:11:53.480 --> 00:11:56.279 and learning to read those stories is the essence of 269 00:11:56.360 --> 00:11:59.440 packet analysis, got it. Every packet has a header and 270 00:11:59.480 --> 00:12:00.120 a payload. 271 00:12:00.559 --> 00:12:02.639 We packets have anatomy in a way. 272 00:12:02.720 --> 00:12:05.759 Yes, So the header contains all the essential information about 273 00:12:05.759 --> 00:12:09.279 the packet, like the source and destination IP addresses, the 274 00:12:09.279 --> 00:12:11.639 protocol being used, the packet length, and so on. 275 00:12:11.720 --> 00:12:12.039 Gotcha. 276 00:12:12.120 --> 00:12:14.840 So it's like the addressing and metadata on an envelope. 277 00:12:14.879 --> 00:12:17.320 So the header tells us where the packet came from, 278 00:12:17.519 --> 00:12:21.080 where it's going, and what kind of information it's carrying exactly. 279 00:12:21.159 --> 00:12:22.080 What about the payload? 280 00:12:22.519 --> 00:12:26.519 So the payload is the actual data being transported, Okay, 281 00:12:26.639 --> 00:12:28.960 like the contents of the letter inside the envelope. 282 00:12:29.080 --> 00:12:29.399 Gotcha. 283 00:12:29.480 --> 00:12:31.799 It could be the text of an email, the code 284 00:12:31.840 --> 00:12:35.879 for a web page, or the audio data from a 285 00:12:36.000 --> 00:12:36.679 video stream. 286 00:12:37.120 --> 00:12:38.960 So if we want to see what someone is actually 287 00:12:39.000 --> 00:12:41.440 typing in an email or what data is being sent 288 00:12:41.480 --> 00:12:44.279 to a website, we look at the payload exactly. 289 00:12:44.360 --> 00:12:48.000 Wire Shark displays both the header and the payload in 290 00:12:48.039 --> 00:12:50.519 a way that's easy to read. Ok You can click 291 00:12:50.559 --> 00:12:52.879 on a packet in the list and wire Shark will 292 00:12:52.879 --> 00:12:55.639 dissect it, showing you all the fields in the header 293 00:12:55.679 --> 00:12:57.759 and the raw data in the payload. 294 00:12:57.720 --> 00:13:00.320 So we can see the nitty gritty details of what's 295 00:13:00.360 --> 00:13:03.360 being sent across the network, right down to the individual 296 00:13:03.440 --> 00:13:04.200 bits and bites. 297 00:13:04.240 --> 00:13:04.720 That's right. 298 00:13:04.720 --> 00:13:08.159 But even if you're not fluent in binary code, you 299 00:13:08.200 --> 00:13:10.480 can still glean a lot of information just from the 300 00:13:10.480 --> 00:13:13.279 header fields. You can see which protocols are being used, 301 00:13:13.279 --> 00:13:16.200 which ports are being accessed, and the size and timing 302 00:13:16.240 --> 00:13:17.200 of data transfers. 303 00:13:17.320 --> 00:13:17.799 Yeah. 304 00:13:18.120 --> 00:13:21.720 You mentioned earlier that wire shark can reconstruct entire conversations 305 00:13:21.759 --> 00:13:26.240 between devices. Yeah, this sounds fascinating. It is, but I'm 306 00:13:26.279 --> 00:13:28.639 having trouble wrapping my head around how it actually works. 307 00:13:28.759 --> 00:13:31.039 So it's one of the most amazing features of wire 308 00:13:31.080 --> 00:13:33.559 short Okay, and it's called following streams. 309 00:13:33.840 --> 00:13:34.840 Following streams. 310 00:13:34.919 --> 00:13:39.480 Remember that TCP ensures reliable data transfer. Yes, well, it 311 00:13:39.559 --> 00:13:42.559 does this by breaking the data into segments and numbering them. Okay, 312 00:13:42.840 --> 00:13:46.080 wire shark can reassemble those segments in the correct order, 313 00:13:46.679 --> 00:13:48.879 even if they arrive out of order or are spread 314 00:13:48.879 --> 00:13:50.159 across multiple packets. 315 00:13:50.240 --> 00:13:53.600 So we can essentially easedrop on a complete back and 316 00:13:53.639 --> 00:13:57.559 forth exchange between two devices. Yeah, even if that conversation 317 00:13:57.639 --> 00:14:00.519 is chopped up into tiny packets and scattered across the network. 318 00:14:00.639 --> 00:14:03.360 Precisely, it's like listening in on a phone call or 319 00:14:03.399 --> 00:14:06.240 reading a chat log. Wow, you can see the entire 320 00:14:06.279 --> 00:14:08.360 conversation unfold packet by back. 321 00:14:08.399 --> 00:14:10.840 It Yeah, so this following streams features seems like a 322 00:14:10.840 --> 00:14:14.639 powerful tool for understanding how applications actually communicate with each other. 323 00:14:14.759 --> 00:14:19.559 It is. It's incredibly useful for troubleshooting application level problems. Okay, 324 00:14:19.600 --> 00:14:22.799 So let's say you're having trouble logging into a website. Yeah, 325 00:14:22.879 --> 00:14:25.480 you could use wire shark to capture the traffic and 326 00:14:25.679 --> 00:14:28.320 follow the TCP stream for the login process. 327 00:14:28.559 --> 00:14:28.879 Okay. 328 00:14:29.360 --> 00:14:32.240 You might see that the server is rejecting your credentials 329 00:14:32.600 --> 00:14:34.720 or that there's a problem with the authentication protocol. 330 00:14:34.960 --> 00:14:38.159 So instead of just seeing that the login failed, right, 331 00:14:38.240 --> 00:14:41.240 we can actually see why it failed by examining the 332 00:14:41.279 --> 00:14:44.960 individual messages exchanged between the client and the server exactly. 333 00:14:45.000 --> 00:14:49.200 And it's not just limited to text based protocols like HDPP. Okay, 334 00:14:49.320 --> 00:14:52.440 you can follow streams for all sorts of protocols, from 335 00:14:52.519 --> 00:14:56.519 email to file transfers to video streaming. 336 00:14:56.840 --> 00:14:59.559 Wow, the possibilities seem mless. Yeah, it's like having a 337 00:14:59.600 --> 00:15:01.480 backstay past the entire Internet. 338 00:15:01.559 --> 00:15:02.519 That's a good way to put it. 339 00:15:03.080 --> 00:15:07.200 You also mentioned that wire shark can create visual representations 340 00:15:07.200 --> 00:15:09.919 of data flow, right, what kind of magic is this? 341 00:15:10.240 --> 00:15:14.039 So these visualizations can help you see patterns and trends okay, 342 00:15:14.120 --> 00:15:16.279 that might not be obvious from just looking at the 343 00:15:16.399 --> 00:15:20.240 raw packet data. For example, you can create a graph 344 00:15:21.000 --> 00:15:23.919 of packet lengths over time, okay, which can help you 345 00:15:24.000 --> 00:15:27.759 identify bursts of activity or periods of inactivity. 346 00:15:28.399 --> 00:15:31.240 So instead of trying to decipher numbers in a spreadsheet, 347 00:15:31.840 --> 00:15:33.960 we can actually see the data flowing like a river 348 00:15:34.120 --> 00:15:37.320 with peaks and valleys representing different types of traffic. 349 00:15:37.399 --> 00:15:38.440 That's a great way to put it. 350 00:15:38.720 --> 00:15:43.919 Another useful visualization is a graph of TCP round trip times. Yeah, 351 00:15:44.120 --> 00:15:47.559 this can help you identify network latency issuesact, which can 352 00:15:47.600 --> 00:15:52.440 manifest as slow website load times or laggy online games. 353 00:15:53.000 --> 00:15:55.759 So if I'm experiencing lag while playing an online game, 354 00:15:56.240 --> 00:15:58.000 I could use wire shark to see if there are any 355 00:15:57.960 --> 00:16:00.639 spikes in the round trip times. Yep, wh might indicate 356 00:16:00.639 --> 00:16:04.120 a problem with my internet connection or the game server exactly. 357 00:16:04.519 --> 00:16:08.080 These visualizations are a powerful tool for understanding network performance 358 00:16:08.360 --> 00:16:09.720 and identifying bottlenecks. 359 00:16:09.840 --> 00:16:13.559 Okay, I'm starting to see the like sniffer, wire Shark 360 00:16:13.639 --> 00:16:16.039 is more than just a packet sniffer. It's a complete 361 00:16:16.080 --> 00:16:19.799 network analysis toolkit. It is, But I have to admit 362 00:16:19.879 --> 00:16:23.240 I'm still a bit intimidated by the technical detail. Sure, 363 00:16:23.399 --> 00:16:25.840 do I need a computer science degree to use this 364 00:16:25.840 --> 00:16:26.759 stuff effectively? 365 00:16:26.919 --> 00:16:29.480 No, not at all. Okay, remember that book we mentioned, 366 00:16:29.480 --> 00:16:33.360 Practical Packet Analysis. Yes, it's a fantastic resource for learning 367 00:16:33.360 --> 00:16:36.080 the ropes, and it's written in a way that's accessible 368 00:16:36.240 --> 00:16:37.240 even for beginners. 369 00:16:37.799 --> 00:16:40.360 So with a little bit of effort and the right resources, 370 00:16:40.879 --> 00:16:44.000 anyone can learn to use wider shark absolutely and become 371 00:16:44.000 --> 00:16:45.159 a packet analysis pro. 372 00:16:45.360 --> 00:16:48.240 Yeah. The key is to start with the basics, experiment 373 00:16:48.320 --> 00:16:51.720 with different features, and don't be afraid to ask questions. Okay, 374 00:16:51.720 --> 00:16:53.639 the more you use wire Shark, the more comfortable and 375 00:16:53.679 --> 00:16:54.519 confident you'll become. 376 00:16:55.440 --> 00:16:57.600 You've inspired me to roll up my sleeves and start 377 00:16:57.639 --> 00:17:02.559 digging into the data. But let's be realistic. What are 378 00:17:02.559 --> 00:17:06.799 some everyday problems that I could actually solve with this 379 00:17:07.119 --> 00:17:09.160 newfound knowledge of packet analysis. 380 00:17:09.200 --> 00:17:09.480 Okay? 381 00:17:10.000 --> 00:17:12.920 You mentioned slow internet speeds earlier. Yeah, can you walk 382 00:17:12.960 --> 00:17:15.240 me through how i'd use wire shark to diagnose that. 383 00:17:15.480 --> 00:17:17.799 Okay, So let's say you're trying to stream a video 384 00:17:17.920 --> 00:17:19.160 and it keeps buffering. 385 00:17:19.359 --> 00:17:20.680 Yep, I've been there first. 386 00:17:20.720 --> 00:17:23.279 You'd start a capture and wire shark, Oh yeah, making 387 00:17:23.279 --> 00:17:26.440 sure to select the correct network interface. Then you would 388 00:17:26.480 --> 00:17:29.880 initiate the video stream and watch the packets flow in. 389 00:17:30.079 --> 00:17:33.279 Okay, I'm seeing a floory of packets, all different colors 390 00:17:33.359 --> 00:17:35.039 and sizes. Now what all right? 391 00:17:35.039 --> 00:17:36.960 So you'd want to filter the traffic to focus on 392 00:17:37.000 --> 00:17:40.960 the communication between your computer and the video streaming server. 393 00:17:41.160 --> 00:17:41.440 Okay. 394 00:17:42.160 --> 00:17:45.359 You could filter by your IP address and the server's 395 00:17:45.359 --> 00:17:49.240 IP address, or by the port number used for video 396 00:17:49.240 --> 00:17:50.079 stream and traffic. 397 00:17:50.240 --> 00:17:52.759 That way I can isolate just the packets relevant to 398 00:17:52.839 --> 00:17:54.160 the video stream exactly. 399 00:17:54.359 --> 00:17:55.720 Then you'd look for signs of trouble. 400 00:17:55.920 --> 00:17:56.279 Okay. 401 00:17:56.400 --> 00:18:02.160 Remember our discussion about TCP or retransmissions and duplicate acknowledgements. Yeah, 402 00:18:02.240 --> 00:18:06.200 those are often indicators of network congestion or packet loss, right, 403 00:18:06.480 --> 00:18:09.400 which can definitely lead to buffering issues. 404 00:18:09.519 --> 00:18:12.799 Right. Retransmissions happen when a packet gets lost in transit 405 00:18:12.839 --> 00:18:16.319 and has to be sent again. Duplicate acknowledgments are like 406 00:18:16.319 --> 00:18:19.480 the receiver saying, hey, I got this packet twice. Did 407 00:18:19.519 --> 00:18:20.839 you miss my last acknowledgement? 408 00:18:20.960 --> 00:18:23.720 You got it. If you see a lot of retransmissions 409 00:18:23.759 --> 00:18:26.599 or duplicate ACKs, it could mean there's a problem with 410 00:18:26.640 --> 00:18:30.519 your Internet connection, your router, or even the video streaming 411 00:18:30.599 --> 00:18:32.599 server itself, so wire. 412 00:18:32.400 --> 00:18:35.720 Shark can help me pinpoint where the bottleneck is. Yeah, 413 00:18:35.759 --> 00:18:38.119 whether it's on my end, the server's end, or somewhere 414 00:18:38.160 --> 00:18:38.680 in between. 415 00:18:38.799 --> 00:18:41.240 It's like having X ray vision into your network. 416 00:18:41.359 --> 00:18:44.720 That's pretty amazing. It's like having a secret weapon against 417 00:18:44.759 --> 00:18:47.359 those frustrating tech problems that always seem to pop up 418 00:18:47.359 --> 00:18:48.599 at the worst possible time. 419 00:18:48.839 --> 00:18:49.200 Yeah. 420 00:18:49.599 --> 00:18:51.799 You also mentioned that packet analysis can be used for 421 00:18:51.839 --> 00:18:52.759 security purposes. 422 00:18:52.799 --> 00:18:53.400 Absolutely. 423 00:18:53.440 --> 00:18:55.240 Can you give me a concrete example of how I 424 00:18:55.319 --> 00:18:57.319 might use it to protect myself from attax? 425 00:18:57.720 --> 00:19:01.359 Sure, let's revisit that ARP cash poisoning attack we talked 426 00:19:01.359 --> 00:19:04.440 about earlier. Okay, Remember that's where an attacker tricks your 427 00:19:04.480 --> 00:19:08.000 computer and descending traffic to them instead of the legitimate destination. 428 00:19:08.480 --> 00:19:11.519 Right, It's like the attacker is intercepting my mail before 429 00:19:11.519 --> 00:19:13.119 it reaches the intended recipient. 430 00:19:13.559 --> 00:19:16.640 Exactly. If you suspect that someone might be trying to 431 00:19:16.920 --> 00:19:20.400 ARP poison your network, you can use wire shark to 432 00:19:20.480 --> 00:19:21.880 monitor the ARP traffic. 433 00:19:22.000 --> 00:19:24.680 So I'd be looking for any suspicious ARP packets that 434 00:19:24.680 --> 00:19:25.680 don't seem quite right. 435 00:19:26.039 --> 00:19:31.279 Precisely, Remember that ARP maps IP addresses to MC addresses. Yes, 436 00:19:31.599 --> 00:19:34.559 if you see an ARP packet that claims to have 437 00:19:34.599 --> 00:19:37.799 the MC address of your router, but it's coming from 438 00:19:37.880 --> 00:19:41.359 a different device on your network. Okay, that's a huge 439 00:19:41.359 --> 00:19:41.880 red flag. 440 00:19:42.000 --> 00:19:46.039 Ah, so the attacker is essentially trying to impersonate my router, 441 00:19:46.839 --> 00:19:49.839 tricking my computer and descending traffic their way. 442 00:19:49.880 --> 00:19:50.519 Exactly. 443 00:19:50.720 --> 00:19:52.720 Wire Shark can help me expose this deception. 444 00:19:53.000 --> 00:19:56.000 That's right. Packet analysis can be an incredibly powerful tool 445 00:19:56.079 --> 00:19:58.319 for detecting and preventing security threats. 446 00:19:58.599 --> 00:20:00.359 This is eye opening. I'm starting to I think that 447 00:20:00.440 --> 00:20:03.880 everyone should have at least a basic understanding of packet analysis. 448 00:20:03.920 --> 00:20:04.599 I think so too. 449 00:20:04.799 --> 00:20:07.119 It's like having this superpower that lets you see through 450 00:20:07.160 --> 00:20:09.160 the illusions of the digital world. Yeah. 451 00:20:09.279 --> 00:20:11.839 The more people understand how networks work and how to 452 00:20:11.880 --> 00:20:15.400 analyze packets, yeah, the more resilient and secure our digital 453 00:20:15.400 --> 00:20:15.960 world will be. 454 00:20:16.359 --> 00:20:19.200 Okay, we've covered a lot of ground here, from capturing 455 00:20:19.240 --> 00:20:24.160 packets to filtering traffic, to analyzing specific protocols. Yeah, and 456 00:20:24.279 --> 00:20:27.880 even using visualizations to spot patterns. Right, but we've only 457 00:20:27.920 --> 00:20:30.920 scratched the surface of what packet analysis can do. We 458 00:20:31.039 --> 00:20:34.039 have I'm eager to hear about some more advanced applications 459 00:20:34.440 --> 00:20:37.079 and the ethical considerations we need to keep in mind 460 00:20:37.119 --> 00:20:38.559 when using this powerful tool. 461 00:20:38.880 --> 00:20:41.640 All right, Well that's a perfect topic for our next segment. 462 00:20:41.839 --> 00:20:45.359 Let's do it. All right, So we're back and we've 463 00:20:45.440 --> 00:20:47.960 journeyed pretty deep into the world of packet analysis. Yeah, 464 00:20:47.960 --> 00:20:51.279 we ah exploring how data travels the Internet and how 465 00:20:51.359 --> 00:20:54.440 wire Shark helps us decode these digital conversations. 466 00:20:54.519 --> 00:20:55.599 Yeah, it's been fun. 467 00:20:56.519 --> 00:20:58.720 But what are some of the more advanced uses of 468 00:20:58.759 --> 00:20:59.440 this knowledge? 469 00:20:59.519 --> 00:20:59.880 Okay? 470 00:21:00.039 --> 00:21:01.920 I feel like we've just learned the alphabet and there 471 00:21:01.960 --> 00:21:03.240 are these whole novels out there. 472 00:21:03.319 --> 00:21:04.359 That's a great way to put it. 473 00:21:04.400 --> 00:21:05.000 What can we do? 474 00:21:05.079 --> 00:21:06.799 And you're right, there's so much more we can do. 475 00:21:07.480 --> 00:21:11.400 Let's say you're struggling with a website that suddenly stopped working. Okay, 476 00:21:11.559 --> 00:21:14.880 pack and analysis can be like having a mechanics diagnostic 477 00:21:14.920 --> 00:21:15.920 tool for the Internet. 478 00:21:16.119 --> 00:21:18.839 So instead of just seeing like an error message, I 479 00:21:18.839 --> 00:21:22.720 can use wire Shark to actually trace the communication between 480 00:21:23.079 --> 00:21:26.000 my browser and the website server exactly. 481 00:21:26.240 --> 00:21:29.359 You can see the HTTP requests your browser sends, the 482 00:21:29.400 --> 00:21:33.720 service responses, and pinpoint where the brickdown occurs is the 483 00:21:33.759 --> 00:21:38.079 server down? Is their DNS issue preventing the connection? Pack 484 00:21:38.119 --> 00:21:40.359 and analysis can reveal the answer. 485 00:21:41.240 --> 00:21:43.960 That's incredibly helpful. It's like being able to see the 486 00:21:43.960 --> 00:21:47.079 gears turning behind the scenes, not just the final outcome. 487 00:21:47.640 --> 00:21:49.880 But is this just for websites or can we use 488 00:21:49.920 --> 00:21:51.599 this for other online applications too? 489 00:21:52.000 --> 00:21:56.200 Almost anything that communicates over a network can be analyzed. Okay, email, 490 00:21:56.240 --> 00:22:00.279 file sharing, video calls, you name it, wow back at 491 00:22:00.279 --> 00:22:03.640 analysis gives you this universal translator for understanding how these 492 00:22:03.640 --> 00:22:06.200 applications work and troubleshooting problems. 493 00:22:06.319 --> 00:22:09.160 So it's not just about fixing things when they break. 494 00:22:09.839 --> 00:22:13.359 We could use this to learn about new technologies, new protocols, 495 00:22:13.759 --> 00:22:16.519 even reverse engineer things to understand how they're built. 496 00:22:16.759 --> 00:22:19.799 Absolutely, Let's say you encounter a brand new protocol you've 497 00:22:19.839 --> 00:22:23.599 never seen before. You can use wire shark to dissect 498 00:22:23.640 --> 00:22:27.480 the packets, examine those header fields we discussed, and start 499 00:22:27.519 --> 00:22:29.559 piecing together what each part means. 500 00:22:30.039 --> 00:22:33.119 So it's like solving a puzzle, decoding a secret language exact. 501 00:22:33.119 --> 00:22:35.279 But where do you even begin with something completely new? 502 00:22:35.359 --> 00:22:37.920 Well, it's a bit like detective work. You use your 503 00:22:37.960 --> 00:22:42.839 knowledge of networking fundamentals, online resources, and good old fashioned 504 00:22:42.880 --> 00:22:46.119 trial and error. Okay, you might look for patterns in 505 00:22:46.160 --> 00:22:50.559 the data, compare it to known protocols and gradually build 506 00:22:50.559 --> 00:22:52.200 a picture of how it functions. 507 00:22:52.480 --> 00:22:55.119 So within a patience and persistence, we could uncover the 508 00:22:55.200 --> 00:22:58.079 secrets of even the most obscure protocols. 509 00:22:58.119 --> 00:22:58.519 We can. 510 00:22:58.799 --> 00:23:02.559 That's amazing. Yeah, but this brings up a question. With 511 00:23:02.720 --> 00:23:06.480 such power at our fingertips, how do we ensure that 512 00:23:06.559 --> 00:23:10.000 packet analysis is used responsibly and ethically. 513 00:23:10.079 --> 00:23:12.519 Yeah, that's a crucial point. It's like any powerful tool, 514 00:23:12.720 --> 00:23:14.960 it can be used for good or for ill. Respecting 515 00:23:14.960 --> 00:23:18.480 privacy is paramount. We should never analyze traffic that we 516 00:23:18.480 --> 00:23:19.960 don't have permission to access. 517 00:23:20.319 --> 00:23:23.519 So even though I technically could snoop on my roommate's 518 00:23:23.599 --> 00:23:25.960 online activity, yeah, I absolutely should not. 519 00:23:26.279 --> 00:23:29.759 No, you should not. Ethical considerations are really vital in 520 00:23:29.759 --> 00:23:30.279 this field. 521 00:23:30.319 --> 00:23:30.640 Okay. 522 00:23:30.759 --> 00:23:35.799 Packet analysis should be used for legitimate purposes like troubleshooting problems, 523 00:23:36.160 --> 00:23:40.920 improving security, or advancing our understanding of technology, guide not 524 00:23:41.160 --> 00:23:43.400 for spying or violating someone's privacy. 525 00:23:43.480 --> 00:23:45.640 Okay, So what about in a workplace setting? 526 00:23:45.799 --> 00:23:46.200 Yeah? 527 00:23:46.240 --> 00:23:47.880 Are there guidelines to keep in mind? 528 00:23:48.200 --> 00:23:52.680 Absolutely? In most cases, you'd need explicit authorization from your 529 00:23:52.759 --> 00:23:56.960 employer or clients before capturing and analyzing network traffic, and 530 00:23:57.039 --> 00:24:00.279 even then, transparency is key, explain what you're doing and 531 00:24:00.359 --> 00:24:01.039 why so. 532 00:24:01.200 --> 00:24:05.480 No secretly monitoring coworkers' Internet usage to see who's slacking off. 533 00:24:05.720 --> 00:24:09.839 Definitely not. It's all about using these skills responsibly and ethically. 534 00:24:10.440 --> 00:24:13.680 The power to analyze network traffic comes with the responsibility 535 00:24:13.759 --> 00:24:14.839 to use it wisely. 536 00:24:15.039 --> 00:24:17.240 This has been an incredible deep dive. I feel like 537 00:24:17.279 --> 00:24:19.759 I've gained a whole new perspective on how the Internet works, 538 00:24:20.200 --> 00:24:22.759 and I'm excited to explore further with wire Shark. 539 00:24:23.279 --> 00:24:23.839 Yeah. 540 00:24:23.880 --> 00:24:26.559 Any final words of wisdom for our listeners who are 541 00:24:26.799 --> 00:24:30.279 eager to embark on their own packet analysis adventures. 542 00:24:30.359 --> 00:24:33.400 Yeah, just remember this is a journey of continuous learning. 543 00:24:33.599 --> 00:24:33.960 Okay. 544 00:24:34.200 --> 00:24:38.960 The world of networking is constantly evolving, so stay curious, experiment, 545 00:24:39.039 --> 00:24:43.000 and never stop exploring. The more you understand how networks function, 546 00:24:43.480 --> 00:24:46.039 the better equipped you'll be to navigate the digital world. 547 00:24:46.480 --> 00:24:49.640 What a fantastic way to wrap things up. If you're 548 00:24:49.680 --> 00:24:53.039 intrigued by the possibilities of packet analysis, grab a copy 549 00:24:53.039 --> 00:24:56.079 of Practical Packet Analysis, download Wireshark, and start your own 550 00:24:56.160 --> 00:24:59.559 journey of discovery. Who knows what secrets you might uncover. 551 00:25:00.319 --> 00:25:02.279 Until next time, Happy packet hunting.