Network Security Tools / Wireshark pt. 2
Subtitles of the Movie
OK, we're in our Windows XP box and we've got the Wireshark network analyzer up and running. We're not seeing any traffic yet because we haven't started capturing. The first thing we want to do is click Capture and select an interface. If you've got multiple interfaces on your box, you'll see them listed here. We're going to start capturing on the 30.10 interface. We may not have any traffic there initially, so let's go ahead and create some: let's go on the web and pull up a little bit of traffic real quick by going to a website, the VTC.com website. That one little bit of going to a website probably created a lot of traffic, and in fact it did. Let's stop the capture now and take a look at what we got. We'll scroll up to the top so we can get an idea of what we see. There are three main panes here. First, the top pane is a line-by-line listing of all the packets you received and sent during this capture session. Below it, the selected packet is broken out layer by layer; if you're familiar with the OSI model, you'll see that this maps to it, starting with the lower-level standards and protocols and working up through the physical layer, data link layer, network layer, transport layer, application layer and so forth. The bottom pane shows a hexadecimal representation of any data in the packet, including plain text, which you can see there too. In the top pane we've got basically an index, the number of each packet received during this capture, a time index, and source and destination MAC or IP addresses. If traffic originated from a point such as our computer or another computer, the source is listed here and its destination is listed here, so you can follow entire conversations by watching the traffic capture.
You can also look at the protocol, such as ARP, DNS, TCP and so forth, that was used during the conversation, and then some information about the traffic itself, which is actually pretty cool. Let's actually start looking at some traffic. One of the first things we see is an ARP request and reply. ARP is a very basic protocol and this happens almost every time a computer needs to talk to another computer. ARP basically resolves hardware addresses to IP addresses; the higher-level protocols in the computer use the IP address, but the computers themselves need MAC addresses to talk to, so the first thing our computer does is ARP out. It wants to know the MAC address of the firewall because it's got to get to the firewall before it does anything, and the firewall replies with its IP address and MAC address. That's the second packet, the second frame here, and that's just the two-way exchange between the firewall and the client; a very easy piece of traffic to follow. Then I told the computer to go to VTC.com, so the first thing it needed to do was a DNS query. It sent a query to the firewall, which is its DNS server, saying "I need to know who VTC.com is". If you look down here at the details of this particular packet, here is the DNS query, on port 53 of course, and you can drill down in there and see what was actually requested: we're requesting the IP address of VTC.com, its host address. Now we can look at the response back from the DNS server on the firewall, actually .50, which basically gives us the answer. We know that before we communicate over the web using a domain name we have to have an IP address, because that's what computers understand, so it gives us the IP address here. So that is a standard DNS query over port 53.
Moving right along, we tried to contact the web server, VTC.com. If you look at these next three packets, the one highlighted right now and the two after it, we've got TCP and we've got an HTTP packet, but it's set with the SYN flag, so it's a SYN packet that's sent out. SYN means synchronize. When that flag is set, it means a computer wants to synchronize and start a conversation, and the reply back is called a SYN-ACK. This is the three-way TCP handshake you'll hear about: when TCP wants to start a conversation, the original computer first sends a SYN, and with the SYN it sends out certain information such as its sequence number, so that by sequence numbers the sending and receiving computers can actually synchronize their communication. So it sends the SYN out, the receiving computer replies with what's called a SYN-ACK (those flags are set right here), sending out its own sequence number and an acknowledgement number, which is usually one more than the originating computer's sequence number. That's why you've got this 0 and 1 sent back. The third and final part of the three-way handshake is the ACK, from the first computer, acknowledging the sequence number and sending its updated relative sequence number, one more, here. So that right there, as we can see, is the three-way handshake, and it takes place before every TCP communication session. Once that synchronization and acknowledgement process, the handshake, has happened, these two computers, our computer and the VTC.com website, can actually start talking to each other. Then we'll see some traffic come through here, with different flags set and so forth. We'll see a lot of traffic: maybe some retransmissions, another DNS query, this one for Google. So there's a lot of traffic actually going on.
That one little bit of web surfing we did for just a few brief seconds generated a lot of traffic: more ARP requests of course, some more SYN-ACKs, and some traffic being shut down. Now, Wireshark has a lot of different options and facilities that let you analyze, and actually step through, a TCP stream. I'll show you that process really quick. Let's go back up here to the original SYN packet and step through that TCP stream to see what we get. As you can see, that's basically an entire conversation, the entire web session of that brief moment of going to the web. This is everything that occurred during it, all the data that was sent. It's actually very possible, if you know what you're doing, to grab a session like this and reconstruct the entire session, including the web page graphics and so forth. You can see the entire HTTP session here, so Wireshark can give you not only a traffic analysis but the entire conversation that happened, and you can also filter on different things such as protocols, IP addresses and so forth. So Wireshark can do a lot of cool things. It's a very multi-functional traffic analyzer and sniffer, probably one of the best out there, and it's very popular. I would highly recommend, if you're going to become a network security professional, that you really get to know Wireshark: experiment with it, play with it, learn its tools, read up on it, get to know the ins and outs of it, because it's a very useful multi-purpose tool. As I said, this is Wireshark, one of the best traffic analyzers out there.
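As an added example (not code from the VTC course or from Wireshark), the script below does programmatically what the lesson does by eye in the packet list: it dissects raw IPv4/TCP packets, reads the SYN, SYN-ACK and ACK flags, checks that each acknowledgement number is the peer's initial sequence number plus one, prints Wireshark-style relative sequence numbers (each side's ISN shown as 0), and reassembles each direction of the stream the way stepping through a TCP stream does. The capture is constructed inline; the addresses 192.168.30.10 and 203.0.113.80, the ports, the initial sequence numbers and the HTTP request and reply are all made-up sample values, and checksums are left at zero because nothing is sent on the wire. The request is included twice to stand in for the retransmissions the lesson mentions, so the reassembly shows why a repeated sequence number must be counted once.

```python
"""Added example, not code from the VTC course: a stdlib-only dissector for raw
IPv4/TCP packets that does programmatically what the transcript does by eye in
Wireshark: read the SYN / SYN-ACK / ACK flags, check each ack number is the
peer's ISN + 1, show relative sequence numbers, and "follow" a TCP stream.
All packets, addresses, ports and ISNs below are constructed sample values."""
import struct
from collections import namedtuple

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
MASK32 = 0xFFFFFFFF
Packet = namedtuple("Packet", "src sport dst dport seq ack flags payload")

def flag_names(p):
    """Wireshark-style flag list, e.g. 'SYN,ACK'."""
    bits = ((SYN, "SYN"), (ACK, "ACK"), (PSH, "PSH"), (FIN, "FIN"), (RST, "RST"))
    return ",".join(name for bit, name in bits if p.flags & bit)

def build_ipv4_tcp(src, sport, dst, dport, seq, ack, flags, payload=b""):
    """Build a raw IPv4+TCP packet (checksums left zero; sample input only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp + payload

def parse_ipv4_tcp(raw):
    """Dissect the IPv4 and TCP headers, as Wireshark's middle pane does."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 6:
        raise ValueError("not a TCP packet")
    src = ".".join(map(str, raw[12:16]))
    dst = ".".join(map(str, raw[16:20]))
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    data_off = (off_flags >> 12) * 4     # TCP header length, given in 32-bit words
    return Packet(src, sport, dst, dport, seq, ack, off_flags & 0x1FF, raw[ihl + data_off:])

def find_handshake(packets):
    """Return (syn, synack, ack) for the first valid three-way handshake, else None.
    Both ack numbers must equal the peer's ISN + 1 (the relative 0/1 Wireshark shows)."""
    for i, syn in enumerate(packets):
        if syn.flags & (SYN | ACK) != SYN:
            continue
        fwd = (syn.src, syn.sport, syn.dst, syn.dport)
        rev = (syn.dst, syn.dport, syn.src, syn.sport)
        for synack in packets[i + 1:]:
            if ((synack.src, synack.sport, synack.dst, synack.dport) == rev
                    and synack.flags & (SYN | ACK) == SYN | ACK
                    and synack.ack == (syn.seq + 1) & MASK32):
                break
        else:
            continue
        for ack in packets[i + 2:]:
            if ((ack.src, ack.sport, ack.dst, ack.dport) == fwd
                    and ack.flags & (SYN | ACK) == ACK
                    and ack.seq == (syn.seq + 1) & MASK32
                    and ack.ack == (synack.seq + 1) & MASK32):
                return syn, synack, ack
    return None

def relative_numbers(packets):
    """Wireshark-style relative (seq, ack) per packet: each side's ISN maps to 0."""
    isn = {(p.src, p.sport): p.seq for p in packets if p.flags & SYN}
    return [((p.seq - isn[(p.src, p.sport)]) & MASK32,
             (p.ack - isn[(p.dst, p.dport)]) & MASK32 if p.flags & ACK else 0)
            for p in packets]

def follow_stream(packets, client, server):
    """Reassemble each direction's payload by sequence number (like Follow TCP Stream).
    A retransmission reuses its sequence number, so it is counted once."""
    out = {}
    for a, b in ((client, server), (server, client)):
        segs = {}
        for p in packets:
            if (p.src, p.sport) == a and (p.dst, p.dport) == b and p.payload:
                segs.setdefault(p.seq, p.payload)
        out[a] = b"".join(segs[s] for s in sorted(segs))
    return out

# Constructed sample capture: handshake, request sent twice (retransmission), reply.
C, S = ("192.168.30.10", 1025), ("203.0.113.80", 80)
CISN, SISN = 0x10000000, 0x7A5B0000
REQ = b"GET / HTTP/1.1\r\nHost: vtc.com\r\n\r\n"
RESP = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
RAW_CAPTURE = [
    build_ipv4_tcp(*C, *S, CISN, 0, SYN),
    build_ipv4_tcp(*S, *C, SISN, CISN + 1, SYN | ACK),
    build_ipv4_tcp(*C, *S, CISN + 1, SISN + 1, ACK),
    build_ipv4_tcp(*C, *S, CISN + 1, SISN + 1, PSH | ACK, REQ),
    build_ipv4_tcp(*C, *S, CISN + 1, SISN + 1, PSH | ACK, REQ),
    build_ipv4_tcp(*S, *C, SISN + 1, CISN + 1 + len(REQ), PSH | ACK, RESP),
]
PACKETS = [parse_ipv4_tcp(raw) for raw in RAW_CAPTURE]

if __name__ == "__main__":
    for n, (p, (rs, ra)) in enumerate(zip(PACKETS, relative_numbers(PACKETS)), 1):
        print(f"{n} {p.src}:{p.sport} -> {p.dst}:{p.dport} [{flag_names(p)}] seq={rs} ack={ra}")
    print("handshake:", find_handshake(PACKETS) is not None)
    print(follow_stream(PACKETS, C, S)[C].decode())
```

Running it prints a packet list much like Wireshark's top pane, with the SYN at relative seq 0, the SYN-ACK acknowledging 1, and the client's ACK at seq 1 / ack 1, followed by the reassembled request. The same flag-and-arithmetic check is what lets a capture be read for handshakes that never complete (a SYN with no SYN-ACK, or an ACK whose number does not match) when you are looking for failed or half-open connections in a larger trace.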
Tutorial Information
| Course: | Using Security Tools |
| Author: | Bobby Rogers |
| SKU: | 34068 |
| ISBN: | 1-935320-88-2 |
| Release Date: | 2009-12-04 |
| Duration: | 9 hrs / 91 lessons |
| Captions: | Available on CD and Online University |
| Compatibility: | Vista/XP/2000, OS X, Linux; QuickTime 7, Flash 8 |