Introduction to Wireshark
- Overview of the course and its objectives.
- Wireshark as an essential tool for network administrators.
- Benefits for both beginners and advanced users.
What is Wireshark?
- Open-source software for capturing and analyzing network traffic.
- Applications include tracing unauthorized traffic and confirming firewall settings.
- Importance in job postings for network administrators.
Basic Networking Concepts
IP Addresses
- Definition and purpose of IP addresses in device communication.
- Comparison to mailing addresses.
- Types of IP addresses: static vs. dynamic.
Ports
- Explanation of ports as docking points for information.
- Common port ranges and their associated services (e.g., HTTP, FTP, DNS).
MAC Addresses
- Definition and significance of MAC addresses in networking.
- Unique identification of network cards.
Protocols
- Overview of protocols as predefined rules for communication.
- Introduction to TCP/IP and its relevance. For a deeper understanding of these protocols, check out our summary on Understanding Networking Protocols: IP, TCP, and UDP Explained.
Installation and Setup of Wireshark
- Step-by-step guide for installing Wireshark on Linux (Fedora).
- Instructions for Windows and other operating systems.
- Common issues during installation and how to resolve them. For those interested in network setup, consider our guide on Mastering Packet Tracer: Step-by-Step Guide to Setting Up a Network.
Using Wireshark
- Starting a live capture session.
- Understanding the user interface and features.
- Importance of applying filters to manage traffic data.
Command-Line Interface for Wireshark
- Introduction to using Wireshark without a graphical interface.
- Benefits of command-line usage in server environments.
Analyzing Network Traffic with Nmap
- Overview of Nmap as a network scanning tool.
- How to use Nmap in conjunction with Wireshark for traffic analysis. For a comprehensive understanding of ethical hacking techniques that can complement your skills in using these tools, refer to our Comprehensive Guide to Ethical Hacking: From Basics to Advanced Concepts.
Remote Capture Techniques
- Capturing traffic from remote machines using SSH and tcpdump.
- Setting up a secure connection for traffic analysis.
Conclusion
- Recap of the key concepts covered in the tutorial series.
- Encouragement to practice and explore Wireshark further.
Hello and welcome to this Wireshark tutorial series. Before we start digging deep down into all that technical stuff, I would first like to give you a bit of an intro so that you may have a better understanding of what the course is about and what you can expect to learn from it. Let me just begin by saying that this course is meant to teach you how to effectively use Wireshark to capture and analyze network traffic. A key thing to note here is that the course layout is such that it really does not matter whether you are a beginner or an advanced user; either way you will be able to benefit from it to a great extent.

Now I'll just deal with some questions: what is Wireshark, what do you use it for, and why should you learn how to use it? Well, Wireshark is an open-source program that is used to capture and analyze network traffic. It is a must-have for pretty much every network admin out there; it is the number one piece of software for its purpose. In the real world, on larger scales, it has countless applications, ranging all the way from tracing down unauthorized traffic to confirming firewall settings and so on. I will talk more about this as we continue to progress through the series, but for the time being I just wanted to give you a glimpse of it. If you go on the net and take a look at job postings for network administrators, more often than not at any of the bigger companies advanced knowledge of Wireshark will be stated as a requirement or it will be listed as a big plus, so either way it's beneficial. If you're preparing yourself to work as a network administrator, this course will undoubtedly be of great use to you, but regardless, even if you are a casual user, it will help you to better understand how your computer, and not only your computer but all of your devices (smartphone, laptop, desktop computer, router, switch, etc.), communicate in local area networks or with the rest of the world.

Okay, so before I wrap this up I would like to make a personal note. As you can see here on my screen, I have Wireshark installed and configured; it is up and running and there is currently a live capture session in progress. This is approximately how our tutorials will look. This will be our working space; this is where we will conduct pretty much all of our activities. However, if this is the first time that you have encountered something of the kind, it might seem a little bit intimidating, especially if you don't have any networking experience. Believe me when I say it is not. If you stick with me, by the end of this course you will be able to understand everything that is written on this screen and much, much more. What I would advise you to be is curious, as it does stimulate you to mess around with stuff, although if you do decide to conduct some sort of experiments, I would strongly recommend that you set up some virtual machines, as it does make things a lot easier. And remember, in general, if you wish to learn something you must be willing to devote a certain amount of time and labor, and in our line of work more often than not you will require nerves of steel. In the beginning things will seem a bit difficult: you will try to solve problems, they won't make sense, it will be frustrating, but stick with it, get through the first steps and things will become a lot smoother as we continue our progression through this course. Now that we got all of that stuff out of the way, we can begin with our first lesson in the next video. I sincerely hope that you will join me there.

Hello everybody, and welcome to this first tutorial of the series.
Here we'll review some of the basic concepts in regard to network traffic. It is very important for you to understand some of the basic terms so that the information we will later gather with Wireshark can be understood. Key note here: if you feel that you are already familiar with basic concepts such as IP addresses, MAC addresses, ports, protocols and so on, you can go ahead and skip to the installation and setup tutorial.

Okay then. Most likely at some point in time you have heard the term IP address, but you never really understood what it actually is or what it is used for. IP addresses, in essence, were designed in order to make it possible for devices to communicate with one another within local networks or in general over the Internet, and that is the primary purpose of an IP address. Aside from that, it can also be used to get an approximate idea of the physical location of the device that is using it. Basically you can compare it to a mailing address: it is unique and used for sending packets. Computers and other devices work on similar principles as your local mail: you specify the recipient and sender address, take the letter or packet to the mail office and send it. Computers pretty much do the same thing, except instead of a street address they use an IP address. Internet Protocol, or IP as it is more commonly known, is just a set of predefined rules that dictate the terms under which communication shall be conducted; for example, it enables you to browse the web by enabling you to contact a series of servers which also operate on the same protocol. IP addresses consist of four numbers, and each of the four numbers can go from 0 to 255; the delimiter used to separate them is a dot.

Here's an example of how it looks. I have my terminal set up here and I'm just going to type ifconfig, which is going to list out all of my interfaces. I have a loopback, which is lo; the first one I have is p8p1, which is my Ethernet connection; I have virbr1, which is for my virtual machines; and the one that we are going to be focusing on now is wlp2s0, which is my wireless interface. So I'm just going to clear the screen first and then type ifconfig wlp2s0. There we go. It gives you a bunch of information here, and we're not interested in most of it, as most of it is of really no use to us at the moment. The part that we are interested in is "inet": the address, the IP address of the interface. You have 192.168.1.2, so this is basically how it looks: 192 dot 168 dot 1 dot 2. Each one of these numbers, for example let's take this 2, can go from 0 to 255, so you can literally make billions upon billions of combinations with these numbers. A very, very simple concept to comprehend; there's nothing too complicated about it. Later we'll deal with the interfaces and other things, but for the moment I just wanted to show you what an IP address is, how it is used, where it is assigned and where you can find it.

Anyway, there are two basic types of IP addresses: static and dynamic. Most private users have a dynamic IP address, while on the other hand business users and servers mostly have static IP addresses. Static addresses, once assigned, do not change, and facilitate a stable and reliable way for other devices to communicate with the given server on which various services are running, while dynamic IP addresses change every time a device connects to the Internet or the local network, making it a lot more difficult for anyone to contact you, simply because they won't know your address, as it changes quite often. Both dynamic and static IP addresses are provided by Internet service providers.
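As an added example (not part of the video), here is a small Python script that does what the narrator does by hand with ifconfig: it parses the interface list, checks that each of the four numbers in an address is in 0..255, and uses the netmask that ifconfig prints next to the address to decide whether a destination is on the local network or has to leave through the rest of the world. The ifconfig text is constructed in the style of the video's output; the interface names are the ones read out, 192.168.1.2/24 on wlp2s0 is the address shown on screen, and the other addresses are assumed.

```python
import ipaddress
import re

# Constructed sample in the style of the ifconfig output shown in the video. Only the
# wlp2s0 address is the one from the screen; lo/virbr1 addresses are assumed and p8p1
# deliberately has no address (cable unplugged) to show how that case is handled.
SAMPLE_IFCONFIG = """\
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
p8p1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
virbr1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
wlp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.2  netmask 255.255.255.0  broadcast 192.168.1.255
"""

IFACE_RE = re.compile(r"^(\S+): flags=")
INET_RE = re.compile(r"inet (\S+)\s+netmask (\S+)(?:\s+broadcast (\S+))?")


def valid_ipv4(text):
    """True only for a dotted quad whose four numbers are each in 0..255."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ipaddress.AddressValueError:
        return False


def broadcast_matches(addr, mask, bcast):
    """Check that the broadcast address ifconfig prints agrees with the address/mask pair."""
    net = ipaddress.IPv4Interface(f"{addr}/{mask}").network
    return ipaddress.IPv4Address(bcast) == net.broadcast_address


def parse_ifconfig(text):
    """Map interface name -> IPv4Interface for every interface that has an inet line."""
    ifaces, current = {}, None
    for line in text.splitlines():
        head = IFACE_RE.match(line)
        if head:
            current = head.group(1)
            continue
        inet = INET_RE.search(line)
        if inet and current:
            addr, mask, bcast = inet.groups()
            if not valid_ipv4(addr) or not valid_ipv4(mask):
                raise ValueError(f"{current}: malformed address line: {line.strip()}")
            if bcast and not broadcast_matches(addr, mask, bcast):
                raise ValueError(f"{current}: broadcast {bcast} does not fit {addr}/{mask}")
            ifaces[current] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return ifaces


def address_scope(addr):
    """loopback / private (RFC 1918, only meaningful on the LAN) / public (routable on the Internet)."""
    a = ipaddress.IPv4Address(addr)
    if a.is_loopback:
        return "loopback"
    if a.is_private:
        return "private"
    return "public"


def on_link_interface(ifaces, dest):
    """Name of the interface whose subnet contains dest (longest prefix wins), or None
    when the packet has to go to the default gateway instead."""
    d, best = ipaddress.IPv4Address(dest), None
    for name, iface in ifaces.items():
        if d in iface.network and (best is None or iface.network.prefixlen > ifaces[best].network.prefixlen):
            best = name
    return best


if __name__ == "__main__":
    table = parse_ifconfig(SAMPLE_IFCONFIG)
    for name, iface in table.items():
        print(f"{name:8} {str(iface.ip):<15} {iface.network}  {address_scope(str(iface.ip))}")
    for dest in ("192.168.1.1", "192.168.122.20", "8.8.8.8"):
        print(dest, "->", on_link_interface(table, dest) or "default gateway")
```

The broadcast check is there because a netmask typo is a common misconfiguration: ifconfig prints the broadcast it derived, and if that does not match the address and mask, the interface is not on the subnet you think it is.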
Okay, now that we have a basic understanding of what IP addresses are, we can move on to ports. Computer ports are in essence docking points for all the information coming to our devices and all the packets that are being transmitted by them. They work in combination with IP addresses, directing all outgoing and incoming packets to their proper places. Port ranges are defined and numbered; for example, the most common ports range between 0 and 1023, but the numbers go a lot higher than that, so you have a pretty big range to work with. Here is a simple list of some well-known services and the ports on which they run: you have FTP, which runs on port 21 (FTP is the File Transfer Protocol, if you haven't heard about it); you have HTTP, which you all use on pretty much a daily basis, on port 80; HTTPS, same scenario there, except that the information on port 443, over HTTPS, is encrypted; and we have DNS, which works on port 53. I'm sure that you've already heard about the other ones or are familiar with them to an extent, but let me just quickly and briefly say what DNS does: it basically resolves domain names to IP addresses and vice versa. For example, google.com would be a domain name. I don't know the IP address of it, but let me just find out: we can just do ping google.com, and I'm going to interrupt the ping here. So you have it here, this is the IP address of google.com; basically what DNS does is resolve this into this, and it can also be used to do the reverse. But enough about this; I will expand on this subject at some other point in time during these tutorials, once we actually go into Wireshark and start talking about filters and filtering protocols, etc. For the time being we'll just keep our focus on the ports. Each individual port range has its particular purpose and will direct all packets in predefined directions.

Here, allow me to do a bit of a demonstration. I'm just going to clear my screen and show you what ports are open on my computer, what ports I am listening on, so I just do nmap localhost. There we go. Just disregard this upper part and concentrate on this one here: you see it says port 111, state open, rpcbind, that's the service; 631, ipp, IPP is the Internet Printing Protocol, which I should probably close because I have no use for it. But here I'm going to start my Apache web server, and immediately after that you will see that I will start listening on port 80: service httpd start, there we go. I'm just going to do the nmap again, there we go, so now you can see that I am listening on port 80, it is open and the service is HTTP. All traffic coming to me on this port will be directed here: see, I have localhost there, so http://localhost, and it throws me to this page, the beginning page of the Apache server, which is not configured. Anyway, that's just a bit of how traffic gets directed, and we will expand on ports a bit more later on as we dig into Wireshark, but for the moment I just wanted to give you some basic ideas so that you would have some sort of basic understanding upon which we will later be able to expand. And now we can deal with MAC addresses.
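The before-and-after nmap run above is worth turning into a check you can repeat. The following Python is an added example, not code from the video: it parses nmap's normal output (sample output constructed to match the ports named above; the "Not shown" counts are assumed), reports which listeners appeared after Apache was started, and flags anything open that is not on an allow-list, which is the "confirming firewall settings" use mentioned in the introduction. It also classifies a port into the IANA ranges the 0..1023 remark refers to.

```python
import re

# Constructed output in the style of the two `nmap localhost` runs in the video:
# NMAP_BEFORE is before `service httpd start`, NMAP_AFTER is after it.
NMAP_BEFORE = """\
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000020s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
111/tcp open  rpcbind
631/tcp open  ipp
"""
NMAP_AFTER = """\
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000020s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
80/tcp  open  http
111/tcp open  rpcbind
631/tcp open  ipp
"""

PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)")


def port_class(port):
    """IANA ranges: well-known 0-1023, registered 1024-49151, dynamic/private 49152-65535."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def parse_nmap(text):
    """Return {(port, proto): (state, service)} from nmap's normal (human-readable) output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service = m.groups()
            ports[(int(port), proto)] = (state, service)
    return ports


def open_ports(text):
    """Sorted (port, proto) pairs nmap reported as open; 'open|filtered' is not counted."""
    return sorted(key for key, (state, _) in parse_nmap(text).items() if state == "open")


def newly_opened(before, after):
    """Listeners that appeared between two scans: the first thing to check after a change."""
    return sorted(set(open_ports(after)) - set(open_ports(before)))


def unexpected_listeners(text, allowed):
    """Open ports not on the allow-list, with the service nmap guessed, so a host can be
    checked against what it is supposed to expose."""
    table = parse_nmap(text)
    return [(port, proto, table[(port, proto)][1])
            for port, proto in open_ports(text) if (port, proto) not in allowed]


if __name__ == "__main__":
    print("opened by starting Apache:", newly_opened(NMAP_BEFORE, NMAP_AFTER))
    for port, proto, svc in unexpected_listeners(NMAP_AFTER, allowed={(80, "tcp")}):
        print(f"unexpected: {port}/{proto} ({svc}, {port_class(port)} port)")
```

Note that the SERVICE column is only nmap's name for the port number unless you scan with version detection; treat it as a hint, and use the packet capture to see what is really talking on that port.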
MAC, it is spelled M-A-C, stands for media access control address, and that is a burnt-in hardware address that uniquely identifies not your device in terms of networking, but rather your network card. Here's a short demonstration: I'm just going to clear the screen and do ifconfig, and you can see that there are various interfaces here as before. Each one of these interfaces has its own MAC address; that is the MAC address of the network card to which the interface is configured. So you see this one is bc:85:56:e6:a5:05, my wired interface is 74:86... and so on. You see, each one of these that is used to connect to the Internet or something of the kind has its own MAC address and it is uniquely identified, on the local network, not on the Internet, but rather on the local network.

Anyway, let me just round this up with protocols. A protocol, in any system in general, is just a set of predefined rules that determine how something should be done. In regard to computers, protocols are agreed-upon or standardized ways of communication. To give you a real-life comparison, just try to imagine two people trying to communicate. What would they need? Well, for starters they would need to agree upon which language to use, and preferably when one talks the other should listen (but as you know, this is commonly not the case), and that would be a protocol, basically: they agree "okay, you will talk now and I will listen, then I will speak and you will listen, and we will use this language to communicate," and those are the predefined rules that make up a protocol. One of the most famous protocols today, one of the most used ones, the proper thing to say is TCP/IP: TCP stands for Transmission Control Protocol, and IP I have mentioned before, that is Internet Protocol. We will deal in great detail in later tutorials with TCP, UDP and other protocols of a similar kind, but for the moment I just want to give you a hint of what is to come, and it would be unwise of me to deal with it now, as that is a subject for itself.
Now that we are acquainted with some of the basic terms, you can see how, by just getting the IP address of a device, we are more or less by default given a sea of useful information. For example, from an IP address you can conclude where the device is located physically, I mean not only the country it is coming from, but the city, where in the city, etc. You have websites today that you can go to and type in an IP, and it will give you a relatively precise physical location of that IP; it won't be exact, but it will be good enough, trust me. And if we do a scan of the system and figure out which ports are open, on which ports the system is listening, we will be able to conclude in a good amount of cases what applications are running on the server, or wherever. All of this will be of great use to us later on, primarily because we will do IP filters, port filters and protocol filters, so all these things will come together once we actually start up Wireshark and start using it. Next up we will go over the OSI model, but briefly, and immediately after that we will actually start using Wireshark: first we will do the installation and configuration, then I'll show you the various options that it has and, most importantly of all, we will go over traffic capturing and filtering, analyzing it and so on and so forth. In any case, thank you for watching; I bid you farewell until next time. Bye!
Hello everybody, and welcome to this tutorial. Here I will show you how to install and set up Wireshark. Before I begin the installation process itself, let me just say a few words about the environment that I'm using. My operating system is Linux, to be more precise Fedora 20; it is a 64-bit system, so you will see how this comes into play when we go into packages. I'm just going to exit root mode to make a point here, and I'm going to clear the screen. In Fedora, which is a Red Hat based distro, we have yum, which is basically your installation manager, that's the best explanation I can give for it. We go ahead and type in yum search wireshark, and every package within the repositories that are to be used that has the Wireshark name in it, be it in the actual name of the package or in the description of the package, will be displayed here. You can go ahead and skip these things immediately, the development headers and libraries; we don't actually need that, we need the program itself. So down below we have Wireshark for 32-bit architectures and for 64-bit architectures. If you're not sure which one you are using, you can just type in uname -a, and here you go, just look for this one here: Linux localhost.localdomain, the kernel version for Fedora 20, and here we go, x86_64. No problems, now we know for sure that it is a 64-bit system, and I'm just going to go ahead and begin the installation process. I am going to install wireshark-gnome even though I am using a KDE desktop. There's GNOME, there's KDE and there are a ton of other desktops for Linux distros; I have found out that these two have some serious problems, I mean they don't work well with Fedora. In any case, just go ahead and grab this one, copy it, and type yum install and paste this. Oops, what has happened here? It says "you need to be root to perform this command". As I said previously, I exited root deliberately, just to show you that you need to be root or have such permissions; as a regular user you need to be a superuser or something of the kind in order to be able to perform any sort of installation from the repositories on the system. Just go ahead and type su (you can also type sudo su, I don't know the configuration of the distro you're using); I just type in su and type in the password. There we go. I'm just going to change the directory, not that that makes any difference, but I did it anyway, clear the screen, and go ahead and type again yum install wireshark. Now I don't actually need to type it, I have it here, so I'm just going to paste it, press Enter, and it's going to begin the installation process. It's going to give you a ton of information, but I wanted to stop it here for a reason: I didn't give it the -y argument to go ahead and skip through this, so you can see that it is installing wireshark-gnome and it is automatically installing its dependencies as well. So I just press y here, press Enter, and the installation process will go ahead.

While this is happening, just in case you are using some other distribution or a different operating system: I'm just going to clear the screen out here, and in case you're using a Debian based distribution, you would type a command that looks like this, apt-get install and then the name of the package, like wireshark. I think if you just type in wireshark it's going to find by default the one that you need, especially in Ubuntu, if I'm not mistaken. But in case you're not using Linux, in case you're using Windows, you need to go out to the web, type in Wireshark, go ahead and search for it and see what comes out. The first one is the official website, go ahead and visit it. Let me just expand this across the screen. So the website is www.wireshark.org; you have all sorts of things here, even books, but most importantly of all, as I wanted to say, there is the download button. You press download and there you go, you have Windows installers, two of them, 64-bit and 32-bit versions, and you even have a portable app (Wireshark is a portable app), you have it for OS X, etc. A lot of people out there will scream at me for saying this, but if you are uncertain which architecture you have, is it 32-bit or 64-bit, and you don't know how to check it at a specific point in time (even though you can just go online and type in "how do I check the architecture" for pretty much any operating system out there), in case you're lazy and you don't want to find out, or you don't know how, you can always install the 32-bit versions and they should work, 99% guaranteed. The process does not work vice versa: 32-bit can work on 64-bit, but 64-bit cannot work on 32-bit. What I've just said does not just apply to Wireshark, this is in general, pretty much for all the applications out there. I'm going to go ahead and close this browser. I do believe that the installation process is complete. Yep, there we go, so we get a lot of information here along with the installation process: it is installing this, installing this, and verifying the installation. It says "Installed: wireshark-gnome" and "Dependency Installed: wireshark.x86_64", so you do need the green part in all of this. Anyway,
we're going to start up Wireshark, but we're going to start it as root. Now, why can't we just start it as a regular program from an ordinary user? Well, you basically can, but you need to extensively configure it, and even so you will be prompted for a root password, and some of the services that run in the background that you don't actually notice will have to run as root. Generally, some people claim that's a security issue, but I mean, if you are the only person that's going to use that computer, if this is your computer, obviously you're not going to do any sort of shenanigans or anything like that, so just go ahead and start it as root and don't worry about a thing. So Wireshark just started. It's an open-source application, so you know that, even though you perhaps cannot understand it, you can rest assured that there is nothing malicious in it, primarily because pretty much everybody out there can see it, and certainly there would be somebody out there screaming if there were something wrong with it.
Anyway, there we go, Wireshark is installed and ready to be used. I'm just going to go ahead and start a live capture to do a small demonstration before I wrap this up. Look at the number of interfaces it has recognized on my computer: we have Bluetooth, we have these (I'm not sure what those ones are), this one is for the virtual machines, you can even capture traffic from USB (unfortunately my laptop has only three USB ports, so I have to use extensions, etc.), and you even have an option to listen on any of these interfaces. So if you don't know, or if you don't want to bother finding out, which interface you are using and through which interface you are connected to the net, you can just listen on all of them, and whatever traffic comes, you can capture it. But I don't really recommend that if you're troubleshooting an issue or if you are really looking for something specific; there are uses for this option, but what I generally like to do is simply go ahead and open up my terminal. This is one method that you can use, but there's another one which I will show in a moment. I just like to go ahead and type in ifconfig, press Enter, and as before you have a list of interfaces here. I know that I'm using p8p1, the wired interface, primarily because my network cable is plugged in and my wireless router is turned off for the moment, so I can't even connect to it even if I wanted to; you can see I don't have an IP address assigned here. This virtual interface is just for traffic from virtual machines, and none of them are up and running. I know it's not loopback, because that's only for local things on the computer itself. And you can see that the Internet address has been assigned: you have a netmask, you have a broadcast, and down here you have numbers, these values are not empty, so packets are passing through this. But a much, much easier way to figure out which interface you are actually using would be to go to your local network manager. Mine is in the upper right corner; just open it up and you can physically see it says p8p1 connected in the active connections list, and down below you have available connections to which I am not connected. Where your network manager is really depends on how you configure your desktop; by default I do believe that it's in the bottom right corner, and you can click on it and open it, but I'm sure you won't have any problems finding it, that's the easy part. Anyway, once we have figured out which interface we're using and where we want to capture traffic, we just find it here, so there we go: p8p1. One key thing to note: if you're using
some other distro, for example a Debian based distro or something of the kind, you're probably going to have names such as eth0 and eth1 for your interfaces; the naming conventions are not the same, so that can be a bit confusing, but no problem, you'll still be able to figure it out. The names won't be exactly as mine are, but you'll still be able to figure it out just by looking at it: eth0 usually represents the wired connection and eth1 the wireless connection, as far as I've seen. Anyway, it doesn't have to be the case, but it usually is; just check it out, see it, and as a final resort you have your network manager, where we can be absolutely certain. So p8p1, you click on it, you mark it, it will turn blue, it needs to turn blue like this, and there is this green glowing shark fin in the upper left corner; when you go over it with the mouse it says "start new live capture", and that is exactly what we shall do at this point in time. Just click on it and we should start getting in packets any moment now. There we go.

So in the next tutorial I will explain the features of Wireshark: what these buttons are doing, what you can do with these menus, what is where. But most important of all, this will be our working space. Where it says Filter, this is where we shall apply various filters to basically seclude portions of traffic or to only get certain kinds of traffic, because look at this now: I mean, you're getting all sorts of information, all sorts of protocols coming in on all ports, and it's just chaos. One could interpret this as white noise, because you cannot distinguish relevant information. But what you can do is apply filters and then see what you want to see, or see segments of that. Just before I finish, I want to show you something: look, it's installed, it's set up, it's running, everything's fine, it's working, but if you install it for the first time this issue can arise. This bar, or this window, let me just try to grab it, ah, there we go, come on, come with me up, there we go: it climbs up all the way to the top. So your first Wireshark can look like this, this lower window is completely expanded and it's blocking the upper one so you can't see it, and you might think "oh man, there's an error" or "I didn't do the installation the proper way" or something of the kind. It took me about 20 minutes to figure it out, a bit of an annoying thing. Basically just pull it down, that's it. I don't know, a bit of an annoying thing; I think it's fixed with updates, but it tends to happen from time to time and you don't know what's wrong, you just need to tamper with it a little bit and then figure it out. That would be it. I thank you for your time and I bid you farewell till the next tutorial.

Hello everybody,
and welcome to this tutorial. Today I am going to be talking about the command-line interface for Wireshark, but before I go into all of that, let me just say that we went over the first portion of our course and we have learned some of the basic and fundamental things needed for us to use Wireshark and to successfully capture traffic with it. From this point onwards we will start to deal with semi-advanced things and we will move on to advanced things. If you haven't watched the first part and you've never encountered Wireshark before, make sure to tune in there and have a look at those videos, and then come here, because here I am NOT going to be using the graphical interface for Wireshark.

Now you might ask yourselves why; why should anybody not want to use the graphical interface? I mean, surely it is easier. Well, yeah, theoretically it is easier, primarily because people are used to just clicking places instead of typing in commands; however, not all environments will support graphical interfaces, especially server environments, and that is most likely where you will need to go and capture traffic. Routers, for example, will not support graphical environments, but you won't be able to install Wireshark on a router anyway. For routers I will have a separate section where I will explain how you can capture traffic, be it on your local router inside of your home or on some remote router within a LAN or something of the kind. In any case, today I want to focus on this command-line interface and I want to show you how you can actually do this within an environment that doesn't have a graphical interface at all, for example some sort of a server such as a web server, a DNS server or something of the kind, where you won't be able to do anything else other than use the command-line interface. There is actually another option, which is quite common these days as well: you can set your server up in such a way that it forwards information to a certain place, and that certain place can be your computer or workstation with Wireshark installed, and in such a way you can capture traffic as well. That is what they mostly do on routers: they set up one port on the router to which all data is copied and transmitted, and in such a way you can also monitor traffic. But with that we shall deal a bit later on; for the time being I just want to introduce you to this command-line interface and I want you to see how it works, what its capabilities are and what you can actually do with it.

One more thing to note is that you can have an active interaction between your command-line interface and your graphical interface. For example, you can create a file on a server somewhere that doesn't have a graphical interface, and then you can use the command-line interface of Wireshark to capture all the packets and put them into that file. Afterwards you can either send the file via mail, or you can save it to a USB stick and bring it physically to a different computer or something of the kind where you have a graphical interface. Afterwards, all that information that is saved within a file, a pcap file (that's the extension for Wireshark files, it's just .pcap; you know you have different extensions like .txt or similar, well, for Wireshark files it's .pcap, so p and then cap, c-a-p), anyway, you can import that file into Wireshark, the one that actually has a graphical interface, and analyze it there, apply filters to it. It's not going to be a live capture session, but you're going to have a file which you will be able to filter, see the packets, etc. I will show this in greater detail as we progress through this tutorial.
being I just wanted to introduce you to the command line interface of Wireshark so without further ado I'm just going to
go ahead and type in the shark oops that didn't work out so the shark which is a command for wash for wash or command
line interface and I'm going to type in the dash dash help press ENTER and this is going to list out this is going to
give us a list of possible arguments that we can pass to a command let me just explain this a bit better so
d shark is a command and then you can use - and I don't know - H you're just passing arguments to this command these
arguments can vary I don't know you have - age 4 list of all the options that you can put list of all the options that you
have you can have - W - write the output to a file or something of a kind worry not about it
I will go pretty much through all of these arguments separately I will explain in detail what each one of them
does and by the end of the day you will be able to use command line interface successfully without any problems or
anything of a kind and you will understand the power of it what you can do with it and where it will Excel the
most because you know speaking you know in all honesty you will need the command line interface whether you like typing
commands in or not eventually at some point of time as a network administrator you will have to use it primarily
because you will encounter these environments where you simply don't have any sort of graphics of whatsoever be
that being that being left aside for the time being I'm just going to go ahead and scroll upward and you can see all
the incredible amount of argument that you can actually pass ranging from filtering the outputs to giving flags
when to stop the capture or even when to start to capture so for example you can specify start to capture in an hour
capture packets for I don't know 30 minutes stop then repeat the process again in two hours or something of a
kind the possibilities are practically infinite which is very nice because it
fits tools it can be made to fit to all situations so to say and here we go I have typed into shark help here and the
listing begins from there I don't know you have some copyright things here regarding Wireshark it's completely
open-source so you don't have to worry about that you see the copyright here says that it doesn't claim
responsibility for the use of Wireshark and that it doesn't guarantee that it's fit for any particular purpose so if you
don't succeed doing anything with it it's not their problem they didn't guarantee
anything but more of more likely than not it will come in handy and very and be very useful in a lot of situations
anyway in the follow-up tutorials I'm going to explain these commands these arguments what they do we're going to
use a lot of them and demonstrate how they can be effective in various situation thank you for your time and I
hope I'll see you in the next tutorial hello everybody and welcome to this tutorial today I will be talking about
nmap and how you can analyze its traffic with Wireshark. So nmap is a tool for scanning networks; you use it to scan networks, basically. It can give you a great deal of useful information. For example, if you're in a LAN it can give you the MAC addresses of the machines that are within the LAN, provided of course that you know the IP addresses, but even if you don't know the IP addresses you can just scan the entire subnet or something of the kind. It can also determine which operating systems are running on remote machines, whether they are in the LAN or outside; it doesn't matter, it will conduct the scan. But primarily it can tell you what ports are open on the system, and if it tells you what ports are open on the system you can conclude a great deal of things from that. For example, you can figure out which services are running, and you can assume which operating system is running there, because you have some default open ports on some systems, and in such a way you can get more information.

Now, you shouldn't scan a system that you do not own or have explicit permission to scan, because that is not permitted. However, today, within my lab environment, I will be scanning my own virtual machine, and I will show you how you can monitor the traffic and, more importantly, how you can monitor the size of the traffic, because the fewer packets you have, the lower the probability is that your scan will be detected, and you have a lower chance that the firewall will actually stop your scan as well. This is very important for people who are into penetration testing; they tend to use this method: basically just scan a virtual machine with nmap and then have Wireshark monitor the scan, and in such a way see which parameters, which sort of scan in nmap, will generate the least amount of traffic. In any case, as I said, people in pen testing who do this have permission to scan the systems and to perform these kinds of tasks, so unless you own the system or have permission to scan the system, do not do it, as it is not permitted.

Anyway, what you will need for this tutorial is nmap installed on your system. On Linux it's pretty easy; there isn't that much science or that much thinking to it, so to say. As you can see, I've just typed in here yum search nmap with the -C option; it basically just tells my package manager, yum, do not perform updates at this time, just try to find the package nmap. You don't need to worry about that, and as soon as you type that you get output down here. So, I don't know, you have some sort of things here which you are not really that interested in. This is also a very, very interesting tool: it says nmap's netcat replacement, but nothing's ever going to replace netcat. Netcat, I mean, seriously, that's one of the tools that has been around for quite a while, and if you don't know what it is I strongly advise that you get familiar with it. That is one small task that I have for you if you wish to learn more about networking, monitoring networks and troubleshooting them: netcat is a fantastic tool. It allows you to connect on pretty much any port in any way, it supports a great deal of protocols, and it is fantastic for testing. It's completely free, you don't need to pay anything for it, it's open source. So yeah, I'm not selling anything or anything of the kind, just have a look at it. If you plan to do something with networks or have a career there, you're definitely going to need that tool.

Anyway, coming back to the subject: down below you have nmap.x86_64; it says "network exploration tool and security scanner". Basically that is precisely what it is: as I said, it just scans the networks and it gives you a lot of information. If you wish to install it, just type in yum install and then nmap, and there we go, that should do it; that will install the package without any problems. As you can see, I've pressed Tab with a wrong argument and it has given me some rather weird options, but that's irrelevant; you just type in yum install nmap and it's going to run through.

If you just go ahead and clear the screen now: I do have my virtual machine set up here, one of them anyway. It's just a different edition of Fedora, the next one, 21, where I'm testing it. This is a live boot, not an actual installation, that's why it's running a bit slower. So its IP address is 192.168.1.4, and that is the IP address which I wish to scan and monitor the traffic of. So let me just go ahead and start a live capture of my wired interface, bap1, and apply my filter here; you should know this filter by now. Apply, there we go. So there isn't any traffic now, I mean there is traffic, but nothing is really being displayed, because I have told it that the source IP address has to be me, basically this is the IP address of the machine that I'm using at the moment, and the destination IP address has to be the virtual machine; this is the IP address of the virtual machine that you saw a moment ago. So, as you can see, there is no traffic now, nothing of the kind. Down below you have the amount of packets: it says packets 21 and displayed 0. Excellent, that is precisely what we want. Now we can conduct our scan.

So let's begin with the basic, fundamental nmap scan. I'm just going to go ahead and type nmap and type in the IP address, so 192.168.1.0, and remember to pass the option double v, so not w but double v. You can also say one or two; basically this defines the verbose output, how much information you want the program to give you in regard to what it is doing at the moment, and I always like to be informed, so I always pass the double v here. It comes in quite handy because, I don't know, sometimes nmap scans will take a while and you will just see a blank screen; you won't see anything happening, there will be no progress bar or anything of the kind, and you will think "oh, it's a bug" or something of the kind, and you will interrupt the scan; then you will need to do the whole thing all over again. Like this you can see what it is telling you. There we go, it says starting nmap, initializing ARP ping, scanning 192.168.1.4, and it's clearly telling you what it is doing. There we go, the traffic is now being generated and we have a lot of things here that are going back and forth, and there you go, the scan is finished. This is a very fast scan, obviously, because this is all in the LAN, so the scans can be conducted rather fast. But look down here where it says packets displayed; it's in the bottom middle of the screen. In the bottom it says that I have fifteen hundred packets approximately and that my nmap scan has consumed twelve hundred and twenty packets. That is a huge amount, I mean this is bound to be detected for sure. If there is a network admin on the other side they will notice the scan, no problem, so we need to actually work on reducing the size of our nmap scan.

One of the first things that I am going to do, aside from clearing my screen and making a more neat working environment, is go ahead and type in nmap --help, press Enter, and this is going to prompt the help. Let me just expand this a little bit for you so you have a better overview and repeat the process, because the terminal does not resize the text by default. And so here we have some other options; in the example it says these are just miscellaneous arguments for Wireshark itself, but we have a load of other options. Look at how many of them there are; it's pretty much the same procedure as with tshark: you type in help and you figure out what is where. So this is one of the options that people would use on a more frequent basis, so -O. So let's try -O and let's see how much traffic that will generate. Before I do, I wish to reset my capture, as I want to see exactly how many packets will be recorded. So if you just find it, yep, there we go, and I'm going to pass -O, capital O, press Enter. Here we go, it's initializing the scan and you can see that there are packets already streaming in; it says 5756 there, we'll see how many packets it will generate in total. Oh, it's still going on, it's still going on... it stopped, and this is not good either. So it says almost 1600 packets; this is more than our previous scan, but this is something that you would need to do from time to time on your network as a pen tester or as a network admin, to figure out what is going on, what system is being used on the other side, if you can physically go over there or something of the kind. But as a pen tester this is not good, it's 1600 packets and again you are bound to be detected. But these are just some basic options that you can pass. In the follow-up tutorial I will explain in great detail how you can conduct stealth scans, and you will see, when Wireshark monitors the traffic, that there will be a significant reduction in the amount of packets transmitted. In any case, I bid you farewell and I hope that you've enjoyed the tutorial.

Hello
everybody and welcome to this tutorial. Today I will show you how you can conduct a remote capture of a machine that is not necessarily within the LAN or within the range of your wireless card. In the previous tutorials I have shown you how you can actually conduct a remote capture of all the traffic that is up in the air around you, provided of course that it is in the range of your wireless card, and provided of course that you do have the necessary decryption keys. This was done through the managed mode of a network card; we will not need it in this tutorial, primarily because the machine from which we will be capturing traffic can be anywhere else in the world, so we are capturing traffic over it that will be sent over the Internet to us. What this means is that you can be in Germany, let's say in Berlin, and the other machine can be in Tokyo, and you will be able to stream the network information over the Internet to your machine in Berlin and capture and analyze the traffic in Wireshark there. Now, depending on the amount of traffic and depending on the available bandwidth, this can be either slow or fast; it depends how you do it, but it is possible to do it, and that is what I want to demonstrate today.

Now there are prerequisites; there are a few things that you're going to need if you wish to be able to fully follow through this particular tutorial. First off, the very first thing that we will need is a protocol called SSH. Now, SSH is a tunneling protocol and it will ensure that all the traffic transmitted from the machine in Tokyo to the machine in Berlin will be heavily encrypted. So even though somebody could be in the middle of the communication between the two machines and capture the traffic, they won't be able to do anything with it. I have shown you in the previous tutorials how encrypted traffic looks, and as you could have seen, there isn't much that you can actually do with it; you can extract bits and pieces of information, but you cannot actually get the data itself without the decryption keys, of course, and the chances of somebody getting the decryption keys are very slim to none, and of breaking the encryption... in order to break the encryption without decryption keys, I mean, it would take an eternity of time to brute-force it or something of the kind. Anyway, I will show you how to install this. You will need this on both machines, not just on one, so a key thing to note here is that you will need it on both machines. It's fairly easy to install; I will show it to you in the follow-up tutorial.

But for the time being you will also need additional things, so tcpdump is next. tcpdump works in a similar fashion as tshark, Wireshark's command-line tool: you just pass arguments to it and it can capture traffic, filter it, pipe it, etc. This will only need to be installed on the remote machine where the capture will be performed; you will not need this on your destination machine, as you will be using Wireshark there. I will show you how to install tcpdump as well, but on Linux machines tcpdump in all likelihood is installed, like a 90% chance, and I am using tcpdump primarily because in 90% of cases it will be installed on Linux machines. This is for ease of use; you can also use tshark here, but most of the time you're not sure, and in all likelihood it will not be installed on the remote machine. I have shown you how to install tshark as well, so that's not a big deal; basically just install Wireshark and it comes packaged with it. But we will be using tcpdump on the remote machine, and you will not need to install it there, of course, as it will be installed, but I will show the installation procedure just in case it is not installed. You will see the command for it is pretty simple; there won't be any complications there.

Next up, you will need to be able to configure Wireshark in order to capture traffic not on any of your interfaces; rather, instead, we will need to create a named pipe for Wireshark. It is a file from which it will extract information and display it in the graphical user interface, where you will be able to analyze it, filter it and do pretty much whatever you want with that. I will show you how to make that file, pretty simple as well, no complex stuff there. The biggest problem is establishing an SSH connection and making sure the data is encrypted and that there is a steady flow, due to bandwidth and such things, so we will need to pass some extra arguments to tcpdump in order to ensure that our data is streamed in a proper manner. Now we will also need to configure SSH just a bit on one end, so on the source machine in Tokyo; that is where we will need to configure SSH to allow for root logins, because keep in mind, for all these operations you need to be either root, or you need to have sudo privileges, or your user needs to be in the sudoers file so it can have root permissions.

In any case, that would be it; this was an introductory video to what we will show you here. If you don't have the prerequisites, you can try and get them on your own; try to do it yourselves, as the installation procedures are the same as with any other packages we've installed thus far. You can try doing it yourselves, I would strongly advise that you do so, and then in the next tutorial I will show you how you can actually do this. So if you have had any problems with it, you may refer to the tutorial and see "OK, I didn't do this the right way or I didn't do that the right way," and in such a way you will be able to learn better. So I bid you farewell and I hope to see you in the next tutorial.
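The tshark section above introduces capturing to a .pcap where there is no GUI, and the nmap section measures a scan only by the total packet count in Wireshark's status bar. The following is an added example, not commands from the video, that does both from the shell: it records with tshark, reads the file back as plain text, and then counts, per source address, how many distinct TCP ports were probed, which is the per-host view a network admin on the other side would use to notice a scan of the size the video shows. The interface name, the two addresses, the output path and the threshold are placeholders, and the sample lines fed to the counting step are constructed; tshark is only needed for the two capture/extract functions.

```shell
#!/bin/sh
# Added example (not the video's own commands): tshark capture to a file,
# then a per-source count of probed ports from the captured packets.
# Placeholders: interface, addresses, output path and threshold are supplied
# by the caller; tshark must be on PATH for capture_between/extract_syns.
set -eu

# Capture without the GUI. -i interface, -w output file, -f is a BPF capture
# filter (only traffic between the two hosts is recorded), -a makes the
# capture stop on its own after 30 minutes and -c 10000 stops it after ten
# thousand packets, whichever comes first. The file can later be opened in
# the graphical Wireshark, as the video describes.
capture_between() {
  iface="$1"; src="$2"; dst="$3"; out="$4"
  tshark -i "$iface" -f "host $src and host $dst" \
         -a duration:1800 -c 10000 -w "$out"
}

# Read a pcap back and print one line per TCP SYN without ACK (connection
# attempts) as "src dst dport". -T fields emits plain, tab-separated text
# that ordinary text tools can process.
extract_syns() {
  tshark -r "$1" -Y 'tcp.flags.syn==1 && tcp.flags.ack==0' \
         -T fields -e ip.src -e ip.dst -e tcp.dstport
}

# From "src dst dport" lines on stdin, count distinct destination ports per
# source and print "src count", highest first. One source touching many
# ports on a host inside a short capture is the pattern an admin spots.
count_ports_per_source() {
  awk '{ key = $1 "|" $3; if (!(key in seen)) { seen[key] = 1; n[$1]++ } }
       END { for (s in n) print s, n[s] }' | sort -k2,2nr -k1,1
}

# Print only the sources that touched more than the given number of ports.
flag_sources() {
  count_ports_per_source | awk -v t="$1" '$2 > t + 0 { print $1 }'
}

# Constructed sample in the field order extract_syns emits: 192.168.1.5
# probes five distinct ports on 192.168.1.4 (port 22 twice), while
# 192.168.1.9 opens a single HTTPS connection.
SAMPLE_SYNS='192.168.1.5 192.168.1.4 22
192.168.1.5 192.168.1.4 80
192.168.1.5 192.168.1.4 443
192.168.1.5 192.168.1.4 8080
192.168.1.5 192.168.1.4 22
192.168.1.5 192.168.1.4 3306
192.168.1.9 192.168.1.4 443'

# Run the counting step on the constructed sample (no tshark needed).
sample_report() {
  printf '%s\n' "$SAMPLE_SYNS" | count_ports_per_source
}

# Sources from the sample that exceeded three distinct ports.
sample_flagged() {
  printf '%s\n' "$SAMPLE_SYNS" | flag_sources 3
}
```

With a real capture the pipeline is `capture_between bap1 192.168.1.5 192.168.1.4 scan.pcap`, then `extract_syns scan.pcap | flag_sources 20`; the threshold is a placeholder to tune to the network, since a single host legitimately opens a handful of ports but not dozens within one short window.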
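The remote-capture setup described above (tcpdump on the remote host, SSH as the encrypted transport, a named pipe on the Wireshark side) as an added example, not the video's own commands. REMOTE (a user@host with SSH access and tcpdump installed), IFACE (the remote interface) and the pipe path are placeholders, and a local Wireshark is assumed.

```shell
#!/bin/sh
# Added example (not the video's own commands): stream a tcpdump capture
# from a remote host over SSH into a named pipe that a local Wireshark
# reads live. REMOTE, IFACE and the pipe path are placeholders.
set -eu

# Remote side. -U flushes each packet as it is captured (otherwise tcpdump
# buffers and the local window stalls), -s 0 keeps whole frames, -n stops
# the remote host resolving names (which would itself generate traffic),
# -w - writes pcap to stdout so SSH can carry it. 'not port 22' excludes
# the SSH session transporting the capture, which would otherwise feed
# back into the capture and grow without bound.
remote_capture_cmd() {
  printf 'tcpdump -i %s -U -s 0 -n -w - not port 22' "$1"
}

# Local side. A FIFO is the "file" Wireshark is pointed at; packets are
# never written to disk on either end.
make_pipe() {
  [ -p "$1" ] || mkfifo "$1"
  [ -p "$1" ]
}

# Wire the two together. The ssh writer is backgrounded (and given no
# stdin with -n) because opening a FIFO for writing blocks until Wireshark
# opens it for reading. -k tells Wireshark to start capturing at once and
# -i names the pipe as the interface. The pipe is removed on exit.
start_remote_capture() {
  remote="$1"; iface="$2"; pipe="$3"
  make_pipe "$pipe"
  trap "rm -f '$pipe'" EXIT
  ssh -n "$remote" "$(remote_capture_cmd "$iface")" > "$pipe" &
  wireshark -k -i "$pipe"
}
```

Usage is `start_remote_capture admin@tokyo-host eth0 /tmp/remote.pipe`. The video notes that root or sudo is needed on the capturing side; prefixing the remote command with `sudo` (with a sudoers entry for tcpdump) gives the capture its privileges without permitting root logins over SSH. Closing Wireshark closes the read end of the pipe, which ends the ssh writer and the remote tcpdump with it.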
This summary and transcript were automatically generated using AI with the Free YouTube Transcript Summary Tool by LunaNotes.