Transcript for:
Wireshark Lecture Notes

Today we're going to talk about Wireshark, a super handy tool for checking out what's happening on networks. It's like a secret agent that can spy on all the data going through a network, helping us understand how things work behind the scenes. In this guide we'll cover everything you need to know about Wireshark, from getting it on your computer to using it to see what's going on in your network. Whether you're a hacker or just curious about how the internet works, Wireshark can teach you a lot about the magic of data flowing through networks. So let's jump in and explore Wireshark together.

All right, let's kick things off by talking about Wireshark. Wireshark is like a detective tool for computer networks. It's free software that lets you peek into the data flowing through a network in real time. Whether it's data traveling through Ethernet, Wi-Fi, Bluetooth or other types of connections, Wireshark can capture and analyze it all. You can use Wireshark to figure out what's happening on your network, troubleshoot issues, or just learn how network protocols work. It's super handy for tech pros, security folks, and even students studying networking.

Now let's dive into some cool things Wireshark can do. It works on all major operating systems: whether you're using Windows, Linux, macOS or Unix, Wireshark has got you covered. Live packet capture: it can capture data as it's happening on the network, giving you real-time insights. Analyze data from other tools: you can analyze data captured by other tools like tcpdump, WinDump or TShark. Import and analyze hex dumps: if you're into the nitty-gritty details, Wireshark can handle hex dumps like a champ. Export data in different formats: you can export captured data in various file formats for further analysis. Detailed packet analysis: Wireshark can show you detailed protocol information, filter packets, colorize data, and even search for specific packets. Create statistics and graphs: it's not just about capturing data; Wireshark can also create graphs and stats based on the captured packets. Decode encrypted data: it can decode encrypted data if you have all the necessary information. And that's just scratching the surface. Wireshark is a powerful tool with a lot of features that can help you unravel the mysteries of network traffic.

If you want to download Wireshark on Windows or Mac, you can get it from their website. Just visit the site, choose your operating system, and the download will start automatically. If you face any challenges while installing Wireshark on your operating system, don't worry; you can always research solutions online or ask me in the comments section. However, if you're using Kali Linux, you don't need to download Wireshark separately because it comes pre-installed. For those who don't have Kali Linux, you can check out my video guide on how to install it. I've included all the links in the video description, so don't worry about missing anything.

To open Wireshark on Kali Linux, you can follow these steps. First, go to the Applications menu in Kali Linux, look for the Sniffing & Spoofing section, and you'll find Wireshark there; you can open Wireshark directly from this menu. Alternatively, if you prefer a quick method, just open the command terminal and type wireshark. It's as simple as that.

Now let's choose the interface you want to capture. You'll see a list of available interfaces, some of which may look useful but aren't relevant for our video. Don't worry about those; just pick the interface you want to capture data from. The best part: Wireshark does the detective work for you by automatically detecting and listing the interfaces that are active and ready to capture data. So simply select the interface you're interested in and Wireshark will start capturing the network traffic flowing through that interface. Go ahead and choose the interface that intrigues you, and let's uncover some fascinating insights into network traffic.

Before we begin with Wireshark, it's essential to understand network protocols. Think
of network protocols as the languages computers use to talk to each other. Knowing about these protocols will make using Wireshark a lot easier. If you're not familiar with network protocols or need a quick review, I have a video explaining networking protocols; it'll give you a good foundation in networking.

Before we dive into capturing our first set of data with Wireshark, let's take a moment to become familiar with its interface. Firstly, there's the menu bar, which acts as the central command center for all the tools and options within Wireshark. It's like the control panel of a spaceship, allowing you to access different functionalities neatly organized, much like navigating through the applications menu on your computer. Next up is the toolbar. Functioning as a quick-access toolkit, this toolbar houses commonly used tools, making it easy to find what you need without the hassle of searching through menus. For instance, you can stop capturing or restart captures with just a click. There are also options for automatically following live capturing, and more.

Next up we have the filter feature. This is where you can type in specific criteria for what you want to see, and Wireshark will filter the captured packets accordingly. It's a powerful search tool at your fingertips, allowing you to focus on the packets that are relevant to your analysis. For example, let's say you're interested in only HTTP traffic: you can simply type http in the filter box and Wireshark will show you all the packets related to HTTP communication. This makes it much easier to narrow down your focus and extract the information you need from a large data set of captured packets. Filters in Wireshark are incredibly versatile and can be based on various parameters such as IP addresses, protocols, ports, packet types, and more. It's a handy tool for pinpointing specific network activities and troubleshooting issues efficiently.

As we move along we encounter the packet list pane. This pane serves as your window into the vast network world. It displays a comprehensive list of packets captured by Wireshark as they travel through the network, giving you a visual representation similar to observing a stream of data flowing by. When you select a packet from the list, the packet details pane becomes your treasure trove of information. It's like peeking inside an envelope to unveil its contents; here you will discover details such as the packet's origin, destination, and the protocols it uses for communication. Now let's delve into the technical aspect with the bytes pane. This pane reveals the actual data within the packets, showing hexadecimal bytes and their corresponding ASCII values. It's akin to decoding a secret message as it travels through the network, revealing the hidden information. Finally, at the bottom of the interface we have the status bar, acting as your assistant and providing real-time updates. It offers valuable information such as the total number of packets captured, capture duration, and other essential details about Wireshark's activities. This quick overview of the Wireshark interface provides a solid foundation for diving deeper into its functionalities. As we progress in this learning journey, we'll discuss each option in more detail.

So imagine you've selected the right interface in Wireshark, but then you look at the packet list pane and nothing: no packets in sight. It can be a bit frustrating, right? Well, there are a few reasons why this might happen. Firstly, there might not be any network traffic happening at that moment; it's like trying to catch a bus when there aren't any running. Secondly, the packets moving through the network might not be meant for your device, so Wireshark doesn't grab them; it's like trying to eavesdrop on a conversation that's happening too far away. And finally, there's this thing called promiscuous mode: if it's not activated or available in your settings, Wireshark won't capture all the network traffic.

Now when you fire up Wireshark, it might not look super
exciting at first glance, but trust me, it's the packets that are flowing around that make it fascinating. Yep, we're talking about capturing packets; that's where the real action is.

All right, let's start our first capturing session. Now that you've got a grasp of the basics of Wireshark and have learned how to install it, I believe you're all set to dive into your first capture. In this section we're going to walk through initiating your first Wireshark capture. We'll also cover how to save the captured data for future analysis or to share it with others.

All right, let's get started by opening Wireshark. Once Wireshark is open, you'll see a list of available interfaces to capture data from. In my case I'll choose wlan0, but keep in mind that this option might not appear for you if you're not using a wireless network adapter or if your system has different interface names. So go ahead and select the interface that corresponds to your network setup. Now you might notice some packets appearing in Wireshark's packet list pane, or you may not see any activity if there's nothing happening on your interface. To test whether Wireshark is capturing data effectively, let's open a browser and search for something. Once you start browsing, Wireshark should start capturing the data packets related to your browsing activity. If you see packets being captured, then well done: you've successfully captured your first set of data using Wireshark. As you can see, there's a lot happening within these packets, but don't worry, we'll dive into understanding these packets later. For now let's focus on the fact that we've successfully captured data for the first time.

Now let's see how to save these captured packets for later analysis or to share them with someone. Simply click on the save icon and a window will pop up asking you to choose a file name; you can give it any name you prefer. By default Wireshark saves the file in the pcapng file format, but you also have the option to choose other file types like pcap or others depending on your needs. This way you can store and share your captured data easily.

Okay, now I encourage you to pause this video, open Wireshark, capture some packets, and save them with a file name of your choice. Once you've done that, you can come back to this video and continue watching. Capturing packets and working with Wireshark hands-on is a fantastic way to reinforce your understanding and skills, so go ahead and give it a try. I'll be here when you're ready to continue.

Now let's delve into the different filtering options available in Wireshark. We'll also explore how to create and use different profiles to enhance your packet analysis experience. In the world of Wireshark, filters play a crucial role in refining your packet analysis. They allow you to see precisely what you want to see and capture only the data that's relevant to your analysis, making your workflow more efficient. There are two main types of filters in Wireshark: capture filters and display filters. Let's begin with capture filters. This feature gives you the ability to capture specific packets while discarding others. Capturing packets can be resource intensive, requiring significant processing power and memory; therefore, using capture filters helps conserve resources for other tasks and ensures that you capture only the data that meets your criteria. On the other hand, display filters work differently: they don't discard any packets but instead hide packets that don't match your filter criteria. This makes viewing and analyzing the captured data more convenient. It's important to note that once packets are dropped due to a capture filter they cannot be recovered, which is why it's crucial to use display filters judiciously. When you apply a display filter, only the packets that meet your filter specifications will be displayed in Wireshark. You can monitor the number of packets being displayed after applying a filter in the second column of the status bar in the Wireshark window. Understanding
how to use capture and display filters effectively can greatly enhance your packet analysis capabilities and streamline your workflow in Wireshark. Let's explore these filters further to maximize the insights gained from network traffic analysis.

Before we dive into demonstrating filtering options in Wireshark, I want to introduce you to a comprehensive filtering guide. Unfortunately I can't cover all the filter options available in Wireshark in this video, but fear not: I have an excellent cheat sheet from StationX that will provide you with a wealth of filtering techniques. This cheat sheet is incredibly helpful and covers various filter options that you can apply in Wireshark. It's a fantastic resource to have on hand, especially when you're dealing with complex filtering scenarios. I'll include a link to download this cheat sheet in the video description. I highly recommend reading through it and using it as a reference while working on your network analysis tasks.

Let's explore some common filtering options in Wireshark. Imagine you're interested in just TCP traffic: in Wireshark you can simply type tcp in the filter bar and, voilà, it'll show you only TCP packets. This is super handy for analyzing things like web browsing or file transfers. Similarly, if you want to focus on UDP packets, like those used in video streaming or VoIP calls, just type udp in the filter bar and Wireshark will filter out everything else, showing you only UDP traffic. Now let's say you're troubleshooting a web server issue: typing http in the filter bar will narrow down the packets to just HTTP traffic, making it easier for you to spot any anomalies or errors. Let's say you're curious about the communication between your computer and a specific IP address, say 192.168.1.1: typing ip.addr == 192.168.1.1 in Wireshark will filter the packets, showing you only the ones involving that IP address. You can also filter based on MAC addresses. For example, if you're troubleshooting a network device with a specific MAC address, typing eth.addr == followed by the MAC address you want will highlight packets related to that device. Ports are crucial for network communication. If you're interested in HTTP traffic, which usually uses port 80, just type tcp.port == 80 to focus on packets going through that port. Similarly, if you want to examine DNS queries, which often use port 53, you can use udp.port == 53 to filter out everything else and see only DNS-related packets.

Wireshark also supports logical operators like and, or, and not for more complex filtering. For instance, you can combine filters using and to see TCP packets with a specific IP address, like tcp.port == 80 and ip.addr == 192.168.1.2. The or operator lets you specify multiple conditions; for instance, tcp.port == 443 or tcp.port == 80 will show TCP packets using either port 443 (HTTPS) or port 80 (HTTP). Finally, the not operator is handy for excluding certain packets. For example, not ip.addr == 192.168.1.100 will filter out packets involving the specified IP address. Playing around with these filters in Wireshark can help you dig deep into network traffic, troubleshoot issues, and gain valuable insights into your network's behavior.

Wireshark offers a handy feature for enhancing our viewing experience through colorization of traffic. This feature allows us to highlight specific types of traffic with different colors, making it easier to distinguish between different sets of data. The purpose of colorizing traffic is akin to finding a needle in a haystack: by assigning different colors to various types of traffic, we can quickly spot and focus on the traffic that's most relevant to our analysis. By default Wireshark provides colorization rules for most protocols,
which is why you might already see traffic displayed in different colors in the packet list pane. You can access these default color rules by navigating to View and then clicking on Coloring Rules. For instance, Wireshark may colorize bad TCP traffic differently to draw attention to potential issues or anomalies in TCP communication. If you want to add your own colorization rule, simply click the plus icon in the Coloring Rules window, then specify the filter criteria you want to use for colorization, such as tcp.port == 80 for HTTP traffic, and give your color rule a descriptive name. You can also choose the color you want to assign to this rule. With colorization in Wireshark you can customize your analysis environment to highlight specific types of traffic, making it easier to identify patterns, anomalies, or critical data within your network captures. It's a powerful tool for improving visualization and analysis workflows.

Okay, now one great feature of Wireshark is the ability to use profiles. Profiles in Wireshark are like personalized setups that can save you a lot of time when analyzing a network. A profile includes various components such as capture filters, display filters, time preferences, column preferences, protocol preferences, color profiles, and more. These components work together to create a customized environment tailored to your specific needs for network analysis. Importing and exporting profiles in Wireshark is straightforward, which is incredibly helpful when working on different networks or systems without your usual tools: you can simply copy and paste the profile configuration files into a specific directory to use them. Here's how you can create a profile in Wireshark: right-click on the profile column in the status bar, select New, give your new profile a name in the pop-up dialog, and click OK to create the new profile. Once you've created a profile, you'll see it activated in the status bar. Any changes you make within this profile, such as creating capture
nitty-gritty of what was captured. It tells us things like how many packets were captured in total, how many were actually displayed or analyzed, the duration of the capture, and averages like the rate of packets captured per second, the average size of packets, the total number of bytes captured, and the average rates of data capture in bytes per second and bits per second. And if you've added any notes or comments while capturing packets, they'll show up here; it's a great way to jot down observations or reminders for later analysis, and you can add comments and save them. So all this information together gives us a comprehensive view of what was captured, how it was captured, and some statistics about the captured data.

And now, Resolved Addresses refers to the process of converting network addresses from their raw format, like IP addresses or MAC addresses, into human-readable names such as domain names or device names. This conversion is done using various protocols, like DNS for IP addresses and Address Resolution Protocol for MAC addresses. This feature is particularly helpful when trying to identify devices, servers, or websites based on their network addresses. For example, instead of seeing a raw IP address in the capture, Wireshark can resolve it to a host name like google.com if a DNS lookup was performed and the IP address was mapped to that domain. Similarly, for MAC addresses, Wireshark can resolve them to device names if ARP requests and responses were captured, allowing you to see a device name instead of just a series of hexadecimal numbers.

Now, the Protocol Hierarchy window provides us with an overview of the distribution of protocols used in the communication process and how to spot unusual activities in your network that do not follow the expected benchmark. It's your personal tour guide through the jungle of network protocols. Protocol Hierarchy acts like your lookout tower, giving you a sweeping view of how data moves between hosts. It's like having a radar that scans for any weird stuff happening in your network. It breaks down all the different types of protocols being used and shows you the percentage of each one, plus it gives you stats like how many bytes and packets are flying back and forth. It's like taking a snapshot of who's chatting with whom and how much they're saying. And here's the cool part: you can use Protocol Hierarchy to dive even deeper into specific types of traffic. Just right-click on a protocol, hover over Apply as Filter, and click Selected. It's like putting on a pair of superpowered glasses to zoom in on the stuff you're interested in. So let's say you're a bit worried about one particular host in your network acting a bit funky: Protocol Hierarchy comes to the rescue. It helps you pinpoint exactly where that strange behavior is coming from and get to the bottom of things.

All right, let's talk about the Conversations window. So picture this: you've got this massive network with tons of devices all chatting away. Now normally devices are meant to talk to each other, right? But what if you want to pinpoint which device is really hogging all the bandwidth? That's where the Conversations window comes into play. In this window you'll find a whole bunch of juicy details laid out neatly in columns. It tells you things like how many packets were sent and received, the amount of data transferred, the flow of traffic, MAC addresses of devices, and lots of other useful info. At the top you'll see different tabs for various protocols, each with its own set of conversations, and next to each tab there's a little number telling you how many unique conversations are happening. Now let's say you're on the hunt for the device that's been churning out packets like there's no tomorrow: just head over to the IPv4 tab, sort the Packets column in descending order and, voilà, the device listed at the top of the list is your culprit. So in the Conversations window you'll notice something interesting in the
first row: it shows you exactly how many packets and bytes have been sent and received by each endpoint, along with the total elapsed duration. Now if you're feeling particularly investigative and want to dig deeper, you can actually create filters right from this window. Just right-click on the first row and choose the option to create an expression. For example, let's say you're interested in seeing only the conversations between address A and address B: you can select the option A to B and, boom, it filters out all the packets associated with those specific addresses. So it's like having a handy filter tool right at your fingertips, allowing you to focus on exactly the conversations you want to explore further. The Conversations window lets us collect and analyze details in a more granular form, which can be used in various scenarios while troubleshooting and auditing networking infrastructures.

Now imagine you're overseeing this bustling network and suddenly you notice a surge in traffic that's not quite normal. You're curious to know which devices are behind this unusual activity, right? Well, that's where the Endpoints dialog comes to the rescue. So what are endpoints? Well, they're basically the devices that share data with each other on the network, and to communicate they need something called a MAC address; it's like their unique ID card. Wireshark lets us dive deep into analyzing and collecting info about these endpoints. To access the Endpoints dialog, just click on any TCP packet in the packet list pane. You'll see a bunch of tabs at the top, each representing a different protocol. If a protocol is active in your traffic, its tab will light up, showing you the action. By default you'll probably start with the Ethernet tab, where you can see the MAC addresses of the endpoints. Each tab also tells you how many endpoints are captured for that specific protocol. Pretty neat, huh? Now here's where it gets interesting: you can dig into specific protocols by clicking on their tabs. For example, I clicked on the IPv4 tab and sorted the main pane using the Packets column. This lets me see which endpoint is chattering away the most. But wait, there's more: if you want to analyze a specific endpoint even further, you can create a display filter for it. Just right-click on the row with the most packets transferred and choose Selected under Apply as Filter. Boom, now you've got a filter tailored just for that endpoint. You'll also find some handy checkboxes and buttons; you can use these to resolve the names of Ethernet addresses, limit the results based on a display filter, copy the content in CSV format, or even map the endpoints' location. So with the Endpoints dialog you can quickly pinpoint the devices causing a stir on your network and dive deep into their activity with just a few clicks.

Now, Packet Lengths refers to the size of individual packets captured during network analysis. It tells us how much data is contained within each packet, including both the information being sent (the payload) and additional metadata (the header) required for routing and processing the data. Understanding packet length is important for several reasons: it helps in monitoring network performance, identifying potential security threats, and ensuring compliance with protocol standards. By examining packet lengths, analysts can spot anomalies such as unusually large or small packets, which might indicate issues like network congestion, malicious activity, or protocol violations.

All right, now let's talk about I/O Graphs. These graphs are like snapshots of the traffic in our network. They help us see the busy and slow times, which can be super helpful for fixing problems or just keeping an eye on things. This graph shows time on the horizontal axis and the number of packets per tick on the vertical axis; if you need to adjust the scale, you can do that too. Now looking at the graph, it's amazing how quickly we can gather this info from thousands of packets with just a glance at the graph. Below the graph
you'll find some tools and filters. Let's say we want to focus on just the UDP traffic and plot it with a red line. Easy peasy: we just type udp in the filter box, deactivate graph 1 and activate graph 2, and, voilà, now we have a graph showing only UDP traffic. Looking at this new graph, we can see when most of the UDP action happened. If we want to compare DNS and TCP traffic, we can do that too; it's like looking at two sides of the same coin, and comparing things helps us learn more effectively.

All right, let's see Service Response Time. This feature is like having a stopwatch for different services or protocols: it tells you how long it takes for them to respond when they're pinged. So if you're wondering why a certain service is lagging or being sluggish, this tool can give you the scoop. It's like timing how quickly your favorite restaurant brings out your order; you want it fast, right? Similarly, in the digital world we want our services to respond promptly to keep things running smoothly.

Next we have DHCP (BOOTP) Statistics. This shows us stats related to DHCP, or Dynamic Host Configuration Protocol, traffic; basically it's about how devices on a network get their IP addresses. Then there's NetPerfMeter Statistics; this probably has to do with measuring network performance. Moving on, we have ONC-RPC Programs. This provides information about ONC-RPC (Open Network Computing Remote Procedure Call) programs, which are used for communication between networked computers. Next let's talk about 29West. This is a protocol or service that's often associated with messaging or data distribution; it's commonly used in financial markets and high-performance computing environments for fast and reliable data transfer. If my understanding of 29West is incorrect, or if you have more information about it, please feel free to share in the comments. After that we have ANCP, which stands for Access Node Control Protocol; it's used in broadband networks to manage access nodes.

Then there's BACnet. BACnet in Wireshark refers to the BACnet, or Building Automation and Control Networks, protocol, which is commonly used in building automation systems for controlling and monitoring devices such as HVAC systems, lighting, access control, and more. When you encounter BACnet in Wireshark, it means that Wireshark has detected network traffic related to the BACnet protocol. This traffic may include messages exchanged between BACnet devices, such as requests for data, responses, alarms, and other control commands. Analyzing BACnet traffic in Wireshark can provide insights into how devices in a building automation system communicate with each other, the types of data being exchanged, response times, error handling, and overall system performance.

Up next is collectd. Oh, I never use this, so I don't know about this; again, if you know about this, feel free to comment. Now we have DNS; this is the Domain Name System, responsible for translating domain names like google.com into IP addresses.

All right, let's talk about Flow Graph. This tool is like your trusty detective when it comes to troubleshooting network issues. Imagine you're trying to figure out why your internet connection keeps dropping or why certain data isn't getting through. Flow Graph creates a visual summary of the traffic flow between two endpoints, helping you pinpoint where things might be going wrong. It's like drawing a map of the route your data takes from your device to its destination. With Flow Graph you can quickly identify any bottlenecks or problems in the connection and get things back on track.

Next we have HART-IP. HART-IP refers to the Highway Addressable Remote Transducer over IP protocol. HART-IP is an implementation of the HART communication protocol, which is commonly used in process automation and industrial control systems. HART, or Highway Addressable Remote Transducer, is a communication protocol that allows digital communication with smart field devices such as sensors, actuators, and controllers in industrial applications. HART-
IP extends this protocol by enabling communication over IP networks making it more suitable for modern networked environments heart IP in Wireshark could include data exchange between devices configuration commands status updates and other communication activities specific to the heart protocol implemented over IP networks analyzing heart IP traffic in wi shark can provide insights into the communication patterns data payloads error handling and overall performance of heart enable devices operating in an IP network environment it can be valuable for troubleshooting monitoring and optimizing heart-based systems in industrial settings then there's HP feeds to be honest I'm not too familiar with this one too if you know about this feel free to tell me on the comment today you are going to teach me aren't you next up is HTTP the hypertext transfer protocol this is what's used for communication on the web following that we have HTTP 2 this is a newer version of HTTP with some fancy features like multiplexing next there's s time Sam time is used for real-time collaboration and communication within organizations Sam time is a messaging and conferencing protocol developed by IBM similar to platforms like Microsoft teams or slack when you encounter Sam in wi shark it typically means that wi shark has detected Network traffic related to IBM samon Communications this could include messages file transfers audio video calls screen sharing and other collaborative activities facilitated by the samtime protocol analyzing samtime traffic and wire shark can provide info into how users are interacting the types of data being exchanged and any potential issues or optimizations related to samtime communication within the network all right let's dive into TCP stream graphs these are basically visual representations of TCP streams showing us how data moves over a TCP connection get to get started just pick any TCP packet from your list and open the static view when you hover over these 
TCP Stream Graphs, you'll see five options. Let's quickly discuss each one.

First up is the Time Sequence graph. This graph gives us a chronological view of packets being sent and received, almost like peeking into a timeline of data events. Now let's break down what you'll see in this graph. The X axis represents time in seconds, while the Y axis shows the TCP sequence number. These sequence numbers increase with each packet sent, based on the data size. Looking at the graph itself, you'll notice three lines. The line labeled TCP data segment shows the actual data being transmitted; a longer line here indicates more data in that packet. Below that is the ACK stream, indicating acknowledgements for received segments. And at the top we have the client receive window, showing how much data the client can handle at a time. The distance between the client receive window line and the TCP segment line is the window size: a closer gap means less buffering capacity, while a wider gap means more buffering.

Moving on to Throughput graphs. These show unidirectional traffic flow in bytes per second. Unlike I/O Graphs, which show traffic in both directions, Throughput graphs focus solely on one direction. If you encounter a blank graph, try selecting another TCP packet to generate the graph.

Next, let's talk about Round Trip Time, or RTT. This measures the time it takes for an ACK to be received after sending a packet. Essentially, it tells us how long it takes for a sent packet to be acknowledged, ensuring successful delivery.

Lastly, Window Scaling graphs illustrate how the size of the data window changes during transmission. It's akin to observing a mailbox's size as more letters are sent and received. These graphs provide valuable insights into TCP communication, helping us understand data flow and network performance better.

After that there's UDP Multicast Streams. Imagine you have a bunch of devices on your network and you want to send the same message or data to all of them at once. That's where UDP multicast
streams come into play. Think of it like a radio station broadcasting a song: instead of sending the song individually to each person, the radio station sends it out once and anyone tuned in can hear it. Similarly, UDP multicast allows one device to send data to a group of devices simultaneously. Now, when we say UDP Multicast Streams in Wireshark, it means we're looking at how this multicast communication is happening using the User Datagram Protocol, or UDP, which is a way for devices to send quick and simple messages to each other. When we use Wireshark to analyze UDP multicast streams, we can see exactly what data is being sent, who's sending it and who's receiving it. This helps us troubleshoot any issues with multicast communication, like if some devices aren't getting the message or if there's too much traffic clogging up the network.

Then there's Reliable Server Pooling. This is a protocol for setting up pools of servers that can handle requests reliably.

Up next is SOME/IP. This is a versatile network protocol that excels in multitasking within the application layer. It efficiently handles message transformation, remote procedure calls and service discovery in a dynamic client-server setup. Additionally, it's adept at managing large UDP messages without fragmentation, ensuring smooth communication between devices.

Following that we have DTN, which stands for Dynamic Trunking Protocol, a protocol designed by Cisco Systems specifically for negotiating trunking between switches with VLANs.

Next there's F5. This is likely related to load balancers or application delivery controllers, which help manage traffic on large networks.

And finally we have IPv4 Statistics and IPv6 Statistics. In Wireshark, the IPv4 Statistics and IPv6 Statistics provide detailed insights into network traffic specifically related to the IPv4 and IPv6 protocols. These statistics include information such as packet counts, byte counts and other metrics related to the utilization and performance of IPv4 and IPv6 networks.
Analyzing these statistics can help network administrators understand the distribution of traffic, identify potential bottlenecks and optimize network performance for both IPv4 and IPv6 communication.

All right, we're wrapping up here. If I missed explaining anything or if I goofed up somewhere, drop a comment and let me know. And hey, I'll admit it, I'm not perfect, so corrections are welcome. Now buckle up, because this video is your ticket to the Wireshark adventure. Remember, practice makes perfect, so don't just rely on this video: dive into books, watch more videos and soak up all the knowledge you can. If this video hasn't blown your mind yet, don't give up. Let's dive into some network analysis and wrap up this marathon of content before you start daydreaming about your next meal.

All right, let's delve into the world of the TCP and UDP protocols, understand how they communicate, explore common issues and discover how Wireshark can lend a helping hand. We'll learn how to analyze these protocols and spot any unusual behavior. But before we dive into the video, make sure you're familiar with TCP and UDP basics like TCP headers, the various flags and the TCP three-way handshake. If these terms sound like a foreign language, don't worry; like I said at first, I've got a video dedicated to this topic that will provide a deeper understanding. The TCP three-way handshake is crucial, as it ensures that both the server and client are prepared to establish a connection and have the necessary resources to maintain a dedicated channel for reliable packet delivery.

Let's dive into a real scenario and witness the TCP three-way handshake in action using Wireshark. Firstly, let's gather some packets and filter for only TCP to focus on this specific protocol. Now observe closely. The TCP handshake begins with the sender (the client) initiating the connection by sending a TCP SYN packet to the receiver (the server). The server responds with a SYN-ACK packet, acknowledging the request and signaling its readiness to establish the
connection. Finally, the client acknowledges this response with an ACK packet, confirming the connection setup. Voila, the TCP connection is established. And if you take a look now, you'll notice an HTTP GET request following the successful three-way handshake.

Now that we've covered the TCP three-way handshake, let's explore another handy feature in Wireshark called Follow TCP Stream (or HTTP Stream, or UDP Stream). So what does this feature do, you ask? Well, Wireshark allows us to reassemble a series of plain-text protocol packets into a format that's easy for us to understand. For example, if we're dealing with an HTTP session, using Follow TCP Stream will display the GET requests sent from the client and the corresponding responses received from the server. To access this feature, simply right-click, hover over Follow, and then select either HTTP Stream or TCP Stream depending on the protocol being used. When dealing with HTTP, most of the content will be displayed in plain text, making it easier to analyze. However, if the protocol is HTTPS, where encryption is used, you'll likely see unreadable text due to the encryption. Don't worry, we'll discuss decrypting HTTPS traffic in an upcoming video, but not now.

The Follow TCP Stream option is incredibly useful for troubleshooting HTTP sessions as well as other application-layer protocols. In the dialog box you can choose to view either side of the communication, or the entire conversation between the client and server at once. Moreover, at the bottom of the dialog there's a drop-down menu where you can select different formats such as ASCII, EBCDIC, Hex Dump and C Arrays. This allows you to view the data in various formats instead of just the raw data, making analysis more comprehensive and insightful. If you want to save the content shown in the dialog, click on Save as, then give it a name; it will save the content in a simple text format. Similarly, if you want to view everything except the Follow TCP Stream packets that you are viewing
currently, then click on Filter Out This Stream. To close the dialog, click on Close.

Now I want you to imagine you're trying to communicate with a server, but the server daemon (the software running on the server to handle requests) is not running. This means the server is not actively processing requests and cannot respond to your client's attempts to establish a connection. In such a scenario your client will send SYN (synchronize) packets to the server, indicating its intent to start a communication session. However, since no service is available to respond, the server sends back RST (reset) packets in response to each SYN packet it receives. The RST packets essentially inform your client that the connection cannot be established because the service is not operational or reachable. When you analyze this situation using Wireshark, you'll notice a series of SYN and RST packets exchanged between your client and the non-responsive server. Each SYN packet represents an attempt by your client to establish a connection, and each RST packet signifies the server's inability to respond, leading to the termination of the connection attempt. It's important to note that modern web browsers often attempt multiple connections to a server when faced with a non-responsive or closed socket. This is why you may observe multiple SYN and RST packets in Wireshark, corresponding to the browser's repeated connection attempts at specific intervals.

One of the common scenarios that falls under this category is the situation where a connection is lost or an unsuccessful connection attempt is made, as we've just analyzed in the section about RST packets. However, there are several other examples of network issues that you might encounter and need to troubleshoot using Wireshark. For instance, high latencies can occur due to long-distance communications or when traffic gets queued up, causing delays in data transmission. To analyze and identify such problems effectively, you can utilize the Time column in
Wireshark by sorting it. This allows you to easily spot large time gaps between packets at the top of the packet list pane, indicating potential latency issues.

Another example scenario involves a malicious user attempting a port scan on your network. In response, your firewall may send RST packets to the user to thwart the attack, or because the targeted port is closed. A port scan generates a significant amount of traffic, which can be observed as noise in the Wireshark packet list pane. Now I am demonstrating a port scan initiated using Nmap from another device. Our machine responded with RST packets because the scanned port was closed. This interaction between the scanner and our machine provides valuable insights into potential security threats, highlighting the importance of monitoring network traffic for anomalies.

Additionally, Wireshark allows you to analyze various connection behaviors, TCP headers, packet flags, and sequence/acknowledgement (SEQ/ACK) numbers. With a clear understanding of these fundamentals, you can easily detect and investigate unusual traffic patterns that may indicate network issues or security threats. It's essential to note that while Wireshark provides powerful analysis capabilities, there is no automated tool that can detect and alert you to all traffic anomalies. Customizing your environment and staying vigilant during network monitoring are crucial steps in ensuring the security and efficiency of your network operations.

While we've covered some aspects of TCP analysis here, it's important to note that this isn't an exhaustive exploration of TCP analysis. There's a wealth of information and techniques related to TCP and other protocols that can be explored in much greater detail. If you're interested in delving deeper into the analysis of specific protocols using Wireshark, such as TCP, UDP, HTTP and others, I can create dedicated video tutorials for each protocol. These videos would provide a comprehensive understanding of how to interpret and analyze
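The two patterns described above (SYN, SYN-ACK, ACK for a completed handshake; SYN answered by RST for a closed port, repeated across many ports when a scanner is at work) can be checked programmatically the same way you would read them off the packet list. The script below is an added example, not code from the video: it builds a few IPv4/TCP segments from constructed bytes (documentation addresses 10.0.0.0/8, 192.0.2.0/24 and 198.51.100.0/24, invented ports and sequence numbers), dissects the headers with a small pure-Python parser in place of Wireshark's dissector, tracks each connection's state, measures the SYN to SYN-ACK round trip, and counts how many distinct ports each source had refused with a RST, which is the "noise" a scan leaves in a capture.

```python
"""Added example: classify TCP handshakes and SYN/RST exchanges from
constructed packets (no live capture). A tiny IPv4/TCP header parser
stands in for Wireshark's dissector so the script runs offline."""
import struct
from collections import defaultdict

SYN, ACK, RST = 0x02, 0x10, 0x04   # TCP flag bits used below


def build_packet(ts, src, dst, sport, dport, seq, ack, flags):
    """Return (timestamp, raw IPv4+TCP bytes) for a constructed segment:
    20-byte IPv4 header + 20-byte TCP header, no options, checksums left 0."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ts, ip + tcp


def parse_packet(raw):
    """Dissect the IPv4 and TCP headers into the fields the analysis needs."""
    ihl = (raw[0] & 0x0F) * 4                      # IPv4 header length in bytes
    src = ".".join(map(str, raw[12:16]))
    dst = ".".join(map(str, raw[16:20]))
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", raw[ihl:ihl + 14])
    return dict(src=src, dst=dst, sport=sport, dport=dport, seq=seq, ack=ack, flags=flags)


def analyze(packets):
    """Walk packets in capture order. Returns per-connection verdicts keyed by
    (client, cport, server, sport) and a per-source count of ports refused by RST."""
    conns, results = {}, {}
    refused = defaultdict(set)
    for ts, raw in packets:
        p = parse_packet(raw)
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])   # direction as sent
        rev = (p["dst"], p["dport"], p["src"], p["sport"])   # the opposite direction
        f = p["flags"]
        if f & SYN and not f & ACK:                           # client opens a connection
            conns[fwd] = {"syn_ts": ts, "isn": p["seq"], "state": "SYN_SENT"}
        elif f & RST and conns.get(rev, {}).get("state") == "SYN_SENT":
            conns[rev]["state"] = "REFUSED"                   # nothing listening on that port
            results[rev] = ("REFUSED", None)
            refused[rev[0]].add((rev[2], rev[3]))             # (server, port) this source tried
        elif f & SYN and f & ACK and conns.get(rev, {}).get("state") == "SYN_SENT":
            if p["ack"] == conns[rev]["isn"] + 1:             # SYN-ACK must acknowledge ISN+1
                conns[rev].update(state="SYN_RECEIVED", rtt=ts - conns[rev]["syn_ts"])
        elif f & ACK and conns.get(fwd, {}).get("state") == "SYN_RECEIVED":
            conns[fwd]["state"] = "ESTABLISHED"               # third packet of the handshake
            results[fwd] = ("ESTABLISHED", conns[fwd]["rtt"])
    return results, {src: len(ports) for src, ports in refused.items()}


def sample_capture():
    """Constructed capture: one good handshake, one closed port, and one
    source probing three closed ports in a row (assumed addresses and ports)."""
    client, web, host = "10.0.0.5", "198.51.100.10", "192.0.2.9"
    pkts = [
        build_packet(0.000, client, web, 51000, 80, 1000, 0, SYN),
        build_packet(0.020, web, client, 80, 51000, 5000, 1001, SYN | ACK),
        build_packet(0.021, client, web, 51000, 80, 1001, 5001, ACK),
        build_packet(1.000, client, host, 51001, 8080, 2000, 0, SYN),
        build_packet(1.001, host, client, 8080, 51001, 0, 2001, RST | ACK),
    ]
    scanner = "10.0.0.77"
    for i, port in enumerate((21, 22, 23)):
        pkts.append(build_packet(2.0 + i, scanner, host, 40000 + i, port, 3000, 0, SYN))
        pkts.append(build_packet(2.001 + i, host, scanner, port, 40000 + i, 0, 3001, RST | ACK))
    return pkts


if __name__ == "__main__":
    verdicts, refused_ports = analyze(sample_capture())
    for key, (state, rtt) in verdicts.items():
        print(key, state, "" if rtt is None else "RTT %.3fs" % rtt)
    print("refused ports per source:", refused_ports)
```

Sorting Wireshark's Time column, as the video suggests, is the manual equivalent of the `rtt` value computed here; the `refused_ports` summary is the kind of per-source count you would build with Statistics, Conversations after filtering on `tcp.flags.reset == 1`.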
protocol-specific data captured by Wireshark. So if you're interested in a comprehensive exploration of protocol analysis using Wireshark, let me know and I'll be happy to create these informative and engaging video tutorials for you, to further enhance your skills and understanding in network analysis.

Now let's delve into a brief overview of UDP, or User Datagram Protocol. UDP is a connectionless protocol known for its efficiency in transmitting real-time data between hosts. It's often referred to as an unreliable form of communication because it doesn't ensure the delivery of packets. In UDP, any lost packets are not retransmitted, as the sender is not informed about dropped or discarded packets during transmission. However, several important protocols like DHCP, DNS and others rely solely on UDP. Protocols that utilize UDP as a transport mechanism must employ other techniques to ensure data delivery and error checking. Despite its lack of reliability compared to TCP, UDP offers faster transmission of packets. Unlike TCP, UDP doesn't involve the initiation of connections or graceful terminations, which is why it's also known as a transaction-oriented protocol rather than a message-oriented protocol like TCP.

To understand how UDP functions, let's examine some protocols that use UDP as their delivery protocol. First we'll discuss DHCP, followed by an analysis of DNS traffic. The Dynamic Host Configuration Protocol, or DHCP, is a crucial protocol responsible for assigning IP addresses to devices and ensuring their compatibility within a network. In typical network configurations, the DHCP server operates on port number 67, while the DHCP client communicates through port number 68 by default. One key aspect to note is the packet length field. This field specifies the overall length of the packet from the first byte to the end of the data contained within it. Within a packet of, for example, 308 bytes, 8 bytes are allocated for the UDP header, leaving 300 bytes for the application
data that follows. When a device undergoes a power cycle, it initiates a DHCP request to the DHCP server to obtain an IP address. This action generates several packets related to the DHCP process, including requests, releases, offers and other associated communications. These packets utilize UDP as the transport mechanism for their transmission within the network infrastructure.

Analyzing DNS (Domain Name System) traffic in Wireshark, based on UDP, involves examining the packets exchanged during DNS queries and responses. Here's a step-by-step guide on how to analyze DNS traffic using Wireshark. Open a web browser or any application that generates DNS queries. Enter a domain name in the browser's address bar, for example example.com, and press Enter. This action triggers a DNS query to resolve the domain name into an IP address. After performing the DNS query, return to Wireshark and stop the packet capture by clicking on the red Stop button. Apply a filter to display only DNS packets in the captured traffic: enter dns in the display filter bar and press Enter. This filter will show only DNS-related packets. Look for DNS query packets, typically identified by a DNS query transaction ID, in the captured traffic; these packets indicate the domain name being queried. Locate the DNS response packets corresponding to the DNS queries; these packets contain information such as the resolved IP address of the domain queried. Select a DNS query or response packet and, in the packet details pane, expand the Domain Name System section to view detailed DNS information. Analyze fields like query type, query name (the domain name), response type, TTL (time to live) and answer (the resolved IP address or other records). Pay attention to DNS flags such as Query/Response, Recursion Desired, Recursion Available and Response Code; these flags provide insights into the DNS transaction and any issues encountered. Use Wireshark's Follow feature to track DNS transactions: right-click on a DNS query packet, select Follow and choose
UDP Stream or DNS. This view helps in analyzing the complete DNS conversation between client and server. DNS responses may include additional records like NS (name server), CNAME (canonical name), MX (mail exchange) and TXT records. Examine these records for comprehensive DNS analysis.

I hope you've gained a basic understanding of Wireshark from this video. However, I want to acknowledge that this video isn't a comprehensive guide on Wireshark. Unfortunately I'm limited in time, as I'm also creating a course and have a busy schedule. However, I'll do my best to cover each protocol in Wireshark in future videos. If you're interested in overviews of other tools or topics, please leave a comment below. Thank you for watching, and if you're eager to delve deeper into cyber security and hacking techniques, consider subscribing. If you want to see our Nmap full guide, click this. See you next time.
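The UDP length rule from the DHCP part (the length field counts the 8-byte header, so payload = length minus 8) and the DNS fields listed in the steps above (transaction ID, the Query/Response, Recursion Desired and Recursion Available flags, the response code, the question name and type, and the answer's TTL and address) can all be pulled out of the raw bytes with a short dissector. The script below is an added example, not code from the video: it constructs a DNS query for example.com and a matching response (the answer address 192.0.2.10 and the TTL are invented documentation values, and the port 54321 is an assumed client port), wraps each in a constructed UDP header, and parses them back, including the name-compression pointer that real responses use.

```python
"""Added example: dissect UDP datagrams carrying a DNS query/response pair
built from constructed bytes, extracting the same fields Wireshark shows in
its Domain Name System tree. Pure Python; nothing captured from a network."""
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080          # DNS header flag bits


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (DNS label wire format)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def build_udp(sport, dport, payload):
    """Constructed 8-byte UDP header: the length field counts header + data, checksum left 0."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_dns_query(txid, name):
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)          # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # type A, class IN


def build_dns_response(txid, name, addr, ttl):
    header = struct.pack("!HHHHHH", txid, QR | RD | RA, 1, 1, 0, 0)   # QR+RA set, one answer
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # The answer's name is a compression pointer (0xC00C) back to the question at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(map(int, addr.split(".")))
    return header + question + answer


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # two-byte compression pointer
            if not jumped:
                end = off + 2                          # the name ends after the pointer
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:                                # root label terminates the name
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_udp_dns(raw):
    """Return a dict describing the UDP header and the DNS message it carries."""
    sport, dport, ulen, _ = struct.unpack("!HHHH", raw[:8])
    msg = raw[8:ulen]
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    info = dict(sport=sport, dport=dport, udp_length=ulen, payload_length=ulen - 8,
                txid=txid, is_response=bool(flags & QR), rd=bool(flags & RD),
                ra=bool(flags & RA), rcode=flags & 0x000F, questions=[], answers=[])
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        info["questions"].append((name, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        info["answers"].append((name, rtype, ttl, value))
    return info


def sample_transaction():
    """Constructed query/response pair for example.com (assumed client port,
    documentation address 192.0.2.10, invented TTL)."""
    query = build_udp(54321, 53, build_dns_query(0x1A2B, "example.com"))
    response = build_udp(53, 54321, build_dns_response(0x1A2B, "example.com", "192.0.2.10", 3600))
    return parse_udp_dns(query), parse_udp_dns(response)


if __name__ == "__main__":
    for pkt in sample_transaction():
        print(pkt)
```

Matching the query's transaction ID against the response's, as the parser exposes here, is exactly the pairing Wireshark performs when you Follow a DNS conversation; an `rcode` other than 0 is the Response Code field the video tells you to watch for.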