Transcript for:
Exploring Nmap and Packet Analysis Techniques

Hey everyone, it's David Bombal, back with Chris. Chris, you recently passed a security certification and I'm hoping that we could do a security video today. But firstly, welcome.

Hey, it's great to be here, David. And wow, that's a way to come out the gate.

So yeah, what did you do?

I went ahead and did the Certified Ethical Hacker, CEH, and I know, I know, I know, there's a lot of different opinions floating around around that one, and definitely we'll dig into that one. But what happened is I had a client that went ahead and asked me to get it, and they went in and helped me out with that. So boy, did I learn a lot, David. That said, the test is another thing, but I certainly enjoyed getting into a lot of different new topics for me, coming from a packet background.

I'm hoping you're going to teach us something about Nmap.

Oh yeah, for sure. This is a tool that I've used for years, but I just hadn't used it to this level until I started really digging into it. For me, I'm the kind of guy, if I don't see it at the packet level with Wireshark, I don't really understand it. I came from a background of, that's what I would first do with the tool: I see a tool, I start up Wireshark, and then I compare what Wireshark sees with what that tool output gives me. So that's why we're here about Nmap.

Yeah, so explain, what are we going to look at today? Because I'm hoping that you're going to run Nmap and then do something, and then we're going to actually look at the packets. Is that what we're going to do?

Yeah, for sure. If you are out there studying for a cyber security certification, Nmap switches are going to be on your test. I mean, you're going to have to know them. Now, learning them is another story. Really, we have one of two ways of doing it. You can either flash card it: okay, what is -sS, -sT, -s... what are all those switches and what do they do? Or you can use it practically and have a lot more fun doing it. So which one sounds better to you?

The best way to learn any protocol is to just capture it and have a look at what it's actually doing, not what the textbook tells you it's doing. So take it away, Chris, show us what you... you know, I'm hoping you're going to start Wireshark, like, right now and show us what's going on.

Yeah, why not? That's always fun. Let's get those packets going. So Nmap, let's just take a look at Nmap. So basically what Nmap does, it's Network Mapper, all right? So it allows us to discover devices on a network. Why is that important? Well, how are we going to go in and try to hack a device, or even inventory devices? I've used Nmap just scanning around my own network and taking a look at what's there and what ports are available, even doing, like, an internal pen test on myself, and Nmap allows us to do that. Now there's a thousand switches with Nmap, or options, and if you look through the actual help of Nmap, there's a lot that it can do, and we can see some of those here, David. Look at all these switches. So we have host discovery, target specification, scan techniques, port specification, looking at services, even enumerating operating systems. So we can take Nmap and we can launch it at a device and we can learn a lot more about the type of OS that that device is running. Why important? Because how can I find a vulnerability to then exploit if I don't know the operating system?

Okay, so yeah, I'm hoping you're going to show us at some point. I believe that's in a separate video, we're going to cover that as well?

Yeah, we'll get there. But first we want to just talk about some basics and understand more about how Nmap works. So let's just do this.

Now, like, a question would be, like, what's the difference between a normal scan and a stealth scan? And, you know, there's a lot of options in Nmap, so hopefully you're going to show some of that.

Yeah, for sure. So I think the two biggest ones, I should say maybe biggest is the wrong word, but two of the ones that you're definitely going to be learning and using have to do with TCP connections, all right? And you're going to find that there's two major ones. If we come here to scan techniques, you can see the first two here, -sS and -sT. So this is TCP SYN and connect. Now those are different; there's a difference between a TCP SYN scan and a connect scan, and that's what we're going to really focus on today. Maybe in other videos we'll get into FIN, Xmas scan, and some of these other ones, even UDP scan, but for today we're really going to focus on those first two. So does that sound like a good time to you?

Yeah, I mean, it'd be good to know the difference. So yeah, hopefully you're going to, like, show us the packets.

Absolutely. So let's do this first. I'm just going to say nmap, and here's the way to remember it: if it's a scan, then use dash s, lower s, there's your small s, and then the next letter that you use, that's going to tell you the type of scan that you're going to do. Is it an ARP scan? Well, that's ARP. Oops, there we go, bottom s, that would be an ARP scan. How about a UDP scan? How about a connect scan? That's T, all right? So a lot of times you can just use the name of the scan to figure out the type of scan it is. A FIN scan. Now there's different reasons why you would use each one, and we'll build on that, but just to get this right out the gate, let's have everybody, if you don't have Nmap, then go get it and follow along with me here. You can just do nmap, and let's just do a SYN scan. And I'm going to come over here, I'm just going to start this up here, let's start up this capture. You can see a lot of our traffic going on here in the background. What I'm going to do is just launch it. Okay, let's just grab a device and let's just see what we do. What I am going to do though, I'm just going to do -F. There's a reason for that. It's a fast scan; it's only going to test the top 100 ports. The number of ports that are available, again, another test question that you might find: there's 65,535 ports that TCP can possibly have opened, right? So we don't want to have to just destroy a device as we're trying to scan it. Let's just be a little bit more simple with it, and we're just... oh, look at that, sorry, forgot about my root privileges. Got to come back. I'm just going to do sudo, because a lot of scans require administrative privileges on the system. So a lot of times you're going to have to do sudo. So there we go, and let me just run this. One second, password.

Are you running this on your Mac or on Linux?

I'm running this on my Mac right now. The nice thing is that the commands are going to be all the same, right? So if you're on Kali, and really even on Windows, I mean, you're going to find, except for the sudo part, you're just going to have to run your terminal as administrator. Okay, so if you notice here on my capture over here, I'm just going to set a filter. If you didn't know, you can set a filter while you have a capture running, and that'll filter on just the traffic going to this device, all right? So I've got a device out here. I'm just going to stop my capture. I've got a device out here and I have TCP 53 is open. There's one open port, and then the other one is 1900, using the SYN scan. Okay, cool. Well, let's go ahead and take a look, just on this live capture. I'm going to show you this live, David, and then I'm going to open up another capture that has a few more interesting ports, and we're actually going to be able to share that with everybody. You can go down to the description down below and you can download the stealth scan pcap, and you'll be able to follow right along with me. So we'll get to that in just a moment, but what I want to do is I just want to filter. So let's just do, okay, 4.1 was our device, and let's just do and tcp.port == 53. Let's see what we get. All right, so here we can see that here's our client. It established a connection, or it sent out that TCP SYN to 4.1, that was our target, and we're sending this to TCP port 53.
Well, seven milliseconds later we get a SYN-ACK back, but notice what happens right after that: our client says nah, let's reset. This is known as a half-open scan. The reason is because we only have half of the connection open. A TCP connection is not open until you have sent a SYN and you have received an ACK for that SYN. So as a client, I got my ACK. So I sent my SYN and I got the ACK for that SYN, but the server sent his SYN, I never sent an ACK, I just went nah, reset. So that's why it's called half-open. Now in Nmap that type of scan is called a stealth scan, right? So -sS. Okay, so that's... any port that is open and available is going to respond with that SYN-ACK. If it's a port that is not open, let's go ahead and try port 80. This is what we're going to see: I send out my SYN and I got a reset ACK back. So this one's closed. The server has reset it because it doesn't have that port open.

Yeah, correct, when you hit a port that is closed, sorry, talk to the hand, reset.

Yeah, all right. So that's how Wireshark knows that the ports are open... sorry, not Wireshark, that's how Nmap knows that the ports are open, because it's getting an ACK?

Correct. When I send a SYN and I get a SYN-ACK back, that port is open. Simply, let's just call that the stealth scan. Now let's think about this though: why would this be called a stealth scan? Well, basically, back in the day it was thought, well, okay, if I send this SYN and then it gets a SYN-ACK and I reset it right away, well, maybe that device that I'm trying to enumerate, I'm trying to attack, maybe it won't log it, where if I do a full TCP connect scan, the potential is there that it'll go, oh, there was a connection attempt and it was reset. Really, anymore, most systems today... even on the Nmap, if you go out to the Nmap website, they even tell you, they're like, yeah, stealth might not be the right word for it anymore, because a lot of IDS systems will find this anyway, right? So it's not like one is really clandestine and secret and the full connect scan is just out in the open. If you're enumerating a network, if you're pen testing, likely you're going to be found if you just launch this thing on a network. So should we contrast the connect scan?

Yeah, I was going to ask, you know, how's that different to a standard, like, connect scan?

Shall we? Let's do it. I'm just going to start up another capture, and then what I'll do is I'll flip over to the other ones that we're going to share with everybody, so everybody can be on the same packet page. All right, so let's do this. I'm going to go ahead and start my little capture, got it going. Now let's come over here. I'm just going to do sudo again, but this time I'm going to do -sT. That's all I changed. Now let's see how that changes things. All right, so we have those same two ports open, and I'm going to come over here, let's just do an and tcp.port == 53. So let's take a look at this connection now. What's different here? I have a SYN and I got a SYN-ACK, but this time the client, or the tool, ACKs back. This is a full connection. Right after that, only a whopping 18 microseconds later, we send a reset. So basically: hey David, you there? Yep, I'm here. Great, bye. That's a full connect scan. Now there are some other differences here that I'd like to point out. If you are looking at traffic on your network, there's some differences between these two types of scans that, if you see them in Wireshark, you'll be able to quickly tell the difference, more than just the half-open and the full handshake. There's also some things that Nmap is doing or not doing with these scans that I'd like to point out too. Let's go and flip over to the other trace file. All right, so in this pcap, which I'm going to share with everybody, you can hit that link in the description down below, what I did is I went ahead and scanned a much more open device, a device that had a whole lot more ports open. So in this scan, what we're going to do is we're going to take a look at, that's that SYN scan, but how certain things would jump out to us if we were looking at normal network traffic. This is where it turns into the real world, David. If we're a SOC analyst, blue team, if we're looking at pcaps from our environment, how can I know if my stuff's getting scanned? And that's what my clients come to me for. They'll send me, here's a terabyte hard drive full of stuff, here's a bunch of captures, like, what's going on and where are we getting attacked? Okay, so let's go ahead and take a look from a scan perspective anyway. Let's just pick a port here, so I'm just going to do tcp.port == 80. All right, so right out the gate we can see that this was a scan going to port 80, among others. So if everyone puts that port scan there, so here we have SYN, SYN-ACK, and then we have a reset. There's our stealth scan. But there's a few other things that we can take a look at that look a little bit interesting in this type of scan. So I'm just going to go to that first SYN. Now here's the thing: when we send a SYN scan, the stealth one, Nmap is actually generating that scan. It's actually coming from the tool itself. So Nmap is generating that SYN, putting in things like, for example, oh, let's just pick out some stuff: window. The window is 1024.

If everybody's seen some of our TCP deep dive stuff that we've done, David, you know that I'm advertising that I only have enough room in my receive buffer for 1024 bytes. That's teeny, okay? So that's something that might catch my attention. Something else: if I look at that SYN, if I come down here to options, the only TCP option that the Nmap stealth scan is offering to the other side is an MSS. In the real world, when you're looking at true TCP connections, true SYNs that are happening, that's not the case. You're going to have a lot of TCP options. You're going to see stuff like timestamps, and you're going to see window size and selective acknowledgement, SACK. You're not going to just see only one TCP option, typically.

So in other words, what you're saying is, you know, this is dodgy traffic, for lack of a better word, because the window size is really small and there aren't enough options?

Oh, that would flag my attention in a heartbeat. Absolutely.

How would you find that in, like, a terabyte of data? How do you find this stuff, Chris? Because, like, needle in a haystack type stuff.

Glad you asked, David. Why don't we come down to window and let's actually talk about that for a moment. How would I set a Wireshark filter that will directly find this? So first of all, finding a packet that I would be interested in finding later is a great way to do it. What is it that makes this packet unique? Well, first of all, I got a window, right? So let me go ahead and right-click that, and I'm going to come up here to Prepare as Filter, and I'm going to go to Selected. Okay, so tcp.window_size_value == 1024. That's a mouthful. Do I ever want to have to type that out? No, of course not. That's why I can find a packet with that field; I can borrow from down here on the bottom left, tcp.window_size_value, all that, and I can send that upstairs. Or what I could do is, I could just take... this is another kind of cool thing about Wireshark, you see I'm dragging this right now, I can also drag and drop that filter. Super cool. In fact, another thing that would be weird about this: I only have so many options. There's not a whole lot here, there's only one option. So something else that might catch my attention. There's a couple ways that we could filter on this. Let's come up to header length, and I'm just going to right-click, Prepare as Filter, and I'm going to say And Selected. Now let's see what we just did. I said show any packet that has 1024 as the window size and also the TCP header length is 24. All right, what does that mean? Well, basically, the TCP header without any options, without anything else going on, is 20 bytes. You've got your source port, destination port, sequence numbers, acknowledgement numbers, flags, window, all that stuff, right up to urgent pointer. That's the last part of the 20 bytes. After that, if I have options, there's some extra stuff. If this isn't the beginning of a handshake... which, by the way, let's not forget that we need this to be a SYN, right? So let's go ahead and right-click flags as well, and I'm just going to say Prepare as Filter, And Selected. So look at this, we're building this filter out. If this is a SYN, which is flags... what I'm doing is, instead of just focusing on that individual bit of a SYN, I'm saying take that whole flags field, and the only bit that will be set is SYN. If I say SYN, if I do this another way, if I say tcp.flags.syn == 1, that's going to get SYNs and SYN-ACKs. I only want the SYNs. Let's go ahead and back up. So I'm just saying flags as a whole. Here's the hexadecimal value, and if you look sideways down here, that's for the hexadecimal people out there, I've got 0 0 0 0 1 0, that's a two, that's why it's 002, right? So I just want that SYN location to be one. That's why my flags are 002. So let's see what we did with this filter. This is only SYNs. This is SYNs that are advertising a TCP window size of 1024, and that header length is only going to be 24 bytes. Now let's talk about that for another moment. The header length, again, TCP is going to have a 20-byte header, and at the beginning, if there's a lot of different options, that header length is going to be much larger, it's going to be another 20 bytes or so. So this would catch a stealth scan.

Is it always 24 on Nmap, or can you change that, or is that just the default?

Yeah, for the stealth scan. Tell you what, why don't we test this against a couple other packets. Let's actually apply this thing. All right, so I got a thousand packets, and I know for a fact that I sent a thousand when I did this scan. I did it with the thousand most common ports. Right there, I'm able to see that it caught everything.

And you just did, like, a stealth scan like we did a few minutes ago, with no... you didn't specify anything else, so that was just the default values?

Correct. If I want to, I can come over here, and this is probably a good way to actually show it so we learn it better. If I do -p, that's for port, and right after that, that's where we can specify: do we want specific ports, do we want a range of ports. If I want to be specific, I can say 1 to 1000, or let's just say... if we don't leave this, then what it's going to do is it's going to try the top 1000. It's going to say these are the most common ports. If I don't want a thousand, if I want to run a little faster, that's that -F; it's just going to do the top 100.
Yeah, what's interesting is that it's using, like, a window size of 1024 and the TCP header is 24. So just looking for a 24-byte header is an easy way to see if someone's scanning your network, unless they've made specific changes to try and hide what they're doing.

Exactly. And that's the thing, you know, when we're talking about cyber security, it's hard to make absolutes. All an attacker would need to do is change this to 25 bytes.

How did you discover this? Is it just you're looking through data and then suddenly you saw, well, this just looks weird?

Yeah, that's exactly what I did. Let's go ahead and run that full scan again, and what I'd like to do is show you how that would change when I'm looking at a full scan. Let's go ahead and check that out. All right, so I'm going to start my capture and let's just run this guy, only this time we're going to do the -sT, and I'm going to show you... because remember, that was for the stealth. So what I started to do is I was just looking at these scans, I started to realize... oh, and we already caught that scan. Let me stop. Okay, so let's see what's different. Let's see if everybody can pick this out. Full connect. So first of all, what's our header length, right? That's different. And SYN is the same, but if I come down to my window, I've got a complete 65535 window. So on the full connect scan, look at all the options I have.

Yeah, very different. SACK, timestamps, window scale. And that's more realistic for proper traffic in the network.

Exactly. Here's the reason why these are different. Now the audience might be thinking, great, okay, so the stealth scan looks weird but the connect scan doesn't, and that's because Nmap doesn't generate this on its own. What it does is it issues a connect call down to the operating system kernel stack, and it says, hey, you, TCP, you generate this connection. I'm not going to do it as a tool; I want the actual operating system to do it. That's why this SYN looks so much different, because the true OS stack is the one that actually generated this, and that's why it looks much more real. A real window, a useful TCP window. So instead of saying, hey David, do you want to connect? You can only send me a thousand bytes. Now I'm saying, hey David, do you want to connect? I'm going to start out with 65,535 as a window, and by the way, you're going to be able to multiply that bad boy by 64. So we're going to have a big cool bucket of data to work with, right? That's why that caught my attention when I was looking at those stealth scans, because this was so low.

I mean, in some ways the stealth scan is less stealthy compared to this, isn't it?

To me, yeah. I would catch it way faster than I would this, for sure.

Yeah. Is there anything here, though, that looks weird? How would you catch this?

I would come to this part of Wireshark, and this is called TCP conversation completeness. Now, what on earth is conversation completeness? Well, glad you asked. Basically what this does is it assigns values to different aspects of the TCP conversation. So here's a standard conversation. So basically what conversation completeness does in Wireshark, this is basically a cool little feature, it's come out just in the recent year, really. So basically a full TCP conversation that is normal and healthy has a beginning, so a handshake, okay? And the first packet of a TCP handshake, everybody, is...

SYN.

Good job. All right, yes, you got a gold star.

Thanks.

All right, I can't believe I'm giving David Bombal gold stars.

Anyway, yeah, I know nothing, I know nothing about this.

Okay, all right. No, yeah, no, a lot of things. Okay, how about the second packet, everybody? What's that one called? Come on.

SYN-ACK.

Good job. Okay, here we go, and... whoops, all right, fleshed out. All right, last packet is ACK. Good job, with our handshake. Okay, we've already seen this in our Nmap scan. Okay, so there's a handshake, so a connection began. Data gets exchanged, okay, acknowledged, okay, and then this connection gets shut down. So this could happen any way, either through a FIN or a reset, okay? So let's just say, I'm just going to shorten this out and just call this FIN, okay? This is a complete conversation in TCP, so-called, all right? Now what Wireshark does is it's assigned values to each one of these functions. SYN... this gets a little deep, and I'm going to link the Wireshark page and the actual information, or the wiki where it talks about each of these values, but we'll just go over it together. So basically the SYN gets a value of one, SYN-ACK gets a value of two, the ACK gets a value of three, or a four, this is binary, okay? A reset down here is 32, and the FINs are 16, and data is 8, all right? Do you see the binary way we count? So 1, 2, 4, 8, 16, 32. So basically the way that TCP completeness is calculated, all right, so we have a TCP completeness of 39. All right, so what this means is we saw a 1, we saw a 2, we saw a 4, that's 7, and then we saw a reset. We add all that up, and when we say a handshake followed by a reset, that is a TCP completeness of 39.

Yeah, so no data sent.

Yeah, and that's why it says no data.

Yeah, so in this case that's weird, isn't it?

Oh boy, yeah. Well, I mean, it means... okay, does this happen in the real world? Yes, it does. Does it happen often in the real world? It shouldn't. If I said TCP completeness... and this is where I would do this, Dave, this is where I would look a little closer. I would say Prepare as Filter, and let's do And Selected, and I'm going to go ahead and remove my port off of this, just to keep things more open. Oh, you don't like the parentheses? Hang on. All right, so anything to and from this host, TCP completeness is 39. This is going to show me when a connection was attempted, SYN-ACK came back, ACK went out, and a reset happened right away. Right away I would be thinking, if I saw one of these, David, maybe I wouldn't be super worried about it. If I saw thousands of these, hey, someone's scouting. Absolutely. So this is one way that we can filter for that: TCP completeness is 39.

How did you discover this, Chris? Is it just, like, you captured packets and then you looked at what was weird based on what you normally see here?

Good question, and yes. For me, as far as the TCP completeness thing goes, what I thought was, okay, how can I capture a handshake that is immediately reset? That's a tough filter to build, right?

It's like, if you do that by hand, that's a long filter, I gotta say.

Yeah, yeah. I mean, basically what I gotta do to do the equivalent thing that conversation completeness is doing: first I gotta set a filter for SYN, and then I gotta set a filter for an ACK that has a sequence number of one and an ACK number of one, and reset on the same port number. It's just... I'm confused even explaining what I just explained. So that's part of the reason why the amazing people behind Wireshark came up with conversation completeness, because we could do these kinds of tests where we could say, hey, how far did the TCP conversation get? And this is really useful when it comes to port scans. So another thing that I could do is I could set TCP completeness, let's just say that I'm only looking for a SYN and a reset. Well, the SYN is one, the reset is 32, that could be 33.
Now I can use that feature of Wireshark to get a better handle on how much of this scan activity there has been, and it all goes back to: if I see it once, maybe I'm not super worried, but if I see a pattern here, or even if someone comes into Nmap and slows the scan down, which, by the way, we can do, we can say, hey, be really stealthy, only let out a few of these every couple minutes or seconds, you'll still pick it up though.

You can still pick it up. I mean, I suppose the problem is, if you do it over a long period of time, you can have so much data, so your capturing device has to have the capacity. And Chris, that gets us to another conversation: are our devices good enough today to capture huge amounts of data, or do you need specialist devices?

That's a great question. Okay, so here's your threshold, and this is what I do, okay? So I'm a packet consultant, right? I get paid to go in and find problems. The last thing that I want is missing data, because sometimes it comes down to that one packet that the analyzer missed, and as soon as I see that I start to doubt my whole trace file, okay? So sometimes people will send me pcaps, even from YouTube. They'll watch a video like this and they'll say, hey, I just need some help analyzing this certain problem, which is great, they can interact and send a pcap. And right away, if I see a previous packet not captured, or if I see symptoms, if it almost looks like false retransmissions, which it does take some time to learn how to identify, which you and I can continue to chat about, but the point is, if I have, I call it dirty data, if my data is missing, then I start to question my whole pcap, right? Packets are the gold.

It's unreliable.

Yeah, it's unreliable. So your question was how well does the hardware keep up? Well, I think everybody knows that a laptop, Wireshark with a laptop, in normal data center world, it can't keep up with super high data rates. Most network engineers know that. If I ask them, can a copy of Wireshark on a laptop keep up with 10 gig, most people are going to say, oh no.

Okay, then when does it start to fall?

Yeah, exactly. My benchmarking shows that most of the machines that I have had and done my best to optimize, I'm not able to accurately capture timestamps and everything much over 100 megabits per second.

Oh wow. That's lovely. Yeah, so when you go to site, do you have a laptop, or what do you do? Do you have, like, specialist hardware? What do you do?

So yeah, Dave, that's a good question, and let me just show you what I use, just because it's backpackable, if that's a word. So this is actually the Profitap IOTA, and literally what it is, is it's a hard drive, terabyte hard drive, with a tap built in, right? So I can go network one way, then device under test the other way, or I can connect it between two switches on the uplink. But it comes in 10 gig as well, and beyond, depending on the money you want to spend, and then it's got a management port. All I have to do is, I literally plug this guy in, power it, and then there's a little button here, see, a little guy, that button.

Yep, capture, and you just let it run for a while.

Yep, I let it cook, let it grab all the traffic that it can, and then what I can do is interface with it and I can pull pcaps back from it, or I can also use some of the analytics that are built in. So a lot of times I have this running even on my home network, just to keep an eye on things and look for scan activity like we're talking about. A lot of times I find my own, but part of what this does is it allows me to go to a period of time where I say, hey client, hey customer, what time was it when this happened? And I trained them to tell me, oh, it happened at 3:30, Chris. Okay, cool, at least I can go to that time index and I can back up five minutes and go forward five minutes and I can extract that component, right? So capture better, capture smarter. No one should be digging through a single pcap that is, you know, a terabyte.

I mean, that's important to know. I mean, the other question is, okay, so you've got, like, a terabyte of data or whatever it is. I mean, it's going back to that whole question: how on earth do you find things? So I mean, you've given us some good tips, but have you got any other, like, just from your experience, how would you... you know, you've got this crazy big file, how do you even start to look at that stuff?

Right, so there's two ways. One, you can make use of the command line tools. So from there, when you install Wireshark, you also have command line tools like tshark, editcap, mergecap, these other tools. You actually install, like, nine different tools, something like that, when you put Wireshark on there. Those tools have a much better time with very large trace files. So sometimes what I'll do, if someone just literally gives me a hard drive full of data, what I might do if it's a super large pcap, what I'll do is I'll go in and break it up. I can go in and say, just break this up into smaller pieces. Better though, let me show you the real thing that I do.

Yeah.

This is legit, real world, something that I train my students in my classes, I talk a lot about this, and I know we've left off from Nmap, but this is a really important part of capturing this stuff in the real world. What I do is I try to train them from the beginning to capture wisely, and one way is by using, let's just go ahead and use dumpcap. Now a lot of times when you're in Wireshark, Wireshark actually calls dumpcap to do the actual capturing. Dumpcap is a tool that gets installed with Wireshark, if you don't already have it. Or another one that a lot of people might use on a server or an interface is tcpdump, right? So what I'll do is I'll say, okay, let's just go ahead and do this, let's go to dumpcap. Okay, now if I go to dumpcap -D, this is going to show me all the interfaces that I have access to, to capture from. Let's just grab the first one, this is the Wi-Fi interface. Okay, so let's just do dumpcap -i, that's interface 1. So I'm saying, hey dumpcap, go grab a bunch of packets off of this interface, and if I just let this thing fly, it's going to go. Great, it's going to start to dump that traffic into a temp folder and it's just going to call it wireshark wi-fi, and David, this will go until I stop it. This is going to be a big trace file, especially if I leave it for a full day. Well, I don't want that. So instead, what I'm going to do, let me just back out of that guy, what I'm going to do is give it some parameters. So I'm going to say, actually it's called, if you look at the help menus you'll see this, but if you go -b you can do filesize, and in kilobytes I give it the amount of traffic. So my file size, let's just say, okay, so one kilobyte, ten kilobyte files, 100 kilobytes, meg, that's a 100 meg file. So what I'm saying is dump this into a 100 megabyte file. Then -b files, and I can say, let's just start with 10. Okay, so what that does, the files switch, is it says save 10 of them. And then let's just say, I'm just going to write this out. And I know there's a lot of switches here, but...

You know, it makes sense though. And I mean, this is a lot more efficient at grabbing traffic rather than the Wireshark GUI. Like you said, the Wireshark GUI actually goes and uses this.

Absolutely, yeah. I just started what's called a ring buffer. Now this gets back to your question: how do you find this in an ocean of packets? How do you find the three that make the difference? Well, first of all, let's capture smarter. So what I did is I started a capture. I said I want 100 megabyte files and I want 10 of them. So what this does is it starts, it's called a ring buffer, on my machine. Now I'm going to grab 10 files of 100 megabytes each, and after the 10th one it's going to go overwrite the first one.

Okay, so it's continuous.

Yep, ring buffer. So now I can play with these numbers. I can go, you know, 100 megabytes is too small, why don't we bump that up to 500 megabytes? And I've got some horsepower to work with on my hard drive, so why don't I go ahead and up this to 100 files, and that'll give me more time. Point is, David has a problem, and he goes, oh, that weird thing happened that I'm troubleshooting, or things look kind of funny, it happened, whatever we're troubleshooting, and I say, hey David, what time was that? And he's like, oh, it was about 8:30. Cool, I can go back to my ring buffer and I can look at my time date stamps that are right here, and I can say, okay, this is, look at us, we're at 2-22-22, for me it's 10:56 a.m., and I can just find the one that happened. Okay, I'll change from 8:30 in your example to 11 a.m., right? So I can find the one that was capturing during that period of time, and now I just went from a terabyte hard drive down to a 100 megabyte file.

Yeah, yeah, so capture smart.

Capture smart. I try to make my pcaps as small as I can, and also, when we're looking at real data, really be focused on the when, the what. The wrong thing to do, David, is just to jump in and just hope that we get the right packets at the right time, right? We need more information: when did it happen, what type of thing occurred. And when we're doing cyber security, open captures like this, it's a lot easier and more digestible when we're dealing with these smaller pcaps.

I remember, you know, doing a lot of network troubleshooting, the hardest problems were the transient, like, weird things that just happen seemingly randomly. It's so hard to try and troubleshoot that stuff. So I like what you're doing, you know, like, let it run. You know, if this is running continuously and just overwriting itself, then, you know, I mean, you correct me if I'm wrong, but, like, the client's running this, and then when something happens they can call you, okay, it's happened now, or, you know, they can try and give you a time when it happened that day, and then it gives you time to go back and look at actually what happened at that time, rather than just trying to guess.

Absolutely. In fact, let me show you one other
thing that i do i'll get this this capture going either locally on their system or somewhere on the network off of a span port a tap and what i'll do is i'll come in and imagine this is the user's machine okay this is i just have a test copy of windows running here's a vm um but what i'll do is i'll go into their system and i'll say okay let's go ahead and just do new let's just do a shortcut and i'm literally just going to type in my personal website okay packet pioneer dot com okay the reason is because it's unlikely that that person that end user that i'm trying to resolve is just going to go out to my personal website that's an unlikely thing to happen it used to be that we would do this with telnet back in you know when telnet was just a it was a part of a standard tool set that was still on windows people didn't use telnet because it's open and you can see the traffic that's actually happening you can grab passwords and things but now ssh people are doing that through putty and such what i just need to do is i just need to find something to trigger on right so what i do is i name this it happened okay i put that right over here on their desktop and then i say david go about your business do your work and then the next time it happens just go double click that and it'll go out and it'll go to my website what does that do well now i can stop my capture and this is a great little example here and let me gotta find where that file went i think it's just on my root there we go yeah okay so now i'm back in wireshark right so i've got a ton of stuff here i've got a hundred thousand packets how do i find the one where it happened it happened right so let me just do frame contains packet pioneer and i'm going to get all the packets that contain that name now i'm i am packet pioneer right so but i could see i actually tested this once and here we have it again so usually you're just going to see right here now i have a bookmark now i've got packet pioneer this is where 
this was actually generated and um we i can now look around that period of time in the pcapp and that's that allows me to set other filters for when it happened that's great so in other words you you find the timestamp just off that like marker and then you can say like five minutes after that all but ten minutes before it or whatever yep then i can come up here to view time display format time of day and now david said it happened at 1103 and he hit the it happened icon and now i have two bookmarks i have a period of time but just in case my time sync isn't correct on the the capture device now i can know also from the packets themselves he hit the it happened icon that's brilliant but i mean anything any lost like parting thoughts about tips that you've got from the real world i mean we started with nmap and we kind of like moved into like real world real world stuff but i think it's important because you like highlighting what's weird on networks um any other quick tips before we wrap it up yeah i think uh for me i don't get something until i see it at the packet level especially getting into cyber security um with with those that are if they're new to cyber security or if they're learning how these tools work wireshark is a great way to have that open and get that thing capturing while running these tests don't do that thing where you just become you're just generating a tool or you're using a tool and hitting a button and then watching some output that you don't understand wireshark is a tool that can help you to understand it and david hopefully you and i continue to do this kind of content where we can walk people through what to look for on the wire to the audience please put in the comments below stuff that you want chris and i to discuss i mean the good news chris is we we're planning to do a whole bunch of videos um and i think we want to cover as many protocols as we can i want to twist you to get back for more tcp deep dive stuff udp deep dive and some 
other protocols so there's a lot to cover chris really want to thank you you know for sharing your knowledge for free really appreciate it thanks for having me back david i always enjoy hanging out with you and of course everybody who watched too brilliant thanks chris [Music]
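The two tricks Chris walks through above, choosing the ring-buffer file that was recording at the reported time and then finding the "It Happened" marker with `frame contains "packetpioneer"` and reading the window around it, can be reproduced offline in plain Python. The block below is an added example written for this transcript; it is not Chris's tooling and not part of the video. It assumes dumpcap's documented ring-buffer file naming (`<prefix>_<NNNNN>_<YYYYmmddHHMMSS>.pcapng`), uses constructed file names, and builds a tiny classic-format pcap in memory whose third frame carries the `packetpioneer.com` marker, so nothing has to be captured to run it.

```python
"""Added example (not from the video): pick the ring-buffer file for a reported
time, then find the "It Happened" marker frame and window the capture around it."""
import struct
from datetime import datetime, timezone

# 1. Which ring-buffer file was recording at the reported time?
# dumpcap -b filesize:... -b files:... names files <prefix>_<NNNNN>_<YYYYmmddHHMMSS>.<ext>.
# These three names are constructed for the example.
RING_FILES = [
    "wireshark_eth0_00007_20240514103000.pcapng",
    "wireshark_eth0_00008_20240514105600.pcapng",
    "wireshark_eth0_00009_20240514110500.pcapng",
]

def file_start_stamp(name):
    """Return the 14-digit start timestamp dumpcap embeds in the file name."""
    return name.rsplit("_", 1)[1].split(".", 1)[0]

def pick_ring_file(names, event_stamp):
    """Return the file whose capture started most recently at or before event_stamp
    (a "YYYYmmddHHMMSS" string; fixed-width digit strings compare correctly)."""
    candidates = [n for n in names if file_start_stamp(n) <= event_stamp]
    return max(candidates, key=file_start_stamp) if candidates else None

# 2. A constructed classic pcap (little-endian, microsecond timestamps, Ethernet).
PCAP_MAGIC = 0xA1B2C3D4
BASE_TS = datetime(2024, 5, 14, 11, 3, tzinfo=timezone.utc).timestamp()  # "it happened at 11:03"

def _frame(payload, ts):
    """Wrap payload in a minimal but well-formed Ethernet/IPv4/TCP frame with a pcap record header."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 51000, 80, 1, 1, 0x50, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, bytes([10, 0, 0, 5]), bytes([203, 0, 113, 10]))
    data = eth + ip + tcp + payload
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(data), len(data)) + data

SAMPLE_PCAP = (
    struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)        # global header
    + _frame(b"GET /status HTTP/1.1\r\nHost: intranet.example\r\n\r\n", BASE_TS - 120)
    + _frame(b"heartbeat", BASE_TS - 30)
    + _frame(b"GET / HTTP/1.1\r\nHost: packetpioneer.com\r\n\r\n", BASE_TS)   # the marker
    + _frame(b"some other traffic", BASE_TS + 45)
    + _frame(b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n", BASE_TS + 900)
)

def iter_frames(pcap):
    """Yield (frame_no, timestamp, frame_bytes); frames are numbered from 1 like Wireshark."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("expected a little-endian microsecond classic pcap")
    off, no = 24, 1
    while off + 16 <= len(pcap):
        sec, usec, incl, _orig = struct.unpack("<IIII", pcap[off:off + 16])
        yield no, sec + usec / 1_000_000, pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        no += 1

def frames_containing(pcap, needle):
    """Equivalent of the display filter  frame contains "<needle>" : a raw byte search."""
    return [(no, ts) for no, ts, data in iter_frames(pcap) if needle in data]

def frames_around(pcap, center_ts, before_s, after_s):
    """Frame numbers whose timestamp falls in [center - before_s, center + after_s]."""
    return [no for no, ts, _ in iter_frames(pcap)
            if center_ts - before_s <= ts <= center_ts + after_s]

def locate_event(pcap, needle=b"packetpioneer", before_s=60, after_s=60):
    """Find the marker frame, then use ITS timestamp (not the user's clock) as the bookmark."""
    hits = frames_containing(pcap, needle)
    if not hits:
        return None, []
    marker_no, marker_ts = hits[0]
    return marker_no, frames_around(pcap, marker_ts, before_s, after_s)

if __name__ == "__main__":
    print("ring-buffer file:", pick_ring_file(RING_FILES, "20240514110300"))
    print("marker frame and +/-60s window:", locate_event(SAMPLE_PCAP))
```

The window is taken from the marker frame's own timestamp rather than from the time the user reported, which is the point Chris makes about the capture device's clock not necessarily being in sync: the marker gives you a bookmark that is anchored in the packets themselves.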