Hi everyone, this is Anson from AnsonAlex.com, and in this video I'm going to provide a basic tutorial for using Wireshark, which is an open source network scanner and monitor that allows you to take a look at all the traffic, and even individual packets, that are passing through the particular network interface card that you're looking at. I'm going to be showing you on a Mac computer, but this runs through X11, so the user interface should look the same whether you're using Wireshark on Mac, Windows or Linux. So here I am, I have Wireshark installed and opened up on my computer, and I'm just going to go through some basic things here to get us familiar with the user interface, and then we'll start to take a look at some ways that we can look at how people might be trying to hack on our network or are scanning our network, stuff like that.

First off, when you open up Wireshark, the whole goal of Wireshark is to see what's going on on your network, so let's take a look at what's going on right now. The first thing that we need to do is tell Wireshark which network interface we'd like it to listen to. Over here on the left we have all of our options; we have our interfaces listed down here, but one way to find out which interface you want to listen to, if you don't already know, is to click on Interface List, and it's going to pop up with a number of different interfaces that you have. You'll notice that one of mine is actually sending and receiving packets, so that's probably the one that I want to listen to, and in fact it is: it's my wireless network interface on my computer here. To listen to this interface I just have the checkbox checked and I'm just going to click on Start. You'll notice that a new window opens up and I start to see all of the traffic that's currently happening on my network. It's going to continue listening, and you can eventually get too much data here in Wireshark, so once you think you have enough information listed and you want to take a closer look, you can just hit this red stop button up here and it will stop listening to this particular interface.

So as you can see, in the information that we see, we can see the time that the packet was received or sent, and we can change how we view time up here in View, and then we can go to Time Display Format, and you can see that you have a number of different options. By default it's seconds since the beginning of capture, but a helpful one is also to use seconds since the previous captured packet, and you have a number of different options here. So that's how you can change that. You can change a number of things here in the View menu; I'm not going to go through all of this in the video, I think you all can take a look at this menu and see what you want to enable and disable, but it's nice to know that it's there for us. But we can see the time, we can see the source, either IP address or MAC address, we can see the destination IP or MAC, we can see which protocol was being used, the length of the actual packet, and then some info, which is probably one of the more important pieces of data that we're going to look at here.

We can see there's a number of different things going on on my network right now, and if we want to take a look at a packet a little more in depth, let's say we want to just take a look at this one: here's a request that was sent from me to a particular IP address, it was an acknowledgment, and when I click on it you'll notice that a lot of other information is displayed below. We can see the frame information, the Ethernet information, IP information, TCP information, and if there was more information, such as HTTP information, that would be displayed here below. We're going to look at some HTTP packets in a few minutes. But notice that, say we drop down this Internet Protocol section, we can see some information here: we can see the source IP is here, the destination IP is down here. Now, in the TCP layer we're going to have a little bit more information, since this was a TCP request. We can see the source port and the destination port, so obviously port 55040 is a temporary port on my computer, so this was probably a communication between my computer, or at least something on my network interface card, and a website. You can see the header length and some other information down here as well.

Now let's go ahead and take a look at an HTTP packet in a list here, but in order to do that we have to go to a website. So what I'm going to do is start capturing again by clicking on this green shark button, and I'm going to start a new capture, so I'm going to continue without saving this current capture. It's probably going to start getting some information there, but I'm just going to go to a website, I'm going to go to my website, AnsonAlex.com, let that load up here, and then I'm going to go back and take a look at some HTTP requests. So I'm going to minimize this, we're back here in Wireshark, I'm going to stop the capture so we don't keep bringing in more information, and I can see there's some HTTP requests right here. But in order to make this a little bit easier, because you can see how much information is in here (we're looking at all of the packets across our network), what we can do is use the filter up here at the top, and there's a couple of ways we can do this. First of all, I can just click in the filter area and type a certain protocol that I'm looking for. There's a number of different things you can type in the filter; you notice it's red right now, but when I enter a protocol that it knows is valid it turns green, and I can hit Enter, and you'll notice that now I just have a list of HTTP packets. So this is where I can see, and I happen to know that this is part of my website, probably some things I need to fix here, but I can see all the requests to and from my website. I can see the source right here; I'm going to click on this one, this is my MAC address, and the destination is obviously the MAC address of my web server. But when I scroll down here and I look at the additional information, you'll notice that I now have an HTTP section down here at the bottom, and I can scroll down and I can see that, hey, the host is AnsonAlex.com, and that's obviously correct, that's the website I went to. I can see which machine I was accessing this website from, so I was on a Macintosh and I'm using Google Chrome, so we've got that all in there. So that's how you can look at some HTTP information here.

Now I mentioned there's a few different ways to use this filter. So for example, if we wanted to look at all of the packets that are coming from this source right here, this source IP address, I can right-click on this packet and go down to Apply as Filter, and I could say "...and Selected", so it will look at the filter we already have in there, which is HTTP, and this selected source IP address. When I do that, you'll notice that we still have HTTP up here, but we've also entered the source IP, so now we're able to see all of the HTTP messages that were sent from my computer to my website, because I filtered by the IP address of my computer up here. So we can see all the messages that were sent. Alternatively, we could have gotten rid of the computer; we're going to go back to HTTP, and I could have clicked on the source, 2,400, starting at least with that MAC address, and I could have applied that as a filter with "...and Selected". Now we're looking at all the messages that were sent from the web server to my computer, so we can see there's a lot of text and CSS files obviously. We can click on the particular packet and take a look down here in the HTTP section to find some more information; you can see I use a CloudFlare server there, so there's some great information in here as well. We can even look at the media type, because this was an image, down here as well; we can see the size of it.

One thing that I do want to mention: I only went to one website, so this was pretty simple, but if you have a browser open and you have a number of websites open in your browser, there might be some asynchronous talk going on between that web server and your client computer, so when you run a capture here in Wireshark you might get a bunch of gobbledygook. So it's a good idea, if you're troubleshooting a specific problem, to close all the other websites that you have open so that you can sift through the data a little bit easier.

So now we've taken a look at how we can capture some traffic on our network and how we can take a look at some of that traffic and drill down a little bit. I'm going to go back and I'm going to unfilter this here, because one thing I want to show you now is one way that you could possibly find out if there's some malicious activity going on on your network interface card and how you could maybe stop that. So I'm going to take a look here. You'll notice that here's an acknowledgment; I'm going to see if I can find a reset, so I'm just going to scroll down here. Actually, you know what I'll do, I'm going to run a new capture, since there's too much information in this one, and we'll see if we can find what we're looking for here. It looks like I'm not getting any dropped packets, so that's a good thing. That's okay, we can still look at what I want to show here. Basically, if we take a look at one of these packets, and really any of these should be okay, we don't want to look at one that's being sent to myself, so this is good: we've got a message that's being sent from my computer to someplace else. If we take a look down here into the TCP section, we can see the source port and the destination port, which I talked about earlier. Now, this message was sent from my computer, so it wasn't accessing my 443 port. But let's say I have a packet that I'm seeing coming from a weird IP address or MAC address, and it's trying to talk to my computer, and then my computer keeps dropping it. You'll see an RST message over here in the Info section, which means my network is basically saying "stop talking to me", and you'll see that over and over again. First of all, if that request is going to multiple ports on your computer, then they're probably doing a network scan to find out any ports that are listening, any ports that are open within your network. Now, at the same time, if you see some data then go out from the particular port that they sent a message to, from your computer to whoever this is or whatever computer this is, what you can do is actually take a look at the port that it came out of and try and find the application or the process that was sending that message.

So let's say we had a weird IP address requesting information from us and then we sent it from our port 443 on our computer. What I could do, and I can't do this within Wireshark, but I can do this on Windows, Linux and Mac (I'm going to show you on Mac), is actually see what's going on on that port on my computer and find the different process IDs, and then I can go and kill those processes. So for example, I'm going to open up Terminal here on Mac; this would be Command Prompt on Windows. I'm going to enter the command to see what's going on on the different ports on my computer, so I'm going to type sudo lsof -i, and then I'm going to look at port 443. I'm going to enter my password, and I can see there's a number of different things going on on my port 443; it's a pretty well-used port. I can see Spotlight is using this port, Calendar, Google is using it as well. So what I could do is, you'll notice that there is a column for the PID, that's the process ID. So let's say here's the process that I think is causing my computer to send information that I don't want it to send; its process ID is 221. Then I can open up Activity Monitor here on Mac, and I have all my processes; I could sort by the process ID, I could find process 221, here it is, Google Chrome, and then I could kill it. So that's a real quick way, using Wireshark, to find out which port your computer is sending information from that you don't necessarily want it to send information from, then, using that port number, try and find what process is sending information from that port, and then you can kill that process.

So that's just one useful way to use Wireshark. I'm obviously using this on a client computer with just my network interface card; this computer is the only thing that's using that network interface card. But if you had a server or a router that you can run Wireshark on, you could then see all the traffic that's going on within your internal network. So at a small or medium-sized business, maybe somebody's having an issue with something, maybe you think you might be getting a DDoS attack; you will be able to see that. Like I mentioned earlier, if you're getting an attack, especially a DDoS attack, you're going to see (I don't have any in this list here to show you) a lot of the RST packets where your network is sending a message back saying "I want to stop talking to you, I don't want to talk to you", and then that outside server continues to send packets into your server. That is a DDoS. You can get at least the destination IP, maybe the destination MAC, and do what you need to do with that, but Wireshark is the tool that allows you to gather that information. There's a number of different filters, and you can change certain things here in Wireshark. So if I go to View, I could change the coloring rules; by default, this is where you'll see the default coloring rules that are used for Wireshark, but you could change these if you'd like as well, so that's a very useful feature. You can export data here within Wireshark just by going up to the File menu, and you have all of these export options, so you can export specific packets, packet dissections, different objects, HTTP, whatever you want to do; you can always export that information. So it's a very, very useful tool.

I hope you found this video helpful. If you have specific questions about Wireshark, let me know in the comment section below here on YouTube or on AnsonAlex.com and I'll do my best to answer those questions. Again, I hope this video was helpful; if it was, I would really appreciate a thumbs up here on YouTube. Don't forget to subscribe to my YouTube channel for more technology tips and tutorials. That's all I have for you for today. This is Anson from AnsonAlex.com.
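The RST-based check the video walks through (one outside address probing several ports, the machine answering with RSTs, then finding which local port did answer so you can look it up with lsof -i), worked through as an added example that is not from the video or from Wireshark. It runs over a small constructed packet list shaped like Wireshark's Source/Destination/Info columns; the addresses, ports, flags and the three-port threshold are all made up for the example, and the display filter it builds uses Wireshark's own ip.src, ip.dst and tcp.flags.reset fields.

```python
from collections import defaultdict, namedtuple
# One row of Wireshark's packet list: addresses, TCP ports, and the flags
# shown in the Info column as a comma-separated string, e.g. "RST,ACK".
Packet = namedtuple("Packet", "src dst sport dport flags")

LOCAL_IP = "192.168.1.20"  # constructed: the machine running the capture
PEER = "203.0.113.9"       # constructed: the "weird IP address" from outside
# Constructed sample capture (not real traffic): the peer probes four local
# ports; 22, 80 and 3306 are closed and get an RST, 443 answers and sends data.
SAMPLE = [
    Packet(PEER, LOCAL_IP, 40001, 22, "SYN"),
    Packet(LOCAL_IP, PEER, 22, 40001, "RST,ACK"),
    Packet(PEER, LOCAL_IP, 40002, 80, "SYN"),
    Packet(LOCAL_IP, PEER, 80, 40002, "RST,ACK"),
    Packet(PEER, LOCAL_IP, 40003, 3306, "SYN"),
    Packet(LOCAL_IP, PEER, 3306, 40003, "RST,ACK"),
    Packet(PEER, LOCAL_IP, 40004, 443, "SYN"),
    Packet(LOCAL_IP, PEER, 443, 40004, "SYN,ACK"),
    Packet(LOCAL_IP, PEER, 443, 40004, "PSH,ACK"),
    # Ordinary outbound browsing from an ephemeral port must not be flagged.
    Packet(LOCAL_IP, "198.51.100.7", 55040, 443, "SYN"),
    Packet("198.51.100.7", LOCAL_IP, 443, 55040, "SYN,ACK"),
    # A single RST to some other host is not enough to call it a scan.
    Packet(LOCAL_IP, "198.51.100.8", 8080, 50000, "RST,ACK"),
]

def is_rst(pkt):
    return "RST" in pkt.flags.split(",")

def rst_ports_by_peer(packets, local_ip):
    """Remote host -> set of local ports that answered it with an RST."""
    ports = defaultdict(set)
    for p in packets:
        if p.src == local_ip and is_rst(p):
            ports[p.dst].add(p.sport)
    return ports

def suspected_scanners(packets, local_ip, min_ports=3):
    """Peers that drew RSTs from at least min_ports distinct local ports."""
    by_peer = rst_ports_by_peer(packets, local_ip)
    return {peer: sorted(ps) for peer, ps in by_peer.items() if len(ps) >= min_ports}

def responding_ports(packets, local_ip, peer):
    """Local ports that sent the peer something other than an RST: check these with lsof -i."""
    return sorted({p.sport for p in packets
                   if p.src == local_ip and p.dst == peer and not is_rst(p)})

def rst_filter(local_ip, peer):
    """Wireshark display filter for the RSTs this machine sent back to the peer."""
    return f"ip.src == {local_ip} && ip.dst == {peer} && tcp.flags.reset == 1"
```

Rows from a real capture can be fed in the same way after exporting the packet list from Wireshark (File > Export Packet Dissections > As CSV); the three-port threshold is only a starting point to tune against your own traffic.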