3.3.3.4 Using Wireshark to View Network Traffic

By | December 11, 2019


This lab is for the NETACAD course, and this is the 3.3.3.4 lab, "Using Wireshark to View Network Traffic." I'm going to try to keep this video in a shorter time frame because I'm going to clip some time out of it. What you should be doing is installing Wireshark, or in my case I'm going to show you how to do it on the NDG labs, where it's already installed for you, but I'm going to walk through real quick and show you the install for Wireshark.

Before we do that, though, the objectives for this: we're going to download and install Wireshark (that's optional; if you're using the NDG labs, it's already installed for you, but if you do need to install it I'll walk through that real quick), you need to capture and analyze local ICMP data, and then part three is capture and analyze remote ICMP data in Wireshark.

So that gives you the background here. I'm not going to read through this; you can pause the video here and read down through what it's asking you to do in the background and scenario. But in a quick format: Wireshark is software that lets you analyze or sniff packets on the network. It's what they call a packet sniffer, and anything in your subnet that your network card can see, it can capture that data and analyze it, and especially if it's not encrypted you can read all that information. If it's encrypted you would have to have some kind of decryption protocol or software, or be able to decrypt that with the passwords and things like that, but at the level that we're working with it, it's just a packet sniffer, and you can just call it a packet sniffer. So you're going to need at least one PC with Windows 7, Vista, or XP (you can use Windows 10 as well) and then additional PCs on your local area network if you're using this in a physical lab.

So the optional part here is to download and install Wireshark, and I'm going to take you over to my Windows 7 machine here. I've already gone to wireshark.org, I went to Download, and these are our download options here. I've got the 64-bit; I'm going to do the 64-bit, and you just do the 64-bit. I've already got it downloaded, so I'm just going to come in here and we're going to install that. I've installed it once, so I'll have to overwrite everything, so we're just going to click on Yes there, and I need to uninstall it first, so it's going to go through an uninstall. We're going to click Yes, read the licensing agreement (it's got all the information in there; after you read that you can click on I Agree, and if you don't agree then back out and don't install it), and I'm going to install it with all of the options here: Wireshark, TShark, and all the plugins that are on there on the tools. I just let it go ahead and do those. I don't need the other ones here because I'm not going to do it on Android; I just leave it default and click Next. I go ahead and make a desktop icon (unless I'm on my Windows 10 machine, and then I do it a little bit different), and then there's a legacy desktop icon. I'm also going to associate trace file extensions with Wireshark; if you don't want to do any type of file extension association, then just click None. Then go into where you're going to put it, in this case Program Files\Wireshark, and click Next. I'm going to install WinPcap; that's a small program that allows Wireshark to work. I'm not going to install USBPcap because I'm using this on a VirtualBox and I don't need that; if you want to know what it is you can click on that and it's going to take you to the website. Click Install, it's going to go through, and I'm going to pause the video here until it's done.

Okay, so it's installed. When I click Next it's going to do the WinPcap; I'm going to agree to that. "Automatically start the WinPcap driver at boot time" - I'm going to go ahead and tell it to do that. It sometimes wants you to reboot your computer; this one I don't need to because I've already installed it once and rebooted, so I'm just going to click Finish and let it finish up the install. Okay, it's all completed. I'm going to click Next and tell it to run - I'm not going to run it, I'm just going to go and click Finish. I'm going to close my browser, and I should have an icon now on my desktop, and I should be able to open that up and start working with Wireshark. I can drop down and, well, I don't have my filters yet, but I can manage filters; there's my Ethernet. I'm working in a VM here so it's a little bit different that I'll have to connect to, but that's Wireshark and getting that installed.

Next I'm going to switch over to the NDG lab, which already has computers with it installed, and it makes it a lot easier for me to video this. Okay, so the lab walks you through the earlier versions of Wireshark, but that's what we did here; I'm just going to scroll down past installing that because that's what we just watched on the video. This is in a lab session here, and it will look a little bit different than the one that you're probably installing, because this is the older version 1.83 (that's the 1.83 that it's showing in the help bar) and this one is the 2.2 version. So if you're doing that lab and it's a little bit different, that's why it's going to look a little bit different on there; it could be because this is the 1.83. But you're going to go ahead and do that.

Next we're going to move over to Part 2, and to do that I'm going to move this off the screen and I'm going to open up the three virtual boxes that I have running on NDG. Okay, so I have my three boxes here, I have A, B, and C, I've got them all running, and I'm tied into them. What it needs to do first is we're going to use PC-A as our main box, and that's where we're going to run Wireshark. So what we're going to do is retrieve our IP address and the network interface card address, or the MAC address. Let me actually move this back over here. So we're going to retrieve the IP address and the network interface. Okay, so what we're going to do here is ipconfig /all, which is going to give us our information. So we're going to come in here on PC-A, we're going to click Start and go through to our command window (I'm used to running Windows 10, so it looks it up for me; hold on a second, we're going to do it - so now there we go, command window). We're going to not run it as administrator; we don't need to do that. I'm just going to go ahead and open that, and that's going to give me what I call a DOS window, but it's a command line window, and we're just going to do ipconfig /all, which is going to give us our network information. I'm just going to make this a little bit larger here. We're going to see the description of our NIC (a Pro 100), our MAC address right here, our IP address (it's Autoconfig 169.254.239...), our subnet mask 255.255.... These other ones here are disconnected media, so we're not going to worry about those; we're just going to worry about this one right here.

What I do is I usually write that information down, so what I do is I'll just go ahead and open up a Notepad. I'm going to do that on my main machine here, and I'm just going to type that information in so I've got it. That's just what I do, so it's handy information, and the MAC address - I don't think you can copy outside of there, so if you want to do that, what I also do sometimes is just a real quick screenshot using my screen capture. I will also do that as well; that way I've got a screen capture of it. So I'm just going to use my snipping tool here. I'm going to go in, close this window here, and I'm just going to do my snipping tool and take a quick screenshot of that. That way I've got it; make clear that I've got a copy of it here, 192 - or 169.254.... I'm just going to move that off the screen.

Next what we're going to do is ask a team member for their IP address and provide the PC's IP address to them. Do not provide them with a MAC address at that time; you're just going to provide your IP address to them. So in this case let's go ahead and do PC-C, and we're going to start a command window over here and do the same thing, ipconfig /all. I'm going to show you a trick that I do on this once I've got this done: I'm going to scroll back up enough so I've got this one on here and I've got PC-A there, I've got them together kind of close where I can see both screens, and then I'm just going to do a snip of both of those. So I'm just going to do this right here - let me redo that - so I have PC-A and PC-C in there, and that way I've got both my information on here: I've got PC-A here and I've got PC-C here, and then I can exchange that information. So I've got 169.254.239.97 here and 169.254.171.134 there, and that way I've got them for real quick, easy access. I'm going to move those off the screen.

Next we are going to start capturing data, so we're just going to go ahead and start Wireshark and create that, or start that, and it's going to walk you through the steps on doing that. You know it's going to use the 802.3 Ethernet there. Let's just move this off to the side; it's going to get small, but we'll just move that off to the side. There we go. I'm just going to leave that window open; it doesn't matter. I'm going to open up Wireshark, start that up, and we're going to click on Start here and configure our interface on the Interfaces window. Now I clicked Start before; let me end this one, and we're going to click on our Interface List here, and this is our list here. Looking at the PDF, that's what it's showing you there; there are two interfaces there, but I'm only working with one on this computer. We're going to go ahead and click Details, and we can see the 802.3 Ethernet here, and this is going to give us our permanent station address, or the MAC address information there. Click Close, click Start, and that's going to start capturing data.

Okay, so what I went ahead and did is I just want to open up Internet Explorer here and try to go to Google, which, even if you can't get to the site, is okay, because what we're doing is just creating traffic at this point. If you look in here, you've got our traffic - let me move this down - so we've got our traffic window now going through, and you can see that it's trying to go to Google. If you're on a regular network you're going to see all kinds of pinging and things going on. If I were to go in here and ping, you know, ping Google like that, you're going to see it create traffic up here; you'll see more traffic being created there. So that's what it's going to do: you're going to see the traffic, and what we're looking for particularly is the ICMP traffic. So we're going to click on that filter on there and we're going to filter that out; we're just going to type icmp, press Enter, and that's going to filter out anything that's not ICMP. We're only going to see ICMP traffic now.

In this next step what we're going to do is ping the IP address of the other user, and the other user in this case was 169..., so we're going to come in here and we're going to ping 169.254.171.134. We're going to ping that; we're getting a reply back, which is great, which means those two machines can see each other. Now we have filtered for ICMP, and we can see that ping request, we can see that it went through, and that gave us our information. We can stop capturing by just going up here and clicking; it looks a little bit different, this is the older version versus the newer version, but if we click Stop it stops collecting data. Our information is still there, what we collected, because we can download that and save that.

What we're going to do is examine the captured data. So you're just going to go through and examine this, and let me just make this larger here on the screen. You're going to see the data in three sections. The top section displays the PDU frames (I'm going to highlight here - well, if I can get a better highlighter going here; there we go, we're going to delete that, there we go, now we can see it) - so the top section displays the PDU frames captured with the summary of the IP information. The middle section lists the PDU information for the frame selected in the top part of the screen and separates the captured PDU frame by its protocol layers, and the bottom section displays the raw data of each layer. So as we're looking down through that, this is the example here, and we're just going to go in here and look at the actual data. We're going to look at our source and our destination; see, we have our source, where we're coming from, and our destination, where we're going to, what we pinged. So that's an ICMP protocol, and it's going to give us our information there. Down here we're going to look at our raw data; the ping information went through, and here's all of our frame information. You'll learn more about this later in more in-depth networking; just keep in mind that this is the high level that we're working on with this lab at this point. So you can see your Internet Protocol there, you can see all the information, you can see your ICMP information, Internet Control Message Protocol.

You want to answer these questions for your lab: does the source MAC address match your PC's interface? Does the destination MAC address match that of your team member? And how is the MAC address of the pinged PC obtained by your PC - so how does it get that information? You want to write that down. It's going to give you a note there, a preceding example of the captured request. We should be able to come in here and look and find that information, so if we go in here and look at this frame information - there we go - look at that destination, and it gives us that information. Oh, and look there, they capture the MAC address for us. If we went over there and looked at our MAC address - we pull that back up on the screen, we look at our MAC address there, we do it this way - so we look at our MAC address here, which is 50 56 AB 39 F2, and if we look here, 50 56 AB 39 F2, and there we go, those are the same. Which is just really interesting: once we ping, we can recover or find out what that MAC address is on that other card that's on the network just by pinging, and there are other tools that you can go out and use to just start pinging and trying to find open or live network ports, and then you can start pinging those and finding more information about those.

Okay, the rest of the lab here: you're going to click on the Interface List icon to bring up the list of PC interfaces again, it's going to do a Start, and when you do that it's going to tell you that you have to save your information that you've already collected. So if we go in here, we're going to start collecting again; we go up here to our interfaces, or apparently do Ctrl+I, to our interfaces, and we start collecting again. It's going to ask if you want to save; we're going to continue without saving, but if you did want to save that information down to a text file or to a file, you can do that. So we're into that, it's going to start collecting again, and it's wanting us to ping different websites. So we can just come in here, we can ping - let me ping my webpage - didn't get anything on that one. So let's ping Google, let's ping Yahoo. Are we not getting any pings going out? Okay, there we go, we can ping Yahoo - oh, nope, our ping is not working, it's not going out. So why is the ping not working? What were we pinging before? Okay, right, so we did ping our other PC; we're not able to ping out to the Internet. That's right, because I tried to do that, I tried to get to a web page, and it wouldn't. So you'd have to have Internet access if you're going to do that. You can see here on the example on the PDF what it would look like if you're going to ping a particular webpage and capture that information. If you don't get that for your lab, then you can just ping in a regular window, but you should be able to see MAC addresses on those, if it shows you that. So you want to answer these questions there.

You also want to do the reflection question here: why does Wireshark show the actual MAC address of the local host but not the actual MAC address for the remote host? Just to give you a hint on that: because of the routing process, you're not going to get that MAC information forwarded on a routing table; that's just going to be the layer 3 and higher information that's being passed on, because you don't pass that MAC information on.

Okay, so for the rest of this lab here, you're going to look at Appendix A, that's allowing ICMP traffic through the firewall. I probably need to go set the firewall; that's probably the reason it's not going through. So if you're being blocked, if your pinging is being blocked, you have to open up your firewall for ping traffic. Normally you would block that information because you don't want somebody pinging you; you'd block that out of your local computer, or if you have admin rights to be able to do that, you want to block that out. Not that pinging is that big of a deal, but it's usually blocked at the router anyway on a lot of the newer routers and the security layers. So this is if you're having trouble with that on lab computers: you want to make sure that your firewall is open to be able to allow that - let me go ahead and open that up - and you can just follow through there, or there are plenty of places on the Internet where you can go and find how to open up your firewall to ping or ICMP, but look for ping requests and it'll show you that.

Okay, this is the end of lab 3.3.3.4. If you have any questions you can email me, leave a comment down on the YouTube or on the video down at the bottom, and I'll get back with you on that, or you can send me a message. If you leave me a comment I get a message on that, so just leave a comment if you have any questions and I'll try to get back with you as quick as possible. If you're in one of my labs, just email me through the course and I'll get back with you as quick as possible on that, usually within 24 hours.
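The three-pane view the video describes (frame summary, per-layer dissection, raw bytes), the "icmp" display filter, and the reflection question about whose MAC address shows up in a ping can all be seen in a small dissector. The block below is an added example, not code from the video, the NETACAD lab, or Wireshark itself. It builds its own Ethernet II / IPv4 / ICMP echo-request frames, so everything in it is constructed: the MAC addresses, the gateway, the 203.0.113.10 "remote" host and the /16 mask assumed for the lab's 169.254.x.x autoconfig addresses. It goes one step beyond the lab, which had no Internet path, by also showing the remote case: when the pinged host is off the local subnet, the Ethernet destination carries the default gateway's MAC, and the remote host's MAC never appears in the capture.

```python
# Added example: minimal Ethernet II / IPv4 / ICMP dissector that mirrors the
# layers Wireshark shows for a ping. All frames, MACs, the gateway and the
# subnet mask are constructed for illustration, not taken from the lab capture.
import ipaddress
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # fixed 20-byte IPv4 header, no options
ICMP_HDR = struct.Struct("!BBHHH")         # type, code, checksum, identifier, sequence
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
IPPROTO_ICMP = 1
ICMP_NAMES = {8: "Echo (ping) request", 0: "Echo (ping) reply"}


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a header carrying a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(src_mac, dst_mac, src_ip, dst_ip, ident=1, seq=1,
                       payload=b"abcdefghijklmnopqrstuvwabcdefghi") -> bytes:
    """Construct a ping request frame as a host would put it on the wire."""
    icmp = ICMP_HDR.pack(8, 0, 0, ident, seq) + payload
    icmp = ICMP_HDR.pack(8, 0, checksum(icmp), ident, seq) + payload
    src, dst = ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed
    fields = (0x45, 0, IPV4_HDR.size + len(icmp), 0x1234, 0, 128, IPPROTO_ICMP)
    ip = IPV4_HDR.pack(*fields, 0, src, dst)
    ip = IPV4_HDR.pack(*fields, checksum(ip), src, dst)  # fill in header checksum
    return ETH_HDR.pack(mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_IPV4) + ip + icmp


def parse_frame(frame: bytes) -> dict:
    """Dissect one frame into the protocol layers Wireshark's middle pane lists."""
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    layers = {"eth": {"dst": mac_str(dst), "src": mac_str(src), "type": ethertype}}
    if ethertype != ETHERTYPE_IPV4:
        return layers
    off = ETH_HDR.size
    vihl, _, total_len, _, _, ttl, proto, _, sip, dip = IPV4_HDR.unpack_from(frame, off)
    ihl = (vihl & 0x0F) * 4
    layers["ip"] = {"src": str(ipaddress.ip_address(sip)), "dst": str(ipaddress.ip_address(dip)),
                    "ttl": ttl, "proto": proto,
                    "checksum_ok": checksum(frame[off:off + ihl]) == 0}
    if proto != IPPROTO_ICMP:
        return layers
    off += ihl
    itype, code, _, ident, seq = ICMP_HDR.unpack_from(frame, off)
    layers["icmp"] = {"type": itype, "code": code, "id": ident, "seq": seq,
                      "raw": frame[off:off + total_len - ihl]}  # what the bottom pane shows
    return layers


def display_filter(frames, proto: str) -> list:
    """Emulate typing a protocol name such as "icmp" into Wireshark's filter bar."""
    return [p for p in map(parse_frame, frames) if proto in p]


def summary(parsed: dict) -> str:
    """One line in the style of Wireshark's packet list (top pane)."""
    ip, icmp = parsed["ip"], parsed["icmp"]
    name = ICMP_NAMES.get(icmp["type"], f"type {icmp['type']}")
    return f"{ip['src']} -> {ip['dst']} ICMP {name} id={icmp['id']} seq={icmp['seq']}"


def explain_dst_mac(parsed: dict, local_net: str, gateway_mac: str) -> str:
    """Reflection question: whose MAC sits in the Ethernet destination of a ping?"""
    if ipaddress.ip_address(parsed["ip"]["dst"]) in ipaddress.ip_network(local_net):
        return "local-peer"    # same subnet: the pinged host's own NIC, learned via ARP
    if parsed["eth"]["dst"] == gateway_mac:
        return "via-gateway"   # remote host: the frame is addressed to the router's MAC
    return "unexpected"


# Constructed sample capture: one ARP frame plus two pings from PC-A.
PCA_MAC, PCC_MAC, GW_MAC = "02:00:00:00:00:0a", "02:00:00:00:00:0c", "02:00:00:00:00:01"
LOCAL_NET = "169.254.0.0/16"   # assumed mask for the lab's autoconfig addresses
LOCAL_PING = build_echo_request(PCA_MAC, PCC_MAC, "169.254.239.97", "169.254.171.134")
REMOTE_PING = build_echo_request(PCA_MAC, GW_MAC, "169.254.239.97", "203.0.113.10")
ARP_FRAME = ETH_HDR.pack(mac_bytes("ff:ff:ff:ff:ff:ff"), mac_bytes(PCA_MAC), ETHERTYPE_ARP) + bytes(28)
CAPTURE = [ARP_FRAME, LOCAL_PING, REMOTE_PING]

if __name__ == "__main__":
    for p in display_filter(CAPTURE, "icmp"):
        print(summary(p), "| dst MAC", p["eth"]["dst"], "->", explain_dst_mac(p, LOCAL_NET, GW_MAC))
```

Running it prints two lines, one per ping, and drops the ARP frame just as the "icmp" filter does in the video. The local ping's destination MAC is PC-C's; the remote ping's is the gateway's, which is the answer to the lab's reflection question. The checksum_ok flag is the same check Wireshark performs when it validates the IPv4 header in the middle pane.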
