40
00:02:11,266 --> 00:02:13,046
And I-- let me-- I'm going to flip a hand.
41
00:02:13,046 --> 00:02:16,456
I'm flipping at the preface
here, table of contents.
42
00:02:16,456 --> 00:02:17,096
All right.
43
00:02:17,556 --> 00:02:20,256
This is what she said and this is her preface.
44
00:02:20,976 --> 00:02:26,086
"Wireshark is a," and she puts it in
all capitals, "FIRST RESPONDER tool
45
00:02:26,546 --> 00:02:30,826
that should be employed immediately
when the cries of 'the network is slow'
46
00:02:30,826 --> 00:02:34,386
or 'I think my network is infected'
echo through the company halls."
47
00:02:34,806 --> 00:02:38,406
And, when I read that, remember
reading that years ago, and I go,
48
00:02:38,406 --> 00:02:40,806
[inaudible], it's not a first responder tool.
49
00:02:40,806 --> 00:02:45,806
This is like the last responder tool, but
seriously that's one of those statements
50
00:02:45,806 --> 00:02:50,806
that have just stuck in my head and over
these last few years, I've started using it.
51
00:02:50,806 --> 00:02:54,746
It's not-- it's still not my first
responder tool, but I've used it a lot more--
52
00:02:54,746 --> 00:02:59,656
with a lot more immediacy than I have in the
past and it really has saved a lot of times.
53
00:02:59,656 --> 00:03:01,646
So, I want to get you guys
familiar with that right away.
54
00:03:01,856 --> 00:03:05,296
So, what are TCP and UDP?
55
00:03:06,306 --> 00:03:13,116
They are the primary transport protocols used
today, meaning transport layer of the OSI model.
56
00:03:13,116 --> 00:03:16,316
We've got our applications trying
to communicate data up here, right?
57
00:03:16,316 --> 00:03:21,976
In our Internet Explorer, our [laughs]-- what other online games, whatever--
58
00:03:21,976 --> 00:03:25,326
what other applications that people
use nowadays, instant messengers,
59
00:03:25,326 --> 00:03:27,366
all those kinds of things are
sending their data down here.
60
00:03:27,576 --> 00:03:30,606
It reaches the transport layer and
you might remember from the OSI model,
61
00:03:30,756 --> 00:03:33,276
this is where it's going to
choose the reliability, you know,
62
00:03:33,366 --> 00:03:35,376
it's going to be reliable or unreliable.
63
00:03:35,496 --> 00:03:40,086
And then it also assigns the port numbers to
start separating the different applications
64
00:03:40,086 --> 00:03:43,356
so the operating system can
distinctly understand
78
00:04:39,606 --> 00:04:41,696
TCP, transmission control protocol.
79
00:04:41,696 --> 00:04:42,696
That's what they stand for.
80
00:04:42,936 --> 00:04:45,986
And that they combine together with,
you know, the subprotocols below,
81
00:04:45,986 --> 00:04:51,546
that's why TCP/IP got its name is
it's not really that's the protocol,
82
00:04:51,546 --> 00:04:52,706
it's the suite of protocols.
83
00:04:52,926 --> 00:04:57,826
The most common being TCP and IP combined
together to make network communication happen.
84
00:04:57,966 --> 00:05:01,596
So, first off, let's get into UDP.
85
00:05:01,596 --> 00:05:05,716
And I talked one more time about the OSI model,
I got it in a little, little bit of this like,
86
00:05:05,716 --> 00:05:09,486
why would you want to send something
unreliable like, "I hope it gets there"?
87
00:05:10,216 --> 00:05:14,416
Well, the first thing to understand is
that there is a cost to reliability.
88
00:05:15,046 --> 00:05:20,256
In order to say, "I know it got there,"
there's a lot of setup that takes place.
89
00:05:20,616 --> 00:05:23,976
The first thing that happens is
something known as the 3 way handshake,
90
00:05:24,126 --> 00:05:28,596
and I'll explain that in just a
moment, but essentially the two devices
91
00:05:28,596 --> 00:05:32,126
that are talking together have to
establish a session between each other,
92
00:05:32,126 --> 00:05:34,406
make sure that, "Okay, we agree to talk, okay.
93
00:05:34,406 --> 00:05:34,886
That's good."
94
00:05:34,886 --> 00:05:39,346
Okay. That's a little time right there and
a little time to establish that session.
95
00:05:39,696 --> 00:05:45,876
Then every single packet that gets sent or
every stream of communication that gets sent,
96
00:05:45,876 --> 00:05:47,526
I'm going to just write something up here.
97
00:05:48,946 --> 00:05:52,796
It's my reminder.
98
00:05:52,936 --> 00:05:55,996
[Laughs] Every stream of things that
get sent between these things has
99
00:05:55,996 --> 00:05:58,816
to get an acknowledgment
back saying, "I got it."
100
00:05:58,946 --> 00:06:05,426
Again, more overhead, more delay where some
things just may not need that sort of thing.
101
00:06:05,906 --> 00:06:10,956
I want to give you-- now, I gave you the
example back in the OSI model of things
102
00:06:10,956 --> 00:06:15,616
that do not need reliable
communications being like voice over IP
103
00:06:16,176 --> 00:06:19,326
where I have an IP phone talking to an IP phone.
104
00:06:19,646 --> 00:06:23,736
You know, there's a stream of data going between
the two, if something is dropped, it's gone.
105
00:06:23,736 --> 00:06:27,776
There's no use in retransmitting it at a
later time because it's real time traffic.
106
00:06:27,976 --> 00:06:29,816
Same thing with video over IP.
107
00:06:30,036 --> 00:06:36,466
But, there's also some other data
applications out there that use UDP as well.
108
00:06:36,666 --> 00:06:41,306
I want to give you one that you use
every single day and that is DNS.
109
00:06:43,056 --> 00:06:48,036
DNS, the domain name service,
translates names to IP addresses,
110
00:06:48,036 --> 00:06:50,206
because remember in the OSI
model, it's not-- we--
111
00:06:50,206 --> 00:06:55,436
at this network layer, we can't
squeeze in www.google.com.
112
00:06:55,436 --> 00:06:56,796
It deals with IP, the IP protocol.
113
00:06:57,086 --> 00:07:01,146
So, we have to have some kind of
system that takes these friendly names
114
00:07:01,146 --> 00:07:05,756
like I put wireshark.org, I'm going to show
that to you in a moment, or cbtnuggets.com
115
00:07:05,756 --> 00:07:08,836
and translates it to what
IP address is really there.
129
00:07:52,086 --> 00:07:56,256
You know, just, you know, the fear of
it is what held me back for so long.
130
00:07:56,606 --> 00:07:58,776
But, this is Wireshark 1.82.
131
00:07:59,096 --> 00:07:59,946
It is free.
132
00:07:59,946 --> 00:08:04,316
You go to wireshark.org and just
go to their little download page
133
00:08:04,316 --> 00:08:06,316
and they'll automatically
detect your operating system.
134
00:08:06,316 --> 00:08:07,806
You can put it on there, it's good.
135
00:08:07,806 --> 00:08:14,636
So, once you get Wireshark installed, it's just
literally a next, next finish sort of install.
136
00:08:14,816 --> 00:08:16,226
This is what pops up.
137
00:08:16,466 --> 00:08:21,826
Now, the key icon you want to go to is
this list available capture interfaces.
138
00:08:21,826 --> 00:08:26,606
And, trust me, this is a massive utility.
139
00:08:27,276 --> 00:08:28,326
There's a lot to it.
140
00:08:28,326 --> 00:08:31,736
I just want to get you the core that will
get you started in doing what you need to do.
141
00:08:32,246 --> 00:08:33,256
So, I click on this.
155
00:09:20,056 --> 00:09:25,526
What I'm going to start seeing is the
communication that's going across the network
156
00:09:25,526 --> 00:09:29,616
and this is where a lot of people
go, "Ooh, aah, what's going on?"
157
00:09:29,616 --> 00:09:32,296
You know, they're not too sure what to do.
158
00:09:32,456 --> 00:09:37,876
So, right now, this is-- not much is
going on, 29 packets are happening.
159
00:09:37,876 --> 00:09:41,076
I can see Spanning Tree Protocol running
in the background, some other, you know,
160
00:09:41,106 --> 00:09:45,706
just normal network traffic
discovering and communicating with things
161
00:09:45,706 --> 00:09:46,836
that are going on in the network.
162
00:09:46,836 --> 00:09:51,896
Now, as soon as I open a web browser
and let me move this to the side
163
00:09:51,896 --> 00:09:57,106
so you can see, and let's just go to msn.com.
164
00:09:57,106 --> 00:09:57,776
And look at that.
165
00:09:57,776 --> 00:10:02,706
I mean, we went from like 29, 30, 50 and
all the way up, you know, msn.com came up
166
00:10:02,706 --> 00:10:06,816
and now we're at packet number 1095, you know.
167
00:10:07,396 --> 00:10:10,386
All of these things are going
on and what just happened?
168
00:10:10,596 --> 00:10:16,666
We just had a ton of network communication that
comprised 1,200 or 1,280 individual packets.
169
00:10:16,666 --> 00:10:18,526
So, that's where people go "Huh!
170
00:10:18,526 --> 00:10:19,286
It's overwhelming."
171
00:10:19,286 --> 00:10:21,026
How do-- you know, how do I now sift
172
00:10:21,026 --> 00:10:24,796
through 1,200 individual packets
to really see what's going on.
173
00:10:25,636 --> 00:10:28,836
Well, I'll explain that in just a moment
but let's look at the matter at hand.
174
00:10:29,026 --> 00:10:30,906
I want to talk about DNS.
175
00:10:32,086 --> 00:10:37,166
DNS resolves names to IP
addresses and I'm going to show you
176
00:10:37,166 --> 00:10:40,256
that this is using UDP as
its protocol to do it.
177
00:10:40,256 --> 00:10:42,426
Now, the first thing that's
happening is I'm like "Aah!
178
00:10:42,716 --> 00:10:45,416
This is just-- it's too much,
I want to put a filter on."
179
00:10:45,706 --> 00:10:49,296
Let me show you one of the handiest
filters that you will likely use.
180
00:10:49,336 --> 00:10:53,636
It is coming up here, you click in this
little filter box and you'll find, I mean,
181
00:10:53,636 --> 00:10:57,716
you can build your own, you can click on this
and it lets you, you know, click through
182
00:10:57,716 --> 00:11:02,516
and kind of-- almost like that's GUI-based,
like if I just want to see the UDP traffic
183
00:11:02,516 --> 00:11:08,656
or the TCP traffic, I can do that but I'm
just going to go in here and just say ip.addr,
184
00:11:08,656 --> 00:11:14,016
IP address equals 4.2.2.2, enter.
185
00:11:14,016 --> 00:11:14,866
Now, what is that?
186
00:11:15,756 --> 00:11:18,766
Actually, you know what, I'm
going to even change that further.
187
00:11:18,766 --> 00:11:22,326
Let me go 4.2.2.3, enter,
blanks it out completely.
188
00:11:22,806 --> 00:11:28,666
What that does is say, only show me
the traffic that is going to 4.2.2.3.
189
00:11:29,676 --> 00:11:30,706
Getting that so far?
190
00:11:30,706 --> 00:11:33,276
So, right now, how much traffic is going there?
191
00:11:33,616 --> 00:11:38,256
Nothing. Because nothing is actually accessing
that IP address so my display is nice and empty.
192
00:11:38,316 --> 00:11:41,686
So now, I'm going to use
DNS to do a little testing.
193
00:11:41,976 --> 00:11:46,736
I'm going to open a command prompt in
219
00:13:26,216 --> 00:13:29,826
so what it's doing is this is coming
up and say, "Okay, well, right now.
220
00:13:30,066 --> 00:13:33,226
You can ask a question of 4.2.2.2.
221
00:13:33,226 --> 00:13:33,926
And, I would say, "Okay.
222
00:13:33,926 --> 00:13:38,066
Well, I want to see who is www.cbtnuggets.com."
223
00:13:38,356 --> 00:13:43,626
And, 4.2.2.2 comes back and says, "Well,
actually, they have two IP addresses associated
224
00:13:43,626 --> 00:13:45,426
with them, this one and this one."
225
00:13:45,706 --> 00:13:47,886
Well, which one am I going to use.
226
00:13:47,886 --> 00:13:50,386
Well, the way it works is it's
going to do a round robin.
227
00:13:50,386 --> 00:13:54,026
Maybe the first time I'm going to use this
one, the second time I'm going to use this one.
228
00:13:54,316 --> 00:13:57,796
And, the name is kind of gives
me a little clue right here.
229
00:13:57,796 --> 00:13:58,996
It says, web balancer.
230
00:13:58,996 --> 00:13:59,726
I'm going, "Okay."
231
00:13:59,726 --> 00:14:01,966
So, this is some kind of load balancing.
232
00:14:01,966 --> 00:14:04,746
You know, maybe CBT Nuggets has
272
00:16:34,436 --> 00:16:38,376
I don't know of a tekcert.com.home.local,"
is the DNS server's reply.
273
00:16:38,376 --> 00:16:42,516
But, let's dig a little bit deeper
because Wireshark actually breaks
274
00:16:42,516 --> 00:16:45,796
down communication in the
layers of the OSI model.
275
00:16:46,286 --> 00:16:51,556
At the very, very, very bottom is, you
know, essentially as physical as it can get.
276
00:16:51,556 --> 00:16:54,416
It's saying, "Hey, this is
how big the data was."
277
00:16:54,416 --> 00:16:58,146
This is, you know, how many bytes
were actually sent on the wire.
278
00:16:58,146 --> 00:17:01,026
I mean think of this top
one as the physical layer.
279
00:17:01,626 --> 00:17:03,716
Then, we come right here to the data link layer.
280
00:17:04,116 --> 00:17:05,526
Now, what do we expect to see there?
281
00:17:06,076 --> 00:17:07,326
MAC addresses.
282
00:17:07,326 --> 00:17:12,086
And sure enough I see that I
have the source MAC address--
283
00:17:12,086 --> 00:17:15,706
this is my computer right here
and, you know, let's prove it.
311
00:19:03,796 --> 00:19:09,596
Now this is a well known, I'll
put W/K, well-known port for DNS.
312
00:19:09,916 --> 00:19:15,876
As in all the DNS servers in the world respond
on port UDP 53, that's where they expect
313
00:19:15,876 --> 00:19:22,026
to receive requests for and all the computers in
the world by default will ask questions directed
314
00:19:22,026 --> 00:19:24,716
at UDP port 53 of their DNS server.
315
00:19:25,686 --> 00:19:28,526
Now, Windows generated a dynamic port.
316
00:19:28,526 --> 00:19:32,446
This is a not a well-known port at all, this
is considered my source port saying, "Hey,
317
00:19:32,626 --> 00:19:36,296
my question is coming from
the source port 60353."
318
00:19:36,596 --> 00:19:40,416
So when this guy replies back and says,
"I have no idea what you're talking about.
319
00:19:40,416 --> 00:19:42,786
There is no such thing as tekcert.home.local."
320
00:19:44,376 --> 00:19:45,156
Excuse me.
321
00:19:45,156 --> 00:19:50,726
He's actually going to be coming from source
of port 53 going to destination of 60353.
322
00:19:50,726 --> 00:19:51,976
But Windows expected that.
323
00:19:52,026 --> 00:19:54,976
They'd expected to get a
response back on that source port
324
00:19:54,976 --> 00:19:59,356
and that's actually one of
the reasons why DNS uses UDP.
325
00:20:00,306 --> 00:20:05,396
This is kind of a stimulus response
sort of thing to where I'm going to say,
326
00:20:05,396 --> 00:20:10,396
"I want to know who tekcert-- but
I'll just put tk.com really is,"
327
00:20:10,576 --> 00:20:13,096
and the DNS server will say,
"Okay, here's your answer."
328
00:20:13,346 --> 00:20:17,216
Now that's all the communication that
really goes on between them is, what's this,
329
00:20:17,276 --> 00:20:19,876
here's your answer, what's this, here's your
answer, what's this, here's your answer.
330
00:20:20,146 --> 00:20:25,176
It would just be a waste of time to say,
"Okay, let's build a session between us.
331
00:20:25,176 --> 00:20:27,016
You know, are you okay talking?"
332
00:20:27,016 --> 00:20:27,766
The other one is like, "Yes.
333
00:20:27,766 --> 00:20:28,426
Let's build this."
334
00:20:28,426 --> 00:20:30,876
And I'm getting into the 3 way
handshake, you know, building a session.
335
00:20:31,076 --> 00:20:36,216
Okay. Now I want to know what is the name or
IP address of tekcert.com and then, you know,
336
00:20:36,216 --> 00:20:37,936
send the acknowledgment that
is tekcert.com.home.local?"
350
00:21:19,786 --> 00:21:23,096
This guy comes back and it's like, no
such thing, I don't know who that is.
351
00:21:23,166 --> 00:21:28,136
Now notice, it's asking for an
A record, a DNS that's alias,
352
00:21:28,136 --> 00:21:30,876
that's the normal record that people ask for.
353
00:21:31,116 --> 00:21:32,626
So, it's like, no such thing.
354
00:21:32,626 --> 00:21:35,246
So it comes and says, "Okay, well let's try this.
355
00:21:35,446 --> 00:21:38,246
I would like an AAAA record."
356
00:21:38,246 --> 00:21:41,096
He's saying, "If I'm looking
for this kind of record
357
00:21:41,096 --> 00:21:44,216
for tekcert.com.home.local,
do you know who that is now?"
358
00:21:44,406 --> 00:21:46,376
And he's like, "No, still no such name."
359
00:21:47,056 --> 00:21:49,596
So okay, what's the difference here versus here?
360
00:21:50,016 --> 00:21:56,736
Well, this is looking for the IPv4
address of tekcert.com.home.local.
361
00:21:56,736 --> 00:22:00,046
AAAA record is actually an IPv6 address.
362
00:22:00,116 --> 00:22:02,146
So it's saying, "Okay, that didn't go so well.
415
00:25:18,056 --> 00:25:21,766
"Hey CBT Nuggets, I would like
to start a discussion with you."
416
00:25:22,606 --> 00:25:26,706
Are you-- essentially, let me put in
plain English and then I'll get technical.
417
00:25:26,886 --> 00:25:27,766
"Are you okay with that?"
418
00:25:28,236 --> 00:25:32,106
CBT Nuggets says, "Yes, I am okay with that."
419
00:25:32,266 --> 00:25:39,986
SYN ACK. That means, I'm sending a
synchronization bit, if you will.
420
00:25:39,986 --> 00:25:42,366
I'm saying, yes, I would
like to start talking to you,
421
00:25:42,366 --> 00:25:45,356
which is what these do, and
I'm acknowledging yours.
422
00:25:45,356 --> 00:25:49,116
I'm saying, "I got yours" that's the
acknowledgment "And here's mine."
423
00:25:49,636 --> 00:25:53,136
So, this guy replies back with one final ACK.
424
00:25:53,206 --> 00:25:55,486
What do you think that's there for?
425
00:25:57,506 --> 00:25:58,036
I got that.
426
00:25:58,536 --> 00:26:00,816
I got the SYN message from you.
427
00:26:00,816 --> 00:26:06,116
So I'm acknowledging that we're good and
that is what they call a TCP 3 way handshake.
441
00:26:58,546 --> 00:27:02,796
But, you know, what's happened is
my computer cached the DNS response.
442
00:27:02,796 --> 00:27:06,506
It remembers who CBT Nuggets is
because I've gone there before.
443
00:27:06,506 --> 00:27:09,296
Now, those caches will eventually
time out but they'll get there.
444
00:27:09,526 --> 00:27:10,326
Now, look right here.
445
00:27:10,326 --> 00:27:13,636
So, we have Google, we're talking
to Google and you might say, "Well,
446
00:27:13,966 --> 00:27:15,526
what's all this stuff happening?"
447
00:27:15,776 --> 00:27:19,336
Well, whenever you type, you know, I'm using
Google Chrome and I don't know if you've notice
448
00:27:19,336 --> 00:27:23,966
but when you start typing you're like,
Jeremy, it's starting to, you know,
449
00:27:23,966 --> 00:27:27,076
figure out who will the, you know, who is--
450
00:27:27,076 --> 00:27:30,356
it's filling in all of this
data, so we're able to see.
451
00:27:30,606 --> 00:27:32,246
You know, oh, okay it's filling this in.
452
00:27:32,246 --> 00:27:34,426
So every single time, Google
is going, "Okay, well,
453
00:27:34,706 --> 00:27:38,416
let's find out who Jeremy
Cioara is and you click on it.
454
00:27:38,706 --> 00:27:41,226
That's-- it's kind of weird
[laughs], I'm looking myself up.
455
00:27:41,466 --> 00:27:43,146
But, you know, who is Jeremy Cioara?
456
00:27:43,146 --> 00:27:47,136
It's constantly going back and forth with Google
saying, "Okay, he typed an I, he typed an O,
457
00:27:47,136 --> 00:27:48,906
he typed an A, you know,
as it fills out the names.
458
00:27:48,906 --> 00:27:51,186
So that's what this little shindig was.
459
00:27:51,186 --> 00:27:52,726
Now, here's the meat of it.
460
00:27:52,726 --> 00:27:59,746
I come down right and I see, okay this is a
TCP-based message, three of them to be exact.
461
00:28:00,086 --> 00:28:08,486
Notice, SYN, SYN ACK, ACK, 3 way handshake,
SYN, SYN ACK, ACK, SYN, SYN ACK, ACK.
462
00:28:08,486 --> 00:28:12,286
Now, I want to go down a little
further because I'm noticing here--
463
00:28:12,286 --> 00:28:13,476
notice the source and destination.
464
00:28:13,476 --> 00:28:15,516
It came from this server
going to this one, right?
465
00:28:15,626 --> 00:28:19,956
SYN, SYN ACK, ACK and I go down a little bit
more and all of a sudden, I see another one.
466
00:28:20,276 --> 00:28:23,176
It's like, wait a second, SYN, SYN ACK, ACK.
467
00:28:23,726 --> 00:28:25,546
And so there's more than one.
468
00:28:25,816 --> 00:28:28,416
I go down and all of a sudden, I see
it looking up all the stuff, it's like,
469
00:28:28,626 --> 00:28:32,706
"I'm looking up some analytics, I'm
looking up cloudfront.net, Facebook.com."
470
00:28:32,706 --> 00:28:34,136
What on earth is going on?
471
00:28:34,316 --> 00:28:37,446
And all of a sudden I see all these-- okay,
SYN within, SYN within, SYN within, SYN within.
472
00:28:37,526 --> 00:28:40,476
All of these are SYNs and then I
started, you know, looking at these SYNs.
473
00:28:40,476 --> 00:28:43,616
It's starting all of the sessions
with all these different servers
474
00:28:43,726 --> 00:28:46,506
and then they all start coming back,
SYN ACK, SYN ACK, SYN ACK, SYN ACK.
475
00:28:46,506 --> 00:28:50,266
And then, you know, it's kind of like that
we get this big merge of ACK, ACK, ACK.
476
00:28:50,266 --> 00:28:52,496
You know, it's kind of a-- what on earth is going on?
477
00:28:52,496 --> 00:28:56,036
I just went to CBT Nuggets and all of a sudden,
I've got all of these sessions starting.
478
00:28:56,296 --> 00:29:00,396
Well, you remember, I think that I
talked about this in the previous Nugget
570
00:34:02,596 --> 00:34:08,716
of my packet numbers are going to start here
and then keep incrementing as I send you data.
571
00:34:09,186 --> 00:34:11,906
So, let's look back at Wireshark,
get some examples of this.
572
00:34:11,906 --> 00:34:14,786
So, right here, we've got our 3 way handshake.
573
00:34:14,786 --> 00:34:16,576
We've got SYN, SYN ACK, ACK.
574
00:34:16,576 --> 00:34:17,996
So that's the very first one that we do.
575
00:34:17,996 --> 00:34:19,516
So let's break this open.
576
00:34:19,876 --> 00:34:25,816
We'll look at the TCP data and it says, "Oh,
this guy is a flag, it's a SYN" but I want you--
577
00:34:25,816 --> 00:34:29,236
and you can, I mean, you can dig deep and
say, "Oh, okay, well it's actually this bit,"
578
00:34:29,236 --> 00:34:32,246
and that, I mean, yeah, for
now, it's a SYN, right?
579
00:34:32,576 --> 00:34:35,196
But if you look three above that, it says, "Hey,
580
00:34:35,406 --> 00:34:38,436
we're going to be starting
from sequence number zero."
581
00:34:38,856 --> 00:34:41,926
That's it, that was-- so I'm going
to-- that's my beginning where--
582
00:34:41,926 --> 00:34:44,286
that's where my counter begins essentially.
583
00:34:44,606 --> 00:34:47,976
Now this comes back and says,
"Well, here's your SYN ACK," right?
584
00:34:48,256 --> 00:34:51,166
And what this says is, "I'm going to
be starting from sequence number two."
585
00:34:51,256 --> 00:34:52,206
That's great.
586
00:34:52,206 --> 00:34:55,626
"And by the way, I'm sending it ACK for one."
587
00:34:56,516 --> 00:34:57,656
What does that mean?
588
00:34:57,916 --> 00:35:02,586
So, I-- and so, again, let's look,
this is my computer saying, "Hi SYN.
589
00:35:02,586 --> 00:35:04,516
I'm going to be starting
from sequence number zero."
590
00:35:04,806 --> 00:35:09,626
This is them, see them, this is CBT Nuggets
replying back and it's saying, "Okay.
591
00:35:09,626 --> 00:35:12,826
I'm going to start from sequence
number zero, that's my SYN too
592
00:35:13,096 --> 00:35:15,346
but I'm also going to send you an ACK of one."
593
00:35:15,966 --> 00:35:21,036
Well the way the ACK works is it's always
going to be one more than your sequence number.
594
00:35:21,256 --> 00:35:24,336
So when I said, "Hey SYN, I'm going
to be starting from number zero."
595
00:35:24,576 --> 00:35:27,946
He comes back and in his ACK he
says, "I'm going to acknowledge one."
596
00:35:28,096 --> 00:35:32,806
And what that says to the computer is, "I've
received your zero and the next sequence
597
00:35:32,806 --> 00:35:35,146
that I'm expecting from you is one."
598
00:35:35,786 --> 00:35:36,896
Does that make sense?
599
00:35:36,896 --> 00:35:40,446
And then, and then, and then, I'm like
[laughs], "Oh, oh, oh, and then look at this."
600
00:35:40,446 --> 00:35:43,066
And then, when I click it on
here, it goes, "Okay, great.
601
00:35:43,216 --> 00:35:45,806
I'm going to send an ACK back of one as well."
602
00:35:46,926 --> 00:35:50,386
So, what we've done is we say, "Okay,
I started with sequence number zero.
603
00:35:50,616 --> 00:35:51,376
Is that good?"
604
00:35:51,376 --> 00:35:52,506
And he goes, "Absolutely.
605
00:35:52,506 --> 00:35:54,166
I'm going to start from sequence number zero
606
00:35:54,166 --> 00:35:57,506
and I'm acknowledging your sequence
number zero by giving you an ACK of one."
607
00:35:57,806 --> 00:36:01,056
Then I come back and say, "Okay,
ACK of one because I'm a--
608
00:36:01,056 --> 00:36:02,786
I don't know why I put it aligned to that,
636
00:37:21,856 --> 00:37:24,716
It's all encrypted mush going
to CBT Nuggets website,
637
00:37:24,986 --> 00:37:28,046
but all of that stuff has sequence numbers.
638
00:37:28,366 --> 00:37:32,266
So, essentially, let me boil it back down on
the slide 'cause it's a little less complex
639
00:37:32,266 --> 00:37:33,486
and busting that Wireshark.
640
00:37:33,746 --> 00:37:38,556
I've got, you know, let's say three
1,500-byte packets to send, right?
641
00:37:38,556 --> 00:37:44,696
So let's say I started with SYN zero, I send
three 1,500-byte packets to the other side,
642
00:37:45,576 --> 00:37:50,646
and it will come through and, you know,
first one will say, "Hey, I'm some data.
643
00:37:50,886 --> 00:37:53,066
I'm sequence number 1,500.
644
00:37:53,066 --> 00:37:55,786
The second one will come through and say, "Okay.
645
00:37:55,786 --> 00:37:58,006
Well, I'm sequence number 3,000."
646
00:38:00,136 --> 00:38:04,696
And third one comes through and you see where
this is going, "I'm sequence number 4,500."
647
00:38:04,696 --> 00:38:08,596
The sequence numbers are-- they are
essentially a mathematical addition
648
00:38:08,596 --> 00:38:10,796
of all of the data that's being sent.
662
00:38:56,796 --> 00:39:00,916
[Laughs] It's like, right there, I took a
breath and I took a step back and I'm like,
663
00:39:01,196 --> 00:39:03,676
"How do you see anything on the screen anymore."
664
00:39:03,806 --> 00:39:06,206
It builds on itself so hopefully you've--
665
00:39:06,346 --> 00:39:11,016
you didn't look away throughout 'cause otherwise
it's just a mess of lines going back and forth.
666
00:39:11,376 --> 00:39:16,776
But, wow, I mean, if you take that and put
it all together and you are on your way--
667
00:39:16,846 --> 00:39:21,916
well on your way to becoming a network
Ninja, not only understanding how TCP works,
668
00:39:21,916 --> 00:39:25,796
the 3 way handshake, the acknowledgment,
back and forth process, but also now,
669
00:39:25,796 --> 00:39:28,666
starting to look inside of
Wireshark and being like, "Oh, oh, oh,
670
00:39:28,826 --> 00:39:30,766
I see the 3 way handshake right there.
671
00:39:30,766 --> 00:39:31,286
I get it."
672
00:39:31,286 --> 00:39:34,906
You know, and then I started seeing that, I get
referred to all these other servers, you know,
673
00:39:34,906 --> 00:39:36,776
because there're the DNS queries.
674
00:39:36,776 --> 00:39:40,476
And then, I started sessions with all those,
that's all these SYN packets, I mean, wow!
675
00:39:40,566 --> 00:39:47,716
That's a ton of info that you can say that,
I mean, it's rare to find somebody who's able
676
00:39:47,716 --> 00:39:50,236
to do that level of knowledge
in the network world.
677
00:39:51,246 --> 00:39:56,016
I have found that there is a big difference
between the amount of time I think it's going
678
00:39:56,016 --> 00:39:58,966
to take to talk about something and
then the actual amount of time it does.
679
00:39:59,526 --> 00:40:01,896
It's all a Wireshark, I'm
telling you, bringing that tool
680
00:40:01,896 --> 00:40:03,826
into this, I mean, the sky is the limit.
681
00:40:04,146 --> 00:40:06,546
But boy, do I want to-- what
I'm going to do is I'm going
682
00:40:06,546 --> 00:40:08,076
to break this into two different pieces.
683
00:40:08,076 --> 00:40:13,576
So, this will be our part one and then I'll
wrap up these other two items in part two.
684
00:40:14,106 --> 00:40:17,596
But what did we talk about and then
what do I want you to do with it?
685
00:40:17,986 --> 00:40:19,826
Two, well, we talked about a lot.
686
00:40:19,826 --> 00:40:23,076
We talked about UDP and,
you know, its simplicity.
701
00:41:14,426 --> 00:41:17,876
[Laughs] That it's and it's just some
guy and he's been around for a long time.
702
00:41:18,066 --> 00:41:20,786
The last page you cre-- the guy who
created a website that just says,
703
00:41:20,786 --> 00:41:22,556
"You have reached the last page of the internet.
704
00:41:22,866 --> 00:41:23,936
Hope you enjoyed your browsing.
705
00:41:24,316 --> 00:41:25,816
Go outside."
706
00:41:25,816 --> 00:41:30,106
So, beautifully simple web page to
where we won't get the confusion behind.
707
00:41:30,296 --> 00:41:35,336
And won't say confusion but the complexity
behind going to big websites like CBT Nuggets
708
00:41:35,336 --> 00:41:38,096
and seeing 50 different servers
popped into our conversation.
709
00:41:38,096 --> 00:41:39,626
So grab Wireshark.
710
00:41:40,016 --> 00:41:42,996
I want you to capture the DNS lookup.
711
00:41:42,996 --> 00:41:45,456
Create a filter, find out
what your DNS server is.
712
00:41:45,616 --> 00:41:50,336
Create a filter that allows you to see the
DNS lookup and then one that allows you
713
00:41:50,336 --> 00:41:56,256
to see the communication between you and
that last page of the internet web server.
714
00:41:56,256 --> 00:41:59,926
They'll be nice and simple so you don't
have a ton of stuff to read through.
715
00:42:00,116 --> 00:42:07,216
Also, realize that I showed you-- I mean,
one 1,000th of the possibilities of Wireshark.
716
00:42:07,356 --> 00:42:12,866
You can create complex filters like I could
say this and IP address equal, you know,
717
00:42:12,976 --> 00:42:17,726
or I could use and or IP address
at and equals such and such.
718
00:42:17,726 --> 00:42:21,566
I mean, you can start building numbers
where you just capture a certain port number
719
00:42:21,846 --> 00:42:24,356
or I should say filters where you
just capture certain port numbers.
720
00:42:24,356 --> 00:42:25,716
There're a lot of possibilities.
721
00:42:25,716 --> 00:42:27,636
I mean, play around with
this, start tinkering around.
722
00:42:27,936 --> 00:42:33,646
And really, I would say, add some depth to your
knowledge and then jump into the next Nugget
723
00:42:33,646 --> 00:42:36,126
where we'll talk about the port
numbers and then fit it all together
724
00:42:36,126 --> 00:42:37,926
with that end-to-end communication story.
725
00:42:38,426 --> 00:42:41,486
I hope this has been informative for you
and I'd like to thank you for viewing.