Applying Filters to TCPDUMP and Wireshark Lab Part 1

00:00

Hey, everyone, welcome back to the course. So in the last video, we went over wire sharks. So again, we just captured some more packets and this video, we're gonna go over TCP dump is, well, a swire shirt. We're gonna work on setting some filters in both those tools. So part one is gonna be TCP dump, and then we'll move into wire shark a little later on.

00:17

So you should already be love to do the cyber environment. Go ahead and search for applying filters. So in the search box here, just type in applying filters

00:25

and you'll see it'll pull the lab. We actually want to use the supplying filters to TCP dump and wire sharp. So once you find that it's going and click on that and then select a launch button

00:35

again, only step by step guide here in the supplement of resource is section. So make sure you download that so you can follow along. Once you click that launch button, it's gonna give you this option and launch items. So basically it's gonna open it and in a separate tab, So to click on that and it should open it up for you

00:49

and it shouldn't take too long to get the lab environment going here. You'll see it booted right up for me. Sometimes it takes 10 to 15 seconds or so, so just keep that in mind. And also, you may see a papa box here, just click next in okay to close a papa box, and you should then be at the screen I'm at right now.

01:06

There's some other pop ups here that you'll notice kind of the corners. You could just x out of those or you're welcome to read Emma's well, but I'm just gonna x out of them for our purposes.

01:15

All right, let's go back to our lab guide here.

01:18

So we went ahead and logged into our environment. Where? At the Ubu to Lennox desktop. Now, now we're gonna go ahead and launch a terminal window. So the way we do that, we just click on the left side. Here, we cook on those little black box that's gonna be our terminal window.

01:33

Now, sometimes it's a little finicky, and it doesn't open right away as you'll see here,

01:38

and you have to click it around a little bit, and eventually it will open a terminal window for you.

01:42

National. Why does that? But hopefully they'll get that resolved quickly. But in the interim, just kind of keep clicking on it until it opens a terminal window for you.

01:52

All right, so at the terminal window, we're gonna go ahead and change the directory that we're in. We're gonna go ahead and change it to the desktop and then specifically, the Captures folder. And then from there, we'll be able to run the commands that we want to use throughout the lab.

02:04

So let's go and do that. Now we're gonna type in seedy space forward slash home forward slash student forward slash desktop with a capital D

02:13

Ford slash suit before it slash captured. So let's go and type all that in. No.

02:19

So what do we do it step by step. So see, the all over case will put a space will put afford slash lower case home

02:28

ford slash lower case student

02:30

ford slash desktop with a capital D. So capital D lowercase e s k t o p.

02:38

And then afford slash captures. And then we're just gonna press enter on her keyboard once we've done that.

02:44

All right, so now we're redirected into this directory here. So now we're gonna go ahead and run our command. So TCP dump is gonna be our command If we go back to our lab document here.

02:57

TCP dump

02:59

space National case in space Dash, lower case X X space TCP space dash are

03:06

space and then in quotation marks because we don't want it to read these as end of strings, these white spaces here. So we put in quotation marks or just read this as a actual file, and then from there, we're gonna pipe it to Les.

03:21

So let's go and do that now. No, I'm not gonna actually explain what these different flags mean because of the simple men of Resource is we have a document that does all that for you. So go ahead and download that. Make sure it's about 40 40 or so pages worth of stuff. So just take a look at that and then walking through

03:38

exactly exactly what we're doing in these this particular lab.

03:43

So let's go and type all that. And so we've got TCP dump, will put a space.

03:47

We'll put a dash lower case in. We'll put a space a dash Lower case X X.

03:53

We'll put a space than TCP Eller case.

03:57

We'll put another space national case are we'll put a space And now no, again, we need to put in our file name there. So quotation mark lab

04:05

space to point to point 3-3 dot pea cap.

04:14

So lab 2.2 point 3-3 dot pea cap will end it with a quotation mark. Put a space we're gonna pipe it

04:23

If you're not familiar with the pipe command In most keyboards, it's usually right above the enter key. So just hold on, shift in and press the enter key. Kind of looks like it just a big steak.

04:33

All right, so we're gonna pipe it to space than less.

04:36

And then let's go ahead and run that command. They're just probably pressing. Enter there, you'll see it's going to show us some different I p address and packing information

04:46

are so just taking a quick glance at it at the output there. Question number one here report numbers do you see in the output and then also what I p addresses Do you have listed there so you can go ahead and list those out if we want to. We see here that we've got this I p address 122.168 dot 0.2 and then we see it's running on Port 21.

05:04

We also see we've got one of 102.168 dot 0 to 25

05:09

and it's running on port 1110. So we see if we look around there, we've got similar results for most of these. We also see that we have, you know, 25 then we have 21 just basically swapped around here.

05:21

Let's go back to our lab document.

05:25

So now we're do we're just gonna basically back out of this. So we're just gonna use ah, letter Q on her keyboard here. That's gonna back us out of this particular area here and take us back to the command prompt. So let's do that now, So just go back over there,

05:38

put the cube button and you'll see a Texas back to our prompt.

05:42

Let's go back for a lab document. No. Now, we're gonna go ahead and type in this command here. Now the main change here is we're just gonna basically be sorting by eso we can on Lee or filtering Excuse me by just theeighty dp or the airport Haiti as it's more commonly known.

05:59

Let's go and do that. Now we're gonna type in this long command here. Thea Other option we can just do is press up on her keyboard here. You notice that gives us everything from the previous command. And so if we just use our left arrow on her keyboard, we come all the way over here

06:15

and right in front of this dash are so just right here in the space between TCP space dash are we're just gonna put another space and the rest of this type in port space A So you have noticed that we're running the basically the exact same command here. We're just adding in port 80. Now you can go through and you could type out, you know, TCP dump Space National our case and

06:34

space dash over case ***, etcetera, etcetera all the way through.

06:39

But to save time, just pressing up to a rookie and your keyboard presi left therapy to get all the way back over between the TCP and the gash, Lower case R and then just put a space in there and then put port a sport space 80. And you're good to go.

06:56

No, we have to do Just go ahead and hit. Enter a keyboard to run that command.

07:00

So let's take a look at our lab document because we have a couple of questions now. So questions, uh, three of four. What port numbers do you see in the opera? Now and then Also what? Web server I P address. Do you see? So what poor numbers do we see now? While we of course, at least on my end. I see Port 80 now is in there. So that's to be expected if we're looking for

07:19

before searching for traffic with port 80 in it.

07:24

All right, so what's the server I p address in this situation? So I've actually I've kind of given it away on the screen here.

07:30

If you guess right here. We were where we've got Port 80 highlighted. You are correct. So it's gonna be a 1 72.16 dot 2024. Now, jot that down someplace or, you know, throw it in the document. It's definitely something you want to know in just a moment.

07:46

All right, so the next thing we're doing, what's gonna quit again on this year? By the way, you should never quit in life itself. But just quit on this thing here. And then we're just gonna run one last command.

07:58

I should just come back to your terminal window there, click to Cuba in there to cancel that out. And then we're just gonna run this long command right here. So we're basically just gonna be looking for this specific A Web server I p address. We're just looking at the package capture file for this particular Web server I p address.

08:20

So a couple of ways we could do this weekend, you know, hit Thea Pero again. And then just add in the differences here. I'm gonna be ambitious here, and we're just gonna type everything in on this particular one step by step.

08:31

So we're gonna take man TCP dump and again you could just hit Thea, Pero if you want to just add in the different thing differentiating things, but TCP jump space dash lower case in space Dash lower case expects

08:43

space host that we want to specify. R P address. So again, space 1 72

08:48

That 16.20 got 24.

08:52

We're gonna put a space. We're gonna say end.

08:54

This is the hand

08:58

space.

08:58

TCP spaceport 80

09:01

space

09:05

and then dash. Lower case R will put another space than there were type are filing some quotation marks. Lab

09:13

2.2 points. 3-3 dot pea cap

09:20

quotation Mark, We ended with space. We're gonna pipe it again. That's right above the intricate and your keyboard. And that was typing less. And we'll press internal keyboard and let that run.

09:31

All right, so question here is do you only see inbound traffic? You only see inbound traffic. So question for five here to receive only inbound traffic in our results.

09:45

So the answer, at least on my end here and here should be the same, isn't no right. It's one we see in internal and external traffic. So we see inbound and egress traffic.