Applying Filters to TCPDUMP and Wireshark Lab Part 2

Course: 14 hours 16 minutes, Difficulty: Beginner, CEU/CPE: 14
Video Transcription
00:00
Hey, everyone, welcome back to the course. So in the last video, we went ahead and ran a couple of commands with our tcpdump tool. In this video, we're gonna run a couple of filters using Wireshark.
00:10
So let's go ahead and launch Wireshark. The way we do that is we come over to the left side menu here and click on this little blue-colored shark fin icon to launch it. I've found that sometimes it's similar to the terminal window, where you have to click it a few times. So the easiest route, in my opinion, is actually right-clicking on it and then just clicking where it says Wireshark.
00:31
That should launch it right away for you, as you see in the background there.
00:35
All right, let's go back to the lab document. So once we've launched Wireshark, we're gonna go to File and then Open at the very top left. That's gonna open a new little pop-up window for us. And then what we're gonna do is basically navigate to a file that we want to look at.
00:49
So at the very top left here, click on File and then Open,
00:54
and then next we're gonna select Desktop on the left side here. We're gonna double-click on the Captures folder, so the top option there; it should be highlighted by default,
01:03
and then we want to find the lab 2.2.3-3 .pcap file. So you see I've got it listed here at step six. So we want to click on that particular file right there, and then we're just gonna go ahead and open it,
01:19
so just click the Open button there. Now, you see everything is kind of smashed up at the top here. We're gonna go ahead and expand this out like we have done in the previous lab. So if you recall, you just hover your mouse over top of this area here, and you'll see it turns the mouse cursor into an up-and-down arrow. Just go ahead and left-click and then drag it all the way down, or so.
01:38
I mean, you could go further up if you want to; it kind of depends on how far you want to take it. I normally just do mine kind of near the bottom there, and we should be good to go.
01:48
Let's go back to our lab document.
01:49
So now that we're able to actually see the information inside of Wireshark here, let's go ahead and actually put our first filter in.
01:56
So we're gonna type in this one here. We're gonna type in ip
02:00
period dst_host contains, and then the first part of the IP address as well,
02:06
and http, for port 80.
02:07
Let's go ahead and type that in. So here in this top-left filter box, we're gonna type in ip
02:13
period dst, all lowercase,
02:16
underscore host,
02:20
space, and then contains, all lowercase,
02:23
space, quotation mark,
02:27
172
02:29
.16, and then the closing quotation mark,
02:34
space, then the word and, so a-n-d,
02:38
space, and then http, again all lowercase.
02:43
Once you enter that, go ahead and click the Apply button on the right side there, and you'll see that's gonna filter it down and just give us the HTTP requests.
02:51
All right, so if we go back to our lab document here, the question, which I'll just answer for you: has the protocol column changed with the filter? And the answer there was, of course, yes. It's changed from everything else to just HTTP,
03:02
and question number two: do any of the IP addresses look familiar to you?
03:09
All right, so we notice that we've got that 172.16.20.24 again. So we've seen that in a previous lab.
03:17
All right, so let's go back to our lab document here, step number nine. We're gonna go ahead and export an HTML object. So the way we're gonna do this, again at the top left, we'll select File, then Export Objects, and then HTTP,
03:30
so File,
03:31
Export Objects, down near the bottom here, and then HTTP, the top option.
03:38
You'll see it'll give us some information there. Let's go back to our lab document.
03:42
We're gonna be selecting packet 50 there. So step number 12 here, we're gonna click on packet 50, and we're basically just gonna save it as.
03:50
So click on packet 50 at the top there and then Save As, and we're gonna name this http
03:57
underscore object underscore one.
04:00
And then we're just going to save this to our desktop. We'll click on Desktop there and save it there.
04:05
All right, then just click the Save button there. Now we're back at this screen here. So if we go back to our lab document,
04:13
you'll see that, first things first, we're gonna minimize Wireshark. We're gonna close this window here; we're just going to
04:18
X out of that, since we've already gone ahead and saved it.
04:21
And then we're just gonna minimize Wireshark here.
04:25
So go ahead and click that middle
04:28
button; it kind of looks like a little minus sign there.
04:30
And now we're back on our main desktop screen here. We want to look at this HTTP object file, the one we just created and saved; we want to go ahead and take a look at that file. So just go ahead and double-click on that.
04:44
It's gonna open it up, and you'll be able to kind of read through it. It's basically just giving us some information about this particular web page.
04:53
Just go ahead and X out of that once you're done reading through it. I'm not gonna spend a whole lot of time on that one. And then what we're gonna do is go ahead and open up the Wireshark window again. Since we've minimized it, all we have to do to open it is just click back on that little fin, and it should pop the window open for us.
05:11
All right, so we're back here in our lab document. We've already closed the file here in step 16. We're just gonna clear out that filter we had created there. So step 17 here, we're just gonna clear out the filter by clicking that Clear button right there. You'll see it filters everything back in again, and now we see TCP and UDP traffic as well,
05:28
as well as ICMP.
05:31
All right, so now we're gonna filter for just FTP, or File Transfer Protocol. We're gonna type that in. So we're just gonna type that in the filter box,
05:40
and then we're just gonna select the Apply option.
05:42
All right, so basically that cuts it down and filters it to just FTP.
05:47
All right, so what we're going to do now is go ahead and right-click on a specific packet. So packet number 28 here; we'll click on that one, right-click, and then we're gonna go to Follow TCP Stream, like we've done in the past.
06:00
All right, so
06:01
the question here: what information do you see? So question number three here: what information do you see in this particular
06:08
bit of data that we're taking a look at?
06:14
All right. So for me, I see that there was somebody logging in, right? I see "anonymous," which is generally not a username that a normal person would be using. That's normally a sign or indicator that something's amiss. Hopefully you can catch that. But we do see that there was some kind of login here. This is the username and password that was used.
06:32
Go ahead and just close that out.
06:35
Actually, before we close it out, let me take that back; before we close out, we actually want to save a copy of this. So if you take a look at the lab document here, you'll see I have it in step 21 that we actually do want to save a copy of this as our traffic from FTP. So the way we do that is just clicking the Save As button.
06:53
And then we're just gonna name this file; we're gonna call it ftp
06:56
underscore traffic,
06:59
and then dot txt for text. We're just going to save that to the desktop like we did before,
07:04
and then just click the save button.
07:08
All right, so now we can go back to our lab
07:11
document.
07:14
So the next thing we're gonna do here, to finish out our lab, is basically filtering with Telnet. So we're just gonna go back up here, click on Clear, and then we'll type in telnet, all lowercase,
07:24
and then go ahead and apply it.
07:28
All right, so now we're gonna go down, and we're gonna look for packet 880. So it shouldn't take you too far to go down. You'll see right here I've got mine. It might take a few seconds or so just to scroll down to it.
07:39
We're gonna go ahead and right-click once we've found that, and then select the TCP stream. So right-click, Follow TCP Stream,
07:45
and then we see some information in there, so let's take a look at that. Do we see any password information?
07:51
All right, so I see something, and maybe it's a nefarious user, but it might also be a legit user doing something. But in any event, I do see a password there, and so I'm able to potentially use that for something bad.
08:07
All right, so our last step here, we're just gonna basically save this to a text file, and then we're gonna take a look at any traffic that's not related to TCP. So the way we do that is we're gonna put basically an exclamation point in front of TCP.
08:22
So let's go ahead and save this information.
08:28
Yeah, same thing here. We're going to save to the desktop,
08:30
and then we're just gonna call it telnet
08:37
underscore traffic
08:39
dot txt.
08:41
We'll save that to the desktop, as I mentioned. Just click on Save.
08:46
Once we've saved that, we can go ahead and close this out.
08:50
All right, so we're gonna go ahead and clear the filter, as I mentioned before, and we'll do this last little one here: the exclamation point and TCP to find stuff that's not TCP. So just click the Clear button there, then just type in an exclamation point and TCP, and then just go ahead and apply the filter.
09:05
All right, so you'll see a bunch of different protocols there. So basically, the question is just: what protocols do you see? So just make sure you've got those in there. We see OSPF, UDP, et cetera.
09:18
All right, so in this video we just went ahead and covered the last portion of our lab on using Wireshark, and next time we're gonna go ahead and move into our final lab, where we jump into a little bit more of tcpdump.