Capturing Network Traffic

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

57 minutes
Video Transcription
Welcome back In this episode, we're gonna take a look at a couple of tools for capturing network traffic.
Our objectives of include We're gonna take a look at the Net S H command again and then some third party tools called wire shark and Fiddler
taking a look at S H again. Remember, it's ah network shell command line utility, but we can also use it to capture network traffic. And what's really cool about it is you can configure the packet capture to persist there reboot so you can capture a network traffic before you get into the Windows desktop.
We'll take a look at how to do this in a demo and how to view the resulting E T o phile.
This brings us to our 1st 3rd party utility called Bar Shark. This is an open source and free utility that could be used to capture and analyze network packets at a very granular level. Here in the screen shot, I've captured some traffic and applied an I P address filter so I can look at specific source and destination traffic from a specific I P address.
We'll take a look at how to capture and perform this basic filter inside of her demo.
And our 2nd 3rd party utility is called Fiddler. This is used for capturing http Web traffic. What's really great? It can be used as a proxy to decrypt secure H T T. P s sessions so you can analyze the traffic that is occurring there. This is a great
troubleshooting tool to view web traffic as it interacts with a remote system
that doesn't for a slides. Let's jump back out to our workstation and take a look at these utilities.
One other NET S H command we can do is actually create a trace, and a trace is going to capture the network information on your system so you can view it inside a program like network Monitor.
In order to do that, I need a place to save my files. So I'm going to make a new directory,
and to start a trace, you need to run the net S H trace start.
You can say persistence equals Yes, which means is going to continue capturing network traffic even through a reboot. While the system comes up,
we're gonna say capture Yes, and then specify the trace file where we wanted to save.
Now they're trace started. Let's bring back up our web browser.
Remember from our demo just earlier, we saw that the workstation here was connected to server A one to the Web page. We have listed here just a screenshot of the name of this course. I'm going to refresh this a couple of times to generate some network traffic.
Let's go ahead and minimize this
and we'll stop our trace with the trace. Stop Command.
This is going to take a few minutes to generate the data collection. So I'm gonna pause the video and we'll come back when it's complete.
Now, our trace has been completed. I'm going to use a tool called Microsoft Network Monitor to open the CTL file and take a look at it.
Network monitor is an older tool. I don't believe it's has any active development, but we can still use it to view these files.
I'm going to open capture,
going to browse to mine S H trace folder
and select the TL file.
Now, if you try to load this, follow that yourself the first time. The data might not look like what you're expecting. What you'll need to do is go into tools,
go over to your parson profiles,
select the windows option here and said it as active
once it finishes re parsing the file, you can see here we have our network traffic.
We have source and destination I p addresses. And we can see here some of the traffic that we just generated.
For example, here is my local system, the 3.1 50 reaching out to 1.75 to get our web page. And I know the images. I s start dot PNG. And then here is the server given us a response back to render the web page
so easily from the command line, you can start a network trace that persists through reboots and captures traffic when the service starts back up.
Then view that in some program that can view E T l files in this case, the Microsoft Network monitor
medico head and close this trace out and minimize our command prompts here because speaking of third party tools, that brings us to our other ones called Bar Shark and Fiddler. Now, we're not gonna go too in depth in him. I just want to show you the capabilities of these. There's lots of other tutorials you can view for taking a look at them, and I've already got them installed. So let's go ahead and open wire shark.
When you first opened wire shark, you need to select the interface that you want to capture traffic on. In that case, this is my Ethernet adaptor here,
and I'm going to go ahead and click on start capturing packets and here we'll see traffics that is occurring live on our system. Start to be captured. Let's bring back up our Web page here. I'll refresh the connection and we can see. Is traffic starting to come through?
Let me go ahead and stop it.
And what's great about wire shark is you can start using filters here to find what you're looking for.
In this case, let's find everything that was going to our server hosting our Web page weaken type in I p address equal equal in the I P address that we're looking for
and this filter is gonna apply to the source and destination traffic.
So here we can see my local system reaching out to port 80 of our server
and We're performing a three way handshake here where we get a sin Cenac and act acknowledgement. And then we start interacting with the Web server in getting a response back to display it
again. Wire shark has a lot of awesome tools in it. You can do a lot of analysis, but this just to get an idea that once you get past the ping and trace route and those other commands and you need to troubleshoot a network connectivity issue or even application issue wire, shark is definitely a good way to go To capture that traffic and start analyzing it,
let's go ahead and minimize this
and go check out our other tool, called Fiddler.
Now Fiddler is great for capturing Web traffic and acting as a proxy so it can actually decrypt secure https traffic.
And as soon as you started, it's going to start capturing traffic.
If I refresh here, we can see where we reached out to the server and retrieve backed our website file.
In order to configure the https decryption need to go into tools
check out the https tag
and you'll need to capture https, connects and then also decrypted here with this box
and you're going to get a warning here. And of course, they title here was scary text. In order to decrypt this https traffic Fiddler is going to generate a root certificate and install it on your system.
So here we're going to say we're gonna go ahead and trust this root certificate.
But if you have concerns about it later, you can go back into your certificate store and delete them
and if needed to, you can restrict what traffic is captured based on processes or if their browsers or non browsers.
Let's go ahead and select one of these frames here.
You can see the image we got back when we connected to the Web server
again. Lots of things in here you can learn just wanted you to be aware of it. As you start getting more advanced in your network troubleshooting skills,
these air some other tools you'll definitely want to start looking at and be familiar with because they can help you troubleshoot and find resolution. Is the problems many times over in your career
that does it for our demo? Let's jump back to the slides and wrap this up
that does it for this lesson. In this video, we discussed how we can capture network traffic using the S H command at the command line.
How we can't analyse network packets using the wire shark utility.
And finally, how we can view secure Web sessions using Fiddler
coming up. Next, we're gonna take a look at our last lesson on how you can troubleshoot network devices, See in the next episode.
Up Next