1
00:00:01,030 --> 00:00:06,460
So in this GNS3 topology I'm going to add a device that will allow me to capture traffic, basically
2
00:00:07,090 --> 00:00:10,270
as if I had a monitoring station in my network.
3
00:00:10,270 --> 00:00:17,010
So let's pretend this Ubuntu PC is a monitoring device.
4
00:00:17,110 --> 00:00:19,320
I'm not actually going to use that for monitoring.
5
00:00:19,330 --> 00:00:23,230
I'm going to use GNS3 to do it directly.
6
00:00:23,410 --> 00:00:33,430
But let's pretend you were running Wireshark on the Ubuntu PC. I could, as an example, use a Windows
7
00:00:33,430 --> 00:00:38,780
PC here rather than Ubuntu, but I'm going to simply capture the traffic this way.
8
00:00:38,890 --> 00:00:47,560
So again, if I start capturing on this link, will I see the HTTP traffic from the PC to the server?
9
00:00:47,990 --> 00:00:49,960
I'll filter for HTTP here.
10
00:00:49,960 --> 00:00:51,010
Nothing at the moment.
11
00:00:52,210 --> 00:00:56,140
On the client I'll refresh this page.
12
00:00:56,240 --> 00:00:59,260
Don't see anything. Manually type it in.
13
00:00:59,360 --> 00:01:00,280
Don't see anything.
14
00:01:01,190 --> 00:01:02,310
Shut that down.
15
00:01:02,330 --> 00:01:07,030
Open it up again, try and connect to the server.
16
00:01:07,080 --> 00:01:15,770
We don't see any HTTP traffic on this link, but what I'm going to do now is SPAN or mirror the port on
17
00:01:15,770 --> 00:01:24,540
the switch. So on switch one, gonna go to global configuration mode to type monitor. This is...
18
00:01:24,570 --> 00:01:26,040
This goes by different terms.
19
00:01:26,050 --> 00:01:34,110
It's known as SPAN or monitor or mirroring. SPAN is known as Switched Port Analyzer.
20
00:01:34,230 --> 00:01:36,160
We're going to use the term monitor here.
21
00:01:36,210 --> 00:01:44,070
So I'm gonna monitor a session. I'm going to give it a number, one, to specify the source interface as
22
00:01:44,250 --> 00:01:47,840
gigabit zero slash zero.
23
00:01:47,860 --> 00:01:56,980
So this interface is going to be the source, and then I must say monitor session one destination interface
24
00:01:57,400 --> 00:02:00,380
gigabit 0/3.
25
00:02:00,830 --> 00:02:03,880
So source interface, destination interface.
26
00:02:03,880 --> 00:02:11,020
The switch is going to copy all traffic from this interface to this interface. So let's prove that. This
27
00:02:11,020 --> 00:02:15,080
is the Wireshark capture from gigabit 0/3 to the Ubuntu host.
28
00:02:15,190 --> 00:02:21,600
In other words, over here. On the client, refresh the page.
29
00:02:21,600 --> 00:02:31,600
Notice I suddenly see HTTP traffic. Refresh the page again, I see more HTTP traffic. So because I'm spanning
30
00:02:31,600 --> 00:02:35,830
the port, I can see the HTTP traffic.
31
00:02:35,980 --> 00:02:38,290
So if I had a monitoring station here.
32
00:02:38,290 --> 00:02:43,920
So I was running a Windows computer or some other computer with Wireshark directly on it.
33
00:02:44,050 --> 00:02:46,300
I'd need to span the port like I've done here.
34
00:02:46,300 --> 00:02:47,620
To be able to see the traffic
35
00:02:50,720 --> 00:02:53,240
Again, network vendors use different terms.
36
00:02:53,240 --> 00:02:56,040
Mirroring, monitoring, SPAN.
37
00:02:56,990 --> 00:03:06,430
But notice show monitor session, let's say session one. You can see that we are capturing traffic in both
38
00:03:06,430 --> 00:03:11,560
directions on this port and the destination port is gigabit
39
00:03:11,560 --> 00:03:14,440
0/3. Encapsulation is native.
40
00:03:14,480 --> 00:03:21,660
We're not adding any additional frames to the captures, so you'll actually see the original frames here.
41
00:03:21,660 --> 00:03:23,120
Notice source MAC address,
42
00:03:23,120 --> 00:03:29,580
PC going to the server, source IP address of PC to the server, as a frame, packet, segment.
43
00:03:29,590 --> 00:03:36,120
Random port number going to port 80 and you can see the actual request made there.
44
00:03:36,130 --> 00:03:43,830
So if we look at the server response we can see for instance the PSG file.
45
00:03:43,910 --> 00:03:52,620
Notice nothing was modified. So with a browser, it often caches the data locally so it doesn't re-request
46
00:03:52,620 --> 00:03:53,780
all the data
47
00:03:54,770 --> 00:04:05,180
to save on bandwidth. But if I shut that browser down, open it up again and go to the server, and I'll
48
00:04:05,180 --> 00:04:06,860
go right down.
49
00:04:07,070 --> 00:04:12,120
Again we see not modified. So let's actually do this.
50
00:04:12,120 --> 00:04:18,650
I'm going to open up a private window and go to the server that way to force it to do everything again.
51
00:04:21,820 --> 00:04:22,470
So here we go.
52
00:04:22,480 --> 00:04:23,870
Client request.
53
00:04:23,970 --> 00:04:30,800
Here's the reply from the server, and notice you can see all the data from the server. So you can see
54
00:04:31,350 --> 00:04:32,980
title of the web page.
55
00:04:32,980 --> 00:04:42,400
You can see the actual text in the web page. So in summary, be careful of where you capture traffic.
56
00:04:42,400 --> 00:04:49,840
In this example, we wouldn't see the traffic on this link or on this link unless we enabled port monitoring
57
00:04:50,110 --> 00:04:52,000
or spanned the port.
58
00:04:52,000 --> 00:04:56,790
In other words, you need to get the switch to copy frames from this interface
59
00:04:56,860 --> 00:04:59,640
out of this interface. It wouldn't normally do that
60
00:04:59,650 --> 00:05:05,890
if traffic was going from the client to the server. You have to enable the mirroring of traffic to be able
61
00:05:05,890 --> 00:05:07,960
to see it on a switch. With a hub,
62
00:05:07,960 --> 00:05:12,610
you wouldn't have to do that. A hub floods traffic out of all ports, but a switch doesn't.
63
00:05:12,640 --> 00:05:17,140
So once again, don't forget you need to be careful where you're monitoring traffic.
64
00:05:17,170 --> 00:05:21,610
If you want to see what's going on, as an example, if you want to see what's going on on this side of
65
00:05:21,610 --> 00:05:27,640
the network, you want to put a probe or some device on that part of the network so that you can see what's
66
00:05:27,640 --> 00:05:28,380
going on.
67
00:05:28,390 --> 00:05:33,610
You could implement remote SPAN, where you copy traffic through a tunnel from one side of the network
68
00:05:33,610 --> 00:05:39,700
to another, but you need to be careful with that because of overhead and because of the amount of traffic
69
00:05:39,700 --> 00:05:44,290
that you're going to be receiving. So it'd be better to capture traffic locally if you can.