1
00:00:00,530 --> 00:00:05,930
You need to be careful when using Wireshark to capture packets or frames from a network.
2
00:00:05,930 --> 00:00:11,900
You need to think about how traffic flows through a network and make sure that you're capturing in the
3
00:00:11,900 --> 00:00:13,780
right part of the network.
4
00:00:13,950 --> 00:00:21,440
So as an example, if PC1 opens up a browser and connects to the server, where do you need to capture
5
00:00:21,440 --> 00:00:22,490
the traffic?
6
00:00:22,490 --> 00:00:27,920
Now it's obvious that you may capture here or maybe capture here, but what happens if you capture over
7
00:00:27,920 --> 00:00:28,430
here?
8
00:00:28,580 --> 00:00:33,670
Will you see the traffic sent from the client to the server?
9
00:00:33,790 --> 00:00:35,870
Notice we are seeing a whole bunch of traffic here.
10
00:00:35,930 --> 00:00:39,820
We're seeing CDP, we're seeing spanning tree.
11
00:00:39,980 --> 00:00:44,550
We see other protocols, but let's filter for HTTP.
12
00:00:44,780 --> 00:00:54,140
At the moment we see no HTTP traffic. What happens when PC1 opens up a browser to the server? So I'll
13
00:00:54,140 --> 00:01:04,660
close this down and let's open up a browser and go to 10.1.1.100.
14
00:01:04,820 --> 00:01:11,780
So the server. Do we see any HTTP traffic? And the answer is no.
15
00:01:12,940 --> 00:01:17,590
If I clear the filter, I'll see a whole bunch of traffic. So as an example, I can see DNS.
16
00:01:18,070 --> 00:01:19,420
So there's DNS queries.
17
00:01:19,450 --> 00:01:28,830
So let's filter for DNS. Notice the client 10.1.1.1 sent a DNS query. You can see the query here to the DNS
18
00:01:28,830 --> 00:01:35,730
server. The source IP address is 10.1.1.1, destination is 10.1.1.254.
19
00:01:35,730 --> 00:01:41,180
Now in this topology the router is acting as a DNS server.
20
00:01:41,220 --> 00:01:48,380
This is a Cisco router, so show version here shows me that I'm running Cisco
21
00:01:48,380 --> 00:01:50,730
IOS software on this router.
22
00:01:51,740 --> 00:01:57,080
If you're not familiar with Cisco, again, you get free access to my CCNA course.
23
00:01:57,090 --> 00:02:02,630
So that'll teach you a whole bunch about Cisco routers, but you don't need to know that to use Wireshark.
24
00:02:02,630 --> 00:02:08,570
But if you want to be a serious network engineer, I strongly suggest that you learn about Cisco, because
25
00:02:08,570 --> 00:02:11,970
Cisco is the biggest vendor out there. But what I've done here,
26
00:02:12,000 --> 00:02:14,970
I typed show run pipe include DNS.
27
00:02:14,970 --> 00:02:21,520
I have set up this router as a DNS server through this command, ip dns server.
28
00:02:21,630 --> 00:02:28,170
Now these commands may be confusing, so let me show you that the router is also acting as a DHCP
29
00:02:28,180 --> 00:02:31,760
server, or Dynamic Host Configuration Protocol server.
30
00:02:31,800 --> 00:02:35,340
In other words it's allocating IP addresses to clients dynamically.
31
00:02:35,340 --> 00:02:41,010
The PCs are not configured with static IP addresses; they dynamically get IP addresses from the DHCP
32
00:02:41,010 --> 00:02:41,940
server.
33
00:02:41,940 --> 00:02:45,700
So this allows me to configure the router as a DHCP server.
34
00:02:45,930 --> 00:02:52,730
And this command allows me to create entries in the DNS server running on this router that says gns3.com
35
00:02:52,740 --> 00:03:01,560
has this IP address. So as an example, if I ping gns3.com, that resolves to this IP
36
00:03:01,560 --> 00:03:11,480
address. Domain Name Server, or Domain Name System, DNS, allows us to resolve easy-to-read names to IP addresses.
37
00:03:11,580 --> 00:03:14,210
This GNS3 topology is not connected to the Internet.
38
00:03:14,220 --> 00:03:19,410
It's running locally on my computer, so gns3.com,
39
00:03:19,410 --> 00:03:24,440
if you surf from an Internet-connected device, will take you to the actual GNS3 server.
40
00:03:24,630 --> 00:03:29,470
But in this example it's simply taking us to this server in the topology.
41
00:03:29,630 --> 00:03:34,320
Now what I'll do is stop this Wireshark capture and I'll save this
42
00:03:38,400 --> 00:03:44,640
basic Wireshark capture 2, so you can also once again have a look at this capture if you want to. But
43
00:03:44,640 --> 00:03:48,700
notice here that the client is sending a DNS request to the server.
44
00:03:48,720 --> 00:03:53,700
The reason this was captured is we were capturing traffic on this link and the PC is sending a DNS
45
00:03:53,700 --> 00:03:56,220
request to the router, which is the DNS server.
46
00:03:59,570 --> 00:04:02,660
Source MAC address is the PC, destination address is the router.
47
00:04:06,810 --> 00:04:14,790
We can prove that once again by going to the router, and I can use the command show interface gigabit
48
00:04:16,100 --> 00:04:17,720
zero slash zero.
49
00:04:17,900 --> 00:04:20,030
Notice the MAC address of this router is
50
00:04:20,030 --> 00:04:20,810
this.
51
00:04:20,900 --> 00:04:21,800
And that's the
52
00:04:21,890 --> 00:04:23,810
destination MAC address of the frame.
53
00:04:23,930 --> 00:04:29,990
So the PC sent a DNS request to the router. Source IP address is the PC, destination IP address is
54
00:04:29,990 --> 00:04:30,910
the router.
55
00:04:31,160 --> 00:04:36,410
I can prove that once again by going back to the router. Remember I typed this command.
56
00:04:36,410 --> 00:04:37,730
There's the MAC address.
57
00:04:37,940 --> 00:04:46,250
There's the IP address of the router, 10.1.1.254. Source port number is an ephemeral, or random, or dynamic
58
00:04:46,250 --> 00:04:47,120
port number.
59
00:04:47,270 --> 00:04:55,630
Destination port number is a well-known port number; 53 is the well-known port number for DNS.
60
00:04:55,790 --> 00:05:01,490
So again, Layer 2 frames, Layer 3 packets, Layer 4 segments.
61
00:05:01,490 --> 00:05:05,770
In this case, however, it's UDP, or User Datagram Protocol.
62
00:05:05,840 --> 00:05:11,990
It's not TCP. DNS in this example is using UDP. Source port again,
63
00:05:11,990 --> 00:05:13,460
destination port.
64
00:05:13,460 --> 00:05:18,740
Then we get to Layers 5 to 7, so the top layers of the OSI model.
65
00:05:18,740 --> 00:05:24,220
You can see it's a standard query. Let's go through that standard query,
66
00:05:26,810 --> 00:05:30,030
so the queries in this example are for Amazon.
67
00:05:30,050 --> 00:05:35,530
So something was happening in the background, but let's have a look for gns3.com.
68
00:05:35,630 --> 00:05:42,530
But notice Windows, just right out the gate, is querying for a whole bunch of stuff, including
69
00:05:42,530 --> 00:05:43,520
bing.com.
70
00:05:43,690 --> 00:05:45,760
So a whole bunch of queries there.
71
00:05:45,860 --> 00:05:50,180
Let's see if we carry on: a bunch of Microsoft and MSN.
72
00:05:50,240 --> 00:05:52,440
Keep going.
73
00:05:52,440 --> 00:05:54,840
A lot of queries, but this is the one I'm after.
74
00:05:54,950 --> 00:05:57,040
Notice gns3.com.
75
00:05:57,290 --> 00:05:58,430
So the Windows
76
00:05:58,420 --> 00:06:03,950
PC in this example queried for gns3.com, and the server
77
00:06:03,950 --> 00:06:06,050
hopefully at some point replies.
78
00:06:06,050 --> 00:06:06,950
Here we go.
79
00:06:07,250 --> 00:06:09,740
So reply back to the client.
80
00:06:09,800 --> 00:06:15,330
Notice source port is 53, destination port is the ephemeral port used by the client.
81
00:06:15,350 --> 00:06:22,700
Now notice different port numbers were used for different queries, so the Bing query over here used this
82
00:06:22,850 --> 00:06:24,790
source port number from the client.
83
00:06:25,900 --> 00:06:28,570
I'd have to go back and find the gns3 query.
84
00:06:28,570 --> 00:06:29,470
There it is.
85
00:06:29,470 --> 00:06:33,730
Notice 55037 is the source port
86
00:06:33,730 --> 00:06:41,140
when the query was made. When the server replies, it's replying back to that port number and it tells
87
00:06:41,140 --> 00:06:45,370
the client the IP address of the server.
88
00:06:45,370 --> 00:06:51,280
So the router acting as a DNS server is telling the client gns3.com has this IP address,
89
00:06:51,280 --> 00:07:00,700
10.1.1.100, and then the client can initiate a session to the server. But we don't see that if we capture traffic
90
00:07:00,700 --> 00:07:01,820
on this link.
91
00:07:01,990 --> 00:07:14,780
So again, if I filter for HTTP, I see nothing in the output, because the HTTP traffic is sent directly from
92
00:07:14,780 --> 00:07:16,670
the client to the server.
93
00:07:16,670 --> 00:07:17,260
Why?
94
00:07:17,270 --> 00:07:25,800
Because this is a switch. It's important to remember that switches do not flood traffic once they know
95
00:07:26,430 --> 00:07:28,830
the MAC addresses involved in a conversation.
96
00:07:32,040 --> 00:07:40,360
So as an example, if I type show mac address-table, notice we can see the MAC addresses that have been
97
00:07:40,360 --> 00:07:48,040
learnt. The switch has learnt about this MAC address on gigabit 0/0; it's also learnt about this MAC address
98
00:07:48,430 --> 00:07:52,530
and it's learnt about this MAC address on gigabit 0/1.
99
00:07:52,600 --> 00:08:03,010
Now when I send traffic from the client, so that could have timed out, if I refresh that page, notice it's
100
00:08:03,010 --> 00:08:06,490
learnt about this MAC address on gigabit 0/2.
101
00:08:06,670 --> 00:08:11,630
Once the switch learns about the MAC addresses in the conversation.
102
00:08:11,740 --> 00:08:16,780
This once again is the server, and just in case you don't believe me,
103
00:08:16,780 --> 00:08:21,010
notice this is the MAC address of the server.
104
00:08:21,850 --> 00:08:28,950
This is the HTTP server over here. Notice this MAC address was learnt on gigabit 0/2.
105
00:08:29,020 --> 00:08:32,320
Once this switch has learnt about the two devices in the conversation,
106
00:08:32,320 --> 00:08:36,190
it's not going to flood the frames out of other ports; it's going to be switched directly between these
107
00:08:36,190 --> 00:08:37,180
two hosts.
108
00:08:37,450 --> 00:08:50,890
So the PC with this MAC address, 000c ending in dcd7, in other words this MAC address, is gonna
109
00:08:50,900 --> 00:08:56,720
have its traffic forwarded directly to the server and the server traffic is going to go directly back
110
00:08:57,050 --> 00:09:03,350
to the PC. So if you capture traffic on this link, you won't see the conversation between the server
111
00:09:03,380 --> 00:09:04,720
and the client.
112
00:09:04,760 --> 00:09:11,270
That's why you need to either SPAN a port or mirror a port on the switch to be able to see what's going
113
00:09:11,270 --> 00:09:17,340
on or you need to have a network tap or something in the network where you can see the traffic.
114
00:09:17,480 --> 00:09:23,030
You've gotta get the traffic to your capturing device, otherwise you won't see it.
115
00:09:23,030 --> 00:09:24,680
So in the next video I'll show you how to do that.
116
00:09:25,160 --> 00:09:29,030
Let's add a mirror to the topology so that we can actually see what's going on.
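The point the video makes about capture placement (a capture on the router's link sees the PC's DNS exchange but not the PC-to-server HTTP conversation, because the switch stops flooding once it has learnt both MAC addresses) can be replayed with a small learning-switch model. The following is an added example, not code from the video, from Wireshark or from GNS3; the MAC addresses, port names and frame sequence are constructed to mirror the topology described (PC on Gi0/0, router acting as DNS server on Gi0/1, HTTP server on Gi0/2, a spare Gi0/3 for a capture device), and `mirror()` is a constructed stand-in for a SPAN session.

```python
"""Learning-switch model: which capture point sees which frames.

Added example (not from the video, Wireshark or GNS3). All MAC addresses,
port names and the frame sequence below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed MAC addresses for the three hosts in the topology.
PC = "00:0c:29:00:dc:d7"       # client PC on Gi0/0
ROUTER = "00:0c:29:00:00:fe"   # router / DNS server on Gi0/1
SERVER = "00:0c:29:00:01:64"   # HTTP server on Gi0/2
PORTS = ["Gi0/0", "Gi0/1", "Gi0/2", "Gi0/3"]


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    proto: str  # label only ("ARP", "DNS", "HTTP"); payload is not modelled


@dataclass
class Switch:
    ports: List[str]
    mac_table: Dict[str, str] = field(default_factory=dict)  # MAC -> port learnt on
    span: Dict[str, str] = field(default_factory=dict)       # source port -> mirror port

    def mirror(self, source: str, dest: str) -> None:
        """Constructed stand-in for a SPAN/mirror session: every frame that
        enters or leaves `source` is also copied out of `dest`."""
        self.span[source] = dest

    def forward(self, frame: Frame, ingress: str) -> Set[str]:
        """Process one frame and return the set of ports it is sent out of."""
        # Source learning: remember which port this source MAC arrived on.
        self.mac_table[frame.src] = ingress
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            # Broadcast or unknown unicast: flood out of every other port.
            egress = {p for p in self.ports if p != ingress}
        else:
            # Known unicast: forward only to the port the destination lives on.
            egress = {self.mac_table[frame.dst]}
        # SPAN copies: frames touching a mirrored source port are duplicated.
        for src_port, dst_port in self.span.items():
            if src_port == ingress or src_port in egress:
                egress = egress | {dst_port}
        return egress


# Constructed sequence mirroring the video: PC resolves the server name via
# the router (DNS), then opens an HTTP session directly to the server.
SEQUENCE = [
    ("pc-arp-for-router", Frame(PC, BROADCAST, "ARP"), "Gi0/0"),
    ("router-arp-reply", Frame(ROUTER, PC, "ARP"), "Gi0/1"),
    ("pc-dns-query", Frame(PC, ROUTER, "DNS"), "Gi0/0"),
    ("router-dns-reply", Frame(ROUTER, PC, "DNS"), "Gi0/1"),
    ("pc-arp-for-server", Frame(PC, BROADCAST, "ARP"), "Gi0/0"),
    ("server-arp-reply", Frame(SERVER, PC, "ARP"), "Gi0/2"),
    ("pc-http-syn", Frame(PC, SERVER, "HTTP"), "Gi0/0"),
    ("server-http-synack", Frame(SERVER, PC, "HTTP"), "Gi0/2"),
]


def run_scenario(capture_port: str, span_source: Optional[str] = None) -> Dict[str, bool]:
    """Replay SEQUENCE through a fresh switch and report, per frame, whether a
    capture device on the link attached to `capture_port` would see it.
    If `span_source` is given, that port is mirrored to `capture_port` first."""
    sw = Switch(list(PORTS))
    if span_source is not None:
        sw.mirror(span_source, capture_port)
    seen: Dict[str, bool] = {}
    for label, frame, ingress in SEQUENCE:
        egress = sw.forward(frame, ingress)
        # A link carries the frame if it entered or left through that port.
        seen[label] = ingress == capture_port or capture_port in egress
    return seen


if __name__ == "__main__":
    for title, args in [
        ("capture on router link Gi0/1", ("Gi0/1",)),
        ("capture on spare port Gi0/3", ("Gi0/3",)),
        ("capture on Gi0/3 with Gi0/0 mirrored", ("Gi0/3", "Gi0/0")),
    ]:
        print(title)
        for label, visible in run_scenario(*args).items():
            print(f"  {label:20s} {'seen' if visible else 'not seen'}")
```

Running it shows the behaviour the video demonstrates: the capture on the router's link sees the broadcasts and the DNS query/reply, but never the HTTP frames, because the server's ARP reply has already taught the switch where the server MAC lives before the first HTTP frame is sent. Only when Gi0/0 is mirrored to the capture port does the full PC-to-server conversation become visible.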