Learn Wireshark in 15 Minutes! Lesson 1 for BEGINNERS

Rollback to version 1

0:00 - 0:02

so let's go ahead and jump into lesson
0:02 - 0:04

one now the important thing about
0:04 - 0:06

wireshark when you're starting to look
0:06 - 0:09

at a trace file with it is the setup now
0:09 - 0:12

albeit when you're looking at wireshark
0:12 - 0:14

at the start it's a daunting thing to
0:14 - 0:16

look at especially when you're first
0:16 - 0:18

getting going with using the analyzer so
0:18 - 0:20

i want to show you a few things a few
0:20 - 0:22

tricks that you can use to get a bit
0:22 - 0:24

more comfort with it now as you can see
0:24 - 0:27

here on my copy of wireshark this is the
0:27 - 0:30

default profile now that's the first
0:30 - 0:32

thing you want to learn about setting up
0:32 - 0:34

wireshark if you look at the lower right
0:34 - 0:36

hand corner you can see which profile
0:36 - 0:38

you're using but
0:38 - 0:39

what's a profile
0:39 - 0:43

well a profile is basically a set
0:43 - 0:45

of configurations or settings think
0:45 - 0:48

about it this way if i go out to my car
0:48 - 0:50

i'm six foot two
0:50 - 0:53

i want a certain setup for my seat and i
0:53 - 0:54

want my steering wheel in a certain
0:54 - 0:57

place and the rear view mirrors and a
0:57 - 0:59

lot of cars have the ability to just
0:59 - 1:01

touch a button and everything goes to me
1:01 - 1:03

well my wife goes out there and she's
1:03 - 1:06

five foot one so she can't just jump in
1:06 - 1:08

the same kind of settings that i like to
1:08 - 1:10

use when i drive so she's got another
1:10 - 1:13

setting button and when she hits that
1:13 - 1:14

button
1:14 - 1:16

it all adjusts just to her now in a
1:16 - 1:18

similar way with the
1:18 - 1:20

profiles within wireshark if i'm
1:20 - 1:22

troubleshooting tcp i might want a
1:22 - 1:25

certain set of columns and coloring
1:25 - 1:28

rules and filters just for that protocol
1:28 - 1:30

or maybe i'm looking at voiceover ip or
1:30 - 1:32

tls or quick
1:32 - 1:34

now i'm going to want different things
1:34 - 1:35

depending on the protocol i'm looking at
1:35 - 1:37

and that's exactly what profiles allow
1:37 - 1:40

you to do to save filter buttons
1:40 - 1:44

coloring uh even dissectors i don't
1:44 - 1:46

always need every single wireshark
1:46 - 1:48

dissector for every profile
1:48 - 1:49

so one of the first things i want to
1:49 - 1:52

teach you with the wireshark analyzer is
1:52 - 1:54

going down and let's go ahead and go to
1:54 - 1:56

the right hand part of the screen
1:56 - 1:59

we're going to right click this
1:59 - 2:01

now if you're on default that's fine
2:01 - 2:03

everything that you do in change will be
2:03 - 2:04

saved to that profile
2:04 - 2:06

but let's go ahead and create a new
2:06 - 2:09

profile and as you can see there's
2:09 - 2:11

several in my copy of wireshark but i'm
2:11 - 2:13

going to go ahead and start a new one
2:13 - 2:15

and we're going to call this wireshark
2:15 - 2:18

master class doesn't that sound pretty
2:18 - 2:19

cool
2:19 - 2:20

and then we're going to hit ok so now we
2:20 - 2:22

can see in the lower right wireshark
2:22 - 2:24

masterclass at least this is just how
2:24 - 2:26

we're going to begin in getting
2:26 - 2:28

wireshark set up now if you notice up on
2:28 - 2:30

top i've got the frame number i've got
2:30 - 2:31

the time
2:31 - 2:33

source and destination ip addresses
2:33 - 2:35

protocol length and information now this
2:35 - 2:37

is where i want to start to customize
2:37 - 2:39

things first of all text is a little bit
2:39 - 2:40

small for me so i'm going to go to my
2:40 - 2:43

magnifying glass gonna boost that up
2:43 - 2:44

just a little bit
2:44 - 2:47

and you also notice that the columns
2:47 - 2:48

have kind of
2:48 - 2:50

come together they've almost collided a
2:50 - 2:51

little bit so i'm going to go over here
2:51 - 2:53

to the right and i'm just going to click
2:53 - 2:55

my little column
2:55 - 2:57

adjuster and that will set up everything
2:57 - 2:59

so nothing's overlapping
2:59 - 3:01

now another thing that i like to do now
3:01 - 3:03

this is a personal preference is
3:03 - 3:05

typically if i'm looking at the the
3:05 - 3:08

packet detail and the packet bytes in
3:08 - 3:10

most cases when i'm looking at protocols
3:10 - 3:11

i'm looking at header values that are
3:11 - 3:13

over here on the left and i typically
3:13 - 3:15

have this white space that's over here
3:15 - 3:17

on the right so another thing that i
3:17 - 3:20

like to do with many of my profiles is i
3:20 - 3:22

like to put the packet bytes
3:22 - 3:23

up here on the right
3:23 - 3:25

so i'm going to show you how to do that
3:25 - 3:28

and an important thing to learn about
3:28 - 3:29

wireshark
3:29 - 3:31

is the preferences that's where we can
3:31 - 3:33

set up the layout and the columns and
3:33 - 3:35

the buttons and some of the
3:35 - 3:37

customization with the protocols and we
3:37 - 3:39

can do all that under wireshark
3:39 - 3:41

preferences now to get to preferences if
3:41 - 3:42

you're on a windows machine you're going
3:42 - 3:45

to go to the edit menu and you're going
3:45 - 3:47

to come down to preferences down around
3:47 - 3:50

this area but i'm on a mac system so i'm
3:50 - 3:52

going to go to wireshark preferences
3:52 - 3:54

over here on the left
3:54 - 3:56

this brings up my preferences and what
3:56 - 3:58

i'd like to do is go ahead and go to
3:58 - 3:59

layout
3:59 - 4:02

and this is where i can set up do i want
4:02 - 4:05

the packet detail packet bytes packet
4:05 - 4:08

list all stacked on top of each other
4:08 - 4:10

depending on if i have a very large
4:10 - 4:12

monitor i might want to adjust that i
4:12 - 4:14

usually use the next one over to the
4:14 - 4:15

right
4:15 - 4:18

now another thing that's pretty fun is
4:18 - 4:20

in a recent version of wireshark here
4:20 - 4:21

i'm running
4:21 - 4:23

3.4.3 i believe
4:23 - 4:27

now under the packet any of the panes
4:27 - 4:29

you can also select packet diagram which
4:29 - 4:32

is pretty interesting to do in fact just
4:32 - 4:34

to show you that or demonstrate that i'm
4:34 - 4:36

going to go to packet diagram on this
4:36 - 4:38

one and let's go ahead and hit ok
4:38 - 4:40

and now we can see that our screen has
4:40 - 4:43

reconfigured and i also have this really
4:43 - 4:46

neato feature where i can see the actual
4:46 - 4:48

frame layout
4:48 - 4:51

and packet layout for the packet that
4:51 - 4:53

i've selected so for example if we take
4:53 - 4:55

a look at packet number one which by the
4:55 - 4:56

way i hope that you downloaded this
4:56 - 4:58

trace file down in the description and
4:58 - 5:00

you can follow along packet for packet
5:00 - 5:02

but if we go to packet number one here
5:02 - 5:05

we can see that encapsulated within this
5:05 - 5:08

packet we have ethernet ip and tcp
5:08 - 5:10

well over here on the right now that i
5:10 - 5:12

have that packet layout i can see the
5:12 - 5:14

ethernet framing
5:14 - 5:16

so there's my six byte destination six
5:16 - 5:19

byte source and my ether type and then i
5:19 - 5:22

have the ip header values and in fact if
5:22 - 5:24

i right click this guy and i can go to
5:24 - 5:26

show field values it'll actually pull
5:26 - 5:29

the values over from the packet itself
5:29 - 5:31

and put them in that layout now this is
5:31 - 5:33

pretty handy nice way to visualize a
5:33 - 5:35

protocol and the structure of that
5:35 - 5:38

protocol for the headers and neat
5:38 - 5:40

feature that was just added so i'm going
5:40 - 5:42

to go ahead and go back to preferences
5:42 - 5:45

and i'm actually going to change this on
5:45 - 5:46

my layout let's go to pane three i'm
5:46 - 5:48

going to go back to packet bytes all
5:48 - 5:50

right now while i'm here under
5:50 - 5:52

preferences there's a couple other
5:52 - 5:54

things that we're going to adjust again
5:54 - 5:55

just to make things a little bit easier
5:55 - 5:56

for us
5:56 - 5:59

i'm going to go to columns
5:59 - 6:02

and every packet head has to know how to
6:02 - 6:05

use and read a delta time column alright
6:05 - 6:07

if you haven't done that yet this is
6:07 - 6:08

something that surely you want to make
6:08 - 6:10

sure that you know how to add so i'm
6:10 - 6:12

going to come down here under columns
6:12 - 6:13

hit plus
6:13 - 6:17

and i'm going to name this column delta
6:17 - 6:19

and i'm going to choose the type is
6:19 - 6:23

going to be delta time displayed
6:23 - 6:24

alright
6:24 - 6:26

once i have that set up i can go ahead
6:26 - 6:29

and drag it up next to the time column
6:29 - 6:31

so now i can have a running total of
6:31 - 6:34

time or i can have a time of day or i
6:34 - 6:37

can have utc time and then right next to
6:37 - 6:39

that column i can have a delta time
6:39 - 6:41

which is going to display the amount of
6:41 - 6:43

time between displayed packets
6:43 - 6:46

very useful column to have when i'm
6:46 - 6:48

troubleshooting so i'm going to go ahead
6:48 - 6:51

and select ok and if we notice up top we
6:51 - 6:53

have our running total of time and our
6:53 - 6:55

delta time now by the way the time
6:55 - 6:58

column this is an adjustable time column
6:58 - 6:59

like i mentioned it can be time of day
6:59 - 7:03

it can be a year month day and then
7:03 - 7:05

actual time of day if i want so to
7:05 - 7:08

adjust this and what it shows that's
7:08 - 7:10

where we can go to view and we go to
7:10 - 7:12

time display format and this is where we
7:12 - 7:14

can select how we want time to be
7:14 - 7:17

represented in that time column
7:17 - 7:18

now usually i start out with seconds
7:18 - 7:20

since beginning of capture but hey
7:20 - 7:22

sometimes i have a client in new york
7:22 - 7:25

city and they send me a trace and i go
7:25 - 7:27

ahead and open it and if i do time of
7:27 - 7:28

day
7:28 - 7:31

wireshark will get the time of day off
7:31 - 7:33

of my system clock so if it says three
7:33 - 7:36

o'clock for them that means noon for me
7:36 - 7:38

so sometimes that's also why i would
7:38 - 7:40

like to use utc time
7:40 - 7:42

all right so we went ahead and adjusted
7:42 - 7:44

our screen layout we looked at the
7:44 - 7:46

packet layout view or those header
7:46 - 7:49

values and we went ahead and added a
7:49 - 7:50

delta time
7:50 - 7:53

now another thing that i like to do is i
7:53 - 7:55

like to color certain things because if
7:55 - 7:57

we look over here on the right this is
7:57 - 7:59

our intelligent scroll bar and at least
7:59 - 8:01

for this trace file you can see how
8:01 - 8:03

there's just a lot of beige and light
8:03 - 8:05

blue and
8:05 - 8:07

not a lot's going to jump out at you in
8:07 - 8:08

this trace because there's not a lot of
8:08 - 8:10

tcp errors and such but this is where
8:10 - 8:12

you would look for things like black
8:12 - 8:14

lines with red letters those are tcp
8:14 - 8:15

errors
8:15 - 8:17

but something else that i like to do is
8:17 - 8:20

i like to color my tcp syns and i'm
8:20 - 8:21

going to show you how to create a
8:21 - 8:23

coloring rule because then that will
8:23 - 8:25

help certain things jump out to you
8:25 - 8:27

now again uh there's a as a side note i
8:27 - 8:29

just want to thank hansung if he's
8:29 - 8:31

watching this video he's a friend of
8:31 - 8:34

mine from shark fest but he has a really
8:34 - 8:35

good
8:35 - 8:37

saying if you will and he often says my
8:37 - 8:39

way or the highway that means your
8:39 - 8:42

settings for wireshark are good for you
8:42 - 8:45

that's your troubleshooting style so no
8:45 - 8:46

one can ever tell you that that's wrong
8:46 - 8:48

if it works for you go to town that's
8:48 - 8:50

why there's all these great
8:50 - 8:52

configurations within wireshark
8:52 - 8:55

i like to paint my tcp sins bright green
8:55 - 8:57

you might like to make them
8:57 - 8:59

some odd color of brown that's totally
8:59 - 9:01

up to you and it's your way or the
9:01 - 9:03

highway but right now you're on my
9:03 - 9:04

highway so let me show you how to paint
9:04 - 9:06

those green i'm going to go ahead and go
9:06 - 9:08

up to the view menu and i'm going to
9:08 - 9:10

come down to coloring rules
9:10 - 9:11

and this will show you the standard
9:11 - 9:13

default coloring rules that come with
9:13 - 9:15

the default profile
9:15 - 9:16

some people hate these coloring rules
9:16 - 9:18

they delete them all or they just turn
9:18 - 9:20

off coloring altogether to do that you
9:20 - 9:22

just hit the button up on top that'll
9:22 - 9:24

enable or disable the coloring
9:24 - 9:27

altogether but to add a coloring rule we
9:27 - 9:28

hit our little plus button and i'm going
9:28 - 9:31

to call this one tcp
9:31 - 9:33

syn
9:33 - 9:36

and my filter is going to be tcp dot
9:36 - 9:38

flags dot sin
9:38 - 9:42

equals equals one so i like to color any
9:42 - 9:44

packet with a sin flag even the syn and
9:44 - 9:45

syn ack
9:45 - 9:47

i want that to be
9:47 - 9:49

green both of them so i want to see the
9:49 - 9:51

client trying to connect and the server
9:51 - 9:53

response now you might think well i just
9:53 - 9:55

want to have only this in or only the
9:55 - 9:57

synax this is where you can start to
9:57 - 9:59

goof around with our display filter you
9:59 - 10:02

can come back here to flags show me that
10:02 - 10:05

flags field equals equals 0x002
10:05 - 10:07

i'm going to show you how to get to that
10:07 - 10:10

value but this would just color the sin
10:10 - 10:11

not the synack
10:11 - 10:13

i don't like that i like to go
10:13 - 10:16

tcp.flags.sin
10:16 - 10:18

if i could type equals equals one so
10:18 - 10:20

there's my display filter so what i'm
10:20 - 10:22

saying is any packet that meets this
10:22 - 10:23

filter
10:23 - 10:25

this is how you should color it
10:25 - 10:28

okay so now that i've got my
10:28 - 10:30

tcp.flags.sin equals
10:30 - 10:33

one now i want to come down and actually
10:33 - 10:34

color it so i'm going to go to the
10:34 - 10:37

background and i'm going to go over here
10:37 - 10:38

pick a nice bright
10:38 - 10:40

packet pioneer green if you will a nice
10:40 - 10:42

packet head green and i'm going to say
10:42 - 10:43

ok
10:43 - 10:46

and there we go so now all packets that
10:46 - 10:49

meet tcp.flags.cent equals equals one
10:49 - 10:51

all of those will be green but what i
10:51 - 10:53

want to do is i'm going to actually drag
10:53 - 10:56

this below
10:56 - 10:58

the bad tcp
10:58 - 11:00

so what this means is if i have a sin if
11:00 - 11:02

i send off that sin
11:02 - 11:04

and if i have to retransmit it the first
11:04 - 11:06

sin is going to be bright green the
11:06 - 11:07

second one will be according to the bad
11:07 - 11:10

tcp rules it'll be black and red
11:10 - 11:13

right so i only want
11:13 - 11:15

the first sin to be green any
11:15 - 11:17

re-transmissions go ahead and make those
11:17 - 11:20

that that error indicator that bad tcp
11:20 - 11:21

let's say okay
11:21 - 11:23

now initially
11:23 - 11:25

you notice how my first packet is white
11:25 - 11:27

and the second one is green if you come
11:27 - 11:29

up here and just do a refresh it's
11:29 - 11:32

called another pass that'll just refresh
11:32 - 11:34

the view and run this trace file back
11:34 - 11:36

through the rules that we have enabled
11:36 - 11:38

so that will make sure that we have
11:38 - 11:40

everything colored right so there we go
11:40 - 11:42

we just added a coloring rule now again
11:42 - 11:44

you can add coloring rules for all kinds
11:44 - 11:46

of things do you want to color the tls
11:46 - 11:48

handshake do you want to color
11:48 - 11:51

the fins do you want to have the resets
11:51 - 11:53

be some type of interesting color that
11:53 - 11:55

really jump out of you so the coloring
11:55 - 11:58

rules are a nice thing to add
11:58 - 12:00

now along with that in this profile
12:00 - 12:02

what we also want to do is learn how to
12:02 - 12:04

add buttons
12:04 - 12:06

now throughout this course and if you
12:06 - 12:07

take any of my courses you're going to
12:07 - 12:10

notice our display filters we quickly
12:10 - 12:12

get into how to set different display
12:12 - 12:13

filters
12:13 - 12:16

so let's go ahead and create a button
12:16 - 12:20

that will set a filter just for our tcp
12:20 - 12:22

synths how about that
12:22 - 12:24

so if i come down here and go ahead and
12:24 - 12:26

pick that first packet i'm going to show
12:26 - 12:27

you a trick so you don't have to
12:27 - 12:29

remember the syntax for
12:29 - 12:32

display filters if you select our packet
12:32 - 12:34

that has whatever it is you're going to
12:34 - 12:36

filter for come down into our detail
12:36 - 12:38

view i'm going to go down to flags and
12:38 - 12:40

i'm going to go down to syn
12:40 - 12:42

let's say i want to filter for only
12:42 - 12:44

packets with the send bit
12:44 - 12:45

so i come down here and i'm going to
12:45 - 12:47

right click that and i'm going to say
12:47 - 12:49

prepare as filter
12:49 - 12:52

selected not not selected so i'm not
12:52 - 12:54

saying everything but let's go and hit
12:54 - 12:56

selected okay so we can see up above in
12:56 - 12:58

the display filter we got tcp dot flags
12:58 - 13:00

that's in equals equals one okay that's
13:00 - 13:03

great so if i apply that now i can see
13:03 - 13:04

just the two packets in the trace that
13:04 - 13:07

have that send bit set but i don't want
13:07 - 13:09

to have to type that again it's just one
13:09 - 13:11

of those things i just want to click a
13:11 - 13:14

button and have it be there but to do
13:14 - 13:16

that if i come over here to the plus
13:16 - 13:17

button
13:17 - 13:20

now i'll go ahead and see our filter
13:20 - 13:22

button where we can add a label i'm
13:22 - 13:25

going to call this tcp
13:25 - 13:26

syn
13:26 - 13:29

and my filter is that same filter as
13:29 - 13:32

above and i can say ok now i have a
13:32 - 13:34

button over here on the right so if i
13:34 - 13:36

ever open up a trace file and i quickly
13:36 - 13:38

just want to see the sims i can come
13:38 - 13:40

over here and click that button and i
13:40 - 13:42

only see those packets
13:42 - 13:44

now this is where we can do a lot of
13:44 - 13:46

customization with wireshark you can
13:46 - 13:48

have a lot of buttons up here and that
13:48 - 13:50

can highlight things that you're
13:50 - 13:52

specifically looking for in a trace file
13:52 - 13:54

don't worry as we go forward those are
13:54 - 13:56

the kind of things that i'm going to
13:56 - 13:57

teach you now one final thing i'd like
13:57 - 13:59

to teach you in this first lesson is how
13:59 - 14:01

to add columns up on top that's
14:01 - 14:02

something that you're going to
14:02 - 14:05

constantly be doing now to add a column
14:05 - 14:07

we i showed you how to do it the long
14:07 - 14:09

way we can go to preferences we can go
14:09 - 14:11

to columns and we can manually add one
14:11 - 14:13

like we did with the delta time view but
14:13 - 14:15

instead let's go ahead and add one
14:15 - 14:17

the more typical way that you're going
14:17 - 14:19

to do this so what i'm going to do is
14:19 - 14:21

i'm going to come down to tcp and i'm
14:21 - 14:23

going to take a look at tcp segment
14:23 - 14:25

length i'm going to right click this and
14:25 - 14:27

i'm going to come down to apply as
14:27 - 14:28

column
14:28 - 14:30

now if you notice i have the standard
14:30 - 14:33

frame length here by default but i want
14:33 - 14:35

to see the tcb segment length and the
14:35 - 14:36

reason
14:36 - 14:39

is that i'm often interested in how much
14:39 - 14:42

data is actually encompassed in the
14:42 - 14:44

payload so this shows me how much is
14:44 - 14:47

this packet actually carrying
14:47 - 14:50

in form of bytes of data
14:50 - 14:51

length is nice
14:51 - 14:54

but this is often what i'm digging for
14:54 - 14:56

so tcp segment length is a frequent one
14:56 - 14:58

that i have up here in fact it's so
14:58 - 15:00

frequent i'll often come over here to
15:00 - 15:02

length and i'll right click this and i
15:02 - 15:05

can either come down to length and
15:05 - 15:07

uncheck it so it will disappear
15:07 - 15:10

or i can remove this column from this
15:10 - 15:12

profile completely so i'm going to say
15:12 - 15:15

remove column and now i just have my tcp
15:15 - 15:17

segment length so this is an initial way
15:17 - 15:20

that you can set up wireshark what did
15:20 - 15:22

we learn let's go down our list we
15:22 - 15:24

talked about our screen layout so how to
15:24 - 15:26

adjust that we talked about how we can
15:26 - 15:29

change from packet bytes to the actual
15:29 - 15:31

header values of the packet or the
15:31 - 15:33

protocols we also talked about how to
15:33 - 15:36

add a button how to do a coloring rule
15:36 - 15:38

how to add and remove columns how to add
15:38 - 15:41

a custom column for our delta time and
15:41 - 15:43

to do some simple display filters so
15:43 - 15:46

look how much you were able to learn in
15:46 - 15:48

lesson one of the wireshark master class
15:48 - 15:50

so thanks for stopping by make sure that
15:50 - 15:52

you subscribe and hit the notification
15:52 - 15:54

bell because as i come out with these
15:54 - 15:56

master classes i want to make sure that
15:56 - 15:59

you're notified great to have you and
15:59 - 16:02

we'll see you on the next class
16:02 - 16:08

[Music]
16:14 - 16:16

you

Title:: Learn Wireshark in 15 Minutes! Lesson 1 for BEGINNERS
Description:: more » « less
Video Language:: English
Duration:: 16:14

	OEVIDEOS edited English subtitles for Learn Wireshark in 15 Minutes! Lesson 1 for BEGINNERS
	OEVIDEOS edited English subtitles for Learn Wireshark in 15 Minutes! Lesson 1 for BEGINNERS
	OEVIDEOS edited English subtitles for Learn Wireshark in 15 Minutes! Lesson 1 for BEGINNERS

English subtitles

Revisions Compare revisions

Revision 3 Edited

OEVIDEOS
Revision 2 Edited

OEVIDEOS
Revision 1 Uploaded

OEVIDEOS

	Revision Number	Author	Created
	3	OEVIDEOS
	2	OEVIDEOS
	1	OEVIDEOS

Learn Wireshark in 15 Minutes! Lesson 1 for BEGINNERS

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)