Learn Wireshark in 15 Minutes! Lesson 1 for BEGINNERS

Rollback to version 2

0:00 - 0:02

So, let's go ahead and
jump into lesson one.
0:02 - 0:04

Now, the important thing about
0:04 - 0:06

Wireshark when you're starting to look
0:06 - 0:09

at a trace file with it, is the setup.
0:09 - 0:12

Now, albeit, when you're
looking at Wireshark
0:12 - 0:14

at the start, it's a daunting thing to
0:14 - 0:16

look at, especially when you're first
0:16 - 0:18

getting going with using the analyzer. So
0:18 - 0:20

I want to show you a few things, a few
0:20 - 0:22

tricks that you can use to get a bit
0:22 - 0:24

more comfort with it. Now, as you can see
0:24 - 0:27

here on my copy of Wireshark, this is the
0:27 - 0:30

default profile. Now, that's the first
0:30 - 0:32

thing you want to learn about setting up
0:32 - 0:34

Wireshark. If you look at the lower right-
0:34 - 0:36

hand corner, you can see which profile
0:36 - 0:39

you're using. But what's a profile?
0:39 - 0:43

Well, a profile is basically a set
0:43 - 0:45

of configurations or settings. Think
0:45 - 0:48

about it this way. If I go out to my car,
0:48 - 0:50

I'm six foot two.
0:50 - 0:53

I want a certain setup for my seat, and I
0:53 - 0:55

want my steering wheel in a certain place,
0:55 - 0:57

and the rear view mirrors, and a
0:57 - 0:59

lot of cars have the ability to just
0:59 - 1:01

touch a button, and everything goes to me.
1:01 - 1:03

Well my wife goes out there, and she's
1:03 - 1:06

five foot one, so she can't just jump in
1:06 - 1:08

the same kind of settings that I like to
1:08 - 1:10

use when I drive. So, she's got another
1:10 - 1:14

setting button, and when
she hits that button,
1:14 - 1:16

it all adjusts just to her. Now, in a
1:16 - 1:18

similar way with the
1:18 - 1:20

profiles within Wireshark, if I'm
1:20 - 1:22

troubleshooting tcp, I might want a
1:22 - 1:25

certain set of columns, and coloring
1:25 - 1:28

rules, and filters just for that protocol
1:28 - 1:30

Or maybe I'm looking at VoiceOver IP, or
1:30 - 1:32

TLS, or Quick.
1:32 - 1:34

Now, I'm going to want different things
1:34 - 1:35

depending on the protocol I'm looking at,
1:35 - 1:37

and that's exactly what profiles allow
1:37 - 1:40

you to do. To save filter buttons,
1:40 - 1:44

coloring, even dissectors. I don't
1:44 - 1:46

always need every single Wireshark
1:46 - 1:48

dissector for every profile.
1:48 - 1:49

So, one of the first things I want to
1:49 - 1:52

teach you with the Wireshark analyzer is
1:52 - 1:54

going down. And let's go ahead and go to
1:54 - 1:56

the right-hand part of the screen.
1:56 - 1:59

We're going to right click this.
1:59 - 2:01

Now, if you're on default, that's fine.
2:01 - 2:03

Everything that you do and change will be
2:03 - 2:04

saved to that profile.
2:04 - 2:06

But let's go ahead and create a new
2:06 - 2:09

profile. And as you can see, there's
2:09 - 2:11

several in my copy of Wireshark, but I'm
2:11 - 2:13

going to go ahead and start a new one,
2:13 - 2:15

and we're going to call this Wireshark
2:15 - 2:19

Master Class.
Doesn't that sound pretty cool?
2:19 - 2:20

And then we're going to hit 'ok'.
2:20 - 2:22

So now we can see in the
lower right, Wireshark
2:22 - 2:24

Master Class, at least this is just how
2:24 - 2:26

we're going to begin in getting
2:26 - 2:28

Wireshark set up. Now, if you notice up on
2:28 - 2:31

top, I've got the frame number,
I've got the time,
2:31 - 2:33

source and destination IP addresses,
2:33 - 2:35

protocol length and information.
2:35 - 2:37

Now this is where I want
to start to customize
2:37 - 2:39

things. First of all, text is a little bit
2:39 - 2:40

small for me, so I'm going to go to my
2:40 - 2:43

magnifying glass, gonna boost that up
2:43 - 2:44

just a little bit.
2:44 - 2:47

And you also notice that the columns
2:47 - 2:48

have kind of
2:48 - 2:50

come together. They've almost collided a
2:50 - 2:51

little bit, so I'm going to go over here
2:51 - 2:53

to the right, and I'm just going to click
2:53 - 2:55

my little column adjuster,
2:55 - 2:57

and that will set up everything
2:57 - 2:59

so nothing's overlapping.
2:59 - 3:01

Now, another thing that I
like to do...now,
3:01 - 3:03

this is a personal preference, is
3:03 - 3:05

typically, if I'm looking at the
3:05 - 3:08

packet detail and the packet bytes, in
3:08 - 3:10

most cases, when I'm looking at protocols
3:10 - 3:11

I'm looking at header values that are
3:11 - 3:13

over here on the left. And I typically
3:13 - 3:15

have this white space that's over here
3:15 - 3:17

on the right. So another thing that I
3:17 - 3:20

like to do with many of my profiles is I
3:20 - 3:22

like to put the packet bytes
3:22 - 3:23

up here on the right.
3:23 - 3:25

So I'm going to show you how to do that.
3:25 - 3:29

And an important thing to
learn about Wireshark
3:29 - 3:31

is the preferences. That's where we can
3:31 - 3:33

set up the layout, and the columns, and
3:33 - 3:35

the buttons, and some of the
3:35 - 3:37

customization with the protocols, and we
3:37 - 3:39

can do all that under Wireshark
3:39 - 3:41

preferences. Now, to get
to preferences, if
3:41 - 3:42

you're on a Windows machine, you're going
3:42 - 3:45

to go to the Edit menu, and you're going
3:45 - 3:47

to come down to preferences down around
3:47 - 3:50

this area. But I'm on a Mac system, so I'm
3:50 - 3:52

going to go to Wireshark preferences
3:52 - 3:54

over here on the left.
3:54 - 3:56

This brings up my preferences, and what
3:56 - 3:59

I'd like to do is go ahead
and go to layout,
3:59 - 4:02

and this is where I can set up...do I want
4:02 - 4:05

the packet detail, packet bytes, packet
4:05 - 4:08

list all stacked on top of each other?
4:08 - 4:10

Depending on if I have a very large
4:10 - 4:12

monitor, I might want to adjust that.
4:12 - 4:15

I usually use the next one
over to the right.
4:15 - 4:18

Now, another thing that's pretty fun is
4:18 - 4:20

in a recent version of Wireshark, here
4:20 - 4:23

I'm running 3.4.3, I believe,
4:23 - 4:27

now, under the packet, any of the panes
4:27 - 4:29

you can also select
'packet diagram', which
4:29 - 4:32

is pretty interesting to do. In fact, just
4:32 - 4:34

to show you that, or demonstrate that, I'm
4:34 - 4:36

going to go to 'packet diagram' on this
4:36 - 4:38

one. And let's go ahead and hit 'ok'.
4:38 - 4:40

And now we can see that our screen has
4:40 - 4:43

reconfigured, and I also have this really
4:43 - 4:48

neat-o feature, where I can
see the actual frame layout
4:48 - 4:51

and packet layout for the packet that
4:51 - 4:53

I've selected. So, for example, if we take
4:53 - 4:55

a look at packet #1, which, by the
4:55 - 4:56

way, I hope that you downloaded this
4:56 - 4:58

trace file down in the description, and
4:58 - 5:00

you can follow along packet for packet,
5:00 - 5:02

but if we go to packet #1, here
5:02 - 5:05

we can see that encapsulated within this
5:05 - 5:08

packet, we have ethernet, IP, and tcp.
5:08 - 5:10

Well, over here on the right, now that I
5:10 - 5:14

have that packet layout,
I can see the ethernet framing.
5:14 - 5:16

So there's my six-byte, destination six-
5:16 - 5:19

byte source, and my ether type, and then I
5:19 - 5:22

have the IP header values. And in fact, if
5:22 - 5:24

I right-click this guy, and I can go to
5:24 - 5:26

'show field values', it'll actually pull
5:26 - 5:29

the values over from the packet itself
5:29 - 5:31

and put them in that layout. Now, this is
5:31 - 5:33

pretty handy, nice way to visualize a
5:33 - 5:35

protocol and the structure of that
5:35 - 5:38

protocol for the headers, and neat
5:38 - 5:40

feature that was just added. So I'm going
5:40 - 5:42

to go ahead and go back to preferences,
5:42 - 5:45

and I'm actually going to change this on
5:45 - 5:46

my layout. Let's go to pane three.
5:46 - 5:48

I'm going to go back to packet bytes.
5:48 - 5:50

Alright? Now, while I'm here under
5:50 - 5:52

preferences, there's a couple other
5:52 - 5:54

things that we're going to adjust. Again,
5:54 - 5:56

just to make things
a little bit easier for us.
5:56 - 5:59

I'm going to go to columns,
5:59 - 6:02

and every packet head has to know how to
6:02 - 6:05

use and read a delta time column, alright?
6:05 - 6:07

If you haven't done that yet, this is
6:07 - 6:08

something that surely you want to make
6:08 - 6:10

sure that you know how to add. So I'm
6:10 - 6:13

going to come down here
under columns, hit plus,
6:13 - 6:17

and I'm going to name this column 'Delta',
6:17 - 6:19

and I'm going to choose...the type is
6:19 - 6:24

going to be Delta Time Displayed. Alright?
6:24 - 6:26

Once I have that set up, I can go ahead
6:26 - 6:29

and drag it up next to the time column,
6:29 - 6:31

so now I can have a running total of
6:31 - 6:34

time, or I can have a time of day, or I
6:34 - 6:37

can have UTC time, and then right next to
6:37 - 6:39

that column, I can have a Delta time,
6:39 - 6:41

which is going to display the amount of
6:41 - 6:43

time between displayed packets.
6:43 - 6:46

Very useful column to have when I'm
6:46 - 6:48

troubleshooting. So I'm going to go ahead
6:48 - 6:51

and select 'ok'. And
if we notice up top, we
6:51 - 6:53

have our running total of time, and our
6:53 - 6:55

Delta time. Now, by the way, the time
6:55 - 6:58

column. This is an adjustable time column.
6:58 - 7:00

Like I mentioned, it can be time of day
7:00 - 7:03

it can be year, month, day, and then
7:03 - 7:05

actual time of day if I want. So to
7:05 - 7:08

adjust this and what it shows, that's
7:08 - 7:10

where we can go to view and we go to
7:10 - 7:12

time display format and this is where we
7:12 - 7:14

can select how we want time to be
7:14 - 7:17

represented in that time column
7:17 - 7:18

now usually i start out with seconds
7:18 - 7:20

since beginning of capture but hey
7:20 - 7:22

sometimes i have a client in new york
7:22 - 7:25

city and they send me a trace and i go
7:25 - 7:27

ahead and open it and if i do time of
7:27 - 7:28

day
7:28 - 7:31

wireshark will get the time of day off
7:31 - 7:33

of my system clock so if it says three
7:33 - 7:36

o'clock for them that means noon for me
7:36 - 7:38

so sometimes that's also why i would
7:38 - 7:40

like to use utc time
7:40 - 7:42

all right so we went ahead and adjusted
7:42 - 7:44

our screen layout we looked at the
7:44 - 7:46

packet layout view or those header
7:46 - 7:49

values and we went ahead and added a
7:49 - 7:50

delta time
7:50 - 7:53

now another thing that i like to do is i
7:53 - 7:55

like to color certain things because if
7:55 - 7:57

we look over here on the right this is
7:57 - 7:59

our intelligent scroll bar and at least
7:59 - 8:01

for this trace file you can see how
8:01 - 8:03

there's just a lot of beige and light
8:03 - 8:05

blue and
8:05 - 8:07

not a lot's going to jump out at you in
8:07 - 8:08

this trace because there's not a lot of
8:08 - 8:10

tcp errors and such but this is where
8:10 - 8:12

you would look for things like black
8:12 - 8:14

lines with red letters those are tcp
8:14 - 8:15

errors
8:15 - 8:17

but something else that i like to do is
8:17 - 8:20

i like to color my tcp syns and i'm
8:20 - 8:21

going to show you how to create a
8:21 - 8:23

coloring rule because then that will
8:23 - 8:25

help certain things jump out to you
8:25 - 8:27

now again uh there's a as a side note i
8:27 - 8:29

just want to thank hansung if he's
8:29 - 8:31

watching this video he's a friend of
8:31 - 8:34

mine from shark fest but he has a really
8:34 - 8:35

good
8:35 - 8:37

saying if you will and he often says my
8:37 - 8:39

way or the highway that means your
8:39 - 8:42

settings for wireshark are good for you
8:42 - 8:45

that's your troubleshooting style so no
8:45 - 8:46

one can ever tell you that that's wrong
8:46 - 8:48

if it works for you go to town that's
8:48 - 8:50

why there's all these great
8:50 - 8:52

configurations within wireshark
8:52 - 8:55

i like to paint my tcp sins bright green
8:55 - 8:57

you might like to make them
8:57 - 8:59

some odd color of brown that's totally
8:59 - 9:01

up to you and it's your way or the
9:01 - 9:03

highway but right now you're on my
9:03 - 9:04

highway so let me show you how to paint
9:04 - 9:06

those green i'm going to go ahead and go
9:06 - 9:08

up to the view menu and i'm going to
9:08 - 9:10

come down to coloring rules
9:10 - 9:11

and this will show you the standard
9:11 - 9:13

default coloring rules that come with
9:13 - 9:15

the default profile
9:15 - 9:16

some people hate these coloring rules
9:16 - 9:18

they delete them all or they just turn
9:18 - 9:20

off coloring altogether to do that you
9:20 - 9:22

just hit the button up on top that'll
9:22 - 9:24

enable or disable the coloring
9:24 - 9:27

altogether but to add a coloring rule we
9:27 - 9:28

hit our little plus button and i'm going
9:28 - 9:31

to call this one tcp
9:31 - 9:33

syn
9:33 - 9:36

and my filter is going to be tcp dot
9:36 - 9:38

flags dot sin
9:38 - 9:42

equals equals one so i like to color any
9:42 - 9:44

packet with a sin flag even the syn and
9:44 - 9:45

syn ack
9:45 - 9:47

i want that to be
9:47 - 9:49

green both of them so i want to see the
9:49 - 9:51

client trying to connect and the server
9:51 - 9:53

response now you might think well i just
9:53 - 9:55

want to have only this in or only the
9:55 - 9:57

synax this is where you can start to
9:57 - 9:59

goof around with our display filter you
9:59 - 10:02

can come back here to flags show me that
10:02 - 10:05

flags field equals equals 0x002
10:05 - 10:07

i'm going to show you how to get to that
10:07 - 10:10

value but this would just color the sin
10:10 - 10:11

not the synack
10:11 - 10:13

i don't like that i like to go
10:13 - 10:16

tcp.flags.sin
10:16 - 10:18

if i could type equals equals one so
10:18 - 10:20

there's my display filter so what i'm
10:20 - 10:22

saying is any packet that meets this
10:22 - 10:23

filter
10:23 - 10:25

this is how you should color it
10:25 - 10:28

okay so now that i've got my
10:28 - 10:30

tcp.flags.sin equals
10:30 - 10:33

one now i want to come down and actually
10:33 - 10:34

color it so i'm going to go to the
10:34 - 10:37

background and i'm going to go over here
10:37 - 10:38

pick a nice bright
10:38 - 10:40

packet pioneer green if you will a nice
10:40 - 10:42

packet head green and i'm going to say
10:42 - 10:43

ok
10:43 - 10:46

and there we go so now all packets that
10:46 - 10:49

meet tcp.flags.cent equals equals one
10:49 - 10:51

all of those will be green but what i
10:51 - 10:53

want to do is i'm going to actually drag
10:53 - 10:56

this below
10:56 - 10:58

the bad tcp
10:58 - 11:00

so what this means is if i have a sin if
11:00 - 11:02

i send off that sin
11:02 - 11:04

and if i have to retransmit it the first
11:04 - 11:06

sin is going to be bright green the
11:06 - 11:07

second one will be according to the bad
11:07 - 11:10

tcp rules it'll be black and red
11:10 - 11:13

right so i only want
11:13 - 11:15

the first sin to be green any
11:15 - 11:17

re-transmissions go ahead and make those
11:17 - 11:20

that that error indicator that bad tcp
11:20 - 11:21

let's say okay
11:21 - 11:23

now initially
11:23 - 11:25

you notice how my first packet is white
11:25 - 11:27

and the second one is green if you come
11:27 - 11:29

up here and just do a refresh it's
11:29 - 11:32

called another pass that'll just refresh
11:32 - 11:34

the view and run this trace file back
11:34 - 11:36

through the rules that we have enabled
11:36 - 11:38

so that will make sure that we have
11:38 - 11:40

everything colored right so there we go
11:40 - 11:42

we just added a coloring rule now again
11:42 - 11:44

you can add coloring rules for all kinds
11:44 - 11:46

of things do you want to color the tls
11:46 - 11:48

handshake do you want to color
11:48 - 11:51

the fins do you want to have the resets
11:51 - 11:53

be some type of interesting color that
11:53 - 11:55

really jump out of you so the coloring
11:55 - 11:58

rules are a nice thing to add
11:58 - 12:00

now along with that in this profile
12:00 - 12:02

what we also want to do is learn how to
12:02 - 12:04

add buttons
12:04 - 12:06

now throughout this course and if you
12:06 - 12:07

take any of my courses you're going to
12:07 - 12:10

notice our display filters we quickly
12:10 - 12:12

get into how to set different display
12:12 - 12:13

filters
12:13 - 12:16

so let's go ahead and create a button
12:16 - 12:20

that will set a filter just for our tcp
12:20 - 12:22

synths how about that
12:22 - 12:24

so if i come down here and go ahead and
12:24 - 12:26

pick that first packet i'm going to show
12:26 - 12:27

you a trick so you don't have to
12:27 - 12:29

remember the syntax for
12:29 - 12:32

display filters if you select our packet
12:32 - 12:34

that has whatever it is you're going to
12:34 - 12:36

filter for come down into our detail
12:36 - 12:38

view i'm going to go down to flags and
12:38 - 12:40

i'm going to go down to syn
12:40 - 12:42

let's say i want to filter for only
12:42 - 12:44

packets with the send bit
12:44 - 12:45

so i come down here and i'm going to
12:45 - 12:47

right click that and i'm going to say
12:47 - 12:49

prepare as filter
12:49 - 12:52

selected not not selected so i'm not
12:52 - 12:54

saying everything but let's go and hit
12:54 - 12:56

selected okay so we can see up above in
12:56 - 12:58

the display filter we got tcp dot flags
12:58 - 13:00

that's in equals equals one okay that's
13:00 - 13:03

great so if i apply that now i can see
13:03 - 13:04

just the two packets in the trace that
13:04 - 13:07

have that send bit set but i don't want
13:07 - 13:09

to have to type that again it's just one
13:09 - 13:11

of those things i just want to click a
13:11 - 13:14

button and have it be there but to do
13:14 - 13:16

that if i come over here to the plus
13:16 - 13:17

button
13:17 - 13:20

now i'll go ahead and see our filter
13:20 - 13:22

button where we can add a label i'm
13:22 - 13:25

going to call this tcp
13:25 - 13:26

syn
13:26 - 13:29

and my filter is that same filter as
13:29 - 13:32

above and i can say ok now i have a
13:32 - 13:34

button over here on the right so if i
13:34 - 13:36

ever open up a trace file and i quickly
13:36 - 13:38

just want to see the sims i can come
13:38 - 13:40

over here and click that button and i
13:40 - 13:42

only see those packets
13:42 - 13:44

now this is where we can do a lot of
13:44 - 13:46

customization with wireshark you can
13:46 - 13:48

have a lot of buttons up here and that
13:48 - 13:50

can highlight things that you're
13:50 - 13:52

specifically looking for in a trace file
13:52 - 13:54

don't worry as we go forward those are
13:54 - 13:56

the kind of things that i'm going to
13:56 - 13:57

teach you now one final thing i'd like
13:57 - 13:59

to teach you in this first lesson is how
13:59 - 14:01

to add columns up on top that's
14:01 - 14:02

something that you're going to
14:02 - 14:05

constantly be doing now to add a column
14:05 - 14:07

we i showed you how to do it the long
14:07 - 14:09

way we can go to preferences we can go
14:09 - 14:11

to columns and we can manually add one
14:11 - 14:13

like we did with the delta time view but
14:13 - 14:15

instead let's go ahead and add one
14:15 - 14:17

the more typical way that you're going
14:17 - 14:19

to do this so what i'm going to do is
14:19 - 14:21

i'm going to come down to tcp and i'm
14:21 - 14:23

going to take a look at tcp segment
14:23 - 14:25

length i'm going to right click this and
14:25 - 14:27

i'm going to come down to apply as
14:27 - 14:28

column
14:28 - 14:30

now if you notice i have the standard
14:30 - 14:33

frame length here by default but i want
14:33 - 14:35

to see the tcb segment length and the
14:35 - 14:36

reason
14:36 - 14:39

is that i'm often interested in how much
14:39 - 14:42

data is actually encompassed in the
14:42 - 14:44

payload so this shows me how much is
14:44 - 14:47

this packet actually carrying
14:47 - 14:50

in form of bytes of data
14:50 - 14:51

length is nice
14:51 - 14:54

but this is often what i'm digging for
14:54 - 14:56

so tcp segment length is a frequent one
14:56 - 14:58

that i have up here in fact it's so
14:58 - 15:00

frequent i'll often come over here to
15:00 - 15:02

length and i'll right click this and i
15:02 - 15:05

can either come down to length and
15:05 - 15:07

uncheck it so it will disappear
15:07 - 15:10

or i can remove this column from this
15:10 - 15:12

profile completely so i'm going to say
15:12 - 15:15

remove column and now i just have my tcp
15:15 - 15:17

segment length so this is an initial way
15:17 - 15:20

that you can set up wireshark what did
15:20 - 15:22

we learn let's go down our list we
15:22 - 15:24

talked about our screen layout so how to
15:24 - 15:26

adjust that we talked about how we can
15:26 - 15:29

change from packet bytes to the actual
15:29 - 15:31

header values of the packet or the
15:31 - 15:33

protocols we also talked about how to
15:33 - 15:36

add a button how to do a coloring rule
15:36 - 15:38

how to add and remove columns how to add
15:38 - 15:41

a custom column for our delta time and
15:41 - 15:43

to do some simple display filters so
15:43 - 15:46

look how much you were able to learn in
15:46 - 15:48

lesson one of the wireshark master class
15:48 - 15:50

so thanks for stopping by make sure that
15:50 - 15:52

you subscribe and hit the notification
15:52 - 15:54

bell because as i come out with these
15:54 - 15:56

master classes i want to make sure that
15:56 - 15:59

you're notified great to have you and
15:59 - 16:02

we'll see you on the next class
16:02 - 16:08

[Music]
16:14 - 16:16

you

Title:: Learn Wireshark in 15 Minutes! Lesson 1 for BEGINNERS
Description:: more » « less
Video Language:: English
Duration:: 16:14

	OEVIDEOS edited English subtitles for Learn Wireshark in 15 Minutes! Lesson 1 for BEGINNERS
	OEVIDEOS edited English subtitles for Learn Wireshark in 15 Minutes! Lesson 1 for BEGINNERS
	OEVIDEOS edited English subtitles for Learn Wireshark in 15 Minutes! Lesson 1 for BEGINNERS

English subtitles

Revisions Compare revisions

Revision 3 Edited

OEVIDEOS
Revision 2 Edited

OEVIDEOS
Revision 1 Uploaded

OEVIDEOS

	Revision Number	Author	Created
	3	OEVIDEOS
	2	OEVIDEOS
	1	OEVIDEOS

Learn Wireshark in 15 Minutes! Lesson 1 for BEGINNERS

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)