Learn Wireshark in 15 Minutes! Lesson 1 for BEGINNERS

Edit subtitles

0:00 - 0:02

So, let's go ahead and
jump into lesson one.
0:02 - 0:04

Now, the important thing about
0:04 - 0:06

Wireshark when you're starting to look
0:06 - 0:09

at a trace file with it, is the setup.
0:09 - 0:12

Now, albeit, when you're
looking at Wireshark
0:12 - 0:14

at the start, it's a daunting thing to
0:14 - 0:16

look at, especially when you're first
0:16 - 0:18

getting going with using the analyzer. So
0:18 - 0:20

I want to show you a few things, a few
0:20 - 0:22

tricks that you can use to get a bit
0:22 - 0:24

more comfort with it. Now, as you can see
0:24 - 0:27

here on my copy of Wireshark, this is the
0:27 - 0:30

default profile. Now, that's the first
0:30 - 0:32

thing you want to learn about setting up
0:32 - 0:34

Wireshark. If you look at the lower right-
0:34 - 0:36

hand corner, you can see which profile
0:36 - 0:39

you're using. But what's a profile?
0:39 - 0:43

Well, a profile is basically a set
0:43 - 0:45

of configurations or settings. Think
0:45 - 0:48

about it this way. If I go out to my car,
0:48 - 0:50

I'm six foot two.
0:50 - 0:53

I want a certain setup for my seat, and I
0:53 - 0:55

want my steering wheel in a certain place,
0:55 - 0:57

and the rear view mirrors, and a
0:57 - 0:59

lot of cars have the ability to just
0:59 - 1:01

touch a button, and everything goes to me.
1:01 - 1:03

Well my wife goes out there, and she's
1:03 - 1:06

five foot one, so she can't just jump in
1:06 - 1:08

the same kind of settings that I like to
1:08 - 1:10

use when I drive. So, she's got another
1:10 - 1:14

setting button, and when
she hits that button,
1:14 - 1:16

it all adjusts just to her. Now, in a
1:16 - 1:18

similar way with the
1:18 - 1:20

profiles within Wireshark, if I'm
1:20 - 1:22

troubleshooting tcp, I might want a
1:22 - 1:25

certain set of columns, and coloring
1:25 - 1:28

rules, and filters just for that protocol
1:28 - 1:30

Or maybe I'm looking at VoiceOver IP, or
1:30 - 1:32

TLS, or Quick.
1:32 - 1:34

Now, I'm going to want different things
1:34 - 1:35

depending on the protocol I'm looking at,
1:35 - 1:37

and that's exactly what profiles allow
1:37 - 1:40

you to do. To save filter buttons,
1:40 - 1:44

coloring, even dissectors. I don't
1:44 - 1:46

always need every single Wireshark
1:46 - 1:48

dissector for every profile.
1:48 - 1:49

So, one of the first things I want to
1:49 - 1:52

teach you with the Wireshark analyzer is
1:52 - 1:54

going down. And let's go ahead and go to
1:54 - 1:56

the right-hand part of the screen.
1:56 - 1:59

We're going to right click this.
1:59 - 2:01

Now, if you're on default, that's fine.
2:01 - 2:03

Everything that you do and change will be
2:03 - 2:04

saved to that profile.
2:04 - 2:06

But let's go ahead and create a new
2:06 - 2:09

profile. And as you can see, there's
2:09 - 2:11

several in my copy of Wireshark, but I'm
2:11 - 2:13

going to go ahead and start a new one,
2:13 - 2:15

and we're going to call this Wireshark
2:15 - 2:19

Master Class.
Doesn't that sound pretty cool?
2:19 - 2:20

And then we're going to hit 'ok'.
2:20 - 2:22

So now we can see in the
lower right, Wireshark
2:22 - 2:24

Master Class, at least this is just how
2:24 - 2:26

we're going to begin in getting
2:26 - 2:28

Wireshark set up. Now, if you notice up on
2:28 - 2:31

top, I've got the frame number,
I've got the time,
2:31 - 2:33

source and destination IP addresses,
2:33 - 2:35

protocol length and information.
2:35 - 2:37

Now this is where I want
to start to customize
2:37 - 2:39

things. First of all, text is a little bit
2:39 - 2:40

small for me, so I'm going to go to my
2:40 - 2:43

magnifying glass, gonna boost that up
2:43 - 2:44

just a little bit.
2:44 - 2:47

And you also notice that the columns
2:47 - 2:48

have kind of
2:48 - 2:50

come together. They've almost collided a
2:50 - 2:51

little bit, so I'm going to go over here
2:51 - 2:53

to the right, and I'm just going to click
2:53 - 2:55

my little column adjuster,
2:55 - 2:57

and that will set up everything
2:57 - 2:59

so nothing's overlapping.
2:59 - 3:01

Now, another thing that I
like to do...now,
3:01 - 3:03

this is a personal preference, is
3:03 - 3:05

typically, if I'm looking at the
3:05 - 3:08

packet detail and the packet bytes, in
3:08 - 3:10

most cases, when I'm looking at protocols
3:10 - 3:11

I'm looking at header values that are
3:11 - 3:13

over here on the left. And I typically
3:13 - 3:15

have this white space that's over here
3:15 - 3:17

on the right. So another thing that I
3:17 - 3:20

like to do with many of my profiles is I
3:20 - 3:22

like to put the packet bytes
3:22 - 3:23

up here on the right.
3:23 - 3:25

So I'm going to show you how to do that.
3:25 - 3:29

And an important thing to
learn about Wireshark
3:29 - 3:31

is the preferences. That's where we can
3:31 - 3:33

set up the layout, and the columns, and
3:33 - 3:35

the buttons, and some of the
3:35 - 3:37

customization with the protocols, and we
3:37 - 3:39

can do all that under Wireshark
3:39 - 3:41

preferences. Now, to get
to preferences, if
3:41 - 3:42

you're on a Windows machine, you're going
3:42 - 3:45

to go to the Edit menu, and you're going
3:45 - 3:47

to come down to preferences down around
3:47 - 3:50

this area. But I'm on a Mac system, so I'm
3:50 - 3:52

going to go to Wireshark preferences
3:52 - 3:54

over here on the left.
3:54 - 3:56

This brings up my preferences, and what
3:56 - 3:59

I'd like to do is go ahead
and go to layout,
3:59 - 4:02

and this is where I can set up...do I want
4:02 - 4:05

the packet detail, packet bytes, packet
4:05 - 4:08

list all stacked on top of each other?
4:08 - 4:10

Depending on if I have a very large
4:10 - 4:12

monitor, I might want to adjust that.
4:12 - 4:15

I usually use the next one
over to the right.
4:15 - 4:18

Now, another thing that's pretty fun is
4:18 - 4:20

in a recent version of Wireshark, here
4:20 - 4:23

I'm running 3.4.3, I believe,
4:23 - 4:27

now, under the packet, any of the panes
4:27 - 4:29

you can also select
'packet diagram', which
4:29 - 4:32

is pretty interesting to do. In fact, just
4:32 - 4:34

to show you that, or demonstrate that, I'm
4:34 - 4:36

going to go to 'packet diagram' on this
4:36 - 4:38

one. And let's go ahead and hit 'ok'.
4:38 - 4:40

And now we can see that our screen has
4:40 - 4:43

reconfigured, and I also have this really
4:43 - 4:48

neat-o feature, where I can
see the actual frame layout
4:48 - 4:51

and packet layout for the packet that
4:51 - 4:53

I've selected. So, for example, if we take
4:53 - 4:55

a look at packet #1, which, by the
4:55 - 4:56

way, I hope that you downloaded this
4:56 - 4:58

trace file down in the description, and
4:58 - 5:00

you can follow along packet for packet,
5:00 - 5:02

but if we go to packet #1, here
5:02 - 5:05

we can see that encapsulated within this
5:05 - 5:08

packet, we have ethernet, IP, and tcp.
5:08 - 5:10

Well, over here on the right, now that I
5:10 - 5:14

have that packet layout,
I can see the ethernet framing.
5:14 - 5:16

So there's my six-byte, destination six-
5:16 - 5:19

byte source, and my ether type, and then I
5:19 - 5:22

have the IP header values. And in fact, if
5:22 - 5:24

I right-click this guy, and I can go to
5:24 - 5:26

'show field values', it'll actually pull
5:26 - 5:29

the values over from the packet itself
5:29 - 5:31

and put them in that layout. Now, this is
5:31 - 5:33

pretty handy, nice way to visualize a
5:33 - 5:35

protocol and the structure of that
5:35 - 5:38

protocol for the headers, and neat
5:38 - 5:40

feature that was just added. So I'm going
5:40 - 5:42

to go ahead and go back to preferences,
5:42 - 5:45

and I'm actually going to change this on
5:45 - 5:46

my layout. Let's go to pane three.
5:46 - 5:48

I'm going to go back to packet bytes.
5:48 - 5:50

Alright? Now, while I'm here under
5:50 - 5:52

preferences, there's a couple other
5:52 - 5:54

things that we're going to adjust. Again,
5:54 - 5:56

just to make things
a little bit easier for us.
5:56 - 5:59

I'm going to go to columns,
5:59 - 6:02

and every packet head has to know how to
6:02 - 6:05

use and read a delta time column, alright?
6:05 - 6:07

If you haven't done that yet, this is
6:07 - 6:08

something that surely you want to make
6:08 - 6:10

sure that you know how to add. So I'm
6:10 - 6:13

going to come down here
under columns, hit plus,
6:13 - 6:17

and I'm going to name this column 'Delta',
6:17 - 6:19

and I'm going to choose...the type is
6:19 - 6:24

going to be Delta Time Displayed. Alright?
6:24 - 6:26

Once I have that set up, I can go ahead
6:26 - 6:29

and drag it up next to the time column,
6:29 - 6:31

so now I can have a running total of
6:31 - 6:34

time, or I can have a time of day, or I
6:34 - 6:37

can have UTC time, and then right next to
6:37 - 6:39

that column, I can have a Delta time,
6:39 - 6:41

which is going to display the amount of
6:41 - 6:43

time between displayed packets.
6:43 - 6:46

Very useful column to have when I'm
6:46 - 6:48

troubleshooting. So I'm going to go ahead
6:48 - 6:51

and select 'ok'. And
if we notice up top, we
6:51 - 6:53

have our running total of time, and our
6:53 - 6:55

Delta time. Now, by the way, the time
6:55 - 6:58

column. This is an adjustable time column.
6:58 - 7:00

Like I mentioned, it can be time of day
7:00 - 7:03

it can be year, month, day, and then
7:03 - 7:05

actual time of day if I want. So to
7:05 - 7:08

adjust this and what it shows, that's
7:08 - 7:10

where we can go to 'view', and we go to
7:10 - 7:12

'time display format',
and this is where we
7:12 - 7:14

can select how we want time to be
7:14 - 7:17

represented in that time column.
7:17 - 7:18

Now, usually, I start out with seconds
7:18 - 7:20

since beginning of capture, but hey,
7:20 - 7:22

sometimes I have a client in New York
7:22 - 7:25

City, and they send me a trace and I go
7:25 - 7:28

ahead and open it,
and if I do time of day,
7:28 - 7:31

Wireshark will get the time of day off
7:31 - 7:33

of my system clock. So if it says three
7:33 - 7:36

o'clock for them, that means noon for me,
7:36 - 7:38

so sometimes that's also why I would
7:38 - 7:40

like to use UTC time.
7:40 - 7:43

Alright, so we went ahead and
adjusted our screen layout,
7:43 - 7:46

we looked at the packet layout view,
7:46 - 7:50

or those header values, and we
went ahead and added a Delta time.
7:50 - 7:53

Now, another thing that I like to do is I
7:53 - 7:55

like to color certain things. Because if
7:55 - 7:57

we look over here on the right, this is
7:57 - 7:59

our intelligent scroll bar, and at least
7:59 - 8:01

for this trace file, you can see how
8:01 - 8:05

there's just a lot of
beige and light blue, and
8:05 - 8:07

not a lot's going to jump out at you in
8:07 - 8:08

this trace, because there's not a lot of
8:08 - 8:10

TCP errors and such. But this is where
8:10 - 8:12

you would look for things like black
8:12 - 8:15

lines with red letters,
those are TCP errors.
8:15 - 8:17

But something else that I like to do is
8:17 - 8:20

I like to color my TCP syns, and I'm
8:20 - 8:21

going to show you how to create a
8:21 - 8:23

coloring rule, because then that will
8:23 - 8:25

help certain things jump out to you.
8:25 - 8:27

Now again, there's a...as a side note i
8:27 - 8:29

just want to thank Hansung, if he's
8:29 - 8:31

watching this video, he's a friend of
8:31 - 8:35

mine from Shark Fest,
but he has a really good
8:35 - 8:37

saying, if you will, and he often says "my
8:37 - 8:39

way or the highway". That means your
8:39 - 8:42

settings for Wireshark are good for you,
8:42 - 8:45

that's your troubleshooting style, so no
8:45 - 8:46

one can ever tell you that that's wrong.
8:46 - 8:48

If it works for you, go to town. That's
8:48 - 8:52

why there's all these great
configurations within Wireshark.
8:52 - 8:55

I like to paint my TCP syns bright green,
8:55 - 8:57

you might like to make them
8:57 - 8:59

some odd color of brown. That's totally
8:59 - 9:02

up to you, and it's your way or the highway.
9:02 - 9:04

But right now, you're on my highway,
so let me show you how to paint
9:04 - 9:06

those green. I'm going to go ahead and go
9:06 - 9:08

up to the view menu, and I'm going to
9:08 - 9:10

come down to 'coloring rules',
9:10 - 9:11

and this will show you the standard
9:11 - 9:13

default coloring rules that come with
9:13 - 9:15

the default profile.
9:15 - 9:16

Some people hate these coloring rules,
9:16 - 9:18

they delete them all, or they just turn
9:18 - 9:20

off coloring altogether. To do that, you
9:20 - 9:22

just hit the button up on top, that'll
9:22 - 9:24

enable or disable the coloring
9:24 - 9:27

altogether. But to add a coloring rule, we
9:27 - 9:33

hit our little plus button, and I'm going
to call this one 'TCP syn',
9:33 - 9:35

and my filter is going to be
9:35 - 9:39

tcp dot flags dot sin equals equals one.
9:39 - 9:42

So, I like to color any packet with
9:42 - 9:45

a syn flag, even the syn and syn ack,
9:45 - 9:47

I want that to be green,
9:47 - 9:49

both of them, so I want to see the
9:49 - 9:51

client trying to connect,
and the server response.
9:51 - 9:53

Now you might think, well, I just
9:53 - 9:55

want to have only the syn, or only the
9:55 - 9:57

synax. This is where you can start to
9:57 - 9:59

goof around with our display filter. You
9:59 - 10:02

can come back here to flags, show me that
10:02 - 10:05

flags field equals equals 0x002.
10:05 - 10:07

I'm going to show you
how to get to that value,
10:07 - 10:10

but this would just color the syn
10:10 - 10:11

not the synack.
10:11 - 10:16

I don't like that, I like to go
tcp dot flags dot syn...
10:16 - 10:18

if I could type...equals equals one.
10:18 - 10:20

So there's my display filter. So what I'm
10:20 - 10:23

saying is any packet
that meets this filter,
10:23 - 10:25

this is how you should color it.
10:25 - 10:27

Okay, so now that I've got my
10:27 - 10:30

tcp dot flags dot syn equals one,
10:30 - 10:33

now I want to come down and actually
10:33 - 10:34

color it. So I'm going to go to the
10:34 - 10:37

background, and I'm going to go over here,
10:37 - 10:38

pick a nice bright
10:38 - 10:40

packet pioneer green, if you will, a nice
10:40 - 10:43

packet head green,
and I'm going to say 'ok'.
10:43 - 10:46

and there we go. So now all packets that
10:46 - 10:49

meet tcp dot flags
dot syn equals equals one,
10:49 - 10:51

all of those will be green. But what I
10:51 - 10:56

want to do is I'm going to
actually drag this below,
10:56 - 11:00

the bad tcp. So what this
means is if I have a syn,
11:00 - 11:02

if I send off that syn
11:02 - 11:04

and if i have to retransmit it, the first
11:04 - 11:06

syn is going to be bright green, the
11:06 - 11:07

second one will be according to the bad
11:07 - 11:10

TCP rules. It'll be black and red.
11:10 - 11:13

Right, so I only want
11:13 - 11:15

the first syn to be green, any
11:15 - 11:17

re-transmissions, go ahead and make those
11:17 - 11:20

that error indicator, that bad TCP.
11:20 - 11:21

Let's say 'ok'.
11:21 - 11:25

Now, initially, you notice
how my first packet is white
11:25 - 11:27

and the second one is green. If you come
11:27 - 11:29

up here and just do a refresh, it's
11:29 - 11:32

called another pass. That'll just refresh
11:32 - 11:34

the view and run this trace file back
11:34 - 11:36

through the rules that we have enabled,
11:36 - 11:38

so that will make sure that we have
11:38 - 11:40

everything colored right. So there we go,
11:40 - 11:42

we just added a coloring rule. Now again,
11:42 - 11:44

you can add coloring rules for all kinds
11:44 - 11:46

of thing. Do you want to color the TLS
11:46 - 11:48

handshake? Do you want to color
11:48 - 11:51

the fins? Do you want to have the resets
11:51 - 11:53

be some type of interesting color that
11:53 - 11:55

really jump out at you? So the coloring
11:55 - 11:58

rules are a nice thing to add.
11:58 - 12:00

Now, along with that, in this profile,
12:00 - 12:04

what we also want to do is
learn how to add buttons.
12:04 - 12:06

Now, throughout this course, and if you
12:06 - 12:07

take any of my courses, you're going to
12:07 - 12:10

notice our display filters. We quickly
12:10 - 12:13

get into how to set
different display filters.
12:13 - 12:16

So, let's go ahead and create a button
12:16 - 12:20

that will set a filter just for our TCP
12:20 - 12:22

syns. How about that?
12:22 - 12:24

So, if I come down here, and go ahead and
12:24 - 12:26

pick that first packet...I'm going to show
12:26 - 12:29

you a trick, so you don't have
to remember the syntax for
12:29 - 12:32

display filters. If you select our packet
12:32 - 12:34

that has whatever it is you're going to
12:34 - 12:36

filter for, come down into our detail
12:36 - 12:38

view. I'm going to go down to flags, and
12:38 - 12:40

I'm going to go down to syn.
12:40 - 12:42

Let's say I want to filter for only
12:42 - 12:44

packets with the syn bit.
12:44 - 12:45

So I come down here, and I'm going to
12:45 - 12:47

right click that, and I'm going to say
12:47 - 12:49

'prepare as filter'...
12:49 - 12:52

selected...not not selected, so I'm not
12:52 - 12:54

saying everything but. Let's go and hit
12:54 - 12:56

'selected'. Okay, so
we can see up above in
12:56 - 12:58

the display filter, we got tcp dot flags
12:58 - 13:00

dot syn equals equals one. Okay, that's
13:00 - 13:03

great. So if I apply that, now I can see
13:03 - 13:04

just the two packets in the trace that
13:04 - 13:07

have that syn bit set. But I don't want
13:07 - 13:09

to have to type that again, it's just one
13:09 - 13:11

of those things, I just want to click a
13:11 - 13:14

button and have it be there. But to do
13:14 - 13:17

that, if i come over here
to the plus button,
13:17 - 13:20

now I'll go ahead and see our filter
13:20 - 13:22

button where we can add a label, I'm
13:22 - 13:26

going to call this 'TCP syn'.
13:26 - 13:29

Snd my filter is that same filter as
13:29 - 13:32

above, and I can say, 'ok'. Now I have a
13:32 - 13:34

button over here on the right, so if I
13:34 - 13:36

ever open up a trace file and I quickly
13:36 - 13:38

just want to see the syns, I can come
13:38 - 13:40

over here and click that button, and I
13:40 - 13:42

only see those packets.
13:42 - 13:44

Now, this is where we can do a lot of
13:44 - 13:46

customization with Wireshark. You can
13:46 - 13:48

have a lot of buttons up here, and that
13:48 - 13:50

can highlight things that you're
13:50 - 13:52

specifically looking for in a trace file.
13:52 - 13:54

Don't worry, as we go forward, those are
13:54 - 13:56

the kind of things that I'm going to
13:56 - 13:57

teach you. Now, one final thing I'd like
13:57 - 13:59

to teach you in this first lesson is how
13:59 - 14:01

to add columns up on top.
14:01 - 14:04

That's something that you're going
to constantly be doing.
14:04 - 14:06

Now to add a column, I showed
14:06 - 14:07

you how to do it the long way.
14:07 - 14:09

We can go to 'preferences', we can go
14:09 - 14:11

to columns, and we can manually add one
14:11 - 14:13

like we did with the Delta time view, but
14:13 - 14:15

instead, let's go ahead and add one
14:15 - 14:17

the more typical way that you're going
14:17 - 14:19

to do this. So what I'm going to do is
14:19 - 14:21

I'm going to come down to TCP, and I'm
14:21 - 14:23

going to take a look at TCP segment
14:23 - 14:25

length. I'm going to right click this, and
14:25 - 14:28

I'm going to come down to
'apply as column'.
14:28 - 14:30

Now, if you notice, I have the standard
14:30 - 14:33

frame length here by default, but I want
14:33 - 14:36

to see the TCP segment length,
and the reason
14:36 - 14:39

is that I'm often interested in how much
14:39 - 14:42

data is actually encompassed in the
14:42 - 14:44

payload, so this shows me how much is
14:44 - 14:47

this packet actually carrying
14:47 - 14:50

in form of bytes of data.
14:50 - 14:51

Length is nice,
14:51 - 14:54

but this is often what I'm digging for.
14:54 - 14:56

So TCP segment length is a frequent one
14:56 - 14:58

that I have up here. In fact, it's so
14:58 - 15:00

frequent, I'll often come over here to
15:00 - 15:02

'length', and I'll right-click this, and I
15:02 - 15:05

can either come down to 'length' and
15:05 - 15:07

uncheck it, so it will disappear,
15:07 - 15:10

or I can remove this column from this
15:10 - 15:12

profile completely. So I'm going to say
15:12 - 15:15

'remove column', and
now I just have my TCP
15:15 - 15:17

segment length. So this is an initial way
15:17 - 15:20

that you can set up Wireshark. What did
15:20 - 15:22

we learn? Let's go down our list. We
15:22 - 15:24

talked about our screen layout, so how to
15:24 - 15:26

adjust that. We talked about how we can
15:26 - 15:29

change from packet bytes to the actual
15:29 - 15:31

header values of the packet or the
15:31 - 15:33

protocols. We also talked about how to
15:33 - 15:36

add a button, how to do a coloring rule,
15:36 - 15:38

how to add and remove columns, how to add
15:38 - 15:41

a custom column for our Delta time, and
15:41 - 15:43

to do some simple display filters. So
15:43 - 15:46

look how much you were able to learn in
15:46 - 15:48

lesson one of the Wireshark Master Class.
15:48 - 15:50

So thanks for stopping by. Make sure that
15:50 - 15:52

you subscribe and hit the notification
15:52 - 15:54

bell, because as I come out with these
15:54 - 15:56

master classes, I want to make sure that
15:56 - 15:59

you're notified. Great to have you, and
15:59 - 16:01

we'll see you on the next class.
16:01 - 16:14

[Music]

Title:: Learn Wireshark in 15 Minutes! Lesson 1 for BEGINNERS
Description:: more » « less
Video Language:: English
Duration:: 16:14

	OEVIDEOS edited English subtitles for Learn Wireshark in 15 Minutes! Lesson 1 for BEGINNERS
	OEVIDEOS edited English subtitles for Learn Wireshark in 15 Minutes! Lesson 1 for BEGINNERS
	OEVIDEOS edited English subtitles for Learn Wireshark in 15 Minutes! Lesson 1 for BEGINNERS

English subtitles

Revisions Compare revisions

Revision 3 Edited

OEVIDEOS
Revision 2 Edited

OEVIDEOS
Revision 1 Uploaded

OEVIDEOS

	Revision Number	Author	Created
	3	OEVIDEOS
	2	OEVIDEOS
	1	OEVIDEOS

Learn Wireshark in 15 Minutes! Lesson 1 for BEGINNERS

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)