Uploaded by Richard Kinzle

Visit a web page and detect its IP address using a display filter (transcript)

Welcome back. In the last task we covered how to use a display
filter to observe certain packet protocols.
By the end of this task you will be able to employ a display
filter to detect a certain IP address in a capture.
This task is important because there may be an instance where
a certain known IP address is causing issues for the server.
Now let's get started.
Okay, to begin let's go over to the browser, which is Firefox,
and we're just going to get rid of any pages we might have
open. Then I'm going to go into the settings, go to Privacy & Security,
go down to Cookies and Site Data, and clear the data.
That clears the cache in our browser.
This is a good idea so that we get the most recent versions
of the websites we visit rather than the cached versions, and so that
the capture actually contains the page being fetched from the server.
Okay, so I'm going to clear this.
Alright, so we have that cleared, and now what we're going to do is go
back to Wireshark.
Here we go.
We're going to go ahead and clear this filter out for now,
and I'm going to close the capture file.
One thing I just want to show you here:
Wireshark keeps a list of recent capture files,
so it will remember the files you saved in case
you want to quickly go back to one.
This box at the top is the capture filter we were talking about earlier.
If you use a capture filter, Wireshark only records the traffic that matches it.
Capture filters use a different syntax from display filters: to capture only
port 443 traffic here you would type tcp port 443, not tcp.port == 443,
and that's all the traffic it would capture.
We wouldn't see any other packets at all, and there is no way to get them
back afterwards.
That's the difference between this and the display filter,
which looks at an existing set of packets and just displays the ones
we want to see out of the dump. That's probably what you'll be doing
most of the time: looking at a previous capture.
So what we're going to do now is go back to Wireshark and start a capture.
This time we'll go to google.com in Firefox.
Okay, I'm going to go ahead and start the capture.
Alright.
And we'll go to google.com.
Here we go.
Now, one thing I should note here is that Google uses various
IP addresses, so the IP address that you get when you run this
might be slightly different.
For our purposes it really doesn't make any difference.
Just use the IP address that shows up in your list when you apply
the filter.
Alright, so let's continue, and then we'll go back here and stop
the capture.
All right, we stopped it.
So next, what I want you to do is pause here and set
the display filter to only show HTTPS packets.
Pause here and try that.
Okay, so there's our tcp.port == 443.
This displays only our HTTPS traffic, and you'll see
we have a Client Hello, which is the first message of the TLS handshake
that HTTPS runs on.
And we see that we have an IP destination of 142.250.31.105.
That's actually google.com.
If you put this into the browser (I'll let you do that as an exercise)
you'll see that it's Google.
Okay, and there's the Client Hello. Now what if you just wanted to look for
the first step of the handshake, the Client Hello that our browser sends
to the website?
Well, we can do that here too.
We had tcp.port == 443, so we'll just change this to
tls.handshake.type == 1.
This is the TLS handshake we were talking about earlier; handshake type 1
is the Client Hello, so with type == 1 all you'll see is the Client Hellos.
It's kind of handy.
So if you take the destination of our first Client Hello, 142.250.31.103
for example, and put that into the browser, you'll see that it's a
Google IP address.
Okay, so what if we just want to look at that one IP address?
Well, we can use the ip.addr filter.
I'm going to go ahead and clear this one out, and we use ip.addr
for the IP address, so it's
ip.addr == 142.250.31.103,
which matches this Google address.
Go ahead and apply that filter and you'll get all of the packets
involving that specific IP address, whether it is the source or the destination.
So again, if we were having a problem with something to do
with that website, we can specify the IP address and get all of the packets
where it is either the source or the destination.
Okay, so what if we only wanted the packets where
the source was 142.250.31.103?
In other words, the source address is this one.
Instead of ip.addr we use
ip.src == 142.250.31.103.
Let's go ahead and apply that.
Now it's only the packets where Google is the source, every time Google
is sending something back to our machine.
See, here it is, the Server Hello. That's coming from Google to our IP address.
So that's the way we could do that.
Now, if you wanted to, you could also do this for the destination.
To do that, we clear out the src here and change it to dst.
So go ahead and pause here and give that a try.
Okay, so we have ip.dst == 142.250.31.103, and when we apply that filter
our machine is now the source and Google is the destination.
These are all the cases where we're sending something to the website.
So the destination is google.com here: 142.250.31.103.
And again, to get all of them, both source and destination,
with 142.250.31.103, we would just say ip.addr.
So it gives you a lot of flexibility as far as what
you want to see in the display.
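Here is an added example, not part of the original lesson, that models the display filters used in this task (tcp.port, tls.handshake.type, ip.addr, ip.src, ip.dst) in Python and runs them over a constructed capture. The packets, the client address 192.168.1.20 and the second server 93.184.216.34 are made up for illustration; 142.250.31.103 is the address seen in the lesson. The point it shows is why ip.addr == X returns both directions while ip.src and ip.dst each return one, and how the filter gets at the handshake type byte in the TLS record.

```python
"""Added example (not from the original lesson): a small model of the Wireshark
display filters used in this task, evaluated over a constructed capture."""
from dataclasses import dataclass


@dataclass
class Packet:
    ip_src: str
    ip_dst: str
    tcp_srcport: int
    tcp_dstport: int
    payload: bytes = b""  # TCP payload; holds a TLS record when present


def tls_handshake_type(payload: bytes):
    """5-byte TLS record header (0x16 = handshake, version, length), then the
    handshake message type at byte 5: 1 = Client Hello, 2 = Server Hello."""
    if len(payload) < 6 or payload[0] != 0x16:
        return None
    return payload[5]


def field_values(pkt: Packet, name: str):
    """Values a Wireshark field name matches on this packet. ip.addr and
    tcp.port are two-valued (both directions), so ip.addr == X matches
    packets where X is the source OR the destination."""
    if name == "tls":
        return ["tls"] if pkt.payload[:1] == b"\x16" else []
    if name == "tls.handshake.type":
        t = tls_handshake_type(pkt.payload)
        return [] if t is None else [str(t)]
    table = {
        "ip.src": [pkt.ip_src],
        "ip.dst": [pkt.ip_dst],
        "ip.addr": [pkt.ip_src, pkt.ip_dst],
        "tcp.port": [str(pkt.tcp_srcport), str(pkt.tcp_dstport)],
    }
    return table.get(name, [])


def _split_top(expr: str, op: str):
    """Split expr on op, ignoring occurrences inside parentheses."""
    parts, depth, start, i = [], 0, 0, 0
    while i < len(expr):
        if expr[i] == "(":
            depth += 1
        elif expr[i] == ")":
            depth -= 1
        elif depth == 0 and expr.startswith(op, i):
            parts.append(expr[start:i])
            start = i = i + len(op)
            continue
        i += 1
    parts.append(expr[start:])
    return parts


def matches(pkt: Packet, expr: str) -> bool:
    """Evaluate 'field == value' and bare 'field' terms combined with
    ||, && and !( ... ), lowest-precedence operator first."""
    expr = expr.strip()
    parts = _split_top(expr, "||")
    if len(parts) > 1:
        return any(matches(pkt, p) for p in parts)
    parts = _split_top(expr, "&&")
    if len(parts) > 1:
        return all(matches(pkt, p) for p in parts)
    if expr.startswith("!"):
        return not matches(pkt, expr[1:])
    if expr.startswith("(") and expr.endswith(")"):
        return matches(pkt, expr[1:-1])
    if "==" not in expr:
        return bool(field_values(pkt, expr))  # bare field: "field is present"
    name, value = (s.strip() for s in expr.split("==", 1))
    return value in field_values(pkt, name)


def filter_capture(packets, expr: str):
    """Return the 1-based frame numbers the filter would leave displayed."""
    return [n for n, p in enumerate(packets, 1) if matches(p, expr)]


# Constructed stubs: record type 0x16, version, length 5, then handshake type.
CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
SERVER_HELLO = b"\x16\x03\x03\x00\x05\x02\x00\x00\x01\x00"

GOOGLE = "142.250.31.103"  # address seen in the lesson; yours will differ
CLIENT = "192.168.1.20"    # assumed address of our machine
OTHER = "93.184.216.34"    # assumed unrelated HTTPS server

CAPTURE = [                                            # frame
    Packet(CLIENT, GOOGLE, 51234, 443),                # 1 SYN
    Packet(GOOGLE, CLIENT, 443, 51234),                # 2 SYN/ACK
    Packet(CLIENT, GOOGLE, 51234, 443, CLIENT_HELLO),  # 3 Client Hello
    Packet(GOOGLE, CLIENT, 443, 51234, SERVER_HELLO),  # 4 Server Hello
    Packet(CLIENT, OTHER, 51235, 443, CLIENT_HELLO),   # 5 Client Hello, other site
    Packet(CLIENT, "192.168.1.1", 51236, 53),          # 6 not HTTPS
]

if __name__ == "__main__":
    for f in ["tcp.port == 443", "tls.handshake.type == 1",
              f"ip.addr == {GOOGLE}", f"ip.src == {GOOGLE}", f"ip.dst == {GOOGLE}",
              f"tls.handshake.type == 1 && !(ip.addr == {GOOGLE})"]:
        print(f"{f:55} -> frames {filter_capture(CAPTURE, f)}")
```

Two things worth taking from it into real Wireshark: ip.addr == X is the same as ip.src == X || ip.dst == X, so the clean way to exclude one host is !(ip.addr == X), which reads the same in every Wireshark version. And rather than pasting the address into a browser to see which site it is, the Client Hello that tls.handshake.type == 1 selects usually carries the hostname itself in its Server Name Indication extension (the tls.handshake.extensions_server_name field in Wireshark).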
Okay. All right.
So to summarize, in Task 4 we started a Wireshark capture,
visited a web page, and detected its IP address using
a display filter.
The key takeaways: a TLS handshake display filter
may be used to detect a website visit in a packet list.
tls.handshake.type == 1 shows us the first step in the handshake,
the Client Hello, which goes from our browser to the site, for example
google.com.
And a filter on the IP address obtains the packet information for a
particular website, for example ip.addr == 142.251.163.105, or whichever
address you saw in your capture.
Right. Okay.
Great. Now that we know how to employ a display filter
to detect a certain IP address in a capture, let's move
on to the next task, where we will locate all HTTPS packets
in a capture not involving a certain IP address.
Alright, see you there.