Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:00,790 --> 00:00:07,510 Okay so I'm gonna open up a web browser from P.S. 1 to the server the service IP address and this is 2 00:00:07,510 --> 00:00:12,790 a linux server is 10 dot 1 dot wondered 100. 3 00:00:13,270 --> 00:00:17,830 I used the command I have config to see the service IP address. 4 00:00:17,830 --> 00:00:23,970 So what I'll do is start capturing traffic between the P.C. and the switch. 5 00:00:24,190 --> 00:00:26,200 Genius 3 makes this very easy. 6 00:00:26,200 --> 00:00:33,370 It allows us to capture traffic directly within the topology rather than having to install a hub or 7 00:00:33,400 --> 00:00:36,610 a wire tap or something to see the traffic. 8 00:00:37,660 --> 00:00:43,630 So I'm gonna capture the traffic between the P.C. and the switch and we'll be able to see exactly what's 9 00:00:43,630 --> 00:00:50,260 going on within this why shock capture so you can see that we've got spanning tree traffic we've got 10 00:00:50,270 --> 00:01:00,100 a job P traffic dynamic trunk protocol traffic already displayed and being captured by a y shock. 11 00:01:00,240 --> 00:01:04,250 What I'm going to do however is falter for HDP. 12 00:01:04,440 --> 00:01:13,650 There's no HDP traffic at the moment but what we'll do is open up a web browser on the P.C. and connect 13 00:01:13,650 --> 00:01:22,870 it to the server so let's use P.S. 1 open up a web browser. 14 00:01:22,960 --> 00:01:24,590 I'm going to browse to 15 00:01:27,260 --> 00:01:34,110 tendered wondered one at 100 which is the server and as you can see they are web pages displayed. 16 00:01:34,220 --> 00:01:42,500 That's nothing fancy it's just a basic Web page hosted on the server but it's enough for us to see what's 17 00:01:42,500 --> 00:01:43,810 going on. 18 00:01:43,970 --> 00:01:52,930 So in why a shock you can see that traffic was sent from a source IP address 10 1 1 1 to a destination 19 00:01:52,960 --> 00:01:55,540 IP address of 10 1 1 100. 20 00:01:55,540 --> 00:01:57,070 This is HDP traffic. 21 00:01:57,070 --> 00:02:00,150 You can see the protocol they is HDP. 22 00:02:00,310 --> 00:02:05,130 You can see the length you can see that it's an HDP get. 23 00:02:05,160 --> 00:02:09,930 In other words the piece he's trying to get a web page from the server. 24 00:02:09,930 --> 00:02:16,290 Now before I go through the wash capture in more detail let's explain some of the basics that you see 25 00:02:16,290 --> 00:02:17,880 in why shock. 26 00:02:17,940 --> 00:02:22,180 The first thing you see is a frame now in networking. 27 00:02:22,180 --> 00:02:25,720 This is known as Layer two of the oversized model. 28 00:02:25,720 --> 00:02:28,510 Information captured here are known as frames. 29 00:02:28,540 --> 00:02:30,780 So this is known as a frame. 30 00:02:30,880 --> 00:02:33,290 We've captured and Ethernet to frame. 31 00:02:33,370 --> 00:02:38,170 In other words we've captured traffic on Ethernet that different types of Ethan at frames. 32 00:02:38,170 --> 00:02:44,870 But Ethan it too is the most common the source MAC address is a VM where host destination MAC addresses 33 00:02:44,890 --> 00:02:45,700 this. 34 00:02:45,790 --> 00:02:50,060 So the source MAC address is the P.C.. 35 00:02:50,080 --> 00:02:57,670 This piece is actually running inside a VM where I type IP conflict slash all you'll be able to see 36 00:02:57,820 --> 00:03:09,260 the MAC address of the host 0 0 0 c 29 ending in DC D 7 and hopefully that's what we see over here. 37 00:03:09,290 --> 00:03:13,260 So notice MAC address is DC D7. 38 00:03:13,370 --> 00:03:19,620 So notice this MAC address is the MAC address of the P.C. destination address is this. 39 00:03:19,850 --> 00:03:22,280 That's the MAC address of the server. 40 00:03:22,280 --> 00:03:29,140 Notice the MAC address over here 36 E four five C 40 91 82. 41 00:03:29,140 --> 00:03:30,430 There you go. 42 00:03:30,430 --> 00:03:34,350 That's the IP address of the server MAC address of the server. 43 00:03:34,870 --> 00:03:39,850 Here's the IP address of the P.C. and the MAC address of the P.C.. 44 00:03:39,850 --> 00:03:48,130 So in networking we use the term frame to layer two you get different types of frames on Ethernet typically 45 00:03:48,160 --> 00:03:48,960 Ethan at two. 46 00:03:48,970 --> 00:03:54,370 But on a when connection or wide area network connection you could be using something like point to 47 00:03:54,370 --> 00:04:03,610 point protocol or PDP or HDFC or in the old days you had encapsulation like frame relay or A.T.M.. 48 00:04:03,610 --> 00:04:11,320 In other words the layered to frame changes depending on the physical technology that you're using. 49 00:04:11,350 --> 00:04:17,490 Most common technology today's Ethernet most common Ethan at frame type is Ethernet too. 50 00:04:17,530 --> 00:04:25,090 So this is known as a frame not just to make it more confusing in why a shock they talk about frames 51 00:04:25,180 --> 00:04:30,030 here as well but this is actually just metadata used within why shock. 52 00:04:30,040 --> 00:04:32,100 That tells us about the frame. 53 00:04:32,110 --> 00:04:38,120 So again this is just metadata we don't typically talk about that as a frame in networking. 54 00:04:38,200 --> 00:04:39,700 This is known as a frame. 55 00:04:39,850 --> 00:04:43,300 This is known as layer two in the OSA model. 56 00:04:43,310 --> 00:04:49,220 Now I've included a section following this video that talks about ISI and the ISI model. 57 00:04:49,240 --> 00:04:52,420 So if you're not used to the ISI model or you're not quite sure what it's about. 58 00:04:52,420 --> 00:04:53,590 Have a look at those videos. 59 00:04:53,770 --> 00:04:57,330 If you know about the ISI model then skip those videos. 60 00:04:57,460 --> 00:05:00,740 And again if you want more information have a look at my CCN a course. 61 00:05:00,790 --> 00:05:06,160 So this is a frame at least three we have what's called a packet. 62 00:05:06,220 --> 00:05:12,730 So when we refer to the layers in the OS model we use terms such as frame at least two packets layer 63 00:05:12,730 --> 00:05:20,130 three and segment at the layer for at least three we've captured the IP version 4 addresses. 64 00:05:20,140 --> 00:05:22,630 So this is IP version for information. 65 00:05:22,630 --> 00:05:27,530 The protocol used jet layer 4 is IP version for what we'll do actually. 66 00:05:27,550 --> 00:05:32,850 This point is stop my wife's shock capture so that the capture that I share with you isn't too big. 67 00:05:34,260 --> 00:05:46,830 And I'll save this as basic why a shock capture one notice it's a pickup in G file will pick up next 68 00:05:46,830 --> 00:05:48,880 generation Y shock file. 69 00:05:49,050 --> 00:05:52,980 So that's the file that you'll download and you'll be able to do something similar to what I've done 70 00:05:52,980 --> 00:05:53,220 here. 71 00:05:54,180 --> 00:06:00,930 So again protocol at layer 3 is IP version for source IP addresses this destination ip addresses this 72 00:06:01,530 --> 00:06:07,650 IP version 4 contains a lot of information differentiate services code points or differentiate services 73 00:06:07,650 --> 00:06:15,780 field DCP differentiated services code points is to do with quality of service quality of service or 74 00:06:15,780 --> 00:06:20,900 cause or QS allows us to differentiate some traffic types from others. 75 00:06:21,020 --> 00:06:25,800 So in other words we could say that voice traffic is more important than FCP traffic. 76 00:06:26,400 --> 00:06:32,910 So when you make a voice call it should be proud to arised over file transfer protocol or FCP traffic. 77 00:06:32,940 --> 00:06:37,580 This is a way to indicate to the network how important the traffic is. 78 00:06:37,860 --> 00:06:43,230 A lot of other information is shown in this header including as an example that the protocol used at 79 00:06:43,230 --> 00:06:45,270 Layer 4 is TTP. 80 00:06:45,510 --> 00:06:53,580 So lay off for once again this is layered to frame Layer 3 is packet layer forward segment at Layer 81 00:06:53,580 --> 00:07:01,560 4 in the OSA model we are using TTP here and you can see source and destination port numbers HDP or 82 00:07:01,560 --> 00:07:06,840 Hypertext Transfer Protocol uses the well-known port number of 80. 83 00:07:06,840 --> 00:07:09,700 The server was listening on port 80. 84 00:07:09,700 --> 00:07:18,790 That's why when the client made a connection to the server the web page displayed the client initiated 85 00:07:18,790 --> 00:07:20,290 a session to port 80. 86 00:07:20,320 --> 00:07:23,110 The server was listening on port 80. 87 00:07:23,110 --> 00:07:25,690 It served because it's a server. 88 00:07:25,690 --> 00:07:29,310 It served a web page to the client. 89 00:07:29,980 --> 00:07:35,440 In this case using the protocol HDP so it basically has this page. 90 00:07:35,440 --> 00:07:43,510 This web page hosted on its harddrive and it served that page to the client when the client connected 91 00:07:43,510 --> 00:07:44,760 on port 80. 92 00:07:44,800 --> 00:07:51,610 The client uses this random pulled number or ephemeral port number to use the correct term so it connects 93 00:07:51,610 --> 00:07:58,570 to the server using an ephemeral or random port number going to a well-known port number of 80 and then 94 00:07:58,570 --> 00:08:04,080 you can see here the application used his Hypertext Transfer Protocol. 95 00:08:04,080 --> 00:08:11,430 Now in networking we talk about the OS model but typically it's a hybrid model between the TTP model 96 00:08:11,790 --> 00:08:14,220 and the OS side model. 97 00:08:14,220 --> 00:08:18,690 At the top of the other some model we have application presentation and session. 98 00:08:18,690 --> 00:08:22,860 Those layers are often grouped into a single layer called application. 99 00:08:22,980 --> 00:08:28,170 So notice we have Layer 2 here Layer 1 is the physical medium so that's not shown in the wide shot capture 100 00:08:28,410 --> 00:08:33,180 the physical medium here is Ethan it could be copper or could be fiber. 101 00:08:33,180 --> 00:08:35,270 In our example this is just a virtual network. 102 00:08:35,300 --> 00:08:38,620 But in the real world this would be physical Ethernet. 103 00:08:38,700 --> 00:08:42,750 In this case perhaps copper so the physical media is copper. 104 00:08:42,750 --> 00:08:49,320 So that's the physical connection gets just a virtual logical connection. 105 00:08:49,320 --> 00:08:56,570 So layer one physical layer to data link or in this case it's Ethernet Layer three is network. 106 00:08:56,580 --> 00:09:00,410 In this case we've got IP layer four is transport. 107 00:09:00,420 --> 00:09:06,870 In this case it's TTP and then the top three layers are kind of combining to one layer application layer. 108 00:09:06,870 --> 00:09:09,490 So notice Hypertext Transfer Protocol. 109 00:09:09,600 --> 00:09:13,810 And inside here we can see details such as the client used. 110 00:09:14,010 --> 00:09:26,020 It shows up store as windows in t 10 when 64 bit using a browser Mozilla 5.0 so in this example I'm 111 00:09:26,020 --> 00:09:28,020 actually using Microsoft Edge. 112 00:09:28,030 --> 00:09:32,230 That's the browser used within Windows 10. 113 00:09:32,230 --> 00:09:34,900 So this is a Windows 10 a virtual computer. 114 00:09:34,930 --> 00:09:36,370 In other words it's a virtualize. 115 00:09:36,400 --> 00:09:42,640 I'm actually running on a Mac here recording on a Mac but I'm running VMware which allows me to virtualize 116 00:09:42,910 --> 00:09:46,930 multiple devices within my genius free topology. 117 00:09:46,930 --> 00:09:55,240 So the why shock capture sees the client as a Windows 10 computer which is correct using 64 bit Windows 118 00:09:55,780 --> 00:09:57,220 Mozilla is the browser. 119 00:09:57,220 --> 00:10:02,350 It's actually Microsoft Edge and then the server replies back. 120 00:10:02,350 --> 00:10:07,090 Notice in the server example the MAC addresses all swapped round. 121 00:10:07,090 --> 00:10:13,410 In this example I've got a layer to switch a layer to switch means that it's just simply switching trains. 122 00:10:13,510 --> 00:10:17,190 In other words Layer 2 data from one port to another. 123 00:10:17,260 --> 00:10:20,680 It's not trying to rupture the data from one network to another. 124 00:10:20,680 --> 00:10:24,120 These two hosts are in the same subnet or the same network. 125 00:10:24,310 --> 00:10:28,950 So the switch simply switching the traffic from one port to another. 126 00:10:28,960 --> 00:10:34,420 So in this example the IP addresses are swapped round and so are the MAC addresses going back to the 127 00:10:34,420 --> 00:10:35,640 first example. 128 00:10:35,710 --> 00:10:40,840 Notice source MAC address is this destination MAC addresses this when the server replies. 129 00:10:40,840 --> 00:10:47,680 Those are simply stopped around so the server is replying with its MAC addresses the source destination 130 00:10:47,680 --> 00:10:54,310 MAC address is the Windows computer IP addresses a swapped round and so a port numbers and if we look 131 00:10:54,340 --> 00:11:02,860 at the hypertext protocol notice we can see service says 200 Okay 200 means that the server was able 132 00:11:02,860 --> 00:11:05,270 to provide the data to the client. 133 00:11:05,440 --> 00:11:08,120 We didn't have a 4 0 for each team all error. 134 00:11:08,170 --> 00:11:12,920 As an example some data was provided to the client. 135 00:11:12,940 --> 00:11:19,050 Notice you can see here the actual web page that was served to the client so you can see it says network 136 00:11:19,050 --> 00:11:20,270 has toolkit. 137 00:11:20,320 --> 00:11:25,900 You can see the P and G file notice network is toolkit. 138 00:11:25,900 --> 00:11:32,110 And if I look at that web page on the client notice you can see the output here. 139 00:11:32,230 --> 00:11:41,490 It says w w w files located at a var w w w dot HMO and if we look here that's actually what you see. 140 00:11:41,620 --> 00:11:46,600 Files located at var w w w dot HMO. 141 00:11:46,600 --> 00:11:50,740 So if I scroll to the right notice you see the full output. 142 00:11:50,740 --> 00:12:00,220 You get to route after logging in noticed we told you can place files in t t p boot and that's exactly 143 00:12:00,460 --> 00:12:02,890 what you see over here. 144 00:12:02,890 --> 00:12:06,200 So why shock has read the HDP traffic. 145 00:12:06,220 --> 00:12:13,360 Be careful with HDP it's clear text so through why shock you can see exactly what's going on here. 146 00:12:13,360 --> 00:12:20,440 The client is trying to get the G image so it's trying to get the actual P G image and had the server 147 00:12:20,470 --> 00:12:29,470 which is in a boon to server is providing the PMG file so that's the actual file and you can actually 148 00:12:29,470 --> 00:12:35,510 export that and I'd do this again in other videos but let's do it right now. 149 00:12:35,560 --> 00:12:36,860 Genus 3. 150 00:12:36,940 --> 00:12:48,760 Image Some would export that to my desktop and on my desktop I'm going to change that to a PMG file 151 00:12:50,350 --> 00:12:55,390 and then when I open it up notice there's the actual image. 152 00:12:55,390 --> 00:13:00,180 So why shock captured all the data from the server as well as the image. 153 00:13:00,490 --> 00:13:02,950 And that's the image that we have on the server. 154 00:13:02,950 --> 00:13:09,610 So once again to do that click portable network graphics because it's a pinkie file and then go export 155 00:13:09,640 --> 00:13:17,750 packet bytes save it to your hard drive someone to save it once again is genius free image to and then 156 00:13:17,750 --> 00:13:22,500 I'm gonna rename it so it saved it as a burn file. 157 00:13:22,500 --> 00:13:30,800 I'm gonna rename that as P and G because it's a P G file and they want to open it up you can see that 158 00:13:30,800 --> 00:13:34,330 it's say P G file and there's the actual image. 159 00:13:34,550 --> 00:13:43,240 So you can see here it's getting the fave icon and then we're getting something HDP forward for error 160 00:13:43,300 --> 00:13:44,540 something not found. 161 00:13:44,680 --> 00:13:46,630 So something went wrong here. 162 00:13:47,620 --> 00:13:56,620 But the point is is that you can read the actual HDP traffic and remember because of these devices on 163 00:13:56,620 --> 00:14:02,840 the same subnet all that happens is the MAC addresses are swapped around IP addresses or swapped round 164 00:14:03,020 --> 00:14:07,070 port numbers or swapped around during that communication. 165 00:14:07,070 --> 00:14:12,080 So source IP is host yes source IP is the server. 166 00:14:12,080 --> 00:14:17,360 So when the server replies back it's replying back from port 80 to the client. 167 00:14:17,360 --> 00:14:23,240 So that was a very basic example of using Y shock to see what's going on in the network. 168 00:14:23,240 --> 00:14:27,080 Were you able to download the pick up file. 169 00:14:27,080 --> 00:14:31,530 Were you able to open it up in y shock and actually do something similar to what I've done here. 170 00:14:31,550 --> 00:14:38,630 There's no better way to learn than to practically use Y shock capture frames and see for yourself what's 171 00:14:38,630 --> 00:14:39,490 going on. 172 00:14:39,500 --> 00:14:45,100 I've made it a little bit more simple by giving you some pick up files but hopefully they mean something 173 00:14:45,110 --> 00:14:51,380 because she's using the actual files that I'm recording right now rather than just some random file 174 00:14:51,380 --> 00:14:53,100 that you got off the Internet. 175 00:14:53,160 --> 00:14:56,820 Now please note it means a lot to me if you provide feedback on the course. 176 00:14:56,840 --> 00:15:00,710 So if you're enjoying the video then please say so. 177 00:15:00,980 --> 00:15:06,380 If you get prompted to leave a review and you're enjoying the course then please do that because it 178 00:15:06,380 --> 00:15:10,850 helps other students and helps me make the course better let me know how I can improve the course as 179 00:15:10,850 --> 00:15:11,090 well. 19065