1
00:00:00,696 --> 00:00:03,616
>> While we are nearing the
end of our Cisco Foundations
2
00:00:03,616 --> 00:00:09,426
or more specifically network foundations, as in
how devices communicate on the network today.
3
00:00:10,036 --> 00:00:13,516
At this point, I'm going to
say we are good at layer two.
4
00:00:13,736 --> 00:00:15,186
We understand the data link layer.
5
00:00:15,186 --> 00:00:18,726
We understand MAC addresses, physical
addresses burned into the network cards
6
00:00:18,726 --> 00:00:22,806
of the different devices and how that
interacts with layer three, the IP layer,
7
00:00:22,806 --> 00:00:28,106
and IP addressing basics fundamental and
communication, how the ARP protocol resolves,
8
00:00:28,106 --> 00:00:31,396
I mean all of that stuff we've
talked about the previous nuggets.
9
00:00:31,396 --> 00:00:33,086
So, now I'm going to move up to layer four.
10
00:00:33,896 --> 00:00:41,716
TCP and UDP, the last really network relevant
layer that we're going to focus on in here.
11
00:00:41,716 --> 00:00:46,106
We're going to see where these two fit into this
puzzle of network communication and it's going
12
00:00:46,106 --> 00:00:47,806
to bring up a whole bunch of port numbers.
13
00:00:47,806 --> 00:00:49,966
So, I'll give you some common
ones that you'll want to know,
14
00:00:49,966 --> 00:00:54,136
not only for certification purposes
if that's your direction, but also,
15
00:00:54,136 --> 00:00:56,786
I mean you use this all the
time in the real world.
16
00:00:57,256 --> 00:01:01,346
And then, we'll complete the end-to-end
communication story where we started looking at,
17
00:01:01,496 --> 00:01:05,016
you know, from this host to this
host, what are all the factors that go
18
00:01:05,016 --> 00:01:09,146
into making packets transmit
successfully across the wire.
19
00:01:10,506 --> 00:01:14,276
Oh, my goodness, I totally forgot to
mention that we're going to start learning
20
00:01:14,276 --> 00:01:17,926
about Wireshark in this nugget
which-- it's awesome!
21
00:01:17,956 --> 00:01:21,206
You're going to really see a lot.
22
00:01:21,206 --> 00:01:22,826
That's what this little icon is right here.
23
00:01:22,826 --> 00:01:25,786
I know some of you might have heard
of it before I go and, "Oh, no.
24
00:01:25,816 --> 00:01:30,986
Really?" This tool is amazing for helping
you not only troubleshoot networking,
25
00:01:31,576 --> 00:01:35,186
network issues, but to learn networking.
26
00:01:35,186 --> 00:01:38,246
I mean when you look at it,
initially it's overwhelming.
27
00:01:38,246 --> 00:01:39,406
There's no doubt about it.
28
00:01:39,666 --> 00:01:42,286
But when you see just the
basics of how to use it,
29
00:01:42,286 --> 00:01:45,876
it's like okay, I think I can really get this.
30
00:01:45,876 --> 00:01:50,406
As a matter of fact, Wireshark has
always, you know, it's always been one
31
00:01:50,406 --> 00:01:52,786
of the tools I've had but I rarely use that.
32
00:01:52,786 --> 00:01:56,716
I mean, Wireshark was like, okay,
everything is down, last resort,
33
00:01:56,716 --> 00:01:58,476
what's going on, let's get out Wireshark.
34
00:01:58,756 --> 00:01:59,576
And then I got a book.
35
00:01:59,576 --> 00:02:01,196
I'm-- I've got in my bookshelf right here.
36
00:02:01,196 --> 00:02:02,426
Pull it off.
37
00:02:02,426 --> 00:02:05,356
It's "Wireshark Network Analysis"
by Laura Chappell.
38
00:02:05,416 --> 00:02:08,276
It's a big, big fat book.
39
00:02:08,276 --> 00:02:10,876
And just this-- it's a free utility.
40
00:02:11,266 --> 00:02:13,046
And I-- let me-- I'm going to flip a hand.
41
00:02:13,046 --> 00:02:16,456
I'm flipping at the preface
here, table of contents.
42
00:02:16,456 --> 00:02:17,096
All right.
43
00:02:17,556 --> 00:02:20,256
This is what she said and this is her preface.
44
00:02:20,976 --> 00:02:26,086
"Wireshark is a," and she puts it in
all capitals, "FIRST RESPONDER tool
45
00:02:26,546 --> 00:02:30,826
that should be employed immediately
when the cries of 'the network is slow'
46
00:02:30,826 --> 00:02:34,386
or 'I think my network is infected'
echo through the company halls."
47
00:02:34,806 --> 00:02:38,406
And, when I read that, remember
reading that years ago, and I go,
48
00:02:38,406 --> 00:02:40,806
[inaudible], it's not a first responder tool.
49
00:02:40,806 --> 00:02:45,806
This is like the last responder tool, but
seriously that's one of those statements
50
00:02:45,806 --> 00:02:50,806
that have just stuck in my head and over
these last few years, I've started using it.
51
00:02:50,806 --> 00:02:54,746
It's not-- it's still not my first
responder tool, but I've used it a lot more--
52
00:02:54,746 --> 00:02:59,656
with a lot more immediacy than I have in the
past and it really has saved a lot of times.
53
00:02:59,656 --> 00:03:01,646
So, I want to get you guys
familiar with that right away.
54
00:03:01,856 --> 00:03:05,296
So, what are TCP and UDP?
55
00:03:06,306 --> 00:03:13,116
They are the primary transport protocols used
today, meaning transport layer of the OSI model.
56
00:03:13,116 --> 00:03:16,316
We've got our applications trying
to communicate data up here, right?
57
00:03:16,316 --> 00:03:21,976
In our internet explorer, our [laughs]--
what other online games, whatever--
58
00:03:21,976 --> 00:03:25,326
what other applications that people
use nowadays, instant messengers,
59
00:03:25,326 --> 00:03:27,366
all those kinds of things are
sending their data down here.
60
00:03:27,576 --> 00:03:30,606
It reaches the transport layer and
you might remember from the OSI model,
61
00:03:30,756 --> 00:03:33,276
this is where it's going to
choose the reliability, you know,
62
00:03:33,366 --> 00:03:35,376
it's going to be reliable or unreliable.
63
00:03:35,496 --> 00:03:40,086
And then it also assigns the port numbers to
start separating the different applications
64
00:03:40,086 --> 00:03:43,356
so the operating system can
distinctly understand
65
00:03:43,356 --> 00:03:45,516
which traffic goes to which application.
66
00:03:45,886 --> 00:03:48,926
Now, there are a lot of transport protocols.
67
00:03:48,996 --> 00:03:53,826
Again, I'll remind you, the OSI
model is a standard of standards.
68
00:03:54,116 --> 00:03:58,056
The transport layer is just a shell but inside
of there, there's all kinds of standards
69
00:03:58,056 --> 00:04:04,066
like TCP is one of them, UDP is
another, ICMP is yet another,
70
00:04:04,066 --> 00:04:07,866
ESP that's used for VPN connections,
and things like that.
71
00:04:07,866 --> 00:04:12,836
Even-- you'll start seeing protocols
like OSPF and EIGRP, I mean all these--
72
00:04:12,836 --> 00:04:17,326
all of these kind of squeeze right into
that green box known as the transport layer.
73
00:04:17,676 --> 00:04:24,596
But when we're talking about programs, talking
across the network, they primarily use one
74
00:04:24,596 --> 00:04:28,836
of two protocols, UDP, that's
our unreliable version.
75
00:04:28,886 --> 00:04:35,136
It's saying, "I hope it gets there," or
TCP, that's the "I know it got there."
76
00:04:35,136 --> 00:04:36,996
That's the reliable version of this.
77
00:04:37,316 --> 00:04:39,606
So UDP is the user datagram protocol.
78
00:04:39,606 --> 00:04:41,696
TCP, transmission control protocol.
79
00:04:41,696 --> 00:04:42,696
That's what they stand for.
80
00:04:42,936 --> 00:04:45,986
And that they combine together with,
you know, the subprotocols below,
81
00:04:45,986 --> 00:04:51,546
that's why TCP/IP got its name;
it's not really that that's the protocol,
82
00:04:51,546 --> 00:04:52,706
it's the suite of protocols.
83
00:04:52,926 --> 00:04:57,826
The most common being TCP and IP combined
together to make network communication happen.
84
00:04:57,966 --> 00:05:01,596
So, first off, let's get into UDP.
85
00:05:01,596 --> 00:05:05,716
And I talked one more time about the OSI model,
I got it in a little, little bit of this like,
86
00:05:05,716 --> 00:05:09,486
why would you want to send something
unreliable like, "I hope it gets there"?
87
00:05:10,216 --> 00:05:14,416
Well, the first thing to understand is
that there is a cost to reliability.
88
00:05:15,046 --> 00:05:20,256
In order to say, "I know it got there,"
there's a lot of setup that takes place.
89
00:05:20,616 --> 00:05:23,976
The first thing that happens is
something known as the 3-way handshake,
90
00:05:24,126 --> 00:05:28,596
and I'll explain that in just a
moment, but essentially the two devices
91
00:05:28,596 --> 00:05:32,126
that are talking together have to
establish a session between each other,
92
00:05:32,126 --> 00:05:34,406
make sure that, "Okay, we agree to talk, okay.
93
00:05:34,406 --> 00:05:34,886
That's good."
94
00:05:34,886 --> 00:05:39,346
Okay. That's a little time right there and
a little time to establish that session.
95
00:05:39,696 --> 00:05:45,876
Then every single packet that gets sent or
every stream of communication that gets sent,
96
00:05:45,876 --> 00:05:47,526
I'm going to just write something up here.
97
00:05:48,946 --> 00:05:52,796
It's my reminder.
98
00:05:52,936 --> 00:05:55,996
[Laughs] Every stream of things that
get sent between these things has
99
00:05:55,996 --> 00:05:58,816
to get an acknowledgment
back saying, "I got it."
100
00:05:58,946 --> 00:06:05,426
Again, more overhead, more delay where some
things just may not need that sort of thing.
101
00:06:05,906 --> 00:06:10,956
I want to give you-- now, I gave you the
example back in the OSI model of things
102
00:06:10,956 --> 00:06:15,616
that do not need reliable
communications being like voice over IP
103
00:06:16,176 --> 00:06:19,326
where I have an IP phone talking to an IP phone.
104
00:06:19,646 --> 00:06:23,736
You know, there's a stream of data going between
the two, if something is dropped, it's gone.
105
00:06:23,736 --> 00:06:27,776
There's no use in retransmitting it at a
later time because it's real time traffic.
106
00:06:27,976 --> 00:06:29,816
Same thing with video over IP.
107
00:06:30,036 --> 00:06:36,466
But, there's also some other data
applications out there that use UDP as well.
108
00:06:36,666 --> 00:06:41,306
I want to give you one that you use
every single day and that is DNS.
109
00:06:43,056 --> 00:06:48,036
DNS, the domain name service,
translates names to IP addresses,
110
00:06:48,036 --> 00:06:50,206
because remember in the OSI
model, it's not-- we--
111
00:06:50,206 --> 00:06:55,436
at this network layer, we can't
squeeze in www.google.com.
112
00:06:55,436 --> 00:06:56,796
It deals with IP, the IP protocol.
113
00:06:57,086 --> 00:07:01,146
So, we have to have some kind of
system that takes these friendly names
114
00:07:01,146 --> 00:07:05,756
like I put wireshark.org, I'm going to show
that to you in a moment, or cbtnuggets.com
115
00:07:05,756 --> 00:07:08,836
and translates it to what
IP address is really there.
116
00:07:09,176 --> 00:07:15,046
DNS, at least the client version of
it that we use everyday, uses UDP.
117
00:07:15,726 --> 00:07:17,576
So, let's check this out.
118
00:07:17,846 --> 00:07:19,866
I'm going to bring up Wireshark.
119
00:07:20,346 --> 00:07:22,996
Now, I want to give you a
little basics of this program.
120
00:07:24,216 --> 00:07:28,476
Wireshark will be flat overwhelming
if you just open it up and say,
121
00:07:28,476 --> 00:07:30,396
"Okay, let's see what's happening."
122
00:07:30,396 --> 00:07:33,316
If you've never done this before, I
mean people get scared, they back off.
123
00:07:33,316 --> 00:07:35,516
They're like, "Aah, I don't
want to use that again."
124
00:07:35,516 --> 00:07:39,906
But, let me give you the basics which will
really get you started and I tell you what,
125
00:07:39,906 --> 00:07:44,546
if somebody would have sat down with me in my
early days of networking and just said, "Hey,
126
00:07:44,546 --> 00:07:46,756
Jeremy, let's just sit down for a second.
127
00:07:46,756 --> 00:07:50,266
Let me give you a 5-minute tutorial of
this tool that will change your life."
128
00:07:50,546 --> 00:07:51,906
You know, I would have been
like, "Great, thanks."
129
00:07:52,086 --> 00:07:56,256
You know, just, you know, the fear of
it is what held me back for so long.
130
00:07:56,606 --> 00:07:58,776
But, this is Wireshark 1.82.
131
00:07:59,096 --> 00:07:59,946
It is free.
132
00:07:59,946 --> 00:08:04,316
You go to wireshark.org and just
go to their little download page
133
00:08:04,316 --> 00:08:06,316
and they'll automatically
detect your operating system.
134
00:08:06,316 --> 00:08:07,806
You can put it on there, it's good.
135
00:08:07,806 --> 00:08:14,636
So, once you get Wireshark installed, it's just
literally a next, next finish sort of install.
136
00:08:14,816 --> 00:08:16,226
This is what pops up.
137
00:08:16,466 --> 00:08:21,826
Now, the key icon you want to go to is
this list available capture interfaces.
138
00:08:21,826 --> 00:08:26,606
And, trust me, this is a massive utility.
139
00:08:27,276 --> 00:08:28,326
There's a lot to it.
140
00:08:28,326 --> 00:08:31,736
I just want to get you the core that will
get you started in doing what you need to do.
141
00:08:32,246 --> 00:08:33,256
So, I click on this.
142
00:08:33,336 --> 00:08:36,886
And right here, I can see the
interfaces that are on my computer.
143
00:08:37,226 --> 00:08:43,246
Now, I see this sun which, if you remember
I had it when I went to my control panel,
144
00:08:44,196 --> 00:08:46,376
and did my network status, look to my adaptor,
145
00:08:46,376 --> 00:08:53,056
I had this little virtual box host only that's
installed by the virtual box application.
146
00:08:53,056 --> 00:08:54,416
It's a little virtual machine thing.
147
00:08:54,706 --> 00:08:57,566
It's developed by Oracle,
Sun Oracle, they merge.
148
00:08:57,826 --> 00:09:01,506
And so, that's what this little adaptor is and
I can look, that's why I always go to this view.
149
00:09:01,506 --> 00:09:06,506
I'm like, "Okay, not much happening there"
'cause if I'm looking here trying to start,
150
00:09:06,506 --> 00:09:10,396
you know, pick one, you can start it from here
but if I don't, I don't know which one it is.
151
00:09:10,396 --> 00:09:12,576
You know, I want to see,
where's the traffic happening?
152
00:09:12,576 --> 00:09:13,066
So, I go, "Okay."
153
00:09:13,066 --> 00:09:16,286
Well, it looks like this is where
there's some communication happening,
154
00:09:16,286 --> 00:09:19,386
so I'm going to click check
on this and do start.
155
00:09:20,056 --> 00:09:25,526
What I'm going to start seeing is the
communication that's going across the network
156
00:09:25,526 --> 00:09:29,616
and this is where a lot of people
go, "Ooh, aah, what's going on?"
157
00:09:29,616 --> 00:09:32,296
You know, they're not too sure what to do.
158
00:09:32,456 --> 00:09:37,876
So, right now, this is-- not much is
going on, 29 packets are happening.
159
00:09:37,876 --> 00:09:41,076
I can see Spanning Tree Protocol running
in the background, some other, you know,
160
00:09:41,106 --> 00:09:45,706
just normal network traffic
discovering and communicating with things
161
00:09:45,706 --> 00:09:46,836
that are going on in the network.
162
00:09:46,836 --> 00:09:51,896
Now, as soon as I open a web browser
and let me move this to the side
163
00:09:51,896 --> 00:09:57,106
so you can see, and let's just go to msn.com.
164
00:09:57,106 --> 00:09:57,776
And look at that.
165
00:09:57,776 --> 00:10:02,706
I mean, we went from like 29, 30, 50 and
all the way up, you know, msn.com came up
166
00:10:02,706 --> 00:10:06,816
and now we're at packet number 1095, you know.
167
00:10:07,396 --> 00:10:10,386
All of these things are going
on and what just happened?
168
00:10:10,596 --> 00:10:16,666
We just had a ton of network communication that
comprised 1,200 or 1,280 individual packets.
169
00:10:16,666 --> 00:10:18,526
So, that's where people go "Huh!
170
00:10:18,526 --> 00:10:19,286
It's overwhelming."
171
00:10:19,286 --> 00:10:21,026
How do-- you know, how do I now sift
172
00:10:21,026 --> 00:10:24,796
through 1,200 individual packets
to really see what's going on.
173
00:10:25,636 --> 00:10:28,836
We'll, I'll explain that in just a moment
but let's look at the matter at hand.
174
00:10:29,026 --> 00:10:30,906
I want to talk about DNS.
175
00:10:32,086 --> 00:10:37,166
DNS resolves names to IP
addresses and I'm going to show you
176
00:10:37,166 --> 00:10:40,256
that this is using UDP as
its protocol to do it.
177
00:10:40,256 --> 00:10:42,426
Now, the first thing that's
happening is I'm like "Aah!
178
00:10:42,716 --> 00:10:45,416
This is just-- it's too much,
I want to put a filter on."
179
00:10:45,706 --> 00:10:49,296
Let me show you one of the handiest
filters that you will likely use.
180
00:10:49,336 --> 00:10:53,636
It is coming up here, you click in this
little filter box and you'll find, I mean,
181
00:10:53,636 --> 00:10:57,716
you can build your own, you can click on this
and it lets you, you know, click through
182
00:10:57,716 --> 00:11:02,516
and kind of-- almost like that's GUI-based,
like if I just want to see the UDP traffic
183
00:11:02,516 --> 00:11:08,656
or the TCP traffic, I can do that but I'm
just going to go in here and just say ip.addr,
184
00:11:08,656 --> 00:11:14,016
IP address equals 4.2.2.2, enter.
185
00:11:14,016 --> 00:11:14,866
Now, what is that?
186
00:11:15,756 --> 00:11:18,766
Actually, you know what, I'm
going to even change that further.
187
00:11:18,766 --> 00:11:22,326
Let me go 4.2.2.3, enter,
blanks it out completely.
188
00:11:22,806 --> 00:11:28,666
What that does is say, only show me
the traffic that is going to 4.2.2.3.
189
00:11:29,676 --> 00:11:30,706
Getting that so far?
190
00:11:30,706 --> 00:11:33,276
So, right now, how much traffic is going there?
191
00:11:33,616 --> 00:11:38,256
Nothing. Because nothing is actually accessing
that IP address so my display is nice and empty.
192
00:11:38,316 --> 00:11:41,686
So now, I'm going to use
DNS to do a little testing.
193
00:11:41,976 --> 00:11:46,736
I'm going to open a command prompt in
windows, start, you can browse to it,
194
00:11:46,736 --> 00:11:52,226
accessories all that, or just type in start run
CMD and bring this to the middle of the screen.
195
00:11:52,646 --> 00:11:56,766
And, show you first of, when I
do IP config forward slash all,
196
00:11:57,196 --> 00:12:01,066
I have in my list my DNS servers,
197
00:12:01,746 --> 00:12:06,226
shows the primary DNS server my
computer is using is 4.2.2.2.
198
00:12:06,736 --> 00:12:09,686
The secondary is 4.2.2.3.
199
00:12:09,966 --> 00:12:11,426
Now, how did those get there?
200
00:12:11,636 --> 00:12:13,006
Well, that was through DHCP.
201
00:12:13,006 --> 00:12:17,646
When DHCP gives me an IP address, it can also
assign me DNS servers, the default, gateway,
202
00:12:17,646 --> 00:12:20,056
all that kind of stuff, and so this
is the DNS server I was assigned.
203
00:12:20,056 --> 00:12:24,306
Now, since this is the primary, remember when I
was looking at Wireshark, when I set the filter
204
00:12:24,306 --> 00:12:32,676
to say 4.2.2.2, oh, okay, my capture is
still going so it's getting obnoxiously big.
205
00:12:32,976 --> 00:12:36,276
But-- so let me-- I'm going to stop the
capture because we've got enough data.
206
00:12:36,496 --> 00:12:40,246
I can see all of these little DNS queries
but this is kind of-- it's too much.
207
00:12:40,246 --> 00:12:42,996
I want to do a little demonstration version,
208
00:12:42,996 --> 00:12:46,866
so I'm going to filter this
down and just see 4.2.2.3.
209
00:12:48,206 --> 00:12:52,396
Now, I stopped the capture so nothing-- oh
[laughs] I suppose I should start the capture.
210
00:12:52,396 --> 00:12:54,806
I was just thinking-- so
nothing new is coming in.
211
00:12:55,106 --> 00:12:58,136
So, I'm going to start the capture
and let's say-- let's begin this.
212
00:12:58,136 --> 00:13:02,226
It's going to ask me, "Do you
want to delete the old capture?"
213
00:13:02,226 --> 00:13:04,686
Once I click save, it would say, "Hey,
do you want to delete the old one?"
214
00:13:04,686 --> 00:13:05,596
Absolutely.
215
00:13:05,596 --> 00:13:07,006
I'm, you know, I don't need the old one.
216
00:13:07,006 --> 00:13:12,196
So, I'm looking-- I'm capturing traffic just for
4.2.2.3, that's the filter of what I'm seeing.
217
00:13:12,746 --> 00:13:17,166
I'm going to open my command prompt and
show you a handy utility called nslookup.
218
00:13:19,076 --> 00:13:25,486
What this is, is a utility that
allows you to ask questions of DNS,
219
00:13:26,216 --> 00:13:29,826
so what it's doing is this is coming
up and say, "Okay, well, right now.
220
00:13:30,066 --> 00:13:33,226
You can ask a question of 4.2.2.2.
221
00:13:33,226 --> 00:13:33,926
And, I would say, "Okay.
222
00:13:33,926 --> 00:13:38,066
Well, I want to see who is www.cbtnuggets.com."
223
00:13:38,356 --> 00:13:43,626
And, 4.2.2.2 comes back and says, "Well,
actually, they have two IP addresses associated
224
00:13:43,626 --> 00:13:45,426
with them, this one and this one."
225
00:13:45,706 --> 00:13:47,886
Well, which one am I going to use.
226
00:13:47,886 --> 00:13:50,386
Well, the way it works is it's
going to do a round robin.
227
00:13:50,386 --> 00:13:54,026
Maybe the first time I'm going to use this
one, the second time I'm going to use this one.
228
00:13:54,316 --> 00:13:57,796
And, the name kind of gives
me a little clue right here.
229
00:13:57,796 --> 00:13:58,996
It says, web balancer.
230
00:13:58,996 --> 00:13:59,726
I'm going, "Okay."
231
00:13:59,726 --> 00:14:01,966
So, this is some kind of load balancing.
232
00:14:01,966 --> 00:14:04,746
You know, maybe CBT Nuggets has
enough traffic that they say,
233
00:14:04,746 --> 00:14:06,186
"I don't want just one web server.
234
00:14:06,186 --> 00:14:08,856
I want to kind of balance that
between a couple web servers."
235
00:14:08,856 --> 00:14:11,866
I mean we see that again
if I type in google.com.
236
00:14:11,866 --> 00:14:13,956
And, I mean, "Hello, Google."
237
00:14:14,116 --> 00:14:17,026
They're definitely trying to
balance that load 'cause obviously,
238
00:14:17,026 --> 00:14:18,646
how many people use Google everyday.
239
00:14:18,736 --> 00:14:24,896
So now, what I'm going to do, I
was asking questions of 4.2.2.2.
240
00:14:25,086 --> 00:14:25,976
I'm going to change them.
241
00:14:25,976 --> 00:14:30,366
I'm going to do server equals 4.2.2.3.
242
00:14:32,546 --> 00:14:35,466
And so, I'm changing the-- wait a second.
243
00:14:35,626 --> 00:14:38,996
Server? I don't know why but equals [inaudible].
244
00:14:39,326 --> 00:14:46,086
Server space 4.2.2.3 which now
sets my DNS server to this address.
245
00:14:46,766 --> 00:14:48,206
Now, watch what happens.
246
00:14:48,206 --> 00:14:51,876
I'm going to do-- I want to
do a lookup for what's that--
247
00:14:51,876 --> 00:14:57,646
a small website that would've be--
oh, I have a blog, tekcert.com.
248
00:14:57,876 --> 00:15:03,246
I blog with another guy out there, comes back
and says, "Aha, tekcert.com is this IP address."
249
00:15:03,246 --> 00:15:06,786
But now, did you see behind the
scene is like, Wireshark is like,
250
00:15:06,786 --> 00:15:09,096
"I saw something happened right there."
251
00:15:09,096 --> 00:15:12,336
So, what happens is this
guy went out and said, "Hey,
252
00:15:12,436 --> 00:15:19,706
I want to find out what is the IP
address for tekcert.com.home.local?"
253
00:15:20,426 --> 00:15:24,166
[laughs] What the-- you know,
where did that come from?
254
00:15:24,406 --> 00:15:30,186
I typed in tekcert.com and the only way I
would know this is if I was using Wireshark
255
00:15:30,186 --> 00:15:34,686
and it went out and said, "Well, actually, I
want to ask the server, you know the DNS server,
256
00:15:34,686 --> 00:15:38,516
I want to find out who tekcert.com.home.local
is."
257
00:15:38,516 --> 00:15:41,526
Now, why on earth did it do that?
258
00:15:42,106 --> 00:15:47,016
Well, when you dig a little bit
deeper, let me go back here in my--
259
00:15:47,016 --> 00:15:50,646
create a second command prompt,
and I do an IP config slash all,
260
00:15:50,806 --> 00:16:00,256
one of the things that you can do with DNS
is assign computers, a default DNS suffix.
261
00:16:00,796 --> 00:16:01,966
Suffix, where does that go?
262
00:16:02,076 --> 00:16:03,066
At the end right?
263
00:16:03,386 --> 00:16:08,426
So, that would allow somebody, for instance if I
assign the home.local suffix, it allows somebody
264
00:16:08,426 --> 00:16:12,116
to say, "I want to ping," you know, maybe
the server and hit enter and it's going
265
00:16:12,216 --> 00:16:17,946
to automatically try to ping server.home.local,
maybe that's my local DNS domain that I have
266
00:16:17,946 --> 00:16:19,926
for my house or something like that.
267
00:16:19,926 --> 00:16:24,666
So immediately, when I tried to ping tag or look
up tekcert.com, it came back and it was like,
268
00:16:24,666 --> 00:16:27,606
"Well, I'm going to try and
look up tekcert.com.home.local."
269
00:16:27,606 --> 00:16:28,986
Now, before we go on.
270
00:16:29,546 --> 00:16:31,886
You can even see the reply right here.
271
00:16:31,886 --> 00:16:34,436
It's saying, "There's no such thing.
272
00:16:34,436 --> 00:16:38,376
I don't know of a tekcert.com.home.local,"
is the DNS server's reply.
273
00:16:38,376 --> 00:16:42,516
But, let's dig a little bit deeper
because Wireshark actually breaks
274
00:16:42,516 --> 00:16:45,796
down communication in the
layers of the OSI model.
275
00:16:46,286 --> 00:16:51,556
At the very, very, very bottom is, you
know, essentially as physical as it can get.
276
00:16:51,556 --> 00:16:54,416
It's saying, "Hey, this is
how big the data was."
277
00:16:54,416 --> 00:16:58,146
This is, you know, how many bytes
were actually sent on the wire.
278
00:16:58,146 --> 00:17:01,026
I mean think of this top
one as the physical layer.
279
00:17:01,626 --> 00:17:03,716
Then, we come right here to the data link layer.
280
00:17:04,116 --> 00:17:05,526
Now, what do we expect to see there?
281
00:17:06,076 --> 00:17:07,326
MAC addresses.
282
00:17:07,326 --> 00:17:12,086
And sure enough I see that I
have the source MAC address--
283
00:17:12,086 --> 00:17:15,706
this is my computer right here
and, you know, let's prove it.
284
00:17:15,706 --> 00:17:19,006
I mean, let's make sure we're
doing what's real here.
285
00:17:19,286 --> 00:17:25,396
I'll do IP config forward slash
all and come up and look again.
286
00:17:25,396 --> 00:17:31,026
And, I look at my MAC address C8-C0, you
know, and the last four digits 6C-32.
287
00:17:31,026 --> 00:17:35,246
I'm looking over here right there and
sure enough, C8-60, so I go, "Okay".
288
00:17:35,416 --> 00:17:37,536
Well, I was the source, this is me.
289
00:17:37,906 --> 00:17:40,576
And then, I went to the destination of--
290
00:17:40,576 --> 00:17:44,716
I actually have a little Cisco
firewall that runs my location here.
291
00:17:45,006 --> 00:17:45,796
And, it says, "Okay.
292
00:17:45,796 --> 00:17:48,636
Well, I sent it to this MAC
address as the destination."
293
00:17:48,636 --> 00:17:52,966
Ahh, you see-- so, wow, this
is really, really good, right?
294
00:17:52,966 --> 00:17:57,446
So, it starts putting reality to a lot of the
discussions we've had up 'till now on, okay,
295
00:17:57,446 --> 00:17:58,776
it's got the MAC addresses in there.
296
00:17:59,106 --> 00:18:01,346
Then it says, "Okay, well, what IP address is?"
297
00:18:01,346 --> 00:18:03,796
Where-- so, layer one, layer two, layer three.
298
00:18:03,796 --> 00:18:07,486
IP addresses were actually coming from
the source of this, that's my computer,
299
00:18:07,796 --> 00:18:11,016
destination of this, the two DNS server.
300
00:18:11,446 --> 00:18:17,916
And now we come to the point that started
this entire discussion, the UDP protocol.
301
00:18:18,456 --> 00:18:20,726
DNS actually uses UDP.
302
00:18:20,726 --> 00:18:23,706
Look at it, User Datagram Protocol, UDP.
303
00:18:23,706 --> 00:18:26,966
This is layer one, two, three, and four.
304
00:18:27,226 --> 00:18:34,716
It's saying, "I'm coming from the source port,
60353, going to the destination port, 53."
305
00:18:35,306 --> 00:18:37,666
Okay, stop right there.
306
00:18:37,906 --> 00:18:44,726
What that says to me is that my
computer contacted this DNS server.
307
00:18:45,826 --> 00:18:47,876
[Inaudible] .72 is the last octet.
308
00:18:47,876 --> 00:18:55,906
This is 4.2.2.3 is that DNS server and it
went to a destination port of UDP port 53.
309
00:18:56,586 --> 00:18:58,576
Oh, three is a little odd there.
310
00:18:58,576 --> 00:19:03,396
Okay, 53, and it came from
a source port of 60353.
311
00:19:03,796 --> 00:19:09,596
Now this is a well known, I'll
put W/K, well-known port for DNS.
312
00:19:09,916 --> 00:19:15,876
As in all the DNS servers in the world respond
on port UDP 53, that's where they expect
313
00:19:15,876 --> 00:19:22,026
to receive requests, and all the computers in
the world by default will ask questions directed
314
00:19:22,026 --> 00:19:24,716
at UDP port 53 of their DNS server.
315
00:19:25,686 --> 00:19:28,526
Now, Windows generated a dynamic port.
316
00:19:28,526 --> 00:19:32,446
This is not a well-known port at all, this
is considered my source port saying, "Hey,
317
00:19:32,626 --> 00:19:36,296
my question is coming from
the source port 60353."
318
00:19:36,596 --> 00:19:40,416
So when this guy replies back and says,
"I have no idea what you're talking about.
319
00:19:40,416 --> 00:19:42,786
There is no such thing as tekcert.home.local."
320
00:19:44,376 --> 00:19:45,156
Excuse me.
321
00:19:45,156 --> 00:19:50,726
He's actually going to be coming from source
of port 53 going to destination of 60353.
322
00:19:50,726 --> 00:19:51,976
But Windows expected that.
323
00:19:52,026 --> 00:19:54,976
They'd expected to get a
response back on that source port
324
00:19:54,976 --> 00:19:59,356
and that's actually one of
the reasons why DNS uses UDP.
325
00:20:00,306 --> 00:20:05,396
This is kind of a stimulus response
sort of thing to where I'm going to say,
326
00:20:05,396 --> 00:20:10,396
"I want to know who tekcert-- but
I'll just put tk.com really is,"
327
00:20:10,576 --> 00:20:13,096
and the DNS server will say,
"Okay, here's your answer."
328
00:20:13,346 --> 00:20:17,216
Now that's all the communication that
really goes on between them is, what's this,
329
00:20:17,276 --> 00:20:19,876
here's your answer, what's this, here's your
answer, what's this, here's your answer.
330
00:20:20,146 --> 00:20:25,176
It would just be a waste of time to say,
"Okay, let's build a session between us.
331
00:20:25,176 --> 00:20:27,016
You know, are you okay talking?"
332
00:20:27,016 --> 00:20:27,766
The other one is like, "Yes.
333
00:20:27,766 --> 00:20:28,426
Let's build this."
334
00:20:28,426 --> 00:20:30,876
And I'm getting into the 3-way
handshake, you know, building a session.
335
00:20:31,076 --> 00:20:36,216
Okay. Now I want to know what is the name or
IP address of tekcert.com and then, you know,
336
00:20:36,216 --> 00:20:37,936
send the acknowledgment that
you got my question.
337
00:20:37,936 --> 00:20:39,146
He is like, "Okay, got it.
338
00:20:39,146 --> 00:20:41,306
I got your question and here's the answer."
339
00:20:41,306 --> 00:20:42,836
It's like, good grief.
340
00:20:42,836 --> 00:20:47,316
Why do you need all that overhead just
to get the answer of who is tekcert.com?"
341
00:20:47,626 --> 00:20:51,746
So, with DNS, it's geared in such a way
that you say, "Hey, who's tekcert.com?"
342
00:20:52,026 --> 00:20:56,186
And if your computer doesn't get an answer
back, it's configured to say, "Well,
343
00:20:56,256 --> 00:20:59,236
I hope they got there but I don't think it
got there 'cause I didn't get an answer back.
344
00:20:59,476 --> 00:21:00,486
Well let me ask again."
345
00:21:00,746 --> 00:21:04,636
And so it will keep trying to ask because
maybe the packet did get dropped somewhere
346
00:21:04,636 --> 00:21:07,676
between here and California
during that communication.
347
00:21:07,756 --> 00:21:11,376
So, that's the idea of those port numbers.
348
00:21:11,376 --> 00:21:15,436
Now let's go back to Wireshark and
look at this communication as a whole.
349
00:21:15,676 --> 00:21:19,536
So it's saying, "Okay, who
is tekcert.com.home.local?"
350
00:21:19,786 --> 00:21:23,096
This guy comes back and it's like, no
such thing, I don't know who that is.
351
00:21:23,166 --> 00:21:28,136
Now notice, it's asking for an
A record, a DNS that's alias,
352
00:21:28,136 --> 00:21:30,876
that's the normal record that people ask for.
353
00:21:31,116 --> 00:21:32,626
So, it's like, no such thing.
354
00:21:32,626 --> 00:21:35,246
So it comes and say, "Okay, well let's try this.
355
00:21:35,446 --> 00:21:38,246
I would like an AAAA record."
356
00:21:38,246 --> 00:21:41,096
He's saying, "If I'm looking
for this kind of record
357
00:21:41,096 --> 00:21:44,216
for tekcert.com.home.local,
do you know who that is now?"
358
00:21:44,406 --> 00:21:46,376
And he's like, "No, still no such name."
359
00:21:47,056 --> 00:21:49,596
So okay, what's the difference here versus here?
360
00:21:50,016 --> 00:21:56,736
Well, this is looking for the IPv4
address of tekcert.com.home.local.
361
00:21:56,736 --> 00:22:00,046
AAAA record is actually an IPv6 address.
362
00:22:00,116 --> 00:22:02,146
So it's saying, "Okay, that didn't go so well.
363
00:22:02,336 --> 00:22:07,956
Maybe he's on TCP/IP version 6 because
since Windows XP Service Pack 3,
364
00:22:08,246 --> 00:22:11,806
all the Windows operating
systems have had IPv6 enabled
365
00:22:11,806 --> 00:22:13,526
by default so they-- they're balance today.
366
00:22:13,526 --> 00:22:14,796
He's like, "No, still no such thing."
367
00:22:14,796 --> 00:22:22,536
So then he comes back and he's like, "Okay, well
then, do you have an IP address for tekcert.com?
368
00:22:22,666 --> 00:22:23,856
How about just tekcert.com?"
369
00:22:23,856 --> 00:22:26,316
He comes back and he goes, "Actually, I do."
370
00:22:26,316 --> 00:22:29,936
And we can expand that out and we can
find out, "Oh well, here is the query,
371
00:22:29,936 --> 00:22:31,916
tekcert.com and here is the answer.
372
00:22:32,216 --> 00:22:35,636
Tekcert.com came back and this is
the IP address that I received."
373
00:22:36,496 --> 00:22:41,706
Wow, do you see how this
can be really, really handy?
374
00:22:41,756 --> 00:22:43,176
If, I mean, think about it.
375
00:22:43,176 --> 00:22:47,346
Let's say we're sitting here and
you type in, you know, whatever.
376
00:22:47,346 --> 00:22:50,096
You know, you're looking something up and
it comes back and he's like no response
377
00:22:50,096 --> 00:22:53,636
or request timed out or, you
know, something like that.
378
00:22:53,636 --> 00:22:56,206
And let's just put Bob.com.
379
00:22:56,236 --> 00:22:57,366
And, you know, it fills that.
380
00:22:57,366 --> 00:23:00,806
We've got all, you know, tries again
Bob.com and we get this answer back.
381
00:23:01,086 --> 00:23:04,256
But what, you know, what if
it never got the answer back?
382
00:23:04,256 --> 00:23:07,416
It just said, you know, request
timed out, request timed out.
383
00:23:07,416 --> 00:23:08,976
And you're like, "What's going on?"
384
00:23:09,426 --> 00:23:12,766
I mean, without this tool in the
background, you have no idea.
385
00:23:12,856 --> 00:23:16,216
I mean, this tool is what-- oh,
it's looking for Bob.com.home.local,
386
00:23:16,216 --> 00:23:18,036
it's not supposed to do that,
why is it doing that?
387
00:23:18,036 --> 00:23:20,456
So that's why Wireshark is really handy.
388
00:23:20,456 --> 00:23:22,906
So, bring that back around.
389
00:23:23,196 --> 00:23:25,266
That's the basics of Wireshark.
390
00:23:25,266 --> 00:23:29,106
Again, without this filter, it's
going to be just plain overwhelming,
391
00:23:29,106 --> 00:23:34,676
but if you can filter it down and start
to really look and analyze these packets,
392
00:23:35,046 --> 00:23:36,786
you can get quite a bit out of it.
393
00:23:38,006 --> 00:23:42,886
So let me clear off this slate and get back
to the topic at hand which is TCP and UDP.
394
00:23:42,886 --> 00:23:45,866
UDP I think we've got, it's just--
it's a wing-it protocol, all right?
395
00:23:45,866 --> 00:23:49,476
You kind of chop the packet, you hope it gets
there and if a response comes back, great.
396
00:23:49,656 --> 00:23:51,146
You know, that's how it works.
397
00:23:51,566 --> 00:23:54,636
TCP is the, "I know it got there" protocol.
398
00:23:55,146 --> 00:24:00,446
The way that it does that is by using initially
a 3 way handshake to establish the session
399
00:24:00,916 --> 00:24:05,066
and then it uses acknowledgments to make
sure that every single packet was received.
400
00:24:05,386 --> 00:24:10,016
Now, let me break that down into the
fundamentals of how this protocol really works.
401
00:24:10,456 --> 00:24:14,476
When I have a computer here,
and I say, "I want to go to--
402
00:24:14,476 --> 00:24:21,406
let's just say I want to surf the
web and go to cbtnuggets.com."
403
00:24:21,596 --> 00:24:22,906
That will be our example.
404
00:24:24,356 --> 00:24:28,436
HTTP is a TCP-based protocol.
405
00:24:28,826 --> 00:24:32,816
It uses-- it says, "I want to have
reliability otherwise web pages might show up."
406
00:24:32,816 --> 00:24:37,086
You know, things missing off of them
and all that now, and that may happen
407
00:24:37,086 --> 00:24:40,746
but it's not TCP's fault, it's--
somebody made a bad web page.
408
00:24:41,076 --> 00:24:44,746
But TCP makes sure that all of your
traffic gets between these two.
409
00:24:45,116 --> 00:24:47,676
Now, when this guy starts, here's how it works.
410
00:24:48,636 --> 00:24:54,956
He will send-- when he realizes, okay, I've got
the IP address 'cause I looked it up via DNS.
411
00:24:54,956 --> 00:25:02,146
The IP address of CBT Nuggets, let's just use
some reality here, cbtnuggets.com., there we go.
412
00:25:02,146 --> 00:25:03,556
Is-- let's just grab this first one,
413
00:25:03,556 --> 00:25:10,086
18472 so I'll just go 1184.72 dot dot
dot, you know, that's the IP address.
414
00:25:10,086 --> 00:25:17,726
He's going to send-- the very first packet
will be what's called a SYN packet saying,
415
00:25:18,056 --> 00:25:21,766
"Hey CBT Nuggets, I would like
to start a discussion with you."
416
00:25:22,606 --> 00:25:26,706
Are you-- essentially, let me put in
plain English and then I'll get technical.
417
00:25:26,886 --> 00:25:27,766
"Are you okay with that?"
418
00:25:28,236 --> 00:25:32,106
CBT Nuggets says, "Yes, I am okay with that."
419
00:25:32,266 --> 00:25:39,986
SYN ACK. That means, I'm sending a
synchronization bit, if you will.
420
00:25:39,986 --> 00:25:42,366
I'm saying, yes, I would
like to start talking to you,
421
00:25:42,366 --> 00:25:45,356
which is what these do, and
I'm acknowledging yours.
422
00:25:45,356 --> 00:25:49,116
I'm saying, "I got yours" that's the
acknowledgment "And here's mine."
423
00:25:49,636 --> 00:25:53,136
So, this guy replies back with one final ACK.
424
00:25:53,206 --> 00:25:55,486
What do you think that's there for?
425
00:25:57,506 --> 00:25:58,036
I got that.
426
00:25:58,536 --> 00:26:00,816
I got the SYN message from you.
427
00:26:00,816 --> 00:26:06,116
So I'm acknowledging that we're good, and
that is what they call a TCP 3-way handshake.
428
00:26:06,116 --> 00:26:11,126
Every single time you start a session,
it's going to do that with the destination.
429
00:26:11,336 --> 00:26:14,036
As a matter of fact, let's--
I am all about Wireshark.
430
00:26:14,036 --> 00:26:15,506
Let's prove it to ourselves, right?
431
00:26:15,756 --> 00:26:18,986
Let's stop this capture, I'm
just going to close this guy.
432
00:26:19,576 --> 00:26:20,766
Continue without saving.
433
00:26:20,766 --> 00:26:24,696
Okay. Let's clear the filter off
and let's just start to capture.
434
00:26:24,696 --> 00:26:28,756
We'll just go to one website so it should
be pretty easy to pull out, click on start.
435
00:26:29,286 --> 00:26:33,726
I'm going to go to cbtnuggets.com.
436
00:26:35,136 --> 00:26:37,096
Enter, boom, stop the capture.
437
00:26:37,316 --> 00:26:42,116
I got a whole bunch of data, 400 some packets
that were sent to generate CBT Nuggets website.
438
00:26:42,346 --> 00:26:45,306
Let's go all the way back to the
beginning up here where it all happened.
439
00:26:45,596 --> 00:26:52,956
Notice that right here my-- now, now you might
say, "Well I don't see any DNS, you know,
440
00:26:53,036 --> 00:26:58,246
question for who is cbtnuggets.com, I see, you
know, Wireshark weaseled its way in there."
441
00:26:58,546 --> 00:27:02,796
But, you know, what's happened is
my computer cached the DNS response.
442
00:27:02,796 --> 00:27:06,506
It remembers who CBT Nuggets is
because I've gone there before.
443
00:27:06,506 --> 00:27:09,296
Now, those caches will eventually
time out but they'll get there.
444
00:27:09,526 --> 00:27:10,326
Now, look right here.
445
00:27:10,326 --> 00:27:13,636
So, we have Google, we're talking
to Google and you might say, "Well,
446
00:27:13,966 --> 00:27:15,526
what's all this stuff happening?"
447
00:27:15,776 --> 00:27:19,336
Well, whenever you type, you know, I'm using
Google Chrome and I don't know if you've noticed
448
00:27:19,336 --> 00:27:23,966
but when you start typing you're like,
Jeremy, it's starting to, you know,
449
00:27:23,966 --> 00:27:27,076
figure out who will the, you know, who is--
450
00:27:27,076 --> 00:27:30,356
it's filling in all of this
data, so we're able to see.
451
00:27:30,606 --> 00:27:32,246
You know, oh, okay it's filling this in.
452
00:27:32,246 --> 00:27:34,426
So every single time, Google
is going, "Okay, well,
453
00:27:34,706 --> 00:27:38,416
let's find out who Jeremy
Cioara is and you click on it.
454
00:27:38,706 --> 00:27:41,226
That's-- it's kind of weird
[laughs], I'm looking myself up.
455
00:27:41,466 --> 00:27:43,146
But, you know, who is Jeremy Cioara?
456
00:27:43,146 --> 00:27:47,136
It's constantly going back and forth with Google
saying, "Okay, he typed an I, he typed an O,
457
00:27:47,136 --> 00:27:48,906
he typed an A," you know,
as it fills out the names.
458
00:27:48,906 --> 00:27:51,186
So that's what this little shindig was.
459
00:27:51,186 --> 00:27:52,726
Now, here's the meat of it.
460
00:27:52,726 --> 00:27:59,746
I come down right and I see, okay this is a
TCP-based message, three of them to be exact.
461
00:28:00,086 --> 00:28:08,486
Notice, SYN, SYN ACK, ACK, 3-way handshake,
SYN, SYN ACK, ACK, SYN, SYN ACK, ACK.
462
00:28:08,486 --> 00:28:12,286
Now, I want to go down a little
further because I'm noticing here--
463
00:28:12,286 --> 00:28:13,476
notice the source and destination.
464
00:28:13,476 --> 00:28:15,516
It came from this server
going to this one, right?
465
00:28:15,626 --> 00:28:19,956
SYN, SYN ACK, ACK and I go down a little bit
more and all of a sudden, I see another one.
466
00:28:20,276 --> 00:28:23,176
It's like, wait a second, SYN, SYN ACK, ACK.
467
00:28:23,726 --> 00:28:25,546
And so there's more than one.
468
00:28:25,816 --> 00:28:28,416
I go down and all of a sudden, I see
it looking up all the stuff, it's like,
469
00:28:28,626 --> 00:28:32,706
"I'm looking up some analytics, I'm
looking up cloudfront.net, Facebook.com."
470
00:28:32,706 --> 00:28:34,136
What on earth is going on?
471
00:28:34,316 --> 00:28:37,446
And all of a sudden I see all these-- okay,
SYN within, SYN within, SYN within, SYN within.
472
00:28:37,526 --> 00:28:40,476
All of these are SYNs and then I
start to, you know, look at these SYNs.
473
00:28:40,476 --> 00:28:43,616
It's starting all of the sessions
with all these different servers
474
00:28:43,726 --> 00:28:46,506
and then they all start coming back,
SYN ACK, SYN ACK, SYN ACK, SYN ACK.
475
00:28:46,506 --> 00:28:50,266
And then, you know, it's kind of like that
we get this big merge of ACK, ACK, ACK.
476
00:28:50,266 --> 00:28:52,496
You know, it's kind of a--
what on earth is going on?
477
00:28:52,496 --> 00:28:56,036
I just went to CBT Nuggets and all of a sudden,
I've got all of these sessions starting.
478
00:28:56,296 --> 00:29:00,396
Well, you remember, I think that I
talked about this in the previous Nugget
479
00:29:00,396 --> 00:29:03,326
but this web page is a framework of web pages.
480
00:29:03,486 --> 00:29:06,706
When you come here, there's something
on here that deals with Facebook.
481
00:29:06,706 --> 00:29:07,476
Ahh, there we go.
482
00:29:07,786 --> 00:29:10,306
They've got a little follow us on
Facebook link, maybe that's it.
483
00:29:10,306 --> 00:29:12,376
And they've got a little
link to Twitter or something
484
00:29:12,376 --> 00:29:14,316
that it pulled from Twitter and built this.
485
00:29:14,316 --> 00:29:16,876
So this web page is dynamic,
it's always changing,
486
00:29:16,876 --> 00:29:18,456
it's pulling from all these different servers.
487
00:29:18,456 --> 00:29:24,666
So when I come to cbtnuggets.com, I'm actually,
you know, these pictures, these videos,
488
00:29:24,666 --> 00:29:29,256
everything is pulling from all these different
servers, so that's why I see just getting shot
489
00:29:29,256 --> 00:29:32,516
into this world of SYN and SYN
ACKs but just get back to the base
490
00:29:32,516 --> 00:29:34,426
of it all, that's where it started.
491
00:29:34,626 --> 00:29:36,426
SYN, SYN ACK, ACK.
492
00:29:37,056 --> 00:29:39,266
So there's got to be more
to it than that, right?
493
00:29:39,266 --> 00:29:40,266
You know, there is.
494
00:29:41,066 --> 00:29:47,906
SYN, SYN ACK, and ACK introduce
something known as sequence numbers.
495
00:29:50,826 --> 00:29:51,906
So here's the concept.
496
00:29:51,906 --> 00:29:53,336
I wrote it up here so I wouldn't forget,
497
00:29:53,336 --> 00:29:56,946
but I didn't forget even though I
erased it, called TCP Windowing.
498
00:29:57,776 --> 00:30:00,946
TCP Windowing is the key to network efficiency.
499
00:30:01,786 --> 00:30:05,556
So, here's the concept of
windowing and window sizes.
500
00:30:05,556 --> 00:30:08,186
Some people call it sliding windows
if you ever hear that before.
501
00:30:08,676 --> 00:30:13,606
Let's say I have a really big
file, it's 1.0 gigabytes in size,
502
00:30:13,816 --> 00:30:15,816
and I want to send that over to the server.
503
00:30:16,546 --> 00:30:18,666
Well, when-- I don't know if
you've ever seen this in Windows,
504
00:30:18,666 --> 00:30:22,636
if you've ever copied a really big file and you
copy across and pops up that little, you know,
505
00:30:22,636 --> 00:30:25,906
copying time estimate window and
it initially starts off and it's
506
00:30:25,906 --> 00:30:30,556
like your time estimate is two days
five hours, and you're like, "What,
507
00:30:30,556 --> 00:30:31,836
you know, well that's not right!"
508
00:30:31,836 --> 00:30:33,246
And then Windows is like, "No, no, no, no, no.
509
00:30:33,246 --> 00:30:34,256
Just kidding, let me back off.
510
00:30:34,486 --> 00:30:37,986
Actually, it's going to be one day three hours."
511
00:30:37,986 --> 00:30:38,956
And you're like, "What?"
512
00:30:38,956 --> 00:30:42,066
You know, and then, no, no, no, no, have
you-- you know what I'm talking about?
513
00:30:42,066 --> 00:30:45,776
And [inaudible] says like, "No, just kidding
your time estimate is really 32 minutes."
514
00:30:45,776 --> 00:30:48,596
And you're like, "Okay, that's
a little more of a result."
515
00:30:48,596 --> 00:30:51,966
And then, I mean, it takes like 30
seconds before it's finally like, okay,
516
00:30:51,966 --> 00:30:54,146
really it's going to take 10
minutes to copy that file.
517
00:30:54,586 --> 00:30:59,256
[Laughs] Okay, it's like, okay what happened
between Windows popping up and saying it's two
518
00:30:59,256 --> 00:31:03,066
and half days to copy this file
all the way down to 10 minutes?
519
00:31:03,486 --> 00:31:06,456
Well, that's where TCP Windowing
kicked in and took effect.
520
00:31:06,716 --> 00:31:11,486
Essentially, when your computer starts to
send that file, this file is actually broken
521
00:31:11,486 --> 00:31:19,106
up. The normal packet size for Ethernet
is actually 1,500 bytes, 1,500 bytes,
522
00:31:19,106 --> 00:31:24,356
that's very small especially when you're
considering I'm sending 1 gigabyte of data.
523
00:31:24,356 --> 00:31:27,496
So, a little 1,500-byte, that's, you
know, think of this as 1 kilobyte
524
00:31:27,496 --> 00:31:30,516
and you remember there are
1,024 K in a megabyte
525
00:31:30,516 --> 00:31:32,896
and there are 1,024
megabytes in a gigabyte.
526
00:31:32,896 --> 00:31:35,986
So, I mean, you're going to send
thousands and thousands and thousands
527
00:31:35,986 --> 00:31:37,166
of these packets to compress this.
528
00:31:37,166 --> 00:31:40,376
So, it sends one packet over there.
529
00:31:40,646 --> 00:31:43,146
This guy comes back and it's like, "Okay, great.
530
00:31:43,146 --> 00:31:44,106
I got your packet."
531
00:31:44,106 --> 00:31:49,226
The very, very first packet of this
1.0-gigabyte file transfer, I got it ACK.
532
00:31:50,756 --> 00:31:53,766
Now Windows looks at that and it's like, "Wow.
533
00:31:53,926 --> 00:31:59,226
Okay." If I'm going to send one packet at a time
and then sit there and wait for the other size--
534
00:31:59,316 --> 00:32:01,426
other side to come back and
say, "Okay, I got it.
535
00:32:01,426 --> 00:32:04,766
It's going to take two and a
half days to transmit this file."
536
00:32:05,356 --> 00:32:06,476
So the computer goes, "Okay.
537
00:32:06,476 --> 00:32:08,496
Well let's-- let's try this.
538
00:32:08,496 --> 00:32:14,516
How about instead of sending one packet,
I send you four packets at a time."
539
00:32:14,716 --> 00:32:19,586
So it takes four of these 1,500 byte packets
of the 1 gigabyte file, sends them over there
540
00:32:19,806 --> 00:32:22,936
and the server comes back and
he's like, "Okay, I got it.
541
00:32:22,936 --> 00:32:24,996
I got all four of those packets."
542
00:32:24,996 --> 00:32:28,376
And the guy-- the Windows is like, "Okay, great.
543
00:32:28,376 --> 00:32:28,896
That's better.
544
00:32:29,286 --> 00:32:32,716
If I can send four packets at a time
then I bet you that I can get this done
545
00:32:32,716 --> 00:32:34,176
in like a day and a half, right."
546
00:32:34,176 --> 00:32:37,586
It reduces it dramatically because
we're being much more efficient.
547
00:32:37,586 --> 00:32:41,146
So, what's happening over that,
you know, first 30 seconds
548
00:32:41,146 --> 00:32:44,836
or so of that file transfer is it just
keeps trying to send more and more and more
549
00:32:44,836 --> 00:32:45,736
and more and more and more and more.
550
00:32:45,736 --> 00:32:46,206
It's like, "Okay.
551
00:32:46,206 --> 00:32:49,946
I'm going to try and send
you 100 packets at a time."
552
00:32:49,996 --> 00:32:54,826
Sends them a 100 of these 1,500-byte
packets, ACK, I got all 100 of them.
553
00:32:54,826 --> 00:32:55,416
Does that make sense?
554
00:32:55,416 --> 00:33:01,706
So, that's the concept known as TCP window
sizes or some people call it sliding windows
555
00:33:01,706 --> 00:33:04,086
because the windows starts
small, it slides bigger.
556
00:33:04,336 --> 00:33:09,716
But if there are drops, like let's say, I
send 100 packets and I lose two of them,
557
00:33:09,786 --> 00:33:13,476
then my computer is going to go, "Whoa, whoa,
whoa, whoa, whoa," you know, we're losing data,
558
00:33:13,476 --> 00:33:16,576
I've got to pull back and only send a smaller,
559
00:33:16,576 --> 00:33:19,926
so the window size slides smaller
and you see the copy time go up.
560
00:33:20,106 --> 00:33:26,136
So, that is the essence of how computers
know how much they're able to send
561
00:33:26,136 --> 00:33:30,046
or how much bandwidth they can consume and
they're going to try and consume all of it.
562
00:33:30,516 --> 00:33:34,656
And computers are bandwidth hungry monsters,
they will try and consume all of the bandwidth
563
00:33:34,656 --> 00:33:37,986
that they can on the way to that server
until they finally start dropping packets.
564
00:33:37,986 --> 00:33:41,126
And they go, "Okay, that's how much I
can send at once before I, you know,
565
00:33:41,226 --> 00:33:43,676
I've reached the congestion
point of the network."
566
00:33:43,726 --> 00:33:48,796
So, how do-- what-- how did this, this Window--
567
00:33:48,796 --> 00:33:54,336
Windowing concept and sending more than
one packet at a time fit into this and it--
568
00:33:54,336 --> 00:33:56,466
where we started with this 3-way handshake.
569
00:33:57,046 --> 00:34:02,596
Well, when we do a 3-way handshake, what
we're really exchanging is sequence numbers:
570
00:34:02,596 --> 00:34:08,716
my packet numbers are going to start here
and then keep incrementing as I send you data.
571
00:34:09,186 --> 00:34:11,906
So, let's look back at Wireshark,
get some examples of this.
572
00:34:11,906 --> 00:34:14,786
So, right here, we've got our 3-way handshake.
573
00:34:14,786 --> 00:34:16,576
We've got SYN, SYN ACK, ACK.
574
00:34:16,576 --> 00:34:17,996
So that's the very first one that we do.
575
00:34:17,996 --> 00:34:19,516
So let's break this open.
576
00:34:19,876 --> 00:34:25,816
We'll look at the TCP data and it says, "Oh,
this guy is a flag, it's a SYN" but I want you--
577
00:34:25,816 --> 00:34:29,236
and you can, I mean, you can dig deep and
say, "Oh, okay, well it's actually this bit,"
578
00:34:29,236 --> 00:34:32,246
and that, I mean, yeah, for
now, it's a SYN, right?
579
00:34:32,576 --> 00:34:35,196
But if you look three above that, it says, "Hey,
580
00:34:35,406 --> 00:34:38,436
we're going to be starting
from sequence number zero."
581
00:34:38,856 --> 00:34:41,926
That's it, that was-- so I'm going
to-- that's my beginning where--
582
00:34:41,926 --> 00:34:44,286
that's where my counter begins essentially.
583
00:34:44,606 --> 00:34:47,976
Now this comes back and says,
"Well, here's your SYN ACK," right?
584
00:34:48,256 --> 00:34:51,166
And what this says is, "I'm going to
be starting from sequence number two."
585
00:34:51,256 --> 00:34:52,206
That's great.
586
00:34:52,206 --> 00:34:55,626
"And by the way, I'm sending it ACK for one."
587
00:34:56,516 --> 00:34:57,656
What does that mean?
588
00:34:57,916 --> 00:35:02,586
So, I-- and so, again, let's look,
this is my computer saying, "Hi SYN.
589
00:35:02,586 --> 00:35:04,516
I'm going to be starting
from sequence number zero."
590
00:35:04,806 --> 00:35:09,626
This is them, see them, this is CBT Nuggets
replying back, and it's saying, "Okay.
591
00:35:09,626 --> 00:35:12,826
I'm going to start from sequence
number zero, that's my SYN too
592
00:35:13,096 --> 00:35:15,346
but I'm also going to send you an ACK of one."
593
00:35:15,966 --> 00:35:21,036
Well, the way the ACK works is it's always
going to be one more than your sequence number.
594
00:35:21,256 --> 00:35:24,336
So when I said, "Hey SYN, I'm going
to be starting from number zero."
595
00:35:24,576 --> 00:35:27,946
He comes back and in his ACK he
says, "I'm going to acknowledge one."
596
00:35:28,096 --> 00:35:32,806
And what that says to the computer is, "I've
received your zero and the next sequence
597
00:35:32,806 --> 00:35:35,146
that I'm expecting from you is one."
598
00:35:35,786 --> 00:35:36,896
Does that make sense?
599
00:35:36,896 --> 00:35:40,446
And then, and then, and then, I'm like
[laughs], "Oh, oh, oh, and then look at this."
600
00:35:40,446 --> 00:35:43,066
And then, when I click it on
here, it goes, "Okay, great.
601
00:35:43,216 --> 00:35:45,806
I'm going to send an ACK back of one as well."
602
00:35:46,926 --> 00:35:50,386
So, what we've done is we say, "Okay,
I started with sequence number zero.
603
00:35:50,616 --> 00:35:51,376
Is that good?"
604
00:35:51,376 --> 00:35:52,506
And he goes, "Absolutely.
605
00:35:52,506 --> 00:35:54,166
I'm going to start from sequence number zero
606
00:35:54,166 --> 00:35:57,506
and I'm acknowledging your sequence
number zero by giving you an ACK of one."
607
00:35:57,806 --> 00:36:01,056
Then I come back and say, "Okay,
ACK of one because I'm a--
608
00:36:01,056 --> 00:36:02,786
I don't know why I put it aligned to that,
609
00:36:02,786 --> 00:36:04,656
because I'm acknowledging
your sequence number zero
610
00:36:04,656 --> 00:36:07,056
that you gave me and now let's start talking."
611
00:36:07,676 --> 00:36:08,636
Isn't that a lot?
612
00:36:08,636 --> 00:36:09,476
That's a lot-- whoa.
613
00:36:09,716 --> 00:36:12,976
That's a lot to just say,
"Okay, let's now start talking."
614
00:36:12,976 --> 00:36:15,886
But then, when you start getting it
to the data, let's see if I can dig
615
00:36:15,886 --> 00:36:19,956
and then find some good data transfer here.
616
00:36:20,046 --> 00:36:24,406
I got your standard encrypted
packets going through there.
617
00:36:24,406 --> 00:36:31,776
It's so [laughs], it's funny because going to
CBT Nuggets home page, there are so many pointers
618
00:36:31,776 --> 00:36:34,586
on there that-- and there's
encrypted data, HTTPS,
619
00:36:34,586 --> 00:36:36,176
you know, stuff flying all over the place.
620
00:36:36,586 --> 00:36:38,466
But right here, and that's-- I'll describe this.
621
00:36:39,576 --> 00:36:43,356
Right in the middle of this, this is
actually using TLS which is encrypted data.
622
00:36:43,656 --> 00:36:47,336
This is CBT Nuggets sending me some
data saying-- and they're saying, "Hey,
623
00:36:47,336 --> 00:36:50,556
this is my sequence number and
I am acknowledging the last one
624
00:36:50,556 --> 00:36:52,606
that you gave me which was 1639."
625
00:36:52,606 --> 00:36:56,076
So you kind of go back and forth, it's
just, you know, finding the stream.
626
00:36:56,076 --> 00:36:59,176
So this guy is saying, "Okay.
627
00:36:59,176 --> 00:37:01,996
I'm-- yeah, we're getting
the encryption handshake."
628
00:37:01,996 --> 00:37:02,866
So, okay, here we go.
629
00:37:03,116 --> 00:37:04,096
I'm sending some data.
630
00:37:04,096 --> 00:37:08,046
So I send some data right
here, sequence number 348.
631
00:37:08,176 --> 00:37:10,266
I move on sequence number 401.
632
00:37:10,306 --> 00:37:12,476
I move on sequence number 462.
633
00:37:12,476 --> 00:37:17,056
So, you're sending data and every time-- now, if
I want to see-- well, here is the actual data,
634
00:37:17,316 --> 00:37:19,806
it's SSL which is all nice and encrypted.
635
00:37:20,066 --> 00:37:21,856
Here's the data that's being sent.
636
00:37:21,856 --> 00:37:24,716
It's all encrypted mush going
to CBT Nuggets website,
637
00:37:24,986 --> 00:37:28,046
but all of that stuff has sequence numbers.
638
00:37:28,366 --> 00:37:32,266
So, essentially, let me boil it back down on
the slide 'cause it's a little less complex
639
00:37:32,266 --> 00:37:33,486
than busting into that Wireshark.
640
00:37:33,746 --> 00:37:38,556
I've got, you know, let's say three
1,500-byte packets to send, right?
641
00:37:38,556 --> 00:37:44,696
So let's say I started with SYN zero, I send
three 1,500-byte packets to the other side,
642
00:37:45,576 --> 00:37:50,646
and it will come through and, you know,
first one will say, "Hey, I'm some data.
643
00:37:50,886 --> 00:37:53,066
I'm sequence number 1,500."
644
00:37:53,066 --> 00:37:55,786
The second one will come through and say, "Okay.
645
00:37:55,786 --> 00:37:58,006
Well, I'm sequence number 3,000."
646
00:38:00,136 --> 00:38:04,696
And third one comes through and you see where
this is going, "I'm sequence number 4,500."
647
00:38:04,696 --> 00:38:08,596
The sequence numbers are-- they are
essentially a mathematical addition
648
00:38:08,596 --> 00:38:10,796
of all of the data that's being sent.
649
00:38:10,796 --> 00:38:13,266
In that way when this-- these
two get dropped, you know,
650
00:38:13,266 --> 00:38:15,496
maybe this one made it through,
these two were dropped.
651
00:38:15,656 --> 00:38:18,206
All of a sudden this guy
goes, "Whoa, wait a sec.
652
00:38:19,016 --> 00:38:28,046
I missed sequence numbers, you know, we'll
say 4,000 through 6593 or whatever, you know,
653
00:38:28,046 --> 00:38:29,186
whatever those sequence numbers are."
654
00:38:29,436 --> 00:38:32,286
So, he's going to be like,
"Whoa, I did not receive those."
655
00:38:32,286 --> 00:38:35,046
He goes, "Oh, well let me resend
those sequence numbers to you."
656
00:38:35,046 --> 00:38:41,006
That-- this is how TCP keeps it
all working is by, you know, again,
657
00:38:41,006 --> 00:38:42,536
those acknowledgments coming back.
658
00:38:42,756 --> 00:38:44,956
If you received them all,
he'll send an acknowledgment
659
00:38:44,956 --> 00:38:46,696
for one plus whatever the last sequence was.
660
00:38:46,696 --> 00:38:49,876
So let's say, the last sequence
number to get in was 4,500.
661
00:38:50,076 --> 00:38:56,656
He's going to send an acknowledgment for 4,501,
and then the transmission continues on.
662
00:38:56,796 --> 00:39:00,916
[Laughs] It's like, right there, I took a
breath and I took a step back and I'm like,
663
00:39:01,196 --> 00:39:03,676
"How do you see anything on the screen anymore."
664
00:39:03,806 --> 00:39:06,206
It builds on itself so hopefully you've--
665
00:39:06,346 --> 00:39:11,016
you didn't look away throughout 'cause otherwise
it's just a mess of lines going back and forth.
666
00:39:11,376 --> 00:39:16,776
But, wow, I mean, if you take that and put
it all together and you are on your way--
667
00:39:16,846 --> 00:39:21,916
well on your way to becoming a network
ninja, not only understanding how TCP works,
668
00:39:21,916 --> 00:39:25,796
the 3-way handshake, the acknowledgment,
back and forth process, but also now,
669
00:39:25,796 --> 00:39:28,666
starting to look inside of
Wireshark and being like, "Oh, oh, oh,
670
00:39:28,826 --> 00:39:30,766
I see the 3-way handshake right there.
671
00:39:30,766 --> 00:39:31,286
I get it."
672
00:39:31,286 --> 00:39:34,906
You know, and then I started seeing that, I get
referred to all these other servers, you know,
673
00:39:34,906 --> 00:39:36,776
because there are the DNS queries.
674
00:39:36,776 --> 00:39:40,476
And then, I started sessions with all those,
that's all these SYN packets, I mean, wow!
675
00:39:40,566 --> 00:39:47,716
That's a ton of info that you can say that,
I mean, it's rare to find somebody who's able
676
00:39:47,716 --> 00:39:50,236
to do that level of knowledge
in the network world.
677
00:39:51,246 --> 00:39:56,016
I have found that there is a big difference
between the amount of time I think it's going
678
00:39:56,016 --> 00:39:58,966
to take to talk about something and
then the actual amount of time it does.
679
00:39:59,526 --> 00:40:01,896
It's all Wireshark, I'm
telling you, bringing that tool
680
00:40:01,896 --> 00:40:03,826
into this, I mean, the sky is the limit.
681
00:40:04,146 --> 00:40:06,546
But boy, do I want to-- what
I'm going to do is I'm going
682
00:40:06,546 --> 00:40:08,076
to break this into two different pieces.
683
00:40:08,076 --> 00:40:13,576
So, this will be our part one and then I'll
wrap up these other two items in part two.
684
00:40:14,106 --> 00:40:17,596
But what did we talk about and then
what do I want you to do with it?
685
00:40:17,986 --> 00:40:19,826
Two, well, we talked about a lot.
686
00:40:19,826 --> 00:40:23,076
We talked about UDP and,
you know, its simplicity.
687
00:40:23,216 --> 00:40:26,766
And then we got into TCP just looking
at, you know, what is this protocol
688
00:40:26,766 --> 00:40:32,776
or how does it communicate so, you know, in a
stable way using sessions with the other side.
689
00:40:32,776 --> 00:40:38,056
We saw the TCP 3-way handshake, we saw sequence
numbers, we saw DNS lookups, we saw Wireshark,
690
00:40:38,056 --> 00:40:40,156
I mean [inaudible], you know, the list goes on.
691
00:40:40,156 --> 00:40:43,196
And I mean, this was just a packed Nugget.
692
00:40:43,196 --> 00:40:46,186
So, here's what I want you to do with it.
693
00:40:46,186 --> 00:40:48,856
I want you to really take the time
694
00:40:48,856 --> 00:40:53,316
to start getting a depth behind
your knowledge of UDP and TCP.
695
00:40:53,956 --> 00:40:56,636
What I want you to do is go download Wireshark.
696
00:40:56,636 --> 00:40:58,526
Go to wireshark.org, it's a freebie.
697
00:40:58,526 --> 00:41:03,176
Download that and install it on your laptop
or desktop or whatever device that you have.
698
00:41:03,576 --> 00:41:05,506
And I want you to go to a simple website.
699
00:41:05,506 --> 00:41:09,326
A matter of fact, somebody emailed
this to me a long time ago.
700
00:41:09,326 --> 00:41:14,246
What was it called, the last
page of the internet?
701
00:41:14,426 --> 00:41:17,876
[Laughs] That's it, and it's just some
guy and he's been around for a long time.
702
00:41:18,066 --> 00:41:20,786
The last page you cre-- the guy who
created a website that just says,
703
00:41:20,786 --> 00:41:22,556
"You have reached the last page of the internet.
704
00:41:22,866 --> 00:41:23,936
Hope you enjoyed your browsing.
705
00:41:24,316 --> 00:41:25,816
Go outside."
706
00:41:25,816 --> 00:41:30,106
So, beautifully simple web page to
where we won't get the confusion behind.
707
00:41:30,296 --> 00:41:35,336
And I won't say confusion but the complexity
behind going to big websites like CBT Nuggets
708
00:41:35,336 --> 00:41:38,096
and seeing 50 different servers
popped into our conversation.
709
00:41:38,096 --> 00:41:39,626
So grab Wireshark.
710
00:41:40,016 --> 00:41:42,996
I want you to capture the DNS lookup.
711
00:41:42,996 --> 00:41:45,456
Create a filter, find out
what your DNS server is.
712
00:41:45,616 --> 00:41:50,336
Create a filter that allows you to see the
DNS lookup and then one that allows you
713
00:41:50,336 --> 00:41:56,256
to see the communication between you and
that last page of the internet web server.
714
00:41:56,256 --> 00:41:59,926
They'll be nice and simple so you don't
have a ton of stuff to read through.
715
00:42:00,116 --> 00:42:07,216
Also, realize that I showed you-- I mean,
one 1,000th of the possibilities of Wireshark.
716
00:42:07,356 --> 00:42:12,866
You can create complex filters like I could
say this and IP address equal, you know,
717
00:42:12,976 --> 00:42:17,726
or I could use and or IP address
at and equals such and such.
718
00:42:17,726 --> 00:42:21,566
I mean, you can start building numbers
where you just capture a certain port number
719
00:42:21,846 --> 00:42:24,356
or I should say filters where you
just capture certain port numbers.
720
00:42:24,356 --> 00:42:25,716
There're a lot of possibilities.
721
00:42:25,716 --> 00:42:27,636
I mean, play around with
this, start tinkering around.
722
00:42:27,936 --> 00:42:33,646
And really, I would say, add some depth to your
knowledge and then jump into the next Nugget
723
00:42:33,646 --> 00:42:36,126
where we'll talk about the port
numbers and then fit it all together
724
00:42:36,126 --> 00:42:37,926
with that end-to-end communication story.
725
00:42:38,426 --> 00:42:41,486
I hope this has been informative for you
and I'd like to thank you for viewing.