All language subtitles for 06 - Cisco Foundations - How Applications Speak - TCP and UDP-eng

1 00:00:00,696 --> 00:00:03,616 >> While we are nearing the end of our Cisco Foundations 2 00:00:03,616 --> 00:00:09,426 or more specifically network foundations, as in how devices communicate on the network today. 3 00:00:10,036 --> 00:00:13,516 At this point, I'm going to say we are good at layer two. 4 00:00:13,736 --> 00:00:15,186 We understand the data link layer. 5 00:00:15,186 --> 00:00:18,726 We understand MAC addresses, physical addresses burned into the network cards 6 00:00:18,726 --> 00:00:22,806 of the different devices and how that interacts with layer three, the IP layer, 7 00:00:22,806 --> 00:00:28,106 and IP addressing basics fundamental and communication, how the ARP protocol resolves, 8 00:00:28,106 --> 00:00:31,396 I mean all of that stuff we've talked about the previous nuggets. 9 00:00:31,396 --> 00:00:33,086 So, now I'm going to move up to layer four. 10 00:00:33,896 --> 00:00:41,716 TCP and UDP, the last really network relevant layer that we're going to focus on in here. 11 00:00:41,716 --> 00:00:46,106 We're going to see where these two fit into this puzzle of network communication and it's going 12 00:00:46,106 --> 00:00:47,806 to bring up a whole bunch of port numbers. 13 00:00:47,806 --> 00:00:49,966 So, I'll give you some common ones that you'll want to know, 14 00:00:49,966 --> 00:00:54,136 not only for certification purposes if that's your direction, but also, 15 00:00:54,136 --> 00:00:56,786 I mean you use this all the time in the real world. 16 00:00:57,256 --> 00:01:01,346 And then, we'll complete the end-to-end communication story where we started looking at, 17 00:01:01,496 --> 00:01:05,016 you know, from this host to this host, what are all the factors that go 18 00:01:05,016 --> 00:01:09,146 in to making packets transmit successfully across the wire. 
19 00:01:10,506 --> 00:01:14,276 Oh, my goodness, I totally forgot to mention that we're going to start learning 20 00:01:14,276 --> 00:01:17,926 about Wireshark in this nugget which-- it's awesome! 21 00:01:17,956 --> 00:01:21,206 You're going to really see a lot. 22 00:01:21,206 --> 00:01:22,826 That's what this little icon is right here. 23 00:01:22,826 --> 00:01:25,786 I know some of you might have heard of it before I go and, "Oh, no. 24 00:01:25,816 --> 00:01:30,986 Really?" This tool is amazing for helping you not only troubleshoot networking, 25 00:01:31,576 --> 00:01:35,186 network issues, but to learn networking. 26 00:01:35,186 --> 00:01:38,246 I mean when you look at it, initially it's overwhelming. 27 00:01:38,246 --> 00:01:39,406 There's no doubt about it. 28 00:01:39,666 --> 00:01:42,286 But when you see just the basics of how to use it, 29 00:01:42,286 --> 00:01:45,876 it's like okay, I think I can really get this. 30 00:01:45,876 --> 00:01:50,406 As a matter of fact, Wireshark has always, you know, it's always been one 31 00:01:50,406 --> 00:01:52,786 of the tools I've had but I rarely use that. 32 00:01:52,786 --> 00:01:56,716 I mean, Wireshark was like, okay, everything is down, last resort, 33 00:01:56,716 --> 00:01:58,476 what's going on, let's get out Wireshark. 34 00:01:58,756 --> 00:01:59,576 And then I got a book. 35 00:01:59,576 --> 00:02:01,196 I'm-- I've got in my bookshelf right here. 36 00:02:01,196 --> 00:02:02,426 Pull it off. 37 00:02:02,426 --> 00:02:05,356 It's "Wireshark Network Analysis" by Laura Chappell. 38 00:02:05,416 --> 00:02:08,276 It's a big, big fat book. 39 00:02:08,276 --> 00:02:10,876 And just this-- it's a free utility. 40 00:02:11,266 --> 00:02:13,046 And I-- let me-- I'm going to flip a hand. 41 00:02:13,046 --> 00:02:16,456 I'm flipping at the preface here, table of contents. 42 00:02:16,456 --> 00:02:17,096 All right. 43 00:02:17,556 --> 00:02:20,256 This is what she said and this is her preface. 
44 00:02:20,976 --> 00:02:26,086 "Wireshark is a," and she puts it in all capitals, "FIRST RESPONDER tool 45 00:02:26,546 --> 00:02:30,826 that should be employed immediately when the cries of the network is slow 46 00:02:30,826 --> 00:02:34,386 or I think my network is infected echo through the company halls." 47 00:02:34,806 --> 00:02:38,406 And, when I read that, remember reading that years ago, and I go, 48 00:02:38,406 --> 00:02:40,806 [inaudible], it's not a first responder tool. 49 00:02:40,806 --> 00:02:45,806 This is like the last responder tool, but seriously that's one of those statements 50 00:02:45,806 --> 00:02:50,806 that have just stuck in my head and over these last few years, I've started using it. 51 00:02:50,806 --> 00:02:54,746 It's not-- it's still not my first responder tool, but I've used it a lot more-- 52 00:02:54,746 --> 00:02:59,656 with a lot more immediacy than I have in the past and it really has saved a lot of times. 53 00:02:59,656 --> 00:03:01,646 So, I want to get you guys familiar with that right away. 54 00:03:01,856 --> 00:03:05,296 So, what are TCP and UDP? 55 00:03:06,306 --> 00:03:13,116 They are the primary transport protocols used today, meaning transport layer of the OSI model. 56 00:03:13,116 --> 00:03:16,316 We've got our applications trying to communicate data up here, right? 57 00:03:16,316 --> 00:03:21,976 In our internet explorer, our [laughs]-- what other online games, whatever-- 58 00:03:21,976 --> 00:03:25,326 what other applications that people use nowadays, instant messengers, 59 00:03:25,326 --> 00:03:27,366 all those kinds of things are sending their data down here. 60 00:03:27,576 --> 00:03:30,606 It reaches the transport layer and you might remember from the OSI model, 61 00:03:30,756 --> 00:03:33,276 this is where it's going to choose the reliability, you know, 62 00:03:33,366 --> 00:03:35,376 it's going to be reliable or unreliable. 
63 00:03:35,496 --> 00:03:40,086 And then it also assigns the port numbers to start separating the different applications 64 00:03:40,086 --> 00:03:43,356 so the operating system can distinctly understand 65 00:03:43,356 --> 00:03:45,516 which traffic goes to which application. 66 00:03:45,886 --> 00:03:48,926 Now, there are a lot of transport protocols. 67 00:03:48,996 --> 00:03:53,826 Again, I'll remind you, the OSI model is a standard of standards. 68 00:03:54,116 --> 00:03:58,056 The transport layer is just a shell but inside of there, there's all kinds of standards 69 00:03:58,056 --> 00:04:04,066 like TCP is one of them, UDP is another, ICMP is yet another, 70 00:04:04,066 --> 00:04:07,866 ESP that's used for VPN connections, and things like that. 71 00:04:07,866 --> 00:04:12,836 Even-- you'll start seeing protocols like OSPF and EIGRP, I mean all these-- 72 00:04:12,836 --> 00:04:17,326 all of these kind of squeeze right into that green box known as the transport layer. 73 00:04:17,676 --> 00:04:24,596 But when we're talking about programs, talking across the network, they primarily use one 74 00:04:24,596 --> 00:04:28,836 of two protocols, UDP, that's our unreliable version. 75 00:04:28,886 --> 00:04:35,136 It's saying, "I hope it gets there," or TCP, that's the "I know it got there." 76 00:04:35,136 --> 00:04:36,996 That's the reliable version of this. 77 00:04:37,316 --> 00:04:39,606 So UDP is the user datagram protocol. 78 00:04:39,606 --> 00:04:41,696 TCP, transmission control protocol. 79 00:04:41,696 --> 00:04:42,696 That's what they stand for. 80 00:04:42,936 --> 00:04:45,986 And that they combine together with, you know, the subprotocols below, 81 00:04:45,986 --> 00:04:51,546 that's why TCP/IP got its name is it's not really that's the protocol, 82 00:04:51,546 --> 00:04:52,706 it's the suite of protocol. 83 00:04:52,926 --> 00:04:57,826 The most common being TCP and IP combined together to make network communication happen. 
84 00:04:57,966 --> 00:05:01,596 So, first off, let's get into UDP. 85 00:05:01,596 --> 00:05:05,716 And I talked one more time about the OSI model, I got it in a little, little bit of this like, 86 00:05:05,716 --> 00:05:09,486 why would you want to send something unreliable like, "I hope it gets there"? 87 00:05:10,216 --> 00:05:14,416 Well, the first thing to understand is that there is a cost to reliability. 88 00:05:15,046 --> 00:05:20,256 In order to say, "I know it got there," there's a lot of setup that takes place. 89 00:05:20,616 --> 00:05:23,976 The first thing that happens is something known as the 3 way handshake, 90 00:05:24,126 --> 00:05:28,596 and I'll explain that in just a moment, but essentially the two devices 91 00:05:28,596 --> 00:05:32,126 that are talking together have to establish a session between each other, 92 00:05:32,126 --> 00:05:34,406 make sure that, "Okay, we agree to talk, okay. 93 00:05:34,406 --> 00:05:34,886 That's good." 94 00:05:34,886 --> 00:05:39,346 Okay. That's a little time right there and a little time to establish that session. 95 00:05:39,696 --> 00:05:45,876 Then every single packet that gets sent or every stream of communication that gets sent, 96 00:05:45,876 --> 00:05:47,526 I'm going to just write something up here. 97 00:05:48,946 --> 00:05:52,796 It's my reminder. 98 00:05:52,936 --> 00:05:55,996 [Laughs] Every stream of things that get sent between these things has 99 00:05:55,996 --> 00:05:58,816 to get an acknowledgment back saying, "I got it." 100 00:05:58,946 --> 00:06:05,426 Again, more overhead, more delay where some things just may not need that sort of thing. 101 00:06:05,906 --> 00:06:10,956 I want to give you-- now, I gave you the example back in the OSI model of things 102 00:06:10,956 --> 00:06:15,616 that do not need reliable communications being like voice over IP 103 00:06:16,176 --> 00:06:19,326 where I have an IP phone talking to an IP phone. 
104 00:06:19,646 --> 00:06:23,736 You know, there's a stream of data going between the two, if something is dropped, it's gone. 105 00:06:23,736 --> 00:06:27,776 There's no use in retransmitting it at a later time because it's real time traffic. 106 00:06:27,976 --> 00:06:29,816 Same thing with video over IP. 107 00:06:30,036 --> 00:06:36,466 But, there's also some other data applications out there that use UDP as well. 108 00:06:36,666 --> 00:06:41,306 I want to give you one that you use every single day and that is DNS. 109 00:06:43,056 --> 00:06:48,036 DNS, the domain name service, translates names to IP addresses, 110 00:06:48,036 --> 00:06:50,206 because remember in the OSI model, it's not-- we-- 111 00:06:50,206 --> 00:06:55,436 at this network layer, we can't squeeze in www.google.com. 112 00:06:55,436 --> 00:06:56,796 It deals with IP, the IP protocol. 113 00:06:57,086 --> 00:07:01,146 So, we have to have some kind of system that takes these friendly names 114 00:07:01,146 --> 00:07:05,756 like I put wireshark.org, I'm going to show that to you in a moment, or cbtnuggets.com 115 00:07:05,756 --> 00:07:08,836 and translates it to what IP address is really there. 116 00:07:09,176 --> 00:07:15,046 DNS, at least the client version of it that we use everyday, uses UDP. 117 00:07:15,726 --> 00:07:17,576 So, let's check this out. 118 00:07:17,846 --> 00:07:19,866 I'm going to bring up Wireshark. 119 00:07:20,346 --> 00:07:22,996 Now, I want to give you a little basics of this program. 120 00:07:24,216 --> 00:07:28,476 Wireshark will be flat overwhelming if you just open it up and say, 121 00:07:28,476 --> 00:07:30,396 "Okay, let's see what's happening." 122 00:07:30,396 --> 00:07:33,316 If you've never done this before, I mean people get scared, they back off. 123 00:07:33,316 --> 00:07:35,516 They're like, "Aah, I don't want to use that again." 
124 00:07:35,516 --> 00:07:39,906 But, let me give you the basics which will really get you started and I tell you what, 125 00:07:39,906 --> 00:07:44,546 if somebody would have sat down with me in my early days of networking and just said, "Hey, 126 00:07:44,546 --> 00:07:46,756 Jeremy, let's just sit down for a second. 127 00:07:46,756 --> 00:07:50,266 Let me give you a 5-minute tutorial of this tool that will change your life." 128 00:07:50,546 --> 00:07:51,906 You know, I would have been like, "Great, thanks." 129 00:07:52,086 --> 00:07:56,256 You know, just, you know, the fear of it is what held me back for so long. 130 00:07:56,606 --> 00:07:58,776 But, this is Wireshark 1.82. 131 00:07:59,096 --> 00:07:59,946 It is free. 132 00:07:59,946 --> 00:08:04,316 You go to wireshark.org and just go to their little download page 133 00:08:04,316 --> 00:08:06,316 and they'll automatically detect your operating system. 134 00:08:06,316 --> 00:08:07,806 You can put it on there, it's good. 135 00:08:07,806 --> 00:08:14,636 So, once you get Wireshark installed, it's just literally a next, next finish sort of install. 136 00:08:14,816 --> 00:08:16,226 This is what pops up. 137 00:08:16,466 --> 00:08:21,826 Now, the key icon you want to go to is this list available capture interfaces. 138 00:08:21,826 --> 00:08:26,606 And, trust me, this is a massive utility. 139 00:08:27,276 --> 00:08:28,326 There's a lot to it. 140 00:08:28,326 --> 00:08:31,736 I just want to get you the core that will get you started in doing what you need to do. 141 00:08:32,246 --> 00:08:33,256 So, I click on this. 142 00:08:33,336 --> 00:08:36,886 And right here, I can see the interfaces that are on my computer. 
143 00:08:37,226 --> 00:08:43,246 Now, I see this sun which, if you remember I had it when I went to my control panel, 144 00:08:44,196 --> 00:08:46,376 and did my network status, look to my adaptor, 145 00:08:46,376 --> 00:08:53,056 I had this little virtual box host only that's installed by the virtual box application. 146 00:08:53,056 --> 00:08:54,416 It's a little virtual machine thing. 147 00:08:54,706 --> 00:08:57,566 It's developed by Oracle, Sun Oracle, they merge. 148 00:08:57,826 --> 00:09:01,506 And so, that's what this little adaptor is and I can look, that's why I always go to this view. 149 00:09:01,506 --> 00:09:06,506 I'm like, "Okay, not much happening there" 'cause if I'm looking here trying to start, 150 00:09:06,506 --> 00:09:10,396 you know, pick one, you can start it from here but if I don't, I don't know which one it is. 151 00:09:10,396 --> 00:09:12,576 You know, I want to see, where's the traffic happening? 152 00:09:12,576 --> 00:09:13,066 So, I go, "Okay." 153 00:09:13,066 --> 00:09:16,286 Well, it looks like this is where there's some communication happening, 154 00:09:16,286 --> 00:09:19,386 so I'm going to click check on this and do start. 155 00:09:20,056 --> 00:09:25,526 What I'm going to start seeing is the communication that's going across the network 156 00:09:25,526 --> 00:09:29,616 and this is where a lot of people go, "Ooh, aah, what's going on?" 157 00:09:29,616 --> 00:09:32,296 You know, they're not too sure what to do. 158 00:09:32,456 --> 00:09:37,876 So, right now, this is-- not much is going on, 29 packets are happening. 159 00:09:37,876 --> 00:09:41,076 I can see Spanning Tree Protocol running in the background, some other, you know, 160 00:09:41,106 --> 00:09:45,706 just normal network traffic discovering and communicating with things 161 00:09:45,706 --> 00:09:46,836 that are going on in the network. 
162 00:09:46,836 --> 00:09:51,896 Now, as soon as I open a web browser and let me move this to the side 163 00:09:51,896 --> 00:09:57,106 so you can see, and let's just go to msn.com. 164 00:09:57,106 --> 00:09:57,776 And look at that. 165 00:09:57,776 --> 00:10:02,706 I mean, we went from like 29, 30, 50 and all the way up, you know, msn.com came up 166 00:10:02,706 --> 00:10:06,816 and now we're at packet number 1095, you know. 167 00:10:07,396 --> 00:10:10,386 All of these things are going on and what just happened? 168 00:10:10,596 --> 00:10:16,666 We just had a ton of network communication that comprised 1,200 or 1,280 individual packets. 169 00:10:16,666 --> 00:10:18,526 So, that's where people go "Huh! 170 00:10:18,526 --> 00:10:19,286 It's overwhelming." 171 00:10:19,286 --> 00:10:21,026 How do-- you know, how do I now sift 172 00:10:21,026 --> 00:10:24,796 through 1,200 individual packets to really see what's going on. 173 00:10:25,636 --> 00:10:28,836 Well, I'll explain that in just a moment but let's look at the matter at hand. 174 00:10:29,026 --> 00:10:30,906 I want to talk about DNS. 175 00:10:32,086 --> 00:10:37,166 DNS resolves names to IP addresses and I'm going to show you 176 00:10:37,166 --> 00:10:40,256 that this is using UDP as its protocol to do it. 177 00:10:40,256 --> 00:10:42,426 Now, the first thing that's happening is I'm like "Aah! 178 00:10:42,716 --> 00:10:45,416 This is just-- it's too much, I want to put a filter on." 179 00:10:45,706 --> 00:10:49,296 Let me show you one of the handiest filters that you will likely use. 
180 00:10:49,336 --> 00:10:53,636 It is coming up here, you click in this little filter box and you'll find, I mean, 181 00:10:53,636 --> 00:10:57,716 you can build your own, you can click on this and it lets you, you know, click through 182 00:10:57,716 --> 00:11:02,516 and kind of-- almost like that's a GUI-based like if I just want to see the UDP traffic 183 00:11:02,516 --> 00:11:08,656 or the TCP traffic, I can do that but I'm just going to go in here and just say ip.addr, 184 00:11:08,656 --> 00:11:14,016 IP address equals 4.2.2.2, enter. 185 00:11:14,016 --> 00:11:14,866 Now, what is that? 186 00:11:15,756 --> 00:11:18,766 Actually, you know what, I'm going to even change that further. 187 00:11:18,766 --> 00:11:22,326 Let me go 4.2.2.3, enter, blanks it out completely. 188 00:11:22,806 --> 00:11:28,666 What that does is say, only show me the traffic that is going to 4.2.2.3. 189 00:11:29,676 --> 00:11:30,706 Getting that so far? 190 00:11:30,706 --> 00:11:33,276 So, right now, how much traffic is going there? 191 00:11:33,616 --> 00:11:38,256 Nothing. Because nothing is actually accessing that IP address so my display is nice and empty. 192 00:11:38,316 --> 00:11:41,686 So now, I'm going to use DNS to do a little testing. 193 00:11:41,976 --> 00:11:46,736 I'm going to open a command prompt in Windows, start, you can browse to it, 194 00:11:46,736 --> 00:11:52,226 accessories all that, or just type in start run CMD and bring this to the middle of the screen. 195 00:11:52,646 --> 00:11:56,766 And, show you first off, when I do IP config forward slash all, 196 00:11:57,196 --> 00:12:01,066 I have in my list my DNS servers, 197 00:12:01,746 --> 00:12:06,226 shows the primary DNS server my computer is using is 4.2.2.2. 198 00:12:06,736 --> 00:12:09,686 The secondary is 4.2.2.3. 199 00:12:09,966 --> 00:12:11,426 Now, how did those get there? 200 00:12:11,636 --> 00:12:13,006 Well, that was through DHCP. 
201 00:12:13,006 --> 00:12:17,646 When DHCP gives me an IP address, it can also assign me DNS servers, the default gateway, 202 00:12:17,646 --> 00:12:20,056 all that kind of stuff, and so this is the DNS server I was assigned. 203 00:12:20,056 --> 00:12:24,306 Now, since this is the primary, remember when I was looking at Wireshark, when I set the filter 204 00:12:24,306 --> 00:12:32,676 to say 4.2.2.2, oh, okay, my capture is still going so it's getting obnoxiously big. 205 00:12:32,976 --> 00:12:36,276 But-- so let me-- I'm going to stop the capture because we've got enough data. 206 00:12:36,496 --> 00:12:40,246 I can see all of these little DNS queries but this is kind of-- it's too much. 207 00:12:40,246 --> 00:12:42,996 I want to do a little demonstration version, 208 00:12:42,996 --> 00:12:46,866 so I'm going to filter this down and just see 4.2.2.3. 209 00:12:48,206 --> 00:12:52,396 Now, I stopped the capture so nothing-- oh [laughs] I suppose I should start the capture. 210 00:12:52,396 --> 00:12:54,806 I was just thinking-- so nothing new is coming in. 211 00:12:55,106 --> 00:12:58,136 So, I'm going to start the capture and let's say-- let's begin this. 212 00:12:58,136 --> 00:13:02,226 It's going to ask me, "Do you want to delete the old capture?" 213 00:13:02,226 --> 00:13:04,686 Once I click save, it would say, "Hey, do you want to delete the old one?" 214 00:13:04,686 --> 00:13:05,596 Absolutely. 215 00:13:05,596 --> 00:13:07,006 I'm, you know, I don't need the old one. 216 00:13:07,006 --> 00:13:12,196 So, I'm looking-- I'm capturing traffic just for 4.2.2.3, that's the filter of what I'm seeing. 217 00:13:12,746 --> 00:13:17,166 I'm going to open my command prompt and show you a handy utility called nslookup. 218 00:13:19,076 --> 00:13:25,486 What this is, is a utility that allows you to ask questions of DNS, 219 00:13:26,216 --> 00:13:29,826 so what it's doing is this is coming up and say, "Okay, well, right now. 
220 00:13:30,066 --> 00:13:33,226 You can ask a question of 4.2.2.2. 221 00:13:33,226 --> 00:13:33,926 And, I would say, "Okay. 222 00:13:33,926 --> 00:13:38,066 Well, I want to see who is www.cbtnuggets.com." 223 00:13:38,356 --> 00:13:43,626 And, 4.2.2.2 comes back and says, "Well, actually, they have two IP addresses associated 224 00:13:43,626 --> 00:13:45,426 with them, this one and this one." 225 00:13:45,706 --> 00:13:47,886 Well, which one am I going to use. 226 00:13:47,886 --> 00:13:50,386 Well, the way it works is it's going to do a round robin. 227 00:13:50,386 --> 00:13:54,026 Maybe the first time I'm going to use this one, the second time I'm going to use this one. 228 00:13:54,316 --> 00:13:57,796 And, the name is kind of gives me a little clue right here. 229 00:13:57,796 --> 00:13:58,996 It says, web balancer. 230 00:13:58,996 --> 00:13:59,726 I'm going, "Okay." 231 00:13:59,726 --> 00:14:01,966 So, this is some kind of load balancing. 232 00:14:01,966 --> 00:14:04,746 You know, maybe CBT Nuggets has enough traffic that they say, 233 00:14:04,746 --> 00:14:06,186 "I don't want just one web server. 234 00:14:06,186 --> 00:14:08,856 I want to kind of balance that between a couple web servers." 235 00:14:08,856 --> 00:14:11,866 I mean we see that again if I type in google.com. 236 00:14:11,866 --> 00:14:13,956 And, I mean, "Hello, Google." 237 00:14:14,116 --> 00:14:17,026 They're definitely trying to balance that load 'cause obviously, 238 00:14:17,026 --> 00:14:18,646 how many people use Google everyday. 239 00:14:18,736 --> 00:14:24,896 So now, what I'm going to do, I was asking questions of 4.2.2.2. 240 00:14:25,086 --> 00:14:25,976 I'm going to change them. 241 00:14:25,976 --> 00:14:30,366 I'm going to do server equals 4.2.2.3. 242 00:14:32,546 --> 00:14:35,466 And so, I'm changing the-- wait a second. 243 00:14:35,626 --> 00:14:38,996 Server? I don't know why but equals [inaudible]. 
244 00:14:39,326 --> 00:14:46,086 Server space 4.2.2.3 which now sets my DNS server to this address. 245 00:14:46,766 --> 00:14:48,206 Now, watch what happens. 246 00:14:48,206 --> 00:14:51,876 I'm going to do-- I want to do a lookup for what's that-- 247 00:14:51,876 --> 00:14:57,646 a small website that would've be-- oh, I have a blog, tekcert.com. 248 00:14:57,876 --> 00:15:03,246 I blog with another guy out there, comes back and says, "Aha, tekcert.com is this IP address." 249 00:15:03,246 --> 00:15:06,786 But now, did you see behind the scene is like, Wireshark is like, 250 00:15:06,786 --> 00:15:09,096 "I saw something happened right there." 251 00:15:09,096 --> 00:15:12,336 So, what happens is this guy went out and said, "Hey, 252 00:15:12,436 --> 00:15:19,706 I want to find out what is the IP address for tekcert.com.home.local?" 253 00:15:20,426 --> 00:15:24,166 [laughs] What the-- you know, where did that come from? 254 00:15:24,406 --> 00:15:30,186 I typed in tekcert.com and the only way I would know this is if I was using Wireshark 255 00:15:30,186 --> 00:15:34,686 and it went out and said, "Well, actually, I want to ask the server, you know the DNS server, 256 00:15:34,686 --> 00:15:38,516 I want to find out who tekcert.com.home.local is." 257 00:15:38,516 --> 00:15:41,526 Now, why on earth did it do that? 258 00:15:42,106 --> 00:15:47,016 Well, when you dig a little bit deeper, let me go back here in my-- 259 00:15:47,016 --> 00:15:50,646 create a second command prompt, and I do an IP config slash all, 260 00:15:50,806 --> 00:16:00,256 one of the things that you can do with DNS is assign computers, a default DNS suffix. 261 00:16:00,796 --> 00:16:01,966 Suffix, where does that go? 262 00:16:02,076 --> 00:16:03,066 At the end right? 
263 00:16:03,386 --> 00:16:08,426 So, that would allow somebody, for instance if I assign the home.local suffix, it allows somebody 264 00:16:08,426 --> 00:16:12,116 to say, "I want to ping," you know, maybe the server and hit enter and it's going 265 00:16:12,216 --> 00:16:17,946 to automatically try to ping server.home.local, maybe that's my local DNS domain that I have 266 00:16:17,946 --> 00:16:19,926 for my house or something like that. 267 00:16:19,926 --> 00:16:24,666 So immediately, when I tried to ping tag or look up tekcert.com, it came back and it was like, 268 00:16:24,666 --> 00:16:27,606 "Well, I'm going to try and look up tekcert.com.home.local." 269 00:16:27,606 --> 00:16:28,986 Now, before we go on. 270 00:16:29,546 --> 00:16:31,886 You can even see the reply right here. 271 00:16:31,886 --> 00:16:34,436 It's saying, "There's no such thing. 272 00:16:34,436 --> 00:16:38,376 I don't know of a tekcert.com.home.local," is the DNS server's reply. 273 00:16:38,376 --> 00:16:42,516 But, let's dig a little bit deeper because Wireshark actually breaks 274 00:16:42,516 --> 00:16:45,796 down communication in the layers of the OSI model. 275 00:16:46,286 --> 00:16:51,556 At the very, very, very bottom is, you know, essentially as physical as it can get. 276 00:16:51,556 --> 00:16:54,416 It's saying, "Hey, this is how big the data was." 277 00:16:54,416 --> 00:16:58,146 This is, you know, how many bytes were actually sent on the wire. 278 00:16:58,146 --> 00:17:01,026 I mean think of this top one as the physical layer. 279 00:17:01,626 --> 00:17:03,716 Then, we come right here to the data link layer. 280 00:17:04,116 --> 00:17:05,526 Now, what do we expect to see there? 281 00:17:06,076 --> 00:17:07,326 MAC addresses. 282 00:17:07,326 --> 00:17:12,086 And sure enough I see that I have the source MAC address-- 283 00:17:12,086 --> 00:17:15,706 this is my computer right here and, you know, let's prove it. 
284 00:17:15,706 --> 00:17:19,006 I mean, let's make sure we're doing what's real here. 285 00:17:19,286 --> 00:17:25,396 I'll do IP config forward slash all and come up and look again. 286 00:17:25,396 --> 00:17:31,026 And, I look at my MAC address C8-C0, you know, and the last four digits 6C-32. 287 00:17:31,026 --> 00:17:35,246 I'm looking over here right there and sure enough, C8-60, so I go, "Okay". 288 00:17:35,416 --> 00:17:37,536 Well, I was the source, this is me. 289 00:17:37,906 --> 00:17:40,576 And then, I went to the destination of-- 290 00:17:40,576 --> 00:17:44,716 I actually have a little Cisco firewall that runs my location here. 291 00:17:45,006 --> 00:17:45,796 And, it says, "Okay. 292 00:17:45,796 --> 00:17:48,636 Well, I sent it to this MAC address as the destination." 293 00:17:48,636 --> 00:17:52,966 Ahh, you see-- so, wow, this is really, really good, right? 294 00:17:52,966 --> 00:17:57,446 So, it starts putting reality to a lot of the discussions we've had up 'till now on, okay, 295 00:17:57,446 --> 00:17:58,776 it's got the MAC addresses in there. 296 00:17:59,106 --> 00:18:01,346 Then it says, "Okay, well, what IP address is?" 297 00:18:01,346 --> 00:18:03,796 Where-- so, layer one, layer two, layer three. 298 00:18:03,796 --> 00:18:07,486 IP addresses were actually coming from the source of this, that's my computer, 299 00:18:07,796 --> 00:18:11,016 destination of this, the two DNS server. 300 00:18:11,446 --> 00:18:17,916 And now we come to the point that started this entire discussion, the UDP protocol. 301 00:18:18,456 --> 00:18:20,726 DNS actually uses UDP. 302 00:18:20,726 --> 00:18:23,706 Look at it, User Datagram Protocol, UDP. 303 00:18:23,706 --> 00:18:26,966 This is layer one, two, three, and four. 304 00:18:27,226 --> 00:18:34,716 It's saying, "I'm coming from the source port, 60353, going to the destination port, 53." 305 00:18:35,306 --> 00:18:37,666 Okay, stop right there. 
306 00:18:37,906 --> 00:18:44,726 What that says to me is that my computer contacted this DNS server. 307 00:18:45,826 --> 00:18:47,876 [Inaudible] .72 is the last octet. 308 00:18:47,876 --> 00:18:55,906 This is 4.2.2.3 is that DNS server and it went to a destination port of UDP port 53. 309 00:18:56,586 --> 00:18:58,576 Oh, three is a little odd there. 310 00:18:58,576 --> 00:19:03,396 Okay, 53, and it came from a source port of 60353. 311 00:19:03,796 --> 00:19:09,596 Now this is a well known, I'll put W/K, well-known port for DNS. 312 00:19:09,916 --> 00:19:15,876 As in all the DNS servers in the world respond on port UDP 53, that's where they expect 313 00:19:15,876 --> 00:19:22,026 to receive request for and all the computers in the world by default will ask questions directed 314 00:19:22,026 --> 00:19:24,716 at UDP port 53 of their DNS server. 315 00:19:25,686 --> 00:19:28,526 Now, Windows generated a dynamic port. 316 00:19:28,526 --> 00:19:32,446 This is not a well-known port at all, this is considered my source port saying, "Hey, 317 00:19:32,626 --> 00:19:36,296 my question is coming from the source port 60353." 318 00:19:36,596 --> 00:19:40,416 So when this guy replies back and says, "I have no idea what you're talking about. 319 00:19:40,416 --> 00:19:42,786 There is no such thing as tekcert.home.local." 320 00:19:44,376 --> 00:19:45,156 Excuse me. 321 00:19:45,156 --> 00:19:50,726 He's actually going to be coming from source of port 53 going to destination of 60353. 322 00:19:50,726 --> 00:19:51,976 But Windows expected that. 323 00:19:52,026 --> 00:19:54,976 They'd expected to get a response back on that source port 324 00:19:54,976 --> 00:19:59,356 and that's actually one of the reasons why DNS uses UDP. 
325 00:20:00,306 --> 00:20:05,396 This is kind of a stimulus response sort of thing to where I'm going to say, 326 00:20:05,396 --> 00:20:10,396 "I want to know who tekcert-- but I'll just put tk.com really is," 327 00:20:10,576 --> 00:20:13,096 and the DNS server will say, "Okay, here's your answer." 328 00:20:13,346 --> 00:20:17,216 Now that's all the communication that really goes on between them is, what's this, 329 00:20:17,276 --> 00:20:19,876 here's your answer, what's this, here's your answer, what's this, here's your answer. 330 00:20:20,146 --> 00:20:25,176 It would just be a waste of time to say, "Okay, let's build a session between us. 331 00:20:25,176 --> 00:20:27,016 You know, are you okay talking?" 332 00:20:27,016 --> 00:20:27,766 The other one is like, "Yes. 333 00:20:27,766 --> 00:20:28,426 Let's build this." 334 00:20:28,426 --> 00:20:30,876 And I'm getting into the 3 way handshake, you know, building a session. 335 00:20:31,076 --> 00:20:36,216 Okay. Now I want to know what is the name or IP address of tekcert.com and then, you know, 336 00:20:36,216 --> 00:20:37,936 send the acknowledgment that you got my question. 337 00:20:37,936 --> 00:20:39,146 He is like, "Okay, got it. 338 00:20:39,146 --> 00:20:41,306 I got your question and here's the answer." 339 00:20:41,306 --> 00:20:42,836 It's like, good grief. 340 00:20:42,836 --> 00:20:47,316 Why do you need all that overhead just to get the answer of who is tekcert.com?" 341 00:20:47,626 --> 00:20:51,746 So, with DNS, it's geared in such a way that you say, "Hey, who's tekcert.com?" 342 00:20:52,026 --> 00:20:56,186 And if your computer doesn't get an answer back, it's configured to say, "Well, 343 00:20:56,256 --> 00:20:59,236 I hope they got there but I don't think it got there 'cause I didn't get an answer back. 344 00:20:59,476 --> 00:21:00,486 Well let me ask again." 
345 00:21:00,746 --> 00:21:04,636 And so it will keep trying to ask because maybe the packet did get dropped somewhere 346 00:21:04,636 --> 00:21:07,676 between here in California during that communication. 347 00:21:07,756 --> 00:21:11,376 So, that's the idea of those port numbers. 348 00:21:11,376 --> 00:21:15,436 Now let's go back to Wireshark and look at this communication as a whole. 349 00:21:15,676 --> 00:21:19,536 So it's saying, "Okay, who is tekcert.com.home.local?" 350 00:21:19,786 --> 00:21:23,096 This guy comes back and it's like, no such thing, I don't know who that is. 351 00:21:23,166 --> 00:21:28,136 Now notice, it's asking for an A record, a DNS that's alias, 352 00:21:28,136 --> 00:21:30,876 that's the normal record that people ask for. 353 00:21:31,116 --> 00:21:32,626 So, it's like, no such thing. 354 00:21:32,626 --> 00:21:35,246 So it comes and say, "Okay, well let's try this. 355 00:21:35,446 --> 00:21:38,246 I would like an AAAA record." 356 00:21:38,246 --> 00:21:41,096 He's saying, "If I'm looking for this kind of record 357 00:21:41,096 --> 00:21:44,216 for tekcert.com.home.local, do you know who that is now?" 358 00:21:44,406 --> 00:21:46,376 And he's like, "No, still no such name." 359 00:21:47,056 --> 00:21:49,596 So okay, what's the difference here versus here? 360 00:21:50,016 --> 00:21:56,736 Well, this is looking for the IPv4 address of tekcert.com.home.local. 361 00:21:56,736 --> 00:22:00,046 AAAA record is actually an IPv6 address. 362 00:22:00,116 --> 00:22:02,146 So it's saying, "Okay, that didn't go so well. 363 00:22:02,336 --> 00:22:07,956 Maybe he's on TCP/IP version 6 because since Windows XP Service Pack 3, 364 00:22:08,246 --> 00:22:11,806 all the Windows operating systems have had IPv6 enabled 365 00:22:11,806 --> 00:22:13,526 by default so they-- they're balance today. 366 00:22:13,526 --> 00:22:14,796 He's like, "No, still no such thing." 
367 00:22:14,796 --> 00:22:22,536 So then he comes back and he's like, "Okay, well then, do you have an IP address for tekcert.com? 368 00:22:22,666 --> 00:22:23,856 How about just tekcert.com?" 369 00:22:23,856 --> 00:22:26,316 He comes back and he goes, "Actually, I do." 370 00:22:26,316 --> 00:22:29,936 And we can expand that out and we can find out, "Oh well, here is the query, 371 00:22:29,936 --> 00:22:31,916 tekcert.com and here is the answer. 372 00:22:32,216 --> 00:22:35,636 Tekcert.com came back and this is the IP address that I received." 373 00:22:36,496 --> 00:22:41,706 Wow, do you see how this can be really, really handy? 374 00:22:41,756 --> 00:22:43,176 If, I mean, think about it. 375 00:22:43,176 --> 00:22:47,346 Let's say we're sitting here and you type in, you know, whatever. 376 00:22:47,346 --> 00:22:50,096 You know, you're looking something up and it comes back and he's like no response 377 00:22:50,096 --> 00:22:53,636 or request timed out or, you know, something like that. 378 00:22:53,636 --> 00:22:56,206 And let's just put Bob.com. 379 00:22:56,236 --> 00:22:57,366 And, you know, it fills that. 380 00:22:57,366 --> 00:23:00,806 We've got all, you know, tries again Bob.com and we get this answer back. 381 00:23:01,086 --> 00:23:04,256 But what, you know, what if it never got the answer back? 382 00:23:04,256 --> 00:23:07,416 It just said, you know, request timed out, request timed out. 383 00:23:07,416 --> 00:23:08,976 And you're like, "What's going on?" 384 00:23:09,426 --> 00:23:12,766 I mean, without this tool in the background, you have no idea. 385 00:23:12,856 --> 00:23:16,216 I mean, this tool is what-- oh, it's looking for Bob.com.home.local, 386 00:23:16,216 --> 00:23:18,036 it's not supposed to do that, why is it doing that? 387 00:23:18,036 --> 00:23:20,456 So that's why Wireshark is really handy. 388 00:23:20,456 --> 00:23:22,906 So, bring that back around. 389 00:23:23,196 --> 00:23:25,266 That's the basics of Wireshark. 
390 00:23:25,266 --> 00:23:29,106 Again, without this filter, it's going to be just plain overwhelming, 391 00:23:29,106 --> 00:23:34,676 but if you can filter it down and start to really look and analyze these packets, 392 00:23:35,046 --> 00:23:36,786 you can get quite a bit out of it. 393 00:23:38,006 --> 00:23:42,886 So let me clear off this slate and get back to the topic at hand which is TCP and UDP. 394 00:23:42,886 --> 00:23:45,866 TCP I think we've got, it's just-- it's a wing it protocol, all right? 395 00:23:45,866 --> 00:23:49,476 You kind of chop the packet, you hope it gets there and if a response comes back, great. 396 00:23:49,656 --> 00:23:51,146 You know, that's how it works. 397 00:23:51,566 --> 00:23:54,636 TCP is the, "I know it got there" protocol. 398 00:23:55,146 --> 00:24:00,446 The way that it does that is by using initially a 3 way handshake to establish the session 399 00:24:00,916 --> 00:24:05,066 and then it uses acknowledgments to make sure that every single packet was received. 400 00:24:05,386 --> 00:24:10,016 Now, let me break that down into the fundamentals of how this protocol really works. 401 00:24:10,456 --> 00:24:14,476 When I have a computer here, and I say, "I want to go to-- 402 00:24:14,476 --> 00:24:21,406 let's just say I want to surf the web and go to cbtnuggets.com." 403 00:24:21,596 --> 00:24:22,906 That will be our example. 404 00:24:24,356 --> 00:24:28,436 HTTP is a TCP-based protocol. 405 00:24:28,826 --> 00:24:32,816 It uses-- it says, "I want to have reliability otherwise web pages might show up." 406 00:24:32,816 --> 00:24:37,086 You know, things missing off of them and all that now, and that may happen 407 00:24:37,086 --> 00:24:40,746 but it's not TCP's fault, it's-- somebody made a bad web page. 408 00:24:41,076 --> 00:24:44,746 But TCP makes sure that all of your traffic gets between these two. 409 00:24:45,116 --> 00:24:47,676 Now, when this guy starts, here's how it works. 
410 00:24:48,636 --> 00:24:54,956 He will send-- when he realizes, okay, I've got the IP address 'cause I looked it up via DNS. 411 00:24:54,956 --> 00:25:02,146 The IP address of CBT Nuggets, let's just use some reality here, cbtnuggets.com., there we go. 412 00:25:02,146 --> 00:25:03,556 Is-- let's just grab this first one, 413 00:25:03,556 --> 00:25:10,086 18472 so I'll just go 1184.72 dot dot dot, you know, that's the IP address. 414 00:25:10,086 --> 00:25:17,726 He's going to send the very first packet will be what's called a SYN packet saying, 415 00:25:18,056 --> 00:25:21,766 "Hey CBT Nuggets, I would like to start a discussion with you." 416 00:25:22,606 --> 00:25:26,706 Are you-- essentially, let me put in plain English and then I'll get technical. 417 00:25:26,886 --> 00:25:27,766 "Are you okay with that?" 418 00:25:28,236 --> 00:25:32,106 CBT Nuggets says, "Yes, I am okay with that." 419 00:25:32,266 --> 00:25:39,986 SYN ACK. That means, I'm sending a synchronization bit, if you will. 420 00:25:39,986 --> 00:25:42,366 I'm saying, yes, I would like to start talking to you, 421 00:25:42,366 --> 00:25:45,356 which is what these do, and I'm acknowledging yours. 422 00:25:45,356 --> 00:25:49,116 I'm saying, "I got yours" that's the acknowledgment "And here's mine." 423 00:25:49,636 --> 00:25:53,136 So, this guy replies back with one final ACK. 424 00:25:53,206 --> 00:25:55,486 What do you think that's there for? 425 00:25:57,506 --> 00:25:58,036 I got that. 426 00:25:58,536 --> 00:26:00,816 I got the SYN message from you. 427 00:26:00,816 --> 00:26:06,116 So I'm acknowledging that we're good and that is what they call a TCP 3 way handshake. 428 00:26:06,116 --> 00:26:11,126 Every single time you start a session, it's going to do that with the destination. 429 00:26:11,336 --> 00:26:14,036 A matter of fact let's-- I am all about Wireshark. 430 00:26:14,036 --> 00:26:15,506 Let's prove it to ourselves, right? 
431 00:26:15,756 --> 00:26:18,986 Let's stop this capture, I'm just going to close this guy. 432 00:26:19,576 --> 00:26:20,766 Continue without saving. 433 00:26:20,766 --> 00:26:24,696 Okay. Let's clear the filter off and let's just start to capture. 434 00:26:24,696 --> 00:26:28,756 We'll just go to one website so it should be pretty easy to pull out, click on start. 435 00:26:29,286 --> 00:26:33,726 I'm going to go to cbtnuggets.com. 436 00:26:35,136 --> 00:26:37,096 Enter, boom, stop the capture. 437 00:26:37,316 --> 00:26:42,116 I got a whole bunch of data, 400 some packets that were sent to generate CBT Nuggets website. 438 00:26:42,346 --> 00:26:45,306 Let's go all the way back to the beginning up here where it all happened. 439 00:26:45,596 --> 00:26:52,956 Notice that right here my-- now, now you might say, "Well I don't see any DNS, you know, 440 00:26:53,036 --> 00:26:58,246 question for who is cbtnuggets.com, I see, you know, Wireshark weaseled its way in there." 441 00:26:58,546 --> 00:27:02,796 But, you know, what's happened is my computer cached the DNS response. 442 00:27:02,796 --> 00:27:06,506 It remembers who CBT Nuggets is because I've gone there before. 443 00:27:06,506 --> 00:27:09,296 Now, those caches will eventually time out but they'll get there. 444 00:27:09,526 --> 00:27:10,326 Now, look right here. 445 00:27:10,326 --> 00:27:13,636 So, we have Google, we're talking to Google and you might say, "Well, 446 00:27:13,966 --> 00:27:15,526 what's all this stuff happening?" 447 00:27:15,776 --> 00:27:19,336 Well, whenever you type, you know, I'm using Google Chrome and I don't know if you've notice 448 00:27:19,336 --> 00:27:23,966 but when you start typing you're like, Jeremy, it's starting to, you know, 449 00:27:23,966 --> 00:27:27,076 figure out who will the, you know, who is-- 450 00:27:27,076 --> 00:27:30,356 it's filling in all of this data, so we're able to see. 451 00:27:30,606 --> 00:27:32,246 You know, oh, okay it's filling this in. 
452 00:27:32,246 --> 00:27:34,426 So every single time, Google is going, "Okay, well, 453 00:27:34,706 --> 00:27:38,416 let's find out who Jeremy Cioara is and you click on it. 454 00:27:38,706 --> 00:27:41,226 That's-- it's kind of weird [laughs], I'm looking myself up. 455 00:27:41,466 --> 00:27:43,146 But, you know, who is Jeremy Cioara? 456 00:27:43,146 --> 00:27:47,136 It's constantly going back and forth with Google saying, "Okay, he typed an I, he typed an O, 457 00:27:47,136 --> 00:27:48,906 he typed an A, you know, as it fills out the names. 458 00:27:48,906 --> 00:27:51,186 So that's what this little shindig was. 459 00:27:51,186 --> 00:27:52,726 Now, here's the meat of it. 460 00:27:52,726 --> 00:27:59,746 I come down right and I see, okay this is a TCP-based message, three of them to be exact. 461 00:28:00,086 --> 00:28:08,486 Notice, SYN, SYN ACK, ACK, 3 way handshake, SYN, SYN ACK, ACK, SYN, SYN ACK, ACK. 462 00:28:08,486 --> 00:28:12,286 Now, I want to go down a little further because I'm noticing here-- 463 00:28:12,286 --> 00:28:13,476 notice the source and destination. 464 00:28:13,476 --> 00:28:15,516 It came from this server going to this one, right? 465 00:28:15,626 --> 00:28:19,956 SYN, SYN ACK, ACK and I go down a little bit more and all of a sudden, I see another one. 466 00:28:20,276 --> 00:28:23,176 It's like, wait second, SYN, SYN ACK, ACK. 467 00:28:23,726 --> 00:28:25,546 And so there's more than one. 468 00:28:25,816 --> 00:28:28,416 I go down and all of a sudden, I see it looking up all the stuff, it's like, 469 00:28:28,626 --> 00:28:32,706 "I'm looking up some analytics, I'm looking up cloudfront.net, Facebook.com." 470 00:28:32,706 --> 00:28:34,136 What on earth is going on? 471 00:28:34,316 --> 00:28:37,446 And all of a sudden I see all these-- okay, SYN within, SYN within, SYN within, SYN within. 472 00:28:37,526 --> 00:28:40,476 All of these are SYNs and then I started, you know, look at these SYNs. 
473 00:28:40,476 --> 00:28:43,616 It's starting all of the sessions with all these different servers 474 00:28:43,726 --> 00:28:46,506 and then they all start coming back, SYN ACK, SYN ACK, SYN ACK, SYN ACK. 475 00:28:46,506 --> 00:28:50,266 And then, you know, it's kind of like that we get this big merge of ACK, ACK, ACK. 476 00:28:50,266 --> 00:28:52,496 You know, it's kind of a-- what on earth is going on? 477 00:28:52,496 --> 00:28:56,036 I just went to CBT Nuggets and all of a sudden, I've got all of these sessions starting. 478 00:28:56,296 --> 00:29:00,396 Well, you remember, I think that I talked about this in the previous Nugget 479 00:29:00,396 --> 00:29:03,326 but this web page is a framework of web pages. 480 00:29:03,486 --> 00:29:06,706 When you come here, there's something on here that deals with Facebook. 481 00:29:06,706 --> 00:29:07,476 Ahh, there we go. 482 00:29:07,786 --> 00:29:10,306 They've got a little follow us on Facebook link, maybe that's it. 483 00:29:10,306 --> 00:29:12,376 And they've got a little link to Twitter or something 484 00:29:12,376 --> 00:29:14,316 that it pulled from Twitter and built this. 485 00:29:14,316 --> 00:29:16,876 So this web page is dynamic, it's always changing, 486 00:29:16,876 --> 00:29:18,456 it's pulling from all these different servers. 487 00:29:18,456 --> 00:29:24,666 So when I come to cbtnuggets.com, I'm actually, you know, these pictures, these videos, 488 00:29:24,666 --> 00:29:29,256 everything is pulling from all these different servers, so that's why I see just getting shot 489 00:29:29,256 --> 00:29:32,516 into this world of SYN and SYN ACKs but just get back to the base 490 00:29:32,516 --> 00:29:34,426 of it all, that's where it started. 491 00:29:34,626 --> 00:29:36,426 SYN, SYN ACK, ACK. 492 00:29:37,056 --> 00:29:39,266 So there's got to be more to it than that, right? 493 00:29:39,266 --> 00:29:40,266 You know, there is. 
494 00:29:41,066 --> 00:29:47,906 SYN, SYN ACK, and ACK introduce something known as sequence numbers. 495 00:29:50,826 --> 00:29:51,906 So here's the concept. 496 00:29:51,906 --> 00:29:53,336 I wrote it up here so I wouldn't forget, 497 00:29:53,336 --> 00:29:56,946 but I didn't forget even though I erased it, called TCP Windowing. 498 00:29:57,776 --> 00:30:00,946 TCP Windowing is the key to network efficiency. 499 00:30:01,786 --> 00:30:05,556 So, here's the concept of windowing and window sizes. 500 00:30:05,556 --> 00:30:08,186 Some people call it sliding windows if you ever hear that before. 501 00:30:08,676 --> 00:30:13,606 Let's say I have a really big file, it's 1.0 gigabytes in size, 502 00:30:13,816 --> 00:30:15,816 and I want to send that over to the server. 503 00:30:16,546 --> 00:30:18,666 Well, when-- I don't know if you've ever seen this in Windows, 504 00:30:18,666 --> 00:30:22,636 if you've ever copied a really big file and you copy across and pops up that little, you know, 505 00:30:22,636 --> 00:30:25,906 copying time estimate window and it initially starts off and it's 506 00:30:25,906 --> 00:30:30,556 like your time estimate is two days five hours, and you're like, "What, 507 00:30:30,556 --> 00:30:31,836 you know, well that's not right!" 508 00:30:31,836 --> 00:30:33,246 And then Windows is like, "No, no, no, no, no. 509 00:30:33,246 --> 00:30:34,256 Just kidding, let me back off. 510 00:30:34,486 --> 00:30:37,986 Actually, it's going to be one day three hours." 511 00:30:37,986 --> 00:30:38,956 And you're like, "What?" 512 00:30:38,956 --> 00:30:42,066 You know, and then, no, no, no, no, have you-- you know what I'm talking about? 513 00:30:42,066 --> 00:30:45,776 And [inaudible] says like, "No, just kidding your time estimate is really 32 minutes." 514 00:30:45,776 --> 00:30:48,596 And you're like, "Okay, that's a little more of a result." 
515 00:30:48,596 --> 00:30:51,966 And then, I mean, it takes like 30 seconds before it's final like, okay, 516 00:30:51,966 --> 00:30:54,146 really it's going to take 10 minutes to copy that file. 517 00:30:54,586 --> 00:30:59,256 [Laughs] Okay, it's like, okay what happened between Windows popping up and saying it's two 518 00:30:59,256 --> 00:31:03,066 and half days to copy this file all the way down to 10 minutes? 519 00:31:03,486 --> 00:31:06,456 Well that's where TCP Windowing kick in and took effect. 520 00:31:06,716 --> 00:31:11,486 Essentially when your computer starts to send that file, this file has actually broken 521 00:31:11,486 --> 00:31:19,106 up the normal packet size for Ethernet, it's actually 1,500 bytes, 1,500 bytes, 522 00:31:19,106 --> 00:31:24,356 that's very small especially when you're considering I'm sending 1 gigabyte of data. 523 00:31:24,356 --> 00:31:27,496 So, a little 1,500-byte, that's, you know, think of this as 1 kilobyte 524 00:31:27,496 --> 00:31:30,516 and you remember there is a thousand 24 K and a megabyte 525 00:31:30,516 --> 00:31:32,896 and there's a thousand 24 megabytes and a gigabyte. 526 00:31:32,896 --> 00:31:35,986 So, I mean, you're going to send thousands and thousands and thousands 527 00:31:35,986 --> 00:31:37,166 of these packets to compress this. 528 00:31:37,166 --> 00:31:40,376 So, it sends one packet over there. 529 00:31:40,646 --> 00:31:43,146 This guy comes back and it's like, "Okay, great. 530 00:31:43,146 --> 00:31:44,106 I got your packet." 531 00:31:44,106 --> 00:31:49,226 The very, very first packet of this 1.0-gigabyte file transfer, I got it ACK. 532 00:31:50,756 --> 00:31:53,766 Now Windows looks at that and it's like, "Wow. 533 00:31:53,926 --> 00:31:59,226 Okay." If I'm going to send one packet at a time and then sit there and wait for the other size-- 534 00:31:59,316 --> 00:32:01,426 other side to come back and say, "Okay, I got it. 
535 00:32:01,426 --> 00:32:04,766 It's going to take two and a half days to transmit this file." 536 00:32:05,356 --> 00:32:06,476 So the computer goes, "Okay. 537 00:32:06,476 --> 00:32:08,496 Well let's-- let's try this. 538 00:32:08,496 --> 00:32:14,516 How about instead of sending one packet, I send you four packets at a time." 539 00:32:14,716 --> 00:32:19,586 So it takes four of these 1,500 byte packets of the 1 gigabyte file, sends them over there 540 00:32:19,806 --> 00:32:22,936 and the server comes back and he's like, "Okay, I got it. 541 00:32:22,936 --> 00:32:24,996 I got all four of those packets." 542 00:32:24,996 --> 00:32:28,376 And the guy-- the Windows is like, "Okay, great. 543 00:32:28,376 --> 00:32:28,896 That's better. 544 00:32:29,286 --> 00:32:32,716 If I can send four packets at a time then I bet you that I can get this done 545 00:32:32,716 --> 00:32:34,176 in like a day and a half, right." 546 00:32:34,176 --> 00:32:37,586 It reduces it dramatically because we're being much more efficient. 547 00:32:37,586 --> 00:32:41,146 So, what's happening over that, you know, first 30 seconds 548 00:32:41,146 --> 00:32:44,836 or so of that file transfer is it just keeps trying to send more and more and more 549 00:32:44,836 --> 00:32:45,736 and more and more and more and more. 550 00:32:45,736 --> 00:32:46,206 It's like, "Okay. 551 00:32:46,206 --> 00:32:49,946 I'm going to try and send you 100 packets at a time." 552 00:32:49,996 --> 00:32:54,826 Sends them a 100 of these 1,500-byte packets, ACK, I got all 100 of them. 553 00:32:54,826 --> 00:32:55,416 Does that make sense? 554 00:32:55,416 --> 00:33:01,706 So, that's the concept known as TCP window sizes or some people call it sliding windows 555 00:33:01,706 --> 00:33:04,086 because the windows starts small, it slides bigger. 
556 00:33:04,336 --> 00:33:09,716 But if there's drafts, like let's say, I send a 100 packets and I lost two of them, 557 00:33:09,786 --> 00:33:13,476 then my computer is going to go, "Whoa, whoa, whoa, whoa, whoa," you know, we're losing data, 558 00:33:13,476 --> 00:33:16,576 I've got to pull back and only send a smaller, 559 00:33:16,576 --> 00:33:19,926 so the window size slides smaller and you see the copy time go up. 560 00:33:20,106 --> 00:33:26,136 So, that is the essence of how computers know how much they're able to send 561 00:33:26,136 --> 00:33:30,046 or how much bandwidth they can consume and they're going to try and consume all of it. 562 00:33:30,516 --> 00:33:34,656 And computers are bandwidth hungry monsters, they will try and consume all of the bandwidth 563 00:33:34,656 --> 00:33:37,986 that they can on the way to that server until they finally start dropping packets. 564 00:33:37,986 --> 00:33:41,126 And they go, "Okay, that's how much I can send it once before I, you know, 565 00:33:41,226 --> 00:33:43,676 I've reached the congestion point of the network." 566 00:33:43,726 --> 00:33:48,796 So, how do-- what-- how did this, this Window-- 567 00:33:48,796 --> 00:33:54,336 Windowing concept and sending more than one packet at a time fit into this and it-- 568 00:33:54,336 --> 00:33:56,466 where we started with this 3 way handshake. 569 00:33:57,046 --> 00:34:02,596 Well, when we do a 3 way handshake, what we're really exchanging is sequence numbers 570 00:34:02,596 --> 00:34:08,716 of my packet numbers are going to start here and then keep incrementing as I send you data. 571 00:34:09,186 --> 00:34:11,906 So, let's look back at Wireshark, get some examples of this. 572 00:34:11,906 --> 00:34:14,786 So, right here, we've got our 3 way handshake. 573 00:34:14,786 --> 00:34:16,576 We've got SYN, SYN ACK, ACK. 574 00:34:16,576 --> 00:34:17,996 So that's the very first one that we do. 575 00:34:17,996 --> 00:34:19,516 So let's break this open. 
576 00:34:19,876 --> 00:34:25,816 We'll look at the TCP data and it says, "Oh, this guy is a flag, it's a SYN" but I want you-- 577 00:34:25,816 --> 00:34:29,236 and you can, I mean, you can dig deep and say, "Oh, okay, well it's actually this bit," 578 00:34:29,236 --> 00:34:32,246 and that, I mean, yeah, for now, it's a SYN, right? 579 00:34:32,576 --> 00:34:35,196 But if you look three above that, it says, "Hey, 580 00:34:35,406 --> 00:34:38,436 we're going to be starting from sequence number zero." 581 00:34:38,856 --> 00:34:41,926 That's it, that's was-- so I'm going to-- that's my beginning where-- 582 00:34:41,926 --> 00:34:44,286 that's where my counter begins essentially. 583 00:34:44,606 --> 00:34:47,976 Now this comes back and says, "Well, here's your SYN ACK," right? 584 00:34:48,256 --> 00:34:51,166 And what this says is, "I'm going to be starting from sequence number two." 585 00:34:51,256 --> 00:34:52,206 That's great. 586 00:34:52,206 --> 00:34:55,626 "And by the way, I'm sending it ACK for one." 587 00:34:56,516 --> 00:34:57,656 What does that mean? 588 00:34:57,916 --> 00:35:02,586 So, I-- and so, again, let's look, this is my computer saying, "Hi SYN. 589 00:35:02,586 --> 00:35:04,516 I'm going to be starting from sequence number zero." 590 00:35:04,806 --> 00:35:09,626 This is them, see them, this is CBT Nuggets you're applying back that it's saying, "Okay. 591 00:35:09,626 --> 00:35:12,826 I'm going to start from sequence number zero, that's my SYN too 592 00:35:13,096 --> 00:35:15,346 but I'm also going to send you an ACK of one." 593 00:35:15,966 --> 00:35:21,036 Well the way the ACK works is it's always going to be one more than your sequence number. 594 00:35:21,256 --> 00:35:24,336 So when I said, "Hey SYN, I'm going to be starting from number zero." 595 00:35:24,576 --> 00:35:27,946 He comes back and in his ACK he says, "I'm going to acknowledge one." 
596 00:35:28,096 --> 00:35:32,806 And what that says to the computer is, "I've received your zero and the next sequence 597 00:35:32,806 --> 00:35:35,146 that I'm expecting from you is one." 598 00:35:35,786 --> 00:35:36,896 Does that make sense? 599 00:35:36,896 --> 00:35:40,446 And then, and then, and then, I'm like [laughs], "Oh, oh, oh, and then look at this." 600 00:35:40,446 --> 00:35:43,066 And then, when I click it on here, it goes, "Okay, great. 601 00:35:43,216 --> 00:35:45,806 I'm going to send an ACK back of one as well." 602 00:35:46,926 --> 00:35:50,386 So, what we've done is we say, "Okay, I started with sequence number zero. 603 00:35:50,616 --> 00:35:51,376 Is that good?" 604 00:35:51,376 --> 00:35:52,506 And he goes, "Absolutely. 605 00:35:52,506 --> 00:35:54,166 I'm going to start from sequence number zero 606 00:35:54,166 --> 00:35:57,506 and I'm acknowledging your sequence number zero by giving you an ACK of one." 607 00:35:57,806 --> 00:36:01,056 Then I come back and say, "Okay, ACK of one because I'm a-- 608 00:36:01,056 --> 00:36:02,786 I don't know why I put it aligned to that, 609 00:36:02,786 --> 00:36:04,656 because I'm acknowledging your sequence number zero 610 00:36:04,656 --> 00:36:07,056 that you gave me and now let's start talking." 611 00:36:07,676 --> 00:36:08,636 Isn't there a lot? 612 00:36:08,636 --> 00:36:09,476 That's a lot-- whoa. 613 00:36:09,716 --> 00:36:12,976 That's a lot to just say, "Okay, let's now start talking." 614 00:36:12,976 --> 00:36:15,886 But then, when you start getting it to the data, let's see if I can dig 615 00:36:15,886 --> 00:36:19,956 and then find some good data transfer here. 616 00:36:20,046 --> 00:36:24,406 I got your standard encrypted packets going through there. 
617 00:36:24,406 --> 00:36:31,776 It's so [laughs], it's funny because going to CBT Nuggets home page, there's so much pointers 618 00:36:31,776 --> 00:36:34,586 on there that-- and there's encrypted data, HTTPS, 619 00:36:34,586 --> 00:36:36,176 you know, stuff flying all over the place. 620 00:36:36,586 --> 00:36:38,466 But right here and that's, I'll describe this. 621 00:36:39,576 --> 00:36:43,356 Right in the middle of this, this is actually using TLS which is encrypted data. 622 00:36:43,656 --> 00:36:47,336 This is CBT Nuggets sending me some data saying-- and they're saying, "Hey, 623 00:36:47,336 --> 00:36:50,556 this is my sequence number and I am acknowledging the last one 624 00:36:50,556 --> 00:36:52,606 that you gave me which was 1639." 625 00:36:52,606 --> 00:36:56,076 So you kind of go back and forth, it's just, you know, finding the stream. 626 00:36:56,076 --> 00:36:59,176 So this guy is saying, "Okay. 627 00:36:59,176 --> 00:37:01,996 I'm-- yeah, we're getting the encryption handshake." 628 00:37:01,996 --> 00:37:02,866 So, okay, here we go. 629 00:37:03,116 --> 00:37:04,096 I'm sending some data. 630 00:37:04,096 --> 00:37:08,046 So I send some data right here, sequence number 348. 631 00:37:08,176 --> 00:37:10,266 I move on sequence number 401. 632 00:37:10,306 --> 00:37:12,476 I move on sequence number 462. 633 00:37:12,476 --> 00:37:17,056 So, you're sending data and every time-- now, if I want to see-- well, here is the actual data, 634 00:37:17,316 --> 00:37:19,806 it's SSL which is all nice and encrypted. 635 00:37:20,066 --> 00:37:21,856 Here's the data that's being sent. 636 00:37:21,856 --> 00:37:24,716 It's all encrypted mosh going to CBT Nuggets website, 637 00:37:24,986 --> 00:37:28,046 but all of that stuff has sequence numbers. 638 00:37:28,366 --> 00:37:32,266 So, essentially, let me boil it back down on the slide 'cause it's a little less complex 639 00:37:32,266 --> 00:37:33,486 and busting that Wireshark. 
640 00:37:33,746 --> 00:37:38,556 I've got, you know, let's say three 1,500-byte packets to send, right? 641 00:37:38,556 --> 00:37:44,696 So let's say I started with SYN zero, I send three 1,500-byte packets to the other side, 642 00:37:45,576 --> 00:37:50,646 and it will come through and, you know, first one will say, "Hey, I'm some data. 643 00:37:50,886 --> 00:37:53,066 I'm sequence number 1,500. 644 00:37:53,066 --> 00:37:55,786 The second one will come through and say, "Okay. 645 00:37:55,786 --> 00:37:58,006 Well, I'm sequence number 3,000." 646 00:38:00,136 --> 00:38:04,696 And third one comes through and you see where this is going, "I'm sequence number 4,500." 647 00:38:04,696 --> 00:38:08,596 The sequence numbers are-- they are essentially a mathematical addition 648 00:38:08,596 --> 00:38:10,796 of all of the data that's being sent. 649 00:38:10,796 --> 00:38:13,266 In that way when this-- these two get dropped, you know, 650 00:38:13,266 --> 00:38:15,496 maybe this one made it through, these two were dropped. 651 00:38:15,656 --> 00:38:18,206 All of a sudden this guy goes, "Whoa, wait a sec. 652 00:38:19,016 --> 00:38:28,046 I missed sequence numbers, you know, we'll say 4,000 through 6593 or whatever, you know, 653 00:38:28,046 --> 00:38:29,186 whatever those sequence numbers are." 654 00:38:29,436 --> 00:38:32,286 So, he's going to be like, "Whoa, I did not receive those." 655 00:38:32,286 --> 00:38:35,046 He goes, "Oh, well let me resend those sequence numbers to you." 656 00:38:35,046 --> 00:38:41,006 That-- this is how TCP keeps it all working is by, you know, again, 657 00:38:41,006 --> 00:38:42,536 those acknowledgments coming back. 658 00:38:42,756 --> 00:38:44,956 If you received them all, he'll send acknowledgment 659 00:38:44,956 --> 00:38:46,696 for one plus, whatever the last sequence. 660 00:38:46,696 --> 00:38:49,876 So let's say, the last sequence number to get in was 4,500. 
661 00:38:50,076 --> 00:38:56,656 He's going to send an acknowledgment for 4501-- 1 and then the transmission continues on. 662 00:38:56,796 --> 00:39:00,916 [Laughs] It's like, right there, I took breath and I took a step back and I'm like, 663 00:39:01,196 --> 00:39:03,676 "How do you see anything on the screen anymore." 664 00:39:03,806 --> 00:39:06,206 It builds on itself so hopefully you've-- 665 00:39:06,346 --> 00:39:11,016 you didn't look away throughout 'cause otherwise it's just a mess of lines going back and forth. 666 00:39:11,376 --> 00:39:16,776 But, wow, I mean, if you take that and put it all together and you are on your way-- 667 00:39:16,846 --> 00:39:21,916 well on your way to becoming a network Ninja, not only understanding how TCP works, 668 00:39:21,916 --> 00:39:25,796 the 3 way handshake, the acknowledgment, back and forth process, but also now, 669 00:39:25,796 --> 00:39:28,666 starting to look inside of Wireshark and being like, "Oh, oh, oh, 670 00:39:28,826 --> 00:39:30,766 I see the 3 way handshake right there. 671 00:39:30,766 --> 00:39:31,286 I get it." 672 00:39:31,286 --> 00:39:34,906 You know, and then I started seeing that, I get referred to all these other servers, you know, 673 00:39:34,906 --> 00:39:36,776 because there're the DNS queries. 674 00:39:36,776 --> 00:39:40,476 And then, I started sessions with all those, that's all these SYN packets, I mean, wow! 675 00:39:40,566 --> 00:39:47,716 That's a ton of info that you can say that, I mean, it's rare to find somebody who's able 676 00:39:47,716 --> 00:39:50,236 to do that level of knowledge in the network world. 677 00:39:51,246 --> 00:39:56,016 I have found that there is a big difference between the amount of time I think it's going 678 00:39:56,016 --> 00:39:58,966 to take to talk about something and then the actual amount of time it does. 
679 00:39:59,526 --> 00:40:01,896 It's all a Wireshark, I'm telling you, bringing that tool 680 00:40:01,896 --> 00:40:03,826 into this, I mean, the sky is the limit. 681 00:40:04,146 --> 00:40:06,546 But boy, do I want to-- what I'm going to do is I'm going 682 00:40:06,546 --> 00:40:08,076 to break this into two different pieces. 683 00:40:08,076 --> 00:40:13,576 So, this will be our part one and then I'll wrap up these other two items in part two. 684 00:40:14,106 --> 00:40:17,596 But what did we talk about and then what do I want you to do with it? 685 00:40:17,986 --> 00:40:19,826 Two, well, we talked about a lot. 686 00:40:19,826 --> 00:40:23,076 We talked about UDP and, you know, its simplicity. 687 00:40:23,216 --> 00:40:26,766 And then we got into TCP just looking at, you know, what is this is protocol 688 00:40:26,766 --> 00:40:32,776 or how does it communicate so, you know, in a stable way using sessions with the other side. 689 00:40:32,776 --> 00:40:38,056 We saw the TCP 3 way handshake, we saw sequence numbers, we saw a DNS lookups, we saw Wireshark, 690 00:40:38,056 --> 00:40:40,156 I mean [inaudible], you know, the list goes on. 691 00:40:40,156 --> 00:40:43,196 And I mean, this was just a packed Nuggets. 692 00:40:43,196 --> 00:40:46,186 So, here's what I want you to do with it. 693 00:40:46,186 --> 00:40:48,856 I want you to really take the time 694 00:40:48,856 --> 00:40:53,316 to start getting a depth behind your knowledge of UDP and TCP. 695 00:40:53,956 --> 00:40:56,636 What I want you to do is go download Wireshark. 696 00:40:56,636 --> 00:40:58,526 Go to wireshark.org, it's a freebie. 697 00:40:58,526 --> 00:41:03,176 Download that and install it on your laptop or desktop or whatever device that you have. 698 00:41:03,576 --> 00:41:05,506 And I want you to go to a simple website. 699 00:41:05,506 --> 00:41:09,326 A matter of fact, somebody emailed this to me a long time ago. 
700 00:41:09,326 --> 00:41:14,246 What was it called, the last page of the internet. 701 00:41:14,426 --> 00:41:17,876 [Laughs] That it's and it's just some guy and he's been around for a long time. 702 00:41:18,066 --> 00:41:20,786 The last page you cre-- the guy who created a website that just says, 703 00:41:20,786 --> 00:41:22,556 "You have reached the last page of the internet. 704 00:41:22,866 --> 00:41:23,936 Hope you enjoyed your browsing. 705 00:41:24,316 --> 00:41:25,816 Go outside." 706 00:41:25,816 --> 00:41:30,106 So, beautifully simple web page to where we won't get the confusion behind. 707 00:41:30,296 --> 00:41:35,336 And won't say confusion but the complexity behind going to big websites like CBT Nuggets 708 00:41:35,336 --> 00:41:38,096 and seeing 50 different servers popped into our conversation. 709 00:41:38,096 --> 00:41:39,626 So grab Wireshark. 710 00:41:40,016 --> 00:41:42,996 I want you to capture the DNS lookup. 711 00:41:42,996 --> 00:41:45,456 Create a filter, find out what your DNS server is. 712 00:41:45,616 --> 00:41:50,336 Create a filter that allows you to see the DNS lookup and then one that allows you 713 00:41:50,336 --> 00:41:56,256 to see the communication between you and that last page of the internet web server. 714 00:41:56,256 --> 00:41:59,926 They'll be nice and simple so you don't have a ton of stuff to read through. 715 00:42:00,116 --> 00:42:07,216 Also, realize that I showed you-- I mean, one 1,000th of the possibilities of Wireshark. 716 00:42:07,356 --> 00:42:12,866 You can create complex filters like I could say this and IP address equal, you know, 717 00:42:12,976 --> 00:42:17,726 or I could use and or IP address at and equals such and such. 718 00:42:17,726 --> 00:42:21,566 I mean, you can start building numbers where you just capture a certain port number 719 00:42:21,846 --> 00:42:24,356 or I should say filters where you just capture certain port numbers. 
720 00:42:24,356 --> 00:42:25,716 There're a lot of possibilities. 721 00:42:25,716 --> 00:42:27,636 I mean, play around with this, start tinkering around. 722 00:42:27,936 --> 00:42:33,646 And really, I would say, add some depth to your knowledge and then jump into the next Nugget 723 00:42:33,646 --> 00:42:36,126 where we'll talk about the port numbers and then fit it all together 724 00:42:36,126 --> 00:42:37,926 with that end-to-end communication story. 725 00:42:38,426 --> 00:42:41,486 I hope this has been informative for you and I'd like to thank you for viewing.
