Who was the presenter of the webinar?

Jason DuTrey was the presenter of the webinar.

What was the main topic discussed in the webinar?

The main topic was troubleshooting using network traffic analysis.

What are some tools mentioned for network traffic analysis?

Tools such as TCP dump, CPP cap, FW monitor, and WireShark were mentioned.

Can you access the recording of the webinar?

Yes, the webinar will be posted on the company's YouTube channel.

What is a common tool used in Linux for network traffic analysis?

TCP dump is a common tool used in Linux for network traffic analysis.

Is WireShark mentioned as a tool for network analysis?

Yes, WireShark is mentioned as a tool for network analysis.

What is the main advantage of using CPP Cap over TCP Dump?

CPP Cap is lighter weight with less CPU impact compared to TCP Dump.

What is FW monitor used for?

FW monitor is used for monitoring Kernel-level traffic specifically on firewalls.

How can profiles be managed in WireShark according to the webinar?

Profiles in WireShark can be created and exported or shared to ensure consistent setup across different machines.

What is a recommended way to handle extended captures using TCP Dump?

Using TCP dump to write to a pcap file for later analysis is recommended for handling extended captures.

Tips and Tricks 2024 #16 - Troubleshooting using Network Traffic

00:36:47

https://www.youtube.com/watch?v=LAQFitLHANE

Zusammenfassung

TLDRThe webinar, led by Jason DuTrey, Security Engineer at Checkpoint, focused on troubleshooting network traffic. Jason began by emphasizing understanding the OSI model and identifying the starting points for trouble-shooting issues, which can vary significantly based on whether something isn't powered on or if a major configuration change has occurred. The session discussed the importance of knowing which tools to use, introducing several such as TCP dump, CPP cap, FW monitor, and WireShark. TCP dump, a widespread tool in Linux systems for capturing network traffic, allows detailed analysis but can be CPU intensive. Meanwhile, CPP cap, a Checkpoint specific tool, offers similar functionality with lighter CPU usage. FW monitor was explained as a tool for analyzing kernel-level traffic specifically on firewalls, and the session expounded on how WireShark serves as a powerful GUI-based tool for detailed packet analysis, though it can be resource-intensive. Throughout the webinar, Jason also demonstrated the use of filters and the importance of understanding network interfaces and protocols while capturing and analyzing traffic to excel in network troubleshooting.

Mitbringsel

👨‍💻 Jason DuTrey is the presenter, specializing in network security.
🔍 The webinar focuses on network traffic troubleshooting.
🛠️ TCP dump and CPP cap are crucial tools discussed.
🌐 Understanding the OSI model is essential for troubleshooting.
🖥️ WireShark is highlighted for its GUI interface capabilities.
⚙️ FW monitor inspects kernel traffic specifically on firewalls.
📊 Real-time and saved analyses are vital for extended captures.
🚫 Avoid unnecessary DNS resolution during analysis.
📈 Handling CPU impact is crucial when using intensive tools.
🔧 Tailoring WireShark profiles can aid detailed traffic examination.

Zeitleiste

00:00:00 - 00:05:00
The webinar introduces the topic of troubleshooting using network traffic, focusing on identifying starting points, differentiating problems, and understanding tools for analysis. Key questions include discovering when an issue commenced and understanding the OSI model's layers.
00:05:00 - 00:10:00
Jason explains the significance of understanding the OSI model for troubleshooting, emphasizing that issues can arise at any layer, from the physical to application layers. The session aims to focus on layer 3 network (IP layer) and layer 2 (Ethernet).
00:10:00 - 00:15:00
He discusses various tools for network traffic analysis like TCP dump, CPP cap, FW monitor, and Wireshark. TCP dump is a widely-used tool across systems, but can be CPU-intensive. Checkpoint's CPP cap is designed to be lighter, while FW monitor offers kernel-level insights.
00:15:00 - 00:20:00
The section highlights the preferred tool usage depending on the troubleshooting context, viewing TCP dump and CPP cap as ideal for physical NIC issues, and exploring Wireshark for deeper analysis due to its graphical interface capabilities.
00:20:00 - 00:25:00
Jason provides details on how to use TCP dump and CPP cap, emphasizing capturing traffic on specific interfaces, avoiding DNS resolutions during capture, and employing different command options for tailored outputs. This section also touches on protocol analysis intricacies.
00:25:00 - 00:30:00
FW monitor's functionality for inspecting kernel traffic is explained, focusing on pre- and post-inbound/outbound tracking, which is distinct from the management server capabilities and useful for understanding traffic flow and routing issues on firewalls.
00:30:00 - 00:36:47
The session concludes with a demo on using Wireshark profiles for viewing and analyzing network captures. It covers practical steps for setting preferred configurations in Wireshark, using filters effectively for troubleshooting, and emphasizes leveraging various tools appropriately.

Mind Map

Häufig gestellte Fragen

Who was the presenter of the webinar?
Jason DuTrey was the presenter of the webinar.
What was the main topic discussed in the webinar?
The main topic was troubleshooting using network traffic analysis.
What are some tools mentioned for network traffic analysis?
Tools such as TCP dump, CPP cap, FW monitor, and WireShark were mentioned.
Can you access the recording of the webinar?
Yes, the webinar will be posted on the company's YouTube channel.
What is a common tool used in Linux for network traffic analysis?
TCP dump is a common tool used in Linux for network traffic analysis.
Is WireShark mentioned as a tool for network analysis?
Yes, WireShark is mentioned as a tool for network analysis.
What is the main advantage of using CPP Cap over TCP Dump?
CPP Cap is lighter weight with less CPU impact compared to TCP Dump.
What is FW monitor used for?
FW monitor is used for monitoring Kernel-level traffic specifically on firewalls.
How can profiles be managed in WireShark according to the webinar?
Profiles in WireShark can be created and exported or shared to ensure consistent setup across different machines.
What is a recommended way to handle extended captures using TCP Dump?
Using TCP dump to write to a pcap file for later analysis is recommended for handling extended captures.

Weitere Video-Zusammenfassungen anzeigen

Erhalten Sie sofortigen Zugang zu kostenlosen YouTube-Videozusammenfassungen, die von AI unterstützt werden!

Untertitel

Automatisches Blättern:

00:00:03
well hello everybody thank you for
00:00:04
joining today's tips and tricks webinar
00:00:07
today's topic as you can see is on
00:00:09
troubleshooting using network traffic uh
00:00:12
please use the Q&A chat you have any
00:00:14
questions during this webinar we'll make
00:00:15
sure we answer those our presenter today
00:00:18
is an SE from Pennsylvania Jason to Tre
00:00:22
Jason what do you have for us today yeah
00:00:25
thanks Rob and nice to meet you all here
00:00:28
virtually I Jason do TR like Rob said a
00:00:30
security engineer here in the Big East
00:00:32
I'm near Hershey Pennsylvania the
00:00:33
sweetest place on Earth very exciting
00:00:36
I've been with checkpoint here for a
00:00:37
couple years um I was a customer back in
00:00:39
the 7730 days and after that did some
00:00:42
digital forensics with network disc
00:00:45
stuff and some memory items and some
00:00:47
inant response and then I had a chance
00:00:48
to join checkpoint here so so here we
00:00:51
are um again today we'll be talking like
00:00:53
it says troubleshooting using network
00:00:56
traffic guess where we're going to start
00:00:58
here it's always good to know you're
00:01:00
doing the troubleshooting where to start
00:01:01
the troubleshooting because you're going
00:01:02
to be if you've been in it for a while
00:01:04
you understand that if something's not
00:01:06
powered on is quite different than if
00:01:08
somebody made a big huge configuration
00:01:09
change we're going to look at some of
00:01:11
the tools that you use for the network
00:01:12
traffic analysis and then how to
00:01:14
properly use those in the
00:01:16
troubleshooting but that biggest
00:01:18
question that always comes up again if
00:01:20
you've been in it you know that there's
00:01:22
no there's no flowchart like this there
00:01:24
is absolutely not a nice troubleshooting
00:01:26
button so you have to come up with
00:01:28
questions like when did it start
00:01:29
happening did it ever work because
00:01:30
that'll lead you down a different path
00:01:33
if something was something things was
00:01:35
installed and it never worked there big
00:01:37
difference then it's been running fine
00:01:39
for three years and yesterday it stopped
00:01:41
working you know what changed what else
00:01:42
isn't working that kind of thing is your
00:01:44
data center underwater for example so
00:01:47
it's good to know where to start and
00:01:49
where are we looking which is the second
00:01:51
kind of question if you're familiar with
00:01:53
the uh with this layer 1 through 7 The
00:01:55
OSI it's the open systems interconnected
00:01:57
model it's a general framework that
00:01:59
describes network communication from the
00:02:01
physical layer all the way up to the
00:02:02
application and back down if you've
00:02:04
never seen this it uh as your machine or
00:02:08
as your application as your device is
00:02:09
getting data it's hitting your physical
00:02:12
and it's going up and down up and down
00:02:13
zipping through these layers really fast
00:02:16
um but it depends on where you're doing
00:02:18
the troubleshooting is it plugged in
00:02:19
down a physical layer up to is your
00:02:21
application having a problem something's
00:02:23
wrong with your your coding that's you
00:02:25
know higher up in the chain there here's
00:02:28
the general idea of it if you've never
00:02:29
seen it again you've got your physical
00:02:31
Hardware through your through Ethernet
00:02:33
through the data ler data link layer up
00:02:35
to the fun stuff like the IPS and
00:02:37
protocol or IPS and ports and like
00:02:40
things like that and you get higher up
00:02:43
even with the firewall rules protocols
00:02:44
things like that then five six and seven
00:02:47
they get mashed together quite a bit and
00:02:48
we're definitely going to keep them
00:02:49
mashed together for this but it deals
00:02:52
with how your how the data is handed to
00:02:54
your application and what it does with
00:02:56
it how it presents it to the application
00:02:57
than what you're actually seeing on your
00:02:59
screen or your device
00:03:00
that kind of thing and again your data
00:03:02
goes up and down really fast and where
00:03:05
you want to start troubleshooting
00:03:06
depends on what you're seeing or not
00:03:07
seeing today we're going to primarily
00:03:10
focus on layer three Network we'll do a
00:03:13
little bit with Layer Two with the
00:03:14
ethernet side as well but good to know
00:03:16
where we're looking at in this whole
00:03:18
crazy OSI
00:03:20
stuff so what tools can we use for this
00:03:23
I mean there's there's a lot of a lot of
00:03:25
them out there but we're going to focus
00:03:26
on a couple today TCP dump being the big
00:03:29
one if you've done any kind of Linux
00:03:32
Network stuff in the past this is
00:03:33
everywhere andan you can run TCB dump on
00:03:36
any kind of device um it's again it's
00:03:40
built into every operating system in
00:03:41
Linux it's very easy to use it's
00:03:43
crossplatform you'll see it everywhere
00:03:46
but it tends to be a little bit CPU or
00:03:48
processor intense when it uh when you're
00:03:51
ripping through because it does a little
00:03:52
bit of protocol analysis it'll try to
00:03:53
guess what is this port 22 okay what is
00:03:56
this 443 okay this is has to be https
00:03:59
right it'll do a little bit of analysis
00:04:01
that way
00:04:02
but that's where checkpoint came in with
00:04:04
a CPP cap it's another command line tool
00:04:06
it's on checkpoint devices from 8040 and
00:04:09
up and in theory it's supposed to be
00:04:11
lighter weight less CPU impact so you
00:04:13
can run it a little more uh a little
00:04:16
more wild if you want um it's not going
00:04:18
to have as big of impact on your system
00:04:19
so if you're running some or doing some
00:04:21
Diagnostics on a firewall or something
00:04:23
that's running running pretty hot on the
00:04:25
the resources this might be a better
00:04:27
choice but we'll see the differences
00:04:29
here coming coming
00:04:30
up then you've got FW monitor which is
00:04:34
looks more at the cernal level so it's
00:04:36
you can only run it on firewalls it's
00:04:37
not on management servers and this will
00:04:39
give you visibility into the into the
00:04:41
kernel in the inspection chain so you'll
00:04:43
see some again we'll get to it but some
00:04:45
inbound outbound items on different
00:04:47
Nicks and things like
00:04:49
that and then of course we have wire
00:04:51
shark because you can't talk Network
00:04:53
stuff without talking W shark right if
00:04:55
you've done any kind of stuff you
00:04:57
probably run across wire shark it's a
00:04:58
nice gooey interface so you can see all
00:05:01
the all the data right in your right in
00:05:02
front of you oh it's very pretty get all
00:05:04
the different streams things like that
00:05:06
um again it has a lot of capabilities to
00:05:09
it so you can really dive into the uh
00:05:13
dive into what you're seeing in the
00:05:14
traffic and you can look at a different
00:05:15
angles it might help you come to
00:05:16
different conclusions based on what
00:05:18
you're trying to find but not what tools
00:05:21
can we used we should also figure out
00:05:22
what tools should you use because you
00:05:25
know the what's that phrase again the
00:05:27
not everything's a nail if you're a
00:05:28
hammer something like that whatever
00:05:30
great your Twi shark will be able to
00:05:32
capture that data but on your system but
00:05:34
maybe it's not the best thing because
00:05:36
it's also doing protocol analyzing and
00:05:38
parsing and things like that it'll
00:05:39
really spike your CPU on your running on
00:05:41
a server for example so if you can run
00:05:43
something like a TCP dump might be
00:05:45
better and if you're looking for traffic
00:05:48
on the Kernel something's lost trying to
00:05:49
figure out where is it FW monitor might
00:05:51
your better be your better
00:05:53
option you're looking at stuff on
00:05:55
physical Nicks TCB dump and CPP cap
00:05:58
fantastic that's where you're gonna want
00:05:59
to look
00:06:00
but if it gets into the more hey you're
00:06:02
missing traffic I'm trying to find it in
00:06:04
the smart console the firewall where's
00:06:07
this going where is it this might be a
00:06:09
excuse me another great tool to use um
00:06:12
if you're working with Tac and some of
00:06:13
the more in-depth investigations or
00:06:16
invest uh in-depth tickets they'll be
00:06:19
running FW monitor as well as different
00:06:21
um debugs so if they might be looking
00:06:23
for something going in and out of the
00:06:25
kernel but they'll also be doing a debug
00:06:26
on the same thing this really gets down
00:06:29
into the we needs which is
00:06:32
handy so first one we got here TP dump
00:06:35
this one does require expert actually
00:06:36
both of these require expert mode and
00:06:38
you can do the output in real time so if
00:06:40
you're just looking is my traffic
00:06:41
hitting this Nick or not oh great I see
00:06:43
it on my terminal fantastic you can also
00:06:46
save it and throw it into wire shark
00:06:47
later or for further analysis that type
00:06:49
of thing lot of different filters you
00:06:51
can use with TCB dump like BPF for
00:06:53
Berkeley packet
00:06:54
filters uh pretty slick but um on the
00:06:59
checkpoint
00:07:00
when you're running TCP dump DH for help
00:07:02
you're not going to this here what
00:07:04
you're seeing is not going to be overly
00:07:06
helpful to be honest it's uh it'll tell
00:07:09
you kind of what what you can do
00:07:12
personally and off the Record even
00:07:14
though this is being recorded I might
00:07:15
run a man TCB dump from a different
00:07:17
Linux distro or different operating
00:07:19
system somewhere because it will give
00:07:20
you a lot more information it'll show
00:07:23
you what the different commands or what
00:07:25
different switches you can use and then
00:07:26
where your why you might want to use
00:07:28
those it's it's very handy again or
00:07:30
Google stack Overflow always has a ton
00:07:32
of people trying to figure out an exact
00:07:34
you know scalpel type of filter they're
00:07:36
looking for a very specific traffic and
00:07:39
there's a lot of examples out there
00:07:40
definitely check those
00:07:42
out but some of the more useful options
00:07:44
that you have there um why W isn't first
00:07:48
but that's really the first one you want
00:07:49
to write it to a pcap file for later
00:07:51
analysis and later looking that's kind
00:07:52
of the the bread and butter there but
00:07:54
with TCP dump you're also able to use R
00:07:57
so you can read from a pcap file so if
00:07:58
you want to do some parsing if you had a
00:08:00
huge gig dump of a peac app well you
00:08:04
want to look for just specific host
00:08:06
destination Port protocol whatever you
00:08:08
can read from that pcap parse it out and
00:08:10
then write it to a different file kind
00:08:11
of carves it down a little bit very
00:08:14
handy uh tcbm will run against all of
00:08:17
your interfaces At Once by default which
00:08:19
is not something you want to do
00:08:20
especially on a production firewall
00:08:21
because that's going to be very CPU
00:08:23
intensive so you want to use the Dashi
00:08:25
which you can specify which interface to
00:08:26
capture it on that gets you a little
00:08:28
more little more Target there then and
00:08:31
is going to be a little more
00:08:32
controversial to me it's very important
00:08:34
for OPC um if you're capturing traffic
00:08:37
and you've got some traffic that's going
00:08:39
to I don't say
00:08:41
evil.com you don't want to be resolving
00:08:43
that because every time TCP dump does a
00:08:44
capture of it it tries resolve the name
00:08:46
and it's going to say hey what's this
00:08:47
evil.com evil.com if somebody's watching
00:08:49
evil.com they're going to see your
00:08:52
traffic hitting requesting their stuff
00:08:54
so it's for obsc don't run in um you'll
00:08:57
see again as we start looking at example
00:08:59
here that and having a domain name in
00:09:02
your p in your TP D output it's it kind
00:09:05
of muddies things up so I like the nend
00:09:06
because it cleans it up as well and you
00:09:08
can run
00:09:10
dhnn and TP dump is they love all sorts
00:09:14
of things like that so n is going to be
00:09:17
resolution for DNS names n n is going to
00:09:19
be resolving protocols so again we'll
00:09:23
show you in a second here but if you say
00:09:25
gosh I would love to see am I seeing SSH
00:09:27
traffic or am I seeing RDP traffic you
00:09:30
could see hey this is remote desktop
00:09:32
protocol
00:09:33
RDP for the eyes or when you're looking
00:09:36
through it it's nicer to see 3389 or 22
00:09:39
versus what TCB dump thinks is you know
00:09:42
what your protocol is there the last
00:09:44
handful there just going to be for if
00:09:45
you're rotating through P TCB dump if
00:09:47
you're running an extended capture on
00:09:49
something like that and you want to say
00:09:51
just just keep this running and keep
00:09:52
cycling it over if you see it I'll come
00:09:54
back to it tomorrow and look at it those
00:09:55
last ones are going to be for you and
00:09:57
that f is the whole the BPF the Berkeley
00:09:59
packet for filters if you have used
00:10:00
those in the past if you want to load
00:10:01
them into a TCB dump use the F
00:10:05
there some sample traffic um just
00:10:08
because you never I'm not going to try
00:10:09
to generate this in a in a timely
00:10:12
manner look at this top one here RP dump
00:10:15
dasi to specify eth2 and then I'm saying
00:10:18
hey don't again and don't resolve the
00:10:21
the name so you're not seeing the 888
00:10:22
resolving to Google makes it much
00:10:25
cleaner and of specifying my host and
00:10:27
host and icmp so so it's I say very very
00:10:32
English friendly um you can put those in
00:10:34
quotes if you like you'll see it in CPP
00:10:36
cap it's you need that there for the
00:10:38
different syntax there but if you jump
00:10:42
down to the second sample there the SSH
00:10:44
if you'll notice I move the N
00:10:47
over well it's r t speed up there n n i
00:10:51
so that's doing I'm not resolving Google
00:10:54
but I'm also not looking at the the
00:10:56
protocol so it's 22 you'll see 4.22 so
00:11:00
it's SSH traffic I'm just there a
00:11:01
communication between the virtual
00:11:02
machine and the not even sure what that
00:11:04
is firewall and it's it's not resolving
00:11:08
it all that fun stuff so it's easier to
00:11:10
see versus SSH you see the numbers I
00:11:12
don't maybe it's just my eyes but for me
00:11:14
that's a lot easier do what you want um
00:11:17
but you will notice on this one that
00:11:18
after the ntcp port 22 on the command
00:11:22
it's actually cut off a little bit the
00:11:24
the output comma whatever and it's
00:11:27
broken TC them I had a wider screen when
00:11:30
I was capturing that so if I shrink my
00:11:31
terminal down to a smaller screen it
00:11:33
does word wrap so it's harder to look at
00:11:36
maybe if you don't have a smaller screen
00:11:39
something you have to pay attention to
00:11:40
that okay this might not be something
00:11:42
you could just let your eyes rip down
00:11:43
because it's going to word wrap
00:11:45
especially when you throw a v in there
00:11:47
for verbos verbosity verbosity you're
00:11:50
going to start seeing some check some
00:11:51
stuff your different sequence numbers
00:11:54
things like that and it's going to word
00:11:55
wrap all over the place and you know
00:11:57
kind of looks like throw up on the
00:11:58
screen using a-w to write it out
00:12:01
somewhere or using a longer terminal is
00:12:02
going to be very
00:12:05
beneficial we jump on to CP cap again
00:12:09
with the- h for the help it's this is
00:12:12
much easier it tells you shows you
00:12:14
exactly what you're looking at much uh
00:12:16
yeah much easier to use there's a nice
00:12:18
SK there you 141 1412 it gives you you
00:12:21
some different examples some different
00:12:23
samples on how to use them but again
00:12:24
this Dash is going to get you in the
00:12:27
right direction anyway
00:12:30
and kind of using the same idea with the
00:12:32
Ping sample
00:12:34
here if you
00:12:36
notice my mistake wrong button this dasf
00:12:40
in our help file is your expression so
00:12:43
here you do have to specify CPP capap
00:12:45
with your interface great- f for your
00:12:47
filter it doesn't just if you throw the
00:12:50
filter on there it's just going to give
00:12:51
you a nice error um and again CPP cap
00:12:54
can run against all of your interfaces
00:12:56
not best practice but you can and so
00:12:58
here you're going to see hey in out in
00:13:01
out on eth to for that ping traffic
00:13:03
that's the the port of the virtual
00:13:04
firewall I had here but notice that it's
00:13:07
only showing you eth2 so it's going in
00:13:08
out in out in out whatever it's not
00:13:10
showing you the other ethernet port
00:13:12
that's actually going out to the
00:13:13
internet somewhere um just something to
00:13:15
know when you're
00:13:16
specifying hey I'm looking at interface
00:13:18
eth2 it's only going to show you eth2 so
00:13:21
if you're not seeing you're expecting to
00:13:22
see it coming from somewhere else or if
00:13:25
you're just something to pay attention
00:13:27
to there the bottom one the https sample
00:13:31
stuff again it's uh it word wraps it's
00:13:35
handy it's great but it yeah it gets
00:13:37
harder to see so so pay attention to
00:13:39
that as well again when you're using the
00:13:41
uh using these kind of commands this one
00:13:43
but you'll notice in the command it's
00:13:44
CPP c-i e to-
00:13:48
d-n which we look at our switches here
00:13:50
was verbos data link layer and verbos
00:13:52
network so you'll notice in this one
00:13:53
here you're seeing Mac addresses you're
00:13:55
seeing some other ether types it's a lot
00:13:58
more information but you can get more
00:13:59
granular with CPP cap saying I want to
00:14:02
see the this one specific thing versus a
00:14:04
TCP dump where it's give me verbose give
00:14:06
me foros Rose and so this might be a
00:14:09
little handier on that one but again if
00:14:10
you check out the SK it uh should get
00:14:12
you in the right
00:14:14
direction other one here FW
00:14:16
monitor like it says here it's Curel
00:14:19
traffic the inspection chain so you see
00:14:20
the some post inbound pre- outbound
00:14:22
things like that show you what those
00:14:24
look like in a second this is only on
00:14:25
your firewalls though you can't run this
00:14:27
on your management server or your random
00:14:29
Linux machine in your back closet there
00:14:31
this is just on your
00:14:33
firewalls uh the thing to pay attention
00:14:35
to here E versus f for your accelerat
00:14:39
non-accelerator traffic and what kind of
00:14:40
filter you might be looking
00:14:42
at uh again we'll show you what that
00:14:44
looks like and FW monitor is nice that
00:14:46
you can specify if you have virtual
00:14:48
systems on your machine you can on your
00:14:50
firewall you can specifically look for
00:14:51
traffic in those so it's not just
00:14:53
ethernet it's
00:14:55
kernel again this this SK here though
00:14:58
the CPP cap one is fantastic but this FW
00:15:00
monitor one is updated all the time
00:15:02
there's they're coming out with
00:15:03
different ways to manipulate it ways to
00:15:05
make it work better this uh this is
00:15:07
definitely one to to keep an eye
00:15:09
on want to give you a quick traffic flow
00:15:12
I actually borrowed this from Tim Hall
00:15:13
he's a trainer over at Shadow Peak he
00:15:15
doesn't some great classes if you're
00:15:17
ever so inclined to jump on those but
00:15:19
just want to show you how the traffic
00:15:20
flows from eth to eth again we'll just
00:15:23
use Z on1 for example here but we
00:15:25
looking at uh something off the wire did
00:15:28
something hit zero TCB dump and CPP cap
00:15:31
are are going to be your golden nuggets
00:15:33
there um you want to know if actually
00:15:35
got there if you have a switching
00:15:37
something's wrong Upstream
00:15:39
Downstream these are going to get you
00:15:41
that traffic they're going to see the
00:15:43
again the traffic at the ethernet port
00:15:45
running lid pcap it just essentially
00:15:47
makes a copy of the packet and just
00:15:49
hands it off oh here you go TCP dump
00:15:51
CPAP yep one for you one for you one for
00:15:53
you just keeps going um so it's very
00:15:55
handy for did this get there or
00:15:57
not we talk about the uh accelerated
00:16:01
traffic with using d e and DF with
00:16:04
secure Excel it's going to Fast Track
00:16:07
that trusted traffic so if you have
00:16:09
again my example earlier of the SSH
00:16:11
traffic my firewall can see oh yeah I
00:16:13
know this this is approved we're allowed
00:16:15
boom you're going to see the header go
00:16:16
through and everything but then
00:16:17
everything else is going to be zipping
00:16:18
over secure Excel if you're looking in
00:16:20
using- E you're not going to see it
00:16:22
you're going to see just oh here's the
00:16:24
sessions set up no big deal but you're
00:16:26
not going to you're going to miss all
00:16:27
the the rest of the data there
00:16:30
but then if you're again likewise if
00:16:32
you're looking just at at uh Dash f
00:16:35
using the for acceler traffic you won't
00:16:38
see all the uh all of it behind if it's
00:16:41
slow path so kind of depends on what
00:16:42
you're looking for something to pay
00:16:44
attention to you can always disable
00:16:45
secure Excel don't do that in production
00:16:48
that'll people will not be happy because
00:16:50
that's going to take your firewall and
00:16:51
send its resources through the roof
00:16:53
because I guess H traffic is well it's
00:16:56
designed to help your firewall run run
00:16:57
leaner
00:17:00
um when you're looking to the fire FW
00:17:03
monitor logs you're going to look our
00:17:05
main example here is going to be I I and
00:17:06
O and O So pre-bound post inbound and
00:17:09
pre- upbound post outbound so these eyes
00:17:12
but as again as that SK I'll show you in
00:17:14
a second what it was again but you also
00:17:16
see different things like D's and q's
00:17:18
for qos and decrypted traffic and
00:17:20
encrypted traffic things like that um it
00:17:23
really gets into the weeds but again
00:17:25
you'll see like on the left side here
00:17:28
we've got I and then the right side o as
00:17:31
the traffic is coming up into your
00:17:32
kernel and into your into your kernel
00:17:35
it's a pre- inbound post inbound and
00:17:36
then post outbound pre- up outbound so
00:17:40
you'll see different uh depending on
00:17:41
where an issue might rely might lie that
00:17:45
uh that'll help you help clue you in
00:17:46
anyway like you might be seeing just a
00:17:49
couple eyes but no O's and that could be
00:17:51
something with a routing issue maybe
00:17:52
Knack conf figurations things like that
00:17:54
to go look for um and again if you're
00:17:57
working with Tac on these kind of things
00:17:58
they'll probably be running an fwl
00:18:00
debug looking for different drops and
00:18:02
they should that should also help clue
00:18:04
you in but again that's kind of out of
00:18:06
the scope of network stuff but FW
00:18:08
monitor a lot of
00:18:11
craziness so just a quick quick example
00:18:14
of what this looks like you've got your
00:18:16
like at the very top I'm using F looking
00:18:19
for secure traffic but it looks like a
00:18:22
lot of craziness on here let's just kind
00:18:24
of break it down the first part here is
00:18:26
your filter check so if you fat finger
00:18:29
and mess up this syntax which is easy to
00:18:31
do unless you've done it a couple times
00:18:33
this will just error out it's not going
00:18:35
to capture it's not going to tell you oh
00:18:36
yeah I'm capturing and it's not it's
00:18:37
just going to say nope hey try again
00:18:40
buddy and the Syntax for this is it
00:18:41
looks complicated it's just Source IP
00:18:44
Source Port which is zero for any
00:18:46
destination port or destination IP
00:18:48
destination Port then protocol so six
00:18:49
being
00:18:50
TCP and if it likes that oh yeah you're
00:18:52
good to go then you'll monitor will
00:18:54
start and it'll tell you hey yeah great
00:18:56
we're kicking it off off we go if you're
00:18:58
doing well then it'll show you the
00:19:00
capture data at the bottom here if
00:19:01
you're writing this out to a file it'll
00:19:03
just show you packets underneath that
00:19:06
last pack there but again this SK that
00:19:10
30583 is definitely something to keep an
00:19:12
eye on um I'll just kind of cut this out
00:19:15
cut out some of the fat here just to let
00:19:17
you see what it looks like here but
00:19:18
again the command syntax with the fs
00:19:22
it's very simple and then and you'll
00:19:26
see well see if I can get my laser
00:19:29
pointer here to do the eyes and the I
00:19:32
and the o on different ethernet ports so
00:19:34
mightbe coming in E four hits my kernel
00:19:36
all the fun stuff and goes out on E
00:19:38
to just handy to know um I did a little
00:19:43
dump of this earlier so I saved as off
00:19:44
so we can look at it in wi shark here in
00:19:46
a minute but just using the O you just
00:19:47
slap it on the end and tell it where you
00:19:48
want to write off to and off you go
00:19:51
maybe it's not best practice to do home
00:19:52
admin but hey it's a lab why
00:19:56
not example using the E filter is a
00:19:58
little a little bit different so they
00:20:00
can't make it too easy so it's a
00:20:01
lowercase e and then you're going to
00:20:03
have to put this in quotes and you're
00:20:04
going to specify hosts and looking for
00:20:06
accepted
00:20:07
traffic um the output's going to be
00:20:09
similar as far as the I's and the O's
00:20:11
and things of that nature if you're
00:20:12
looking for that but it will give you
00:20:14
this nice warning right in the very
00:20:15
middle here hey using the E filter it's
00:20:17
not accelerated if you want to look for
00:20:18
Accelerated make sure you use the
00:20:20
dasf um if you're like me you'll just
00:20:23
ignore that part and trying to figure
00:20:25
out why you can't find the accelerated
00:20:26
traffic and remember oh yeah use the f
00:20:29
so and again the bottom stuff down here
00:20:32
is the exciting part of FW monitor
00:20:35
seeing the
00:20:37
interfaces so let's cross our fingers
00:20:39
and do some some demos with wire shark
00:20:42
all right because that's more fun that
00:20:45
way pull
00:20:47
up exactly what could go wrong in a live
00:20:50
demo right um I had a couple captures
00:20:54
here and if you've used wire shark in
00:20:55
the past you know this is it might be
00:20:58
something interesting might not be so by
00:21:00
default you have a default profile here
00:21:03
wi shark looks like somebody threw up on
00:21:05
the screen it's it it's convenient but
00:21:08
it's not user friendly out of the box
00:21:10
you'll see the number for how many
00:21:12
packets is receive how many packets are
00:21:14
captured um your time since the packet
00:21:16
started packet capture started Source
00:21:18
destination again it's best attempt at
00:21:20
protocol analysis oh this is TCP good
00:21:24
work all right 1. one Whatever fantastic
00:21:27
it'll give you the length of the packet
00:21:28
and some general information that it
00:21:30
thinks is
00:21:31
useful and you'll see the different
00:21:32
ethernet options ethernet ethernet IP
00:21:36
you know depending on what the protocol
00:21:38
is you'll see that information here if
00:21:40
it's HTTP you'll see that down there as
00:21:41
well and then on the right side you'll
00:21:43
get the hex for what you're actually
00:21:44
seeing so everything flies across the
00:21:47
network running hex which is
00:21:49
terrific you
00:21:53
can for example if you see hey there's
00:21:55
my source IP address it's going to be as
00:21:58
you click it's going to show up on the
00:21:59
right side hey c88 1368 that's the IP
00:22:02
address fantastic in HEX well hex is
00:22:05
going to convert that over to Binary and
00:22:07
that's where your numbers are so if
00:22:09
you're really looking for fun down this
00:22:11
way hey enjoy it's it's if it's fun to
00:22:14
figure out whatever might not be useful
00:22:16
for traffic analysis so we're going to
00:22:18
look at a different version here if I
00:22:21
throw in this one
00:22:24
here again it's going to look like
00:22:26
somebody threw up on the screen which
00:22:27
they did this just just a peap from a
00:22:29
Honeypot somewhere out there on the
00:22:30
internet
00:22:32
but using different profiles there's HTT
00:22:36
I again doing forensics I kind of had a
00:22:38
bunch of different ones but HTTP is one
00:22:39
that I always
00:22:41
enjoyed if it loads here there we go you
00:22:45
see this isn't a huge peap but wire
00:22:46
shark takes an extra second or two to oh
00:22:48
let me reconvert that stuff so if you're
00:22:50
running this on a live capture it can
00:22:51
start dropping packets because your
00:22:53
computer can't keep up that well but
00:22:56
again I like to keep in the number of
00:22:58
packets is fantastic but the bigger
00:23:00
thing is knowing hey when did this
00:23:02
happen what am I seeing for the time so
00:23:03
I change the time stamps over to the
00:23:05
real time was captured and the another
00:23:08
big thing is throwing source and
00:23:09
destination ports in there not resolving
00:23:11
them so oh 80 you this you know wi shark
00:23:15
could tell me that this is hdb traffic
00:23:16
but I want to know what give me the port
00:23:18
I want to know what kind of Port I'm
00:23:19
looking at here and then there's a whole
00:23:21
slew of other information that you can
00:23:23
throw into columns like servers user
00:23:24
agents things like that um I it just
00:23:27
makes it as you're looking through
00:23:30
through different
00:23:32
traffics bad example here but normally
00:23:35
you'll you'll see some stuff in there
00:23:36
I'll show you in a second
00:23:38
um and then from here again it's kind of
00:23:41
throw up on the screen and W shark might
00:23:44
not be your your go-to option for
00:23:47
because you're not going to be recording
00:23:48
with wi shark you're going to be
00:23:49
potentially throwing a peap into it
00:23:51
which is the best practice for it and
00:23:54
but if you throw it in here and you're
00:23:55
going to do some analysis there's a lot
00:23:57
of Statistics under here which are handy
00:24:00
youve got your HTTP
00:24:02
um like a request counter is here
00:24:07
requests oops not going to show me wrong
00:24:09
wrong screen give me one more second
00:24:10
rerun that again gota love the live demo
00:24:14
here
00:24:17
sequences grief come on pull it down
00:24:20
there we
00:24:21
go it'll show you the different IPS that
00:24:24
they're trying to hit the different uh
00:24:26
what what are they looking for that kind
00:24:27
of stuff
00:24:29
um it's and it can show
00:24:31
you well all sorts of random fun in here
00:24:35
like your end points um this one's going
00:24:38
to turn for just a second
00:24:40
but it's not actually endpoint but it's
00:24:42
it's talking Network endpoints so if
00:24:43
you're seeing traffic from come on you
00:24:46
can do it here there we
00:24:48
go I want a filter for what's the most
00:24:51
this is the honey pot that was running
00:24:53
out there but what's this 7910 okay it's
00:24:55
got a lot of traffic going to it more
00:24:57
than a lot of other things
00:24:59
you're seeing something specific and if
00:25:00
you're doing troubleshooting you want to
00:25:01
get from the ethernet level you'll
00:25:03
probably know what your Upstream
00:25:04
Downstream Mac addresses are and what
00:25:06
you're looking at and if something's
00:25:07
going to the wrong one if you didn't
00:25:09
find it using a different tool like CPP
00:25:11
cap TCB dump that type of thing this
00:25:13
will definitely show you hey you got a
00:25:15
lot of traffic involving these Macs
00:25:17
what's going on maybe you have a routing
00:25:18
issue something like that and from here
00:25:21
if you want to do you know more of an
00:25:22
investigation you can what's this IP
00:25:24
address and you can copy that and go
00:25:26
look for it and find out where that
00:25:28
where that's going and all the fun
00:25:30
things um the other handy thing on here
00:25:33
if you're looking for again specific
00:25:35
items but if I look for HTTP requests
00:25:38
HTTP I already typed it in so I'm going
00:25:40
to cheat but oh the request method is
00:25:42
get oh what are you looking at here what
00:25:44
what kind of get requests did this honey
00:25:46
pot see during this time you're seeing a
00:25:48
lot of random stuff
00:25:51
okay grant that I'm using this on a
00:25:53
little tiny screen for the sake of
00:25:55
viewing but
00:25:58
all these different gets okay well
00:26:00
they're somebody using a curl what are
00:26:02
they doing right click on that you can
00:26:03
follow the HTTP or TCP stream for this
00:26:06
doesn't really matter show you the
00:26:07
different Communications between the
00:26:08
client and the server once wik gets
00:26:11
button gear here we go okay great I've
00:26:14
got a host's my user agent curl so
00:26:15
somebody's running a curl against this
00:26:17
they could be spoofing that but whatever
00:26:19
here's what the the server told it
00:26:21
fantastic here's my generic stuff
00:26:24
nothing fancy and then it'll still show
00:26:26
you what the okay it's going to get it's
00:26:27
a 200 so it was allowed fantastic just
00:26:30
different ways to look at
00:26:32
that um lastly close this one here open
00:26:36
up the last thing to show you so using
00:26:39
that same profile of HTTP this is a dump
00:26:42
that I took from that I showed you in
00:26:43
the earlier in the example the FW
00:26:45
monitor
00:26:47
it's because it's looking at different
00:26:49
inspection points it's it's kind of
00:26:50
quadrupling at least quadrupling all the
00:26:52
different traffic so it's not going to
00:26:53
show you as much with
00:26:55
HTTP but if you set this up I call it
00:26:57
checkpoint because because hey we're
00:26:58
looking at checkpoint
00:27:00
stuff it'll show you this extra item
00:27:03
here cpf W you can just pick up this
00:27:05
information if you went to preferences
00:27:09
and might as well show you right under
00:27:12
protocols W shark and gu is kind of
00:27:15
small but W shark has all these
00:27:17
protocols that you could scroll until
00:27:19
your heart's content but there's one FW
00:27:22
for firewall if you didn't put that
00:27:24
together fw1 you want to make sure you
00:27:26
enable that and once you that restart
00:27:30
restart wi shark and then this little
00:27:32
handy dandy gu here will pop up and just
00:27:35
like anything down here you can add
00:27:38
this apply as a column and you will add
00:27:41
it to the top up here and you can
00:27:43
manipulate it how you like you can make
00:27:45
it look pretty whatever great if you
00:27:46
decide under this gosh I really want to
00:27:47
see the destination Port you can apply
00:27:49
as a column it'll throw up here too but
00:27:52
this just shows you again this is
00:27:54
traffic actually actually working so it
00:27:56
it's not going to be as exciting but
00:27:58
you're going to see that it came from
00:27:59
the 19 Network to the 14 Network on this
00:28:01
lab it went in eth4 okay great pre-
00:28:05
inbound post inbound and then it hit
00:28:07
ethernet 2 or hit the kernel said oh
00:28:09
yeah go ahead and send it out so eth two
00:28:11
on the way out and then out so it just
00:28:14
shows you the uh the steps in and out of
00:28:15
the kernel there as well so if you're
00:28:17
only seeing again if you're only seeing
00:28:18
eyes all where's it what's what's being
00:28:20
dropped do you have a rule set up in
00:28:21
place is there some implied rule
00:28:22
somewhere that's not allowing it
00:28:24
through if you can't find it there check
00:28:27
your net stuff things like that check
00:28:28
your routing there could be something
00:28:29
there and then if you really get into
00:28:31
the deep into the weeds you're going to
00:28:32
do some kind of debugging on the Kernel
00:28:33
itself to find out what's being dropped
00:28:36
and where is it being
00:28:38
dropped all right um believe yeah that's
00:28:43
about it we got that's all we got so
00:28:45
yeah In Sum we want to make sure you ask
00:28:46
the questions if you're what you're
00:28:48
somebody's asking you into
00:28:48
troubleshooting or what you're trying to
00:28:49
figure out did it ever work that kind of
00:28:51
thing is going to be a lot different
00:28:54
avenue than hey it stopped working 10
00:28:56
seconds ago um got to know where to
00:28:58
start and then use the right tool for
00:29:00
the job again if you're you might not
00:29:02
need to throw this all into wire shark
00:29:04
if you're just looking for is something
00:29:05
reaching my that certain Nick on my
00:29:07
firewall hey just run TCP down run cppb
00:29:10
cap and you'll see it either hitting or
00:29:12
not hitting and if it's not then you can
00:29:13
trouble shoot from there why is my
00:29:15
switch not sending it or what's wrong
00:29:16
with my router my Gateway that type of
00:29:18
thing um yes use the right tool for the
00:29:21
job
00:29:22
and and we're getting close to the end
00:29:24
of oh yeah we're already at 31 again my
00:29:26
name's Jason uh here's my email address
00:29:28
if anybody you know anything you want to
00:29:30
follow up with later feel free to shoot
00:29:32
me a message you want to talk packets I
00:29:33
love that love uh diving into these kind
00:29:35
of things so by all means you can reach
00:29:37
out
00:29:38
anytime all right Rob back to you I'm
00:29:41
gonna grab a drink of water here oh go
00:29:42
grab a drink you're like an Auctioneer
00:29:44
there Jason good job uh got some
00:29:46
questions for you here if you run back
00:29:48
to wire shark real quick I think you
00:29:50
showed this in another path but I just
00:29:52
wanted to share it John said he found
00:29:54
very helpful when you find a packet of
00:29:56
interest to click on analyze follow the
00:29:59
stream on the top menu there so what I
00:30:02
think is the yep you can follow the
00:30:04
stream you can uh you can click up there
00:30:06
or you can right click on the packet
00:30:08
itself yeah okay yep just wanted to
00:30:10
share that it's a bad example of that
00:30:11
one but yeah okay
00:30:14
um somebody asked do we get a recording
00:30:16
of This yes this will be this is
00:30:18
recorded will be posted on YouTube
00:30:20
channel and the link for that will be in
00:30:22
the follow-up
00:30:24
email uh let's
00:30:26
see no we got some more coming in here
00:30:29
uh John asked and I don't know if you're
00:30:31
going to know this one Jason years ago
00:30:33
there used to be a version of wire shark
00:30:35
specifically made for analyzing check
00:30:37
put output from TCP dump whatever
00:30:39
happened to that that sounds Vaguely
00:30:42
Familiar to me but I really don't
00:30:44
remember that Jason do you know anything
00:30:45
about that or any other checkpoint
00:30:48
people on the call here that sounds very
00:30:50
familiar to me I I know they used to
00:30:52
have something similar to it but i e
00:30:54
like white shirt came from was it
00:30:56
etheral back or however you want to say
00:30:58
it way back in the day but I thought
00:31:00
there was a different flavor of some
00:31:01
sort that was specifically for
00:31:03
checkpoint sound familiar from the 7730
00:31:05
days but I top of my head I don't know
00:31:07
but it's something I can definitely look
00:31:09
up and ask that question if you want
00:31:11
toil track that down it does sound
00:31:14
familiar though so yeah you're not crazy
00:31:16
John uh let's see here
00:31:23
uh sorry analyze possible capture oh is
00:31:27
it possible to take a capture and see
00:31:29
exactly what rule is being applied to
00:31:31
that
00:31:32
traffic so can capture look at the
00:31:35
policy rule number not that I'm aware of
00:31:39
but it's something to look at um I know
00:31:40
FWB monitor is only going to show you if
00:31:43
it's again on the wire so it's not doing
00:31:46
FW monitor itself isn't going to do the
00:31:47
Diagnostics or isn't going to tell you
00:31:49
what rule because it's only looking at
00:31:51
is it pre or postponing into the
00:31:52
different kernel things if it doesn't
00:31:55
get through that can lead you to look
00:31:56
into a specific rule
00:32:00
but yeah I mean if it's h in the policy
00:32:02
we should definitely have a uh a log
00:32:04
entry for it so you can get the rule
00:32:06
number from there but I don't know if
00:32:07
you can do it with the uh packet capture
00:32:10
again somebody please uh correct me if
00:32:12
I'm
00:32:13
wrong uh let's see other
00:32:18
questions are you sharing the slides
00:32:22
uh think we could share these right John
00:32:25
there's Jason there's nothing who
00:32:28
yeah of course I have no problem with
00:32:29
that yep yep
00:32:33
uh oh somebody said I guess this was the
00:32:36
checkpoint version this is back when
00:32:37
etheral wire shark was updated so often
00:32:39
so maybe that's when they had the
00:32:40
checkpoint
00:32:44
version does all wire shark come up with
00:32:46
the profile
00:32:49
checkpoint um the Prof no um it's
00:32:52
something that I had to create so when
00:32:53
you do a like here by default just has
00:32:57
one called default when you first
00:32:58
install check wi shark is going to say
00:33:00
oh here's a default profile great and
00:33:01
you can add like same with HTTP with
00:33:05
these different s columns I have on the
00:33:06
top of course now it's going to run slow
00:33:09
once I added these different destination
00:33:10
ports and format how I like you can save
00:33:12
the profile similar with the H the uh
00:33:15
the checkpoint here because by default
00:33:17
it doesn't like I showed it doesn't uh
00:33:20
actually capture the eyes and of course
00:33:23
this not the example for that but you
00:33:25
got on to your preferences here
00:33:26
protocols
00:33:28
down to
00:33:29
F W good grief a lot of protocols in
00:33:33
here you need to check this one here and
00:33:34
I'm not sure if you can see it too well
00:33:35
on the screen here but the top one's
00:33:37
saying show firewall One summary in
00:33:39
protocol tree Once you check that and
00:33:41
hit okay you have to restart wire shark
00:33:43
before it actually starts paying
00:33:44
attention to it then once you do it'll
00:33:47
have it in your frames or your output
00:33:50
over here and then you just need to
00:33:51
right click that and then apply as a
00:33:53
column and then it'll drop it up top
00:33:55
here I don't think it actually calls it
00:33:58
FW or cpf w i just because it just says
00:34:00
here's whatever you can rename you can
00:34:03
rename these you can do whatever you
00:34:04
want with them but once you're in there
00:34:05
then you can yeah leave it as a leave it
00:34:08
as a different column and if you can
00:34:10
save that save the profile and and then
00:34:12
you've got your default and you got your
00:34:15
checkpoint yeah whatever other ones you
00:34:17
out there but yep great um me
00:34:22
see uh is there a way to share the
00:34:25
profiles file
00:34:28
um yeah you can
00:34:30
do not sure if I could I could probably
00:34:32
figure yeah because i' I've changed them
00:34:33
between different machines instead of
00:34:34
recreating every time because that right
00:34:36
gets hairy so yeah you can definitely do
00:34:38
you export the profile I'd have to
00:34:40
remember exactly where that is here but
00:34:42
yeah you you can export it and if it's
00:34:44
something that they actually want I can
00:34:46
get you a copy of that too if I don't
00:34:48
have a problem with that there's nothing
00:34:49
proprietary in
00:34:51
it uh well John who asked the uh the wi
00:34:54
shark checkpoint question says he thinks
00:34:57
he found found it here etheral for
00:34:59
checkpoint CSP
00:35:04
community so I guess it is out there so
00:35:07
thank you John we'll go check that
00:35:10
out uh does Ethernet still have the fw-1
00:35:14
monitor
00:35:15
option doesn't ethernet still have the F
00:35:19
firewall one monitor
00:35:21
option does Ethernet have it um I'm not
00:35:25
following that one
00:35:28
I'm not sure either actually hey John we
00:35:31
should have you on one he
00:35:33
said John he's digging in on that uh
00:35:36
checkpoint wire shark he said it
00:35:38
actually decodes the output from FW
00:35:41
monitor yeah so sounds like something to
00:35:43
check out thank you for that John we
00:35:45
will check that
00:35:48
out this one doesn't have any typically
00:35:50
it won't have ethernet information in it
00:35:52
but it's right yeah all right I think we
00:35:56
covered it
00:35:58
some questions came in Fast and Furious
00:36:00
there so I apologize if I missed
00:36:02
something really if you guys feel free
00:36:04
to grab my email address or too if
00:36:06
something comes up that you think of
00:36:07
later on I could show the slides too but
00:36:09
if somebody says hey I got a quick
00:36:10
question feel free to shoot it over and
00:36:12
I can always do my best to help out
00:36:14
absolutely if we don't have the answer
00:36:16
we'll find it for you so thank you Jason
00:36:18
great
00:36:20
information um we will send out that
00:36:23
follow-up email I said with the
00:36:24
reference content the SK article Jason
00:36:26
mentioned and the recording link that'll
00:36:29
be up on our YouTube channel uh next
00:36:31
webinar will be in two weeks you will
00:36:33
see the invitation for that soon but
00:36:35
thanks again for joining we'll see you
00:36:37
here next time thank you Jason everyone
00:36:39
enjoy your day thanks for joining
00:36:41
everybody see you