Tips and Tricks 2024 #16 - Troubleshooting using Network Traffic

00:36:47
https://www.youtube.com/watch?v=LAQFitLHANE

Summary

TL;DR: The webinar, led by Jason DuTrey, Security Engineer at Check Point, focused on troubleshooting using network traffic. Jason began by emphasizing an understanding of the OSI model and identifying the starting point for troubleshooting, which differs significantly depending on whether something was never powered on or a major configuration change has just occurred. The session stressed knowing which tool to use, introducing tcpdump, cppcap, fw monitor and Wireshark. tcpdump, available on nearly every Linux system for capturing network traffic, allows detailed analysis but can be CPU intensive because it performs some protocol analysis of its own. cppcap, a Check Point specific tool, offers similar functionality with lighter CPU usage. fw monitor was explained as a tool for viewing traffic as it passes through the firewall's kernel inspection chain, available on firewalls only, not on management servers, and Wireshark as a powerful GUI-based tool for detailed packet analysis, though resource-intensive to run on a busy host. Throughout the webinar Jason demonstrated BPF filters, capturing on a specific interface, disabling name resolution (-n and -nn) both for readability and so that a capture never sends DNS lookups for suspicious domains, and the importance of understanding network interfaces and protocols while capturing and analyzing traffic.

Highlights

  • 👨‍💻 Jason DuTrey, a Check Point security engineer, is the presenter.
  • 🔍 The webinar focuses on network traffic troubleshooting.
  • 🛠️ tcpdump and cppcap are the core capture tools discussed.
  • 🌐 Understanding the OSI model is essential for deciding where to troubleshoot.
  • 🖥️ Wireshark is highlighted for GUI-based packet analysis.
  • ⚙️ fw monitor inspects traffic in the kernel inspection chain, on firewalls only.
  • 📊 Real-time output serves quick checks; writing to a pcap file serves extended captures.
  • 🚫 Disable name resolution (-n/-nn) during capture, for readability and for OPSEC.
  • 📈 Watch the CPU impact of capture tools on systems that are already busy.
  • 🔧 Tailored Wireshark profiles can be exported and shared for consistent analysis.

Timeline

  • 00:00:00 - 00:05:00

    The webinar introduces troubleshooting using network traffic: finding a starting point, distinguishing kinds of problems (something that never worked versus something that broke after a change), and knowing the analysis tools. Key questions are when the issue started, whether it ever worked and what changed; the OSI model's layers frame where to look.

  • 00:05:00 - 00:10:00

    Jason explains why understanding the OSI model matters for troubleshooting: issues can arise at any layer, from the physical layer up to the application. The session focuses on layer 3 (IP) with some layer 2 (Ethernet).

  • 00:10:00 - 00:15:00

    He introduces the tools: tcpdump, cppcap, fw monitor and Wireshark. tcpdump is available almost everywhere but can be CPU-intensive because it does some protocol analysis; Check Point's cppcap (R80.40 and later) is designed to be lighter; fw monitor gives visibility into the kernel inspection chain and runs only on firewalls.

  • 00:15:00 - 00:20:00

    Which tool to use depends on the question: tcpdump and cppcap are ideal for checking whether traffic reaches a physical NIC, fw monitor for following traffic through the kernel when it seems lost, and Wireshark for deeper analysis of a saved capture through its graphical interface, at the cost of CPU on the host that runs it.

  • 00:20:00 - 00:25:00

    Jason shows how to use tcpdump and cppcap: capture on a specific interface (-i) rather than on all of them, write to a pcap file (-w) and read one back to carve it down (-r), suppress name resolution (-n, and -nn for port numbers instead of service names) both for readability and so that a capture never sends DNS lookups for suspicious domains, and load saved BPF filters (-F). cppcap takes its filter with -f; its help output and sk141412 give worked examples.

  • 00:25:00 - 00:30:00

    fw monitor's role in inspecting traffic in the kernel inspection chain is explained: the pre-inbound, post-inbound, pre-outbound and post-outbound points (i, I, o, O), the -e versus -F switches for non-accelerated versus SecureXL-accelerated traffic, and the fact that it runs only on firewalls, not on management servers. Seeing inbound points but no outbound ones hints at routing or NAT issues.

  • 00:30:00 - 00:36:47

    The session concludes with a demo of Wireshark profiles for viewing and analyzing captures: setting preferred configurations, exporting or sharing profiles, using display filters effectively for troubleshooting, and choosing the right tool for each question.
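The tcpdump option discussion above (capture on one interface, write to pcap, and use -n/-nn so names are never resolved) is easiest to appreciate on actual terminal output. The following is an added example, not code from the webinar or from Check Point: a small Python parser that turns tcpdump text lines into per-flow packet counts, maps the service names that a -n (but not -nn) capture prints back to port numbers, and refuses lines where a capture run without -n has replaced addresses with resolved hostnames. The sample lines are constructed to look like tcpdump output on eth2, the service-name table is an assumption covering only a few /etc/services entries, and the matches() helper is a toy stand-in for a BPF host/port filter, not tcpdump's own.

```python
"""Parse tcpdump text output (as printed to a terminal with -n or -nn)
into per-flow packet counts, to answer "did this traffic hit this NIC?".

Added example, not from the webinar. The sample lines are constructed."""
import re
from collections import Counter

# tcpdump prints service names from /etc/services unless -nn is given.
# Assumption: only these few names are needed for the sample below.
SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443, "domain": 53,
                 "ms-wbt-server": 3389}

LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
# An IPv4 literal, optionally followed by ".port" or ".service-name".
ENDPOINT_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<port>[^\s.]+))?$")


def parse_endpoint(text):
    """Return (ip, port); port is None for port-less traffic such as ICMP.

    Raises ValueError when the endpoint is a resolved hostname, i.e. the
    capture was run without -n and the address is no longer recoverable."""
    m = ENDPOINT_RE.match(text)
    if not m:
        raise ValueError(f"resolved name, not an address: {text!r}")
    ip, port = m.group("ip"), m.group("port")
    if port is None:
        return ip, None
    if port.isdigit():             # -nn output: numeric port
        return ip, int(port)
    if port in SERVICE_PORTS:      # -n output: service name from /etc/services
        return ip, SERVICE_PORTS[port]
    raise ValueError(f"unknown service name {port!r}; re-capture with -nn")


def parse_line(line):
    """Return (proto, src_ip, src_port, dst_ip, dst_port), or None for lines
    that are not packet summaries (e.g. the 'listening on eth2' banner)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src_ip, src_port = parse_endpoint(m.group("src"))
    dst_ip, dst_port = parse_endpoint(m.group("dst"))
    rest = m.group("rest")
    if rest.startswith("ICMP"):
        proto = "icmp"
    elif rest.startswith("Flags ["):
        proto = "tcp"
    elif rest.startswith("UDP") or 53 in (src_port, dst_port):
        proto = "udp"              # tcpdump decodes DNS instead of printing "UDP"
    else:
        proto = "other"
    return (proto, src_ip, src_port, dst_ip, dst_port)


def summarize(lines):
    """Count packets per 5-tuple. Lines whose addresses were resolved to names
    are returned separately rather than silently dropped."""
    flows, unparsed = Counter(), []
    for line in lines:
        try:
            key = parse_line(line)
        except ValueError as exc:
            unparsed.append((line, str(exc)))
            continue
        if key is not None:
            flows[key] += 1
    return flows, unparsed


def matches(flow, host=None, port=None, proto=None):
    """Toy in-memory equivalent of a BPF 'host X and tcp port N' filter."""
    p, sip, sport, dip, dport = flow
    if host is not None and host not in (sip, dip):
        return False
    if port is not None and port not in (sport, dport):
        return False
    if proto is not None and p != proto:
        return False
    return True


# Constructed sample mixing what 'tcpdump -nni eth2', 'tcpdump -ni eth2' and a
# capture without -n would print (documentation addresses, not real hosts).
SAMPLE = """\
listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
10:00:01.000001 IP 192.0.2.10.51234 > 198.51.100.5.22: Flags [S], seq 1, win 64240, length 0
10:00:01.000200 IP 198.51.100.5.22 > 192.0.2.10.51234: Flags [S.], seq 0, ack 2, win 65160, length 0
10:00:01.000300 IP 192.0.2.10.51234 > 198.51.100.5.ssh: Flags [.], ack 1, win 502, length 0
10:00:02.000000 IP 192.0.2.10 > 8.8.8.8: ICMP echo request, id 7, seq 1, length 64
10:00:02.010000 IP 8.8.8.8 > 192.0.2.10: ICMP echo reply, id 7, seq 1, length 64
10:00:03.000000 IP 192.0.2.10.40000 > 203.0.113.9.ms-wbt-server: Flags [S], seq 5, win 64240, length 0
10:00:04.000000 IP client.example.net.40001 > dns.google.domain: 1234+ A? example.com. (29)
""".splitlines()


def flows_by_port(port, proto=None):
    """Flows in SAMPLE touching the given port, like 'tcpdump ... port N'."""
    flows, _ = summarize(SAMPLE)
    return {f: n for f, n in flows.items() if matches(f, port=port, proto=proto)}


if __name__ == "__main__":
    flows, unparsed = summarize(SAMPLE)
    for flow, n in sorted(flows.items(), key=lambda kv: -kv[1]):
        print(n, flow)
    for _line, why in unparsed:
        print("SKIPPED:", why)
```

The third SSH line, printed by a -n capture as `.ssh`, lands in the same flow as the two `.22` lines from a -nn capture, which is the readability point made in the talk; the last line, from a capture without -n, is reported as unparseable because the hostnames cannot be mapped back to addresses, and a real capture of that kind would also have sent DNS queries for those names while it ran.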



Video Q&A

  • Who was the presenter of the webinar?

    Jason DuTrey was the presenter of the webinar.

  • What was the main topic discussed in the webinar?

    The main topic was troubleshooting using network traffic analysis.

  • What are some tools mentioned for network traffic analysis?

    tcpdump, cppcap, fw monitor and Wireshark were mentioned.

  • Can you access the recording of the webinar?

    Yes, the webinar will be posted on the company's YouTube channel.

  • What is a common tool used in Linux for network traffic analysis?

    tcpdump is the common tool used on Linux for capturing network traffic.

  • Is WireShark mentioned as a tool for network analysis?

    Yes, WireShark is mentioned as a tool for network analysis.

  • What is the main advantage of using CPP Cap over TCP Dump?

    cppcap is lighter weight, with less CPU impact than tcpdump, so it is the better choice on a firewall that is already running hot.

  • What is FW monitor used for?

    fw monitor shows traffic as it passes through the firewall's kernel inspection chain (pre-/post-inbound and pre-/post-outbound points); it runs only on firewalls, not on management servers.

  • How can profiles be managed in WireShark according to the webinar?

    Profiles in Wireshark can be created and exported or shared to ensure a consistent setup across different machines.

  • What is a recommended way to handle extended captures using TCP Dump?

    Writing the capture to a pcap file with -w (rotating files for a long-running capture) and analyzing it later, for example in Wireshark, is recommended for extended captures.

Transcript (en)
  • 00:00:03
    well hello everybody thank you for
  • 00:00:04
    joining today's tips and tricks webinar
  • 00:00:07
    today's topic as you can see is on
  • 00:00:09
    troubleshooting using network traffic uh
  • 00:00:12
    please use the Q&A chat you have any
  • 00:00:14
    questions during this webinar we'll make
  • 00:00:15
    sure we answer those our presenter today
  • 00:00:18
    is an SE from Pennsylvania Jason to Tre
  • 00:00:22
    Jason what do you have for us today yeah
  • 00:00:25
    thanks Rob and nice to meet you all here
  • 00:00:28
    virtually I Jason do TR like Rob said a
  • 00:00:30
    security engineer here in the Big East
  • 00:00:32
    I'm near Hershey Pennsylvania the
  • 00:00:33
    sweetest place on Earth very exciting
  • 00:00:36
    I've been with checkpoint here for a
  • 00:00:37
    couple years um I was a customer back in
  • 00:00:39
    the 7730 days and after that did some
  • 00:00:42
    digital forensics with network disc
  • 00:00:45
    stuff and some memory items and some
  • 00:00:47
    inant response and then I had a chance
  • 00:00:48
    to join checkpoint here so so here we
  • 00:00:51
    are um again today we'll be talking like
  • 00:00:53
    it says troubleshooting using network
  • 00:00:56
    traffic guess where we're going to start
  • 00:00:58
    here it's always good to know you're
  • 00:01:00
    doing the troubleshooting where to start
  • 00:01:01
    the troubleshooting because you're going
  • 00:01:02
    to be if you've been in it for a while
  • 00:01:04
    you understand that if something's not
  • 00:01:06
    powered on is quite different than if
  • 00:01:08
    somebody made a big huge configuration
  • 00:01:09
    change we're going to look at some of
  • 00:01:11
    the tools that you use for the network
  • 00:01:12
    traffic analysis and then how to
  • 00:01:14
    properly use those in the
  • 00:01:16
    troubleshooting but that biggest
  • 00:01:18
    question that always comes up again if
  • 00:01:20
    you've been in it you know that there's
  • 00:01:22
    no there's no flowchart like this there
  • 00:01:24
    is absolutely not a nice troubleshooting
  • 00:01:26
    button so you have to come up with
  • 00:01:28
    questions like when did it start
  • 00:01:29
    happening did it ever work because
  • 00:01:30
    that'll lead you down a different path
  • 00:01:33
    if something was something things was
  • 00:01:35
    installed and it never worked there big
  • 00:01:37
    difference then it's been running fine
  • 00:01:39
    for three years and yesterday it stopped
  • 00:01:41
    working you know what changed what else
  • 00:01:42
    isn't working that kind of thing is your
  • 00:01:44
    data center underwater for example so
  • 00:01:47
    it's good to know where to start and
  • 00:01:49
    where are we looking which is the second
  • 00:01:51
    kind of question if you're familiar with
  • 00:01:53
    the uh with this layer 1 through 7 The
  • 00:01:55
    OSI it's the open systems interconnected
  • 00:01:57
    model it's a general framework that
  • 00:01:59
    describes network communication from the
  • 00:02:01
    physical layer all the way up to the
  • 00:02:02
    application and back down if you've
  • 00:02:04
    never seen this it uh as your machine or
  • 00:02:08
    as your application as your device is
  • 00:02:09
    getting data it's hitting your physical
  • 00:02:12
    and it's going up and down up and down
  • 00:02:13
    zipping through these layers really fast
  • 00:02:16
    um but it depends on where you're doing
  • 00:02:18
    the troubleshooting is it plugged in
  • 00:02:19
    down a physical layer up to is your
  • 00:02:21
    application having a problem something's
  • 00:02:23
    wrong with your your coding that's you
  • 00:02:25
    know higher up in the chain there here's
  • 00:02:28
    the general idea of it if you've never
  • 00:02:29
    seen it again you've got your physical
  • 00:02:31
    Hardware through your through Ethernet
  • 00:02:33
    through the data ler data link layer up
  • 00:02:35
    to the fun stuff like the IPS and
  • 00:02:37
    protocol or IPS and ports and like
  • 00:02:40
    things like that and you get higher up
  • 00:02:43
    even with the firewall rules protocols
  • 00:02:44
    things like that then five six and seven
  • 00:02:47
    they get mashed together quite a bit and
  • 00:02:48
    we're definitely going to keep them
  • 00:02:49
    mashed together for this but it deals
  • 00:02:52
    with how your how the data is handed to
  • 00:02:54
    your application and what it does with
  • 00:02:56
    it how it presents it to the application
  • 00:02:57
    than what you're actually seeing on your
  • 00:02:59
    screen or your device
  • 00:03:00
    that kind of thing and again your data
  • 00:03:02
    goes up and down really fast and where
  • 00:03:05
    you want to start troubleshooting
  • 00:03:06
    depends on what you're seeing or not
  • 00:03:07
    seeing today we're going to primarily
  • 00:03:10
    focus on layer three Network we'll do a
  • 00:03:13
    little bit with Layer Two with the
  • 00:03:14
    ethernet side as well but good to know
  • 00:03:16
    where we're looking at in this whole
  • 00:03:18
    crazy OSI
  • 00:03:20
    stuff so what tools can we use for this
  • 00:03:23
    I mean there's there's a lot of a lot of
  • 00:03:25
    them out there but we're going to focus
  • 00:03:26
    on a couple today TCP dump being the big
  • 00:03:29
    one if you've done any kind of Linux
  • 00:03:32
    Network stuff in the past this is
  • 00:03:33
    everywhere andan you can run TCB dump on
  • 00:03:36
    any kind of device um it's again it's
  • 00:03:40
    built into every operating system in
  • 00:03:41
    Linux it's very easy to use it's
  • 00:03:43
    crossplatform you'll see it everywhere
  • 00:03:46
    but it tends to be a little bit CPU or
  • 00:03:48
    processor intense when it uh when you're
  • 00:03:51
    ripping through because it does a little
  • 00:03:52
    bit of protocol analysis it'll try to
  • 00:03:53
    guess what is this port 22 okay what is
  • 00:03:56
    this 443 okay this is has to be https
  • 00:03:59
    right it'll do a little bit of analysis
  • 00:04:01
    that way
  • 00:04:02
    but that's where checkpoint came in with
  • 00:04:04
    a CPP cap it's another command line tool
  • 00:04:06
    it's on checkpoint devices from 8040 and
  • 00:04:09
    up and in theory it's supposed to be
  • 00:04:11
    lighter weight less CPU impact so you
  • 00:04:13
    can run it a little more uh a little
  • 00:04:16
    more wild if you want um it's not going
  • 00:04:18
    to have as big of impact on your system
  • 00:04:19
    so if you're running some or doing some
  • 00:04:21
    Diagnostics on a firewall or something
  • 00:04:23
    that's running running pretty hot on the
  • 00:04:25
    the resources this might be a better
  • 00:04:27
    choice but we'll see the differences
  • 00:04:29
    here coming coming
  • 00:04:30
    up then you've got FW monitor which is
  • 00:04:34
    looks more at the cernal level so it's
  • 00:04:36
    you can only run it on firewalls it's
  • 00:04:37
    not on management servers and this will
  • 00:04:39
    give you visibility into the into the
  • 00:04:41
    kernel in the inspection chain so you'll
  • 00:04:43
    see some again we'll get to it but some
  • 00:04:45
    inbound outbound items on different
  • 00:04:47
    Nicks and things like
  • 00:04:49
    that and then of course we have wire
  • 00:04:51
    shark because you can't talk Network
  • 00:04:53
    stuff without talking W shark right if
  • 00:04:55
    you've done any kind of stuff you
  • 00:04:57
    probably run across wire shark it's a
  • 00:04:58
    nice gooey interface so you can see all
  • 00:05:01
    the all the data right in your right in
  • 00:05:02
    front of you oh it's very pretty get all
  • 00:05:04
    the different streams things like that
  • 00:05:06
    um again it has a lot of capabilities to
  • 00:05:09
    it so you can really dive into the uh
  • 00:05:13
    dive into what you're seeing in the
  • 00:05:14
    traffic and you can look at a different
  • 00:05:15
    angles it might help you come to
  • 00:05:16
    different conclusions based on what
  • 00:05:18
    you're trying to find but not what tools
  • 00:05:21
    can we used we should also figure out
  • 00:05:22
    what tools should you use because you
  • 00:05:25
    know the what's that phrase again the
  • 00:05:27
    not everything's a nail if you're a
  • 00:05:28
    hammer something like that whatever
  • 00:05:30
    great your Twi shark will be able to
  • 00:05:32
    capture that data but on your system but
  • 00:05:34
    maybe it's not the best thing because
  • 00:05:36
    it's also doing protocol analyzing and
  • 00:05:38
    parsing and things like that it'll
  • 00:05:39
    really spike your CPU on your running on
  • 00:05:41
    a server for example so if you can run
  • 00:05:43
    something like a TCP dump might be
  • 00:05:45
    better and if you're looking for traffic
  • 00:05:48
    on the Kernel something's lost trying to
  • 00:05:49
    figure out where is it FW monitor might
  • 00:05:51
    your better be your better
  • 00:05:53
    option you're looking at stuff on
  • 00:05:55
    physical Nicks TCB dump and CPP cap
  • 00:05:58
    fantastic that's where you're gonna want
  • 00:05:59
    to look
  • 00:06:00
    but if it gets into the more hey you're
  • 00:06:02
    missing traffic I'm trying to find it in
  • 00:06:04
    the smart console the firewall where's
  • 00:06:07
    this going where is it this might be a
  • 00:06:09
    excuse me another great tool to use um
  • 00:06:12
    if you're working with Tac and some of
  • 00:06:13
    the more in-depth investigations or
  • 00:06:16
    invest uh in-depth tickets they'll be
  • 00:06:19
    running FW monitor as well as different
  • 00:06:21
    um debugs so if they might be looking
  • 00:06:23
    for something going in and out of the
  • 00:06:25
    kernel but they'll also be doing a debug
  • 00:06:26
    on the same thing this really gets down
  • 00:06:29
    into the we needs which is
  • 00:06:32
    handy so first one we got here TP dump
  • 00:06:35
    this one does require expert actually
  • 00:06:36
    both of these require expert mode and
  • 00:06:38
    you can do the output in real time so if
  • 00:06:40
    you're just looking is my traffic
  • 00:06:41
    hitting this Nick or not oh great I see
  • 00:06:43
    it on my terminal fantastic you can also
  • 00:06:46
    save it and throw it into wire shark
  • 00:06:47
    later or for further analysis that type
  • 00:06:49
    of thing lot of different filters you
  • 00:06:51
    can use with TCB dump like BPF for
  • 00:06:53
    Berkeley packet
  • 00:06:54
    filters uh pretty slick but um on the
  • 00:06:59
    checkpoint
  • 00:07:00
    when you're running TCP dump DH for help
  • 00:07:02
    you're not going to this here what
  • 00:07:04
    you're seeing is not going to be overly
  • 00:07:06
    helpful to be honest it's uh it'll tell
  • 00:07:09
    you kind of what what you can do
  • 00:07:12
    personally and off the Record even
  • 00:07:14
    though this is being recorded I might
  • 00:07:15
    run a man TCB dump from a different
  • 00:07:17
    Linux distro or different operating
  • 00:07:19
    system somewhere because it will give
  • 00:07:20
    you a lot more information it'll show
  • 00:07:23
    you what the different commands or what
  • 00:07:25
    different switches you can use and then
  • 00:07:26
    where your why you might want to use
  • 00:07:28
    those it's it's very handy again or
  • 00:07:30
    Google stack Overflow always has a ton
  • 00:07:32
    of people trying to figure out an exact
  • 00:07:34
    you know scalpel type of filter they're
  • 00:07:36
    looking for a very specific traffic and
  • 00:07:39
    there's a lot of examples out there
  • 00:07:40
    definitely check those
  • 00:07:42
    out but some of the more useful options
  • 00:07:44
    that you have there um why W isn't first
  • 00:07:48
    but that's really the first one you want
  • 00:07:49
    to write it to a pcap file for later
  • 00:07:51
    analysis and later looking that's kind
  • 00:07:52
    of the the bread and butter there but
  • 00:07:54
    with TCP dump you're also able to use R
  • 00:07:57
    so you can read from a pcap file so if
  • 00:07:58
    you want to do some parsing if you had a
  • 00:08:00
    huge gig dump of a peac app well you
  • 00:08:04
    want to look for just specific host
  • 00:08:06
    destination Port protocol whatever you
  • 00:08:08
    can read from that pcap parse it out and
  • 00:08:10
    then write it to a different file kind
  • 00:08:11
    of carves it down a little bit very
  • 00:08:14
    handy uh tcbm will run against all of
  • 00:08:17
    your interfaces At Once by default which
  • 00:08:19
    is not something you want to do
  • 00:08:20
    especially on a production firewall
  • 00:08:21
    because that's going to be very CPU
  • 00:08:23
    intensive so you want to use the Dashi
  • 00:08:25
    which you can specify which interface to
  • 00:08:26
    capture it on that gets you a little
  • 00:08:28
    more little more Target there then and
  • 00:08:31
    is going to be a little more
  • 00:08:32
    controversial to me it's very important
  • 00:08:34
    for OPC um if you're capturing traffic
  • 00:08:37
    and you've got some traffic that's going
  • 00:08:39
    to I don't say
  • 00:08:41
    evil.com you don't want to be resolving
  • 00:08:43
    that because every time TCP dump does a
  • 00:08:44
    capture of it it tries resolve the name
  • 00:08:46
    and it's going to say hey what's this
  • 00:08:47
    evil.com evil.com if somebody's watching
  • 00:08:49
    evil.com they're going to see your
  • 00:08:52
    traffic hitting requesting their stuff
  • 00:08:54
    so it's for obsc don't run in um you'll
  • 00:08:57
    see again as we start looking at example
  • 00:08:59
    here that and having a domain name in
  • 00:09:02
    your p in your TP D output it's it kind
  • 00:09:05
    of muddies things up so I like the nend
  • 00:09:06
    because it cleans it up as well and you
  • 00:09:08
    can run
  • 00:09:10
    dhnn and TP dump is they love all sorts
  • 00:09:14
    of things like that so n is going to be
  • 00:09:17
    resolution for DNS names n n is going to
  • 00:09:19
    be resolving protocols so again we'll
  • 00:09:23
    show you in a second here but if you say
  • 00:09:25
    gosh I would love to see am I seeing SSH
  • 00:09:27
    traffic or am I seeing RDP traffic you
  • 00:09:30
    could see hey this is remote desktop
  • 00:09:32
    protocol
  • 00:09:33
    RDP for the eyes or when you're looking
  • 00:09:36
    through it it's nicer to see 3389 or 22
  • 00:09:39
    versus what TCB dump thinks is you know
  • 00:09:42
    what your protocol is there the last
  • 00:09:44
    handful there just going to be for if
  • 00:09:45
    you're rotating through P TCB dump if
  • 00:09:47
    you're running an extended capture on
  • 00:09:49
    something like that and you want to say
  • 00:09:51
    just just keep this running and keep
  • 00:09:52
    cycling it over if you see it I'll come
  • 00:09:54
    back to it tomorrow and look at it those
  • 00:09:55
    last ones are going to be for you and
  • 00:09:57
    that f is the whole the BPF the Berkeley
  • 00:09:59
    packet for filters if you have used
  • 00:10:00
    those in the past if you want to load
  • 00:10:01
    them into a TCB dump use the F
  • 00:10:05
    there some sample traffic um just
  • 00:10:08
    because you never I'm not going to try
  • 00:10:09
    to generate this in a in a timely
  • 00:10:12
    manner look at this top one here RP dump
  • 00:10:15
    dasi to specify eth2 and then I'm saying
  • 00:10:18
    hey don't again and don't resolve the
  • 00:10:21
    the name so you're not seeing the 888
  • 00:10:22
    resolving to Google makes it much
  • 00:10:25
    cleaner and of specifying my host and
  • 00:10:27
    host and icmp so so it's I say very very
  • 00:10:32
    English friendly um you can put those in
  • 00:10:34
    quotes if you like you'll see it in CPP
  • 00:10:36
    cap it's you need that there for the
  • 00:10:38
    different syntax there but if you jump
  • 00:10:42
    down to the second sample there the SSH
  • 00:10:44
    if you'll notice I move the N
  • 00:10:47
    over well it's r t speed up there n n i
  • 00:10:51
    so that's doing I'm not resolving Google
  • 00:10:54
    but I'm also not looking at the the
  • 00:10:56
    protocol so it's 22 you'll see 4.22 so
  • 00:11:00
    it's SSH traffic I'm just there a
  • 00:11:01
    communication between the virtual
  • 00:11:02
    machine and the not even sure what that
  • 00:11:04
    is firewall and it's it's not resolving
  • 00:11:08
    it all that fun stuff so it's easier to
  • 00:11:10
    see versus SSH you see the numbers I
  • 00:11:12
    don't maybe it's just my eyes but for me
  • 00:11:14
    that's a lot easier do what you want um
  • 00:11:17
    but you will notice on this one that
  • 00:11:18
    after the ntcp port 22 on the command
  • 00:11:22
    it's actually cut off a little bit the
  • 00:11:24
    the output comma whatever and it's
  • 00:11:27
    broken TC them I had a wider screen when
  • 00:11:30
    I was capturing that so if I shrink my
  • 00:11:31
    terminal down to a smaller screen it
  • 00:11:33
    does word wrap so it's harder to look at
  • 00:11:36
    maybe if you don't have a smaller screen
  • 00:11:39
    something you have to pay attention to
  • 00:11:40
    that okay this might not be something
  • 00:11:42
    you could just let your eyes rip down
  • 00:11:43
    because it's going to word wrap
  • 00:11:45
    especially when you throw a v in there
  • 00:11:47
    for verbos verbosity verbosity you're
  • 00:11:50
    going to start seeing some check some
  • 00:11:51
    stuff your different sequence numbers
  • 00:11:54
    things like that and it's going to word
  • 00:11:55
    wrap all over the place and you know
  • 00:11:57
    kind of looks like throw up on the
  • 00:11:58
    screen using a-w to write it out
  • 00:12:01
    somewhere or using a longer terminal is
  • 00:12:02
    going to be very
  • 00:12:05
    beneficial we jump on to CP cap again
  • 00:12:09
    with the- h for the help it's this is
  • 00:12:12
    much easier it tells you shows you
  • 00:12:14
    exactly what you're looking at much uh
  • 00:12:16
    yeah much easier to use there's a nice
  • 00:12:18
    SK there you 141 1412 it gives you you
  • 00:12:21
    some different examples some different
  • 00:12:23
    samples on how to use them but again
  • 00:12:24
    this Dash is going to get you in the
  • 00:12:27
    right direction anyway
  • 00:12:30
    and kind of using the same idea with the
  • 00:12:32
    Ping sample
  • 00:12:34
    here if you
  • 00:12:36
    notice my mistake wrong button this dasf
  • 00:12:40
    in our help file is your expression so
  • 00:12:43
    here you do have to specify CPP capap
  • 00:12:45
    with your interface great- f for your
  • 00:12:47
    filter it doesn't just if you throw the
  • 00:12:50
    filter on there it's just going to give
  • 00:12:51
    you a nice error um and again CPP cap
  • 00:12:54
    can run against all of your interfaces
  • 00:12:56
    not best practice but you can and so
  • 00:12:58
    here you're going to see hey in out in
  • 00:13:01
    out on eth to for that ping traffic
  • 00:13:03
    that's the the port of the virtual
  • 00:13:04
    firewall I had here but notice that it's
  • 00:13:07
    only showing you eth2 so it's going in
  • 00:13:08
    out in out in out whatever it's not
  • 00:13:10
    showing you the other ethernet port
  • 00:13:12
    that's actually going out to the
  • 00:13:13
    internet somewhere um just something to
  • 00:13:15
    know when you're
  • 00:13:16
    specifying hey I'm looking at interface
  • 00:13:18
    eth2 it's only going to show you eth2 so
  • 00:13:21
    if you're not seeing you're expecting to
  • 00:13:22
    see it coming from somewhere else or if
  • 00:13:25
    you're just something to pay attention
  • 00:13:27
    to there the bottom one the https sample
  • 00:13:31
    stuff again it's uh it word wraps it's
  • 00:13:35
    handy it's great but it yeah it gets
  • 00:13:37
    harder to see so so pay attention to
  • 00:13:39
    that as well again when you're using the
  • 00:13:41
    uh using these kind of commands this one
  • 00:13:43
    but you'll notice in the command it's
  • 00:13:44
    CPP c-i e to-
  • 00:13:48
    d-n which we look at our switches here
  • 00:13:50
    was verbos data link layer and verbos
  • 00:13:52
    network so you'll notice in this one
  • 00:13:53
    here you're seeing Mac addresses you're
  • 00:13:55
    seeing some other ether types it's a lot
  • 00:13:58
    more information but you can get more
  • 00:13:59
    granular with CPP cap saying I want to
  • 00:14:02
    see the this one specific thing versus a
  • 00:14:04
    TCP dump where it's give me verbose give
  • 00:14:06
    me foros Rose and so this might be a
  • 00:14:09
    little handier on that one but again if
  • 00:14:10
    you check out the SK it uh should get
  • 00:14:12
    you in the right
  • 00:14:14
    direction other one here FW
  • 00:14:16
    monitor like it says here it's Curel
  • 00:14:19
    traffic the inspection chain so you see
  • 00:14:20
    the some post inbound pre- outbound
  • 00:14:22
    things like that show you what those
  • 00:14:24
    look like in a second this is only on
  • 00:14:25
    your firewalls though you can't run this
  • 00:14:27
    on your management server or your random
  • 00:14:29
    Linux machine in your back closet there
  • 00:14:31
    this is just on your
  • 00:14:33
    firewalls uh the thing to pay attention
  • 00:14:35
    to here E versus f for your accelerat
  • 00:14:39
    non-accelerator traffic and what kind of
  • 00:14:40
    filter you might be looking
  • 00:14:42
    at uh again we'll show you what that
  • 00:14:44
    looks like and FW monitor is nice that
  • 00:14:46
    you can specify if you have virtual
  • 00:14:48
    systems on your machine you can on your
  • 00:14:50
    firewall you can specifically look for
  • 00:14:51
    traffic in those so it's not just
  • 00:14:53
    ethernet it's
  • 00:14:55
    kernel again this this SK here though
  • 00:14:58
    the CPP cap one is fantastic but this FW
  • 00:15:00
    monitor one is updated all the time
  • 00:15:02
    there's they're coming out with
  • 00:15:03
    different ways to manipulate it ways to
  • 00:15:05
    make it work better this uh this is
  • 00:15:07
    definitely one to to keep an eye
  • 00:15:09
    on want to give you a quick traffic flow
  • 00:15:12
    I actually borrowed this from Tim Hall
  • 00:15:13
    he's a trainer over at Shadow Peak he
  • 00:15:15
    doesn't some great classes if you're
  • 00:15:17
    ever so inclined to jump on those but
  • 00:15:19
    just want to show you how the traffic
  • 00:15:20
    flows from eth to eth again we'll just
  • 00:15:23
    use Z on1 for example here but we
  • 00:15:25
    looking at uh something off the wire did
  • 00:15:28
    something hit zero TCB dump and CPP cap
  • 00:15:31
    are are going to be your golden nuggets
  • 00:15:33
    there um you want to know if actually
  • 00:15:35
    got there if you have a switching
  • 00:15:37
    something's wrong Upstream
  • 00:15:39
    Downstream these are going to get you
  • 00:15:41
    that traffic they're going to see the
  • 00:15:43
    again the traffic at the ethernet port
  • 00:15:45
    running lid pcap it just essentially
  • 00:15:47
    makes a copy of the packet and just
  • 00:15:49
    hands it off oh here you go TCP dump
  • 00:15:51
    CPAP yep one for you one for you one for
  • 00:15:53
    you just keeps going um so it's very
  • 00:15:55
    handy for did this get there or
  • 00:15:57
    not we talk about the uh accelerated
  • 00:16:01
    traffic with using d e and DF with
  • 00:16:04
    secure Excel it's going to Fast Track
  • 00:16:07
    that trusted traffic so if you have
  • 00:16:09
    again my example earlier of the SSH
  • 00:16:11
    traffic my firewall can see oh yeah I
  • 00:16:13
    know this this is approved we're allowed
  • 00:16:15
    boom you're going to see the header go
  • 00:16:16
    through and everything but then
  • 00:16:17
    everything else is going to be zipping
  • 00:16:18
    over secure Excel if you're looking in
  • 00:16:20
    using- E you're not going to see it
  • 00:16:22
    you're going to see just oh here's the
  • 00:16:24
    sessions set up no big deal but you're
  • 00:16:26
    not going to you're going to miss all
  • 00:16:27
    the the rest of the data there
  • 00:16:30
    but then if you're again likewise if
  • 00:16:32
    you're looking just at at uh Dash f
  • 00:16:35
    using the for acceler traffic you won't
  • 00:16:38
    see all the uh all of it behind if it's
  • 00:16:41
    slow path so kind of depends on what
  • 00:16:42
    you're looking for something to pay
  • 00:16:44
    attention to you can always disable
  • 00:16:45
    secure Excel don't do that in production
  • 00:16:48
    that'll people will not be happy because
  • 00:16:50
    that's going to take your firewall and
  • 00:16:51
    send its resources through the roof
  • 00:16:53
    because I guess H traffic is well it's
  • 00:16:56
    designed to help your firewall run run
  • 00:16:57
    leaner
  • 00:17:00
    um when you're looking at the fw
  • 00:17:03
    monitor logs you're going to look our
  • 00:17:05
    main example here is going to be i I and
  • 00:17:06
    o and O so pre-inbound post-inbound and
  • 00:17:09
    pre-outbound post-outbound so these i's
  • 00:17:12
    but as again as that SK I'll show you in
  • 00:17:14
    a second what it was again but you also
  • 00:17:16
    see different things like d's and q's
  • 00:17:18
    for QoS and decrypted traffic and
  • 00:17:20
    encrypted traffic things like that um it
  • 00:17:23
    really gets into the weeds but again
  • 00:17:25
    you'll see like on the left side here
  • 00:17:28
    we've got I and then the right side o as
  • 00:17:31
    the traffic is coming up into your
  • 00:17:32
    kernel and into your into your kernel
  • 00:17:35
    it's a pre-inbound post-inbound and
  • 00:17:36
    then post-outbound pre-outbound so
  • 00:17:40
    you'll see different uh depending on
  • 00:17:41
    where an issue might rely might lie that
  • 00:17:45
    uh that'll help you help clue you in
  • 00:17:46
    anyway like you might be seeing just a
  • 00:17:49
    couple i's but no o's and that could be
  • 00:17:51
    something with a routing issue maybe
  • 00:17:52
    NAT configurations things like that
  • 00:17:54
    to go look for um and again if you're
  • 00:17:57
    working with TAC on these kind of things
  • 00:17:58
    they'll probably be running an fw
  • 00:18:00
    debug looking for different drops and
  • 00:18:02
    they should that should also help clue
  • 00:18:04
    you in but again that's kind of out of
  • 00:18:06
    the scope of network stuff but FW
  • 00:18:08
    monitor a lot of
  • 00:18:11
    craziness so just a quick quick example
  • 00:18:14
    of what this looks like you've got your
  • 00:18:16
    like at the very top I'm using -F looking
  • 00:18:19
    for SecureXL traffic but it looks like a
  • 00:18:22
    lot of craziness on here let's just kind
  • 00:18:24
    of break it down the first part here is
  • 00:18:26
    your filter check so if you fat finger
  • 00:18:29
    and mess up this syntax which is easy to
  • 00:18:31
    do unless you've done it a couple times
  • 00:18:33
    this will just error out it's not going
  • 00:18:35
    to capture it's not going to tell you oh
  • 00:18:36
    yeah I'm capturing and it's not it's
  • 00:18:37
    just going to say nope hey try again
  • 00:18:40
    buddy and the syntax for this is it
  • 00:18:41
    looks complicated it's just Source IP
  • 00:18:44
    Source Port which is zero for any
  • 00:18:46
    destination port or destination IP
  • 00:18:48
    destination Port then protocol so six
  • 00:18:49
    being
  • 00:18:50
    TCP and if it likes that oh yeah you're
  • 00:18:52
    good to go then fw monitor will
  • 00:18:54
    start and it'll tell you hey yeah great
  • 00:18:56
    we're kicking it off off we go if you're
  • 00:18:58
    doing well then it'll show you the
  • 00:19:00
    capture data at the bottom here if
  • 00:19:01
    you're writing this out to a file it'll
  • 00:19:03
    just show you packets underneath that
  • 00:19:06
    last packet there but again this SK that
  • 00:19:10
    sk30583 is definitely something to keep an
  • 00:19:12
    eye on um I'll just kind of cut this out
  • 00:19:15
    cut out some of the fat here just to let
  • 00:19:17
    you see what it looks like here but
  • 00:19:18
    again the command syntax with the -F
  • 00:19:22
    it's very simple and then and you'll
  • 00:19:26
    see well see if I can get my laser
  • 00:19:29
    pointer here to do the i's and the I
  • 00:19:32
    and the o on different ethernet ports so
  • 00:19:34
    might be coming in eth4 hits my kernel
  • 00:19:36
    all the fun stuff and goes out on eth2
  • 00:19:38
    just handy to know um I did a little
  • 00:19:43
    dump of this earlier so I saved it off
  • 00:19:44
    so we can look at it in Wireshark here in
  • 00:19:46
    a minute but just using the -o you just
  • 00:19:47
    slap it on the end and tell it where you
  • 00:19:48
    want to write off to and off you go
  • 00:19:51
    maybe it's not best practice to do /home/admin
  • 00:19:52
    but hey it's a lab why
  • 00:19:56
    not example using the -e filter is a
  • 00:19:58
    little a little bit different so they
  • 00:20:00
    can't make it too easy so it's a
  • 00:20:01
    lowercase e and then you're going to
  • 00:20:03
    have to put this in quotes and you're
  • 00:20:04
    going to specify hosts and looking for
  • 00:20:06
    accepted
  • 00:20:07
    traffic um the output's going to be
  • 00:20:09
    similar as far as the I's and the O's
  • 00:20:11
    and things of that nature if you're
  • 00:20:12
    looking for that but it will give you
  • 00:20:14
    this nice warning right in the very
  • 00:20:15
    middle here hey using the -e filter it's
  • 00:20:17
    not accelerated if you want to look for
  • 00:20:18
    accelerated make sure you use the
  • 00:20:20
    -F um if you're like me you'll just
  • 00:20:23
    ignore that part and trying to figure
  • 00:20:25
    out why you can't find the accelerated
  • 00:20:26
    traffic and remember oh yeah use -F
  • 00:20:29
    so and again the bottom stuff down here
  • 00:20:32
    is the exciting part of FW monitor
  • 00:20:35
    seeing the
  • 00:20:37
    interfaces so let's cross our fingers
  • 00:20:39
    and do some some demos with Wireshark
  • 00:20:42
    all right because that's more fun that
  • 00:20:45
    way pull
  • 00:20:47
    up exactly what could go wrong in a live
  • 00:20:50
    demo right um I had a couple captures
  • 00:20:54
    here and if you've used Wireshark in
  • 00:20:55
    the past you know this is it might be
  • 00:20:58
    something interesting might not be so by
  • 00:21:00
    default you have a default profile here
  • 00:21:03
    Wireshark looks like somebody threw up on
  • 00:21:05
    the screen it's it it's convenient but
  • 00:21:08
    it's not user friendly out of the box
  • 00:21:10
    you'll see the number for how many
  • 00:21:12
    packets is receive how many packets are
  • 00:21:14
    captured um your time since the packet
  • 00:21:16
    started packet capture started Source
  • 00:21:18
    destination again it's best attempt at
  • 00:21:20
    protocol analysis oh this is TCP good
  • 00:21:24
    work all right 1.1 whatever fantastic
  • 00:21:27
    it'll give you the length of the packet
  • 00:21:28
    and some general information that it
  • 00:21:30
    thinks is
  • 00:21:31
    useful and you'll see the different
  • 00:21:32
    ethernet options ethernet ethernet IP
  • 00:21:36
    you know depending on what the protocol
  • 00:21:38
    is you'll see that information here if
  • 00:21:40
    it's HTTP you'll see that down there as
  • 00:21:41
    well and then on the right side you'll
  • 00:21:43
    get the hex for what you're actually
  • 00:21:44
    seeing so everything flies across the
  • 00:21:47
    network running hex which is
  • 00:21:49
    terrific you
  • 00:21:53
    can for example if you see hey there's
  • 00:21:55
    my source IP address it's going to be as
  • 00:21:58
    you click it's going to show up on the
  • 00:21:59
    right side hey c88 1368 that's the IP
  • 00:22:02
    address fantastic in hex well hex is
  • 00:22:05
    going to convert that over to binary and
  • 00:22:07
    that's where your numbers are so if
  • 00:22:09
    you're really looking for fun down this
  • 00:22:11
    way hey enjoy it's it's if it's fun to
  • 00:22:14
    figure out whatever might not be useful
  • 00:22:16
    for traffic analysis so we're going to
  • 00:22:18
    look at a different version here if I
  • 00:22:21
    throw in this one
  • 00:22:24
    here again it's going to look like
  • 00:22:26
    somebody threw up on the screen which
  • 00:22:27
    they did this just just a pcap from a
  • 00:22:29
    Honeypot somewhere out there on the
  • 00:22:30
    internet
  • 00:22:32
    but using different profiles there's HTTP
  • 00:22:36
    I again doing forensics I kind of had a
  • 00:22:38
    bunch of different ones but HTTP is one
  • 00:22:39
    that I always
  • 00:22:41
    enjoyed if it loads here there we go you
  • 00:22:45
    see this isn't a huge pcap but Wireshark
  • 00:22:46
    takes an extra second or two to oh
  • 00:22:48
    let me reconvert that stuff so if you're
  • 00:22:50
    running this on a live capture it can
  • 00:22:51
    start dropping packets because your
  • 00:22:53
    computer can't keep up that well but
  • 00:22:56
    again I like to keep in the number of
  • 00:22:58
    packets is fantastic but the bigger
  • 00:23:00
    thing is knowing hey when did this
  • 00:23:02
    happen what am I seeing for the time so
  • 00:23:03
    I change the time stamps over to the
  • 00:23:05
    real time was captured and the another
  • 00:23:08
    big thing is throwing source and
  • 00:23:09
    destination ports in there not resolving
  • 00:23:11
    them so oh 80 you this you know Wireshark
  • 00:23:15
    could tell me that this is HTTP traffic
  • 00:23:16
    but I want to know what give me the port
  • 00:23:18
    I want to know what kind of Port I'm
  • 00:23:19
    looking at here and then there's a whole
  • 00:23:21
    slew of other information that you can
  • 00:23:23
    throw into columns like servers user
  • 00:23:24
    agents things like that um I it just
  • 00:23:27
    makes it as you're looking through
  • 00:23:30
    through different
  • 00:23:32
    traffics bad example here but normally
  • 00:23:35
    you'll you'll see some stuff in there
  • 00:23:36
    I'll show you in a second
  • 00:23:38
    um and then from here again it's kind of
  • 00:23:41
    throw up on the screen and Wireshark might
  • 00:23:44
    not be your your go-to option for
  • 00:23:47
    because you're not going to be recording
  • 00:23:48
    with Wireshark you're going to be
  • 00:23:49
    potentially throwing a pcap into it
  • 00:23:51
    which is the best practice for it and
  • 00:23:54
    but if you throw it in here and you're
  • 00:23:55
    going to do some analysis there's a lot
  • 00:23:57
    of Statistics under here which are handy
  • 00:24:00
    you've got your HTTP
  • 00:24:02
    um like a request counter is here
  • 00:24:07
    requests oops not going to show me wrong
  • 00:24:09
    wrong screen give me one more second
  • 00:24:10
    rerun that again gotta love the live demo
  • 00:24:14
    here
  • 00:24:17
    good grief come on pull it down
  • 00:24:20
    there we
  • 00:24:21
    go it'll show you the different IPS that
  • 00:24:24
    they're trying to hit the different uh
  • 00:24:26
    what what are they looking for that kind
  • 00:24:27
    of stuff
  • 00:24:29
    um it's and it can show
  • 00:24:31
    you well all sorts of random fun in here
  • 00:24:35
    like your end points um this one's going
  • 00:24:38
    to turn for just a second
  • 00:24:40
    but it's not actually endpoint but it's
  • 00:24:42
    it's talking Network endpoints so if
  • 00:24:43
    you're seeing traffic from come on you
  • 00:24:46
    can do it here there we
  • 00:24:48
    go I want a filter for what's the most
  • 00:24:51
    this is the honey pot that was running
  • 00:24:53
    out there but what's this 7910 okay it's
  • 00:24:55
    got a lot of traffic going to it more
  • 00:24:57
    than a lot of other things
  • 00:24:59
    you're seeing something specific and if
  • 00:25:00
    you're doing troubleshooting you want to
  • 00:25:01
    get from the ethernet level you'll
  • 00:25:03
    probably know what your Upstream
  • 00:25:04
    Downstream Mac addresses are and what
  • 00:25:06
    you're looking at and if something's
  • 00:25:07
    going to the wrong one if you didn't
  • 00:25:09
    find it using a different tool like cppcap
  • 00:25:11
    or tcpdump that type of thing this
  • 00:25:13
    will definitely show you hey you got a
  • 00:25:15
    lot of traffic involving these Macs
  • 00:25:17
    what's going on maybe you have a routing
  • 00:25:18
    issue something like that and from here
  • 00:25:21
    if you want to do you know more of an
  • 00:25:22
    investigation you can what's this IP
  • 00:25:24
    address and you can copy that and go
  • 00:25:26
    look for it and find out where that
  • 00:25:28
    where that's going and all the fun
  • 00:25:30
    things um the other handy thing on here
  • 00:25:33
    if you're looking for again specific
  • 00:25:35
    items but if I look for HTTP requests
  • 00:25:38
    HTTP I already typed it in so I'm going
  • 00:25:40
    to cheat but oh the request method is
  • 00:25:42
    get oh what are you looking at here what
  • 00:25:44
    what kind of get requests did this honey
  • 00:25:46
    pot see during this time you're seeing a
  • 00:25:48
    lot of random stuff
  • 00:25:51
    okay grant that I'm using this on a
  • 00:25:53
    little tiny screen for the sake of
  • 00:25:55
    viewing but
  • 00:25:58
    all these different gets okay well
  • 00:26:00
    they're somebody using a curl what are
  • 00:26:02
    they doing right click on that you can
  • 00:26:03
    follow the HTTP or TCP stream for this
  • 00:26:06
    doesn't really matter show you the
  • 00:26:07
    different Communications between the
  • 00:26:08
    client and the server once wik gets
  • 00:26:11
    button gear here we go okay great I've
  • 00:26:14
    got a host my user agent's curl so
  • 00:26:15
    somebody's running a curl against this
  • 00:26:17
    they could be spoofing that but whatever
  • 00:26:19
    here's what the the server told it
  • 00:26:21
    fantastic here's my generic stuff
  • 00:26:24
    nothing fancy and then it'll still show
  • 00:26:26
    you what the okay it's going to get it's
  • 00:26:27
    a 200 so it was allowed fantastic just
  • 00:26:30
    different ways to look at
  • 00:26:32
    that um lastly close this one here open
  • 00:26:36
    up the last thing to show you so using
  • 00:26:39
    that same profile of HTTP this is a dump
  • 00:26:42
    that I took from that I showed you in
  • 00:26:43
    the earlier in the example the FW
  • 00:26:45
    monitor
  • 00:26:47
    it's because it's looking at different
  • 00:26:49
    inspection points it's it's kind of
  • 00:26:50
    quadrupling at least quadrupling all the
  • 00:26:52
    different traffic so it's not going to
  • 00:26:53
    show you as much with
  • 00:26:55
    HTTP but if you set this up I call it
  • 00:26:57
    checkpoint because because hey we're
  • 00:26:58
    looking at checkpoint
  • 00:27:00
    stuff it'll show you this extra item
  • 00:27:03
    here CPFW you can just pick up this
  • 00:27:05
    information if you went to preferences
  • 00:27:09
    and might as well show you right under
  • 00:27:12
    protocols Wireshark and the GUI is kind of
  • 00:27:15
    small but Wireshark has all these
  • 00:27:17
    protocols that you could scroll until
  • 00:27:19
    your heart's content but there's one FW
  • 00:27:22
    for firewall if you didn't put that
  • 00:27:24
    together fw1 you want to make sure you
  • 00:27:26
    enable that and once you do that restart
  • 00:27:30
    restart Wireshark and then this little
  • 00:27:32
    handy dandy GUI here will pop up and just
  • 00:27:35
    like anything down here you can add
  • 00:27:38
    this apply as a column and you will add
  • 00:27:41
    it to the top up here and you can
  • 00:27:43
    manipulate it how you like you can make
  • 00:27:45
    it look pretty whatever great if you
  • 00:27:46
    decide under this gosh I really want to
  • 00:27:47
    see the destination Port you can apply
  • 00:27:49
    as a column it'll throw up here too but
  • 00:27:52
    this just shows you again this is
  • 00:27:54
    traffic actually actually working so it
  • 00:27:56
    it's not going to be as exciting but
  • 00:27:58
    you're going to see that it came from
  • 00:27:59
    the 19 Network to the 14 Network on this
  • 00:28:01
    lab it went in eth4 okay great pre-
  • 00:28:05
    inbound post-inbound and then it hit
  • 00:28:07
    eth2 or hit the kernel said oh
  • 00:28:09
    yeah go ahead and send it out so eth2
  • 00:28:11
    on the way out and then out so it just
  • 00:28:14
    shows you the uh the steps in and out of
  • 00:28:15
    the kernel there as well so if you're
  • 00:28:17
    only seeing again if you're only seeing
  • 00:28:18
    i's all where's it what's what's being
  • 00:28:20
    dropped do you have a rule set up in
  • 00:28:21
    place is there some implied rule
  • 00:28:22
    somewhere that's not allowing it
  • 00:28:24
    through if you can't find it there check
  • 00:28:27
    your NAT stuff things like that check
  • 00:28:28
    your routing there could be something
  • 00:28:29
    there and then if you really get into
  • 00:28:31
    the deep into the weeds you're going to
  • 00:28:32
    do some kind of debugging on the Kernel
  • 00:28:33
    itself to find out what's being dropped
  • 00:28:36
    and where is it being
  • 00:28:38
    dropped all right um believe yeah that's
  • 00:28:43
    about it we got that's all we got so
  • 00:28:45
    yeah in sum we want to make sure you ask
  • 00:28:46
    the questions if you're what you're
  • 00:28:48
    somebody's asking you into
  • 00:28:48
    troubleshooting or what you're trying to
  • 00:28:49
    figure out did it ever work that kind of
  • 00:28:51
    thing is going to be a lot different
  • 00:28:54
    avenue than hey it stopped working 10
  • 00:28:56
    seconds ago um got to know where to
  • 00:28:58
    start and then use the right tool for
  • 00:29:00
    the job again if you're you might not
  • 00:29:02
    need to throw this all into wire shark
  • 00:29:04
    if you're just looking for is something
  • 00:29:05
    reaching my that certain NIC on my
  • 00:29:07
    firewall hey just run tcpdump run cppcap
  • 00:29:10
    and you'll see it either hitting or
  • 00:29:12
    not hitting and if it's not then you can
  • 00:29:13
    trouble shoot from there why is my
  • 00:29:15
    switch not sending it or what's wrong
  • 00:29:16
    with my router my Gateway that type of
  • 00:29:18
    thing um yes use the right tool for the
  • 00:29:21
    job
  • 00:29:22
    and and we're getting close to the end
  • 00:29:24
    of oh yeah we're already at 31 again my
  • 00:29:26
    name's Jason uh here's my email address
  • 00:29:28
    if anybody you know anything you want to
  • 00:29:30
    follow up with later feel free to shoot
  • 00:29:32
    me a message you want to talk packets I
  • 00:29:33
    love that love uh diving into these kind
  • 00:29:35
    of things so by all means you can reach
  • 00:29:37
    out
  • 00:29:38
    anytime all right Rob back to you I'm
  • 00:29:41
    gonna grab a drink of water here oh go
  • 00:29:42
    grab a drink you're like an Auctioneer
  • 00:29:44
    there Jason good job uh got some
  • 00:29:46
    questions for you here if you run back
  • 00:29:48
    to Wireshark real quick I think you
  • 00:29:50
    showed this in another path but I just
  • 00:29:52
    wanted to share it John said he found
  • 00:29:54
    very helpful when you find a packet of
  • 00:29:56
    interest to click on analyze follow the
  • 00:29:59
    stream on the top menu there so what I
  • 00:30:02
    think is the yep you can follow the
  • 00:30:04
    stream you can uh you can click up there
  • 00:30:06
    or you can right click on the packet
  • 00:30:08
    itself yeah okay yep just wanted to
  • 00:30:10
    share that it's a bad example of that
  • 00:30:11
    one but yeah okay
  • 00:30:14
    um somebody asked do we get a recording
  • 00:30:16
    of This yes this will be this is
  • 00:30:18
    recorded will be posted on YouTube
  • 00:30:20
    channel and the link for that will be in
  • 00:30:22
    the follow-up
  • 00:30:24
    email uh let's
  • 00:30:26
    see no we got some more coming in here
  • 00:30:29
    uh John asked and I don't know if you're
  • 00:30:31
    going to know this one Jason years ago
  • 00:30:33
    there used to be a version of Wireshark
  • 00:30:35
    specifically made for analyzing Check
  • 00:30:37
    Point output from tcpdump whatever
  • 00:30:39
    happened to that that sounds Vaguely
  • 00:30:42
    Familiar to me but I really don't
  • 00:30:44
    remember that Jason do you know anything
  • 00:30:45
    about that or any other checkpoint
  • 00:30:48
    people on the call here that sounds very
  • 00:30:50
    familiar to me I I know they used to
  • 00:30:52
    have something similar to it but uh
  • 00:30:54
    like Wireshark came from was it
  • 00:30:56
    Ethereal back or however you want to say
  • 00:30:58
    it way back in the day but I thought
  • 00:31:00
    there was a different flavor of some
  • 00:31:01
    sort that was specifically for
  • 00:31:03
    checkpoint sound familiar from the R77.30
  • 00:31:05
    days but I top of my head I don't know
  • 00:31:07
    but it's something I can definitely look
  • 00:31:09
    up and ask that question if you want
  • 00:31:11
    to track that down it does sound
  • 00:31:14
    familiar though so yeah you're not crazy
  • 00:31:16
    John uh let's see here
  • 00:31:23
    uh sorry analyze possible capture oh is
  • 00:31:27
    it possible to take a capture and see
  • 00:31:29
    exactly what rule is being applied to
  • 00:31:31
    that
  • 00:31:32
    traffic so can capture look at the
  • 00:31:35
    policy rule number not that I'm aware of
  • 00:31:39
    but it's something to look at um I know
  • 00:31:40
    fw monitor is only going to show you if
  • 00:31:43
    it's again on the wire so it's not doing
  • 00:31:46
    FW monitor itself isn't going to do the
  • 00:31:47
    Diagnostics or isn't going to tell you
  • 00:31:49
    what rule because it's only looking at
  • 00:31:51
    is it pre or post going into the
  • 00:31:52
    different kernel things if it doesn't
  • 00:31:55
    get through that can lead you to look
  • 00:31:56
    into a specific rule
  • 00:32:00
    but yeah I mean if it's hit in the policy
  • 00:32:02
    we should definitely have a uh a log
  • 00:32:04
    entry for it so you can get the rule
  • 00:32:06
    number from there but I don't know if
  • 00:32:07
    you can do it with the uh packet capture
  • 00:32:10
    again somebody please uh correct me if
  • 00:32:12
    I'm
  • 00:32:13
    wrong uh let's see other
  • 00:32:18
    questions are you sharing the slides
  • 00:32:22
    uh think we could share these right John
  • 00:32:25
    there's Jason there's nothing who
  • 00:32:28
    yeah of course I have no problem with
  • 00:32:29
    that yep yep
  • 00:32:33
    uh oh somebody said I guess this was the
  • 00:32:36
    checkpoint version this is back when
  • 00:32:37
    Ethereal/Wireshark was updated so often
  • 00:32:39
    so maybe that's when they had the
  • 00:32:40
    checkpoint
  • 00:32:44
    version does all wire shark come up with
  • 00:32:46
    the profile
  • 00:32:49
    checkpoint um the Prof no um it's
  • 00:32:52
    something that I had to create so when
  • 00:32:53
    you do a like here by default just has
  • 00:32:57
    one called default when you first
  • 00:32:58
    install Wireshark is going to say
  • 00:33:00
    oh here's a default profile great and
  • 00:33:01
    you can add like same with HTTP with
  • 00:33:05
    these different columns I have on the
  • 00:33:06
    top of course now it's going to run slow
  • 00:33:09
    once I added these different destination
  • 00:33:10
    ports and format how I like you can save
  • 00:33:12
    the profile similar with the H the uh
  • 00:33:15
    the checkpoint here because by default
  • 00:33:17
    it doesn't like I showed it doesn't uh
  • 00:33:20
    actually capture the i's and of course
  • 00:33:23
    this not the example for that but you
  • 00:33:25
    got on to your preferences here
  • 00:33:26
    protocols
  • 00:33:28
    down to
  • 00:33:29
    FW good grief a lot of protocols in
  • 00:33:33
    here you need to check this one here and
  • 00:33:34
    I'm not sure if you can see it too well
  • 00:33:35
    on the screen here but the top one's
  • 00:33:37
    saying Show FireWall-1 summary in
  • 00:33:39
    protocol tree once you check that and
  • 00:33:41
    hit okay you have to restart Wireshark
  • 00:33:43
    before it actually starts paying
  • 00:33:44
    attention to it then once you do it'll
  • 00:33:47
    have it in your frames or your output
  • 00:33:50
    over here and then you just need to
  • 00:33:51
    right click that and then apply as a
  • 00:33:53
    column and then it'll drop it up top
  • 00:33:55
    here I don't think it actually calls it
  • 00:33:58
    FW or CPFW I just because it just says
  • 00:34:00
    here's whatever you can rename you can
  • 00:34:03
    rename these you can do whatever you
  • 00:34:04
    want with them but once you're in there
  • 00:34:05
    then you can yeah leave it as a leave it
  • 00:34:08
    as a different column and if you can
  • 00:34:10
    save that save the profile and and then
  • 00:34:12
    you've got your default and you got your
  • 00:34:15
    checkpoint yeah whatever other ones you
  • 00:34:17
    out there but yep great um me
  • 00:34:22
    see uh is there a way to share the
  • 00:34:25
    profiles file
  • 00:34:28
    um yeah you can
  • 00:34:30
    do not sure if I could I could probably
  • 00:34:32
    figure yeah because I've changed them
  • 00:34:33
    between different machines instead of
  • 00:34:34
    recreating every time because that right
  • 00:34:36
    gets hairy so yeah you can definitely do
  • 00:34:38
    you export the profile I'd have to
  • 00:34:40
    remember exactly where that is here but
  • 00:34:42
    yeah you you can export it and if it's
  • 00:34:44
    something that they actually want I can
  • 00:34:46
    get you a copy of that too if I don't
  • 00:34:48
    have a problem with that there's nothing
  • 00:34:49
    proprietary in
  • 00:34:51
    it uh well John who asked the uh the
  • 00:34:54
    Wireshark checkpoint question says he thinks
  • 00:34:57
    he found found it here Ethereal for
  • 00:34:59
    checkpoint CSP
  • 00:35:04
    community so I guess it is out there so
  • 00:35:07
    thank you John we'll go check that
  • 00:35:10
    out uh does Ethernet still have the fw-1
  • 00:35:14
    monitor
  • 00:35:15
    option doesn't ethernet still have the F
  • 00:35:19
    firewall one monitor
  • 00:35:21
    option does Ethernet have it um I'm not
  • 00:35:25
    following that one
  • 00:35:28
    I'm not sure either actually hey John we
  • 00:35:31
    should have you on one he
  • 00:35:33
    said John he's digging in on that uh
  • 00:35:36
    checkpoint wire shark he said it
  • 00:35:38
    actually decodes the output from FW
  • 00:35:41
    monitor yeah so sounds like something to
  • 00:35:43
    check out thank you for that John we
  • 00:35:45
    will check that
  • 00:35:48
    out this one doesn't have any typically
  • 00:35:50
    it won't have ethernet information in it
  • 00:35:52
    but it's right yeah all right I think we
  • 00:35:56
    covered it
  • 00:35:58
    some questions came in Fast and Furious
  • 00:36:00
    there so I apologize if I missed
  • 00:36:02
    something really if you guys feel free
  • 00:36:04
    to grab my email address too if
  • 00:36:06
    something comes up that you think of
  • 00:36:07
    later on I could show the slides too but
  • 00:36:09
    if somebody says hey I got a quick
  • 00:36:10
    question feel free to shoot it over and
  • 00:36:12
    I can always do my best to help out
  • 00:36:14
    absolutely if we don't have the answer
  • 00:36:16
    we'll find it for you so thank you Jason
  • 00:36:18
    great
  • 00:36:20
    information um we will send out that
  • 00:36:23
    follow-up email I said with the
  • 00:36:24
    reference content the SK article Jason
  • 00:36:26
    mentioned and the recording link that'll
  • 00:36:29
    be up on our YouTube channel uh next
  • 00:36:31
    webinar will be in two weeks you will
  • 00:36:33
    see the invitation for that soon but
  • 00:36:35
    thanks again for joining we'll see you
  • 00:36:37
    here next time thank you Jason everyone
  • 00:36:39
    enjoy your day thanks for joining
  • 00:36:41
    everybody see you
Tags
  • troubleshooting
  • network traffic
  • TCP dump
  • CPP cap
  • FW monitor
  • WireShark
  • OSI model
  • network analysis