Tips and Tricks 2024 #16 - Troubleshooting using Network Traffic
Resumo
TLDRThe webinar, led by Jason DuTrey, Security Engineer at Checkpoint, focused on troubleshooting network traffic. Jason began by emphasizing understanding the OSI model and identifying the starting points for trouble-shooting issues, which can vary significantly based on whether something isn't powered on or if a major configuration change has occurred. The session discussed the importance of knowing which tools to use, introducing several such as TCP dump, CPP cap, FW monitor, and WireShark. TCP dump, a widespread tool in Linux systems for capturing network traffic, allows detailed analysis but can be CPU intensive. Meanwhile, CPP cap, a Checkpoint specific tool, offers similar functionality with lighter CPU usage. FW monitor was explained as a tool for analyzing kernel-level traffic specifically on firewalls, and the session expounded on how WireShark serves as a powerful GUI-based tool for detailed packet analysis, though it can be resource-intensive. Throughout the webinar, Jason also demonstrated the use of filters and the importance of understanding network interfaces and protocols while capturing and analyzing traffic to excel in network troubleshooting.
Conclusões
- 👨💻 Jason DuTrey is the presenter, specializing in network security.
- 🔍 The webinar focuses on network traffic troubleshooting.
- 🛠️ TCP dump and CPP cap are crucial tools discussed.
- 🌐 Understanding the OSI model is essential for troubleshooting.
- 🖥️ WireShark is highlighted for its GUI interface capabilities.
- ⚙️ FW monitor inspects kernel traffic specifically on firewalls.
- 📊 Real-time and saved analyses are vital for extended captures.
- 🚫 Avoid unnecessary DNS resolution during analysis.
- 📈 Handling CPU impact is crucial when using intensive tools.
- 🔧 Tailoring WireShark profiles can aid detailed traffic examination.
Linha do tempo
- 00:00:00 - 00:05:00
The webinar introduces the topic of troubleshooting using network traffic, focusing on identifying starting points, differentiating problems, and understanding tools for analysis. Key questions include discovering when an issue commenced and understanding the OSI model's layers.
- 00:05:00 - 00:10:00
Jason explains the significance of understanding the OSI model for troubleshooting, emphasizing that issues can arise at any layer, from the physical to application layers. The session aims to focus on layer 3 network (IP layer) and layer 2 (Ethernet).
- 00:10:00 - 00:15:00
He discusses various tools for network traffic analysis like TCP dump, CPP cap, FW monitor, and Wireshark. TCP dump is a widely-used tool across systems, but can be CPU-intensive. Checkpoint's CPP cap is designed to be lighter, while FW monitor offers kernel-level insights.
- 00:15:00 - 00:20:00
The section highlights the preferred tool usage depending on the troubleshooting context, viewing TCP dump and CPP cap as ideal for physical NIC issues, and exploring Wireshark for deeper analysis due to its graphical interface capabilities.
- 00:20:00 - 00:25:00
Jason provides details on how to use TCP dump and CPP cap, emphasizing capturing traffic on specific interfaces, avoiding DNS resolutions during capture, and employing different command options for tailored outputs. This section also touches on protocol analysis intricacies.
- 00:25:00 - 00:30:00
FW monitor's functionality for inspecting kernel traffic is explained, focusing on pre- and post-inbound/outbound tracking, which is distinct from the management server capabilities and useful for understanding traffic flow and routing issues on firewalls.
- 00:30:00 - 00:36:47
The session concludes with a demo on using Wireshark profiles for viewing and analyzing network captures. It covers practical steps for setting preferred configurations in Wireshark, using filters effectively for troubleshooting, and emphasizes leveraging various tools appropriately.
Mapa mental
Perguntas frequentes
Who was the presenter of the webinar?
Jason DuTrey was the presenter of the webinar.
What was the main topic discussed in the webinar?
The main topic was troubleshooting using network traffic analysis.
What are some tools mentioned for network traffic analysis?
Tools such as TCP dump, CPP cap, FW monitor, and WireShark were mentioned.
Can you access the recording of the webinar?
Yes, the webinar will be posted on the company's YouTube channel.
What is a common tool used in Linux for network traffic analysis?
TCP dump is a common tool used in Linux for network traffic analysis.
Is WireShark mentioned as a tool for network analysis?
Yes, WireShark is mentioned as a tool for network analysis.
What is the main advantage of using CPP Cap over TCP Dump?
CPP Cap is lighter weight with less CPU impact compared to TCP Dump.
What is FW monitor used for?
FW monitor is used for monitoring Kernel-level traffic specifically on firewalls.
How can profiles be managed in WireShark according to the webinar?
Profiles in WireShark can be created and exported or shared to ensure consistent setup across different machines.
What is a recommended way to handle extended captures using TCP Dump?
Using TCP dump to write to a pcap file for later analysis is recommended for handling extended captures.
Ver mais resumos de vídeos
24-Hour Rice: Lower Carbs, Fix Insulin Resistance, Heal Gut, and Fights Cancer! Dr. Mandell
I Agree with Yasir Qadhi! By Jalal Abualrub @YasirQadhi
Introduction to Threads
You struggle because you want to
Top 10 Supply Chains in the World [Lessons from Amazon, Wal-Mart, Alibaba, McDonalds and others]
Top 6 Sports Earbuds in 2024 (with CUSTOM SCORING)
- 00:00:03well hello everybody thank you for
- 00:00:04joining today's tips and tricks webinar
- 00:00:07today's topic as you can see is on
- 00:00:09troubleshooting using network traffic uh
- 00:00:12please use the Q&A chat you have any
- 00:00:14questions during this webinar we'll make
- 00:00:15sure we answer those our presenter today
- 00:00:18is an SE from Pennsylvania Jason to Tre
- 00:00:22Jason what do you have for us today yeah
- 00:00:25thanks Rob and nice to meet you all here
- 00:00:28virtually I Jason do TR like Rob said a
- 00:00:30security engineer here in the Big East
- 00:00:32I'm near Hershey Pennsylvania the
- 00:00:33sweetest place on Earth very exciting
- 00:00:36I've been with checkpoint here for a
- 00:00:37couple years um I was a customer back in
- 00:00:39the 7730 days and after that did some
- 00:00:42digital forensics with network disc
- 00:00:45stuff and some memory items and some
- 00:00:47inant response and then I had a chance
- 00:00:48to join checkpoint here so so here we
- 00:00:51are um again today we'll be talking like
- 00:00:53it says troubleshooting using network
- 00:00:56traffic guess where we're going to start
- 00:00:58here it's always good to know you're
- 00:01:00doing the troubleshooting where to start
- 00:01:01the troubleshooting because you're going
- 00:01:02to be if you've been in it for a while
- 00:01:04you understand that if something's not
- 00:01:06powered on is quite different than if
- 00:01:08somebody made a big huge configuration
- 00:01:09change we're going to look at some of
- 00:01:11the tools that you use for the network
- 00:01:12traffic analysis and then how to
- 00:01:14properly use those in the
- 00:01:16troubleshooting but that biggest
- 00:01:18question that always comes up again if
- 00:01:20you've been in it you know that there's
- 00:01:22no there's no flowchart like this there
- 00:01:24is absolutely not a nice troubleshooting
- 00:01:26button so you have to come up with
- 00:01:28questions like when did it start
- 00:01:29happening did it ever work because
- 00:01:30that'll lead you down a different path
- 00:01:33if something was something things was
- 00:01:35installed and it never worked there big
- 00:01:37difference then it's been running fine
- 00:01:39for three years and yesterday it stopped
- 00:01:41working you know what changed what else
- 00:01:42isn't working that kind of thing is your
- 00:01:44data center underwater for example so
- 00:01:47it's good to know where to start and
- 00:01:49where are we looking which is the second
- 00:01:51kind of question if you're familiar with
- 00:01:53the uh with this layer 1 through 7 The
- 00:01:55OSI it's the open systems interconnected
- 00:01:57model it's a general framework that
- 00:01:59describes network communication from the
- 00:02:01physical layer all the way up to the
- 00:02:02application and back down if you've
- 00:02:04never seen this it uh as your machine or
- 00:02:08as your application as your device is
- 00:02:09getting data it's hitting your physical
- 00:02:12and it's going up and down up and down
- 00:02:13zipping through these layers really fast
- 00:02:16um but it depends on where you're doing
- 00:02:18the troubleshooting is it plugged in
- 00:02:19down a physical layer up to is your
- 00:02:21application having a problem something's
- 00:02:23wrong with your your coding that's you
- 00:02:25know higher up in the chain there here's
- 00:02:28the general idea of it if you've never
- 00:02:29seen it again you've got your physical
- 00:02:31Hardware through your through Ethernet
- 00:02:33through the data ler data link layer up
- 00:02:35to the fun stuff like the IPS and
- 00:02:37protocol or IPS and ports and like
- 00:02:40things like that and you get higher up
- 00:02:43even with the firewall rules protocols
- 00:02:44things like that then five six and seven
- 00:02:47they get mashed together quite a bit and
- 00:02:48we're definitely going to keep them
- 00:02:49mashed together for this but it deals
- 00:02:52with how your how the data is handed to
- 00:02:54your application and what it does with
- 00:02:56it how it presents it to the application
- 00:02:57than what you're actually seeing on your
- 00:02:59screen or your device
- 00:03:00that kind of thing and again your data
- 00:03:02goes up and down really fast and where
- 00:03:05you want to start troubleshooting
- 00:03:06depends on what you're seeing or not
- 00:03:07seeing today we're going to primarily
- 00:03:10focus on layer three Network we'll do a
- 00:03:13little bit with Layer Two with the
- 00:03:14ethernet side as well but good to know
- 00:03:16where we're looking at in this whole
- 00:03:18crazy OSI
- 00:03:20stuff so what tools can we use for this
- 00:03:23I mean there's there's a lot of a lot of
- 00:03:25them out there but we're going to focus
- 00:03:26on a couple today TCP dump being the big
- 00:03:29one if you've done any kind of Linux
- 00:03:32Network stuff in the past this is
- 00:03:33everywhere andan you can run TCB dump on
- 00:03:36any kind of device um it's again it's
- 00:03:40built into every operating system in
- 00:03:41Linux it's very easy to use it's
- 00:03:43crossplatform you'll see it everywhere
- 00:03:46but it tends to be a little bit CPU or
- 00:03:48processor intense when it uh when you're
- 00:03:51ripping through because it does a little
- 00:03:52bit of protocol analysis it'll try to
- 00:03:53guess what is this port 22 okay what is
- 00:03:56this 443 okay this is has to be https
- 00:03:59right it'll do a little bit of analysis
- 00:04:01that way
- 00:04:02but that's where checkpoint came in with
- 00:04:04a CPP cap it's another command line tool
- 00:04:06it's on checkpoint devices from 8040 and
- 00:04:09up and in theory it's supposed to be
- 00:04:11lighter weight less CPU impact so you
- 00:04:13can run it a little more uh a little
- 00:04:16more wild if you want um it's not going
- 00:04:18to have as big of impact on your system
- 00:04:19so if you're running some or doing some
- 00:04:21Diagnostics on a firewall or something
- 00:04:23that's running running pretty hot on the
- 00:04:25the resources this might be a better
- 00:04:27choice but we'll see the differences
- 00:04:29here coming coming
- 00:04:30up then you've got FW monitor which is
- 00:04:34looks more at the cernal level so it's
- 00:04:36you can only run it on firewalls it's
- 00:04:37not on management servers and this will
- 00:04:39give you visibility into the into the
- 00:04:41kernel in the inspection chain so you'll
- 00:04:43see some again we'll get to it but some
- 00:04:45inbound outbound items on different
- 00:04:47Nicks and things like
- 00:04:49that and then of course we have wire
- 00:04:51shark because you can't talk Network
- 00:04:53stuff without talking W shark right if
- 00:04:55you've done any kind of stuff you
- 00:04:57probably run across wire shark it's a
- 00:04:58nice gooey interface so you can see all
- 00:05:01the all the data right in your right in
- 00:05:02front of you oh it's very pretty get all
- 00:05:04the different streams things like that
- 00:05:06um again it has a lot of capabilities to
- 00:05:09it so you can really dive into the uh
- 00:05:13dive into what you're seeing in the
- 00:05:14traffic and you can look at a different
- 00:05:15angles it might help you come to
- 00:05:16different conclusions based on what
- 00:05:18you're trying to find but not what tools
- 00:05:21can we used we should also figure out
- 00:05:22what tools should you use because you
- 00:05:25know the what's that phrase again the
- 00:05:27not everything's a nail if you're a
- 00:05:28hammer something like that whatever
- 00:05:30great your Twi shark will be able to
- 00:05:32capture that data but on your system but
- 00:05:34maybe it's not the best thing because
- 00:05:36it's also doing protocol analyzing and
- 00:05:38parsing and things like that it'll
- 00:05:39really spike your CPU on your running on
- 00:05:41a server for example so if you can run
- 00:05:43something like a TCP dump might be
- 00:05:45better and if you're looking for traffic
- 00:05:48on the Kernel something's lost trying to
- 00:05:49figure out where is it FW monitor might
- 00:05:51your better be your better
- 00:05:53option you're looking at stuff on
- 00:05:55physical Nicks TCB dump and CPP cap
- 00:05:58fantastic that's where you're gonna want
- 00:05:59to look
- 00:06:00but if it gets into the more hey you're
- 00:06:02missing traffic I'm trying to find it in
- 00:06:04the smart console the firewall where's
- 00:06:07this going where is it this might be a
- 00:06:09excuse me another great tool to use um
- 00:06:12if you're working with Tac and some of
- 00:06:13the more in-depth investigations or
- 00:06:16invest uh in-depth tickets they'll be
- 00:06:19running FW monitor as well as different
- 00:06:21um debugs so if they might be looking
- 00:06:23for something going in and out of the
- 00:06:25kernel but they'll also be doing a debug
- 00:06:26on the same thing this really gets down
- 00:06:29into the we needs which is
- 00:06:32handy so first one we got here TP dump
- 00:06:35this one does require expert actually
- 00:06:36both of these require expert mode and
- 00:06:38you can do the output in real time so if
- 00:06:40you're just looking is my traffic
- 00:06:41hitting this Nick or not oh great I see
- 00:06:43it on my terminal fantastic you can also
- 00:06:46save it and throw it into wire shark
- 00:06:47later or for further analysis that type
- 00:06:49of thing lot of different filters you
- 00:06:51can use with TCB dump like BPF for
- 00:06:53Berkeley packet
- 00:06:54filters uh pretty slick but um on the
- 00:06:59checkpoint
- 00:07:00when you're running TCP dump DH for help
- 00:07:02you're not going to this here what
- 00:07:04you're seeing is not going to be overly
- 00:07:06helpful to be honest it's uh it'll tell
- 00:07:09you kind of what what you can do
- 00:07:12personally and off the Record even
- 00:07:14though this is being recorded I might
- 00:07:15run a man TCB dump from a different
- 00:07:17Linux distro or different operating
- 00:07:19system somewhere because it will give
- 00:07:20you a lot more information it'll show
- 00:07:23you what the different commands or what
- 00:07:25different switches you can use and then
- 00:07:26where your why you might want to use
- 00:07:28those it's it's very handy again or
- 00:07:30Google stack Overflow always has a ton
- 00:07:32of people trying to figure out an exact
- 00:07:34you know scalpel type of filter they're
- 00:07:36looking for a very specific traffic and
- 00:07:39there's a lot of examples out there
- 00:07:40definitely check those
- 00:07:42out but some of the more useful options
- 00:07:44that you have there um why W isn't first
- 00:07:48but that's really the first one you want
- 00:07:49to write it to a pcap file for later
- 00:07:51analysis and later looking that's kind
- 00:07:52of the the bread and butter there but
- 00:07:54with TCP dump you're also able to use R
- 00:07:57so you can read from a pcap file so if
- 00:07:58you want to do some parsing if you had a
- 00:08:00huge gig dump of a peac app well you
- 00:08:04want to look for just specific host
- 00:08:06destination Port protocol whatever you
- 00:08:08can read from that pcap parse it out and
- 00:08:10then write it to a different file kind
- 00:08:11of carves it down a little bit very
- 00:08:14handy uh tcbm will run against all of
- 00:08:17your interfaces At Once by default which
- 00:08:19is not something you want to do
- 00:08:20especially on a production firewall
- 00:08:21because that's going to be very CPU
- 00:08:23intensive so you want to use the Dashi
- 00:08:25which you can specify which interface to
- 00:08:26capture it on that gets you a little
- 00:08:28more little more Target there then and
- 00:08:31is going to be a little more
- 00:08:32controversial to me it's very important
- 00:08:34for OPC um if you're capturing traffic
- 00:08:37and you've got some traffic that's going
- 00:08:39to I don't say
- 00:08:41evil.com you don't want to be resolving
- 00:08:43that because every time TCP dump does a
- 00:08:44capture of it it tries resolve the name
- 00:08:46and it's going to say hey what's this
- 00:08:47evil.com evil.com if somebody's watching
- 00:08:49evil.com they're going to see your
- 00:08:52traffic hitting requesting their stuff
- 00:08:54so it's for obsc don't run in um you'll
- 00:08:57see again as we start looking at example
- 00:08:59here that and having a domain name in
- 00:09:02your p in your TP D output it's it kind
- 00:09:05of muddies things up so I like the nend
- 00:09:06because it cleans it up as well and you
- 00:09:08can run
- 00:09:10dhnn and TP dump is they love all sorts
- 00:09:14of things like that so n is going to be
- 00:09:17resolution for DNS names n n is going to
- 00:09:19be resolving protocols so again we'll
- 00:09:23show you in a second here but if you say
- 00:09:25gosh I would love to see am I seeing SSH
- 00:09:27traffic or am I seeing RDP traffic you
- 00:09:30could see hey this is remote desktop
- 00:09:32protocol
- 00:09:33RDP for the eyes or when you're looking
- 00:09:36through it it's nicer to see 3389 or 22
- 00:09:39versus what TCB dump thinks is you know
- 00:09:42what your protocol is there the last
- 00:09:44handful there just going to be for if
- 00:09:45you're rotating through P TCB dump if
- 00:09:47you're running an extended capture on
- 00:09:49something like that and you want to say
- 00:09:51just just keep this running and keep
- 00:09:52cycling it over if you see it I'll come
- 00:09:54back to it tomorrow and look at it those
- 00:09:55last ones are going to be for you and
- 00:09:57that f is the whole the BPF the Berkeley
- 00:09:59packet for filters if you have used
- 00:10:00those in the past if you want to load
- 00:10:01them into a TCB dump use the F
- 00:10:05there some sample traffic um just
- 00:10:08because you never I'm not going to try
- 00:10:09to generate this in a in a timely
- 00:10:12manner look at this top one here RP dump
- 00:10:15dasi to specify eth2 and then I'm saying
- 00:10:18hey don't again and don't resolve the
- 00:10:21the name so you're not seeing the 888
- 00:10:22resolving to Google makes it much
- 00:10:25cleaner and of specifying my host and
- 00:10:27host and icmp so so it's I say very very
- 00:10:32English friendly um you can put those in
- 00:10:34quotes if you like you'll see it in CPP
- 00:10:36cap it's you need that there for the
- 00:10:38different syntax there but if you jump
- 00:10:42down to the second sample there the SSH
- 00:10:44if you'll notice I move the N
- 00:10:47over well it's r t speed up there n n i
- 00:10:51so that's doing I'm not resolving Google
- 00:10:54but I'm also not looking at the the
- 00:10:56protocol so it's 22 you'll see 4.22 so
- 00:11:00it's SSH traffic I'm just there a
- 00:11:01communication between the virtual
- 00:11:02machine and the not even sure what that
- 00:11:04is firewall and it's it's not resolving
- 00:11:08it all that fun stuff so it's easier to
- 00:11:10see versus SSH you see the numbers I
- 00:11:12don't maybe it's just my eyes but for me
- 00:11:14that's a lot easier do what you want um
- 00:11:17but you will notice on this one that
- 00:11:18after the ntcp port 22 on the command
- 00:11:22it's actually cut off a little bit the
- 00:11:24the output comma whatever and it's
- 00:11:27broken TC them I had a wider screen when
- 00:11:30I was capturing that so if I shrink my
- 00:11:31terminal down to a smaller screen it
- 00:11:33does word wrap so it's harder to look at
- 00:11:36maybe if you don't have a smaller screen
- 00:11:39something you have to pay attention to
- 00:11:40that okay this might not be something
- 00:11:42you could just let your eyes rip down
- 00:11:43because it's going to word wrap
- 00:11:45especially when you throw a v in there
- 00:11:47for verbos verbosity verbosity you're
- 00:11:50going to start seeing some check some
- 00:11:51stuff your different sequence numbers
- 00:11:54things like that and it's going to word
- 00:11:55wrap all over the place and you know
- 00:11:57kind of looks like throw up on the
- 00:11:58screen using a-w to write it out
- 00:12:01somewhere or using a longer terminal is
- 00:12:02going to be very
- 00:12:05beneficial we jump on to CP cap again
- 00:12:09with the- h for the help it's this is
- 00:12:12much easier it tells you shows you
- 00:12:14exactly what you're looking at much uh
- 00:12:16yeah much easier to use there's a nice
- 00:12:18SK there you 141 1412 it gives you you
- 00:12:21some different examples some different
- 00:12:23samples on how to use them but again
- 00:12:24this Dash is going to get you in the
- 00:12:27right direction anyway
- 00:12:30and kind of using the same idea with the
- 00:12:32Ping sample
- 00:12:34here if you
- 00:12:36notice my mistake wrong button this dasf
- 00:12:40in our help file is your expression so
- 00:12:43here you do have to specify CPP capap
- 00:12:45with your interface great- f for your
- 00:12:47filter it doesn't just if you throw the
- 00:12:50filter on there it's just going to give
- 00:12:51you a nice error um and again CPP cap
- 00:12:54can run against all of your interfaces
- 00:12:56not best practice but you can and so
- 00:12:58here you're going to see hey in out in
- 00:13:01out on eth to for that ping traffic
- 00:13:03that's the the port of the virtual
- 00:13:04firewall I had here but notice that it's
- 00:13:07only showing you eth2 so it's going in
- 00:13:08out in out in out whatever it's not
- 00:13:10showing you the other ethernet port
- 00:13:12that's actually going out to the
- 00:13:13internet somewhere um just something to
- 00:13:15know when you're
- 00:13:16specifying hey I'm looking at interface
- 00:13:18eth2 it's only going to show you eth2 so
- 00:13:21if you're not seeing you're expecting to
- 00:13:22see it coming from somewhere else or if
- 00:13:25you're just something to pay attention
- 00:13:27to there the bottom one the https sample
- 00:13:31stuff again it's uh it word wraps it's
- 00:13:35handy it's great but it yeah it gets
- 00:13:37harder to see so so pay attention to
- 00:13:39that as well again when you're using the
- 00:13:41uh using these kind of commands this one
- 00:13:43but you'll notice in the command it's
- 00:13:44CPP c-i e to-
- 00:13:48d-n which we look at our switches here
- 00:13:50was verbos data link layer and verbos
- 00:13:52network so you'll notice in this one
- 00:13:53here you're seeing Mac addresses you're
- 00:13:55seeing some other ether types it's a lot
- 00:13:58more information but you can get more
- 00:13:59granular with CPP cap saying I want to
- 00:14:02see the this one specific thing versus a
- 00:14:04TCP dump where it's give me verbose give
- 00:14:06me foros Rose and so this might be a
- 00:14:09little handier on that one but again if
- 00:14:10you check out the SK it uh should get
- 00:14:12you in the right
- 00:14:14direction other one here FW
- 00:14:16monitor like it says here it's Curel
- 00:14:19traffic the inspection chain so you see
- 00:14:20the some post inbound pre- outbound
- 00:14:22things like that show you what those
- 00:14:24look like in a second this is only on
- 00:14:25your firewalls though you can't run this
- 00:14:27on your management server or your random
- 00:14:29Linux machine in your back closet there
- 00:14:31this is just on your
- 00:14:33firewalls uh the thing to pay attention
- 00:14:35to here E versus f for your accelerat
- 00:14:39non-accelerator traffic and what kind of
- 00:14:40filter you might be looking
- 00:14:42at uh again we'll show you what that
- 00:14:44looks like and FW monitor is nice that
- 00:14:46you can specify if you have virtual
- 00:14:48systems on your machine you can on your
- 00:14:50firewall you can specifically look for
- 00:14:51traffic in those so it's not just
- 00:14:53ethernet it's
- 00:14:55kernel again this this SK here though
- 00:14:58the CPP cap one is fantastic but this FW
- 00:15:00monitor one is updated all the time
- 00:15:02there's they're coming out with
- 00:15:03different ways to manipulate it ways to
- 00:15:05make it work better this uh this is
- 00:15:07definitely one to to keep an eye
- 00:15:09on want to give you a quick traffic flow
- 00:15:12I actually borrowed this from Tim Hall
- 00:15:13he's a trainer over at Shadow Peak he
- 00:15:15doesn't some great classes if you're
- 00:15:17ever so inclined to jump on those but
- 00:15:19just want to show you how the traffic
- 00:15:20flows from eth to eth again we'll just
- 00:15:23use Z on1 for example here but we
- 00:15:25looking at uh something off the wire did
- 00:15:28something hit zero TCB dump and CPP cap
- 00:15:31are are going to be your golden nuggets
- 00:15:33there um you want to know if actually
- 00:15:35got there if you have a switching
- 00:15:37something's wrong Upstream
- 00:15:39Downstream these are going to get you
- 00:15:41that traffic they're going to see the
- 00:15:43again the traffic at the ethernet port
- 00:15:45running lid pcap it just essentially
- 00:15:47makes a copy of the packet and just
- 00:15:49hands it off oh here you go TCP dump
- 00:15:51CPAP yep one for you one for you one for
- 00:15:53you just keeps going um so it's very
- 00:15:55handy for did this get there or
- 00:15:57not we talk about the uh accelerated
- 00:16:01traffic with using d e and DF with
- 00:16:04secure Excel it's going to Fast Track
- 00:16:07that trusted traffic so if you have
- 00:16:09again my example earlier of the SSH
- 00:16:11traffic my firewall can see oh yeah I
- 00:16:13know this this is approved we're allowed
- 00:16:15boom you're going to see the header go
- 00:16:16through and everything but then
- 00:16:17everything else is going to be zipping
- 00:16:18over secure Excel if you're looking in
- 00:16:20using- E you're not going to see it
- 00:16:22you're going to see just oh here's the
- 00:16:24sessions set up no big deal but you're
- 00:16:26not going to you're going to miss all
- 00:16:27the the rest of the data there
- 00:16:30but then if you're again likewise if
- 00:16:32you're looking just at at uh Dash f
- 00:16:35using the for acceler traffic you won't
- 00:16:38see all the uh all of it behind if it's
- 00:16:41slow path so kind of depends on what
- 00:16:42you're looking for something to pay
- 00:16:44attention to you can always disable
- 00:16:45secure Excel don't do that in production
- 00:16:48that'll people will not be happy because
- 00:16:50that's going to take your firewall and
- 00:16:51send its resources through the roof
- 00:16:53because I guess H traffic is well it's
- 00:16:56designed to help your firewall run run
- 00:16:57leaner
- 00:17:00um when you're looking to the fire FW
- 00:17:03monitor logs you're going to look our
- 00:17:05main example here is going to be I I and
- 00:17:06O and O So pre-bound post inbound and
- 00:17:09pre- upbound post outbound so these eyes
- 00:17:12but as again as that SK I'll show you in
- 00:17:14a second what it was again but you also
- 00:17:16see different things like D's and q's
- 00:17:18for qos and decrypted traffic and
- 00:17:20encrypted traffic things like that um it
- 00:17:23really gets into the weeds but again
- 00:17:25you'll see like on the left side here
- 00:17:28we've got I and then the right side o as
- 00:17:31the traffic is coming up into your
- 00:17:32kernel and into your into your kernel
- 00:17:35it's a pre- inbound post inbound and
- 00:17:36then post outbound pre- up outbound so
- 00:17:40you'll see different uh depending on
- 00:17:41where an issue might rely might lie that
- 00:17:45uh that'll help you help clue you in
- 00:17:46anyway like you might be seeing just a
- 00:17:49couple eyes but no O's and that could be
- 00:17:51something with a routing issue maybe
- 00:17:52Knack conf figurations things like that
- 00:17:54to go look for um and again if you're
- 00:17:57working with Tac on these kind of things
- 00:17:58they'll probably be running an fwl
- 00:18:00debug looking for different drops and
- 00:18:02they should that should also help clue
- 00:18:04you in but again that's kind of out of
- 00:18:06the scope of network stuff but FW
- 00:18:08monitor a lot of
- 00:18:11craziness so just a quick quick example
- 00:18:14of what this looks like you've got your
- 00:18:16like at the very top I'm using F looking
- 00:18:19for secure traffic but it looks like a
- 00:18:22lot of craziness on here let's just kind
- 00:18:24of break it down the first part here is
- 00:18:26your filter check so if you fat finger
- 00:18:29and mess up this syntax which is easy to
- 00:18:31do unless you've done it a couple times
- 00:18:33this will just error out it's not going
- 00:18:35to capture it's not going to tell you oh
- 00:18:36yeah I'm capturing and it's not it's
- 00:18:37just going to say nope hey try again
- 00:18:40buddy and the Syntax for this is it
- 00:18:41looks complicated it's just Source IP
- 00:18:44Source Port which is zero for any
- 00:18:46destination port or destination IP
- 00:18:48destination Port then protocol so six
- 00:18:49being
- 00:18:50TCP and if it likes that oh yeah you're
- 00:18:52good to go then you'll monitor will
- 00:18:54start and it'll tell you hey yeah great
- 00:18:56we're kicking it off off we go if you're
- 00:18:58doing well then it'll show you the
- 00:19:00capture data at the bottom here if
- 00:19:01you're writing this out to a file it'll
- 00:19:03just show you packets underneath that
- 00:19:06last pack there but again this SK that
- 00:19:1030583 is definitely something to keep an
- 00:19:12eye on um I'll just kind of cut this out
- 00:19:15cut out some of the fat here just to let
- 00:19:17you see what it looks like here but
- 00:19:18again the command syntax with the fs
- 00:19:22it's very simple and then and you'll
- 00:19:26see well see if I can get my laser
- 00:19:29pointer here to do the eyes and the I
- 00:19:32and the o on different ethernet ports so
- 00:19:34mightbe coming in E four hits my kernel
- 00:19:36all the fun stuff and goes out on E
- 00:19:38to just handy to know um I did a little
- 00:19:43dump of this earlier so I saved as off
- 00:19:44so we can look at it in wi shark here in
- 00:19:46a minute but just using the O you just
- 00:19:47slap it on the end and tell it where you
- 00:19:48want to write off to and off you go
- 00:19:51maybe it's not best practice to do home
- 00:19:52admin but hey it's a lab why
- 00:19:56not example using the E filter is a
- 00:19:58little a little bit different so they
- 00:20:00can't make it too easy so it's a
- 00:20:01lowercase e and then you're going to
- 00:20:03have to put this in quotes and you're
- 00:20:04going to specify hosts and looking for
- 00:20:06accepted
- 00:20:07traffic um the output's going to be
- 00:20:09similar as far as the I's and the O's
- 00:20:11and things of that nature if you're
- 00:20:12looking for that but it will give you
- 00:20:14this nice warning right in the very
- 00:20:15middle here hey using the E filter it's
- 00:20:17not accelerated if you want to look for
- 00:20:18Accelerated make sure you use the
- 00:20:20dasf um if you're like me you'll just
- 00:20:23ignore that part and trying to figure
- 00:20:25out why you can't find the accelerated
- 00:20:26traffic and remember oh yeah use the f
- 00:20:29so and again the bottom stuff down here
- 00:20:32is the exciting part of FW monitor
- 00:20:35seeing the
- 00:20:37interfaces so let's cross our fingers
- 00:20:39and do some some demos with wire shark
- 00:20:42all right because that's more fun that
- 00:20:45way pull
- 00:20:47up exactly what could go wrong in a live
- 00:20:50demo right um I had a couple captures
- 00:20:54here and if you've used wire shark in
- 00:20:55the past you know this is it might be
- 00:20:58something interesting might not be so by
- 00:21:00default you have a default profile here
- 00:21:03wi shark looks like somebody threw up on
- 00:21:05the screen it's it it's convenient but
- 00:21:08it's not user friendly out of the box
- 00:21:10you'll see the number for how many
- 00:21:12packets is receive how many packets are
- 00:21:14captured um your time since the packet
- 00:21:16started packet capture started Source
- 00:21:18destination again it's best attempt at
- 00:21:20protocol analysis oh this is TCP good
- 00:21:24work all right 1. one Whatever fantastic
- 00:21:27it'll give you the length of the packet
- 00:21:28and some general information that it
- 00:21:30thinks is
- 00:21:31useful and you'll see the different
- 00:21:32ethernet options ethernet ethernet IP
- 00:21:36you know depending on what the protocol
- 00:21:38is you'll see that information here if
- 00:21:40it's HTTP you'll see that down there as
- 00:21:41well and then on the right side you'll
- 00:21:43get the hex for what you're actually
- 00:21:44seeing so everything flies across the
- 00:21:47network running hex which is
- 00:21:49terrific you
- 00:21:53can for example if you see hey there's
- 00:21:55my source IP address it's going to be as
- 00:21:58you click it's going to show up on the
- 00:21:59right side hey c88 1368 that's the IP
- 00:22:02address fantastic in HEX well hex is
- 00:22:05going to convert that over to Binary and
- 00:22:07that's where your numbers are so if
- 00:22:09you're really looking for fun down this
- 00:22:11way hey enjoy it's it's if it's fun to
- 00:22:14figure out whatever might not be useful
- 00:22:16for traffic analysis so we're going to
- 00:22:18look at a different version here if I
- 00:22:21throw in this one
- 00:22:24here again it's going to look like
- 00:22:26somebody threw up on the screen which
- 00:22:27they did this just just a peap from a
- 00:22:29Honeypot somewhere out there on the
- 00:22:30internet
- 00:22:32but using different profiles there's HTT
- 00:22:36I again doing forensics I kind of had a
- 00:22:38bunch of different ones but HTTP is one
- 00:22:39that I always
- 00:22:41enjoyed if it loads here there we go you
- 00:22:45see this isn't a huge peap but wire
- 00:22:46shark takes an extra second or two to oh
- 00:22:48let me reconvert that stuff so if you're
- 00:22:50running this on a live capture it can
- 00:22:51start dropping packets because your
- 00:22:53computer can't keep up that well but
- 00:22:56again I like to keep in the number of
- 00:22:58packets is fantastic but the bigger
- 00:23:00thing is knowing hey when did this
- 00:23:02happen what am I seeing for the time so
- 00:23:03I change the time stamps over to the
- 00:23:05real time was captured and the another
- 00:23:08big thing is throwing source and
- 00:23:09destination ports in there not resolving
- 00:23:11them so oh 80 you this you know wi shark
- 00:23:15could tell me that this is hdb traffic
- 00:23:16but I want to know what give me the port
- 00:23:18I want to know what kind of Port I'm
- 00:23:19looking at here and then there's a whole
- 00:23:21slew of other information that you can
- 00:23:23throw into columns like servers user
- 00:23:24agents things like that um I it just
- 00:23:27makes it as you're looking through
- 00:23:30through different
- 00:23:32traffics bad example here but normally
- 00:23:35you'll you'll see some stuff in there
- 00:23:36I'll show you in a second
- 00:23:38um and then from here again it's kind of
- 00:23:41throw up on the screen and W shark might
- 00:23:44not be your your go-to option for
- 00:23:47because you're not going to be recording
- 00:23:48with wi shark you're going to be
- 00:23:49potentially throwing a peap into it
- 00:23:51which is the best practice for it and
- 00:23:54but if you throw it in here and you're
- 00:23:55going to do some analysis there's a lot
- 00:23:57of Statistics under here which are handy
- 00:24:00youve got your HTTP
- 00:24:02um like a request counter is here
- 00:24:07requests oops not going to show me wrong
- 00:24:09wrong screen give me one more second
- 00:24:10rerun that again gota love the live demo
- 00:24:14here
- 00:24:17sequences grief come on pull it down
- 00:24:20there we
- 00:24:21go it'll show you the different IPS that
- 00:24:24they're trying to hit the different uh
- 00:24:26what what are they looking for that kind
- 00:24:27of stuff
- 00:24:29um it's and it can show
- 00:24:31you well all sorts of random fun in here
- 00:24:35like your end points um this one's going
- 00:24:38to turn for just a second
- 00:24:40but it's not actually endpoint but it's
- 00:24:42it's talking Network endpoints so if
- 00:24:43you're seeing traffic from come on you
- 00:24:46can do it here there we
- 00:24:48go I want a filter for what's the most
- 00:24:51this is the honey pot that was running
- 00:24:53out there but what's this 7910 okay it's
- 00:24:55got a lot of traffic going to it more
- 00:24:57than a lot of other things
- 00:24:59you're seeing something specific and if
- 00:25:00you're doing troubleshooting you want to
- 00:25:01get from the ethernet level you'll
- 00:25:03probably know what your Upstream
- 00:25:04Downstream Mac addresses are and what
- 00:25:06you're looking at and if something's
- 00:25:07going to the wrong one if you didn't
- 00:25:09find it using a different tool like CPP
- 00:25:11cap TCB dump that type of thing this
- 00:25:13will definitely show you hey you got a
- 00:25:15lot of traffic involving these Macs
- 00:25:17what's going on maybe you have a routing
- 00:25:18issue something like that and from here
- 00:25:21if you want to do you know more of an
- 00:25:22investigation you can what's this IP
- 00:25:24address and you can copy that and go
- 00:25:26look for it and find out where that
- 00:25:28where that's going and all the fun
- 00:25:30things um the other handy thing on here
- 00:25:33if you're looking for again specific
- 00:25:35items but if I look for HTTP requests
- 00:25:38HTTP I already typed it in so I'm going
- 00:25:40to cheat but oh the request method is
- 00:25:42get oh what are you looking at here what
- 00:25:44what kind of get requests did this honey
- 00:25:46pot see during this time you're seeing a
- 00:25:48lot of random stuff
- 00:25:51okay grant that I'm using this on a
- 00:25:53little tiny screen for the sake of
- 00:25:55viewing but
- 00:25:58all these different gets okay well
- 00:26:00they're somebody using a curl what are
- 00:26:02they doing right click on that you can
- 00:26:03follow the HTTP or TCP stream for this
- 00:26:06doesn't really matter show you the
- 00:26:07different Communications between the
- 00:26:08client and the server once wik gets
- 00:26:11button gear here we go okay great I've
- 00:26:14got a host's my user agent curl so
- 00:26:15somebody's running a curl against this
- 00:26:17they could be spoofing that but whatever
- 00:26:19here's what the the server told it
- 00:26:21fantastic here's my generic stuff
- 00:26:24nothing fancy and then it'll still show
- 00:26:26you what the okay it's going to get it's
- 00:26:27a 200 so it was allowed fantastic just
- 00:26:30different ways to look at
- 00:26:32that um lastly close this one here open
- 00:26:36up the last thing to show you so using
- 00:26:39that same profile of HTTP this is a dump
- 00:26:42that I took from that I showed you in
- 00:26:43the earlier in the example the FW
- 00:26:45monitor
- 00:26:47it's because it's looking at different
- 00:26:49inspection points it's it's kind of
- 00:26:50quadrupling at least quadrupling all the
- 00:26:52different traffic so it's not going to
- 00:26:53show you as much with
- 00:26:55HTTP but if you set this up I call it
- 00:26:57checkpoint because because hey we're
- 00:26:58looking at checkpoint
- 00:27:00stuff it'll show you this extra item
- 00:27:03here cpf W you can just pick up this
- 00:27:05information if you went to preferences
- 00:27:09and might as well show you right under
- 00:27:12protocols W shark and gu is kind of
- 00:27:15small but W shark has all these
- 00:27:17protocols that you could scroll until
- 00:27:19your heart's content but there's one FW
- 00:27:22for firewall if you didn't put that
- 00:27:24together fw1 you want to make sure you
- 00:27:26enable that and once you that restart
- 00:27:30restart wi shark and then this little
- 00:27:32handy dandy gu here will pop up and just
- 00:27:35like anything down here you can add
- 00:27:38this apply as a column and you will add
- 00:27:41it to the top up here and you can
- 00:27:43manipulate it how you like you can make
- 00:27:45it look pretty whatever great if you
- 00:27:46decide under this gosh I really want to
- 00:27:47see the destination Port you can apply
- 00:27:49as a column it'll throw up here too but
- 00:27:52this just shows you again this is
- 00:27:54traffic actually actually working so it
- 00:27:56it's not going to be as exciting but
- 00:27:58you're going to see that it came from
- 00:27:59the 19 Network to the 14 Network on this
- 00:28:01lab it went in eth4 okay great pre-
- 00:28:05inbound post inbound and then it hit
- 00:28:07ethernet 2 or hit the kernel said oh
- 00:28:09yeah go ahead and send it out so eth two
- 00:28:11on the way out and then out so it just
- 00:28:14shows you the uh the steps in and out of
- 00:28:15the kernel there as well so if you're
- 00:28:17only seeing again if you're only seeing
- 00:28:18eyes all where's it what's what's being
- 00:28:20dropped do you have a rule set up in
- 00:28:21place is there some implied rule
- 00:28:22somewhere that's not allowing it
- 00:28:24through if you can't find it there check
- 00:28:27your net stuff things like that check
- 00:28:28your routing there could be something
- 00:28:29there and then if you really get into
- 00:28:31the deep into the weeds you're going to
- 00:28:32do some kind of debugging on the Kernel
- 00:28:33itself to find out what's being dropped
- 00:28:36and where is it being
- 00:28:38dropped all right um believe yeah that's
- 00:28:43about it we got that's all we got so
- 00:28:45yeah In Sum we want to make sure you ask
- 00:28:46the questions if you're what you're
- 00:28:48somebody's asking you into
- 00:28:48troubleshooting or what you're trying to
- 00:28:49figure out did it ever work that kind of
- 00:28:51thing is going to be a lot different
- 00:28:54avenue than hey it stopped working 10
- 00:28:56seconds ago um got to know where to
- 00:28:58start and then use the right tool for
- 00:29:00the job again if you're you might not
- 00:29:02need to throw this all into wire shark
- 00:29:04if you're just looking for is something
- 00:29:05reaching my that certain Nick on my
- 00:29:07firewall hey just run TCP down run cppb
- 00:29:10cap and you'll see it either hitting or
- 00:29:12not hitting and if it's not then you can
- 00:29:13trouble shoot from there why is my
- 00:29:15switch not sending it or what's wrong
- 00:29:16with my router my Gateway that type of
- 00:29:18thing um yes use the right tool for the
- 00:29:21job
- 00:29:22and and we're getting close to the end
- 00:29:24of oh yeah we're already at 31 again my
- 00:29:26name's Jason uh here's my email address
- 00:29:28if anybody you know anything you want to
- 00:29:30follow up with later feel free to shoot
- 00:29:32me a message you want to talk packets I
- 00:29:33love that love uh diving into these kind
- 00:29:35of things so by all means you can reach
- 00:29:37out
- 00:29:38anytime all right Rob back to you I'm
- 00:29:41gonna grab a drink of water here oh go
- 00:29:42grab a drink you're like an Auctioneer
- 00:29:44there Jason good job uh got some
- 00:29:46questions for you here if you run back
- 00:29:48to wire shark real quick I think you
- 00:29:50showed this in another path but I just
- 00:29:52wanted to share it John said he found
- 00:29:54very helpful when you find a packet of
- 00:29:56interest to click on analyze follow the
- 00:29:59stream on the top menu there so what I
- 00:30:02think is the yep you can follow the
- 00:30:04stream you can uh you can click up there
- 00:30:06or you can right click on the packet
- 00:30:08itself yeah okay yep just wanted to
- 00:30:10share that it's a bad example of that
- 00:30:11one but yeah okay
- 00:30:14um somebody asked do we get a recording
- 00:30:16of This yes this will be this is
- 00:30:18recorded will be posted on YouTube
- 00:30:20channel and the link for that will be in
- 00:30:22the follow-up
- 00:30:24email uh let's
- 00:30:26see no we got some more coming in here
- 00:30:29uh John asked and I don't know if you're
- 00:30:31going to know this one Jason years ago
- 00:30:33there used to be a version of wire shark
- 00:30:35specifically made for analyzing check
- 00:30:37put output from TCP dump whatever
- 00:30:39happened to that that sounds Vaguely
- 00:30:42Familiar to me but I really don't
- 00:30:44remember that Jason do you know anything
- 00:30:45about that or any other checkpoint
- 00:30:48people on the call here that sounds very
- 00:30:50familiar to me I I know they used to
- 00:30:52have something similar to it but i e
- 00:30:54like white shirt came from was it
- 00:30:56etheral back or however you want to say
- 00:30:58it way back in the day but I thought
- 00:31:00there was a different flavor of some
- 00:31:01sort that was specifically for
- 00:31:03checkpoint sound familiar from the 7730
- 00:31:05days but I top of my head I don't know
- 00:31:07but it's something I can definitely look
- 00:31:09up and ask that question if you want
- 00:31:11toil track that down it does sound
- 00:31:14familiar though so yeah you're not crazy
- 00:31:16John uh let's see here
- 00:31:23uh sorry analyze possible capture oh is
- 00:31:27it possible to take a capture and see
- 00:31:29exactly what rule is being applied to
- 00:31:31that
- 00:31:32traffic so can capture look at the
- 00:31:35policy rule number not that I'm aware of
- 00:31:39but it's something to look at um I know
- 00:31:40FWB monitor is only going to show you if
- 00:31:43it's again on the wire so it's not doing
- 00:31:46FW monitor itself isn't going to do the
- 00:31:47Diagnostics or isn't going to tell you
- 00:31:49what rule because it's only looking at
- 00:31:51is it pre or postponing into the
- 00:31:52different kernel things if it doesn't
- 00:31:55get through that can lead you to look
- 00:31:56into a specific rule
- 00:32:00but yeah I mean if it's h in the policy
- 00:32:02we should definitely have a uh a log
- 00:32:04entry for it so you can get the rule
- 00:32:06number from there but I don't know if
- 00:32:07you can do it with the uh packet capture
- 00:32:10again somebody please uh correct me if
- 00:32:12I'm
- 00:32:13wrong uh let's see other
- 00:32:18questions are you sharing the slides
- 00:32:22uh think we could share these right John
- 00:32:25there's Jason there's nothing who
- 00:32:28yeah of course I have no problem with
- 00:32:29that yep yep
- 00:32:33uh oh somebody said I guess this was the
- 00:32:36checkpoint version this is back when
- 00:32:37etheral wire shark was updated so often
- 00:32:39so maybe that's when they had the
- 00:32:40checkpoint
- 00:32:44version does all wire shark come up with
- 00:32:46the profile
- 00:32:49checkpoint um the Prof no um it's
- 00:32:52something that I had to create so when
- 00:32:53you do a like here by default just has
- 00:32:57one called default when you first
- 00:32:58install check wi shark is going to say
- 00:33:00oh here's a default profile great and
- 00:33:01you can add like same with HTTP with
- 00:33:05these different s columns I have on the
- 00:33:06top of course now it's going to run slow
- 00:33:09once I added these different destination
- 00:33:10ports and format how I like you can save
- 00:33:12the profile similar with the H the uh
- 00:33:15the checkpoint here because by default
- 00:33:17it doesn't like I showed it doesn't uh
- 00:33:20actually capture the eyes and of course
- 00:33:23this not the example for that but you
- 00:33:25got on to your preferences here
- 00:33:26protocols
- 00:33:28down to
- 00:33:29F W good grief a lot of protocols in
- 00:33:33here you need to check this one here and
- 00:33:34I'm not sure if you can see it too well
- 00:33:35on the screen here but the top one's
- 00:33:37saying show firewall One summary in
- 00:33:39protocol tree Once you check that and
- 00:33:41hit okay you have to restart wire shark
- 00:33:43before it actually starts paying
- 00:33:44attention to it then once you do it'll
- 00:33:47have it in your frames or your output
- 00:33:50over here and then you just need to
- 00:33:51right click that and then apply as a
- 00:33:53column and then it'll drop it up top
- 00:33:55here I don't think it actually calls it
- 00:33:58FW or cpf w i just because it just says
- 00:34:00here's whatever you can rename you can
- 00:34:03rename these you can do whatever you
- 00:34:04want with them but once you're in there
- 00:34:05then you can yeah leave it as a leave it
- 00:34:08as a different column and if you can
- 00:34:10save that save the profile and and then
- 00:34:12you've got your default and you got your
- 00:34:15checkpoint yeah whatever other ones you
- 00:34:17out there but yep great um me
- 00:34:22see uh is there a way to share the
- 00:34:25profiles file
- 00:34:28um yeah you can
- 00:34:30do not sure if I could I could probably
- 00:34:32figure yeah because i' I've changed them
- 00:34:33between different machines instead of
- 00:34:34recreating every time because that right
- 00:34:36gets hairy so yeah you can definitely do
- 00:34:38you export the profile I'd have to
- 00:34:40remember exactly where that is here but
- 00:34:42yeah you you can export it and if it's
- 00:34:44something that they actually want I can
- 00:34:46get you a copy of that too if I don't
- 00:34:48have a problem with that there's nothing
- 00:34:49proprietary in
- 00:34:51it uh well John who asked the uh the wi
- 00:34:54shark checkpoint question says he thinks
- 00:34:57he found found it here etheral for
- 00:34:59checkpoint CSP
- 00:35:04community so I guess it is out there so
- 00:35:07thank you John we'll go check that
- 00:35:10out uh does Ethernet still have the fw-1
- 00:35:14monitor
- 00:35:15option doesn't ethernet still have the F
- 00:35:19firewall one monitor
- 00:35:21option does Ethernet have it um I'm not
- 00:35:25following that one
- 00:35:28I'm not sure either actually hey John we
- 00:35:31should have you on one he
- 00:35:33said John he's digging in on that uh
- 00:35:36checkpoint wire shark he said it
- 00:35:38actually decodes the output from FW
- 00:35:41monitor yeah so sounds like something to
- 00:35:43check out thank you for that John we
- 00:35:45will check that
- 00:35:48out this one doesn't have any typically
- 00:35:50it won't have ethernet information in it
- 00:35:52but it's right yeah all right I think we
- 00:35:56covered it
- 00:35:58some questions came in Fast and Furious
- 00:36:00there so I apologize if I missed
- 00:36:02something really if you guys feel free
- 00:36:04to grab my email address or too if
- 00:36:06something comes up that you think of
- 00:36:07later on I could show the slides too but
- 00:36:09if somebody says hey I got a quick
- 00:36:10question feel free to shoot it over and
- 00:36:12I can always do my best to help out
- 00:36:14absolutely if we don't have the answer
- 00:36:16we'll find it for you so thank you Jason
- 00:36:18great
- 00:36:20information um we will send out that
- 00:36:23follow-up email I said with the
- 00:36:24reference content the SK article Jason
- 00:36:26mentioned and the recording link that'll
- 00:36:29be up on our YouTube channel uh next
- 00:36:31webinar will be in two weeks you will
- 00:36:33see the invitation for that soon but
- 00:36:35thanks again for joining we'll see you
- 00:36:37here next time thank you Jason everyone
- 00:36:39enjoy your day thanks for joining
- 00:36:41everybody see you
- troubleshooting
- network traffic
- TCP dump
- CPP cap
- FW monitor
- WireShark
- OSI model
- network analysis