6 videos 📅 2025-04-22 09:00:00 Asia/Singapore
United Arab Emirates - Basic Network Troubleshooting Using Wireshark

WEBVTT

00:00:00.000 --> 00:00:10.500
package. Yeah. Danin, I can see you are there. How about him? Okay, I saw you are

00:00:10.500 --> 00:00:24.820
here. So, okay, let me try to help you to extract this. Okay, from here. All right,

00:00:24.820 --> 00:00:31.560
that's the file that we are going to use during the training. Okay, so back to here. Okay,

00:00:31.660 --> 00:00:41.360
let's go back to the slideshare. Okay, so now you have those files, right? Let's go

00:00:41.360 --> 00:00:49.980
ahead and get to it. All right, I think before that, I will give you some brief

00:00:50.820 --> 00:00:57.120
about the network troubleshooting. So maybe I want to hear about some feedback from your

00:00:57.120 --> 00:01:06.860
side as well, because at least I will have a brief understanding on what you are doing

00:01:06.860 --> 00:01:16.660
and what is your level and then how can I help you to understand the basic knowledge

00:01:16.660 --> 00:01:29.280
of the Wireshark. Okay, so network troubleshooting actually for my role. I'm not really like using

00:01:29.280 --> 00:01:35.820
the command line in Linux, but I'm mostly using Windows for network troubleshooting.

00:01:36.120 --> 00:01:42.480
And why do I need it? Because, for example, okay, let me give you an example. Sometimes,

00:01:43.440 --> 00:01:54.620
let's say I want to transfer money via the online banking app. So when I log in to the

00:01:54.620 --> 00:02:01.600
app, so when I select my from account and to account, let's say, I fill in all the

00:02:01.600 --> 00:02:07.460
information needed. When I click transfer, that's a very important process, right? Because this

00:02:07.460 --> 00:02:13.640
money transfer process. But sometimes I can see the spinning wheel keeps loading.

00:02:14.340 --> 00:02:21.940
Or sometimes I will see like, why no response from the maybe banking side? And suddenly

00:02:21.940 --> 00:02:29.380
prompt, oops, the transaction failed. Okay. And then I'm the client, I'm so worried about

00:02:30.080 --> 00:02:36.860
now where did my money go? Did that fail? But then my money was deducted from that account.

00:02:37.460 --> 00:02:47.180
So what should I do? So normally, if I'm the one who encountered this failure, or I'm receiving

00:02:47.180 --> 00:02:53.300
some feedback or complaint from the client, I would try to use a browser. Okay, let me show you.

00:02:54.420 --> 00:03:07.760
Okay, so let me go to the, all right. So let's say this is the website. So if I click something

00:03:07.760 --> 00:03:18.300
here, okay, so let me open the inspector and network. All right. If I simply type any keyword

00:03:18.860 --> 00:03:25.800
I press enter. So you can see there are a lot of information under the tab. So I will always

00:03:25.800 --> 00:03:34.780
monitor the transaction here. So if I see there's an API call, the client sends a request to

00:03:34.780 --> 00:03:41.020
the server side. So I will see like, for example, this one. So I will try to click on it

00:03:41.020 --> 00:03:49.100
and I will see the response and the payload as well, payload and also the response from the

00:03:49.100 --> 00:03:57.920
server. Sometimes the server will just return the 200, but some server, I think most of

00:03:57.920 --> 00:04:06.920
the server responses pass the content as well. So if, let's say, okay, I'm not

00:04:06.920 --> 00:04:13.820
able to capture any failure. I cannot get any clues from the network or just a very

00:04:13.820 --> 00:04:20.700
brief information for me. It's not enough. So I will use some tools. I will use some

00:04:20.700 --> 00:04:27.740
command line. I will also go to the Azure portal to check the Azure configuration as well.

00:04:28.180 --> 00:04:35.080
So that's what I did. But then for the network engineering, I think what you're familiar

00:04:35.080 --> 00:04:41.820
is that. So, okay, later on I will show you, but let's see what is the network troubleshooting.

00:04:41.940 --> 00:04:47.640
So this is the process of identifying the problem and then do some analysis,

00:04:48.740 --> 00:04:59.080
analyze the logs, analyze all the capture packets, analyze any information that you

00:05:00.400 --> 00:05:06.480
collect from the website, from the browser, from the network analyzer tools and

00:05:07.340 --> 00:05:12.700
resolving the issues that affect the performance, connectivity or functionality of the network.

00:05:13.660 --> 00:05:21.220
And then, so why is it important? Because I think right now everyone is always

00:05:21.220 --> 00:05:28.840
using the network, right? No matter what. And now AI is very popular. So whenever we have any

00:05:28.840 --> 00:05:37.160
questions, we will sometimes, I mostly will ask ChatGPT, Gemini or any Copilot-like

00:05:37.160 --> 00:05:45.220
tools for whatever purpose. So we are using the network every day, even every minute.

00:05:46.160 --> 00:05:53.220
So it's very critical for communication and data access. And so let's say our client

00:05:53.220 --> 00:05:59.580
got some downtime or issues affecting their productivity, business operations or security.

00:06:00.120 --> 00:06:07.840
So it's a very, very serious issue, a very, very critical problem and matter. So it will help,

00:06:07.840 --> 00:06:15.500
it will cause our company to lose the money and the business. Right. And then so we need

00:06:15.500 --> 00:06:20.440
to like be proactive to do some troubleshooting to help to prevent the long-term issues.

00:06:20.440 --> 00:06:25.960
And what is the common network issues that we are always encountering?

00:06:27.680 --> 00:06:34.520
Okay. For example, okay. So I will use some examples, like inability to connect to the

00:06:34.520 --> 00:06:41.860
internet or local network. So this happened if the Wi-Fi dropped, but then does it always

00:06:41.860 --> 00:06:47.960
happen? Not really. But it will happen mostly, in my case, when I'm connecting

00:06:47.960 --> 00:06:54.600
to the virtual machine or if my client is using the virtual desktop and for their,

00:06:54.600 --> 00:07:00.720
maybe for their accessing, like connection to the application that we develop. So

00:07:00.720 --> 00:07:06.440
sometimes it will happen. And it's not only like internet drop due to the firewall policy.

00:07:06.920 --> 00:07:13.640
Sometimes it will also be due to the slow network speed as well. Okay. So specific websites

00:07:13.640 --> 00:07:18.780
not accessible, DNS error or device unable to communicate always happens.

00:07:19.680 --> 00:07:30.060
If yeah, if the connection or internet got some like latency issue, or maybe the firewall

00:07:30.060 --> 00:07:38.400
will drop or maybe the server side is not accessible, like got this 404 or 500 error.

00:07:38.400 --> 00:07:43.800
Okay. This sometimes happened in my daily tasks. So that's why,

00:07:45.340 --> 00:07:52.360
that's why sometimes we use some tools to do at least some first round of the troubleshooting.

00:07:52.860 --> 00:07:59.880
So I think that tools, the command line, I believe Ham and Tanin will be familiar with,

00:07:59.980 --> 00:08:05.340
right? Are you guys familiar with the command line tools and using them in your daily tasks?

00:08:05.340 --> 00:08:13.080
Okay. So what is the normally, what is the OS platform that you use? Is it Linux or Windows

00:08:13.080 --> 00:08:18.760
or Windows? Okay. Then how about the tools that I showed you guys before, the network tab

00:08:18.760 --> 00:08:25.900
in the browser, the developer tool. Have you guys ever used the developer tool in any browser

00:08:26.460 --> 00:08:33.460
like do some troubleshooting or debugging here? No. Okay. So all right. I think it's cool

00:08:33.460 --> 00:08:39.060
because we have a different background, but I think that was reacted because if we send the

00:08:39.060 --> 00:08:44.860
request from client side to response, that's one of the way that I monitor the transaction in

00:08:44.860 --> 00:08:56.280
here. Okay. All right. So, okay. Back to here. So I think ping, everyone is familiar, right? So

00:08:56.280 --> 00:09:04.060
this is to test. We send the ICMP packets to test if a device is reachable

00:09:04.060 --> 00:09:11.840
and we can measure the response time. And then traceroute. So this is the command

00:09:11.840 --> 00:09:17.640
which shows each hop between the source and the destination to identify where delays or

00:09:17.640 --> 00:09:26.600
drops can happen. All right. So for the ipconfig /all, this is to view the IP settings

00:09:26.600 --> 00:09:33.660
to display and configure network interfaces. And then nslookup. Okay. We, for example,

00:09:33.680 --> 00:09:39.960
if you want to get the IP address, so we will check if the DNS query is resolved correctly.

00:09:40.800 --> 00:09:46.580
And then Wireshark, I think this is our main purpose today. We are going to use Wireshark

00:09:46.580 --> 00:09:54.180
to capture and analyze the packets deeply. But I think in this training, I won't

00:09:54.180 --> 00:10:00.520
spend too much time on the troubleshooting, but I will drive it to the basic usage of the

00:10:00.520 --> 00:10:11.700
Wireshark. Okay. So netstat and tcpdump. All right. Okay. So troubleshooting methodologies,

00:10:11.700 --> 00:10:21.120
I think this is quite similar, no matter who you are. So it's either you are an engineer,

00:10:21.880 --> 00:10:29.520
a network engineer or QA engineer or developer. So first of all, whenever we

00:10:29.520 --> 00:10:37.000
encounter any issues, right? Okay. Let's say a client complained, the performance of the

00:10:37.000 --> 00:10:47.880
application is low. So they can see, or they are not able to upload a map file to their website,

00:10:48.080 --> 00:10:54.340
or they are not able to upload the file or download file to their machine. So we will try

00:10:54.340 --> 00:11:02.200
to collect what is the problem in a very high level. And we will try to collect all those

00:11:02.440 --> 00:11:11.980
steps. And we will see, is it possible to collect those logs or reports or any symptoms? Okay.

00:11:11.980 --> 00:11:16.880
Understand when, where, and how often the issue occurs. Is it always reproducible or only

00:11:16.880 --> 00:11:23.340
happen in their particular machine or environment or windows or what is the browser type they

00:11:23.900 --> 00:11:32.520
Okay. So second, based on the symptoms or initial log, we are trying to, you know,

00:11:32.840 --> 00:11:40.640
like form a hypothesis. Okay. Is the device receiving a valid IP or is DNS resolution failing

00:11:41.260 --> 00:11:47.780
or is the Wi-Fi signal weak or could a cable or port be faulty? So we are trying to get

00:11:47.780 --> 00:11:57.680
possible causes. So for me, I will usually like form a hypothesis like maybe the

00:11:57.680 --> 00:12:03.220
connection in between server and client is not stable. So I would at least try to

00:12:04.160 --> 00:12:10.620
reproduce it in my local machine. If my local machine also encountered that issue,

00:12:10.780 --> 00:12:14.640
that means I don't need to collect all those information from client side,

00:12:14.640 --> 00:12:20.200
but if it only happened on their side, I will try to understand. Yeah, I will try to collect

00:12:20.200 --> 00:12:27.780
all those needed logs. Okay. And then isolate the cause. So what does that mean? Okay. This

00:12:27.780 --> 00:12:32.280
is important to narrow down the source, like try connecting another device on the same

00:12:32.280 --> 00:12:38.100
network and use the tools like ping, ipconfig or Wireshark to compare the healthy versus

00:12:38.100 --> 00:12:45.520
a faulty system. So do a comparison and check logs from router or firewalls.

00:12:46.940 --> 00:12:54.940
And then once you are able to get some clues, so we will try to implement a solution,

00:12:56.580 --> 00:13:02.940
maybe, okay, let's say restart the routers or switches or reassign the IP address

00:13:03.580 --> 00:13:09.920
or if it's a hardware issue or cable issue, we can replace or change it

00:13:09.920 --> 00:13:16.660
or adjust the firewall rules or DNS setting. All right. And then verify the solution. We need

00:13:16.660 --> 00:13:22.960
to make sure the issue has been resolved. Can the user access the internet? Is the

00:13:22.960 --> 00:13:30.340
performance back to normal or are the services responding properly? And then the final one is

00:13:30.340 --> 00:13:36.060
document and prevent future issues. So this is very important because we need to record what

00:13:36.060 --> 00:13:42.460
happened and how it was fixed, what is the root cause and what are the lessons learned.

00:13:43.020 --> 00:13:49.880
So we can implement monitoring tool or alerts or plan for redundancy or improve the

00:13:50.840 --> 00:13:58.220
Okay. So that is the basic ideas of the troubleshooting.

00:14:00.140 --> 00:14:08.920
So I won't go into the deeper level for this, but I will jump into our Wireshark lesson now.

00:14:09.340 --> 00:14:15.180
All right. Okay. So I think first,

00:14:19.000 --> 00:14:26.000
so let's just talk about why you are here in the first place. So I think since you are using

00:14:26.000 --> 00:14:32.240
Wireshark tool every day, right? So Wireshark can be intimidating. So when you are looking

00:14:32.240 --> 00:14:39.320
at the network traffic, it doesn't really matter what you are looking at. It could be

00:14:39.320 --> 00:14:46.640
or maybe even you are using Wireshark to investigate the cyber security incident.

00:14:47.780 --> 00:14:51.640
But when you trigger the Wireshark, for example, let me open it.

00:14:57.580 --> 00:15:09.300
So you can see the packets keep increasing, right? So it's intimidating. So it's very

00:15:09.300 --> 00:15:17.680
capture to analyze all those information with the 6,000 records here. Okay.

00:15:20.960 --> 00:15:25.220
So when you are looking at the network traffic, it doesn't really matter what

00:15:25.220 --> 00:15:30.540
you are looking at. It could be troubleshooting network problem, right? Like what I said,

00:15:30.700 --> 00:15:35.860
could be a cyber security incident. So we capture a lot on the wire, but there's

00:15:36.020 --> 00:15:44.120
a lot whipping by like few thousand, 6,000 within just maybe 10 seconds. So it's easy

00:15:44.120 --> 00:15:55.280
to get overwhelmed. So even with a simple screen as like you see just now. Okay. So

00:15:55.280 --> 00:16:01.160
here's a lot going on. What the protocols matter and what filter do I set and what

00:16:01.160 --> 00:16:06.100
I really hone in to find the source of the problem and even get the proof of what happened

00:16:06.100 --> 00:16:15.500
during an attack. Okay. So before we jump into the course, I want you to open the pre-lab.

00:16:18.120 --> 00:16:23.280
So right now we are here to do in this course to make Wireshark more accessible to you as a

00:16:23.280 --> 00:16:28.260
tool in a toolbox that can help you to troubleshoot and investigate incidents faster.

00:16:29.260 --> 00:16:39.200
All right. So later on, I will need your help to open the pre-lab. Let me show you.