
United Arab Emirates - Basic Network Troubleshooting Using Wireshark

WEBVTT

00:00:01.380 --> 00:00:09.960
okay so all right so we're on the same page okay please open the pre-lab slow

00:00:09.960 --> 00:00:21.580
network pcap yeah turning already there um you know Ham you can open the

00:00:21.580 --> 00:00:29.460
pre-lab all right okay good so in lesson two we talked about before

00:00:29.460 --> 00:00:37.380
interface so we are on this workshop basic training profile but this time I

00:00:37.380 --> 00:00:43.400
will let you to take a look at some basic statistic first before we jump

00:00:43.400 --> 00:00:54.000
into lesson three okay so here so you can see here is the menu bar right

00:00:54.000 --> 00:01:02.440
and there is a statistic tool here when you click on it you can see there are a

00:01:02.440 --> 00:01:10.140
lot of tools under this statistic okay so different information we can get

00:01:10.140 --> 00:01:17.120
about this pcap by clicking on different tools here so first I will

00:01:17.120 --> 00:01:25.180
go to the conversation okay before I jump into a workshop okay so I will let

00:01:25.180 --> 00:01:32.900
you to see later on I will give you five minutes to take a look on the

00:01:32.900 --> 00:01:38.320
conversation and then analyze something that you found in the

00:01:38.320 --> 00:01:46.520
conversation is either on Ethernet IPv4 TCP tab and tell me how did you

00:01:46.520 --> 00:01:53.640
know and realize this PCAP file is having network slowness problem by

00:01:53.640 --> 00:02:00.360
looking into these traffic conversation records okay so let me hide it and

00:02:01.060 --> 00:02:10.840
let me open it okay here so to make sure you both and me on the same page

00:02:10.840 --> 00:02:20.300
please click the statistic and then go to the conversation you can enlarge it

00:02:20.300 --> 00:02:27.260
or maximize these windows okay they are one two three four five five tabs

00:02:27.260 --> 00:02:37.920
here right so you can see Ethernet is two IPv4 is only one and then TCP is

00:02:37.920 --> 00:02:50.960
one as well okay so remember yesterday we did some packet analysis right so

00:02:50.960 --> 00:03:03.280
we did let me open this is the packet list so from here we can see we only

00:03:03.280 --> 00:03:13.140
have one and two two IP address so let me take a look on the destination so

00:03:13.140 --> 00:03:22.300
we have two IP address which is 10.0.0.100 and then 172.16.0.13

00:03:22.300 --> 00:03:33.360
so okay back to the default ordering so we can see this 172.16.0.13

00:03:33.360 --> 00:03:39.600
actually is like a client to send a request to a server so the server is

00:03:39.600 --> 00:03:47.720
10.0.0.100 okay so only two IP address in this traffic

00:03:47.720 --> 00:03:56.760
conversation okay so the protocol having TCP HTTP what else let me take a

00:03:56.760 --> 00:04:06.400
look okay these two so back to here we do have two internet records here

00:04:06.400 --> 00:04:15.660
and why we do have the three MAC different address one two three okay

00:04:15.660 --> 00:04:25.380
and then when we go to the IP report there's one record which is here just

00:04:25.380 --> 00:04:32.740
now in the packet list summary view we can see this 172 actually is like a

00:04:32.740 --> 00:04:40.040
client to be a client and 10.0.0.100 is like to be a server right so both

00:04:40.040 --> 00:04:47.700
them are communicate with each other and sending the packet okay so IPv6

00:04:47.700 --> 00:04:53.060
nothing TCP we have one and then the conversation is between these two

00:04:53.060 --> 00:05:00.240
IP address by using for a for client 80 for server okay there is no

00:05:00.240 --> 00:05:09.220
UDP all right so take five minutes and then later on we come back and tell

00:05:09.220 --> 00:05:16.020
me yeah maybe we can take turns to share about your finding okay right

00:05:42.460 --> 00:05:43.860
Oh

00:05:43.860 --> 00:05:54.340
So this is just like a warm-up for you to look into the statistics tool.

00:05:55.500 --> 00:06:07.600
So I think maybe let us have some interaction first before I jump into the observation findings

00:06:07.600 --> 00:06:08.440
explanation.

00:06:08.760 --> 00:06:09.420
All right.

00:06:09.420 --> 00:06:12.760
So who wants to go first?

00:06:15.460 --> 00:06:16.840
I see Tanin is smiling.

00:06:17.240 --> 00:06:24.320
So are you going to be the first one to share about?

00:06:25.240 --> 00:06:25.640
OK.

00:06:25.780 --> 00:06:27.640
So let me open the Wireshark.

00:06:28.560 --> 00:06:33.980
Remember yesterday we are adding this column, delta time.

00:06:34.380 --> 00:06:37.480
So we can see the amount of time between the packets.

00:06:38.400 --> 00:06:48.440
And here from 100, 105 milliseconds for this packet, I think still OK for this packet.

00:06:49.240 --> 00:06:57.360
So and going next and next, we can see it's quite quick and fast for the following each

00:06:57.360 --> 00:06:58.560
packet to transfer.

00:06:59.640 --> 00:07:02.480
But here it's about 20 seconds.

00:07:02.840 --> 00:07:06.020
So we can see maybe it's a spinning wheel, it keeps loading.

00:07:06.620 --> 00:07:08.800
So it's something wrong here.

00:07:09.880 --> 00:07:13.140
And from this conversation, what do you find?

00:07:13.880 --> 00:07:13.940
Right?

00:07:14.580 --> 00:07:16.500
I'll pass it over to you.

00:07:17.100 --> 00:07:18.900
And you are the next, OK?

00:07:19.680 --> 00:07:20.780
Oh, you want to go first?

00:07:20.860 --> 00:07:21.640
No problem.

00:07:24.540 --> 00:07:24.900
OK.

00:07:25.600 --> 00:07:27.100
I'm trying to track.

00:07:27.360 --> 00:07:30.880
And then you can see here we do have the 1, 2, 3 packets.

00:07:32.100 --> 00:07:35.480
And here in Dota you can see 1, 2, 3 as well.

00:07:35.480 --> 00:07:40.760
All right, Ham or Tanin, any thoughts about this conversation?

00:07:40.820 --> 00:07:41.460
Duration?

00:07:42.840 --> 00:07:43.700
Ah, here, OK.

00:07:44.600 --> 00:07:47.240
So you mean too long, is it?

00:07:47.740 --> 00:07:48.140
OK.

00:07:48.320 --> 00:07:48.560
Right.

00:07:48.940 --> 00:07:50.520
Next, anything else?

00:07:50.760 --> 00:07:51.840
Ham says no.

00:07:52.600 --> 00:07:54.160
Then Tanin, anything else?

00:07:57.600 --> 00:08:00.340
B to A are here.

00:08:01.880 --> 00:08:02.620
Ah, OK.

00:08:02.620 --> 00:08:06.020
That bit is quite high, is it?

00:08:08.920 --> 00:08:10.260
All right.

00:08:10.960 --> 00:08:13.700
From B to A means from client to the server.

00:08:15.920 --> 00:08:18.220
Sorry, from server to client.

00:08:19.580 --> 00:08:22.920
So it means the application is a bit slow to respond.

00:08:24.620 --> 00:08:25.320
OK.

00:08:26.720 --> 00:08:27.680
All right, that's all?

00:08:28.900 --> 00:08:29.480
All right.

00:08:29.560 --> 00:08:30.060
OK.

00:08:30.780 --> 00:08:32.020
So OK.

00:08:32.020 --> 00:08:32.900
All right.

00:08:33.260 --> 00:08:34.220
Back to...

00:08:36.120 --> 00:08:37.660
Let me zoom in first.

00:08:38.500 --> 00:08:40.160
Now it's easier for you to see.

00:08:40.720 --> 00:08:41.220
All right.

00:08:42.940 --> 00:08:47.320
First, let us recall the memory yesterday.

00:08:49.780 --> 00:08:57.780
Just now I mentioned from packet 6, from frame 6 to frame 7 here,

00:08:58.860 --> 00:09:05.500
when 6 jumps to 7, right, it takes 20 seconds.

00:09:06.320 --> 00:09:07.280
What does that mean?

00:09:09.200 --> 00:09:16.980
Means I waited for 20 seconds, over 20 seconds to receive the packet 7.

00:09:17.880 --> 00:09:19.800
What does that tell me?

00:09:21.220 --> 00:09:26.740
So the three-way handshake worked pretty quickly for the previous packets.

00:09:26.740 --> 00:09:30.740
At least about 100 milliseconds in the network latency.

00:09:31.400 --> 00:09:34.460
So my GET was sent off to the server.

00:09:35.500 --> 00:09:37.980
Again happened pretty quickly.

00:09:38.100 --> 00:09:40.360
The server acknowledged the packet 6.

00:09:41.600 --> 00:09:44.420
From here to here.

00:09:48.000 --> 00:09:50.780
So how many seconds it takes?

00:09:50.940 --> 00:09:56.000
So it's about 218 milliseconds, right?

00:09:57.280 --> 00:10:01.700
So no one, I mean no one is calling and complaining just yet.

00:10:02.240 --> 00:10:07.540
But 20 seconds, that's something you and I would complain about, isn't it?

00:10:07.800 --> 00:10:12.320
Like when you see you wait 20 seconds for the server,

00:10:12.560 --> 00:10:18.040
means the application to be load is nothing there.

00:10:18.880 --> 00:10:22.220
You can see a view is keep loading, the spinny view is keep loading.

00:10:22.220 --> 00:10:29.500
So I believe everyone when they look into the page, they will ask why, what is happening.

00:10:31.100 --> 00:10:34.540
So that's what I like to call a scream punching slow.

00:10:35.400 --> 00:10:38.460
So when things spinny view on you and you are thinking,

00:10:38.860 --> 00:10:42.720
why isn't that application loading and what is going there?

00:10:43.920 --> 00:10:47.420
So this was due to the application here.

00:10:48.420 --> 00:10:51.260
When server responded to the client,

00:10:52.060 --> 00:10:56.040
so that means this problem actually is due to the application.

00:10:57.480 --> 00:11:03.300
The application waited 20 seconds in order to send the response back to the client.

00:11:07.100 --> 00:11:12.200
So let me open again the work conversation box.

00:11:12.200 --> 00:11:17.000
Okay, first question.

00:11:17.460 --> 00:11:21.660
Just now I asked, since we only have one client, one server,

00:11:22.080 --> 00:11:29.160
but why we do have one, two, three, three unique MAC address.

00:11:31.280 --> 00:11:36.140
So let me think, maybe let me open this like this.

00:11:37.840 --> 00:11:40.140
Okay, never mind, come to here first.

00:11:41.940 --> 00:11:44.480
Let us jump back to the first packet.

00:11:46.920 --> 00:11:51.300
So normally if you want to check the MAC address, we will come to the layer 2.

00:11:52.380 --> 00:11:59.760
So let's say first packet is from client to server 172.16.0.13.

00:12:00.280 --> 00:12:02.020
What is the source MAC address?

00:12:02.440 --> 00:12:03.260
You can see.

00:12:03.260 --> 00:12:09.260
Okay, let me compare with the catalog here.

00:12:10.420 --> 00:12:12.380
Okay, 0C here.

00:12:12.720 --> 00:12:18.100
So that means 172, 0C is means 172.

00:12:18.320 --> 00:12:19.440
And then how about 100?

00:12:19.600 --> 00:12:21.840
100 is 6F.

00:12:22.320 --> 00:12:24.000
So these two are correct.

00:12:24.900 --> 00:12:27.000
Okay, let us go to the second packet.

00:12:27.880 --> 00:12:32.820
100 now becomes source, means the server becomes source because it responded.

00:12:33.280 --> 00:12:34.480
Okay, let me open the conversation.

00:12:35.920 --> 00:12:44.380
So just now 100 here, the server is having 6F MAC address, but now it becomes 7F MAC address.

00:12:44.480 --> 00:12:45.540
See, this one.

00:12:46.000 --> 00:12:50.180
And then the client 13 is having the same, 0C, 0C.

00:12:50.180 --> 00:12:53.120
So that means these two here.

00:12:53.280 --> 00:12:58.960
Sorry, let me open the laser pen.

00:13:02.240 --> 00:13:04.700
How can I open the laser pen?

00:13:07.100 --> 00:13:08.500
Okay, never mind, it's okay.

00:13:08.620 --> 00:13:09.700
I can't find it today.

00:13:10.220 --> 00:13:18.260
But anyway, so why we do have three MAC addresses but only two IP addresses?

00:13:18.260 --> 00:13:20.860
That I will explain in detail.

00:13:21.460 --> 00:13:23.880
So back to the slide.

00:13:24.640 --> 00:13:29.040
So I review the result here.

00:13:29.480 --> 00:13:33.220
So we notice that we do have three IP addresses.

00:13:33.580 --> 00:13:34.720
So that's one thing.

00:13:35.300 --> 00:13:43.620
Second, when we see packet B to A is 0, means the receiver not reply.

00:13:43.620 --> 00:13:55.620
Whatever is A or who is the A or who is the B, when sends the packet B to A, A not reply.

00:13:56.420 --> 00:13:58.260
Means the receiver not reply.

00:13:59.340 --> 00:14:12.980
And just now Tanin mentioned that the duration is too long because the packet actually is just 25 and 54 KB, right?

00:14:13.620 --> 00:14:15.800
It's not that huge data.

00:14:16.260 --> 00:14:21.520
But it took 114 and 156 seconds.

00:14:21.860 --> 00:14:24.120
So it's quite long.

00:14:24.960 --> 00:14:28.460
Third finding is about the bitrate.

00:14:28.920 --> 00:14:30.620
What is that mean?

00:14:32.040 --> 00:14:36.200
The bits per second, which is BPS.

00:14:38.080 --> 00:14:43.380
So 1737 bits per second is very slow.

00:14:43.640 --> 00:14:45.940
It's a slow data transfer.

00:14:48.020 --> 00:14:53.920
2750 is even slower, much more slower.

00:14:55.460 --> 00:14:59.740
And this is a one way communication only, but it took so long.

00:14:59.740 --> 00:15:05.980
So what is the possible causes of this low network behavior?

00:15:06.360 --> 00:15:08.740
We assume.

00:15:09.040 --> 00:15:11.300
So remember, we formed the hypothesis.

00:15:12.340 --> 00:15:20.180
Even though we always say that don't make the assumption first, but then we have to expect what is happening.

00:15:20.680 --> 00:15:22.260
We have to form the hypothesis.

00:15:22.740 --> 00:15:25.200
What if, what if, if something wrong?

00:15:25.400 --> 00:15:26.540
What if something wrong?

00:15:26.540 --> 00:15:29.560
So something like we guess what is the root cause.

00:15:30.120 --> 00:15:34.280
And then we try to narrow down the issue by different scenarios.

00:15:35.160 --> 00:15:42.180
OK, first, packet loss or no acknowledgement means no reply on the destination or from the server.

00:15:43.160 --> 00:15:47.820
Connection or routing issue, maybe network connection.

00:15:48.420 --> 00:15:54.480
It caused the device unreachable or unresponsive, like return 404.

00:15:54.480 --> 00:16:01.180
Firewall or security filtering, maybe preventing some responses from the server or from the application.

00:16:01.900 --> 00:16:06.060
Procrastal logging, OK, might be sending data that doesn't require a reply.

00:16:06.780 --> 00:16:11.540
So these are the possibilities of the causes.

00:16:15.980 --> 00:16:18.760
So let me go into the details.

00:16:19.760 --> 00:16:24.720
So no response traffic, 0 bytes from B to A.

00:16:25.000 --> 00:16:27.460
Both strings show these two strings.

00:16:28.820 --> 00:16:32.800
We have string 0 and string 1.

00:16:33.180 --> 00:16:43.920
And these two strings show 0 packets and 0 bytes here.

00:16:44.120 --> 00:16:47.320
So from B to A.

00:16:47.320 --> 00:16:49.780
Meaning the receiver did not reply.

00:16:50.080 --> 00:16:52.500
So what does that mean? What does that indicate?

00:16:53.720 --> 00:16:58.940
So I tried to find out four possibilities.

00:16:59.920 --> 00:17:08.580
So it's either network misconfiguration, like firewall dropping the responses or connection issue.

00:17:09.980 --> 00:17:15.960
It caused the device at the receiving end is down or unreachable.

00:17:15.960 --> 00:17:22.360
Or broadcast or unidirectional logging or ping message, right?

00:17:22.780 --> 00:17:27.440
So this is something that is weird.

00:17:27.980 --> 00:17:34.280
And then for the low bitrate again, these two are quite slow.

00:17:36.340 --> 00:17:43.140
So possibility is due to the retries or network congestion or limited link speed.

00:17:43.140 --> 00:17:46.460
So it caused the slow data transfer.

00:17:47.620 --> 00:17:58.680
And then long duration, it lasts for 114 and 156 seconds, which is long for such a small data site.

00:18:01.700 --> 00:18:06.800
So this indicates it's either a slow or delay in the network connection.

00:18:06.800 --> 00:18:14.800
So from this conversation, we already know this packet is having network slowness issue.

00:18:16.740 --> 00:18:22.920
This is extremely slow, especially for this bitrate.

00:18:23.100 --> 00:18:24.520
Very, very slow.

00:18:25.960 --> 00:18:31.020
Especially for the modern networks nowadays.

00:18:31.660 --> 00:18:33.980
So what is the suggestion?

00:18:33.980 --> 00:18:42.120
What is the troubleshooting solution when you are getting this packet?

00:18:42.720 --> 00:18:48.160
I would suggest, let's say, first thing.

00:18:48.500 --> 00:18:53.740
So I found there are three MAC addresses for only two IP addresses.

00:18:54.280 --> 00:18:58.300
Maybe, I am guessing maybe, there are some reasons.

00:18:58.540 --> 00:19:00.400
So I will talk about only one reason.

00:19:00.400 --> 00:19:03.640
Maybe it's due to the IP conflict.

00:19:04.760 --> 00:19:15.580
It's having duplicate IP or misconfiguration for two machines or two devices on the same network.

00:19:16.680 --> 00:19:21.020
So maybe they are externally configured with the same IP address.

00:19:22.980 --> 00:19:27.500
But they are having their own unique MAC address.

00:19:27.500 --> 00:19:29.640
So what is the reason?

00:19:30.220 --> 00:19:31.980
Maybe it's cloning.

00:19:32.360 --> 00:19:34.520
Maybe it's for the DHCP.

00:19:34.680 --> 00:19:37.860
Maybe they are using the manual static IP settings.

00:19:38.220 --> 00:19:42.000
So it causes two devices having the same IP address.

00:19:42.560 --> 00:19:44.720
And what is the consequences?

00:19:45.380 --> 00:19:51.980
It may cause the network instability or drop connections or slow network symptoms.

00:19:53.320 --> 00:19:55.600
So what can we do?

00:19:56.560 --> 00:20:02.920
We can check if the destination MAC address is valid and active.

00:20:04.420 --> 00:20:07.080
Because maybe it's due to the connection.

00:20:07.240 --> 00:20:10.740
So we can try to ping the MAC address.

00:20:11.420 --> 00:20:13.460
And then we can use the filters.

00:20:13.840 --> 00:20:17.160
For example, here.

00:20:18.260 --> 00:20:29.440
Maybe we can try to check whether it has the ICMP ping or DNS or tcp.analysis.

00:20:29.560 --> 00:20:34.160
Maybe here.

00:20:35.380 --> 00:20:41.420
Whether it has retransmission packets or not to check for the errors.

00:20:41.420 --> 00:20:47.300
So for this pre-lab, we don't have this retransmission or ICMP.

00:20:47.440 --> 00:20:52.520
But in the tomorrow's session, I will show you on those packets.

00:20:52.780 --> 00:20:53.560
For example.

00:20:54.360 --> 00:20:58.720
And then run a ping or traceroute to the destination to test the connectivity.

00:20:59.300 --> 00:21:02.800
Or verify the firewall rules for the endpoint behavior.

00:21:02.800 --> 00:21:05.800
All right.

00:21:08.520 --> 00:21:10.300
Back to the conversation.

00:21:12.480 --> 00:21:13.960
So here.

00:21:14.960 --> 00:21:18.800
In total, we receive 123 packets.

00:21:19.160 --> 00:21:22.420
So from here, there's no filter there.

00:21:22.540 --> 00:21:27.080
So it means the total packet size is 123.

00:21:27.540 --> 00:21:30.200
So it's matched with the conversation here.

00:21:30.200 --> 00:21:31.920
And then here.

00:21:32.400 --> 00:21:35.420
We do have 55 and 68.

00:21:35.740 --> 00:21:38.160
So that means in total it's 123 as well.

00:21:38.480 --> 00:21:39.440
It's correct.

00:21:40.980 --> 00:21:41.800
And let me check.

00:21:42.640 --> 00:21:47.920
The bytes here, 25 and 54.

00:21:48.100 --> 00:21:55.400
So in total, this 123, the size is 79 KB only.

00:21:55.520 --> 00:21:57.460
So it's a very small data size.

00:21:57.460 --> 00:22:05.080
So all the results here, the values from packet A to B, bytes A to B, actually is exactly the same as here.

00:22:05.160 --> 00:22:06.700
You can see.

00:22:08.820 --> 00:22:09.000
Here.

00:22:10.400 --> 00:22:14.160
So the duration is taking 156.

00:22:15.200 --> 00:22:23.960
And the bits per second, the bitrate from A to B is taking 1268 bits, 2748 bits.

00:22:23.960 --> 00:22:28.040
So it's either you are looking into the IPv4 tab or Internet tab.

00:22:28.100 --> 00:22:29.020
Actually, it's the same.

00:22:29.300 --> 00:22:41.020
You can find something wrong by looking into the duration, the bitrate, bits per second, and match with the data size.

00:22:41.920 --> 00:22:44.260
So that is the high level.

00:22:44.280 --> 00:22:50.940
I mean, the basic ways on how to looking into the problems.

00:22:50.940 --> 00:23:01.560
So if you think there are like a bunch of the packet list is too much for you to have a quick look on the traffic,

00:23:02.020 --> 00:23:05.860
just go into the conversation and take a look on this.

00:23:06.020 --> 00:23:10.080
This is the summary of the whole lot of packet list.

00:23:11.420 --> 00:23:12.000
OK.

00:23:12.800 --> 00:23:16.980
So, so far, any questions or comments you want to talk about?

00:23:16.980 --> 00:23:22.860
If no, then I will get you to jump into the quiz.

00:23:24.240 --> 00:23:31.800
Simple questions help you to know, recap what we have learned yesterday afternoon and today.

00:23:33.540 --> 00:23:34.020
OK.

00:23:35.120 --> 00:23:36.140
Back to the slide.

00:23:36.140 --> 00:23:36.820
OK.

00:23:39.360 --> 00:23:41.660
Before that, OK.

00:23:43.400 --> 00:23:54.540
Before that, so Ham and Tanin, I want to maybe let me know a bit further about what is the tool that you normally use for your analysis task.

00:23:55.060 --> 00:23:59.420
We do have a lot of tools, right, under the statistics here.

00:23:59.600 --> 00:24:03.940
So what is the tool that you are constantly using?

00:24:03.980 --> 00:24:04.700
Sorry, which one?

00:24:04.700 --> 00:24:05.580
Oh, flow graph.

00:24:05.740 --> 00:24:06.820
OK, flow graph.

00:24:08.080 --> 00:24:08.700
This one.

00:24:09.320 --> 00:24:11.260
OK, a little bit on the flow graph.

00:24:11.840 --> 00:24:12.600
OK, what else?

00:24:13.300 --> 00:24:13.580
OK.

00:24:13.720 --> 00:24:14.460
Oh, this one.

00:24:15.400 --> 00:24:18.440
Which one only you are using on round trip time?

00:24:18.640 --> 00:24:19.660
OK, OK.

00:24:19.920 --> 00:24:20.280
All right.

00:24:20.500 --> 00:24:23.400
So round trip time and the flow graph.

00:24:24.820 --> 00:24:25.340
OK.

00:24:26.500 --> 00:24:27.200
All right.

00:24:28.100 --> 00:24:31.660
So we do have this topic in the following lesson.

00:24:32.180 --> 00:24:32.520
All right.

00:24:32.520 --> 00:24:34.460
So I will.

00:24:35.320 --> 00:24:38.100
I think you already get this slide.

00:24:39.440 --> 00:24:40.040
OK.

00:24:41.380 --> 00:24:43.580
So you can click on the link.

00:24:43.720 --> 00:24:46.740
I will still share the link in the chat.

00:24:48.460 --> 00:24:51.060
Please open in a locker in a locker let up.

00:24:51.700 --> 00:24:56.300
I'm sending the link in the chat if you cannot find the slide.

00:24:56.540 --> 00:24:58.240
OK, just five questions.

00:24:58.600 --> 00:25:01.200
I hope you get a high score compared to yesterday.

00:25:01.200 --> 00:25:05.080
Try to answer it properly, one by one.

00:25:05.280 --> 00:25:06.580
Think about it.

00:25:06.800 --> 00:25:08.180
Just a quiz for your fun.

00:25:09.520 --> 00:25:11.840
OK, we take 10 minutes for this quiz.

00:25:12.660 --> 00:25:19.660
OK, after that, let us have a quick discussion about the quiz answer.

00:25:19.780 --> 00:25:23.940
And then we take a short break before we jump into the new lesson.

00:25:25.120 --> 00:25:29.820
OK, come back to you at 9.50.

00:25:29.820 --> 00:25:35.480
All right.

00:25:36.960 --> 00:25:37.520
Finish.

00:25:38.140 --> 00:25:38.760
OK, sure.

00:25:41.420 --> 00:25:42.860
All right.

00:25:43.120 --> 00:25:44.440
Let me take a look.

00:25:56.620 --> 00:25:58.440
OK, I found it.

00:25:58.500 --> 00:26:00.140
Sorry, the tech.

00:26:01.820 --> 00:26:02.420
Few seconds.

00:26:02.720 --> 00:26:05.560
OK, I can see your answer.

00:26:07.800 --> 00:26:10.780
So all right.

00:26:12.120 --> 00:26:15.320
OK, let me on the camera.

00:26:16.160 --> 00:26:19.220
So the first question, the time column.

00:26:20.620 --> 00:26:25.440
So what is the purpose of adding a time column in your Wireshark?

00:26:26.400 --> 00:26:28.040
Not is not the data time.

00:26:28.700 --> 00:26:32.280
This one is about the time column, the default column.

00:26:32.680 --> 00:26:33.080
Yeah.

00:26:33.600 --> 00:26:38.100
So actually is to highlight the arrival time differences between packets.

00:26:38.180 --> 00:26:38.720
Right.

00:26:38.720 --> 00:26:45.380
So for example, we can see this is starting from time 0.0.

00:26:45.640 --> 00:26:48.580
And then it's gradually increasing.

00:26:49.480 --> 00:26:55.220
And the total duration is 156 seconds.

00:26:55.600 --> 00:27:04.380
So that means the arrival time for, for example, for packet 3 is 106 milliseconds.

00:27:05.420 --> 00:27:07.620
Yes, it's not highlight the current timing.

00:27:07.620 --> 00:27:10.640
It's highlight the arrival time for each packet.

00:27:12.740 --> 00:27:12.820
OK.

00:27:13.220 --> 00:27:14.620
So how can you OK.

00:27:14.760 --> 00:27:15.760
Both of you are correct.

00:27:15.940 --> 00:27:17.360
Turn off the default coloring rules.

00:27:17.540 --> 00:27:19.900
It's a magic icon here.

00:27:20.420 --> 00:27:22.920
When they accidentally cricket while everything is gone.

00:27:23.060 --> 00:27:23.980
So you will feel shocked.

00:27:24.220 --> 00:27:24.960
What happened?

00:27:25.340 --> 00:27:26.340
But you click it back.

00:27:26.940 --> 00:27:29.620
The coloring rules that you already set will come back.

00:27:30.420 --> 00:27:30.780
OK.

00:27:31.500 --> 00:27:37.600
So remember, we can customize the coloring rules by using this coloring rules dialog.

00:27:37.600 --> 00:27:42.860
You can surf to the customized profile.

00:27:43.220 --> 00:27:44.360
The personal profile.

00:27:45.500 --> 00:27:51.560
Or copy from the default one and then repress or override the duplicate one.

00:27:53.720 --> 00:27:55.120
So move on.

00:27:55.440 --> 00:27:59.380
Why would you add a specific value as a column in Wireshark?

00:27:59.720 --> 00:28:00.940
Create custom protocols.

00:28:02.100 --> 00:28:02.900
OK.

00:28:03.380 --> 00:28:06.200
So that question means.

00:28:08.120 --> 00:28:09.260
Let's say.

00:28:10.340 --> 00:28:11.620
Let's say.

00:28:12.800 --> 00:28:14.420
I'm looking into the packet.

00:28:16.620 --> 00:28:17.320
First packet.

00:28:17.560 --> 00:28:19.680
This is the SYN flag.

00:28:20.680 --> 00:28:23.240
Like it is sending from client to server.

00:28:24.820 --> 00:28:27.700
So second is responded by the server.

00:28:28.140 --> 00:28:30.860
So I want to know what is the sequence number?

00:28:31.160 --> 00:28:33.000
What is the acknowledgement number?

00:28:33.000 --> 00:28:36.180
So that's why I expand.

00:28:37.240 --> 00:28:42.000
The TCP and then adding this column into here.

00:28:42.560 --> 00:28:44.380
So this is the questions.

00:28:45.700 --> 00:28:49.860
Means why I need to add a specific value as a column in Wireshark.

00:28:50.440 --> 00:28:51.320
What is that purpose?

00:28:51.320 --> 00:28:53.220
It's helped me.

00:28:53.280 --> 00:29:01.460
It's helped the network engineer or maybe protocol analyst or task engineer.

00:29:01.780 --> 00:29:08.780
They're able to highlight what is the important information for our quick analysis.

00:29:09.420 --> 00:29:12.440
So it's not to create a custom protocol for analysis.

00:29:12.600 --> 00:29:14.640
We are not creating the custom protocol.

00:29:15.060 --> 00:29:18.700
We are looking into the protocol from the packet summary.

00:29:18.700 --> 00:29:19.260
OK.

00:29:20.200 --> 00:29:23.440
So why are Wireshark profiles useful for analysts?

00:29:24.100 --> 00:29:25.720
Why the profile is important?

00:29:26.760 --> 00:29:33.780
Because they enable faster analysis by hiding the essential packets like the critical one.

00:29:34.920 --> 00:29:35.880
So when you.

00:29:37.700 --> 00:29:40.260
We are not customized the TCP behavior.

00:29:42.700 --> 00:29:44.020
Oh, OK.

00:29:44.340 --> 00:29:47.260
Different color schemes is the coloring rules.

00:29:47.260 --> 00:29:54.260
So this one, if we are creating the customization, let's say now.

00:29:57.640 --> 00:29:58.160
I.

00:29:58.160 --> 00:30:03.740
I open the mesh file profile dialog and from here I can add or remove.

00:30:04.300 --> 00:30:15.680
So means when I add a new profile here, it's under percent attack and then it will save everything in the current user interface, including the filtering button.

00:30:15.680 --> 00:30:25.500
Do you still remember, for example, that TCP and then filter is tcp.analysis.flags.

00:30:26.500 --> 00:30:30.740
So everything in here, including the coloring rules.

00:30:31.960 --> 00:30:33.280
Everything, everything.

00:30:33.740 --> 00:30:38.820
If you rename the column at a column, it was still inside this profile.

00:30:38.820 --> 00:30:46.100
So that means it will include every customization settings into this profile.

00:30:47.520 --> 00:30:52.800
To be enabled faster analysis by hiding the important packets.

00:30:55.000 --> 00:30:57.400
How can you add a custom column in Wireshark?

00:30:58.040 --> 00:30:58.680
OK.

00:30:58.700 --> 00:31:02.180
Access the preferences or settings and navigate to the columns section.

00:31:02.540 --> 00:31:03.180
Yes, correct.

00:31:03.680 --> 00:31:05.360
So there are few ways.

00:31:05.360 --> 00:31:21.860
Remember, we can write just right click and then we click column preferences and we can add a column under the column tab or we go to the edit preferences.

00:31:21.860 --> 00:31:24.540
It comes to the same location.

00:31:24.540 --> 00:31:31.580
Or we just right click, apply as column or drag and drop.

00:31:32.800 --> 00:31:34.840
To add a column address.

00:31:36.740 --> 00:31:39.160
So there are few methods to add a column.

00:31:41.820 --> 00:31:46.200
All right, so that's it for quiz.

00:31:47.960 --> 00:31:50.260
Let me write it back.

00:31:50.700 --> 00:31:51.080
All right.

00:31:51.180 --> 00:31:52.740
Well done for your quiz.

00:31:52.740 --> 00:31:57.520
I think that answer score is better than yesterday.

00:31:57.840 --> 00:32:04.120
So I hope you still can remember whatever you learned till now.

00:32:04.780 --> 00:32:04.860
OK.

00:32:05.200 --> 00:32:08.080
So let me open the slide.

00:32:09.760 --> 00:32:11.100
No problem.

00:32:13.200 --> 00:32:13.420
Yeah.

00:32:14.300 --> 00:32:14.860
OK.

00:32:16.600 --> 00:32:16.820
OK.

00:32:17.420 --> 00:32:25.520
So in lesson three, we are going to learn the more deeper about the statistic tools.

00:32:26.080 --> 00:32:32.780
But before that, do you want to have a short break now or after the first topic?

00:32:33.700 --> 00:32:37.740
If now, then we can take 15 minutes break before we jump into the next lesson.

00:32:37.880 --> 00:32:39.440
Oh, you guys are OK to proceed.

00:32:39.860 --> 00:32:41.660
At least we talk about the first topic.

00:32:41.660 --> 00:32:43.900
It's up to you.

00:32:44.320 --> 00:32:44.780
OK now.

00:32:45.060 --> 00:32:45.420
OK.

00:32:45.420 --> 00:32:45.800
It's OK.

00:32:45.860 --> 00:32:50.020
We take 15 minutes and then we come back at 10, 15.

00:32:51.060 --> 00:32:51.480
OK.

00:32:52.460 --> 00:32:52.780
All right.

00:32:52.840 --> 00:32:53.640
See you later.

00:33:02.960 --> 00:33:03.900
Welcome back.

00:33:04.740 --> 00:33:05.100
OK.

00:33:05.240 --> 00:33:09.160
Are you ready to continue our lesson?

00:33:10.340 --> 00:33:11.120
OK.

00:33:11.360 --> 00:33:11.860
Good.

00:33:12.460 --> 00:33:19.600
So next lesson, we are going to learn more about the statistic tools.

00:33:20.080 --> 00:33:27.740
I do have a one lab, which consists of I think more than 10 questions in the end of this lesson.

00:33:27.740 --> 00:33:39.480
I guess we took more than one hour for answering that question and also review it

00:33:40.780 --> 00:33:54.560
because there are quite a few questions that will really take some time for you to find from different tools or different configurations.

00:33:54.560 --> 00:34:00.180
So this is not like the exercise yesterday, which was the most straightforward.

00:34:00.180 --> 00:34:02.880
I ask you a question and give you some tips.

00:34:02.880 --> 00:34:03.740
Just follow.

00:34:04.140 --> 00:34:11.160
But today you need to take some time to think about it, where to find it, where to find the answer.

00:34:11.580 --> 00:34:11.760
OK.

00:34:12.200 --> 00:34:23.140
So I want to make this lesson three simple, but more interactive, because we are using some graphs or tools to look into the information.

00:34:23.140 --> 00:34:26.820
So we are still using the pre-lab slow network.

00:34:26.820 --> 00:34:28.240
Slow network pcap.

00:34:28.420 --> 00:34:28.820
OK.

00:34:30.160 --> 00:34:30.440
OK.

00:34:30.560 --> 00:34:39.840
So you can open that pcap file first on your desktop while I go to the next page.

00:34:39.860 --> 00:34:40.700
All right.

00:34:41.880 --> 00:34:42.560
OK.

00:34:43.480 --> 00:34:51.600
So like I mentioned just now, we are proceeding with lesson three using the statistics tools.

00:34:51.600 --> 00:34:56.340
And at the end of this lesson, we are going to have a lab exercise.

00:34:56.680 --> 00:35:13.940
And that exercise contains more than 10 questions which need your thinking and thought to find the question, sorry, to find the answer from different locations, from different tools, from different settings or even the packet details pane.

00:35:14.280 --> 00:35:14.340
OK.

00:35:14.920 --> 00:35:18.600
So I want to make this session to be more interactive.

00:35:18.890 --> 00:35:27.270
So later on, if you get any ideas or findings, then we can share them with each other.

00:35:27.470 --> 00:35:28.070
All right.

00:35:28.890 --> 00:35:31.950
So why do we need these statistics tools?

00:35:32.770 --> 00:35:32.850
OK.

00:35:32.950 --> 00:35:38.570
As we know, Wireshark is not just about capturing and staring at the packets, right?

00:35:38.890 --> 00:35:47.710
Especially in large captures, which consist of more than a few hundred or one thousand packets, the packet list is a lot.

00:35:48.730 --> 00:35:59.590
So when the issue is not in a single or a few frames, but maybe is spread in different parts of the pcap file.

00:36:00.250 --> 00:36:09.950
So it's a bit frustrating for us if it's huge and, I mean, spread over different locations.

00:36:09.950 --> 00:36:19.430
We need to take a lot of time and effort to go step by step or one by one to look into the packet details pane.

00:36:19.910 --> 00:36:21.150
It's very annoying.

00:36:21.150 --> 00:36:22.370
So.

00:36:24.110 --> 00:36:33.150
And you also often need to look beyond individual packets to get a broader view or identify the patterns, and know

00:36:34.430 --> 00:36:41.230
keying in the filtering, maybe you are using the regex expression or the special characters.

00:36:41.230 --> 00:36:52.570
So although Wireshark is not a statistical tool, it includes quite some powerful analytic modules that you can use to quickly understand the traffic flow structure.

00:36:53.490 --> 00:37:10.590
So, again, in this lesson, we are starting to look at a series of statistical tools which are grouped under the name I/O graph, and also using this I/O graph to identify the top talkers.

00:37:10.590 --> 00:37:14.570
OK, I found the laser pointer here.

00:37:15.930 --> 00:37:20.650
So, and also the graph that you are familiar with is the flow graph.

00:37:21.710 --> 00:37:25.030
And also the long round trip time graph.

00:37:25.290 --> 00:37:35.830
And I will also introduce how to personalize your I/O graph and also the time sequence graph under the TCP stream.

00:37:35.830 --> 00:37:36.890
OK.

00:37:37.610 --> 00:37:38.270
All right.

00:37:38.670 --> 00:37:49.810
So by using this graph, it can help you to see the flow in a way that you will understand the logic of the exchanges, even in very large captures.

00:37:50.830 --> 00:38:00.310
So I will then show you how to identify the different machines exchanging information in your capture and follow the top talkers.

00:38:00.310 --> 00:38:06.370
So remember the conversation dialogue that we learned in the lesson just now.

00:38:07.270 --> 00:38:10.750
We learned how to follow the conversations and the streams, right?

00:38:10.750 --> 00:38:13.430
We have two streams, stream one and two.

00:38:13.770 --> 00:38:19.390
It has a unique stream ID to isolate the specific traffic of interest.

00:38:20.510 --> 00:38:21.970
OK, so it will help you.

00:38:22.230 --> 00:38:24.950
These tools will help you to go beyond layer two.

00:38:25.950 --> 00:38:29.990
And you can learn how to identify the machines or protocols.

00:38:30.170 --> 00:38:34.670
For example, we do have the TCP in the pre lab.

00:38:34.670 --> 00:38:37.550
So this network only has TCP.

00:38:37.990 --> 00:38:43.030
So we can see the number of the TCP transactions.

00:38:43.770 --> 00:38:48.670
We can see the number of TCP transactions in that conversation dialog.

00:38:50.210 --> 00:39:00.070
So the protocol tab is showing with the name instead of the list of applications, or visualizes the protocol hierarchy throughout the entire capture file.

00:39:01.550 --> 00:39:04.550
OK, so you can modify the view.

00:39:05.110 --> 00:39:07.770
You can add a filtering to customize the graph.

00:39:07.810 --> 00:39:10.250
It will help you to spot the anomalies.

00:39:10.250 --> 00:39:18.330
OK, so when you get comfortable with the tools, I will let you jump into the lab exercise.

00:39:19.170 --> 00:39:28.270
And probably you can customize the tools that we learned and created, and retain the functions that help you the most.

00:39:28.350 --> 00:39:33.590
All right, so let's get started and jump into the first one.

00:39:34.590 --> 00:39:43.590
OK, so before we jump into the I/O graph, let me quickly summarize what the statistics can help you with.

00:39:44.310 --> 00:39:58.270
So under this Statistics menu, we can see a lot of different opportunities to see things about our packet capture, either a saved file or a live running capture.

00:39:59.270 --> 00:40:05.150
So by using the tools, we can quickly see the total packets.

00:40:05.310 --> 00:40:09.110
Remember the total packets, 123, for this pcap file.

00:40:09.490 --> 00:40:22.450
We can see the total packet amount and the time, meaning the duration, and also the packet size in bytes that is sent in this network traffic.

00:40:23.710 --> 00:40:26.850
OK, and we can also see the comments.

00:40:26.850 --> 00:40:30.210
I'm not sure whether you know about it.

00:40:30.210 --> 00:40:36.470
We do have the capture file properties that I will show you.

00:40:36.750 --> 00:40:42.250
So I'm not sure whether you know about it or you use it frequently or not.

00:40:42.550 --> 00:40:44.010
But that I will show you.

00:40:44.450 --> 00:40:47.030
So in there, we can add a comment.

00:40:47.030 --> 00:40:53.810
So later on, I will also add a comment inside that properties dialog.

00:40:53.930 --> 00:40:58.270
So you can answer me by editing a comment and then saving it.

00:40:58.270 --> 00:41:05.630
So I can go into Wireshark on your desktop and then just check your answer.

00:41:05.630 --> 00:41:09.590
OK, so and also we can find the top talkers.

00:41:09.650 --> 00:41:25.810
That means who is the chattiest device in your packet capture, and also view the conversations and throughput, and even resolve the addresses for the clients and servers in the capture or live.

00:41:25.810 --> 00:41:35.630
We can also create customized I/O graphs that can be stored per configuration profile.

00:41:35.630 --> 00:41:37.930
Remember, we do have the customized profile.

00:41:38.630 --> 00:41:43.990
So overall, this Statistics menu is very, very powerful.

00:41:44.870 --> 00:41:47.450
OK, let's jump into the I/O graph.

00:41:47.930 --> 00:41:48.610
All right.

00:41:48.610 --> 00:41:57.290
So before I proceed, I want you to open your desktop again and open Wireshark.

00:41:58.090 --> 00:42:03.390
So go to the Statistics menu and then.

00:42:03.890 --> 00:42:09.530
Use a mouse to point to the I/O graph and click it.

00:42:10.510 --> 00:42:15.750
So you will get the first glance of the I/O graph in the default view.

00:42:15.750 --> 00:42:20.810
So in here you can see I already added some customized filtering.

00:42:22.370 --> 00:42:24.310
And also different color.

00:42:26.090 --> 00:42:35.210
So let me open Wireshark and then I will monitor your desktop now.

00:42:37.790 --> 00:42:40.910
OK, I can see both you are there.

00:42:41.490 --> 00:42:42.770
All right. OK.

00:42:42.770 --> 00:42:48.330
So this is the pre-lab slow network pcap file.

00:42:49.650 --> 00:42:51.110
Let me see.

00:42:53.290 --> 00:42:56.230
The surface I want to.

00:42:57.090 --> 00:42:58.290
All right. Oh, OK.

00:42:58.750 --> 00:43:03.270
I can see you have the TCP errors.

00:43:04.410 --> 00:43:09.010
Is that a filter that already exists in the packet file or you edit by yourself?

00:43:09.810 --> 00:43:11.510
The TCP errors.

00:43:13.170 --> 00:43:13.850
OK.

00:43:15.530 --> 00:43:16.830
All right, I think I start.

00:43:18.350 --> 00:43:19.630
OK, never mind.

00:43:20.830 --> 00:43:24.190
So right now, let me put side by side.

00:43:24.570 --> 00:43:26.430
Let me remove this column.

00:43:31.130 --> 00:43:34.410
OK, now the time is very important, very important.

00:43:34.410 --> 00:43:35.590
So.

00:43:39.190 --> 00:43:45.090
The Y axis, we can see, is the packet amount per second.

00:43:45.490 --> 00:43:49.130
Actually, we can switch different options.

00:43:49.670 --> 00:43:55.110
But normally I would prefer to use the second as an interval the most.

00:43:55.470 --> 00:44:00.990
Because if you choose the millisecond, it will become very, very small interval.

00:44:00.990 --> 00:44:03.110
It's very hard for us.

00:44:04.210 --> 00:44:05.430
To do the analysis.

00:44:06.630 --> 00:44:10.510
So normally I would choose one second as an interval per packet.

00:44:11.530 --> 00:44:14.990
And also the X axis is the.

00:44:15.970 --> 00:44:19.050
Time the unit is the second.

00:44:19.790 --> 00:44:22.190
So from here, you can see, wow.

00:44:22.710 --> 00:44:25.290
OK, it's go up to how many packets?

00:44:26.290 --> 00:44:31.910
Um, it's about 35 packets during this duration.

00:44:31.910 --> 00:44:37.790
From maybe 23 seconds until 25.

00:44:38.410 --> 00:44:42.050
So by comparing with this packet list.

00:44:42.950 --> 00:44:43.270
OK.

00:44:44.970 --> 00:44:49.690
OK, here from 10 the one second.

00:44:50.110 --> 00:44:52.530
OK, let me start it.

00:44:53.290 --> 00:44:57.530
OK, from 21, that means it's number 14.

00:44:58.530 --> 00:45:00.950
To 60 to 62.

00:45:01.730 --> 00:45:03.510
OK, so you can know.

00:45:03.810 --> 00:45:06.170
You can try to zoom in and zoom out.

00:45:06.710 --> 00:45:09.530
So 21, let's say this is 21.

00:45:10.710 --> 00:45:13.390
Yeah, so you can see how many packets.

00:45:14.490 --> 00:45:16.590
Around 21 seconds.

00:45:17.330 --> 00:45:20.270
So that is exactly match with the packet list.

00:45:20.270 --> 00:45:23.330
So do you need to count it by yourself manually?

00:45:23.590 --> 00:45:27.590
No need. You just look into this I/O graph.

00:45:29.050 --> 00:45:30.730
All right, so.

00:45:31.470 --> 00:45:33.250
Don't need to spend a lot of time.

00:45:33.750 --> 00:45:35.470
I want you to tell me.

00:45:35.510 --> 00:45:38.190
I want you to tell me from this packet.

00:45:39.350 --> 00:45:40.210
The I/O graph.

00:45:40.930 --> 00:45:42.890
Let me press zero.

00:45:44.310 --> 00:45:46.550
When you press zero.

00:45:46.550 --> 00:45:48.590
Once or.

00:45:49.910 --> 00:45:52.650
Or twice, you are back to the default view.

00:45:53.190 --> 00:45:54.830
OK, from here.

00:45:55.530 --> 00:45:56.210
Right here.

00:45:57.090 --> 00:45:58.730
Until 100.

00:46:01.670 --> 00:46:05.670
Around 125 or 23 seconds.

00:46:06.770 --> 00:46:08.070
What happened?

00:46:09.230 --> 00:46:11.530
And what's wrong with the.

00:46:12.010 --> 00:46:13.990
What's wrong with the packet capture?

00:46:14.710 --> 00:46:16.890
Can you share your idea?

00:46:18.990 --> 00:46:23.350
Only one feedback about this I/O graph from each of you.

00:46:23.670 --> 00:46:25.570
Dunwin and Hem, I want you to talk.

00:46:26.670 --> 00:46:26.990
OK.

00:46:28.650 --> 00:46:29.070
All right.

00:46:29.310 --> 00:46:31.230
Any comments or any thoughts, feel free.

00:46:31.530 --> 00:46:32.730
No wrong or right.

00:46:33.910 --> 00:46:34.170
OK.

00:46:35.070 --> 00:46:37.350
Hem, now it's your turn to go first.

00:46:40.830 --> 00:46:41.270
OK.

00:46:41.270 --> 00:46:42.490
So.

00:46:42.770 --> 00:46:46.510
So what is your finding from the I/O graph?

00:46:47.770 --> 00:46:48.310
Any idea?

00:46:48.450 --> 00:46:49.110
Packet loss.

00:46:49.810 --> 00:46:49.990
OK.

00:46:50.670 --> 00:46:52.610
From where can you see it's dropped?

00:46:53.590 --> 00:46:53.970
From where?

00:46:54.010 --> 00:46:55.090
You mean here?

00:46:56.290 --> 00:46:57.570
OK, from here onwards.

00:46:58.650 --> 00:47:00.610
OK, from 25 seconds onwards.

00:47:01.190 --> 00:47:01.730
Maybe.

00:47:03.050 --> 00:47:03.770
The packet is dropped.

00:47:04.990 --> 00:47:05.330
OK.

00:47:06.670 --> 00:47:06.750
OK.

00:47:06.830 --> 00:47:07.430
Router.

00:47:07.870 --> 00:47:08.190
A firewall.

00:47:09.170 --> 00:47:09.550
OK.

00:47:10.510 --> 00:47:16.670
Because it's over the size that the switch can handle.

00:47:18.430 --> 00:47:19.810
Or the device can handle.

00:47:21.190 --> 00:47:24.230
So it will cause the packet drop or loss.

00:47:25.090 --> 00:47:25.470
OK.

00:47:26.570 --> 00:47:27.490
What else?

00:47:28.070 --> 00:47:29.010
Not turning?

00:47:32.330 --> 00:47:35.310
I don't have the exercise about the graph.

00:47:35.310 --> 00:47:39.330
But then I will have an exercise in the overall picture.

00:47:39.930 --> 00:47:40.610
OK.

00:47:41.230 --> 00:47:42.210
So never mind.

00:47:42.430 --> 00:47:43.190
All right.

00:47:43.490 --> 00:47:45.950
So back to the slide.

00:47:48.510 --> 00:47:52.770
I'm capturing the screenshot for the I/O graph.

00:47:53.050 --> 00:47:55.690
I think you are seeing the same as mine, right?

00:47:55.810 --> 00:47:56.450
The screenshot.

00:47:56.870 --> 00:48:04.890
You do have the TCP errors with the red background color and the line color.

00:48:07.790 --> 00:48:11.890
And also the HTTP filter in yellow color.

00:48:13.390 --> 00:48:13.430
OK.

00:48:13.630 --> 00:48:13.890
Let me.

00:48:14.790 --> 00:48:16.710
Three-way handshake is not complete.

00:48:17.910 --> 00:48:18.330
OK.

00:48:18.790 --> 00:48:19.210
OK.

00:48:19.450 --> 00:48:23.710
So from where you can see the three-way handshake is not complete?

00:48:24.850 --> 00:48:26.430
In the packet list, is it?

00:48:28.710 --> 00:48:28.890
OK.

00:48:29.070 --> 00:48:29.730
OK.

00:48:29.850 --> 00:48:30.970
The SYN-ACK.

00:48:31.410 --> 00:48:36.050
If you don't see the SYN-ACK packet.

00:48:36.470 --> 00:48:37.030
OK.

00:48:37.930 --> 00:48:38.390
All right.

00:48:38.430 --> 00:48:38.710
OK.

00:48:38.710 --> 00:48:39.410
Good try.

00:48:42.390 --> 00:48:44.430
So I won't show this in Wireshark.

00:48:44.610 --> 00:48:47.050
I will use the screenshot as in the slide.

00:48:47.110 --> 00:48:49.490
I think it's the same as your screen.

00:48:49.970 --> 00:48:50.170
OK.

00:48:50.170 --> 00:48:51.730
Let me double-check.

00:48:57.790 --> 00:48:58.350
OK.

00:48:58.810 --> 00:48:59.050
OK.

00:48:59.610 --> 00:49:03.830
It's OK to ignore the HTTP because it doesn't matter.

00:49:03.910 --> 00:49:05.950
It's not related to this packet analysis.

00:49:07.070 --> 00:49:09.070
We don't have that error for HTTP.

00:49:09.190 --> 00:49:10.870
We only got the TCP errors.

00:49:12.090 --> 00:49:12.310
All right.

00:49:12.350 --> 00:49:13.510
Back to here.

00:49:15.050 --> 00:49:15.210
OK.

00:49:17.010 --> 00:49:22.770
So first, you can see, just now I mentioned, if you want to look into the smaller level,

00:49:23.190 --> 00:49:26.970
you can change it to milliseconds or even larger.

00:49:27.510 --> 00:49:30.490
And you can try to zoom in and zoom out.

00:49:30.810 --> 00:49:37.730
If you, like, go somewhere too far off the screen and you want to go back to the default view,

00:49:38.010 --> 00:49:42.230
Just press the zero button once or twice.

00:49:42.230 --> 00:49:43.710
You will reset the graph.

00:49:45.150 --> 00:49:45.230
OK.

00:49:45.430 --> 00:49:46.950
So this is very, very handy.

00:49:48.750 --> 00:49:54.110
You can tell in the title of the I/O graph, meaning input output, that we are working with a live capture.

00:49:55.910 --> 00:49:56.510
OK.

00:49:57.590 --> 00:50:08.650
So if you get the I/O graph, normally I will save it as a PDF file or a PNG picture.

00:50:09.570 --> 00:50:23.310
Why I want to save it as a picture is because it's easier for me to attach it in a report and present it to the client or any stakeholders.

00:50:24.970 --> 00:50:26.190
So that's what I did.

00:50:26.190 --> 00:50:41.070
If you want to attach this information, especially to save the data points on the graph as a CSV file for later use in an external program like Microsoft Excel,

00:50:41.590 --> 00:50:43.450
you can just click the copy button.

00:50:43.930 --> 00:50:47.130
So now we are using one second as the interval.

00:50:47.890 --> 00:50:50.110
So what is our key observation?

00:50:50.110 --> 00:50:52.650
First, it's very obvious.

00:50:53.490 --> 00:50:54.270
The spike.

00:50:54.890 --> 00:50:56.530
Can you see?

00:50:57.090 --> 00:51:03.970
It's a sharp burst of packet activity seen between 15 and 20 seconds.

00:51:04.090 --> 00:51:08.050
It's peaking at nearly like 50 packets per second.

00:51:09.010 --> 00:51:09.550
So again.

00:51:10.210 --> 00:51:16.850
So when you look into Wireshark, you can apply different filters.

00:51:17.790 --> 00:51:26.350
When you apply different filters and you go to a statistics tool, the result may be slightly different.

00:51:26.910 --> 00:51:29.850
It depends on the filter that you put.

00:51:30.610 --> 00:51:36.470
So by looking into this screenshot, you can see it's a spike.

00:51:37.290 --> 00:51:38.310
It's a sharp burst.

00:51:38.470 --> 00:51:44.370
You can see this one is go to the top and then go down.

00:51:44.370 --> 00:51:47.430
Maybe after like one or two seconds immediately.

00:51:47.850 --> 00:51:49.090
So it's like a peak.

00:51:50.690 --> 00:51:55.570
And this burst likely corresponds to the main data transfer or ordinary event.

00:51:56.190 --> 00:52:02.050
So why it goes up and down and becomes a sharp burst,

00:52:02.310 --> 00:52:05.490
that is something maybe we need to take a look at.

00:52:05.690 --> 00:52:12.850
OK, so after this, I purposely created the TCP errors with this TCP analysis.

00:52:12.850 --> 00:52:24.550
I want the I/O graph to show what the potential TCP problems are in this network traffic.

00:52:24.910 --> 00:52:32.690
OK, so from here you can see it's around.

00:52:33.250 --> 00:52:37.930
OK, let me open the I/O graph so you can see it's around.

00:52:38.790 --> 00:52:41.750
You can see order because it's very small.

00:52:41.750 --> 00:52:43.710
OK, let me open again.

00:52:44.010 --> 00:52:54.650
You can see between 15 and 25 seconds and then at nearly like 50 packets per second in here.

00:52:56.270 --> 00:53:03.890
And also, again, it's about 70 seconds until 110 seconds.

00:53:04.310 --> 00:53:06.290
You can see the TCP errors go up.

00:53:07.290 --> 00:53:23.830
So those errors may indicate maybe packet retransmission, or we receive duplicate acknowledgements from the server, or zero window segments, or other TCP level issues.

00:53:25.070 --> 00:53:28.250
That one was the finding and observation.

00:53:28.250 --> 00:53:28.950
OK.

00:53:30.190 --> 00:53:38.030
Just now, I think I mentioned, or you mentioned, that it is like a sharp burst, a peak.

00:53:38.490 --> 00:53:44.010
But then after 25 seconds until 150 seconds.

00:53:45.590 --> 00:53:48.210
Here, what happened is a quiet period.

00:53:50.210 --> 00:53:56.250
Very few packets are observed; it's idle, it's like a kind of idle period.

00:53:56.250 --> 00:53:59.250
So it's a long period of inactivity.

00:54:00.250 --> 00:54:01.250
What happened?

00:54:01.410 --> 00:54:03.470
What happened to this idle stage?

00:54:04.090 --> 00:54:08.250
It may be due to maybe a stalled connection.

00:54:08.970 --> 00:54:11.390
Or due to network congestion.

00:54:11.770 --> 00:54:17.310
Maybe it's due to like switch problem, like what I mentioned, or firewall.

00:54:17.730 --> 00:54:21.910
It broke or it delayed the application layer.

00:54:21.910 --> 00:54:22.990
OK.

00:54:23.550 --> 00:54:26.790
So that's what we encounter.

00:54:28.790 --> 00:54:32.430
In this packet capture and observed.

00:54:32.630 --> 00:54:43.830
OK, so this tcp.analysis is actually a very important display filter because it includes things like retransmission, out of order, or duplicate.

00:54:47.010 --> 00:54:58.210
So, again, we can see what happened in the I/O graph, showing some symptoms of a slow or problematic network.

00:54:59.510 --> 00:55:02.530
The TCP errors or long idle period.

00:55:03.430 --> 00:55:13.010
OK, so I think that's the finding for this pre-lab slow network, and then how to customize it.

00:55:13.010 --> 00:55:16.070
So I want you to play around with this.

00:55:16.210 --> 00:55:17.550
I want you to customize.

00:55:18.790 --> 00:55:22.050
Maybe I will give you a done.

00:55:22.490 --> 00:55:25.450
I'll give you a filter.

00:55:25.990 --> 00:55:26.010
All right.

00:55:26.910 --> 00:55:29.970
Open your Wireshark and I/O graph.

00:55:30.710 --> 00:55:35.390
I want you to add multiple lines with different display filters.

00:55:36.630 --> 00:55:40.570
And then save it as a JPEG file and come back here.

00:55:42.730 --> 00:55:44.730
So let's say.

00:55:47.090 --> 00:55:48.830
Just OK.

00:55:49.270 --> 00:55:54.070
We do have one, two, three, four, four potential TCP errors.

00:55:55.010 --> 00:55:58.570
And just now, Tony mentioned that.

00:55:59.490 --> 00:56:01.770
SYN-ACK response, right?

00:56:02.350 --> 00:56:04.130
Maybe it's not complete because.

00:56:04.130 --> 00:56:06.730
We lost the SYN-ACK response.

00:56:06.890 --> 00:56:12.690
Remember, yesterday we learned how to add the filter for filtering the SYN-ACK.

00:56:13.150 --> 00:56:17.450
So if you forgot the syntax, just click any one of the SYN-ACK responses.

00:56:18.150 --> 00:56:19.690
Expand the TCP.

00:56:22.010 --> 00:56:25.790
And then expand the flags and then drag it.

00:56:29.070 --> 00:56:38.130
OK, now we can select it and select it because we want the two filter conditions applied.

00:56:38.610 --> 00:56:43.570
OK, so copy it and then put it inside your I/O graph and show me.

00:56:43.670 --> 00:56:48.650
Save it as a PDF file or JPEG file and then let me check.

00:56:49.370 --> 00:56:50.410
OK, go ahead.

00:56:50.410 --> 00:56:55.510
A little bit lower.

00:56:57.450 --> 00:56:58.690
Let's try it a little lower.

00:57:00.430 --> 00:57:02.550
Just a little bit lower and we'll have it show up.

00:57:02.890 --> 00:57:03.730
Just a little bit lower.

00:57:27.410 --> 00:57:30.470
Okay, I can see you've already added.

00:57:31.590 --> 00:57:41.550
Can you generate as the PDF report and Dhani, maybe you can generate as a JPEG or PNG file

00:57:41.550 --> 00:57:42.830
as a picture.

00:57:45.490 --> 00:57:55.030
And then open the exported file and show me. Okay, all right, I saw it.

00:57:55.830 --> 00:58:04.030
How about Hem? You can generate it as a PDF file. PDF, okay. So open the PDF file

00:58:04.030 --> 00:58:10.330
that you exported. Okay, all right, so while waiting for Hem to open the PDF

00:58:10.330 --> 00:58:20.570
file. Dhani, go back to the I/O graph. Okay, try to zoom in. Zoom in. Just scroll your

00:58:20.570 --> 00:58:26.310
mouse closer. Like make it larger. Zoom in, something like that. Okay, something like

00:58:26.310 --> 00:58:33.430
that. Okay, so show me how to restore back to the default view. So right

00:58:33.430 --> 00:58:39.170
now I can see, wow, I want to see the, no, I don't want to see this overall

00:58:39.170 --> 00:58:46.150
picture. I want to see the default one, the original size. Okay, no, don't use

00:58:46.150 --> 00:58:52.570
the dialog. Use your keyboard. Press the zero button. You can try to press one

00:58:52.570 --> 00:58:58.470
time zero button in your keyboard. Just press zero button. Okay, so how many

00:58:58.470 --> 00:59:04.470
times you press? One time or two times? I cannot hear you. I think you are muted.

00:59:04.470 --> 00:59:11.470
Okay, good. So press the zero button one time. You are back to the default view. So Hem,

00:59:11.530 --> 00:59:18.030
show me your PDF file. Okay, okay, I saw it. All right, so this is something that

00:59:18.030 --> 00:59:22.470
I normally use and attach in our report to show that, okay, I can

00:59:22.470 --> 00:59:29.030
explain, put some observations in the notes there. The idle period with

00:59:29.030 --> 00:59:35.910
the TCP error if you want to show the error with the highlighted color. So

00:59:35.910 --> 00:59:42.530
it's able to tell the user that something is wrong because it has a

00:59:42.530 --> 00:59:49.130
quiet period. And also the tcp.analysis.flags, this is something like

00:59:49.130 --> 00:59:56.030
potential problems with retransmission, duplicate ACKs, etc., etc. Okay, all

00:59:56.030 --> 01:00:05.250
right, so back to my slide. Okay, so we're already done with personalizing the

01:00:05.250 --> 01:00:12.990
I/O graph. So I can put the graph name as TCP ACK if I only want to see the

01:00:12.990 --> 01:00:18.490
filter with flags.ack equal to true. And then I can choose

01:00:18.490 --> 01:00:25.030
different style. So see, it's very interesting. I can see a lot of dots

01:00:25.030 --> 01:00:31.810
inside the graph. So the I/O graph actually is very powerful because you

01:00:31.810 --> 01:00:36.550
can customize it by entering many different display filters. It's not a

01:00:36.550 --> 01:00:41.270
capture filter, instead it's a display filter. After you capture the

01:00:41.270 --> 01:00:49.030
file, then you just filter it with the displaying packet list. So we can

01:00:49.030 --> 01:00:55.910
set it as a simple packet visualized graph. It depends on the

01:00:55.910 --> 01:01:02.270
filtering that you filter here. So for example, in our packet

01:01:02.270 --> 01:01:10.970
summarized list, we do have 123 packets. But then in the

01:01:10.970 --> 01:01:17.490
I/O graph, if you want to filter it to become a smaller size, then you just put

01:01:17.490 --> 01:01:25.390
a different filter here, right? You can reduce the size of your graph. So let's

01:01:25.390 --> 01:01:33.390
say, okay, I want to like, I want to get the filter with retry. If let's

01:01:33.390 --> 01:01:40.110
say I have the reset packet, I have the retransmission packet, you can try

01:01:40.110 --> 01:01:45.130
to fill in different filter with different coloring of the line or bar.

01:01:45.930 --> 01:01:51.210
Okay, or if I want to see, find any, like, ICMP

01:01:53.210 --> 01:02:00.150
packet, I can also put the display filter in here with the

01:02:00.150 --> 01:02:07.410
HTTP or DNS. If maybe, I'm assuming maybe the server will or the client

01:02:07.410 --> 01:02:12.630
will use that different protocol for the TCP errors happening. Okay.

01:02:13.770 --> 01:02:21.730
So there are many, many filters that you can put. So just a side note, if you

01:02:21.730 --> 01:02:26.470
have a list of common filters that you normally use, you just put

01:02:26.470 --> 01:02:31.690
inside a note and you can just copy paste. Otherwise it's very hard for you to

01:02:31.690 --> 01:02:36.910
like realize, okay, which is the powerful or useful filtering that

01:02:37.610 --> 01:02:42.830
it will be helpful for your packet analysis task. Okay. I think I won't

01:02:42.830 --> 01:02:47.050
ask you to do any exercise for this personalizing the I/O graph because we

01:02:47.050 --> 01:02:51.350
already done it in the exercise just now. Okay. It's just a quick

01:02:51.350 --> 01:02:55.990
exercise because I want you to experience it by generating the I/O graph

01:02:55.990 --> 01:03:02.350
and exporting it as a different file extension like PDF or JPEG. Okay.

01:03:02.350 --> 01:03:12.010
All right. Okay. So the capture file properties that I already showed you

01:03:12.010 --> 01:03:17.070
just now and mentioned that we can add a comment in here. This is the

01:03:17.070 --> 01:03:21.870
comment. I won't ask you to do an exercise right now for this capture

01:03:21.870 --> 01:03:32.130
file property because we do have the lab after that. Okay. Let me

01:03:32.130 --> 01:03:38.950
using because you can see the statistic here. Well, it helped us to

01:03:38.950 --> 01:03:44.870
summarize everything. So what happened? Okay. For example, for

01:03:44.870 --> 01:03:52.550
example, I want to compare. I want to compare the display

01:03:52.550 --> 01:03:58.150
capture with the, okay, the display filter with the capture

01:03:58.150 --> 01:04:04.790
filter. And now I don't enter any display filter yet. So those two

01:04:04.790 --> 01:04:12.510
statistics exactly match. But what if I want to find those

01:04:12.510 --> 01:04:20.830
potential TCP errors and then open again the capture file properties.

01:04:21.630 --> 01:04:29.070
So it helped me to refresh the statistic again. So it's easier for

01:04:29.070 --> 01:04:35.390
us to do the comparison. Okay. So by using this example, let me end

01:04:35.390 --> 01:04:42.150
the slide sharing first. Okay. So, okay. From here, what you have

01:04:42.150 --> 01:04:47.090
seen? What have you seen? Okay. Maybe we look from here first.

01:04:47.810 --> 01:04:57.630
Okay. So I can know it starts from when and what time. And it

01:04:57.630 --> 01:05:05.570
lasts and ended at when and what time. And how many seconds it

01:05:05.570 --> 01:05:12.590
took in the overall. So now I can see it took two minutes 36

01:05:12.590 --> 01:05:19.310
seconds of the total time for the capturing. Okay. So if I

01:05:19.310 --> 01:05:25.190
want to analyze the troubleshooting, slowness of the

01:05:25.190 --> 01:05:30.730
network or a performance issue. Okay. So a few key things to

01:05:30.730 --> 01:05:34.630
stand out. Only four packets are displayed out of the 123

01:05:34.630 --> 01:05:42.050
captured. So this might suggest there is very little

01:05:42.050 --> 01:05:47.570
traffic. So this is what I purposely did to highlight the

01:05:47.570 --> 01:05:53.330
display statistic here. Okay. So the average packet size is

01:05:53.330 --> 01:05:57.510
fairly small. How many? Size? How much of the size? It's

01:05:57.510 --> 01:06:02.350
639 bytes. And the overall traffic rate is

01:06:02.350 --> 01:06:07.330
very slow. Why I know that? Because remember, we do have

01:06:07.660 --> 01:06:11.880
the bit rate, bits per second. And now it's showing the

01:06:11.880 --> 01:06:17.660
average bits per second is 4017, which means

01:06:17.660 --> 01:06:25.400
about four Kbps. So this is that means the traffic rate is

01:06:25.400 --> 01:06:32.440
very slow, very low in our overall traffic rate. Okay.

01:06:32.440 --> 01:06:37.940
So this is considered low traffic. And I can add some

01:06:37.940 --> 01:06:45.540
comment. Okay. So let's say I want to add a comment. So

01:06:48.040 --> 01:06:50.180
low traffic with

01:06:56.100 --> 01:07:01.000
only 4 Kbps. Okay. What else do you want to add? The

01:07:01.960 --> 01:07:09.580
average packet size is fairly small. It's only

01:07:09.600 --> 01:07:17.280
639 bytes in total. Maybe the overall traffic rate

01:07:19.080 --> 01:07:20.660
is quite low.

01:07:21.300 --> 01:07:26.860
Okay. About. Okay. So anything else?

01:07:31.540 --> 01:07:33.320
Okay. So

01:07:39.700 --> 01:07:43.720
okay. One more thing to highlight. Filter the

01:07:43.720 --> 01:07:44.620
display.

01:07:51.320 --> 01:07:59.760
And this is right. So why I need to add the comment in

01:07:59.760 --> 01:08:03.760
here? Because when you save it, and then you can

01:08:03.760 --> 01:08:08.380
save the whole pcapng file again, and then send it to

01:08:08.380 --> 01:08:13.980
your client. So from there, they don't need to know

01:08:14.660 --> 01:08:19.820
maybe you send via email. For example, you put all

01:08:19.820 --> 01:08:23.760
the notes in an Excel file or Word document. When you

01:08:23.760 --> 01:08:27.940
send via email, they will forget where they stored it or

01:08:27.940 --> 01:08:31.140
maybe they overlook on that email. But then if you

01:08:31.140 --> 01:08:35.060
send out this pcapng file, they can easily

01:08:35.060 --> 01:08:39.420
read all the comments or the findings or observations

01:08:39.420 --> 01:08:44.400
by looking into these comments. Okay. So from here,

01:08:44.420 --> 01:08:47.600
we can also know like what are the hardware or OS that

01:08:47.600 --> 01:08:51.640
you capture, but here is unknown. Okay. All right. Let

01:08:51.640 --> 01:08:54.780
me close it. Okay. So far, any questions or comments?

01:08:57.080 --> 01:09:04.080
Okay. All right. Then let's proceed. Okay. So the

01:09:04.080 --> 01:09:10.600
third powerful tool is the endpoints. Okay. So

01:09:10.600 --> 01:09:17.120
let's say I want to identify the top talkers. So who is

01:09:17.120 --> 01:09:22.440
most talkative device on your network? How can we do?

01:09:22.900 --> 01:09:25.740
Have you ever used the endpoints for the analysis?

01:09:26.020 --> 01:09:30.940
Have you? Okay. Maybe let me show you where the

01:09:30.940 --> 01:09:34.260
endpoint is. Yes. So have you used it for your analysis

01:09:34.260 --> 01:09:38.560
task? For your project? For your business case? No.

01:09:39.420 --> 01:09:43.620
Okay. Never mind. Maybe it's good for your knowledge as

01:09:44.340 --> 01:09:48.960
Why do we use this endpoint? Because sometimes we want to

01:09:48.960 --> 01:09:54.480
find which devices are talking the most. Is it server or is

01:09:54.480 --> 01:09:59.300
it client? So from the end points, it will show you.

01:10:00.320 --> 01:10:04.060
Okay. It will show you like all the tabs, which

01:10:04.060 --> 01:10:13.600
includes Ethernet, IPv4, IPv6, TCP and UDP. It's

01:10:13.600 --> 01:10:17.960
This is the conversation dialog. And this is the

01:10:17.960 --> 01:10:24.560
endpoint. Okay. If you compare both, you can find the

01:10:24.560 --> 01:10:27.020
tabs are exactly the same, but the numbering is

01:10:27.020 --> 01:10:32.260
different. So here, this is the conversation. This is

01:10:32.260 --> 01:10:35.760
a conversation, traffic conversation. So it will help

01:10:35.760 --> 01:10:40.300
you to summarize. But in the endpoints, I want to see how many

01:10:40.300 --> 01:10:46.360
devices. I don't need to guess. Okay. One, two, three,

01:10:46.800 --> 01:10:51.540
and this is the same as the address A source. So that

01:10:51.540 --> 01:10:54.440
means only three unique endpoints. I don't need to

01:10:55.260 --> 01:10:59.500
like check it manually step by step. I just go to

01:10:59.500 --> 01:11:02.480
endpoints, then it will help me to summarize how many

01:11:02.480 --> 01:11:07.400
IPv4 addresses, how many Ethernet MAC addresses. So that

01:11:08.040 --> 01:11:11.020
I can find easily and compare with the conversation

01:11:11.020 --> 01:11:16.740
here. Okay. That's the difference. So. Okay. It has

01:11:16.740 --> 01:11:24.020
the packets, bytes and the direction. Okay. Okay. Let

01:11:24.020 --> 01:11:29.040
me go to here. Yep. We do have the total packets

01:11:29.040 --> 01:11:32.580
as well in every tab. And you can see how many

01:11:32.580 --> 01:11:36.240
packets in here sent by this device. Okay. Let me

01:11:36.240 --> 01:11:40.760
hold on. Let me clear the filter first. I forgot to

01:11:40.760 --> 01:11:44.420
clear the filters. Okay. Again, come to endpoints.

01:11:45.860 --> 01:11:54.080
Yeah. So that is the total. Right. So how to know

01:11:54.080 --> 01:11:58.880
who is the most active, that is, the device talking the most.

01:11:58.880 --> 01:12:04.120
Okay. Let's say, sorry, zero C. How do you

01:12:04.120 --> 01:12:08.300
know from this dialog? I can see 123

01:12:08.300 --> 01:12:14.100
packets from here. Okay. Good. So if let's say I

01:12:14.100 --> 01:12:21.880
open again the conversation. Okay. So I can see

01:12:21.880 --> 01:12:30.180
this address, 172.16.0.13 sent to the address

01:12:30.180 --> 01:12:37.560
IP. It's 123 packets in total. So

01:12:37.560 --> 01:12:42.540
let's back to the here. Okay. Go to the top one

01:12:42.540 --> 01:12:48.240
when I click on the first one and then check on the

01:12:48.240 --> 01:12:54.960
MAC address. Okay. So zero C. Zero C here. So what is

01:12:54.960 --> 01:13:01.420
the IP address of the zero C? 16.0.13. Okay. So by

01:13:01.420 --> 01:13:06.980
comparing with this, is that correct here? Okay.

01:13:07.760 --> 01:13:18.020
So this 172.16.0.13 is the most talkative device

01:13:18.640 --> 01:13:22.740
because it talks a lot. It's sending a lot. And then

01:13:22.740 --> 01:13:27.920
these two actually belong to one IP address but have

01:13:27.920 --> 01:13:30.760
different MAC addresses. So maybe they are from different

01:13:30.760 --> 01:13:35.580
devices. Maybe or maybe misconfigured in the machines.

01:13:36.940 --> 01:13:44.080
Okay. So if I go to the IPv4, since I mentioned they

01:13:44.080 --> 01:13:48.060
have one IP address with different MAC addresses. So I'm

01:13:48.060 --> 01:13:51.240
not sure whether this IP address belongs to one

01:13:51.240 --> 01:13:54.940
device or two devices, even though it's sending

01:13:54.940 --> 01:14:01.000
123. So as a conclusion, I can't judge which is the most

01:14:01.000 --> 01:14:08.480
talkative one, but I can determine this source as a

01:14:08.480 --> 01:14:12.500
client is the most talkative device from the packet size

01:14:12.500 --> 01:14:18.760
that I can find here. Okay. All right. So it's very

01:14:18.760 --> 01:14:23.720
simple for the conversation. I am only using this to

01:14:23.720 --> 01:14:30.860
find out who is sending the most, the maximum packet size,

01:14:30.860 --> 01:14:34.680
and then who are the most active device in the

01:14:34.680 --> 01:14:40.100
traffic, in the network traffic. Okay. All right. Next.

01:14:42.320 --> 01:14:52.660
What else? Okay. Just now we know. Okay. Back to the

01:14:54.360 --> 01:14:59.480
source is the client. Destination is the server from the

01:14:59.480 --> 01:15:03.120
SYN flag I can see, right? Because SYN is sent by the

01:15:03.120 --> 01:15:08.660
client. So if let's say I want to see the, I want to

01:15:08.660 --> 01:15:12.400
identify the top talkers. What are the other methods that

01:15:12.400 --> 01:15:19.200
I can use? Okay. Let us go to the statistic, IPv4

01:15:19.200 --> 01:15:25.180
statistic and select this destination and ports. So in

01:15:25.180 --> 01:15:29.600
here, I can see all the list of the IP address

01:15:29.600 --> 01:15:32.180
destination. Now this is so-called destination IP

01:15:32.180 --> 01:15:38.480
address and the ports number. Yeah. Port number. They are

01:15:38.480 --> 01:15:46.120
with. And if you collapse the protocol, it's only showing

01:15:46.120 --> 01:15:52.600
TCP. Why is only showing TCP instead of having HTTP,

01:15:52.960 --> 01:15:59.180
HTTPS and other protocol? Why? That means in this network

01:15:59.180 --> 01:16:05.140
traffic, it only has the TCP conversation by sending

01:16:05.140 --> 01:16:10.940
packets. So from here, I can see the size, the number,

01:16:11.000 --> 01:16:13.720
sorry, not the size. The size will be misunderstood,

01:16:13.940 --> 01:16:16.840
will lead to misunderstanding. So I want to

01:16:16.840 --> 01:16:25.580
see how many, the amount of packets, which is 68 and 55. So this

01:16:25.580 --> 01:16:31.160
is the destination. So I will see. Okay. From the

01:16:31.160 --> 01:16:37.340
port to the client, the client received 68. From the

01:16:37.340 --> 01:16:42.340
client to the server, it received 55. So this is

01:16:42.340 --> 01:16:46.260
something that I can try to list it out. What are the

01:16:46.260 --> 01:16:51.380
protocols and what are the packet amount that send to

01:16:51.380 --> 01:16:57.560
the destination? Okay. So this is the optional method

01:16:57.560 --> 01:17:05.620
that you can check on the destination on port. But for

01:17:05.620 --> 01:17:11.760
me, I would say the most preferred tools that I'm

01:17:11.760 --> 01:17:15.220
using the most is the conversation tier. But if I

01:17:15.220 --> 01:17:19.540
want to know how many devices, I would choose the

01:17:19.540 --> 01:17:23.580
endpoints. So the destination and port that I'm showing

01:17:23.580 --> 01:17:27.920
just now is to highlight like if you don't have the

01:17:27.920 --> 01:17:35.000
duplicate IP address with different MAC address. If

01:17:35.000 --> 01:17:38.460
you don't have that problem, yes, of course, you can use

01:17:38.980 --> 01:17:42.760
the destination port. But if you do have it, it will make

01:17:42.760 --> 01:17:47.380
you more confused. Hey, why only one IP address and then

01:17:47.380 --> 01:17:51.700
how can I identify the most top talker? I don't know

01:17:51.700 --> 01:17:54.860
because it may be come from different devices with the

01:17:54.860 --> 01:17:59.480
duplicate IP address. So it will lead to misunderstanding.

01:18:00.720 --> 01:18:04.560
Okay. So it's up to you to choose which tool you can

01:18:04.560 --> 01:18:13.280
use. Alright, next. Okay, so we do have the

01:18:13.280 --> 01:18:16.660
flow graph and also we do have the time sequence

01:18:16.660 --> 01:18:23.420
graph. What else? The round trip graph. So, and

01:18:23.420 --> 01:18:28.100
lastly, we do have the lab. So I don't think I will have

01:18:28.100 --> 01:18:34.080
the time to do the lab one, but we try to finish

01:18:35.480 --> 01:18:43.000
one flow graph, TCP time sequence graph, and also the

01:18:43.000 --> 01:18:47.080
round trip time graph in this morning session. And then we

01:18:47.080 --> 01:18:52.160
can have a lunch break. So lunch break, you still prefer

01:18:52.160 --> 01:18:56.800
one hour, is it? Not too rush for you. And then for

01:18:56.800 --> 01:19:05.660
today's session, I prefer to have less break time and

01:19:05.660 --> 01:19:09.940
then you can end earlier. Okay, you have the event

01:19:10.500 --> 01:19:15.700
tonight, right? Oh, okay. Good to know. So when you're

01:19:15.700 --> 01:19:20.360
back to Thailand, is it Friday or Saturday? Oh, it's

01:19:20.360 --> 01:19:25.680
rush of 6 p.m. Okay, so we still have time. Okay.

01:19:26.300 --> 01:19:30.320
So as I remember, both of you said you are familiar

01:19:30.320 --> 01:19:34.220
with this flow graph because sometimes you will use it.

01:19:34.600 --> 01:19:38.220
So the flow graph actually for me is quite simple

01:19:38.220 --> 01:19:45.420
because it's showing all the flow in the traffic

01:19:45.420 --> 01:19:49.640
conversation. But I would like to know in your use

01:19:49.640 --> 01:19:54.340
case. Okay, I think it's your talking time

01:19:54.340 --> 01:19:58.540
right now. I want to know why you use this flow graph

01:19:58.540 --> 01:20:02.140
and then what is your use case or scenarios

01:20:02.940 --> 01:20:06.280
and what are the type that you mostly use

01:20:06.920 --> 01:20:10.800
to understand your packet. Alright, so I will pass

01:20:10.800 --> 01:20:16.220
to any one of you to tell me or you to briefly

01:20:16.220 --> 01:20:23.340
introduce. Okay, you're okay for just for teaching

01:20:23.340 --> 01:20:30.340
purpose. Okay, so what type you are using? Are you

01:20:30.340 --> 01:20:33.920
using all flows or a specific flow type, TCP flows?

01:20:34.540 --> 01:20:38.760
Okay, can you tell me from this TCP flows?

01:20:39.200 --> 01:20:43.840
And we do have these two IP address, right? So

01:20:44.640 --> 01:20:48.800
okay, let's say I will ask Tony. I don't know.

01:20:49.000 --> 01:20:51.600
I don't know how to identify who is the client,

01:20:51.740 --> 01:20:54.940
who is the server and why. Okay, can you answer

01:20:54.940 --> 01:21:01.400
my question? Okay. So that means 172 server. So that

01:21:01.400 --> 01:21:07.880
means whoever received the SYN packet is the server.

01:21:09.960 --> 01:21:17.700
Okay, alright. So, okay, next question.

01:21:20.100 --> 01:21:23.360
Okay, since I know 172 is the client,

01:21:24.200 --> 01:21:28.900
100. Okay, I call it 100 server. So I know

01:21:28.900 --> 01:21:34.540
100 server. 100 is the server. But how do I know

01:21:34.540 --> 01:21:38.000
the server already received the packet successfully?

01:21:38.780 --> 01:21:43.340
Ah, okay. SYN-ACK is the response by the server

01:21:43.340 --> 01:21:46.400
because it will tell, hey, client already

01:21:46.400 --> 01:21:49.400
received a packet and already acknowledge it.

01:21:50.920 --> 01:21:56.240
Okay, yes. Yeah, okay. So why the client is using

01:21:57.100 --> 01:22:02.320
61330? Okay. Okay, good. So, okay, client

01:22:02.320 --> 01:22:06.360
receives. And then will the client respond

01:22:06.360 --> 01:22:09.360
to server to tell the server, hey, server,

01:22:09.740 --> 01:22:13.000
I already receive your acknowledge. So no problem.

01:22:13.100 --> 01:22:14.800
How did I know from this program?

01:22:16.820 --> 01:22:20.200
Will the client tell the server that, hey, server,

01:22:20.640 --> 01:22:24.320
I already receive your packet, already receive your respond.

01:22:26.400 --> 01:22:31.680
You mean here? Okay, alright. Okay, just now who mentioned sequence?

01:22:32.480 --> 01:22:35.800
Okay, can you explain further about sequence number?

01:22:36.360 --> 01:22:38.500
Is it the sequence number that you mean?

01:22:39.920 --> 01:22:43.920
Okay, what is the difference between acknowledge number and the sequence number?

01:22:46.440 --> 01:22:49.920
Hello, can you hear me? Okay, um,

01:22:49.920 --> 01:22:55.460
um, like, I think Dhanin answered right.

01:22:56.020 --> 01:22:58.540
So the sequence number, let's say from here,

01:22:59.560 --> 01:23:03.460
this is the number of the first part of the data in the TCP segment, right?

01:23:03.820 --> 01:23:07.360
So, um, okay, I give you an example.

01:23:08.760 --> 01:23:13.920
Okay, so, okay, from here is starting from zero.

01:23:15.620 --> 01:23:18.400
And the TCP segment carries, for example,

01:23:18.400 --> 01:23:22.380
for example, it carries 100 bytes of data.

01:23:23.600 --> 01:23:25.200
So what is the next sequence number?

01:23:25.380 --> 01:23:27.760
The next segment will have a sequence number of one,

01:23:29.440 --> 01:23:32.240
uh, sorry, zero plus 100 means 100.

01:23:32.440 --> 01:23:35.360
Do you get what I mean? Okay, so this is,

01:23:37.000 --> 01:23:38.660
okay, again, let me highlight again.

01:23:38.960 --> 01:23:42.880
So it's the number of the first part of the data in the TCP segment.

01:23:43.440 --> 01:23:46.940
So if let's say, um, the first segment,

01:23:47.720 --> 01:23:51.520
I started from sequence number equal to zero.

01:23:51.920 --> 01:23:59.200
And then I know that this is the TCP segment is sending 100 bytes of data.

01:23:59.600 --> 01:24:03.400
So the next sequence number, if I receive it correct, uh,

01:24:03.400 --> 01:24:08.540
successfully, it will start, it will start with zero plus 100 means, uh,

01:24:10.580 --> 01:24:13.580
100. Okay, 100.

01:24:13.580 --> 01:24:15.400
It was started with 100.

01:24:17.880 --> 01:24:19.900
Okay, then how about the acknowledgment number?

01:24:20.020 --> 01:24:24.080
Okay, let's say sequence number equal to zero and ACK number equal to one.

01:24:26.560 --> 01:24:34.680
Okay, so, okay, so if let's say, um,

01:24:34.940 --> 01:24:40.060
if the client received the segment with acknowledgment number one,

01:24:40.060 --> 01:24:41.580
here is one, right?

01:24:41.680 --> 01:24:49.700
It means the sender received all data up to byte, uh, one.

01:24:51.200 --> 01:24:55.320
And it is expecting byte one in the next segment.

01:24:56.480 --> 01:25:00.080
Okay, here is the packet size that the server,

01:25:00.560 --> 01:25:04.280
the, sorry, that the receiver can be received.

01:25:04.580 --> 01:25:05.440
Do you get what I mean?

01:25:06.380 --> 01:25:08.620
So, okay, maybe next question.

01:25:08.620 --> 01:25:15.620
Um, okay, maybe I don't ask any question, but tell me from that graph what you can see,

01:25:15.660 --> 01:25:23.500
for example, from 105 milliseconds and then suddenly jump to 20 seconds right here.

01:25:23.740 --> 01:25:30.000
And then from sequence number equal to one and suddenly jump to 1461.

01:25:30.600 --> 01:25:32.720
I was asked, hey, what happened?

01:25:33.120 --> 01:25:35.440
Why suddenly the sequence size, uh,

01:25:37.340 --> 01:25:40.680
is plus 1400 is a huge difference.

01:25:41.500 --> 01:25:42.300
What happened?

01:25:43.740 --> 01:25:46.480
So, think here, one, two, three, four.

01:25:47.740 --> 01:25:50.460
Okay, here, 108.

01:25:51.680 --> 01:25:52.440
108.

01:25:53.960 --> 01:26:00.660
Okay, remember I mentioned that I found something wrong because the length size of the

01:26:00.660 --> 01:26:03.440
is too huge, one, five, one, four.

01:26:03.980 --> 01:26:06.740
And then it has a problem.

01:26:06.900 --> 01:26:11.340
So it's not able to send it out successfully.

01:26:11.700 --> 01:26:17.540
It has split into two packets and to be continued sending because

01:26:17.540 --> 01:26:19.940
the packet size limited during capture.

01:26:21.480 --> 01:26:26.940
So from here, I can see the sequence number jump from one to 1461,

01:26:27.500 --> 01:26:29.240
but then the acknowledgment number is one.

01:26:30.040 --> 01:26:36.560
So that means there is something wrong from here to from here to here,

01:26:36.740 --> 01:26:39.460
and also from 108 to 218 here.

01:26:39.820 --> 01:26:42.080
Sorry, from 218 to 20 seconds.

01:26:42.500 --> 01:26:46.340
So this is something that I need to analyze further.

01:26:46.820 --> 01:26:51.720
So if you click on here, see, it will auto-highlight the problem,

01:26:52.620 --> 01:26:55.240
the packet in the summarized view.

01:26:56.340 --> 01:27:03.560
Okay, so again, sequence number is to identify the first byte in this segment.

01:27:03.900 --> 01:27:12.220
So it was started with 1461 in this segment, and it's from sender to receiver.

01:27:13.440 --> 01:27:18.740
Okay, to indicate what is being sent, and it's randomly generated as in the start

01:27:18.740 --> 01:27:19.380
of the connection.

01:27:19.660 --> 01:27:23.700
So if let's say it's 1461.

01:27:23.700 --> 01:27:29.360
So meaning it's sending the byte 1001 onwards.

01:27:30.880 --> 01:27:32.900
Okay, 101 onwards.

01:27:33.820 --> 01:27:37.380
So it's sending 1461 bytes onwards.

01:27:38.620 --> 01:27:40.540
And then what is the acknowledgment number?

01:27:40.980 --> 01:27:44.560
It indicates the next byte expected from the other side.

01:27:45.200 --> 01:27:47.220
The next byte is better from the other side.

01:27:47.980 --> 01:27:50.740
Okay, it's from receiver to sender.

01:27:51.460 --> 01:27:56.280
The server sends the acknowledgment to whom?

01:27:56.780 --> 01:27:57.700
To the client.

01:27:58.040 --> 01:28:00.340
So it means from the receiver to sender.

01:28:01.140 --> 01:28:03.580
And tell what has been received.

01:28:05.080 --> 01:28:06.600
Okay, what has been received?

01:28:06.780 --> 01:28:08.440
I already received one.

01:28:08.840 --> 01:28:11.460
I already received 1519.

01:28:12.180 --> 01:28:18.980
So it's usually zero until first segment is received like here.

01:28:18.980 --> 01:28:21.840
I already received one segment.

01:28:22.200 --> 01:28:24.380
So my acknowledgment number is one.

01:28:25.460 --> 01:28:29.440
So it means the number of bytes received in the acknowledgment.

01:28:31.580 --> 01:28:39.900
Okay, for example, if I put let's say 1522.

01:28:41.560 --> 01:28:42.660
What is that means?

01:28:43.300 --> 01:28:48.060
Okay, I already received 1521 bytes.

01:28:49.020 --> 01:28:57.100
I already received up to 1521 bytes.

01:28:57.540 --> 01:29:02.120
So I'm expecting the bytes starting with 1522.

01:29:05.140 --> 01:29:10.160
Okay, so acknowledgment means I already received how many bytes in the previous segment.

01:29:10.380 --> 01:29:12.560
And then I will start with 1522.

01:29:13.380 --> 01:29:15.100
And then sequence number means

01:29:15.100 --> 01:29:21.120
I identify from which byte, the first byte in this segment.

01:29:21.240 --> 01:29:25.100
So it was started with byte one onwards.

01:29:25.960 --> 01:29:33.440
Okay, it's a bit confusing but actually this sequence number

01:29:33.440 --> 01:29:39.300
and acknowledgment number are quite helpful for our analysis in the last session.

01:29:39.960 --> 01:29:40.380
Okay, all right.

01:29:44.020 --> 01:29:46.400
So what else?

01:29:46.680 --> 01:29:48.080
What else you are using this

01:29:50.560 --> 01:29:53.940
flow graph for any purpose of your project?

01:29:55.300 --> 01:29:56.400
That's it?

01:29:57.760 --> 01:30:05.600
Okay, so the flow graph can easily tell us like the total amount of time

01:30:05.600 --> 01:30:08.200
is being elapsed.

01:30:08.200 --> 01:30:19.100
For example, 156 seconds is about two minutes and maybe 36 seconds.

01:30:19.220 --> 01:30:23.240
And also the list of the acknowledgment and sequence numbers.

01:30:23.320 --> 01:30:30.120
So you can export it into PDF or JPEG, PNG as a picture file

01:30:30.120 --> 01:30:32.320
and then attach in your report as well.

01:30:32.800 --> 01:30:35.680
So if I want to see the overall flows,

01:30:36.320 --> 01:30:43.180
so it's a bit complicated if you compare with the specific flow graph

01:30:43.180 --> 01:30:45.000
with different specific type.

01:30:45.920 --> 01:30:51.120
So normally I won't use the all flows unless I want to know,

01:30:51.420 --> 01:30:57.920
Okay, apart from TCP, what are the protocols that are used by this network traffic?

01:30:58.260 --> 01:31:04.580
So I can see, oh okay, it's sending HTTP because it's using port 80.

01:31:04.580 --> 01:31:06.660
So it's not HTTPS.

01:31:07.060 --> 01:31:10.220
It returns 200 means okay, no problem, successful.

01:31:11.340 --> 01:31:13.840
But it's not important for my network analysis

01:31:13.840 --> 01:31:19.580
unless I got some error code with apart from 200.

01:31:22.740 --> 01:31:25.820
But from here it's easy to tell me like okay,

01:31:25.860 --> 01:31:31.340
so from the client to the server, it's not successful.

01:31:31.980 --> 01:31:36.160
So I keep sending because the packet size is limited.

01:31:36.180 --> 01:31:37.880
I keep sending.

01:31:38.740 --> 01:31:43.720
Okay, see there are a lot of continuation until when.

01:31:44.260 --> 01:31:47.580
So we have to keep scrolling down.

01:31:47.860 --> 01:31:52.220
Let's say I back to this packet nine.

01:31:52.300 --> 01:31:55.020
This is around 20th point.

01:31:56.840 --> 01:31:58.700
This one up here.

01:31:58.990 --> 01:32:04.530
So yeah, from here you can see there is something wrong.

01:32:05.510 --> 01:32:10.030
The server responded very slow and it keep continuous sending

01:32:10.030 --> 01:32:12.590
because of the packet size limited during the capture.

01:32:14.890 --> 01:32:16.750
All right, okay.

01:32:16.910 --> 01:32:22.070
If you want to limit the flow graph,

01:32:22.410 --> 01:32:27.550
you can put a display filter here and then click the check.

01:32:28.990 --> 01:32:32.990
For example, if I only want to see those problem with,

01:32:36.330 --> 01:32:44.990
okay, let's say contents continuation.

01:32:48.570 --> 01:32:52.750
It will reflect exactly the same as our summarized view.

01:32:53.350 --> 01:32:55.890
But if you want to see like for example,

01:32:56.270 --> 01:32:57.710
I want to see the flags.

01:32:59.290 --> 01:33:00.430
Equal to only.

01:33:00.790 --> 01:33:05.250
That means I want to see from the server to the client.

01:33:07.030 --> 01:33:11.650
So it can help you to narrow down the analysis scope.

01:33:13.630 --> 01:33:14.530
All right, okay.

01:33:14.690 --> 01:33:18.690
That's it for the flow graph.

01:33:20.590 --> 01:33:22.970
So by using this program, actually,

01:33:23.210 --> 01:33:26.730
it can help us to visualize the sequence of the packet

01:33:26.730 --> 01:33:31.830
exchange, which is very important in the network traffic

01:33:31.830 --> 01:33:33.610
between the endpoints over the time.

01:33:36.190 --> 01:33:41.530
So what is the benefit or advantage of this program?

01:33:42.490 --> 01:33:46.290
It helps us to understand the communication in sequence

01:33:46.290 --> 01:33:49.390
and then it helps us to troubleshoot on the handshake

01:33:49.390 --> 01:33:52.470
like Danny mentioned, the three-way handshake problems,

01:33:53.130 --> 01:33:55.730
the TCP three-way handshakes problem.

01:33:55.730 --> 01:33:58.110
For example, like the retransmission.

01:33:58.890 --> 01:34:04.010
So it helps us to see some delays or other packets

01:34:04.010 --> 01:34:06.930
in the complex exchange or any TCP errors.

01:34:09.090 --> 01:34:13.130
So because we can see it shows the protocol layers,

01:34:14.010 --> 01:34:18.350
different protocols like TCP, UDP, DNS, and so on.

01:34:18.730 --> 01:34:20.730
And it also shows the direction, right?

01:34:20.850 --> 01:34:23.370
Direction go and back.

01:34:23.370 --> 01:34:29.210
And the flags like SYN or ACK or SYN-ACK, etc.

01:34:30.310 --> 01:34:33.930
And it also colors and orders the communication lines

01:34:33.930 --> 01:34:35.470
like a ladder diagram.

01:34:35.830 --> 01:34:39.690
So it's quite easy for us to see the overall communication flow.

01:34:41.910 --> 01:34:43.010
Okay, all right.

01:34:43.410 --> 01:34:48.410
So next, I'm also using the same PCAP file,

01:34:48.410 --> 01:34:53.770
the pre-lab slow network PCAP file.

01:34:54.330 --> 01:34:55.290
So it's the same.

01:34:55.950 --> 01:35:01.670
We can use the flow of TCP data, which is under here.

01:35:02.050 --> 01:35:06.030
I'm using tcptrace because it's more detailed than the Stevens.

01:35:06.490 --> 01:35:09.930
It's more or less the same, but tcptrace is more detailed.

01:35:10.550 --> 01:35:13.630
So I'm selecting this time sequence (tcptrace)

01:35:13.630 --> 01:35:19.130
to see the summary of the graph problem.

01:35:19.650 --> 01:35:24.430
So I already attached the summary of the observation.

01:35:25.850 --> 01:35:28.670
Can someone help me to read it out?

01:35:29.530 --> 01:35:34.690
What is the observation from different aspect from here?

01:35:35.030 --> 01:35:35.810
What you have seen?

01:35:35.930 --> 01:35:39.550
Maybe Tan-Yoon, you can be volunteer.

01:35:39.870 --> 01:35:43.610
Okay, so I have one, two, three, four, five.

01:35:43.630 --> 01:35:45.170
Five observations.

01:35:45.890 --> 01:35:50.750
So maybe you can translate by using your own language.

01:35:51.070 --> 01:35:54.830
I mean, using your own way to describe about

01:35:55.350 --> 01:35:59.630
what you have monitored and observed by using this TCP graph.

01:36:00.490 --> 01:36:04.590
Okay, so I try to give you some example.

01:36:05.270 --> 01:36:10.750
The total span is about 160 seconds

01:36:10.750 --> 01:36:12.870
because it's more than 150 seconds.

01:36:12.870 --> 01:36:19.770
So we can see the measure rising here in the data transfer,

01:36:20.170 --> 01:36:23.750
and it stopped around 25 seconds, right?

01:36:25.430 --> 01:36:30.870
No more data is being sent in the x-axis here.

01:36:32.170 --> 01:36:38.770
And then in the y-axis, this is the TCP sequence number in bytes here.

01:36:39.250 --> 01:36:40.470
Sequence number in bytes.

01:36:41.110 --> 01:36:43.150
And this is the time in seconds.

01:36:44.210 --> 01:36:48.210
So it represents the cumulative number of bytes successfully sent.

01:36:48.830 --> 01:36:56.650
So how many bytes the server has been sent about?

01:36:57.750 --> 01:37:02.530
How many kb or how many bytes in total for the server already been sent?

01:37:04.390 --> 01:37:06.630
So from here, you can see it's about how many?

01:37:07.760 --> 01:37:19.520
More than 65,000 bytes or about 63.5 kb, is it?

01:37:21.080 --> 01:37:27.160
So this is the difference between y-axis and the x-axis.

01:37:29.100 --> 01:37:31.920
So I try to make it slow.

01:37:33.180 --> 01:37:37.260
Okay, so this is the key observation.

01:37:38.640 --> 01:37:46.100
The initial data transfer is from 0 seconds to 25 seconds because it stopped here.

01:37:47.340 --> 01:37:55.000
So data is sent steadily in steps from 1, 2, 3, up to 25.

01:37:55.620 --> 01:37:56.160
It's stable.

01:37:57.340 --> 01:38:00.880
So this represents normal TCP segment transmission.

01:38:01.680 --> 01:38:11.020
But then the sequence number plateaus, like a sudden plateau, after 25 seconds.

01:38:11.900 --> 01:38:16.880
So it indicates sender stop transmitting more data.

01:38:19.940 --> 01:38:29.580
Or someone is either client or server is waiting for the segment.

01:38:29.580 --> 01:38:34.900
Maybe, maybe is the client is waiting for acknowledgement.

01:38:35.120 --> 01:38:38.900
So it could imply the receiver side delay.

01:38:40.300 --> 01:38:46.580
Okay, receiver side delay or window size limitation like what Ham mentioned just now.

01:38:47.340 --> 01:38:53.140
Or congestion, network congestion or any packet loss or retransmission stalling progress.

01:38:54.660 --> 01:38:59.940
Or it's simply the data transfer finished early but the client is still waiting.

01:39:01.020 --> 01:39:05.700
Okay, let me see the green line here.

01:39:08.120 --> 01:39:16.660
Okay, green line means the acknowledgment from the client, the ACK.

01:39:17.460 --> 01:39:23.660
So it catches up to the data quickly after initial delays.

01:39:24.020 --> 01:39:26.260
But it stops updating after the data ends.

01:39:27.600 --> 01:39:31.920
Okay, so this is what is expected because we already have the key observation

01:39:31.920 --> 01:39:33.840
from the first perspective.

01:39:35.240 --> 01:39:39.780
So if you hover the data, bottom line here, see.

01:39:41.680 --> 01:39:49.360
It helps us to summarize 68 packets already sent from the server to client.

01:39:50.020 --> 01:39:52.140
From the server to client.

01:39:53.280 --> 01:39:56.900
And the 55 packets is from client.

01:39:57.280 --> 01:40:01.420
It's likely only the ACK.

01:40:02.540 --> 01:40:07.000
Okay, so it shows that this was relatively short session.

01:40:07.940 --> 01:40:19.200
Maybe the issue is due to maybe a slow network or delayed ACK or slow start behavior of TCP.

01:40:20.040 --> 01:40:22.600
Or retransmission is not visible directly.

01:40:23.020 --> 01:40:26.900
So it could be inferred if jump or overlap is in the line.

01:40:30.260 --> 01:40:34.740
Alright, so that is so-called time sequence graph.

01:40:35.460 --> 01:40:39.460
And it shows green light means from client.

01:40:39.960 --> 01:40:42.640
So the black line means from the server.

01:40:43.280 --> 01:40:45.460
So what is the observation in here?

01:40:46.140 --> 01:40:55.560
So Tanim, can you help to repeat again what is the key observation by using your own method?

01:40:57.400 --> 01:41:03.840
Duration, yes, it's about how long for the duration in total?

01:41:04.740 --> 01:41:06.120
You mean drop down?

01:41:07.020 --> 01:41:08.200
Or you mean here?

01:41:08.520 --> 01:41:09.580
It's dropped, okay.

01:41:11.160 --> 01:41:13.120
It's dropped at 25.

01:41:13.640 --> 01:41:16.120
Means like something stopped there.

01:41:16.320 --> 01:41:17.700
The data transfer stopped there.

01:41:20.200 --> 01:41:27.880
Okay, so anything else from what you observe?

01:41:28.420 --> 01:41:29.280
One more thing.

01:41:29.500 --> 01:41:34.020
Sometimes when we look into a time sequence graph, we might get confused.

01:41:34.020 --> 01:41:37.040
Does it represent client or server?

01:41:37.560 --> 01:41:47.120
So actually at the top in here, sequence number means TCP trust is actually from where to where?

01:41:48.000 --> 01:41:51.080
Here, yeah, yeah, sorry, the client.

01:41:51.820 --> 01:41:54.420
So this one needs to be noted.

01:41:55.420 --> 01:41:57.660
And also this is the graph title.

01:41:58.540 --> 01:42:04.340
So all the packet sizes here, if you compare with the conversation dialog,

01:42:04.740 --> 01:42:06.300
the endpoint dialog, are actually the same.

01:42:07.460 --> 01:42:09.700
See, 68, 55.

01:42:10.020 --> 01:42:16.020
55 is from what? What is meant by 55?

01:42:16.300 --> 01:42:17.040
Still remember?

01:42:17.720 --> 01:42:19.540
It's from server or client.

01:42:21.380 --> 01:42:22.100
Okay, good.

01:42:22.580 --> 01:42:25.700
And 68, okay.

01:42:25.700 --> 01:42:27.500
All right.

01:42:29.240 --> 01:42:39.700
So, okay, again, can you give me an example like, let's say, for example,

01:42:40.900 --> 01:42:46.600
first segment, the sequence number is 1,000.

01:42:46.920 --> 01:42:51.460
If this packet has a sequence number of 1,000, 1,000.

01:42:52.800 --> 01:42:55.000
Oh, this packet.

01:42:55.280 --> 01:42:56.740
Okay, I have packet 1.

01:42:57.360 --> 01:43:03.200
I have a sequence number of 1,000 and I am sending 100 bytes.

01:43:03.440 --> 01:43:04.380
Okay, 100 bytes.

01:43:04.800 --> 01:43:08.080
So what is the sequence number of the next packet?

01:43:09.400 --> 01:43:14.320
Okay, let me open.

01:43:15.860 --> 01:43:17.340
What happened to this?

01:43:17.340 --> 01:43:36.660
Okay, so let's say I have packet 1 and then I have, I'm having sequence number 1,000

01:43:36.660 --> 01:43:43.380
and I am sending 100 bytes of data.

01:43:43.380 --> 01:43:47.340
Okay, so, okay.

01:43:47.340 --> 01:43:51.660
What is the sequence number of next packet?

01:43:51.960 --> 01:44:01.220
I am having 1,000 sequence number and then I'm sending 500 bytes of data.

01:44:01.280 --> 01:44:03.960
So what is the sequence number of next packet?

01:44:05.640 --> 01:44:06.020
Sorry?

01:44:08.860 --> 01:44:10.880
100, okay.

01:44:13.280 --> 01:44:23.340
Let's say, okay, packet 1 has a sequence number 1,000 and then sending 500.

01:44:23.960 --> 01:44:27.960
So the next sequence number, if everything is successful, it's smooth,

01:44:28.500 --> 01:44:31.160
will start with 1,500.

01:44:31.920 --> 01:44:33.020
So what does that mean?

01:44:33.020 --> 01:44:50.600
Okay, and this means this packet, it already contains bytes 1,000 to 1,499.

01:44:50.800 --> 01:44:56.600
So it's like a book, a big book, one page at a time.

01:44:56.600 --> 01:45:04.180
Each page has a number, page 1, page 2, page 3, page 4, page 5.

01:45:04.860 --> 01:45:08.440
So the sequence number, just imagine, what is the sequence number?

01:45:08.840 --> 01:45:14.300
It actually tells the receiver where in the book this page belongs to.

01:45:15.000 --> 01:45:26.580
So I tell the client, I tell the client,

01:45:27.680 --> 01:45:34.760
so please start reading it at page 1,500.

01:45:35.080 --> 01:45:35.900
Do you get what I mean?

01:45:36.200 --> 01:45:37.260
Like a page number.

01:45:37.920 --> 01:45:40.920
So you are sending the data from which page.

01:45:41.840 --> 01:45:49.400
If I have 1,000 pages in this book and I pass you this very big book with 1,000 pages,

01:45:49.640 --> 01:45:53.020
I tell you, hey, Tam, please read the book.

01:45:53.700 --> 01:45:56.860
But do you know which page you are going to read?

01:45:57.680 --> 01:45:58.620
You don't know.

01:45:59.120 --> 01:46:05.580
So I'm telling you, okay, please read from page 1,500.

01:46:06.900 --> 01:46:16.300
But then, okay, so how do you know how many pages that you are going to read?

01:46:16.440 --> 01:46:18.340
So that's why I have the data byte size.

01:46:18.340 --> 01:46:24.300
So this is just an imagination to match the real-world case.

01:46:31.860 --> 01:46:35.560
So just now we mentioned the acknowledge number.

01:46:36.800 --> 01:46:42.800
I give you one example to help you to try to imagine the real-world case.

01:46:43.940 --> 01:46:46.940
Acknowledge number is how the receiver tells the sender,

01:46:46.940 --> 01:46:49.500
I got everything up to this byte.

01:46:51.520 --> 01:46:53.000
You can send more.

01:46:53.520 --> 01:46:57.660
So for example, if the receiver sends an acknowledgement

01:46:58.380 --> 01:47:02.860
with the acknowledge number 1,500,

01:47:03.660 --> 01:47:11.760
it means I have received byte 0 until 1,499.

01:47:12.260 --> 01:47:16.840
So please send me byte 1,500 next.

01:47:19.560 --> 01:47:23.120
So it's like saying, thanks, I got everything up to this point.

01:47:23.160 --> 01:47:24.220
Keep going from here.

01:47:28.040 --> 01:47:31.440
So another question, I'll give you one example.

01:47:34.700 --> 01:47:37.220
So I'll give you another example.

01:47:38.640 --> 01:47:42.620
Let's say sequence number equal to 1,000.

01:47:43.220 --> 01:47:46.540
This packet starts at byte 1,000, right?

01:47:46.940 --> 01:47:50.180
Because sequence number is 1,000, correct?

01:47:51.420 --> 01:47:54.460
And length equal to 500 bytes.

01:47:54.900 --> 01:47:58.640
So it means the data size it's carrying is 500 bytes.

01:47:58.780 --> 01:48:02.460
Acknowledge number is equal to 1,500.

01:48:04.700 --> 01:48:11.280
That means the other side already has received everything up to byte 1,499.

01:48:12.340 --> 01:48:12.960
OK.

01:48:15.240 --> 01:48:18.200
It's a bit confusing, but never mind.

01:48:18.540 --> 01:48:23.460
I will go deeper in tomorrow's session by using different lab examples,

01:48:24.000 --> 01:48:26.180
especially for the sequence number, acknowledge number.

01:48:26.560 --> 01:48:29.640
So that's why in the first lesson that I introduced yesterday,

01:48:30.300 --> 01:48:35.460
I like to add two more columns, especially sequence and acknowledge number.

01:48:35.800 --> 01:48:37.740
Then you will see, hey, what happened?

01:48:37.740 --> 01:48:40.180
Acknowledge number is 1,500.

01:48:40.620 --> 01:48:42.680
But then, what happened to the next packet?

01:48:42.940 --> 01:48:45.260
Maybe the acknowledge number is not right and not accurate,

01:48:45.520 --> 01:48:46.880
or sequence number is not accurate.

01:48:47.100 --> 01:48:48.880
Jump from here to there, there to here.

01:48:49.240 --> 01:48:50.960
So I found something wrong.

01:48:53.500 --> 01:48:54.620
Just for your heads up.

01:48:56.260 --> 01:48:58.720
So the last one in this morning's session.

01:49:02.740 --> 01:49:05.380
Let's continue to the next one, the last one.

01:49:05.380 --> 01:49:09.860
I think the last one before we go into a very big lab exercise.

01:49:11.880 --> 01:49:18.320
From here, I want to tell you, apart from observing the time sequence,

01:49:18.340 --> 01:49:21.840
which means from the server side,

01:49:22.140 --> 01:49:24.600
we can also look into the round trip.

01:49:25.300 --> 01:49:26.860
And the short form is RTT.

01:49:26.980 --> 01:49:28.660
And what does that mean, RTT?

01:49:30.320 --> 01:49:35.540
Okay, I tried to put here, it's for your better reference.

01:49:36.180 --> 01:49:43.580
RTT means it's the time it takes for a packet to travel from the sender to the receiver and back again.

01:49:44.620 --> 01:49:48.700
So typically, it's measured using the TCP acknowledgements.

01:49:50.400 --> 01:49:54.140
It's a round trip, go and back.

01:49:55.560 --> 01:49:58.640
So it's a key indicator of network latency.

01:49:59.600 --> 01:50:02.640
From here, I already captured the screenshot

01:50:03.680 --> 01:50:09.940
for this PreLab slow network PCAP file.

01:50:10.460 --> 01:50:20.900
So we know that this is a TCP stream between the client 172 and the server.

01:50:23.060 --> 01:50:28.440
So RTT is actually calculated in milliseconds.

01:50:28.640 --> 01:50:32.480
You can see in the Y axis using milliseconds instead of seconds.

01:50:33.180 --> 01:50:37.560
But the time on the X axis is using seconds as the unit.

01:50:38.920 --> 01:50:44.680
So what is the key observation and analysis in this round trip time graph?

01:50:45.820 --> 01:50:46.600
What have you found?

01:50:48.000 --> 01:50:51.240
Again, this is from zero.

01:50:52.140 --> 01:50:54.380
Let me open the workshop.

01:50:56.380 --> 01:51:05.220
Okay, so from this perspective, the Y-axis perspective.

01:51:08.100 --> 01:51:13.760
Let me think how to introduce in a better way.

01:51:14.480 --> 01:51:18.120
Okay, so we do have the sharp RTT spikes.

01:51:19.220 --> 01:51:23.280
The sharp RTT spike is about here.

01:51:23.660 --> 01:51:24.360
It's around here.

01:51:25.340 --> 01:51:26.920
60 milliseconds, right?

01:51:28.480 --> 01:51:31.340
So then how long for the time duration?

01:51:31.540 --> 01:51:33.680
It's about 20 seconds.

01:51:34.200 --> 01:51:38.220
So the spike is around 60 milliseconds for the round trip,

01:51:38.520 --> 01:51:42.020
but the duration is about 22 seconds.

01:51:43.300 --> 01:51:48.820
But then it's a big jump from around 22 seconds.

01:51:49.100 --> 01:51:51.960
It's a steep drop, drop to here.

01:51:53.000 --> 01:51:57.740
So it may suggest, again, retransmission,

01:51:57.880 --> 01:51:59.700
waiting longer for the acknowledgement,

01:52:00.080 --> 01:52:06.040
the ACK from the server, or packet loss or server processing delay.

01:52:06.080 --> 01:52:11.200
So it's unstable RTT between 22.

01:52:13.020 --> 01:52:17.560
Okay, from here I can see 22.5.

01:52:18.740 --> 01:52:20.440
Okay, 22, 21.

01:52:20.540 --> 01:52:21.940
So it's around 22.5.

01:52:21.940 --> 01:52:32.400
seconds until 23.5, I think.

01:52:32.460 --> 01:52:33.460
It's about here.

01:52:34.400 --> 01:52:39.180
It's very unstable because we can see

01:52:39.860 --> 01:52:43.220
this graph is showing inconsistent slope.

01:52:43.220 --> 01:52:47.020
Sharp up and down, up and down, right?

01:52:47.220 --> 01:52:51.100
So it indicates unstable or congested network behavior.

01:52:52.660 --> 01:52:59.080
Okay, so again, after the initial peak,

01:52:59.320 --> 01:53:02.820
this is the initial peak, RTT drops significantly.

01:53:03.460 --> 01:53:06.120
So it may be due to TCP slow

01:53:06.880 --> 01:53:08.980
start completing and traffic stabilizing.

01:53:10.420 --> 01:53:14.500
Okay, or ACK delay or bursty communication.

01:53:16.420 --> 01:53:21.920
Control between 20, I think here.

01:53:21.940 --> 01:53:27.780
From 20.5 seconds until 21.5 seconds.

01:53:29.900 --> 01:53:32.420
Okay, like this is a small spike.

01:53:32.580 --> 01:53:40.200
We can see small spike and this is the most top spike.

01:53:40.780 --> 01:53:48.680
Okay, so from the instability and the small spike

01:53:48.680 --> 01:53:51.580
and the high spike and the sharp drop,

01:53:52.500 --> 01:53:53.460
up and down.

01:53:54.280 --> 01:54:01.360
So we can conclude that the traffic is not stable

01:54:01.860 --> 01:54:05.560
and it might have network congestion issue.

01:54:06.280 --> 01:54:08.980
It might have network slowness

01:54:09.600 --> 01:54:11.900
or jitter in parts of the communication

01:54:12.820 --> 01:54:16.020
because it's not consistently stable.

01:54:16.900 --> 01:54:21.340
Okay, especially around the 22 seconds in here.

01:54:21.940 --> 01:54:23.380
This one, okay.

01:54:23.620 --> 01:54:26.180
Let us go back to, okay, see.

01:54:28.980 --> 01:54:32.200
During the 22 seconds around here,

01:54:32.540 --> 01:54:36.040
you can see a lot of packets are being sent out,

01:54:36.160 --> 01:54:38.060
especially a continuation frag.

01:54:38.640 --> 01:54:43.320
But after 24.2 seconds, it stopped.

01:54:44.240 --> 01:54:45.980
And what is happening in here?

01:54:46.640 --> 01:54:50.940
So the client sends to the server but the server never responds

01:54:50.940 --> 01:54:56.580
until 69 seconds, I can see TCP keep-alive.

01:54:58.420 --> 01:55:02.520
Okay, after a few milliseconds,

01:55:03.760 --> 01:55:06.120
server responded.

01:55:07.040 --> 01:55:08.580
I'm still alive.

01:55:10.600 --> 01:55:14.200
But then it's nothing after 69 seconds.

01:55:15.600 --> 01:55:19.380
Okay, so client ask the server again.

01:55:19.380 --> 01:55:21.240
Are you still alive?

01:55:21.720 --> 01:55:22.660
Are you still alive?

01:55:23.160 --> 01:55:25.240
And then after a few milliseconds,

01:55:26.180 --> 01:55:27.060
the server responded.

01:55:27.620 --> 01:55:29.180
Yes, I'm still alive.

01:55:30.980 --> 01:55:33.160
After 114 seconds, it's nothing.

01:55:33.880 --> 01:55:38.100
Okay, but then 156, you can see the red flag happening.

01:55:38.880 --> 01:55:40.020
So what is happening?

01:55:40.660 --> 01:55:43.560
I will go in deeper in tomorrow's session.

01:55:44.940 --> 01:55:46.440
Okay, is that okay?

01:55:46.440 --> 01:55:49.340
I have a few labs to indicate.

01:55:50.040 --> 01:55:54.520
And I will try to get more involvement in the lab exercise.

01:55:55.180 --> 01:55:57.960
I'm not going to just explain in the theory

01:55:57.960 --> 01:56:01.800
and showing you the, okay, let me show you.

01:56:03.020 --> 01:56:05.240
Yeah, the summary, the key observation.

01:56:05.500 --> 01:56:07.940
But instead, I will try to get involved

01:56:08.920 --> 01:56:11.260
in the analysis and investigation task.

01:56:11.460 --> 01:56:15.260
Okay, so that's all for this morning session.

01:56:15.260 --> 01:56:19.080
I will, okay, hold on, let me check the time.

01:56:20.680 --> 01:56:23.300
Let me pause the recording first.

01:56:24.480 --> 01:56:30.300
So let us be back at 1:10, 1:10 p.m.

01:56:30.740 --> 01:56:32.860
Okay, at least you have more than one hour

01:56:32.860 --> 01:56:37.000
because otherwise it's too rushed for you for lunchtime.

01:56:37.860 --> 01:56:40.700
Okay, and then I hope you can enjoy your lunch break

01:56:40.700 --> 01:56:42.640
and then you have some takeaway,

01:56:42.640 --> 01:56:45.280
even though it's a bit deeper,

01:56:45.500 --> 01:56:49.120
it's more technical compared with yesterday's session

01:56:49.120 --> 01:56:51.720
because yesterday was just basic knowledge.

01:56:51.940 --> 01:56:53.700
But today is going deeper

01:56:53.700 --> 01:56:56.080
and tomorrow we're going deeper and deeper.

01:56:56.640 --> 01:56:59.740
But I hope this afternoon session after the lab,

01:56:59.780 --> 01:57:01.360
you can learn more, right?

01:57:01.900 --> 01:57:04.120
Okay, see you later after lunch.

01:57:05.340 --> 01:57:06.420
All right, bye.

01:58:14.340 --> 01:58:15.660
I'm waiting.

01:58:33.920 --> 01:58:35.100
I didn't count.

01:58:35.500 --> 01:58:39.160
Oh no, how many times did you go?

01:58:42.640 --> 01:58:45.760
One, two, three, four, five, six, seven, eight, nine, ten.

01:58:45.760 --> 01:58:47.800
So you don't count the hospital, you don't count the room.

01:58:49.480 --> 01:58:50.900
You count this room.

01:58:53.160 --> 01:58:54.600
This is four times, right?

01:58:55.880 --> 01:58:56.980
Four times or five times?

01:58:59.360 --> 01:59:01.980
It's four times, four times, four times, eight times.

01:59:04.200 --> 01:59:05.300
What did you say today?

01:59:06.660 --> 01:59:08.680
I just said I was going to the hospital.

01:59:08.680 --> 01:59:11.100
I was going to the hospital.

01:59:16.120 --> 01:59:18.720
What does that mean, you're going to the hospital for a month?

01:59:22.200 --> 01:59:23.240
I'm going to the hospital.

01:59:27.180 --> 01:59:29.560
Did he tell you to continue taking the medicine?

01:59:34.860 --> 01:59:36.480
Is there tea here?

01:59:37.580 --> 01:59:38.680
I didn't ask.

01:59:41.920 --> 01:59:47.900
There seems to be no tea.

01:59:54.580 --> 01:59:58.280
Do you want to have some rice?

01:59:59.860 --> 02:00:01.380
No, no.

02:00:01.840 --> 02:00:03.660
I don't need rice.

02:00:04.080 --> 02:00:05.040
There's too much.

02:00:08.240 --> 02:00:10.920
I know I can put it on your shirt

02:00:10.920 --> 02:00:12.800
You can put it on or not

02:00:19.600 --> 02:00:20.680
This shirt

02:00:20.680 --> 02:00:22.680
I don't know

02:00:26.980 --> 02:00:28.360
This shirt is 3.9

02:00:30.020 --> 02:00:31.560
This shirt is just 3.9

02:00:31.560 --> 02:00:33.260
I only know this shirt

02:01:03.540 --> 02:01:06.940
You don't need to change it. You can sleep on your own.

02:01:08.680 --> 02:01:10.420
Oh, I can't stand it anymore.

02:01:12.840 --> 02:01:13.640
You like to talk.

02:01:21.580 --> 02:01:27.260
You want to sit on the table?

02:01:33.580 --> 02:01:35.640
You can go. You have time to chat.

02:01:35.700 --> 02:01:41.540
I want to kiss you.

02:01:45.280 --> 02:01:46.920
What are you going to use?

02:01:53.480 --> 02:01:55.180
Then talk like this.

02:01:58.300 --> 02:01:59.920
What are you doing here?

02:01:59.920 --> 02:02:01.140
What are you doing?

02:02:02.920 --> 02:02:04.920
I am...

02:02:06.460 --> 02:02:08.140
I am going to use the cooking oil.

02:02:08.140 --> 02:02:09.140
You can use it for fried rice.

02:02:10.200 --> 02:02:10.820
It's expensive.

02:02:11.120 --> 02:02:15.900
You don't want to use it?

02:02:28.860 --> 02:02:29.380
Wait a minute.

02:02:30.220 --> 02:02:33.060
I am thinking about something.

02:02:59.160 --> 02:03:01.520
You can give it to him.

02:03:59.080 --> 02:04:00.020
I am going to continue my class.

02:04:00.320 --> 02:04:02.200
After tomorrow, I am going to eat fried rice.

02:04:06.900 --> 02:04:09.280
The sauce is weird. What do you add?

02:04:10.900 --> 02:04:11.740
I add chili oil.

02:04:16.880 --> 02:04:18.260
I am going to add chili oil.

02:05:05.700 --> 02:05:07.900
My water bottle.

02:05:08.490 --> 02:05:23.190
I don't know how to say it in Chinese, but I think it's a good way to say it in Chinese.

02:10:27.890 --> 02:10:30.690
Thank you.

02:11:30.670 --> 02:11:36.590
I hope you enjoy your lunch.

02:12:31.170 --> 02:12:37.930
I stayed there for two months just to experience the Thailand's life.

02:12:39.690 --> 02:12:42.730
I like the environment there and the culture.

02:12:42.730 --> 02:12:44.590
I like the people there.