Basic Network Troubleshooting using Wireshark | Videos

language: EN

                  WEBVTT
package. Yeah. Danin, I can see you are there. How about him? Okay, I saw you are
here. So, okay, let me try to help you to extract this. Okay, from here. All right,
that's the file that we are going to use during the training. Okay, so back to here. Okay,
let's go back to the slideshare. Okay, so now you have those files, right? Let's go
ahead and get to it. All right, I think before that, I will give you some brief
about the network troubleshooting. So maybe I want to hear about some feedback from your
side as well, because at least I will have a brief understanding on what you are doing
and what is your level and then how can I help you to understand the basic knowledge
of the Wireshark. Okay, so network troubleshooting actually for my role. I'm not really like using
the command line to Linux, but I'm mostly using Windows for network troubleshooting.
And why do I need it? Because, for example, okay, let me give you an example. Sometimes,
let's say I want to transfer money while the online banking app. So when I log in to the
app, so when I select my front account and to account, let's say, I fill in all the
information needed. When I click transfer, that's a very important process, right? Because this
money transfer process. But sometimes I can see the spinning wheel is keep loading.
Or sometimes I will see like, why no response from the maybe banking side? And suddenly
prompt, oops, the transaction fell. Okay. And then I'm the client, I'm so worried about
now where my money go on. Is that fail? But then my money was deducted from that account.
So what should I do? So normally, if I'm the one who encountered this failure, or I'm receiving
some feedback or complaint from the client, I would try to use a browser. Okay, let me show you.
Okay, so let me go to the, all right. So let's say this is the website. So if I click something
here, okay, so let me open the inspector and network. All right. If I simply type any keyword
I press enter. So you can see there are a lot of information under the tab. So I will always
monitoring the transaction here. So if I see there's an API call, clients send a request to
the server side. So I will see like, for example, this one. So I will try to click on it
and I will see the response and the payload as well, payload and also the response from the
server. Sometimes the server will just return the 200, but some server, I think most of
the server response were passing the content as well. So if let's say, okay, I'm not
able to capture any failure. I cannot get any clues from the network or just a very
brief information for me. It's not enough. So I will use some tools. I will use some
command line. I will also go to the Azure portal to check the Azure configuration as well.
So that's what I did. But then for the network engineering, I think what you're familiar
is that. So, okay, later on I will show you, but let's see what is the network troubleshooting.
So this is the process of identifying the problem and then do some analysis,
analyze the logs, analyze all the capture packets, analyze any information that you
collect from the website, from the browser, from the network analyzer tools and
resolving the issues that affect the performance, connectivity or functionality of the network.
And then, so why is it important? Because I think right now, now always everyone is
using network, right? No matter what. And now AI is very popular. So whenever we have any
questions, we will sometimes, I mostly will ask chat GBT, Gemini or any like co-pilot
tools for whatever purpose. So we are using network in every day, even in every minute.
So it's very critical for communication and data access. And so let's say our client
got some downtime or issues and affect their productivity, business operations or security.
So it's very, very serious issue is a very, very critical problem and matter. So it will help
it will cause our company to lose the money and the business. Right. And then so we need
to like be proactive to do some troubleshooting to help to prevent the long-term issues.
And what is the common network issues that we are always encountering?
Okay. For example, okay. So I will use some example, why inability to connect to the
internet or local network. So this was happened if the Wi-Fi drop, but then is it always
happened? Not really. But it will happen mostly in my case is that when I connecting
to the virtual machine or if my client is using the virtual desktop and for their,
maybe for their assessing like connection to the application that we develop. So
sometimes it will happen. And it's not only like internet drop due to the firewall policy.
Sometimes it will always do to the slow network speed as well. Okay. So specific websites,
not accessible, DNS error or device unable to communicate is always happen.
If yeah, if the connection or internet got some like latency issue, or maybe the firewall
will drop or maybe the server site has no accessible like got this 404 or 500 error.
Okay. This was sometimes happened in my daily tasks. So that's why,
that's why sometimes we use some tools to do at least some first ground of the troubleshooting.
So I think that tools, the common line, I believe Ham and Tanin will be familiar with,
right? Are you guys familiar with the common line tools and using it in your daily tasks?
Okay. So what is the normally, what is the OS platform that you use? Is it Linux or Windows
or Windows? Okay. Then how about the tools that I showed you guys before, the network tab
in the browser, the developer tool. Have you guys ever used the developer tool in any browser
like do some troubleshooting or debugging here? No. Okay. So all right. I think it's cool
because we have a different background, but I think that was reacted because if we send the
request from client side to response, that's one of the way that I monitor the transaction in
here. Okay. All right. So, okay. Back to here. So I think ping, everyone is familiar, right? So
this is to test. We send the ICMP packets to test if a device is reachable
and we can measure the response time. And then trust rock. So this is the comment
which shows each hub between the source and the destination to identify where delays or
drops happen can. All right. So for the IV config slash all, this is to view the IP settings
to display and configure network interfaces. And then NS lookup. Okay. We, for example,
if you want to get the IP address, so we will check if the DNS query is resolved correctly.
And then wild shark, I think this is our main purpose today. We are going to use a wild shark
to capture and analyze the packets deeply. But I think in this training, I will don't
spend too much time on the troubleshooting, but I will drive it to the basic usage of the
wild shark. Okay. So next state and TCP dump. All right. Okay. So troubleshooting methodologies,
I think this is quite similar, no matter who you are. So it's either you are an engineer,
any, and never engineer or QA engineer or developer. So first of all, whenever we
encounter any issues, right? Okay. Let's say crank comprend, the performance of the
application is low. So they can see, or they are not able to upload a map file to their website,
or they are not able to upload the file or download file to their machine. So we will try
to collect what is the problem in a very high level. And we will try to collect all those
steps. And we will see, is it possible to collect those logs or reports or any symptoms? Okay.
Understand when, where, and how often the issue occurs. Is it always reproducible or only
happen in their particular machine or environment or windows or what is the browser type they
Okay. So second, based on the symptoms or initial log, we are trying to, you know,
like form a hypothesis. Okay. Is the device receiving a valid IP or is DNS resolution failing
or is the wifi signal weak or could a cable report be faulty? So we are trying to get
possible causes. So for me, I will usually like form a hypothesis like maybe the
connection in between server and client is not stable. So I would at least try to
reproduce in my local machine. If my local machine is also encountered that issue,
that means I don't need to collect all those information from client side,
but it's only happened in their side. I will try to understand. Yeah. I want to try to collect
all those needed logs. Okay. And then isolate the codes. So what does that mean? Okay. This
is important to narrow down the source, like try to connecting another device on the same
network and use the tools like ping, ipconfig or our short to compare the healthy versus
a faulty system. So do a comparison and check logs from router or firewalls.
And then once you are able to get some clues, so we will try to implement a solution,
maybe, okay, let's say restart the routers or switches or reassign the IP address
or if the hardware issue or cable issue, we can repress or change it
or adjust the file rules or DNS setting. All right. And then verify the solution. We need
to make sure is the issue has been resolved. Can the user access to the internet? Is the
performance back to normal or are the services responding properly? And then the final one is
document and prevent future issues. So this is very important because we need to record what
happened and how it will fix, what is the root cause and what are the lessons learned.
So we can implement monitoring tool or alerts or plan for redundancy or improve the
Okay. So that is the basic ideas of the troubleshooting.
So I won't go into the deeper level for this, but I will jump into our Wireshark lesson now.
All right. Okay. So I think first,
so let's just talk about why you are here in the first place. So I think since you are using
Wireshark tool every day, right? So Wireshark can be intimidating. So when you are looking
at the network traffic, it doesn't really matter what you are looking at. It could be
or maybe even you are using Wireshark to investigate the cyber security incident.
But when you trigger the Wireshark, for example, let me open it.
So you can see the packets keep increasing, right? So it's intimidating. So it's very
capture to analyze all those information with the 6,000 records here. Okay.
So when you are looking at the network traffic, it doesn't really matter what
you are looking at. It could be troubleshooting network problem, right? Like what I said,
could be a cyber security incident. So we capture a lot on the wire, but there's
a lot whipping by like few thousand, 6,000 within just maybe 10 seconds. So it's easy
to get overwhelmed. So even with a simple screen as like you see just now. Okay. So
here's a lot going on. What the protocols matter and what filter do I set and what
I really hone in to find the source of the problem and even get the proof of what happened
during an attack. Okay. So before we jump into the course, I want you to open the pre lab.
So right now we are here to do in this course to make Wireshark more accessible to you as a
tool in a toolbox that can help you to troubleshoot and investigate incident faster.
All right. So later on, I will need your help to open the pre lab. Let me show you.                

on 2025-04-22

language: EN

                  WEBVTT
All right, okay, so that's already open. All right, so before that, okay, I want you to
like have maybe some heads up. Okay, who should have it in their toolbox? I mean,
who should learn about Wireshark? Who should have a basic understanding for Wireshark?
Well, from my understanding, from my perspective, the short answer is everybody.
Doesn't... Sorry? Yes, yes, that's correct. Because it doesn't matter if we are
coming from the network side. So you can see network operation, or maybe
entering an even help desk role, like support role. And then, okay, some
security operations, DevOps. Do you know who are the DevOps engineers?
Have you even worked with DevOps engineers? No? Okay, so maybe my current role is a
hardware engineer. I always deal with different operation engineers, including
DevOps. DevOps is something like, okay, for example, we are using the Azure
portal, that is a Microsoft portal, for our software development website.
Okay, so whenever we want to deploy the software development application to
the website, I mean, to the publish, so we need to deploy the build. We need
to have some configuration to do the continuous integration, right? So that
is so-called DevOps. They are the ones who are doing all the configuration in
the Azure portal, including like the pipeline spill, the continuous
deployment settings, continuous integration settings, starting from the
build deployment until the end, deployed to the client machine. That's
that means all the operation engineers should learn. No matter you are the
security and the SOC analysis or threat hunter, absolutely workshop is
something that we want to learn. Okay, so I'm used to be a developer, I'm
used to be a tester, I'm used to be a network analysis for the NDR's
product, so I also need to learn about the workshop. So we are developing
or testing application for the use over the network, so it's very
important for us to learn the protocol analysis, then doing so with
workshop. Okay, so this is some main idea and key concept of what is
workshop or network troubleshooting skill and who should learn it.
All right, back to the pre lab. So I want you guys to open it. I'm
entering your desktop now. So I will able to open the pre lab.
Let me see. Okay, you are there. All right, I want you to spend
few minutes, just few minutes, okay, maybe five minutes. To go through
this picket file. Take a look at this first example. So from the title,
we can see this is pre lab slow network picket file. So that means
this is a packet file to record some transaction with slow network
problem. Okay, I'm going to tell you a little bit about the problem,
but friends, I would like you to take a look at some of this traffic
place and then just get an overview of what's happening in the
packet. Okay, so later on we are going to work through what was
the problem together. Just few minutes, maybe let me check the
time right now. 9.47 maybe 9.55 then we can discuss together. Okay,
I will mute the audio right now. So let's take a look and understand and
then maybe Tanin and Ham, you can try to share your ideas later on and
then we can discuss together.                

on 2025-04-22

language: EN

                  WEBVTT
Okay so I can see your desktop so please double check the time display format is the one that
I selected here second since first capture packet. Okay good. So okay this is actually
this is a default measurement of time that I just want to make sure we are absolutely on
packet page. So I believe I've always selected this selection and I want to see my running total
of time. So it's like I start at stopwatch at first package 0.0 and then as the packets come
in I can gradually see those came into to our other packet. So in total how much time of
actually I can put it in here 156 seconds. Okay so this is the total time that's spending
in this conversation. All right okay so let's jump into here.
Ah okay but before that can you help me to um maybe
okay maybe we can do it later. No worries we can do it later. So from here first packet
I'm seeing our client send us in request and then with the HTTP GET and then server responded
but inside here I can see client send another GET request we ask the client is sending
to this sls-client-opportunity.asps file for whatever that is in that application but
I think right now it's not very important. Let's see the client connected over the TCP
and able to send the request to the server but did the server get the response?
Did the server get the response? Okay let's see. If we look at the packet number five
why is continuation? What is that means? Actually this is a continuation packet that
means the packet size limited during capture so that means the client the request from
the client was so large so it will span in two okay it will span in two
packets. It's not uncommon to see but sometimes a GET is so much in it
okay so there's a lot of information and from the client to the server so it just simply
spans more than one packet going from the client to the server. Okay let's go down to
this packet six so I can see the server got the response server got the response with the
knowledge all right so if I got it I come over to the link here is the link it's just a 60
wow okay that means it's a very small packet coming back from the server is it full enough
no I don't think it's a full response just yet because the server may be saying I got
but wet how long do we wait okay so maybe some notice that um okay let's continue
in the next packet we can see 20 seconds right 20 seconds to receive a packet so that means
how long do we wait is wait until 20 seconds 20 seconds quite a lot so what does tell me
I think that three will handshake work pretty quickly or at least 100 millisecond
network latency but this get was enough to the server it takes 10 20 seconds so from
the previous packet you can see the maximum was only 201 218 milliseconds
and the minimum one is just 105 milliseconds but right now I can see in the packet number seven
eight stacking how many seconds 20 seconds in order to send the response back to us
okay so that was tell us the response was um slow the response was slow from client
to the application sorry from server to the client okay so that means there was something
wrong something wrong in the server side so this is something that I can take a look
and understand what's happening in the packet file okay so for the rest of the um packet
I won't describe right now because we have a first lesson to brief you to about what is
the information in the bottom left corner and the middle pen okay so I will not like
go into a deeper for this pick up for this moment and just get you to warm up to show
some of the things that we can determine at the packet level and maybe stir up some of
your assignment okay so all right so I think okay let me open the camera I want to
uh
all right so I'm not really familiar with um yeah bear with me
okay
okay so from the pre-lab I hope you guys can get some ideas on how
do we know have a first look on the packet file but this was a lesson I think in the
let me think I think maybe we are going to discuss in very deeper in the third day lesson
first day and second day we need to understand from the beginning because
this is a basic training from the very beginning on how to install the virtual
what are the default interface and how do we look into the color um
color filtering and do some filtering color ruling do some filtering on narrow down the
analysis so so on so forth okay so I think let's have a 15 minutes break before we jump
into a first lesson I think first day I don't want to make it very tight schedule
I yeah let's have a short break before we continue into the first lesson is that all right
okay so Alex I'm not sure is there a music or timer in the zoom
okay okay so there's no music like teams we can just launch it no okay all right no worries
just take a short break I think because first day first lesson we are yeah we'll get a bit
warm if we continue yeah talk too much into just the first session all right see you guys
later yes I will launch a timer I will put in the chat see you at 10 30 all right see you
guys
You want to drink some water?
No, I don't want to drink it.
What do you want to drink?
I want to drink it like you do.
No, don't disturb me.
Hello, we are back.
Alright, so I hope you guys enjoy the short break and have a drink, have a water.
Alright, so I think before we go to the first lesson, I want to make sure that my speaking is not that fast.
You are able to catch up what I'm saying.
Or is it too fast for you to understand my talking?
Okay, that's good.
Okay, let me adjust my speaker.
Is it better now?
Okay, thank you.
So I think my first lesson is about starting from installing the workshop from the beginning.
So maybe we go into the first lesson.
I want to have more interaction.
So at first, you both introduce yourself as a network engineer.
So maybe one of you, each of you can take like two minutes to maybe let me know who are the team players?
I mean, who are you working with?
I'm working with software engineers, task engineer, developer, developers, security ops, any product manager, project manager, business analyst, product owner.
So for me to understand what is your daily task and understand like what are you doing every day.
Maybe just a high level introduction about your job.
So who want to raise your hand and go first?
Clients.
So do you have any application?
I mean like software, website, or desktop application like install, for example, Microsoft Word, Office.
So whenever web browser, web application, for example, Google.com.
Or do you have any website or application that used by your client or only internet issue?
So you are not the one who set up the environment, but you are the one who like need to do some troubleshooting on any network issue.
So typically like mostly what are the issues?
Maybe you can give you one example.
What are the common issues that you found in your regular job?
Just any one example of your problem that you mostly encounter from the client side.
So whenever you have some clues after your troubleshooting.
So who is the one who need to communicate with?
I mean you collect the logs, packet files, and do analysis and found some clues.
So able to found the solution.
So are you the one who just fix it and then who need to report to or are you need to communicate with your client?
Or do you need to do a report?
Okay, I see. You are the one.
Deal with client, solve the issue.
I mean collect the issue, solve the issue, and communicate with client.
Okay, I see.
So maybe I can share some demo from the software application perspective.
I'm not sure if you guys are interested to know.
But at least we can integrate with Wireshark to know what we normally do from there.
Let's back to our presentation slide.
Let me minimize.
Hope you don't mind because I just feel some eye drops in my eyes because I cannot really always open it.
So I will turn off the camera sometimes.
So are you guys able to see my sharing screen?
That's good. Let's proceed.
I like to see your face.
So I'm opening the gallery mode.
So first lesson is about the introduction to Wireshark.
I will try to speak slowly.
I hope I'm not too fast. If too fast, just rest your hand or shout to me.
So we're going to talk about how to successfully capture network traffic.
Because if you don't capture it well, you can't analyze it.
So this is the first lesson we're going to go through in the morning session.
So these are the things that I'm going to discuss and share with you.
First, we're going to learn how to install the Wireshark with some default settings.
But some command line trees as well if you are also using it.
And where and how on the network that we should capture the packets.
And then the first packet that captured maybe just some very high-level introduction on the first packet that I'm capturing.
And then the ring buffer that I'm going to share with you on how I collect the log files.
And also some best practice guidelines when you are doing the packet capture.
So before we get into the packet reads, we first have to install the Wireshark.
So I've already installed it for you in the virtual machine.
And I believe because you're the one who uses the Wireshark in your daily tests.
So you're very familiar with the installation.
Just in case you want to look at some extra features that get installed along the actual user interface.
So this is the first lesson it's all about.
Let me copy and open it.
So this is the Wireshark official website.
May I know how often you are using the Wireshark official website to go to ask a question to the developer or go to the documentation or FAQ?
Do you guys go through it in very deeper to get some information while you are doing your daily tests?
No? Okay.
Alright.
So from here actually we can get the installer.
If you want to download it, you can see there are multiple types of installer.
So for Windows, normally I would choose the first one.
So I already installed it in my local.
So I will drive you guys through the installation.
I need to close it first.
Now done.
This is already installed in my machine.
Nope.
Alright.
Where is my Wireshark?
Okay, here.
So just now I downloaded the .exe file.
So now I executed that file.
So it comes down to install the Wireshark.
This is the first UI that you can see.
Oh, it cannot be enlarged.
Okay, never mind.
So this is the installer and the first UI that you can see.
So let's go to the next and agree on the license agreement noted.
Okay, next.
So normally the components that to install, normally I will use the default one.
And you can just go into the next page if I just hit the enter.
But if you expand the tools in here, right?
You can see some other tools, the extra tools and with the command line tools as well.
But I'm not really like use the command line tools in my daily tasks.
So normally I will just skip it.
But if you are familiar with this command line tool that is helpful for you, you can also install it as well as this T-Shark.
Okay, so have you guys used the T-Shark as well?
The terminal shark, this one?
Yes or no?
Okay, have you guys ever used the T-Shark too?
Okay, so normally you won't install it.
How about the command line tools like edit-cap, merge-cap, texture-pcap and the components?
No, okay, so you just use the default one, yes?
Alright, so let's go to the next.
And okay, because okay, let's see.
I think already installed, okay.
So I'm not able to check this install mpcap because I already installed it.
Currently installed version is 1.79.
This is very important.
I have to highlight this because this is the actual packet driver that collects the packets from the wire.
So this is very something that is important to know as well.
We have to install it, otherwise we are not able to capture the packet successfully and properly in the wire shock.
So go to the next and then click install.
So for this one, it's up to you.
Okay, it's optional, right?
So I won't click install because I already installed it.
And this is just to tell you about the installation that normally did by the common user.
If you have extra components that you are going to use like the one that I mentioned,
a list of extra components that you normally use, then you have to manually check and then install it.
Okay.
So once you have installed it, let's launch a wire shock.
Okay, hold on.
Okay.
So let me launch a wire shock now.
Okay.
So now we have, all of us have the wire shock downloaded, right?
So let's go ahead and collect some traffic off the network.
And go ahead and file our wire shock and let's get to the first packet capture.
So you can see that is the history PCAP file that I opened before.
And here are the interface.
Okay.
Here are the interface and the protocol that bound with the protocol driver.
So normally what are the interface that we are going to choose?
So may I know what are the interface that mostly you are analysed on?
Is it Wi-Fi or LAN?
Okay, LAN because you are using the company office, right?
Okay, understood.
So, okay.
So there are a few options here.
If let's say, okay, if let's say here I didn't have the USB connected so I cannot see the USB interface.
But if you have the USB device connected, you can even see a USB interface.
Have you also traversed or analysed the USB traffic?
No, only the LAN.
Okay, okay.
So USB is one of my, I think one of my interface that I use before because like for example,
if we trying to, I'm the hacker.
Okay, I'm the hacker.
I want to spread the wires to the client side.
So I purposely plug in the USB and then download the wires file.
Maybe just a text file, zip file, whatever file.
And then download it to the local machine.
So that is something that I need to try and test it.
But here I didn't plug in the USB so what I can show is the default one.
Wi-Fi, Internet, LAN, whatever.
So normally I would choose Wi-Fi interface because my wires was enabled.
Okay, this is something that the interface that I could go ahead and capture on.
So there are a few options.
As long as you know what other interface and which interface has utilization,
just go into the closet and then we will get some bit information coming in.
All right.
Okay, so let's open it.
Okay, so as you can see, I mouse over to the Wi-Fi interface.
So I can see this is my information, right?
So my IP address is here that you can see, no capture filter.
So let's double click and it was starting to capture all the packets.
So wow, a few thousand is going on and on.
So let me install it.
I think I need to end.
Hold on, let me end the slideshare because I cannot really click on other ways.
Okay, so I just stopped it.
I just stopped the capturing.
So if let's say I reproduce the issues that encounter in the client side,
I'm going to save and give that a file name.
So let me try to do it.
Okay, so I'm selecting as pcap-mg file.
May I know, are you using other file extension as well?
Except apart from this pcap-mg.
What are the other types that you use?
Are you using other options for the file extension as well in your daily job?
Yes or no?
Oh, you are only saved as the pcap-mg file.
Okay, all right.
So let me quickly save it.
Intro.
Okay, let's save it intro.
So from here I can see I already saved it.
Let me go to the desk.
Okay, so this is the packet file that I installed.
So it's just a very simple.
If you only select as a pcap-mg, you just save as and then select a type that you prefer.
So this is the standard pcap-mg file.
So if you come down to netmall, novel, land analyzer.
So this is something that is not a common one.
It's not a popular one.
All right, this is the first packet with Wireshark we already captured.
Okay, now on the other note, before we go to the next part of our training,
I want to show you some of the capture options.
Okay, so let me share the...
Okay, so this is the capture option that I'm going to show you.
All right, here.
So, okay, all right.
So this is the capture option.
You can see all those inputs.
This is the interface that we are seeing in the first UI.
Okay, so just now I selected Wi-Fi.
This is my IP address of my host machine.
And normally when I'm doing the capturing,
so I will always look into the capture option first.
Okay, you can go from here, capture options,
or this is the little icon here.
Send, access.
So this is a little gear which is the capture option.
All right, so just now I mentioned if you have plugged in the USB,
you can also see USB interface showing here.
So if you have another USB option, you can also see different...
I mean, connected to the client or endpoints that install the workshop,
you can see different list of interfaces were showing here.
Okay, let's go to the output here.
Okay, I'm sharing with you about the...
Okay, so just now I set the packet file as intro.pcapmg.
So this is the only one file that I'm capturing and storing.
So let's say I want to do some configuration before I capture the file.
And if I want to monitor over the time, all the time, right?
For example, two hours, three hours.
So if the file getting larger and larger,
it will come to one gig, two gig, three gig, and even 10 gig and 100 gig.
So what is going to happen to my storage, right?
So it will be crazy big, it will be crazy huge.
So this is something that will not happen in our client side.
They will comprehend I cannot use my machine because my local storage already bombed.
Okay, so normally I will use...
Okay, let's say let me choose a location.
I'm using test.
Let's say I'm using test as my file name.
I'm selecting pcapmg.
So I click this, create a new file automatically.
So I can select different option to capture to a permanent file.
Let me end the screenshot.
Okay, here you can see this is a ring buffer, right?
Have you used ring buffer for your capturing?
No, okay.
So maybe this is something interesting for your information.
So normally before I capture the file, I will try to select a location.
I will fill in the name.
For example, it's Tesla.
Then I will try to enable the ring buffer and then fill in some information here.
Okay, because like I mentioned, I don't want to capture a massive pcap.
I don't want to make my system crash and fill my hard drive.
So the ring buffer is very important.
I want to point your attention to.
So what is ring buffer means?
So that's I'm going to share with you.
So for example, I want to store my test pcapmg as 20 here.
I increase to 20 from 2 to 20.
And then I'm going to get this 20 files total of 500.
Okay, let's say 500 megabytes for each.
So that means after the 20th file, that means 21 onwards,
I'm going to go back to the first file and override the first one.
Okay, you get what I mean?
Okay, for example, in this location, you were going to have test 01, 02 up to 20.
And then started from 21, test 21, 22, it will override with 21 with 01.
So I will only always see 20 files with one 500 megabytes for each.
So in total, it will only allocating 10 gigabytes of my hard drive for packet capture.
So that's the ring buffer means.
So as soon as so let's say for file one, as soon as it gets to 500 megabytes,
it will write the next one file 02 and file 03.
So 500 megabytes for each file size in total will be 10 gigabytes.
Okay, so this is my I think this is one of the advantage for long term capture method
because if you are going to monitoring some not always reproducible issue,
for example, the network latency slowness or application slowness,
you are going to digging into the file.
But then sometimes that problem will only happen in different environment.
So this is one of the way that you can use.
Apart from after 500 megabytes, this is focused on the file size.
You can also select this one or you can have multiple choice.
If let's say I after say it's too much for me after let's say 10,000 decades,
it will go to the file two.
So after particular session or one minute, you will go to file two.
So that will depends on the option to create the ring buffer.
I mean the repeated file.
All right.
So normally I will use the file size instead of packet amount or the duration.
All right.
Let's say.
OK.
So I won't show you.
I won't show you the result at this moment.
We are going to proceed.
All right.
So later on, once I have the result, I will show you in the letter moment.
Let's back to the slide share.
OK.
So I'm not sure whether it's helpful for you.
But I think this is the extra knowledge for you guys to know.
Don't feel your hub drive, especially the client side.
If clients like compran, they can't use because the system crashed due to the file package that you captured.
And it will be a serious problem.
OK.
So next, I think you guys are very familiar with the OSI model.
Because this is something that we are going to analyze in a workshop.
OK.
For example, for example, let me stop it.
Let me open the pre lab.
OK.
So just now, we realized that this is the scene packet that's sending by client to the server.
So we can see we have the frame one, layer two internet and layer three IP, layer four TCP.
So if we have the TRS, we have also this one, the layer six.
OK.
If we have HTTP protocol, we have the layer seven.
But we are not capturing the HTTP packet in here.
So these are the layers that we always analyze to.
So I try to make it as simple because for me, it's very hard for me to even understand and always memorize the layers.
OK.
So it's very interesting words.
Have you heard about this word before?
We have seven layers.
P, D, N, T, S, P, A.
So have you heard about please do not throw sausage pizza away to memorize the order?
Have you?
No.
OK.
Because I can't even remember the capital letter.
So please do not throw sausage pizza away.
So this is a very interesting sentence for me to understand.
And I try to use an example, a real world example, to understand what is the application, presentation and each layer means.
OK.
So I give you an example.
So imagine you're sending a handwritten letter to a friend in one city.
So in Bangkok, for example, to Singapore.
And here how it works step by step.
So this is it.
And I try to create a column for computer network example and virtual example for me to understand well about the layers, the OSI models.
So I hope it help you guys as well.
So for imagine, OK, what is the application?
If let's say I try to browse the example dot com in the Chrome browser, Chrome browser and each browser is a very common browser that used by the client.
Right.
So this is application layer.
And in the real world example, this is the letter.
I want to write a letter to my friend.
OK, this is a letter that I'm going to use.
And then workshop is on board.
What is that means?
So for example, I'm using the HPE protocol.
I'm going to see the HPE layer.
But if I'm not using the HPE protocol, like I'm not included using the HPE as I won't see this in the workshop when you click on the particular packet.
OK.
So what is presentation means?
So if let's say I want to write in English, I want to write in Chinese, I want to write in the language as well.
So this is the method that you are trying to form your letter for your friend to understand.
And here in the computer, I'm trying to use HTML, JSON, XML or encoded data.
So if I'm using the encoded data, that means I'm using the HTTP as encoded protocol.
OK.
So I'm able to see the TOS layer that I'm sharing you guys in the workshop.
I am able to see this layer 6, TRS.
OK.
What is session means?
Like the active session.
Are you going to send your friends a letter weekly, monthly or yearly?
So this is a session.
And then what I'm understanding session actually is the one that I'm always using in the browser.
OK.
Let me show you one example.
OK.
Just now I'm using example.com.
OK.
Let me try to since this is not the OK.
Never mind.
So normally I'm using HBS.
Maybe I'm using this one.
Let me see.
OK.
So you can see I'm getting some information in the headers.
If let's say I'm going to send a client request, click a button to this session.
And this is the encrypted HTTPS protocol.
I need to get the better token in this active session.
If let's say I close it.
OK.
This session will gone.
We're gonna.
And if in the back end I'm trying to send.
OK.
Let's say I'm using a tool automation.
I write some script.
I'm using a postman tool.
For example, I tried to use a postman tool to send a request from client to the server.
But that session already closed.
Am I able to connect to the server?
No.
You would definitely know.
It needs to be open and have an active section like what I'm showing just now.
You can get it from the F12 or right click inspect in the browser.
Go to the network.
You will see a lot of conversations there.
It's huge.
But just click on the one that you are going to trace in.
So you will see at this section.
So in here we are actually session is part of the TCP or TR session.
You won't show in the workshop.
OK.
So transport layer.
So I try to divide the letter into pages and number them.
Number one, number two, number three.
If I have three letters.
So just imagine TCP.
I'm going to using like TCP port.
So inside the workshop you can see here.
TCP.
Let's say the first one.
OK.
I will see the port number.
I will see the destination port number of my either server or client.
And I will see some facts as well.
And whether this is the SYN, FRAG, ANALYZE or whatever.
So ANALYZE number, next sequence number, row sequence number or relative sequence number.
That will be helpful for our capturing and analysis.
And network.
So what is your address of a friend?
What is your address for your sender and recipient?
So just now my IP address is 102.
So this is my host address.
And I'm accessing to NeverSSL.com.
And this is the destination and IP address.
So this is the IP address of recipient and sender.
OK.
And the data link.
So this is the ARP and the Ethernet layer.
So this is a MAC address.
And the switches.
OK.
Let me show you.
OK.
Here.
Here.
OK.
Normally, the destination MAC address would be the router or switch MAC address.
So if I'm going to understand.
Let me have a demo and MAC this a bit.
I'm not really open to use this network comment unless I encounter some network issue.
So for example, if I'm going to know what is my MAC address.
Normally, I'll come to here with the wireless or Wi-Fi keyword.
And this is my physical MAC address.
And this is my IP address.
But if I want to know what is my router address.
And this is the comment that I normally use.
So you will see here.
All right.
Because this is not captured from my local.
So you are not able to see the MAC address exactly match with my comment line.
But just for information, this is the MAC address for your endpoint.
That capturing wire shop packet and the router or switch MAC address.
OK.
So that means the POP office address sorting backwards.
For example, you are sending to Singapore or you are going to send to your bank code.
So you will know the postcode.
So physical.
Which server transfer are you going to use?
It's whether by truck, plant or extra extra.
So in the computer network example.
Are you going to send over the cables or Wi-Fi?
So here.
Actually, I'm not really like looking into the first layer in here.
I'm not really like for kind of use.
But then from here I will I will try to understand.
For example, the capture length.
And what is the.
For example, this one.
So capture length is 74 bytes.
And this is the number one packet.
And time.
Another thing that I'm usually looking into is the delta time.
From the first previous capture frame or the first previous display frame.
And what's the arrival time as well.
So this is something that I'm looking into the first layer.
But sometimes and mostly I won't use frame one for my analysis.
I will go in directly into the TCP or IP layer.
All right.
So that's basic information on the OSI layer.
Any questions or any interesting experience that you are going to share?
If no, then we are going to the next slide.
All right.
So I think this one you are more familiar with me.
Where to capture on the network.
Before I jump into the next slide.
Maybe.
OK.
OK.
Maybe I share you guys with this.
What is the definition of where to capture?
Maybe you can tell me where to capture.
It's in the endpoint or it's in the network or using workshop.
But here what I mean is where to capture on the network.
OK.
Before I explain my understanding and my knowledge.
I hope.
Yeah.
Maybe Ham or Tanen.
You can share.
Based on experience.
Normally where you put the workshop.
Where you install the workshop endpoint.
OK.
Here the current site.
So let's say imagine.
Hey Ham.
Current A got a problem.
It cannot load the page.
It keeps loading.
So after click a button.
So where how to capture the packet.
So you will normally install the PowerPoint in the client side machine.
Is that what you mean?
OK.
Good.
How about Tanen?
OK.
Are you in the same team?
Are you the same team members?
Oh no.
But most of the ways that you are capturing the packet is more or less the same.
OK.
All right.
No worries.
Back to the site.
OK.
This is just a very simple diagram of a network.
I'm going to show you like what is the.
Common way or better way of the best way to capturing a sorry to install the workshop and capturing the traffic in the network.
So just I mentioned normally you will you will install the endpoint and workshop in your client site endpoint the machine right.
So this is the I think this is the easiest way.
Normally I would use as well.
You will use you will install the workshop physically on that device and you keep capture and you stop it.
And you are able to collect the packet the p cap file is very quick.
Even though it's dirty but it's free and easy.
Right.
So however there are some downsides to Louis to doing this.
Have you think about this.
This.
What are the downside if you install the workshop in our endpoint you know what is the limitation or the bad things.
If you install the workshop in the endpoint site.
OK.
All right.
Never mind.
OK.
For example what I experienced with my clients that previously I know some of my clients are from a huge enterprise.
Maybe for example for example Panasonic.
They have the like more than a few for example 30 companies in close countries.
If they are in point they are using a very very old OS platform which are not which are already obsolete that are not maintaining at all.
For example Windows 7 XP Windows 8 whatever.
Or they are using very less RAM memory for example less than 80.
Just forget.
Crazy.
So in that very bad environment they will always encounter some network latency issue.
Right.
Because less resource.
So if I still install the workshop to capture the packet in the environment it will load adding the load to the client that's already loaded down.
So this is one of possibility.
So this is something that we want to consider.
But I think when I'm consulting and helping people to fix their problems this is one of the common option that I might use because at least out the gate and until we get a better idea on how the application is running.
So normally I will still install the endpoint in the client side.
But what would be the more ideas to actually capture a packet from the network somewhere is from here.
So this is the second one of the best way to do that is congregate a span port of a switch or router.
For example when I install the workshop.
What is span means?
Span means for the switch port analyzer.
It's a feature on many network switches that allow you to monitor network traffic just on that particular traffic path.
So you won't see anything unless you are part of the conversation.
It's a specific device and in the particular network path.
So with a span port you can tell the switch, hey, I'm able to copy all the traffic from this port to all multiple ports with this end point and then send over and copy all the traffic conversation into here.
So I'm able to see all the copied traffic from the selected ports that's super helpful for troubleshooting or even the security monitoring.
And what is the downside?
Actually this, even though this is a better way, but span switch will also be loaded with other traffic.
So this is something that we need to take into consideration.
So this is so-called, we always call it over-provisioning because we are given more to the span port that span port is able to handle.
So what are the consequences?
It might make the span port to get too busy and keep up with the total traffic stream.
So it will cause some of the packets might get lost and maybe will cause some of the packets need to be retransmitted.
So this is more problem will be capturing.
So another best way is to buy a tap, but this is the best way, but it is not free of charge.
It's the most expensive option because the taps are free.
It's a physical device to install in here to break the connection somewhere along the way that allows you to just
like into the feed that send it over to a laptop or server that's running the wire shock.
So I won't say which method is the best or worst because it depends on the requirement.
I can even install a tap in the virtual tap in the cloud or server, or I can install the wire shock in the server.
Let's say here from this example, I have three servers, one, two, three.
If I'm going to install wire shock in each server, that means I have three wire shock in different servers
and I can always like capturing all the clients, like a few thousand clients, traffic to this client and this server A
and what is the downside? It will cause the server A overloaded as well.
So honestly, tap is the best solution, but it's charged.
So span port is the second option, but it's also overloaded span, so it depends on the configuration.
And one is the quick and easiest way is to install into endpoint.
If your endpoint machine is not like using the obsolete or not maintaining OS platform,
the resource, the hardware spec is still quite good enough.
So that's something you have to consider.
OK, all right, so let's go to the next.
I won't, OK, I won't go into deep in the network traffic,
but just give you some information on normally where the wire shock installed in.
All right, first package, we already captured the first packet, right?
And what is the best practice? What is the best practice or guidelines that normally you use?
OK, before I review the next slide, maybe show me some idea, some idea.
What is your guideline on capturing a packet?
Or what is your best practice like, hey, please be highlighted and be noted.
Normally when capturing a packet, you have to do this, you have to be aware of this,
and different notes you have to be aware of.
So share with me what is your guidelines that you are normally following with.
Any best practice you're going to.
OK, how about turning maybe you have some.
OK, so normally the client side are actually not the I mean, not having a heavy traffic, right?
Just a small packet.
Normally how many packets that you are normally analyzing in a PCAP entry file.
Maybe let me know the packet size.
Then I have I will have an idea about 100 or more than about 100.
OK, so it's not that huge, but not that complicated environment.
OK, so let me go into the next slide and you will know.
OK, let me back into the slide.
OK, here.
I'm using the word capture filter at start, but I don't I'm not going to explain what is a capture filter in deeper right now.
Maybe just a very high level explanation for this capture filter is one of the filtering before you capture your traffic.
And we can try to narrow down and specify which port, what IP range or what is a protocol you are going to capture.
So it will limit the packet size for your PCAP entry file.
So why I said don't use a capture filter at start.
Do you know why I'm not recommended this?
Any any ideas why I'm not recommended to use capture filter at the first beginning?
OK, how about Dunin?
What is the understanding about capture filter?
Why I don't recommend to use it in the first start?
OK, all right.
OK, let me explain it to you.
OK, let me cross it here.
So let me start capturing.
OK, so when I start capturing, you can see the packet size is keep increasing.
Now, 10 seconds, 11, 12.
So you're already up to 6000.
So let me stop it.
OK, so let's say.
I'm opening capture filter.
So this is the default filtering.
I'm not modifying yet.
You can see it will capture best on the filtering rules here.
OK, so I'm not limited with 443 or I'm not limited at port 0 only.
I'm capturing with all the traffic by default.
So I can see UDP.
I can see TRS and I can see what?
Let me see.
No, maybe I'm not triggering something.
OK, so I have different protocol.
OK, so I can.
Let me see.
So let's say, OK, let's say from here, I'm capturing 6,680 packets.
And then I'm filtering TCP.fragstats and knowledge equal to 2 or 1.
OK, let's say 1.
So my display packet is reduced 3000.
So I only have 3046.
It's not more than 50%.
So I'm only able to see 3000 means it reduces the size of the packets.
So it's easier and quick for me to analyze.
But this is the display filter.
This is not the capture filter.
So if I remove it, I can see 6,680 packets are displaying here.
It's a whole lot of packets, right?
So I want to limit the size.
I put in some capture filters in here.
But let's say if I put the wrong filtering, if I put the wrong one,
I specify it to somewhere.
And then I'm not able to see UDP.
I'm not able to see TRS or even the HTTP.
For example, let's say I might miss out some important packets.
I might not able to.
OK, for example, I just want to look for a certain IP address,
certain port number or certain application.
And I'm taking a guess as to what we think the problem is.
I guess, oh, maybe 20 seconds is the one in the pre-lab slow network PCAP file.
It takes 20 seconds because the packet size is too huge.
And it's split into two packets.
And the client takes 20 seconds to respond to the server.
So I guess, OK, if the network connection is not stable, there's a latency issue.
So I try to narrow down the capture filter to what I assume.
OK, for example, I'm having a problem with web pass application.
OK, just show me only HTTP.
But what if I'm using HTTPS?
OK, that's the way.
OK, let's say, OK.
So for example, I am OK.
I'm using HTTP never SSL.com as a sink here.
OK, let me stop it.
And OK, capture again.
Stop it.
I'm still seeing the protocol with TRS.
I'm able to see HTTP or not? No.
So this is something that is not matched with what we expect.
So we will miss out a lot of packets that are important.
If the traffic being dropped by the network, let's say, because the packet size is too huge.
And the client getting ICMP message back from the switches and routers telling me of a problem of the network.
Well, but I'm able to capture the packet only for HTTP.
So am I able to see those packets in the capture file? No.
Right. So because I already made an assumption on what I thought on the application was.
But in fact, it was a different port or it was a different conversation.
Use different protocols in both different protocols like ICMP, HTTP, TRS, whatever.
So on and so forth.
So as a best practice, I don't want to use a packet captures or capture filters at the very beginning of our dress.
Unless you are very, very confident on what are the port application IP that you are going to capture.
OK. For example, in the server side, I only want to capture the packets from this machine.
I mean, my machine with the IP address one zero two.
So I can I can just put a filter that fix the limit, the packets from the IP address.
But if not, please don't do it.
OK. OK, so second one capture on client end.
OK. Why when we begin capture, we want to start by capturing on the client side.
That's why I said that a lot of downside, right?
If your client and points is already overloaded, you will the wire shock capturing traffic will add the load to the client.
But then why now I'm saying, OK, we begin capture on the client side.
OK. Maybe you can guess why I'm.
I'm saying this. Any ideas trying to no brainstorm.
OK. Let me OK.
Go ahead. Yeah. Yeah. Yeah.
OK. Yeah. You get the right answer.
So I give one example. OK, let's say let me think.
OK. So one of the reason why we want to start this start on the client side is because, look,
these things can get very large packet captures can get huge.
Right. So we want to have things be as simple as possible.
So if you are beginning to troubleshoot an issue, you can just go ahead, go to the client, particular client that you know.
Who is encountered a problem, which end point are having that issue and have them shut down everything.
For example, you can try to their own issue by cross out the mail, cross out the browsers, cross out that streaming audio or that podcast that they are listening to.
Or you want to add more static or more background noise to important packets that you are going to looking for.
OK. So look, this is already hard enough because you want to make it less hard on yourself.
Right. So we can start on the client side.
So once you start on the client side, you can get a good picture of what system does the client communicate with.
So, for example, OK, let's just talk to DNS space or does it go and talk to an authentication server?
For example, just now I show you the network tab. We do have the active section.
If that is using HBS protocol, it will have authentication token.
Is the client using a valid token to communicate with the server?
Or does it go to the cloud or does it go to our local data center?
So we are able to determine that by starting out looking at the client to see what the system actually communicate with.
So that's why I strongly recommend to use a ring buffer for long term capture.
So this is one of the best practice.
OK. Do you still remember what is the ring buffer is?
OK. Maybe share with me on what you understand about ring buffer.
A ring buffer actually just imagine is a repeated storing mechanism applying to the rules here that you configure with.
And you will override the file started with the number one numbering.
Yeah, up to no. This process that I already fixed.
So you won't fill up the system drive.
You won't make your client platform crash.
OK. It won't make the file size become huge until it's very hard for you to troubleshoot on.
OK. Get it.
All right. So come back to here.
So OK.
So I highlighted for long term capture.
But if this is a quick capture, don't need to use ring buffer is fine.
But if the long term capture for monitoring in specific problem that is not always reproducible,
very tricky problem that only happen in specific environment or network or resource.
So just use ring buffer.
OK. Because of you don't have a clear picture on exactly when the problem occurs and what time.
Yeah. And then we are not able to reproduce on our environment or our team members environment.
So make use of the long term capture that I show you just now that is ring buffer to collect traffic over time.
So doing so, you can collect smaller files instead of one huge file that we have to dig through later.
OK. All right. Next.
Make sure the problem happens while capturing.
OK. What is that means? Maybe any one of you can try.
Make sure when you're capturing the problem is happening. Is it possible in the real case?
OK. OK. So I think this practice.
OK. For example, I give you one real case, one use case, one use case.
The client sent me 10 log files, 10 picket files.
OK, 10. So for me, while we stand, I need to know open up all the files and analyze one by one.
But do you believe that all the files having the specific problems?
Don't write. I won't. I don't think so.
It might happen in specific packet file. Right.
So OK. And then the remember the methodologies.
I will try to reproduce on my end.
So I found some clues. I will try to reproduce.
So that is the practice that tell me make sure the problem happens while capturing.
I will start to capture while I'm reporting reproduced that particular reproduced steps that provided by my client.
For example, when I click login button, it felt OK.
When I click, then before I click, I try to capture.
After I click, OK, maybe wait for a few seconds. I try to stop.
So that is the idea on make sure the problem happens while capturing.
OK, so this is something wrong with those big gaps.
If you're capturing from beginning when you open the browser and type in the URL and then until you log out.
So actually that particular problem only occur in a particular step.
So all the problem never actually occur when we are watching because you never hit the login button.
Maybe you just access to the browser website and then go to check your amount and doing some other transaction.
But actually you are not performing that step with the problem.
So make sure that you already confidently capture the problem, not just in the time, but in the place where you are physically capturing from.
OK, so in last, the tab that I mentioned is expensive.
It's not free of charge, but it's something that if your environment is too complicated,
maybe it's a good idea to recommend to your company to invest in the network tab.
Maybe it's not super expensive, but any protocol analyst is going to want to have one of these in their backpack.
Even just 100 megabit per second or gigabyte copper on one tab.
But that's something we can ever find on Amazon if we have to.
So maybe in the next level or maybe in future,
you have more complicated environment or more problems that encounter in the client side.
Maybe that's another thing that you are going to considering.
All right, I think let me double check.
OK, so before we end the lesson 1, I'm going to share a link to you.
Let me open next slide.
OK, I have prepared a quiz that helps you to recall some of the lessons.
We only have lesson 1 and basic network chart,
but I think it helps you to recall some of the memories and basic knowledge that we learned just now.
I'm trying to use different quiz macros, but then I found that Google for me is the best one to use.
So just a few quiz questions.
When you try to answer it, there are multiple options.
You can select our answer and click next.
Think about it properly, don't make it very fast.
Just read one by one, select the option, click next.
And then until the end, when you completed and submit, you can view your score.
You can view your score and you can view the correct answer with the explanation.
Just for your fun.
OK, I'm going to share the link to you in the chat.
Copy link.
OK, I send the link in the chat.
Can you try to open it in your desktop?
I want to ensure that you are able to access it and see the question, but please don't start.
I will connect the link in the desktop.
Let me refresh.
OK, I'm opening in my machine as well.
Don't know it's a bit like it.
Yes, I'm sharing the link.
OK, OK, all right.
OK, so as per Alex, so you can use our laptop for the quiz.
It's just a Google phone.
OK, so OK, don't don't don't look on the question first, please.
So let me minimize it.
So I think now is eleven fifty.
So we take ten minutes for the quiz answering and then we come back.
So we are going to have a lunch break after the quiz.
Is that OK?
So maybe we can discuss after the lunch.
So I'm not sure.
Alex, normally how long for the lunch break time?
Is it flexible for us to decide?
OK, OK, so I think we can after the quiz, we can go directly for your lunch.
All right, so we will meet up at one p.m.
All right, OK.
All right.
See you later after lunch.
Thank you.
Thank you.
Thank you.
Thank you.
Thank you.
Thank you.
Thank you.
Thank you.
Thank you.
Thank you.
Thank you.
Thank you.
Thank you.
Oh, I'm so sorry.
Oh, I'm so sorry.
Oh.
Thank you.
Thank you.
Thank you.
Thank you.
Thank you.
Thank you.
Thank you.
Thank you.
Thank you.                

on 2025-04-22

language: EN

                  WEBVTT
filters bcap file and then perform these configure columns this is the exercise
that just a simple exercise for you to do
all right take your time we are not rushing
so when you've done then now let's come back to
I will double check in your workshop and see whether you are yeah doing the right thing
if you have any questions just let me know okay
is there any problem when you're doing the exercise
everything all right I hope you enjoy the exercise and then okay remember when we add
columns right okay so let's say there are two columns that I purposely put sequence number
and annihilation number so where do we find that two columns you can use filter or you can
go to the particular protocol and for example sequence number and annihilation number
where are they in which layer so if you click on the particular protocol record
it will add this in the particular layer then you can find it in there okay so I will still
monitoring your doing and if everything all right then we can continue to discuss it
yes I can hear you
oh you mean your internet is slow or you are not able to connect to it
ah okay hold on um can you try to reconnect to the desktop and maybe you can close it
okay let let you try already
I can see you you are moving maybe maybe I will try to stop your desktop connection
to reduce some loading I hope it help okay already close the connection for your machine
maybe it will help
so once you're done okay once you're done just let me know I hope you really like
know how to create a columns unless you don't know like totally don't know what
how how to do and then just let me know yeah okay                

on 2025-04-22

language: EN

                  WEBVTT
okay so all right so we're on the same page okay please open the pre-lap slow
network pick up yeah turning already there um you know hem you can open the
pre-lap all right okay good so in lesson two we talked about before
interface so we are on this workshop basic training profile but this time I
will let you to take a look at some basic statistic first before we jump
into lesson three okay so here so you can see here is the manual bar right
and there is a statistic tool here when you click on it you can see there are a
lot of tools under this statistic okay so different information we can get
about this big app by clicking on different tools here so first I will
go to the conversation okay before I jump into a workshop okay so I will let
you to see later on I will give you five minutes to take a look on the
conversation and then analyze something that you found in the
conversation is either on Ethernet IPv4 TCP tab and tell me how did you
know and realize this PCAP file is having network slowness problem by
looking into these traffic conversation records okay so let me hide it and
let me open it okay here so to make sure you both and me on the same page
please click the statistic and then go to the conversation you can enlarge it
or maximize these windows okay they are one two three four five five tabs
here right so you can see Ethernet is two IPv4 is only one and then TCP is
one as well okay so remember yesterday we did some packet analysis right so
we did let me open this is the packet list so from here we can see we only
have one and two two IP address so let me take a look on the destination so
we have two IP address which is 10.0.0.100 and then 172.16.0.13
so okay back to the default ordering so we can see this 172.16.0.13
actually is like a client to send a request to a server so the server is
10.0.0.100 okay so only two IP address in this traffic
conversation okay so the protocol having TCP HTTP what else let me take a
look okay these two so back to here we do have two internet records here
and why we do have the three MAC different address one two three okay
and then when we go to the IP report there's one record which is here just
now in the packet list summary view we can see this 172 actually is like a
client to be a client and 10.0.0.100 is like to be a server right so both
them are communicate with each other and sending the packet okay so one PB
six nothing TCP we have one and then the conversation is between these two
IP address by using for a for client 80 for server okay there is no
UDP all right so take five minutes and then let on we come back and tell
me yeah maybe we can take turn to share about your fighting okay right
Oh
So this is just like a warm-up for you to look into the statistics tool.
So I think maybe let us have some interaction first before I jump into the observation findings
explanation.
All right.
So who wants to go first?
I see Tanin is smiling.
So are you going to be the first one to share about?
OK.
So let me open the Wireshark.
Remember yesterday we are adding this column, delta time.
So we can see the amount of time between the packets.
And here from 100, 105 milliseconds for this packet, I think still OK for this packet.
So and going next and next, we can see it's quite quick and fast for the following each
packet to transfer.
But here it's about 20 seconds.
So we can see maybe it's a spinning wheel, it keeps loading.
So it's something wrong here.
And from this conversation, what do you find?
Right?
I'll pass it over to you.
And you are the next, OK?
Oh, you want to go first?
No problem.
OK.
I'm trying to track.
And then you can see here we do have the 1, 2, 3 packets.
And here in Dota you can see 1, 2, 3 as well.
All right, Ham or Tanin, any thoughts about this conversation?
Duration?
Ah, here, OK.
So you mean too long, is it?
OK.
Right.
Next, anything else?
Ham says no.
Then Tanin, anything else?
B to A are here.
Ah, OK.
That bit is quite high, is it?
All right.
From B to A means from client to the server.
Sorry, from server to client.
So it means the application is a bit slow to respond.
OK.
All right, that's all?
All right.
OK.
So OK.
All right.
Back to...
Let me zoom in first.
Now it's easier for you to see.
All right.
First, let us recall the memory yesterday.
Just now I mentioned from packet 6, from the friend 6 to friend 7 here,
when 6 jumps to 7, right, it takes 20 seconds.
What does that mean?
Means I waited for 20 seconds, over 20 seconds to receive the packet 7.
What does that tell me?
So the three-way handshake worked pretty quickly for the previous packets.
At least about 100 milliseconds in the network latency.
So my get was sent off to the server.
Again happened pretty quickly.
The server acknowledged the packet 6.
From here to here.
So how many seconds it takes?
So it's about 218 milliseconds, right?
So no one, I mean no one is calling and complaining just yet.
But 20 seconds, that's something you and I would complain about, isn't it?
Like when you see you wait 20 seconds for the server,
means the application to be load is nothing there.
You can see a view is keep loading, the spinny view is keep loading.
So I believe everyone when they look into the page, they will ask why, what is happening.
So that's what I like to call a scream punching slow.
So when things spinny view on you and you are thinking,
why isn't that application loading and what is going there?
So this was due to the application here.
When server responded to the client,
so that means this problem actually is due to the application.
The application waited 20 seconds in order to send the response back to the client.
So let me open again the work conversation box.
Okay, first question.
Just now I asked, since we only have one client, one server,
but why we do have one, two, three, three unique MAC address.
So let me think, maybe let me open this like this.
Okay, never mind, come to here first.
Let us jump back to the first packet.
So normally if you want to check the MAC address, we will come to the layer 2.
So let's say first packet is from client to server 172.16.0.13.
What is the source MAC address?
You can see.
Okay, let me compare with the catalog here.
Okay, 0C here.
So that means 172, 0C is means 172.
And then how about 100?
100 is 6F.
So these two are correct.
Okay, let us go to the second packet.
100 now becomes source, means the server becomes source because it responded.
Okay, let me open the conversation.
So just now 100 here, the server is having 6F MAC address, but now it becomes 7F MAC address.
See, this one.
And then the client 13 is having the same, 0C, 0C.
So that means these two here.
Sorry, let me open the laser pen.
How can I open the laser pen?
Okay, never mind, it's okay.
I can't find it today.
But anyway, so why we do have three MAC addresses but only two IP addresses?
That I will explain in detail.
So back to the slide.
So I review the result here.
So we notice that we do have three IP addresses.
So that's one thing.
Second, when we see packet B to A is 0, means the receiver not reply.
Whatever is A or who is the A or who is the B, when sends the packet B to A, A not reply.
Means the receiver not reply.
And just now Tony mentioned that the duration is too long because the packet actually is just 25 and 54 KB, right?
It's not that huge data.
But it took 114 and 156 seconds.
So it's quite long.
Third finding is about the bitrate.
What is that mean?
The bits per second, which is BPS.
So 1737 bits per second is very slow.
It's a slow data transfer.
2750 is even slower, much more slower.
And this is a one way communication only, but it took so long.
So what is the possible causes of this low network behavior?
We assume.
So remember, we formed the hypothesis.
Even though we always say that don't make the assumption first, but then we have to expect what is happening.
We have to form the hypothesis.
What if, what if, if something wrong?
What if something wrong?
So something like we guess what is the root cause.
And then we try to narrow down the issue by different scenarios.
OK, first, packet loss or no acknowledgement means no reprise on the destination or from the server.
Connection or routing issue, maybe network connection.
It caused the device unreachable or unresponsive, like return 404.
Firewall or security filtering, maybe preventing some responses from the server or from the application.
Procrastal logging, OK, might be sending data that doesn't require a reply.
So these are the possibilities of the causes.
So let me go into the details.
So no response traffic, 0 bytes from B to A.
Both strings show these two strings.
We have string 0 and string 1.
And these two strings show 0 packets and 0 bytes here.
So from B to A.
Meaning the receiver did not reply.
So what does that mean? What does that indicate?
So I tried to find out four possibilities.
So it's either network misconfiguration, like firewall dropping the responses or connection issue.
It caused the device at the receiving end is down or unreachable.
Or broadcast or unidirectional logging or ping message, right?
So this is something that is weird.
And then for the low bitrate again, these two are quite slow.
So possibility is due to the retries or network congestion or limited link speed.
So it caused the slow data transfer.
And then long duration, it lasts for 114 and 156 seconds, which is long for such a small data site.
So this indicates it's either a slow or delay in the network connection.
So from this conversation, we already know this packet is having network slowness issue.
This is extremely slow, especially for this bitrate.
Very, very slow.
Especially for the modern networks nowadays.
So what is the suggestion?
What is the troubleshooting solution when you are getting this packet?
I would suggest, let's say, first thing.
So I found there are three MAC addresses for only two IP addresses.
Maybe, I am guessing maybe, there are some reasons.
So I will talk about only one reason.
Maybe it's due to the IP conflict.
It's having duplicate IP or misconfiguration for two machines or two devices on the same network.
So maybe they are externally configured with the same IP address.
But they are having their own unique MAC address.
So what is the reason?
Maybe it's cloning.
Maybe it's for the DHCP.
Maybe they are using the manual static IP settings.
So it causes two devices having the same IP address.
And what is the consequences?
It may cause the network instability or drop connections or slow network symptoms.
So what can we do?
We can check if the destination MAC address is valid and active.
Because maybe it's due to the connection.
So we can try to ping the MAC address.
And then we can use the filters.
For example, here.
Maybe we can try to check whether it has the ICMP ping or DNS or TCP.analysis.
Maybe here.
Whether it has retransmission packets or not to check for the errors.
So for this pre-lab, we don't have this retransmission or ICMP.
But in the tomorrow's session, I will show you on those packets.
For example.
And then run a ping or traceroute to the destination to test the connectivity.
Or verify the Ohio rules for the endpoint behavior.
All right.
Back to the conversation.
So here.
In total, we receive 123 packets.
So from here, there's no filter there.
So it means the total packet size is 123.
So it's matched with the conversation here.
And then here.
We do have 55 and 68.
So that means in total it's 123 as well.
It's correct.
And let me check.
The bytes here, 25 and 54.
So in total, this 123, the size is 79 KB only.
So it's a very small data size.
So all the results here, the values from packet A to B, bytes A to B, actually is exactly the same as here.
You can see.
Here.
So the duration is taking 156.
And the bits per second, the bit track from A to B is taking 1268 bits, 2748 bits.
So it's either you are looking into the IPv4 tab or Internet tab.
Actually, it's the same.
You can find something wrong by looking into the duration, the bit track, bits per second, and match with the data size.
So that is the high level.
I mean, the basic ways on how to looking into the problems.
So if you think there are like a bunch of the packet list is too much for you to have a quick look on the traffic,
just go into the conversation and take a look on this.
This is the summarize of the whole lot of packet list.
OK.
So, so far, any questions or comments you want to talk about?
If no, then I will get you to jump into the quiz.
Simple questions help you to know, recap what we have learned yesterday afternoon and today.
OK.
Back to the slide.
OK.
Before that, OK.
Before that, so Ham and Tanen, I want to maybe let me know a bit further about what is the tool that you are normally use for your analysis task.
We do have a lot of tools, right, under the statistics here.
So what is the tool that you are constantly using?
Sorry, which one?
Oh, four graph.
OK, four graph.
This one.
OK, a little bit on the four graph.
OK, what else?
OK.
Oh, this one.
Which one only you are using on round trip time?
OK, OK.
All right.
So round trip time and the four graph.
OK.
All right.
So we do have this topic in the following lesson.
All right.
So I will.
I think you already get this slide.
OK.
So you can click on the link.
I will still share the link in the chat.
Please open in a locker in a locker let up.
I'm sending the link in the chat if you cannot find the slide.
OK, just five questions.
I hope you get a high score compared to yesterday.
Try to answer it properly, one by one.
Think about it.
Just a quiz for your fun.
OK, we take 10 minutes for this quiz.
OK, after that, let us have a quick discussion about the quiz answer.
And then we take a short break before we jump into the new lesson.
OK, come back to you at 9.50.
All right.
Finish.
OK, sure.
All right.
Let me take a look.
OK, I found it.
Sorry, the tech.
Few seconds.
OK, I can see your answer.
So all right.
OK, let me on the camera.
So the first question, the time column.
So what is the purpose of adding a time column in your wire shock?
Not is not the data time.
This one is about the time column, the default column.
Yeah.
So actually is to highlight the arrival time differences between packets.
Right.
So for example, we can see this is starting from time 0.0.
And then it's gradually increasing.
And the total duration is 156 seconds.
So that means the arrival time for, for example, for packet 3 is 106 milliseconds.
Yes, it's not highlight the current timing.
It's highlight the arrival time for each packet.
OK.
So how can you OK.
Both of you are correct.
Turn off the default current reason.
It's a magic icon here.
When they accidentally cricket while everything is gone.
So you will feel shocked.
What happened?
But you click it back.
The current rule that you already said will be come back.
OK.
So remember, we can customize the current rules by using this current rule.
You can surf to the customized profile.
The personal profile.
Or copy from the default one and then repress or override the duplicate one.
So move on.
Why would you add a specific values as a column in my shop?
Create custom protocols.
OK.
So that question means.
Let's say.
Let's say.
I'm looking into the packet.
First packet.
This is the same frag.
Like it is sending from client to server.
So second is responded by the server.
So I want to know what is the sequence number?
What is the enumeration number?
So that's why I expand.
The TCP and then adding this column into here.
So this is the questions.
Means why I need to add a specific value as a column in my shop.
What is that purpose?
It's helped me.
It's helped the network engineer or maybe protocol analyst or task engineer.
They're able to highlight what is the important information for our quick analysis.
So it's not to create a custom protocol for analysis.
We are not creating the custom protocol.
We are looking into the protocol from the packet summary.
OK.
So why are our shop proposals useful for our analysts?
Why the profile is important?
Because they enable faster analysis by hiding the essential packets like the critical one.
So when you.
We are not customized the TCP behavior.
Oh, OK.
Different color schemes is the coloring blues.
So this one, if we are creating the customization, let's say now.
I.
I open the mesh file profile dialog and from here I can add or remove.
So means when I add a new profile here, it's under percent attack and then it will save everything in the current user interface, including the filtering button.
Do you still remember, for example, that TCP and then filter is TCP dot analysis dot frags.
So everything in here, including the coloring rules.
Everything, everything.
If you rename the column at a column, it was still inside this profile.
So that means it will include every customization settings into this profile.
To be enabled faster analysis by hiding the important packets.
How can you add a custom column in washout?
OK.
Assess the preferences or settings and navigate the current section.
Yes, correct.
So there are few ways.
Remember, we can write just right click and then we click column preferences and we can add a column under the column tab or we go to the edit preferences.
It comes to the same location.
Or we just right click, apply as column or drag and drop.
To add a column address.
So there are few methods to add a column.
All right, so that's it for quiz.
Let me write it back.
All right.
Well done for your quiz.
I think that answer score is better than yesterday.
So I hope you still can remember whatever you learned till now.
OK.
So let me open the slide.
No problem.
Yeah.
OK.
OK.
So in lesson three, we are going to learn the more deeper about the statistic tools.
But before that, do you want to have a short break now or after the first topic?
If now, then we can take 15 minutes break before we jump into the next lesson.
Oh, you guys are OK to proceed.
At least we talk about the first topic.
It's up to you.
OK now.
OK.
It's OK.
We take 15 minutes and then we come back at 10, 15.
OK.
All right.
See you later.
Welcome back.
OK.
Are you ready to continue our lesson?
OK.
Good.
So next lesson, we are going to learn more about the statistic tools.
I do have a one lab, which consists of I think more than 10 questions in the end of this lesson.
I guess we took more than one hour for answering that question and also review it
because there are quite some questions we need to really take some time for you to find from different tools or different configurations.
So this is not the exercise yesterday is the most straightforward.
I ask you a question and give you some tips.
Just follow.
But today you need to take some time to think about it, where to find it, where to find the answer.
OK.
So I want to make this lesson three as simple, but then it's more interactive because we are using some graph or tools to look into the information.
So we are still using the pre lab network.
So never pick up.
OK.
OK.
So you can open that pick up file face in your desktop while I'm go to the next page.
All right.
OK.
So like I mentioned just now, we are proceed with less entry using the statistic tools.
And at the end of this lesson, we are going to have a lab exercise.
And that exercise contains of more than 10 questions which need your thinking and thought to find the question and sorry to find the answer from different locations, from different tools, from different settings or even the packet detail span.
OK.
So I want to make this session to be more interactive.
So later on, if you get any ideas or findings, and then we can share with each other.
All right.
So why we need these statistic tools?
OK.
As we know, Varsha is not about just capturing and starring at the packets, right?
Especially in the large captures like consists of more than a few hundred or one thousand packet list is a lot.
So when the issue is not in a single or few friends, but maybe is spread in different part of the picket file.
So it's a bit frustrating for us if it's huge and is I mean spread over in different location.
We need to take a lot of time and effort to go to to go by step by step or one by one to look into the packet detail span.
It's very annoying.
So.
And you also often need to look beyond individual packets to get a broader view or identify the patterns and know.
Key in the filtering, maybe you are using the rack expression or the special characters.
So although Varsha is not a statistical tool, but it includes quite some powerful analytic modules that you can use to quickly understand the traffic role structure.
So, again, in this lesson, we are start looking at a series of the statistical tools which will group under the name our graph and also using this hour graph to identify the top talkers.
OK, I found the laser pointer here.
So and also that graph that you are familiar with is the full graph.
And also the long round trip time graph.
And I would also introduce about how to personalize your hour graph and also the time sequence graph under the TCP stream.
OK.
All right.
So by using this graph, it can help you to see the flow in the way that you will understand the logics of the exchanges, even in a very large captures.
So I would then show you on how to identify the different machines exchanging the information in your capture and follow the top talkers.
So remember the conversation dialogue that we learned in the lesson just now.
We learned how to follow the conversations and the streams, right?
We have two streams, stream one and two.
It has the unique stream ID to isolate the specific traffic of interest.
OK, so it will help you.
These tools will help you to go beyond the layer two.
And you can learn how to identify the machines of protocols.
For example, we do have the TCP in the pre lab.
So networks only have a TCP.
So we can see the number of the TCP transactions.
The number we can see how many TCP transactions in that conversation dialogue.
So the protocol tab is shopping with NEM instead of the least application or visualize protocol hierarchies throughout the entire capture file.
OK, so you can modify the view.
You can add a filtering to customize the graph.
It will help you to spot the anomalies.
OK, so when you get comfortable with the tools, I will let you to jump into the lab as a size.
And probably you can customize the tools that we learn and credit and to retain the functions that help you the most.
All right, so let's get started and jump into the first one.
OK, so before we jump into the aisle graph, let me quickly summarize what a statistic can help you.
So under this statistic manual, we can see a lot of different opportunities to see things about our packet capture is either to save a file or a live running file.
So by using the tools, we can quickly to see the total packets.
Remember the total packets one, two, three for this bigot file.
We can see the total packets amount and the time means the duration and also the packet size in bytes that is sent in this network traffic.
OK, and we can also see the comments.
I'm not sure whether you know about it.
We do have the capture file properties that I will show you.
So I'm not sure whether you know about it or you use it frequently or not.
But that I will show you.
So in there, we can add a comment.
So later on, I will also add a comment inside that property dialogue.
So you can answer me while edit a comment and then save it.
So I can go into a workshop in your desktop and then just check your answer.
OK, so and also we can find the top talkers.
That means who is the chat is device in your packet capture and also view the conversation and throw and even resolve the address for the clients and service in the capture or the life.
We can also create a custom customized our graphs that those can be stored per configuration profile.
Remember, we do have the customized profile.
So in overall, this statistic manner is very, very powerful.
OK, let's jump into the hour graph.
All right.
So before I proceed, I want you to open your desktop again and open a workshop.
So go to the statistic menu and then.
Mouse use a mouse to point to the hour graph and click it.
So you will get the first grants of the hour graph by the default view.
So in here you can see I already added some customized filtering.
And also different color.
So let me open a workshop and then I will monitor your desktop now.
OK, I can see both you are there.
All right. OK.
So this is a pre lab slow network pick up file.
Let me see.
The surface I want to.
All right. Oh, OK.
I can see you have the TCP errors.
Is that a filter that already exists in the packet file or you edit by yourself?
The TCP errors.
OK.
All right, I think I start.
OK, never mind.
So right now, let me put side by side.
Let me remove this column.
OK, now the time is very important, very important.
So.
The why is this we can see there's a packet amount per second.
Actually, we can we can switch different options.
But normally I would prefer to use the second as an interval with the most.
Because if you choose the millisecond, it will become very, very small interval.
It's very hard for us.
To do the analysis.
So normally I would choose one second as an interval per packet.
And also the X axis is the.
Time the unit is the second.
So from here, you can see, wow.
OK, it's go up to how many packets?
Um, it's about 35 packets during this in duration.
From maybe 23 seconds until 25.
So by comparing with this packet list.
OK.
OK, here from 10 the one second.
OK, let me start it.
OK, from 21, that means it's number 14.
To 60 to 62.
OK, so you can know.
You can try to zoom in and zoom out.
So 21, let's say this is 21.
Yeah, so you can see how many packets.
Around 21 seconds.
So that is exactly match with the packet list.
So do you need to count it by yourself manually?
No need. You just look into this hour graph.
All right, so.
Don't need to spend a lot of time.
I want you to tell me.
I want you to tell me from this packet.
The hour graph.
Let me press zero.
When you press zero.
Once or.
Or twice, you were back to the default view.
OK, from here.
Right here.
Until 100.
Around 125 or 23 seconds.
What happened?
And what's wrong with the.
What's wrong with the packet capture?
Can you share our idea?
Only one feedback about this hour graph from each of you.
Dunwin and Hem, I want you to talk.
OK.
All right.
Any comments or any thoughts, feel free.
No wrong or right.
OK.
Hem, now it's your turn to go first.
OK.
So.
So what is your finding from the hour graph?
Any idea?
Packet loss.
OK.
From where you can see is drop.
From where?
You mean here?
OK, from here onwards.
OK, from 25 seconds onwards.
Maybe.
The packet is drop.
OK.
OK.
Router.
A firewall.
OK.
Because it's over the size that the switch can handle.
Or the device can handle.
So it will cause the packet drop or loss.
OK.
What else?
Not turning?
I don't have the exercise about the graph.
But then I will have an exercise in the overall picture.
OK.
So never mind.
All right.
So back to the slide.
I'm capturing the screenshot for the hour graph.
I think you are seeing the same as mine, right?
The screenshot.
You do have the TCP errors with the red background color and the line color.
And also the HTTP filter in yellow color.
OK.
Let me.
Three-way handshake is not complete.
OK.
OK.
So from where you can see the three-way handshake is not complete?
In the packet list, is it?
OK.
OK.
The same act.
If you don't see the same act, pick it.
OK.
All right.
OK.
Good try.
So I won't show this wire shock.
I will use the screenshot as in the slide.
I think it's the same as your screen.
OK.
Let me double-check.
OK.
OK.
It's OK to ignore the HTTP because it doesn't matter.
It's not related to this packet analysis.
We don't have that error for HTTP.
We only got the TCP errors.
All right.
Back to here.
OK.
So first, you can see, just now I mentioned, if you want to look into the smaller lever,
you can change it to milliseconds or even larger.
And you can try to zoom in and zoom out.
If you want to go back to the, like ghostware too far off the screen, you want to go back to the default view.
Just press the zero button once or twice.
You will reset the graph.
OK.
So this is very, very handy.
You can tell in the title of our graph means input output that we are working with a live capture.
OK.
So if you get the hour graph, normally I will set it into a PDF file or a big on the picture.
Why I want to set it in the picture is because it's easier for me to attach it in a report and present to the client or any stakeholders.
So that's what I did.
If you want to attach this information, this information right on especially to send the data points on the graph as a CSV file for later use in an external program like Microsoft Excel.
So you can just click the copy button.
So now we are using one second is the interval.
So what is our key observation?
First, it's very obvious.
The spike.
Can you see?
It's a sharp bridge of the packet activity seen between 15 and 20 seconds.
It's picking at nearly like 50 packets per second.
So again.
So in order for you to look into the wire shock, you can apply different filter.
When you apply different filter and you go to a static tool, that result may slightly different.
It depends on the filter that you put.
So by looking into this screenshot, you can see it's a spike.
It's a sharp bridge.
You can see this one is go to the top and then go down.
Maybe after like one or two seconds immediately.
So it's like a picking.
And this birds is likely correspond to the man data transfer ordinary event.
So what why it goes up and down is becomes a sharp bridge.
Something maybe we need to take a look.
OK, so after this, I purposely credit dissipate errors with this TCP analysis.
I want to I want our graph to show what are the potential TCP problems in this traffic network traffic.
OK, so from here you can see it's around.
OK, let me open the hourglass so you can see it's around.
You can see order because it's very small.
OK, let me open again.
You can see between 15 and 25 seconds and then at nearly like 50 packets per second in here.
And also, again, it's about 70 seconds until 110 seconds.
You can see the dissipate errors go up.
So those errors may indicate maybe the packet retransmission or we do receive duplicate knowledge from the server or zero windows segment or other TCP level issues.
That one was the fighting and observation.
OK.
Just now, I think I mentioned that all time you mentioned that is is like a sharp brace is a pig.
But then after 25 seconds until 150 seconds.
Here, what happened is a quiet period.
Very few packets are observed is idle is like kind of idle period.
So it's a long period of inactivity.
What happened?
What happened to this idle stage?
It may be due to maybe a stall connection.
It's still to the network congestion.
Maybe it's due to like switch problem, like what I mentioned, or firewall.
It broke or it delayed the application later.
OK.
So that's what we encounter.
In this packet capture and observe it.
OK, so this TCP analysis are actually is a very important display filter because it includes the things like retransmission out of orders or duplicate.
So, again, we can see what happened to the hour graph to showing that some symptoms of a slow or problematic network.
The TCP errors are long idle period.
OK, so I think that's the fighting for this pre lab slow network and then how to customize it.
So I want you to play around with this.
I want you to customize.
Maybe I will give you a done.
I'll give you a filter.
All right.
Open your washout and I'll I'll graph.
I want to I want you to add multiple lines with different display filter.
And then set it as a JPEG file and back to here.
So let's say.
Just OK.
We do have one, two, three, four, four potential TCP errors.
And just now, Tony mentioned that.
Scene act respond, right?
Maybe it's not complete because.
We lost the same act respond.
Remember, yesterday we learned how to add the filter for filtering the scene act.
So if you forgot the syntax, just click any one of the same act respond.
Expand the TCP.
And then expand the frag and then drag it.
OK, now we can select and select it because we want the two, the two filter condition applied.
OK, so copy it and then put inside your hour graph and show me.
Save it as a PDF file or JPEG file and then let our check.
OK, go ahead.
A little bit lower.
Let's try it a little lower.
Just a little bit lower and we'll have it show up.
Just a little bit lower.
Okay, I can see you've already added.
Can you generate as the PDF report and Dhani, maybe you can generate as a JPEG or PNG file
as a picture.
And then open the exported file and show me. Okay, all right, I saw it.
How about Ham? You can generate as the PDF file, PDF okay. So open the PDF file
that you exported. Okay, all right so while waiting for Ham to open the PDF
file. Dhani, go back to the hour graph. Okay, try to zoom in. Zoom in. Just scroll your
mouse closer. Like make it larger. Zoom in, something like that. Okay, something like
that. Okay, so show me how to back restore to the default view. So right
now I can see, wow, I want to see the, no, I don't want to see this oral
picture. I want to see the default one, the original size. Okay, no, don't use
the dialog. Use your keyboard. Press the zero button. You can try to press one
time zero button in your keyboard. Just press zero button. Okay, so how many
times you press? One time or two times? I cannot hear you. I think you are muted.
Okay, good. So press zero button one time. You are back to the default view. So Ham,
show me your PDF file. Okay, okay, I saw it. All right, so this is something that
I normally use and attached in our report to show that, okay, I can
explain, put some observation in the notes there. The either period with
the TCP error if you want to show the error with the highlighted color. So
it's able to tell that the user like something wrong because it has a
quiet period. And also the TCP dot nsys dot rex, this is something like
potential problems with free transmission, duplicate acts, etc, etc. Okay, all
right, so back to my slide. Okay, so we're already done to personalizing the
IO graph. So I can put the graph name as TCP act if I only want to see the
filter with the frags dot act equal to true. And then I can choose
different style. So see, it's very interesting. I can see a lot of dots
inside the graph. So the IO graph actually is very powerful because you
can customize it with entering many different deep spray filter. It's not
capture filter, instead it's a display filter. After you capture the
file, then you just filter it with the displaying packet list. So we can
set it as a simple packet visualized graph. It depends on the
filtering that you filter here. So for example, in our packet
summarized list, we do have 123 packets. But then in the
IO graph, you want to filter it become smaller size, then you just put it as
different filter here, right? You can reduce the size of your graph. So let's
say, okay, I want to like, I want to get the filter with retry. If let's
say I have the reset packet, I have the retransmission packet, you can try
to fill in different filter with different coloring of the line or bar.
Okay, or if I want to see, found any like ICMP
packet, I can also filter the displaying filter in here with the
HTTP or DNS. If maybe, I'm assuming maybe the server will or the client
will use that different protocol for the TCP errors happening. Okay.
So there are many, many filtering that you can put. So just third note, if you
have a list of common filters that you normally use, you just put
inside a note and you can just copy paste. Or it's very hard for you to
like realize, okay, which is the powerful or useful filtering that
it will be helpful for your packet analysis task. Okay. I think I won't
ask you to do any exercise for this personalizing our graph because we
already done it in the exercise just now. Okay. It's just a quick
exercise because I want you to experience it by generating our graph
and exploit is a different file extension like PDF or JPEG. Okay.
All right. Okay. So the capture file properties that I already show you
just now and mentioned that we can add a comment in here. This is the
comment. I won't ask you to do as a size right now for this capture
file property because we do have the lab after that. Okay. Let me
using because you can see the statistic here. Well, it helped us to
summarize everything. So what happened? Okay. For example, for
example, I want to compare. I want to compare the disparate
capture with the, okay, the disparate filter with the capture
filter. And now I don't enter any disparate filter yet. So those two
statistics are exactly match. But what if I want to find those
potential TCP errors and then open again the capture file properties.
So it helped me to refresh the statistic again. So it's easier for
us to do the comparison. Okay. So by using this example, let me end
the slide sharing first. Okay. So, okay. From here, what you have
seen? What have you seen? Okay. Maybe we look from here first.
Okay. So I can know it starts from when and what time. And it
lasts and ended at when and what time. And how many seconds it
took in the overall. So now I can see it took two minutes 36
seconds of the total time for the capturing. Okay. So if I
want to analyze the troubleshooting, slowness of the
network or a performance issue. Okay. So a few key things to
stand out. Only four packets they spread out of the one,
two, three capture. So we might suggest to the few
traffic. So this is what I purposely did to highlight the
display statistic here. Okay. So the average packet size is
fairly small. How many? Size? How much of the size? It's
six, three, nine bytes. And the overall traffic rate is
very slow. Why I know that? Because remember, we do have
the bit rate, bits per second. And now it's showing the
average bits per second is four, four zero one seven means
about four Kbps. So this is that means the traffic rate is
very slow, very low in our overall traffic rate. Okay.
So this consider low traffic. And I can add some
comment. Okay. So let's say I want to add a comment. So
low traffic with
only four Kbps. Okay. What else you want to add in the
average packet size is fairly small. It's only six, three,
nine bytes in total. Maybe the overall traffic rate
is quite low.
Okay. About. Okay. So anything else?
Okay. So
okay. One more thing to highlight. Filter the
display.
And this is right. So why I need to add the comment in
here? Because when you save it, and then you can
set the oral picket entry file again, and then send to
your client. So from there, they don't need to know
maybe you send while email. For example, you put all
the notes in the Excel file or Word document. When you
send while email, they will forgot where to store or
maybe they overlook on that email. But then if you
send out to this big app entry file, they can easily
to read all the comments or the findings or observation
by looking into these comments. Okay. So from here,
we can also know like what are the hardware or OS that
you capture, but here is unknown. Okay. All right. Let
me close it. Okay. So far, any questions or comments?
Okay. All right. Then let's proceed. Okay. So the
third powerful tools is the end points. Okay. So
let's say I want to identify the top talkers. So who is
most talkative device on your network? How can we do?
Have you ever used the end points for the analysis?
Have you? Okay. Maybe let me show you where is the
end point. Yes. So have you used for your analysis
task? For your project? For your business case? No.
Okay. Never mind. Maybe it's good for your knowledge as
Why we use this end point? Because sometimes we want to
find which devices are talking the most. Is it server or is
it client? So from the end points, it will show you.
Okay. It will show you like all the tabs, which
includes the internet, IPv4, IPv6, TCP and UDP. It's
This is the conversation dialogue. And this is the end
point. Okay. If you compare both, you can find the
tabs are exactly the same, but the numbering is
different. So here, this is the conversation. This is
a conversation, traffic conversation. So it will help
you to summarize. But the end point, I want to see how
devices. I don't need to guess. Okay. One, two, three,
and this is the same as the address A source. So that
means only three unique end points. I don't need to
like check it manually step by step. I just go to
end points, then it will help me to summarize how many
IPv4 address, how many internet MAC address. So that
I can find easily and compare with the conversation
here. Okay. That's the difference. So. Okay. It has
the packets, bytes and the direction. Okay. Okay. Let
me go to here. Yep. We do have the total packets
as well in every tab. And you can see how many
packets in here sent by this device. Okay. Let me
hold on. Let me clear the filter first. I forgot to
clear the filters. Okay. Again, come to end points.
Yeah. So that is the total. Right. So how to know
who is the most threat is like the talking the most
device. Okay. Let's say, sorry, zero C. How do you
know from this dialogue? I can see one, two, three
packets from here. Okay. Good. So if let's say I
open again the conversation. Okay. So I can see
this address, 172.16.0.13 sent to the address
IP. It's one, two, three packets in total. So
let's back to the here. Okay. Go to the top one
when I click on the first one and then check on the
MAC address. Okay. So zero C. Zero C here. So what is
the IP address of the zero C? 16.0.13. Okay. So by
comparing with this, is that correct here? Okay.
So this 172.16.0.13 is the most talkative device
because it talk a lot. It's sending a lot. And then
these two actually is belongs to one IP address but have
different MAC address. So maybe they are from different
devices. Maybe or maybe misconfigured in the machines.
Okay. So if I go to the IPv4, since I mentioned they
have one IP address have different MAC address. So I'm
not sure whether this IP address is belongs to one
device or two devices, even though it's sending one, two,
three. So as a conclusion, I can't judge is the most
talkative one, but I can determine this source as a
client is the most talkative device from the packet size
that I can find here. Okay. All right. So it's very
simple for the conversation. I am only using this as to
find out like who sending the most maximum packet size
and then who are the most active device in the
traffic, in the network traffic. Okay. All right. Next.
What else? Okay. Just now we know. Okay. Back to the
source is the client. Destination is the server from the
SYNFRAC I can see, right? Because SYN is sending by
client. So if let's say I want to see the, I want to
identify the talk talkers. What is the other methods that
I can use? Okay. Let us go to the statistic, IPv4
statistic and select this destination and ports. So in
here, I can see all the list of the IP address
destination. Now this is so-called destination IP
address and the ports number. Yeah. Port number. They are
with. And if you collapse the protocol, it's only showing
TCP. Why is only showing TCP instead of having HTTP,
HTTPS and other protocol? Why? That means in this network
traffic, it's only have the TCP conversation by sending
packets. So from here, I can see the size, the number,
sorry, not the size. The size will be misunderstood,
will be leading to misunderstood. So I want to
see how many a month of the packet is 68 is 55. So this
is the destination. So I will see. Okay. From the
port to the client, the client received 68. From the
client to the server, it received 55. So this is
something that I can try to list it out. What are the
protocols and what are the packet amount that send to
the destination? Okay. So this is the optional method
that you can check on the destination on port. But for
me, I would say the most preferred tools that I'm
using the most is the conversation tier. But if I
want to know how many devices, I would choose the
endpoints. So the destination and port that I'm showing
just now is to highlight like if you don't have the
duplicate IP address with different MAC address. If
you don't have that problem, yes, of course, you can use
the destination port. But you do have, it will make
you more confused. Hey, why only one IP address and then
how can I identify the most top talker? I don't know
because it may be come from different devices with the
duplicate IP address. So it will lead to misunderstanding.
Okay. So it's up to you to choose which tool you can
use. Alright, next. Okay, so we do have the
photograph and also we do have the time sequence
graph. What else? The round trip graph. So, and
lastly, we do have the lab. So I don't think I will have
the time to do the lab one, but we try to finish
one photograph, TCP time sequence graph, and also the
round trip time graph in this morning session. And then we
can have a lunch break. So lunch break, you still prefer
one hour, is it? Not too rush for you. And then for
today's session, I prefer to have less break time and
then you can end earlier. Okay, you have the event
tonight, right? Oh, okay. Good to know. So when you're
back to Thailand, is it Friday or Saturday? Oh, it's
rush of 6 p.m. Okay, so we still have time. Okay.
So as I remember, both of you said you are familiar
with this photograph because sometimes you will use it.
So photograph actually is for me is quite simple
because it's showing all the flow in the traffic
conversation. But I would like to know in your use
case. Okay, I think it's your talking time
right now. I want to know why you use this photograph
and then what is your use case or scenarios
and what are the type that you mostly use
to understand your packet. Alright, so I will pass
to any one of you to tell me or you to briefly
introduce. Okay, you're okay for just for teaching
purpose. Okay, so what type you are using? Are you
using all flows or specific flows type CP flows?
Okay, can you tell me from this TCP flows?
And we do have these two IP address, right? So
okay, let's say I will ask Tony. I don't know.
I don't know how to identify who is the client,
who is the server and why. Okay, can you answer
my question? Okay. So that means 172 server. So that
means whoever received the SIN packet is the server.
Okay, alright. So, okay, next question.
Okay, since I know 172 is the client,
100. Okay, I call it 100 server. So I know
100 server. 100 is the server. But how do I know
the server already received the packet successfully?
Ah, okay. SINAC is the responded by server
because it will tell, hey, client already
received a packet and already acknowledge it.
Okay, yes. Yeah, okay. So why the client is using
61330? Okay. Okay, good. So, okay, client
receive. And then will the client responded
to server to tell the server, hey, server,
I already receive your acknowledge. So no problem.
How did I know from this program?
Will the client tell the server that, hey, server,
I already receive your packet, already receive your respond.
You mean here? Okay, alright. Okay, just now who mentioned sequence?
Okay, can you explain further about sequence number?
Is it the sequence number that you mean?
Okay, what is the difference between acknowledge number and the sequence number?
Hello, can you hear me? Okay, um,
um, like, I think Dhanin answer the right.
So the sequence number, let's say from here,
this is the number of the first part of the data in the TCP segment, right?
So, um, okay, I give you an example.
Okay, so, okay, from here is starting from zero.
And the TCP segment carries, for example,
for example, it carries 100 bytes of data.
So what is the next sequence number?
The next segment will have a sequence number of one,
uh, sorry, zero plus 100 means 100.
Do you get what I mean? Okay, so this is,
okay, again, let me highlight again.
So it's the number of the first part of the data in the TCP segment.
So if let's say, um, the first segment,
I started from sequence number equal to zero.
And then I know that this is the TCP segment is sending 100 bytes of data.
So the next sequence number, if I receive it correct, uh,
successfully, it will start, it will start with zero plus 100 means, uh,
100. Okay, 100.
It was started with 100.
Okay, then how about a knowledge number?
Okay, let's say sequence number equal to zero and our channel equal to one.
Okay, so, okay, so if let's say, um,
if the client received the unless the segment with a knowledge number one,
here is one, right?
It means the sender receive all data up to byte, uh, one.
And it expecting the byte one in the next segment.
Okay, here is the packet size that the server,
the, sorry, that the receiver can be received.
Do you get what I mean?
So, okay, maybe next question.
Um, okay, maybe I don't ask any question, but tell me from that graph what you can see,
for example, from 105 milliseconds and then suddenly jump to 20 seconds right here.
And then from sequence number equal to one and suddenly jump to 1461.
I was asked, hey, what happened?
Why suddenly the sequence size, uh,
is plus 1400 is a huge difference.
What happened?
So, think here, one, two, three, four.
Okay, here, 108.
108.
Okay, remember I mentioned that I found something wrong because the length size of the
is too huge, one, five, one, four.
And then it has a problem.
So it's not able to send it out successfully.
It has split into two packets and to be continued sending because
the packet size limited during capture.
So from here, I can see the sequence number jump from one to 1461,
but then our natural number is one.
So that means there is something wrong from here to from here to here,
and also from 108 to 218 here.
Sorry, from 218 to 20 seconds.
So this is something that I need to analyze further.
So if you click on here, see, it will auto-highlight the problem,
the packet in the summarized view.
Okay, so again, sequence number is to identify the first byte in this segment.
So it was started with 1461 in this segment, and it's from sender to receiver.
Okay, to indicate what is being sent, and it's randomly generated as in the start
of the connection.
So if let's say it's 1461.
So meaning it's sending the byte 1001 onwards.
Okay, 101 onwards.
So it's sending 1461 bytes onwards.
And then what is the analysis number?
It indicates the next byte expected from the other side.
The next byte is better from the other side.
Okay, it's from receiver to sender.
Send server, send the analysis to who?
To the client.
So it means from the receiver to sender.
And tell what has been received.
Okay, what has been received?
I already received one.
I already received 1519.
So it's usually zero until first segment is received like here.
I already received one segment.
So my analysis number is one.
So it means number of bytes received in analysis.
Okay, for example, if I put let's say 1522.
What is that means?
Okay, I already received 1521 bytes.
I already received up to 1521 bytes.
So I'm expecting the bytes starting with 1522.
Okay, so analysis means I already received how many bytes in the previous segment.
And then I will start with 1522.
And then sequence number means
I identify from which byte, the first byte in this segment.
So it was started with byte one onwards.
Okay, it's a bit confusing but actually this sequence number
and knowledge number is quite helpful for our analysis in the last session.
Okay, all right.
So what else?
What else you are using this
photograph for any purpose of your project?
That's it?
Okay, so the photograph can easily tell us like the total amount of time
is being elapsed.
For example, 156 seconds is about two minutes and maybe 36 seconds.
And also the list of the knowledge and sequence number.
So you can export it into PDF or Jetpack PNG as a picture file
and then attach in your report as well.
So if I want to see the overall flows,
so it's a bit complicated if you compare with the specific photograph
with different specific type.
So normally I won't use the offers unless I want to know.
Okay, apart from TCP, what are the protocols that are used by this network traffic?
So I can see, oh okay, it's sending HTTP because it's using port 80.
So it's not HBS.
It returns 200 means okay, no problem, successful.
But it's not important for my network analysis
unless I got some error code with apart from 200.
But from here it's easy to tell me like okay,
so from the client to the server, it's not successfully.
So I'm keep sending because packet size is limited.
I'm keep sending.
Okay, see there are a lot of continuation until when.
So we have to click keep scoring down.
Let's say I back to this packet nine.
This is around 20th point.
This one up here.
So yeah, from here you can see there is something wrong.
The server responded very slow and it keep continuous sending
because of the packet size limited during the capture.
All right, okay.
If you want to limit the photograph,
you can put a display filter here and then click the check.
For example, if I only want to see those problem with,
okay, let's say contents continuation.
It will refract exactly the same as our summarized bill.
But if you want to see like for example,
I want to see the frags.
Equal to only.
That means I want to see from the server to the client.
So it can help you to narrow down the analysis scope.
All right, okay.
That's it for the photograph.
So by using this program, actually,
it can help us to visualize the sequence of the packets.
Exchange is very important in the network traffic
between the endpoints over the time.
So what is the benefit or advantage of this program?
It helps us to understand the communication in sequence
and then it helps us to troubleshoot on the handshake
like Danny mentioned, the three-way handshake problems,
the TCP three-way handshakes problem.
For example, like the retransmission.
So it helps us to see some delays or other packets
in the complex exchange or any TCP errors.
So because we can see it shows the protocol layers,
different protocol like TCP, UDP, DNS, and straw.
And it also shows the direction, right?
Direction go and back.
And the flags like SYN or ECH or SYN ECH and etc.
And it also color and order communication line
like a letter diagram.
So it's quite easy for us to see the overall communication flow.
Okay, all right.
So next, I'm also using the same PCAP file,
the pre-lap slow network PCAP file.
So it's the same.
We can use the flow of TCP data, which is under here.
I'm using TCP Trash because it's more detailed than the Stevens.
It's more or less the same, but TCP Trash is more detailed.
So I'm selecting this timescreen TCP Trash
to see the summary of the graph problem.
So I already attached the summary of the observation.
Can someone help me to read it out?
What is the observation from different aspect from here?
What you have seen?
Maybe Tan-Yoon, you can be volunteer.
Okay, so I have one, two, three, four, five.
Five observations.
So maybe you can translate by using your own language.
I mean, using your own way to describe about
what you have monitored and observed by using this TCP graph.
Okay, so I try to give you some example.
The total span is about 160 seconds
because it's more than 150 seconds.
So we can see the measure rising here in the data transfer,
and it stopped around 25 seconds, right?
No more data is being sent in the x-axis here.
And then in the y-axis, this is the TCP sequence number in bytes here.
Sequence number in bytes.
And this is the time in seconds.
So it represents the cumulative number of bytes successfully sent.
So how many bytes the server has been sent about?
How many kb or how many bytes in total for the server already been sent?
So from here, you can see it's about how many?
More than 65,000 bytes or about 63.5 kb, is it?
So this is the difference between y-axis and the x-axis.
So I try to make it slow.
Okay, so this is the key observation.
The initial data transfer is from 0 seconds to 25 seconds because it stopped here.
So data is sent steadily in steps from 1, 2, 3, up to 25.
It's stable.
So this represents normal TCP segment transmission.
But then is happening the sequence number practice like a sudden practice after 25 seconds.
So it indicates sender stop transmitting more data.
Or someone is either client or server is waiting for the segment.
Maybe, maybe is the client is waiting for acknowledgement.
So it could imply the receiver side delay.
Okay, receiver side delay or window size limitation like what Ham mentioned just now.
Or congestion, network congestion or any packet loss or retransmission stalling progress.
Or it's simply the data transfer finished early but the client is still waiting.
Okay, let me see the green light here.
Okay, green light means the acknowledgment from the client, the x-ray ACK.
So it catches up to the data quickly after initial delays.
But it stops updating after the data ends.
Okay, so this is what is expected because we already have the key observation
from the first perspective.
So if you hover the data, bottom line here, see.
It helps us to summarize 68 packets already sent from the server to client.
From the server to client.
And the 55 packets is from client.
It's likely on x-ray, the ACK.
Okay, so it shows that this was relatively short session.
Maybe the issue is due to maybe a slow network or delay x or slow start behavior of TCP.
Or retransmission is not visible directly.
So it could be inferred if jump or overlap is in the line.
Alright, so that is so-called time sequence graph.
And it shows green light means from client.
Show the black line means from server.
So what is the observation in here?
So Tanim, can you help to repeat again what is the key observation by using your own method?
Duration, yes, it's about how long for the duration in total?
You mean drop down?
Or you mean here?
It's dropped, okay.
It's dropped at 25.
Means like something stopped there.
The data transfer stopped there.
Okay, so anything else from what you observe?
One more thing.
Sometimes when we look into a time sequence graph, we might get confused.
Does it represent client or server?
So actually at the top in here, sequence number means TCP trust is actually from where to where?
Here, yeah, yeah, sorry, the client.
So this one need to be noted.
And also this is the graph title.
So all the packet size here, if you compare with the conversation dialogue,
endpoint dialogue actually is the same.
See, 68, 55.
55 is from what always means by 55?
Still remember?
It's from server or client.
Okay, good.
And 68, okay.
All right.
So, okay, again, can you give me an example like, let's say, for example,
first segment, the sequence number is 1,000.
If this packet has a sequence number of 1,000, 1,000.
Oh, this packet.
Okay, I have packet 1.
I have a sequence number of 1,000 and I am sending 100 bytes.
Okay, 100 bytes.
So what is the sequence number of the next packet?
Okay, let me open.
What happened to this?
Okay, so let's say I have get 1 and then I have, I'm having sequence number 1,000
and I am sending 100 bytes of data.
Okay, so, okay.
What is the sequence number of next packet?
I am having 1,000 sequence number and then I'm sending 500 bytes of data.
So what is the sequence number of next packet?
Sorry?
100, okay.
Let's say, okay, packet 1 has a sequence number 1,000 and then sending 500.
So the next sequence number, if everything is successful, it's smooth,
will be start with 1,500.
So what is that mean?
Okay, and this means this packet, it already contains bytes 1,000 to 1499.
So it's like a book, a big book, one page at a time.
Each page has a number, page 1, page 2, page 3, page 4, page 5.
So the sequence number, just imagine, what is the sequence number?
It actually tells the receiver where in the book this page belongs to.
So I tell the client, I tell the client,
So please start reading it at page 1,500.
Do you get what I mean?
Like a page number.
So you are sending the data from which page.
If I have 1,000 pages in this book and passing you this very big book with 1,000 pages,
I tell you, hey, Tam, please read the book.
But do you know which page you are going to be read?
You don't know.
So I'm telling you, okay, please read from page 1,500.
But then, okay, so how do you know how many pages that you are going to read?
So that's why I have the data byte size.
So this is just imagination to match with the real-world case.
So just now we mentioned about the acknowledge number.
I give you one example to help you to try to imagine the real-world case.
Acknowledge number is how the receiver tells the sender,
I got everything up to this byte.
You can send more.
So for example, if the receiver sends an acknowledge
with an accurate with the acknowledge number 1,500,
it means I have received byte 0 until 1,499.
So please send me byte 1,500 next.
So it's like saying, thanks, I got everything up to this point.
Keep going from here.
So another question, I'll give you one example.
So I'll give you another example.
Let's say sequence number equal to 1,000.
This packet starts as byte 1,000, right?
Because sequence number is 1,000, correct?
And length equal to 500 bytes.
So it means it's carrying data size is 500 bytes.
Acknowledge number is equal to 1,500.
That means the other side already has received everything up to byte 1,499.
OK.
It's a bit confusing, but never mind.
I will go deeper in tomorrow's session by using different lab examples,
especially for the sequence number, acknowledge number.
So that's why in the first lesson that I introduced yesterday,
I like to add two more columns, especially sequence and acknowledge number.
Then you will see, hey, what happened?
Acknowledge number is 1,500.
But then, what happened to the next packet?
Maybe acknowledge number is not the right and not accurate,
or sequence number is not accurate.
Jump from here to there, there to here.
So I found something wrong.
Just for your heads up.
So the last one in this morning's session.
Let's continue to the next one, the last one.
I think the last one before we go into a very big lab exercise.
From here, I want to tell you, apart from we are observing the time sequence,
which means the server from the server side,
we can also look into the round trip.
And the short form is RTT.
And what does that mean, RTT?
Okay, I tried to put here, it's for your better reference.
RTT means it's a time in text for a packet to travel from the sender to receiver and back again.
So typically, it's measured using the TCP acknowledgements.
It's a round trip, go and back.
So it's a key indicator of a network lesson.
From here, I already captured the screenshot
for this PreLab slow network PCAP file.
So we know that this is a TCP stream between the client 172 to the server.
So RTT actually is calculating in milliseconds.
You can see in the Y axis using milliseconds instead of seconds.
But the time in the X axis is using seconds in the unit.
So what is the key observation and analysis in this round trip time graph?
What have you found?
Again, this is from zero.
Let me open the workshop.
Okay, so from this perspective, the Y-axis perspective.
Let me think how to introduce in a better way.
Okay, so we do have the sharp RTT spikes.
Sharp RTT spikes is about here.
It's around here.
60 milliseconds, right?
So then how long for the time duration?
It's about 20 seconds.
So the spike is around 60 milliseconds for the round trip,
but for the duration is about 22 seconds.
But then it's a big jump from around 22 seconds.
It's a steep drop, drop to here.
So it may suggest to, again, retransmission,
writing longer for the acknowledgement,
extract from server or packet loss or server processing delay.
So it's unstable RTT between 22.
Okay, from here I can see 22.5.
Okay, 22, 21.
So it's around 22.5.
Seconds until 23.5, I think.
It's about here.
It's very unstable because we can see
this graph is showing inconsistent slope.
Sharp up and down, up and down, right?
So it indicates unstable or congested network behavior.
Okay, so again, after the initial peak,
this is the initial peak, RTT drops significantly.
So it may due to TCP slow,
start competing and traffic stabilizing.
Okay, or act delay or bursty communication.
Control between 20, I think here.
From 20.5 seconds until 21.5 seconds.
Okay, like this is a small spike.
We can see small spike and this is the most top spike.
Okay, so from the instability and the small spike
and the high spike and the sharp drop,
up and down.
So we can conclude that the traffic is not stable
and it might have network congestion issue.
It might have network slowness
or jitter in parts of the communication
because it's not consistently stable.
Okay, especially around the 22 seconds in here.
This one, okay.
Let us back to, okay, see.
During the 22 seconds around here,
you can see a lot of packets are sending out,
especially a continuation frag.
But after 24.2 seconds, it stopped.
And what is happening in here?
So the client send to server but server never respond
until 69 seconds, I can see TCP keep alive.
Okay, after a few milliseconds,
server responded.
I'm still alive.
But then it's nothing after 69 seconds.
Okay, so client ask the server again.
Are you still alive?
Are you still alive?
And then after a few milliseconds,
the server responded.
Yes, I'm keep alive.
After 114 seconds, it's nothing.
Okay, but then 156, you can see the red flag happening.
So what is happening?
I will go in deeper in tomorrow's session.
Okay, is that okay?
I have few laps to indicate.
And I will try to get more involvement in the lab exercise.
I'm not going to just explain in the theory
and showing you the, okay, let me show you.
Yeah, the summary, the key observation.
But instead, I will try to get involved
in the analysis and investigation task.
Okay, so that's all for this morning session.
I will, okay, hold on, let me check the time.
Let me pause the recording first.
So let us back at 1 and 10, 1 and 10 p.m.
Okay, at least you have one more than one hour
because otherwise it's too rush for you for lunchtime.
Okay, and then I hope you can enjoy your lunch break
and then you have some takeaway,
even though it's a bit more deeper,
it's more technical compared with the previous yesterday session
because yesterday is just a basic knowledge.
But today is going more deeper
and tomorrow we're going more deeper and deeper.
But I hope this afternoon session after the lab,
you can learn more, right?
Okay, see you later after lunch.
All right, bye.
I'm waiting.
I didn't count.
Oh no, how many times did you go?
One, two, three, four, five, six, seven, eight, nine, ten.
So you don't count the hospital, you don't count the room.
You count this room.
This is four times, right?
Four times or five times?
It's four times, four times, four times, eight times.
What did you say today?
I just said I was going to the hospital.
I was going to the hospital.
I was going to the hospital.
What does that mean, you're going to the hospital for a month?
I'm going to the hospital.
I'm going to the hospital.
I'm going to the hospital.
Did he tell you to continue taking the medicine?
I'm going to the hospital.
Is there tea here?
I didn't ask.
I didn't ask.
There seems to be no tea.
Do you want to have some rice?
No, no.
I don't need rice.
There's too much.
I know I can put it on your shirt
You can put it on or not
This shirt
I don't know
I don't know
This shirt
I don't know
I don't know
This shirt is 3.9
I don't know
This shirt is just 3.9
I only know this shirt
You don't need to change it. You can sleep on your own.
Oh, I can't stand it anymore.
You like to talk.
You want to sit on the table?
You can go. You have time to chat.
I want to kiss you.
What are you going to use?
Then talk like this.
What are you doing here?
What are you doing?
I am...
I am going to use the cooking oil.
You can use it for fried rice.
It's expensive.
You don't want to use it?
You don't want to use it?
You don't want to use it?
Wait a minute.
I am thinking about something.
I am thinking about something.
You can give it to him.
I am thinking about something.
I am thinking about something.
I am thinking about something.
I am going to continue my class.
After tomorrow, I am going to eat fried rice.
The sauce is weird. What do you add?
I add chili oil.
I am going to add chili oil.
I am going to add chili oil.
I am going to add chili oil.
I am going to add chili oil.
I am going to add chili oil.
I am going to add chili oil.
My water bottle.
I don't know how to say it in Chinese, but I think it's a good way to say it in Chinese.
I think it's a good way to say it in Chinese, but I think it's a good way to say it in Chinese.
I don't know how to say it in Chinese, but I think it's a good way to say it in Chinese.
I don't know how to say it in Chinese, but I think it's a good way to say it in Chinese.
I don't know how to say it in Chinese, but I think it's a good way to say it in Chinese.
I don't know how to say it in Chinese, but I think it's a good way to say it in Chinese.
I don't know how to say it in Chinese, but I think it's a good way to say it in Chinese.
I don't know how to say it in Chinese, but I think it's a good way to say it in Chinese.
I don't know how to say it in Chinese, but I think it's a good way to say it in Chinese.
I don't know how to say it in Chinese.
I don't know how to say it in Chinese, but I think it's a good way to say it in Chinese.
I don't know how to say it in Chinese.
I don't know how to say it in Chinese, but I think it's a good way to say it in Chinese.
I don't know how to say it in Chinese.
I don't know how to say it in Chinese.
Thank you.
Thank you.
Thank you.
Thank you.
I hope you enjoy your lunch.
I hope you enjoy your lunch.
I hope you enjoy your lunch.
I stayed there for two months just to experience the Thailand's life.
I like the environment there and the culture.
I like the people there.
I like the people there.
I like the people there.
I like the people there.
I like the people there.
I like the people there.                

on 2025-04-22

language: EN

                  WEBVTT
Okay, go to statistics, capture file properties, all right. So, throw it down, you will see
there are some comments there. Okay, so I have listed nine, I think nine, okay, should
be 11, 11 questions, okay, sorry, nine questions but include four sub-questions. So, I would
need a help to answer it. I will give you an answer for the first question. You can
find the answer from these capture file properties or you need to back to here to type in
filter or you need to go to the statistics, conversation, endpoints. Okay, I don't give the hint
phrase. I don't want to give the answer phrase. Look in the questions and try to answer from
the side. So, how do you answer these questions? Okay, there's a edit comment in here. Can you
see that? Okay, click edit comment, enlarge it. Okay, so you can answer the questions, put
your answer here, okay, and then save it. So, once you save it, I can go to your desktop
and check the answer. You can write some explanation, how do you find it, whatever,
more detailed answer. Just let me know, okay, where you go, where do you find it
and why and how, something like that. Okay, so it will take some time. So, I will
Is it okay to give you around 33 minutes, I mean 150 hours back. So, it's about 33 minutes
to answer all those questions. Is it too short? Okay, so I will come back at 150
and then we will, I will explain to you on the details after you done the session.
So, please write your answer in details. Try your best to answer it in the proper
way. Okay, it will help you to really like hands on and remember all those steps.
Okay, okay, let's start. See you later. If you have any questions, just shout,
I will be here. Okay, I will be always here, just off the camera and mute. Okay, see you later.
Yes, I'm here.
Okay, all right. You mean you don't know the answer or you don't understand the question?
Okay, are you able to find the answer for four and five? So, that two numbers are different.
So, why is this number different? So, it's related to four and five. Okay.
Have you done? Have you done the exercise? Let me take a look. So, you are still on
which question?
Oh, the last one.
Okay, I'll give you a few more minutes. I will come back to you at two. Okay.                

on 2025-04-22