Learn. Capture. Repeat.
Key Takeaways
Demonstrates Wireshark packet analysis for networkers and ethical hackers
Full Transcript
Just learn, learn Wireshark. It will help you tremendously in the real world. It's an important skill for any networker to have, or anyone interested in sort of ethical hacking. You want to be able to learn what's going on in the network, and by simply running a sniffer like Wireshark you can actually see a whole bunch of stuff on the network.

Can you answer these questions by interpreting a Wireshark capture? What I'm going to do here is start a Wireshark capture on this interface and then I'll start these routers in the topology. The reason I want to start the Wireshark capture first is I want to show you the routing protocol negotiation between those two routers, so I want to capture that in the Wireshark capture. Now, you get these Wireshark captures as part of this course, so download the attached Wireshark capture and see if you can answer the questions.

First question is: which version of OSPF is used in the topology? So which version of OSPF is used on Router 1 and Router 2? Is authentication used? If so, which type of authentication? What's the password? So can you sniff the password from this network? By simply running Wireshark and looking at the Wireshark capture, are you able to determine what the password is, in other words what password is used by these OSPF routers? Which OSPF area is used? Is it area 1, area 2 or another area? What are the OSPF router priorities? Default priority is 1. Which router is the designated router?

Okay, so you can see here we've got some OSPF advertisements taking place. I'll do an ospf filter so that we only see OSPF messages, and what I'll do here is stop the Wireshark capture. This will be the Wireshark capture that you have attached to this course, so I'll save this as ospf1. So download the Wireshark capture and see if you can answer these questions yourself. If necessary, stop the video at this point, or pause the video, and see if you can answer these questions yourself. There's no better way to learn than to try things yourself. So again, download the Wireshark capture, see if you can answer the questions, otherwise continue watching and I'll answer the questions.

Okay, so let's see if we can answer these questions together. First question is which version of OSPF is used in the topology. All I've done is run a filter on this Wireshark capture for ospf, so ospf allows me to filter out the other protocols and only see the OSPF messages. What we're seeing here is a router with this IP address, 10.1.3.251, and another router with this IP address, 10.1.3.252, sending multicasts to the well-known multicast address of 224.0.0.5. So we see some hello packets and then we actually see a message directly from one router to the other. We see continued hello packets and then we get some database description messages, request messages, a link state request and update messages, database descriptions and so forth. But just off these hello messages we should be able to determine a lot of information.

I'm going to go into a little bit more detail here, I hope that's okay, but I want to make sure that everyone understands how the protocol works. First thing, layer 2: notice the source MAC address; the destination is the OSPF multicast address. So IPv4 multicast: this is the MAC address prefix for IPv4 multicast, 01:00:5e, and then this portion, the last 23 bits, is actually determined by the multicast address. The well-known multicast address, as we can see here, for OSPF is 224.0.0.5, so the MAC address is 01:00:5e:00:00:05, the multicast MAC address for OSPF. At layer 2 we see that the layer 3 protocol is IPv4, so the type field is set to 0x0800. So IPv4: source IP address, destination IP address. We can see once again, here's an interesting field: notice the DSCP, or Differentiated Services Code Point, is set to CS6, class selector 6.

That is actually a higher priority than expedited forwarding, which is used for Voice over IP. Routing protocols are deemed to be more important than Voice over IP. In other words, this is some of the most important traffic that you can have on a network, and it makes sense: if you can't route, in other words if routing protocols can't communicate and can't send routing updates to each other, you will not be able to forward traffic in your network, so everything else will break. So you need your routing protocols to be prioritized over other traffic types. So CS6, in other words very, very important traffic in the network.

But let's go down a bit further. I'll make the Wireshark window bigger. Notice protocol: OSPF IGP, protocol number 89. This is the well-known protocol number for OSPF. It's a good one to remember, so 89 is OSPF. Wireshark actually makes it easy for us, it's interpreting the protocol number automatically. Source IP address, destination IP address once again displayed. This implies that this is OSPF, so in Wireshark at layer 4 we see OSPF. So layer 2 Ethernet, layer 3 IPv4, layer 4 OSPF. There's a bit of debate whether OSPF is layer 3 or layer 4; we won't get into that debate, but essentially OSPF relies on IPv4 in this case.

So which version of OSPF are we running? It's OSPF version 2. So which version of OSPF? v2. We can see that clearly in the Wireshark capture over there. This is a hello packet, this is the size of the packet, so its length. This is the source of the message; this is actually the IP address of Router 1. This IP address, 10.1.3.252, is the IP address of Router 2, but for now note the IP address of Router 1. Area ID 0.0.0.0, backbone area. So we can actually answer this question as well: the backbone area, and I'll make this a different color, let's say blue. The area in this example is area 0. It can be written as 0 or it can be written like this, 0.0.0.0, same thing. Is it a router or a rooter, is it a tomato or a tomahto? Same concept. It's area 0.

Okay, so checksum is correct, that means there's no problem with the packet. Notice here authentication type is simple password. So is authentication used? Yes it is. So authentication is simple, simple password is used. Very bad idea, but that's what we've got here. Notice here's the password, it's ospfpass. So that is the password. Not a good idea to use clear text protocols in a network, it's very, very simple to capture the passwords. There you go, there's the password shown clearly in the Wireshark capture. So be careful using clear text passwords with OSPF. We actually want to use MD5, not clear text; better to use MD5 passwords.

Okay, another question: what are the OSPF router priorities? So let's dig down a little bit deeper. We can see the hello packet, notice network mask, notice here priority. So this is Router 1; if you didn't know the answer to that you could just say the one router has a priority of 101, and if we jump to Router 2, the second router, notice its priority is 102. So Router 2: 102. Very easy to read Wireshark captures if you understand the data, or understand what you're looking at. But in brief, OSPF is a routing protocol run within an autonomous system. Router priorities for determining who's in charge of a segment: it's done based on router priority, one of the determining factors. Highest priority wins. Notice at this point we don't see designated router and backup designated router. There is an election that takes place; that election hasn't completed. So let's go right to the end, in other words later hello packets, once the routers started talking to each other. So notice here we've got no backup designated router, but if we go through the messages you'll see they will negotiate a bunch of stuff and then we should start seeing in the hello messages, like here, who the designated router is and who the backup designated router is. So who's the designated router? The designated router in this topology is 10.1.3.252, as we can see over there. Highest priority wins; this router has a high priority, 102, so it's going to be the designated router.

Okay, so I've answered all those questions. How did you get on? Were you able to answer these questions? The thing about Wireshark is you can dig really deep, but you need to understand the protocols, so you need to spend some time learning the theory of protocols. I mean, this means nothing if you don't understand what you're looking at, so you need to spend some time learning about OSPF. Once again, OSPF version 2; later releases of OSPF, OSPF version 3, would be used in an IPv6 environment. In this example we're just looking at OSPF for IPv4. If you don't understand what a backbone router is, it doesn't make any sense. It's important that you learn your routing protocols.

So let's actually have a look at the consoles of the routers. There's Router 1, here's Router 2, just to prove that what I've explained through Wireshark is actually true. So show ip, and let's do the easy one, so show ip interface brief. You can see this is the router's IP address on Gigabit 0/1, this interface here. On Router 2, show ip interface brief, this is the IP address on Gigabit 0/0, this interface. show ip ospf neighbor: notice this router, Router 1, has a neighbor relationship with Router 2. We can see that it's a full relationship. The other router, in other words Router 2, is the designated router, per what we worked out in Wireshark. So show ip interface brief on this side, make that bigger... notice that's the wrong command, sorry, so show ip ospf neighbor rather. So Router 2 sees Router 1 as a backup designated router, full relationship. On an Ethernet segment the designated router and backup designated router form full relationships with other routers; in other words they exchange the topology database with other routers, and we can see that over here.

Notice we've got hellos and then we've got a database description. So in the output here we can see a description of the database, so some information about the database is shown in the capture. But the one I want to point out is, notice as we go down we've got a link state request message and then we've got a link state update message. Notice LSA type 1. So if you've learned a bit about OSPF you'll know about LSA types 1, 2, 3, 4 and 5. As an example, notice we can see in network information this is a stub network, 10.1.2.0; here's another stub network, 10.1.3.0. This was advertised by 10.1.3.252, which is actually Router 2. 10.1.3.0 is the segment between the routers; notice you can see 10.1.3.something being advertised here. This network is 10.1.2.0, and we can see that once again over here: 10.1.2.0 is the subnet on this interface, Gigabit 0/1. If you actually want to see that we can do it this way as well: show run interface gigabit 0/1. Notice this is the configuration of that interface, and if I type show run or show ip interface gigabit 0/1 you can see the IP address and the subnet mask on that interface. Okay, so we can see here the networks that are going to be advertised by the two routers to each other. Here we see a database description, here's another update. So basically the routers are communicating information to one another. This is Router 1, notice .251. A different network is shown here, 10.1.1.0. So we see 10.1.3.0, that's the network between the two routers, and 10.1.1.0 advertised between, or should I say from, Router 1 to Router 2. We can see the metric or the cost to get there, so network, subnet, metric of this network. It's a stub network, in other words there's no other router connected to this network.

A lot of information can be gleaned from Wireshark. You see acknowledgements. OSPF doesn't rely on TCP, so if you have a look here there's no TCP protocol. If it sends a link state update to the other router, it needs an acknowledgement back to make sure that the other router got the update, otherwise it's going to retransmit that data. Because there's no TCP to do the retransmissions and make sure that data gets through, OSPF has its own mechanism to do that, and you can see that once again through the Wireshark captures: link state update, link state acknowledgement. So the one router requests data, the other one updates, and then we give back an acknowledgement to make sure that it got through properly, or acknowledge to the other router that we received what they were sending us.

Again, Wireshark is brilliant, you can see so much information just by looking at a capture. There are other protocols running on this network: we can see broadcasts here, we can see spanning tree, other protocols. But by simply searching for ospf we can see the OSPF messages and then interpret what's going on. Again, how did you get on? If you weren't able to answer the questions, don't worry. Just learn, learn Wireshark. It will help you tremendously in the real world. It's an important skill for any networker to have, or anyone interested in sort of ethical hacking. You want to be able to learn what's going on in the network, and by simply running a sniffer like Wireshark you can actually see a whole bunch of stuff on the network.
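The fields the video reads off Wireshark (version, area, AuType and the clear-text password, router priority, DR/BDR, the checksum, and the 224.0.0.5 to 01:00:5e:00:00:05 MAC mapping) can be decoded from the raw OSPFv2 header and Hello body directly. The following is an added example, not code from the video or the course: it builds two constructed Hello packets that mirror the lab's values (area 0, simple-password authentication with the password ospfpass, priorities 101 and 102; router IDs are assumed equal to the interface addresses for simplicity), parses them with the RFC 2328 layouts, verifies the checksum, flags weak authentication from a defender's point of view, and applies the "highest priority wins" election rule the video describes. The function names and the sample bytes are this example's own.

```python
"""Decode OSPFv2 Hello packets and surface the fields the video reads off
Wireshark: version, area, AuType (and the clear-text password when AuType is 1),
priority, DR/BDR, checksum, plus the IPv4-multicast-to-MAC mapping.
Standard library only; packet layouts follow RFC 2328 (A.3.1 and A.3.2)."""
import ipaddress
import struct

OSPF_IP_PROTOCOL = 89            # IP protocol number that carries OSPF
ALLSPF_ROUTERS = "224.0.0.5"     # well-known AllSPFRouters multicast group
AUTH_TYPES = {0: "Null", 1: "Simple password", 2: "Cryptographic"}


def ipv4_multicast_mac(group):
    """01:00:5e prefix followed by the low 23 bits of the IPv4 group (RFC 1112)."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError("%s is not an IPv4 multicast group" % group)
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def ospf_checksum(pkt):
    """One's-complement checksum over the packet with the 8-byte Authentication
    field (bytes 16..23) excluded, as used for AuType 0 and 1. The checksum
    field itself (bytes 12..13) must be zero when this is computed."""
    data = pkt[:16] + pkt[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_hello(router_id, area_id, auth_type, auth_data, netmask, priority,
                dr="0.0.0.0", bdr="0.0.0.0", neighbors=()):
    """Constructed OSPFv2 Hello (24-byte header + Hello body) for offline practice."""
    p = lambda ip: ipaddress.IPv4Address(ip).packed
    # mask, HelloInterval 10s, options (E bit), priority, RouterDeadInterval 40s, DR, BDR
    body = struct.pack("!4sHBBI4s4s", p(netmask), 10, 0x02, priority, 40, p(dr), p(bdr))
    body += b"".join(p(n) for n in neighbors)
    auth = auth_data.ljust(8, b"\x00")[:8]
    header = struct.pack("!BBH4s4sHH8s", 2, 1, 24 + len(body),
                         p(router_id), p(area_id), 0, auth_type, auth)
    pkt = header + body
    return pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]


def parse_hello(pkt):
    """Return the header and Hello fields as a dict; raises on non-Hello input."""
    version, ptype, length, rid, area, csum, autype, auth = struct.unpack("!BBH4s4sHH8s", pkt[:24])
    if version != 2 or ptype != 1:
        raise ValueError("expected an OSPFv2 Hello (version 2, type 1)")
    if length != len(pkt):
        raise ValueError("length field %d does not match %d bytes" % (length, len(pkt)))
    mask, hello_int, options, prio, dead, dr, bdr = struct.unpack("!4sHBBI4s4s", pkt[24:44])
    ip = lambda b: str(ipaddress.IPv4Address(b))
    info = {
        "version": version, "router_id": ip(rid), "area": ip(area),
        "checksum_ok": ospf_checksum(pkt[:12] + b"\x00\x00" + pkt[14:]) == csum,
        "auth_type": AUTH_TYPES.get(autype, "Unknown(%d)" % autype),
        "netmask": ip(mask), "hello_interval": hello_int, "dead_interval": dead,
        "priority": prio, "dr": ip(dr), "bdr": ip(bdr),
        "neighbors": [ip(pkt[i:i + 4]) for i in range(44, length, 4)],
    }
    if autype == 1:  # the simple password rides in the clear in every packet
        info["password"] = auth.rstrip(b"\x00").decode("ascii", "replace")
    return info


def audit_hello(info):
    """Defender's view: flag authentication settings that a sniffer on the segment defeats."""
    findings = []
    if info["auth_type"] == "Null":
        findings.append("no OSPF authentication on area %s" % info["area"])
    elif info["auth_type"] == "Simple password":
        findings.append("clear-text OSPF password visible on the wire; "
                        "move to MD5 (AuType 2) authentication")
    return findings


def expected_dr(hellos):
    """Highest priority wins; priority 0 is ineligible; ties go to the higher router ID.
    (Simplified: ignores the RFC 2328 rule that an incumbent DR keeps its role.)"""
    eligible = [h for h in hellos if h["priority"] > 0]
    if not eligible:
        return None
    best = max(eligible, key=lambda h: (h["priority"], int(ipaddress.IPv4Address(h["router_id"]))))
    return best["router_id"]


# Constructed sample mirroring the lab: area 0, simple password, priorities 101 and 102
R1_HELLO = build_hello("10.1.3.251", "0.0.0.0", 1, b"ospfpass", "255.255.255.0", 101)
R2_HELLO = build_hello("10.1.3.252", "0.0.0.0", 1, b"ospfpass", "255.255.255.0", 102,
                       neighbors=("10.1.3.251",))

if __name__ == "__main__":
    hellos = [parse_hello(R1_HELLO), parse_hello(R2_HELLO)]
    for h in hellos:
        print(h, audit_hello(h))
    print("expected DR:", expected_dr(hellos))
    print(ALLSPF_ROUTERS, "->", ipv4_multicast_mac(ALLSPF_ROUTERS))
```

Running the module prints both decoded Hellos, the clear-text finding, 10.1.3.252 as the expected DR, and the multicast MAC. Against a real capture, the same `parse_hello` can be fed the OSPF payload of each packet with IP protocol 89 (for example, bytes exported from Wireshark); the checksum check is what tells you the bytes were sliced at the right offset.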
Original Description
Learn Wireshark if you are serious.
Get the full Wireshark course for $9: https://bit.ly/wireshark20
Need help? Join my Discord: https://discord.com/invite/usKSyzb
Download pcapng file here: https://bit.ly/wiresharkospf
Questions and Answers: https://bit.ly/2KVp64a
Menu:
Overview: 0:00
Questions: 0:24
Answers: 2:46
In this course I'm going to show you how to capture packets from a network, how to capture passwords, replay voice conversations, view routing protocol updates and many more options.
Do you know network protocols? Want to learn Wireshark and have some fun? This is the course for you:
Learn Wireshark practically. Wireshark pcapng files provided so you can practice while you learn! There is so much to learn in this course:
- Capture Telnet, FTP, TFTP, HTTP passwords.
- Replay VoIP conversations.
- Capture routing protocol (OSPF) authentication passwords.
- Troubleshoot network issues.
- Free software.
- Free downloadable pcapng files.
- Answer quiz questions.
The course is very practical. You can practice while you learn! Learn how to analyze and interpret network protocols and leverage Wireshark for what it was originally intended: Deep Packet Inspection and network analysis.
Protocols we capture and discuss in this course include:
- Telnet
- FTP
- TFTP
- HTTP
- VoIP
- OSPF
- EIGRP
- DNS
- ICMP
======================
Special Offers:
======================
Cisco Press: Up to 50% discount
Save every day on Cisco Press learning products! Use discount code BOMBAL during checkout to save 35% on print books (plus free shipping in the U.S.), 45% on eBooks, and 50% on video courses and simulator software. Offer expires December 31, 2020. Shop now.
Link: bit.ly/ciscopress50
ITPro.TV:
https://itpro.tv/davidbombal
30% discount off all plans Code: DAVIDBOMBAL
Boson software: 15% discount
Link: https://bit.ly/boson15
Code: DBAF15P
GNS3 Academy:
CCNA ($10): https://bit.ly/gns3ccna10
Wireshark ($10): https://bit.ly/gns3wireshark
DavidBombal.com