1
00:00:00,696 --> 00:00:03,616
>> While we are nearing the
end of our Cisco Foundations
2
00:00:03,616 --> 00:00:09,426
or more specifically network foundations, as in
how devices communicate on the network today.
3
00:00:10,036 --> 00:00:13,516
At this point, I'm going to
say we are good at layer two.
4
00:00:13,736 --> 00:00:15,186
We understand the data link layer.
5
00:00:15,186 --> 00:00:18,726
We understand MAC addresses, physical
addresses burned into the network cards
6
00:00:18,726 --> 00:00:22,806
of the different devices and how that
interacts with layer three, the IP layer,
7
00:00:22,806 --> 00:00:28,106
and IP addressing basics fundamental and
communication, how the ARP protocol resolves,
8
00:00:28,106 --> 00:00:31,396
I mean all of that stuff we've
talked about the previous nuggets.
9
00:00:31,396 --> 00:00:33,086
So, now I'm going to move up to layer four.
10
00:00:33,896 --> 00:00:41,716
TCP and UDP, the last really network relevant
layer that we're going to focus on in here.
11
00:00:41,716 --> 00:00:46,106
We're going to see where these two fit into this
puzzle of network communication and it's going
12
00:00:46,106 --> 00:00:47,806
to bring up a whole bunch of port numbers.
13
00:00:47,806 --> 00:00:49,966
So, I'll give you some common
ones that you'll want to know,
14
00:00:49,966 --> 00:00:54,136
not only for certification purposes
if that's your direction, but also,
15
00:00:54,136 --> 00:00:56,786
I mean you use this all the
time in the real world.
16
00:00:57,256 --> 00:01:01,346
And then, we'll complete the end-to-end
communication story where we started looking at,
17
00:01:01,496 --> 00:01:05,016
you know, from this host to this
host, what are all the factors that go
18
00:01:05,016 --> 00:01:09,146
into making packets transmit
successfully across the wire.
19
00:01:10,506 --> 00:01:14,276
Oh, my goodness, I totally forgot to
mention that we're going to start learning
20
00:01:14,276 --> 00:01:17,926
about Wireshark in this nugget
which-- it's awesome!
21
00:01:17,956 --> 00:01:21,206
You're going to really see a lot.
22
00:01:21,206 --> 00:01:22,826
That's what this little icon is right here.
23
00:01:22,826 --> 00:01:25,786
I know some of you might have heard
of it before I go and, "Oh, no.
24
00:01:25,816 --> 00:01:30,986
Really?" This tool is amazing for helping
you not only troubleshoot networking,
25
00:01:31,576 --> 00:01:35,186
network issues, but to learn networking.
26
00:01:35,186 --> 00:01:38,246
I mean when you look at it,
initially it's overwhelming.
27
00:01:38,246 --> 00:01:39,406
There's no doubt about it.
28
00:01:39,666 --> 00:01:42,286
But when you see just the
basics of how to use it,
29
00:01:42,286 --> 00:01:45,876
it's like okay, I think I can really get this.
30
00:01:45,876 --> 00:01:50,406
As a matter of fact, Wireshark has
always, you know, it's always been one
31
00:01:50,406 --> 00:01:52,786
of the tools I've had but I rarely use that.
32
00:01:52,786 --> 00:01:56,716
I mean, Wireshark was like, okay,
everything is down, last resort,
33
00:01:56,716 --> 00:01:58,476
what's going on, let's get out Wireshark.
34
00:01:58,756 --> 00:01:59,576
And then I got a book.
35
00:01:59,576 --> 00:02:01,196
I'm-- I've got in my bookshelf right here.
36
00:02:01,196 --> 00:02:02,426
Pull it off.
37
00:02:02,426 --> 00:02:05,356
It's "Wireshark Network Analysis"
by Laura Chappell.
38
00:02:05,416 --> 00:02:08,276
It's a big, big fat book.
39
00:02:08,276 --> 00:02:10,876
And just this-- it's a free utility.
40
00:02:11,266 --> 00:02:13,046
And I-- let me-- I'm going to flip a hand.
41
00:02:13,046 --> 00:02:16,456
I'm flipping at the preface
here, table of contents.
42
00:02:16,456 --> 00:02:17,096
All right.
43
00:02:17,556 --> 00:02:20,256
This is what she said and this is her preface.
44
00:02:20,976 --> 00:02:26,086
"Wireshark is a," and she puts it in
all capitals, "FIRST RESPONDER tool
45
00:02:26,546 --> 00:02:30,826
that should be employed immediately
when the cries of the network is slow
46
00:02:30,826 --> 00:02:34,386
or I think my network is infected
echo through the company halls."
47
00:02:34,806 --> 00:02:38,406
And, when I read that, remember
reading that years ago, and I go,
48
00:02:38,406 --> 00:02:40,806
[inaudible], it's not a first responder tool.
49
00:02:40,806 --> 00:02:45,806
This is like the last responder tool, but
seriously that's one of those statements
50
00:02:45,806 --> 00:02:50,806
that have just stuck in my head and over
these last few years, I've started using it.
51
00:02:50,806 --> 00:02:54,746
It's not-- it's still not my first
responder tool, but I've used it a lot more
52
00:02:54,746 --> 00:02:59,656
with a lot more immediacy than I have in the
past and it really has saved a lot of times.
53
00:02:59,656 --> 00:03:01,646
So, I want to get you guys
familiar with that right away.
54
00:03:01,856 --> 00:03:05,296
So, what are TCP and UDP?
55
00:03:06,306 --> 00:03:13,116
They are the primary transport protocols used
today, meaning transport layer of the OSI model.
56
00:03:13,116 --> 00:03:16,316
We've got our applications trying
to communicate data up here, right?
57
00:03:16,316 --> 00:03:21,976
In our Internet Explorer, our [laughs]-- what other online games, whatever--
58
00:03:21,976 --> 00:03:25,326
what other applications that people
use nowadays, instant messengers,
59
00:03:25,326 --> 00:03:27,366
all those kinds of things are
sending their data down here.
60
00:03:27,576 --> 00:03:30,606
It reaches the transport layer and
you might remember from the OSI model,
61
00:03:30,756 --> 00:03:33,276
this is where it's going to
choose the reliability, you know,
62
00:03:33,366 --> 00:03:35,376
it's going to be reliable or unreliable.
63
00:03:35,496 --> 00:03:40,086
And then it also assigns the port numbers to
start separating the different applications
64
00:03:40,086 --> 00:03:43,356
so the operating system can
distinctly understand
65
00:03:43,356 --> 00:03:45,516
which traffic goes to which application.
66
00:03:45,886 --> 00:03:48,926
Now, there are a lot of transport protocols.
67
00:03:48,996 --> 00:03:53,826
Again, I'll remind you, the OSI
model is a standard of standards.
68
00:03:54,116 --> 00:03:58,056
The transport layer is just a shell but inside
of there, there's all kinds of standards
69
00:03:58,056 --> 00:04:04,066
like TCP is one of them, UDP is
another, ICMP is yet another,
70
00:04:04,066 --> 00:04:07,866
ESP that's used for VPN connections,
and things like that.
71
00:04:07,866 --> 00:04:12,836
Even-- you'll start seeing protocols
like OSPF and EIGRP, I mean all these--
72
00:04:12,836 --> 00:04:17,326
all of these kind of squeeze right into
that green box known as the transport layer.
73
00:04:17,676 --> 00:04:24,596
But when we're talking about programs, talking
across the network, they primarily use one
74
00:04:24,596 --> 00:04:28,836
of two protocols, UDP, that's
our unreliable version.
75
00:04:28,886 --> 00:04:35,136
It's saying, "I hope it gets there," or
TCP, that's the "I know it got there."
76
00:04:35,136 --> 00:04:36,996
That's the reliable version of this.
77
00:04:37,316 --> 00:04:39,606
So UDP is the User Datagram Protocol.
78
00:04:39,606 --> 00:04:41,696
TCP, Transmission Control Protocol.
79
00:04:41,696 --> 00:04:42,696
That's what they stand for.
80
00:04:42,936 --> 00:04:45,986
And that they combine together with,
you know, the subprotocols below,
81
00:04:45,986 --> 00:04:51,546
that's why TCP/IP got its name, it's
not really that that's the protocol,
82
00:04:51,546 --> 00:04:52,706
it's the suite of protocols.
83
00:04:52,926 --> 00:04:57,826
The most common being TCP and IP combined
together to make network communication happen.
84
00:04:57,966 --> 00:05:01,596
So, first off, let's get into UDP.
85
00:05:01,596 --> 00:05:05,716
And I talked one more time about the OSI model,
I got it in a little, little bit of this like,
86
00:05:05,716 --> 00:05:09,486
why would you want to send something
unreliable like, "I hope it gets there"?
87
00:05:10,216 --> 00:05:14,416
Well, the first thing to understand is
that there is a cost to reliability.
88
00:05:15,046 --> 00:05:20,256
In order to say, "I know it got there,"
there's a lot of setup that takes place.
89
00:05:20,616 --> 00:05:23,976
The first thing that happens is
something known as the 3-way handshake,
90
00:05:24,126 --> 00:05:28,596
and I'll explain that in just a
moment, but essentially the two devices
91
00:05:28,596 --> 00:05:32,126
that are talking together have to
establish a session between each other,
92
00:05:32,126 --> 00:05:34,406
make sure that, "Okay, we agree to talk, okay.
93
00:05:34,406 --> 00:05:34,886
That's good."
94
00:05:34,886 --> 00:05:39,346
Okay. That's a little time right there and
a little time to establish that session.
95
00:05:39,696 --> 00:05:45,876
Then every single packet that gets sent or
every stream of communication that gets sent,
96
00:05:45,876 --> 00:05:47,526
I'm going to just write something up here.
97
00:05:48,946 --> 00:05:52,796
It's my reminder.
98
00:05:52,936 --> 00:05:55,996
[Laughs] Every stream of things that
get sent between these things has
99
00:05:55,996 --> 00:05:58,816
to get an acknowledgment
back saying, "I got it."
100
00:05:58,946 --> 00:06:05,426
Again, more overhead, more delay where some
things just may not need that sort of thing.
101
00:06:05,906 --> 00:06:10,956
I want to give you-- now, I gave you the
example back in the OSI model of things
102
00:06:10,956 --> 00:06:15,616
that do not need reliable
communications being like voice over IP
103
00:06:16,176 --> 00:06:19,326
where I have an IP phone talking to an IP phone.
104
00:06:19,646 --> 00:06:23,736
You know, there's a stream of data going between
the two, if something is dropped, it's gone.
105
00:06:23,736 --> 00:06:27,776
There's no use in retransmitting it at a
later time because it's real time traffic.
106
00:06:27,976 --> 00:06:29,816
Same thing with video over IP.
107
00:06:30,036 --> 00:06:36,466
But, there's also some other data
applications out there that use UDP as well.
108
00:06:36,666 --> 00:06:41,306
I want to give you one that you use
every single day and that is DNS.
109
00:06:43,056 --> 00:06:48,036
DNS, the domain name service,
translates names to IP addresses,
110
00:06:48,036 --> 00:06:50,206
because remember in the OSI
model, it's not-- we--
111
00:06:50,206 --> 00:06:55,436
at this network layer, we can't
squeeze in www.google.com.
112
00:06:55,436 --> 00:06:56,796
It deals with IP, the IP protocol.
113
00:06:57,086 --> 00:07:01,146
So, we have to have some kind of
system that takes these friendly names
114
00:07:01,146 --> 00:07:05,756
like I put wireshark.org, I'm going to show
that to you in a moment, or cbtnuggets.com
115
00:07:05,756 --> 00:07:08,836
and translates it to what
IP address is really there.
116
00:07:09,176 --> 00:07:15,046
DNS, at least the client version of
it that we use everyday, uses UDP.
117
00:07:15,726 --> 00:07:17,576
So, let's check this out.
118
00:07:17,846 --> 00:07:19,866
I'm going to bring up Wireshark.
119
00:07:20,346 --> 00:07:22,996
Now, I want to give you a
little basics of this program.
120
00:07:24,216 --> 00:07:28,476
Wireshark will be flat overwhelming
if you just open it up and say,
121
00:07:28,476 --> 00:07:30,396
"Okay, let's see what's happening."
122
00:07:30,396 --> 00:07:33,316
If you've never done this before, I
mean people get scared, they back off.
123
00:07:33,316 --> 00:07:35,516
They're like, "Aah, I don't
want to use that again."
124
00:07:35,516 --> 00:07:39,906
But, let me give you the basics which will
really get you started and I tell you what,
125
00:07:39,906 --> 00:07:44,546
if somebody would have sat down with me in my
early days of networking and just said, "Hey,
126
00:07:44,546 --> 00:07:46,756
Jeremy, let's just sit down for a second.
127
00:07:46,756 --> 00:07:50,266
Let me give you a 5-minute tutorial of
this tool that will change your life."
128
00:07:50,546 --> 00:07:51,906
You know, I would have been
like, "Great, thanks."
129
00:07:52,086 --> 00:07:56,256
You know, just, you know, the fear of
it is what held me back for so long.
130
00:07:56,606 --> 00:07:58,776
But, this is Wireshark 1.82.
131
00:07:59,096 --> 00:07:59,946
It is free.
132
00:07:59,946 --> 00:08:04,316
You go to wireshark.org and just
go to their little download page
133
00:08:04,316 --> 00:08:06,316
and they'll automatically
detect your operating system.
134
00:08:06,316 --> 00:08:07,806
You can put it on there, it's good.
135
00:08:07,806 --> 00:08:14,636
So, once you get Wireshark installed, it's just
literally a next, next finish sort of install.
136
00:08:14,816 --> 00:08:16,226
This is what pops up.
137
00:08:16,466 --> 00:08:21,826
Now, the key icon you want to go to is
this list available capture interfaces.
138
00:08:21,826 --> 00:08:26,606
And, trust me, this is a massive utility.
139
00:08:27,276 --> 00:08:28,326
There's a lot to it.
140
00:08:28,326 --> 00:08:31,736
I just want to get you the core that will
get you started in doing what you need to do.
141
00:08:32,246 --> 00:08:33,256
So, I click on this.
142
00:08:33,336 --> 00:08:36,886
And right here, I can see the
interfaces that are on my computer.
143
00:08:37,226 --> 00:08:43,246
Now, I see this sun which, if you remember
I had it when I went to my control panel,
144
00:08:44,196 --> 00:08:46,376
and did my network status, look to my adaptor,
145
00:08:46,376 --> 00:08:53,056
I had this little VirtualBox host-only that's
installed by the VirtualBox application.
146
00:08:53,056 --> 00:08:54,416
It's a little virtual machine thing.
147
00:08:54,706 --> 00:08:57,566
It's developed by Oracle,
Sun Oracle, they merged.
148
00:08:57,826 --> 00:09:01,506
And so, that's what this little adaptor is and
I can look, that's why I always go to this view.
149
00:09:01,506 --> 00:09:06,506
I'm like, "Okay, not much happening there"
'cause if I'm looking here trying to start,
150
00:09:06,506 --> 00:09:10,396
you know, pick one, you can start it from here
but if I don't, I don't know which one it is.
151
00:09:10,396 --> 00:09:12,576
You know, I want to see,
where's the traffic happening?
152
00:09:12,576 --> 00:09:13,066
So, I go, "Okay."
153
00:09:13,066 --> 00:09:16,286
Well, it looks like this is where
there's some communication happening,
154
00:09:16,286 --> 00:09:19,386
so I'm going to click check
on this and do start.
155
00:09:20,056 --> 00:09:25,526
What I'm going to start seeing is the
communication that's going across the network
156
00:09:25,526 --> 00:09:29,616
and this is where a lot of people
go, "Ooh, aah, what's going on?"
157
00:09:29,616 --> 00:09:32,296
You know, they're not too sure what to do.
158
00:09:32,456 --> 00:09:37,876
So, right now, this is-- not much is
going on, 29 packets are happening.
159
00:09:37,876 --> 00:09:41,076
I can see Spanning Tree Protocol running
in the background, some other, you know,
160
00:09:41,106 --> 00:09:45,706
just normal network traffic
discovering and communicating with things
161
00:09:45,706 --> 00:09:46,836
that are going on in the network.
162
00:09:46,836 --> 00:09:51,896
Now, as soon as I open a web browser
and let me move this to the side
163
00:09:51,896 --> 00:09:57,106
so you can see, and let's just go to msn.com.
164
00:09:57,106 --> 00:09:57,776
And look at that.
165
00:09:57,776 --> 00:10:02,706
I mean, we went from like 29, 30, 50 and
all the way up, you know, msn.com came up
166
00:10:02,706 --> 00:10:06,816
and now we're at packet number 1095, you know.
167
00:10:07,396 --> 00:10:10,386
All of these things are going
on and what just happened?
168
00:10:10,596 --> 00:10:16,666
We just had a ton of network communication that
comprised 1,200 or 1,280 individual packets.
169
00:10:16,666 --> 00:10:18,526
So, that's where people go "Huh!
170
00:10:18,526 --> 00:10:19,286
It's overwhelming."
171
00:10:19,286 --> 00:10:21,026
How do-- you know, how do I now sift
172
00:10:21,026 --> 00:10:24,796
through 1,200 individual packets
to really see what's going on.
173
00:10:25,636 --> 00:10:28,836
Well, I'll explain that in just a moment
but let's look at the matter at hand.
174
00:10:29,026 --> 00:10:30,906
I want to talk about DNS.
175
00:10:32,086 --> 00:10:37,166
DNS resolves names to IP
addresses and I'm going to show you
176
00:10:37,166 --> 00:10:40,256
that this is using UDP as
its protocol to do it.
177
00:10:40,256 --> 00:10:42,426
Now, the first thing that's
happening is I'm like "Aah!
178
00:10:42,716 --> 00:10:45,416
This is just-- it's too much,
I want to put a filter on."
179
00:10:45,706 --> 00:10:49,296
Let me show you one of the handiest
filters that you will likely use.
180
00:10:49,336 --> 00:10:53,636
It is coming up here, you click in this
little filter box and you'll find, I mean,
181
00:10:53,636 --> 00:10:57,716
you can build your own, you can click on this
and it lets you, you know, click through
182
00:10:57,716 --> 00:11:02,516
and kind of-- almost like that's GUI-based
like if I just want to see the UDP traffic
183
00:11:02,516 --> 00:11:08,656
or the TCP traffic, I can do that but I'm
just going to go in here and just say ip.addr,
184
00:11:08,656 --> 00:11:14,016
IP address equals 4.2.2.2, enter.
185
00:11:14,016 --> 00:11:14,866
Now, what is that?
186
00:11:15,756 --> 00:11:18,766
Actually, you know what, I'm
going to even change that further.
187
00:11:18,766 --> 00:11:22,326
Let me go 4.2.2.3, enter,
blanks it out completely.
188
00:11:22,806 --> 00:11:28,666
What that does is say, only show me
the traffic that is going to 4.2.2.3.
189
00:11:29,676 --> 00:11:30,706
Getting that so far?
190
00:11:30,706 --> 00:11:33,276
So, right now, how much traffic is going there?
191
00:11:33,616 --> 00:11:38,256
Nothing. Because nothing is actually accessing
that IP address so my display is nice and empty.
192
00:11:38,316 --> 00:11:41,686
So now, I'm going to use
DNS to do a little testing.
193
00:11:41,976 --> 00:11:46,736
I'm going to open a command prompt in
Windows, start, you can browse to it,
194
00:11:46,736 --> 00:11:52,226
accessories all that, or just type in start run
CMD and bring this to the middle of the screen.
195
00:11:52,646 --> 00:11:56,766
And, show you first off, when I
do IP config forward slash all,
196
00:11:57,196 --> 00:12:01,066
I have in my list my DNS servers,
197
00:12:01,746 --> 00:12:06,226
shows the primary DNS server my
computer is using is 4.2.2.2.
198
00:12:06,736 --> 00:12:09,686
The secondary is 4.2.2.3.
199
00:12:09,966 --> 00:12:11,426
Now, how did those get there?
200
00:12:11,636 --> 00:12:13,006
Well, that was through DHCP.
201
00:12:13,006 --> 00:12:17,646
When DHCP gives me an IP address, it can also
assign me DNS servers, the default, gateway,
202
00:12:17,646 --> 00:12:20,056
all that kind of stuff, and so this
is the DNS server I was assigned.
203
00:12:20,056 --> 00:12:24,306
Now, since this is the primary, remember when I
was looking at Wireshark, when I set the filter
204
00:12:24,306 --> 00:12:32,676
to say 4.2.2.2, oh, okay, my capture is
still going so it's getting obnoxiously big.
205
00:12:32,976 --> 00:12:36,276
But-- so let me-- I'm going to stop the
capture because we've got enough data.
206
00:12:36,496 --> 00:12:40,246
I can see all of these little DNS queries
but this is kind of-- it's too much.
207
00:12:40,246 --> 00:12:42,996
I want to do a little demonstration version,
208
00:12:42,996 --> 00:12:46,866
so I'm going to filter this
down and just see 4.2.2.3.
209
00:12:48,206 --> 00:12:52,396
Now, I stopped the capture so nothing-- oh
[laughs] I suppose I should start the capture.
210
00:12:52,396 --> 00:12:54,806
I was just thinking-- so
nothing new is coming in.
211
00:12:55,106 --> 00:12:58,136
So, I'm going to start the capture
and let's say-- let's begin this.
212
00:12:58,136 --> 00:13:02,226
It's going to ask me, "Do you
want to delete the old capture?"
213
00:13:02,226 --> 00:13:04,686
Once I click save, it would say, "Hey,
do you want to delete the old one?"
214
00:13:04,686 --> 00:13:05,596
Absolutely.
215
00:13:05,596 --> 00:13:07,006
I'm, you know, I don't need the old one.
216
00:13:07,006 --> 00:13:12,196
So, I'm looking-- I'm capturing traffic just for
4.2.2.3, that's the filter of what I'm seeing.
217
00:13:12,746 --> 00:13:17,166
I'm going to open my command prompt and
show you a handy utility called nslookup.
218
00:13:19,076 --> 00:13:25,486
What this is, is a utility that
allows you to ask questions of DNS,
219
00:13:26,216 --> 00:13:29,826
so what it's doing is this is coming
up and say, "Okay, well, right now.
220
00:13:30,066 --> 00:13:33,226
You can ask a question of 4.2.2.2.
221
00:13:33,226 --> 00:13:33,926
And, I would say, "Okay.
222
00:13:33,926 --> 00:13:38,066
Well, I want to see who is www.cbtnuggets.com."
223
00:13:38,356 --> 00:13:43,626
And, 4.2.2.2 comes back and says, "Well,
actually, they have two IP addresses associated
224
00:13:43,626 --> 00:13:45,426
with them, this one and this one."
225
00:13:45,706 --> 00:13:47,886
Well, which one am I going to use.
226
00:13:47,886 --> 00:13:50,386
Well, the way it works is it's
going to do a round robin.
227
00:13:50,386 --> 00:13:54,026
Maybe the first time I'm going to use this
one, the second time I'm going to use this one.
228
00:13:54,316 --> 00:13:57,796
And, the name is kind of gives
me a little clue right here.
229
00:13:57,796 --> 00:13:58,996
It says, web balancer.
230
00:13:58,996 --> 00:13:59,726
I'm going, "Okay."
231
00:13:59,726 --> 00:14:01,966
So, this is some kind of load balancing.
232
00:14:01,966 --> 00:14:04,746
You know, maybe CBT Nuggets has
enough traffic that they say,
233
00:14:04,746 --> 00:14:06,186
"I don't want just one web server.
234
00:14:06,186 --> 00:14:08,856
I want to kind of balance that
between a couple web servers."
235
00:14:08,856 --> 00:14:11,866
I mean we see that again
if I type in google.com.
236
00:14:11,866 --> 00:14:13,956
And, I mean, "Hello, Google."
237
00:14:14,116 --> 00:14:17,026
They're definitely trying to
balance that load 'cause obviously,
238
00:14:17,026 --> 00:14:18,646
how many people use Google everyday.
239
00:14:18,736 --> 00:14:24,896
So now, what I'm going to do, I
was asking questions of 4.2.2.2.
240
00:14:25,086 --> 00:14:25,976
I'm going to change them.
241
00:14:25,976 --> 00:14:30,366
I'm going to do server equals 4.2.2.3.
242
00:14:32,546 --> 00:14:35,466
And so, I'm changing the-- wait a second.
243
00:14:35,626 --> 00:14:38,996
Server? I don't know why but equals [inaudible].
244
00:14:39,326 --> 00:14:46,086
Server space 4.2.2.3 which now
sets my DNS server to this address.
245
00:14:46,766 --> 00:14:48,206
Now, watch what happens.
246
00:14:48,206 --> 00:14:51,876
I'm going to do-- I want to
do a lookup for what's that--
247
00:14:51,876 --> 00:14:57,646
a small website that would've be-- oh, I have a blog, tekcert.com.
248
00:14:57,876 --> 00:15:03,246
I blog with another guy out there, comes back
and says, "Aha, tekcert.com is this IP address."
249
00:15:03,246 --> 00:15:06,786
But now, did you see behind the
scene is like, Wireshark is like,
250
00:15:06,786 --> 00:15:09,096
"I saw something happened right there."
251
00:15:09,096 --> 00:15:12,336
So, what happens is this
guy went out and said, "Hey,
252
00:15:12,436 --> 00:15:19,706
I want to find out what is the IP
address for tekcert.com.home.local?"
253
00:15:20,426 --> 00:15:24,166
[laughs] What the-- you know,
where did that come from?
254
00:15:24,406 --> 00:15:30,186
I typed in tekcert.com and the only way I
would know this is if I was using Wireshark
255
00:15:30,186 --> 00:15:34,686
and it went out and said, "Well, actually, I
want to ask the server, you know the DNS server,
256
00:15:34,686 --> 00:15:38,516
I want to find out who tekcert.com.home.local
is."
257
00:15:38,516 --> 00:15:41,526
Now, why on earth did it do that?
258
00:15:42,106 --> 00:15:47,016
Well, when you dig a little bit
deeper, let me go back here in my--
259
00:15:47,016 --> 00:15:50,646
create a second command prompt,
and I do an IP config slash all,
260
00:15:50,806 --> 00:16:00,256
one of the things that you can do with DNS
is assign computers, a default DNS suffix.
261
00:16:00,796 --> 00:16:01,966
Suffix, where does that go?
262
00:16:02,076 --> 00:16:03,066
At the end right?
263
00:16:03,386 --> 00:16:08,426
So, that would allow somebody, for instance if I
assign the home.local suffix, it allows somebody
264
00:16:08,426 --> 00:16:12,116
to say, "I want to ping," you know, maybe
the server and hit enter and it's going
265
00:16:12,216 --> 00:16:17,946
to automatically try to ping server.home.local,
maybe that's my local DNS domain that I have
266
00:16:17,946 --> 00:16:19,926
for my house or something like that.
267
00:16:19,926 --> 00:16:24,666
So immediately, when I tried to ping tag or look
up tekcert.com, it came back and it was like,
268
00:16:24,666 --> 00:16:27,606
"Well, I'm going to try and
look up tekcert.com.home.local."
269
00:16:27,606 --> 00:16:28,986
Now, before we go on.
270
00:16:29,546 --> 00:16:31,886
You can even see the reply right here.
271
00:16:31,886 --> 00:16:34,436
It's saying, "There's no such thing.
272
00:16:34,436 --> 00:16:38,376
I don't know of a tekcert.com.home.local,"
is the DNS server's reply.
273
00:16:38,376 --> 00:16:42,516
But, let's dig a little bit deeper
because Wireshark actually breaks
274
00:16:42,516 --> 00:16:45,796
down communication in the
layers of the OSI model.
275
00:16:46,286 --> 00:16:51,556
At the very, very, very bottom is, you
know, essentially as physical as it can get.
276
00:16:51,556 --> 00:16:54,416
It's saying, "Hey, this is
how big the data was."
277
00:16:54,416 --> 00:16:58,146
This is, you know, how many bytes
were actually sent on the wire.
278
00:16:58,146 --> 00:17:01,026
I mean think of this top
one as the physical layer.
279
00:17:01,626 --> 00:17:03,716
Then, we come right here to the data link layer.
280
00:17:04,116 --> 00:17:05,526
Now, what do we expect to see there?
281
00:17:06,076 --> 00:17:07,326
MAC addresses.
282
00:17:07,326 --> 00:17:12,086
And sure enough I see that I
have the source MAC address--
283
00:17:12,086 --> 00:17:15,706
this is my computer right here
and, you know, let's prove it.
284
00:17:15,706 --> 00:17:19,006
I mean, let's make sure we're
doing what's real here.
285
00:17:19,286 --> 00:17:25,396
I'll do IP config forward slash
all and come up and look again.
286
00:17:25,396 --> 00:17:31,026
And, I look at my MAC address C8-C0, you
know, and the last four digits 6C-32.
287
00:17:31,026 --> 00:17:35,246
I'm looking over here right there and
sure enough, C8-60, so I go, "Okay".
288
00:17:35,416 --> 00:17:37,536
Well, I was the source, this is me.
289
00:17:37,906 --> 00:17:40,576
And then, I went to the destination of--
290
00:17:40,576 --> 00:17:44,716
I actually have a little Cisco
firewall that runs my location here.
291
00:17:45,006 --> 00:17:45,796
And, it says, "Okay.
292
00:17:45,796 --> 00:17:48,636
Well, I sent it to this MAC
address as the destination."
293
00:17:48,636 --> 00:17:52,966
Ahh, you see-- so, wow, this
is really, really good, right?
294
00:17:52,966 --> 00:17:57,446
So, it starts putting reality to a lot of the
discussions we've had up 'till now on, okay,
295
00:17:57,446 --> 00:17:58,776
it's got the MAC addresses in there.
296
00:17:59,106 --> 00:18:01,346
Then it says, "Okay, well, what IP address is?"
297
00:18:01,346 --> 00:18:03,796
Where-- so, layer one, layer two, layer three.
298
00:18:03,796 --> 00:18:07,486
IP addresses were actually coming from
the source of this, that's my computer,
299
00:18:07,796 --> 00:18:11,016
destination of this, the two DNS server.
300
00:18:11,446 --> 00:18:17,916
And now we come to the point that started
this entire discussion, the UDP protocol.
301
00:18:18,456 --> 00:18:20,726
DNS actually uses UDP.
302
00:18:20,726 --> 00:18:23,706
Look at it, User Datagram Protocol, UDP.
303
00:18:23,706 --> 00:18:26,966
This is layer one, two, three, and four.
304
00:18:27,226 --> 00:18:34,716
It's saying, "I'm coming from the source port,
60353, going to the destination port, 53."
305
00:18:35,306 --> 00:18:37,666
Okay, stop right there.
306
00:18:37,906 --> 00:18:44,726
What that says to me is that my
computer contacted this DNS server.
307
00:18:45,826 --> 00:18:47,876
[Inaudible] .72 is the last octet.
308
00:18:47,876 --> 00:18:55,906
This is 4.2.2.3 is that DNS server and it
went to a destination port of UDP port 53.
309
00:18:56,586 --> 00:18:58,576
Oh, three is a little odd there.
310
00:18:58,576 --> 00:19:03,396
Okay, 53, and it came from
a source port of 60353.
311
00:19:03,796 --> 00:19:09,596
Now this is a well known, I'll
put W/K, well-known port for DNS.
312
00:19:09,916 --> 00:19:15,876
As in all the DNS servers in the world respond
on port UDP 53, that's where they expect
313
00:19:15,876 --> 00:19:22,026
to receive requests, and all the computers in
the world by default will ask questions directed
314
00:19:22,026 --> 00:19:24,716
at UDP port 53 of their DNS server.
315
00:19:25,686 --> 00:19:28,526
Now, Windows generated a dynamic port.
316
00:19:28,526 --> 00:19:32,446
This is not a well-known port at all, this
is considered my source port saying, "Hey,
317
00:19:32,626 --> 00:19:36,296
my question is coming from
the source port 60353."
318
00:19:36,596 --> 00:19:40,416
So when this guy replies back and says,
"I have no idea what you're talking about.
319
00:19:40,416 --> 00:19:42,786
There is no such thing as tekcert.home.local."
320
00:19:44,376 --> 00:19:45,156
Excuse me.
321
00:19:45,156 --> 00:19:50,726
He's actually going to be coming from source
of port 53 going to destination of 60353.
322
00:19:50,726 --> 00:19:51,976
But Windows expected that.
323
00:19:52,026 --> 00:19:54,976
They'd expected to get a
response back on that source port
324
00:19:54,976 --> 00:19:59,356
and that's actually one of
the reasons why DNS uses UDP.
325
00:20:00,306 --> 00:20:05,396
This is kind of a stimulus response
sort of thing to where I'm going to say,
326
00:20:05,396 --> 00:20:10,396
"I want to know who tekcert-- but
I'll just put tk.com really is,"
327
00:20:10,576 --> 00:20:13,096
and the DNS server will say,
"Okay, here's your answer."
328
00:20:13,346 --> 00:20:17,216
Now that's all the communication that
really goes on between them is, what's this,
329
00:20:17,276 --> 00:20:19,876
here's your answer, what's this, here's your
answer, what's this, here's your answer.
330
00:20:20,146 --> 00:20:25,176
It would just be a waste of time to say,
"Okay, let's build a session between us.
331
00:20:25,176 --> 00:20:27,016
You know, are you okay talking?"
332
00:20:27,016 --> 00:20:27,766
The other one is like, "Yes.
333
00:20:27,766 --> 00:20:28,426
Let's build this."
334
00:20:28,426 --> 00:20:30,876
And I'm getting into the 3-way
handshake, you know, building a session.
335
00:20:31,076 --> 00:20:36,216
Okay. Now I want to know what is the name or
IP address of tekcert.com and then, you know,
336
00:20:36,216 --> 00:20:37,936
send the acknowledgment that
you got my question.
337
00:20:37,936 --> 00:20:39,146
He is like, "Okay, got it.
338
00:20:39,146 --> 00:20:41,306
I got your question and here's the answer."
339
00:20:41,306 --> 00:20:42,836
It's like, good grief.
340
00:20:42,836 --> 00:20:47,316
Why do you need all that overhead just
to get the answer of who is tekcert.com?"
341
00:20:47,626 --> 00:20:51,746
So, with DNS, it's geared in such a way
that you say, "Hey, who's tekcert.com?"
342
00:20:52,026 --> 00:20:56,186
And if your computer doesn't get an answer
back, it's configured to say, "Well,
343
00:20:56,256 --> 00:20:59,236
I hope they got there but I don't think it
got there 'cause I didn't get an answer back.
344
00:20:59,476 --> 00:21:00,486
Well let me ask again."
345
00:21:00,746 --> 00:21:04,636
And so it will keep trying to ask because
maybe the packet did get dropped somewhere
346
00:21:04,636 --> 00:21:07,676
between here and California
during that communication.
347
00:21:07,756 --> 00:21:11,376
So, that's the idea of those port numbers.
348
00:21:11,376 --> 00:21:15,436
Now let's go back to Wireshark and
look at this communication as a whole.
349
00:21:15,676 --> 00:21:19,536
So it's saying, "Okay, who
is tekcert.com.home.local?"
350
00:21:19,786 --> 00:21:23,096
This guy comes back and it's like, no
such thing, I don't know who that is.
351
00:21:23,166 --> 00:21:28,136
Now notice, it's asking for an
A record, a DNS that's alias,
352
00:21:28,136 --> 00:21:30,876
that's the normal record that people ask for.
353
00:21:31,116 --> 00:21:32,626
So, it's like, no such thing.
354
00:21:32,626 --> 00:21:35,246
So it comes and says, "Okay, well let's try this.
355
00:21:35,446 --> 00:21:38,246
I would like an AAAA record."
356
00:21:38,246 --> 00:21:41,096
He's saying, "If I'm looking
for this kind of record
357
00:21:41,096 --> 00:21:44,216
for tekcert.com.home.local,
do you know who that is now?"
358
00:21:44,406 --> 00:21:46,376
And he's like, "No, still no such name."
359
00:21:47,056 --> 00:21:49,596
So okay, what's the difference here versus here?
360
00:21:50,016 --> 00:21:56,736
Well, this is looking for the IPv4
address of tekcert.com.home.local.
361
00:21:56,736 --> 00:22:00,046
AAAA record is actually an IPv6 address.
362
00:22:00,116 --> 00:22:02,146
So it's saying, "Okay, that didn't go so well.
363
00:22:02,336 --> 00:22:07,956
Maybe he's on TCP/IP version 6 because
since Windows XP Service Pack 3,
364
00:22:08,246 --> 00:22:11,806
all the Windows operating
systems have had IPv6 enabled
365
00:22:11,806 --> 00:22:13,526
by default so they-- they're balance today.
366
00:22:13,526 --> 00:22:14,796
He's like, "No, still no such thing."
367
00:22:14,796 --> 00:22:22,536
So then he comes back and he's like, "Okay, well
then, do you have an IP address for tekcert.com?
368
00:22:22,666 --> 00:22:23,856
How about just tekcert.com?"
369
00:22:23,856 --> 00:22:26,316
He comes back and he goes, "Actually, I do."
370
00:22:26,316 --> 00:22:29,936
And we can expand that out and we can
find out, "Oh well, here is the query,
371
00:22:29,936 --> 00:22:31,916
tekcert.com and here is the answer.
372
00:22:32,216 --> 00:22:35,636
Tekcert.com came back and this is
the IP address that I received."
373
00:22:36,496 --> 00:22:41,706
Wow, do you see how this
can be really, really handy?
374
00:22:41,756 --> 00:22:43,176
If, I mean, think about it.
375
00:22:43,176 --> 00:22:47,346
Let's say we're sitting here and
you type in, you know, whatever.
376
00:22:47,346 --> 00:22:50,096
You know, you're looking something up and
it comes back and he's like no response
377
00:22:50,096 --> 00:22:53,636
or request timed out or, you
know, something like that.
378
00:22:53,636 --> 00:22:56,206
And let's just put Bob.com.
379
00:22:56,236 --> 00:22:57,366
And, you know, it fills that.
380
00:22:57,366 --> 00:23:00,806
We've got all, you know, tries again
Bob.com and we get this answer back.
381
00:23:01,086 --> 00:23:04,256
But what, you know, what if
it never got the answer back?
382
00:23:04,256 --> 00:23:07,416
It just said, you know, request
timed out, request timed out.
383
00:23:07,416 --> 00:23:08,976
And you're like, "What's going on?"
384
00:23:09,426 --> 00:23:12,766
I mean, without this tool in the
background, you have no idea.
385
00:23:12,856 --> 00:23:16,216
I mean, this tool is what-- oh,
it's looking for Bob.com.home.local,
386
00:23:16,216 --> 00:23:18,036
it's not supposed to do that,
why is it doing that?
387
00:23:18,036 --> 00:23:20,456
So that's why Wireshark is really handy.
388
00:23:20,456 --> 00:23:22,906
So, bring that back around.
389
00:23:23,196 --> 00:23:25,266
That's the basics of Wireshark.
390
00:23:25,266 --> 00:23:29,106
Again, without this filter, it's
going to be just plain overwhelming,
391
00:23:29,106 --> 00:23:34,676
but if you can filter it down and start
to really look and analyze these packets,
392
00:23:35,046 --> 00:23:36,786
you can get quite a bit out of it.
393
00:23:38,006 --> 00:23:42,886
So let me clear off this slate and get back
to the topic at hand which is TCP and UDP.
394
00:23:42,886 --> 00:23:45,866
TCP I think we've got, it's just-- it's a wing-it protocol, all right?
395
00:23:45,866 --> 00:23:49,476
You kind of chop the packet, you hope it gets
there and if a response comes back, great.
396
00:23:49,656 --> 00:23:51,146
You know, that's how it works.
397
00:23:51,566 --> 00:23:54,636
TCP is the, "I know it got there" protocol.
398
00:23:55,146 --> 00:24:00,446
The way that it does that is by using initially
a 3 way handshake to establish the session
399
00:24:00,916 --> 00:24:05,066
and then it uses acknowledgments to make
sure that every single packet was received.
400
00:24:05,386 --> 00:24:10,016
Now, let me break that down into the
fundamentals of how this protocol really works.
401
00:24:10,456 --> 00:24:14,476
When I have a computer here,
and I say, "I want to go to--
402
00:24:14,476 --> 00:24:21,406
let's just say I want to surf the
web and go to cbtnuggets.com."
403
00:24:21,596 --> 00:24:22,906
That will be our example.
404
00:24:24,356 --> 00:24:28,436
HTTP is a TCP-based protocol.
405
00:24:28,826 --> 00:24:32,816
It uses-- it says, "I want to have
reliability otherwise web pages might show up."
406
00:24:32,816 --> 00:24:37,086
You know, things missing off of them
and all that now, and that may happen
407
00:24:37,086 --> 00:24:40,746
but it's not TCP's fault, it's-- somebody made a bad web page.
408
00:24:41,076 --> 00:24:44,746
But TCP makes sure that all of your
traffic gets between these two.
409
00:24:45,116 --> 00:24:47,676
Now, when this guy starts, here's how it works.
410
00:24:48,636 --> 00:24:54,956
He will send-- when he realizes, okay, I've got
the IP address 'cause I looked it up via DNS.
411
00:24:54,956 --> 00:25:02,146
The IP address of CBT Nuggets, let's just use
some reality here, cbtnuggets.com., there we go.
412
00:25:02,146 --> 00:25:03,556
Is-- let's just grab this first one,
413
00:25:03,556 --> 00:25:10,086
18472 so I'll just go 1184.72 dot dot
dot, you know, that's the IP address.
414
00:25:10,086 --> 00:25:17,726
He's going to send the very first packet
will be what's called a SYN packet saying,
415
00:25:18,056 --> 00:25:21,766
"Hey CBT Nuggets, I would like
to start a discussion with you."
416
00:25:22,606 --> 00:25:26,706
Are you-- essentially, let me put in
plain English and then I'll get technical.
417
00:25:26,886 --> 00:25:27,766
"Are you okay with that?"
418
00:25:28,236 --> 00:25:32,106
CBT Nuggets says, "Yes, I am okay with that."
419
00:25:32,266 --> 00:25:39,986
SYN ACK. That means, I'm sending a
synchronization bit, if you will.
420
00:25:39,986 --> 00:25:42,366
I'm saying, yes, I would
like to start talking to you,
421
00:25:42,366 --> 00:25:45,356
which is what these do, and
I'm acknowledging yours.
422
00:25:45,356 --> 00:25:49,116
I'm saying, "I got yours" that's the
acknowledgment "And here's mine."
423
00:25:49,636 --> 00:25:53,136
So, this guy replies back with one final ACK.
424
00:25:53,206 --> 00:25:55,486
What do you think that's there for?
425
00:25:57,506 --> 00:25:58,036
I got that.
426
00:25:58,536 --> 00:26:00,816
I got the SYN message from you.
427
00:26:00,816 --> 00:26:06,116
So I'm acknowledging that we're good and
that is what they call a TCP 3 way handshake.
428
00:26:06,116 --> 00:26:11,126
Every single time you start a session,
it's going to do that with the destination.
429
00:26:11,336 --> 00:26:14,036
A matter of fact let's-- I am all about Wireshark.
430
00:26:14,036 --> 00:26:15,506
Let's prove it to ourselves, right?
431
00:26:15,756 --> 00:26:18,986
Let's stop this capture, I'm
just going to close this guy.
432
00:26:19,576 --> 00:26:20,766
Continue without saving.
433
00:26:20,766 --> 00:26:24,696
Okay. Let's clear the filter off
and let's just start to capture.
434
00:26:24,696 --> 00:26:28,756
We'll just go to one website so it should
be pretty easy to pull out, click on start.
435
00:26:29,286 --> 00:26:33,726
I'm going to go to cbtnuggets.com.
436
00:26:35,136 --> 00:26:37,096
Enter, boom, stop the capture.
437
00:26:37,316 --> 00:26:42,116
I got a whole bunch of data, 400 some packets
that were sent to generate CBT Nuggets website.
438
00:26:42,346 --> 00:26:45,306
Let's go all the way back to the
beginning up here where it all happened.
439
00:26:45,596 --> 00:26:52,956
Notice that right here my-- now, now you might
say, "Well I don't see any DNS, you know,
440
00:26:53,036 --> 00:26:58,246
question for who is cbtnuggets.com, I see, you
know, Wireshark weaseled its way in there."
441
00:26:58,546 --> 00:27:02,796
But, you know, what's happened is
my computer cached the DNS response.
442
00:27:02,796 --> 00:27:06,506
It remembers who CBT Nuggets is
because I've gone there before.
443
00:27:06,506 --> 00:27:09,296
Now, those caches will eventually
time out but they'll get there.
444
00:27:09,526 --> 00:27:10,326
Now, look right here.
445
00:27:10,326 --> 00:27:13,636
So, we have Google, we're talking
to Google and you might say, "Well,
446
00:27:13,966 --> 00:27:15,526
what's all this stuff happening?"
447
00:27:15,776 --> 00:27:19,336
Well, whenever you type, you know, I'm using
Google Chrome and I don't know if you've noticed
448
00:27:19,336 --> 00:27:23,966
but when you start typing you're like,
Jeremy, it's starting to, you know,
449
00:27:23,966 --> 00:27:27,076
figure out who will the, you know, who is--
450
00:27:27,076 --> 00:27:30,356
it's filling in all of this
data, so we're able to see.
451
00:27:30,606 --> 00:27:32,246
You know, oh, okay it's filling this in.
452
00:27:32,246 --> 00:27:34,426
So every single time, Google
is going, "Okay, well,
453
00:27:34,706 --> 00:27:38,416
let's find out who Jeremy
Cioara is and you click on it.
454
00:27:38,706 --> 00:27:41,226
That's-- it's kind of weird
[laughs], I'm looking myself up.
455
00:27:41,466 --> 00:27:43,146
But, you know, who is Jeremy Cioara?
456
00:27:43,146 --> 00:27:47,136
It's constantly going back and forth with Google
saying, "Okay, he typed an I, he typed an O,
457
00:27:47,136 --> 00:27:48,906
he typed an A, you know,
as it fills out the names.
458
00:27:48,906 --> 00:27:51,186
So that's what this little shindig was.
459
00:27:51,186 --> 00:27:52,726
Now, here's the meat of it.
460
00:27:52,726 --> 00:27:59,746
I come down right and I see, okay this is a
TCP-based message, three of them to be exact.
461
00:28:00,086 --> 00:28:08,486
Notice, SYN, SYN ACK, ACK, 3 way handshake,
SYN, SYN ACK, ACK, SYN, SYN ACK, ACK.
462
00:28:08,486 --> 00:28:12,286
Now, I want to go down a little
further because I'm noticing here--
463
00:28:12,286 --> 00:28:13,476
notice the source and destination.
464
00:28:13,476 --> 00:28:15,516
It came from this server
going to this one, right?
465
00:28:15,626 --> 00:28:19,956
SYN, SYN ACK, ACK and I go down a little bit
more and all of a sudden, I see another one.
466
00:28:20,276 --> 00:28:23,176
It's like, wait a second, SYN, SYN ACK, ACK.
467
00:28:23,726 --> 00:28:25,546
And so there's more than one.
468
00:28:25,816 --> 00:28:28,416
I go down and all of a sudden, I see
it looking up all the stuff, it's like,
469
00:28:28,626 --> 00:28:32,706
"I'm looking up some analytics, I'm
looking up cloudfront.net, Facebook.com."
470
00:28:32,706 --> 00:28:34,136
What on earth is going on?
471
00:28:34,316 --> 00:28:37,446
And all of a sudden I see all these-- okay,
SYN within, SYN within, SYN within, SYN within.
472
00:28:37,526 --> 00:28:40,476
All of these are SYNs and then I
started, you know, look at these SYNs.
473
00:28:40,476 --> 00:28:43,616
It's starting all of the sessions
with all these different servers
474
00:28:43,726 --> 00:28:46,506
and then they all start coming back,
SYN ACK, SYN ACK, SYN ACK, SYN ACK.
475
00:28:46,506 --> 00:28:50,266
And then, you know, it's kind of like that
we get this big merge of ACK, ACK, ACK.
476
00:28:50,266 --> 00:28:52,496
You know, it's kind of a-- what on earth is going on?
477
00:28:52,496 --> 00:28:56,036
I just went to CBT Nuggets and all of a sudden,
I've got all of these sessions starting.
478
00:28:56,296 --> 00:29:00,396
Well, you remember, I think that I
talked about this in the previous Nugget
479
00:29:00,396 --> 00:29:03,326
but this web page is a framework of web pages.
480
00:29:03,486 --> 00:29:06,706
When you come here, there's something
on here that deals with Facebook.
481
00:29:06,706 --> 00:29:07,476
Ahh, there we go.
482
00:29:07,786 --> 00:29:10,306
They've got a little follow us on
Facebook link, maybe that's it.
483
00:29:10,306 --> 00:29:12,376
And they've got a little
link to Twitter or something
484
00:29:12,376 --> 00:29:14,316
that it pulled from Twitter and built this.
485
00:29:14,316 --> 00:29:16,876
So this web page is dynamic,
it's always changing,
486
00:29:16,876 --> 00:29:18,456
it's pulling from all these different servers.
487
00:29:18,456 --> 00:29:24,666
So when I come to cbtnuggets.com, I'm actually,
you know, these pictures, these videos,
488
00:29:24,666 --> 00:29:29,256
everything is pulling from all these different
servers, so that's why I see just getting shot
489
00:29:29,256 --> 00:29:32,516
into this world of SYN and SYN
ACKs but just get back to the base
490
00:29:32,516 --> 00:29:34,426
of it all, that's where it started.
491
00:29:34,626 --> 00:29:36,426
SYN, SYN ACK, ACK.
492
00:29:37,056 --> 00:29:39,266
So there's got to be more
to it than that, right?
493
00:29:39,266 --> 00:29:40,266
You know, there is.
494
00:29:41,066 --> 00:29:47,906
SYN, SYN ACK, and ACK introduce
something known as sequence numbers.
495
00:29:50,826 --> 00:29:51,906
So here's the concept.
496
00:29:51,906 --> 00:29:53,336
I wrote it up here so I wouldn't forget,
497
00:29:53,336 --> 00:29:56,946
but I didn't forget even though I
erased it, called TCP Windowing.
498
00:29:57,776 --> 00:30:00,946
TCP Windowing is the key to network efficiency.
499
00:30:01,786 --> 00:30:05,556
So, here's the concept of
windowing and window sizes.
500
00:30:05,556 --> 00:30:08,186
Some people call it sliding windows
if you ever hear that before.
501
00:30:08,676 --> 00:30:13,606
Let's say I have a really big
file, it's 1.0 gigabytes in size,
502
00:30:13,816 --> 00:30:15,816
and I want to send that over to the server.
503
00:30:16,546 --> 00:30:18,666
Well, when-- I don't know if
you've ever seen this in Windows,
504
00:30:18,666 --> 00:30:22,636
if you've ever copied a really big file and you
copy across and pops up that little, you know,
505
00:30:22,636 --> 00:30:25,906
copying time estimate window and
it initially starts off and it's
506
00:30:25,906 --> 00:30:30,556
like your time estimate is two days
five hours, and you're like, "What,
507
00:30:30,556 --> 00:30:31,836
you know, well that's not right!"
508
00:30:31,836 --> 00:30:33,246
And then Windows is like, "No, no, no, no, no.
509
00:30:33,246 --> 00:30:34,256
Just kidding, let me back off.
510
00:30:34,486 --> 00:30:37,986
Actually, it's going to be one day three hours."
511
00:30:37,986 --> 00:30:38,956
And you're like, "What?"
512
00:30:38,956 --> 00:30:42,066
You know, and then, no, no, no, no, have
you-- you know what I'm talking about?
513
00:30:42,066 --> 00:30:45,776
And [inaudible] says like, "No, just kidding
your time estimate is really 32 minutes."
514
00:30:45,776 --> 00:30:48,596
And you're like, "Okay, that's
a little more of a result."
515
00:30:48,596 --> 00:30:51,966
And then, I mean, it takes like 30
seconds before it's final like, okay,
516
00:30:51,966 --> 00:30:54,146
really it's going to take 10
minutes to copy that file.
517
00:30:54,586 --> 00:30:59,256
[Laughs] Okay, it's like, okay what happened
between Windows popping up and saying it's two
518
00:30:59,256 --> 00:31:03,066
and half days to copy this file
all the way down to 10 minutes?
519
00:31:03,486 --> 00:31:06,456
Well that's where TCP Windowing
kicked in and took effect.
520
00:31:06,716 --> 00:31:11,486
Essentially when your computer starts to
send that file, this file has actually broken
521
00:31:11,486 --> 00:31:19,106
up the normal packet size for Ethernet,
it's actually 1,500 bytes, 1,500 bytes,
522
00:31:19,106 --> 00:31:24,356
that's very small especially when you're
considering I'm sending 1 gigabyte of data.
523
00:31:24,356 --> 00:31:27,496
So, a little 1,500-byte, that's, you
know, think of this as 1 kilobyte
524
00:31:27,496 --> 00:31:30,516
and you remember there is a
1,024 K in a megabyte
525
00:31:30,516 --> 00:31:32,896
and there's 1,024
megabytes in a gigabyte.
526
00:31:32,896 --> 00:31:35,986
So, I mean, you're going to send
thousands and thousands and thousands
527
00:31:35,986 --> 00:31:37,166
of these packets to compress this.
528
00:31:37,166 --> 00:31:40,376
So, it sends one packet over there.
529
00:31:40,646 --> 00:31:43,146
This guy comes back and it's like, "Okay, great.
530
00:31:43,146 --> 00:31:44,106
I got your packet."
531
00:31:44,106 --> 00:31:49,226
The very, very first packet of this
1.0-gigabyte file transfer, I got it ACK.
532
00:31:50,756 --> 00:31:53,766
Now Windows looks at that and it's like, "Wow.
533
00:31:53,926 --> 00:31:59,226
Okay." If I'm going to send one packet at a time
and then sit there and wait for the other size--
534
00:31:59,316 --> 00:32:01,426
other side to come back and
say, "Okay, I got it.
535
00:32:01,426 --> 00:32:04,766
It's going to take two and a
half days to transmit this file."
536
00:32:05,356 --> 00:32:06,476
So the computer goes, "Okay.
537
00:32:06,476 --> 00:32:08,496
Well let's-- let's try this.
538
00:32:08,496 --> 00:32:14,516
How about instead of sending one packet,
I send you four packets at a time."
539
00:32:14,716 --> 00:32:19,586
So it takes four of these 1,500 byte packets
of the 1 gigabyte file, sends them over there
540
00:32:19,806 --> 00:32:22,936
and the server comes back and
he's like, "Okay, I got it.
541
00:32:22,936 --> 00:32:24,996
I got all four of those packets."
542
00:32:24,996 --> 00:32:28,376
And the guy-- the Windows is like, "Okay, great.
543
00:32:28,376 --> 00:32:28,896
That's better.
544
00:32:29,286 --> 00:32:32,716
If I can send four packets at a time
then I bet you that I can get this done
545
00:32:32,716 --> 00:32:34,176
in like a day and a half, right."
546
00:32:34,176 --> 00:32:37,586
It reduces it dramatically because
we're being much more efficient.
547
00:32:37,586 --> 00:32:41,146
So, what's happening over that,
you know, first 30 seconds
548
00:32:41,146 --> 00:32:44,836
or so of that file transfer is it just
keeps trying to send more and more and more
549
00:32:44,836 --> 00:32:45,736
and more and more and more and more.
550
00:32:45,736 --> 00:32:46,206
It's like, "Okay.
551
00:32:46,206 --> 00:32:49,946
I'm going to try and send
you 100 packets at a time."
552
00:32:49,996 --> 00:32:54,826
Sends them a 100 of these 1,500-byte
packets, ACK, I got all 100 of them.
553
00:32:54,826 --> 00:32:55,416
Does that make sense?
554
00:32:55,416 --> 00:33:01,706
So, that's the concept known as TCP window
sizes or some people call it sliding windows
555
00:33:01,706 --> 00:33:04,086
because the windows starts
small, it slides bigger.
556
00:33:04,336 --> 00:33:09,716
But if there's drafts, like let's say, I
send a 100 packets and I lost two of them,
557
00:33:09,786 --> 00:33:13,476
then my computer is going to go, "Whoa, whoa,
whoa, whoa, whoa," you know, we're losing data,
558
00:33:13,476 --> 00:33:16,576
I've got to pull back and only send a smaller,
559
00:33:16,576 --> 00:33:19,926
so the window size slides smaller
and you see the copy time go up.
560
00:33:20,106 --> 00:33:26,136
So, that is the essence of how computers
know how much they're able to send
561
00:33:26,136 --> 00:33:30,046
or how much bandwidth they can consume and
they're going to try and consume all of it.
562
00:33:30,516 --> 00:33:34,656
And computers are bandwidth hungry monsters,
they will try and consume all of the bandwidth
563
00:33:34,656 --> 00:33:37,986
that they can on the way to that server
until they finally start dropping packets.
564
00:33:37,986 --> 00:33:41,126
And they go, "Okay, that's how much I
can send it once before I, you know,
565
00:33:41,226 --> 00:33:43,676
I've reached the congestion
point of the network."
566
00:33:43,726 --> 00:33:48,796
So, how do-- what-- how did this, this Window--
567
00:33:48,796 --> 00:33:54,336
Windowing concept and sending more than
one packet at a time fit into this and it--
568
00:33:54,336 --> 00:33:56,466
where we started with this 3 way handshake.
569
00:33:57,046 --> 00:34:02,596
Well, when we do a 3 way handshake, what
we're really exchanging is sequence numbers
570
00:34:02,596 --> 00:34:08,716
of my packet numbers are going to start here
and then keep incrementing as I send you data.
571
00:34:09,186 --> 00:34:11,906
So, let's look back at Wireshark,
get some examples of this.
572
00:34:11,906 --> 00:34:14,786
So, right here, we've got our 3 way handshake.
573
00:34:14,786 --> 00:34:16,576
We've got SYN, SYN ACK, ACK.
574
00:34:16,576 --> 00:34:17,996
So that's the very first one that we do.
575
00:34:17,996 --> 00:34:19,516
So let's break this open.
576
00:34:19,876 --> 00:34:25,816
We'll look at the TCP data and it says, "Oh,
this guy is a flag, it's a SYN" but I want you--
577
00:34:25,816 --> 00:34:29,236
and you can, I mean, you can dig deep and
say, "Oh, okay, well it's actually this bit,"
578
00:34:29,236 --> 00:34:32,246
and that, I mean, yeah, for
now, it's a SYN, right?
579
00:34:32,576 --> 00:34:35,196
But if you look three above that, it says, "Hey,
580
00:34:35,406 --> 00:34:38,436
we're going to be starting
from sequence number zero."
581
00:34:38,856 --> 00:34:41,926
That's it, that's was-- so I'm going
to-- that's my beginning where--
582
00:34:41,926 --> 00:34:44,286
that's where my counter begins essentially.
583
00:34:44,606 --> 00:34:47,976
Now this comes back and says,
"Well, here's your SYN ACK," right?
584
00:34:48,256 --> 00:34:51,166
And what this says is, "I'm going to
be starting from sequence number two."
585
00:34:51,256 --> 00:34:52,206
That's great.
586
00:34:52,206 --> 00:34:55,626
"And by the way, I'm sending it ACK for one."
587
00:34:56,516 --> 00:34:57,656
What does that mean?
588
00:34:57,916 --> 00:35:02,586
So, I-- and so, again, let's look,
this is my computer saying, "Hi SYN.
589
00:35:02,586 --> 00:35:04,516
I'm going to be starting
from sequence number zero."
590
00:35:04,806 --> 00:35:09,626
This is them, see them, this is CBT Nuggets
you're replying back that it's saying, "Okay.
591
00:35:09,626 --> 00:35:12,826
I'm going to start from sequence
number zero, that's my SYN too
592
00:35:13,096 --> 00:35:15,346
but I'm also going to send you an ACK of one."
593
00:35:15,966 --> 00:35:21,036
Well the way the ACK works is it's always
going to be one more than your sequence number.
594
00:35:21,256 --> 00:35:24,336
So when I said, "Hey SYN, I'm going
to be starting from number zero."
595
00:35:24,576 --> 00:35:27,946
He comes back and in his ACK he
says, "I'm going to acknowledge one."
596
00:35:28,096 --> 00:35:32,806
And what that says to the computer is, "I've
received your zero and the next sequence
597
00:35:32,806 --> 00:35:35,146
that I'm expecting from you is one."
598
00:35:35,786 --> 00:35:36,896
Does that make sense?
599
00:35:36,896 --> 00:35:40,446
And then, and then, and then, I'm like
[laughs], "Oh, oh, oh, and then look at this."
600
00:35:40,446 --> 00:35:43,066
And then, when I click it on
here, it goes, "Okay, great.
601
00:35:43,216 --> 00:35:45,806
I'm going to send an ACK back of one as well."
602
00:35:46,926 --> 00:35:50,386
So, what we've done is we say, "Okay,
I started with sequence number zero.
603
00:35:50,616 --> 00:35:51,376
Is that good?"
604
00:35:51,376 --> 00:35:52,506
And he goes, "Absolutely.
605
00:35:52,506 --> 00:35:54,166
I'm going to start from sequence number zero
606
00:35:54,166 --> 00:35:57,506
and I'm acknowledging your sequence
number zero by giving you an ACK of one."
607
00:35:57,806 --> 00:36:01,056
Then I come back and say, "Okay,
ACK of one because I'm a--
608
00:36:01,056 --> 00:36:02,786
I don't know why I put it aligned to that,
609
00:36:02,786 --> 00:36:04,656
because I'm acknowledging
your sequence number zero
610
00:36:04,656 --> 00:36:07,056
that you gave me and now let's start talking."
611
00:36:07,676 --> 00:36:08,636
Isn't there a lot?
612
00:36:08,636 --> 00:36:09,476
That's a lot-- whoa.
613
00:36:09,716 --> 00:36:12,976
That's a lot to just say,
"Okay, let's now start talking."
614
00:36:12,976 --> 00:36:15,886
But then, when you start getting it
to the data, let's see if I can dig
615
00:36:15,886 --> 00:36:19,956
and then find some good data transfer here.
616
00:36:20,046 --> 00:36:24,406
I got your standard encrypted
packets going through there.
617
00:36:24,406 --> 00:36:31,776
It's so [laughs], it's funny because going to
CBT Nuggets home page, there's so much pointers
618
00:36:31,776 --> 00:36:34,586
on there that-- and there's
encrypted data, HTTPS,
619
00:36:34,586 --> 00:36:36,176
you know, stuff flying all over the place.
620
00:36:36,586 --> 00:36:38,466
But right here and that's, I'll describe this.
621
00:36:39,576 --> 00:36:43,356
Right in the middle of this, this is
actually using TLS which is encrypted data.
622
00:36:43,656 --> 00:36:47,336
This is CBT Nuggets sending me some
data saying-- and they're saying, "Hey,
623
00:36:47,336 --> 00:36:50,556
this is my sequence number and
I am acknowledging the last one
624
00:36:50,556 --> 00:36:52,606
that you gave me which was 1639."
625
00:36:52,606 --> 00:36:56,076
So you kind of go back and forth, it's
just, you know, finding the stream.
626
00:36:56,076 --> 00:36:59,176
So this guy is saying, "Okay.
627
00:36:59,176 --> 00:37:01,996
I'm-- yeah, we're getting
the encryption handshake."
628
00:37:01,996 --> 00:37:02,866
So, okay, here we go.
629
00:37:03,116 --> 00:37:04,096
I'm sending some data.
630
00:37:04,096 --> 00:37:08,046
So I send some data right
here, sequence number 348.
631
00:37:08,176 --> 00:37:10,266
I move on sequence number 401.
632
00:37:10,306 --> 00:37:12,476
I move on sequence number 462.
633
00:37:12,476 --> 00:37:17,056
So, you're sending data and every time-- now, if
I want to see-- well, here is the actual data,
634
00:37:17,316 --> 00:37:19,806
it's SSL which is all nice and encrypted.
635
00:37:20,066 --> 00:37:21,856
Here's the data that's being sent.
636
00:37:21,856 --> 00:37:24,716
It's all encrypted mosh going
to CBT Nuggets website,
637
00:37:24,986 --> 00:37:28,046
but all of that stuff has sequence numbers.
638
00:37:28,366 --> 00:37:32,266
So, essentially, let me boil it back down on
the slide 'cause it's a little less complex
639
00:37:32,266 --> 00:37:33,486
and busting that Wireshark.
640
00:37:33,746 --> 00:37:38,556
I've got, you know, let's say three
1,500-byte packets to send, right?
641
00:37:38,556 --> 00:37:44,696
So let's say I started with SYN zero, I send
three 1,500-byte packets to the other side,
642
00:37:45,576 --> 00:37:50,646
and it will come through and, you know,
first one will say, "Hey, I'm some data.
643
00:37:50,886 --> 00:37:53,066
I'm sequence number 1,500.
644
00:37:53,066 --> 00:37:55,786
The second one will come through and say, "Okay.
645
00:37:55,786 --> 00:37:58,006
Well, I'm sequence number 3,000."
646
00:38:00,136 --> 00:38:04,696
And third one comes through and you see where
this is going, "I'm sequence number 4,500."
647
00:38:04,696 --> 00:38:08,596
The sequence numbers are-- they are
essentially a mathematical addition
648
00:38:08,596 --> 00:38:10,796
of all of the data that's being sent.
649
00:38:10,796 --> 00:38:13,266
In that way when this-- these
two get dropped, you know,
650
00:38:13,266 --> 00:38:15,496
maybe this one made it through,
these two were dropped.
651
00:38:15,656 --> 00:38:18,206
All of a sudden this guy
goes, "Whoa, wait a sec.
652
00:38:19,016 --> 00:38:28,046
I missed sequence numbers, you know, we'll
say 4,000 through 6593 or whatever, you know,
653
00:38:28,046 --> 00:38:29,186
whatever those sequence numbers are."
654
00:38:29,436 --> 00:38:32,286
So, he's going to be like,
"Whoa, I did not receive those."
655
00:38:32,286 --> 00:38:35,046
He goes, "Oh, well let me resend
those sequence numbers to you."
656
00:38:35,046 --> 00:38:41,006
That-- this is how TCP keeps it
all working is by, you know, again,
657
00:38:41,006 --> 00:38:42,536
those acknowledgments coming back.
658
00:38:42,756 --> 00:38:44,956
If you received them all,
he'll send acknowledgment
659
00:38:44,956 --> 00:38:46,696
for one plus, whatever the last sequence.
660
00:38:46,696 --> 00:38:49,876
So let's say, the last sequence
number to get in was 4,500.
661
00:38:50,076 --> 00:38:56,656
He's going to send an acknowledgment for 4501-1 and then the transmission continues on.
662
00:38:56,796 --> 00:39:00,916
[Laughs] It's like, right there, I took
breath and I took a step back and I'm like,
663
00:39:01,196 --> 00:39:03,676
"How do you see anything on the screen anymore."
664
00:39:03,806 --> 00:39:06,206
It builds on itself so hopefully you've--
665
00:39:06,346 --> 00:39:11,016
you didn't look away throughout 'cause otherwise
it's just a mess of lines going back and forth.
666
00:39:11,376 --> 00:39:16,776
But, wow, I mean, if you take that and put
it all together and you are on your way--
667
00:39:16,846 --> 00:39:21,916
well on your way to becoming a network
Ninja, not only understanding how TCP works,
668
00:39:21,916 --> 00:39:25,796
the 3 way handshake, the acknowledgment,
back and forth process, but also now,
669
00:39:25,796 --> 00:39:28,666
starting to look inside of
Wireshark and being like, "Oh, oh, oh,
670
00:39:28,826 --> 00:39:30,766
I see the 3 way handshake right there.
671
00:39:30,766 --> 00:39:31,286
I get it."
672
00:39:31,286 --> 00:39:34,906
You know, and then I started seeing that, I get
referred to all these other servers, you know,
673
00:39:34,906 --> 00:39:36,776
because there are the DNS queries.
674
00:39:36,776 --> 00:39:40,476
And then, I started sessions with all those,
that's all these SYN packets, I mean, wow!
675
00:39:40,566 --> 00:39:47,716
That's a ton of info that you can say that,
I mean, it's rare to find somebody who's able
676
00:39:47,716 --> 00:39:50,236
to do that level of knowledge
in the network world.
677
00:39:51,246 --> 00:39:56,016
I have found that there is a big difference
between the amount of time I think it's going
678
00:39:56,016 --> 00:39:58,966
to take to talk about something and
then the actual amount of time it does.
679
00:39:59,526 --> 00:40:01,896
It's all a Wireshark, I'm
telling you, bringing that tool
680
00:40:01,896 --> 00:40:03,826
into this, I mean, the sky is the limit.
681
00:40:04,146 --> 00:40:06,546
But boy, do I want to-- what
I'm going to do is I'm going
682
00:40:06,546 --> 00:40:08,076
to break this into two different pieces.
683
00:40:08,076 --> 00:40:13,576
So, this will be our part one and then I'll
wrap up these other two items in part two.
684
00:40:14,106 --> 00:40:17,596
But what did we talk about and then
what do I want you to do with it?
685
00:40:17,986 --> 00:40:19,826
Two, well, we talked about a lot.
686
00:40:19,826 --> 00:40:23,076
We talked about UDP and,
you know, its simplicity.
687
00:40:23,216 --> 00:40:26,766
And then we got into TCP just looking
at, you know, what is this is protocol
688
00:40:26,766 --> 00:40:32,776
or how does it communicate so, you know, in a
stable way using sessions with the other side.
689
00:40:32,776 --> 00:40:38,056
We saw the TCP 3 way handshake, we saw sequence
numbers, we saw a DNS lookups, we saw Wireshark,
690
00:40:38,056 --> 00:40:40,156
I mean [inaudible], you know, the list goes on.
691
00:40:40,156 --> 00:40:43,196
And I mean, this was just a packed Nugget.
692
00:40:43,196 --> 00:40:46,186
So, here's what I want you to do with it.
693
00:40:46,186 --> 00:40:48,856
I want you to really take the time
694
00:40:48,856 --> 00:40:53,316
to start getting a depth behind
your knowledge of UDP and TCP.
695
00:40:53,956 --> 00:40:56,636
What I want you to do is go download Wireshark.
696
00:40:56,636 --> 00:40:58,526
Go to wireshark.org, it's a freebie.
697
00:40:58,526 --> 00:41:03,176
Download that and install it on your laptop
or desktop or whatever device that you have.
698
00:41:03,576 --> 00:41:05,506
And I want you to go to a simple website.
699
00:41:05,506 --> 00:41:09,326
A matter of fact, somebody emailed
this to me a long time ago.
700
00:41:09,326 --> 00:41:14,246
What was it called, the last
page of the internet.
701
00:41:14,426 --> 00:41:17,876
[Laughs] That's it and it's just some
guy and he's been around for a long time.
702
00:41:18,066 --> 00:41:20,786
The last page you cre-- the guy who
created a website that just says,
703
00:41:20,786 --> 00:41:22,556
"You have reached the last page of the internet.
704
00:41:22,866 --> 00:41:23,936
Hope you enjoyed your browsing.
705
00:41:24,316 --> 00:41:25,816
Go outside."
706
00:41:25,816 --> 00:41:30,106
So, beautifully simple web page to
where we won't get the confusion behind.
707
00:41:30,296 --> 00:41:35,336
And won't say confusion but the complexity
behind going to big websites like CBT Nuggets
708
00:41:35,336 --> 00:41:38,096
and seeing 50 different servers
popped into our conversation.
709
00:41:38,096 --> 00:41:39,626
So grab Wireshark.
710
00:41:40,016 --> 00:41:42,996
I want you to capture the DNS lookup.
711
00:41:42,996 --> 00:41:45,456
Create a filter, find out
what your DNS server is.
712
00:41:45,616 --> 00:41:50,336
Create a filter that allows you to see the
DNS lookup and then one that allows you
713
00:41:50,336 --> 00:41:56,256
to see the communication between you and
that last page of the internet web server.
714
00:41:56,256 --> 00:41:59,926
They'll be nice and simple so you don't
have a ton of stuff to read through.
715
00:42:00,116 --> 00:42:07,216
Also, realize that I showed you-- I mean,
one 1,000th of the possibilities of Wireshark.
716
00:42:07,356 --> 00:42:12,866
You can create complex filters like I could
say this and IP address equal, you know,
717
00:42:12,976 --> 00:42:17,726
or I could use and or IP address
at and equals such and such.
718
00:42:17,726 --> 00:42:21,566
I mean, you can start building numbers
where you just capture a certain port number
719
00:42:21,846 --> 00:42:24,356
or I should say filters where you
just capture certain port numbers.
720
00:42:24,356 --> 00:42:25,716
There're a lot of possibilities.
721
00:42:25,716 --> 00:42:27,636
I mean, play around with
this, start tinkering around.
722
00:42:27,936 --> 00:42:33,646
And really, I would say, add some depth to your
knowledge and then jump into the next Nugget
723
00:42:33,646 --> 00:42:36,126
where we'll talk about the port
numbers and then fit it all together
724
00:42:36,126 --> 00:42:37,926
with that end-to-end communication story.
725
00:42:38,426 --> 00:42:41,486
I hope this has been informative for you
and I'd like to thank you for viewing.