1
00:00:00,000 --> 00:00:00,910

2
00:00:00,910 --> 00:00:03,940
To help reinforce the concepts of various protocols being

3
00:00:03,940 --> 00:00:07,240
used at various layers, let's go ahead and open up Wireshark.

4
00:00:07,240 --> 00:00:10,180
Wireshark is an example of a protocol analyzer

5
00:00:10,180 --> 00:00:12,040
that captures packets and then helps

6
00:00:12,040 --> 00:00:14,230
to decode them so that we can see them and make

7
00:00:14,230 --> 00:00:15,350
sense of them.

8
00:00:15,350 --> 00:00:19,110
So here in Wireshark, if we open up a capture--

9
00:00:19,110 --> 00:00:22,200
and I've got a capture of an HTTP session.

10
00:00:22,200 --> 00:00:24,450
HTTP is an example of a protocol that

11
00:00:24,450 --> 00:00:27,420
would be used at the application layer when a user, for example,

12
00:00:27,420 --> 00:00:28,350
visits a website.

13
00:00:28,350 --> 00:00:29,850
And now that we have this opened up,

14
00:00:29,850 --> 00:00:32,022
if we just grab one of these entries

15
00:00:32,022 --> 00:00:33,480
here-- in fact, in this example, I'm

16
00:00:33,480 --> 00:00:34,810
just going to grab number four.

17
00:00:34,810 --> 00:00:36,030
In this output of Wireshark, it's

18
00:00:36,030 --> 00:00:37,696
showing us the upper layer of protocols.

19
00:00:37,696 --> 00:00:40,260
We have the application layer, we have HTTP, the hypertext

20
00:00:40,260 --> 00:00:43,140
transfer protocol, and then at layer 4,

21
00:00:43,140 --> 00:00:45,600
we have the TCP protocol right here.

22
00:00:45,600 --> 00:00:49,634
And then at layer 3, the network layer, we have IP version 4.

23
00:00:49,634 --> 00:00:52,050
And then below that, because we're on an Ethernet network,

24
00:00:52,050 --> 00:00:53,790
it's showing us the layer 2 framing

25
00:00:53,790 --> 00:00:56,632
information for Ethernet regarding this data.

26
00:00:56,632 --> 00:00:58,590
If we looked at another example, let's go ahead

27
00:00:58,590 --> 00:00:59,300
and do that, too.
28
00:00:59,300 --> 00:01:01,670
We'll go to File, Open, and let's go ahead

29
00:01:01,670 --> 00:01:03,300
and grab a DNS request.

30
00:01:03,300 --> 00:01:05,220
DNS is used a lot in the background

31
00:01:05,220 --> 00:01:08,640
when we type in a name like www.cbtnuggets.com,

32
00:01:08,640 --> 00:01:11,207
and it resolves that into an IP address for our computer.

33
00:01:11,207 --> 00:01:13,040
And the key here-- if we grab one of these--

34
00:01:13,040 --> 00:01:16,710
we have DNS as the application layer of service being used.

35
00:01:16,710 --> 00:01:18,780
And then at layer 4, the transport layer, here

36
00:01:18,780 --> 00:01:22,091
we have UDP, because that's what DNS uses for a DNS query.

37
00:01:22,091 --> 00:01:24,090
This will go down to the network layer, layer 3.

38
00:01:24,090 --> 00:01:25,560
We have IP once again.

39
00:01:25,560 --> 00:01:27,240
In this case, it's IP version four.

40
00:01:27,240 --> 00:01:29,490
And then below that, we have the layer two information

41
00:01:29,490 --> 00:01:32,910
for the framing based on the type of network we're crossing.

42
00:01:32,910 --> 00:01:35,310
So we've looked at an example of TCP

43
00:01:35,310 --> 00:01:37,800
being used and UDP being used, let's also

44
00:01:37,800 --> 00:01:40,286
take a look at ICMP being used.

45
00:01:40,286 --> 00:01:41,910
Let's open up another capture for that.

46
00:01:41,910 --> 00:01:45,060
So, in Wireshark, we'll go to File, click on Open,

47
00:01:45,060 --> 00:01:47,190
and I've got one for ICMP right here that

48
00:01:47,190 --> 00:01:48,942
includes some ICMP traffic.

49
00:01:48,942 --> 00:01:50,400
So here in the Wireshark output, we

50
00:01:50,400 --> 00:01:51,810
have three panes, or three areas.

51
00:01:51,810 --> 00:01:56,450
Here we have the List view, here we have the Details view,

52
00:01:56,450 --> 00:01:59,210
and down here we have the Bytes view.
53
00:01:59,210 --> 00:02:01,940
And up here in the List view, if we take a look at entry number

54
00:02:01,940 --> 00:02:05,890
one here, it's showing that the protocol being used is ICMP.

55
00:02:05,890 --> 00:02:09,220
And in the info section, it's showing us a ping request,

56
00:02:09,220 --> 00:02:11,420
and then it's followed by-- in entry number two--

57
00:02:11,420 --> 00:02:13,520
it's followed by a ping reply.

58
00:02:13,520 --> 00:02:15,350
So with the ping request selected,

59
00:02:15,350 --> 00:02:17,891
here in the Details view, we have the Internet Control Message

60
00:02:17,891 --> 00:02:18,410
Protocol.

61
00:02:18,410 --> 00:02:20,090
If we expand it, it will give us the details

62
00:02:20,090 --> 00:02:22,090
of what's going on, including the fact that it's

63
00:02:22,090 --> 00:02:23,180
a ping request.

64
00:02:23,180 --> 00:02:27,740
And then, we have the layer 3 protocol of IPv4, and then

65
00:02:27,740 --> 00:02:29,330
the layer 2 information regarding

66
00:02:29,330 --> 00:02:31,820
the framing of that data before it's actually

67
00:02:31,820 --> 00:02:32,820
sent out on the wire.

68
00:02:32,820 --> 00:02:34,820
And also, while we have a few moments right here

69
00:02:34,820 --> 00:02:36,350
in the protocol analyzer, let's take

70
00:02:36,350 --> 00:02:40,790
a closer look at TCP and UDP to compare and contrast them.

71
00:02:40,790 --> 00:02:43,040
Because we have UDP right here in this packet capture,

72
00:02:43,040 --> 00:02:44,331
let's go ahead and start there.

73
00:02:44,331 --> 00:02:45,700
This is an example of UDP.

74
00:02:45,700 --> 00:02:48,890
It's pretty straightforward as far as the UDP at layer 4.

75
00:02:48,890 --> 00:02:51,440
It has some port information, some length,

76
00:02:51,440 --> 00:02:53,930
but you'll notice here for UDP, it

77
00:02:53,930 --> 00:02:56,030
does not have a lot of details regarding

78
00:02:56,030 --> 00:02:57,800
the connection oriented status.
79
00:02:57,800 --> 00:03:00,470
And that's because UDP is connectionless,

80
00:03:00,470 --> 00:03:02,570
it doesn't maintain connection state,

81
00:03:02,570 --> 00:03:04,550
it's not verifying that segments of data

82
00:03:04,550 --> 00:03:06,470
are making it to the other side, and that's

83
00:03:06,470 --> 00:03:08,820
why it's very lean and light, not a lot of overhead.

84
00:03:08,820 --> 00:03:11,934
However, if we take a look at a TCP segment--

85
00:03:11,934 --> 00:03:13,350
and let's open up another capture.

86
00:03:13,350 --> 00:03:16,370
In fact, let's go back to File, Open, and let's go back

87
00:03:16,370 --> 00:03:18,384
to HTTP, because that uses TCP.

88
00:03:18,384 --> 00:03:20,550
And we can click on any of these because they're all

89
00:03:20,550 --> 00:03:22,133
TCP related, but we'll go in and click

90
00:03:22,133 --> 00:03:25,475
on the HTTP protocol, that being the application layer protocol.

91
00:03:25,475 --> 00:03:27,960
And let's expand TCP right here.

92
00:03:27,960 --> 00:03:28,892
So if we expand TCP--

93
00:03:28,892 --> 00:03:30,850
and I'll go ahead and scroll this down a little

94
00:03:30,850 --> 00:03:32,000
bit so we can see it--

95
00:03:32,000 --> 00:03:33,210
take a look at this.

96
00:03:33,210 --> 00:03:35,510
Just by sheer volume of all the stuff going on,

97
00:03:35,510 --> 00:03:38,690
here in TCP, because of the reliable connection

98
00:03:38,690 --> 00:03:41,120
oriented services that TCP delivers.

99
00:03:41,120 --> 00:03:44,060
Including sequence numbers, and acknowledgment numbers,

100
00:03:44,060 --> 00:03:46,940
and a lot of other details that UDP simply

101
00:03:46,940 --> 00:03:49,580
doesn't have, or need, because UDP,

102
00:03:49,580 --> 00:03:53,210
unlike TCP, doesn't give a hoot about connection

103
00:03:53,210 --> 00:03:56,450
oriented or reliable sessions from the transport layer

104
00:03:56,450 --> 00:03:57,420
perspective.
105
00:03:57,420 --> 00:04:00,120
And as a result, there's a lot less overhead,

106
00:04:00,120 --> 00:04:03,290
which makes it more desirable for applications and functions

107
00:04:03,290 --> 00:04:07,790
that don't need a connection oriented, reliable session.

108
00:04:07,790 --> 00:04:09,700
In this Nugget, we've taken the opportunity

109
00:04:09,700 --> 00:04:12,460
to leverage a protocol analyzer-- in our example,

110
00:04:12,460 --> 00:04:15,040
it was Wireshark-- to take a closer look

111
00:04:15,040 --> 00:04:17,570
at some common, core TCP/IP protocols,

112
00:04:17,570 --> 00:04:22,510
including TCP and UDP at layer 4, IP at layer 3,

113
00:04:22,510 --> 00:04:25,650
and IP management protocol, named ICMP.

114
00:04:25,650 --> 00:04:28,360
We also reinforced the idea that TCP,

115
00:04:28,360 --> 00:04:32,470
because it does offer connection oriented and reliable services,

116
00:04:32,470 --> 00:04:35,290
does have more overhead at layer 4

117
00:04:35,290 --> 00:04:37,990
to accomplish that work, compared to its sibling,

118
00:04:37,990 --> 00:04:41,650
UDP, which couldn't care less about reliable delivery.

119
00:04:41,650 --> 00:04:43,870
I hope this has been informative for you,

120
00:04:43,870 --> 00:04:47,520
and I'd like to thank you for viewing.