Awesome channel! Brings back good memories of my time as a Turbofan Test Engineer for Lockheed and Rolls-Royce from 2004-2012. We had several proprietary protocols that we needed to troubleshoot, but didn't have documentation for. So, I spent several months using Wireshark and creating custom dissectors for it, and eventually built some tools to help us solve many issues within minutes that used to take us days or weeks to narrow down and resolve.
Keep up the great work!
and you wrote documentation? Please say yes....
@bordeux, I did, including client and server applications that used the protocols so we could test from either end of the system and find where the failures were.
@bordeux, I even ended up creating an Android client so we could see the data being transmitted, instead of having one person in the control room and another 1/4 mile away on the jet engine. Using that Android app allowed just one person to do both the monitoring and troubleshooting in real-time.
Also, visit Edit -> Preferences -> Layout and select a layout where panes 2 and 3 sit side by side at the bottom. This way your screen space is used much more efficiently and a longer list of packets can be shown.
I have used wireshark many times for debugging, 99% of the video was stuff I already knew. But holy crap, right click and "Apply as Filter" - how on earth did I miss that? I wasted so much time digging through documentation to find out how to express those filters manually... thank you so much! It's also super helpful that you show how you mess up by filtering on the wrong thing, and then correct it; I probably would've made the same mistake.
Ooo, I try not to nitpick, but sometimes I can't help myself. At 5:06 where you talked about DHCP only working on the ... (pause)... "local subnet". The term you wanted is more like "layer II broadcast domain". Subnets are a layer-III concept and there can be multiple concurrent subnets on top of the same layer-II network. DHCP works across layer-II (to/from MAC address) and indeed there should only be one on the same layer-II broadcast domain. DHCP actually CAN traverse to other layer-II LANs (usually VLANs) and offer additional subnets on those VLANs by way of a "DHCP-relay" server, but that's another story :) Keep up the good work and great job making your mitmrouter scripts public.
You are correct. I often mix those layers in my head
NOT trying to be that "ACKTYUALLY" guy, but I'm pretty sure that's conditional. It's the norm, but it's not absolute. DHCP is first come, first served, and competing servers on the same broadcast domain can have completely different scopes, ergo subnets, of a network. Rig the client with a delay against the 1st server on a subnet and it leases only with the 2nd, etc. DHCP doesn't *always* use the same broadcast domain.
@@tommyt623 excellent corner-case example @tommyt623! My correction - one should not have multiple DHCP servers on the same layer-II broadcast domain unless the servers are offering differing scopes and you're happy for any clients to get their config somewhat randomly from either scope.
Exactly what I was looking for! More of these for beginners getting into IoT Hacking please 🙏🏼
Such an important skill for any kind of troubleshooting, hacking, or just understanding what the heck is going on!
You are correct. Private IP addresses are non-routable. I liked the information at the end. I would like to know how you transitioned that into the hardware side of things. I’d like to see some of the other tools you have for hardware capture and debugging, jtag, or if you have bus pirate…etc.
Thanks. Your videos are great. Keep up the good work.
Just found your channel, going to binge everything you posted. Thank you!
Matt, your channel is outstanding.
I appreciated this video. Gave me a fundamental understanding of network packets, and how to interpret them in Wireshark. I already had some very very basic knowledge of SYN and SYN/ACK protocol, but this was a really nice breakdown.
Dude, you are legend.
Fun fact, even though it is a Chinese domain, it looks like it is hosted in the Alibaba Cloud data center in San Jose, CA.
Great stuff man, really like that way you broke down the packets.
I never read your videos' comments, so this comment might be old to you... I'm subscribed to Henry Rollins and saw a notification with your channel pic in my subscribed channels and thought "Rollins published a video!", clicked and thought, "damn, Matt looks so much like young Henry Rollins". Great video btw!
I swear man make a course for beginners and I will be the first to buy it!!! Awesome content!
DHCP is broadcast on the local subnet. The DHCP server doesn't need to reside on that subnet, however. I believe a BOOTP relay agent can take the DHCP request and forward that on to the IP of the DHCP server. Then the offer, request and acknowledgement take place as normal.
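The two DHCP threads above (the "broadcast domain, not subnet" discussion and the relay-agent comment) can be made concrete with a few lines of protocol code. The following is an added example, not code from the video or from any commenter: it assembles a DISCOVER the way a client broadcasts it (no IP of its own, giaddr zero, so the only place it can go is a layer-2 broadcast), applies the rewrite a relay agent performs before unicasting the message off the broadcast domain, and has a toy server choose a scope from giaddr. The MAC, transaction ID, server address and scope table are constructed for the example.

```python
# Added example (not the video's or the commenters' code): DHCP DISCOVER/OFFER
# with and without a relay agent. Stdlib only; nothing is sent on a real wire.
import struct
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_SUBNET_MASK, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 1, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed 236-byte header

SERVER_IP = "10.0.0.5"                   # constructed: server lives on VLAN 10.0.0.0/24
SCOPES = {                               # constructed: giaddr -> (mask, next free address)
    "0.0.0.0":   ("255.255.255.0", "10.0.0.100"),  # clients on the server's own broadcast domain
    "10.20.0.1": ("255.255.255.0", "10.20.0.50"),  # clients behind the relay at 10.20.0.1
}


def build_dhcp(op, xid, chaddr, msg_type, yiaddr="0.0.0.0", giaddr="0.0.0.0", extra=()):
    """Assemble a BOOTP/DHCP message: fixed header, magic cookie, TLV options."""
    hdr = struct.pack(
        HDR_FMT,
        op, 1, 6, 0,                       # op, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0,                         # xid, secs, flags
        b"\0" * 4,                         # ciaddr: a discovering client has no address
        ipaddress.IPv4Address(yiaddr).packed,
        b"\0" * 4,                         # siaddr
        ipaddress.IPv4Address(giaddr).packed,
        chaddr.ljust(16, b"\0"),
        b"\0" * 64, b"\0" * 128,           # sname, file
    )
    opts = [(OPT_MSG_TYPE, bytes([msg_type]))] + list(extra)
    body = b"".join(bytes([code, len(val)]) + val for code, val in opts)
    return hdr + DHCP_MAGIC + body + bytes([OPT_END])


def parse_dhcp(data):
    """Decode the fields Wireshark shows in the Bootstrap Protocol tree."""
    f = struct.unpack(HDR_FMT, data[:236])
    if data[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (bad magic cookie)")
    options, i = {}, 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:                   # pad option carries no length byte
            i += 1
            continue
        code, ln = data[i], data[i + 1]
        options[code] = data[i + 2:i + 2 + ln]
        i += 2 + ln
    return {
        "op": f[0], "hops": f[3], "xid": f[4],
        "yiaddr": str(ipaddress.IPv4Address(f[8])),
        "giaddr": str(ipaddress.IPv4Address(f[10])),
        "chaddr": f[11][:f[2]].hex(":"),
        "type": MSG_TYPES.get(options.get(OPT_MSG_TYPE, b"\0")[0]),
        "options": options,
    }


def relay_forward(data, relay_ip):
    """What a relay agent does before unicasting the client's broadcast to the server:
    increment hops and stamp giaddr with its own interface address. giaddr is the only
    clue the server has about which broadcast domain the client is on."""
    msg = bytearray(data)
    msg[3] += 1                                         # hops
    if msg[24:28] == b"\0" * 4:                         # giaddr occupies bytes 24..27
        msg[24:28] = ipaddress.IPv4Address(relay_ip).packed
    return bytes(msg)


def server_offer(data):
    """Server side: choose the scope from giaddr and answer with an OFFER."""
    req = parse_dhcp(data)
    if req["type"] != "DISCOVER":
        raise ValueError("expected a DISCOVER")
    mask, addr = SCOPES[req["giaddr"]]
    chaddr = bytes.fromhex(req["chaddr"].replace(":", ""))
    return build_dhcp(
        2, req["xid"], chaddr, 2, yiaddr=addr, giaddr=req["giaddr"],
        extra=[(OPT_SUBNET_MASK, ipaddress.IPv4Address(mask).packed),
               (OPT_SERVER_ID, ipaddress.IPv4Address(SERVER_IP).packed)],
    )


if __name__ == "__main__":
    discover = build_dhcp(1, 0x3903F326, bytes.fromhex("0011223344aa"), 1)
    print("same broadcast domain:", parse_dhcp(server_offer(discover))["yiaddr"])
    relayed = relay_forward(discover, "10.20.0.1")
    print("via relay 10.20.0.1:  ", parse_dhcp(server_offer(relayed))["yiaddr"])
```

The same DISCOVER yields a 10.0.0.x lease when the server hears it directly and a 10.20.0.x lease when it arrives through the relay; the client's own bytes never changed, only giaddr did. That is also why two servers with different scopes on one broadcast domain race each other: both see giaddr 0.0.0.0 and both believe the client is theirs.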
Matt, as usual, great content and very fluid with discovery step by step. It is always amazing to see the IP addresses going to servers in different countries.
Have you noticed any trends on different devices going to the same IP?
Who knows? Maybe a shark, ring camera, and Bluetooth scale are all pinging the same server! 😅
Thank you again for sharing your skills!
excellent content and explanations.
You could also put some packet diagrams on screen. For some people that is easier to understand.
Wireshark has a cool feature to display the packet diagram. See the Wireshark documentation, section 3.21, "The Packet Diagram pane".
@petrus54654 yes, for me it was easier to understand how packets are packed, from the actual data up to the top.
You mentioned an ICMP response in the case of TCP connection rejection. But you skipped saying the same for UDP connections as well. In both cases it's true if the connection attempt is performed on the LAN, without routing and when the traffic is not firewalled.
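On the comment above: a closed TCP port answers a SYN with a TCP RST, not with ICMP. ICMP destination-unreachable is what a closed UDP port returns (type 3, code 3, quoting the probe it is complaining about) and what a firewall that rejects instead of drops sends (commonly code 13 from the firewall's own address), while a silent drop produces no packet at all, which is the one case a capture cannot show you directly. This added example, not code from the video or from any commenter, builds those responses from constructed packets and classifies them the way you would when reading a capture. The addresses, ports and packet contents are made up, and the checksums are left at zero because nothing here touches a real interface.

```python
# Added example (not the video's or the commenters' code): what the first packet
# back from a probe tells you about the port. Stdlib only; packets are constructed.
import struct

TCP, UDP, ICMP = 6, 17, 1
TH_SYN, TH_RST, TH_ACK = 0x02, 0x04, 0x10
ICMP_UNREACH = 3
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
                 3: "port unreachable", 9: "net admin prohibited",
                 10: "host admin prohibited", 13: "communication admin prohibited"}


def _ip(dotted):
    return bytes(int(x) for x in dotted.split("."))


def ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (checksum 0: these packets never go on a wire)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      _ip(src), _ip(dst))
    return hdr + payload


def tcp(sport, dport, flags):
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)


def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)


def icmp_unreachable(code, original_datagram):
    """Type 3 message: code, then the offending IP header plus 8 bytes of its payload."""
    return struct.pack("!BBHI", ICMP_UNREACH, code, 0, 0) + original_datagram[:28]


def parse_ipv4(pkt):
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return proto, ".".join(map(str, src)), ".".join(map(str, dst)), pkt[ihl:total]


def classify_response(resp, probe):
    """resp: first IPv4 packet seen after sending `probe`. Returns what it means."""
    p_proto, p_src, p_dst, p_l4 = parse_ipv4(probe)
    p_sport, p_dport = struct.unpack("!HH", p_l4[:4])
    r_proto, r_src, r_dst, r_l4 = parse_ipv4(resp)

    if r_proto == TCP and p_proto == TCP and r_src == p_dst:
        sport, dport, _, _, off_flags = struct.unpack("!HHIIH", r_l4[:14])
        if (sport, dport) != (p_dport, p_sport):
            return "unrelated"
        flags = off_flags & 0x1FF
        if flags & TH_RST:                                  # closed TCP port: RST, no ICMP
            return "closed: TCP RST from %s" % r_src
        if flags & (TH_SYN | TH_ACK) == TH_SYN | TH_ACK:
            return "open: SYN/ACK from %s" % r_src

    if r_proto == ICMP and r_l4[0] == ICMP_UNREACH:
        code = r_l4[1]
        q_proto, _, q_dst, q_l4 = parse_ipv4(r_l4[8:])      # the quoted original datagram
        if (q_proto, q_dst) != (p_proto, p_dst) or struct.unpack("!HH", q_l4[:4]) != (p_sport, p_dport):
            return "unrelated"
        if code == 3 and r_src == p_dst:                    # target itself: closed UDP port
            return "closed: ICMP port unreachable from %s" % r_src
        return "filtered: ICMP %s from %s" % (UNREACH_CODES.get(code, "code %d" % code), r_src)
    return "unknown"


# Constructed scenario: we probe 192.0.2.20 from 192.0.2.10; 192.0.2.1 is a router/firewall.
HOST, TARGET, ROUTER = "192.0.2.10", "192.0.2.20", "192.0.2.1"
syn_22 = ipv4(TCP, HOST, TARGET, tcp(40000, 22, TH_SYN))
syn_23 = ipv4(TCP, HOST, TARGET, tcp(40001, 23, TH_SYN))
udp_53 = ipv4(UDP, HOST, TARGET, udp(40002, 53))
syn_445 = ipv4(TCP, HOST, TARGET, tcp(40003, 445, TH_SYN))
RESPONSES = {
    "tcp open":     (ipv4(TCP, TARGET, HOST, tcp(22, 40000, TH_SYN | TH_ACK)), syn_22),
    "tcp closed":   (ipv4(TCP, TARGET, HOST, tcp(23, 40001, TH_RST | TH_ACK)), syn_23),
    "udp closed":   (ipv4(ICMP, TARGET, HOST, icmp_unreachable(3, udp_53)), udp_53),
    "tcp rejected": (ipv4(ICMP, ROUTER, HOST, icmp_unreachable(13, syn_445)), syn_445),
}

if __name__ == "__main__":
    for name, (resp, probe) in RESPONSES.items():
        print("%-13s -> %s" % (name, classify_response(resp, probe)))
```

The classifier insists that the ICMP message quote the probe it is answering; that is the same check a host's stack (and Wireshark's "ICMP ... for this packet" link) performs, and it is what stops an unrelated or spoofed unreachable from being read as a verdict on your port.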
Thank you for your work. Keep going. We need that.
awesome video!!! thank you so much
Currently studying for my CCNA, so I love watching real-life examples of network protocols in action. Are there any other certifications you recommend?
This video is really good. Well explained, like on a university networking course.
very valuable - thank you!
I need to get me some of those sin packets
Hi Matt, can you do a video on decoding the TLS data when you have the server certificate and private key (or when the device accepted a self signed certificate)? Thanks!
Super interesting.
You are the best 👍
I know this video just dropped, but had a question for you Matt. I bought a sus single-key programmable Chinese macro keyboard and I’d like to make sure that it’s not sending any data back or doing anything nefarious. Is Wireshark the best way to monitor the USB keyboard?
Just open the keyboard.
yeah open it and look at the chips inside
@ЛеонидШкурин-б5т then you see a black blob. What information did you get from that exercise? Fuckall.
take pics or video if you see something cool, please.
You must know the fundamentals of how a keyboard or other device can send data.
If your keyboard has its own software, it could be bad.
If your keyboard is detected as more than just an input device, it could be bad.
If your keyboard has some chips not related to the input device, it could be bad.
So... You'll MITM that TLS connection to China? Or even look at those UDP packets?
Can you please assess the security of enterprise-grade solutions like the ZKTeco or Hikvision brands? They are well-known, but they may have a backdoor or a loophole.
I just found a Hikvision in e-waste :D
@mattbrwn this will be great, we will be waiting for the demonstration
I'll add possibly going through the process of updating the firmware to an alternative like a custom version of "OpenWrt".
Please Do Not Throw Sausage Pizza Away... All People Seem To Need Data Processing. And Lyin' Little Chick (LLC) works at MAC Donalds. Those were some mnemonic devices our instructor told us to help remember the way data flows through the layers of the OSI model.
That's not a Chinese server. It's owned by Alibaba (US) Technology Co., Ltd., but it's located in San Jose, California. Edit: I think in a slightly different way it would still be valid to call it a Chinese server...
They are known to exfiltrate data to China. The US government does the same with data located in Europe and hosted by US companies, though.
Most of the time Alibaba cloud servers are actually in Hong Kong. I'm guessing they probably have edge infrastructure in the US though but I'd almost wager without a doubt the main servers are in Hong Kong. For me, I'm already in Asia so It wouldn't make much sense sending traffic to the US and back.
First comment 💬
First Like 👍🏻
Great video, Matt!
Maybe you could show us also how to MITM with wireshark and how to prevent this?
0:34 What other video shows how to hook that up? You have 60 videos by now.
Edit: Found it ( th-cam.com/video/k134j9E5oZE/w-d-xo.html )
By the way, nice video 😊
I bailed out because of all the adverts. This is making YT unwatchable. Sorry 👎👎👎
Jailbreak with flex