Catch a MiTM ARP Poison Attack with Wireshark // Ethical Hacking


Comments • 83

  • @clementyves6154
    @clementyves6154 2 years ago +9

    Very useful !! very good content! Good job thanks a lot !!

    • @ChrisGreer
      @ChrisGreer 2 years ago +1

      Glad it was helpful!

    • @clementyves6154
      @clementyves6154 2 years ago

      @ChrisGreer Very helpful! Thanks to you I'm a better network engineer!

  • @emirelezovic1574
    @emirelezovic1574 2 years ago +5

    Hello Chris, I'm one huge follower and I want to share my experience here. I'm working for an ISP as a tier 2 technician; your lessons on TCP and Wireshark literally boosted my knowledge by double the amount. And it's not that I didn't know something before, but the more you dig into the packet/segment level of communication, you just realize and start breaking the puzzle. Thank you for the awesome videos, and yeah, on my last case, one of my clients was dealing with a DDoS attack (qotd at UDP 17); if there was no Wireshark I wouldn't be able to isolate and resolve it. Thanks again and keep those coming. I would like to see a video on buffer delays and how we can spot them in Wireshark, and how much they impact the network in the first place. Cheers buddy.

    • @ChrisGreer
      @ChrisGreer 2 years ago

      That is fantastic Emir! Great to hear you were able to knock out that problem. And it is very encouraging to me to know that the content is helping you improve your analysis skills. Thank you so much.

  • @gitgudsec
    @gitgudsec 1 year ago +1

    You are literally the Wireshark God. Man I am so grateful for all your vids.

  • @wojciechmadrawski1745
    @wojciechmadrawski1745 2 years ago +1

    Chris, I have a BIG respect for you and your work made so far. You present "technical essence". Please don't stop with that. For people like me you are the authority. Take care and stay safe!

    • @ChrisGreer
      @ChrisGreer 2 years ago +1

      Thanks for the comment! I really appreciate it.

  • @TheRealAbdulIssa
    @TheRealAbdulIssa 1 year ago

    Just when I thought I understood how to spot that in a very crude and elementary way, Chris does it with finesse and teaches you a few more things along the way. Loved the profile trick and overall how you went about teaching and explaining this attack. 10/10

  • @cu_cu_xiijdd4489
    @cu_cu_xiijdd4489 1 year ago

    You explain it much better than hack the box

  • @bellagiosampler7390
    @bellagiosampler7390 2 years ago +1

    You're awesome, Chris. Thanks for the detailed explanation

  • @jasonb2221
    @jasonb2221 2 years ago

    Chris, there wasn't a pcap available to follow along with you on this guide. As always, your content brings great insights and your tips are very helpful. Thank you!

    • @ChrisGreer
      @ChrisGreer 2 years ago +1

      Hey Jason thanks for the comment. I don't think I included one on this video. But it is a fun thing to try and replicate on your own!

  • @shibbyshaggy
    @shibbyshaggy 2 years ago +2

    Chris very cool feature to keep on the side. you never know when your neighbour will attack you back right 😳

  • @elliemagnetic6136
    @elliemagnetic6136 2 years ago +3

    What about in the case of spoofing the MAC address in the malicious ARP request, or even changing the MAC address of the hacker's machine to that of the gateway?

    • @ChrisGreer
      @ChrisGreer 2 years ago +6

      That is a great question. If the attacker spoofed the MAC of the gateway, that would act more like a DoS attack. That is because there would be a duplicate MAC on the network. The switch would always be updating its CAM table with the latest talker - sometimes that would be the spoof, and sometimes the true gateway. So the target station would sometimes get packets through to the true gateway and sometimes the MiTM. Also, the MiTM wouldn't be able to pass traffic to the true gateway since the switch would see the "gateway MAC" on the same port, so no need to forward it to the true port.
      All of that is true unless the gateway had a secondary MAC that the attacker could take advantage of.
      Hope that makes sense and great question!

  • @PapaManixs
    @PapaManixs 2 years ago +1

    Straight up, hero!

  • @redacted4ever-298
    @redacted4ever-298 1 year ago +1

    Hey, is it possible to make a guide for this same video but for a terminal-based OS?

  • @leonkon649
    @leonkon649 1 year ago +1

    What if your network is already compromised, what then?

  • @virckoff
    @virckoff 2 years ago +2

    your videos are so great! thanks for sharing your knowledge.

    • @ChrisGreer
      @ChrisGreer 2 years ago +1

      Thanks Javier!

  • @ארזבכר-ה2ע
    @ארזבכר-ה2ע 6 months ago

    Chris, you're the best!

  • @ivanboiko8975
    @ivanboiko8975 2 years ago +1

    thank you! Don't Stop Making Such Cool Content

    • @ChrisGreer
      @ChrisGreer 2 years ago

      Thanks, will do!

  • @hadestech8147
    @hadestech8147 2 years ago

    Very cool filter. Thanks Chris.

  • @steamlabstech
    @steamlabstech 2 years ago +1

    Great video, really clearly explained and to the point. I would love to see this with T-Shark; we are recording a video on the use of T-Shark in comparison to Wireshark, and this gives me a great idea for a video concept. Keep up the great work.

    • @ChrisGreer
      @ChrisGreer 2 years ago +1

      That's a great idea. Maybe I'll start incorporating more tshark analysis into my vids. It's a little harder for the new folks to follow so I don't do it often, but I should get it in there sometimes! Thanks

  • @majiddehbi9186
    @majiddehbi9186 2 years ago

    Thx Chris, I've just ended pkt tracer about ARP poisoning. Thx Chris, I've read that in my mind. Great guy as always, God bless u

    • @ChrisGreer
      @ChrisGreer 2 years ago +1

      Nice! Thanks for the comment.

  • @freddrune8315
    @freddrune8315 2 years ago

    Another outstanding video!

  • @anntakamaki1960
    @anntakamaki1960 1 year ago

    Thanks sir.
    Do you have videos for other layer 2 attacks analysis in Wireshark?

  • @Joallyson
    @Joallyson 2 years ago

    Amazing Chris!!

  • @KUEKBOONKANG
    @KUEKBOONKANG months ago

    Great explanation, thanks for explanation

    • @ChrisGreer
      @ChrisGreer months ago

      Thanks for the comment

  • @m.almansoori9726
    @m.almansoori9726 2 years ago +1

    Great content, thumbs up

  • @Optinix-gz1qg
    @Optinix-gz1qg 2 years ago

    Dammmn great video Chris!!

    • @ChrisGreer
      @ChrisGreer 2 years ago

      Glad you liked it!!

  • @programmesitsfun5289
    @programmesitsfun5289 2 years ago +1

    Keep going, you've amazing skills

  • @marcusallen6123
    @marcusallen6123 2 years ago

    This was awesome!

  • @nd.b77
    @nd.b77 2 years ago

    That's cool! Next, let's detect some common port scanning attempts and add those filters to our new Sec-Profile.
    P.S. Did you ever perform an nmap x-mas scan on Dec. 24th?

    • @ChrisGreer
      @ChrisGreer 2 years ago +1

      Nice! Good ideas for our security profile.

  • @NasroMadara
    @NasroMadara 2 years ago +1

    Great video, thank you!

    • @ChrisGreer
      @ChrisGreer 2 years ago +1

      Glad you liked it!

  • @faran_siddiqui-d3t
    @faran_siddiqui-d3t 2 years ago

    Amazing as always

  • @vyasG
    @vyasG 2 years ago

    Thank You for this Great Video.

  • @axosolaman8984
    @axosolaman8984 2 years ago

    You are great and I love your videos

    • @ChrisGreer
      @ChrisGreer 2 years ago

      Thank you so much 😀

  • @homayounshokri5041
    @homayounshokri5041 2 years ago

    Great as always

  • @edwinaag
    @edwinaag 2 years ago

    Nice, I need to know how to capture a phone's traffic? Thanks

  • @cryptoknight5927
    @cryptoknight5927 2 years ago

    Thanks a lot Chris
    But I have a question: you specified the attacker IP in the filter, but in real-life scenarios I can't tell which one is my real gateway MAC, so what can we do here?

    • @ChrisGreer
      @ChrisGreer 2 years ago +1

      There will be a MAC that several stations are ARPing for - that will be the gateway. They need that MAC address in order to communicate to another network. I would also watch for routing protocols from a MAC, that is another hint of the gateway. If you can capture in-line, then you can tell easily by the destination MAC for an off-net IP.

  • @dougspindler4947
    @dougspindler4947 2 years ago

    Excellent video.

  • @freem4nn129
    @freem4nn129 1 year ago

    If I get the job I'm applying for I'm sending you 10 beers sir!

    • @ChrisGreer
      @ChrisGreer 1 year ago

      Go get that job! 😆

  • @HituGamingOfficial
    @HituGamingOfficial 7 months ago

    thank you sir very useful content

  • @rajah_7775
    @rajah_7775 10 months ago

    10/10. Now how do you stop this kind of attack? For me, I had to get a new modem and router as well as factory reset every device that was on the network, and thank god they are off, but how do you stop this attack so you don't have to reset everything?

  • @socat9311
    @socat9311 2 years ago +1

    Just an idea: tutorial on how to explore on wireshark smart devices that you plug in to your network (like home cameras) to understand what operations they do - and how to safely isolate them perhaps :)
    Great content as always!

    • @ChrisGreer
      @ChrisGreer 2 years ago +3

      I like that idea! thank you for the comment.

  • @sethcontreras9434
    @sethcontreras9434 1 year ago

    What if they spoofed their MAC address and IP?

  • @SoulJah876
    @SoulJah876 2 years ago

    This would be bypassed by any adversary on the network that spoofs your GW's IP, no?

    • @ChrisGreer
      @ChrisGreer 2 years ago

      Hello - thank you for the comment! Bypassed by an adversary? I would say that the adversary themself would be the one spoofing the MAC and forwarding the traffic between the target and GW.

  • @shadow8637
    @shadow8637 1 year ago

    you are a genius :3

  • @pedrobarthacking
    @pedrobarthacking 1 year ago

    Damn! Amazing!

  • @fedrix8895
    @fedrix8895 2 years ago

    Nice Video!

  • @rossigigio
    @rossigigio 2 years ago

    amazing and easy to deploy.

  • @scorpio_1312
    @scorpio_1312 2 years ago

    Thanks for sharing!

    • @ChrisGreer
      @ChrisGreer 2 years ago

      Thanks for watching!

  • @mapletech_22
    @mapletech_22 2 years ago

    Amazing

  • @khalivalabi2089
    @khalivalabi2089 2 years ago

    Hello, I used the filter and I got some packets, but the MAC address is still the same as the original one. How can I find the actual fake MAC address after the capture, as I am working with a preloaded pcap file?

    • @ChrisGreer
      @ChrisGreer 2 years ago

      If the gateway MAC didn't change then you may be ok. I would look for the unsolicited ARPs coming from the attack box, then use the source MAC in the ARP field for the filter. If that doesn't catch anything spoofing the gateway IP, then the attack traffic was not captured. Hope that helps.

    • @khalivalabi2089
      @khalivalabi2089 2 years ago

      @ChrisGreer okay. Thanks

    • @khalivalabi2089
      @khalivalabi2089 2 years ago

      Hello Chris. I was wondering why I got any packet(s) at all after using the filter you described above if I can’t spot an unusual MAC address? This is in relation to the first question I asked.

    • @ChrisGreer
      @ChrisGreer 2 years ago

      Hi Khaliv - ok understood. Can you show me the filter string that you are using on the pcap I shared?
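
The checks described in the replies above (the address several stations ARP for is the gateway; unsolicited ARPs reveal the spoofing MAC), as an added example that is not part of the original comments or the video. The function names, addresses and sample capture are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

ARP_FMT = "!HHBBH6s4s6s4s"   # Ethernet/IPv4 ARP payload, 28 bytes

def build_arp(op, sha, spa, tha, tpa):
    """Pack an ARP payload; only used to construct the sample capture below."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac(sha),
                       socket.inet_aton(spa), mac(tha), socket.inet_aton(tpa))

def parse_arp(payload):
    """Return (opcode, sender MAC, sender IP, target IP) from raw ARP bytes."""
    *_, op, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    return op, sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

def analyze(payloads):
    askers = defaultdict(set)   # IP -> MACs that sent an ARP request for it
    claims = defaultdict(set)   # IP -> MACs seen claiming it in the sender fields
    pending, unsolicited = set(), []
    for raw in payloads:
        op, sha, spa, tpa = parse_arp(raw)
        claims[spa].add(sha)
        if op == 1:                           # request: remember who asked for what
            askers[tpa].add(sha)
            pending.add((spa, tpa))
        elif op == 2:
            if (tpa, spa) in pending:         # reply that answers a request
                pending.discard((tpa, spa))
            else:                             # reply nobody asked for
                unsolicited.append((sha, spa, tpa))
    # The IP that the most stations ARP for is the likely gateway.
    gateway_ip = max(askers, key=lambda ip: len(askers[ip]), default=None)
    conflicts = {ip: sorted(m) for ip, m in claims.items() if len(m) > 1}
    return {"gateway_ip": gateway_ip, "conflicts": conflicts,
            "unsolicited": unsolicited}

# Constructed sample capture (all addresses are made up for the example).
GW, A, B = "00:11:22:33:44:55", "aa:aa:aa:00:00:0a", "bb:bb:bb:00:00:0b"
EVIL, ZERO = "de:ad:be:ef:00:66", "00:00:00:00:00:00"
CAPTURE = [
    build_arp(1, A, "10.0.0.10", ZERO, "10.0.0.1"),
    build_arp(2, GW, "10.0.0.1", A, "10.0.0.10"),
    build_arp(1, B, "10.0.0.11", ZERO, "10.0.0.1"),
    build_arp(2, GW, "10.0.0.1", B, "10.0.0.11"),
    build_arp(2, EVIL, "10.0.0.1", A, "10.0.0.10"),   # claims the gateway IP
    build_arp(2, EVIL, "10.0.0.10", GW, "10.0.0.1"),  # claims station A's IP
]
```

Legitimate gratuitous ARPs also show up as unsolicited, so an IP claimed by more than one MAC (the `conflicts` entry) is the stronger signal.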

  • @malkeetkalera7520
    @malkeetkalera7520 2 years ago

    👍👍

  • @shawn8163
    @shawn8163 2 years ago +1

    && !(content_video == bad) keep it up.