WEBVTT

00:00.300 --> 00:07.780
In this lecture, we are going to learn to write and apply the basic filters.

00:07.860 --> 00:12.350
We will filter traffic using different protocols.

00:12.360 --> 00:14.070
So let's get started.

00:14.310 --> 00:18.930
This is the filter bar where you can type your filters.

00:18.940 --> 00:23.550
So I'm going to start with the TCP protocol filter.

00:23.550 --> 00:26.850
For the TCP protocol, it is just TCP.

00:26.850 --> 00:35.610
So type TCP. As you can notice, guys, as soon as you type the correct filter, the background color of

00:35.610 --> 00:39.370
the filter bar automatically changes to green.

00:39.390 --> 00:45.540
If I type an invalid filter, the background color immediately changes to pink.

00:45.570 --> 00:55.080
Now, in order to apply filters, press Enter, or you can simply click on the button on your right side.

00:55.230 --> 00:55.780
Right.

00:55.800 --> 01:04.680
As you can see under the protocol column, Wireshark has filtered out or removed all other packets,

01:04.680 --> 01:14.190
and it is only displaying the TCP packets or protocols that use TCP for delivering packets.

01:14.220 --> 01:15.480
Let me scroll down.

01:15.480 --> 01:22.050
As you can see, guys, here we have HTTP and TLS traffic as well.

01:22.080 --> 01:29.700
TLS is basically HTTPS or encrypted traffic. HTTPS and HTTP,

01:29.730 --> 01:40.980
both are application layer protocols, and all the application layer protocols use either UDP or TCP for

01:40.980 --> 01:42.840
delivering the packets.

01:42.840 --> 01:46.530
Right. Now, let me find UDP traffic.

01:46.530 --> 01:51.060
So type UDP, hit Enter. As you can see,

01:51.090 --> 01:56.160
under the protocol column, we only have UDP packets.

01:56.160 --> 01:56.460
Right.

01:56.460 --> 02:00.090
We also have some DNS packets as well.

02:00.120 --> 02:03.120
Just like HTTPS or HTTP,

02:03.150 --> 02:07.500
DNS is also an application layer protocol.

02:07.530 --> 02:07.830
Okay.

02:07.890 --> 02:12.010
DNS uses UDP for delivering packets.

02:12.030 --> 02:14.640
Now let me find, let's say, ARP packets.

02:14.640 --> 02:26.220
So type ARP. As you can see, we do have two ARP packets. Now ICMP packets: now it is just displaying the

02:26.220 --> 02:27.900
ICMP traffic.

02:27.960 --> 02:36.840
Right. In this way, guys, you can filter not all but most of the network traffic using the protocol

02:36.840 --> 02:37.560
name.

02:37.590 --> 02:45.720
You just need to remember the protocol name and type that in the filter bar.

02:45.750 --> 02:48.920
Now, let me give you a few more examples.

02:48.930 --> 02:51.900
I'm going to find the HTTP traffic.

02:51.900 --> 02:54.540
So type HTTP, hit Enter.

02:54.540 --> 03:01.590
As you can see, guys, under the protocol column, it is only displaying the HTTP traffic.

03:01.830 --> 03:06.900
Now, how do you find the encrypted or HTTPS traffic?

03:07.320 --> 03:11.970
Your first guess might be HTTPS.

03:12.120 --> 03:15.150
As you can see, it is not a valid filter.

03:15.150 --> 03:15.780
Right.

03:15.780 --> 03:20.710
So the filter for filtering HTTPS traffic is TLS,

03:20.760 --> 03:23.340
Transport Layer Security.

03:23.340 --> 03:30.150
If I press Enter, now we only have the TLS or HTTPS traffic.

03:30.210 --> 03:30.750
Right.

03:30.780 --> 03:43.380
HTTPS uses the TLS protocol to encrypt the traffic. HTTPS is basically a combination of HTTP plus

03:43.380 --> 03:44.190
TLS.

03:44.190 --> 03:44.760
Right.

03:44.760 --> 03:51.240
So TLS basically takes the HTTP traffic, then encrypts it.

03:51.240 --> 03:54.570
So that makes it HTTPS.

03:54.660 --> 04:04.320
Now, moving on, let's say you want to check the SSH traffic. Then type SSH, press Enter.

04:04.320 --> 04:08.010
I don't have any SSH traffic for now.

04:08.020 --> 04:11.460
Now let me type FTP, press Enter again.

04:11.460 --> 04:17.610
I don't have, you know, FTP traffic, but as you can see, it is a valid filter.

04:17.620 --> 04:18.240
All right.

04:18.240 --> 04:24.060
Let me try to remember a few more protocols: DNS.

04:24.180 --> 04:29.880
Now, as you can see, we have DNS queries and responses, right.

04:30.090 --> 04:35.520
And DHCP is also a valid filter.
