
So, a little bit about me, not that you really care, but I've been around doing packets and looking at trace files 30 years. I mean, it says 1970 somewhere in there; it's been a long time. So this is my company, [inaudible]. You're welcome to go out to my website; I encourage you, as a matter of fact, to go download the frame header spreadsheet. I'm gonna introduce it to you real quick, and I'm not here to sell you anything, even though I sound like a used car salesman. Yeah, I'm really not; I'm not here to sell you anything. What I'm here for is to show you resources.

So I cannot take credit for this. A friend of mine put this together as part of his CISSP project years ago, and I keep it updated. He started it a long time ago, 10, 12 years ago, and I keep adding things to it as I need those resources. I figure you, as well as network folks and security folks, need these same resources. So I'm not going to go all the way through this, but you see we start with the frame information and we go all the way along the bottom: tcpdump, UNIX commands, grep and nmap (I gotta be politically correct, okay), keep going over to the... so they're right there: [inaudible], OS fingerprinting, dumpcap, editcap, Wireshark, FTP, HTTP, all these wonderful protocols. You got all this great information now at your fingertips. I don't know anybody doing voice over IP troubleshooting today that needs to do any of that, looking at any of that from a security perspective as well; all that information is in this spreadsheet, so I highly encourage you to go out there and grab that.

Number two, I got a lot of videos. I'm kind of into doing videos and free training. You hear that, free training? Free is good these days, isn't it? A lot of free training classes take you from the physical layer up to the application, troubleshooting, doing labs with Wireshark. How many of you have Wireshark? Come on, every hand ought to go up, right? It's free; we're back to this, the right price. How many of you know how to use Wireshark? What's all this? I mean, come on. So okay, I'm not gonna teach you how to use Wireshark today. I'm gonna show you a couple of things that we can do using Wireshark in an effort to secure your company's assets. Maybe I can find my presentation again. Man, this computer stuff, it's gonna catch on someday. There it is.

Okay, so we know there are bad actors out there trying to break into your network. We've heard about security stuff, you've heard about security stuff. You need to start monitoring your network today if you're not. So just look at it, mine: my worldwide headquarters of Ebony X, based out of Kansas City. One day, one day, 241 attempts made to get into my network from US companies, dirty dogs. And we keep hearing on the news, right, Russia, China. Really, the second one's Canada; hey, I don't know what they're doing. Taiwan, and then China. I don't even see Russia; I guess they don't want anything out of my network. That's okay by me.

So the Boy Scout motto: be prepared. This is the whole thing; you need to be prepared. In order to gain total network visibility you need to capture all of the packets, if possible; know the normal path of your packets. So we want to be on the internet side, you want to be on any VPN interfaces, any interfaces coming into your corporate environment. You know, we've heard about all the different companies being hacked over the last, you know, pick the years, right? Started with Target, somebody said that already this morning; Verizon, 14 million records; you know, come on, it's happening every day. So gather the log files from your firewall, servers, IDS. How many of you know how to use Snort and have Snort? Again, what's all this? I mean, it's free. Everybody keeps saying "I want free"; it's a free IDS. You should at least be using that as well. So the
cost of information: why do they want in? The value of your information. I can't 100%, you know, validate this; I got this from someone else's presentation that I took a picture of, and I said, oh, that's kind of good information, so here you go. This is what this information is worth, why they want to get in, according to that security professional in a previous one of these: emails, worth 129 bucks; credit cards, there's not a lot of value to that because of all the anti-fraud, all that, and everybody's watching payment accounts; your health record, now that kind of, I get that, because I do a lot of work with some hospitals in Kansas City. Do you know how hard it would be to change your health record once they got that? Oh my gosh, it'd be brutal. So that's why that's worth a lot of money, if they can get your health record information. Social security number, bank account information, airline miles. I never even thought about airline miles. How many of you got the million mile account? You don't travel enough in your low paid jobs as a SOC analyst; I'm kidding.

So okay, the twenty CIS critical security controls. This is where packets... I'm not here to educate you on any of this; I'm here to talk to you about packets, because that's the world I live in every day, and packets fall into CSC 9, critical security control number nine, [inaudible], and number eleven. Those are the two places packets play a strategic role in your security infrastructure. Again, why is it important? The cost of the attacks: the mitigation, investigation, monitoring, all of that, security controls, that costs corporations money. I can't even remember his name, Ben said it best earlier: HIPAA. We've talked about it; someone here was already in the HIPAA side of things. You know, we just saw that here recently, Anthem was fined a hundred and fifteen million dollars for their data breach. It starts to cost you big money, and you know the HIPAA violations are anywhere from a hundred bucks a record that goes out to five thousand dollars a record that goes out. You know, you can't really afford a couple hundred thousand records to leave your environment, or a million records leaving your environment.

So the question I get asked most often is, how do I get the packets out of the network? Y'all familiar with setting up SPAN? I know you're not necessarily network folks, but do you know how to set up a SPAN port? Yeah, that's perfect. Or you have a tap. Those are the ways that we get packets out of our environment to be able to capture that information, and then run some filters, some pretty simple filters, to vindicate or validate those signatures. I encourage you to monitor both inside and outside the firewall. It's always good to look at the outside to see, you know, who's trying to break in, and obviously on the inside, who got in. No magic there, Jethro math, right, because what goes in goes out. So we want to monitor any other inbound/outbound link: VPN, branch office, branch [inaudible]. You got... someone had already mentioned GRE tunneling; you know, most firewalls allow that stuff through. Your key locations need to be monitored for attacks, and again you want to look for both inside and outside threats. Man, I can't stress the first two, the top thing right there: know your environment. No consultant knows your environment, nobody else knows your environment, nor are they going to learn it. So again, know it from outside, from inside, all your hosts. You know, what defenses do you currently have in place? DLP, IPS, IDS, pcaps? Are you taking captures with that free Wireshark? How many of you know how to use tshark? Wow, okay. tshark is another free utility that you can... let me introduce you, did I introduce you to my spreadsheet yet? You want to build a capture box that will capture all these packets for you for, guess how much, free. That's a great number, isn't it, free? It's not even $49, it's free. I passed it again; I learned how to use the computer. So if we go back
over here to tshark. I gave you this little batch file. How many of you remember how to do a batch file? Okay, there's a few. Sweet. Here's a little batch file that you can run right there; it will actually create a whole bunch of capture files for you. In this case, I got a look at it, and it's just a matter of changing a couple of these parameters. In this case it's going to create 250 files of a hundred meg in size and write them to a folder called traces. Hey, it's a batch file; you already raised your hand, right, you can change it. All right, so you can make it as many as you'd like, and now you have a free (how much is it? free) capture device that you can now start capturing both inside and outside with. Then, you know, this doesn't take a lot of horsepower. You got some old 286s laying around? I'm kidding; hopefully you got better than that laying around.

And again, the question you got to ask yourself is, do you filter? Do I just want to see, you know, the first hundred and twenty eight bytes of the frame? Do I need just protocol information, or do I need the entire payload? And kind of like Smokey the Bear, only you can prevent forest fires, so only you can answer that question. My personal opinion and five dollars will get you a cup of coffee at Starbucks. So my personal opinion is you need the entire packet, and the reason being is I need all that application information, URL information, all that stuff that's in the payload of the packet. But it's always a trade-off, right? If I've got so big of a size of storage, do I want more frames with less application information, or do I want less frames with all the information? So again, only you can prevent forest fires, me and Johnny Danner.

All right, so create your monitoring methodology. What do you want to monitor? What are you looking for in the packets? I've heard it from all of these speakers today: data exfiltration. It's kind of key: if there's stuff leaving your environment and it's not going to a site that it's supposed to be going to, wow. I can't even do the Elvis eyebrow thing; you should raise the Elvis eyebrow and take a look at why an 11 gig file just left your network. Web attacks, spear phishing, whale phishing (wanting to get all the big dogs), host infections, DNS. People are creatures of habit. It's funny to come into our office in the morning and look and see where everybody's going, [inaudible].com. I'm kidding; maybe you are, maybe you aren't, but people are always creatures of habit, and you just start tracking, and all of a sudden you look for the anomalies: wait a second, they didn't go to [inaudible].com this morning, they went to three other different places that they've never been to before. So it's just a way for you to come up with what the indicators are, and then you need to execute on your plan. What are your indicators? What is the value of those indicators? And then you need to prioritize the value.

So I'm just going to give you a couple; you can probably come up with your own as well. But here you see an email server has initiated an outbound FTP session; again, I can't do the Elvis eyebrow thing, but that would be an indicator, to a host in Russia. Maybe you're Donald Trump; that might... I did not say that out loud, you did not hear that. That's on tape, isn't it? I'm going down; I'll be audited next year. You see a spike in the amount of Internet Control Message Protocol traffic at 2:00 in the morning. Again, you know, ICMP: routers send ICMP traffic to notify us of issues, but it could be something, your firewall, I don't know; we probably need to look at that in more detail. You see a host sending zip or rar packaged files to a host in San Diego. Is that a problem? I don't know yet. You got a site in San Diego, Jack Henry? You've got a site
in San Diego? If you do, that's probably good. I'd still check out, you know, what is it talking to? So these are the things that you need to be paying attention to, and that you can easily build filters for. Trojans and worms: I've heard all this malware stuff that we've talked about today. Trojans and worms, they've been around for a long time. Have you thought about it from the network's perspective, anybody? How many of you know how to start a connection in TCP? What frames have to happen? SYN, SYN-ACK and ACK, three frames, right. So Trojans and worms try to talk to the world from inside and do lateral movement, so a very simple filter would be to look for SYNs and SYN-ACKs. So if I filter for SYNs and I get a thousand, how many SYN-ACKs should I get? That would be good if it's one-to-one, right? But what if I only got a hundred SYN-ACKs but I got a thousand SYNs? Just saying, might be an indicator. You see how we're taking this now to the next step? Question, and I'm more than willing to show you how to do it: how many of you could build that filter in Wireshark? 2, 3, 5. That's what Google's for. There you go. How about if I just show you; we'll just get it over with, it's really fast. I got Wireshark ready, filter window there. How about tcp.flags.syn == 1, and it turns green. That's a great thing in Wireshark, by the way: if you're typing in your filter and it's red, thanks for playing, so make sure it's green. tcp.flags.syn == 1, that'll give you the number of SYNs, you know, and there we go. And then the other one is just "and", and what do you think that might be if I want to find my SYN-ACKs? && tcp.flags. ... oh, look at that, and it's even kind of there for you, not ack, you can kind of scroll down, check that out, == 1. I don't actually, I don't want that one; look, that's not what I want. I want SYN and ACK. Thank gosh. So there's our SYNs. Cool enough. Google, if you don't know, Google. But easy filters, some very easy filters.

Now how many of you have heard of the other tool, my favorite tool, Observer? Anybody? A couple of you, okay. In Observer you could build that filter very quickly; they allow you to build binary filters. I'm not going to teach you how to build a binary filter today, but inside of Observer: Tools, Post Filter, we go to Security, I got a bunch of them here, so let me see if I've got one for it already. Anyway, the SYN and the ACK; a lot of filtering capabilities inside of Observer. New filter; I'm just gonna call it "test" because we're here playing. I never name filters "test", I would slap myself for doing that, but since we're here, because I'll never know why I did it. So you know that lives in the TCP header, so I just go down here to IP, TCP, there we go, and you know that lives at offset what? Thirteen. Sure, y'all know that, right: thirteen bytes over from the beginning of the TCP header. You're with me, man, I could tell. And you know that's a binary field; it's a long one, and how many bits is it? Can you count? One, two, three, four, one, two, three, four. That all makes sense to you; now if you downloaded my spreadsheet it would, and that's cool. You can even kind of do that in Wireshark; it's the same type of filtering, you're filtering for specific bits in the TCP header, the SYN bit and the ACK bit, and then you can apply that filter and, you know, all the magic happens, maybe. Okay, okay, now I have a filter called "test" that we're gonna delete. All right, so Wireshark again: we can filter inside of Wireshark, we can also filter inside of Observer, two protocol analyzers. There's lots of protocol analyzers out there; those are the two that I use most
common. There's NetMiner, it's not really free; there's Colasoft. So whatever your favorite analyzer is; again, Wireshark is free. SYN-ACK filter, we just talked about that, how you can find worms, Trojans. Also another way is top talkers inside of Wireshark. Trojans and worms tend to send a lot of small packets, so if you filter by packets, not big packets (thinking about doing file transfers, right, we're gonna send large packets, lots of data in that packet; FTP might be a way to look for those big files leaving your environment, right), but for Trojans, looking for small. And in this case I've also downloaded the information that shows you who's, you know, talking to wherever. Wow, look at all that shiny: tiny, tiny, tiny, Hong Kong. So it's even got all of the GeoIP information that you can load into your Wireshark. Look at your top talkers and see who's sending data to you or who you're sending data to. China might not be good, just saying, unless they're building cars that they're gonna import over for us soon.

So again, we keep talking about the packet path; the path of the packet is important. Obviously we want to capture on your internet interface; that's the most important, important, important (that's Jethro talk, they're from Iowa), the most important points in your environment. But there are also other strategic places depending upon how your network is configured. How many of you have heard of packet brokers, like Gigamon, Ixia, Garland? Okay, so with the use of those technologies as well, you can bring in multiple points from your network into one capture appliance that you're gonna build now with tshark and my little batch file, potentially for free. But capturing all the packets, it's kind of important. So there are companies that make hardware solutions to do this, and there are companies, you know, that offer the free stuff, and so again, I'm not here to sell you anything. The GigaStor is one of those hardware solutions; Riverbed makes a product with Wireshark called the NetShark appliance. So these are these big boxes, lots of terabytes worth of storage, that you can go back in time with. And again, you want to make sure, if you're capturing on a 10 gig link or a 40 gig link, my little batch file and your 386 machine isn't gonna keep up, just so you know. All right, didn't want there to be any misunderstanding there.

So log files. Again, it's not possible, more probable, to go through, you know, a terabyte worth of packets; not in my lifetime, not in your lifetime. So we want to use log files and that data, these kinds of things, as smoke alarms to let us know if something's going on: I've got, you know, this source talking to that destination and it shouldn't be, so there's my smoke alarm. Now I can go back into the terabyte system. I've got who's talking to who, I've got the time it happened, the ports, whatever, and I can now easily filter for that out of all of that packet information. And again, we just talked real quick there about, you know, NetFlow; a lot of great information that it keeps, free: source, destination, source port, destination port, what protocol's in use, the timestamps. So now I know what time this event, this indicator of compromise, occurred. I can now go back into my free tshark box that I just built, or my GigaStor, or my NetShark appliance, or whatever that box is that you're gonna use to capture
all of these packets. Again, log files from your firewall. In this case I do allow FTP, because people upload traces to me to help them analyze, because a lot of people get free Wireshark and then they take the trace and they go, hmm, looks good, I don't know, maybe we should ask Mike. So I say sure, FTP me the trace. I don't allow anonymous, so you got to get the user and password, and I shut it down the minute we're done. And just, again, within a week, you can see the loggers at a week; I don't even remember, today 73, and then by the week 1700 attempts to break in, dirty dogs. So again, looking at the log file you can see what they're trying to access, what the ports are: source port, destination port, protocols. My favorite: somebody trying to get in on port 23. We already talked about that today; so somebody looking to see if Telnet's running on my server. So I gave you my statistics earlier; here's where they came from, again, by country. I just looked at the IPs, did a little nslookup or NeoTrace, whatever your favorite tool is, to find all that stuff, and we figured out who those attackers are by country.

Again, the ability to go back in time: those big terabyte type boxes, there's many companies that make those. If you need one, contact one of those companies, but you need to have it in place ahead of time so that you can go back in time when they get in. How many of you ride motorcycles? You ever fell over on it? You know what I'm saying. You have? Did you ride a motorcycle? Usually people go, dog, never laid it down. You will, actually, if you ride, right. It's the same with being attacked: it ain't if, it's when. So you think... they will. They're looking for that chink in your armor; they're gonna find it. But if you've got the packets, you can prove and see what they did, what they touched. So have it in place ahead of time. Again, the tool allows you to then roll back the time to, you know, whatever point in time you need to go to, pull out the packets of interest for your indicator of compromise, and do the analysis.

So how much is enough? I don't know, till I can't stand up anymore. I'm kidding, sometimes. It depends. We're talking bourbon whiskey or just whiskey whiskey? No. So, haha, I'm kidding. How much is enough? It's all about how far back in time do you need to go. I have companies that I work with, they need 30 days of retention. That's a lot of space. So, you know, it's up to you; I can't make that... we're back there, Smokey, right, Smokey the Bear: only you can make that decision based on your environment. We've talked about packet slicing, and then what's the trade-off.

So again, we can be sure the attack is imminent. Look at your firewall logs; they're trying, every day they're trying, they're probing, they want to find that chink in your armor. So we want to be familiar with the flows and the patterns; you want to know what's different. And I always tease: with a packet trace everybody says, you know, we use filters to find the needle in the haystack. I'm even lazier: filter out the hay. What do you got left? Needles. It's definitely easier to find one needle among ten than the needle in the haystack. So your call, whatever you want to do, however you want to do it, but I always encourage you, filter out the haystack and let's get down to the needles. So the way that's going to work for you is you got to know what's normal. You got to have baselined the network, sort of know what's normal. So some of you, you're gonna have to work with your network peers, and I know we all hate that, right, but it's the way it is. So you got to know what's normal: protocols, application protocols, what rides on top of these, your remote locations, what applications. Right there, again, what's normal. And then after the compromise, because again it's like riding a motorcycle, you know what happened, what was compromised. So inside your firewall, actually this is outside
your firewall: do you have a web presence? If yes, where are your web servers? What type of content do they host? Do you offer HTTP, HTTPS? Your little cool tool, was it... I wrote it down, because I'm so... Dan kind of gave us that information very quickly. What are the functions? Do you have externally accessible FTP servers? Do you allow anonymous? And I've said, if you do, we always recommend SFTP; it's right there, you go. What kind of authentication: user ID and password, two-factor? Do you allow uploads, downloads, both? How many hosts on your network? I'm not gonna read all this to you; take a picture if you want it, or email me, I'll send you the slide show. How do they get updates? All this good stuff you need to baseline. If you do not know what's normal, how do you know when they got in and they're exfiltrating an 11 gig file? Is that normal? I don't know, I didn't baseline. So I'm gonna encourage you: you have to know what's normal, and it doesn't take a rocket scientist to figure this information out. A couple of good traces, a little bit of time, and you can come up with what is. And again, this needs to be updated. Baseline information is kind of, in my world, the living document, because, you know, your network and applications and all that isn't static; it changes every, I don't know, day, week, month. So as things change you need to then revalidate, vindicate (that's a V for Vendetta, all those V words, vindicate, validate). You need to encourage everyone to be a part of this so that you know what is normal, so then you can look at the who, what, when, where: where did they get to?

So here's a little example out of my network. I showed you that FTP is allowed into my environment. I had somebody trying to get in; they sent the SYN requests, dirty dogs. What did my host reply back with? A reset. I'm kidding. So then I do, I IP'd them; I'm like, so who's trying to get into my FTP server at this particular time? India. So okay, they're looking. I'm just saying, they're looking. I think it was you two talked about the honeypot, was that you? Yeah, honeypots, they're wonderful; but be careful with those. So again, filter out normal. If you know what's normal, it's easy to filter out the normal and see what you got left. Remember I said filter out the hay? That's your normal. If I know, you know, I got subnet X of servers, web servers, we'll filter all those out. I know that's my normal traffic talking to this subnet group, so filter that out. Now who else are those web servers talking to? Should they be? Oh no. Guess you'll find out. Again, it's easier to filter out the hay and find the needle among the needles than, my favorite that you always hear people say, man, I just find the needle in the haystack. Good luck. I live on thirty acres; have you seen some of those haystacks? We just baled hay on my property. Gotta find the needle in one of those. Any of you, you know, farmers, hay people, you know what I'm talking about.

We just talked about SYNs and SYN-ACKs. So I encourage you: perimeter defenses. You need to port scan your perimeter. Again, you know, you can pay somebody to do this, but why not learn to use the tools yourself? I encourage you to do that as well. Perform your own penetration test, vulnerability scan; there's tools out there that will do it for you. Find your weaknesses and vulnerabilities before they do, cuz they're looking, and they will, guaranteed. Again, look for abnormal outbound data transfers. I can't stress that enough. There's no magic to how they're getting this information out of all these companies, right? They get in and they just send out all these records. They don't send them out one at a time; they zip them up, they put them in a big RAR file, they FTP, and they whatever; they're moving a big block of data someplace that probably is not normal to your environment.

So what were the attack indicators? I've heard several of the speakers talk about indicators. What was penetrated and compromised? How long did the compromise persist? You know, they've been in your environment for two weeks, 30 days, 60 days, I don't know. There was some number I read; I read so many numbers, but there was some number I read not long ago that the average attack lasts, or they've been in your network for, over 60 days, and you may be able to answer that better than I. Now it's 180? Wow. So there, you guys are figuring it out faster; that's good. So how long, and then what information did leave your environment, and at what specific time of day? What devices were compromised? How did they get in? The most easy is a user
ID and password; that's typically kind of what they're looking for, and especially on those admin shares, like Petya, WannaCry. Have you seen how the... well, somebody did one of those here already, how that all works. They were looking for admin shares, the ADMIN$ and IPC$ shares, to be open. So again, what were the methods they used to exfiltrate the data? Can you put countermeasures in place to keep that type of compromise from happening again? You need to gather as much information as possible about the attack. Present factual data. I can't tell you how many meetings I've been in where they think things: I think, I want you to think... I need facts, I mean hard facts. We need to be able to present this case. What was monitored? How was the compromise detected? That's your eyeball: how did you detect it? That was in one of his seven kill chain things, detection. And you need to notify management. You can't sit on your hands when this kind of stuff happens; you need to notify management immediately. Clearly document the attack and compromise: what was compromised, the severity, how many servers, what servers, what hosts, what network hardware. My favorite: Cisco, and Telnet that's open on all those devices. Really? Network hardware, all this stuff is internet facing. What were the credentials used? If possible, can you, you know, change all that? Save logs and capture files.

I encourage you to learn the tools. This is just a short list of tools; there's lots of tools. But for your network documentation piece: nmap, Nessus, Nexpose, Kali Linux (everybody's talked about that), the old Metasploit, Burp Suite (our man over here was talking about that earlier; Burp Suite, web auditing and attack framework), w3af, LAN Turtle (that's kind of a cool little USB Ethernet thing; people come and plug that into the back of a PC and now they've got access), SuperScan, port scanners, IP scanners. Again, a lot of those are free tools. So you don't want Magic Mike walking into your network with his Wireshark and LAN Turtle, you know what I'm saying.

So what can you do about it? Nothing. I'm kidding, kinda. I'm kind... I'm kidding. Configuration management: patch as soon as practical. Again, the reason a lot of this information that that tool he showed you earlier was there is, these are systems that are unpatched. There are still devices, SQL devices, that are sitting out there that are unpatched. There are all kinds of things that are out there unpatched. Again, follow up on your vulnerability scanning once you've put in the patches and make sure they're no longer vulnerable. Document the exceptions. Communicate, communicate, communicate; I can't stress that enough. Again, no tolerance for unauthorized users to come in and plug into your environment, especially Wi-Fi. I mean, I can't tell you how many places, just get on the Wi-Fi, it's part of your corporate network. Yeah, really? Okay, whatever, let me fire up my Wireshark with Wi-Fi mode, sat at the airport, and do that. Be careful. Identify security threats through packet analysis. Again, I have lots and lots of filters and I would be more than willing to show you a few if you want at the end of this. Ensure you have all the packets. Magic Mike's rule here is garbage in, garbage out. I get the whole frame slicing thing; I understand that, you know, trying to save disk space, whatever, but if you don't have all the packets and you don't have all the information, you can't tell the whole story. Again, if you can't see all the paths, how do you know you have all the information? So we want to look at any place that there is inbound and outbound access, and again, packet brokers: there's lots of these on the market, from very inexpensive ones to very expensive ones, depending upon, you know, what is your need and what do you want those packet brokers to do for you. They can filter, they can aggregate, and now you've got 24 by 7 network visibility.

So that's my presentation. You good? We're gonna talk Wireshark. Anybody got any Wireshark questions? I kind of know it a little, like, you know. Sure, it... that is me, that is me. You need a remedial lesson, is that the reason you're asking? Like, I can, if you all, you got the time; if you got the time, I got the beer. This is okay. And so with that intro, that's how I came up with this. A good friend of mine, the guy that kind of started that Excel spreadsheet, came to me one day and said, man, I'm struggling with packet stuff. If you teach me all this packet stuff and hex stuff and binary and frames, I'll teach you... He was a cyber cop at the time for the bomb making company in Kansas City that made the non-nuclear parts for nuclear weapons. Yeah, anyway. So he came
to me one afternoon and I said sure we sat down in my garage at my garage because at the time we both drank and we both smoked and the first of that is the key so after six of my favorite beers I grew up right down the street from coolers so you can already picture silver bullets flying I look down at my hands and I said oh my gosh there it is you got the best X calculator there is eight bits right a byte is eight bits one two four eight one two four eight he's got to adjust this yeah see here we go finger netting so one two four eight eight that you learned this in first
grade what does eight plus four plus two plus one equal fifteen but that's two digits we can't have two digits right that represent that in hex so what do we do when we get to eight plus two that's 1000 no that's where the a comes from right that's the Canadians hey ah bad joke so there's a b c d e right E now I gotta turn my back to you for this really to make sense f10 that's it that's the secret of binary decimal one hex right there if you can do that subnetting simple excellent question come to one of my classes and we'll have fun together other questions or you mean the other types of scans sure no they're excellent
I apologize, that's a great... can I expand on the other? Sure. So this SYN, first off, is the two bit. So now that you get the whole hand thing, right, so the SYN is the two bit is set. So I send the SYN, I expect a SYN and an ACK back from you. That's sort of the beginning of that, opening that session. You're expecting an ACK from me, and then we start our connection and we move data, and then I send a FIN when we're done, which is basically saying sayonara, and Japanese, fin, finished, and then you ACK and we go through, you know, three or four packets to tear down the session as well.
So those are the normal process to start and close a connection in TCP. But from the perspective of someone using the TCP sort of header against you, to scan to see what is there and, you know, can they evade techniques, firewall techniques, etcetera, they may set, instead of the SYN, they may send an urgent bit, or just an ACK, or just a push bit, or none of those bits set, all 0, that's a null, and see how does your server reply, what does it do. Does that answer your question, is that kind of where you were going with this? "...or reset ACKs?" Reset ACKs. So typically that normal... let's talk about the normal, right. So the normal reason to receive a
reset is: I send a SYN request to you, say on port 80, so I'm expecting to start a connection to what application? HTTP. But you're not a web server, you're the DNS server. Would you be able to SYN/ACK me back? No, if you did that would be a whole nother problem. So you would then send me a reset: you would ACK the receipt of my SYN and then you would send me a reset in that packet as well, saying, you know, no, I'm not going to open or start a connection with you because that port is not... that application service is not running on this particular server. And then there's, you know, the window has to be 0 and the
sequence number must be 0, so, you know, there's some things that have to happen in that that we can also validate with our Wireshark, that, you know, the stack is doing what it's supposed to. Good question. More? You wanna keep going? I love this stuff. Ooh, retransmits. Retransmits really isn't part of the hacking thing, but retransmits is part of the TCP process, sort of, I don't wanna say fails, but I sent data to you. Just a real easy scenario to show you this: as I send data to you, I start a retransmission timer. I'm looking at my watch, which doesn't exist, so you don't think I'm crazy. So I start my
retransmission timer, I send the data, my timer expires, and I didn't get your ACK back, so I'm gonna retransmit that data. So there's a retransmission timer for part of that process. There's also selective ACKs. There's just so many things; I can't teach TCP in three minutes, as much as I would love to, but those are excellent questions. So we're good? Okay, anyone else?
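The handshake flags, the odd flag combinations (null, lone URG, lone PSH) and the closed-port reset checks the speaker walks through above, as an added Python example that is not part of the talk: it decodes a raw TCP header, names the flag shape, and validates a reset reply the way you would eyeball it in Wireshark. The segments are constructed inline, and the "sequence number 0 / window 0" checks follow the speaker's description of a reset to a closed port.

```python
import struct

# TCP control bits in the low byte of the data-offset/flags word (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NAMES = ((FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"), (ACK, "ACK"), (URG, "URG"))
# Flag shapes a normal stack emits during open, data transfer and close
NORMAL = {SYN: "SYN", SYN | ACK: "SYN/ACK", ACK: "ACK", PSH | ACK: "PSH/ACK",
          FIN | ACK: "FIN/ACK", RST: "RST", RST | ACK: "RST/ACK"}

def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header (options and checksum ignored)."""
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", segment[:16])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x3F, "win": win}

def label_flags(flags: int) -> str:
    """Name the flag shape: a normal one, NULL (nothing set), or an odd
    combination like the ones the talk mentions (URG alone, PSH alone, ...)."""
    if flags in NORMAL:
        return NORMAL[flags]
    if flags == 0:
        return "NULL"
    return "unusual:" + "/".join(n for bit, n in NAMES if flags & bit)

def check_closed_port_reset(syn: dict, reply: dict) -> list:
    """Validate the reset a closed port returns for a SYN, as the talk describes:
    RST and ACK set, ACK = SYN seq + 1, sequence number 0, window 0."""
    problems = []
    if reply["flags"] != RST | ACK:
        problems.append("flags are %s, expected RST/ACK" % label_flags(reply["flags"]))
    if reply["ack"] != (syn["seq"] + 1) & 0xFFFFFFFF:
        problems.append("ACK is not SYN seq + 1")
    if reply["seq"] != 0:
        problems.append("sequence number is not 0")
    if reply["win"] != 0:
        problems.append("window is not 0")
    return problems

def build_tcp(sport, dport, seq, ack, flags, win=65535) -> bytes:
    """Constructed 20-byte segment (no options, checksum zeroed) for offline tests."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, win, 0, 0)

if __name__ == "__main__":
    syn = parse_tcp(build_tcp(40000, 80, 1000, 0, SYN))
    rst = parse_tcp(build_tcp(80, 40000, 0, 1001, RST | ACK, 0))
    print(label_flags(syn["flags"]), check_closed_port_reset(syn, rst))  # SYN []
    print(label_flags(parse_tcp(build_tcp(40000, 80, 5, 0, URG))["flags"]))  # unusual:URG
```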
Decrypting their own traffic, is that your question? Yes, many companies on the inside are decrypting their... you know, they're offloading today the encryption/decryption to, I hate the name, vendors, load balancers, we'll just say that, right. There's lots of those, lots of those, I won't pick on any of them. So typically those do the encryption and decryption. So if I'm capturing on the back side of that, where it's been decrypted, right, I can see all the application messages. If I'm capturing on the front side of that, where it's encrypted, then I have the technique where we use the TCP data length. So I know data is being transferred, and then I'm getting ACKs, and there are dataless ACKs that
are coming back from this, you know, whichever side of the device, that's a key, or there's ACKs with data as well. So I can't necessarily decrypt if I'm out on the other side of that without the key. Now if I have the key... not if I have, if you have the key in that trace file, then yes, we can decrypt. Sometimes, I'm not going to say all the time, because it depends, because of Diffie-Hellman, there's other aspects to the whole decryption part of that. But that's an excellent question. Did I answer it? Okay, okay.
"The load balancer is the thing that syncs up the packets... having one packet, you have to basically find the way to connect the outside traffic." How much money do you have? Okay, so I'm not trying to be facetious. There are tools that can do that, but, you know, just with Wireshark? No. Okay, so that was my point of that. I mean, if you have money to spend there are tools that we can, you know... If I get a capture from, let's say, the client, even HttpWatch on the clients, if you're running HttpWatch on the clients I can get the client, you know, the data before it gets encrypted from the browser, if we're talking a web
application, and I can get it on the front end, so I can still kind of put things together and tell you that, well, this transaction is probably this TCP connection. But not with Wireshark. Does that answer your question? Right, and the load balancer won't give you the table of who's keeping track. Yeah, that's always the problem. But if you got lots of money there are tools that can help you with that, and one of them... you haven't heard of it, I'll just... no, I was promised I wouldn't name. Go to my website, you'll find it, if it's out there. That's all I do is packet sniff.
It is, yeah, put the top kind of right-hand side there where it says frame header. You know, we're gonna ask you for your email and all that stuff. You can just put in blah blah blah blah blah, but you got to put in a real email so we can email it to you. For those of you that weren't paying attention, I'm kidding. It's M-N-D-X dot biz. That was a very good question, by the way. Pardon me? No, you got to get it from the PC. Yeah, it's just too much info. Let me show it to you again on the big screen, maybe.
Trying to not take over everybody else's time here. Right there, M-N-E-X dot biz, B-I-Z. If you look on the back of your page there, yeah, you can't hardly miss it. I'm down on the bottom left corner, I think, and if you can tell me what the binder is in, I won't test you. Okay, other questions? "As far as what training... sniffing... all got lots of IPv6?" Yes. Yeah, no, no, no, Wireshark will capture IPv6; all those tools will capture IPv6 packets. You know, IPv6 scares a lot of people, but if you can do hex, that's all IPv6 addresses are, is just a bunch of hex, 16 bytes. So the header is 40 bytes
instead of variable length. So from the packet perspective, IPv6 is not scary at all. Excellent questions. Others? Done? Okay, thanks for listening.