CCNA Cyber Ops SECFND 210-250 Lecture 2 (How TCP Works , Wireshark)
Category
📚
LearningTranscript
00:00 bismillah rahman rahim
00:02 Welcome back to our channel
00:04 Today we will be discussing
00:06 the basics of OSI
00:08 which we have already studied
00:10 and we are experts in it
00:12 Today we will be discussing
00:14 the topics of
00:16 TCP, TCP/IP, UDP, DNS and DACP
00:18 So let's start
00:20 We know that TCP is a
00:22 transport layer protocol
00:24 which we call layer 4
00:26 There are a lot of TCP based attacks
00:28 We will be discussing a few of them
00:30 TCP is a TCP based attack
00:32 which we put in the category of DOS
00:34 TCP establishes a connection
00:36 in a 3 way handshake
00:38 If a client sends a sync packet
00:40 it turns on the sync bit
00:42 and the reply
00:44 which acknowledges the sync
00:46 sends the server
00:48 the acknowledgement
00:50 if you want to access port 80
00:52 I think I told you last time
00:54 that if you want to see a server
00:56 I think I had run the command
00:58 but it was not working
01:00 If I want to do telnet
01:02 google.com
01:04 and hit enter
01:06 it will give me a blank screen
01:08 How will that blank screen be?
01:10 My computer will sync, act
01:12 and if there is a thing running on port 80
01:14 it will respond
01:16 There are a lot of ways
01:18 people find out what is going on in the network
01:20 In our UrduIT
01:22 lecture on bytes
01:24 a volunteer recorded
01:26 about IP scanner
01:28 he scans IP
01:30 there are a lot of scanning tools
01:32 they are scripting on the backend
01:34 IP protocol number is 6
01:36 if you use it in Wireshark
01:38 you can see
01:40 it is a connection oriented protocol
01:42 it maintains the information
01:44 of the entire session
01:46 and after completing it
01:48 it gives you a verification
01:50 it is a reliable transmission
01:52 checks verification
01:54 if there is any issue
01:56 in the network
01:58 so these are all things
02:00 so let's move ahead
02:02 TCP has a type of attack
02:04 called sync
02:06 what is sync attack?
02:08 attacker
02:10 attacker
02:12 sends a packet
02:14 a sync
02:16 and it is a spoof packet
02:18 but it says
02:20 my destination IP address
02:22 is the IP address of
02:24 the server of kashif
02:26 and
02:28 the way it sends a packet
02:30 and the server
02:32 sends a reply
02:34 to the kashif
02:36 and the other packet
02:38 sends a reply to the asif
02:40 so these are
02:42 the sync attacks
02:44 there are a lot of sync attacks
02:46 that are used
02:48 for example, if I make a packet
02:50 a packet that is only of sync
02:52 say for example, 20 bytes
02:54 and send it to a DNS server
02:56 and send it to a DNS server
02:58 and tell this DNS server
03:00 that I am sending this packet
03:02 and my source IP address
03:04 is urduitacademy
03:06 and send me
03:08 a copy of google DNS
03:10 send me a copy of DNS entry
03:12 so from a 20 bytes packet
03:14 a lot of packets come to me
03:16 say for example, 500 kilobytes
03:18 and I
03:20 send this packet to
03:22 15 DNS servers
03:24 so 15 DNS servers
03:26 send me a 10 MB
03:28 data instead of 20 bytes
03:30 this is called
03:32 amplification attack
03:34 an amplified type
03:36 of attack
03:38 there are a lot of attacks like this in the market
03:40 you know the header of TCP
03:42 there is a version detail
03:44 we use a random port number
03:46 if we are sending a source packet
03:48 16 bit source port number
03:50 protocol ID
03:52 identification, type of services
03:54 total length, fragment offset
03:56 these are the flags
03:58 source address, destination address, source port address
04:00 urgent, ack, push
04:02 reset, sync, fin
04:04 these are the flags
04:06 that we use in TCP
04:08 this is the IP header
04:10 and this is the TCP header
04:12 we have already discussed about the TCP header
04:14 we are talking about
04:16 source port, destination port, sequence number, acknowledgement number
04:18 destination port is provided by
04:20 the AANA, if you have a web server
04:22 port number is 80, if you have a FTP server
04:24 21, if you have a DNS
04:26 I think it is 53
04:28 UDP
04:30 DNS can be used by TCP
04:32 sequence number
04:34 and acknowledgement number
04:36 make sure the flow is in order
04:38 sequence number and acknowledgement number
04:40 are very important things
04:42 initial sequence number
04:44 this is my PC
04:46 it has to communicate with PC2
04:48 PCA and PCB
04:50 it has to communicate with PCA and PCB
04:52 and what it does
04:54 it syncs the control bit
04:56 this is my control bit
04:58 I have changed it to 1
05:00 and the rest is 0 0 0
05:02 and the next
05:04 sequence number is 200
05:06 so here
05:08 where is the sequence number
05:10 now let's see what happens
05:12 as the sync packet comes here
05:14 it enables the sync and ack bit
05:16 sync and ack bit
05:18 is enabled
05:20 and says acknowledgement of 201
05:22 and says acknowledgement of 201
05:24 and now I am sending the acknowledgement
05:26 and I have changed the sequence number to 300
05:28 and sync ack is gone
05:30 and what is sent in the control
05:32 sync and ack
05:34 now it sends the acknowledgement
05:36 that I have got the acknowledgement of 201
05:38 and the sequence number is 200
05:40 earlier I sent 201
05:42 and now it is 201
05:44 and I am sending the acknowledgement
05:46 of the sequence
05:48 I think it should be 200
05:50 acknowledgement is sent
05:52 acknowledgement is sent
05:54 of 200 and my sequence number is 300
05:56 and this is the sequence number 201
05:58 and this is the acknowledgement
06:00 that is sent
06:02 hmmm
06:04 hmmm
06:06 correction
06:08 I had to verify
06:10 one second
06:12 let me take the eraser
06:14 this is 201
06:16 that is the reason
06:18 I will tell you
06:20 the reason is
06:22 it says I have got 200
06:24 and I am expecting 201
06:26 so when it sends
06:28 the acknowledgement again
06:30 it says this is my sequence number 201
06:32 and acknowledgement is 301
06:34 that I am expecting 301
06:36 and after that the acknowledgement is done
06:38 and the data is transferred
06:40 and the final shutdown is done
06:42 and the packet is FIN
06:44 if you are seeing a communication between two devices
06:46 and then you are seeing FIN
06:48 then you will understand
06:50 that you are in security operation center
06:52 and when I will teach you these things
06:54 I will give you example of security operation center
06:56 you are seeing a packet
06:58 and it is SYN
07:00 SYN
07:02 and in these packets SYN is enabled
07:04 and your PCO sends SYN
07:06 and after that there is no bit of acknowledgement
07:08 SYN SYN SYN
07:10 so if you are in security operation center
07:12 and you are seeing this packet
07:14 but
07:16 there is a condition that you are seeing all these packets
07:18 so you will verify
07:20 that this is SYN attack
07:22 this is SYN attack and it is coming from one IP address
07:24 so let's block this IP address
07:26 this is actually SOC 1 expectation
07:28 you don't have this much detail expectation
07:30 that we have gone to SOC 2
07:32 but my try will be that when you are leaving from here
07:34 you should know a lot of things about SOC 2
07:36 you should not know this for security operation center
07:38 ok
07:40 after that I have added
07:42 one extra slide
07:44 DDoS attack is a very important attack
07:46 Denial of services attack
07:48 this is a careless firewall
07:50 which we call web application firewall
07:52 this is not a standard firewall
07:54 which is put in front of your website
07:56 which protects your website from many things
07:58 this is a tool
08:00 if you are installing this, then try to move it to a real website
08:02 and run it
08:04 ok
08:06 you can run it for 5 seconds to test it on urdu IT
08:08 I am giving you permission
08:10 not more than this
08:12 this is an illegal website
08:14 if you are in western world
08:16 then it will be a big problem for you
08:18 so if you put a website's name like loworbitcanon
08:20 and move it to that website, it will block everything
08:22 DDoS and DDoS attack
08:24 this amplification attack which I have shown you
08:26 was very simple while using TCP
08:28 not TCP, it was used while using DNS
08:30 ok
08:32 anyway, DDoS and DDoS attack can be divided in 3 types
08:34 Volume based attack
08:36 which is a lot of ICMP
08:38 which is a lot of packet
08:40 and UDP
08:42 which is a lot of packets
08:44 similarly, protocol based attack
08:46 which is a lot of ICMP
08:48 Sink flood
08:50 which is a lot of packets
08:52 what is the loss of sink packet
08:54 let me clear the ink
08:56 ok
08:58 erase all ink
09:00 this is your web server
09:02 I have sent a sink packet
09:04 if it is running on port 80
09:06 then it will reserve a memory
09:08 that this first sink
09:10 I have to give it a place
09:12 after some time
09:14 because this connection will be complete
09:16 so it will give a place in memory
09:18 similarly, if I send a lot of
09:20 SIN
09:22 from multiple IP
09:24 so it will overflow
09:26 and the legitimate user
09:28 when he will try to come
09:30 he will not be able to reach the website
09:32 so should not be
09:34 that this is
09:36 see for some time
09:38 the reply of SIN packet did not come
09:40 I have sent SIN ACK
09:42 and there is no acknowledgement of this packet
09:44 so I should clear this memory
09:46 yes
09:48 if you have a firewall in front
09:50 there is a concept
09:52 of embryonic
09:54 connection
09:56 and I think
09:58 30 seconds time is given for SIN
10:00 your firewall will drop this packet
10:02 that is, that connection will be
10:04 removed from the CON table after 30 seconds
10:06 ok
10:08 but I am assuming
10:10 if you are doing CCNA cyber
10:12 then you have read CCNA and CCNA security
10:14 although it does not suggest
10:16 but it is a very strong suggestion
10:18 if you have read CCNA and CCNA security
10:20 then many things will be clear
10:22 ok
10:24 after that there is a type of attack
10:26 application level attack
10:28 that get and post
10:30 such information should be posted
10:32 that system throws an error message
10:34 or system crashes
10:36 for this you do not need to send a lot of packets
10:38 but protocol attacks
10:40 or volume based attacks
10:42 now see this
10:44 almost says that there is a very big
10:46 attack called denial of service
10:48 attack was 200 to 250 GB
10:50 attack was 200 to 250 GB
10:52 this attack started at 5 o'clock
10:54 and at 5.50
10:56 they have controlled
10:58 and at 6 o'clock
11:00 they have sent the website to 250 GB
11:02 and at 6 o'clock they have sent the website to 250 GB
11:04 250 GB is a lot of traffic
11:06 250 GB is a lot of traffic
11:08 and for this you need a lot of people
11:10 you need volunteers to attack
11:12 so anyway
11:14 Imperva is a really good web application firewall
11:16 like we call WAF
11:18 so if you go to their website
11:20 they have a lot of information
11:22 if you have a website that is
11:24 vulnerable to OSP attacks
11:26 so you can use
11:28 Imperva's WAF
11:30 it is going to help you
11:32 they have a cloud based solution
11:34 I am teaching Cisco
11:36 because Cisco does not give WAF solution
11:38 so anyway
11:40 you know about TCP
11:42 protocol, sync, sync-ac
11:44 and ac packets
11:46 and UDP layer 4
11:48 protocol is connectionless
11:50 IP protocol no. 17
11:52 TCP protocol no. 6
11:54 best effort type communication
11:56 one way, fast
11:58 IPerf uses it
12:00 you remember
12:02 if two network engineers
12:04 want to check link speed
12:06 between their offices
12:08 one of them make IPerf client
12:10 and other one make IPerf server
12:12 and they transfer heavy
12:14 duty speed on UDP
12:16 if there is issue of windowing in TCP
12:18 so this is UDP based communication
12:20 UDP header
12:22 is very simple
12:24 16 bit source port
12:26 destination port
12:28 checksum UDP length and data
12:30 so there is no
12:32 science in it
12:34 UDP quick communication
12:36 all your traffic zones are UDP based
12:38 UDP
12:40 Cisco engineer use it on TFTP server
12:42 SNMP uses it
12:44 SNMP manages error checking
12:46 in SNMP
12:48 it checks error
12:50 in DNS
12:52 urduitacademy.com
12:54 if you request DNS
12:56 so DNS uses UDP
12:58 but TCP also uses it
13:00 NTP network time protocol
13:02 uses UDP port no. 1,2,3
13:04 you should know all these things
13:06 because if you are security analyst
13:08 so if you see in your network
13:10 there is 1,2,3 packet
13:12 NTP time based protocol
13:14 so if you see packet
13:16 and 1,2,3 port
13:18 then you should know
13:20 NTP based traffic is going
13:22 ARP
13:24 address resolution protocol
13:26 address resolution protocol
13:28 is Mac address
13:30 finds and gives you
13:32 if Kashif
13:34 wants to talk to PCB
13:36 so data
13:38 segment, packet, frames
13:40 so when it comes to
13:42 frame layer, we need
13:44 destination computer's MAC address
13:46 to find MAC address
13:48 we use ARP table
13:50 if you want to see ARP table entry
13:52 you can see
13:54 ARP -A
13:56 so you can see ARP table entry
13:58 all devices in my network
14:00 have MAC address
14:02 these are the devices
14:04 you can see
14:06 subnet mask
14:08 so you can see
14:10 multiple interfaces
14:12 10-12 interfaces
14:14 because VMware is installed
14:16 ARP poisoning can also happen
14:18 ARP works on
14:20 layer 2 and layer 3
14:22 this is very important
14:24 you should understand this
14:26 because it has frame entry
14:28 IPv6 or IPv4
14:30 let's run
14:32 Wireshark
14:34 ARP poisoning
14:36 can be used in many ways
14:38 mostly man in the middle
14:40 this is your switch
14:42 this is your PC
14:44 and this is your router
14:46 hacker comes here
14:48 and tells you switch
14:50 or poison ARP
14:52 and says
14:54 192.168.0.1
14:56 this is my
14:58 MAC address
15:00 PC sends you traffic
15:02 and your link
15:04 is from router
15:06 so it gets internet but through you
15:08 this whole concept is called
15:10 ARP poisoning
15:12 there are many ways to avoid ARP poisoning
15:14 being a network
15:16 security engineer you know all these things
15:18 DACP starvation
15:20 DACP spoofing, DACP snooping
15:22 you know all these things
15:24 our purpose is not to teach all these things
15:26 we have suggested you that if you have studied
15:28 CCNS security then you will go to
15:30 level 2 as a network engineer
15:32 depends
15:34 no promises
15:36 so the ether type of ARP
15:38 is for IPv4 and IPv6
15:40 let's run Wireshark
15:42 I have installed Wireshark
15:44 I think I have it
15:46 should be there
15:48 and
15:50 wireless network connection
15:52 I think this should be
15:54 here
15:56 ok
15:58 and open the browser
16:00 and refresh urduit academy
16:02 ok
16:04 there is no
16:06 ARP
16:08 ARP
16:10 ARP
16:12 ARP
16:14 ARP
16:16 ARP
16:18 found it
16:20 it is telling
16:22 1680.18
16:24 tell 192.168.0.1
16:26 and if you see
16:28 here
16:30 0x0806
16:32 let me stop it
16:34 ok
16:36 so this
16:38 0x806
16:40 is here
16:42 yes
16:44 this 806
16:46 probably
16:48 0x806
16:50 0x806
16:52 0x806
16:54 0x806
16:56 I think
16:58 there is a mistake
17:00 it should be 806
17:02 let me pause the video
17:04 and verify
17:06 0x
17:08 yes it is ARP
17:10 not 800
17:12 it should be 806
17:14 ok
17:16 so this is the frame entry
17:18 this is the ARP entry
17:20 0x806
17:22 and then
17:24 communication
17:26 if I have a computer
17:28 and it says
17:30 send data to urduit academy
17:32 open the browser
17:34 transport layer says
17:36 I will send using a TCP
17:38 TCP will go
17:40 and establish the connection
17:42 TCP sync
17:44 I will send it to 1.1.1.10
17:46 I have to send it to this
17:48 source IP address is done
17:50 destination IP address is done
17:52 TCP sync flag is on
17:54 layer 2 says
17:56 I need an ARP address
17:58 I need a MAC address
18:00 ARP checks the table
18:02 which table we have seen
18:04 ARP -A
18:06 it checks if I have this entry
18:08 if not
18:10 ARP says resolve it
18:12 ARP broadcasts
18:14 IM111 with MAC address
18:16 send to FFFF
18:18 any machine that hears that message
18:20 replies back
18:22 when the machine returns
18:24 the packet is ready
18:26 and it goes to the server
18:28 we are assuming
18:30 that the computer
18:32 has resolved the urduit academy
18:34 and it knows the IP address
18:36 this is a general breakdown
18:38 we have already discussed
18:40 finally the packet is ready
18:42 TCP sync flag
18:44 source IP address
18:46 destination IP address
18:48 packet is ready
18:50 sync
18:52 and then data transfer
18:54 now comes the DACP
18:56 what is DACP
18:58 very good
19:00 I got it
19:02 DACP
19:04 DACP
19:06 Dynamic Host Configuration Protocol
19:14 DACP
19:16 sometimes happens
19:18 DACP
19:20 gives you IP addresses
19:22 and many other things
19:24 DACP pool option
19:26 2 DACP attacks
19:28 one is called DACP insertion
19:30 you insert DACP in your network
19:32 you say
19:34 I am your DACP server
19:36 what is the loss if someone gives you IP address
19:38 the loss is
19:40 say for example
19:42 I give many examples of DACP
19:44 if you enter a city
19:46 and city map
19:48 gives you DACP server
19:50 you enter a city
19:52 and someone
19:54 gives you a map
19:56 and the map tells you
19:58 to go to zoo, hotel
20:00 and so on
20:02 if you enter a city
20:04 and before entry
20:06 this is the main check point
20:08 a person is standing here
20:10 in yellow shirt and high vish jacket
20:12 and he gives you a map
20:14 and the way you reach here
20:16 and that person gives you a map
20:18 and you say I already have got it
20:20 and in this map all the hotels
20:22 are named dodgy
20:24 and you skim your money
20:26 so you are at loss
20:28 you will stay in city
20:30 or hotel, nothing will happen
20:32 but when you will go back
20:34 your card will be full of data
20:36 and your money will be gone
20:38 so what will be the reason
20:40 the reason will be
20:42 the map given to you
20:44 is the same as before
20:46 so this is how DACP server works
20:48 and the second type of attack
20:50 is DACP starvation
20:52 DACP discover
20:54 you send a packet to discover
20:56 and DACP server replies
20:58 that I am your DACP server
21:00 because you generate broadcast
21:02 and you request IP address
21:04 and you get IP address with lease
21:06 UDP based communication is happening
21:08 once again
21:10 you are sitting in a stock
21:12 and you are seeing packets
21:14 UDP 68 68 68 68
21:16 and 67 also many are happening
21:18 and you see that
21:20 many requests are coming
21:22 you start to see MAC address
21:24 you start to analyze
21:26 you see MAC table
21:28 all MAC addresses
21:30 are on same switch port
21:32 so what does it mean
21:34 this machine is continuously changing MAC address
21:36 and taking early IP address
21:38 but in your switch MAC table
21:40 in one port
21:42 there will be 5000 IP addresses
21:44 5000 MAC addresses
21:46 in MAC table
21:48 you will know that DACP starvation attack is happening
21:50 that's why this configuration is in your switch
21:52 how to do this configuration
21:54 you can see in CCNA security
21:56 I have taught this
21:58 this is very important
22:00 but you don't implement
22:02 after that comes DNS
22:04 typical story
22:06 you can't remember the IP address of URDU IT Academy
22:08 readable name to IP address
22:10 global distribution of database
22:12 NS lookup command
22:14 you go to server
22:16 TCP UDP UDP mostly 53
22:18 and you ask to bring URDU IT Academy
22:20 command prompt
22:22 NS lookup
22:24 urduitacademy.com
22:26 urduitacademy.com
22:28 urduitacademy.com
22:30 and it will bring you
22:32 URDU IT Academy server IP address
22:34 welcome back
22:36 welcome back
22:38 DNS server
22:40 DNS server
22:42 you start to see
22:44 these entries
22:46 DNS has different type of resource
22:48 let's see
22:50 DNS is hierarchy
22:52 root level domain
22:54 top level domain
22:56 ARPA, COM, NET, GOV
22:58 TLD
23:00 second level domain
23:02 like Cisco.com
23:04 then sub domains
23:06 these are all hierarchies
23:08 iterative recursive queries
23:10 we have discussed all these
23:12 in DNS
23:14 there is a type of record
23:16 called
23:18 some records in DNS
23:20 which are called
23:22 resource record
23:24 some entries of resource record
23:26 are visible
23:28 in your database
23:30 we are not going to discuss about this
23:32 but A record is
23:34 IP address of server
23:36 AAA or quad A
23:38 is IPv6 address
23:40 this address is
23:42 AAA record and this is A record
23:44 similarly C name
23:46 what is C name
23:48 you have to call a server
23:50 and refer it
23:52 say for example
23:54 www
23:56 and I have put web1
23:58 I will write www
24:00 and it will go to web1
24:02 now I have to change web1
24:04 I have to put web2
24:06 and point out C name
24:08 and shut down web1
24:10 MX record
24:12 will go to MX server
24:14 pointer record
24:16 will point to C name
24:18 SOA
24:20 start of authority
24:22 like copy of zone
24:24 database
24:26 in DNS
24:28 is called zone
24:30 copy of zone
24:32 in authoritative domain
24:34 is called
24:36 SOA
24:38 name of SOA
24:40 like I have put
24:42 urduitacademy.com
24:44 and go to my ISP
24:46 you can see my ISP name
24:48 and after that
24:50 your reply is
24:52 non authoritative domain server
24:54 this is a server
24:56 which is not
24:58 main DNS server of UIT
25:00 this is another server
25:02 if you want authoritative
25:04 you have to put your name
25:06 on that server
25:08 this is not my IP address
25:10 if I start showing like this
25:12 then everyone will know my IP address
25:14 I have put cloudflare in front of my web server
25:16 cloudflare gives you
25:18 some hosting services
25:20 like I have talked about WAF
25:22 for example
25:24 in nslookup
25:26 nslookup is a detailed tool
25:28 we are not expecting you to know
25:30 all these commands
25:32 set q = mx
25:34 I have said show mx record
25:36 show mx record
25:38 urduitacademy.com
25:40 urduitacademy.com
25:42 and see this
25:44 all these are the servers
25:46 which are running mail services
25:48 admin@urduitacademy.com
25:50 careeradvice@urduitacademy.com
25:52 these are the servers
25:54 actually we have offloaded these services to google
25:56 another domain name is
25:58 urdu.academ.academy
26:00 urdu.academ.academy
26:02 this is the name of urduitacademy.com
26:04 and we have forwarded this to urduitacademy.com
26:06 and we have forwarded this to urduitacademy.com
26:08 this is the domain name
26:10 which we have made a while ago
26:12 urdu.academy
26:14 this is the only domain name
26:16 which is unique for us
26:18 if you go to
26:20 urdu.academy.com
26:22 urdu.academy.com
26:24 it will forward you to urduitacademy.com
26:26 it will forward you to urduitacademy.com
26:28 this is the c name
26:30 let's move ahead
26:32 let's move ahead
26:34 we have talked a lot about DNS
26:36 now we have ICMP
26:38 ICMP is a ping packet
26:40 you know that you ping all day long
26:42 internet control message protocol
26:44 RFC tell us something is not reachable
26:46 or reachable
26:48 but hackers extract a lot of information from it
26:50 but hackers extract a lot of information from it
26:52 you are checking the size of ICMP reply packet
26:54 you are checking the size of ICMP reply packet
26:56 you are checking the maximum size of ICMP reply packet
26:58 you are checking the maximum size of ICMP reply packet
27:00 if ICMP reply packet is big
27:02 if ICMP reply packet is big
27:04 then it is suspicious
27:06 because many tools tunnel
27:08 because many tools tunnel
27:10 using ICMP protocol
27:12 when data is in exfiltration stage
27:14 you see that this PC is pinging outside world
27:16 but later you come to know that
27:18 this ping packet is big
27:20 I am very interested to look into it
27:22 then you come to know
27:24 ICMP has all code types
27:26 ICMP has all code types
27:28 you might need to know some of them
27:30 you might need to know some of them
27:32 for the exam purpose
27:34 then comes TCP dump and Wireshark
27:36 then comes TCP dump and Wireshark
27:38 I have opened Wireshark
27:40 you can see all packets
27:42 if we go in detail
27:44 then apply, follow the TCP stream
27:46 what was happening in TCP stream
27:48 it was going to a specific website
27:50 it was going to a specific website
27:52 I have opened a specific stream
27:54 you can work with it
27:56 I had a plan to do a series on Wireshark
27:58 I had a plan to do a series on Wireshark
28:00 I had a plan to do a series on Wireshark
28:02 I had a plan to do a series on Wireshark
28:04 I had a plan to do a series on Wireshark
28:06 I had a plan to do a series on Wireshark
28:08 I had a plan to do a series on Wireshark
28:10 I had a plan to do a series on Wireshark
28:12 I had a plan to do a series on Wireshark
28:14 I had a plan to do a series on Wireshark
28:16 I had a plan to do a series on Wireshark
28:18 I had a plan to do a series on Wireshark
28:20 I had a plan to do a series on Wireshark
28:22 I had a plan to do a series on Wireshark
28:24 I had a plan to do a series on Wireshark
28:26 I had a plan to do a series on Wireshark
28:28 I had a plan to do a series on Wireshark
28:30 I had a plan to do a series on Wireshark
28:32 I had a plan to do a series on Wireshark
28:34 I had a plan to do a series on Wireshark
28:36 I had a plan to do a series on Wireshark
28:38 I had a plan to do a series on Wireshark
28:40 I had a plan to do a series on Wireshark
28:42 I had a plan to do a series on Wireshark
28:44 I had a plan to do a series on Wireshark
28:46 I had a plan to do a series on Wireshark
28:48 I had a plan to do a series on Wireshark
28:50 I had a plan to do a series on Wireshark
28:52 I had a plan to do a series on Wireshark
28:54 I had a plan to do a series on Wireshark
28:56 I had a plan to do a series on Wireshark
28:58 I had a plan to do a series on Wireshark
29:00 I had a plan to do a series on Wireshark
29:02 I had a plan to do a series on Wireshark
29:04 I had a plan to do a series on Wireshark
29:06 I had a plan to do a series on Wireshark
29:08 I had a plan to do a series on Wireshark
29:10 I had a plan to do a series on Wireshark
29:12 I had a plan to do a series on Wireshark
29:14 I had a plan to do a series on Wireshark
29:16 I had a plan to do a series on Wireshark
29:18 I had a plan to do a series on Wireshark
29:20 I had a plan to do a series on Wireshark
29:22 I had a plan to do a series on Wireshark
29:24 I had a plan to do a series on Wireshark
29:26 I had a plan to do a series on Wireshark
29:28 I had a plan to do a series on Wireshark
29:30 I had a plan to do a series on Wireshark
29:32 I had a plan to do a series on Wireshark
29:34 I had a plan to do a series on Wireshark
29:36 I had a plan to do a series on Wireshark
29:38 I had a plan to do a series on Wireshark
29:40 I had a plan to do a series on Wireshark
29:42 I had a plan to do a series on Wireshark
29:44 I had a plan to do a series on Wireshark
29:46 I had a plan to do a series on Wireshark
29:48 I had a plan to do a series on Wireshark
29:50 I had a plan to do a series on Wireshark
29:52 I had a plan to do a series on Wireshark
29:54 I had a plan to do a series on Wireshark
29:56 I had a plan to do a series on Wireshark
29:58 I had a plan to do a series on Wireshark
30:00 I had a plan to do a series on Wireshark
30:02 I had a plan to do a series on Wireshark
30:04 I had a plan to do a series on Wireshark
30:06 I had a plan to do a series on Wireshark
30:08 I had a plan to do a series on Wireshark
30:10 I had a plan to do a series on Wireshark
30:12 I had a plan to do a series on Wireshark
30:14 I had a plan to do a series on Wireshark
30:16 I had a plan to do a series on Wireshark
30:18 I had a plan to do a series on Wireshark
30:20 I had a plan to do a series on Wireshark
30:22 I had a plan to do a series on Wireshark
30:24 I had a plan to do a series on Wireshark
30:26 I had a plan to do a series on Wireshark
30:28 I had a plan to do a series on Wireshark
30:30 I had a plan to do a series on Wireshark
30:32 I had a plan to do a series on Wireshark
30:34 I had a plan to do a series on Wireshark
30:36 I had a plan to do a series on Wireshark
30:38 I had a plan to do a series on Wireshark
30:40 I had a plan to do a series on Wireshark
30:42 I had a plan to do a series on Wireshark
30:44 I had a plan to do a series on Wireshark
30:46 I had a plan to do a series on Wireshark
30:48 I had a plan to do a series on Wireshark
30:50 I had a plan to do a series on Wireshark
30:52 I had a plan to do a series on Wireshark
30:54 I had a plan to do a series on Wireshark
30:56 I had a plan to do a series on Wireshark
30:58 I had a plan to do a series on Wireshark
31:00 I had a plan to do a series on Wireshark
31:02 I had a plan to do a series on Wireshark
31:04 I had a plan to do a series on Wireshark
31:06 I had a plan to do a series on Wireshark
31:08 I had a plan to do a series on Wireshark
31:10 I had a plan to do a series on Wireshark
31:12 I had a plan to do a series on Wireshark
31:14 I had a plan to do a series on Wireshark
31:16 I had a plan to do a series on Wireshark
31:18 I had a plan to do a series on Wireshark
31:20 I had a plan to do a series on Wireshark
31:22 I had a plan to do a series on Wireshark
31:24 I had a plan to do a series on Wireshark
31:26 I had a plan to do a series on Wireshark
31:28 I had a plan to do a series on Wireshark
31:30 I had a plan to do a series on Wireshark
31:32 I had a plan to do a series on Wireshark
31:34 I had a plan to do a series on Wireshark
31:36 I had a plan to do a series on Wireshark
31:38 I had a plan to do a series on Wireshark
31:40 I had a plan to do a series on Wireshark
31:42 I had a plan to do a series on Wireshark
31:44 I had a plan to do a series on Wireshark
31:46 I had a plan to do a series on Wireshark
31:48 I had a plan to do a series on Wireshark
31:50 I had a plan to do a series on Wireshark
31:52 I had a plan to do a series on Wireshark
31:54 I had a plan to do a series on Wireshark
31:56 I had a plan to do a series on Wireshark
31:58 I had a plan to do a series on Wireshark
32:00 I had a plan to do a series on Wireshark
32:02 I had a plan to do a series on Wireshark
32:04 I had a plan to do a series on Wireshark
32:06 I had a plan to do a series on Wireshark
32:08 I had a plan to do a series on Wireshark
32:10 I had a plan to do a series on Wireshark
32:12 I had a plan to do a series on Wireshark
32:14 I had a plan to do a series on Wireshark
32:16 I had a plan to do a series on Wireshark
32:18 I had a plan to do a series on Wireshark
32:20 I had a plan to do a series on Wireshark
32:22 I had a plan to do a series on Wireshark
32:24 I had a plan to do a series on Wireshark
32:26 I had a plan to do a series on Wireshark
32:28 I had a plan to do a series on Wireshark
32:30 I had a plan to do a series on Wireshark
32:32 I had a plan to do a series on Wireshark
32:34 I had a plan to do a series on Wireshark
32:36 I had a plan to do a series on Wireshark
32:38 I had a plan to do a series on Wireshark
32:40 I had a plan to do a series on Wireshark
32:42 I had a plan to do a series on Wireshark
32:44 I had a plan to do a series on Wireshark
32:46 I had a plan to do a series on Wireshark
32:48 I had a plan to do a series on Wireshark
32:50 I had a plan to do a series on Wireshark
32:52 I had a plan to do a series on Wireshark
32:54 I had a plan to do a series on Wireshark
32:56 I had a plan to do a series on Wireshark
32:58 I had a plan to do a series on Wireshark
33:00 I had a plan to do a series on Wireshark
33:02 I had a plan to do a series on Wireshark
33:04 I had a plan to do a series on Wireshark
33:06 I had a plan to do a series on Wireshark
33:08 I had a plan to do a series on Wireshark
33:10 I had a plan to do a series on Wireshark
33:12 I had a plan to do a series on Wireshark
33:14 I had a plan to do a series on Wireshark
33:16 I had a plan to do a series on Wireshark
33:18 I had a plan to do a series on Wireshark
33:20 I had a plan to do a series on Wireshark
33:22 I had a plan to do a series on Wireshark
33:24 I had a plan to do a series on Wireshark
33:26 I had a plan to do a series on Wireshark
33:28 I had a plan to do a series on Wireshark
33:30 I had a plan to do a series on Wireshark
33:32 I had a plan to do a series on Wireshark
33:34 I had a plan to do a series on Wireshark
33:36 I had a plan to do a series on Wireshark
33:38 I had a plan to do a series on Wireshark
33:40 I had a plan to do a series on Wireshark
33:42 I had a plan to do a series on Wireshark
33:44 I had a plan to do a series on Wireshark
33:46 I had a plan to do a series on Wireshark
33:48 I had a plan to do a series on Wireshark
33:50 I had a plan to do a series on Wireshark
33:52 I had a plan to do a series on Wireshark
33:54 I had a plan to do a series on Wireshark
33:56 I had a plan to do a series on Wireshark
33:58 I had a plan to do a series on Wireshark
34:00 I had a plan to do a series on Wireshark
34:02 I had a plan to do a series on Wireshark
34:04 I had a plan to do a series on Wireshark
34:06 I had a plan to do a series on Wireshark
34:08 I had a plan to do a series on Wireshark
34:10 I had a plan to do a series on Wireshark
34:12 I had a plan to do a series on Wireshark
34:14 I had a plan to do a series on Wireshark
34:16 I had a plan to do a series on Wireshark
34:18 I had a plan to do a series on Wireshark
34:20 I had a plan to do a series on Wireshark
34:22 I had a plan to do a series on Wireshark
34:24 I had a plan to do a series on Wireshark
34:26 I had a plan to do a series on Wireshark
34:28 I had a plan to do a series on Wireshark
34:30 I had a plan to do a series on Wireshark
34:32 I had a plan to do a series on Wireshark
34:34 I had a plan to do a series on Wireshark
34:36 I had a plan to do a series on Wireshark
34:38 I had a plan to do a series on Wireshark
34:40 I had a plan to do a series on Wireshark
34:42 I had a plan to do a series on Wireshark
34:44 I had a plan to do a series on Wireshark
34:46 I had a plan to do a series on Wireshark
34:48 I had a plan to do a series on Wireshark
34:50 I had a plan to do a series on Wireshark
34:52 I had a plan to do a series on Wireshark
34:54 I had a plan to do a series on Wireshark
34:56 I had a plan to do a series on Wireshark
34:58 I had a plan to do a series on Wireshark
35:00 I had a plan to do a series on Wireshark
35:02 I had a plan to do a series on Wireshark
35:04 I had a plan to do a series on Wireshark
35:06 I had a plan to do a series on Wireshark
35:08 I had a plan to do a series on Wireshark
35:10 I had a plan to do a series on Wireshark
35:12 I had a plan to do a series on Wireshark
35:14 I had a plan to do a series on Wireshark
35:16 I had a plan to do a series on Wireshark
35:18 I had a plan to do a series on Wireshark
35:20 I had a plan to do a series on Wireshark
35:22 I had a plan to do a series on Wireshark
35:24 I had a plan to do a series on Wireshark
35:26 I had a plan to do a series on Wireshark
35:28 I had a plan to do a series on Wireshark
35:30 I had a plan to do a series on Wireshark