Wireshark (It's been a minute, Maverick!) Tutorial. SYN, ISN, & what exactly is a sequence number?
- Published 18 Sep 2024
- In this video, we start to look at actual trace files! I’m starting slowly, beginning with how TCP SYN and sequence numbers work. Even if you know it, you may learn a new way of explaining it to others. I also talk about what’s wrong with TCP in terms of security and why Zero Trust principles came about.
Was a welcome surprise seeing a new video on my feed from you today. Very happy to see you back making videos, I really appreciate the way you explain things.
Appreciate the kind words. Let's hope it's not another 18 months! 😜
Thank you for the efforts you are putting in to create these videos Hansang. Please do not worry too much about quality or presentation so much that it makes it harder for you to post more content. Things don’t have to be perfect. The valuable knowledge you share and the wonderful explanations you provide are worth ignoring the errors. Thanks again for your time!
Thanks! I may do that. The actual recording of it is in real time. I rarely do two takes for this stuff. But it takes a good 90 min to add the overlays, fix the sound etc.
Made my day to see this series resumed. Good stuff!
Very kind of you to say!
Even if I know about sequence numbers, it’s a pleasure to see and hear your explanation. Cheers
Driss, that's very very kind of you!
Hansang the great. As always, excellent material!!!
Thank you! I do appreciate it.
I would be interested in learning about zero trust after you’re done with this playlist.
That may be a good VLOG type video. Thanks for watching
i love your tutorial vids
TY!
Hey i know this is off topic but I was curious about what you had to say about Patreon. Look forward to hearing from you!
Hey Richard. Patreon kicked out a bunch of conservative creators. One, Sydney Watson, didn't even post anything on Patreon. They kicked her off because of something she said outside of Patreon. To me, the 1st Amendment is sacrosanct. The fact that Patreon can kick people off (almost all, if not all, conservatives) pisses me off. So I decided not to give them any of my money. It wasn't an easy decision because I had a bunch of people I gave to on there. But now there are other options (direct from your website a la Square Space etc., or other Patreon-like sites that don't censor).
@hansangb oh wow. I had no idea that happened. Thanks for the info. Our whole team is conservative basically. I can see why you wouldn’t want to deal with them.
I appreciate the input.
Thank you ❤
Glad it helped!
Nice vid Hansang. May the youtube algorithm promote your videos to the world. I see you use your copy of Cisco Routing TCP/IP Volume 1 just like I do, to hold other things in place!
I was at your sessions in SFEU 2018. Will you be at SFEU this year?
Kevin, yes, as of now I'll be there. Yeah, I had the book in a drawer and I know it was the perfect height (and heft!) :)
Really great explanation Hansang! Good to see a new video. Which tablet are you using? I do a lot of diagramming when sharing analyses and would like an easier way to mark them up than the mouse provides.
Been a while, Todd! It's the reMarkable 2 tablet. It's an EMR based (E-ink) tablet. So the battery lasts a LONG time. It writes like a dream and is compatible with Staedtler digital pens, which I actually prefer. However, being able to project to the PC requires a ~$9/mo subscription. It also backs up your notes and does OCR for that cost. One additional note: the OCR capability is quite phenomenal. My handwriting is so bad I didn't think it had any chance. But I was blown away by it.
Knock knock. Passenger #5 won't make it in time for his train ride because he forgot his ID at home :)
Thanks for breaking sequence number down for beginners, Hansang. Looking forward to the L1 video.
So, typically, if you have an ACK with a Len of 0, does it mean it is still a byte and is considered as data sent? So does the sequence # increase?
Only for TCP SYN packets. For all others, zero TCP len (no application data) means that the seq number will not go up. The SYN packet gets special treatment because you have to know it got there. W/O incrementing the ACK number, you'll never know. Because, remember, ACK means "you should start with this seq next"
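The accounting in that reply, worked through as an added example that is not code from the video or the thread: a minimal TCP header parser plus the RFC 793 rule that SYN and FIN each occupy one sequence number while a pure ACK with no payload occupies none. The ports, ISNs and the single data segment are constructed values.

```python
import struct
from dataclasses import dataclass

# TCP flag bits (low byte of the 16-bit data-offset/flags field)
FIN, SYN, ACK = 0x01, 0x02, 0x10

@dataclass
class Segment:
    seq: int
    ack: int
    flags: int
    payload_len: int

def parse_tcp(raw: bytes) -> Segment:
    """Parse a raw TCP segment (header plus payload, IP header already stripped)."""
    _sport, _dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    header_len = (off_flags >> 12) * 4          # data offset is counted in 32-bit words
    return Segment(seq, ack, off_flags & 0x1FF, len(raw) - header_len)

def next_seq(s: Segment) -> int:
    """Sequence number this sender uses next: payload bytes, plus one each for
    SYN and FIN, which occupy a sequence number so the peer can ACK their arrival."""
    consumed = s.payload_len + bool(s.flags & SYN) + bool(s.flags & FIN)
    return (s.seq + consumed) & 0xFFFFFFFF      # 32-bit wraparound

def build_tcp(seq: int, ack: int, flags: int, payload: bytes = b"") -> bytes:
    """Constructed segment with a minimal 20-byte header (checksum left zero)."""
    return struct.pack("!HHIIHHHH", 40000, 443, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload

def handshake_trace(client_isn: int = 1000, server_isn: int = 5000) -> list:
    """Walk SYN, SYN-ACK, ACK and one data segment, recording (name, len, next seq)."""
    trace = []
    syn = parse_tcp(build_tcp(client_isn, 0, SYN))
    trace.append(("SYN", syn.payload_len, next_seq(syn)))          # len 0, yet seq advances by 1
    synack = parse_tcp(build_tcp(server_isn, next_seq(syn), SYN | ACK))
    trace.append(("SYN-ACK", synack.payload_len, next_seq(synack)))
    ack = parse_tcp(build_tcp(next_seq(syn), next_seq(synack), ACK))
    trace.append(("ACK", ack.payload_len, next_seq(ack)))          # len 0, no flag: no advance
    data = parse_tcp(build_tcp(next_seq(ack), next_seq(synack), ACK, b"GET / HTTP/1.1\r\n\r\n"))
    trace.append(("DATA", data.payload_len, next_seq(data)))       # advances by payload length
    return trace
```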
Sent to you by J. Rhymer, who credits you for his interest and success as a networking professional.
John is certainly on my list of good people! We go back a ways :)
Zero trust video would be nice
Maybe I'll do a vlog type video. Stay tuned.
Better late than never 👍🏻
There is that! 😁
Nice Pen you got there ;-)
Oh yeah, I forgot to mention it when we were having dinner (Mmmmm, Peter Lugerrrrrrrr!) Works perfectly. Thanks again for pointing it out.
You said you must accept the SYN but it can be rejected based on IP whitelist/blacklist. But yes, no way to auth the user. But is this really an issue? The auth is handled on the application level instead of the transport. I would be interested in learning about the zero trust you mentioned.
You can whitelist. But herein lies the problem. You're a FW or a VPN concentrator. You have users all over the world now. Which IP do you allow or block given that it comes from ISPs all over the world? Even if you collect all the users' home ISP addresses, they do and can change. So it would be an operational nightmare. Zero Trust principle removes that entirely.
You _should_ accept the SYN, but you will see out there on the internet that some servers will ignore the first SYN, forcing the prospective client to send a second SYN. The thinking behind this is that if someone is doing a DDoS SYN flood type of attack, they will not always try a retransmission from the same host - whereas a genuine client will retransmit. Whether this is a good thing, or even an effective thing is up for debate.
You may also see some firewalls/load balancers/security devices (maybe even servers themselves) using SYN cookies. This is a protective technique whereby a SYN-ACK is sent back to the client, but instead of opening a TCP socket in the session table of the server (TCP half-open), a SYN cookie is created. This saves resource exhaustion on the server's TCP/IP stack. If the ACK is received to the SYN-ACK, then the cookie is used to go ahead and open up a socket on the server. If the ACK to the SYN-ACK is never received, then the cookie times out and the socket never even goes near the session table.
I'd totally agree with Hansang that permitting or denying purely on the basis of IP lists is not so effective. One (of the many) parts of zero trust is to constantly re-evaluate flows. So, for example, your VPN users can authenticate using MFA if they are in their home country and get access to a certain set of internal resources. If they authenticate from a country that they are not usually present in, they will get a sub-set of those resources. You can do this with the main cloud providers also, not just old style trust/untrust models of networks.
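The SYN cookie mechanism described in that comment, as an added illustration that is not code from the video, the thread or any real TCP stack. It follows the classic layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash in the server's ISN) in simplified form; the secret, the MSS table and the addresses used in testing are constructed.

```python
import hashlib
import hmac
import struct

# Constructed demo secret; a real stack draws this at random when it boots.
SECRET = b"demo-secret-not-for-production"
MSS_TABLE = (536, 1220, 1440, 1460)   # MSS values that fit the 3-bit field

def _hash24(src: bytes, dst: bytes, sport: int, dport: int, count: int) -> int:
    """Keyed 24-bit hash of the 4-tuple and the time counter."""
    msg = struct.pack("!4s4sHHI", src, dst, sport, dport, count)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_syn_cookie(src, dst, sport, dport, client_mss: int, count: int) -> int:
    """ISN to send in the SYN-ACK: 5-bit time counter, 3-bit MSS index and the
    24-bit hash. Nothing is stored, so a flood of SYNs cannot fill the session table."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return ((count & 0x1F) << 27) | (mss_idx << 24) | _hash24(src, dst, sport, dport, count)

def check_syn_cookie(src, dst, sport, dport, ack_num: int, now: int, max_age: int = 2):
    """Validate the final ACK of the handshake. Returns the MSS to use if the
    cookie is genuine and fresh, else None (the ACK is simply dropped)."""
    cookie = (ack_num - 1) & 0xFFFFFFFF       # SYN consumed one number, so ACK = ISN + 1
    count = cookie >> 27
    if (now - count) & 0x1F > max_age:
        return None                           # stale: the counter has moved on too far
    if (cookie & 0xFFFFFF) != _hash24(src, dst, sport, dport, count):
        return None                           # wrong 4-tuple, wrong counter or forged ACK
    return MSS_TABLE[(cookie >> 24) & 0x7]    # only now is state rebuilt, from the cookie itself
```

The trade-off the comment alludes to is visible here: because no state survives the SYN, options such as window scaling or SACK that only fit in the stored SYN are lost, which is why stacks enable cookies only once the backlog is under pressure.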
@kevinppb All great points. Thanks Kevin. The installed base is always the issue, isn't it? Also, the other thing to worry about is insider threats. Another place where the ZT principle can really help (when done right)
Thank you. 🙏
You are quite welcome!