Network Forensics with Wireshark: Build Practical Expertise in Network Monitoring, Threat Detection, and Cyber Forensics with Wireshark


Mar 17, 2026 (21 min)

Episode description

A comprehensive guide to network forensics and traffic analysis using tools like Wireshark and Pyshark. The text establishes a foundation by comparing the OSI and TCP/IP models, specifically illustrating these concepts through the lens of modern automotive infotainment systems and the CAN protocol. Practical chapters detail the mechanics of SSL/TLS handshakes, including the use of pre-master secrets and private keys to decrypt secure communications. The material also covers advanced security topics such as covert timing channels, malware analysis for threats like Gootloader, and the application of the Attack Kill Chain model to investigate data breaches. Additionally, the guide offers technical instructions on configuring firewall rules, creating display filter macros, and automating packet inspection with Python-based tools.
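The description above mentions the TLS handshake and Python-based packet inspection, and the transcript below explains that an observer without keys can still read the SNI hostname in the ClientHello but nothing in the Application Data records that follow. The following block is an added example, not code from the book or the episode: it builds a constructed ClientHello (the hostname, cipher suite values and the deterministic "random" bytes are made-up sample data) and then parses it the way a passive sniffer would, pulling out the cipher suite list and the SNI, while treating a type 0x17 record as opaque.

```python
import struct

def build_client_hello(server_name, cipher_suites=(0x1301, 0x1302, 0xC02F)):
    """Constructed TLS record holding a ClientHello with an SNI extension (not a real capture)."""
    client_random = bytes(range(32))                  # deterministic stand-in for the 32 random bytes
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host       # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    body = (b"\x03\x03" + client_random + b"\x00"                    # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                            # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # content type 0x16 = handshake

def build_application_data(ciphertext):
    """Constructed record of content type 0x17: what every packet after the handshake looks like."""
    return b"\x17\x03\x03" + struct.pack("!H", len(ciphertext)) + ciphertext

def parse_tls_record(record):
    """Return what a passive observer can learn from one TLS record without any keys."""
    content_type = record[0]
    length, = struct.unpack("!H", record[3:5])
    if content_type == 0x17:
        return {"type": "application_data", "length": length}      # payload is opaque to us
    if content_type != 0x16:
        return {"type": "other", "content_type": content_type}
    hs = record[5:5 + length]
    if hs[0] != 0x01:
        return {"type": "handshake", "handshake_type": hs[0]}
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip client_version and random
    pos += 1 + body[pos]                           # skip session_id (length-prefixed)
    cs_len, = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # skip compression_methods
    result = {"type": "client_hello", "cipher_suites": suites, "sni": None}
    if pos + 2 > len(body):
        return result                              # no extensions block at all
    ext_len, = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + ext_size]; pos += ext_size
        if ext_type == 0x0000:                     # server_name: 2-byte list length, then entries
            p = 2
            while p + 3 <= len(data):
                name_type = data[p]
                name_len, = struct.unpack("!H", data[p + 1:p + 3]); p += 3
                name = data[p:p + name_len]; p += name_len
                if name_type == 0:
                    result["sni"] = name.decode("ascii")
    return result

if __name__ == "__main__":
    print(parse_tls_record(build_client_hello("news18.com")))
    print(parse_tls_record(build_application_data(b"\x8a\x13\x77\x77\x77")))
```

In Wireshark the same field is exposed by the display filter `tls.handshake.extensions_server_name`. Two caveats a practitioner should keep in mind: loading a server's RSA private key into Wireshark only decrypts sessions that used RSA key exchange, so for (EC)DHE and TLS 1.3 you need the per-session secrets (for example via a browser's SSLKEYLOGFILE) instead, and TLS 1.3 deployments using Encrypted Client Hello hide the SNI as well.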

You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cyber_security_summary

Get the Book now from Amazon:
https://www.amazon.com/Network-Forensics-Wireshark-Bhavik-Shah/dp/9349888459?&linkCode=ll2&tag=cvthunderx-20&linkId=8ab9ab0982bd84535469a7096da0586f&language=en_US&ref_=as_li_ss_tl

Discover our free courses in tech and cybersecurity, Start learning today:
https://linktr.ee/cybercode_academy

Transcript

Speaker 1

You know that feeling when you're sitting in a dead, silent room, maybe it's late at night, your laptop is open, your phone is on the table, and it just feels, well, it feels peaceful. But if you could actually see what was happening in the air around you, if you had, like, X-ray vision for data, that room would be absolute chaos. It would be screaming.

Speaker 2

Oh yeah, it would be completely deafening.

Speaker 1

Because every millisecond there are thousands of these invisible conversations happening. Your phone talking to the router, your laptop negotiating with some server in Virginia, your smart bulb checking for firmware updates. Right, it is a massive, frantic, highly orchestrated exchange, and usually we are just completely blind to it.

Speaker 2

Well, till something breaks, you know. That's usually when we actually start paying attention to the network. Exactly.

Speaker 1

And that is exactly where we're going today for this deep dive. We are looking at the invisible nervous system of the modern world. We're basing our discussion today on a really comprehensive guide called Network Forensics with Wireshark by Bhavik Shah, and...

Speaker 2

I think it's important to say right off the bat, this isn't just a basic how-to manual. Shah really frames Wireshark, which, by the way, is the absolute industry standard tool for analyzing network traffic. He frames it as a lens. It's a way to capture those invisible packets flying through the air and basically freeze them in time so we can actually dissect them.

Speaker 1

So our mission today is to step into the shoes of that forensic analyst. We are going to trace the life of a data packet. We're going to see how your devices agree to talk, how they handle it when messages get lost, and how they keep secrets. And we are starting at a place I honestly didn't expect a hardcore networking text to start.

Speaker 2

The dashboard of your car.

Speaker 1

A car, because apparently before we can even talk about the internet, we need to talk about the infotainment system.

Speaker 2

It makes perfect sense if you think about it, though. Modern cars are literally just networks on wheels. That screen on your dash, the integrated head unit, it isn't just a radio...

Speaker 1

anymore, right. It's a computer.

Speaker 2

It's a massive hub. It's running an operating system. It talks to the heads-up display, and it has to pull data from sensors located all over the vehicle.

Speaker 1

And this introduces our first big concept, which Shah spends a good amount of time on: CAN, the Controller Area Network.

Speaker 2

Right. So to understand CAN, imagine the wiring in a car from, say, the nineteen sixties. If you wanted the brake pedal to turn on the tail lights, you basically ran a physical copper wire from the pedal all the way to the light. Simple.

Speaker 1

But now you have airbags, ABS, engine timing, climate control, navigation. I mean, if you ran a dedicated wire for every single connection today, the car would weigh ten tons. Exactly.

Speaker 2

It'd be impossible. So the CAN protocol solves this physical problem. It treats the car's components as nodes, and they all share a single communication line.

Speaker 1

A serial bus, a serial bus.

Speaker 2

Yeah, it's almost like an old-school party line telephone. Everyone's listening to the same wire, and when a message comes down the line, the right node just grabs it.

Speaker 1

Shah uses a really specific example here that I thought was great because it immediately raises the stakes. He talks about the spark ignition engine.

Speaker 2

Yeah, because the internal combustion engine is entirely a timing game. You need the spark to fire in the combustion chamber at the exact millisecond the fuel...

Speaker 1

is compressed. And if that signal is late, the...

Speaker 2

engine knocks or just straight up doesn't run right. So the engine control unit, the ECU, needs to coordinate that spark instantly. It absolutely cannot wait for the air conditioning system to finish reporting the cabin temperature.

Speaker 1

It needs priority. Exactly.

Speaker 2

The network has to prioritize. And this is really our first core lesson in networking. Latency matters and protocols, which are basically just the rules of the road, are what prevent the entire system from crashing.

Speaker 1

Okay, so the CAN bus is the model for the car. It's contained. But when we move out to the Internet, we need a much bigger model, and the source material brings up the famous OSI...

Speaker 2

model. Ah, the Open Systems Interconnection model. If you have ever taken a computer science class, you've definitely memorized the seven layers.

Speaker 1

Yep. Physical, Data Link, Network, all the way up to Application at the top.

Speaker 2

It's a really elegant theoretical framework. It separates the raw physical cables, which is layer one, from the routing at layer three, all the way up to the web browser you're actually looking at, which is layer seven. But Shah makes a really critical distinction here.

Speaker 1

Yeah, he says the OSI model is great for teaching, but the TCP/IP model is what actually runs the real world.

Speaker 2

Because TCP/IP is practical. It condenses those theoretical layers into something workable. But the fundamental job is exactly the same. You take a request from your browser, let's say, get me google.com. You chop it up into tiny little pieces, you address them, and you shove them onto the...

Speaker 1

wire, where the rubber meets the road.

Speaker 2

Literally.

Speaker 1

Okay, so let's get into the weeds here. Let's look at one of those actual conversations. Because the source heavily emphasizes that the Internet is not just a fire hose. You don't just blast a bunch of data at a server and cross your fingers hoping it catches it.

Speaker 2

No, you have to be polite.

Speaker 1

You have to shake hands.

Speaker 2

Yes, the TCP three-way handshake. It is fundamental to everything we do online. Almost nothing on the web happens without this specific ritual happening first. I really...

Speaker 1

want to walk through this, because I think people just assume computers connect instantly. You click a link, boom, it's there. But there's a whole negotiation happening. So let's roleplay this a bit. Okay, I will be my laptop. You can be the server. I want to download a file from you. I don't just start screaming, give me the file.

Speaker 2

No, that would be UDP, which we can get to in a bit. With TCP, you want guaranteed reliability. So step one, your laptop sends a SYN packet. SYN, it stands for synchronize. You're essentially walking up to me and saying, knock, knock. I would like to open a secure line. Here's my starting sequence number.

Speaker 1

Okay, so I've knocked. What's step two.

Speaker 2

I'm the server. I receive that knock. If I'm active and have the bandwidth, I reply with a SYN-ACK, synchronize and acknowledge. I'm basically saying I heard your knock. That is the ACK part. And I'm also ready to synchronize our communication. That's the SYN part.

Speaker 1

So we are halfway there. I know you're ready, you know I'm ready. Why isn't that enough? Why do we need a three way handshake?

Speaker 2

Because I don't know that you know that I'm ready.

Speaker 1

It sounds like a really bad comedy sketch.

Speaker 2

It does. It's very redundant, but that is exactly why we need step three. You have to send a final ack packet back to me acknowledged I got your confirmation.

Speaker 1

And once that third packet hits.

Speaker 2

Once that hits my specialized network card, the socket is officially open. Boom, we are connected and data can flow.

Speaker 1

And this little three-step dance happens for every single website...

Speaker 2

you visit. Every single site, every image resource on the page. Sometimes it happens dozens of times simultaneously just to load one single news article.

Speaker 1

Wow. Now you mentioned sequence numbers during that handshake, and the source material has these screenshots from Wireshark where there are these absolutely huge numbers associated with every packet.

Speaker 2

Yeah, that is how TCP keeps the story straight. The Internet is incredibly messy. Packets don't always take the same route, so they don't always arrive in the right order. Imagine if I sent you a book in the mail one page at a time, page fifty might actually arrive at your house before page ten.

Speaker 1

So the sequence number is just the page...

Speaker 2

number? Essentially, yes. But it tracks individual bytes of data, not pages. So if I send you a thousand bytes of data and my current sequence number is five thousand, the next sequence number will be six thousand.

Speaker 1

It's just simple addition, current sequence...

Speaker 2

plus the data payload. Exactly, simple addition.

Speaker 1

Sure, simple addition. But in the Wireshark screenshots Shah provides, these numbers are terrifying to look at. They're like three billion, four hundred million and something.

Speaker 2

They're massive. Yeah, and that's because they're randomly generated for security purposes. You really don't want to start at number one every time you connect to your bank, or hackers can easily guess your sequence and hijack it. But Shah gives a really great pro tip here for anyone actually opening up Wireshark.

Speaker 1

Relative sequence numbers.

Speaker 2

Yes, turn that setting on immediately. It just tells Wireshark look, I don't care that the real starting number is four billion. Just treat the very first packet as zero and count up from there. It makes the forensic analysis actually readable for a human brain.

Speaker 1

I definitely prefer starting at zero. Okay, so we've shaken hands. We are counting the bytes. But this is the real world. Backhoes cut fiber optic cables, Wi-Fi signals fade when you walk into the kitchen. What actually happens when the conversation breaks?

Speaker 2

This right here is the absolute core of network forensics: spotting the errors. In the old days of TCP, if we were sending a stream of data, let's say we send packets one, two, three, and four, and packet two just vanishes into the ether.

Speaker 1

The receiver gets one, three and four and knows there's a hole in the middle.

Speaker 2

Right. It would send a message back to the server saying, hey, I got up to packet one, but I am currently missing packet two. The problem was the sender didn't know if packets three and four arrived safely either. Oh, I see. So it just played it incredibly safe and resent everything from packet two onwards.

Speaker 1

It resends two, three and four. But you just said three and four were already sitting there. That seems incredibly wasteful.

Speaker 2

It is terrible for bandwidth. It completely clogs the pipe. And that's exactly why Shah highlights a protocol feature called SACK, Selective Acknowledgment.

Speaker 1

I love the acronyms in networking. They always sound slightly aggressive. SACK.

Speaker 2

It is a total game changer for network efficiency. With SACK enabled, the receiver can be surgically precise. It says, okay, server, I received everything up to byte one thousand. I am missing the next chunk. But, and here is the clever part, I did receive the chunk from byte two thousand to three thousand.

Speaker 1

So it confirms the little islands of data it actually has.

Speaker 2

Exactly. And in Wireshark you can actually see these specific fields. They are called the left edge and the right edge. They literally define the start and end boundaries of the data that actually made it through the chaos.

Speaker 1

So the sender just looks at those edges and says, oh, you just need that one missing piece right in the middle.

Speaker 2

It's a surgical strike. It fills the pothole without having to repave the entire street. And when you are looking at a Wireshark capture of a really slow network, seeing a ton of these SACK packets helps you diagnose that the network is dropping data left and right, but the protocol is fighting tooth and nail to recover it efficiently.

Speaker 1

It really gives you a lot of respect for the people who design these protocols. They just assume failure is inevitable and they build the system to plan for it.

Speaker 2

That is the entire philosophy of the Internet. It is technically classified as a best effort network. It promises to try its hardest, but it never promises to be perfect.

Speaker 1

Let's bring this a little closer to home for the listeners. We've been talking a lot about the theory of the handshakes, SACKs, sequence numbers. But right now, you, the listener, are probably sitting on your home Wi-Fi network. What does all of this look like for them?

Speaker 2

Well, if they open their command prompt on their computer right now and check their IP address, I can almost guarantee you what numbers it starts...

Speaker 1

with. 192.168. The absolute...

Speaker 2

classic. And Shah points out the specific rule book that mandates this. It's called RFC 1918. It's an engineering document that basically set aside certain ranges of IP addresses strictly for private internal use.

Speaker 1

Private meaning they literally don't exist on the real public Internet.

Speaker 2

Exactly. If you try to send a data packet to 192.168.1.5 out on the public Internet, the major backbone routers will just laugh at you and drop it in the trash. Those addresses only exist inside the four walls of your house.

Speaker 1

But wait a minute, if my laptop has a fake private address. How am I reading the New York Times? How does the server in New York know where to send the web page back to if my address isn't real.

Speaker 2

That is the magic trick performed by that little plastic Wi Fi router sitting in your living room. It's a process called NAT Network address translation.

Speaker 1

I've definitely heard of NAT type when setting up gaming consoles, but explain what it's actually doing behind the scenes.

Speaker 2

Think of your home router like the mail room of a giant corporate office building. The employees inside the building, which are your phone, your laptop, your smart fridge, they all have internal phone extension numbers, like extension 112, 113. Those numbers don't work if you dial them from outside the building. The building itself, however, has one real public mailing address. That is your public IP address, and it's assigned to you by your Internet service provider.

So when your laptop wants to send a request to Google, you hand that packet to the router. The router physically erases your internal extension, the 192.168 number. It stamps its own public IP on the return envelope, and it sends it out to the...

Speaker 1

Internet. So it's basically impersonating my laptop.

Speaker 2

It acts entirely on your behalf. And here is the really crucial part. It writes down in a little temporary ledger, I just sent a request to Google and it was for the laptop on extension 101. When the reply comes back from Google an instant later, it looks at that ledger, sees who originally asked for it, restamps the internal address on it, and passes it back to your laptop.

Speaker 1

And it is doing this for every single packet, for every single device in the house simultaneously.

Speaker 2

Thousands and thousands of times a second. That is exactly why cheap home routers sometimes freeze up and need to be rebooted. Maintaining that NAT translation table in its memory is really hard work.

Speaker 1

That is just incredible, And related to this, the router is usually also the thing handing out those internal extension numbers in the first place. Right.

Speaker 2

Yes, that service is called DHCP, Dynamic Host Configuration Protocol. It's basically the office manager that assigns the extensions so your phone and your laptop don't accidentally fight over the same IP address. But it does something else that's absolutely critical: it tells your computer where to find the DNS server.

Speaker 1

Ah DNS the famous phone book of the Internet.

Speaker 2

I actually prefer to think of it as the contacts app on your smartphone, because nobody actually memorizes phone numbers anymore. You don't type 142.250.190.46 into your browser. You just type google.com.

Speaker 1

But the computers only speak in...

Speaker 2

numbers, right. So the DNS system is the translation bridge between human words and computer numbers. And Shah shows us something really fascinating here when we look at it through Wireshark. We talked about TCP earlier, that highly reliable, slightly slow, handshake-heavy protocol. DNS doesn't usually use TCP. It uses UDP, the...

Speaker 1

User Datagram Protocol. Why does it use a different rule...

Speaker 2

book? Because UDP is fire and forget. There is no three-way handshake. There is no polite "Did you hear me? I heard you." You literally just shout into the void, where is Google? And the DNS server just shouts back the IP address.

Speaker 1

Because speed is everything in that moment. You don't want to wait around for a multi step handshake just to find out where the website is located exactly.

Speaker 2

Every millisecond counts. And in Wireshark, if you dissect a DNS packet, you can see all the layers stacked up beautifully. You see the Ethernet frame with the physical MAC addresses of the hardware. You see the IP layer with the source and destination addresses. You see the UDP transport layer operating on port...

Speaker 1

53. And then finally you see the payload, the actual query you typed.

Speaker 2

And this is where the deep dive gets very literal. Shah encourages his readers to look down at pane three in the Wireshark interface, the raw hexadecimal dump.

Speaker 1

This is the part that looks like matrix code, just walls of numbers and letters like zero's and f's cascading on the right side of the screen.

Speaker 2

It really demystifies how the Internet works at a physical level. When you type www, the network doesn't actually send the letter W. It sends the hexadecimal value 77. So if you look closely at that raw dump, you will literally see 77 77 77 in the data stream.

Speaker 3

And what about a full word like YouTube? It's broken down letter by letter by its ASCII code, so it shows up as 79 6F 75 74 75 62 65.

Speaker 1

It is genuinely wild to think about. I mean, billion-dollar industries, viral videos, entire political revolutions are being coordinated. Yeah, and at the very bottom of the technology stack, it is just 77s and 6Fs flying as pulses of light through a fiber optic cable under the ocean.

Speaker 2

It is quite literally just data. But having that realization, seeing it right there in Wireshark, it brings up the big scary question of network security. If it's all just data and I can easily see it in Wireshark on my laptop, can you see it too? If I'm sitting across from you at a coffee shop, can you see my bank password flying by in hex code?

Speaker 1

And that brings us to the final and honestly probably the most important topic covered in the source material, the locked box: HTTPS.

Speaker 2

This is the fundamental difference between sending a postcard through the mail and sending a locked titanium briefcase. Standard HTTP traffic is sent in clear text. If you look at it in Wireshark, you can read the news article the person is reading. You can see their search queries, you can read their password. It's just sitting right there in pane three.

Speaker 1

Which is terrifying for anyone using public...

Speaker 2

Wi-Fi. Which is exactly why almost the entire modern web has forcefully moved to HTTPS. The S stands for security. It uses TLS, Transport Layer Security, to completely encrypt the payload before it ever leaves your machine.

Speaker 1

But here is the nuance that I actually found really surprising in Shah's breakdown. Even with HTTPS turned on, you can still see some things in Wireshark. The connection isn't totally invisible.

Speaker 2

That's correct. The connection still relies on TCP underneath it all, so you still see that initial three-way handshake. And right after that you see a packet labeled Client Hello. This is the very start of the secure cryptographic...

Speaker 1

negotiation. The Client Hello. It sounds very polite. What is actually inside that packet?

Speaker 2

A lot of technical metadata. Your computer is essentially telling the server, hi, here is a list of all the complex encryption codes and ciphers my browser understands. But crucially, it also sends the SNI, the Server Name Indication. Think of this as the "to" address printed on the outside of that locked titanium briefcase.

Speaker 1

So if a hacker, or even just the network admin at my office, is running Wireshark, they can see that I am visiting news18.com.

Speaker 2

Yes, they can see the destination IP, and they can clearly see the domain name in the SNI field, but they absolutely cannot see what is inside the briefcase.

Speaker 1

So my boss knows I'm on a news site, but they have no idea which specific article I'm reading or what I'm typing into the search bar.

Speaker 2

Exactly. In Wireshark, after that initial polite hello phase, every single packet that follows is just labeled Application Data. And if you drop down to look at the hex pane, where we clearly saw 77 77 77 earlier, now it's just completely random garbage. It's scrambled noise.

Speaker 1

Because the network sniffer doesn't have the key to unlock the briefcase.

Speaker 2

Right, The whole system relies on public key encryption. The destination server holds a private key that it never ever shares over the wire. Without that specific mathematical key, unscrambling that noise is virtually impossible.

Speaker 1

But Shah mentions that in the context of forensic analysis, this incredible security feature can actually be a massive headache if you are the good guy, right? You're the IT admin trying to fix a broken network and everything is encrypted noise. How do you debug it?

Speaker 2

It is a huge ongoing challenge in the industry. If you own the server you're diagnosing, you can actually load your private key directly into Wireshark and it will decrypt the traffic locally so you can read it. But if you're just troubleshooting why a user's connection to Google Workspace is running slow, you can't read the data. You are forced to rely entirely on...

Speaker 1

the metadata. So you're just looking at the handshakes, the SACK packets, the latency timing. Exactly.

Speaker 2

You're observing the shape of the conversation because the actual content of the conversation is dark.

Speaker 1

It's a fundamental trade-off. We as a society are giving up easy inspectability in exchange for necessary privacy, and...

Speaker 2

given the stakes today, it's a trade-off we have to make.

Speaker 1

So just looking back at the whole journey we took today, we started with the physical reality of the network, the CAN bus inside a car dashboard, realizing that everything is just nodes taking turns sharing a line.

Speaker 2

Then we moved to the logic of how connections form, the TCP three-way handshake, SYN, SYN-ACK, ACK, the mandatory politeness that happens before the data storm begins.

Speaker 1

We saw how the system intelligently heals itself with SACK when those packets inevitably get dropped, and how the home router uses NAT to act as the ultimate mail room traffic cop for all our personal devices.

Speaker 2

And finally we saw how modern encryption turns those easily readable hex codes back into scrambled noise, keeping our digital secrets safe even while they travel through the open air in a crowded coffee shop.

Speaker 1

It honestly changes how you look at a simple loading bar on your screen. When that little circle is spinning, it isn't just loading. It is resolving DNS. It's handshaking, acknowledging missing bytes, decrypting secure keys.

Speaker 2

It is continuously performing a minor miracle of coordination.

Speaker 1

So here is my final thought for you, the listener, to chew on. The next time you click a simple link, just take a split second to acknowledge the completely invisible, frantic reality you just kicked off. Those 77s and 6Fs aren't just abstract concepts. They are physical pulses of electromagnetic energy manipulating the air around your body right now to bring you a web page. It's literal energy passing through you.

Speaker 2

It's a bit mind-bending when you put it like that. And hey, if you really want to see the matrix for yourself, go download Wireshark. Just maybe don't run it on your corporate work network unless you want an immediate, very stern phone call from your IT department.

Speaker 1

Yes, always get permission first. Always wise words. Thanks for diving deep with us into the invisible threads of the Internet.

Speaker 2

It was a pleasure to be here.

Speaker 1

We will catch you on the next deep dive.
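The transcript above walks through the SYN / SYN-ACK / ACK handshake, the huge random initial sequence numbers that Wireshark's "relative sequence numbers" setting hides, and the SACK left edge and right edge that tell the sender exactly which bytes survived. The block below is an added example, not code from the book or the episode: it constructs that exact conversation as raw TCP header bytes (ports, initial sequence numbers and payloads are made-up sample values), parses the segments, converts sequence and SACK numbers to relative form the way Wireshark does, and flags the hole left by the lost segment.

```python
import struct

FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_PSH, FLAG_ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def build_tcp_segment(sport, dport, seq, ack, flags, payload=b"", options=b""):
    """Constructed TCP header (no IP header, checksum left zero) plus payload."""
    while len(options) % 4:                        # options area is padded to a 4-byte boundary
        options += b"\x01"                         # option kind 1 = NOP
    data_offset = (20 + len(options)) // 4         # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4, flags, 65535, 0, 0)
    return header + options + payload

def sack_option(blocks):
    """SACK option (kind 5): each block is (left_edge, right_edge) in absolute sequence numbers."""
    body = b"".join(struct.pack("!II", left, right) for left, right in blocks)
    return bytes([5, 2 + len(body)]) + body

def parse_tcp_segment(segment):
    sport, dport, seq, ack, off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    header_len = (off >> 4) * 4
    options, payload = segment[20:header_len], segment[header_len:]
    sack, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                              # EOL
            break
        if kind == 1:                              # NOP
            i += 1
            continue
        length = options[i + 1]
        data = options[i + 2:i + length]
        if kind == 5:                              # SACK: pairs of (left edge, right edge)
            sack = [struct.unpack("!II", data[j:j + 8]) for j in range(0, len(data), 8)]
        i += length
    names = [n for bit, n in ((FLAG_SYN, "SYN"), (FLAG_ACK, "ACK"), (FLAG_FIN, "FIN"),
                              (FLAG_RST, "RST"), (FLAG_PSH, "PSH")) if flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": names,
            "sack": sack, "payload_len": len(payload)}

class RelativeSeqTracker:
    """Mimics Wireshark's 'relative sequence numbers': the ISN in each direction's SYN becomes 0."""
    def __init__(self):
        self.isn = {}        # (sport, dport) -> initial sequence number seen in the SYN
        self.expected = {}   # (sport, dport) -> next relative seq we expect to see

    def annotate(self, segment):
        info = parse_tcp_segment(segment)
        fwd, rev = (info["sport"], info["dport"]), (info["dport"], info["sport"])
        if "SYN" in info["flags"]:
            self.isn.setdefault(fwd, info["seq"])
        isn_fwd, isn_rev = self.isn.get(fwd, 0), self.isn.get(rev, 0)
        info["rel_seq"] = info["seq"] - isn_fwd
        info["rel_ack"] = info["ack"] - isn_rev if "ACK" in info["flags"] else None
        info["rel_sack"] = [(l - isn_rev, r - isn_rev) for l, r in info["sack"]]
        # SYN and FIN each consume one sequence number, which is why data starts at relative seq 1
        info["next_seq"] = (info["rel_seq"] + info["payload_len"]
                            + ("SYN" in info["flags"]) + ("FIN" in info["flags"]))
        expected = self.expected.get(fwd)
        # Wireshark labels this case "TCP Previous segment not captured"
        info["gap_before"] = expected is not None and info["rel_seq"] > expected
        self.expected[fwd] = max(expected if expected is not None else 0, info["next_seq"])
        return info

def demo_conversation():
    """Handshake, 1000 bytes of data, a lost segment, and the SACK that reports it (constructed)."""
    isn_c, isn_s = 3_400_000_000, 1_200_000_000   # the huge absolute numbers Wireshark hides
    c, s = (51514, 443), (443, 51514)
    segments = [
        build_tcp_segment(*c, isn_c, 0, FLAG_SYN),                                   # 1. SYN
        build_tcp_segment(*s, isn_s, isn_c + 1, FLAG_SYN | FLAG_ACK),                # 2. SYN-ACK
        build_tcp_segment(*c, isn_c + 1, isn_s + 1, FLAG_ACK),                       # 3. ACK: socket open
        build_tcp_segment(*c, isn_c + 1, isn_s + 1, FLAG_ACK | FLAG_PSH, b"A" * 1000),      # bytes 1..1000
        # the segment carrying bytes 1001..2000 is lost and never appears in the capture
        build_tcp_segment(*c, isn_c + 2001, isn_s + 1, FLAG_ACK | FLAG_PSH, b"C" * 1000),   # bytes 2001..3000
        build_tcp_segment(*s, isn_s + 1, isn_c + 1001, FLAG_ACK,
                          options=sack_option([(isn_c + 2001, isn_c + 3001)])),      # ACK 1001, SACK 2001-3001
    ]
    tracker = RelativeSeqTracker()
    return [tracker.annotate(seg) for seg in segments]

if __name__ == "__main__":
    for n, info in enumerate(demo_conversation(), 1):
        print(n, " ".join(info["flags"]), "seq", info["rel_seq"], "ack", info["rel_ack"],
              "sack", info["rel_sack"], "GAP" if info["gap_before"] else "")
```

The last segment is the receiver's "surgical" report: its ACK says everything up to relative byte 1001 arrived, and the SACK block's left and right edges say bytes 2001 to 3001 are safely held, so the sender only has to retransmit the 1000 bytes in between. On a real capture the same fields are `tcp.seq`, `tcp.ack`, `tcp.options.sack_le` and `tcp.options.sack_re` in Wireshark, with relative numbering controlled by the "Relative sequence numbers" TCP protocol preference.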

Transcript source: provided by creator in RSS feed.