Capture and Analise Packets

In this lab session, we will use tcpdump and Wireshark to capture packets. To analyze them we will use Wireshark.

Packet Capturing using tcpdump

  • Go to the ubuntu VM
  • use tcpdump command to capture packets
    tcpdump -nn
  • you will get outputs like following
    IP > Flags [P.], seq 53:106,
    ack 1, win 67, options [nop,nop,TS val 854797891 ecr 376933204],
    length 53
  • You can try tcpdump with different attributes
    tcpdump –nni eth0 host
    tcpdump –nni eth0 dst host and tcp
    tcpdump –nni eth0 src net and tcp and portrange 1-1024
    tcpdump –nni eth0 –s0
    tcpdump –nni eth0 not port 22 –s0 –c 1000
    tcpdump –nni eth0 not port 22 and dst host and not src net
    -nn = don’t use DNS to resolve IPs and display port no 
    -i = interface to watch 
    dst = watch only traffic des0ned to a net, host or port 
    src = watch only traffic whose src is a net, host or port 
    net = specifies network 
    host = specifies host 
    port = specifies a port 
    proto = protocol ie tcp or udp 
    -s0 = seIng samples length to 0 m
    -c = number of packets 
  • You can capture packets and save them to a file
    # tcpdump –nni eth0 -w capture.pcap –vv –c 1000
    # tcpdump –nni eth0 –r capture.pcap port 80
    -w capture.pcap = save capture packet to capture.pcap 
    –vv =  display number of packet captured 
    -r capture.pcap = read capt
  • You can open the created file and see the captured packets


Download Wireshark from here and install Wireshark. Installation is very simple.

Captureing Packets from wireshark

Once you open the Wireshark you will get the following interface.

You can select the interface that you want to capture packets by clicking on the interface listed there. Then you can click the Start Capture to capture the packets.

You will see the packets capturing. Click the Stop Capture button when you want to stop the capturing.

You can save the captured packets by clicking File>Save as... and Clicking Save after you select a Location

You can change the interface and add or remove the filter by clicking the Options button.


Wireshark has a lot of filters. Let's try a simple filter. Let's capture only the packets that are using ICMP protocol.

You will the filter text field in the Wireshark interface. Type icmp there and start capturing. You can try different filters.

  • ip.addr == <Your IP address> [Sets a filter for any packet with, as either the source or dest]
  • ip.addr==<Your IP address> && ip.addr==<neighbors IP address> [sets a conversation filter between the two defined IP addresses]
  • http or dns [sets a filter to display all http and dns]
  • tcp.port==53 [sets a filter for any TCP packet with 4000 as a source or dest port]
  • http.request [displays all HTTP GET requests]
  • !(arp or icmp or dns) [masks out arp, icmp, dns, or whatever other protocols may be background noise. Allowing you to focus on the traffic of interest]


Download the sample packet capture files from here. Open them from Wireshark to analyze them. Go to File>Open and select the pcap file to be open.

Telnet.pcap download

  • What is the Username and Password?
  • What did the User do after login?

Open the file. Filter all the telnet traffic. Go to Analyse>Follow>TCP Stream.

massivesyn.pcap download

  • Is this an attack? If so what type of an attack?

Open the file, Go to Statistics>Coversation. Check for the type of packet, Source IP and the duration

chat.dmp download

  • What are the email addresses of the chatters?
  • What were they planning to do?

Open the file. Go to Analyse>Follow>TCP Stream.

ftp.pcap download

  • What is the IP address of the FTP server and the Client?
  • What is the error code 530?

Open the file. Statistics>Coversation. Click TCP. Check the Statistics. Go to Analyse>Follow>TCP Stream

foobar.pcap download

  • What is the protocol use TCP 6346?
  • What could be this scenario?

Open the file. Statistics>Coversation and check for source and destination IP and port. Go to Statistics>Protocol Hierarchy

covertinfo.pcap download

  • Is this a normal icmp packet?

Open the file. Statistics>Coversation and check for packet length.

sip.pcap download

  • What is the protocol used for media?
  • Can you listen to the phone conversation?

Statistics>Protocol Hierarchy check for UDP protocols. Use Telephony>(Protocol) > Analysis

Last modified 8 months ago Last modified on Sep 10, 2021, 1:35:29 AM