= Capture and Analyse Packets =

In this lab session we will use tcpdump and wireshark to capture packets. To analyse them we will use wireshark.

== Packet Capturing ==

=== tcpdump ===

- Go to the ubuntu VM

- use the tcpdump command to capture packets
{{{
tcpdump -nn
}}}

- you will get output like the following (one line per packet)
{{{
IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 53:106, ack 1, win 67, options [nop,nop,TS val 854797891 ecr 376933204], length 53
}}}

- You can try tcpdump with different options and filter expressions
{{{
tcpdump -nni eth0 host 10.10.10.10
tcpdump -nni eth0 dst host 10.10.10.10 and tcp
tcpdump -nni eth0 src net 10.10.10.0/24 and tcp and portrange 1-1024
tcpdump -nni eth0 -s0
tcpdump -nni eth0 not port 22 -s0 -c 1000
tcpdump -nni eth0 not port 22 and dst host 10.10.10.10 and not src net 10.20.30.0/24

-nn = don't resolve IP addresses via DNS, and show port numbers instead of service names
-i = interface to watch
dst = watch only traffic destined to a net, host or port
src = watch only traffic whose source is a net, host or port
net = specifies a network
host = specifies a host
port = specifies a port
proto = protocol, i.e. tcp or udp
-s0 = set the snapshot length to 0, i.e. capture whole packets instead of truncating them
-c = number of packets to capture before exiting
}}}

- You can capture packets and save them to a file
{{{
# tcpdump -nni eth0 -w capture.pcap -vv -c 1000
# tcpdump -nni eth0 -r capture.pcap port 80

-w capture.pcap = save captured packets to capture.pcap
-vv = display the number of packets captured
-r capture.pcap = read captured packets from capture.pcap
}}}
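The `tcpdump -nn` summary line shown earlier has a fixed shape (numeric addresses and ports, then the TCP flags, sequence, ack, window and payload length), so it can be parsed for quick triage when you cannot open wireshark. The following is an added example, not part of the lab or of tcpdump itself; the sample lines are constructed in the same format as the output above and are not real traffic.

```python
import re
from collections import Counter

# Matches the summary line `tcpdump -nn` prints for a TCP segment, e.g.
#   IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 53:106, ack 1, win 67, options [...], length 53
# Because -nn keeps addresses and ports numeric, "a.b.c.d.port" is a reliable shape.
# search() is used so a leading timestamp (tcpdump's default) is tolerated.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+(?::\d+)?))?"   # seq is absent on pure ACKs
    r"(?:, ack (?P<ack>\d+))?"            # ack is absent on an initial SYN
    r"(?:, win (?P<win>\d+))?"
    r".*?length (?P<length>\d+)"          # skip the options list, keep payload length
)

def parse_line(line):
    """Return the fields of one tcpdump -nn TCP line as a dict, or None if it does not match."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "ack", "win", "length"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def summarize(lines):
    """Total TCP payload bytes per (src, dst) pair, taken from the 'length' field."""
    totals = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            totals[(rec["src"], rec["dst"])] += rec["length"]
    return totals

# Constructed sample output in the shape of the lab's tcpdump -nn line (not captured traffic).
SAMPLE = """\
IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 53:106, ack 1, win 67, options [nop,nop,TS val 854797891 ecr 376933204], length 53
IP 192.168.1.8.54343 > 199.59.148.139.443: Flags [.], ack 106, win 229, options [nop,nop,TS val 376933300 ecr 854797891], length 0
IP 10.10.10.10.40000 > 192.168.1.8.22: Flags [S], seq 1000, win 29200, options [mss 1460], length 0
"""

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        print(parse_line(line))
    print(summarize(SAMPLE.splitlines()))
```

The same script works on saved text, e.g. `tcpdump -nn -r capture.pcap > capture.txt` and then reading capture.txt line by line.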