= Capture and Analise Packets = In this lab session we will use tcpdump and wireshark to capture packets. To analise them we will use wireshark. == Packet Capturing using tcpdump == - Go to the ubuntu VM - use tcpdump command to pacture packets {{{ tcpdump -nn }}} - you will get outputs like following {{{ IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 53:106, ack 1, win 67, options [nop,nop,TS val 854797891 ecr 376933204], length 53 }}} - You can try tcpdump with different attributes {{{ tcpdump –nni eth0 host 10.10.10.10 tcpdump –nni eth0 dst host 10.10.10.10 and tcp tcpdump –nni eth0 src net 10.10.10.0/24 and tcp and portrange 1-1024 tcpdump –nni eth0 –s0 tcpdump –nni eth0 not port 22 –s0 –c 1000 tcpdump –nni eth0 not port 22 and dst host 10.10.10.10 and not src net 10.20.30.0/24 -nn = don’t use DNS to resolve IPs and display port no -i = interface to watch dst = watch only traffic des0ned to a net, host or port src = watch only traffic whose src is a net, host or port net = specifies network host = specifies host port = specifies a port proto = protocol ie tcp or udp -s0 = seIng samples length to 0 m -c = number of packets }}} - You can capture packets and save them to a file {{{ # tcpdump –nni eth0 -w capture.pcap –vv –c 1000 # tcpdump –nni eth0 –r capture.pcap port 80 -w capture.pcap = save capture packet to capture.pcap –vv = display number of packet captured -r capture.pcap = read capt }}} - You can open the created file and see the captured packets == Wireshark ==