= Capture and Analise Packets =

In this lab session we will use tcpdump and wireshark to capture packets. To analise them we will use wireshark.

== Packet Capturing using tcpdump == 

 - Go to the ubuntu VM

 - use tcpdump command to pacture packets
{{{
tcpdump -nn
}}}

 - you will get outputs like following
{{{
IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 53:106,
ack 1, win 67, options [nop,nop,TS val 854797891 ecr 376933204],
length 53
}}}

 - You can try tcpdump with different attributes
{{{
tcpdump –nni eth0 host 10.10.10.10
tcpdump –nni eth0 dst host 10.10.10.10 and tcp
tcpdump –nni eth0 src net 10.10.10.0/24 and tcp and portrange 1-1024
tcpdump –nni eth0 –s0
tcpdump –nni eth0 not port 22 –s0 –c 1000
tcpdump –nni eth0 not port 22 and dst host 10.10.10.10 and not src net 10.20.30.0/24

-nn = don’t use DNS to resolve IPs and display port no 
-i = interface to watch 
dst = watch only traffic des0ned to a net, host or port 
src = watch only traffic whose src is a net, host or port 
net = specifies network 
host = specifies host 
port = specifies a port 
proto = protocol ie tcp or udp 
-s0 = seIng samples length to 0 m
-c = number of packets 
}}}

 - You can capture packets and save them to a file
{{{
# tcpdump –nni eth0 -w capture.pcap –vv –c 1000
# tcpdump –nni eth0 –r capture.pcap port 80
 
-w capture.pcap = save capture packet to capture.pcap 
–vv =  display number of packet captured 
-r capture.pcap = read capt
}}}

 - You can open the created file and see the captured packets

== Wireshark ==