Capture and Analise Packets

In this lab session we will use tcpdump and wireshark to capture packets. To analise them we will use wireshark.

Packet Capturing using tcpdump

• Go to the ubuntu VM

• use tcpdump command to pacture packets

  tcpdump -nn
  

• you will get outputs like following

  IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 53:106,
  ack 1, win 67, options [nop,nop,TS val 854797891 ecr 376933204],
  length 53
  

• You can try tcpdump with different attributes

  tcpdump –nni eth0 host 10.10.10.10
  tcpdump –nni eth0 dst host 10.10.10.10 and tcp
  tcpdump –nni eth0 src net 10.10.10.0/24 and tcp and portrange 1-1024
  tcpdump –nni eth0 –s0
  tcpdump –nni eth0 not port 22 –s0 –c 1000
  tcpdump –nni eth0 not port 22 and dst host 10.10.10.10 and not src net 10.20.30.0/24
  
  -nn = don’t use DNS to resolve IPs and display port no 
  -i = interface to watch 
  dst = watch only traffic des0ned to a net, host or port 
  src = watch only traffic whose src is a net, host or port 
  net = specifies network 
  host = specifies host 
  port = specifies a port 
  proto = protocol ie tcp or udp 
  -s0 = seIng samples length to 0 m
  -c = number of packets 
  

• You can capture packets and save them to a file

  # tcpdump –nni eth0 -w capture.pcap –vv –c 1000
  # tcpdump –nni eth0 –r capture.pcap port 80
   
  -w capture.pcap = save capture packet to capture.pcap 
  –vv =  display number of packet captured 
  -r capture.pcap = read capt
  

• You can open the created file and see the captured packets

Wireshark