Capture and Analise Packets

In this lab session we will use tcpdump and wireshark to capture packets. To analise them we will use wireshark.

Packet Capturing using tcpdump

• Go to the ubuntu VM

• use tcpdump command to pacture packets

  tcpdump -nn
  

• you will get outputs like following

  IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 53:106,
  ack 1, win 67, options [nop,nop,TS val 854797891 ecr 376933204],
  length 53
  

• You can try tcpdump with different attributes

  tcpdump –nni eth0 host 10.10.10.10
  tcpdump –nni eth0 dst host 10.10.10.10 and tcp
  tcpdump –nni eth0 src net 10.10.10.0/24 and tcp and portrange 1-1024
  tcpdump –nni eth0 –s0
  tcpdump –nni eth0 not port 22 –s0 –c 1000
  tcpdump –nni eth0 not port 22 and dst host 10.10.10.10 and not src net 10.20.30.0/24
  
  -nn = don’t use DNS to resolve IPs and display port no 
  -i = interface to watch 
  dst = watch only traffic des0ned to a net, host or port 
  src = watch only traffic whose src is a net, host or port 
  net = specifies network 
  host = specifies host 
  port = specifies a port 
  proto = protocol ie tcp or udp 
  -s0 = seIng samples length to 0 m
  -c = number of packets 
  

• You can capture packets and save them to a file

  # tcpdump –nni eth0 -w capture.pcap –vv –c 1000
  # tcpdump –nni eth0 –r capture.pcap port 80
   
  -w capture.pcap = save capture packet to capture.pcap 
  –vv =  display number of packet captured 
  -r capture.pcap = read capt
  

• You can open the created file and see the captured packets

Wireshark

Download wireshark from here... and istall wireshark. Installation is very simple.

Captureing Packets from wireshark

Once you open the wireshark you will get the following interface. you can select the interface that you want to capture packets clicking on the intarface listed there. Then you can click the blue shark fin button to capture the packets.