Let’s run through the basics of packet sniffing using TCPDump. TCPDump is a program that does packet analysis. Packet analysis is the process of intercepting data as it travels through a network. Packets are data sent over a network.

Note: Some of these services are not running on this box, so we have faked some terminal interactions in this specific exercise. This is so you can experience how these commands work in the real world.



The very first thing you’ll want to do when capturing packets is examine what interfaces to capture them on.

Interfaces are physical (or virtual) devices that transmit and receive data. For example, a wifi card, an ethernet port, and a Bluetooth antenna are interfaces.

We can see what interfaces are available to capture using the command:

tcpdump -D

Great! We’ve identified what interfaces are available to capture.

Now, to capture traffic from an interface, we can use a command with the format tcpdump -i [interface].

We can also tell tcpdump to write directly to a file, and limit how many packets to capture, so the file doesn’t get too large.

Try using the command:

tcpdump -i any -c 50 -w some_file.pcap

This will:

  • Capture 50packets
  • From any interface
  • Save them to a file called some_file.pcap

We can also read saved packet capture files using the format tcpdump -r [filename].

Try loading the demo.pcap file by using the following command:

tcpdump -r demo.pcap

Wow, that’s a lot of data! It can be hard to tell what’s going on by looking at a pcap file, especially if multiple connections are active at once.

While there are better tools for analyzing pcap files, there are some things we can do with tcpdump to make our lives easier.

For example, let’s look for DNS queries in the demo.pcap file, by adding the port 53 argument to the command, like this:

tcpdump -r demo.pcap port 53

Now, that’s a little easier to read!

It’s also possible to reconstruct files from packet captures.

This can be useful, but it can also be dangerous if not done carefully. For example, if you’re looking at a packet capture that contains a malware download, you might reconstruct the malware on your computer.

As a safe proof of concept, we can piece together the webpage this packet capture contains using the following command:

tcpdump -r demo.pcap port 80 -A

Great! We were able to piece together the webpage demo.pcap packet capture contained. From the output, we have the following information:

  • Host
  • Server
  • HTML content

To complete this Checkpoint, press the Enter (or the return) key.

Sign up to start coding

Mini Info Outline Icon
By signing up for Codecademy, you agree to Codecademy's Terms of Service & Privacy Policy.

Or sign up using:

Already have an account?