Let’s run through the basics of packet sniffing using TCPDump. TCPDump is a command-line program that does packet analysis: capturing and inspecting data as it travels through a network. Packets are the units of data sent over a network.
Note: Some of these services are not running on this box, so we have faked some terminal interactions in this specific exercise. This is so you can experience how these commands work in the real world.
The very first thing you’ll want to do when capturing packets is examine what interfaces to capture them on.
Interfaces are physical (or virtual) devices that transmit and receive data. For example, a wifi card, an ethernet port, and a Bluetooth antenna are interfaces.
We can see what interfaces are available to capture using the command:
Great! We’ve identified what interfaces are available to capture.
Now, to capture traffic from an interface, we can use a command of the form:
tcpdump -i [interface]
We can also tell tcpdump to write directly to a file (-w), and limit how many packets to capture (-c), so the file doesn’t get too large.
Try using the command:
tcpdump -i any -c 50 -w some_file.pcap
This will:
- Capture on every interface (-i any)
- Stop after 50 packets (-c 50)
- Save them to a file called some_file.pcap (-w some_file.pcap)
We can also read saved packet capture files using the format:
tcpdump -r [filename]
Try loading the demo.pcap file by using the following command:
tcpdump -r demo.pcap
Wow, that’s a lot of data! It can be hard to tell what’s going on by looking at a pcap file, especially if multiple connections are active at once.
While there are better tools for analyzing pcap files, there are some things we can do with tcpdump to make our lives easier.
For example, let’s look for DNS queries in the demo.pcap file by adding the port 53 filter expression to the command, like this:
tcpdump -r demo.pcap port 53
Now, that’s a little easier to read!
It’s also possible to reconstruct files from packet captures.
This can be useful, but it can also be dangerous if not done carefully. For example, if you’re looking at a packet capture that contains a malware download, you might reconstruct the malware on your computer.
As a safe proof of concept, we can piece together the webpage this packet capture contains using the following command (tcpdump options such as -A go before the filter expression; -A prints each packet’s payload as ASCII):
tcpdump -r demo.pcap -A port 80
Great! We were able to piece together the webpage that the demo.pcap packet capture contained. From the output, we have the following information:
- HTML content
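As an added worked example (not part of the original exercise), the following Python builds a small, constructed pcap file in memory, reads it record by record the way tcpdump -r does, and applies the equivalent of the port 53 and port 80 filters used above by decoding the Ethernet, IPv4 and UDP/TCP headers down to the payload that -A would print. The addresses, ports and payloads are constructed samples, not data from demo.pcap.

```python
import struct

def build_packet(proto, sport, dport, payload):
    """Construct an Ethernet/IPv4 frame carrying UDP (17) or TCP (6); checksums left zero."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:                                                  # 20-byte TCP header, data offset 5
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))   # constructed addresses
    return eth + ip + l4

def build_pcap(frames):
    """pcap global header (magic, v2.4, tz 0, sigfigs 0, snaplen 65535, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):                    # 16-byte record header per packet
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (timestamp, frame) records, as `tcpdump -r` walks the file."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic (only little-endian, microsecond pcap handled)")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def parse_frame(frame):
    """Return (proto, src, dst, sport, dport, payload) for Ethernet/IPv4 TCP or UDP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":     # not IPv4
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
    l4 = frame[14 + ihl:]
    if proto not in (6, 17) or len(l4) < 8:
        return None
    sport, dport = struct.unpack_from("!HH", l4, 0)
    hlen = 8 if proto == 17 else (l4[12] >> 4) * 4          # UDP fixed; TCP data offset field
    return proto, src, dst, sport, dport, l4[hlen:]

def port_filter(data, port):
    """Equivalent of `tcpdump -r file port N`: keep records where either port matches."""
    decoded = (parse_frame(f) for _, f in read_pcap(data))
    return [rec for rec in decoded if rec and port in (rec[3], rec[4])]

SAMPLE_PCAP = build_pcap([                                 # constructed capture: DNS query/response + HTTP
    build_packet(17, 40000, 53, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6),
    build_packet(6, 50000, 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    build_packet(17, 53, 40000, b"\x12\x34\x81\x80" + b"\x00" * 8),
])
```

Running port_filter(SAMPLE_PCAP, 53) returns the two DNS records, and port_filter(SAMPLE_PCAP, 80) returns the single HTTP record whose payload is the request text that -A would print.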