Learn about packet sniffing, and try using a simulation of TCPDump to see how it's done!

Packet Sniffing Demo

Let's run through the basics of packet sniffing using TCPDump. TCPDump is a program that does packet analysis. Packet analysis is the process of intercepting data as it travels through a network. Packets are data sent over a network.

> **Note:** Some of these services are not running on this box, so we have faked some terminal interactions in this specific exercise. This is so you can experience how these commands work in the real world. 

Capturing with  TCPDump

TCPDump is far from the only tool out there used for packet capture. One of the most common tools used is Wireshark, a GUI-based tool that allows for a much deeper analysis of pcap files, in addition to capturing packets. There’s also a terminal-based version of Wireshark known as TShark. 

In addition to ‘general-purpose’ packet capture software, there are also more specialized pieces of software floating around. For example, BURP Suite is a piece of proxy software that is incredibly useful for some types of pen-testing because it allows you to intercept and modify outgoing packets from your machine in semi-realtime.

Overall, packet sniffing is incredibly useful, whether you’re looking for vulnerabilities in a website or trying to jailbreak a smart treadmill. It should have a place in any hacker’s toolbox.


Conclusion

Packet sniffing is the act of logging and analyzing packets of data that are sent over a network. There are lots of different reasons you might want to do this. Attackers can use packet sniffing to reverse engineer Application Programming Interfaces (APIs) and find vulnerabilities. Defenders can use packet sniffing to look for suspicious activity on the network. Packet sniffing can also be used for troubleshooting network issues. Looking at individual sent packets can let us better understand what’s going on “under the hood”, and that knowledge can be used to fix or break things.

Additionally, it is important to note that we don’t capture and analyze simultaneously. Some defensive security systems do analyze captured traffic in real-time, but it’s not practical for us humans. When we do a packet capture, we capture traffic first and save it in the packet capture (`.cap` or `.pcap`) file and finally analyze the file.
