TCP Dump vs Wireshark
Using Wireshark and TCPdump for Packet Capture
Install and Configure Packet Capture Software on your VM and Set Up the “NAT Network” to Practice in a Secure Environment
Description
This lab provides hands-on experience analyzing network packets with Wireshark and tcpdump. Both tools capture frames from a network interface and decode them layer by layer (Ethernet, IP, TCP/UDP, application protocol), a core skill for any cybersecurity professional.
Monitoring and decoding the packets traversing a network gives us visibility into what hosts are actually doing. We can spot anomalies, trace a conversation end to end, and find weaknesses such as cleartext protocols. In this lab we will cover:
The basics of capturing packets with both Wireshark and tcpdump
How to apply capture and display filters to narrow in on specific traffic
How to decode different protocols and interpret the fields they carry
The ability to sniff packets is like having an x-ray into a network’s inner workings. It’s one of the most fundamental cybersecurity skills.
Mastering tools like Wireshark and TCPdump will prepare you to analyze real-world network traffic. You’ll gain hands-on experience that will prove invaluable in your future career.
Basic use cases for packet sniffing include
Asset Discovery
Troubleshooting
Intrusion Detection
Response and Forensics
Key Learning Objectives
Use Wireshark and tcpdump to capture and analyze internet packet data
Understand the differences between these two packet analysis tools
Gain knowledge of networking protocols by analyzing captured packet data
Learn to identify different protocols and understand their purpose
Analyze packet data to discover potential security issues
Understand how packet analysis turns raw traffic into concrete findings (for example a cleartext login or an unexpected outbound connection)
Before We Begin
Updating Linux
Make sure to update your Linux VM
To do this, open the Terminal and enter the following
Enter: sudo apt update
Enter your password when prompted.
sudo stands for “superuser do”
It runs the command that follows it with root privileges from inside your normal user session
apt update only refreshes the list of available packages; it installs nothing and asks no questions
Enter: sudo apt upgrade
This installs the updated versions of the packages already on the system
Enter “Y” when apt asks you to confirm
Ok, now your machine should be ready to rock!
NAT, NAT Network, Bridged, Isolated
How VirtualBox Networking Works
In this video we review the types of networks that we can utilize within the VirtualBox application.
MODE – DESCRIPTION – (TIMESTAMP)
NAT – Standard – (0:52)
NAT Network – USE THIS OPTION – (3:50) *The VM sits behind VirtualBox’s own NAT: it can reach the internet, but nothing on your LAN or the internet can reach it or see its private address, and VMs on the same NAT Network can still talk to each other.
Isolated/Internal/Intranet Only – (5:55)
Bridged – The VM gets an address from the DHCP server in your router and sits on your LAN as a peer of your real devices – DO NOT USE – (07:15)
How to Enable the NAT Network in VirtualBox
Click on the Tools tab in VirtualBox
Choose Network
Select the NAT Networks tab
Click the Create button above the list
This creates a “NATNetwork” that you can select under Settings > Network > Attached to: NAT Network when configuring a VM
This keeps your lab VMs off your real LAN while you practice, and lets several VMs on the same NAT Network reach each other
Packet Capture and Analysis
Wireshark in Kali Linux
Open the Wireshark application on the Linux VM
It can be opened via the application menu on the top left of the screen
Search for Wireshark and open the application
The main panels within the dashboard are:
Packet List – Displays captured packets.
Packet Details – Shows the decoded contents of the selected packet.
Packet Bytes – Hex and ASCII view of the data bytes.
Double-click the interface name (eth0, wlan0, etc.) to start capturing on it. On Kali, Wireshark can capture as a normal user only if that user is in the wireshark group; otherwise start it with sudo.
Generate some sample traffic by browsing websites, pinging hosts, etc.
Stop the capture (the red square) and explore some packets. Click a packet in the Packet List pane to see its decoded layers in Packet Details.
Apply display filters to focus on certain packets. For example, icmp shows only ICMP traffic, dns only DNS, and tcp.port == 443 only traffic to or from port 443.
Dig into protocol specifics:
Identify HTTP requests/responses.
Inspect DNS queries and responses.
Analyze TCP handshake and flow (SYN, SYN/ACK, ACK)
Right-click a TCP packet and select Follow > TCP Stream
This opens a window showing the full TCP conversation between the two endpoints, each direction in its own colour, so you can read everything sent over that connection (readable for cleartext protocols such as HTTP, opaque for TLS)
Wireshark reassembles the segments in sequence-number order. TCP segments can arrive out of order or be retransmitted; the stream view puts the bytes back in the order the application saw them
Save an interesting capture (File > Save As) for further analysis. tcpdump and most other tools read the classic pcap format; choose it explicitly if you do not need Wireshark’s default pcapng
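As an added example (not part of the original lab, and not Wireshark or tcpdump code), the following Python script does by hand what the Follow TCP Stream and handshake steps above do in the GUI: it walks a classic pcap file record by record, decodes the Ethernet/IPv4/TCP headers with the standard library only, and picks out a SYN, the SYN/ACK that answers it and the ACK that completes the handshake, reporting the facts the Deliverables ask for (endpoints, absolute and relative sequence numbers, what the third ACK acknowledges, and the handshake time). The capture it runs on is constructed inside the script; the addresses 10.0.2.15 and 203.0.113.5, the ports and the sequence numbers are made up for illustration.

```python
import socket
import struct

SYN, ACK = 0x02, 0x10  # TCP flag bits


def tcp_frame(src_ip, dst_ip, sport, dport, seq, ack, flags):
    """Build a constructed Ethernet/IPv4/TCP frame with no payload (checksums left 0)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # zeroed MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4, flags, 65535, 0, 0)           # 20-byte header, no options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def build_pcap(records):
    """records: [(ts_sec, ts_usec, frame)] -> classic little-endian pcap bytes, linktype 1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts_sec, ts_usec, frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


def decode_tcp(frame):
    """Return addressing and TCP header fields of an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                                         # not IPv4, or not TCP
    ihl = (frame[14] & 0x0F) * 4                            # IP header length in bytes
    sport, dport, seq, ack, off_flags = struct.unpack_from("!HHIIH", frame, 14 + ihl)
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF}                    # low 9 bits hold the flags


def parse_pcap(data):
    """Walk the pcap record by record; return decoded TCP packets with microsecond timestamps."""
    magic, = struct.unpack_from("<I", data, 0)
    end = "<" if magic == 0xA1B2C3D4 else ">"              # byte order follows the magic
    off, packets = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(end + "IIII", data, off)
        off += 16
        pkt = decode_tcp(data[off:off + incl_len])
        off += incl_len
        if pkt:
            pkt["time_us"] = ts_sec * 1_000_000 + ts_usec
            packets.append(pkt)
    return packets


def find_handshake(packets):
    """Find the first SYN, the SYN/ACK that answers it, and the ACK that completes it."""
    for i, syn in enumerate(packets):
        if syn["flags"] != SYN:
            continue
        for j in range(i + 1, len(packets)):
            sa = packets[j]
            if (sa["flags"] == SYN | ACK and sa["src"] == syn["dst"] and sa["dst"] == syn["src"]
                    and sa["sport"] == syn["dport"] and sa["ack"] == syn["seq"] + 1):
                for ack in packets[j + 1:]:
                    if (ack["flags"] == ACK and ack["src"] == syn["src"]
                            and ack["sport"] == syn["sport"]
                            and ack["seq"] == syn["seq"] + 1 and ack["ack"] == sa["seq"] + 1):
                        return {
                            "client": (syn["src"], syn["sport"]),
                            "server": (syn["dst"], syn["dport"]),
                            "client_isn": syn["seq"], "server_isn": sa["seq"],
                            # Wireshark shows these as relative numbers: 0, 0, 1
                            "relative_seq": (0, 0, ack["seq"] - syn["seq"]),
                            "third_ack_means": sa["seq"] + 1,   # next byte expected from server
                            "duration_us": ack["time_us"] - syn["time_us"],
                        }
    return None


# Constructed capture: client 10.0.2.15:40000 opens a connection to 203.0.113.5:443.
SAMPLE_PCAP = build_pcap([
    (1700000000, 100, tcp_frame("10.0.2.15", "203.0.113.5", 40000, 443, 1000000, 0, SYN)),
    (1700000000, 350, tcp_frame("203.0.113.5", "10.0.2.15", 443, 40000, 5000000, 1000001, SYN | ACK)),
    (1700000000, 400, tcp_frame("10.0.2.15", "203.0.113.5", 40000, 443, 1000001, 5000001, ACK)),
])

if __name__ == "__main__":
    print(find_handshake(parse_pcap(SAMPLE_PCAP)))
```

To run it on a real capture, replace SAMPLE_PCAP with open("capture.pcap", "rb").read(); save from Wireshark as pcap rather than its default pcapng, or capture with tcpdump -w, since the parser handles only the classic format. Wireshark’s Packet Details pane shows relative sequence numbers by default (0, 0, 1 across the handshake); untick "Relative sequence numbers" in the TCP protocol preferences, or use tcpdump -S, to see the absolute values the script reports.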
TCPdump in Kali Linux
Open a terminal in your Linux VM
Install tcpdump from your VM’s package repository (Kali normally ships with it, in which case apt simply reports it is already installed)
Enter: sudo apt install tcpdump
Enter your password as prompted
Now run tcpdump (capturing requires root, or the CAP_NET_RAW and CAP_NET_ADMIN capabilities)
Enter: sudo tcpdump
Open Firefox on your VM, open multiple tabs and click the bookmarked sites to get some data flowing
Go back to the terminal and you will see the packet summaries scrolling past, one line per packet
Use Ctrl+C to stop the capture; tcpdump then prints how many packets it captured and how many the kernel dropped
Like Wireshark, tcpdump can capture on any interface. To list the interfaces it can see:
Enter: sudo tcpdump -D
Pick one with -i, or use -i any to capture on all of them at once
Options can be combined on one command line, for example sudo tcpdump -i eth0 -nn -c 20. The most useful ones:
-i any : Listen on all interfaces, handy to check whether you are seeing any traffic at all
-i eth0 : Listen on the eth0 interface
-D : Show the list of available interfaces
-n : Don’t resolve IP addresses to hostnames
-nn : Don’t resolve hostnames or port numbers to service names
-q : Quiet output, with less protocol information per line
-t : Don’t print a timestamp on each line
-tttt : Print a full human-readable date and time on each line
-X : Show the packet’s contents in both hex and ASCII
-XX : Same as -X, but also shows the Ethernet header
-v, -vv, -vvv : Increase the amount of packet information printed
-c N : Capture N packets and then stop
-s N : Capture only the first N bytes of each packet (the snapshot length). Use -s0 to capture whole packets unless you are intentionally capturing less
-S : Print absolute TCP sequence numbers instead of the relative numbers tcpdump normally shows after the handshake
-e : Print the Ethernet header (MAC addresses) as well
-E : Decrypt IPsec ESP traffic when you supply the algorithm and key
-w file.pcap : Write the raw packets to a file instead of printing them, so they can be opened in Wireshark later
-r file.pcap : Read packets from a file instead of a live interface
A BPF capture filter can follow the options, for example sudo tcpdump -i eth0 -nn tcp port 443 or sudo tcpdump -i any -nn host 10.0.2.15, so that only matching packets are captured
Interpret the Output
Example Packet Data (a constructed line in the format tcpdump -n prints for a TCP segment):
14:21:46.134249 IP 10.2.33.44.40000 > 203.0.113.5.443: Flags [.], ack 2915, win 72000, length 0
14:21:46.134249 – Timestamp of when the packet was captured (time of day, with microseconds)
IP 10.2.33.44.40000 – Source host and port; tcpdump prints the port as a final dotted field, so this is 10.2.33.44 port 40000
203.0.113.5.443 – Destination host and port: 203.0.113.5 port 443
Flags [.] – TCP flags. S is SYN, . is ACK, P is PSH, F is FIN, R is RST; [.] alone means a pure ACK with no other flag set, and [S.] means SYN/ACK
ack 2915 – The acknowledgment number: the next byte the sender expects to receive from the other side
win 72000 – The window size advertised by the sender (how many more bytes it is willing to receive)
length 0 – The length of the TCP payload; 0 means this is a bare acknowledgment
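As an added example (not from the original lab), here is a small Python parser for the one-line summaries tcpdump prints, so you can pull the fields explained above out of a saved text capture instead of reading them by eye. The sample lines are constructed for the example and written the way tcpdump -nnS would print them (absolute sequence numbers, no name resolution): a three-packet handshake, one data segment, and one ARP line that the parser deliberately ignores. The addresses 10.2.33.44 and 203.0.113.5 and all sequence numbers are made up.

```python
import re

# Letters tcpdump uses inside Flags [...] and the flag names they stand for.
FLAG_NAMES = {"S": "SYN", ".": "ACK", "P": "PSH", "F": "FIN", "R": "RST",
              "U": "URG", "E": "ECE", "W": "CWR"}

# One TCP-over-IPv4 summary line: timestamp, "IP", src.port > dst.port: Flags [..] rest
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$")
# seq may be a range "first:last" for segments carrying data; ack/win/length are single numbers
FIELD_RE = re.compile(r"\b(seq|ack|win|length) (\d+)(?::(\d+))?")


def parse_line(line):
    """Parse one tcpdump summary line into a dict, or None for non-TCP/IPv4 lines (ARP, ICMP, UDP, IPv6)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
           "dst": m["dst"], "dport": int(m["dport"]),
           "flags": [FLAG_NAMES.get(c, c) for c in m["flags"]],
           "seq": None, "seq_end": None, "ack": None, "win": None, "length": 0}
    for name, first, last in FIELD_RE.findall(m["rest"]):
        rec[name] = int(first)
        if name == "seq" and last:
            rec["seq_end"] = int(last)       # end of the byte range this segment carries
    return rec


def parse_tcpdump(text):
    """Parse a whole block of tcpdump output, dropping lines that are not TCP/IPv4."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def ts_to_us(ts):
    """'HH:MM:SS.ffffff' -> microseconds since midnight, for timing deltas between lines."""
    h, m, s = ts.split(":")
    sec, frac = s.split(".")
    return ((int(h) * 60 + int(m)) * 60 + int(sec)) * 1_000_000 + int(frac)


def bytes_per_flow(records):
    """Payload bytes per direction of each connection, keyed (src, sport, dst, dport)."""
    totals = {}
    for r in records:
        key = (r["src"], r["sport"], r["dst"], r["dport"])
        totals[key] = totals.get(key, 0) + r["length"]
    return totals


# Constructed sample output, as tcpdump -nnS would print it (addresses and numbers made up).
SAMPLE = """\
14:21:46.134249 IP 10.2.33.44.40000 > 203.0.113.5.443: Flags [S], seq 1000000, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
14:21:46.134500 IP 203.0.113.5.443 > 10.2.33.44.40000: Flags [S.], seq 5000000, ack 1000001, win 65160, options [mss 1460,sackOK,TS val 2 ecr 1,nop,wscale 7], length 0
14:21:46.134600 IP 10.2.33.44.40000 > 203.0.113.5.443: Flags [.], ack 5000001, win 502, length 0
14:21:46.135000 IP 10.2.33.44.40000 > 203.0.113.5.443: Flags [P.], seq 1000001:1000518, ack 5000001, win 502, length 517
14:21:46.140000 ARP, Request who-has 10.2.33.1 tell 10.2.33.44, length 28
"""

if __name__ == "__main__":
    recs = parse_tcpdump(SAMPLE)
    for r in recs:
        print(r["ts"], r["src"], r["sport"], "->", r["dst"], r["dport"], r["flags"], r["length"])
    print("handshake took", ts_to_us(recs[2]["ts"]) - ts_to_us(recs[0]["ts"]), "us")
    print(bytes_per_flow(recs))
```

Feed it real output with something like sudo tcpdump -i eth0 -nnS tcp > capture.txt and parse_tcpdump(open("capture.txt").read()). Without -S the third line would read ack 1, because tcpdump switches to relative numbers once it has seen both ends of the handshake; the parser does not care, but your interpretation of the numbers does.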
Deliverables
Create a document or PDF that includes a screenshot of the packets and the information you used to answer these questions in Wireshark
Identify a TCP 3-Way Handshake. What are the source and destination IP addresses and ports for each of the SYN, SYN/ACK, and ACK packets?
Answer these questions on the document
What sequence numbers are used in the SYN, SYN/ACK, and ACK packets?
What is the total time to complete the handshake?
What does the ACK sequence number in the third ACK packet indicate?
What are the differences that you experience with the two tools?
Just for Fun: what tool will let you look even further into the captured packets?