TCP Dump vs Wireshark

Install and Configure Packet Capture Software
on your VM and Set Up the “NAT Network” to
Practice in a Secure Environment

Desription

• This lab will provide essential experience in analyzing internet packets using Wireshark and TCPdump. These tools allow us to capture and inspect packets at the network layer, which is a critical skill for any cybersecurity professional.

• Monitoring and decoding packets traversing a network gives us visibility into network activity and behavior. We can identify anomalies, trace communications, and gain insight into potential vulnerabilities. In this lab, we will cover:

  • The basics of capturing packets using both Wireshark and tcpdump

  • How to apply filters to narrow in on specific traffic

  • Decode different packet protocols, to understand how to interpret the data

• The ability to sniff packets is like having an x-ray into a network’s inner workings. It’s one of the most fundamental cybersecurity skills.

• Mastering tools like Wireshark and TCPdump will prepare you to analyze real-world network traffic. You’ll gain hands-on experience that will prove invaluable in your future career.

Basic use cases for packet sniffing include

• Asset Discovery

• Troubleshooting

• Intrusion Detection

• Response and Forensics

Key Learning Objectives

• Use Wireshark and tcpdump to capture and analyze internet packet data

• Understand the differences between these two packet analysis tools

• Gain knowledge of networking protocols by analyzing captured packet data

• Learn to identify different protocols and understand their purpose

• Analyze packet data to discover potential security issues

• Understand how packet analysis can reveal findings

Before We Begin

Updating Linux

1. Make sure to update your Linux VM

2. To do this, open the Terminal and enter the following

3. Enter: sudo apt update

4. Enter your password when prompted by using the sudo command.

5. sudo stands for “Super User Do”

6. This allows for root control inside your user session

7. Follow the incoming prompts

8. Enter “Y” when asked to update

9. Enter: sudo apt upgrade

10. This will install the update package

11. Select “Y” when asked

12. Ok, now your machine should be ready to rock!

NAT, NAT Network, Bridged, Isolated

• How VirtualBox Networking Works?

  • https://youtu.be/Fhdxk4bmJCs?si=hN7GByxEWq0GCKoe

  • In this video we review the types of networks that we can utilize within the VirtualBox application.

  • MODE – DESCRIPTION – (TIMESTAMP)

  • NAT – Standard – (0:52)

  • NAT Network – USE THIS OPTION – (3:50) *This option will protect your private IP out in the wild.

  • Isolated/Internal/Intranet Only – (5:55)

  • Bridged – Uses the DHCP Server in your Router – DO NOT USE – (07:15)

  • How to Enable the NAT Network in VirtualBox

    • Click on the Tools tab in VirtualBox

    • Choose Network

    • Select the NAT Networks tab

    • Select the Create tab above the previous choice

    • This will create a “NATNetwork” for you to select when configuring the network for a VM

    • This setting will allow you to stay safer while practicing cybersecurity

Packet Capture and Analysis

Wireshark in Kali Linux

1. Open the Wireshark application on the Linux VM

   • It can be opened via the application menu on the top left of the screen

   • Search for Wireshark and open the application

2. The main panels within the dashboard are:

   • Packet List – Displays captured packets.

   • Packet Details – Shows the decoded contents of the selected packet.

   • Packet Bytes – Hex and ASCII view of the data bytes.

3. Click the interface name (eth0, wlan0, etc.) to start packet capture.

4. Generate some sample traffic by browsing websites, pinging hosts, etc.

5. Stop the capture and explore some packets. Click on packets in the Packet List pane to view details.

6. Apply filters to focus on certain packets. For example, icmp to show only ICMP traffic.

7. Dig into protocol specifics:

   • Identify HTTP requests/responses.

   • Inspect DNS queries and responses.

   • Analyze TCP handshake and flow (SYN, SYN/ACK, ACK)

     • Right click on the first packet and select “Follow TCP Stream”

     • Displays the full TCP conversation between two devices in a new window. Lets you see all data sent over TCP

8. Puts TCP packet data in correct order. TCP packets can arrive out of order. Wireshark reorders them so the stream makes sense.

9. Save an interesting packet capture file for further analysis.

TCPdump in Kali Linux

1. Open the command prompt in your Linux VM

2. Install the tcpdump from your Linux VM’s repository

   • Enter: sudo apt install tcpdump

   • Enter your password as prompted

3. Now run tcpdump (must be run with root privileges)

   • Enter: sudo tcpdump

4. Open your Mozilla Firefox browser on your VM and open multiple tabs, click the bookmarked sites and get some data flowing.

5. Go back to the command prompt screen and you will see the packet capture taking place

6. Use Ctrl+C to stop the packet capture operations

7. Similar to Wireshark, TCPdump can capture traffic on different interfaces

8. Enter: sudo tcpdump -any

9. This will show the interfaces and how to list them on the command line

10. Options can also be added to each command as follows:

    • -i any : Listen on all interfaces just to see if you’re seeing any traffic

    • -i eth0 : Listen on the eth0 interface

    • -D : Show the list of available interfaces

    • -n : Don’t resolve hostnames

    • -nn : Don’t resolve hostnames or port names

    • -q : Be less verbose (more quiet) with your output

    • -t : Give human-readable timestamp output

    • -tttt : Give maximally human-readable timestamp output

    • -X : Show the packet’s contents in both hex and ASCII

    • -XX : Same as -X, but also shows the ethernet header

    • -v, -vv, -vvv : Increase the amount of packet information you get back

    • -c : Only get x number of packets and then stop

    • -s : Define the size of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less

    • -S : Print absolute sequence numbers

    • -e : Get the ethernet header as well

    • -q : Show less protocol information

    • -E : Decrypt IPSEC traffic by providing an encryption keyInterpret the Output

Example Packet Data:

• 14:21:46.134249 IP 10.2.33.440000 > 111.222.33.444: Flags [.], ack 2915, win 72000, length 0

• 14:21:46.134249 – Timestamp of when the packet was captured

• IP 10.2.33.440000 – IP and port number of the source host

• 111.222.33.444 – IP and port number of the destination host

• Flags [.] – TCP flags (SYN, ACK, PSH, etc). [.] means ACK

• ack 2915 – The acknowledgment number

• win 72000 – The window number (bytes in receiving buffer)

• length 0 – The length of the payload data

Deliverables

• Create a document or pdf including a screenshot of the packets and information you use for these questions using Wireshark

• Identify a TCP 3-Way Handshake. What are the source and destination IP addresses and ports for each of the SYN, SYN/ACK, and ACK packets?

Answer these questions on the document

1. What sequence numbers are used in the SYN, SYN/ACK, and ACK packets?

2. What is the total time to complete the handshake?

3. What does the ACK sequence number in the third ACK packet indicate?

4. What are the differences that you experience with the two tools?

5. Just for Fun What tool will allow you look further into packets that are captured?