Capturing and analyzing network traffic is a core security assessment skill. Though there are many tools available, in my mind the two most important for packet capture and analysis are Wireshark and tcpdump. I like tcpdump for packet capture and Wireshark for analysis (“D.3. tcpdump,” n.d.). For security assessments, you can use packet capture on demand to investigate suspicious activity, or you can build a pcap repository that captures traffic over a period of time, establishing baselines that help you detect and investigate anomalies.
To capture packets, the first thing you need is permission (See https://pdrcybersecurity.com/disclaimer/). Second, you need the right hardware, software, and access to the network. Regarding hardware, you need a network adapter that you can put into monitor or promiscuous mode. If your network adapter does not support this function, you will have to use a commercially available 802.11 network adapter that is specially designed for capturing packets such as AirPcap USB adapter, manufactured by Riverbed Technology (See https://www.riverbed.com/products/steelcentral/steelcentral-riverbed-airpcap.html).
Armed with the right hardware, you need access to the network. Network access can be obtained in any number of ways (e.g., hubs, switch port mirroring, a WAP, a TAP), a full discussion of which is outside the scope of this post. Finally, you will need packet capture software to record packets. Tcpdump is powerful yet simple-to-use packet capture software that runs from the command line. If not run with the -c flag, tcpdump will continue capturing packets until it is interrupted by a SIGINT signal.
The two most common software libraries for recording, parsing, and analyzing captured packet data are libpcap and WinPcap. Libpcap is a portable C/C++ library for network traffic capture that provides an API for capturing and filtering data link layer frames from network interfaces. Tcpdump is built on the libpcap library (“Tcpdump,” n.d.).
Libpcap includes a filtering language known as “Berkeley Packet Filter” (BPF) syntax. Using libpcap’s BPF filters, you can define which traffic to capture by matching fields of Layer 2, 3, and 4 protocols.
Packet Capture with tcpdump
View the built-in usage summary with tcpdump -h.
For more details and options view tcpdump man pages:
$ man tcpdump
Show available interfaces:
Capture packets from a specific interface:
Capture and write all packets to one file called one_file_capture.pcap until you stop the capture:
Capture and write all packets to multiple files no larger than 10MB each:
I use hping3 to flood the target (Metasploitable 2) on my test network with packets:
I stop the capture and list the directory. We see that tcpdump created multiple files, all smaller than 10MB:
Capture and write all packets to a single file for host IP address 10.0.2.6:
For more tcpdump command examples see my tcpdump Cheat Sheet.
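Once captures are sitting in a pcap repository, the files tcpdump wrote with -w can be analyzed offline. The following is an added example (not from the original post) that reads the libpcap file format directly and tallies packets per source/destination pair for one host, mirroring the "host 10.0.2.6" filter used above; the sample capture is constructed inline and the 10.0.2.x addresses are assumed.

```python
import struct
from collections import Counter

def parse_pcap(data):
    """Yield (ts_sec, ts_usec, frame) records from libpcap-format bytes (what tcpdump -w writes)."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap capture file")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != 1:  # LINKTYPE_ETHERNET; other link types need other decoders
        raise ValueError(f"unsupported link type {linktype}")
    offset = 24  # the global header is 24 bytes
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        frame = data[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:
            break  # truncated record, e.g. capture interrupted mid-write
        offset += 16 + incl_len
        yield ts_sec, ts_usec, frame

def ipv4_endpoints(frame):
    """Return (src, dst) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType 0x0800 = IPv4
        return None
    return ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))

def host_packet_counts(data, host):
    """Count packets per (src, dst) pair involving host, like the tcpdump 'host <ip>' filter."""
    counts = Counter()
    for _, _, frame in parse_pcap(data):
        ep = ipv4_endpoints(frame)
        if ep and host in ep:
            counts[ep] += 1
    return counts

# Constructed sample capture (not a real trace): four Ethernet/IPv4/UDP frames on a 10.0.2.0/24 lab net.
def _frame(src, dst):
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, 17, 0, 0]) + bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
    return eth + ip + b"\x00" * 8  # minimal UDP header, checksums left zero

def _pcap(frames):
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 1508716800 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

SAMPLE_PCAP = _pcap([_frame("10.0.2.15", "10.0.2.6"), _frame("10.0.2.6", "10.0.2.15"),
                     _frame("10.0.2.15", "10.0.2.6"), _frame("10.0.2.15", "10.0.2.1")])
```

Run `host_packet_counts(open("one_file_capture.pcap", "rb").read(), "10.0.2.6")` against a real capture; comparing the counts across files from the rotated capture gives a simple per-host baseline.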
About the Author
David Zwickl, MSci., CISSP, CEH, has spent over 20 years in information assurance and cybersecurity for companies such as RSA Security and Cisco Systems in a variety of roles. Dave holds a Master’s degree in Information Assurance with a Cybersecurity Specialization from Regis University in Denver, Colorado. Regis University’s School of Computer & Information Sciences is designated a National Center of Excellence in Information Systems Security Education (CAE/IAE) by the National Security Agency (NSA) and the Department of Homeland Security (DHS). Dave is active in industry associations including ISSA, OWASP, and CSA.
D.3. tcpdump: Capturing with tcpdump for viewing with Wireshark. (n.d.). Retrieved October 23, 2017 from https://www.wireshark.org/
hping3. (n.d.). Retrieved October 23, 2017 from https://tools.kali.org/information-gathering/hping3
TAP vs span. (n.d.). Retrieved October 23, 2017 from https://observer.viavisolutions.com/
Tcpdump & Libpcap. (n.d.). Retrieved October 23, 2017 from http://www.tcpdump.org/