Analyze Network traffic using TCPDump

Skills Learned: Wireshark, tcpdump, Visual Studio

8/26/2023

Useful Commands:

  • sudo tcpdump -- runs tcpdump with root privileges from the terminal to capture packets

  • sudo tcpdump -c 10 -- stops after capturing 10 packets; adding -# prints a packet number on each line, and -#A also prints each packet's contents in ASCII

  • man tcpdump -- pulls up the manual

  • -#tttt -- packet numbers plus a human-readable date and time for each packet

  • -D -- shows the available network interfaces

  • -G -- rotates the capture file every N seconds

  • -c -- stops after capturing N packets

  • -C -- rotates the capture file once it reaches the given size (in millions of bytes)

  • -w -- writes the capture to a pcap file

  • Ctrl-C -- stops tcpdump

  1. Capturing specific packets from a network

  1. Command tcpdump -i ens5 -c 10 -> captures 10 packets from the ens5 interface

Capturing packets from a specific domain:

  1. I ran the command: sudo tcpdump -#tttt -c 10 port 443 and host skyroute66.com

    • Breakdown:

      • -#tttt -- date and time for each packet (the -# adds packet numbers)

      • -c 10 -- capture 10 packets

      • port 443 -- capture HTTPS traffic

      • host -- specifies the host whose traffic we want to capture

  1. Capturing with a shell script

I created a shell script in Visual Studio: sudo tcpdump -#XXtttt host skyroute66.com -c 10

  • Breakdown:

    • -#XXtttt -- packet numbers, date and time, and a hex/ASCII dump of each packet including its link-layer header

    • -c 10 -- capture 10 packets

    • host -- specifies the host whose traffic we want to capture

  1. Creating and reading dump files

I changed the script to write to a pcap file (sudo tcpdump -#tttt host skyroute66.com -w captured.pcap -c 10) -- this file is used to store the captured packet information
- The format in this pcap file is messy -- Wireshark can be used to read this information more clearly

  1. Creating a sequence of dump files with size and time limits

I changed my original script to capture based on time rather than packet count
- Original: sudo tcpdump -#tttt host skyroute66.com -w captured.pcap -c 10

- Time-based: sudo tcpdump -#XXtttt host skyroute66.com -w captured.pcap -G 15

  • -G 15 -- rotates the capture file every 15 seconds

  • Removing -c drops the packet-count limit, so the capture no longer stopped as intended

    • How to specify both a packet count and a time limit?

      • sudo tcpdump -#XXtttt host skyroute66.com -w captured.pcap -c 1 -G 15

        • Captures 1 packet and rotates the file after 15 seconds

File size: sudo tcpdump -#XXtttt host skyroute66.com -w captured.pcap -C 1 -G 600

  • -C -- rotates the capture file based on its size

  • In this scenario the capture file rotates whenever it reaches 1 million bytes (-C 1) or 600 seconds elapse (-G 600), whichever comes first

  1. Advanced Expressions for more filtering options

Advanced script: sudo tcpdump -XXtttt 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420' -w advanced.pcap

  • Ran this script and tried to analyze the API call to: www.datausa.io.api/data?drilldowns=Nation&measures=population

  • This filter captures HTTP GET traffic: tcp[12:1] & 0xf0 is the TCP data offset (header length in 32-bit words, stored in the high nibble), shifting it right by 2 converts it to a byte count, so the expression reads the first 4 bytes of the TCP payload and compares them with 0x47455420, the ASCII encoding of "GET "
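To make the byte arithmetic behind that filter concrete, here is an added Python example (not part of the original post) that rebuilds the same test in pure Python over constructed IPv4/TCP packets, including one with TCP options, which is exactly the case where a fixed offset of 20 would read the wrong bytes. The packet builder and the sample payloads are assumptions made for this example.

```python
import struct

GET_MAGIC = 0x47455420  # ASCII "GET " read as a big-endian 32-bit integer


def build_ipv4_tcp(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Build a minimal IPv4+TCP packet (constructed test data, not a real capture)."""
    assert len(tcp_options) % 4 == 0, "TCP options must pad to 32-bit words"
    data_offset_words = 5 + len(tcp_options) // 4   # TCP header length in 32-bit words
    tcp_header = struct.pack(
        "!HHIIBBHHH",
        40000, 80,                 # source port, destination port
        1, 0,                      # sequence number, ack number
        data_offset_words << 4,    # byte 12: data offset lives in the high nibble
        0x18,                      # flags: PSH|ACK
        65535, 0, 0,               # window, checksum (left unset), urgent pointer
    ) + tcp_options
    total_len = 20 + len(tcp_header) + len(payload)
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, 6, 0,   # version/IHL, TOS, len, id, frag, TTL, proto=TCP, csum
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
    )
    return ip_header + tcp_header + payload


def tcp_payload_offset(tcp: bytes) -> int:
    """Same arithmetic as the BPF expression: (tcp[12:1] & 0xf0) >> 2.
    The high nibble holds the header length in words; >> 2 turns it into bytes
    (x >> 4 words times 4 bytes per word is x >> 2)."""
    return (tcp[12] & 0xF0) >> 2


def matches_get_filter(packet: bytes) -> bool:
    """Python equivalent of tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 for an IPv4 packet."""
    if packet[9] != 6:                    # IPv4 protocol field must be TCP
        return False
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    tcp = packet[ihl:]
    off = tcp_payload_offset(tcp)
    if len(tcp) < off + 4:                # fewer than 4 payload bytes: BPF would not match either
        return False
    return struct.unpack("!I", tcp[off:off + 4])[0] == GET_MAGIC
```

Without the `>> 2`, a plain 20-byte header gives `tcp[12] & 0xf0 == 0x50`, i.e. offset 80, which points well past the start of the payload.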