Capture Network Traffic with TCPDump

Captions
When you want to capture packets, many people instantly reach for the GUI-based Wireshark. While it is a good way to capture packets, it is primarily a GUI application. What if we don't have a GUI and need to capture packets from the terminal? tcpdump solves this by giving you a terminal-based way to capture and analyze packets. In this video we will show you how to use tcpdump: its basic flags, how to read its output, and how to fine-tune filters so that you only capture the data you want.

tcpdump was originally written in 1988 by Van Jacobson, Sally Floyd, Vern Paxson and Steven McCanne, who were at the time employed by the Lawrence Berkeley Laboratory Network Research Group. By the late 1990s, due to a lack of coordination, there were many different versions of tcpdump circulating on the internet; for this reason Michael Richardson and Bill Fenner created tcpdump.org in 1999.

Since tcpdump is installed by default on Kali Linux, we can start it with the command tcpdump. This starts a capture on the first interface in the list, usually eth0. Capturing from a live interface requires root privileges (or the CAP_NET_RAW capability), so in practice the command is run with sudo. To select the interface we want, we use the -i flag followed by the interface name. When we look at the output we can see that many different packets were transferred, even in the short time the capture was running.

To make the packets more human-readable and tcpdump a more powerful tool, there are several flags. First, the -t flag changes the timestamp format. It can be given up to five times, and each repetition selects a different format: -t disables the timestamp entirely; -tt prints it as seconds since 1 January 1970 (the Unix epoch); -ttt prints the delta, with microsecond resolution, between the current packet and the previous one; -tttt prints the date followed by the time of day as hours, minutes, seconds and fractions of a second; and -ttttt prints the delta, in microseconds, between the current packet and the first packet of the capture.

By default tcpdump resolves IP addresses to names. With the long hostnames used in many networks this quickly becomes hard to read, so we use the -n flag, which does not resolve hosts (or service names) and shows the IP addresses and port numbers instead. As a side benefit, -n avoids the reverse DNS lookups that would otherwise slow the capture down and generate traffic of their own.

The -v flag increases verbosity and can be used up to three times; each extra v adds detail. With -vv, for example, protocols such as SMB are fully decoded and shown on screen. The -S flag prints absolute TCP sequence numbers rather than relative ones: absolute numbers are the real sequence numbers carried in the packets, while relative numbers are counted from the first packet tcpdump saw on that connection.

If we want to save the output we use the -w flag followed by the file name we want to create. This writes the raw packets to a pcap file instead of displaying them. The pcap can later be read back with the -r flag, or opened in Wireshark for further analysis.

Now that we have some basic flags to make the output more human-readable, let's look at some packets to see how they are built up. To get readable output we will use -n, -S and a repeated -t: a clearer timestamp, no hostnames, and absolute sequence numbers. Let's look at a random packet to see how to read the output. The first item on the line is the timestamp (with -ttttt, the time elapsed since the first packet of the capture). The second item is the source address and the destination address, each written as address.port and separated by a > sign, which points in the direction the packet is travelling. The section after the colon shows whether the packet is TCP (a Flags [...] field followed by sequence and acknowledgement numbers) or UDP, and finally we have the length of the packet. We can change the verbosity to show more or less information about each packet.

The easiest way to filter packets is by selecting an interface, as we did earlier. There are, however, more options available, and these options are where the true power of tcpdump lies: with them we can filter exactly the data we are interested in. We can filter packets by host using the word host followed by a target hostname or IP address; this captures all packets transmitted by or to that host. We can also restrict that to the source or the destination with src host or dst host, each followed by a hostname or IP address. If we want to capture an entire network we use net followed by a CIDR range; this acts like host, only the target is the whole network range given as the argument. We can also limit the capture to traffic from or to certain ports, either with port followed by a number, or with src port or dst port. To capture a range of ports we use portrange followed by the two ends of the range separated by a dash.

We can combine the previous examples into more complicated filters so that we find exactly what we are looking for, using three operators: and, or and not. The and operator is placed between filters to combine them; for example the host filter can be combined with a port filter to capture only traffic for that host on that port. With the or operator the same statement finds everything involving the selected host or the selected port. With not, host X and not port Y shows the selected host on all ports except the selected one. When creating complex queries we can also use parentheses to group parts of the query; this allows multiple evaluations on a single line. Because the shell would otherwise interpret the parentheses, the whole filter expression is normally wrapped in single quotes. As you can see, we can create queries tailored exactly to our needs.

If you liked the video or learned anything, please leave a like, subscribe or comment; it would help us out a lot. Thank you for watching.
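The following is an added example and not code from the video: it puts together the two practical parts above, the composite filter syntax and the layout of a tcpdump output line. It defines a filter in the style described (the address 10.0.0.5, the network 10.0.0.0/8 and the ports are made-up values), and a small awk-based function that reads the text tcpdump prints with -n -tttt and counts which hosts talk to which host:port, busiest flow first. The sample lines are constructed to mimic tcpdump's format and are not real traffic; nothing here captures from an interface, so it runs without privileges.

```shell
#!/bin/sh
# Added example, not from the video. Values below are made up.

# A composite filter in the style the video describes: traffic between one
# host and a web port, plus everything on the local /8 except SSH. The
# parentheses must be quoted, otherwise the shell treats them as a subshell.
FILTER='(host 10.0.0.5 and port 443) or (net 10.0.0.0/8 and not port 22)'

# Intended use (needs capture privileges, so it is not run here):
#   sudo tcpdump -i eth0 -n -tttt -S "$FILTER" | summarize_flows
# or against a saved capture:
#   tcpdump -n -tttt -r capture.pcap "$FILTER" | summarize_flows

# Constructed sample of `tcpdump -n -tttt` output: a TCP handshake to a web
# server, a DNS query and reply, a plain UDP datagram and an ICMP echo.
SAMPLE='2022-07-20 10:15:01.123456 IP 10.0.0.5.51234 > 93.184.216.34.443: Flags [S], seq 1234567890, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
2022-07-20 10:15:01.145678 IP 93.184.216.34.443 > 10.0.0.5.51234: Flags [S.], seq 2345678901, ack 1234567891, win 65535, options [mss 1460], length 0
2022-07-20 10:15:01.145900 IP 10.0.0.5.51234 > 93.184.216.34.443: Flags [.], ack 2345678902, win 502, length 0
2022-07-20 10:15:02.000001 IP 10.0.0.5.53210 > 10.0.0.1.53: 12345+ A? example.com. (29)
2022-07-20 10:15:02.000500 IP 10.0.0.1.53 > 10.0.0.5.53210: 12345 1/0/0 A 93.184.216.34 (45)
2022-07-20 10:15:03.000000 IP 10.0.0.5.40000 > 10.0.0.9.5000: UDP, length 10
2022-07-20 10:15:04.000000 IP 10.0.0.5 > 10.0.0.1: ICMP echo request, id 1, seq 1, length 64'

# Read `tcpdump -n -tttt` lines on stdin and print "count proto src -> dst:port",
# most frequent first. With -tttt the timestamp is two fields (date, time), so
# the "IP" marker is field 3; with the default timestamp it would be field 2.
# Only IPv4 lines are handled; IPv6 lines start with "IP6" and are skipped.
summarize_flows() {
    awk '
    $3 == "IP" {
        src = $4
        dst = $6; sub(/:$/, "", dst)           # drop the colon after the destination
        # tcpdump writes address.port; an IPv4 address has four dotted parts,
        # so a fifth part is the port. ICMP lines carry no port.
        split(src, a, ".")
        nd = split(dst, b, ".")
        sip = a[1] "." a[2] "." a[3] "." a[4]
        dip = b[1] "." b[2] "." b[3] "." b[4]
        dport = (nd == 5) ? b[5] : "-"
        if ($7 == "Flags")       proto = "tcp"   # TCP lines always start with Flags [...]
        else if ($7 == "ICMP")   proto = "icmp"
        else if ($7 == "UDP,")   proto = "udp"   # UDP with a payload tcpdump did not decode
        else                     proto = "udp"   # assumption: tcpdump decoded the payload
                                                 # (DNS here) in place of the "UDP," marker
        count[proto " " sip " -> " dip ":" dport]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -k1,1nr -k2
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | summarize_flows
```

Before pointing a filter like FILTER at a live interface, `tcpdump -d 'expression'` prints the compiled BPF program instead of capturing, which is a quick way to confirm that the expression parses and that the parentheses group the way you intended. Note that the summary above parses tcpdump's human-oriented text, which changes with the -t and -v flags; for anything beyond quick triage, save the capture with -w and process the pcap file instead.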
Info
Channel: Hackery
Views: 5,341
Keywords: hacking, cybersecurity, cyber security, tutorial, how to, howto, hackery, ethical hacking, kali, tcpdump, wireshark, packet capture, packet, kali linux, network capture, mitm, man in the middle, tcp dump, wshark, packetcapture, tcpdump tutorial, tcpdump guide, packet capture guide, how to use tcpdump, how to capture packets, packet capture tutorial, intercept network traffic, tcpdump explained, tcpdump command, tcpdump tool, tcpdump basics
Id: 5pDepRoEXNs
Length: 6min 38sec (398 seconds)
Published: Wed Jul 20 2022