packet capture tutorial using tcpdump

Captions
Need to troubleshoot why your network isn't working, or just want to see what IoT devices are doing on your network? In this video we will be looking at using the tcpdump program to capture network packets. Please help me out by hitting the subscribe button, because it's now or never.

In this video we are going to be looking at tcpdump, which is a command-line packet analyzer. You can capture packets and also read back a pcap file. tcpdump is already preloaded on CAINE, Parrot OS and other incident response Linux distros, but if you are using another distro where it's not loaded, you can go to tcpdump.org for download instructions.

Once you're ready, just type tcpdump. We get an error that tells us that we don't have permission to capture on that device, so basically we need to use sudo to run tcpdump as root, because this is now going out to a device which needs administrator privileges. So let's try again with sudo tcpdump. Now we see a lot of stuff flashing across the screen, a little too much as a matter of fact, and it just doesn't stop. Well, there's a couple of things we can do. One thing we can do is type Ctrl-C; this will terminate tcpdump when you're done capturing packets. To have tcpdump stop by itself, we can limit its operation to the number of packets specified by the -c option. So if we do sudo tcpdump -c 5, what we're going to see is that five packets are captured and then the program stops.

Another way to limit the output from tcpdump is to select only the interfaces where there is traffic of interest. Some systems have multiple network interfaces on different networks, so depending on what you're trying to do, you will need to know which network you want to analyze. An old standby command is ifconfig. We can use -a for all interfaces, even if they're currently down, and then pipe the output through grep to only look for the lines with the word mtu, as that gives us a condensed list. On this machine I can see the wired Ethernet interface, it's called eth0; I also see the loopback device lo, which is standard on all machines; and then lastly we see this long name starting with wlx, which is my external wireless antenna.

We can also use the tcpdump command with the -D option to see what interfaces tcpdump sees. So if we do sudo tcpdump -D, here we see the Ethernet eth0, then the external wireless, then the word any, which basically means all devices, then the loopback lo, then the Bluetooth monitor, something called the Linux netfilter log (nflog), something else called the Linux netfilter queue (nfqueue), and then dbus-system and dbus-session. So we get a few more interfaces than ifconfig does. You can select the number of the interface or the name; I recommend the name, as it's clearer when somebody goes through your logs, plus those numbers could change when you reboot the machine. If you specify any, then it will capture from all interfaces. So we can try sudo tcpdump -i any, and as you can see from the output, we have things coming from the Ethernet, from the loopback and from the external wireless. If we do sudo tcpdump -i 1 (one is the Ethernet), now we are only looking at things that are coming off the Ethernet connection for this machine. We can do the same thing by specifying sudo tcpdump -i eth0; I recommend using this method instead of specifying a number, because those numbers are not really meaningful and they can change. Another example: we can do sudo tcpdump -i lo, and now we're only looking at the traffic on the loopback. And lastly, if I want to just look at traffic on the external Wi-Fi, I can do sudo tcpdump -i wlx... with the full interface name.

To further narrow down what you're looking for, tcpdump can use filters. You can filter by host name, by network, by a specific port number or range of ports; you can also filter on the source of the packets, the destination of the packets, or a specific address for the packets. So let's say we're only interested in the traffic coming from and going to a specific host. We can use the host specifier: sudo tcpdump -i eth0 host caine. We look at just the Ethernet for this demo, then type the word host and then the name of the host, in this case caine. Here we see only traffic involving the machine caine: some packets are going from caine and some packets are going to caine, but every packet we see here involves caine as either the source or the destination.

If we care only about the traffic originating from the host, we can add src (source) before the word host: sudo tcpdump -i eth0 src host caine. Here we only see traffic where the machine caine is the source of the packets, so all the other packets, which had it as the destination, are no longer shown. If we flip it around and only care about traffic ending at a particular host, we can add dst (destination) before the word host. You can also use an IP address instead of the host name, so let's do sudo tcpdump -i eth0 dst host and put in the IP address for my machine caine, which is at 10.0... Here we're only seeing traffic where the machine caine is the destination of the packets.

You can also use a MAC address instead of the IP address if you're looking for a specific machine that might have moved networks and now more than likely has a different IP. So we can do sudo tcpdump -i eth0 ether host 08:00:27:e2:e9:51, which is my MAC address. Instead of a specific host, we can also filter for a range of addresses by specifying the network along with the netmask. So let's go ahead and do sudo tcpdump -i eth0 net 10.0.2.4 mask 255.255.255.252: the network we're going to look at is 10.0.2.4 and we're applying the mask 255.255.255.252.

This should limit the number of machines that we're going to be seeing, and because of the mask that we set here, we're only seeing traffic from the machine that's named fedora. But I noticed in the output that the machines are referred to by their host names, so it's actually hard to see whether the filter for the IPs is working or not. We can tell tcpdump not to convert the addresses to names and port numbers by using the -n option, so that this demo is easier to see. I'm going to go ahead and up-arrow and add -n. Now we can see the traffic, and it's all showing the IP numbers instead of the machine names, and as we can see, we're only looking at traffic for the machine that's .4; all of the other machines whose IP numbers are not in this range are not picked up by tcpdump.

We can limit the captured traffic to and from port numbers. So if we are only interested in traffic involving port 22, which is going to be the SSH traffic, we can specify just port 22: sudo tcpdump -i eth0 port 22 -n, with -n because once again we want it to show us the port numbers instead of names like icmp or ssh and so forth. So we're now only looking at traffic that involves SSH, or port 22. We can add another filter to only look at port 22 of a specific host, using the and operator to create that filter: sudo tcpdump -i eth0 src host 10.0.2.12 and port 22 -n. Now we are only seeing traffic from that host where it's port 22. Besides the and operator there's also the or operator, so if we up-arrow and change the and to an or, now we're looking at traffic that originated from the machine .12 or anything that involves port 22, so we should have a few more packets than the last one.

Finally we also have the not operator, which is reverse logic. So if you do sudo tcpdump -i eth0 src host 10.0.2.12 and not port 22 -n, now we're going to be seeing any traffic that's coming from the host .12 but not port 22, which should be just all of the ping traffic.

Using tcpdump you can filter by protocols such as tcp, udp, icmp, arp, etc. So if we only want to see the ARP traffic we can do sudo tcpdump -i eth0 arp, and this kind of filter might be of interest if you want to see whether there is any ARP poisoning activity on your network. Once again we can use the operators and, or and not to craft the filter, so if we don't care about ICMP traffic but want everything else on this network, we can do sudo tcpdump -i eth0 not icmp. Now we see all the traffic that's on this network except the ICMP traffic.

If you're using tcpdump in a script, you will probably want to have the output go into a file for further analysis instead of just scrolling onto the screen. We can specify an output file by using the -w option. So if we type sudo tcpdump -w /tmp/demo.pcap, you just give it the path where you want to save the pcap file, and for this demo I'm going to add -c 25 so it knows when to stop. Now if we want to look at the output file and open /tmp/demo.pcap directly, we see that it's raw data and is not human friendly. To make it human readable, we can use tcpdump with the -r option to read the file and parse and display the contents. Note that since we're reading from a file and not an interface, we actually don't need root privileges to run this command: tcpdump -r /tmp/demo.pcap. Because we captured 25 packets, it's more than this page can handle, so it's going to scroll off the screen; if you want to read it more easily, you can pipe it through the less command.

Once the pcap is already captured, you can actually manipulate the output with a couple of other options. One of them is the -e option, which displays the data at the link level, so if you want to see the MAC addresses you can do tcpdump -r /tmp/demo.pcap -e. Now you can see that it shows you the MAC addresses instead of the IP addresses. If you want to look at the packet data in hex and ASCII format, we can use the -XX option. First let's see what the default output looks like if we limit the count to just one to make things easier, so I'm going to do tcpdump -r /tmp/demo.pcap -c 1. Here's the one packet captured; you can see that this is the summary, but if we want to see the full packet in hex and ASCII, we can up-arrow and add -XX. Here you can see this section where it breaks it out in hex form and then ASCII form, but obviously the ASCII is not going to be of much use, because most of this is encoded in some manner.

By default tcpdump will display the timestamp of each packet captured. So let's take a look at what it looks like if we do tcpdump -r /tmp/demo.pcap -c 3, so we just look at three packets. You can see that this first column is the timestamp. If we don't want the timestamp, we use the -t option, so I'm going to up-arrow and add -t, and now you can see that the display does not have any timestamp information. If you want to print the timestamp in Linux style, which is basically the number of seconds since January 1st 1970 at 00:00 UTC, you can use the -tt option; so I'm going to go ahead and up-arrow and make it -tt, and now you can see that each one of these three timestamps is in the Linux style, the number of seconds since that epoch. If you want to print the delta between the current and previous line for each packet, you can use the -ttt option, so let's go ahead and up-arrow and make it -ttt, and now you can see that the very first line's timestamp is zero and the next one is whatever microseconds or nanoseconds passed between each capture of the packets, and so on and so forth. And if we want to print the date along with the timestamp, you can use -tttt, so I'm going to do an up-arrow and -tttt, and now you can see that there's a date associated with the timestamp as well. So yeah, there are plenty of options for manipulating the time, so go nuts.

So the basics of tcpdump are that you can look at various interfaces and capture the network traffic; you can filter by hostname, network, ports, source, destination, different protocols, etc. You can also write the results to a pcap file, which you can read back with tcpdump or with another program like Wireshark. The pcap file contains a lot more information than what appears on the screen, as you can specify different display formats and convert to others. For more videos on the CAINE forensics distro, make sure you watch these videos here, or if you're interested in learning more about networking, watch these videos here. Make sure you click on the blue monkey to subscribe. Thanks for your time, and happy hunting.
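The video says the file written by -w is "raw data" and that -r parses it; this added example (not code from the video or from the tcpdump project) shows what that raw data is: a minimal reader for the classic pcap format that pulls the ts_sec/ts_usec fields behind the -tt, -ttt and -tttt displays and the Ethernet MACs behind -e. The three-frame capture is constructed in the script; the 08:00:27:e2:e9:51 MAC is the one quoted in the video, the other MAC and the frame bodies are made up.

```python
"""Added example (not from the video): a minimal reader for the classic pcap
format that tcpdump -w writes, showing where the -tt / -ttt / -tttt timestamps
and the -e MAC addresses come from. The sample capture below is constructed."""
import struct
from datetime import datetime, timezone
# Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def record(ts_sec, ts_usec, dst_mac, src_mac):
    """One pcap record: 16-byte record header, then an Ethernet frame with a stub IPv4 body."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    eth += b"\x08\x00" + b"\x45" + bytes(19)      # ethertype IPv4, then a 20-byte placeholder header
    return struct.pack("<IIII", ts_sec, ts_usec, len(eth), len(eth)) + eth

# Constructed sample: three frames 1.5 s and 0.25 s apart; 08:00:27:e2:e9:51 is the MAC quoted in the video
SAMPLE_PCAP = (PCAP_HDR
               + record(1646550000, 100000, "08:00:27:e2:e9:51", "52:54:00:12:35:02")
               + record(1646550001, 600000, "52:54:00:12:35:02", "08:00:27:e2:e9:51")
               + record(1646550001, 850000, "08:00:27:e2:e9:51", "52:54:00:12:35:02"))

def parse_pcap(data):
    """Return [(ts_sec, ts_usec, frame), ...] from a little-endian, microsecond-resolution pcap."""
    magic, linktype = struct.unpack_from("<I", data, 0)[0], struct.unpack_from("<I", data, 20)[0]
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian microsecond pcap with Ethernet link type")
    off, records = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        records.append((ts_sec, ts_usec, data[off + 16:off + 16 + incl_len]))
        off += 16 + incl_len
    return records

def render(records, style):
    """Format each record like tcpdump -e, with the timestamp style of -tt, -ttt or -tttt."""
    lines, prev_us = [], None
    for ts_sec, ts_usec, pkt in records:
        now_us = ts_sec * 1_000_000 + ts_usec        # integer microseconds, so deltas stay exact
        if style == "tt":                             # -tt: seconds since the 1970 epoch
            stamp = f"{ts_sec}.{ts_usec:06d}"
        elif style == "ttt":                          # -ttt: delta to the previous packet, zero on the first
            s, frac = divmod(0 if prev_us is None else now_us - prev_us, 1_000_000)
            stamp = f"{s // 3600:02d}:{s % 3600 // 60:02d}:{s % 60:02d}.{frac:06d}"
        else:                                         # -tttt: date and time (UTC here; tcpdump prints local time)
            stamp = datetime.fromtimestamp(ts_sec, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S") + f".{ts_usec:06d}"
        dst, src = (":".join(f"{b:02x}" for b in pkt[i:i + 6]) for i in (0, 6))
        lines.append(f"{stamp} {src} > {dst}, ethertype 0x{pkt[12:14].hex()}, length {len(pkt)}")
        prev_us = now_us
    return lines

if __name__ == "__main__":
    for style in ("tt", "ttt", "tttt"):
        print("\n".join(render(parse_pcap(SAMPLE_PCAP), style)))
```

Point parse_pcap at the bytes of a real /tmp/demo.pcap and the same three timestamp renderings line up with what tcpdump -r prints for -tt, -ttt and -tttt.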
Info
Channel: BlueMonkey 4n6
Views: 13,944
Keywords: linux command line tutorial, digital forensics using linux command line tutorial, computer forensics using linux command line tutorial, incidence Response, sysAdmin, network Forensics, comptia linux+ prep, DFIR, OSDF, FOSS, CAINE, bash shell, how to use linux command line for digital forensics, how to use CAINE for digital forensics, cyber security, tcpdump, tshark, wireshark, pcap
Id: KTvuyN1QGqs
Length: 16min 53sec (1013 seconds)
Published: Sun Mar 06 2022