
As a security analyst, it’s important to know how to capture and filter network traffic in a Linux environment. Below we’ll perform tasks associated with using tcpdump to capture network traffic data in a packet capture (pcap) file and then examine the contents of the captured packet data to focus on specific types of traffic.


ephrinaw/Packet-Capturing


Packet-Capturing

As a security analyst, it’s important to know how to capture and filter network traffic in a Linux environment using tools such as tcpdump. Analysts also need to understand the basic concepts associated with network interfaces. Below we’ll perform tasks associated with using tcpdump to capture network traffic data in a packet capture (pcap) file and then examine the contents of the captured packet data to focus on specific types of traffic.

Installation:

Use ifconfig to identify the interfaces that are available:

The sudo tcpdump -D command lists the interfaces available for packet capture. This is useful on systems that do not include the ifconfig command.

Filter live network packet data from the eth0 interface with tcpdump: sudo tcpdump -i eth0 -v -c5
This command will run tcpdump with the following options:
• -i eth0: Capture data specifically from the eth0 interface.
• -v: Display detailed packet data.
• -c5: Capture 5 packets of data and then exit.

Capture packet data into a file called capture.pcap: sudo tcpdump -i eth0 -nn -c9 port 80 -w capture.pcap &
This command will run tcpdump in the background with the following options:
• -i eth0: Capture data from the eth0 interface.
• -nn: Do not attempt to resolve IP addresses or ports to names. This is best practice from a security perspective, as the lookup data may not be valid. It also prevents malicious actors from being alerted to an investigation by the DNS lookups that name resolution would generate.
• -c9: Capture 9 packets of data and then exit.
• port 80: Filter only port 80 traffic. This is the default HTTP port.
• -w capture.pcap: Save the captured data to the named file.
• &: This is an instruction to the Bash shell to run the command in the background.

Use curl to generate some HTTP (port 80) traffic: curl opensource.google.com
When the curl command is used like this to open a website, it generates some HTTP (TCP port 80) traffic that the background tcpdump process can capture.

Verify that packet data has been captured:

Use the tcpdump command to display the packet header data from capture.pcap: sudo tcpdump -nn -r capture.pcap -v
This command will run tcpdump with the following options:
• -nn: Disable port and protocol name lookup.
• -r: Read capture data from the named file.
• -v: Display detailed packet data.

Use the tcpdump command to display the extended packet data from the capture.pcap file: sudo tcpdump -nn -r capture.pcap -X
This command will run tcpdump with the following options:
• -nn: Disable port and protocol name lookup.
• -r: Read capture data from the named file.
• -X: Display the packet data in hexadecimal and ASCII output format. We can analyze the hexadecimal and ASCII output to detect patterns or anomalies during malware analysis or forensic analysis.
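As an added example that is not part of this repository: the following Python script builds a small constructed capture in the same file format tcpdump -w writes, reads it back, applies the equivalent of the port 80 filter used above, and renders the payload in the hex/ASCII layout of -X. The addresses, ports and payloads are constructed sample data, not real captured traffic.

```python
import struct

def frame(src, sport, dst, dport, payload):
    # Constructed Ethernet/IPv4/TCP frame (MACs and checksums zeroed; enough for parsing)
    ip4 = lambda s: bytes(map(int, s.split(".")))
    eth = bytes(12) + b"\x08\x00"                       # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, ip4(src), ip4(dst))
    return eth + ip + tcp

def pcap_bytes(frames):
    # pcap global header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype 1 = Ethernet
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):   # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

# Constructed sample capture: one HTTP request on port 80 and one TLS record on port 443
SAMPLE_PCAP = pcap_bytes([
    frame("10.0.0.5", 51234, "142.250.0.1", 80, b"GET / HTTP/1.1\r\nHost: opensource.google.com\r\n\r\n"),
    frame("10.0.0.5", 51235, "142.250.0.2", 443, b"\x16\x03\x01\x00\x05hello"),
])

def read_pcap(data):
    # Yield each captured frame; 0xA1B2C3D4 little-endian is what tcpdump -w writes on x86
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap file")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack("<IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl

def tcp_tuple(f):
    # (src_ip, sport, dst_ip, dport, payload) for IPv4/TCP frames, None for anything else
    if f[12:14] != b"\x08\x00" or f[23] != 6:
        return None
    tcp = f[14 + (f[14] & 0x0F) * 4:]                   # skip Ethernet + IP header (IHL)
    src, dst = ".".join(map(str, f[26:30])), ".".join(map(str, f[30:34]))
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, sport, dst, dport, tcp[(tcp[12] >> 4) * 4:]

def filter_port(data, port):
    # Equivalent of the BPF expression 'port 80': keep frames where either endpoint matches
    return [t for t in map(tcp_tuple, read_pcap(data)) if t and port in (t[1], t[3])]
def hexdump(payload):
    # Same layout as tcpdump -X: offset, 16 bytes as 2-byte hex groups, then printable ASCII
    return "\n".join(
        f"0x{i:04x}:  " + " ".join(f"{payload[i + j:i + j + 2].hex():4}" for j in range(0, 16, 2))
        + "  " + "".join(chr(b) if 32 <= b < 127 else "." for b in payload[i:i + 16])
        for i in range(0, len(payload), 16))
```

Running filter_port(SAMPLE_PCAP, 80) keeps only the HTTP request, and hexdump() on its payload shows the same "GET / HTTP/1.1" text you would spot in the -X output of capture.pcap.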
