- Tcpdump command-line interface
- Tcpdump
- VirtualBox
- Windows 10 (21H2)
First off, we identify the network interfaces that can be used to capture network packet data:
I used "eth0" as the interface to capture network packet data from. You can also run "sudo tcpdump -D" to list the interfaces available for packet capture; below is the output showing the interface options I have:
The captured packet data is written to a file called capture.pcap using the "-w" flag:
Brief explanations of the flags I used:
-nn: do not attempt to resolve IP addresses or ports to names. This is best practice from a security perspective, as the lookup data may not be valid; it also avoids generating DNS lookup traffic that could alert a malicious actor to an investigation.
-c9: capture 9 packets and then exit, where "c" stands for count.
port 80: this is a capture filter expression rather than a flag; it keeps only traffic on port 80, the default HTTP port.
To verify that the captured data has been saved to the file we named capture.pcap, run ls -l capture.pcap:
Next I used tcpdump to read the packet header data back from the capture.pcap file:
-r: read the captured data from the named file instead of from a live interface.
-v: verbose; displays more details of each packet, such as the TTL, IP id, total length, and checksum verification.
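The whole procedure walked through above (list interfaces, capture, verify the file, read it back), collected into one script as an added example; it is not from the original write-up. The interface eth0, the count of 9, the port 80 filter and the file name capture.pcap come from the page; the function names, the pcap magic-number check and the "run" argument guard are my additions. It assumes tcpdump is installed and that the account can run it with sudo.

```shell
#!/bin/sh
# Added example script (not from the original write-up). Assumes tcpdump is
# installed and the user can run it with sudo. Function names are assumptions.

# List the interfaces tcpdump can capture on (the write-up used "tcpdump -D").
list_interfaces() {
    sudo tcpdump -D
}

# Capture a fixed number of packets on one interface, keep only port 80
# traffic, and write the raw packets to a pcap file.
#   -i  interface to listen on (the write-up used eth0)
#   -nn do not resolve IP addresses or ports to names
#   -c  stop after this many packets
#   -w  write raw packets to the file instead of printing them
#   'port 80' is a capture filter expression, not a flag
capture_http() {
    iface=$1; count=$2; outfile=$3
    sudo tcpdump -i "$iface" -nn -c "$count" -w "$outfile" 'port 80'
}

# Check that a file really is a pcap file, not just that it exists:
# tcpdump -w writes the libpcap global header, whose first four bytes are
# the magic number 0xa1b2c3d4 in host byte order (d4 c3 b2 a1 on x86),
# or 0xa1b23c4d for nanosecond-resolution files. Returns 0 if it matches.
is_pcap_file() {
    magic=$(od -An -tx1 -N 4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) return 0 ;;
        *) return 1 ;;
    esac
}

# Read the saved packets back and print verbose header details.
#   -r  read packets from the file instead of an interface
#   -v  verbose output (TTL, IP id, total length, checksum verification)
read_capture() {
    tcpdump -nn -r "$1" -v
}

# Only perform the live capture when explicitly asked, so that sourcing the
# script (or running it without arguments) does not require root or a NIC.
if [ "${1:-}" = "run" ]; then
    list_interfaces
    capture_http eth0 9 capture.pcap
    if is_pcap_file capture.pcap; then
        ls -l capture.pcap
        read_capture capture.pcap
    else
        echo "capture.pcap is missing or not a pcap file" >&2
        exit 1
    fi
fi
```

Run it on the capture host as `sh capture_http.sh run` (the script name is my choice). The magic-number check goes one step beyond `ls -l`: a file can exist and still be empty or truncated, and reading such a file with `-r` fails, so checking the libpcap header first tells you the capture actually produced something tcpdump can parse.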
There are many more filters that can be used to analyse this capture file depending on the scenario, but for the purposes of this project I chose to keep it simple. I hope it was helpful.