Intro to Network Traffic Analysis Module

Section One: Tcpdump Fundamentals

Tcpdump is a command-line packet sniffer that can directly capture and interpret data frames from a file or network interface. It was built for use on any Unix-like operating system and had a Windows twin called WinDump

Locate Tcpdump

To validate if the package exists on our host, use the following command:

which tcpdump

Install Tcpdump

sudo apt install tcpdump 
sudo tcpdump --version            # Tcpdump Version Validation

Basic Capture Options

These switches can be chained together to craft how the tool output is shown to us in STDOUT and what is saved to the capture file. This is not an exhaustive list, and there are many more we can use, but these are the most common and valuable.

Switch Command
Result

D

Will display any interfaces available to capture from.

i

Selects an interface to capture from. ex. -i eth0

n

Do not resolve hostnames.

nn

Do not resolve hostnames or well-known ports.

e

Will grab the ethernet header along with upper-layer data.

X

Show Contents of packets in hex and ASCII.

XX

Same as X, but will also specify ethernet headers. (like using Xe)

v, vv, vvv

Increase the verbosity of output shown and saved.

c

Grab a specific number of packets, then quit the program.

s

Defines how much of a packet to grab.

S

change relative sequence numbers in the capture display to absolute sequence numbers. (13248765839 instead of 101)

q

Print less protocol information.

r

file.pcap Read from a file.

w

file.pcap Write into a file

Tcpdump Man Page

To see the complete list of switches, we can utilize the man pages:

man tcpdump

Here are some examples of basic Tcpdump switch usage along with descriptions of what is happening:

sudo tcpdump -D                          # Listing Available Interfaces
sudo tcpdump -i eth0                     # Choosing an Interface to Capture From
sudo tcpdump -i eth0 -nn                 # Disable Name Resolution
sudo tcpdump -i eth0 -e                  # Display the Ethernet Header
sudo tcpdump -i eth0 -X                  # Include ASCII and Hex Output
sudo tcpdump -i eth0 -nnvXX              # Tcpdump Switch Combinations
sudo tcpdump -i eth0 -w ~/output.pcap    # Save our PCAP Output to a File
sudo tcpdump -r ~/output.pcap            # Reading Output From a File

This section covers the fundamentals of tcpdump. Let's proceed to solve the first lab.

1) For the first question, I need to identify the server in the communication shown in the following photo.

Answer: 174.143.213.184

2) For the second question, I was asked whether absolute or relative sequence numbers were used in the capture shown above.

Absolute Numbers: The actual sequence and acknowledgment numbers used by TCP, which include the ISN and range up to 4,294,967,295.

Relative Numbers: Sequence and acknowledgment numbers displayed relative to the ISN, starting from 0, for easier interpretation and analysis.

Answer: relative

3) For the third question, I've been asked to specify the switches for starting a capture with no hostname resolution, verbose output, showing contents in ASCII and hex, and capturing the first 100 packets, in the order mentioned.

answer: -nvXc 100

4) For the fourth question, I was asked: "Given the capture file at /tmp/capture.pcap, what tcpdump command will read from the capture and display the output in Hex and ASCII?"

answer: sudo tcpdump -Xr /tmp/capture.pcap

5) For the fifth question, I need to specify the TCPDump switch that increases output verbosity, including the hyphen with the switch.

answer: -v

Section Two: Fundamentals Lab

Tasks

1) Validate Tcpdump is installed on our machine.

which tcpdump

2) Start a capture.

tcpdump -D
tcpdump -i [interface name or #]

3) Utilize Basic Capture Filters.

tcpdump -i [interface name or #] -vX

4) Save a Capture to a .PCAP file.

tcpdump -i [interface name or #] -nvw [/path/of/filename.pcap]

5) Read the Capture from a .PCAP file.

tcpdump -nnSXr [file/to/read.pcap]

Now that we’ve completed the tasks, let’s answer the section questions to test our understanding.

1) What TCPDump switch will allow us to pipe the contents of a pcap file out to another function such as 'grep'?

Answer: -l

2) True or False: The filter "port" looks at source and destination traffic.

Answer: TRUE

3) If we wished to filter out ICMP traffic from our capture, what filter could we use? ( word only, not symbol please.)

Answer: not icmp

4) What command will show you where / if TCPDump is installed?

Answer: which tcpdump

5) How do you start a capture with TCPDump to capture on eth0?

Answer: tcpdump -i eth0

6) What switch will provide more verbosity in your output?

Answer: -v

7) What switch will write your capture output to a .pcap file?

Answer: -w

8) What switch will read a capture from a .pcap file?

Answer: -r

9) What switch will show the contents of a capture in Hex and ASCII?

Answer: -X

Section Three: Tcpdump Packet Filtering

Tcpdump provides a robust and efficient way to parse the data included in our captures via packet filters. This section will examine those filters and get a glimpse at how it modifies the output from our capture.

Helpful TCPDump Filters:

Filter
Result

host

host will filter visible traffic to show anything involving the designated host. Bi-directional

src / dest

src and dest are modifiers. We can use them to designate a source or destination host or port.

net

net will show us any traffic sourcing from or destined to the network designated. It uses / notation.

proto

will filter for a specific protocol type. (ether, TCP, UDP, and ICMP as examples)

port

port is bi-directional. It will show any traffic with the specified port as the source or destination.

portrange

portrange allows us to specify a range of ports. (0-1024)

less / greater "< >"

less and greater can be used to look for a packet or protocol option of a specific size.

and / &&

and && can be used to concatenate two different filters together. for example, src host AND port.

or

or allows for a match on either of two conditions. It does not have to meet both. It can be tricky.

not

not is a modifier saying anything but x. For example, not UDP.

With these filters, we can filter the network traffic on most properties to facilitate the analysis. Let us look at some examples of these filters and how they look when we use them.

sudo tcpdump -i eth0 host 172.16.146.2             # Host Filter
sudo tcpdump -i eth0 src host 172.16.146.2         # Source/Destination Filter
sudo tcpdump -i eth0 tcp src port 80               # Utilizing Source With Port as a Filter
sudo tcpdump -i eth0 dest net 172.16.146.0/24      # Using Destination in Combination with the Net Filter 
sudo tcpdump -i eth0 udp                           # Protocol Filter
sudo tcpdump -i eth0 proto 17                      # Protocol Number Filter (tcp[6], udp[17], or icmp[1])
sudo tcpdump -i eth0 tcp port 443                  # Port Filter
sudo tcpdump -i eth0 portrange 0-1024              # Port Range Filter
sudo tcpdump -i eth0 less 64                       # Less/Greater Filter (packet less than 64 bytes)
sudo tcpdump -i eth0 greater 500                   # Utilizing Greater (packets with 500 or more bytes)
sudo tcpdump -i eth0 host 192.168.0.1 and port 23  # AND Filter
sudo tcpdump -r sus.pcap icmp or host 172.16.146.1 # OR Filter
sudo tcpdump -r sus.pcap not icmp                  # NOT Filter

Tips and Tricks

The -v, -X, and -e switches can help you increase the amount of data captured, while the -c, -n, -s, -S, and -q switches can help reduce and modify the amount of data written and seen.

sudo tcpdump -Ar telnet.pcap                     # 'A' will show only the ASCII text after the packet line
sudo tcpdump -Ar http.cap -l | grep 'mailto:*'   # Piping a Capture to Grep
tcpdump -i eth0 'tcp[13] &2 != 0'                # Hunting For a SYN Flag

Let's begin solving the lab for this section, starting with the first question.

1) What filter will allow me to see traffic coming from or destined to the host with an ip of 10.10.20.1?

Answer: host 10.10.20.1

2) What filter will allow me to capture based on either of two options?

Answer: OR

3) True or False: TCPDump will resolve IPs to hostnames by default.

Answer: True

Section Four: Interrogating Network Traffic With Capture and Display Filters

Tasks

Utilizing TCPDump-lab-2.zip in the optional resources, perform the lab to the best of your ability. Finding everything on the first shot is not the goal. Our understanding of the concepts is our primary concern. As we perform these actions repeatedly, it will get easier.

1) What are the client and server port numbers used in first full TCP three-way handshake? (low number first then high number)

tcpdump -nnr TCPDump-lab-2.pcap 'tcp[13] & 0x12 != 0'

The filter read the packets from TCPDump-lab-2.pcap file where the TCP flags byte (the 13th byte of the TCP header) has either the SYN flag (0x02) or the ACK flag (0x10) set.

Answer: 80 43804

2) Based on the traffic seen in the pcap file, who is the DNS server in this network segment? (ip address)

tcpdump -nnr TCPDump-lab-2.pcap udp && port 53

The repeated pattern of queries from 172.16.146.2 to 172.16.146.1 on port 53, and the corresponding responses from 172.16.146.1 to 172.16.146.2 on port 53, clearly indicates that 172.16.146.1 is acting as a DNS server for the client 172.16.146.2.

Answer: 172.16.146.1

Section Five: Analysis with Wireshark

Wireshark is a free and open-source network traffic analyzer much like tcpdump but with a graphical interface. Wireshark is multi-platform and capable of capturing live data off many different interface types (to include WiFi, USB, and Bluetooth) and saving the traffic to several different formats.

which wireshark                          # Locating Wireshark
sudo apt install wireshark               # Installing Wireshark On Linux

TShark VS. Wireshark (Terminal vs. GUI)

Both TShark and Wireshark have their advantages. TShark is a terminal-based tool derived from Wireshark, sharing its features, syntax, and options, making it ideal for machines without a desktop environment and for passing capture data to other command-line tools. Wireshark, with its rich GUI, offers a comprehensive experience for traffic capture and analysis, suitable for users working on machines with a desktop environment.

Basic TShark Switches

Switch Command
Result

D

Will display any interfaces available to capture from and then exit out.

L

Will list the Link-layer mediums you can capture from and then exit out. (ethernet as an example)

i

choose an interface to capture from. (-i eth0)

f

packet filter in libpcap syntax. Used during capture.

c

Grab a specific number of packets, then quit the program. Defines a stop condition.

a

Defines an autostop condition. Can be after a duration, specific file size, or after a certain number of packets.

r (pcap-file)

Read from a file.

W (pcap-file)

Write into a file using the pcapng format.

P

Will print the packet summary while writing into a file (-W)

x

will add Hex and ASCII output into the capture.

h

See the help menu

TShark Basic Usage

which tshark
tshark -D
tshark -i 1 -w /tmp/test.pcap
sudo tshark -i eth0 -w /tmp/test.pcap        # Selecting an Interface & Writing to a File
sudo tshark -i eth0 -f "host 172.16.146.2"   # Applying Filters

Wireshark GUI Walkthrough

Capture Filters

Capture Filters- are entered before the capture is started. These use BPF syntax like host 214.15.2.30 much in the same fashion as TCPDump.

Here is a table of common and helpful capture filters with a description of each:

Capture Filters
Result

host x.x.x.x

Capture only traffic pertaining to a certain host

net x.x.x.x/24

Capture traffic to or from a specific network (using slash notation to specify the mask)

src/dst net x.x.x.x/24

Using src or dst net will only capture traffic sourcing from the specified network or destined to the target network

port #

will filter out all traffic except the port you specify

not port #

will capture everything except the port specified

port # and #

AND will concatenate your specified ports

portrange x-x

portrange will grab traffic from all ports within the range only

ip / ether / tcp

These filters will only grab traffic from specified protocol headers.

broadcast / multicast / unicast

Grabs a specific type of traffic. one to one, one to many, or one to all.

Applying a Capture Filter

Before we apply a capture filter, let us take a look at the built-in filters. To do so: Click on the capture radial at the top of the Wireshark window → then select capture filters from the drop-down.

Display Filters

Display Filters- are used while the capture is running and after the capture has stopped. Display filters are proprietary to Wireshark, which offers many different options for almost any protocol.

Display Filters
Result

ip.addr == x.x.x.x

Capture only traffic pertaining to a certain host. This is an OR statement.

ip.addr == x.x.x.x/24

Capture traffic pertaining to a specific network. This is an OR statement.

ip.src/dst == x.x.x.x

Capture traffic to or from a specific host

dns / tcp / ftp / arp / ip

filter traffic by a specific protocol. There are many more options.

tcp.port == x

filter by a specific tcp port.

tcp.port / udp.port != x

will capture everything except the port specified

and / or / not AND

will concatenate, OR will find either of two options, NOT will exclude your input option.

Let's begin by addressing the questions for this lab, starting with the first one.

1) True or False: Wireshark can run on both Windows and Linux.

Answer: True

2) Which Pane allows a user to see a summary of each packet grabbed during the capture?

Answer: Packet List

3) Which pane provides you insight into the traffic you captured and displays it in both ASCII and Hex?

Answer: Packet Bytes

4) What switch is used with TShark to list possible interfaces to capture on?

Answer: -D

5) What switch allows us to apply filters in TShark?

Answer: -f

6) Is a capture filter applied before the capture starts or after? (answer before or after)

Answer: before

Section Six: Wireshark Advanced Usage

1) Which plugin tab can provide us with a way to view conversation metadata and even protocol breakdowns for the entire PCAP file?

Answer: statistics

2) What plugin tab will allow me to accomplish tasks such as applying filters, following streams, and viewing expert info?

Answer: Analyze

2) What stream oriented Transport protocol enables us to follow and rebuild conversations and the included data?

Answer: TCP

3) True or False: Wireshark can extract files from HTTP traffic.

Answer: True

4) True or False: The ftp-data filter will show us any data sent over TCP port 21.

Answer: False

Section Seven: Packet Inception, Dissecting Network Traffic With Wireshark

Tasks

1) Apply a filter to include only HTTP (80/TCP) requests.

2) Follow the stream and extract the item(s) found.

To export the images: Select "File → Export Objects → HTTP → Rise-Up.jpg "

3) How many conversations can be seen?

From Statistics → Conversations

4) Perform FTP Analysis

Guided Lab: Traffic Analysis Workflow

1) What was the name of the new user created on mrb3n's host?

I use the filter !udp && !arp to capture TCP packets.

Then Right-click -> Follow -> TCP Stream

A new user named "hacker" has been added to the administrators group.

Answer: hacker

2) How many total packets were there in the Guided-analysis PCAP?

Answer: 44

3) What was the suspicious port that was being used?

Port 4444 is not a standard port used by well-known services. Unlike ports 80 (HTTP) or 443 (HTTPS), which are used for web traffic, or port 25 for SMTP, port 4444 does not have a standard, widely accepted usage.

It is often associated with Metasploit, a popular penetration testing framework. The Metasploit Framework uses port 4444 as the default port for its reverse shell payloads. A reverse shell allows an attacker to gain remote control over a compromised machine.

Answer: 4444

Last updated