Intro to Network Traffic Analysis Module
Section One: Tcpdump Fundamentals
Tcpdump is a command-line packet sniffer that can directly capture and interpret data frames from a file or network interface. It was built for use on any Unix-like operating system and had a Windows twin called WinDump.
Locate Tcpdump
To validate if the package exists on our host, use the following command:
Install Tcpdump
Basic Capture Options
These switches can be chained together to craft how the tool output is shown to us in STDOUT and what is saved to the capture file. This is not an exhaustive list, and there are many more we can use, but these are the most common and valuable.
-D: Will display any interfaces available to capture from.
-i: Selects an interface to capture from. ex. -i eth0
-n: Do not resolve hostnames.
-nn: Do not resolve hostnames or well-known ports.
-e: Will grab the ethernet header along with upper-layer data.
-X: Show contents of packets in hex and ASCII.
-XX: Same as -X, but will also specify ethernet headers. (like using -Xe)
-v, -vv, -vvv: Increase the verbosity of output shown and saved.
-c: Grab a specific number of packets, then quit the program.
-s: Defines how much of a packet to grab.
-S: Change relative sequence numbers in the capture display to absolute sequence numbers. (13248765839 instead of 101)
-q: Print less protocol information.
-r file.pcap: Read from a file.
-w file.pcap: Write into a file.
Tcpdump Man Page
To see the complete list of switches, we can utilize the man pages:
Here are some examples of basic Tcpdump switch usage along with descriptions of what is happening:
This section covers the fundamentals of tcpdump. Let's proceed to solve the first lab.
1) For the first question, I need to identify the server in the communication shown in the following photo.
Answer: 174.143.213.184
2) For the second question, I was asked whether absolute or relative sequence numbers were used in the capture shown above.
Absolute Numbers: The actual sequence and acknowledgment numbers used by TCP, which include the ISN and range up to 4,294,967,295.
Relative Numbers: Sequence and acknowledgment numbers displayed relative to the ISN, starting from 0, for easier interpretation and analysis.
Answer: relative
3) For the third question, I've been asked to specify the switches for starting a capture with no hostname resolution, verbose output, showing contents in ASCII and hex, and capturing the first 100 packets, in the order mentioned.
Answer: -nvXc 100
4) For the fourth question, I was asked: "Given the capture file at /tmp/capture.pcap, what tcpdump command will read from the capture and display the output in Hex and ASCII?"
Answer: sudo tcpdump -Xr /tmp/capture.pcap
5) For the fifth question, I need to specify the TCPDump switch that increases output verbosity, including the hyphen with the switch.
Answer: -v
Section Two: Fundamentals Lab
Tasks
1) Validate Tcpdump is installed on our machine.
2) Start a capture.
3) Utilize Basic Capture Filters.
4) Save a Capture to a .PCAP file.
5) Read the Capture from a .PCAP file.
Now that we’ve completed the tasks, let’s answer the section questions to test our understanding.
1) What TCPDump switch will allow us to pipe the contents of a pcap file out to another function such as 'grep'?
Answer: -l
2) True or False: The filter "port" looks at source and destination traffic.
Answer: TRUE
3) If we wished to filter out ICMP traffic from our capture, what filter could we use? ( word only, not symbol please.)
Answer: not icmp
4) What command will show you where / if TCPDump is installed?
Answer: which tcpdump
5) How do you start a capture with TCPDump to capture on eth0?
Answer: tcpdump -i eth0
6) What switch will provide more verbosity in your output?
Answer: -v
7) What switch will write your capture output to a .pcap file?
Answer: -w
8) What switch will read a capture from a .pcap file?
Answer: -r
9) What switch will show the contents of a capture in Hex and ASCII?
Answer: -X
Section Three: Tcpdump Packet Filtering
Tcpdump provides a robust and efficient way to parse the data included in our captures via packet filters. This section will examine those filters and get a glimpse at how they modify the output from our capture.
Helpful TCPDump Filters:
host: will filter visible traffic to show anything involving the designated host. Bi-directional.
src / dest: src and dest are modifiers. We can use them to designate a source or destination host or port.
net: will show us any traffic sourcing from or destined to the network designated. It uses / notation.
proto: will filter for a specific protocol type. (ether, TCP, UDP, and ICMP as examples)
port: is bi-directional. It will show any traffic with the specified port as the source or destination.
portrange: allows us to specify a range of ports. (0-1024)
less / greater "< >": less and greater can be used to look for a packet or protocol option of a specific size.
and / &&: and / && can be used to concatenate two different filters together. For example, src host AND port.
or: or allows for a match on either of two conditions. It does not have to meet both. It can be tricky.
not: not is a modifier saying anything but x. For example, not UDP.
With these filters, we can filter the network traffic on most properties to facilitate the analysis. Let us look at some examples of these filters and how they look when we use them.
Tips and Tricks
The -v, -X, and -e switches can help you increase the amount of data captured, while the -c, -n, -s, -S, and -q switches can help reduce and modify the amount of data written and seen.
Let's begin solving the lab for this section, starting with the first question.
1) What filter will allow me to see traffic coming from or destined to the host with an ip of 10.10.20.1?
Answer: host 10.10.20.1
2) What filter will allow me to capture based on either of two options?
Answer: OR
3) True or False: TCPDump will resolve IPs to hostnames by default.
Answer: True
Section Four: Interrogating Network Traffic With Capture and Display Filters
Tasks
Utilizing TCPDump-lab-2.zip in the optional resources, perform the lab to the best of your ability. Finding everything on the first shot is not the goal. Our understanding of the concepts is our primary concern. As we perform these actions repeatedly, it will get easier.
1) What are the client and server port numbers used in first full TCP three-way handshake? (low number first then high number)
The filter reads the packets from the TCPDump-lab-2.pcap file where the TCP flags byte (the 13th byte of the TCP header) has either the SYN flag (0x02) or the ACK flag (0x10) set.
Answer: 80 43804
2) Based on the traffic seen in the pcap file, who is the DNS server in this network segment? (ip address)
The repeated pattern of queries from 172.16.146.2 to 172.16.146.1 on port 53, and the corresponding responses from 172.16.146.1 to 172.16.146.2 on port 53, clearly indicates that 172.16.146.1 is acting as a DNS server for the client 172.16.146.2.
Answer: 172.16.146.1
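As an added example (not part of this writeup or the lab files), the Python below implements the two checks from questions 1 and 2 on constructed sample packets: it keeps only what the BPF test tcp[13] & 0x12 != 0 would keep (the SYN-or-ACK filter described above) to locate the first complete three-way handshake and report its low/high ports, and it tallies which host answers from UDP/53 to name the DNS server. The raw IPv4 packets (link-layer header omitted), the web server address 203.0.113.10 and all helper names are assumptions built for this example.

```python
import struct
from collections import Counter

SYN, ACK = 0x02, 0x10   # bits of the TCP flags byte (tcp[13] in BPF terms)

def parse_ipv4(pkt):
    """Return (proto, src, dst, sport, dport, flags) from a raw IPv4 packet (no link header)."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    src, dst = ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13] if proto == 6 else 0   # offset 13 of the TCP header is the flags byte
    return proto, src, dst, sport, dport, flags

def build(proto, src, dst, sport, dport, flags=0):
    """Constructed sample packet: 20-byte IPv4 header plus a minimal TCP (20 B) or UDP (8 B) header."""
    ip = bytes([0x45, 0, 0, 40, 0, 0, 0, 0, 64, proto, 0, 0])
    ip += bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
    if proto == 6:
        return ip + struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + struct.pack("!HHHH", sport, dport, 8, 0)

def first_handshake_ports(pkts):
    """Keep only what 'tcp[13] & 0x12 != 0' would keep, then return the (low, high)
    ports of the first complete SYN -> SYN/ACK -> ACK exchange, or None."""
    stage = {}   # (client, cport, server, sport) -> 1 after SYN, 2 after SYN/ACK
    for proto, src, dst, sp, dp, fl in map(parse_ipv4, pkts):
        bits = fl & (SYN | ACK)
        if proto != 6 or bits == 0:            # packets the capture filter would drop
            continue
        if bits == SYN:
            stage[(src, sp, dst, dp)] = 1
        elif bits == SYN | ACK and stage.get((dst, dp, src, sp)) == 1:
            stage[(dst, dp, src, sp)] = 2
        elif bits == ACK and stage.get((src, sp, dst, dp)) == 2:
            return tuple(sorted((sp, dp)))
    return None

def likely_dns_server(pkts):
    """The host that most often answers from UDP/53 is the segment's DNS server."""
    hits = Counter(p[1] for p in map(parse_ipv4, pkts) if p[0] == 17 and p[3] == 53)
    return hits.most_common(1)[0][0] if hits else None

# Constructed sample traffic mirroring the lab's pattern (not the lab pcap itself).
CLIENT, DNS, WEB = "172.16.146.2", "172.16.146.1", "203.0.113.10"
SAMPLE = [build(17, CLIENT, DNS, 51234, 53), build(17, DNS, CLIENT, 53, 51234),
          build(6, CLIENT, WEB, 43804, 80, SYN), build(6, WEB, CLIENT, 80, 43804, SYN | ACK),
          build(6, CLIENT, WEB, 43804, 80, ACK),
          build(17, CLIENT, DNS, 51235, 53), build(17, DNS, CLIENT, 53, 51235)]
```

Running first_handshake_ports(SAMPLE) and likely_dns_server(SAMPLE) reproduces the two lab answers on the sample data; a SYN/ACK or ACK without a preceding SYN is ignored, so a half-open or mid-stream flow never counts as a handshake.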
Section Five: Analysis with Wireshark
Wireshark is a free and open-source network traffic analyzer much like tcpdump but with a graphical interface. Wireshark is multi-platform and capable of capturing live data off many different interface types (to include WiFi, USB, and Bluetooth) and saving the traffic to several different formats.
TShark VS. Wireshark (Terminal vs. GUI)
Both TShark and Wireshark have their advantages. TShark is a terminal-based tool derived from Wireshark, sharing its features, syntax, and options, making it ideal for machines without a desktop environment and for passing capture data to other command-line tools. Wireshark, with its rich GUI, offers a comprehensive experience for traffic capture and analysis, suitable for users working on machines with a desktop environment.
Basic TShark Switches
-D: Will display any interfaces available to capture from and then exit out.
-L: Will list the link-layer mediums you can capture from and then exit out. (ethernet as an example)
-i: Choose an interface to capture from. (-i eth0)
-f: Packet filter in libpcap syntax. Used during capture.
-c: Grab a specific number of packets, then quit the program. Defines a stop condition.
-a: Defines an autostop condition. Can be after a duration, specific file size, or after a certain number of packets.
-r (pcap-file): Read from a file.
-W (pcap-file): Write into a file using the pcapng format.
-P: Will print the packet summary while writing into a file (-W).
-x: Will add Hex and ASCII output into the capture.
-h: See the help menu.
TShark Basic Usage
Wireshark GUI Walkthrough
Capture Filters
Capture Filters are entered before the capture is started. These use BPF syntax like host 214.15.2.30, much in the same fashion as TCPDump.
Here is a table of common and helpful capture filters with a description of each:
host x.x.x.x: Capture only traffic pertaining to a certain host.
net x.x.x.x/24: Capture traffic to or from a specific network (using slash notation to specify the mask).
src/dst net x.x.x.x/24: Using src or dst net will only capture traffic sourcing from the specified network or destined to the target network.
port #: Will filter out all traffic except the port you specify.
not port #: Will capture everything except the port specified.
port # and #: AND will concatenate your specified ports.
portrange x-x: portrange will grab traffic from all ports within the range only.
ip / ether / tcp: These filters will only grab traffic from specified protocol headers.
broadcast / multicast / unicast: Grabs a specific type of traffic. one to one, one to many, or one to all.
Applying a Capture Filter
Before we apply a capture filter, let us take a look at the built-in filters. To do so: Click on the capture radial at the top of the Wireshark window → then select capture filters from the drop-down.
Display Filters
Display Filters are used while the capture is running and after the capture has stopped. Display filters are proprietary to Wireshark, which offers many different options for almost any protocol.
ip.addr == x.x.x.x: Capture only traffic pertaining to a certain host. This is an OR statement.
ip.addr == x.x.x.x/24: Capture traffic pertaining to a specific network. This is an OR statement.
ip.src/dst == x.x.x.x: Capture traffic to or from a specific host.
dns / tcp / ftp / arp / ip: Filter traffic by a specific protocol. There are many more options.
tcp.port == x: Filter by a specific tcp port.
tcp.port / udp.port != x: Will capture everything except the port specified.
and / or / not: AND will concatenate, OR will find either of two options, NOT will exclude your input option.
Let's begin by addressing the questions for this lab, starting with the first one.
1) True or False: Wireshark can run on both Windows and Linux.
Answer: True
2) Which Pane allows a user to see a summary of each packet grabbed during the capture?
Answer: Packet List
3) Which pane provides you insight into the traffic you captured and displays it in both ASCII and Hex?
Answer: Packet Bytes
4) What switch is used with TShark to list possible interfaces to capture on?
Answer: -D
5) What switch allows us to apply filters in TShark?
Answer: -f
6) Is a capture filter applied before the capture starts or after? (answer before or after)
Answer: before
Section Six: Wireshark Advanced Usage
1) Which plugin tab can provide us with a way to view conversation metadata and even protocol breakdowns for the entire PCAP file?
Answer: statistics
2) What plugin tab will allow me to accomplish tasks such as applying filters, following streams, and viewing expert info?
Answer: Analyze
3) What stream oriented Transport protocol enables us to follow and rebuild conversations and the included data?
Answer: TCP
4) True or False: Wireshark can extract files from HTTP traffic.
Answer: True
5) True or False: The ftp-data filter will show us any data sent over TCP port 21.
Answer: False
Section Seven: Packet Inception, Dissecting Network Traffic With Wireshark
Tasks
1) Apply a filter to include only HTTP (80/TCP) requests.
2) Follow the stream and extract the item(s) found.
To export the images: Select "File → Export Objects → HTTP → Rise-Up.jpg".
3) How many conversations can be seen?
From Statistics → Conversations
4) Perform FTP Analysis
Guided Lab: Traffic Analysis Workflow
1) What was the name of the new user created on mrb3n's host?
I use the filter !udp && !arp to capture TCP packets.
Then Right-click → Follow → TCP Stream.
A new user named "hacker" has been added to the administrators group.
Answer: hacker
2) How many total packets were there in the Guided-analysis PCAP?
Answer: 44
3) What was the suspicious port that was being used?
Port 4444 is not a standard port used by well-known services. Unlike ports 80 (HTTP) or 443 (HTTPS), which are used for web traffic, or port 25 for SMTP, port 4444 does not have a standard, widely accepted usage.
It is often associated with Metasploit, a popular penetration testing framework. The Metasploit Framework uses port 4444 as the default port for its reverse shell payloads. A reverse shell allows an attacker to gain remote control over a compromised machine.
Answer: 4444