Learn how to sniff network packets. Jungwoo demonstrates how to use tcpdump to sniff network packets and open a pcap dump file by using Wireshark.
- [Instructor] A majority of packet capture tools use a software library called pcap to sniff network data. There are two well-known tools we can use to capture and analyze packets. The first is tcpdump, a simple command-line packet sniffer. The second is Wireshark, which is a more advanced version complete with a very sophisticated graphical user interface. Imagine that I'd like to intercept all the secure shell traffic on my Ubuntu operating system.
To accomplish this goal, I type the following command: tcpdump -s 0 port ssh. Dash s zero is an option that allows me to capture an entire packet. Port ssh indicates that I'm only interested in packets coming in and going out of my local secure shell server. By pressing Enter, I just executed this command. Now tcpdump is waiting for a secure shell packet to appear.
To generate the packets of our interest, I can open another terminal window and sign on to the secure shell server. Type ssh, the username osboxes, and then the IP address of the secure shell server, 10.0.2.2, and press Enter. Did you see the packets being exchanged on the tcpdump side? Let me finish signing on by typing in the password.
And let me quit tcpdump. Let's see if the output file is actually created. Type ls. And you see dump.pcap there. Let's see what's inside the file by typing more dump.pcap. As you can see, it's not a simple text file. In fact, the file format used here is pcap, and we need a special tool such as Wireshark to open it.
Let's use Wireshark to open the pcap file. Let's get out of this by typing q. And I'm going to type wireshark to start Wireshark. Ignore the warning. Go to File. Go to Open. Choose the dump.pcap file. And click on Open. Now you can see the details. Capturing packets is relatively easy. With a simple tool like tcpdump, you can regularly store them in a file.
The real challenge is the sheer amount of data and its analysis. So much data is going through your network every second, and it takes a lot of storage and processing power to save the data. Unless you can effectively analyze the packet data, all the storage and processing power are simply wasted. This is why a tool like Wireshark is much more appealing than tcpdump, with all those features specifically designed to support the analysis process.
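As an added example (not code from the course or the instructor's demonstration), the Python script below writes and reads the pcap container that tcpdump produces and Wireshark opens. It shows why `more dump.pcap` prints binary: the file is a 24-byte global header, whose snapshot-length field is what `-s` controls, followed by one 16-byte record header per packet carrying both the captured length and the original wire length. The Ethernet/IPv4/TCP frame, the MAC addresses, the client address 10.0.2.15 and the snaplen values are constructed for the example; only the server address 10.0.2.2 and port 22 come from the video.

```python
"""Minimal writer and reader for the classic libpcap file format.

Added example for the tcpdump/Wireshark walkthrough. All packet contents
are constructed; checksums are left at zero because nothing here sends them.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # magic number of a microsecond-resolution pcap file
LINKTYPE_ETHERNET = 1        # DLT_EN10MB: each record starts with an Ethernet header


def build_ssh_frame(payload: bytes = b"SSH-2.0-Example\r\n") -> bytes:
    """Construct a sample Ethernet II / IPv4 / TCP frame from a client to port 22."""
    eth = (bytes.fromhex("080027aabbcc")        # destination MAC (constructed)
           + bytes.fromhex("080027ddeeff")      # source MAC (constructed)
           + b"\x08\x00")                       # EtherType: IPv4
    tcp = struct.pack("!HHIIBBHHH",
                      50000, 22,                # source port, destination port (ssh)
                      1, 0,                     # sequence and acknowledgement numbers
                      5 << 4, 0x18,             # data offset (5 words), flags PSH|ACK
                      65535, 0, 0)              # window, checksum (zero), urgent pointer
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(tcp) + len(payload),   # version/IHL, TOS, total length
                     0x1234, 0x4000, 64, 6, 0,  # id, DF flag, TTL, protocol TCP, checksum
                     bytes([10, 0, 2, 15]),     # 10.0.2.15: client address (constructed)
                     bytes([10, 0, 2, 2]))      # 10.0.2.2: the ssh server from the video
    return eth + ip + tcp + payload


def write_pcap(frames, snaplen: int = 65535) -> bytes:
    """Serialise frames as a pcap file. Like tcpdump, keep at most `snaplen` bytes of
    each frame but always record the true wire length in the record header."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        kept = frame[:snaplen]                    # truncation happens here
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(kept), len(frame)))
        out.append(kept)
    return b"".join(out)


def read_pcap(data: bytes) -> dict:
    """Parse a pcap file into its global header fields and packet records."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    endian = next((e for e in ("<", ">")
                   if struct.unpack_from(e + "I", data, 0)[0] == PCAP_MAGIC), None)
    if endian is None:
        raise ValueError("not a pcap file (bad magic number)")
    _, vmaj, vmin, _, _, snaplen, linktype = struct.unpack_from(endian + "IHHiIII", data, 0)
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, wirelen = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + caplen]
        if len(frame) != caplen:
            raise ValueError("file ends mid-record (capture interrupted while writing?)")
        off += caplen
        packets.append({"ts": ts_sec + ts_usec / 1e6, "caplen": caplen,
                        "wirelen": wirelen, "frame": frame})
    return {"version": (vmaj, vmin), "snaplen": snaplen,
            "linktype": linktype, "packets": packets}


def summarize(record: dict) -> str:
    """tcpdump-style one-line summary of an IPv4/TCP record, tolerant of truncation."""
    f = record["frame"]
    if len(f) < 34 or f[12:14] != b"\x08\x00":
        return "non-IPv4 frame or truncated before the IP header"
    ihl = (f[14] & 0x0F) * 4                      # IP header length in bytes
    proto = f[14 + 9]
    src = ".".join(map(str, f[26:30]))
    dst = ".".join(map(str, f[30:34]))
    if proto != 6 or len(f) < 14 + ihl + 4:
        return f"IP {src} > {dst}: proto {proto}"
    sport, dport = struct.unpack_from("!HH", f, 14 + ihl)
    note = ("" if record["caplen"] == record["wirelen"]
            else f" [truncated: {record['caplen']}/{record['wirelen']} bytes]")
    return f"IP {src}.{sport} > {dst}.{dport}{note}"


if __name__ == "__main__":
    frame = build_ssh_frame()
    for snaplen in (65535, 40):                   # full capture vs. a too-small snaplen
        parsed = read_pcap(write_pcap([frame], snaplen=snaplen))
        print(f"snaplen={parsed['snaplen']}:", summarize(parsed["packets"][0]))
```

The second run in the main block is the failure mode worth recognising in a real capture: a file written with a small snapshot length still parses, Wireshark still opens it, but every record's captured length is shorter than its wire length and the payload analysis the video argues for is no longer possible.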