Tcpdump Tutorial

The document provides instructions for using tcpdump and packet sender to analyze network traffic between a Windows 7 VM and Kali Linux VM. It describes how to use tcpdump commands to view traffic by IP address, port, and protocol. It also explains how to use packet sender on Windows 7 to generate different types of traffic and see it in the tcpdump output on Kali Linux.

Uploaded by Ayesha Amjad

Generate ICMP traffic from the Windows 7 VM to the Kali VM

Use the ifconfig command on Kali to obtain its IP address.

Go to Windows 7 and run ping followed by the IP address of Kali Linux.

Everything on an interface
Just see what’s going on, by looking at what’s hitting your interface.

Or get all interfaces with -i any.

tcpdump -i eth0

Find Traffic by IP
One of the most common queries: using host, you can see traffic that’s going to or from
172.16.22.45.

Expression types:

host, net, and port.

Directions:

src and dst.

Protocols:

tcp, udp, icmp, and many more.

tcpdump host 172.16.22.45

Filtering by Source and/or Destination


If you only want to see traffic in one direction or the other, you can use src and dst.


tcpdump src 172.16.22.37

tcpdump dst 172.16.22.37


Get Packet Contents with Hex Output
Hex output is useful when you want to see the content of the packets in question, and it’s often
best used when you’re isolating a few candidates for closer scrutiny.

tcpdump -c 1 -X icmp

A single ICMP packet captured by tcpdump

tcpdump is the tool everyone should learn as their base for packet analysis.

Download and install Packet Sender

Using the Windows VM (via AnyDesk or Remote Desktop), download Packet Sender from the following link:

https://packetsender.com/download#show

Install Packet Sender.

Show Traffic Related to a Specific Port


You can find specific port traffic by using the port option followed by the port number.

tcpdump port 80

Use Packet Sender, installed on Windows (via AnyDesk or Remote Desktop), to generate HTTP traffic as
shown below.

Press the Send button many times to generate HTTP traffic toward the Kali Linux VM.

Notice the tcpdump output on Kali Linux.

Common Options:

-nn : Don’t resolve hostnames or port names.

-S : Print absolute TCP sequence numbers (to capture the entire packet, use -s 0).

-X : Get hex output.

Show Traffic of One Protocol


If you’re looking for one particular kind of traffic, you can use tcp, udp, icmp, and many others
as well.

tcpdump udp

Use Packet Sender, installed on Windows (via AnyDesk or Remote Desktop), to generate HTTP traffic as
shown below.

Press the Send button many times to generate HTTP traffic toward the Kali Linux VM.

Notice the tcpdump output on Kali Linux.

Show only IPv6 Traffic


You can also find all IPv6 traffic using the ip6 protocol keyword.

tcpdump ip6

Reading / Writing Captures to a File (pcap)


It’s often useful to save packet captures into a file for analysis in the future. These files are
known as PCAP (PEE-cap) files, and they can be processed by hundreds of different
applications, including network analyzers, intrusion detection systems, and of course by tcpdump
itself. Here we’re writing to a file called capture_file using the -w switch (options go before
the filter expression).

tcpdump -w capture_file port 443


Use Packet Sender, installed on Windows (via AnyDesk or Remote Desktop), to generate HTTP traffic as
shown below.

Press the Send button many times to generate HTTP traffic toward the Kali Linux VM.

You can read PCAP files by using the -r switch. Note that you can use all the regular commands
within tcpdump while reading in a file; you’re only limited by the fact that you can’t capture and
process what doesn’t exist in the file already.

tcpdump -r capture_file
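Because tcpdump prints one packet per line, its text output is easy to post-process. The following script is an added example, not part of this tutorial or of tcpdump itself: it reads the output of "tcpdump -nn -tttt -l -r capture_file" (or of a live capture with the same flags) and summarizes packets per source address, protocol and destination port, and lists TCP SYNs that never received a SYN-ACK in the capture. The sample lines embedded in it are constructed to mimic tcpdump's -nn -tttt format for the lab hosts used above (172.16.22.37 as the Windows VM, 172.16.22.45 as Kali) and are not a real capture; the parser also accepts the default single-token timestamp.

```python
"""Summarize tcpdump text output (one packet per line).

Added example (not the tutorial's own code). Usage on Kali:
    tcpdump -nn -tttt -l -r capture_file | python3 tcpdump_summary.py
With no input on stdin it runs against the constructed SAMPLE_LINES below.
"""
import re
import sys
from collections import Counter

# Constructed sample of "tcpdump -nn -tttt" output; not a real capture.
SAMPLE_LINES = """\
2024-01-15 10:22:33.123456 IP 172.16.22.37 > 172.16.22.45: ICMP echo request, id 1, seq 5, length 40
2024-01-15 10:22:33.123900 IP 172.16.22.45 > 172.16.22.37: ICMP echo reply, id 1, seq 5, length 40
2024-01-15 10:22:34.000001 IP 172.16.22.37.49152 > 172.16.22.45.80: Flags [S], seq 1000, win 8192, options [mss 1460], length 0
2024-01-15 10:22:34.000200 IP 172.16.22.45.80 > 172.16.22.37.49152: Flags [S.], seq 2000, ack 1001, win 29200, length 0
2024-01-15 10:22:34.000300 IP 172.16.22.37.49152 > 172.16.22.45.80: Flags [.], ack 1, win 8192, length 0
2024-01-15 10:22:35.000002 IP 172.16.22.37.53000 > 172.16.22.45.5000: UDP, length 12
2024-01-15 10:22:36.000003 IP6 fe80::1.546 > ff02::1:2.547: UDP, length 100
2024-01-15 10:22:37.000004 IP 172.16.22.37.49153 > 172.16.22.45.443: Flags [S], seq 3000, win 8192, length 0
"""

# Timestamp is one token by default and "date time" with -tttt.
LINE_RE = re.compile(
    r"^(?P<ts>\S+(?: \S+)?) (?P<fam>IP6?) (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")


def classify(rest):
    """Guess the transport protocol from the text after the address pair."""
    if rest.startswith("Flags ["):
        return "tcp"
    if rest.startswith("UDP"):
        return "udp"
    if rest.startswith("ICMP6"):
        return "icmp6"
    if rest.startswith("ICMP"):
        return "icmp"
    return "other"


def parse_line(line):
    """Return a dict for one tcpdump line, or None if it is not a packet line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto = classify(m["rest"])
    src, dst = m["src"], m["dst"]
    sport = dport = flags = None
    if proto in ("tcp", "udp"):
        # tcpdump appends ".port" to the address, also for IPv6 (fe80::1.546),
        # so split on the last dot only.
        src, sport = src.rsplit(".", 1)
        dst, dport = dst.rsplit(".", 1)
        sport, dport = int(sport), int(dport)
    if proto == "tcp":
        flags = FLAGS_RE.search(m["rest"]).group(1)
    return {"ts": m["ts"], "family": m["fam"], "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


def summarize(lines):
    """Aggregate parsed packets into per-source, per-protocol and per-port counts."""
    packets = [p for p in (parse_line(l) for l in lines) if p]
    by_src = Counter(p["src"] for p in packets)
    by_proto = Counter(p["proto"] for p in packets)
    by_dport = Counter((p["proto"], p["dport"]) for p in packets if p["dport"] is not None)
    # A SYN with no matching SYN-ACK (reverse 4-tuple) in the capture suggests a
    # closed or filtered port, or a half-open scan worth a closer look.
    syns = {(p["src"], p["sport"], p["dst"], p["dport"])
            for p in packets if p["proto"] == "tcp" and p["flags"] == "S"}
    synacks = {(p["dst"], p["dport"], p["src"], p["sport"])
               for p in packets if p["proto"] == "tcp" and p["flags"] == "S."}
    return {"packets": len(packets), "by_src": by_src, "by_proto": by_proto,
            "by_dport": by_dport, "unanswered_syns": sorted(syns - synacks)}


def main():
    lines = sys.stdin.readlines() if not sys.stdin.isatty() else SAMPLE_LINES.splitlines()
    s = summarize(lines)
    print(f"{s['packets']} packets")
    for src, n in s["by_src"].most_common():
        print(f"  src {src:<40} {n}")
    for (proto, port), n in sorted(s["by_dport"].items()):
        print(f"  {proto}/{port:<5} {n}")
    for src, sport, dst, dport in s["unanswered_syns"]:
        print(f"  unanswered SYN {src}:{sport} -> {dst}:{dport}")


if __name__ == "__main__":
    main()
```

Run it on a live capture with "tcpdump -nn -tttt -l port 80 | python3 tcpdump_summary.py" to watch the Packet Sender traffic arrive; the -l option matters there, since without line buffering tcpdump's output only reaches the pipe in blocks.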

Advanced
Now that we’ve seen what we can do with the basics through some examples, let’s look at some
more advanced stuff.

More options

Here are some additional ways to tweak how you call tcpdump.

-X : Show the packet’s contents in both hex and ASCII.
-XX : Same as -X, but also shows the Ethernet header.
-D : Show the list of available interfaces.
-l : Line-buffered output (for viewing as you save, or piping to other commands).
-q : Be less verbose (quieter) with your output; shows less protocol information.
-t : Don’t print a timestamp on each line.
-tttt : Give maximally human-readable timestamp output (date and time).
-i eth0 : Listen on the eth0 interface.
-vv : Verbose output (more v’s gives more output).
-c : Only get x number of packets and then stop.
-s : Define the snaplength (size) of the capture in bytes. Use -s 0 to get everything,
unless you are intentionally capturing less.
-S : Print absolute sequence numbers.
-e : Get the Ethernet header as well.
-E : Decrypt IPsec ESP traffic by providing the SPI, algorithm and key.