Utilize TCPDump for Packet Capture

Hands-On Lab

 

Justin Mitchell

Security Training Architect II in Content

Length

01:00:00

Difficulty

Intermediate

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Utilize Tcpdump for Packet Capture

Introduction

In this hands-on lab, we will learn how to capture network traffic using the tcpdump command line tool. We will install and configure tcpdump on Server1 to capture web traffic coming from Client1.

Connecting to the Lab

Log In to Client1

  1. Open your terminal application, and run the following command. (Remember to replace <CLIENT1_PRIVATE_IP> with the private IP you were provided on the lab instructions page.)
    ssh cloud_user@<CLIENT1_PRIVATE_IP>
  2. Type yes at the prompt.
  3. Enter your password at the prompt.

Log In to Server1

  1. Open a new window in your terminal application, and run the following command. (Remember to replace <SERVER1_PRIVATE_IP> with the private IP you were provided on the lab instructions page.)
    ssh cloud_user@<SERVER1_PRIVATE_IP>
  2. Type yes at the prompt.
  3. Enter your password at the prompt.

Install Tcpdump

  1. From your Server1 terminal window, run the following command:
    sudo yum install tcpdump
  2. Type y at the prompt.
  3. When prompted, enter the password for cloud_user.

Begin the Packet Capture

  1. Apply a capture filter so that tcpdump records only traffic on port 80 (the web requests), and write the packets to a file with -w:
    sudo tcpdump -w capture.pcap port 80

Generate Traffic

  1. Switch to your Client1 terminal window.
  2. Generate traffic from Client1 (10.0.1.11) to Server1 (10.0.1.10).
    curl -I 10.0.1.10
  3. Run the above command several times to generate simulated traffic.

Cancel the Capture and View the Results

  1. Switch to your Server1 terminal window.
  2. Press Ctrl + C to cancel the capture process.
  3. Run tcpdump with the -r option to read the capture file back and display the packets it contains:
    sudo tcpdump -r capture.pcap
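To see what the capture.pcap file written by the -w step actually contains, and why the ssh session you are typing in never shows up in it, here is an added example (not part of the original lab) that builds a small pcap in memory with frames constructed to look like the curl handshake between Client1 (10.0.1.11) and Server1 (10.0.1.10), reads it back the way tcpdump -r would, and applies the port 80 filter in software. The ephemeral ports, timestamps and the SSH packet are all constructed values.

```python
import struct

def eth_ipv4_tcp(src, dst, sport, dport, flags=0x02):
    # Constructed Ethernet/IPv4/TCP frame: no payload, checksums left at zero
    eth = b"\x00" * 12 + b"\x08\x00"                # dst MAC, src MAC, EtherType 0x0800 (IPv4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp

def build_pcap(frames):
    # Same layout `tcpdump -w` writes: 24-byte global header, then a 16-byte record header per packet
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # LINKTYPE_ETHERNET = 1
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    # Walk the records like a minimal `tcpdump -r`; returns (src, dst, proto, sport, dport) tuples
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("not a little-endian Ethernet pcap")
    off, pkts = 24, []
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":             # skip non-IPv4 frames (ARP, IPv6, ...)
            continue
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport = dport = None
        if proto in (6, 17):                        # TCP and UDP headers both begin src port, dst port
            sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        pkts.append((src, dst, proto, sport, dport))
    return pkts

def port_80_only(pkts):
    # The lab's `port 80` filter applied in software: either endpoint on port 80
    return [p for p in pkts if 80 in (p[3], p[4])]

# Constructed capture: the curl -I handshake from Client1, plus one packet of the SSH session itself
FRAMES = [
    eth_ipv4_tcp("10.0.1.11", "10.0.1.10", 45678, 80),          # SYN from curl
    eth_ipv4_tcp("10.0.1.10", "10.0.1.11", 80, 45678, 0x12),    # SYN/ACK from the web server
    eth_ipv4_tcp("10.0.1.11", "10.0.1.10", 52000, 22, 0x18),    # SSH keystroke, not web traffic
]
CAPTURE = build_pcap(FRAMES)
```

Calling port_80_only(read_pcap(CAPTURE)) returns only the two curl packets; the same read_pcap function works on the real capture.pcap from the lab if you pass it the file's bytes.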

Conclusion

Congratulations, you've successfully completed this hands-on lab!