Packet Capture and Analysis

Hands-On Lab

Stosh Oldham

Course Development Director in Content

Length

01:00:00

Difficulty

Intermediate

It's crucial for any security or systems administrator to be able to capture and analyze network traffic. This allows for advanced troubleshooting as well as security review. Furthermore, having a working knowledge of the traditional capture filters, like those used in the tcpdump and wireshark utilities, is a requirement of some certification exams, such as the LPIC-3 303-200.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Solution

Use a tshark capture filter to collect TCP traffic on port 80.

  1. Use a tshark capture filter to collect TCP traffic on port 80. Store the capture command output in /root/http_out. The -f filter uses BPF capture syntax; -Y applies a display filter to the decoded packets in a single pass (tshark's -R read filter requires two-pass mode, which is not available during a live capture).

    tshark -f "tcp port 80" -V -Y http > /root/http_out
  2. In another SSH session, run curl www.example.com/index.html during the capture.

    curl www.example.com/index.html

    > Note: curl may produce output but it does not need to be recorded.

Use a tshark display filter to collect HTTP traffic and print only HTTP response codes

  1. Use a tshark display filter to collect HTTP traffic and print only HTTP response codes. Store the capture command output in /root/http_response.

    tshark -Y http -T fields -e http.response.code > /root/http_response
  2. In a separate SSH session, run curl www.example.com/index.html and then curl www.example.com/error.html during the capture:

    curl www.example.com/index.html
    curl www.example.com/error.html

    > Note: curl may produce output but it does not need to be recorded.

Use a tshark capture filter that prints the IP address of hosts sending traffic to the test workstation on TCP port 22.

  1. Use a tshark capture filter that prints the IP address of hosts sending traffic to the test workstation on TCP port 22. Observe any IP addresses printed after several seconds.

    tshark -f "tcp src port 22" -T fields -e ip.dst

    Add the IP address(es) to /root/ssh_ip in a newline-delimited format.
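The three tasks above as reusable shell functions, added here as an example and not part of the lab's own solution: it records each capture to a pcap with a capture filter (-f, BPF syntax) and then queries it with display filters (-Y, Wireshark field syntax), and it post-processes the field output into the histogram and the newline-delimited IP list the tasks ask for. It assumes tshark is in PATH, the user can capture as root, and the interface name and pcap paths are supplied as arguments; the sample inputs in the comments are constructed.

```shell
#!/bin/sh
# Capture filter only: BPF syntax, applied before packets reach tshark.
# Writes raw packets to a pcap and stops after the given number of seconds.
capture_port() {  # $1 interface, $2 TCP port, $3 seconds, $4 pcap path
    tshark -i "$1" -f "tcp port $2" -a "duration:$3" -w "$4"
}

# Task 2 on a recording: "http.response" matches replies only, so no blank
# lines are emitted for requests (the lab's "-Y http" prints one per request).
http_response_codes() {  # $1 pcap path  -> "server_ip<TAB>code" per response
    tshark -r "$1" -Y "http.response" -T fields -e ip.src -e http.response.code
}

# Task 3 on a recording: remote hosts that sent packets to local TCP port 22.
# The lab reads ip.dst of replies leaving port 22; reading ip.src of inbound
# packets yields the same peers and also lists hosts whose SYNs got no reply.
ssh_client_ips() {  # $1 pcap path
    tshark -r "$1" -Y "tcp.dstport == 22" -T fields -e ip.src | unique_ips
}

# Post-processing helpers (pure shell, usable without tshark).
# Count responses per status code from "ip<TAB>code" lines, e.g. the
# constructed input "203.0.113.10<TAB>200" twice and "...<TAB>404" once
# gives "200 2" and "404 1".
code_histogram() {
    awk -F'\t' 'NF >= 2 { n[$2]++ } END { for (c in n) print c, n[c] }' | sort -k1,1n
}

# Keep only IPv4 addresses (drops blank lines from non-IP frames and any
# IPv6 peers), remove duplicates, and sort numerically octet by octet.
unique_ips() {
    grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u
}

# Usage (as root), e.g.:
#   capture_port eth0 80 30 /root/http.pcap
#   http_response_codes /root/http.pcap | code_histogram
#   capture_port eth0 22 30 /root/ssh.pcap
#   ssh_client_ips /root/ssh.pcap > /root/ssh_ip
```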

Conclusion

Congratulations — you've completed this hands-on lab!