
Performing a Packet Capture

Hands-On Lab


Michael Christian

Course Development Director in Content

Length

01:00:00

Difficulty

Intermediate

In this learning activity, you will need to perform a packet capture of web requests from Client1 (10.0.1.11) to Server1 (10.0.1.10) and the requisite responses. The resulting file should only contain this data.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Performing a Packet Capture

The Scenario

We've been asked to obtain evidence of our network's latency and response as it pertains to web requests from Client1 to Server1. We need to perform a packet capture of this port 80 traffic, generating the traffic if necessary, and provide the results in a file named capture.pcap.

Getting Logged In

Use the credentials provided in the hands-on lab overview page, and pay attention to the shell prompts in this guide. They'll indicate which machine is running which command.

Install tcpdump

The tool we need is called tcpdump, and we'll need to install it. We may as well grab screen too, since it comes in handy for things like this. Become root (with su -) and then run this installation command:

[root@host]# yum -y install tcpdump screen

Before we move on, let's start screen up, and get it split.

[root@host]# screen

Once we're in, press Ctrl+a (all the screen commands we run are prefaced by Ctrl+a), then press |. This splits the screen into two regions. To switch from one side of the window to the other, press Ctrl+a followed by Tab. In the blank side of the window (on the right), start another terminal with Ctrl+a and c. Swap back and forth between the two sides with Ctrl+a and Tab.

Begin the Packet Capture

In the right-hand side, let's start a capture, but with a filter so that we're only getting web requests, and write the output to a file:

[root@host]# tcpdump -w capture.pcap port 80

Generate Some Traffic

Now in the left-hand side, generate some web traffic (so that tcpdump has something to capture) with a curl command. We'll aim the requests for Server1 over at 10.0.1.10.

[root@host]# curl -I 10.0.1.10

Run that command three or four times, so that more data gets thrown in the capture file we're making.

Cancel the Capture and View the File

In the right-hand window, press Ctrl+k to kill the packet capture. Then, we can look at the file with another tcpdump command:

[root@host]# tcpdump -r capture.pcap
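The scenario says the file we hand over should contain only the web requests from Client1 (10.0.1.11) to Server1 (10.0.1.10) and their responses, and a `port 80` filter alone will happily record any other port 80 traffic that crosses the interface. The following script is an added example, not part of the lab, that checks a capture.pcap for exactly that property: it parses the classic pcap format plus Ethernet/IPv4/TCP headers with nothing but the standard library and reports every packet that is not HTTP between the two lab hosts. The sample capture it runs against is constructed in memory (two legitimate packets, a stray DNS query and an SSH packet from a third host), so it runs offline; point `check_file` at the real capture.pcap to check the lab's own output.

```python
"""Verify that a pcap holds only port 80 traffic between Client1 and Server1.

Added example for the packet-capture lab (not the lab's own code). Addresses
are the lab's; the sample capture below is constructed, not recorded.
"""
import socket
import struct

CLIENT = "10.0.1.11"   # Client1, from the lab
SERVER = "10.0.1.10"   # Server1, from the lab
PORT = 80

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap (not pcapng), microsecond timestamps
LINKTYPE_ETHERNET = 1


def decode_frame(frame: bytes):
    """Return (src_ip, dst_ip, src_port, dst_port) for an IPv4/TCP frame, else None."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != 0x0800:          # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4         # IPv4 header length in bytes
    if ip[9] != 6:                   # protocol field: 6 = TCP
        return None
    src = socket.inet_ntoa(ip[12:16])
    dst = socket.inet_ntoa(ip[16:20])
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    return (src, dst, sport, dport)


def parse_pcap(data: bytes):
    """Yield decode_frame() results for every record in a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"                 # file written little-endian (x86 tcpdump)
    elif magic == 0xD4C3B2A1:
        endian = ">"                 # file written big-endian
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    offset = 24                      # end of the 24-byte global header
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield decode_frame(data[offset:offset + incl_len])
        offset += incl_len


def check_capture(data: bytes, client=CLIENT, server=SERVER, port=PORT):
    """Return (matching_count, unexpected_packets) for the capture bytes.

    A packet matches only if it is TCP between exactly the two lab hosts and
    the server side of the conversation is on the web port.
    """
    matching, unexpected = 0, []
    for pkt in parse_pcap(data):
        if pkt is not None:
            src, dst, sport, dport = pkt
            hosts_ok = {src, dst} == {client, server}
            port_ok = (dst == server and dport == port) or (src == server and sport == port)
            if hosts_ok and port_ok:
                matching += 1
                continue
        unexpected.append(pkt)       # None (non-IPv4/TCP) or a mismatching tuple
    return matching, unexpected


def check_file(path: str):
    with open(path, "rb") as fh:
        return check_capture(fh.read())


# --- constructed sample capture (no checksums; the checker never needs them) ---
def build_frame(src, dst, sport, dport, proto=6):
    eth = b"\x00" * 12 + b"\x08\x00"                       # dummy MACs, IPv4 ethertype
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def build_pcap(frames):
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + records


SAMPLE = build_pcap([
    build_frame(CLIENT, SERVER, 41000, 80),                # curl HEAD request
    build_frame(SERVER, CLIENT, 80, 41000),                # HTTP response
    build_frame(CLIENT, "10.0.1.1", 53000, 53, proto=17),  # stray DNS (UDP): should not be in the file
    build_frame("10.0.1.12", SERVER, 50000, 22),           # SSH from another host: also unwanted
])

if __name__ == "__main__":
    ok, bad = check_capture(SAMPLE)
    print(f"{ok} packets match the scenario, {len(bad)} do not: {bad}")
```

If the checker reports anything unexpected, tighten the tcpdump filter to name both ends of the conversation (for example `host 10.0.1.11 and host 10.0.1.10 and port 80`) and re-run the capture; tcpdump applies the same BPF expression syntax to `-r capture.pcap` as well, so it can also be used to confirm the count directly on the box.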

Conclusion

We're done. We captured some traffic on port 80, dumped it into a file, and it's ready for the people who wanted it, whenever they decide to look at it. Congratulations!