Lab 3 Wireshark and TCP Dump Tool Demo


Cryptography

Lab 3: Wireshark and TCP dump tool

Lab

In this lab, students will learn

- To utilize Wireshark and tcpdump for capturing packets and analyzing their contents

Table of Contents
Overview
Task 1: Installing Wireshark and tcpdump
Task 2: http and https application data
Task 2a: to show https is more secure than http on www.example.com
Task 2b: capture and analyze TCP handshake packets
Task 2c: Filtering packets based on source IP address
Task 3: Basic Usage of Tcpdump
Task 3a: understand tcpdump Syntax and Command Structure
Task 3b: Simple Packet Capture Examples
Task 3c: Capturing Real-time Output
Task 3d: Capturing packet data and saving to a File
Task 3e: Reading from a File
Task 4: Combining Options and Filter Expressions
Task 5: To capture particular protocol packets
Other tcpdump commands

BNM Institute of Technology Department of CSE

Overview
This lab focuses on installing Wireshark and tcpdump and on capturing traffic to
analyze how each layer sends and receives packet information.
- Wireshark is a free and open-source packet analyzer. It is used for network
troubleshooting, analysis, software and communications protocol development, and
education.
- Network administrators use tcpdump to analyze traffic on Linux systems. Learn how
to install and use tcpdump, as well as how to examine the results of captured traffic. Protocol
analyzers, also known as packet sniffers, capture network data for display or use by
administrators. The captures include transport layer content, application layer
information and header information, such as physical and logical addresses. Network
administrators usually find this information more useful than the actual data payload.

Lab Tasks
Task 1: Installing Wireshark and tcpdump
Step 1: for the Wireshark tool
https://www.wireshark.org/download.html

Step 2: to install tcpdump

yum install tcpdump
apt-get install tcpdump
Note: on many Linux systems tcpdump is already installed.
Give your observation with a screenshot.

Task 2: http and https application data


Task 2a: to show https is more secure than http on www.example.com
Step 1: find the IP address of www.example.com
ping www.example.com

Give your observation with a screenshot.

Step 2: capture the data packets by running Wireshark in the background and opening
http://www.example.com in the browser.

Give your observation with a screenshot!


Step 3: capture the data packets by running Wireshark in the background and opening
https://www.example.com in the browser.

Give your observation with a screenshot!

Task 2b: capture and analyze TCP handshake packets.

Give your observation with a screenshot!

Task 2c: Filtering packets based on source IP address


In Wireshark, apply the display filter ip.src==93.184.215.14 to keep only packets with that source address.
Give your observation with a screenshot!

Task 3: Basic Usage of Tcpdump


Task 3a: understand tcpdump Syntax and Command Structure
- Tcpdump follows a simple syntax: `tcpdump [options] [filter expression]`
- Options modify the behavior of Tcpdump, such as `-i` for interface and `-n` for displaying
numeric addresses.
- Filter expression allows you to specify which packets to capture based on criteria like
source/destination IP, port numbers, protocols, etc.
Give your observation with a screenshot.

Task 3b: Simple Packet Capture Examples


- To capture packets on a specific interface:
tcpdump -i eth0
// find out which interface is available by running the command ifconfig
- To capture packets from a specific IP address:
tcpdump host 192.168.1.100
// can use any IP address found out by using the ping command on any domain name
- To capture packets on a specific port:
tcpdump port 80
Give your observation with a screenshot.

Task 3c: Capturing Real-time Output


- By default, Tcpdump captures packets in real-time and displays them on the terminal.
tcpdump
- You can stop the capture by pressing `Ctrl+C`.
Give your observation with a screenshot.


Task 3d: Capturing packet data and saving to a File


- To save captured packets to a file:
tcpdump -i eth0 -w capture.pcap
This command captures packets on interface `eth0` and saves them to a file named
`capture.pcap`.
Give your observation with a screenshot.

Task 3e: Reading from a File:


- To read packets from a saved capture file:
tcpdump -r capture.pcap

This command reads packets from the file `capture.pcap` and displays them on the
terminal. // try reading with cat command also
Give your observation with a screenshot.
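Added worked example (Python, written for this handout; it is not tcpdump's or Wireshark's code). The file that `-w` produces and `-r` reads is a pcap file: a 24-byte global header (magic number, version, snaplen, link type) followed, for every packet, by a 16-byte record header and the captured bytes. The functions below build such a file from two constructed stand-in frames, read it back, and show that the file begins with non-printable bytes, which is why `cat capture.pcap` prints garbage while `tcpdump -r` decodes it. Lowering the snaplen truncates each stored frame, as the `-s` option does. All function names and the sample frames are assumptions made for this example.

```python
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4   # magic number of the classic (microsecond) pcap format
LINKTYPE_ETHERNET = 1     # link-layer type recorded for an Ethernet interface

# Constructed stand-in frames (not a real capture): (ts_sec, ts_usec, frame bytes).
# Each is a 14-byte Ethernet header followed by a zeroed body.
FRAMES = [
    (1700000000, 0,
     b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x06" + bytes(28)),   # broadcast, EtherType 0x0806 (ARP)
    (1700000000, 250000,
     b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + bytes(60)),  # EtherType 0x0800 (IPv4)
]

def build_pcap(frames, snaplen=262144):
    """Serialize frames in pcap layout: a 24-byte global header, then for every
    frame a 16-byte record header (ts_sec, ts_usec, captured length, original
    length) and the captured bytes.  Frames longer than snaplen are truncated,
    which is what tcpdump -s controls."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, data in frames:
        captured = data[:snaplen]
        out += struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(data)) + captured
    return out

def parse_pcap(data):
    """Inverse of build_pcap; accepts either byte order by inspecting the magic."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a pcap file, magic was %#x" % magic)
    _major, _minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    records, pos = [], 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        records.append((ts_sec, ts_usec, data[pos:pos + incl_len]))
        pos += incl_len
    return linktype, snaplen, records

def write_pcap(path, frames, snaplen=262144):
    with open(path, "wb") as f:
        f.write(build_pcap(frames, snaplen))

def read_pcap(path):
    with open(path, "rb") as f:
        return parse_pcap(f.read())

def roundtrip(frames, snaplen=262144):
    """Write a temporary capture.pcap and read it back, like tcpdump -w followed by -r."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "capture.pcap")
        write_pcap(path, frames, snaplen)
        return read_pcap(path)

def looks_like_text(data, sample=64):
    """True when the first bytes are printable ASCII.  A pcap file fails this test,
    which is why `cat capture.pcap` shows garbage and `tcpdump -r` is needed."""
    return all(32 <= b < 127 or b in b"\t\r\n" for b in data[:sample])
```

The layout matches what libpcap writes on a little-endian host (the first four bytes on disk are d4 c3 b2 a1); tcpdump itself uses libpcap for this, not code like the above.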

Task 4: Combining Options and Filter Expressions


- You can combine options and filter expressions to customize packet capture according to
your requirements.
- For example, to capture packets from a specific IP address and save them to a file
(options such as -w come before the filter expression):
tcpdump -w capture.pcap host 192.168.1.100
Give your observation with a screenshot.

Task 5: To capture particular protocol packets


Example ICMP packets
tcpdump icmp
captures only ICMP packets

To capture ICMP packets from or to a specific host, you can specify the host using its IP
address
tcpdump icmp host <host_IP>

To capture ICMP packets from the specified host on interface eth0


tcpdump -i eth0 icmp and host <host_IP>

Give your observation with a screenshot.

Other tcpdump commands


##TCP FLAGS##

Unskilled Attackers Pester Real Security Folks


==============================================
TCPDUMP FLAGS
Unskilled = URG = (Not Displayed in Flag Field, Displayed elsewhere)
Attackers = ACK = (Not Displayed in Flag Field, Displayed elsewhere)
Pester = PSH = [P] (Push Data)
Real = RST = [R] (Reset Connection)
Security = SYN = [S] (Start Connection)


Folks = FIN = [F] (Finish Connection)

SYN-ACK = [S.] (SYN-ACK packet)
[.] (none of the displayed flags set, i.e. a plain ACK)

##USAGE##
Basic communication // see the basics without many options
# tcpdump -nS

Basic communication (very verbose) // see a good amount of traffic, with


verbosity and no name help
# tcpdump -nnvvS

A deeper look at the traffic // adds -X for payload but doesn’t grab any more of
the packet
# tcpdump -nnvvXS

Heavy packet viewing // the final “s” increases the snaplength, grabbing the
whole packet
# tcpdump -nnvvXSs 1514

host // look for traffic based on IP address (also works with hostname if you’re
not using -n)
# tcpdump host 1.2.3.4

src, dst // find traffic from only a source or destination (eliminates one side
of a host conversation)
# tcpdump src 2.3.4.5
# tcpdump dst 3.4.5.6

net // capture an entire network using CIDR notation


# tcpdump net 1.2.3.0/24

proto // works for tcp, udp, and icmp. Note that you don’t have to type proto
# tcpdump icmp

port // see only traffic to or from a certain port


# tcpdump port 3389

src, dst port // filter based on the source or destination port


# tcpdump src port 1025
# tcpdump dst port 389

src/dst, port, protocol // combine all three


# tcpdump src port 1025 and tcp
# tcpdump udp and src port 53

You also have the option to filter by a range of ports instead of declaring them
individually, and to only see packets that are above or below a certain size.

Port Ranges // see traffic to any port in a range


tcpdump portrange 21-23

Packet Size Filter // only see packets below or above a certain size (in bytes)
tcpdump less 32
tcpdump greater 128
[ You can use the symbols for less than, greater than, and less than or equal /
greater than or equal signs as well. ]

// filtering for size using symbols (quote the expression so the shell does not
// treat > and <= as output redirections)

tcpdump 'len > 32'
tcpdump 'len <= 128'
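Added example (Python, not part of the lab sheet and not tcpdump's code) showing how the primitives listed above are evaluated: each filter keyword becomes a predicate over a packet's header fields, and `and`/`or`/`not` combine them. The five sample packets are constructed and are summarised as fields rather than parsed from bytes, which is a simplification for this example. It makes two details explicit: `host`, `port` and `net` match either direction while `src`/`dst` match one side only, and `less N`/`greater N` are inclusive (`len <= N`, `len >= N`). In the filter language `and` binds tighter than `or`, so `tcp and port 80 or icmp` means `(tcp and port 80) or icmp`, which the combinators below reproduce.

```python
import ipaddress

# Constructed sample packets (not a real capture), summarised as the header
# fields the filter primitives consult: protocol, addresses, ports, total length.
PACKETS = [
    dict(proto="tcp",  src="192.168.1.100", dst="93.184.215.14", sport=51000, dport=80,    length=74),
    dict(proto="tcp",  src="93.184.215.14", dst="192.168.1.100", sport=80,    dport=51000, length=1514),
    dict(proto="udp",  src="192.168.1.100", dst="192.168.1.1",   sport=53000, dport=53,    length=60),
    dict(proto="icmp", src="192.168.1.100", dst="1.2.3.4",       sport=None,  dport=None,  length=98),
    dict(proto="tcp",  src="10.0.0.5",      dst="192.168.1.100", sport=4444,  dport=22,    length=32),
]

# Each primitive returns a predicate.  host/port/net match either direction of a
# conversation; src/dst (and src port/dst port) look at one side only.
def host(addr):      return lambda p: addr in (p["src"], p["dst"])
def src(addr):       return lambda p: p["src"] == addr
def dst(addr):       return lambda p: p["dst"] == addr
def net(cidr):
    n = ipaddress.ip_network(cidr)          # CIDR notation, e.g. "10.0.0.0/8"
    return lambda p: any(ipaddress.ip_address(a) in n for a in (p["src"], p["dst"]))
def port(n):         return lambda p: n in (p["sport"], p["dport"])
def src_port(n):     return lambda p: p["sport"] == n
def dst_port(n):     return lambda p: p["dport"] == n
def portrange(lo, hi):
    return lambda p: any(x is not None and lo <= x <= hi for x in (p["sport"], p["dport"]))
def proto(name):     return lambda p: p["proto"] == name
# 'less N' is shorthand for 'len <= N' and 'greater N' for 'len >= N': both bounds inclusive
def less(n):         return lambda p: p["length"] <= n
def greater(n):      return lambda p: p["length"] >= n
def and_(*preds):    return lambda p: all(f(p) for f in preds)
def or_(*preds):     return lambda p: any(f(p) for f in preds)
def not_(pred):      return lambda p: not pred(p)

def select(pred, packets=PACKETS):
    """Indices of the sample packets that a filter would let tcpdump print."""
    return [i for i, p in enumerate(packets) if pred(p)]

if __name__ == "__main__":
    print("host 192.168.1.100      ->", select(host("192.168.1.100")))
    print("src 192.168.1.100       ->", select(src("192.168.1.100")))
    print("net 10.0.0.0/8          ->", select(net("10.0.0.0/8")))
    print("portrange 21-23         ->", select(portrange(21, 23)))
    print("udp and dst port 53     ->", select(and_(proto("udp"), dst_port(53))))
    print("less 32                 ->", select(less(32)))
    print("tcp and port 80 or icmp ->", select(or_(and_(proto("tcp"), port(80)), proto("icmp"))))
```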

[ Note: Only the PSH, RST, SYN, and FIN flags are displayed in tcpdump‘s flag
field output. URGs and ACKs are displayed, but they are shown elsewhere in the
output rather than in the flags field ]

Keep in mind the reasons these filters work. The filters below find these
various packets because tcp[13] reads the byte at offset 13 in the TCP header (the
flag byte), the number after & is the bit mask of the flag in question within that
byte (URG 32, ACK 16, PSH 8, RST 4, SYN 2, FIN 1), and != 0 means that bit is set
to 1, i.e. the flag is on.

Show all URG packets:


# tcpdump 'tcp[13] & 32 != 0'

Show all ACK packets:


# tcpdump 'tcp[13] & 16 != 0'

Show all PSH packets:


# tcpdump 'tcp[13] & 8 != 0'

Show all RST packets:


# tcpdump 'tcp[13] & 4 != 0'

Show all SYN packets:


# tcpdump 'tcp[13] & 2 != 0'

Show all FIN packets:


# tcpdump 'tcp[13] & 1 != 0'

Show all SYN-ACK packets:


# tcpdump 'tcp[13] = 18'

Show ICMP echo request and reply (type 8 and type 0; the ICMP type is the byte at
offset 0 of the ICMP header):

# tcpdump -n icmp and '(icmp[0] = 8 or icmp[0] = 0)'

Show all IP packets with a non-zero TOS field (the one-byte TOS field is at offset 1
in the IP header; quote the expression so the shell leaves != and [] alone):
# tcpdump -v -n 'ip and ip[1] != 0'

Show all IP packets with a TTL less than some value (the one-byte TTL field is at
offset 8 in the IP header):
# tcpdump -v 'ip and ip[8] < 2'

Show TCP SYN packets:


# tcpdump -n tcp and port 80 and 'tcp[tcpflags] & tcp-syn == tcp-syn'
# tcpdump tcp and port 80 and 'tcp[tcpflags] == tcp-syn'
# tcpdump -i <interface> "tcp[tcpflags] & (tcp-syn) != 0"

Show TCP ACK packets:


# tcpdump -i <interface> "tcp[tcpflags] & (tcp-ack) != 0"

Show TCP SYN/ACK packets (typically, responses from servers):


# tcpdump -n tcp and 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'
# tcpdump -n tcp and 'tcp[tcpflags] & tcp-syn == tcp-syn' and 'tcp[tcpflags] & tcp-ack == tcp-ack'
# tcpdump -i <interface> "tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)"


Show TCP FIN packets:


# tcpdump -i <interface> "tcp[tcpflags] & (tcp-fin) != 0"

Show ARP Packets with MAC address


# tcpdump -vv -e -nn ether proto 0x0806

Show packets of a specified length (the 16-bit IP total length field is at offset 2
in the IP header; -U flushes each packet into the pipe, and options such as -w and
-r go before the filter expression):
# tcpdump -U -w - icmp and 'ip[2:2] > 50' | tcpdump -r - -v ip and 'ip[2:2] < 60'
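Added worked example (Python, not tcpdump's code) of what the byte-index filters above and the handshake capture of Task 2b actually compute. `index()` implements `proto[offset:size]` the way the filter language does: `ip[]` counts from the start of the IP header, while `tcp[]` and `icmp[]` count from the start of the transport header, i.e. after IHL*4 bytes. Each filter from the page then becomes a predicate over a packet (including the page's `icmp[0] != 8 and icmp[0] != 0`, which keeps only non-echo ICMP), and `handshake_steps()` labels SYN, SYN-ACK and ACK from the flag byte plus the sequence arithmetic (the SYN-ACK acknowledges the SYN's seq+1, the final ACK acknowledges the SYN-ACK's seq+1). The packets are constructed (no checksums, no Ethernet header) and every name below is an assumption made for this example.

```python
import struct

# Bit values inside byte 13 of the TCP header (what tcp[13] and tcp[tcpflags] read).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 1, 2, 4, 8, 16, 32
PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}   # value found at ip[9]

def inet(addr):
    return bytes(int(x) for x in addr.split("."))

def ipv4(src, dst, proto, payload, ttl=64, tos=0):
    """Constructed 20-byte IPv4 header (checksum left zero) in front of a transport payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0,
                      ttl, PROTO_NUM[proto], 0, inet(src), inet(dst))
    return hdr + payload

def tcp_pkt(src, dst, sport, dport, seq, ack, flags, data=b"", **ip_kw):
    """IPv4 + 20-byte TCP header (data offset 5, window 65535) + optional payload."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + data
    return ipv4(src, dst, "tcp", tcp, **ip_kw)

def icmp_pkt(src, dst, icmp_type, code=0, **ip_kw):
    """IPv4 + 8-byte ICMP header (type, code, checksum, id, sequence)."""
    return ipv4(src, dst, "icmp", struct.pack("!BBHHH", icmp_type, code, 0, 1, 1), **ip_kw)

def index(pkt, proto, offset, size=1):
    """Evaluate proto[offset:size]: ip[] is relative to the IP header, tcp[]/icmp[]
    to the transport header that follows IHL*4 bytes.  None if the packet does not
    carry that protocol, so such packets never match (as in a pcap filter)."""
    if proto == "ip":
        base = 0
    elif pkt[9] == PROTO_NUM[proto]:
        base = (pkt[0] & 0x0F) * 4
    else:
        return None
    chunk = pkt[base + offset: base + offset + size]
    return int.from_bytes(chunk, "big") if len(chunk) == size else None

# The page's filters as predicates over one packet.
def has_flag(pkt, mask):                 # tcp[13] & mask != 0
    f = index(pkt, "tcp", 13)
    return f is not None and (f & mask) != 0
def syn_ack_exact(pkt):                  # tcp[13] = 18: SYN and ACK and nothing else
    return index(pkt, "tcp", 13) == (TCP_SYN | TCP_ACK)
def icmp_echo(pkt):                      # icmp[0] = 8 or icmp[0] = 0
    return index(pkt, "icmp", 0) in (8, 0)
def icmp_not_echo(pkt):                  # icmp[0] != 8 and icmp[0] != 0
    t = index(pkt, "icmp", 0)
    return t is not None and t not in (8, 0)
def nonzero_tos(pkt):                    # ip[1] != 0
    return index(pkt, "ip", 1) != 0
def ttl_below(pkt, n):                   # ip[8] < n
    return index(pkt, "ip", 8) < n
def ip_len_between(pkt, lo, hi):         # ip[2:2] > lo and ip[2:2] < hi
    return lo < index(pkt, "ip", 2, 2) < hi

def flag_string(f):
    """Render the flag byte like tcpdump's flag field: F S R P letters, '.' for ACK."""
    s = "".join(ch for bit, ch in ((TCP_FIN, "F"), (TCP_SYN, "S"), (TCP_RST, "R"), (TCP_PSH, "P")) if f & bit)
    return "[" + s + ("." if f & TCP_ACK else "") + "]"

def handshake_steps(pkts):
    """Label the three-way handshake (Task 2b) using flags plus seq/ack arithmetic."""
    steps, syn_seq, synack_seq = [], None, None
    for p in pkts:
        f = index(p, "tcp", 13)
        if f is None:
            steps.append("not tcp")
            continue
        seq, ack = index(p, "tcp", 4, 4), index(p, "tcp", 8, 4)
        if f == TCP_SYN:
            syn_seq = seq
            steps.append("SYN " + flag_string(f))
        elif f == (TCP_SYN | TCP_ACK) and syn_seq is not None and ack == syn_seq + 1:
            synack_seq = seq
            steps.append("SYN-ACK " + flag_string(f))
        elif f == TCP_ACK and synack_seq is not None and ack == synack_seq + 1 and seq == syn_seq + 1:
            steps.append("ACK " + flag_string(f))
        else:
            steps.append("other " + flag_string(f))
    return steps

def select(pred, pkts):
    return [i for i, p in enumerate(pkts) if pred(p)]

C, S = "192.168.1.100", "93.184.215.14"   # constructed client/server addresses
SAMPLE = [
    tcp_pkt(C, S, 51000, 80, 1000, 0, TCP_SYN),                               # 0: client SYN
    tcp_pkt(S, C, 80, 51000, 5000, 1001, TCP_SYN | TCP_ACK),                  # 1: server SYN-ACK
    tcp_pkt(C, S, 51000, 80, 1001, 5001, TCP_ACK),                            # 2: client ACK
    tcp_pkt(C, S, 51000, 80, 1001, 5001, TCP_PSH | TCP_ACK,
            b"GET / HTTP/1.0\r\n\r\n", tos=0x10),                             # 3: request, 58-byte IP length
    tcp_pkt(S, C, 80, 51000, 5001, 1019, TCP_RST | TCP_ACK),                  # 4: server reset
    icmp_pkt(C, "1.2.3.4", 8, ttl=1),                                         # 5: echo request with TTL 1
    icmp_pkt("192.168.1.1", C, 3, code=3),                                    # 6: destination unreachable
]

if __name__ == "__main__":
    for label, step in zip(range(len(SAMPLE)), handshake_steps(SAMPLE)):
        print(label, step)
    print("SYN packets:", select(lambda p: has_flag(p, TCP_SYN), SAMPLE))
```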

More Details:
http://danielmiessler.com/study/tcpdump/
