Getting Started With TCPDump
Hello and welcome, my name is John Strand and in this video, we’re going to be talking about getting started with TCPDump.
Now, TCPDump is a fantastic tool, it’s one of the core essential tools that every single IT professional should have, especially Infosec professionals. The reason why is TCPDump gives us the ability to actually see inside the network traffic that’s coming and going from our computer system and if we’re on a span, port, on a switch or a mirrored port on a switch, or if we’re on a wireless network that broadcasts everything, we can see all the traffic on that particular interface as well. But the key is, first starting out by identifying which interface you’re going to look at.
Inside of TCPDump, you can run
This will actually list out all of the available interfaces that TCPDump has to be able to sniff on. Now it’s generally just good practice 99.99% of the situations to identify the interface you’re going to sniff on. And in this situation on my handy-dandy security onion system, you can see that there are multiple interfaces that are running. Specifically, though we’re going to be looking at the ethernet interface and this one’s named ens33. Now if you’re familiar with some older versions of Linux, they used to call everything eth0, eth1, and so on. They changed that recently, we can get into that a little bit later in a video. But the name of my ethernet interface on my security onion system is ens33. I’m also going to be looking at the local loopback adapter a little bit later.
So let’s dive in and actually start some sniffing.
So I can do TCPDump and then I can actually specify my interface and in this situation, I provide ens33, your ethernet interface will most likely be different, and I’m also going to add a couple of additional switches.
I’m going to add
The reason why I’m putting in the X and the A is because with those two switches combined, it’s going to show me the hexadecimal output and it’s going to show me the ASCII code of that hex.
X is for Hex. A is for ASCII.
Why is that important? Let me show you.
So we’re going to run TCPDump, specify the interface is ens33 on my computer system, yours will be different, and I do
-XA. Now as soon as I run that, it pops up and it says you do not have permission to actually start sniffing. The reason for this is TCPDump requires Superuser permissions.
On a Linux or Unix based system, you need to be root. Or on a Windows computer system, if you’re running the Windows equivalent called WinDump, you need me to running as administrator because we’re going to be running very very low-level permissions to be able to sniff the traffic on a computer.
Now to get around this error, if you ever get it, all you need to do is put a
sudo in front of it. If you’ve seen the xkcd comic, sudo make me a sandwich.
This is going to switch users and then do the command
tcpdump. It’s going to ask me for my password, I put in my password, hit enter and then TCPDump should be running… if I type my password correctly, which I did not.
There we go, now it’s running.
So with this, I now want to start sending traffic that TCPDump can see. So I’m going to start by pinging 184.108.40.206 and that’s going to be Google’s DNS server. And as soon as I hit enter, Huzzah! You can see the packets being sent and the responses coming back from Google.
Now what’s interesting about this is I am doing a standard ping of Google, sending an icmp echo request to Google, and you can see that Google is responding. What’s interesting is if you look at what’s being sent you can see I’m sending to Google could you please send back 0 1 2 3 4 5 6 7 and then the reply, down here you can see the request, and then the reply is 0 1 2 3 4 5 6 7. Ok, so it’s not all that interesting, alright I get it, so now let’s change this up just a hair okay?
So now what we’re going to do is I’m going to specify a different adapter, I’m going to specify my local loopback adapter. And I’m going to actually send some data back and forth. So whenever I start up TCPDump, I’m going to fire up Netcat, because I’m old, people. I’m going to run Netcat listening on port 2222. Then I’m going to connect, we’re going to send data through that.
So there I have my Netcat listener and then on the other side, I’m going to do Netcat 127.0.0.1 and then we’re going to go 2222 and then hit enter. And I type HELLOOOOOOOOOOOO, lots of O’s, it’s important. Hit enter and it shows up on the other side.
What did I just do?
Well, I created a little port listener on Port 2222 and then I connected and I sent through the data HELLOOOOOOOOOOOO and if we look, you can actually see inside of that packet which is unencrypted. You can see that TCPDump was able to actually see that raw data.
That’s pretty cool.
Now there’s some other really neat options that you can run with TCPDump.
One of the things you can do with TCPDump is you can actually read in the contents of a file. So in this situation, I’m reading in a pcap file, but we’re going to spend some more time looking into that actually has command and control backdoor data in it. So we’re going to use taidoor, we’re going to look at the traffic, no interactions, just a straight pcap, it’s a really small pcap, we’re going to read in that capture file, we’re going to see the hex decode and the ASCII decode and specifically we want to look at all the data coming and going from a host.
In this situation, the compromised host is 10.0.2.15 and the port is 80. So whenever I hit enter, it’s going to read that data from that capture file and you can see the HTTP requests being sent back and forth. Up here a little bit further you’re actually able to see the encoded data with the backdoor being sent.
We’ll talk more about encoding and decoding a little bit later, but this kind of helps you get started with TCPDump.
One other quick note, whenever you’re running with TCPDump you can run TCPDump and then you can also write out the data to a file. So I’m going to specify my ethernet interface but now I’m going to do the
-W, and I’m going to give it a file, ihateclowns2.pcap.
There we go. And now what it’s going to do is, well if I’m root, I’m going to hit
sudo, hit enter and now it’s sniffing on our interface and it’s writing all the data to a file. This can then be shared with other Professionals for troubleshooting and offline analysis.
One of the other great features of TCPDump is it is very fast, very lightweight, and very efficient at capturing and writing out large packet capture files. I hope you had a good time in this video and I hope to see you in the other videos in the very near future.
Want to level up your skills and learn more straight from John himself?
You can check out his classes below!
Active Defense & Cyber Deception
Getting Started in Security with BHIS and MITRE ATT&CK
Available live/virtual and on-demand