How to perform a PCAP on Ubuntu
Capturing packets (a PCAP) lets us inspect the traffic on a network, review its characteristics and identify problems with it. In this guide we use TCPDump to capture and analyze our packets.
Utilizing TCPDump
To start off we have to install TCPDump. TCPDump is a command-line packet analyzer, which in this instance we will use to perform our PCAP. Capturing packets requires root privileges, so run the commands below as root or prefix them with sudo.
Debian-based Linux Distros
sudo apt install tcpdump
RPM-based Linux Distros
sudo yum install tcpdump
Running TCPDump
To run a basic capture we can run the following:
tcpdump
This bare-bones command simply prints every packet seen on the default interface to the terminal in real time, until it is stopped with Ctrl-C.
To capture only a certain number of packets we can add the -c (count) option, as shown in the example below.
tcpdump -c 10
To write 100 packets to a file named example.pcap we can run the following command:
tcpdump -c 100 -w example.pcap
Filtering Protocol
When we want to capture a larger quantity of packets, we can drop the count option and instead restrict the capture to a single protocol, as in the following example.
tcpdump -w example.pcap icmp
In this example, we are writing solely ICMP packets to the example.pcap file.
Filtering Host
We can also filter packets by a specific host, in this case 192.168.1.1.
tcpdump -w example.pcap host 192.168.1.1
In this example, we are only capturing packets coming from or going to the 192.168.1.1 address.
Filtering Port
Filtering on a port is useful for isolating the traffic of one service going to and from specific addresses; we will use the SSH port, 22, as an example.
tcpdump -w example.pcap port 22
Filtering Source or Destination Address
We can also filter packets by their source or destination address. In this example, we will use source 192.168.1.1.
tcpdump -w example.pcap src 192.168.1.1
Conversely, to filter on the destination, we would run the command as follows:
tcpdump -w example.pcap dst 192.168.1.1
Complex Filtering
We can combine the filters above with the keyword and, so that a packet must match every condition.
tcpdump -w example.pcap host 192.168.1.1 and port 22
In this case, we are filtering for both port 22 and the host 192.168.1.1, and writing the matching packets to example.pcap.
Understanding the PCAP
Before reading an example from a saved capture, we have to know the TCP flags, or at least the common ones.
Value | Flag Type | Description
----- | --------- | -----------
S | SYN | Connection Started
F | FIN | Connection Finished
P | PUSH | Data Pushed
R | RST | Connection Reset
. | ACK | Acknowledgment
We can read one line of the capture as the following:
- Time: 21:17:42.551749
- Source: ubuntu-s-1-vcpu-1gb-nyc1-01.ssh (the capturing host, with the service name ssh standing for port 22)
- Destination: 198.211.111.194:32820
- Flags: P (Data Pushed)
- Sequence: 609168:609408 (240 bytes)
- Ack: 1
- Window Size: 502
- Length In Bytes: 240
For more information on filter expressions or protocols, I recommend the tcpdump and pcap-filter manual pages (man tcpdump and man pcap-filter).