How to perform a PCAP on Ubuntu
Running a PCAP is primarily useful in analyzing packets. By performing a PCAP we can review our network characteristics and identify issues with our network. In this instance, we are going to use TCPDump in order to analyze our packets.
Utilizing TCPDump
To start off we have to install TCPDump. TCPDump is a packet analyzer- which in this instance will be used to perform our PCAP.
Debian-based Linux Distros
apt install tcpdumpRPM-based Linux Distros
yum install tcpdumpRunning TCPDump
To just run a basic packet analysis we can run the following:
tcpdumpThis bare-bone command merely provides us a live-time of all network-packet traffic.
To show a collection of a certain amount of packets we can add the -c (count) option, as is shown in the example below.
tcpdump -c 10To log a series of 100 packets to a file named example.pcap we can run the following command:
tcpdump -c 100 -w example.pcapFiltering Protocol
In an instance where we want to read a larger quantity of packets, we can remove the count field entirely and rather swap it to only read one protocol, as in the following example.
tcpdump -w example.pcap icmpIn this example, we are writing solely ICMP packets to the example.pcap file.
Filtering Host
We can also go as far as filtering packets from a specific host- in this case, 192.168.1.1.
tcpdump -w example.pcap host 192.168.1.1In this example, we are only capturing packets coming from or going to the 192.168.1.1 address.
Filtering Port
Filtering the port can be very useful for trying to mitigate information going to and from specific addresses- we will use the SSH port 22 as an example.
tcpdump -w example.pcap port 22Filtering Source Hostname
Further along, we can filter packets based on their source or destination. In this example, we will use source 192.168.1.1.
tcpdump -w example.pcap src 192.168.1.1Conversely, if we were to target filtering for the destination- we would run the command as follows:
tcpdump -w example.pcap dst 192.168.1.1Complex Filtering
We can combine some of the aforementioned filters to filter a combination.
tcpdump -w example.pcap host 192.168.1.1 and port 22In this case, we are filtering both for port 22 & the host 192.168.1.1 and then writing the output to example.pcap.
Understanding the PCAP
Prior to reading an example of a packet save- we have to identify the flags- or at least the common ones.
| Value | Flag Type | Description |
| S | SYN | Connection Started |
| F | FIN | Connection Finished |
| P | PUSH | Data Pushed |
| R | RST | Connection Reset |
| . | ACK | Acknowledgment |
We can read this as the following:
- Time: 21:17:42.551749
- Hostserver: ubuntu-s-1-vcpu-1gb-nyc1-01.ssh
- Destination: 198.211.111.194:32820
- Flags: Data Pushed
- Sequence: 609168:609408 (240 bytes)
- Ack: 1
- Window Size: 502
- Length In Bytes: 240
For more information on expressions or protocols, I recommend checking out The TCPDump Manuscripts.
