How to perform a PCAP on Ubuntu

  • ubuntu, pcap, 22.04
Running a packet capture (PCAP) is primarily useful for analyzing packets: by capturing traffic we can review the characteristics of our network and identify issues with it. In this instance we are going to use TCPDump to capture and analyze our packets.


Utilizing TCPDump

To start off we have to install TCPDump. TCPDump is a command-line packet analyzer, which in this instance we will use to perform our PCAP. Installing it and capturing packets both require root privileges, so run the commands below as root or prefix them with sudo.


Debian-based Linux Distros

apt install tcpdump

RPM-based Linux Distros

yum install tcpdump

Running TCPDump

To just run a basic packet analysis we can run the following:

tcpdump

This bare-bones command simply prints a live stream of every packet seen on the default interface until you stop it with Ctrl-C.
To capture only a certain number of packets we can add the -c (count) option, as shown in the example below.

tcpdump -c 10

To log a series of 100 packets to a file named example.pcap we can run the following command:

tcpdump -c 100 -w example.pcap

Filtering Protocol

When we want to capture a larger quantity of packets we can drop the count option entirely (tcpdump then runs until interrupted) and instead restrict the capture to a single protocol, as in the following example.

tcpdump -w example.pcap icmp

In this example, we are writing solely ICMP packets to the example.pcap file.

Filtering Host

We can also filter packets by a specific host, in this case 192.168.1.1.

tcpdump -w example.pcap host 192.168.1.1

In this example, we are only capturing packets coming from or going to the 192.168.1.1 address.

Filtering Port

Filtering by port is useful for isolating the traffic of a single service going to and from specific addresses; we will use the SSH port 22 as an example.

tcpdump -w example.pcap port 22

Filtering Source or Destination

Going further, we can filter packets based on their source or destination address. In this example we will use the source 192.168.1.1.

tcpdump -w example.pcap src 192.168.1.1

Conversely, to filter on the destination we would run the command as follows:

tcpdump -w example.pcap dst 192.168.1.1

Complex Filtering

We can combine the filters above with and, or and not to build a compound expression.

tcpdump -w example.pcap host 192.168.1.1 and port 22

In this case we are filtering for both port 22 and the host 192.168.1.1, then writing the output to example.pcap.

Understanding the PCAP

Before reading an example line from a saved capture, we have to identify the TCP flags, or at least the common ones. tcpdump prints the flag letters together inside square brackets, so [P.] means PUSH together with ACK.

Value   Flag Type   Description
S       SYN         Connection Started
F       FIN         Connection Finished
P       PUSH        Data Pushed
R       RST         Connection Reset
.       ACK         Acknowledgment

An example line from a capture then reads as follows:

  • Time: 21:17:42.551749
  • Source host and port: ubuntu-s-1-vcpu-1gb-nyc1-01.ssh
  • Destination: 198.211.111.194:32820
  • Flags: Data Pushed
  • Sequence: 609168:609408 (240 bytes)
  • Ack: 1
  • Window Size: 502
  • Length In Bytes: 240
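As an added example (not part of the original article), the following Python script parses a tcpdump summary line of the kind described above into its fields and decodes the flag letters using the table. The sample line is constructed from the values listed, not taken from a real capture, and the regular expression assumes tcpdump's default output format (no -v, default timestamp).

```python
import re
# Flag letters as tcpdump prints them inside "Flags [...]": the first five are
# the table above, the remaining three are the other letters tcpdump uses.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PUSH", "R": "RST", ".": "ACK",
              "U": "URG", "E": "ECE", "W": "CWR"}

# One TCP summary line at tcpdump's default verbosity and default timestamp.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+) IP6? (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq_start>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?"
    r"(?:, options \[[^\]]*\])?"
    r", length (?P<length>\d+)$"
)

def split_endpoint(endpoint):
    # tcpdump joins host and port with a dot ("198.211.111.194.32820",
    # "host.ssh"), so the port or service name is whatever follows the last dot.
    host, _, port = endpoint.rpartition(".")
    return host, port

def decode_flags(field):
    if field == "none":  # tcpdump prints [none] for a segment with no flags set
        return []
    return [FLAG_NAMES.get(c, "?" + c) for c in field]

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("not a TCP summary line: %r" % line)
    num = lambda key: None if m[key] is None else int(m[key])
    return {
        "time": m["time"], "flags": decode_flags(m["flags"]),
        "src": split_endpoint(m["src"]), "dst": split_endpoint(m["dst"]),
        "seq_start": num("seq_start"), "seq_end": num("seq_end"),
        "ack": num("ack"), "win": num("win"), "length": int(m["length"]),
        # payload bytes implied by the seq range, for cross-checking "length"
        "seq_bytes": None if num("seq_end") is None else num("seq_end") - num("seq_start"),
    }

# Constructed sample line (not a real capture), built from the field values listed above.
SAMPLE = ("21:17:42.551749 IP ubuntu-s-1-vcpu-1gb-nyc1-01.ssh > 198.211.111.194.32820: "
          "Flags [P.], seq 609168:609408, ack 1, win 502, length 240")

if __name__ == "__main__":
    for key, value in parse_line(SAMPLE).items():
        print(f"{key:>9}: {value}")
```

Run it against your own capture with `tcpdump -r example.pcap | python3 script.py`-style piping by feeding each line to parse_line; lines for non-TCP packets raise ValueError and can be skipped.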


For more information on filter expressions or protocols, I recommend checking out the tcpdump manual pages (man tcpdump and man pcap-filter).
