Capturing packets is a foundational skill in IT security. In this video, you’ll learn about Wireshark, tcpdump, and Tcpreplay.
As a security professional, we will always have a requirement to capture raw data from the network. One of the easiest ways to do this and be able to easily view this information is to use a utility like Wireshark. Wireshark has both graphical and text based packet capture capabilities, and it can provide us with a decode of every packet so that we can see exactly what information may be contained within this network traffic.
Using Wireshark, we can easily capture information that’s being sent over in the ethernet network or an 802.11 wireless network. And once we capture that information, we can view all of the packets, we can get a breakdown of the timestamps, the IP address that was used as the source, the destination the specific protocol, and then a breakdown of what other information may be contained within that particular packet. If you need to document exactly what a particular attacker may be doing on the network, then you want to be sure to get the packets. One of the easiest ways is to use Wireshark.
Here’s a real time packet capture of Wireshark on my local network. This is on my [INAUDIBLE] distribution, and it’s really just receiving broadcasts and multicasts on my local network. Right now that consists of a number of ICMP version six and some SSDP, which is this simple service discovery protocol. With each one of these, I can select a particular frame. I get a breakdown or a detailed view of that frame, I can even extend some of this out to see exactly what may be sending this discovery protocol, and you also get a hexadecimal breakdown of this decode so that you can really see exactly what information is being sent over the network.
Once you’ve captured these packets, they can be saved in a file so that you can pull this up later and have the documentation to understand exactly what was sent across the network during that time frame. If you’re working on a system at the command prompt, you may not have a graphical front end that you can use with Wireshark, so instead, you need something that can perform the same function at the command line level, and a good utility for that is tcpdump. This is often included in many Linux distributions, so you may not even have to install any new software to be able to have the tcpdump capabilities. If you run tcpdump, it can display information on the screen. You can have other options to provide additional decodes as this is capturing, and even include the option to write all of this information into a capture file that you can later look at inside of tcpdump, or use Wireshark.
I’m going to run tcpdump on my colleague distribution. I’m going to run it with elevated permission, so that I have rights to capture this information. And as the packets are coming through, just as we saw with Wireshark, we start to see, in this case, broadcasts and multicasts that are being sent over the network, and the decodes are being sent to our screen. We could have also used parameters on the command line to also write this information into a file so that we can reference that information later.
Now that we’ve captured these packets, we can, of course, look at this information inside of a protocol decoder like Wireshark, or we can replay this information back onto the network using a utility called Tcpreplay. This allows us to take the information that we’ve gathered and simply send it right back out our network interface card so that other devices on the network can see that traffic as well. This is a great way to test your security devices. If you’ve captured some malicious software and you want to see if your IP can recognize it, you can simply send that information across the network and see if anything shows up in the logs of your IPS. This is also a good way to test firewall rules to see if the information you’re sending through the network will either be allowed or denied access at the firewall.
I’ve also used Tcpreplay to be able to send large amounts of information across the network to test for monitoring tools and how well they’re operating. So if you want to check IP flow, or NetFlow devices, or other packet capture devices on the network, you can send hundreds of thousands of traffic flows across the network at very high speed and see how those devices happen to respond when they’re receiving that data. This is also a good way to do some stress testing of the other devices on your network. So if you want to see how a switch will perform, how a firewall might react to all of this data coming through the network, you can use Tcpreplay.