TCPdump: Network Traffic Analysis and Packet Capturing

Overview: 

In this Coursera Guided Project, I used TCPdump as a sudo user to capture and analyze network packets. I filtered and displayed the first 10 packets with numbering, in hexadecimal, ASCII, and human-readable time formats. I explored all network interfaces, specifically filtering for "ens5." Further, I captured 10 packets from "skyroute66.com" on port 443 and saved the results in numeric, hexadecimal, and human-readable formats to a dump file using the VS Code terminal. This project showcases a systematic approach to packet analysis and effective filtering using TCPdump.

TCPdump Introduction:

TCPdump is a command-line packet analyzer for Unix-like systems. It captures and displays real-time network traffic, aiding network administrators and security professionals in diagnosing issues. With powerful filtering options, it allows users to inspect packets based on various criteria, offering valuable insights into network communication for troubleshooting and security analysis.

Key Terminologies:

Packet: It is a small unit of data that is transmitted over a network. It is the fundamental unit of information in network communication and is used to encapsulate data for transmission from one device to another.

Super user: The term "superuser" typically refers to a user account with elevated privileges or permissions beyond those of regular users. In different contexts, this concept is known by different names, such as "root" in Unix and Linux systems or "Administrator" in Windows systems.

Dump file: It is a binary file that stores captured network packets, facilitating offline analysis and inspection of network activity.

Shell Scripts: Enable the automation and customization of packet capture tasks, allowing users to specify conditions, filters, and actions to analyze network traffic efficiently.

ASCII Format: ASCII (American Standard Code for Information Interchange) is a character encoding standard that represents text in computers and other devices, using a 7-bit binary code to represent each character.

Hexadecimal Format: Hexadecimal format is a base-16 number system that uses the digits 0-9 and the letters A-F to represent values.

Network Interfaces: A network interface is a hardware or software component that enables a computer or device to connect and communicate with a network, using specific naming conventions such as "ens5" or "eth0" to identify individual interfaces.

ens5: It is a predictable network interface name in Linux systems, representing a specific network interface typically associated with Ethernet connectivity.

Ethernet: It is a widely-used networking technology that enables wired communication between devices within a local area network (LAN), operating on the data link layer of the OSI model.

VS Code: It is a lightweight, extensible source-code editor by Microsoft.

Wireshark: It is an open-source network protocol analyzer that allows users to capture and inspect data on a network in real-time, providing detailed insights into network traffic.

Task 1: Getting Started:

Used the following commands:

  • sudo tcpdump  started TCPdump as a sudo user and began capturing packets
  • CTRL+C  stopped the packet capture

  • sudo tcpdump -c 10  limited the capture to the first 10 packets

  • sudo tcpdump -c 10 -#  captured the first 10 packets and numbered each packet

  • sudo tcpdump -c 10 -#XX  captured 10 packets and displayed them in hexadecimal and ASCII format

  • sudo tcpdump -c 10 -#ttt  showed the first 10 captured packets, numbered and with a human-readable time format

  • sudo tcpdump -D  listed all the network interfaces on the system that TCPdump can capture from

  • sudo tcpdump -i ens5 -c 10  captured 10 packets from the ens5 network interface only


Task 2: Created Shell Scripts

Used the command sudo tcpdump -#XXttt -c 10 port 443 and host skyroute66.com to capture 10 packets travelling to or from host skyroute66.com on port 443, displayed with packet numbers, in hexadecimal and in human-readable form.

  • sudo tcpdump -#XXttt -c 10 port 443 and src skyroute66.com

This command captured 10 packets coming from host skyroute66.com on port 443, displayed with packet numbers, in hexadecimal and in human-readable form.

  • sudo tcpdump -#XXttt -c 10 port 443 and dst skyroute66.com

This command captured 10 packets going to host skyroute66.com on port 443, displayed with packet numbers, in hexadecimal and in human-readable form.

Task 3: Created and read dump files

Wrote the captured packets to a dump file with the command sudo tcpdump -#XXttt host skyroute66.com -w capture.pcap in the VS Code terminal.

Read the dump file by running sudo tcpdump -r capture.pcap in the VS Code terminal. The dump file cannot simply be opened and read: it is a binary file, so an editor shows it as garbage (the reddish content in the image below). Running sudo tcpdump -r capture.pcap converts the unreadable content into readable output in the VS Code terminal.
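To make concrete what the Task 2 filters match and what tcpdump -r does with the Task 3 dump file, here is a small Python example added for this write-up; it is not part of the project and not code from tcpdump. It builds a pcap file image in memory from three constructed Ethernet/IPv4/TCP frames, reads it back the way a savefile reader does, prints numbered one-line summaries with absolute timestamps, renders a frame in the hex-and-ASCII layout that -XX produces, and applies the equivalent of "port 443 and host/src/dst H". The address 203.0.113.10 stands in for the project's host (tcpdump resolves skyroute66.com to an address before filtering); every address, port, timestamp and payload byte is constructed.

```python
"""Minimal pcap writer/reader: what `tcpdump -r`, `-#`, `-XX`, `-tttt` and the
'port 443 and host|src|dst H' filters do, reproduced in plain Python.
All frames, addresses and timestamps are constructed test data, not a real capture."""
import socket
import struct
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1

def ipv4_tcp_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Build an Ethernet/IPv4/TCP frame. Checksums stay zero: this is synthetic
    input for exercising the parser, not traffic to be sent anywhere."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + b"\x08\x00"   # dst MAC, src MAC, IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def write_pcap(records):
    """Serialise (ts_sec, ts_usec, frame) tuples into a little-endian pcap file image."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame) from a pcap image, accepting either byte order."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a pcap file (bad magic number)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len

def decode(frame):
    """Return IPv4 addresses and TCP ports from an Ethernet frame, or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:                       # IPv4 protocol field: 6 = TCP
        return None
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport}

def matches(pkt, host, port, direction="host"):
    """Mirror 'port P and host|src|dst H'; tcpdump resolves a hostname to an address first,
    here the address is passed directly."""
    if pkt is None or port not in (pkt["sport"], pkt["dport"]):
        return False
    if direction == "src":
        return pkt["src"] == host
    if direction == "dst":
        return pkt["dst"] == host
    return host in (pkt["src"], pkt["dst"])

def hexdump(frame):
    """Render a frame the way -XX does: offset, 16 bytes as hex words, then ASCII."""
    lines = []
    for off in range(0, len(frame), 16):
        chunk = frame[off:off + 16]
        words = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"\t0x{off:04x}:  {words:<39}  {text}")
    return lines

def summarize(data, host=None, port=None, direction="host"):
    """One numbered line per (filtered) packet with an absolute UTC timestamp."""
    lines, n = [], 0
    for ts_sec, ts_usec, frame in read_pcap(data):
        pkt = decode(frame)
        if host is not None and not matches(pkt, host, port, direction):
            continue
        n += 1
        when = datetime.fromtimestamp(ts_sec, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        if pkt is None:
            lines.append(f"{n:5d}  {when}.{ts_usec:06d} non-IPv4/TCP frame, length {len(frame)}")
        else:
            lines.append(f"{n:5d}  {when}.{ts_usec:06d} IP {pkt['src']}.{pkt['sport']} > "
                         f"{pkt['dst']}.{pkt['dport']}: length {len(frame)}")
    return lines

# Constructed sample capture: a TLS exchange with 203.0.113.10 (stand-in for the project's
# host) plus one unrelated port-80 packet that the port-443 filters must drop.
SAMPLE_PCAP = write_pcap([
    (1700000000, 100, ipv4_tcp_frame("10.0.0.5", "203.0.113.10", 51000, 443, b"\x16\x03\x01")),
    (1700000000, 900, ipv4_tcp_frame("203.0.113.10", "10.0.0.5", 443, 51000, b"\x16\x03\x03")),
    (1700000001, 5, ipv4_tcp_frame("10.0.0.5", "198.51.100.7", 51001, 80, b"GET / HTTP/1.1")),
])

if __name__ == "__main__":
    print("file starts with the pcap magic number, not text:", SAMPLE_PCAP[:4].hex())
    print("\n".join(summarize(SAMPLE_PCAP, "203.0.113.10", 443, "host")))   # both directions
    print("\n".join(hexdump(next(read_pcap(SAMPLE_PCAP))[2])))
```

Running the script shows why the dump file looks like garbage in an editor: the first four bytes are the pcap magic number and everything after it is raw packet bytes, not text. The formatting flags (-#, -XX, -ttt) only govern what tcpdump prints to the terminal; a file written with -w always holds the raw packets, which is also why the same capture.pcap opens unchanged in Wireshark, as the lessons below note.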


Task 4: Created sequence of dump files using time and size limits

Used the command sudo tcpdump -#XXttt host skyroute66.com -w capture.pcap -G 15 to capture network traffic involving the host 'skyroute66.com', saving to 'capture.pcap' and rotating the file every 15 seconds.

The file was overwritten (wiped out) after 15 seconds.

Used the command sudo tcpdump -#XXttt host skyroute66.com -w capture.pcap -C 1 -W 600 to capture packets involving 'skyroute66.com', write them to 'capture.pcap', limit the file size to 1 MB, and keep up to 600 files.

Lessons Learned:

  • The dump file can also be read by opening it in Wireshark.
  • Managing captured packet files, especially in larger projects, can become cumbersome. Organize and name captured files systematically. Consider timestamping filenames or using a specific naming convention to easily identify and manage different captures.
  • Capturing an excessive number of packets can overwhelm the analysis process. Use appropriate filters to focus on the traffic of interest, such as filtering by host, port, or protocol. This keeps the captured data manageable and relevant.
  • Identifying the correct network interface can be challenging, especially on systems with multiple interfaces. Use tools like ifconfig or ip to list the available interfaces, and verify the correct one before starting a packet capture.
  • If the network traffic is encrypted, interpreting packet contents becomes challenging. Consider using additional tools such as Wireshark, which can decrypt traffic if the necessary keys are available.
  • Running packet captures on production systems may impact performance. Schedule captures during low-traffic periods, or use port mirroring to capture traffic on a separate, dedicated system without affecting the production environment.

Conclusion:

This project has significantly enhanced my proficiency in network packet analysis using TCPdump. Through hands-on experience, I gained a deeper understanding of the tool's capabilities, from initiating captures to nuanced filtering and analysis. The systematic approach to displaying and saving packets in various formats, coupled with the exploration of specific network interfaces, has equipped me with practical skills applicable in real-world scenarios. This project not only reinforced my technical knowledge but also provided a solid foundation for future endeavors in network security and troubleshooting.

CERTIFICATE OF COMPLETION