Previously we have discussed networking fundamentals, the OSI model, and various protocols; now it's time to dig deeper into packet capturing and analysis. To accomplish this, we'll leverage tcpdump on the Packet Squirrel and Wireshark on a full computer. These two powerful tools make up most workflows for capturing and decoding packets.
tcpdump is a command-line packet capturing tool available on most Unix-like (Linux, macOS) systems. It captures network traffic, prints a basic decode of each packet, and logs packets to a standard file format (pcap) for analysis with other tools. tcpdump also supports filtering during capture, with options to filter on protocol, source and destination address, port, and more. tcpdump is pre-installed on the Packet Squirrel.
To experiment with tcpdump, connect to the Packet Squirrel with ssh or open the web terminal. Some basic commands include:
Use the -i option to capture packets from a specific interface. On the Packet Squirrel this will almost always be br-lan, the virtual bridge interface that connects the Target and Network ports. In some network modes, capturing directly from eth1 may be more useful.
tcpdump -i br-lan
To capture the conversation of a single address, use the host filter; it matches packets sent to or from that address. Adding -n to any of these commands stops tcpdump from resolving addresses and ports to names, which is slow and generates reverse-DNS traffic of its own from the Packet Squirrel:
tcpdump -i br-lan host 188.8.131.52
To capture packets for a single protocol, such as TCP or UDP, simply include the protocol as a filter:
tcpdump -i br-lan tcp
tcpdump -i br-lan udp
Use the -w option to write packets to a file for later analysis. tcpdump then stores the raw packets rather than its text decode, so every header is preserved for Wireshark, and a capture filter given on the same command line still applies, so only matching packets are written. On the Packet Squirrel, packets should always be written to an external USB storage device:
tcpdump -i br-lan -w /usb/packets.pcap
The packet log file can be transferred using scp, sent to a Cloud C² server via C2EXFIL, or the USB drive can be plugged into a computer.
tcpdump (or more precisely libpcap, the library tcpdump is built on) implements a filter language that compiles to a compact, fast bytecode called BPF, the Berkeley Packet Filter. The compiled filter is loaded into the Linux kernel, which runs it against every packet before the packet is copied to a program such as tcpdump or a payload; filtering at the capture level greatly reduces the load on the system, because non-matching packets never reach the capture tool at all. Modern Linux kernels even include a just-in-time (JIT) compiler that translates the filter into native code.
A filter is built from primitives. A primitive is an identifier (an address, a network, a port number or a protocol name) preceded by one or more qualifiers: a type qualifier saying what kind of thing the identifier is (host, net, port, portrange), a direction qualifier (src or dst; when omitted, either direction matches), and a protocol qualifier (ether, ip, ip6, arp, tcp, udp, and so on). Some commonly useful filter terms include host, net, port, portrange, src, dst, tcp, udp, icmp, arp, and the length tests greater and less. Filter terms can be logically combined using and (&&), or (||) and not (!), and grouped with parentheses; quote the whole expression so the shell does not interpret the operators or parentheses. By combining multiple terms the filter can be made even more selective. While not a full programming language, packet filters are extremely powerful.
Capture all packets to or from a known client on the Target port with an IP of 172.16.32.45:
tcpdump -i br-lan "host 172.16.32.45"
Capture all packets to or from a specific client using UDP port 5001. Primitives must be joined with an operator; tcpdump rejects two primitives written side by side as a syntax error:
tcpdump -i br-lan "host 172.16.32.45 and udp port 5001"
Capture all packets from the Target network, excluding the Packet Squirrel itself:
tcpdump -i br-lan "net 172.16.32.0/24 and not host 172.16.32.1"
Capture all packets on a range of ports. port takes a single port number; a range needs the portrange qualifier:
tcpdump -i br-lan "tcp portrange 5000-6000"
Capture all packets from specific ports:
tcpdump -i br-lan "tcp port 80 or tcp port 443"
Capture packets on specific ports whose length is 512 bytes or more (greater N matches packets of length at least N):
tcpdump -i br-lan "(tcp port 80 or tcp port 443) and greater 512"
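The following is an added example, not part of the Packet Squirrel documentation or of tcpdump itself. It ties together two things described above: the pcap file layout that tcpdump -w writes (a 24-byte global header followed by a 16-byte record header and the raw frame for each packet) and the semantics of the filter primitives used in the examples (host, net, port, portrange, greater, and/or/not). The capture it parses is constructed inline from a handful of Ethernet/IPv4/UDP/TCP frames using the addresses and ports from the examples, so it runs offline; no real traffic is involved.

```python
"""Read a libpcap file and apply tcpdump-style filter primitives to it.

Added example (not Packet Squirrel documentation or tcpdump code): shows the layout
`tcpdump -w` writes and how the filter terms used above map onto decoded fields.
The capture is constructed inline so the script runs offline.
"""
import ipaddress
import struct
from types import SimpleNamespace

PCAP_MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}   # classic pcap, usec timestamps, by byte order
LINKTYPE_ETHERNET = 1

def decode_frame(frame, ts, orig_len):
    """Decode Ethernet -> IPv4 -> TCP/UDP, the nesting Wireshark shows as a tree."""
    p = SimpleNamespace(ts=ts, length=orig_len, src=None, dst=None, proto=None, sport=None, dport=None)
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return p                                    # not IPv4 (e.g. ARP): fields stay None
    ip = frame[14:]
    p.src, p.dst = str(ipaddress.IPv4Address(ip[12:16])), str(ipaddress.IPv4Address(ip[16:20]))
    l4 = ip[(ip[0] & 0x0F) * 4:]                    # skip IHL*4 bytes of IPv4 header
    if ip[9] in (6, 17) and len(l4) >= 4:           # protocol number 6 = TCP, 17 = UDP
        p.proto = "tcp" if ip[9] == 6 else "udp"
        p.sport, p.dport = struct.unpack_from("!HH", l4, 0)
    return p

def parse_pcap(data):
    """Walk the 24-byte global header, then 16-byte record headers each followed by a frame."""
    end = PCAP_MAGICS.get(struct.unpack_from("<I", data, 0)[0])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(end + "HHiIII", data, 4)[5]   # major, minor, tz, sigfigs, snaplen, linktype
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        packets.append(decode_frame(data[off:off + incl_len], ts_sec + ts_usec / 1e6, orig_len))
        off += incl_len                             # incl_len <= snaplen; orig_len is the wire length
    return packets

# Filter primitives with tcpdump semantics: host/net/port match either direction and
# 'greater N' means length >= N. Each returns a predicate over a decoded packet.
def host(addr): return lambda p: addr in (p.src, p.dst)
def net(cidr):
    network = ipaddress.ip_network(cidr)
    return lambda p: any(a and ipaddress.ip_address(a) in network for a in (p.src, p.dst))
def port(proto, n): return lambda p: p.proto == proto and n in (p.sport, p.dport)
def portrange(proto, lo, hi): return lambda p: p.proto == proto and any(lo <= x <= hi for x in (p.sport, p.dport))
def greater(n): return lambda p: p.length >= n

client, squirrel = host("172.16.32.45"), host("172.16.32.1")
web = lambda p: port("tcp", 80)(p) or port("tcp", 443)(p)
FILTERS = {  # the tcpdump expressions used above, as predicates
    "host 172.16.32.45": client,
    "host 172.16.32.45 and udp port 5001": lambda p: client(p) and port("udp", 5001)(p),
    "net 172.16.32.0/24 and not host 172.16.32.1": lambda p: net("172.16.32.0/24")(p) and not squirrel(p),
    "tcp portrange 5000-6000": portrange("tcp", 5000, 6000),
    "tcp port 80 or tcp port 443": web,
    "(tcp port 80 or tcp port 443) and greater 512": lambda p: web(p) and greater(512)(p),
}

def build_frame(src, dst, proto, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/{UDP,TCP} frame; checksums are zeroed, which the parser ignores."""
    if proto == "udp":
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, 17 if proto == "udp" else 6,
                     0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + l4
    return bytes.fromhex("001122334455 66778899aabb 0800") + ip

def build_pcap(frames):
    """Write frames in the layout parse_pcap reads (snaplen 262144 is tcpdump's default)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

SAMPLE_PCAP = build_pcap([  # constructed traffic on the Target network; packet index in comments
    build_frame("172.16.32.45", "172.16.32.10", "udp", 40000, 5001, b"x" * 16),    # 0 client -> server
    build_frame("172.16.32.10", "172.16.32.45", "udp", 5001, 40000, b"y" * 16),    # 1 server reply
    build_frame("172.16.32.1", "8.8.8.8", "udp", 51000, 53, b"z" * 32),            # 2 the Squirrel's own DNS
    build_frame("172.16.32.45", "93.184.216.34", "tcp", 52000, 443, b"T" * 600),   # 3 654-byte TLS record
    build_frame("172.16.32.45", "93.184.216.34", "tcp", 52001, 80, b"GET / HTTP"),  # 4 64-byte HTTP request
    build_frame("172.16.32.45", "172.16.32.10", "tcp", 50000, 5500),                # 5 port inside 5000-6000
])

def run_filters(data=SAMPLE_PCAP):
    """Return {filter expression: [indices of the packets it would keep]}."""
    pkts = parse_pcap(data)
    return {expr: [i for i, p in enumerate(pkts) if f(p)] for expr, f in FILTERS.items()}
```

run_filters() returns, for each of the six expressions above, the indices of the constructed packets it keeps; for instance the net/not host filter drops only packet 2, the Squirrel's own DNS lookup, and the greater 512 test keeps the 654-byte TLS record but not the 64-byte HTTP request. The parser deliberately handles only classic pcap with Ethernet link type, which is what tcpdump -w on br-lan produces; pcapng files, which Wireshark writes by default, are rejected rather than misread.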
While Tcpdump primarily focuses on capturing packets and doing a minimal decoding of the packet contents, Wireshark is a complete packet inspection tool with incredible support for a huge variety of protocols and packet formats, connection following, and more.
The main Wireshark UI showing the example Wake on LAN packet capture file from https://wireshark.org
Wireshark has a rich graphical environment, and runs on your computer, not the Packet Squirrel: there are versions for Linux, macOS, and Windows, for both Intel and Arm (including Apple Silicon) systems.
Wireshark can capture locally on your computer from local network interfaces, but can also open packet capture files from other platforms, such as pcap packet files logged on the Packet Squirrel.
Wireshark boasts extensive protocol support, dissecting a vast array of network protocols, from everyday ones like TCP, UDP, HTTP and DNS to more specialised ones like FTP, SNMP and the VoIP signalling and media protocols. Wireshark automatically dissects each packet according to the protocols it identifies, showing the structure, headers, and payload of every layer.
Wireshark will attempt to decode all protocols contained in a packet, in order. In other words, it can show the nested content, such as Ethernet holding IP holding UDP holding DNS.
Wireshark showing the packet tree of a WoL packet
Wireshark also has the ability to follow TCP conversations, graph TCP packet sizes and windows, can decode thousands of protocols, and more. It is an indispensable tool for packet and data analysis.
Wireshark also has its own display filter language, which is far richer than the libpcap/tcpdump filter language. Display filters run inside Wireshark on packets that have already been captured, not in the kernel of the capturing system, and they trade raw speed for completeness: they can reference every field of every protocol Wireshark dissects. (Wireshark can also apply a libpcap capture filter when it captures on a local interface; that uses the tcpdump syntax, not the display filter syntax.) Combined with capture filters on the Packet Squirrel, Wireshark display filters can help sort through large packet captures and identify key data quickly.
Show only packets to or from a specific host, using Wireshark display filters:
ip.addr == 172.16.32.45
Show only packets to or from a specific client using UDP port 5001:
ip.addr == 172.16.32.45 && udp.port == 5001
Display all packets from the Target network, excluding the Packet Squirrel itself. The negation is written as !(ip.addr == ...) rather than ip.addr != ...: ip.addr holds both the source and the destination address, and the two forms treat a packet that has the excluded address in only one of them differently:
ip.addr == 172.16.32.0/24 && !(ip.addr == 172.16.32.1)
Display packets with a port in a range. Note that tcp.port holds both the source and the destination port and each comparison is satisfied if either value meets it, so this expression also matches a packet whose ports are, say, 50000 and 80:
tcp.port >= 5000 && tcp.port <= 6000
Display packets from specific ports:
tcp.port == 80 || tcp.port == 443
Display packets from specific ports, which are greater in size than 512 bytes:
(tcp.port == 80 || tcp.port == 443) && frame.len > 512
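The display filter examples above lean on one rule that is easy to miss: fields such as ip.addr and tcp.port carry two values per packet, a relation is true if any one value satisfies it, and a relation on a field the packet does not have at all is false. The following added example is not Wireshark code and not part of the Packet Squirrel documentation; it is a small model of those evaluation rules applied to four constructed packets (plain dictionaries of field values, not a real capture). It compares the three ways of writing "not the Packet Squirrel" (the !(ip.addr == x) form used above, ip.addr != x, which since Wireshark 3.6 means every value differs, and ~= / any_ne, the older reading where any value may differ) and the two ways of writing a port range (two comparisons versus tcp.port in {5000..6000}).

```python
"""Model of how Wireshark evaluates display filters on multi-value fields.

Added example, not Wireshark source and not Packet Squirrel documentation.
Fields such as ip.addr and tcp.port carry two values per packet (source and
destination); a relation holds if ANY value satisfies it, and a relation on a
field the packet does not carry is false. PACKETS below are constructed
dictionaries of field values, not a real capture.
"""

MULTI_VALUE = {  # field names that expand to several per-packet values, as in Wireshark
    "ip.addr": ("ip.src", "ip.dst"),
    "tcp.port": ("tcp.srcport", "tcp.dstport"),
    "udp.port": ("udp.srcport", "udp.dstport"),
}

def values(pkt, name):
    """All values the field has in this packet (empty if the layer is absent)."""
    return [pkt[k] for k in MULTI_VALUE.get(name, (name,)) if k in pkt]

# Three ways to write "not this address", and how they differ.
def not_eq(pkt, name, v):     # !(ip.addr == v): no value equals v; also true with no IP layer
    return not any(x == v for x in values(pkt, name))

def all_ne(pkt, name, v):     # ip.addr != v (Wireshark 3.6+, same as !==): every value differs
    vals = values(pkt, name)
    return bool(vals) and all(x != v for x in vals)

def any_ne(pkt, name, v):     # ip.addr ~= v (any_ne, the pre-3.6 meaning of !=): some value differs
    return any(x != v for x in values(pkt, name))

# Two ways to write a port range.
def two_relations(pkt, name, lo, hi):   # tcp.port >= lo && tcp.port <= hi, evaluated independently
    vals = values(pkt, name)
    return any(x >= lo for x in vals) and any(x <= hi for x in vals)

def in_range(pkt, name, lo, hi):        # tcp.port in {lo..hi}: one value lies inside the range
    return any(lo <= x <= hi for x in values(pkt, name))

PACKETS = [  # constructed field values for four frames seen on br-lan
    {"ip.src": "172.16.32.1", "ip.dst": "172.16.32.45", "udp.srcport": 53, "udp.dstport": 40000},   # 0 DNS reply from the Squirrel
    {"ip.src": "172.16.32.45", "ip.dst": "93.184.216.34", "tcp.srcport": 50000, "tcp.dstport": 80}, # 1 HTTP request
    {"ip.src": "172.16.32.45", "ip.dst": "172.16.32.10", "tcp.srcport": 50001, "tcp.dstport": 5500},# 2 TCP to port 5500
    {"eth.src": "00:11:22:33:44:55", "arp.opcode": 1},                                               # 3 ARP request, no IP layer
]

def matching(pred, *args, pkts=PACKETS):
    """Indices of the packets for which the display-filter predicate holds."""
    return [i for i, p in enumerate(pkts) if pred(p, *args)]

def compare_exclusions(squirrel="172.16.32.1"):
    """What each spelling of 'exclude the Squirrel' keeps from PACKETS."""
    return {
        "!(ip.addr == %s)" % squirrel: matching(not_eq, "ip.addr", squirrel),
        "ip.addr != %s" % squirrel: matching(all_ne, "ip.addr", squirrel),
        "ip.addr ~= %s" % squirrel: matching(any_ne, "ip.addr", squirrel),
    }

def compare_ranges(lo=5000, hi=6000):
    """What each spelling of a port range keeps from PACKETS."""
    return {
        "tcp.port >= %d && tcp.port <= %d" % (lo, hi): matching(two_relations, "tcp.port", lo, hi),
        "tcp.port in {%d..%d}" % (lo, hi): matching(in_range, "tcp.port", lo, hi),
    }

if __name__ == "__main__":
    for table in (compare_exclusions(), compare_ranges()):
        for expr, hits in table.items():
            print(f"{expr:40s} -> packets {hits}")
```

The three exclusion forms give three different answers on the same four packets: ~= keeps the DNS reply because its destination differs from 172.16.32.1, != drops the ARP frame because it has no ip.addr to test, and only !(ip.addr == ...) keeps everything that is not to or from the Squirrel, ARP included. Likewise the two-comparison range keeps the HTTP request (50000 satisfies the lower bound, 80 the upper), while the in {5000..6000} form keeps only the packet that really has a port in range.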
Display all Wake on LAN packets:
Remember that the Wireshark display filter language and the tcpdump capture filter language are different!