Packet capture
Digging into packets
Previously we discussed networking fundamentals, the OSI model, and various protocols; now it's time to dig deeper into packet capturing and analysis. To do this we'll use tcpdump on the Packet Squirrel and Wireshark on a full computer. These two tools cover most workflows for capturing and decoding packets.
Tcpdump
tcpdump is a command-line packet capture tool available on most Unix-like systems (Linux, macOS). It captures network traffic, displays a basic decode of each packet, and logs packets to a standard file format (pcap) for analysis with other tools. tcpdump also supports filtering during capture, with options to filter on protocol, source and destination address, port, and more.
tcpdump is pre-installed on the Packet Squirrel.
Tcpdump basics
To experiment with tcpdump, connect to the Packet Squirrel with ssh or open the web terminal. Some basic commands include:
Capture packets from a specific interface
Use the -i option to capture packets from a specific interface. On the Packet Squirrel this will almost always be br-lan, the virtual bridge interface that connects the Target and Network ports. In some network modes, capturing directly from eth0 or eth1 may be more useful.
Capture packets for a single host
To capture the conversation for a single address, use the host filter:
Capture packets for a single protocol
To capture packets for a single protocol, such as TCP or UDP, simply include the protocol as a filter:
or
Saving packets to a file
Use the -w option to write packets to a file for later analysis. On the Packet Squirrel, packets should always be written to an external USB storage device.
The packet log file can be transferred with scp, sent to a Cloud C² server via C2EXFIL, or read by plugging the USB drive into a computer.
Tcpdump filters
Tcpdump (or more precisely libpcap, the library tcpdump is built on) implements a filter language that compiles to a compact, fast-to-evaluate binary format called BPF, the Berkeley Packet Filter.
BPF filters are executed in the Linux kernel and discard packets before they reach a program such as tcpdump or a payload. Filtering at the capture level can greatly improve system performance by reducing the number of packets the capture tool has to process. Modern Linux implementations of BPF even include just-in-time (JIT) compilation of the filter to native code.
A filter consists of one or more primitives. A primitive is a matching rule for a type of traffic (tcp, udp, port, host, etc.), a direction of traffic (src, dst, etc.), or a protocol (udp, tcp, ether, and so on).
Some commonly useful filter terms include:
ip: Packet contains IP data
ip6: Packet contains IPv6 data
tcp: Packet contains TCP data
udp: Packet contains UDP data
arp: Packet contains ARP data
icmp: Packet contains ICMP (ping) data
less [n]: Packet size is less than n bytes
greater [n]: Packet size is greater than n bytes
dst host [host]: Packet has an IP or IPv6 destination of [host]
src host [host]: Packet has an IP or IPv6 source of [host]
host [host]: Packet has an IP or IPv6 source or destination of [host]
net [network]: Packet is part of the IP network [network] (e.g. 172.16.32.0/24)
ether dst [ether]: Packet has an Ethernet destination of [ether] MAC
ether src [ether]: Packet has an Ethernet source of [ether] MAC
ether host [ether]: Packet has an Ethernet source or destination of [ether] MAC
dst port [port]: Packet has an IP or IPv6 destination port of [port]
src port [port]: Packet has an IP or IPv6 source port of [port]
port [port]: Packet has an IP or IPv6 source or destination port of [port]
vlan [id]: Packet was seen on VLAN [id]
Filter terms can be logically combined using the standard operators (and, or, not, etc.). By combining multiple terms the filter can be made even more selective. While not a full programming language, packet filters are extremely powerful.
Available logic operators include:
and (&&): Both terms must match
or (||): Either term may match
not (!): Negate a term
Parentheses: Group multiple terms
Examples
Capture all packets from a known client on the Target port with an IP of 172.16.32.45:
Capture all packets from a specific client using UDP port 5001:
Capture all packets from the Target network, excluding the Packet Squirrel itself:
Capture all packets on a range of ports:
Capture all packets from specific ports:
Capture packets from specific ports which are larger than 512 bytes:
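To make the filter terms and logic operators above concrete, here is an added example (not code from the Packet Squirrel documentation) that reads a pcap file of the kind tcpdump -w produces and evaluates a few of the same primitives (host, src host, port, udp, tcp, greater) combined with and/or/not in Python. The pcap bytes, addresses, ports and MACs are constructed inline; only IPv4 over Ethernet is decoded, and the real BPF engine evaluates these rules in the kernel rather than in a script like this.

```python
import struct
PCAP_MAGIC = 0xA1B2C3D4  # little-endian pcap with microsecond timestamps (classic tcpdump -w output)

def pcap_records(data):
    """Yield each raw Ethernet frame from a little-endian pcap file (LINKTYPE_ETHERNET)."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]  # ts_sec, ts_usec, incl_len, orig_len
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def decode(frame):
    """Pull addresses, protocol, length and (for TCP/UDP) ports out of an Ethernet/IPv4 frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType 0x0800 = IPv4 only
        return None
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
    pkt = {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
           "proto": frame[23], "len": len(frame)}
    if pkt["proto"] in (6, 17):  # TCP or UDP: the L4 header starts with source and destination port
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", frame, 14 + ihl)
    return pkt

# BPF-style primitives as predicates over a decoded packet, plus the and/or/not combinators
def host(a):      return lambda p: a in (p["src"], p["dst"])
def src_host(a):  return lambda p: p["src"] == a
def port(n):      return lambda p: n in (p.get("sport"), p.get("dport"))
def greater(n):   return lambda p: p["len"] > n
def udp(p):       return p["proto"] == 17
def tcp(p):       return p["proto"] == 6
def all_of(*fs):  return lambda p: all(f(p) for f in fs)  # and
def any_of(*fs):  return lambda p: any(f(p) for f in fs)  # or
def negate(f):    return lambda p: not f(p)               # not

def filter_pcap(data, pred):
    """Return the decoded IPv4 packets in the pcap that satisfy pred."""
    return [p for raw in pcap_records(data) if (p := decode(raw)) and pred(p)]
# Constructed sample capture (not a real Packet Squirrel log): zero MACs, no checksums, zero payload
def frame(proto, src, dst, sport, dport, payload_len):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + payload_len, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport) + b"\x00" * (4 + payload_len)
SAMPLE = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    for f in (frame(17, "172.16.32.45", "172.16.32.1", 5001, 5001, 600),   # large UDP flow, 642 bytes
              frame(6, "172.16.32.45", "10.0.0.5", 40000, 443, 100),      # small TCP flow, 142 bytes
              frame(17, "172.16.32.1", "172.16.32.45", 53, 40001, 80)))   # DNS reply, 122 bytes
```

filter_pcap(SAMPLE, all_of(udp, port(5001))) corresponds to the capture filter "udp and port 5001" above, and negate(host(...)) to "not host ...".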
Wireshark
While tcpdump focuses on capturing packets and doing a minimal decode of their contents, Wireshark is a complete packet inspection tool with support for a huge variety of protocols and packet formats, connection following, and more.
Wireshark has a rich graphical environment and runs on your computer, not the Packet Squirrel: there are versions for Linux, macOS, and Windows, for both Intel and Arm (including Apple Silicon) systems.
Wireshark is free and open source, and is available from the primary Wireshark website, https://www.wireshark.org
Wireshark can capture locally from your computer's network interfaces, but it can also open packet capture files from other platforms, such as pcap files logged on the Packet Squirrel.
Decoding packets
Wireshark has extensive protocol support, dissecting a vast array of network protocols, from common ones like TCP, UDP, and HTTP to more specialized ones like DNS, FTP, SNMP, and VoIP protocols. Wireshark automatically dissects each packet according to the protocols it identifies, showing the structure, headers, and payload of each layer.
Wireshark decodes all the protocols contained in a packet, in order, so it can show nested content such as Ethernet holding IP holding UDP holding DNS.
Wireshark can also follow TCP conversations, graph TCP packet sizes and windows, decode thousands of protocols, and more. It is an indispensable tool for packet and data analysis.
Wireshark filters
Wireshark also has a filter language, which is much more complex than the libpcap/tcpdump filter language. Wireshark display filters run in Wireshark itself, not in the kernel of the capturing system, giving up the raw speed of in-kernel BPF filtering in exchange for completeness.
Wireshark display filters expose every attribute of every protocol Wireshark decodes. Combined with capture filters on the Packet Squirrel, they help sort through large packet captures and identify key data quickly.
Wireshark filter examples
Show only packets from a specific host, using Wireshark display filters:
Show only packets from a specific client using UDP port 5001:
Display all packets from the Target network, excluding the Packet Squirrel itself:
Display packets on a range of ports:
Display packets from specific ports:
Display packets from specific ports which are larger than 512 bytes:
Display all Wake on LAN packets:
Remember that the Wireshark and tcpdump filter languages are different!