Packet capture

Digging into packets

Previously we have discussed networking fundamentals, the OSI model, and various protocols; now it's time to dig deeper into packet capturing and analysis. To accomplish this, we'll leverage tcpdump on the Packet Squirrel and Wireshark on a full computer. These two powerful tools make up most workflows for capturing and decoding packets.

Tcpdump

tcpdump is a command-line packet capturing tool available on most Unix-like (Linux, macOS) systems. It enables capturing network traffic, basic display of the packets, and logging to a standard file format (pcap) for analysis with other tools. tcpdump also supports filtering during capture, with options to filter based on protocol, source and destination addresses, port, and more.

tcpdump is pre-installed on the Packet Squirrel.

Tcpdump basics

To experiment with tcpdump, connect to the Packet Squirrel with ssh or open the web terminal. Some basic commands include:

Capture packets from a specific interface

Use the -i option to capture packets from a specific interface. On the Packet Squirrel this will almost always be br-lan, which is the virtual bridge interface that connects the Target and Network ports. In some network modes, capturing directly from eth0 or eth1 may be more useful.

tcpdump -i br-lan

Capture packets for a single host

To capture a conversation for a single address, the host filter can be used:

tcpdump -i br-lan host 1.2.3.4

Capture packets for a single protocol

To capture packets for a single protocol, such as TCP or UDP, simply include the protocol as a filter:

tcpdump -i br-lan tcp

or

tcpdump -i br-lan udp

Saving packets to a file

Use the -w option to write packets to a file for later analysis. On the Packet Squirrel, packets should always be written to an external USB storage device.

tcpdump -i br-lan -w /usb/packets.pcap

The packet log file can be transferred using scp, sent to a Cloud C² server via C2EXFIL, or the USB drive can be plugged into a computer.

Tcpdump filters

Tcpdump (or more precisely libpcap, the library Tcpdump is built on top of) implements a filter language which is compiled into a compact, high-speed binary format called BPF, the Berkeley Packet Filter.

BPF filters are implemented in the Linux kernel and filter packets before they reach a program such as tcpdump or a payload; filtering at the capture level can greatly increase the performance of the system by reducing the number of packets the capture tool has to process. Modern Linux implementations of BPF even include just-in-time (JIT) compilation of the filter to native code.

A filter consists of one or more primitives. A primitive is a matching rule made up of a type of traffic (host, net, port, and so on) and a value, optionally qualified by a direction (src, dst) or a protocol (ether, ip, tcp, udp, and so on).

Some commonly useful filter terms include:

Filter                 Result
ip                     Packet contains IP data
ip6                    Packet contains IPv6 data
tcp                    Packet contains TCP data
udp                    Packet contains UDP data
arp                    Packet contains ARP data
icmp                   Packet contains ICMP (ping) data
less [n]               Packet size is less than [n] bytes
greater [n]            Packet size is greater than [n] bytes
dst host [host]        Packet has an IP or IPv6 destination of [host]
src host [host]        Packet has an IP or IPv6 source of [host]
host [host]            Packet has an IP or IPv6 source or destination of [host]
net [network]          Packet is part of the IP network [network] (e.g. 172.16.32.0/24)
ether dst [ether]      Packet has an Ethernet destination of [ether] MAC
ether src [ether]      Packet has an Ethernet source of [ether] MAC
ether host [ether]     Packet has an Ethernet source or destination of [ether] MAC
dst port [port]        Packet has an IP or IPv6 destination port of [port]
src port [port]        Packet has an IP or IPv6 source port of [port]
port [port]            Packet has an IP or IPv6 source or destination port of [port]
vlan [id]              Packet was seen on VLAN [id]

Filter terms can be combined using the standard logical operators (and, or, not) and grouped with parentheses. By combining multiple terms the filter can be made even more selective. While not a full programming language, packet filters are extremely powerful.

Available logic operators include:

Operator               Result
and (&&)               Both terms must match
or (||)                Either term matches
not (!)                Negate a term
( )                    Group multiple terms

Examples

Capture all packets to or from a known client on the Target port with an IP of 172.16.32.45:

tcpdump -i br-lan "host 172.16.32.45"

Capture all packets to or from a specific client using UDP port 5001 (the terms must be joined with and):

tcpdump -i br-lan "host 172.16.32.45 and udp port 5001"

Capture all packets from the Target network, excluding the Packet Squirrel itself:

tcpdump -i br-lan "net 172.16.32.0/24 and not host 172.16.32.1"

Capture all packets on a range of ports (libpcap uses the portrange primitive for ranges; port only accepts a single value):

tcpdump -i br-lan "tcp portrange 5000-6000"

Capture all packets from specific ports:

tcpdump -i br-lan "tcp port 80 or tcp port 443"

Capture packets from specific ports, which are greater in size than 512 bytes:

tcpdump -i br-lan "(tcp port 80 or tcp port 443) and greater 512"
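To make the matching rules in the primitive table and the examples above concrete, here is an added example (not code from Hak5, tcpdump or libpcap) that re-implements a handful of the primitives in plain Python, writes a few constructed Ethernet/IPv4 frames to a classic pcap file in the same format tcpdump -w produces, reads them back, and counts which frames each of the example filters would have kept. The addresses, ports and frame contents are all constructed; the pcap path defaults to a temporary file.

```python
"""Minimal pcap writer/reader plus a subset of the libpcap filter primitives.
Added example, not Hak5/tcpdump/libpcap code. All frames and addresses below
are constructed for illustration."""
import ipaddress
import os
import struct
import tempfile

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"
PROTO_NAMES = {6: "tcp", 17: "udp"}


def write_pcap(path, frames):
    """Write frames as classic little-endian pcap (magic 0xa1b2c3d4, microsecond timestamps)."""
    with open(path, "wb") as f:
        # global header: magic, major 2, minor 4, tz offset, sigfigs, snaplen, linktype
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            # record header: ts_sec, ts_usec, captured length, original length
            f.write(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Read back every record of a classic little-endian pcap file."""
    with open(path, "rb") as f:
        data = f.read()
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    frames, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


def make_frame(src_ip, dst_ip, proto, sport, dport, payload_len):
    """Build an Ethernet/IPv4/{TCP,UDP} frame with a zero payload (checksums left at 0)."""
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + ETHERTYPE_IPV4
    if proto == "udp":
        l4, pnum = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0), 17
    else:
        l4, pnum = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0), 6
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + payload_len, 0, 0, 64, pnum, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + l4 + bytes(payload_len)


def decode(frame):
    """Extract the fields the primitives below inspect; None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    l4 = 14 + (frame[14] & 0x0F) * 4          # IHL gives the start of the transport header
    proto = PROTO_NAMES.get(frame[23])        # IPv4 protocol field
    sport = dport = None
    if proto and len(frame) >= l4 + 4:
        sport, dport = struct.unpack_from("!HH", frame, l4)
    return {"len": len(frame), "proto": proto, "sport": sport, "dport": dport,
            "src": ipaddress.IPv4Address(frame[26:30]), "dst": ipaddress.IPv4Address(frame[30:34])}


# Primitives: each returns a predicate over the decoded fields. Unqualified host,
# net and port match either direction, as in libpcap.
def host(addr):
    a = ipaddress.IPv4Address(addr)
    return lambda p: a in (p["src"], p["dst"])

def net(cidr):
    n = ipaddress.IPv4Network(cidr)
    return lambda p: p["src"] in n or p["dst"] in n

def proto(name): return lambda p: p["proto"] == name
def port(n): return lambda p: p["proto"] is not None and n in (p["sport"], p["dport"])
def portrange(lo, hi): return lambda p: p["proto"] is not None and any(lo <= x <= hi for x in (p["sport"], p["dport"]))
def greater(n): return lambda p: p["len"] >= n   # libpcap's "greater n" is len >= n
def and_(*preds): return lambda p: all(f(p) for f in preds)
def or_(*preds): return lambda p: any(f(p) for f in preds)
def not_(pred): return lambda p: not pred(p)


def apply_filter(frames, pred):
    """Keep the frames a predicate accepts; non-IPv4 frames never match these primitives."""
    return [fr for fr in frames if (p := decode(fr)) is not None and pred(p)]


def run_examples(path=None):
    """Write five constructed frames to a pcap, read them back, and count matches per example filter."""
    path = path or os.path.join(tempfile.gettempdir(), "pcap_filter_demo.pcap")
    frames = [
        make_frame("172.16.32.45", "172.16.32.1", "udp", 5001, 5001, 100),   # client <-> squirrel, UDP 5001
        make_frame("172.16.32.45", "203.0.113.10", "tcp", 40000, 443, 600),  # client HTTPS, 654-byte frame
        make_frame("172.16.32.50", "203.0.113.10", "tcp", 40001, 80, 10),    # other client, HTTP, 64 bytes
        make_frame("172.16.32.1", "172.16.32.50", "tcp", 5500, 40002, 10),   # squirrel itself, port 5500
        make_frame("10.0.0.5", "172.16.32.45", "tcp", 22, 40003, 10),        # outside host to the client
    ]
    write_pcap(path, frames)
    loaded = read_pcap(path)
    client, squirrel = host("172.16.32.45"), host("172.16.32.1")
    web = or_(and_(proto("tcp"), port(80)), and_(proto("tcp"), port(443)))
    filters = {
        "host 172.16.32.45": client,
        "host 172.16.32.45 and udp port 5001": and_(client, proto("udp"), port(5001)),
        "net 172.16.32.0/24 and not host 172.16.32.1": and_(net("172.16.32.0/24"), not_(squirrel)),
        "tcp portrange 5000-6000": and_(proto("tcp"), portrange(5000, 6000)),
        "tcp port 80 or tcp port 443": web,
        "(tcp port 80 or tcp port 443) and greater 512": and_(web, greater(512)),
    }
    counts = {name: len(apply_filter(loaded, pred)) for name, pred in filters.items()}
    counts["roundtrip"] = loaded == frames
    return counts


if __name__ == "__main__":
    for name, value in run_examples().items():
        print(f"{value!s:>5}  {name}")
```

Two details worth noticing when you run it: the net filter keeps the frame from 10.0.0.5 because its destination is inside 172.16.32.0/24 (unqualified primitives match either direction), and greater uses len >= n, which is libpcap's actual semantics for greater and less.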

Wireshark

While Tcpdump primarily focuses on capturing packets and doing a minimal decoding of the packet contents, Wireshark is a complete packet inspection tool with incredible support for a huge variety of protocols and packet formats, connection following, and more.

Wireshark has a rich graphical environment, and runs on your computer, not the Packet Squirrel: there are versions for Linux, macOS, and Windows, and for Intel and Arm (Apple Silicon) systems.

Wireshark is free and open source, and is available from the primary Wireshark website, https://www.wireshark.org

Wireshark can capture locally on your computer from local network interfaces, but can also open packet capture files from other platforms, such as pcap packet files logged on the Packet Squirrel.

Decoding packets

Wireshark boasts extensive protocol support, making it proficient in dissecting a vast array of network protocols, from common ones like TCP, UDP, and HTTP to more specialized protocols like DNS, FTP, SNMP, and VoIP protocols. Wireshark can automatically dissect packets based on the identified protocols, providing valuable information about the structure, headers, and payloads of each packet.

Wireshark will attempt to decode all protocols contained in a packet, in order. In other words, it can show the nested content, such as Ethernet holding IP holding UDP holding DNS.

Wireshark also has the ability to follow TCP conversations, graph TCP packet sizes and windows, can decode thousands of protocols, and more. It is an indispensable tool for packet and data analysis.

Wireshark filters

Wireshark also has a filter language, which is much more complex than the libpcap/tcpdump filter language. Wireshark display filters run in Wireshark itself, not in the kernel of the capturing system, and trade absolute speed for completeness.

Wireshark filters expose every packet attribute of every protocol Wireshark decodes. Combined with capture filters on the Packet Squirrel, Wireshark display filters can help sort through large packet captures and identify key data quickly.

Wireshark filter examples

Show only packets to or from a specific host, using Wireshark display filters:

ip.addr == 172.16.32.45

Show only packets from a specific client using UDP port 5001:

ip.addr == 172.16.32.45 && udp.port == 5001

Display all packets from the Target network, excluding the Packet Squirrel itself (write the negation with explicit parentheses; ip.addr matches either the source or the destination, so the grouping matters):

ip.addr == 172.16.32.0/24 && !(ip.addr == 172.16.32.1)

Display packets on a range of ports:

tcp.port >= 5000 && tcp.port <= 6000

Display packets from specific ports:

tcp.port == 80 || tcp.port == 443

Display packets from specific ports, which are greater in size than 512 bytes:

(tcp.port == 80 || tcp.port == 443) && frame.len > 512

Display all Wake on LAN packets:

wol.mac

Remember that the Wireshark and Tcpdump filter languages are different!
