Introduction
This lab demonstrates how to monitor and analyze network traffic using tcpdump and Wireshark. You'll see how to generate realistic traffic (including simulated malicious activity), capture it, save it to PCAP, and perform targeted analysis.
Environment: Two VMs on a virtual network — Kali Linux at 10.38.1.113 (traffic generation, tcpdump, Wireshark) and Ubuntu at 10.38.1.116 (target with only ports 22 and 80 open). These are the addresses used in the commands below.
Lab Objectives
- Introduce key `tcpdump` commands and filtered captures.
- Generate diverse traffic, including simulated malicious activity.
- Save captures to `.pcap` and analyze with Wireshark.
What is tcpdump?
tcpdump is a command-line packet capture tool built on libpcap. Its BPF filter expressions and its ability to write and read back PCAP files make it a core utility in security workflows; capturing requires root (run it with sudo), and `-n` suppresses DNS lookups that would otherwise generate their own traffic and slow the capture.
Capturing Traffic with tcpdump
- Basic capture: `tcpdump -i eth0` – capture all traffic on the interface.
- Port filter: `tcpdump -i eth0 port 80` – focus on HTTP.
- Advanced filter: `tcpdump -i eth0 src 10.38.1.113 and dst port 22` – SSH from Kali (10.38.1.113) to Ubuntu.
Generating Network Traffic
1) Ping Sweeps and Network Scans
Run a sweep/scan from Kali using arp-scan, fping, and nmap -sn to find live hosts. arp-scan (and nmap -sn against a directly connected subnet) generates a burst of ARP requests, one per address in the range; fping generates ICMP echo requests instead.
2) File Transfers via SSH
Establish an SSH session from Kali to Ubuntu and use scp to move files. Apart from the initial version and key-exchange messages, everything in this flow is encrypted, so it serves as the legitimate baseline traffic on port 22.
3) Simulated Malicious Activity
Use hping3 to craft suspicious packets and floods: SYN floods (`-S --flood`), fragmented packets (`-f`, or `-x` to set the More Fragments flag), SYNs carrying a payload (`-d` for the size, `-E` for a file holding the bytes), and spoofed sources (`-a`/`--spoof`).
Saving Captures for Analysis
Write traffic to a PCAP for later analysis (stop with Ctrl-C; the same file can be read back on the command line with `tcpdump -n -r network_capture.pcap` and a filter expression, or opened in Wireshark):
tcpdump -i eth0 -w network_capture.pcap
Analyzing Traffic with Wireshark
- Load the capture: Open `network_capture.pcap`.
- Apply filters: Narrow to HTTP/ICMP/SSH as needed (display filters such as `http`, `icmp`, `ssh`, or `tcp.flags.syn == 1 && tcp.flags.ack == 0` for bare SYNs).
- Identify patterns & anomalies: Look for reconnaissance, floods, fragments, or unusual payloads.
Below are representative findings from the capture.
Reconnaissance Traffic
ARP-Scan Traffic
Large bursts of ARP requests/replies reveal active hosts and MAC addresses (classic network mapping behavior).
Ping Sweep Traffic
ICMP echo requests across ranges quickly reveal which hosts are up.
Nmap Scan Traffic
SYN scans probe many ports from one source: closed ports answer with RST/ACK, open ones reply with SYN/ACK, and nmap then tears the probe down with a RST rather than completing the handshake, so no connection is ever established.
SSH Traffic
The scp transfer appears as a completed three-way handshake to port 22 followed by the cleartext SSH version and key-exchange messages; after that Wireshark shows only "Encrypted packet" entries. Large volumes of encrypted data on port 22 from Kali to Ubuntu are consistent with a file transfer, but the file contents are not recoverable from the capture.
Attack Patterns
TCP SYN Flood on Port 80
Rapid SYNs from many source ports to one destination port, with the target's SYN/ACKs never acknowledged, leave half-open connections on the target — the classic DoS symptom.

Malformed (Fragmented) Packets
Deliberate fragmentation (small fragments with the More Fragments flag set) forces the receiver to buffer fragments for reassembly, and a filter that inspects only the first fragment can miss what is carried in later ones.
Custom Payload
Example: `hping3 -S -p 443 -d 17 -E payload.txt 10.38.1.116`, where payload.txt holds the 17-byte string "malicious payload" (hping3 takes the payload size with `-d` and the bytes from a file with `-E`; it has no option that accepts a literal string). The target answers RST,ACK because port 443 is closed (only 22 and 80 are open), so the payload is never consumed; a SYN that carries data is itself unusual and worth flagging.

Spoofed Traffic
Example: `hping3 -S -p 80 --spoof 192.168.1.100 10.38.1.116` — packets show a forged source IP, masking the origin. The target's SYN/ACK is sent to 192.168.1.100, not to Kali, so the reply is only visible in the capture if that address is reachable on the lab network; the Ethernet source MAC still belongs to the Kali VM, which is how the packets can be attributed.
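To turn the reconnaissance and attack patterns above into something repeatable, the following script is an added example (not part of the original lab) that runs a few simple heuristics over the text output of `tcpdump -n -r network_capture.pcap`: ARP and ICMP sweeps across many hosts, a SYN scan across many ports, SYNs that never complete a handshake, sources outside the lab subnet, and fragments with the More Fragments flag. The capture lines embedded below are constructed in tcpdump's output format, not taken from a real capture; the lab subnet `10.38.1.0/24`, the detection thresholds, and the sample port numbers are assumptions.

```python
import re
from collections import defaultdict

LAB_PREFIX = "10.38.1."  # assumed lab subnet; a TCP source outside it is treated as spoofed

# Patterns follow tcpdump's own text output ("tcpdump -n -r file.pcap").
ARP_RE = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo request")
TCP_RE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]*)\]")
FRAG_RE = re.compile(r"\(frag \d+:\d+@\d+\+\)")  # trailing '+' means More Fragments is set


def analyze(lines, min_targets=3, min_syns=3):
    """Return a list of findings for the recon/attack patterns described in the lab."""
    arp_asked = defaultdict(set)   # asker -> IPs it sent "who-has" for
    pinged = defaultdict(set)      # src -> hosts it sent an ICMP echo request to
    scanned = defaultdict(set)     # (src, dst) -> destination ports sent a bare SYN
    syns = defaultdict(int)        # (src, dst, dport) -> bare SYNs seen
    completed = set()              # (src, dst, dport) flows whose client sent the final ACK
    rst_from = defaultdict(int)    # (receiver, sender) -> RSTs the receiver got back
    spoofed, frags = set(), []

    for line in lines:
        if m := ARP_RE.search(line):
            arp_asked[m.group(2)].add(m.group(1))
        elif m := ICMP_RE.search(line):
            pinged[m.group(1)].add(m.group(2))
        elif m := TCP_RE.search(line):
            src, sport, dst, dport, flags = m.groups()
            if not src.startswith(LAB_PREFIX):
                spoofed.add(src)
            if flags == "S":          # first handshake step only
                scanned[(src, dst)].add(dport)
                syns[(src, dst, dport)] += 1
            elif flags == ".":        # bare ACK from the client: handshake completed
                completed.add((src, dst, dport))
            elif "R" in flags:        # RST: closed port or rejected segment
                rst_from[(dst, src)] += 1
        if FRAG_RE.search(line):
            frags.append(line.split(" IP ", 1)[-1].split(":")[0])

    findings = []
    for asker, hosts in arp_asked.items():
        if len(hosts) >= min_targets:
            findings.append(f"arp-scan: {asker} asked who-has for {len(hosts)} hosts")
    for src, hosts in pinged.items():
        if len(hosts) >= min_targets:
            findings.append(f"ping-sweep: {src} sent echo requests to {len(hosts)} hosts")
    for (src, dst), ports in scanned.items():
        if len(ports) >= min_targets:
            findings.append(f"syn-scan: {src} probed {len(ports)} ports on {dst}, "
                            f"{rst_from[(src, dst)]} answered with RST")
    for (src, dst, dport), n in syns.items():
        if n >= min_syns and (src, dst, dport) not in completed:
            findings.append(f"syn-flood: {n} half-open SYNs from {src} to {dst}:{dport}")
    for src in sorted(spoofed):
        findings.append(f"spoofed: TCP from off-subnet source {src}")
    for f in frags:
        findings.append(f"fragment: MF set on {f}")
    return findings


# Constructed sample of "tcpdump -n -r network_capture.pcap" output (not a real capture):
# an ARP sweep, a ping sweep, a SYN scan of 21/22/443, one legitimate SSH handshake,
# a short SYN flood on port 80, a spoofed SYN, and a first fragment with MF set.
SAMPLE = """\
12:00:00.000100 ARP, Request who-has 10.38.1.1 tell 10.38.1.113, length 28
12:00:00.000200 ARP, Request who-has 10.38.1.2 tell 10.38.1.113, length 28
12:00:00.000300 ARP, Request who-has 10.38.1.116 tell 10.38.1.113, length 28
12:00:00.000400 ARP, Reply 10.38.1.116 is-at 08:00:27:aa:bb:cc, length 28
12:00:01.000100 IP 10.38.1.113 > 10.38.1.1: ICMP echo request, id 1, seq 1, length 64
12:00:01.000200 IP 10.38.1.113 > 10.38.1.2: ICMP echo request, id 1, seq 2, length 64
12:00:01.000300 IP 10.38.1.113 > 10.38.1.116: ICMP echo request, id 1, seq 3, length 64
12:00:01.000400 IP 10.38.1.116 > 10.38.1.113: ICMP echo reply, id 1, seq 3, length 64
12:00:02.000100 IP 10.38.1.113.40000 > 10.38.1.116.21: Flags [S], seq 1, win 1024, length 0
12:00:02.000200 IP 10.38.1.116.21 > 10.38.1.113.40000: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:02.000300 IP 10.38.1.113.40000 > 10.38.1.116.22: Flags [S], seq 1, win 1024, length 0
12:00:02.000400 IP 10.38.1.116.22 > 10.38.1.113.40000: Flags [S.], seq 100, ack 2, win 64240, length 0
12:00:02.000500 IP 10.38.1.113.40000 > 10.38.1.116.443: Flags [S], seq 1, win 1024, length 0
12:00:02.000600 IP 10.38.1.116.443 > 10.38.1.113.40000: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:03.000100 IP 10.38.1.113.50000 > 10.38.1.116.22: Flags [S], seq 500, win 64240, length 0
12:00:03.000200 IP 10.38.1.116.22 > 10.38.1.113.50000: Flags [S.], seq 900, ack 501, win 64240, length 0
12:00:03.000300 IP 10.38.1.113.50000 > 10.38.1.116.22: Flags [.], ack 901, win 64240, length 0
12:00:04.000100 IP 10.38.1.113.1001 > 10.38.1.116.80: Flags [S], seq 1, win 512, length 0
12:00:04.000200 IP 10.38.1.113.1002 > 10.38.1.116.80: Flags [S], seq 1, win 512, length 0
12:00:04.000300 IP 10.38.1.113.1003 > 10.38.1.116.80: Flags [S], seq 1, win 512, length 0
12:00:05.000100 IP 192.168.1.100.2000 > 10.38.1.116.80: Flags [S], seq 1, win 512, length 0
12:00:06.000100 IP 10.38.1.113 > 10.38.1.116: ICMP echo request, id 7, seq 1, length 1480 (frag 4321:1480@0+)
"""


def main():
    for finding in analyze(SAMPLE.splitlines()):
        print(finding)


if __name__ == "__main__":
    main()
```

The legitimate scp session (source port 50000) sends the final ACK, so it is excluded from the half-open count even though it shares the destination port with a scan probe; the flood on port 80 never does. The port-80 SYNs also raise the scan's port count to four, which is the expected overlap between "many ports" and "many SYNs" heuristics on a single source. On a real capture, pipe `tcpdump -n -r network_capture.pcap` into the script and raise the thresholds to match the size of the network.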

Real-World Application
tcpdump and Wireshark provide critical visibility for detection and troubleshooting — from spotting reconnaissance and floods to confirming that an encrypted transfer completed normally — and the same captures are the raw material for writing and validating IDS rules. They are foundational tools for defenders.