In the realm of network security, understanding how to monitor and analyze network traffic is a fundamental skill. This lab serves as a practical demonstration of tcpdump and Wireshark, two indispensable tools for network analysis, and is designed to showcase their capabilities through a controlled, creative scenario.
The following sections walk through generating, capturing, saving, and analyzing network traffic, with an emphasis on how these tools apply to real-world cybersecurity challenges.
The setup is a small virtualized network of two virtual machines (VMs): a Kali Linux VM for generating, capturing, and analyzing traffic, and an Ubuntu Linux VM acting as the target. This setup allows us to simulate diverse traffic scenarios and provides meaningful data for analysis.
Kali Linux VM: Used for generating traffic with hping3, capturing traffic with tcpdump (the tcpdump commands below demonstrate how to capture specific types of traffic), and analyzing the captured traffic with Wireshark.
Ubuntu Linux VM: Used as the simulated target with ports 22 and 80 open.
These machines are connected via a virtual network to ensure controlled and reproducible results.
tcpdump is a command-line tool used to capture and analyze network traffic. It acts, metaphorically, as a powerful magnifying glass, allowing us to filter and observe data packets as they traverse a network. tcpdump is highly customizable and forms the backbone of many network analysis workflows, particularly in cybersecurity. Its versatility and its ability to save traffic for later analysis make it invaluable for professionals working to secure computer networks.
With traffic flowing, it's time to capture it using tcpdump:
tcpdump -i eth0                                  # capture everything seen on interface eth0
tcpdump -i eth0 port 80                          # only packets with source or destination port 80 (HTTP)
tcpdump -i eth0 src 10.38.1.113 and dst port 22  # only SSH traffic sent from the Kali VM
Conduct a ping sweep or a network scan from Kali using tools like arp-scan, fping, and nmap -sn to identify active hosts. These three commands will generate a very large ARP storm.
Establish an SSH session from Kali to Ubuntu and use scp to transfer files. This simulates secure file transfer.
SSH connection from Kali VM to Ubuntu VM successful. Before proceeding further, I'll create a test file on the Kali VM and then transfer it to the Ubuntu VM.
File transfer verification on Ubuntu VM.
Use tools like hping3 on Kali to create malformed or suspicious packets, mimicking attack patterns.
Examples of malicious traffic:
hping flood on port 80
hping icmp flood
hping fragmented packets
hping data injection
hping spoofed IP source
Use the following command to save traffic to a PCAP file:
tcpdump -i eth0 -w network_capture.pcap
The -w option writes the raw packets to a PCAP file instead of printing them, preserving the captured traffic so it can be loaded into Wireshark for detailed inspection.
Wireshark allows for in-depth examination of network data:
Let's further examine the network_capture.pcap file.
The commands run in this lab produce various traffic types on computer networks. In this lab, I've captured various traffic types to simulate reconnaissance, attacks, and legitimate activity. In this section, the most interesting findings will be analyzed.
Address Resolution Protocol - ARP is essential for mapping IP addresses to MAC addresses on a local network. However, attackers or administrators can use ARP to discover devices by sending a series of ARP requests to a range of IP addresses. This traffic demonstrates an ARP sweep, which systematically queries a range of IP addresses to identify active hosts on a local network.
This ARP storm demonstrates how attackers or network administrators might query an entire subnet to discover active hosts. The systematic ARP requests ("Who has <IP>?") and the corresponding replies ("<IP> is at <MAC>") reveal live devices and their MAC addresses. This behavior is typical of reconnaissance activity and highlights the importance of monitoring ARP traffic to detect and mitigate unauthorized network mapping attempts.
This ping sweep traffic demonstrates how attackers can use ICMP traffic to discover live hosts on a network. The systematic nature of the Echo Requests (targeting multiple IPs) and the rapid sequence of packets indicate automated reconnaissance. The responses from specific hosts reveal which devices are active and reachable, providing valuable information for further attacks. This activity underscores the importance of monitoring ICMP traffic and implementing network defenses that block reconnaissance attempts.
This capture highlights an Nmap SYN scan, where the scanner sequentially probes multiple ports on the target system. Closed ports respond with RST, ACK packets, while open ports (e.g., SSH on port 22) respond with SYN, ACK packets. This reconnaissance activity demonstrates the early stages of an attack, providing critical information about a target's network and services.
Port 22 SYN, ACK - Port 22 Open
Port 80 SYN, ACK - Port 80 Open
If we right-click on the first SSH packet and select Follow > TCP Stream, we see the TCP three-way handshake for the SSH connection.
SSH Traffic Details
Here we see the client/server communication for the key exchange: packets we can sift through to gather metadata from.
Encrypted Traffic Related to SCP File Transfer.
Here we have the consistent traffic pattern of Encrypted Packet client/server communication over the SSHv2 protocol. The sequence and frequency of packets align with the behavior of a file transfer, where data is segmented into chunks and sent over the SSH connection. The varying packet lengths (len=44, len=628, etc.) indicate data transfer activity. Larger packets suggest chunks of the file being sent, while smaller packets carry control messages and acknowledgements.
In addition, the packets of this traffic have the TCP ACK and PSH flags set, which are commonly seen during active data transfer.
These packets represent a TCP SYN Flood attack targeting port 80 on the destination IP. The rapid rate of SYN packets with no corresponding responses indicates a deliberate attempt to exhaust the target's resources by creating half-open TCP connections. This is a classic Denial of Service (DoS) tactic, designed to disrupt services by overwhelming the target's ability to handle legitimate traffic.
This traffic highlights the deliberate fragmentation of packets, with the More Fragments (MF) flag set. Fragmented packets, each with a small size of 54 bytes, are sent in rapid succession to overwhelm the target. This technique can evade firewalls and IDS by making reassembly difficult, demonstrating how attackers might bypass detection or consume system resources.
Here we have the traffic from the command: hping -S -p 443 -d 100 --data "malicious payload" 10.38.1.116
The [RST, ACK] flags indicate that the receiving system (destination) is rejecting the connection. This is expected if the system is not configured to handle the specific payload or if it identifies the packets as malformed or suspicious. The packet length (60) matches the size of the TCP headers plus any payload. Since the -d 100 option was used, the payload adds extra bytes to the total length. The high volume of packets with sequential source ports suggests that this is artificially generated traffic, consistent with hping3's behavior. The receiving system is responding with TCP Reset (RST), which occurs when a system does not expect or cannot process a connection request; this is often a sign of suspicious or malformed traffic being rejected.
Here we can see the traffic from the command "hping3 -S -p 80 --spoof 192.168.1.100 10.38.1.116".
All packets have a spoofed source IP address of 192.168.1.100. The actual system sending the traffic (Kali VM) is hiding its true IP by crafting packets with this fake source address.
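The sections above read each pattern (ARP sweep, ping sweep, SYN scan, SYN flood, spoofed source) off the Wireshark screen by hand. The following is an added example, not code from the lab write-up, that does the same reading programmatically: it parses the PCAP format that tcpdump -w produces and applies one heuristic per pattern to the decoded packets. It uses only the Python standard library. The IP addresses (10.38.1.113, 10.38.1.116, 192.168.1.100) are the ones used in the lab; the MAC addresses, port list, packet counts and detection thresholds are constructed for the sample and are not from the capture itself.

```python
"""Added example, not from the lab write-up: a minimal pcap reader plus detection heuristics for the
traffic patterns captured here (ARP sweep, ping sweep, SYN scan, SYN flood, spoofed source). Stdlib only."""
import struct
from collections import Counter, defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10
KALI, UBUNTU, SPOOFED = "10.38.1.113", "10.38.1.116", "192.168.1.100"  # addresses used in the lab
KALI_MAC, UBUNTU_MAC, BCAST = "02:00:00:00:00:01", "02:00:00:00:00:02", "ff:ff:ff:ff:ff:ff"  # constructed

def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _ip(s): return bytes(int(o) for o in s.split("."))
def _ip_str(b): return ".".join(map(str, b))

# Builders used only to construct the sample capture; checksums are left 0 and the heuristics ignore them.
def eth(dst, src, ethertype, payload):
    return _mac(dst) + _mac(src) + struct.pack("!H", ethertype) + payload

def ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                       _ip(src), _ip(dst)) + payload

def tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

def arp_request(sender_mac, sender_ip, target_ip):
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + _mac(sender_mac) + _ip(sender_ip) + bytes(6) + _ip(target_ip)

def pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # magic, v2.4, tz, sigfigs, snaplen, Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000, i, len(f), len(f)) + f  # ts_sec, ts_usec, incl_len, orig_len
    return out

def sample_capture():
    from_kali = lambda s, d, proto, pl: eth(UBUNTU_MAC, KALI_MAC, 0x0800, ipv4(s, d, proto, pl))
    frames = []
    for i in range(1, 21):  # ARP sweep of 10.38.1.1-20, as arp-scan produces
        frames.append(eth(BCAST, KALI_MAC, 0x0806, arp_request(KALI_MAC, KALI, f"10.38.1.{i}")))
    for i in range(1, 21):  # ICMP echo-request (type 8) sweep of the same range
        frames.append(from_kali(KALI, f"10.38.1.{i}", 1, struct.pack("!BBHHH", 8, 0, 0, 1, i)))
    for port in [21, 22, 23, 25, 53, 80, 110, 143, 443, 3306, 8080, 8443]:  # SYN scan of 12 ports
        frames.append(from_kali(KALI, UBUNTU, 6, tcp(40000, port, SYN)))
        reply = SYN | ACK if port in (22, 80) else RST | ACK  # 22 and 80 open, as in the lab
        frames.append(eth(KALI_MAC, UBUNTU_MAC, 0x0800, ipv4(UBUNTU, KALI, 6, tcp(port, 40000, reply))))
    for sport in range(50000, 50060):  # SYN flood on port 80: sequential source ports, nothing answered
        frames.append(from_kali(KALI, UBUNTU, 6, tcp(sport, 80, SYN)))
    for sport in range(1000, 1005):  # SYNs whose source IP is not on this subnet (hping3 --spoof)
        frames.append(from_kali(SPOOFED, UBUNTU, 6, tcp(sport, 80, SYN)))
    return pcap(frames)

def decode(frame):
    pkt = {"eth_src": frame[6:12].hex(":"), "proto": None}
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype == 0x0806:    # ARP: opcode at 20, sender IP at 28, target IP at 38
        op, = struct.unpack_from("!H", frame, 20)
        pkt.update(proto="arp", op=op, src=_ip_str(frame[28:32]), dst=_ip_str(frame[38:42]))
    elif ethertype == 0x0800:  # IPv4: IHL in byte 14, protocol at 23, addresses at 26 and 30
        l4 = 14 + (frame[14] & 0x0F) * 4
        pkt.update(src=_ip_str(frame[26:30]), dst=_ip_str(frame[30:34]))
        if frame[23] == 1:     # ICMP: type is the first byte
            pkt.update(proto="icmp", type=frame[l4])
        elif frame[23] == 6:   # TCP: ports at +0/+2, flags byte at +13
            sport, dport = struct.unpack_from("!HH", frame, l4)
            pkt.update(proto="tcp", sport=sport, dport=dport, flags=frame[l4 + 13])
    return pkt

def parse_pcap(data):
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4 or struct.unpack_from("<I", data, 20)[0] != 1:
        raise ValueError("expected little-endian classic pcap with Ethernet frames")
    pos = 24  # skip the 24-byte global header; each record is a 16-byte header plus incl_len bytes
    while pos + 16 <= len(data):
        incl = struct.unpack_from("<IIII", data, pos)[2]
        yield decode(data[pos + 16:pos + 16 + incl])
        pos += 16 + incl

def open_ports(pkts, target):  # ports on `target` that answered a SYN with SYN/ACK, as read in Wireshark above
    return sorted({p["sport"] for p in pkts if p["proto"] == "tcp" and p["src"] == target
                   and p["flags"] & SYN and p["flags"] & ACK})

def analyze(pkts, min_hosts=5, min_ports=10, min_syns=50):
    arp_t, icmp_t, scan_ports = defaultdict(set), defaultdict(set), defaultdict(set)
    syns, synacks, ips_per_mac = Counter(), Counter(), defaultdict(set)
    for p in pkts:
        if "src" in p:
            ips_per_mac[p["eth_src"]].add(p["src"])
        if p["proto"] == "arp" and p["op"] == 1:
            arp_t[p["src"]].add(p["dst"])
        elif p["proto"] == "icmp" and p["type"] == 8:
            icmp_t[p["src"]].add(p["dst"])
        elif p["proto"] == "tcp" and p["flags"] & SYN:
            if p["flags"] & ACK:  # SYN/ACK: credit the half-open connection it answers
                synacks[(p["dst"], p["src"], p["sport"])] += 1
            else:
                scan_ports[(p["src"], p["dst"])].add(p["dport"])
                syns[(p["src"], p["dst"], p["dport"])] += 1
    f = [("arp_sweep", s, len(h)) for s, h in arp_t.items() if len(h) >= min_hosts]
    f += [("ping_sweep", s, len(h)) for s, h in icmp_t.items() if len(h) >= min_hosts]
    f += [("syn_scan", s, d, len(ps)) for (s, d), ps in scan_ports.items() if len(ps) >= min_ports]
    f += [("syn_flood", *k, n) for k, n in syns.items() if n >= min_syns and synacks[k] * 10 < n]  # <10% answered
    f += [("spoofed_source", m, sorted(ips)) for m, ips in ips_per_mac.items() if len(ips) > 1]  # one MAC, many IPs
    return f
```

Running analyze(list(parse_pcap(sample_capture()))) reports the five findings the write-up makes by eye, and open_ports(..., "10.38.1.116") returns [22, 80]. The same reader works on a real network_capture.pcap (read the file in binary mode and pass the bytes), as long as tcpdump wrote classic little-endian pcap with Ethernet framing; the thresholds are starting points to tune against the baseline of a real network, and the spoofed-source check only fires when the spoofing host also sends traffic under its real address in the same capture.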
This lab demonstrates how tcpdump and Wireshark can monitor, diagnose, and secure network environments. From identifying potential intrusions to analyzing legitimate traffic, these tools provide cybersecurity professionals with critical visibility into network activity.