wireshark & tcpdump

Packets refer to the data sent across a network when our devices communicate with servers or each other. These two packet sniffer tools are useful for analyzing packets on our interfaces.

To start: Wireshark is the graphical interface we can use to sniff packets, and tcpdump is the command-line interface we can use. Tcpdump is generally faster and less resource-consuming than Wireshark; however, it is less efficient at analyzing packets than Wireshark and we can’t see as much information.

what are packets? and what does sniffing them mean?

Packet sniffing is essentially just intercepting packets so we can understand more about what our interface is interacting with. In this case we are intercepting and analysing these packets to understand more about protocols, source and destination, and in some cases the HTTP stream. Packets are pieces of data sent across the network; larger data is split into smaller pieces, and once the packets reach their destination they are reassembled in order.

I would liken internet communication to ordering furniture, like a bed, from IKEA, except imagine each part of the bed is sent in a different parcel. You order a bed and it arrives in a package with the destination address, the source address, the weight of the parcel, what’s inside and what the item actually is. Once it reaches its destination (your house) you reassemble the bed so you can sleep in it. Packet sniffing, in this analogy, is essentially intercepting the parcels that contain each part of the bed, looking at the address and feeling the parcel to make sure it’s actually what you ordered.

The anatomy of data packets is important to understand; the figure below shows the anatomy of an IP (Internet Protocol) packet. Think of a packet like a parcel: it carries all of the information about the data being stored in the packet. The actual information, e.g. images, text or videos, is referred to as the payload.

  • version- refers to the version of the IP being used (4 bits)

  • IHL (IP header field)- shows how many 32-bit words are in the IP header

  • flags- helps the user control fragments (3 bits): the value of the first bit is always zero, bit one means do not fragment, and bit two indicates how many fragments it’s split into.

  • identification- IP header field, a unique number that has been assigned to a packet by the host; essentially the address and routing instructions for the packet.

  • total length- specifies the length of the packet

  • fragment offset- tells us the offset of the data for fragmented packets.

  • type of service- decides the priority of the packet and the quality of service it receives.

  • protocol- e.g. TCP, UDP or ICMP.

  • header checksum- tells us if there are errors
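As an added example (not from the original post), here is a small Python parser for the IPv4 header fields listed above, with the RFC 791 header checksum verified so a damaged header is flagged. The sample header is constructed, and the names build_ipv4_header and parse_ipv4_header are chosen here, not taken from Wireshark or tcpdump.

```python
import socket
import struct

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's complement sum
    of the header's 16-bit words, with the checksum field itself counted as 0."""
    words = struct.unpack("!%dH" % (len(header) // 2), header)
    total = sum(words) - words[5]          # word 5 is the checksum field
    while total >> 16:                     # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, payload_len, ident, proto=6, ttl=64,
                      dont_fragment=True, more_fragments=False, frag_offset=0):
    """Assemble a 20-byte IPv4 header (IHL 5, no options) with a valid checksum.
    frag_offset is in 8-byte units, exactly as carried on the wire."""
    flags = (int(dont_fragment) << 1) | int(more_fragments)   # first flag bit reserved
    flags_frag = (flags << 13) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + payload_len, ident,
                      flags_frag, ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(data: bytes) -> dict:
    """Decode the header fields listed above, much as Wireshark's IP pane shows
    them, and verify the checksum so a corrupted header is reported."""
    ihl = data[0] & 0x0F if data else 0    # header length in 32-bit words
    if ihl < 5 or len(data) < ihl * 4:
        raise ValueError("truncated or malformed IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    return {
        "version": ver_ihl >> 4, "ihl_words": ihl, "header_len": ihl * 4,
        "tos": tos, "total_length": total_len, "identification": ident,
        "dont_fragment": bool((flags_frag >> 14) & 1),
        "more_fragments": bool((flags_frag >> 13) & 1),    # more pieces follow
        "fragment_offset": (flags_frag & 0x1FFF) * 8,      # converted to bytes
        "ttl": ttl, "protocol": PROTOCOLS.get(proto, str(proto)),
        "header_checksum": csum,
        "checksum_ok": ipv4_checksum(data[:ihl * 4]) == csum,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
    }


# Constructed sample (not from a real capture): the IP header of a 20-byte TCP
# segment from 192.168.0.1 to 192.168.0.199 with the "do not fragment" flag set.
SAMPLE = build_ipv4_header("192.168.0.1", "192.168.0.199", 20, 0x1C46)
```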

Packet sniffing tools access the network’s data-link layer, where packets are encapsulated before they are sent through the network. Packet sniffers can be positioned strategically at different points of a network to intercept traffic, for example at routers, switches and firewalls.

In the above diagram, packet sniffers are positioned at points of the network to intercept packets. Unencrypted packets can be read and analysed by potential attackers (or you). In this case we are going to be analysing packets being sent from a client to a server, so our sniffing will look more like this:

The suspicious looking person is you intercepting your own network traffic after you learn how to use wireshark and tcpdump.

installing wireshark

Wireshark is the graphical (GUI) packet sniffing tool we are going to use. To start, we are going to launch our VM. I am using Kali Linux.

I would recommend running ‘sudo apt-get update’ and then ‘sudo apt upgrade’ to make sure your machine is up to date. This ensures you can install Wireshark with no errors.

We are going to use the ‘sudo apt install wireshark’ command to install Wireshark onto our virtual machine.

Then simply type ‘wireshark’.

Our graphical interface is going to appear on our virtual machine, and we can now configure it to capture traffic. First choose your interface, ideally ‘eth0’, as that is the interface your traffic is normally transmitted across.

Result of packets captured when I launch Firefox on Kali Linux.

how do we analyse packets?

protocols-

  • DNS- domain name system, shown when your host attempts to resolve the IP address of a domain to send a packet.

  • DHCP- Dynamic host configuration protocol

  • http- hypertext transfer protocol

  • https- secure hypertext transfer protocol

  • TCP- transmission control protocol

  • OCP- open core protocol

Each packet contains the following fields: number in order since the capture started, timestamp in UNIX format, source IP, destination IP, protocol, length, and information, which varies depending on the packet; for example, some will display queries for certain protocols like DNS.

We can apply filters to our packet capture, as even one small capture will result in thousands of packets that are hard to examine individually. Here I am applying an HTTP port filter to see what HTTP requests I can find.

If we want to save our capture for later, go to File, Save As, and choose the pcap format to save our file.

If we want to follow the HTTP stream of a packet, we can right-click on the packet, click Follow, then click HTTP Stream. In this instance the packet is encrypted, which is good. HTTP packets will not be encrypted.

Let’s try this on a non-encrypted website.

On testphp.vulnweb, I have created the user puxnet with the password puxnet1. The yellow highlight shows my username and password in the HTTP stream from the packet. We can see that if we are using HTTP websites, our credentials can be read.
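As an added example (not part of the original post), this Python code reads one HTTP request the way ‘Follow HTTP Stream’ shows it and reports the credentials anyone on the path can read in the clear, which is what the yellow highlight above illustrates and why a login form must only ever be served over HTTPS. The request bytes are constructed, and the field-name list SECRET_FIELDS is an assumption to adapt to the application being tested.

```python
import base64
from urllib.parse import parse_qs

# Form field names a login page commonly uses (assumption; extend per application).
SECRET_FIELDS = {"pass", "passwd", "password", "pwd"}


def parse_http_request(raw: bytes) -> tuple:
    """Split one HTTP/1.x request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_cleartext_credentials(raw: bytes) -> list:
    """Return (where, field_or_user, secret) triples for credentials carried
    unprotected in a plain-HTTP request: a posted login form or HTTP Basic auth."""
    request_line, headers, body = parse_http_request(raw)
    found = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:   # Basic auth is only base64, not encryption: user:password is recoverable
            user, _, pw = base64.b64decode(auth[6:]).decode("utf-8", "replace").partition(":")
            found.append(("Authorization: Basic", user, pw))
        except ValueError:   # malformed base64 (binascii.Error is a ValueError)
            pass
    ctype = headers.get("content-type", "")
    if request_line.startswith("POST") and "x-www-form-urlencoded" in ctype:
        form = parse_qs(body.decode("utf-8", "replace"))
        for field, values in form.items():
            if field.lower() in SECRET_FIELDS:
                found.append(("form body", field, values[0]))
    return found


# Constructed sample request (not a real capture): a login form posted over HTTP.
SAMPLE_REQUEST = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 25\r\n"
    b"\r\n"
    b"uname=puxnet&pass=puxnet1"
)
```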

tcpdump basics

Tcpdump is a command-line tool used to capture and analyze network packets. When you run tcpdump, it captures packets from the network interface you specify. These packets contain information about the source and destination addresses, the protocols used, and the data being transmitted. Tcpdump displays this information in a human-readable format, making it easy to understand.

What are some basic tcpdump commands and switches?

A basic command, for example for listening on our eth0 interface, follows the general form

tcpdump {options} {expression}

We can also use the -v (verbose) option for more details.
