Packet Capture and Analysis

1 hour
  • 3 Learning Objectives

About this Hands-on Lab

It’s crucial for any security or systems administrator to be able to capture and analyze network traffic. This allows for advanced troubleshooting as well as security review. Furthermore, having a working knowledge of the traditional capture filters, like those used in the `tcpdump` and `wireshark` utilities, is a requirement of some certification exams, such as the LPIC-3 303-200.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Use a `tshark` capture filter to collect TCP traffic on port 80.
  1. Use a tshark capture filter to collect TCP traffic on port 80. Store the capture command output in /root/http_out.

    tshark -f "tcp port 80" -V -Y http > /root/http_out
  2. In another SSH session, run curl www.example.com/index.html during the capture.

    curl www.example.com/index.html

    Note: curl may produce output but it does not need to be recorded.

Use a `tshark` display filter to collect HTTP traffic and print only HTTP response codes.
  1. Use a tshark display filter to collect HTTP traffic and print only HTTP response codes. Store the capture command output in /root/http_response.

    tshark -Y http -Tfields -e http.response.code > /root/http_response
  2. In a separate SSH session, run curl www.example.com/index.html and then curl www.example.com/error.html during the capture:

    curl www.example.com/index.html
    curl www.example.com/error.html

    Note: curl may produce output but it does not need to be recorded.

Use a `tshark` capture filter that prints the IP address of hosts sending traffic to the test workstation on TCP port 22.
  1. Use a tshark capture filter that prints the IP address of hosts sending traffic to the test workstation on TCP port 22. Observe any IP addresses printed after several seconds.

    tshark -f "tcp src port 22" -Tfields -e ip.dst

    Add the IP address(es) to /root/ssh_ip in a newline-delimited format.

Additional Resources

Note: For best performance, you should run two simultaneous SSH sessions to the test workstation while you work on this lab. Use one session to perform captures, and the other to perform the curl commands.

You have been asked to generate a few network traffic captures from a workstation on a possibly compromised network for the security team to review. In the first report, they need you to collect a sample (no more than 30 to 40 seconds) of all TCP traffic on port 80 using tshark capture filters, and then store the results in /root/http_out. While the capture is running, in a second SSH session, perform a curl of www.example.com/index.html on the workstation to provide some baseline traffic for comparison.

Run a second capture of HTTP traffic using tshark display filters so that only the HTTP response codes returned to the workstation are printed. Redirect the output of that capture command to /root/http_response. While the capture is running, in a second SSH session, perform a curl of www.example.com/index.html and www.example.com/error.html on the workstation to provide some baseline traffic for comparison. The capture only needs to run long enough for you to perform the curl commands.

Run a third and final capture to determine if any other hosts are connected to the workstation over SSH (port 22). You should use a capture filter that prints the IP address of any host connecting to the workstation. This one will only need to run about 20 seconds. Create a file called /root/ssh_ip and list any IP addresses you observe communicating with the workstation over SSH.

Please note all necessary packages have been installed on the test server for convenience.

Summary tasks list:

  1. Use a tshark capture filter to collect TCP traffic on port 80. Run curl www.example.com/index.html during the capture. Store the capture command output in /root/http_out.
  2. Use a tshark display filter to collect HTTP traffic and print only HTTP response codes. Run curl www.example.com/index.html and curl www.example.com/error.html during the capture. Store the capture command output in /root/http_response.
  3. Use a tshark capture filter that prints the IP address of hosts sending traffic to the test workstation on TCP port 22. Make note of what IP addresses are sending such traffic and write the address(es) to the file /root/ssh_ip, delimited by newlines.
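The three captures above, wrapped as one script that stops each capture after the time the brief asks for (tshark's `-a duration:N` autostop) and cleans the field output before it is written. This is an added example, not the lab's own solution; it assumes tshark can capture on the default interface and that the operator sets `WORKSTATION_IP` (a placeholder) to the workstation's own address so it is not listed as a remote SSH peer.

```shell
#!/bin/sh
# Added example for the lab brief (not the lab's reference commands).
# Assumes: tshark on PATH with capture rights; WORKSTATION_IP set by the operator.

# tshark -T fields prints an empty line for every frame that lacks the field
# (HTTP requests have no response code), so strip blank lines and keep order.
response_codes_only() {
    grep -v '^$'
}

# Reduce a stream of addresses to a unique newline-delimited list, dropping
# blanks and the workstation's own address so only remote peers remain.
unique_remote_ips() {
    grep -v '^$' | grep -vxF "$1" | sort -u
}

# Task 1: BPF capture filter (applied at capture time) for TCP/80, 40 s cap,
# full decode (-V), and a display filter so only HTTP-dissected frames are kept.
capture_http() {
    tshark -f "tcp port 80" -a duration:40 -V -Y http > /root/http_out
}

# Task 2: display filter (Wireshark syntax, applied after dissection) that
# selects responses and prints the status code field only.
capture_http_response_codes() {
    tshark -Y http.response -a duration:30 -T fields -e http.response.code \
        | response_codes_only > /root/http_response
}

# Task 3: same direction as the lab command (frames leaving sshd on port 22,
# ip.dst is the peer), deduplicated and with the local address excluded.
capture_ssh_peers() {
    tshark -f "tcp src port 22" -a duration:20 -T fields -e ip.dst \
        | unique_remote_ips "${WORKSTATION_IP:?set WORKSTATION_IP}" > /root/ssh_ip
}

# Constructed sample of raw "-e ip.dst" output (duplicates and a blank line),
# used to exercise the filter without a live capture.
sample_ip_dst='10.0.0.5
10.0.0.5

192.168.1.10
10.0.0.9'

if [ "${1:-}" = run ]; then
    capture_http
    capture_http_response_codes
    capture_ssh_peers
fi
```

Run it as `sh capture.sh run` on the workstation; without the `run` argument it only defines the functions, which is convenient for sourcing and testing the filters.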
