Capturing and analysing network traffic can be a big help when you are dealing with network issues, auditing network security controls, investigating a possible security incident, or when you just want to get the “big picture” of what is on the wire.
In this blog post you will learn how to use the tcpdump command to capture network traffic, and then how to use tshark to analyse the resulting PCAP files and report the findings.
Capturing Traffic with tcpdump #
Before we can hop into the analysis part, we first have to capture some traffic. On Linux and other UNIX-like systems tcpdump is the go-to tool for capturing traffic, applying filters and saving the data for later analysis.
You can capture from a network tap, a SPAN/mirror port on a switch, a network hub, or any other setup that lets you see all traffic on the network segment. Keep in mind that on a switched network without a tap or mirror port you mostly see only the traffic to and from the capture host itself, plus broadcast and multicast. Let’s use tcpdump for our first capture.
Tcpdump #
Basic traffic capture is straightforward: you just need to know which interface to monitor and run tcpdump with root privileges (or with the CAP_NET_RAW and CAP_NET_ADMIN capabilities), since opening a raw socket and putting an interface into promiscuous mode are privileged operations:
$ sudo tcpdump -i eth0
However, this raw approach quickly becomes overwhelming on busy networks. Filters are essential for managing the data volume.
Here are the most useful tcpdump filters:
Traffic to/from a specific host:
$ sudo tcpdump -i eth0 host 10.26.30.20
Traffic to a specific IP:
$ sudo tcpdump -i eth0 dst 10.26.30.20
Traffic from a specific IP:
$ sudo tcpdump -i eth0 src 10.26.30.20
Filter by port:
$ sudo tcpdump -i eth0 port 3389
Combine host and port filters:
$ sudo tcpdump -i eth0 host 10.26.30.20 and dst port 3389
Capture full packets to a file. -s0 asks for the whole packet rather than a truncated snapshot (this is the default in tcpdump 4.0 and later, but older versions cut packets off at 68 bytes), -nn disables host and port name resolution, and -w writes the raw packets to the file instead of decoding them on the terminal:
$ sudo tcpdump -i eth0 -s0 -nn -w capture.pcap
Capinfos #
When you need capture metadata, capinfos (shipped with Wireshark) provides detailed information about a PCAP or PCAPNG file, including a hash you can record for evidence-handling purposes:
$ capinfos cap01.pcap
File name: cap01.pcap
File type: Wireshark/... - pcapng
File encapsulation: Ethernet
Number of packets: 36
File size: 40 kB
Capture duration: 0.204428112 seconds
First packet time: 2022-05-24 12:41:15.611731928
Last packet time: 2022-05-24 12:41:15.816160040
Average packet size: 1078.36 bytes
SHA256: 5179eb338edda35e4a731b5fcf8edce2ef9605f320c93599a33fc4c3e2297e72
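To see what capinfos is actually reading, here is an added example (my own code, not from the post or from Wireshark) that reproduces the packet count, time span, average packet size and SHA256 of the summary above for a classic pcap file. It builds a constructed three-packet capture in memory whose timestamps approximate the ones shown (taken as UTC), parses the global and per-record headers by hand, and refuses pcapng input (the format tshark writes by default) instead of misparsing it. The packet contents are zero padding and the sample is entirely made up:

```python
"""capinfos-style summary of a classic libpcap (.pcap) file.

Added example, not code from the post or from Wireshark. Handles the classic
pcap format only, in either byte order and with micro- or nanosecond
timestamps; pcapng files are rejected rather than misparsed.
"""
import hashlib
import struct
import time

GLOBAL_HDR = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = 16   # ts_sec, ts_frac, incl_len, orig_len

# Magic number as read with "<I" -> (struct byte order, timestamp ticks per second)
MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),        # little-endian, microseconds
    0xA1B23C4D: ("<", 1_000_000_000),    # little-endian, nanoseconds
    0xD4C3B2A1: (">", 1_000_000),        # big-endian, microseconds
    0x4D3CB2A1: (">", 1_000_000_000),    # big-endian, nanoseconds
}
PCAPNG_MAGIC = 0x0A0D0D0A                 # Section Header Block type, same in both orders
LINKTYPES = {1: "Ethernet", 101: "Raw IP", 113: "Linux cooked capture"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fmt_ts(ns: int) -> str:
    """Epoch nanoseconds -> 'YYYY-MM-DD HH:MM:SS.nnnnnnnnn' (UTC)."""
    sec, frac = divmod(ns, 1_000_000_000)
    return time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(sec)) + f".{frac:09d}"


def summarize(data: bytes) -> dict:
    """Walk every packet record and return the capinfos-style fields."""
    if len(data) < GLOBAL_HDR:
        raise ValueError("shorter than a pcap global header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAPNG_MAGIC:
        raise ValueError("pcapng file: this parser handles classic pcap only")
    if magic not in MAGICS:
        raise ValueError(f"unknown magic 0x{magic:08x}")
    order, ticks_per_sec = MAGICS[magic]
    ns_per_tick = 1_000_000_000 // ticks_per_sec
    _major, _minor, _zone, _sigfigs, _snaplen, linktype = struct.unpack_from(
        order + "HHiIII", data, 4)

    offset, count, wire_bytes = GLOBAL_HDR, 0, 0
    first_ns = last_ns = None
    while offset < len(data):
        if offset + RECORD_HDR > len(data):
            raise ValueError(f"truncated record header at offset {offset}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(
            order + "IIII", data, offset)
        if offset + RECORD_HDR + incl_len > len(data):
            # Typical of a capture cut short while tcpdump was still writing.
            raise ValueError(f"truncated packet data at offset {offset}")
        ns = ts_sec * 1_000_000_000 + ts_frac * ns_per_tick
        first_ns = ns if first_ns is None else first_ns
        last_ns = ns
        count += 1
        wire_bytes += orig_len          # length on the wire, not the captured part
        offset += RECORD_HDR + incl_len

    return {
        "file_type": "pcap",
        "encapsulation": LINKTYPES.get(linktype, f"linktype {linktype}"),
        "packets": count,
        "file_size": len(data),
        "duration": (last_ns - first_ns) / 1e9 if count else 0.0,
        "first": fmt_ts(first_ns) if count else None,
        "last": fmt_ts(last_ns) if count else None,
        "avg_packet_size": wire_bytes / count if count else 0.0,
        "sha256": sha256_hex(data),
    }


def build_sample_pcap() -> bytes:
    """Constructed three-packet little-endian pcap with microsecond timestamps.

    Timestamps approximate the capinfos output in the post (taken as UTC);
    the frame bytes are zero padding, since only the lengths matter here.
    """
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    packets = [(1653396075, 611731, 60), (1653396075, 700000, 1000),
               (1653396075, 816160, 440)]
    out = bytearray(header)
    for sec, usec, length in packets:
        out += struct.pack("<IIII", sec, usec, length, length) + bytes(length)
    return bytes(out)


if __name__ == "__main__":
    for key, value in summarize(build_sample_pcap()).items():
        print(f"{key:>16}: {value}")
```

The truncation check is the part worth keeping: a capture that was cut short (disk full, machine rebooted while tcpdump was writing) ends in a partial record, and the parser raises instead of quietly reporting fewer packets. The average is computed from the on-the-wire length, so a capture taken with a small snaplen still reports the real packet sizes.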
Analysis Tools #
Once you’ve captured the data, several tools can help with analysis:
- Wireshark - GUI-based protocol analyzer
- tshark - Command-line version of Wireshark
- Zeek - Network security monitoring framework
Tshark #
Tshark is Wireshark’s command-line counterpart and the main topic of this blog post. Without options it behaves much like tcpdump, but it brings Wireshark’s protocol dissectors with it and offers far more powerful filtering and analysis capabilities.
There are two types of filters, and they use different syntaxes:
- Capture filters - Define what traffic is captured from the wire. They use BPF syntax, the same as tcpdump, and are passed with the -f option (or as trailing arguments, as in the capture below).
- Display filters - Define what captured data is displayed. They use Wireshark’s own field-based syntax (ip.addr, tls.handshake.type and so on) and are passed with the -Y option.
TLS Decryption #
When browsing through capture files you will notice that most traffic is TLS-encrypted. You can decrypt it if you have the session keys. Many TLS clients write their session secrets, in the NSS key log format, to the file named by the SSLKEYLOGFILE environment variable during the TLS handshake, and tshark can read that file.
First, capture some HTTPS traffic:
$ sudo tshark -i ens18 -w cap01.pcap -nn tcp and port 443
Decoded without keys, the capture shows only encrypted TLS records:
4 0.092228375 10.26.30.20 → 142.250.74.142 TLSv1 583 Client Hello
6 0.109619599 142.250.74.142 → 10.26.30.20 TLSv1.3 2902 Server Hello, Change Cipher Spec
9 0.109893489 142.250.74.142 → 10.26.30.20 TLSv1.3 2499 Application Data
To decrypt the traffic, set up key logging and run the capture and the TLS client at the same time. The variable has to be set in the environment of the client (curl here); tshark itself does not need it, so it does not matter that sudo normally resets the environment:
$ export SSLKEYLOGFILE="$PWD/tls.key"
$ sudo tshark -i ens18 -w cap01.pcap -nn tcp and port 443 &
$ curl https://google.com
The client appends one line per secret to the key file. Each line holds a label, the 32-byte client random that identifies the session, and the secret itself; a TLS 1.3 session logs several such lines:
$ cat tls.key
SERVER_HANDSHAKE_TRAFFIC_SECRET a5b587ffd779d3280b0edf7bcc5b8069bb31c60631b29a556801dd25bc416523 ee31f6889f3c3bd99b18e1781db562bf219f4d421a74d2aa53065c5037b39f131a81e0d735f7ac76286038fa5171ba92
CLIENT_TRAFFIC_SECRET_0 a5b587ffd779d3280b0edf7bcc5b8069bb31c60631b29a556801dd25bc416523 13960c779d3ccbeea3b723543380c9c29bac0ab54d28d135c8e01436fdb78518ba801b3ea1e7ab12156eb577d7378843
Now you can analyze the decrypted traffic:
$ tshark -o tls.keylog_file:$SSLKEYLOGFILE -r cap01.pcap
The output reveals the decrypted HTTP/2 traffic:
13 0.116325478 10.26.30.20 → 142.250.74.142 HTTP2 112 Magic
16 0.116658659 10.26.30.20 → 142.250.74.142 HTTP2 124 HEADERS[1]: GET /
25 0.283679536 142.250.74.142 → 10.26.30.20 HTTP2 522 HEADERS[1]: 301 Moved Permanently
This technique works with any application that honours the SSLKEYLOGFILE environment variable, including Firefox, Chrome/Chromium and curl (when built against a TLS library that supports key logging, such as OpenSSL or GnuTLS). Two things to keep in mind: tshark matches key log lines to sessions by the client random, so the capture must contain the ClientHello of every session you want to decrypt, and the key file decrypts everything those sessions carried, so protect it like a password and delete it when you are done.
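tshark ties each line of the key log to a TLS session through the 32-byte client random in the ClientHello. The following added example (my own code, not the post’s or Wireshark’s) does that lookup by hand: it parses a key log, extracts the client random from a ClientHello record, and reports which secrets are available for that session and whether they are enough to decrypt application data. The key log is constructed: the first session reuses the client random and the two secrets printed above, while the remaining labels and the second (TLS 1.2-style CLIENT_RANDOM) session are made-up placeholders, and the ClientHello is built inline rather than taken from a capture.

```python
"""Match TLS sessions in a capture to secrets from an SSLKEYLOGFILE.

Added example, not code from the post or from Wireshark. tshark ties key log
lines to sessions by the 32-byte client random from the ClientHello; this
does the same lookup by hand so you can tell, before running tshark, whether
a key file actually covers a session.
"""
import binascii

# Labels needed to decrypt application data, by protocol version.
TLS13_REQUIRED = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
TLS12_REQUIRED = {"CLIENT_RANDOM"}

RANDOM_A = "a5b587ffd779d3280b0edf7bcc5b8069bb31c60631b29a556801dd25bc416523"  # from the post
RANDOM_B = "bb" * 32                                                            # made up
SAMPLE_KEYLOG = "\n".join([
    "# constructed key log: the first two secrets are the ones printed in the post,",
    "# the placeholder secrets and the CLIENT_RANDOM (TLS 1.2) session are made up",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + RANDOM_A + " ee31f6889f3c3bd99b18e1781db562bf"
    "219f4d421a74d2aa53065c5037b39f131a81e0d735f7ac76286038fa5171ba92",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + RANDOM_A + " " + "11" * 48,
    "CLIENT_TRAFFIC_SECRET_0 " + RANDOM_A + " 13960c779d3ccbeea3b723543380c9c2"
    "9bac0ab54d28d135c8e01436fdb78518ba801b3ea1e7ab12156eb577d7378843",
    "SERVER_TRAFFIC_SECRET_0 " + RANDOM_A + " " + "22" * 48,
    "EXPORTER_SECRET " + RANDOM_A + " " + "33" * 48,
    "CLIENT_RANDOM " + RANDOM_B + " " + "44" * 48,
])


def parse_keylog(text: str) -> dict:
    """Return {client_random_hex: {label: secret_hex}} for an NSS key log."""
    sessions = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'LABEL client_random secret'")
        label, client_random, secret = parts
        if len(client_random) != 64:
            raise ValueError(f"line {lineno}: client random must be 32 bytes of hex")
        try:
            binascii.unhexlify(client_random)
            binascii.unhexlify(secret)
        except binascii.Error as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        sessions.setdefault(client_random.lower(), {})[label] = secret.lower()
    return sessions


def client_random_from_record(record: bytes) -> str:
    """Pull the 32-byte random out of a TLS record carrying a ClientHello.

    Layout: record type(1) version(2) length(2); handshake type(1) length(3)
    legacy_version(2) random(32) ... so the random sits at bytes 11..42.
    """
    if len(record) < 43 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    if len(record) < 5 + rec_len:
        raise ValueError("truncated TLS record")
    if record[5] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    return record[11:43].hex()


def secrets_for_session(sessions: dict, record: bytes) -> dict:
    """Secrets the key log holds for the session this ClientHello started ({} if none)."""
    return sessions.get(client_random_from_record(record), {})


def can_decrypt_app_data(labels) -> bool:
    """True if the logged labels are enough for tshark to decrypt application data."""
    labels = set(labels)
    return TLS13_REQUIRED <= labels or TLS12_REQUIRED <= labels


def build_client_hello(client_random: bytes) -> bytes:
    """Constructed minimal ClientHello record (one cipher suite, no extensions)."""
    body = (
        b"\x03\x03" + client_random   # legacy_version, random
        + b"\x00"                     # session_id length 0
        + b"\x00\x02\x13\x01"         # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                 # one compression method: null
        + b"\x00\x00"                 # no extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    sessions = parse_keylog(SAMPLE_KEYLOG)
    hello = build_client_hello(bytes.fromhex(RANDOM_A))
    found = secrets_for_session(sessions, hello)
    print("client random:", client_random_from_record(hello))
    print("labels:", sorted(found), "decryptable:", can_decrypt_app_data(found))
```

An empty result from secrets_for_session is the usual reason tshark still shows "Application Data" after you pointed it at a key file: either the client did not log that session (wrong environment, unsupported TLS backend) or the ClientHello was not in the capture, so there is nothing for the random to match against.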
That covers the fundamentals of network traffic capture and analysis. These techniques form the foundation for deeper network security analysis and troubleshooting. In the next part, we will dig deeper into the analysis. See you there :-)