KB: 1069
How to capture packets and trace them with the tcpdump utility?
The tcpdump utility is a powerful command-line tool for capturing and analyzing network traffic. It captures packets that pass through a network interface and provides detailed information about the network activity.
Below is an example of the command to run the tcpdump utility-
Command: -
tcpdump -i <interface> port <port> -w <filename>.pcap
For example:
tcpdump -i any port 443 and host 10.0.0.1 -w dump.pcap
Before running this command, make sure the user has root access (or, on Linux, the CAP_NET_RAW and CAP_NET_ADMIN capabilities). With -w the raw packets are stored in pcap format and nothing is printed on the screen; the file is inspected afterwards with -r or opened in Wireshark. Note that on Linux, capturing with -i any records a "Linux cooked" (SLL) link-layer header instead of an Ethernet header, which analysis tools must account for.
Below are the arguments and filter expressions that can be used based on the requirement. Note that -i, -w, -A, -X, -c and -r are tcpdump options, while host, port, src host and dst host are BPF filter primitives; filter primitives can be combined with and, or and not (for example: port 443 and host 10.0.0.1).
Arguments: -
- -i <interface> : Specifies the network interface to listen on ("any" captures on all interfaces).
- host <hostname> : Captures packets to or from a specific IP address or hostname.
- port <port> : Captures packets to or from a specific port.
- -w <file> : Writes the captured packets to a file in pcap format instead of displaying them on the screen.
- -A : Displays the packet contents in ASCII, which is useful for inspecting HTTP requests or other text-based protocols.
- -X : Displays the packet contents in both hex and ASCII.
- -c <count> : Specifies the number of packets to capture before stopping.
- -r <filename> : Reads and analyzes packets from a previously saved capture file.
- src host <host> : Captures packets originating from a specific host.
- dst host <host> : Captures packets that are destined for a specific host.
To analyze the captured content, you can use a tool like Wireshark (open the .pcap file with File > Open). To decrypt encrypted traffic captured in a dump file using Wireshark, you need the appropriate key material for the encryption protocol used (e.g., SSL/TLS). Note that decrypting with the server's private key only works when the session used RSA key exchange; for (EC)DHE cipher suites and for TLS 1.3, Wireshark instead needs the per-session secrets, which clients such as Firefox and Chrome can write out via the SSLKEYLOGFILE environment variable and which are then loaded in Wireshark under the TLS protocol preferences as the (Pre)-Master-Secret log filename. Below are the reference documents for decrypting SSL/TLS traffic in Wireshark.
Reference 1: How to decrypt SSL/TLS traffic using Wireshark and private keys?