Jul 19, 2025

Tcpdump: The basics

Learn how to use Tcpdump to save, filter, and display packets.


Task 1

Introduction

  1. What is the name of the library that is associated with tcpdump?
libpcap

Task 2

Basic Packet Capture

  1. What option can you add to your command to display addresses only in numeric format?
-n

Task 3

Filtering Expressions

  1. How many packets in traffic.pcap use the ICMP protocol?

Run this command:

tcpdump icmp -r traffic.pcap | wc -l
26

  2. What is the IP address of the host that asked for the MAC address of 192.168.124.137?

Run this command:

tcpdump -r traffic.pcap dst 192.168.124.137 and arp
192.168.124.148

  3. What hostname (subdomain) appears in the first DNS query?

Run this command:

tcpdump -r traffic.pcap port 53 -c 1
mirrors.rockylinux.org

Task 4

Advanced Filtering

  1. How many packets have only the TCP Reset (RST) flag set?

Run this command:

tcpdump -r traffic.pcap "tcp[tcpflags] == tcp-rst" | wc -l
57

  2. What is the IP address of the host that sent packets larger than 15000 bytes?

Run this command:

tcpdump -r traffic.pcap greater 15000 -c 1 -n
185.117.80.53
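As an added example (my own code, not part of the room or this walkthrough) of what the Task 4 flag filter actually tests: tcp[tcpflags] is byte 13 of the TCP header, and "== tcp-rst" matches only when no other flag bit is set, so an RST/ACK is not counted. The TCP headers below are constructed inline, not taken from traffic.pcap.

```python
# Added example: evaluate the tcpdump flag filters from Task 4 against
# hand-built TCP headers. "tcp[tcpflags] == tcp-rst" counts pure RST
# packets only; "tcp[tcpflags] & tcp-rst != 0" would also count RST/ACK.
import struct

# Flag bit values, using the names tcpdump accepts in filter expressions.
TCP_FLAGS = {"tcp-fin": 0x01, "tcp-syn": 0x02, "tcp-rst": 0x04,
             "tcp-push": 0x08, "tcp-ack": 0x10, "tcp-urg": 0x20}


def build_tcp_header(sport, dport, flags, data_offset=5):
    """Build a minimal 20-byte TCP header; byte 13 carries the flag bits."""
    offset_flags = (data_offset << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_flags, 65535, 0, 0)


def tcpflags(header):
    """tcp[tcpflags] in tcpdump is the same as tcp[13]."""
    return header[13]


def only_rst(header):
    """Equivalent of: tcp[tcpflags] == tcp-rst"""
    return tcpflags(header) == TCP_FLAGS["tcp-rst"]


def has_rst(header):
    """Equivalent of: tcp[tcpflags] & tcp-rst != 0"""
    return tcpflags(header) & TCP_FLAGS["tcp-rst"] != 0


def count_matching(headers, predicate):
    """Same job as piping tcpdump output into wc -l."""
    return sum(1 for h in headers if predicate(h))


# Constructed sample (not real capture data): SYN, SYN/ACK, RST, RST/ACK.
SAMPLE = [
    build_tcp_header(40000, 80, TCP_FLAGS["tcp-syn"]),
    build_tcp_header(80, 40000, TCP_FLAGS["tcp-syn"] | TCP_FLAGS["tcp-ack"]),
    build_tcp_header(40001, 22, TCP_FLAGS["tcp-rst"]),
    build_tcp_header(22, 40001, TCP_FLAGS["tcp-rst"] | TCP_FLAGS["tcp-ack"]),
]

if __name__ == "__main__":
    print("only RST:", count_matching(SAMPLE, only_rst))  # 1
    print("any RST :", count_matching(SAMPLE, has_rst))   # 2
```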

Task 5

Displaying Packets

  1. What is the MAC address of the host that sent an ARP request?

Run this command:

tcpdump arp -r traffic.pcap -e
52:54:00:7c:d3:5b

Task 6

Conclusion

  1. Ensure you have noted the various Tcpdump options we covered in this room.
No answer needed
