Cyber Security 101 > Networking > Tcpdump: The Basics
Task 1
Introduction
- What is the name of the library that is associated with tcpdump?
libpcap
Task 2
Basic Packet Capture
- What option can you add to your command to display addresses only in numeric format?
-n
Task 3
Filtering Expressions
- How many packets in traffic.pcap use the ICMP protocol?
Run this command:
tcpdump icmp -r traffic.pcap | wc -l
26
- What is the IP address of the host that asked for the MAC address of 192.168.124.137?
Run this command:
tcpdump -r traffic.pcap dst 192.168.124.137 and arp
192.168.124.148
- What hostname (subdomain) appears in the first DNS query?
Run this command:
tcpdump -r traffic.pcap port 53 -c 1
mirrors.rockylinux.org
Task 4
Advanced Filtering
- How many packets have only the TCP Reset (RST) flag set?
Run this command:
tcpdump -r traffic.pcap "tcp[tcpflags] == tcp-rst" | wc -l
57
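The wording "only the RST flag set" matters here: tcpdump's tcp[tcpflags] == tcp-rst compares the whole flags byte (tcp[13]) for equality, so RST/ACK segments do not count, whereas tcp[tcpflags] & tcp-rst != 0 would include them. The following Python example is added here and is not part of the room or of tcpdump; it builds a few constructed TCP headers and applies both checks so the difference is visible.

```python
import struct

# Flag bit values as tcpdump names them (tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg)
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCPFLAGS_OFFSET = 13  # tcp[tcpflags] is shorthand for tcp[13], the flags byte


def tcp_header(flags, sport=40000, dport=80):
    """Build a constructed 20-byte TCP header (no options) carrying the given flag bits."""
    data_offset = 5 << 4  # header length of 5 x 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 65535, 0, 0)


def flags_of(header):
    return header[TCPFLAGS_OFFSET]


def only_rst(header):
    """Same test as tcpdump's  tcp[tcpflags] == tcp-rst  : RST and nothing else."""
    return flags_of(header) == TCP_RST


def has_rst(header):
    """Same test as  tcp[tcpflags] & tcp-rst != 0  : RST, possibly with other flags."""
    return flags_of(header) & TCP_RST != 0


# Constructed sample "capture": a handshake, a data segment, and two kinds of reset.
SAMPLE = [
    tcp_header(TCP_SYN),
    tcp_header(TCP_SYN | TCP_ACK),
    tcp_header(TCP_ACK),
    tcp_header(TCP_PUSH | TCP_ACK),
    tcp_header(TCP_RST),            # bare reset, as sent in reply to a SYN on a closed port
    tcp_header(TCP_RST | TCP_ACK),  # reset of an established connection
]


def count(predicate, packets=SAMPLE):
    """Count packets matching the filter, as  tcpdump ... | wc -l  does for a pcap."""
    return sum(1 for p in packets if predicate(p))


if __name__ == "__main__":
    print("only RST:", count(only_rst))  # 1
    print("any RST: ", count(has_rst))   # 2
```

On a real capture, a large gap between the two counts usually means connection teardowns (RST/ACK) rather than closed-port probing, which is why the exact-match form is the one the question asks for.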
- What is the IP address of the host that sent packets larger than 15000 bytes?
Run this command:
tcpdump -r traffic.pcap greater 15000 -c 1 -n
185.117.80.53
Task 5
Displaying Packets
- What is the MAC address of the host that sent an ARP request?
Run this command:
tcpdump arp -r traffic.pcap -e
52:54:00:7c:d3:5b
Task 6
Conclusion
- Ensure you have noted the various Tcpdump options we covered in this room.
No answer needed