Packet Capture Tools Overview

Jul 1, 2025

Overview

This lecture covers packet capture and analysis tools, focusing on TCPdump and Wireshark, their features, differences, and importance in network security.

TCPdump Overview

  • TCPdump is a lightweight, command-line utility for capturing and analyzing network packets.
  • Uses the open-source libpcap library for packet capture; a BPF capture filter expression (for example `tcp port 80`) limits what is captured in the first place.
  • Can write captures to a file (-w) and read them back (-r) for later analysis or replay.
  • By default prints one brief, human-readable line per packet (IP addresses, ports, etc.).
  • Each line includes the timestamp, protocol, source and destination (address and port), TCP flags, sequence and acknowledgment numbers, window size, options, and payload length.
  • Attempts to resolve addresses to hostnames and ports to service names; -n disables hostname lookup and -nn also disables port/service lookup. Leaving resolution on is slow and issues reverse-DNS queries that themselves add traffic to the network being observed.
  • Use -x to display raw packet data in hex, or -X for hex alongside ASCII.
  • Allows inspection of packet headers and fields directly.

Wireshark Overview

  • Wireshark is a graphical, advanced packet capture and analysis tool, also built on libpcap.
  • More powerful than TCPdump for protocol and application-layer analysis, with dissectors for hundreds of protocols.
  • Can decrypt encrypted payloads when the key material is supplied (for example TLS sessions with a key log file or RSA private key, or WPA traffic with the pre-shared key), and can extract files transferred over protocols it dissects (File > Export Objects).
  • Display filters operate on application-level fields (e.g. `http.request.uri contains "login"`).
  • Interface includes the packet list, the layered packet details pane, and a hex/ASCII bytes view.
  • Packet list is color-coded by protocol through configurable coloring rules and highlights problematic packets (retransmissions, checksum errors, resets).
  • Supports complex display filters by protocol and by specific field values.
  • Can follow and reassemble TCP streams, showing both sides of a conversation in order.
  • Supports wireless (WPA/WEP decryption), Bluetooth, USB, and Zigbee captures, file carving from reassembled streams, and audio playback of unencrypted VoIP (RTP) calls.
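The TCPdump points above (writing a capture with -w and reading it back with -r, the fields in a one-line summary) and Wireshark's Follow TCP Stream are easiest to understand by doing them by hand. The script below is an added example, not code from tcpdump or Wireshark: it writes and parses the classic libpcap file format directly instead of calling libpcap, prints tcpdump -n style lines from the decoded Ethernet/IPv4/TCP headers, and reassembles both directions of one connection by sequence number. Every MAC, IP address, port and payload in it is constructed sample data, and the function names are this example's own.

```python
"""Added example, not tcpdump or Wireshark source: write and read a libpcap file, print
tcpdump-style summary lines, and reassemble a TCP stream the way Follow TCP Stream does.
All MACs, IPs, ports and payloads are constructed sample data."""
import socket
import struct
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap magic; pcapng files begin 0x0A0D0D0A instead
LINKTYPE_ETHERNET = 1
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_LETTERS = [(FIN, "F"), (SYN, "S"), (RST, "R"), (PSH, "P"), (ACK, ".")]  # tcpdump's order

def build_tcp_frame(src, sport, dst, dport, seq, ack, flags, payload=b""):
    """Ethernet II + IPv4 + TCP; checksums left zero (Wireshark only flags that if validation is on)."""
    eth = bytes.fromhex("aabbccddeeff112233445566") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload

def write_pcap(records, snaplen=65535):
    """(sec, usec, frame) tuples -> pcap file bytes, the format tcpdump -w writes."""
    out = [struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for sec, usec, frame in records:
        out.append(struct.pack("=IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def read_pcap(data):
    """What tcpdump -r does: detect byte order from the magic, check the link type,
    and refuse records cut short by a truncated file."""
    order = {struct.pack("<I", PCAP_MAGIC): "<", struct.pack(">I", PCAP_MAGIC): ">"}.get(data[:4])
    if order is None:
        raise ValueError("not a classic microsecond-resolution pcap file")
    *_, linktype = struct.unpack(order + "IHHiIII", data[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    records, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record")
        records.append((sec, usec, frame))
        off += 16 + incl_len
    return records

def decode_tcp(frame):
    """Header fields tcpdump prints for an IPv4/TCP frame; None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
    tcp = frame[14 + ihl:14 + total_len]
    if len(tcp) < 20:
        return None
    sport, dport, seq, ack, doff, flags, win = struct.unpack("!HHIIBBH", tcp[:16])
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "win": win, "payload": tcp[(doff >> 4) * 4:]}

def summary_line(sec, usec, frame):
    """tcpdump -n style line (UTC here; absolute seq numbers, as with tcpdump -S)."""
    p = decode_tcp(frame)
    if p is None:
        return None
    flags = "".join(ch for bit, ch in FLAG_LETTERS if p["flags"] & bit) or "none"
    n, parts = len(p["payload"]), [f"Flags [{flags}]"]
    if n or p["flags"] & (SYN | FIN | RST):  # tcpdump's rule for when seq is shown
        parts.append(f"seq {p['seq']}:{p['seq'] + n}" if n else f"seq {p['seq']}")
    if p["flags"] & ACK:
        parts.append(f"ack {p['ack']}")
    parts += [f"win {p['win']}", f"length {n}"]
    ts = datetime.fromtimestamp(sec, tz=timezone.utc).strftime("%H:%M:%S")
    return f"{ts}.{usec:06d} IP {p['src']}.{p['sport']} > {p['dst']}.{p['dport']}: " + ", ".join(parts)

def follow_tcp_stream(records, client, server):
    """Wireshark's Follow TCP Stream: both directions' payload for one connection, ordered by
    sequence number (out-of-order segments land in place, exact retransmissions are dropped).
    Overlapping or missing segments are not repaired here."""
    segments = {"client": {}, "server": {}}
    for _sec, _usec, frame in records:
        p = decode_tcp(frame)
        if p is None or not p["payload"]:
            continue
        ends = ((p["src"], p["sport"]), (p["dst"], p["dport"]))
        direction = "client" if ends == (client, server) else "server" if ends == (server, client) else None
        if direction:
            segments[direction].setdefault(p["seq"], p["payload"])
    return {d: b"".join(segs[s] for s in sorted(segs)) for d, segs in segments.items()}

CLIENT, SERVER = ("10.0.0.1", 40000), ("10.0.0.2", 80)
REQUEST = b"GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n"
RESPONSE_HEAD, RESPONSE_BODY = b"HTTP/1.1 200 OK\r\n\r\n", b"<html>ok</html>"
T = 1_700_000_000
# Constructed capture: handshake, request, then the response body recorded before its headers (out of order).
SAMPLE_RECORDS = [
    (T, 100, build_tcp_frame(*CLIENT, *SERVER, 1000, 0, SYN)),
    (T, 200, build_tcp_frame(*SERVER, *CLIENT, 5000, 1001, SYN | ACK)),
    (T, 300, build_tcp_frame(*CLIENT, *SERVER, 1001, 5001, ACK)),
    (T, 400, build_tcp_frame(*CLIENT, *SERVER, 1001, 5001, PSH | ACK, REQUEST)),
    (T, 500, build_tcp_frame(*SERVER, *CLIENT, 5001 + len(RESPONSE_HEAD), 1001 + len(REQUEST), PSH | ACK, RESPONSE_BODY)),
    (T, 600, build_tcp_frame(*SERVER, *CLIENT, 5001, 1001 + len(REQUEST), ACK, RESPONSE_HEAD)),
]
SAMPLE_PCAP = write_pcap(SAMPLE_RECORDS)  # the bytes tcpdump -w would have put on disk
```

Calling `summary_line` on each record of `read_pcap(SAMPLE_PCAP)` gives lines such as `22:13:20.000100 IP 10.0.0.1.40000 > 10.0.0.2.80: Flags [S], seq 1000, win 65535, length 0` for the SYN and `Flags [P.], seq 1001:1044, ack 5001, win 65535, length 43` for the request, and `follow_tcp_stream(..., CLIENT, SERVER)` returns the request on the client side and the response headers followed by the body on the server side even though the body was captured first. The parser deliberately handles only Ethernet/IPv4/TCP in the classic microsecond pcap format; VLAN tags, IPv6, nanosecond captures and pcapng all make it return None or raise, which is the behaviour you want from a parser fed untrusted capture files.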

Security Applications

  • Packet capture and analysis are as central to network security as log analysis is to host security: the capture is the ground-truth record of what actually crossed the wire.
  • Traffic analysis builds an understanding of normal traffic flows, which is the baseline needed to spot, investigate and protect against abnormal ones.

Key Terms & Definitions

  • TCPdump — Command-line tool for capturing and analyzing network packets.
  • libpcap — Portable C library for packet capture and pcap file handling, used by TCPdump, Wireshark and many other tools.
  • Wireshark — Advanced graphical packet analysis tool supporting extensive protocols and features.
  • Traffic Analysis — Examination of network packet flows to understand or secure a network.

Action Items / Next Steps

  • Practice using TCPdump and Wireshark for packet capture and analysis.
  • Review how to apply filters and analyze output to identify network issues or security threats.