Overview
This lecture covers packet capture and analysis tools, focusing on TCPdump and Wireshark, their features, usage, and their importance in network security.
TCPdump Overview
- TCPdump is a lightweight, command-line tool for capturing and analyzing packets.
- It uses the open source libpcap library for packet capture.
- TCPdump can write packet captures to files for later analysis, sharing, or replay.
- It also reads packet capture files for review.
- By default, TCPdump provides a brief analysis, converting key Layer 3+ information into human-readable format.
- Output includes timestamp, protocol (e.g., IPv4), source/destination IP addresses and ports, TCP flags, sequence numbers, acknowledgment numbers, window size, options, and payload size.
- TCPdump resolves IPs to hostnames and ports to service names by default; this can be disabled with the -n flag.
- To view raw packet data as hexadecimal, use the -x or -X flags.
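As an added example (not part of the lecture), the script below reads a libpcap-format capture and produces a simplified version of TCPdump's default one-line summary: timestamp, source and destination IP and port left unresolved as -n does, TCP flags in TCPdump's letter notation, sequence and acknowledgment numbers, window size, and payload length. The three-packet capture it decodes is constructed inline, so it runs without a network interface or root privileges.

```python
import struct
from datetime import datetime, timezone

# tcpdump's flag letters, in the order tcpdump prints them: FIN SYN RST PSH ACK URG ECE CWR
TCP_FLAGS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
             (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]

def build_frame(src, dst, sport, dport, seq, ack, flags, win, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame (no TCP options, checksums zeroed) used as sample input."""
    eth = bytes(6) + bytes([0x02] * 6) + b"\x08\x00"  # dst MAC, src MAC, EtherType 0x0800 = IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, win, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp

def build_pcap(frames, ts_sec=1700000000):
    """libpcap file: 24-byte global header, then a 16-byte record header before each frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts_sec, i * 1000, len(frame), len(frame)) + frame
    return out

def summarize(pcap):
    """One line per TCP packet: time, IPs/ports (no name lookup, like -n), flags, seq, ack, win, length."""
    assert pcap[:4] == b"\xd4\xc3\xb2\xa1", "only little-endian microsecond pcap handled here"
    lines, off = [], 24
    while off < len(pcap):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # keep only IPv4 frames carrying TCP
            continue
        ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        tcp = frame[14 + ihl:14 + total_len]  # use IP total length so Ethernet padding is not counted
        sport, dport, seq, ack, doff, flags, win = struct.unpack_from("!HHIIBBH", tcp)
        payload_len = len(tcp) - (doff >> 4) * 4
        fl = "".join(c for bit, c in TCP_FLAGS if flags & bit) or "none"
        when = datetime.fromtimestamp(sec, timezone.utc).strftime("%H:%M:%S") + f".{usec:06d}"
        lines.append(f"{when} IP {src}.{sport} > {dst}.{dport}: Flags [{fl}], "
                     f"seq {seq}, ack {ack}, win {win}, length {payload_len}")
    return lines

# Constructed three-packet exchange: TCP handshake plus the first bytes of an HTTP request.
SAMPLE = build_pcap([
    build_frame("10.0.0.5", "10.0.0.80", 40000, 80, 1000, 0, 0x02, 65535),              # SYN
    build_frame("10.0.0.80", "10.0.0.5", 80, 40000, 5000, 1001, 0x12, 29200),           # SYN-ACK
    build_frame("10.0.0.5", "10.0.0.80", 40000, 80, 1001, 5001, 0x18, 65535, b"GET /"), # PSH-ACK
])
```

Running summarize(SAMPLE) yields three lines with Flags [S], [S.] and [P.], the same letters TCPdump uses for SYN, SYN-ACK and PSH-ACK; real TCPdump additionally prints relative sequence ranges and options, which this simplified decoder omits.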
Wireshark Overview
- Wireshark is a more powerful, graphical packet capture and analysis tool also using libpcap.
- It excels at protocol and application analysis, beyond TCPdump’s capabilities.
- Wireshark can decode encrypted payloads if keys are known and extract files from protocols like SMB or HTTP.
- Filters can be highly specific, e.g., searching for HTTP requests with certain URL strings.
- The interface has three panes: the packet list (top), the layered protocol details (middle), and the hex and ASCII bytes view (bottom).
- Packet list is color-coded by traffic type: green (TCP), light blue (UDP), dark blue (DNS), black (problematic TCP).
- Display filters (for shown packets) differ from capture filters (for capturing packets).
- Wireshark supports over 2,000 protocols and can reassemble and display entire TCP sessions.
- It can decode WPA/WEP wireless packets, Bluetooth, USB, Zigbee, carve files from transfers, and extract VoIP audio streams.
Packet Capture in Network Security
- Packet capture and analysis are essential for understanding traffic flow on a network.
- Traffic analysis helps with network security, similar to log analysis.
Key Terms & Definitions
- TCPdump — A command-line tool for packet capture and brief analysis using libpcap.
- Wireshark — A graphical application for deep packet inspection, protocol analysis, and traffic filtering.
- libpcap — An open-source library for packet capture, used by many network tools.
- Packet capture — The process of recording network packets for analysis.
- Traffic analysis — The inspection of captured packets to understand network activity.
Action Items / Next Steps
- Practice capturing and analyzing traffic with TCPdump and Wireshark.
- Explore TCPdump flags (-n, -x, -X) for customized output.
- Experiment with Wireshark’s display and capture filters.