This post is a tutorial on the basics of TCPdump, a command-line packet capture tool commonly used in cybersecurity. It also provides the answers to the TryHackMe TCPDump room.

Introduction to TCPdump

TCPdump is a command-line tool for capturing and analyzing network traffic, a lightweight alternative to Wireshark that runs wherever you have a terminal. Both are built on libpcap, so the capture filter syntax shown here is the same one Wireshark accepts as a capture filter.

The tutorial covers capturing live traffic, reading packets from .pcap files, and using filters to extract insights.

Setting Up TCPdump

  • To capture live traffic, specify the network interface with the -i flag. Capturing needs root privileges (or the equivalent capabilities), hence sudo. If -i is omitted, tcpdump picks the first configured non-loopback interface it finds, which on a multi-homed host is rarely the one you want; on Linux, -i any captures on all interfaces at once.
    Example:
sudo tcpdump -i ens5

The command ip address show lists the available network interfaces and their addresses, so you can pick the right one.

Saving Captured Packets

To save captured packets for later analysis, -w writes the raw packets (not the printed summary lines) to a file:

sudo tcpdump -i ens5 -w packets.pcap

Reading from a Capture File

Packets can be read from .pcap files with -r. This needs only read access to the file, not superuser permissions:

tcpdump -r packets.pcap

Limiting Captured Packets

The -c flag stops tcpdump after the given number of packets has been captured (live) or processed (from a file). Only packets that pass the filter are counted.
Example:

tcpdump -r traffic.pcap -c 5
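Putting these steps together, here is an added example (not code from the original post) that picks an interface from ip -o link show output, captures a bounded number of packets to a file, and reads them back numerically. The interface-selection rule (first non-loopback interface flagged UP), the helper names, the file name and the 20-packet limit are this example's own choices, as is the constructed ip -o link show sample used to check the selection rule offline.

```shell
#!/bin/sh
# Added example: capture a bounded sample with tcpdump and read it back.
# Not from the original post; the helper names, interface-selection rule
# and file name are this example's own choices.
set -eu

# Print the first non-loopback interface whose flags include UP, given
# `ip -o link show` output on stdin.  Fields: "2:" "ens5:" "<FLAGS>" ...
# "[<,]UP[,>]" matches the UP flag but not LOWER_UP (preceded by "_").
# An interface that is UP with NO-CARRIER is still selected; adjust if needed.
first_up_interface() {
    awk '$2 != "lo:" && $3 ~ /[<,]UP[,>]/ { sub(/:$/, "", $2); print $2; exit }'
}

# Capture COUNT packets on IFACE into OUTFILE.  -w writes raw packets, so
# the file keeps everything, not just the summary lines printed on screen.
capture_sample() {  # capture_sample IFACE COUNT OUTFILE
    sudo tcpdump -i "$1" -c "$2" -w "$3"
}

# Read the first COUNT packets from a pcap.  -nn avoids DNS and service
# lookups; -r needs only read access to the file, not root.
read_back() {  # read_back PCAPFILE COUNT
    tcpdump -nn -r "$1" -c "$2"
}

# Constructed sample of `ip -o link show` output (not from a real host),
# used so the selection rule can be checked without capturing anything.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff'

# Applies the rule to the constructed sample; lo is skipped, eth0 is DOWN,
# so ens5 is selected.
demo_interface() {
    printf '%s\n' "$SAMPLE_IP_LINK" | first_up_interface
}

main() {
    command -v tcpdump >/dev/null || { echo "tcpdump not installed" >&2; exit 1; }
    iface=$(ip -o link show | first_up_interface)
    [ -n "$iface" ] || { echo "no interface is UP" >&2; exit 1; }
    echo "capturing 20 packets on $iface"
    capture_sample "$iface" 20 packets.pcap
    read_back packets.pcap 5
}

# Only touch the network when asked explicitly:  sh capture_demo.sh --run
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it with --run to capture for real; without the flag it only defines the helpers, which is what makes the selection rule easy to check against canned output.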

Disabling DNS and Port Resolution

Use -n to disable reverse DNS lookups of IP addresses and -nn to disable port and protocol name resolution as well. Beyond speed, this matters operationally: every lookup is a DNS query leaving the analyst's machine, which slows a live capture, can cause packet drops under load, and tells the resolver (and anyone watching it) which addresses you are investigating.

Verbose Mode

-v, -vv, and -vvv increase the verbosity of the output: -v adds details such as the IP TTL, identification and total length and enables header checksum verification, and each extra v adds more. Verbose output spans several lines per packet, which matters when you count packets by line (see below).

Basic Filtering Techniques

IP Address Filtering:

  • Filter by source or destination host; host on its own matches either direction. The argument can be an IP address or a name. A name is resolved once, when the filter is compiled, so prefer literal addresses when that lookup itself is unwanted.
tcpdump -r traffic.pcap src host tryhackme.com
tcpdump -r traffic.pcap dst host tryhackme.com

Port Filtering:

  • Filter by source or destination port (src port / dst port); port on its own matches either side of the conversation
tcpdump -r traffic.pcap dst port 80
tcpdump -r traffic.pcap port 80

Protocol Filtering:

  • Filter by protocols like ICMP, TCP, UDP
tcpdump -r traffic.pcap icmp
tcpdump -r traffic.pcap udp

Counting Packets

Without -v tcpdump prints one summary line per packet, so piping its output to wc -l counts packets (the "reading from file" banner goes to stderr and is not counted). Do not combine this with -v, which spreads each packet over several lines and inflates the count.

tcpdump -r traffic.pcap port 80 | wc -l

TCP Flags Filtering

TCP flags like SYN, ACK, FIN, RST, and PSH are used to filter packets by connection state. tcp[tcpflags] reads the flags byte of the TCP header (offset 13), and the named constants tcp-syn, tcp-ack and so on are its bit values.
Example for SYN flag only (an exact match on the whole flags byte, so a SYN-ACK does not match):

tcpdump -r traffic.pcap 'tcp[tcpflags] == tcp-syn'
  • Test for a bit regardless of the other flags with a bitwise AND; this matches every packet with SYN set, SYN-ACKs included. Several flags can be OR-ed inside the mask, for example (tcp-syn|tcp-fin).
tcpdump -r traffic.pcap 'tcp[tcpflags] & tcp-syn != 0'
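Tying the counting and flag sections together, here is an added example (not code from the original post). It counts packets from tcpdump output by matching the leading timestamp rather than relying on wc -l, which miscounts once -v spreads a packet over several lines, and reports how many packets match several TCP-flag expressions side by side. The function names and the constructed sample lines are this example's own.

```shell
#!/bin/sh
# Added example: count packets per TCP-flag filter without the wc -l pitfall.
# Not from the original post; helper names and sample lines are constructed here.
set -eu

# tcpdump prints one summary line per packet, but with -v the detail
# continues on indented lines.  Count only lines that start with the
# default HH:MM:SS.usec timestamp, so the count is right with or without -v.
# (Assumes the default timestamp format; -t or -tttt change it.)
count_packets() {
    awk '/^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+ / { n++ } END { print n + 0 }'
}

# Number of packets in PCAP matching the BPF expression EXPR.
flag_count() {  # flag_count PCAP EXPR
    tcpdump -nn -r "$1" "$2" 2>/dev/null | count_packets
}

# Flag filters side by side.  "==" is an exact match on the whole flag
# byte (tcp[13]); "& ... != 0" tests that a bit is set regardless of the rest.
flag_report() {  # flag_report PCAP
    p=$1
    printf '%-34s %s\n' 'SYN only (new connections)'   "$(flag_count "$p" 'tcp[tcpflags] == tcp-syn')"
    printf '%-34s %s\n' 'SYN+ACK only (accepted)'      "$(flag_count "$p" 'tcp[tcpflags] == (tcp-syn|tcp-ack)')"
    printf '%-34s %s\n' 'RST only (refused/aborted)'   "$(flag_count "$p" 'tcp[tcpflags] == tcp-rst')"
    printf '%-34s %s\n' 'SYN set (any others allowed)' "$(flag_count "$p" 'tcp[tcpflags] & tcp-syn != 0')"
    printf '%-34s %s\n' 'FIN or RST set (teardowns)'   "$(flag_count "$p" 'tcp[tcpflags] & (tcp-fin|tcp-rst) != 0')"
}

# Constructed sample of `tcpdump -nn -v` output (not a real capture):
# two packets, four lines.
SAMPLE_VERBOSE='12:00:01.000001 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.5.51234 > 203.0.113.10.80: Flags [S], seq 1, win 64240, options [mss 1460], length 0
12:00:01.020002 IP (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.10.80 > 10.0.0.5.51234: Flags [S.], seq 100, ack 2, win 65160, options [mss 1460], length 0'

# Shows the difference on the sample: wc -l reports 4, count_packets reports 2.
demo_wc_count()     { printf '%s\n' "$SAMPLE_VERBOSE" | wc -l | tr -d ' '; }
demo_packet_count() { printf '%s\n' "$SAMPLE_VERBOSE" | count_packets; }

# Usage:  sh flag_report.sh --report traffic.pcap
if [ "${1:-}" = "--report" ]; then
    flag_report "${2:-traffic.pcap}"
fi
```

The SYN-only and SYN-set counts differ by exactly the number of SYN-ACKs (and any odd combinations such as SYN+FIN), which is a quick way to spot scans: many SYNs with few accepted connections.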

Conclusion

  • The post emphasizes using TCPdump efficiently to analyze network traffic and detect anomalies.
  • Practical demonstrations cover real-world scenarios for network analysis.

TryHackMe TCPDump | Room Answers

What is the name of the library that is associated with tcpdump?

libpcap

What option can you add to your command to display addresses only in numeric format?

-n

How many packets in traffic.pcap use the ICMP protocol?

26

What is the IP address of the host that asked for the MAC address of 192.168.124.137?

192.168.124.148

What hostname (subdomain) appears in the first DNS query?

mirrors.rockylinux.org

How many packets have only the TCP Reset (RST) flag set?

57

What is the IP address of the host that sent packets larger than 15000 bytes?

185.117.80.53

What is the MAC address of the host that sent an ARP request?

52:54:00:7c:d3:5b
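The filters behind each of these answers, as an added example (not code from the room or the original post). Each function runs one filter against a pcap and trims the output to the field the question asks for. The constructed sample lines near the end mimic tcpdump's default -nn output format so the parsing can be checked without the room's traffic.pcap; function names, the sample lines and the parsing rules are this example's own choices.

```shell
#!/bin/sh
# Added example: one tcpdump filter per TryHackMe question.  Not code from
# the room or the original post; helper names, the sample lines and the
# parsing rules are constructed for this example.
set -eu

# How many packets use ICMP?  Without -v every packet is one line, so wc -l
# counts packets; tcpdump's "reading from file" banner goes to stderr.
icmp_count() { tcpdump -nn -r "$1" icmp 2>/dev/null | wc -l | tr -d ' '; }

# How many packets have only RST set?  "==" compares the whole flags byte.
rst_only_count() {
    tcpdump -nn -r "$1" 'tcp[tcpflags] == tcp-rst' 2>/dev/null | wc -l | tr -d ' '
}

# Who asked for TARGET's MAC?  tcpdump prints ARP requests as
# "ARP, Request who-has <target> tell <sender>, length N"; print the sender.
arp_asker_for() {  # arp_asker_for TARGET_IP   (tcpdump output on stdin)
    awk -v t="$1" '/ARP, Request who-has/ {
        for (i = 1; i <= NF; i++)
            if ($i == "who-has" && $(i + 1) == t) { s = $(i + 3); sub(/,$/, "", s); print s; exit }
    }'
}
arp_asker() { tcpdump -nn -r "$1" arp 2>/dev/null | arp_asker_for "$2"; }

# Source MAC of an ARP request.  arp[6:2] is the ARP opcode (1 = request);
# -e prints the link-layer header, whose first field after the timestamp
# is the source MAC.
arp_request_mac() {
    tcpdump -nn -e -r "$1" 'arp[6:2] == 1' 2>/dev/null | awk '{ print $2; exit }'
}

# First DNS query name.  A query line ends "<id>+ A? name. (len)"; take the
# token after the "<TYPE>?" marker and drop the trailing root dot.
first_dns_qname() {  # tcpdump output on stdin
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^[A-Za-z0-9]+\?$/) { n = $(i + 1); sub(/\.$/, "", n); print n; exit } }'
}
first_dns_query() { tcpdump -nn -r "$1" -c 1 'udp dst port 53' 2>/dev/null | first_dns_qname; }

# Unique source IPs from "<ts> IP a.b.c.d.port > ..." lines on stdin.
source_ips() {
    awk '$2 == "IP" { split($3, a, "."); print a[1] "." a[2] "." a[3] "." a[4] }' | sort -u
}

# Which host sent packets larger than BYTES?  "greater N" means length >= N,
# hence the +1 for a strict comparison.
big_senders() {  # big_senders PCAP [BYTES]
    tcpdump -nn -r "$1" "greater $((${2:-15000} + 1))" 2>/dev/null | source_ips
}

# Constructed lines in tcpdump's default -nn output format (not from the
# room's capture), so the parsers can be checked without traffic.pcap.
SAMPLE_ARP='12:00:00.000001 ARP, Request who-has 192.168.124.1 tell 192.168.124.137, length 46
12:00:00.000900 ARP, Request who-has 192.168.124.137 tell 192.168.124.148, length 46'
SAMPLE_DNS='12:00:01.000001 IP 192.168.124.137.44321 > 192.168.124.1.53: 12345+ A? mirrors.rockylinux.org. (41)'
SAMPLE_BIG='12:00:02.000001 IP 185.117.80.53.443 > 192.168.124.137.51000: Flags [.], seq 1:16385, ack 1, win 501, length 16384
12:00:02.000500 IP 185.117.80.53.443 > 192.168.124.137.51000: Flags [.], seq 16385:32769, ack 1, win 501, length 16384'

demo_arp_asker()   { printf '%s\n' "$SAMPLE_ARP" | arp_asker_for 192.168.124.137; }
demo_dns_qname()   { printf '%s\n' "$SAMPLE_DNS" | first_dns_qname; }
demo_big_senders() { printf '%s\n' "$SAMPLE_BIG" | source_ips; }

# Run every query against a real capture:  sh room_queries.sh --solve traffic.pcap
if [ "${1:-}" = "--solve" ]; then
    p=${2:-traffic.pcap}
    echo "ICMP packets:      $(icmp_count "$p")"
    echo "RST-only packets:  $(rst_only_count "$p")"
    echo "asked for .137:    $(arp_asker "$p" 192.168.124.137)"
    echo "ARP request MAC:   $(arp_request_mac "$p")"
    echo "first DNS query:   $(first_dns_query "$p")"
    echo "senders >15000 B:  $(big_senders "$p" | tr '\n' ' ')"
fi
```

Two details are easy to get wrong here: greater is a "greater than or equal" test, and the first packet on port 53 may be a response rather than a query unless you restrict to udp dst port 53.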


About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
