WEBVTT

0:00:02.980000 --> 0:00:07.300000
In this video, we will be using a tool called tcpdump.

0:00:07.300000 --> 0:00:11.900000
tcpdump is the traffic acquisition tool of choice when it comes to performance.

0:00:11.900000 --> 0:00:15.960000
Due to its low overhead and the lack of a graphical user interface, the

0:00:15.960000 --> 0:00:19.560000
traffic capturing and analysis process requires less memory.

0:00:19.560000 --> 0:00:23.140000
As you can imagine, this is of great importance when capturing and analyzing

0:00:23.140000 --> 0:00:25.460000
the traffic of a big network.

0:00:25.460000 --> 0:00:29.240000
tcpdump is the best tool for this, and you will most likely need it for

0:00:29.240000 --> 0:00:30.680000
traffic acquisition.

0:00:30.680000 --> 0:00:33.180000
In other words, traffic capturing.

0:00:33.180000 --> 0:00:37.960000
To use tcpdump, we need to run it with root privileges, so I'm going

0:00:37.960000 --> 0:00:40.660000
to use it with sudo like this.

0:00:40.660000 --> 0:00:47.920000
Or we can use the -n switch.

0:00:47.920000 --> 0:00:53.160000
We can now see that it is capturing the traffic.

0:00:53.160000 --> 0:00:56.320000
Let's open this web browser to see what type of traffic is being captured

0:00:56.320000 --> 0:00:58.720000
and what the -n switch means.

0:00:58.720000 --> 0:01:04.240000
Some traffic has been generated when we opened this.

0:01:04.240000 --> 0:01:07.920000
We also press Ctrl+C to stop it.

0:01:07.920000 --> 0:01:10.920000
The first column represents the arrival timestamp of the packet.

0:01:10.920000 --> 0:01:14.620000
To the right of that, this represents the protocol carrying the packet.

0:01:14.620000 --> 0:01:19.900000
This represents the source IP of the packet.

0:01:19.900000 --> 0:01:23.660000
Here's the source port of the packet, that is, which port this is coming

0:01:23.660000 --> 0:01:28.620000
from. This represents the flow direction.

0:01:28.620000 --> 0:01:33.800000
So this IP is communicating with this IP, which is the destination.

0:01:33.800000 --> 0:01:39.600000
And this is the destination port.

0:01:39.600000 --> 0:01:42.140000
Here we see the flags.

0:01:42.140000 --> 0:01:47.960000
For example, here we have P, which is for push.

0:01:47.960000 --> 0:01:51.820000
Here we have S for a SYN packet.

0:01:51.820000 --> 0:01:58.760000
Here's the sequence number, the window size and other options.

0:01:58.760000 --> 0:02:05.580000
I like to use the -n switch because it displays the results in a numeric

0:02:05.580000 --> 0:02:10.720000
format. It won't display results using any host resolution.

0:02:10.720000 --> 0:02:14.080000
So let's remove this and do another test.

0:02:14.080000 --> 0:02:20.980000
I'll also press Ctrl+C again.

0:02:20.980000 --> 0:02:27.500000
Here we can see the home router, CPE domain.

0:02:27.500000 --> 0:02:30.380000
We can also see that there's been some resolution.

0:02:30.380000 --> 0:02:35.060000
Let's do another test.

0:02:35.060000 --> 0:02:40.380000
I'll go ahead and run it again.

0:02:40.380000 --> 0:02:45.480000
Now let's go to eLearnSecurity.

0:02:45.480000 --> 0:02:48.740000
So now we can see a lot of resolutions.

0:02:48.740000 --> 0:03:00.400000
If it can resolve an IP to a hostname, it will do that.

0:03:00.400000 --> 0:03:04.320000
It won't display details in numeric values, except when there's no resolution

0:03:04.320000 --> 0:03:06.260000
for an IP address.

0:03:06.260000 --> 0:03:10.660000
So, what if we want to specify the interface?

0:03:10.660000 --> 0:03:19.720000
If we type in ifconfig, it displays the interfaces we have on our machine.

0:03:19.720000 --> 0:03:23.720000
We can specify the interface we want to use with the -i switch

0:03:23.720000 --> 0:03:26.500000
and then specify the interface we want.

0:03:26.500000 --> 0:03:31.460000
We only have one interface, which is why I specified eth0.

0:03:31.460000 --> 0:03:35.580000
This is extremely useful when you want to listen on a specific interface.

0:03:35.580000 --> 0:03:43.360000
And here, we can see that we are now listening on this specific interface.

0:03:43.360000 --> 0:03:47.820000
What if we want to run on a specific interface but only capture five packets?

0:03:47.820000 --> 0:03:51.000000
-c will allow us to do that and we'll be able to capture only five

0:03:51.000000 --> 0:03:56.420000
packets. So here we have the first and second packet.

0:03:56.420000 --> 0:03:59.440000
Now we have the third and fourth packet as well as the fifth.

0:03:59.440000 --> 0:04:02.540000
Here, we can see that five packets have been captured and zero packets

0:04:02.540000 --> 0:04:04.720000
have been dropped by the kernel.

0:04:04.720000 --> 0:04:08.700000
This is very useful when you want to capture a specific number of packets.

0:04:08.700000 --> 0:04:14.860000
So now, let's say that we want to capture two packets, but we want them

0:04:14.860000 --> 0:04:16.820000
displayed in ASCII format.

0:04:16.820000 --> 0:04:19.400000
We can do that by using -A.

0:04:19.400000 --> 0:04:28.240000
We saw these details earlier and know what this means.

0:04:28.240000 --> 0:04:31.680000
This here is the duration and this is the arrival time.

0:04:31.680000 --> 0:04:34.060000
Here is the protocol that is carrying the packet.

0:04:34.060000 --> 0:04:36.880000
This is the source IP and source port.

0:04:36.880000 --> 0:04:41.640000
This is the destination IP and destination port.

0:04:41.640000 --> 0:04:46.180000
This is the protocol and lastly, we have the length of the packet.

0:04:46.180000 --> 0:04:49.060000
Here we can see the contents of this packet and it's displayed in ASCII

0:04:49.060000 --> 0:04:53.340000
as that is what we specified.

0:04:53.340000 --> 0:04:56.780000
What if we no longer want to display it in ASCII and we want to display

0:04:56.780000 --> 0:04:58.240000
it in hexadecimal?

0:04:58.240000 --> 0:05:01.180000
We can do that with the -XX switch.

0:05:01.180000 --> 0:05:07.220000
Now, everything is displayed in hexadecimal.

0:05:07.220000 --> 0:05:13.320000
What if we want to check the source and destination MAC addresses?

0:05:13.320000 --> 0:05:16.180000
We can do that using the -e switch.

0:05:16.180000 --> 0:05:19.360000
It will add the MAC addresses.

0:05:19.360000 --> 0:05:22.160000
This may be useful for you if you want to know what MAC addresses are

0:05:22.160000 --> 0:05:33.480000
available. As you can see here, it will show the MAC address of the source

0:05:33.480000 --> 0:05:37.020000
and the MAC address of the destination, which usually might be the router,

0:05:37.020000 --> 0:05:39.400000
instead of IP addresses.

0:05:39.400000 --> 0:05:43.880000
What if we want to show the inter-arrival time instead of the arrival

0:05:43.880000 --> 0:05:45.200000
time in the results?

0:05:45.200000 --> 0:05:48.120000
We can do that with -ttt.

0:05:48.120000 --> 0:05:55.360000
This will show the inter-arrival time instead of the arrival time in the

0:05:55.360000 --> 0:06:01.900000
results. Everything we've seen thus far was simply displaying results

0:06:01.900000 --> 0:06:06.940000
on the fly. So, we haven't actually captured anything.

0:06:06.940000 --> 0:06:09.240000
But what if we want to capture something?

0:06:09.240000 --> 0:06:13.520000
What if we want to store what we are capturing?

0:06:13.520000 --> 0:06:17.260000
For example, we can do this by using -c.

0:06:17.260000 --> 0:06:19.940000
And let's say we want to capture 10 packets.

0:06:19.940000 --> 0:06:23.300000
And then -w capture.pcap to store it.

0:06:23.300000 --> 0:06:30.120000
Now, it will capture 10 packets and it's also listening on eth0.

0:06:30.120000 --> 0:06:33.020000
Let's go to our web browser real quick.

0:06:33.020000 --> 0:06:38.960000
So now, it shows us that 10 packets were captured and stored in the file.

0:06:38.960000 --> 0:06:42.200000
And we used the -w switch to save them.

0:06:42.200000 --> 0:06:45.560000
What if we want to read this file?

0:06:45.560000 --> 0:06:50.080000
We can use -r and then capture.pcap to read the capture.

0:06:50.080000 --> 0:06:58.760000
So, -w will write to a capture file, while -r will read the

0:06:58.760000 --> 0:07:05.920000
capture. You can also apply the options which we used earlier, -A

0:07:05.920000 --> 0:07:10.060000
and -XX.

0:07:10.060000 --> 0:07:13.740000
So, -A will read the capture file and interpret all the details in

0:07:13.740000 --> 0:07:19.380000
ASCII values. What -XX will do is read the capture and interpret

0:07:19.380000 --> 0:07:24.060000
the results using hexadecimal.

0:07:24.060000 --> 0:07:28.360000
And here, we can see the details.

0:07:28.360000 --> 0:07:32.960000
What if we want to capture packets that are greater than a specific size?

0:07:32.960000 --> 0:07:36.380000
We can do that by entering greater and then a specific size; here I used

0:07:36.380000 --> 0:07:53.360000
1,024. Here we see that these packets are all greater than 1,024.

0:07:53.360000 --> 0:07:56.480000
So, all you need to do is specify the packet size in bytes.

0:07:56.480000 --> 0:07:59.720000
And here, we can see they are greater than our specified size.

0:07:59.720000 --> 0:08:03.380000
What if we want to capture packets that are less than this size?

0:08:03.380000 --> 0:08:05.960000
We can simply change greater to less.

0:08:05.960000 --> 0:08:08.220000
Let's go ahead and write this too.

0:08:08.220000 --> 0:08:11.260000
We'll say -w less.pcap.

0:08:11.260000 --> 0:08:17.440000
So, this will write any packets that are less than 1,024.

0:08:17.440000 --> 0:08:21.280000
Now, I'm going to do some browsing to generate some packets.

0:08:21.280000 --> 0:08:32.620000
Here, we can see that 484 packets were captured.

0:08:32.620000 --> 0:08:38.840000
Now, let's read the pcap by typing in sudo tcpdump -r less.pcap.

0:08:38.840000 --> 0:08:43.060000
All of the packets are displayed.

0:08:43.060000 --> 0:08:48.720000
We can see various lengths, ranging from 46 to 319 to 93 and many more.

0:08:48.720000 --> 0:08:52.880000
This is really useful when you want to filter traffic based on packet

0:08:52.880000 --> 0:08:58.940000
size. What if we want to capture traffic, but for a specific protocol?

0:08:58.940000 --> 0:09:04.500000
So, let's type in tcpdump and then -n, for numeric output.

0:09:04.500000 --> 0:09:07.740000
And then, we want to capture the ARP protocol.

0:09:07.740000 --> 0:09:13.360000
Let's also add a few more things: -c 2, so we capture two packets.

0:09:13.360000 --> 0:09:18.880000
So now, we're going to only filter for any traffic that is ARP, and we

0:09:18.880000 --> 0:09:20.640000
want to capture two packets.

0:09:20.640000 --> 0:09:27.040000
So, we need to wait for just a bit.

0:09:27.040000 --> 0:09:29.140000
Let's try a different protocol.

0:09:29.140000 --> 0:09:34.600000
Let's use TCP. We can see here that as soon as we specified the protocol,

0:09:34.600000 --> 0:09:36.500000
we got the results back.

0:09:36.500000 --> 0:09:41.260000
So, both of these packets are actually using the TCP protocol, which is

0:09:41.260000 --> 0:09:43.360000
why they were captured.

0:09:43.360000 --> 0:09:48.540000
This is based on protocol, but instead of specifying a protocol, what

0:09:48.540000 --> 0:09:52.620000
if we wanted to specify the port?

0:09:52.620000 --> 0:09:57.740000
Let's say we want port 443, and we also want to capture four packets going

0:09:57.740000 --> 0:10:01.740000
to this port, which is for HTTPS.

0:10:01.740000 --> 0:10:05.100000
Here we have two packets.

0:10:05.100000 --> 0:10:10.220000
And here's our final two.

0:10:10.220000 --> 0:10:16.780000
So, we were able to capture four packets and specify the destination port.

0:10:16.780000 --> 0:10:20.740000
What if we want to capture traffic for a specific source IP?

0:10:20.740000 --> 0:10:29.800000
So, let's type in sudo tcpdump -n -c, and then we want to

0:10:29.800000 --> 0:10:31.620000
capture four packets.

0:10:31.620000 --> 0:10:36.580000
Now, let's enter src, and then we want to capture for this IP address

0:10:36.580000 --> 0:10:43.900000
here. So, this will capture traffic in numerical format, capture four

0:10:43.900000 --> 0:10:47.720000
packets, and the source is 10.0.2.15.

0:10:47.720000 --> 0:10:52.800000
So, here we can see that all four of these packets have a source IP like

0:10:52.800000 --> 0:11:00.220000
that. Let's add another filter and put in port 80.

0:11:00.220000 --> 0:11:12.200000
Also, let's change the source to destination.

0:11:12.200000 --> 0:11:15.460000
We'll use this here.

0:11:15.460000 --> 0:11:17.720000
We'll update src to dst.

0:11:17.720000 --> 0:11:21.340000
And then let's add this.

0:11:21.340000 --> 0:11:26.540000
And let's actually change the port from 80 to 443.

0:11:26.540000 --> 0:11:28.460000
I forgot to add the and.

0:11:28.460000 --> 0:11:29.760000
I'll do that now.

0:11:29.760000 --> 0:11:34.980000
Now, this will capture traffic going to this IP that's going to this specific

0:11:34.980000 --> 0:11:38.360000
port. It will only capture four packets.

0:11:38.360000 --> 0:11:47.800000
Let's go over to our web browser really quick.

0:11:47.800000 --> 0:11:57.320000
So, we managed to capture four packets going to the destination 64.233.167.156

0:11:57.320000 --> 0:12:00.920000
on port 443.

0:12:00.920000 --> 0:12:03.680000
Can we store this?

0:12:03.680000 --> 0:12:09.620000
Yes, we can. We can just enter -w dst1.pcap.

0:12:09.620000 --> 0:12:17.080000
Let's just generate some traffic.

0:12:17.080000 --> 0:12:26.880000
Finally, we got some traffic.

0:12:26.880000 --> 0:12:30.320000
If we want to read it, we'll just enter what we've done previously.

0:12:30.320000 --> 0:12:35.560000
tcpdump -r dst1.pcap.

0:12:35.560000 --> 0:12:38.460000
This is the traffic we captured.

0:12:38.460000 --> 0:12:42.320000
This is very useful when you want to specify and capture traffic as well

0:12:42.320000 --> 0:12:44.280000
as apply filters.

0:12:44.280000 --> 0:12:49.680000
This time, let's capture to dst2.pcap and we'll do another filter.

0:12:49.680000 --> 0:13:07.600000
Let's capture 10 packets and this time we'll specify not tcp and icmp.

0:13:07.600000 --> 0:13:11.940000
Let's go here and do a ping to elearnsecurity.com.

0:13:11.940000 --> 0:13:19.860000
Great, we finished.

0:13:19.860000 --> 0:13:23.020000
Let's just stop this one here.

0:13:23.020000 --> 0:13:25.120000
Let's clear this.

0:13:25.120000 --> 0:13:28.820000
So, in this capture, we specified that we didn't want any TCP by inputting

0:13:28.820000 --> 0:13:34.340000
not tcp. And then we also specified that we wanted only ICMP by inputting

0:13:34.340000 --> 0:13:46.460000
and icmp. So now, if we enter tcpdump -r and then dst2.pcap, what

0:13:46.460000 --> 0:13:49.300000
we'll only see is ICMP packets.

0:13:49.300000 --> 0:13:53.380000
There are a lot of capture filters that can be applied.

0:13:53.380000 --> 0:13:55.340000
I highly recommend you check this out.

0:13:55.340000 --> 0:13:59.300000
All you need to know is the BPF, the Berkeley Packet Filter directives

0:13:59.300000 --> 0:14:02.820000
that are being used, so you can easily switch between these filters and

0:14:02.820000 --> 0:14:04.600000
even apply your own filters.

0:14:04.600000 --> 0:14:10.080000
There are more complex filters, but these are the basics to get you started.

0:14:10.080000 --> 0:14:13.720000
I want to add one final point before we conclude this video lesson.

0:14:13.720000 --> 0:14:20.580000
Let's enter in sudo tcpdump -c, and we'll capture four packets.

0:14:20.580000 --> 0:14:27.360000
Next, we'll type in not arp and not icmp, but we want to go to the destination

0:14:27.360000 --> 0:14:49.760000
www.google.com. I just needed to add the and at the end.

0:14:49.760000 --> 0:15:03.340000
So, let's run this in the background and now let's go to google.com.

0:15:03.340000 --> 0:15:08.080000
We managed to capture four packets, which are not ARP and are also not

0:15:08.080000 --> 0:15:13.120000
ICMP, but we wanted to capture packets when the destination was the hostname.

0:15:13.120000 --> 0:15:18.180000
I wanted to show you this, as with the hostname you don't have to specify

0:15:18.180000 --> 0:15:22.840000
IP addresses; rather, we can just specify a hostname.

0:15:22.840000 --> 0:15:26.160000
This one here did not work because the hostname was misspelled and I did

0:15:26.160000 --> 0:15:29.420000
not put the and directive after not icmp.

0:15:29.420000 --> 0:15:33.680000
To continue, it needed to know what I wanted it to do.

0:15:33.680000 --> 0:15:38.380000
When we went to dst, it captured all of these packets that were destined

0:15:38.380000 --> 0:15:43.940000
to google.com. So, that's all for this video.

0:15:43.940000 --> 0:15:46.960000
I hope you found this video beneficial to you and that you start capturing

0:15:46.960000 --> 0:15:48.760000
traffic using tcpdump.

0:15:48.760000 --> 0:15:51.900000
All you need is to practice a few times and then you should be good to

0:15:51.900000 --> 0:15:54.700000
go to capture your own network traffic.

0:15:54.700000 --> 0:15:59.680000
And this concludes our video lesson on acquiring network traffic using