Link to my Notion Notes - Steps for installation and initial packet captures using TCPDUMP and Wireshark
My YouTube Video - Showing my steps for installation and initial use of TCPDUMP and Wireshark
My Home Network
Nothing really fancy; probably what everyone else's home network looks like.
I decided to further investigate my computer named “titan” because I use this computer every day. It has an IP address of 10.0.0.24 on my local network, assigned by my router’s DHCP. I executed a packet dump using TCPDUMP. Just to make sure I could understand the output from the tool, I performed a ping and an nslookup command going to google.com. I also went to YouTube to run a video to see if I could capture some other kinds of traffic, such as UDP packets.
TCPDUMP Fun
When running TCPDUMP, below is a snippet of the lines captured when I performed the ping and nslookup to google.com. I did see various other traffic, but I was not exactly sure what it was, and I feel I need to get more experience with the tooling and how to filter through all the noise. These lines had “AAAA” in them, and I saw them pop up in the terminal as I was doing the ping and nslookup. The book Digital Forensics and Incident Response (Second Edition) by Gerard Johansen has a lot of good information on the various switches to try with the base command (Johansen, 2020). I was able to use the help command as well as the switches for verbose output to get more information during the packet capture process.
Below are some of the lines captured when watching a YouTube video. I figured there would be some sort of streaming traffic and UDP packets, which there were!
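To make the "filter through the noise" step concrete, here is a small parser for the text lines that `tcpdump -n` prints, added to these notes as an example (it is not code from tcpdump, Wireshark, or Johansen's book). It classifies each line as DNS, ICMP, UDP or TCP, pulls the A/AAAA/PTR record types out of the DNS lines, and filters the capture down to one host in the same way a Wireshark display filter such as `ip.addr == 10.0.0.24 && dns` would. The sample lines are constructed to resemble the ping, nslookup and video traffic described above; 10.0.0.24 is "titan" from the notes, 10.0.0.1 is assumed to be the router's DNS forwarder, and the remaining addresses are documentation-range placeholders, not real captured values.

```python
"""Parse `tcpdump -n` text output and summarize it by protocol and DNS record type.
Example code added to these notes; not part of tcpdump or Wireshark.
The sample lines are CONSTRUCTED to look like tcpdump output, not a real capture."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: 10.0.0.24 is "titan"; 10.0.0.1 is an assumed router/DNS
# forwarder; 192.0.2.1, 203.0.113.10 and 2001:db8::1 are documentation-range
# placeholders. The last line imitates mDNS chatter from another device in the house.
SAMPLE_LINES = """\
12:34:56.789012 IP 10.0.0.24.51234 > 10.0.0.1.53: 12345+ A? google.com. (28)
12:34:56.799012 IP 10.0.0.1.53 > 10.0.0.24.51234: 12345 1/0/0 A 192.0.2.1 (44)
12:34:56.800000 IP 10.0.0.24.51235 > 10.0.0.1.53: 12346+ AAAA? google.com. (28)
12:34:56.810000 IP 10.0.0.1.53 > 10.0.0.24.51235: 12346 1/0/0 AAAA 2001:db8::1 (56)
12:34:57.000000 IP 10.0.0.24 > 192.0.2.1: ICMP echo request, id 1234, seq 1, length 64
12:34:57.020000 IP 192.0.2.1 > 10.0.0.24: ICMP echo reply, id 1234, seq 1, length 64
12:35:00.000000 IP 10.0.0.24.44321 > 203.0.113.10.443: UDP, length 1350
12:35:00.001000 IP 203.0.113.10.443 > 10.0.0.24.44321: UDP, length 1200
12:35:00.002000 IP 10.0.0.24.55000 > 203.0.113.10.443: Flags [.], ack 1, win 501, length 0
12:35:00.003000 IP 10.0.0.30.5353 > 224.0.0.251.5353: 0 PTR (QM)? _googlecast._tcp.local. (40)
""".splitlines()


@dataclass
class Packet:
    ts: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str                        # DNS, ICMP, UDP, TCP or OTHER
    dns_qtype: Optional[str] = None   # A, AAAA, PTR, ... (queries and answers)
    dns_name: Optional[str] = None    # queried name (queries only)
    dns_answer: Optional[str] = None  # first answer record (responses only)


# Only IPv4 lines ("IP ...") are handled; ARP and IP6 lines return None.
HEADER_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$")
# e.g. "12345+ A? google.com. (28)"  or mDNS "0 PTR (QM)? name. (40)"
QUERY_RE = re.compile(r"^\d+\+?\s+(?:\[[^\]]+\]\s+)?(?P<qtype>[A-Z]+)(?: \(Q[MU]\))?\? (?P<name>\S+) \(\d+\)$")
# e.g. "12345 1/0/0 A 192.0.2.1 (44)"; only the first answer record is kept
ANSWER_RE = re.compile(r"^\d+[*$|-]*\s+\d+/\d+/\d+ (?P<qtype>[A-Z]+) (?P<answer>[^,\s]+)")


def _split_endpoint(endpoint: str):
    """'10.0.0.24.51234' -> ('10.0.0.24', 51234); tcpdump appends the port with a dot."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_line(line: str) -> Optional[Packet]:
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    if rest.startswith("ICMP"):          # ICMP lines carry no ports
        return Packet(m["ts"], m["src"], None, m["dst"], None, "ICMP")
    src, sport = _split_endpoint(m["src"])
    dst, dport = _split_endpoint(m["dst"])
    pkt = Packet(m["ts"], src, sport, dst, dport, "OTHER")
    if rest.startswith("Flags ["):
        pkt.proto = "TCP"
    elif rest.startswith("UDP"):
        pkt.proto = "UDP"
    elif 53 in (sport, dport) or 5353 in (sport, dport):   # DNS or mDNS
        pkt.proto = "DNS"
        q, a = QUERY_RE.match(rest), ANSWER_RE.match(rest)
        if q:
            pkt.dns_qtype, pkt.dns_name = q["qtype"], q["name"]
        elif a:
            pkt.dns_qtype, pkt.dns_answer = a["qtype"], a["answer"]
    return pkt


def parse_capture(lines):
    return [p for p in (parse_line(l) for l in lines) if p]


def protocol_counts(packets) -> dict:
    return dict(Counter(p.proto for p in packets))


def dns_queries(packets):
    return [(p.dns_qtype, p.dns_name) for p in packets if p.proto == "DNS" and p.dns_name]


def dns_answers(packets) -> dict:
    out = {}
    for p in packets:
        if p.proto == "DNS" and p.dns_answer:
            out.setdefault(p.dns_qtype, []).append(p.dns_answer)
    return out


def involving(packets, host: str, proto: Optional[str] = None):
    """Text equivalent of the Wireshark display filter `ip.addr == <host> && dns`
    (or the tcpdump capture filter `host <host> and port 53`)."""
    return [p for p in packets if host in (p.src, p.dst) and (proto is None or p.proto == proto)]


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_LINES)
    print("by protocol:", protocol_counts(pkts))
    print("DNS queries from titan:", dns_queries(involving(pkts, "10.0.0.24", "DNS")))
    print("DNS answers:", dns_answers(pkts))
```

Running it on the constructed lines shows the same thing the notes describe: the ping and nslookup appear as paired A and AAAA queries and answers plus ICMP echo request/reply, the video shows up as UDP to port 443, and the mDNS line from 10.0.0.30 is the kind of chatter from another device that a `host 10.0.0.24` filter removes.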
Wireshark Fun
I ran the Wireshark tool and was amazed at the amount of detail it was capturing. I saw all sorts of traffic, and at one point traffic from other people’s phones in the house. I have a feeling that Wireshark was not only listening to what was isolated on my one “titan” machine, but was also picking up traffic bouncing around from what I labeled as “Wireless Router South,” or even traffic going through the Wi-Fi connectivity bouncing around the local network.
Johansen's book was also useful in describing the process to perform name resolution, coloring packet lists, and how to read display filters and identify hosts/hostnames, physical connections, and protocols. The author points to https://www.chappell-university.com for exercises and training packet captures to "hone skills around analysis." When I looked at this, the full-year course seemed pricey, but the books seemed like something worth buying to work through. I did sign up for the email newsletter, which comes with "Laura's Hands-On Labs: Set 1," so I will work through that when I get a moment. Laura’s blog posts also seemed interesting; I saw a post related to PG&E and DDoS. I worked in San Francisco a long while back consulting for PG&E!
I again did a ping and nslookup while Wireshark was running. I saw similar “AAAA” packets as with TCPDUMP, but there were also “A” records and, it seems, more back-and-forth traffic.
When running video, I similarly was able to see the UDP traffic, but what was interesting was that there were TCP ACK and TLSv1.2 packets intermingled with it. Again, there was so much happening in what was being captured that I will have to do a lot more playing around to master this tool.
I tried saving data from TCPDUMP and opening it in Wireshark. What was neat was how some of the command-line arguments I had found, Wireshark just did for you as part of the graphical user interface. Below is a comparison of how Wireshark shows the same kind of data as TCPDUMP.
References
- Chappell University Website - https://www.chappell-university.com
- Johansen, G. (2020). Digital Forensics and Incident Response: Incident response techniques and procedures to respond to modern cyber threats (2nd ed.). Packt Publishing Limited.
- TCPDUMP & LIBPCAP Website - https://www.tcpdump.org
- Wireshark Website - https://www.wireshark.org