Skip to content

P IconBonus Lab 1.0: tcpdump and Wireshark Hands-On

Objectives

  • Re-familiarize yourself with the basic operations of two of our core tools.
    • Use tcpdump to capture traffic being sent across the network in real-time.
    • Use tcpdump to store network traffic to a pcap file.
    • Use tcpdump to read from an existing pcap file for the purposes of data reduction.
    • Use Wireshark to access pcap data and use basic display filters.
  • Become familiar with tshark functionality.

Preparation

We have collected a sample of larger pcap files from public sources. These are available in your FOR572 SIFT Workstation Virtual Machine in the /cases/for572/sample_pcaps/ directory. (Download links will be provided for non-students below when needed.) Although not an extraordinary amount of data, we will use tcpdump, Wireshark, and tshark to slice this data down to something more manageable. This approach can be used for much larger data sets as well – even those reaching into the hundreds of gigabytes or terabyte range

To prepare:

  1. Log into your SIFT Workstation VMware image.
  2. These lab instructions are written with the assumption that you are using the FOR572-specific build of the Linux SANS SIFT Workstation virtual machine. Screenshots, command lines, and other aspects of these instructions correspond to the FOR572-specific SIFT Workstation. While results generated on other virtual machines will generally align with what is in this lab, your results may vary.
  3. These lab instructions assume your local user account is sansforensics, which is the default user account for the FOR572-specific distribution of the SANS SIFT Workstation. If your local user account differs, please adjust the instructions accordingly.

  4. If needed, create, then change to a working directory for this lab named lab-1.0. If using the FOR572 SIFT VM, this is already created as /cases/for572/lab-1.0/ and no further action is needed.

    Command lines

    mkdir -p /cases/for572/demo/lab-1.0/

    Hint

    In these lab instructions, command lines are provided in convenient copyable blocks. If you want, simply click the "copy" icon at the right of the command-line block to paste the commands to your local virtual machine's shell prompt. Of course this is optional, so if you're a more experienced Linux user, or you've gone through the lab a few times already, you can skip this feature and go right to typing.

Lab Content

Observe Traffic with tcpdump

Although the SIFT Workstation VM is technically in a very small-scale network environment, we can still generate and observe network traffic on the VMware image's NAT interface. Because this network segment exists solely between your host system and the virtual machine(s) you're running, it is convenient in a classroom environment while also avoiding some potentially sticky legal concerns that come along with capturing traffic from a live network. To accomplish this task, we will first send a large chunk of network data and then experiment with some BPF constructs to zero in on traffic that might be more interesting.

Verify that your SIFT VM is attached to the "NAT" segment using the VMware GUI and has an IP address using the ip addr (or ifconfig) command within the VM. The SIFT Workstation must have an IPv4 IP address assigned to the "ens33" interface. Your VM may have another interface name, such as eth1 or eth2. This document will use ens33, but you may need to substitute accordingly.

  1. Open a shell window on your SIFT Workstation and run a tcpdump command that will observe all TCP traffic using source or destination port 80 on the ens33 network interface1. (Capturing packets in promiscuous mode will likely cause VMware to pop up a dialog requiring you to authenticate as an administrative user on your host system. If you see this, enter administrative credentials for your host system in the dialog.)

    What command can you use to accomplish this?

    Command lines

    sudo tcpdump -n -i ens33 -s 0 'tcp and port 80'

  2. Using a web browser from within your SIFT Workstation (Chromium suggested), load the http://capture.for572.com home page. (Note that this is an HTTP URL, not an HTTPS one! This HTTP host is specifically configured to only use plaintext HTTP, for the purposes of this lab.) Watch the output of the tcpdump command in the shell while the page loads.

    Examine the tcpdump output in the shell's scrollback buffer. You should see a lot of TCP 80 traffic, but tcpdump shows just a few Layer 3 and Layer 4 header fields.

    (The tcpdump output in the shell would be similar to the following, but your results WILL vary from those shown here, depending on VMware configuration and other factors.)

    Notional results 
    sansforensics@siftworkstation: ~
$ sudo tcpdump -n -i ens33 -s 0 'tcp and port 80'
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
21:20:31.178425 IP 192.168.139.160.51832 > 70.32.97.206.80: Flags [S], seq 664947886, win 29200, options [mss 1460,sackOK,TS val 220227616 ecr 0,nop,wscale 7], length 0
21:20:31.249652 IP 70.32.97.206.80 > 192.168.139.160.51832: Flags [S.], seq 817086834, ack 664947887, win 64240, options [mss 1460], length 0
21:20:31.249688 IP 192.168.139.160.51832 > 70.32.97.206.80: Flags [.], ack 1, win 29200, length 0
21:20:31.249879 IP 192.168.139.160.51832 > 70.32.97.206.80: Flags [P.], seq 1:319, ack 1, win 29200, length 318
...

  3. Now you will limit the collection only to those TCP port 80 packets involving IP addresses that are not associated with the capture.for572.com hostname.

    In the shell, press Ctrl+C to terminate the previous tcpdump command if you have not already done so. Determine the current IP address(es) for the capture.for572.com hostname with the host, dig, or nslookup commands or your preferred choice.

    What IP address do you receive?

    Your answer may differ, but at the time of publication, it is 70.32.97.206.

    Command lines 
    host capture.for572.com
    Notional results 
    sansforensics@siftworkstation: ~
$ host capture.for572.com
capture.for572.com has address 70.32.97.206

    (Note that your IP address lookup results may vary—adjust remaining commands according to your own IP address results.)

    Modify the previous tcpdump command to rule out traffic to or from this IP address. Force the browser to reload the http://capture.for572.com page by holding the Shift key while clicking the browser's "Refresh" button, as shown.

    Browser reload

    What tcpdump command line can you use to accomplish this?

    Command lines

    sudo tcpdump -n -i ens33 -s 0 'tcp and port 80 and not host 70.32.97.206'
    Notional results 
    sansforensics@siftworkstation: ~
$ sudo tcpdump -n -i ens33 -s 0 'tcp and port 80 and not host 70.32.97.206'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
21:22:35.458052 IP 192.168.139.160.58506 > 151.101.32.193.80: Flags [S], seq 84383970, win 29200, options [mss 1460,sackOK,TS val 220258686 ecr 0,nop,wscale 7], length 0
21:22:35.524187 IP 151.101.32.193.80 > 192.168.139.160.58506: Flags [S.], seq 4166054650, ack 84383971, win 64240, options [mss 1460], length 0
21:22:35.524237 IP 192.168.139.160.58506 > 151.101.32.193.80: Flags [.], ack 1, win 29200, length 0
21:22:39.180158 IP 192.168.139.160.40951 > 72.21.91.29.80: Flags [.], ack 2526736093, win 30248, length 0
...

    The tcpdump output in the shell should be much less than before because we eliminated the packets to or from the capture.for572.com host.

    In the shell, press Ctrl+C to terminate the tcpdump command before moving forward.

Write Packets to pcap File

One of the key benefits of most libpcap-based capture applications such as tcpdump is that they can write the packets to a pcap file for later analysis. The evidentiary value of this approach is obvious, and the ability to separate capture and analysis platforms, tools, and personnel is another major benefit. Also, analyzing packets stored in a pcap file does not necessarily require administrative privileges—bonus! As long as the operating system's access controls are met on the pcap file, you generally will not need to run your analysis tools with elevated privileges.

  1. In the shell, run a tcpdump command that will capture all network traffic and write it to a file: /case/for572/lab-1.0/httpload.pcap.

    What tcpdump command line can you use to accomplish this?

    Command lines

    sudo tcpdump -n -i ens33 -s 0 -w /cases/for572/lab-1.0/httpload.pcap
    Expected results 
    sansforensics@siftworkstation: ~
$ sudo tcpdump -n -i ens33 -s 0 -w /cases/for572/lab-1.0/httpload.pcap
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes

  2. Force the browser to reload the capture.for572.com web page by holding the Shift key while clicking the browser's "Refresh" button. After the page reloads, open 3–5 additional pages on other sites.

  3. Press Ctrl+C to terminate the tcpdump command a few seconds after you've loaded a few pages.

  4. Because the pcap file was created by a process with elevated privileges, change the owner and group to sansforensics, and then make the file read-only.

    What chown and chmod commands can you use to accomplish this?

    Command lines

    sudo chown sansforensics:sansforensics /cases/for572/lab-1.0/httpload.pcap
chmod -w /cases/for572/lab-1.0/httpload.pcap

Analyze Traffic in Wireshark

Now we will look at this traffic in Wireshark. Open Wireshark by clicking the Wireshark icon in the bottom menu bar of your SIFT Workstation's desktop. Because the sansforensics user has permissions for this pcap file, you will not need to run Wireshark as root—nor should you ever do this if possible2! (If you are not using the FOR572 SIFT Workstation VM, run wireshark & from the shell - don't forget the &!)

  1. Open the /cases/for572/lab-1.0/httpload.pcap file in Wireshark and browse through the packets you captured earlier. You'll likely see a number of protocols, including HTTP, DNS, HTTPS, ARP, and possibly more.

    To display just HTTP requests, apply a display filter of http.request. Although this is not a distinct field, it is a "superfield" that includes many individual protocol fields present in the HTTP request.

    After applying this filter, you should see a number of frames, each of which contains an HTTP request message.

    Update your display filter to rule out the IP address associated with the capture.for572.com hostname.

    What display filter did you use?

    Wireshark display filter

    http.request and not ip.addr == 70.32.97.206

    This will show just the requests issued to other IP addresses, but you can quickly clear or adjust the display filter itself to rescan the entire packet capture contained in the pcap file.

Reduce Data with pcap Utilities and BPFs

  1. Back in the shell, use the capinfos command to determine the time frames covered in your newly created pcap file and identify its SHA256 hash3. If you are not familiar with this or any of the other commands we'll use, be sure to reference the man pages.

    What command line can you use to accomplish this?

    Command lines

    cd /cases/for572/lab-1.0/
capinfos -Hae httpload.pcap
    Notional results 
    sansforensics@siftworkstation: ~
$ cd /cases/for572/lab-1.0/
sansforensics@siftworkstation: /cases/for572/lab-1.0
$ capinfos -Hae httpload.pcap
File name:           httpload.pcap
First packet time:   2023-09-14 02:42:53.899436
Last packet time:    2023-09-14 02:43:25.047585
SHA256:              d9ac148c1614c200e9a7be50b8fdb2b1f694e070224b4ec9f65a18a9d9a54019
RIPEMD160:           c6f1e814947c8042ef9d9089c9feb7fced703800
SHA1:                cb4930fbfd701ea997f42dcd444fe7d22bcb3a69

    Warning!

    Your time and hash values will differ.

    We will be using a few console-based utilities to nondestructively extract some of the traffic for further examination. Of course, these derived pcap files will not change the original source data.

  2. Use the editcap command to isolate the first few seconds of traffic from your newly created httpload.pcap file. Put this slice of traffic into a new file named /cases/for572/lab-1.0/httpload-firstseconds.pcap. Choose a time that is a few seconds AFTER the "Start Time" noted above. When done, run the capinfos command against the new file for a validation check.

    What command lines can you use to accomplish this?

    Command lines

    cd /cases/for572/lab-1.0/
editcap -F pcap -B '2023-09-14 02:43:15' httpload.pcap httpload-firstseconds.pcap
capinfos -Hae httpload-firstseconds.pcap
    Notional results 
    sansforensics@siftworkstation: /cases/for572/lab-1.0
$ capinfos -Hae httpload-firstseconds.pcap
File name:           httpload-firstseconds.pcap
First packet time:   2023-09-14 02:42:53.899436
Last packet time:    2023-09-14 02:43:14.997941
SHA256:              dc0b8e135c3d52accc4ebb62b6c9dff0c4053d785f4373f1facb0f75a7443a7b
RIPEMD160:           50fc5c836631be2856ca5c545e85369a975428d2
SHA1:                8c91a7295070f1324b3ebf544aa47e3e80ebbaf7

    Warning!

    Your time value will differ, based on the time frame used from the originally-created file and the parameters to the editcap command. Your hash value will also differ.

  3. Now, use tcpdump to reduce your original httpload.pcap packet capture file using a BPF. Include only TCP port 80 traffic but rule out all traffic to or from the IP address you identified above for the capture.for572.com host. Write the reduced data to a file named /cases/for572/lab-1.0/httpload-non572.pcap. Consult the pcap-filter man page for the syntax needed in this BPF if needed.

    What command line can you use to accomplish this?

    Command lines

    cd /cases/for572/lab-1.0/
tcpdump -n -r httpload.pcap -w httpload-non572.pcap 'tcp and port 80 and not host 70.32.97.206'

  4. Bonus Challenge: Consider different ways to evaluate the reduced data that should be present in the httpload-non572.com pcap file. Various command-line parameters to the capinfos command will help – use the man page if needed.

    What artifacts from the pcap file can help and what commands can you use to access them?

    There are several ways to accomplish this. The start and end times may be different in the reduced data set, so the capinfos tool's -a and -e options might help. However, packet count and total volume are likely to provide more definitive means of determining data reduction. The capinfos tool can display the packet count with the -c option, the total file size with the -s option and the data payload portion of the packets contained in the pcap file with the -d option. By default, these options will display the results in human readable formats (MB, thousands or millions of packets, etc.). To display these values in their native, un-estimated forms, use the -M option.

    Command lines 
    cd /cases/for572/lab-1.0/
capinfos -Mcsd httpload.pcap

    Warning!

    Your results will be unique, so we cannot give you specific expectations regarding the capinfos output. You should check your results for rationality—date and time, etc.

    Command lines 
    cd /cases/for572/lab-1.0/
capinfos -Mcsd httpload-non572.pcap

    Warning!

    Your results will be unique, so we cannot give you specific expectations regarding the capinfos output. You should check your results for rationality—date and time, etc.

Scale to a Larger Data Set with tshark

  1. Using tshark, build a list of all HTTP Server Strings in the /cases/for572/lab-1.0/httpload.pcap file. (Hint: Use Wireshark to explore field names, and then use tshark's -Y '<%DISPLAY_FILTER%>' option with the -T fields and -e <%FIELD_NAME%> output options.)

    Hint: You can use a Linux shell "pipe sequence" to coalesce raw input data into a convenient histogram-like format. On the same command line (such as that of the tshark command for this question), append the following:

    Command lines

    | sort | uniq -c | sort -nr

    You will use this chained set of shell commands often during the course!

    What tshark command line can you use to do this and what are the resulting HTTP Server: strings?

    Command lines

    cd /cases/for572/lab-1.0/
tshark -n -r httpload.pcap -Y 'http.server' -T fields -e http.server | sort | uniq -c | sort -nr
    Notional results 
    sansforensics@siftworkstation: /cases/for572/lab-1.0
$ tshark -n -r httpload.pcap -Y 'http.server' -T fields -e http.server | sort | uniq -c | sort -nr
    6 Apache
    4 Apache/2.4.57 ()
    1 ECS (dcb/7FA8)
    1 ECS (dcb/7EEE)
    1 cloudflare

Bonus Challenge

  1. Download or create a symbolic link to the nitroba.pcap file.

    1. If you are using the FOR572 SIFT Workstation VM, create a symbolic link to the supplied file in the /cases/for572/lab-1.0/ directory.

      Command lines

      cd /cases/for572/lab-1.0/
ln -s /cases/for572/sample_pcaps/nitroba.pcap ./

    2. If you are not using the FOR572 SIFT Workstation VM, download the nitroba.pcap file using the following commands. You'll need Internet access to your VM. FOR572

      Command lines

      cd /cases/for572/lab-1.0/
curl -L -o nitroba.pcap https://for572.com/nitrobapcap

  2. Examine the contents of /cases/for572/lab-1.0/nitroba.pcap on your SIFT VM. Determine the list of all HTTP server IPs and corresponding Server: header values that contain the substring mod_ssl. The presence of this substring suggests the servers support the encryption extension by the same name.

    Remember tshark's -Y, -T, and -e options and the histogram-generating shell command sequence.

    What tshark command can you use to do this?

    Command lines

    cd /cases/for572/lab-1.0/
tshark -n -r nitroba.pcap -Y 'http.server contains "mod_ssl"' -T fields -e ip.src -e http.server | sort | uniq -c | sort -nr
    Expected results 
    sansforensics@siftworkstation: ~
$ cd /cases/for572/lab-1.0/
sansforensics@siftworkstation: /cases/for572/for572/lab-1.0
$ tshark -n -r nitroba.pcap -Y 'http.server contains "mod_ssl"' -T fields -e ip.src -e http.server | sort | uniq -c | sort -nr
 56 69.22.167.239   Apache/1.3.41 (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8a
 24 18.7.22.69      MIT Web Server Apache/1.3.26 Mark/1.5 (Unix) mod_ssl/2.8.9 OpenSSL/0.9.7c
 21 64.94.186.12    Apache/1.3.41 (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8b
 16 209.123.229.231 Apache/1.3.37 (Unix) mod_gzip/1.3.26.1a mod_fastcgi/2.4.2 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a PHP-CGI/0.1b
  6 66.150.96.119   Apache/2.0.54 (Debian GNU/Linux) mod_fastcgi/2.4.2 mod_ssl/2.0.54 OpenSSL/0.9.7e
  5 67.15.76.53     Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.7a PHP/5.2.5
  5 66.33.212.43    Apache/2.0.61 (Unix) PHP/4.4.7 mod_ssl/2.0.61 OpenSSL/0.9.7e mod_fastcgi/2.4.2 DAV/2
  5 63.247.140.161  Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
  5 206.55.125.137  Apache/2.0.54 (Unix) mod_ssl/2.0.54 OpenSSL/0.9.7a
  2 66.98.172.25    Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.7a PHP/5.2.5
  2 64.128.80.61    Apache/1.3.41 (Unix) PHP/5.2.6 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8b
  2 18.7.7.97       Apache/1.3.26 (Unix) PHP/4.3.4 mod_fastcgi/mod_fastcgi-SNAP-0203131834 mod_ssl/2.8.9 OpenSSL/0.9.7c
  1 85.10.206.119   Apache/2.2.4 (Unix) DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.8d PHP/5.2.1 mod_apreq2-20051231/2.5.7 mod_perl/2.0.2 Perl/v5.8.7
  1 74.54.77.137    Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
  1 69.22.167.232   Apache-AdvancedExtranetServer/1.3.27 (Mandrake Linux/8mdk) mod_ssl/2.8.12 OpenSSL/0.9.7
  1 67.15.56.64     Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.7a PHP/5.2.5
  1 216.64.142.80   Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_bwlimited/1.4 mod_auth_passthrough/2.1 FrontPage/5.0.2.2635 PHP/5.2.5

Key Takeaways

  • tcpdump is the primary tool many organizations use to observe and capture network traffic.
    • Real-time analysis is helpful to determine if traffic is flowing as expected (or not).
    • Saving packets to a pcap file is the primary method of saving network-based data as evidence.
    • tcpdump and editcap are effective tools to reduce large packet captures into more manageable files for interactive analysis.
  • Wireshark's extensive decoding engines can make quick work of protocol exploration and analysis.
    • Display filters provide a powerful all-layer means to concentrate on traffic that meets specified characteristics without changing the underlying evidence.
  • tshark provides all of Wireshark's power in a script-able, console-based tool.
    • Because tshark uses the same code as Wireshark, nearly any Wireshark feature can be used in the console.
    • Analysis can transition from the research phase to a larger scale by shifting from Wireshark to tshark.
    • The -T fields output mode enables simple yet powerful shell-based analytics.

  1. We want to capture packets promiscuously, meaning any packets that cross the network segment and not just those destined for your VM's own MAC address. To do this in Linux, we need root privileges, so you will need to run commands that capture live traffic with the sudo utility. This will probably pop up a VMware dialog asking you to authenticate as an administrator on the host. 

  2. Parsers are often easy targets for exploitation because they are complicated, and their writers must often make assumptions about the data they will parse. If a malicious actor were to exploit a weakness in one of Wireshark's parsers, the exploit would take advantage of whatever user account executed the application. There is no easy way to explain to your boss how you managed to compromise the network forensic systems through poor practices. 

  3. The latest version of the capinfos utility only provides the SHA1, RIPEMD160, and SHA256 checksum values for supplied pcap files. While there is an acknowledged theoretical collision risk with MD5, its use in validating file content is generally intact. For most purposes in this class, we will use MD5 for checksum validation purposes. Note that your local guidance may dictate preferred checksum algorithms.