Network Capture and Analysis Guide

A common go-to when troubleshooting network issues is a packet sniffer. However, running Wireshark directly on a headless server with no GUI, potentially hundreds or thousands of miles away, presents problems.

The good news is that you can create pcap files with tcpdump on the server, then download them to your desktop and review them in Wireshark.

Capturing Traffic with tcpdump

Open a Terminal: Access your command line or terminal. Capturing packets normally requires root privileges (on Linux, specifically the CAP_NET_RAW and CAP_NET_ADMIN capabilities), so you will usually need sudo on Linux, FreeBSD, or macOS.

Run tcpdump: To capture all packets on a specific interface and write them to a file, use the following command syntax:

sudo tcpdump -n -i [interface] -w [filename].pcap

Note: We recommend the -n flag, which stops tcpdump from resolving addresses and ports to names. Name resolution slows tcpdump down, generates extra DNS queries from the capturing host (which then show up in your own capture), and reverse DNS is often stale or wrong. When writing with -w the names are not stored in the file anyway, but keeping -n in the habit matters as soon as you print packets live or read the file back with -r. This is a personal preference and up to you.

  • Replace [interface] with the name of the network interface you want to capture packets from (e.g., eth0 or enp0s3 for Ethernet, wlan0 for Wi-Fi on Linux). Use tcpdump -D to list the interfaces tcpdump can see. On Linux, the pseudo-interface any captures on all interfaces at once, but it records a Linux "cooked" link layer instead of Ethernet frames; Wireshark reads that without trouble.
  • Replace [filename] with the desired name for your capture file.

Specify Filters (Optional): Everything after the options is a BPF capture filter, and only packets matching it are written to the file. Filtering keeps captures small and, just as importantly, limits how much sensitive traffic you record in the first place.

For example, to capture only TCP traffic, add tcp at the end of the command:

sudo tcpdump -n -i [interface] -w [filename].pcap tcp

To filter by a specific port (110 is POP3 here; src or dst port 110 is the long form of plain port 110):

sudo tcpdump -n -i [interface] -w [filename].pcap src or dst port 110

To filter by a specific host (likewise, host 1.2.3.4 is the short form; filter terms can be combined with and, or and not):

sudo tcpdump -n -i [interface] -w [filename].pcap src or dst host 1.2.3.4

Stop the Capture: Let tcpdump run for as long as you need to capture the packets of interest. When you're ready to stop, press Ctrl+C; tcpdump flushes and closes the file cleanly. For unattended or long-running captures, use -c [count] to stop after a fixed number of packets, or the -G (seconds) and -W (file count) options to rotate through a ring of files so a forgotten capture cannot fill the disk.

Analyzing the pcap File with Wireshark

Open Wireshark: Start the Wireshark application on your desktop. You can download and install Wireshark from its official website if it’s not already installed.

Open the pcap File: In Wireshark, go to File > Open and navigate to the location of your .pcap file. Select the file and click Open to load it into Wireshark.

Analyze the Traffic: Once your pcap file is loaded, you’ll see a list of packets captured during the session. Here are a few things you can do to start analyzing the traffic:

  • Use Filters: Wireshark allows you to apply display filters to narrow down the displayed packets. For example, typing http in the filter bar will show only HTTP traffic. Note that display filter syntax (e.g., tcp.port == 110) differs from the BPF capture filter syntax used by tcpdump (port 110); the two are not interchangeable.
  • Inspect Packet Details: Click on a packet to see its detailed breakdown. This includes protocol information, source and destination addresses, and other protocol-specific data.
  • Follow Streams: To view the entire conversation between two endpoints, right-click on a packet and select Follow > TCP Stream (or UDP, depending on the protocol).

Looking for Common Problems

When analyzing the pcap file in Wireshark, you’re often looking for anomalies or specific issues. Here are a few common problems to look for:

  • Retransmissions and Duplicate ACKs: Indications of packet loss or network congestion.
  • Unusually Long Timeframes: Large gaps in the time column might indicate delays in the network.
  • ARP Issues: Excessive ARP requests can suggest IP address misconfiguration or scanning of the local subnet. One IP address answered by two different MAC addresses, or a MAC suddenly changing for a gateway, points to ARP spoofing; Wireshark flags this as "duplicate use of IP address detected".
  • DNS Queries Without Responses: Could indicate DNS misconfigurations or issues with the DNS server.
  • Suspicious Protocols or Ports: Unusual traffic patterns or connections on unexpected ports might suggest malicious activity.
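To make the checks above concrete, here is an added example that is not part of the original page: it builds a small classic pcap in memory (the same format tcpdump -w produces, so the writer doubles as a reference for the file layout), reads it back, and flags retransmissions, duplicate ACKs, DNS queries with no response and large time gaps, i.e. the items in the list above. Everything about it is an assumption for illustration: the sample traffic is constructed, not captured; it handles only little-endian classic pcap (not pcapng) with IPv4 over Ethernet; and it never validates checksums.

```python
"""Added example: write a classic pcap, read it back, and flag common problems.
Assumptions: little-endian classic pcap (not pcapng), IPv4 over Ethernet,
checksums not validated. The sample traffic below is constructed, not captured."""
import struct

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
ETH = bytes.fromhex("001122334455" "66778899aabb" "0800")  # dst MAC, src MAC, IPv4
ACK, PSH = 0x10, 0x08


def _ip(addr):
    return bytes(int(x) for x in addr.split("."))


def _ipv4_header(proto, src, dst, payload):
    # IHL=5, TTL 64, header checksum left at zero (the analyzer never validates it).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, _ip(src), _ip(dst)) + payload


def tcp_frame(src, sport, dst, dport, seq, ack, flags, payload=b""):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return ETH + _ipv4_header(6, src, dst, tcp + payload)


def udp_frame(src, sport, dst, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ETH + _ipv4_header(17, src, dst, udp + payload)


def dns_header(txid, flags):
    # Header only, no question section: the analyzer reads just the ID and QR bit.
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


def write_pcap(packets):
    """packets: iterable of (timestamp_seconds, frame_bytes) -> pcap file bytes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in packets:
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 1_000_000), len(frame), len(frame))
        out += frame
    return out


def read_pcap(data):
    """Yield (timestamp, frame) for each record of a little-endian classic pcap."""
    if struct.unpack_from("<I", data)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap (pcapng/swapped files unsupported)")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl


def analyze(data, gap_seconds=1.0):
    """Return a dict of findings: retransmissions, dup_acks, unanswered_dns, gaps."""
    f = {"retransmissions": [], "dup_acks": [], "unanswered_dns": [], "gaps": []}
    seen_seq, last_ack, dns_q, dns_r, prev_ts = set(), {}, {}, set(), None
    for ts, frame in read_pcap(data):
        if prev_ts is not None and ts - prev_ts > gap_seconds:
            f["gaps"].append((prev_ts, ts))
        prev_ts = ts
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        total_len = struct.unpack_from("!H", frame, 16)[0]
        src, dst, l4 = frame[26:30], frame[30:34], frame[14 + ihl:14 + total_len]
        if proto == 6 and len(l4) >= 20:
            sport, dport, seq, ack, doff, flags = struct.unpack_from("!HHIIBB", l4)
            flow, payload = (src, sport, dst, dport), l4[(doff >> 4) * 4:]
            if payload:  # data sent twice with the same sequence number = retransmission
                if flow + (seq,) in seen_seq:
                    f["retransmissions"].append((ts, sport, dport, seq))
                seen_seq.add(flow + (seq,))
            elif flags & ACK and not flags & 0x02:  # pure ACK: no data, no SYN
                if last_ack.get(flow) == ack:
                    f["dup_acks"].append((ts, sport, dport, ack))
                last_ack[flow] = ack
        elif proto == 17 and len(l4) >= 20:
            sport, dport = struct.unpack_from("!HH", l4)
            txid, dns_flags = struct.unpack_from("!HH", l4, 8)
            if dport == 53 and not dns_flags & 0x8000:
                dns_q[txid] = (ts, src, dst)
            elif sport == 53 and dns_flags & 0x8000:
                dns_r.add(txid)
    f["unanswered_dns"] = [(txid,) + info for txid, info in dns_q.items() if txid not in dns_r]
    return f


CLIENT, SERVER, RESOLVER = "10.0.0.5", "10.0.0.9", "10.0.0.53"
SAMPLE_PCAP = write_pcap([  # constructed traffic, not a real capture
    (1.000, tcp_frame(CLIENT, 40000, SERVER, 80, 1000, 5000, ACK | PSH, b"GET / HTTP/1.0\r\n\r\n")),
    (1.200, tcp_frame(CLIENT, 40000, SERVER, 80, 1000, 5000, ACK | PSH, b"GET / HTTP/1.0\r\n\r\n")),
    (1.201, tcp_frame(SERVER, 80, CLIENT, 40000, 5000, 1018, ACK)),
    (1.202, tcp_frame(SERVER, 80, CLIENT, 40000, 5000, 1018, ACK)),  # duplicate ACK
    (1.300, udp_frame(CLIENT, 51000, RESOLVER, 53, dns_header(0xBEEF, 0x0100))),
    (1.301, udp_frame(RESOLVER, 53, CLIENT, 51000, dns_header(0xBEEF, 0x8180))),
    (1.302, udp_frame(CLIENT, 51001, RESOLVER, 53, dns_header(0xCAFE, 0x0100))),  # never answered
    (4.000, tcp_frame(SERVER, 80, CLIENT, 40000, 5000, 1018, ACK | PSH, b"HTTP/1.0 200 OK\r\n\r\n")),
])

if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_PCAP).items():
        print(kind, items)
```

Run it as-is to see the four findings on the constructed sample, or point read_pcap at the bytes of a real tcpdump -w file. Wireshark applies the same ideas with far more context (window sizes, RTT estimates, SACK), so treat this as a way to see what its "TCP Retransmission", "TCP Dup ACK" and "No response seen" annotations are actually keyed on, not as a replacement for it.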

Security Considerations: Handling of pcap Files

When working with pcap files, be aware of the security risks they carry. A capture is a snapshot of all traffic that matched your filter during the session, including potentially sensitive data such as credentials in unencrypted protocols, email, session cookies and personal information. Proper handling and disposal of pcap files are therefore essential to prevent unauthorized access to that data.

  • Limit Access: Move the file off the server over an encrypted channel (scp or sftp, not plain FTP or HTTP), store it with restrictive file permissions, and restrict access to authorized personnel only. Encrypt the file at rest if it needs to be kept for longer periods.
  • Analyze Locally: Whenever possible, analyze pcap files on a secure, isolated machine without internet access to mitigate the risk of accidental exposure or malware infection. Remember that Wireshark's dissectors parse untrusted input and have had their own vulnerabilities over the years, so keep Wireshark up to date, especially when opening captures from an untrusted network.
  • Secure Deletion: Once you've completed your analysis, securely delete the pcap files so they cannot be recovered. Simply deleting the file may not be enough, as it could potentially be restored. Be aware that file-overwrite tools are unreliable on SSDs and on journaling or copy-on-write filesystems; keeping captures on an encrypted volume and destroying the key is the more dependable approach. Follow your organization's data disposal policy.
