Time
6 minutes
Difficulty
Intermediate

Video Transcription

00:05
Hello and welcome back to Breaking Stuff with Joe. As always, I'm your host, Joe Perry. And today you may have noticed we've got a little bit of a different backdrop. Instead of working out of the Cybrary studio, I'm working out of the studio in my home office here in Philadelphia. So instead of having all the cool Cybrary stuff behind me, instead we have a lot of very nerdy books. Doesn't change the text of the video, just so you know.
00:25
So what we're gonna be working on today, our tool of choice, is going to be tcpdump. It's a command line utility for Linux that is one of the most useful lightweight packet sniffing tools on the market. I use it pretty often because it's a great tool not just for security, not just for
00:39
offensive or defensive security, but also just for basic troubleshooting: identifying whether there are problems with the tool you're using, if your connections are actually being established the way you want them to be, and just sort of making sure that what you think is happening on the wire is actually happening. I'm gonna walk you through it. The tool fortunately comes installed on Kali Linux, which is
00:56
our primary operating system of choice for Breaking Stuff with Joe,
01:00
so it's very easy to find and use. And I'm gonna walk you through just a couple of commands so you can get familiar with this great utility and find ways to use it in your own cybersecurity and IT work. So stay tuned. This is Breaking Stuff with Joe on Cybrary On Demand.
01:17
So here we are on our trusty Kali VM, and this tool, like I said, is a pretty straightforward one to use. But it does have a few different options that we can take a second and have a quick look at. We're gonna go ahead and open up the man page for tcpdump,
01:30
and you can see here it's got a whole array of different options that it can employ. Buffer size changes, file size changes, count changes, you can find... you can change the verbosity, and you can control just how much information is put out from it. If you look down here, the description gives a pretty good rundown of exactly how tcpdump works and what it's for,
01:49
and this is a long-form description of what I said in the intro video, which was just straightforward.
01:53
This is a packet sniffing tool. It's a simple, lightweight packet sniffer,
01:59
and we can scroll down here to the bottom of the man page to see... There we go, just went flying past it. So here's where options start. One
02:07
that's used pretty often is this -c option, the count option. If you don't use that, you have to manually kill tcpdump, which isn't a terrible thing. It's not taking up tons and tons of memory. But if you're only trying to get a small chunk of traffic, if you're trying to, for example, troubleshoot a problem, then -c is a great option to just get the few packets that you actually want.
02:29
You have here a list of interfaces, or a way to list interfaces, so you can see which interface you want to bind to. And that's something that's key to understand about packet sniffers in general: if you're trying to capture all of the traffic on your system, that's a very easy thing to do, and I'll show you how to do that in this video. But a lot of times what you're actually looking for is specific traffic
02:46
over one connection. It might be over your Ethernet connection.
02:49
It might be over WiFi. It might be over some, you know, some specific interface that's only used for VMware or local networks, or whatever it might be. But very often, when you're performing a packet capture, you're looking to kind of pare down the sources of data, because it's very easy... obviously, everything is interconnected right now,
03:07
and so it's very, very easy to get too much information. It's very easy to just overload yourself and overwhelm yourself
03:14
with data. And so controlling the count of packets you take in, controlling which interfaces you bind to, all of these things have a direct impact on how much data you get and therefore how much data you have to sift through.
03:24
So to actually use this tool, we can very easily just run the command tcpdump, and we're just gonna run it by itself so that you can see what this packet capture looks like. And then you can go into the lab and play around with some of the options.
03:37
So tcpdump, you can see here we've got
03:39
verbose output is suppressed, so we can actually get more information by using -v (lowercase v) or -vv (lowercase double v). If you use uppercase, that affects... I think that's the file command. It determines what your output file is gonna be here. But it's gonna be lowercase. Case sensitivity is very important for most Linux commands.
03:58
So now that we have this running, you can see it's not doing anything, because the VM that it's sitting on is not actively communicating with the Internet,
04:04
but we can see what it looks like when we do communicate.
04:08
So for this case, we're gonna do something very, very simple, and we're just going to ping,
04:13
let's say, Amazon,
04:16
and we run the ping, and you can see that it's gotten a communication back.
04:19
Cool. We transmitted four packets of ping,
04:24
but when you come over here (I'm gonna zoom this out a little bit),
04:26
when you come over here, you can see we did a lot more communication than just those four packets. And that's one of the really useful things about tcpdump: you may not know what's happening under the hood when you're running commands or using tools, and this is just gonna give you all of the traffic that's happening on the system, or on the interface to which it's bound.
04:44
Running the command by itself, as you can see, doesn't bind it to a particular interface. It just listens
04:47
by, basically, default.
04:50
It's listening on zero,
04:53
so it will attempt to make an assum...
04:55
make an assumption about what port to bind to, what interface to bind to, if you don't give it one to look for.
05:02
So going back down here, you can kind of see some of the traffic, and you get a little bit more information about exactly what's happening under the hood. You can see here it's communicating through a gateway, and then it's looking for name records. It's performing a DNS lookup, and you can see that it's looking in in-addr.arpa. That's a pretty dead giveaway that it's looking for DNS resolution.
05:23
It performs the DNS resolution, runs down, and then finally, you can see
05:27
right here, after it's gotten its final CNAME response and it knows exactly where to find the website, it actually starts sending the ICMP pings.
05:34
So that's all there is to tcpdump. It's a pretty straightforward tool. Like I said, there are a lot of different options and switches you can use for it. You can apply that sort of information to help you filter and perform searches against the data that you've captured. We've talked before in previous Breaking Stuff with Joe videos about tools like ngrep that are specifically looking for...
05:54
you know, they're using the grep utility against network... your network objects.
05:57
If you use tcpdump and you dump it to a file, you could just perform regular grep. Uh, it's a great tool, very, very useful. As you can see, it gives you a lot of information, because it's very low, close to the lowest level of the communication that's going to be happening. You're seeing all of the... you can see all of the IP requests,
06:15
anything that's actually happening under the hood to communicate to the Internet.
06:17
tcpdump is capable of capturing and providing information on all of that. That's all there is for today's video. Hopefully you enjoyed. Hopefully you can see how useful this tool can be, not only in cybersecurity but in all of IT, and hopefully you will find uses for this tool in your own personal work. Until next time, I have been your host, Joe Perry, and you've been watching Breaking Stuff with Joe,
06:36
Cybrary on
06:39
it.

How to Use tcpdump (BSWJ)

tcpdump is one of the best lightweight utilities for performing network traffic capture. It's extremely simple to use, but performs packet capture effectively and efficiently without all of the overhead associated with tools like Wireshark, making it a key part of any cybersecurity practitioner's toolbox.
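The video ends on the point that once tcpdump has written a capture to a file, you can process it with ordinary tools instead of reading it live. The script below is an added example, not code from the Cybrary course or from the tcpdump project: it builds a small capture in the classic libpcap file format that `tcpdump -w file` writes (24-byte global header, then a 16-byte record header per packet), reads it back, and prints tcpdump-style one-line summaries with a protocol filter and a packet count, mirroring the `-c` option and the "four pings, but far more traffic" observation from the video. Every packet, MAC and IP address in it is constructed for the demo (192.0.2.44 is a documentation address, not Amazon), and it assumes an Ethernet link type.

```python
"""Added example: write and parse a `tcpdump -w` style (classic pcap) capture offline."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP = 1
PROTO_UDP = 17


def eth(payload, src=b"\x52\x54\x00\x12\x34\x56", dst=b"\x52\x55\x0a\x00\x02\x02"):
    """Ethernet II frame: dst MAC, src MAC, ethertype (MACs are constructed)."""
    return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload


def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header; checksum left 0, which decoders tolerate."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def icmp(itype, ident, seq, payload=b"\x00" * 8):
    """ICMP echo request (type 8) or echo reply (type 0) with id and sequence."""
    return struct.pack("!BBHHH", itype, 0, 0, ident, seq) + payload


def pcap_bytes(frames):
    """Serialize frames as tcpdump -w does: global header, then per packet a
    16-byte record header (ts_sec, ts_usec, incl_len, orig_len) and the frame."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, i * 1000, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def sample_capture():
    """Constructed capture: one DNS query/response, then four ICMP echo
    request/reply pairs, i.e. the extra traffic around a four-packet ping."""
    host, resolver, target = "10.0.2.15", "10.0.2.3", "192.0.2.44"
    dns_query = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                 b"\x06amazon\x03com\x00\x00\x01\x00\x01")
    frames = [eth(ipv4(host, resolver, PROTO_UDP, udp(50000, 53, dns_query))),
              eth(ipv4(resolver, host, PROTO_UDP, udp(53, 50000, dns_query)))]
    for seq in range(1, 5):
        frames.append(eth(ipv4(host, target, PROTO_ICMP, icmp(8, 1, seq))))
        frames.append(eth(ipv4(target, host, PROTO_ICMP, icmp(0, 1, seq))))
    return pcap_bytes(frames)


def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame); handles both byte orders and stops
    cleanly at a truncated final record (tcpdump killed mid-write)."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng or corrupt?)")
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break
        off += incl_len
        yield ts_sec, ts_usec, frame


def decode(frame):
    """Decode Ethernet/IPv4 into (ip_proto, tcpdump-like text); None if not IPv4."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:]
    if proto == PROTO_ICMP and len(l4) >= 8:
        itype, _, _, ident, seq = struct.unpack_from("!BBHHH", l4, 0)
        kind = {8: "echo request", 0: "echo reply"}.get(itype, f"type {itype}")
        return proto, f"IP {src} > {dst}: ICMP {kind}, id {ident}, seq {seq}"
    if proto == PROTO_UDP and len(l4) >= 8:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        return proto, f"IP {src}.{sport} > {dst}.{dport}: UDP"
    return proto, f"IP {src} > {dst}: proto {proto}"


def summarize(data, proto=None, count=None):
    """Like `tcpdump -n -r file [-c count] [icmp|udp]`: one line per matching packet."""
    lines = []
    for ts_sec, ts_usec, frame in read_pcap(data):
        decoded = decode(frame)
        if decoded is None or (proto is not None and decoded[0] != proto):
            continue
        lines.append(f"{ts_sec}.{ts_usec:06d} {decoded[1]}")
        if count is not None and len(lines) >= count:   # -c: stop after N packets
            break
    return lines
```

To try it against a file the way the video suggests, write `sample_capture()` to `sample.pcap` and pass the file's bytes to `summarize()`; the same reader works on a real `tcpdump -w` file as long as it is the classic format (tcpdump's default) with an Ethernet link type, and the truncation check matters precisely because a capture interrupted with Ctrl-C can end mid-record.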

Instructed By

Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor