Hello. My name is Dustin, and welcome to Pentest Basics: Sniffing.
tcpdump is also a packet capture and analyzer tool, but it is a command-line packet capture tool, so it is very similar to Wireshark; it just uses the command line instead of a GUI.
It's typically used on Linux machines, but it does have a Windows version called WinDump as well.
tcpdump is very lightweight and easy to use, both for capturing packets and for reading previous packet captures.
In this demo, we're going to go over a few different things, starting with installing WinDump on our Windows machine,
and then we're actually going to hop into our Kali Linux machine and get right into capturing live data. We'll go over some pcaps and show you how to open up a pcap as well. So let's go ahead and pop into our Windows machine.
All right, so you can see we are in our Windows machine here. WinDump is really easy to install. All we'll need to do is grab the file, and you can get that from winpcap.org/windump,
and we will go to Computer and our shared folder.
As you can see, I've got WinDump right here.
So I right-click it and we're going to copy it over,
and let's go ahead and just double-click it.
There we go. So it's already listening on this device,
and you can see it's just capturing the data that's going through this device, so it's really easy to use. There are different flags and different options you can run it with,
but we'll get into that on our Linux machine.
All right, so here is our Linux machine,
and we'll log in with the default root and toor,
and we will let that load. So tcpdump, like I mentioned, is a command-line interface tool. It'll do pretty much everything that Wireshark does, just from the command line, which is kind of nice. If you need to script anything, it's a lot easier to do than trying to script things with a GUI. So if we open...
Let it come up here while I close out my other virtual machine
to give us a little more memory back. All right, so let's go ahead.
Okay, so we've got our terminal open. tcpdump is as simple as typing tcpdump. So if we launch our help first,
you can see how to use it. It's pretty easy to use. You can basically sort by byte size, count, file size, open up files or, I'm sorry, write files.
Everything right from the command line; it's really easy to use. So the first and probably most common thing you'll do with this is start dumping traffic from an interface. So if we run ifconfig, we'll see what interfaces we've got available.
So we've got eth0 and wlan0. Let's try and dump traffic from our eth0:
tcpdump dash i (-i) for interface, and then we're going to do eth0.
We will see it is listening on eth0, but it doesn't look like it's getting anything. Let's start generating some traffic. We'll open Firefox.
I heard it's pretty cool.
Looks pretty cool. So let's go ahead and cancel that out.
Go back to our terminal. And as you can see, you hit Ctrl+C to stop.
We've got quite a bit of traffic here.
Scroll back up to the top.
And so it is all in the command-line interface. So typically, what you would do is write this to a file to further analyze, or use scripts to go through it and find exactly what you're looking for.
Yeah, lots and lots of traffic went through there in just that quick amount of time.
So as we mentioned, using tcpdump -i interface, and then whatever interface you'd like to dump traffic on, is probably your most common use. You can also dump traffic on all interfaces, and that's another one that you may need to do. And that's just tcpdump -i, dash i for interface.
As you can see, it is listening on all interfaces.
It generates more traffic.
And again, you saw how much traffic that generated just by
doing the quick ones. We'll exit out of that
terminal. So we've got a ton of traffic again.
So if we'd like to see traffic that's going to or from a host, you can use the tcpdump host command. So let's see what our address is,
uh, 10.0.2.15. So we do tcpdump,
I want to make sure we do host,
and it is now listening on eth0 for any traffic going to or from this host.
So if we open another terminal here,
the traffic's coming right through already, because we're filtering for this host.
Destination: in that case it's dst, and we'll just do any traffic. We'll do
Google. So it is listening for any traffic destined to 8.8.8.8. So we ping
poured up or not for four.
See? Nothing's going through.
What if we kill that?
So it did resolve it.
It doesn't look like things are going through. That's okay, though. But as you see on the right, where we're listening, we're not seeing any traffic.
So let's go ahead and ping.
And now we're seeing traffic. So if you were just looking for a specific destination IP, you can filter by that as well.
Another way to filter is with the net command, tcpdump net. And with that, you can actually type in the particular net address or subnet as well. So we'll do tcpdump
net and then the particular network, 192.168.1.0,
and so that would filter traffic just on that network.
You can also filter by specific ports or protocols.
So if we only wanted to see, um,
let's say, remote desktop traffic,
that would only look for traffic on that port. And you can also do, um,
a protocol name, like ICMP. You could just dump ICMP traffic,
and that's just tcpdump and then the protocol name.
Another one that may be useful is a specific port range. If you're only looking for certain ports, you do tcpdump
and then you can type in the port range, and that's the range of ports that it would be looking for.
There are a lot of different ways to filter traffic, depending on what you're looking for, and if you ever need help, you just do the tcpdump help command or man tcpdump to see it.
Another thing that's really useful, if you don't like just reading over this stuff and you're not going to script anything, is writing it to a file, which you can then open up with, say, the Wireshark GUI. So if we wanted to dump all traffic, um, say...
And actually, no. We'll do
all of our Google traffic, or anything going to 8.8.8.8,
and we want to write it to a file.
And so it's going to do that. It's listening.
You don't see anything happening over here, but let's take a look here. We're going to open up...
do tcpdump, and we want to read a file; it's just -r for read. And we named it Google DNS,
and you can see that we actually opened up that file. So it's not actively outputting it to the screen; it's writing it to a file,
so that's useful for a lot of different reasons, if you just didn't want to fill up everything or you wanted to save that to analyze it at a later time.
You can do that by writing it to a file.
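To show what the write-to-file and read-from-file steps in this demo actually produce, and how the host, dst and protocol filters behave, here is an added Python example (not from the video) that writes a small constructed capture in the libpcap format tcpdump uses, reads it back, and applies those filter primitives; the addresses and packets are constructed sample data.

```python
import socket
import struct

# Constructed sample capture in the libpcap format that "tcpdump -w file" produces:
# a 24-byte global header, then per packet a 16-byte record header plus the raw frame.
PCAP_MAGIC = 0xA1B2C3D4
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def eth_ipv4_frame(src, dst, proto, payload=b""):
    """Build a minimal Ethernet + IPv4 frame (zero MACs, no checksum) as test data."""
    eth = bytes(12) + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload

def write_pcap(packets):
    """Serialise (timestamp, frame) pairs the way tcpdump -w writes them (linktype 1)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, frame in packets:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Parse a pcap (as tcpdump -r would) into (src, dst, proto) tuples for IPv4 frames."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off, records = 24, []
    while off + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":  # skip non-IPv4 frames
            continue
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        records.append((src, dst, PROTO_NAMES.get(frame[23], str(frame[23]))))
    return records

def apply_filter(records, expr):
    """Mimic the demo's filter primitives: 'host X', 'src X', 'dst X' or a protocol name."""
    kind, _, arg = expr.partition(" ")
    if kind == "host":
        return [r for r in records if arg in (r[0], r[1])]
    if kind in ("src", "dst"):
        return [r for r in records if r[0 if kind == "src" else 1] == arg]
    return [r for r in records if r[2] == kind]

# Constructed traffic: a ping exchange with 8.8.8.8 and one TCP packet to the LAN gateway.
SAMPLE = write_pcap([(1, eth_ipv4_frame("10.0.2.15", "8.8.8.8", 1)),
                     (2, eth_ipv4_frame("8.8.8.8", "10.0.2.15", 1)),
                     (3, eth_ipv4_frame("10.0.2.15", "192.168.1.1", 6))])
```

Writing SAMPLE to disk gives a file that tcpdump -r or Wireshark opens directly; the real tool compiles its filter expression to BPF and matches in the kernel, which is why a host or dst filter during capture is far cheaper than grepping output afterwards.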