The field of network packet analysis is vast and can be the subject of entire courses and books. This lesson will introduce the fundamentals. Packet analysis involves capturing and inspecting the data that travels across a network. It is an essential skill for network troubleshooting, performance tuning, and security analysis. By examining individual packets, you can gain deep insights into what's happening on your network at a low level.
Popular Network Packet Analysis Tools
There are two extremely popular network packet analysis tools: Wireshark and tcpdump. Both are powerful packet analyzer applications that scan your network interfaces, capture packet activity, and parse the data for inspection. They allow us to get into the nitty-gritty of network analysis. We will use tcpdump for its command-line simplicity, but if you plan to delve deeper into network packet analysis, exploring Wireshark's graphical interface is highly recommended.
Installing tcpdump
On Debian-based systems like Ubuntu, you can install tcpdump with the following command:
sudo apt install tcpdumpCapturing Live Packet Data
To start capturing data on a specific interface, use the -i flag followed by the interface name.
pete@icebox:~$ sudo tcpdump -i wlan0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:28:23.958840 IP icebox.lan > nuq04s29-in-f4.1e100.net: ICMP echo request, id 1901, seq 2, length 64
11:28:23.970928 IP nuq04s29-in-f4.1e100.net > icebox.lan: ICMP echo reply, id 1901, seq 2, length 64
11:28:24.960464 IP icebox.lan > nuq04s29-in-f4.1e100.net: ICMP echo request, id 1901, seq 3, length 64
11:28:24.979299 IP nuq04s29-in-f4.1e100.net > icebox.lan: ICMP echo reply, id 1901, seq 3, length 64
11:28:25.961869 IP icebox.lan > nuq04s29-in-f4.1e100.net: ICMP echo request, id 1901, seq 4, length 64
11:28:25.976176 IP nuq04s29-in-f4.1e100.net > icebox.lan: ICMP echo reply, id 1901, seq 4, length 64
11:28:26.963667 IP icebox.lan > nuq04s29-in-f4.1e100.net: ICMP echo request, id 1901, seq 5, length 64
11:28:26.976137 IP nuq04s29-in-f4.1e100.net > icebox.lan: ICMP echo reply, id 1901, seq 5, length 64
11:28:30.674953 ARP, Request who-has 172.254.1.0 tell ThePickleParty.lan, length 28
11:28:31.190665 IP ThePickleParty.lan.51056 > 192.168.86.255.rfe: UDP, length 306You'll notice a lot of activity when you run a packet capture, which is expected given the constant background network traffic. The example above shows a snippet of a capture taken while pinging www.google.com.
Interpreting tcpdump Output
Let's break down a line from the capture:
11:28:23.958840 IP icebox.lan > nuq04s29-in-f4.1e100.net: ICMP echo request, id 1901, seq 2, length 64- Timestamp: The first field (
11:28:23.958840) shows when the packet was captured. - Protocol:
IPindicates the network layer protocol. - Source and Destination:
icebox.lan > nuq04s29-in-f4.1e100.netshows the packet's origin and destination. - Protocol-Specific Info: The rest of the line contains details specific to the protocol. For this ICMP packet:
seq: The sequence number of the packet.length: The packet length in bytes.
As you can see, our machine sent an ICMP echo request and received an ICMP echo reply. Different protocols will show different information, so refer to the manpage for more details.
Saving Captures for Later Analysis
Instead of viewing live traffic, you can save the capture to a file using the -w flag. This is useful for more in-depth, offline packet analysis.
sudo tcpdump -w /some/file.pcapWe have only scratched the surface of packet analysis. There is much more to explore, including advanced filtering and inspecting packet contents in Hex and ASCII. Countless online resources can help you master network packet analysis tools, and we encourage you to continue your learning journey.