Tcpdump Wireshark

This laboratory activity teaches how to capture and analyze network traffic using tcpdump and Wireshark on a Kali Linux system. It includes steps for setting up the environment, capturing traffic, and analyzing it with specific observation questions to enhance understanding of network protocols. The activity encourages further exploration of different applications and advanced features of the tools.

Uploaded by jdydin45
Laboratory Activity: Network Traffic Analysis with tcpdump and Wireshark

Objective:
● To learn how to capture network traffic using tcpdump.
● To analyze captured network traffic using Wireshark.
● To understand basic network protocols and their behavior.
Materials:
● Kali Linux Virtual Machine or Physical Machine
● Internet Connection
● A target website or application for traffic generation (e.g., a simple web server or a test website)
Procedure:
Part 1: Setting up the Environment and Installing Necessary Tools
1. Ensure Kali Linux is Updated:
   ○ Open a terminal in Kali Linux.
   ○ Run the following commands:
     Bash
     sudo apt update
     sudo apt upgrade -y
2. Verify tcpdump Installation:
   ○ tcpdump is usually pre-installed in Kali Linux. Verify by typing:
     Bash
     tcpdump --version
   ○ If not installed, install it using:
     Bash
     sudo apt install tcpdump -y
3. Verify Wireshark Installation:
   ○ Wireshark is also usually pre-installed. Verify by typing:
     Bash
     wireshark --version
   ○ If not installed, install it using:
     Bash
     sudo apt install wireshark -y
Part 2: Capturing Network Traffic with tcpdump
1. Identify the Network Interface:
   ○ Determine the network interface connected to the internet using:
     Bash
     ip a
     ■ Look for an interface like eth0, wlan0, or enp0s3.
2. Capture Traffic using tcpdump:
   ○ Capture traffic on the identified interface and save it to a file named capture.pcap. Replace [interface] with your network interface.
     Bash
     sudo tcpdump -i [interface] -w capture.pcap
   ○ Example:
     Bash
     sudo tcpdump -i eth0 -w capture.pcap
3. Generate Network Traffic:
   ○ Open a web browser and visit a website (e.g., example.com).
   ○ Or use curl from the command line:
     Bash
     curl example.com
   ○ You can also ping a website:
     Bash
     ping example.com
4. Stop the tcpdump Capture:
   ○ Press Ctrl + C in the terminal to stop the tcpdump capture.
Part 3: Analyzing Captured Traffic with Wireshark
1. Open Wireshark:
   ○ Open Wireshark from the Kali Linux applications menu or by typing wireshark in the terminal.
2. Open the Captured File:
   ○ In Wireshark, go to "File" > "Open" and select the capture.pcap file.
3. Analyze the Traffic:
   ○ Observe the captured packets in the main window.
   ○ Use the filter bar to filter specific traffic (e.g., http, tcp, udp, icmp).
   ○ Examine the details of individual packets in the packet details pane.
   ○ Follow TCP streams by right-clicking on a TCP packet and selecting "Follow" then "TCP Stream".
Observation Questions:
1. What is the IP address of your Kali Linux machine?
2. What is the IP address of the website you visited?
3. What protocols were used during the communication (e.g., TCP, UDP, ICMP, HTTP)?
4. What is the port number used for HTTP traffic?
5. What is the purpose of the TCP three-way handshake? Can you identify it in the captured traffic?
6. If you used ping, what protocol was used, and what type of packets were exchanged?
7. If you visited a webpage, can you locate HTTP GET requests in the captured traffic?
8. Can you find the HTTP response from the web server in the captured traffic? What is the HTTP status code?
9. What information can you extract from the TCP stream of the HTTP traffic?
10. What are the differences between TCP and UDP traffic observed in the capture?
11. How can you use Wireshark filters to isolate specific network traffic? Give an example.
12. What information is contained in the IP header of the packets captured?
13. What information is contained in the TCP or UDP header of the packets captured?
14. What is the purpose of DNS queries, and can you identify any in the captured traffic?
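The protocol and three-way-handshake questions above (3, 4 and 5) can also be answered by reading capture.pcap directly, which is a useful cross-check against what the Wireshark filters show. The script below is an added example, not part of the lab handout: it parses the classic pcap format that tcpdump -w writes (Ethernet link type), counts IPv4 packets per transport protocol, and reports every completed SYN / SYN-ACK / ACK exchange. The hosts and frames in SAMPLE_PCAP are constructed for the demo and stand in for a real capture.

```python
import struct

IPPROTO = {1: "icmp", 6: "tcp", 17: "udp"}   # IPv4 protocol numbers seen in this lab
SYN, ACK = 0x02, 0x10                        # TCP flag bits

def ipv4_packets(pcap):
    """Walk a classic pcap (Ethernet link type) and yield (src, dst, proto, layer4_bytes)."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap):               # each record: 16-byte header + frame
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":   # EtherType 0x0800 = IPv4
            ip = frame[14:]
            src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
            yield src, dst, ip[9], ip[(ip[0] & 0x0F) * 4:]     # proto byte, then L4 after IHL

def summarize(pcap):
    """Count packets per protocol and list every completed SYN / SYN-ACK / ACK handshake."""
    counts, pending, handshakes = {"tcp": 0, "udp": 0, "icmp": 0, "other": 0}, {}, []
    for src, dst, proto, l4 in ipv4_packets(pcap):
        counts[IPPROTO.get(proto, "other")] += 1
        if proto != 6 or len(l4) < 20:
            continue
        sport, dport = struct.unpack("!HH", l4[:4])
        flags, fwd, rev = l4[13], (src, sport, dst, dport), (dst, dport, src, sport)
        if flags & SYN and not flags & ACK:
            pending[fwd] = "syn"                            # client opens
        elif flags & SYN and pending.get(rev) == "syn":
            pending[rev] = "synack"                         # server answers
        elif flags & ACK and pending.pop(fwd, None) == "synack":
            handshakes.append((src, dst, dport))            # client completes
    return counts, handshakes

# Constructed sample capture (not a real trace): one HTTP handshake, one DNS query, one ping.
def _frame(src, dst, proto, l4):
    to4 = lambda a: bytes(map(int, a.split(".")))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, to4(src), to4(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4           # zeroed MACs, EtherType IPv4

def _tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

KALI, SERVER, RESOLVER = "10.0.2.15", "198.51.100.10", "10.0.2.3"   # placeholder addresses
_FRAMES = [_frame(KALI, SERVER, 6, _tcp(50000, 80, SYN)),
           _frame(SERVER, KALI, 6, _tcp(80, 50000, SYN | ACK)),
           _frame(KALI, SERVER, 6, _tcp(50000, 80, ACK)),
           _frame(KALI, RESOLVER, 17, struct.pack("!HHHH", 40000, 53, 8, 0)),
           _frame(KALI, SERVER, 1, b"\x08\x00" + b"\x00" * 6)]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in _FRAMES)
```

To run it on the lab capture, call summarize(open("capture.pcap", "rb").read()); the handshake it reports should match the packets Wireshark shows for the display filter tcp.flags.syn == 1.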
Further Exploration:
● Try capturing traffic from different applications (e.g., SSH, FTP).
● Experiment with different tcpdump filters to capture specific types of traffic.
● Explore advanced Wireshark features like statistical analysis and protocol dissection.
● Capture traffic while using a secure website (HTTPS) and observe the differences.
This laboratory activity provides a hands-on introduction to network traffic analysis using tcpdump and Wireshark. By analyzing captured traffic, students can gain a deeper understanding of network protocols and how they function.