Video on YouTube

tcpdump Install

• tcpdump website

• I used my windows WSL2 kali-linux bash terminal to install tcpdump

  sudo apt install tcpdump
  

  

Using tcpdump

• Find my ethernet connection looks like it is eth0

  ifconfig
  

  

• Can see what tcpdump can see

  sudo tcpdump -D
  

  

• Ran tcpdump on eth0 with verbose parameter and wrote to a file name capture.pcap

  sudo tcpdump
  sudo tcpdump -i any     #any traffic
  sudo tcpdump -i eth0     #eth0 my computer specific traffic
  
  sudo tcpdump -i eth0 -v -w tcpdump_capture.pcap     #capture on eth0 and writing dump to file
  
  sudo tcpdump -w capture.pcap -c 50     #writing to a file and only capture 50 packets
  sudo tcpdump -i eth0 -v -w tcpdump_capture.pcap -c 50     #capture on eth0, verbose, and capturing only 50 packets
  

• While capturing ping, nslookup, and watch video

  ping google.com
  nslookup google.com
  
  

• YouTube Video I watched -> Splunk Server & Forwarder on AWS EC2 - https://youtu.be/piD3rxFp2i0

• Read capture_file

tail -100 capture.pcap     #File is binary

sudo tcpdump -r capture.pcap

sudo tcpdump -r capture.pcap -e     #shows mac addresses
sudo tcpdump -r capture.pcap -c 1     #shows one packet
sudo tcpdump -r capture.pcap -c 1 -XX     #hex and asci form

• I could see the ping and nslookup looked like these lines

  13:19:40.650403 IP titan.mshome.net.mdns > 224.0.0.251.mdns: 0 AAAA (QM)? NPI49B6F6.local. (33)13:19:40.650957 IP6 titan.mdns > ff02::fb.mdns: 0 AAAA (QM)? NPI49B6F6.local. (33)
  13:19:40.653228 IP titan.mshome.net.mdns > 224.0.0.251.mdns: 0 AAAA (QM)? NPI49B6F6.local. (33)13:19:40.653707 IP6 titan.mdns > ff02::fb.mdns: 0 AAAA (QM)? NPI49B6F6.local. (33)
  

• Screenshot of the lines above

  

• I could see UDP packets for the video

  13:19:40.705098 IP titan.mshome.net.domain > 172.29.252.180.46269: 48754 NXDomain* 0/1/0 (122)
  13:19:41.152808 IP titan.mshome.net.netbios-ns > 172.29.255.255.netbios-ns: UDP, length 50
  13:19:41.199705 IP titan.mshome.net.domain > 172.29.252.180.44889: 56729 NXDomain 0/1/0 (103)
  13:19:41.199721 IP 172.29.252.180 > titan.mshome.net: ICMP 172.29.252.180 udp port 44889 unreachable, length 139
  13:19:41.258448 IP titan.mshome.net.domain > 172.29.252.180.34128: 34618 NXDomain 0/1/0 (154)
  13:19:41.258465 IP 172.29.252.180 > titan.mshome.net: ICMP 172.29.252.180 udp port 34128 unreachable, length 190
  13:19:42.218693 IP titan.mshome.net.domain > 172.29.252.180.50150: 13958 NXDomain* 0/1/0 (122)
  13:19:42.218710 IP 172.29.252.180 > titan.mshome.net: ICMP 172.29.252.180 udp port 50150 unreachable, length 158
  13:19:43.238863 IP titan.mshome.net.domain > 172.29.252.180.49702: 28322 NXDomain 0/1/0 (99)
  13:19:43.238884 IP 172.29.252.180 > titan.mshome.net: ICMP 172.29.252.180 udp port 49702 unreachable, length 135
  13:19:43.703295 IP titan.mshome.net.domain > 172.29.252.180.46269: 48754 NXDomain* 0/1/0 (122)
  13:19:43.703316 IP 172.29.252.180 > titan.mshome.net: ICMP 172.29.252.180 udp port 46269 unreachable, length 158
  13:19:44.116168 IP titan.mshome.net.49334 > 239.255.255.250.1900: UDP, length 101
  

• Screenshot of the lines above

  

Wireshark Install

• Wireshark website

• Download Wireshark

  

• Windows Install (64-bit)