In this lab, I used tcpdump on a Linux VM to capture and filter live network traffic. I learned how to identify the correct network interface, apply capture filters, save packets to a file, and re-filter the saved data for detailed analysis.
As the user analyst already logged into a Linux terminal, I needed to use tcpdump to examine both live interface traffic and a provided pcap file. My goals were to identify available interfaces, filter HTTP and DNS packets in real time, record the traffic to a file, and then inspect that file with further filters.
| Task | My Response |
|---|---|
| Identify interfaces | I ran `sudo tcpdump -D` to list all network interfaces and confirmed eth0 was up with an IP address. This ensured I captured traffic on the correct interface. |
| Filter live traffic | I executed `sudo tcpdump -i eth0 port 80` to display only HTTP packets in real time. Observing the filtered output helped me verify that the filter syntax was correct. |
| Capture to file | I used `sudo tcpdump -i eth0 -w capture.pcap` to record live traffic into a pcap file. This allowed me to save the entire packet stream for offline review. |
| Filter saved capture | I applied `tcpdump -r capture.pcap 'tcp port 80'` to isolate HTTP traffic from the saved file and `tcpdump -r capture.pcap udp port 53` to review DNS queries. This step confirmed my ability to re-analyze packets with different filters. |
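To show what the `-w` / `-r` steps above actually produce and what the `tcp port 80` and `udp port 53` filters match, here is an added Python example (not part of the lab, and not tcpdump's own code). It writes a small pcap file in the same layout tcpdump `-w` uses, reads it back the way `-r` does, decodes the Ethernet/IPv4/TCP/UDP headers by hand, and applies the two port filters. All packets, addresses and the `capture_example.pcap` file name are constructed for the example; IP and transport checksums are left at zero because nothing here validates them.

```python
import struct
import tempfile
from pathlib import Path

LINKTYPE_ETHERNET = 1
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def _ipv4(src, dst, proto, payload):
    # Minimal 20-byte IPv4 header; checksum is 0 because this sample data is never validated
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return header + payload


def _tcp(sport, dport, payload=b""):
    # 20-byte TCP header: ports, seq, ack, data offset (5 words), flags (PSH|ACK), window, csum, urg
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0) + payload


def _udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def _ethernet(payload):
    # Constructed dst/src MACs followed by EtherType 0x0800 (IPv4)
    return bytes.fromhex("00112233445566778899aabb") + b"\x08\x00" + payload


def write_pcap(path, frames):
    # Same file layout tcpdump -w produces: 24-byte global header, then a 16-byte record header per packet
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    # Yields (timestamp, frame bytes) for each record, which is what tcpdump -r walks through
    with open(path, "rb") as f:
        magic, *_, linktype = struct.unpack("<IHHiIII", f.read(24))
        if magic != 0xA1B2C3D4 or linktype != LINKTYPE_ETHERNET:
            raise ValueError("unsupported pcap (expected little-endian magic and Ethernet link type)")
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                return
            ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", rec)
            yield ts_sec + ts_usec / 1e6, f.read(incl_len)


def decode(frame):
    # Returns (proto, src_ip, dst_ip, sport, dport) for IPv4 TCP/UDP frames, else None
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4          # IP header length in bytes
    proto = frame[23]                     # IP protocol field (offset 9 in the IP header)
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    l4 = frame[14 + ihl:]
    if proto not in (IPPROTO_TCP, IPPROTO_UDP) or len(l4) < 4:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    return proto, src, dst, sport, dport


def matches(decoded, proto, port):
    # Equivalent of the BPF primitives 'tcp port N' / 'udp port N': either endpoint port may match
    return decoded is not None and decoded[0] == proto and port in (decoded[3], decoded[4])


def filter_pcap(path, proto, port):
    hits = []
    for _ts, frame in read_pcap(path):
        d = decode(frame)
        if matches(d, proto, port):
            hits.append(d)
    return hits


def demo_capture(path=None):
    # Constructed traffic: an HTTP request/response pair, one DNS query, one SSH packet (matches neither filter)
    frames = [
        _ethernet(_ipv4("10.0.0.5", "93.184.216.34", IPPROTO_TCP, _tcp(51234, 80, b"GET / HTTP/1.1\r\n"))),
        _ethernet(_ipv4("93.184.216.34", "10.0.0.5", IPPROTO_TCP, _tcp(80, 51234, b"HTTP/1.1 200 OK\r\n"))),
        _ethernet(_ipv4("10.0.0.5", "10.0.0.1", IPPROTO_UDP, _udp(40000, 53, b"\x00" * 12))),
        _ethernet(_ipv4("10.0.0.5", "10.0.0.9", IPPROTO_TCP, _tcp(51235, 22))),
    ]
    path = path or Path(tempfile.gettempdir()) / "capture_example.pcap"
    write_pcap(path, frames)
    return {
        "total": sum(1 for _ in read_pcap(path)),
        "tcp port 80": len(filter_pcap(path, IPPROTO_TCP, 80)),
        "udp port 53": len(filter_pcap(path, IPPROTO_UDP, 53)),
    }


if __name__ == "__main__":
    print(demo_capture())
```

Running the script writes the four constructed frames, then reports 4 records in total, 2 matching `tcp port 80` (request and response, because the port primitive checks both ends) and 1 matching `udp port 53`. The same counts are what `tcpdump -r` would print for those filters on an equivalent capture; the hand-written decoder only handles IPv4 over Ethernet, which is enough to see why a filter on port 80 alone also catches the server-to-client half of an HTTP exchange.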
By completing this exercise, I gained hands-on experience identifying network interfaces, using tcpdump filters for both live and recorded traffic, interpreting packet details, and saving/loading pcap files. These skills are fundamental for efficient command-line packet analysis in a Linux environment.