1
00:00:00,000 --> 00:00:17,260
Hey guys and welcome back. So there is one more command that we want to learn about with

2
00:00:17,260 --> 00:00:24,080
respect to this current exam objective, and that command is tcpdump. So if we go into

3
00:00:24,080 --> 00:00:28,920
the man page for tcpdump, we can see here that this is going to allow us to dump traffic

4
00:00:28,920 --> 00:00:33,560
on a network. Simply put, this is going to allow us to see the contents of packets on

5
00:00:33,560 --> 00:00:39,079
a network interface. So you can conceptualize this as a type of packet sniffer, allowing

6
00:00:39,079 --> 00:00:44,840
us to view traffic traversing our local network. Now one thing to say here is that even though

7
00:00:44,840 --> 00:00:50,760
the name happens to suggest that all tcpdump will do is allow you to capture TCP-based

8
00:00:50,760 --> 00:00:56,799
traffic, that is really more the common use of the tool. Indeed, it can also support capturing

9
00:00:56,799 --> 00:01:03,399
things like UDP and ICMP, and so on and so forth. So don't let the name fool you, is what I'm saying.

10
00:01:03,399 --> 00:01:08,759
Now let's just have a brief look at how we can use this tool. What we could just say is

11
00:01:08,759 --> 00:01:13,879
tcpdump, and if we hit enter, of course I have to use superuser privileges. I'm always forgetting

12
00:01:13,879 --> 00:01:18,959
that. Let's type in my password. Look at all this information blasting down the screen right now.

13
00:01:18,959 --> 00:01:23,799
Okay. So what I'm going to do is I'm going to press Ctrl-Z to stop this. Clearly we have way

14
00:01:23,840 --> 00:01:28,759
too much information, but the good news is that with tcpdump we can actually control

15
00:01:28,759 --> 00:01:34,959
the output. Just like we could with the ping command, we can specify the count, i.e. the

16
00:01:34,959 --> 00:01:40,400
number of packets we want to capture. So I could say tcpdump and I could say -c, and of course

17
00:01:40,400 --> 00:01:46,879
I'd better use superuser privileges. Forgetting that again. And I'll say -c with the value 10,

18
00:01:46,879 --> 00:01:53,200
i.e. just capture and print 10 packets. If I hit enter, check this out now. We just captured

19
00:01:53,240 --> 00:01:59,840
10 packets and printed them out. Now realistically, if you happen to have multiple interfaces,

20
00:01:59,840 --> 00:02:06,120
maybe say interface ethernet zero, interface ethernet one, interface ethernet two, so on

21
00:02:06,120 --> 00:02:11,599
and so forth, you may want to be picky and actually select a particular interface on

22
00:02:11,599 --> 00:02:16,520
which to listen. So what we could do here is say sudo tcpdump, and we could use the

23
00:02:16,520 --> 00:02:21,960
-i flag and then specify a particular interface. Now, as it transpires, I only have one

24
00:02:21,960 --> 00:02:27,520
Ethernet interface, that is enp0s3. So if I hit enter, we're going to get the same information

25
00:02:27,520 --> 00:02:32,040
blasting on through. But you'll be happy to know we can actually combine and chain these commands

26
00:02:32,040 --> 00:02:36,640
like a count of maybe say seven packets, but do a space there actually, so that we're only

27
00:02:36,640 --> 00:02:41,200
going to target a particular interface for a count of seven. So if I hit enter now, we can

28
00:02:41,200 --> 00:02:47,159
particularly home in on this traffic traversing the local network. Now you may notice here that

29
00:02:47,159 --> 00:02:52,199
we're getting information relating to IP, the protocol, but also getting information relating

30
00:02:52,199 --> 00:02:57,159
to the particular sockets, i.e. the IP address and the port number. We can actually filter this

31
00:02:57,159 --> 00:03:02,800
information if we so wish. So let's say I wanted to exert a little bit more control, I could say

32
00:03:02,800 --> 00:03:10,240
sudo tcpdump. And all I want to get is information coming from a particular source. So I could say

33
00:03:10,560 --> 00:03:18,480
src 192.168.0.1. And if I hit enter, we're just going to be listening for traffic that is sourced

34
00:03:18,480 --> 00:03:24,200
from this IP address. Now as it transpires, it doesn't seem like much is coming through on that IP

35
00:03:24,200 --> 00:03:28,760
address. So what I'll do is I'll just stop this right now. Let me try it with the IP address of

36
00:03:28,760 --> 00:03:36,480
source 0.39. And I will count for 20 packets. Now look at this here. We've just pulled out 20 packet

37
00:03:36,479 --> 00:03:41,359
captures that are sourced from this particular IP address. And we can see the port number here.

38
00:03:41,359 --> 00:03:50,560
And it's going to my IP, .ssh. Simply put, this is my Windows machine, establishing this SSH

39
00:03:50,560 --> 00:03:55,799
connection. And all we're doing here is sniffing that out. Similarly, I could say sudo tcpdump,

40
00:03:55,799 --> 00:04:02,919
and I could target traffic going for a particular destination by using the dst keyword. And I will

41
00:04:02,919 --> 00:04:09,560
give my IP address. So any traffic that is destined for me, there is my IP address. And I will say

42
00:04:09,560 --> 00:04:15,639
a count of 25 packets. If I enter, we're getting the same type of information; we are filtering on

43
00:04:15,639 --> 00:04:23,199
anything that is coming to this IP address as a destination. Now if I want to target maybe say a

44
00:04:23,199 --> 00:04:30,319
port, I could say sudo tcpdump, and I could find absolutely anything that is destined for port number

45
00:04:30,360 --> 00:04:36,439
22. And again, I'll just say -c to capture maybe 15 packets. If I enter, we are seeing all the

46
00:04:36,439 --> 00:04:40,560
connections, which in this case just happen to be coming from the one computer. But if there were

47
00:04:40,560 --> 00:04:46,519
multiple connections, we would capture them all here. So long as that connection had a destination

48
00:04:46,519 --> 00:04:53,839
port of 22, i.e. the connection was an SSH-based connection, which is port number 22. Similarly,

49
00:04:53,839 --> 00:04:59,159
if I want to maybe grab anything that is sourced from this port, we'll get the same information

50
00:04:59,200 --> 00:05:07,800
just a different way. So I'll say from the source port of 49763, and I'll just capture four packets,

51
00:05:07,800 --> 00:05:13,560
if I enter, same type of deal. So lots of ways to control this data, as opposed to just saying

52
00:05:13,560 --> 00:05:18,960
tcpdump and being absolutely overwhelmed by the constant stream of information, particularly if

53
00:05:18,960 --> 00:05:24,440
you happen to be on a large network, where there are tons and tons of devices all communicating. So

54
00:05:24,439 --> 00:05:30,199
the tcpdump command is indeed very, very useful for being able to monitor traffic traversing your

55
00:05:30,199 --> 00:05:34,920
local network. Like I say, there are many more options that we have left unexplored. If you go

56
00:05:34,920 --> 00:05:39,120
through the man page, you can see all these different switches to control the particular

57
00:05:39,120 --> 00:05:44,800
outputs. We can do things like the -w flag, which will allow us to actually write the data

58
00:05:44,800 --> 00:05:50,920
to a particular file as opposed to printing that data onto the terminal screen. And when you happen

59
00:05:50,960 --> 00:05:56,280
to create one of these files, it's actually going to be written in binary. So if you want to be able

60
00:05:56,280 --> 00:06:02,680
to read that file afterwards, you can then use the -r flag to read that packet capture file. But

61
00:06:02,680 --> 00:06:08,319
like I say, there are a whole ton of different options available using the tcpdump command. And

62
00:06:08,319 --> 00:06:14,720
as always, I'd recommend you do some exploration and labbing on your own. Okay, so that is us for

63
00:06:14,720 --> 00:06:19,319
our introduction to the tcpdump command. I hope this has been informative for you. And I'd like

64
00:06:19,319 --> 00:06:20,560
to thank you for viewing.
