CyberSchool Module 4 · Packet Analysis
Home › Module 4 › Packet Analysis
Lesson 6

Packet Analysis: Wireshark & tcpdump

Nmap told you which doors are open. Packet analysis lets you read the actual conversations going through them — the individual letters as they travel. This is how you prove what really happened on a network, whether you're debugging, defending, or investigating.

Introduction — what is a packet capture?

Every message on a network is broken into small chunks called packets (recall Lesson 3). A packet capture (or “pcap”) is a recording of those packets as they pass your network card, so you can replay and study them.

Analogy — A recording of a phone call Nmap tells you two people are on the phone. A packet capture is a recording of the whole call — you can hear every word, who spoke first, and where the line went quiet. Wireshark is the player that lets you scrub back and forth and read the transcript.
Capture only your own traffic Recording other people's traffic without permission is wiretapping and is illegal. Capture only on networks and machines you own or are authorised to monitor — in this course, your own lab.

Two tools, one job

ToolWhat it isBest for
tcpdumpA command-line capture toolServers, quick captures, remote machines with no screen
WiresharkA graphical analyser with colour, filters and decodingDeep visual analysis, learning, following conversations

A common professional workflow is to capture with tcpdump on a remote server, then open the file in Wireshark on your laptop to study it.

Tool deep dive: tcpdump

tcpdump ships with Kali. It prints (or saves) packets matching a filter.

$ sudo tcpdump -D # list capture interfaces (eth0, wlan0, any) $ sudo tcpdump -i eth0 # capture live on eth0 (Ctrl+C to stop) $ sudo tcpdump -i eth0 -n port 80 # only web traffic; -n = don't resolve names $ sudo tcpdump -i eth0 -w capture.pcap # save raw packets to a file for Wireshark $ sudo tcpdump -r capture.pcap # read a saved capture back

Filters are how you cut through noise: host 192.168.56.101, port 22, tcp, or combined like host 192.168.56.101 and port 80.

Tool deep dive: Wireshark

What it is & why it exists

Wireshark is the world's most popular network analyser. It captures packets and decodes them into a readable, colour-coded list, understanding hundreds of protocols so you don't have to read raw bytes. It exists because staring at hex is painful — Wireshark turns raw traffic into a story.

Install & launch

$ sudo apt update && sudo apt install wireshark $ wireshark & # launch the graphical app

The three panes

Once capturing, Wireshark shows three stacked panes:

Display filters (the real skill)

Type these into the green filter bar to show only what matters:

FilterShows only
ip.addr == 192.168.56.101Traffic to/from that host
tcp.port == 443HTTPS traffic
httpWeb requests and responses
dnsName lookups
tcp.flags.syn == 1 && tcp.flags.ack == 0Connection start (SYN) packets
Follow the conversation Right-click any packet → Follow → TCP Stream. Wireshark stitches every packet of that conversation into one readable transcript — the single most useful button in the whole program.
Try It Yourself (practice terminal)

Try: tcpdump -D, tcpdump -i eth0 -n port 80, or tcpdump -r capture.pcap.

kali@lab: ~
Capture practice. Try a command below.
kali@lab:~$
Practical Exercise 6.1 — Catch a login in the act

Goal: prove why unencrypted protocols are dangerous, by capturing a plain-text login on your own lab. This shows exactly what Module 9 (cryptography) later fixes.

  1. Start a capture on your lab interface:
    $ sudo tcpdump -i eth0 -w login.pcap host 192.168.56.101
  2. From another terminal, connect to a plain FTP or Telnet service on your Metasploitable target and log in with the test account (these old protocols send passwords unencrypted on purpose, which is what we're demonstrating).
  3. Stop the capture (Ctrl + C) and open it:
    $ wireshark login.pcap
  4. Filter with ftp (or telnet), right-click a packet → Follow → TCP Stream.
    Result: you'll see the username and password in plain text. Now repeat the idea over ssh (port 22) and confirm it's unreadable — that contrast is the whole argument for encryption.
Quick check: Which Wireshark feature reassembles all packets of one conversation into a readable transcript?
Packet bytes pane
Follow → TCP Stream
Interface list (-D)
The colour rules
Follow → TCP Stream stitches a whole conversation together — the fastest way to read what two hosts actually said.
Why does this matter for your career? Packet analysis is the daily bread of SOC analysts, network engineers, and incident responders. When an alarm fires, the capture is the ground truth. Wireshark skills appear across Security+, CCNA, and CEH, and “can you read a pcap?” is a standard interview question.

Key takeaways

  • A packet capture records traffic so you can replay and study it.
  • tcpdump captures on the command line; Wireshark analyses visually.
  • Filters (http, ip.addr==, tcp.port==) cut the noise.
  • Follow TCP Stream reveals whole conversations — and why unencrypted protocols are unsafe.