Packet Analysis: Wireshark & tcpdump
Nmap told you which doors are open. Packet analysis lets you read the actual conversations going through them — the individual letters as they travel. This is how you prove what really happened on a network, whether you're debugging, defending, or investigating.
Introduction — what is a packet capture?
Every message on a network is broken into small chunks called packets (recall Lesson 3). A packet capture (or “pcap”) is a recording of those packets as they pass your network card, so you can replay and study them.
Two tools, one job
| Tool | What it is | Best for |
|---|---|---|
| tcpdump | A command-line capture tool | Servers, quick captures, remote machines with no screen |
| Wireshark | A graphical analyser with colour, filters and decoding | Deep visual analysis, learning, following conversations |
A common professional workflow is to capture with tcpdump on a remote server, then open the file in Wireshark on your laptop to study it.
Tool deep dive: tcpdump
tcpdump ships with Kali. It prints (or saves) packets matching a filter.
Filters are how you cut through noise: host 192.168.56.101, port 22, tcp, or combined like host 192.168.56.101 and port 80.
Tool deep dive: Wireshark
What it is & why it exists
Wireshark is the world's most popular network analyser. It captures packets and decodes them into a readable, colour-coded list, understanding hundreds of protocols so you don't have to read raw bytes. It exists because staring at hex is painful — Wireshark turns raw traffic into a story.
Install & launch
The three panes
Once capturing, Wireshark shows three stacked panes:
- Packet list (top) — one row per packet: time, source, destination, protocol.
- Packet details (middle) — that packet expanded by OSI layer (Ethernet → IP → TCP → HTTP). This is the OSI model made visible.
- Packet bytes (bottom) — the raw data in hex and text.
Display filters (the real skill)
Type these into the green filter bar to show only what matters:
| Filter | Shows only |
|---|---|
| ip.addr == 192.168.56.101 | Traffic to/from that host |
| tcp.port == 443 | HTTPS traffic |
| http | Web requests and responses |
| dns | Name lookups |
| tcp.flags.syn == 1 && tcp.flags.ack == 0 | Connection start (SYN) packets |
Try: tcpdump -D, tcpdump -i eth0 -n port 80, or tcpdump -r capture.pcap.
Goal: prove why unencrypted protocols are dangerous, by capturing a plain-text login on your own lab. This shows exactly what Module 9 (cryptography) later fixes.
- Start a capture on your lab interface:
$ sudo tcpdump -i eth0 -w login.pcap host 192.168.56.101
- From another terminal, connect to a plain FTP or Telnet service on your Metasploitable target and log in with the test account (these old protocols send passwords unencrypted on purpose, which is what we're demonstrating).
- Stop the capture (Ctrl + C) and open it:
$ wireshark login.pcap
- Filter with ftp (or telnet), right-click a packet →
Follow → TCP Stream.
Result: you'll see the username and password in plain text. Now repeat the idea over ssh (port 22) and confirm it's unreadable — that contrast is the whole argument for encryption.
Key takeaways
- A packet capture records traffic so you can replay and study it.
- tcpdump captures on the command line; Wireshark analyses visually.
- Filters (http, ip.addr==, tcp.port==) cut the noise.
- Follow TCP Stream reveals whole conversations — and why unencrypted protocols are unsafe.