Credential Sniffing with TCPDump

Posted by on May 10, 2019 at 7:05 pm.

What is TCPDump?

Tcpdump is a packet analyzer, or more technically a packet sniffer: a command-line utility that captures and logs the TCP/IP traffic passing between the network and the computer on which it runs.

With the tcpdump command we can capture live TCP/IP packets, and those packets can also be saved to a file and analyzed later with tcpdump itself. This makes tcpdump very handy for troubleshooting at the network level.

Who uses TCPDump, and why?

TCPDump is used by traffic analysts to monitor the packets that pass between hosts on a network. From the dumped output, the analyst can also inspect the details of each packet.

Where and when to use TCPDump?

TCPDump is mostly used when an analyst wants to see the log of TCP/IP traffic on a network, including the contents of the packets.

How to use TCPDump (PRACTICE)

TCPDump – to dump the captured packets in .pcap format

Link: http://www.tcpdump.org/#latest-release

Wireshark – to open the dump produced by TCPDump

Scenario – we aim to see the credentials transferred by a login request on a website (techpanda.org)

  1. Look up the target's virtual machine and find its IP address with ifconfig.
  2. On the main virtual machine, type “echo 1 > /proc/sys/net/ipv4/ip_forward”, and after that “arpspoof -t [target ip] [router ip]”.
  3. Then open two new console tabs; in one, type “arpspoof -t [router ip] [target ip]”.
  4. In the other tab, type “tcpdump -vvn -i eth0 src [target ip] -w [filename].pcap”.
  5. Start browsing in the other virtual machine: go to techpanda.org, fill in the login form (type anything into the fields) and submit it. After the login attempt, stop the tcpdump console tab.
  6. The .pcap file will be created in the home folder.
  7. Open the .pcap file with the Wireshark application.
  8. Find the HTTP packet whose Info column reads POST /index.php.
  9. The details of the visited website will be shown, such as the domain and even the credentials typed into the form.
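The arpspoof step above works by sending ARP replies that claim the router's IP address for the attacker's MAC, so a defender watching the same segment can spot it when one IP is claimed by two different MACs. As an added example that is not part of the original post, the following Python parses raw Ethernet/ARP frames (constructed inline here, with hypothetical MAC and IP values) and flags such conflicts:

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def parse_arp_reply(frame: bytes):
    """Return (sender_ip, sender_mac) if the frame is an Ethernet/ARP reply, else None."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper != ARP_REPLY:
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return sender_ip, sender_mac


def detect_arp_conflicts(frames):
    """Track IP -> MAC bindings seen in ARP replies; report IPs later claimed by a second MAC."""
    bindings = {}
    alerts = []
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed is None:
            continue
        ip, mac = parsed
        known = bindings.setdefault(ip, mac)
        if known != mac:
            alerts.append((ip, known, mac))
    return alerts


# Constructed sample frames (not real captures). Router 192.168.1.1 is aa:bb:cc:dd:ee:01,
# victim 192.168.1.10 is aa:bb:cc:dd:ee:02, and a third host aa:bb:cc:dd:ee:99 also
# answers for the router's IP, which is the pattern an ARP spoofing tool produces.
SAMPLE_FRAMES = [
    # legitimate reply: router tells victim "192.168.1.1 is at ...ee:01"
    bytes.fromhex("aabbccddee02aabbccddee0108060001080006040002aabbccddee01c0a80101aabbccddee02c0a8010a"),
    # an IPv4 frame, ignored by the detector
    bytes.fromhex("aabbccddee01aabbccddee020800") + b"\x00" * 28,
    # conflicting reply: ...ee:99 tells victim "192.168.1.1 is at ...ee:99"
    bytes.fromhex("aabbccddee02aabbccddee9908060001080006040002aabbccddee99c0a80101aabbccddee02c0a8010a"),
    # legitimate reply: victim tells router "192.168.1.10 is at ...ee:02"
    bytes.fromhex("aabbccddee01aabbccddee0208060001080006040002aabbccddee02c0a8010aaabbccddee01c0a80101"),
]

if __name__ == "__main__":
    for ip, old_mac, new_mac in detect_arp_conflicts(SAMPLE_FRAMES):
        print(f"ALERT: {ip} was {old_mac}, now also claimed by {new_mac}")
```

On a real network the frames would come from a capture file or a raw socket on the monitoring host; the same binding table then catches the moment the router's IP changes MAC.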

Conclusion and Solution

As discussed above, TCPDump is a powerful tool to see, inspect, or analyze the packets transferred across a network. It can reveal crucial details of a data transfer, such as an account's login credentials when they are sent over plain HTTP.

The best protection against this kind of sniffing is to always check the security of a website in the browser (that it is served over HTTPS) and to decide on that basis whether to enter important credentials on the site at all.
