The tcpdump utility exists on Ubuntu and kali by default, though we will confirm your setup below.
Note: Try to use a modern version of tcpdump so you get the new --print parameter which allows you to see the packets in realtime even while writing (-w) to file.
For Windows users, be sure to watch the great tutorials from this teacher who is amazing. In the first hour you will learn how to setup your interface like a pro.
#link to youtube playlist
https://youtu.be/OU-A2EmVrKQ
Note: Even if you do not use Windows, you might consider presenting captures with WireShark because it looks great.
You can optionally keep everything in one folder, but here we break things out to organize your traces, etc. By using the ~ symbol the new folder is placed in your home directory for the examples below.
#make directory
mkdir ~/captures
#optional
mkdir ~/describe
#optional
mkdir ~/netstats
Note: The describe folder is for optionally adding text files or otherwise echoing notes about any current sessions being sniffed. The netstats folder is optional as well, but great for collecting general network info with netstat and saving it in a logical place. We talk about netstat later.
The following will return [installed] if you have the package already.
sudo apt list tcpdump
This is important if you want the new --print parameter which is awesome. It comes with the tcpdump that is on Ubuntu 22.04 and also on Kali Linux, but users of Ubuntu 20.04 will have an older version of tcpdump which does not have the --print parameter yet.
tcpdump --version
This is included by default, but if somehow you need it, you can install tcpdump with the following command.
sudo apt install tcpdump
Note: If you already have the package, no action will be taken.
Optionally, we can use which to see the location of tcpdump.
which tcpdump
Note: Typically you will simply type tcpdump and will not need the path when running it.
From here on, we will need sudo since this is required for tcpdump.
#optional - warm up your sudo by running sync or some other command
sudo sync
We can press CTRL+l to quickly clear the screen, or type the clear command.
#clear the screen
clear
This does not require sudo but do not forget to use sudo later when actually capturing.
tcpdump -D
mike@ubuntu03:~$ tcpdump -D
1.enp3s0 [Up, Running]
2.lo [Up, Running, Loopback]
3.any (Pseudo-device that captures on all interfaces) [Up, Running]
4.virbr0 [Up]
5.bluetooth-monitor (Bluetooth Linux Monitor) [none]
6.nflog (Linux netfilter log (NFLOG) interface) [none]
7.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
8.wlp4s0 [none]
9.bluetooth0 (Bluetooth adapter number 0) [none]
10.virbr0-nic [none]
mike@ubuntu03:~$
Now comes the sudo requirement. If you forget sudo the command will simply not run, so you will notice it.
sudo tcpdump -i 1
Note: In the above, the interface parameter (-i) specifies value of 1 to tell tcpdump to use the ethernet adapter known as enp3s0,
Tip: Your adapter name may vary compared to the example, so be sure to choose the desired adapter number from your list as outputted from tcpdump -D.)
sudo tcpdump -i 1 -w ./capture.pcap
Note: In the above, a file will be created called "capture" in the current directory ./ with a file extension of .pcap (though you can use any extension name you like).
This example appends the date/time in UTC by using -u parameter of date).
sudo tcpdump -i 1 -w ./capture-$(date -u +"%FT%H%MZ").pcap
Tip: The above date formatting should be fine, but if needed check out https://unix.stackexchange.com/questions/278939/how-do-you-put-date-and-time-in-a-file-name.
Since tcpdump uses the standard format you can simply open in WireShark or your with your favorite viewer.
There are many paramters to limit the file size and rotate, etc. so be see to check the man page.
man tcpdump
If you do not have tmux yet, you might like having this for opening multiple terminals with various horizontal and vertical splits. It takes a bit of getting used to, but nonetheless.
#installing tmux
sudo apt install tmux
#launching
tmux new
#interactive help and menu list
press CTRL+B and then ?
#more help
man tmux
#common commands (after pressing CTRL+B)
" (horizonal split)
% (vertical split)
o (move the cursor "over" one terminal)
c (create new window)
0 switch to first windows
1 switch to second window
You can optionally watch logs as well, which is great to do on a new system so you understand the normal and expected log entries, etc.
#follow the logs in realtime
journalctl -f
#show all of today's logs merged
journalctl -m --since=today
#ignore alerts about blacklisted sites (if you use a hosts boot list)
journalctl -m --since=today | grep -v '/etc/hosts' |more
This example writes one time using the current date and time to a directory called netstats (but name as desired for your path).
mkdir ~/netstats
netstat > ~/netstats/netstat-$(hostname)-$(date -u +"%FT%H%MZ").txt
Using tcpdump or wireshark to baseline systems is great. It is also valuable to collect or review other logging such as journalctl in Linux or eventvwr in Windows.