Packet Sniffing with tcpdump

Learn network reconnaissance and packet analysis

What is Penetration Testing?

Penetration testing is authorized hacking: security professionals attack systems, with the owner's permission, to find vulnerabilities before real attackers do. The process includes reconnaissance (gathering information), scanning (finding weak points), gaining access (exploiting vulnerabilities), and reporting findings.

Packet sniffing fits into the reconnaissance and scanning phases. By capturing and analyzing network traffic, pentesters can discover active hosts, services, protocols, and even sensitive data being transmitted.

What is Packet Sniffing?

Packet sniffing is capturing and analyzing network traffic. Every time you browse the web, send an email, or stream a video, your computer sends and receives data in small chunks called "packets." A packet sniffer intercepts these packets so you can see what's being transmitted.

Why It Matters

Network traffic analysis reveals:

If you capture HTTP traffic (unencrypted web), you might see usernames, passwords, and session cookies in plain text. This is why HTTPS is critical.

The Tools

tcpdump - Command-Line Sniffer

tcpdump is a powerful CLI tool for Linux, macOS, and Windows. It's lightweight, fast, and perfect for capturing packets on remote servers.

Wireshark - GUI Analyzer

Wireshark provides a user-friendly interface for analyzing captured packets. It can read tcpdump files and offers advanced filtering and visualization.

This tutorial focuses on tcpdump since it's available on most systems.

Using tcpdump

Basic command to capture packets on a network interface:

sudo tcpdump -i eth0

Filter by port (example: HTTP traffic):

sudo tcpdump -i eth0 port 80

View packet contents in ASCII:

sudo tcpdump -i eth0 -A port 80

[Screenshot: tcpdump capturing HTTP traffic on port 80]

This shows network packets in real time. You can see source and destination IPs, ports, protocols, and packet contents. During a pentest, this helps identify active hosts, services, and weaknesses such as unencrypted data transmission.
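As an added example (not part of the original tutorial), the script below reads the pcap format that `tcpdump -w capture.pcap` writes, applies the same selection as the `port 80` filter above, and flags request headers that carry credentials in the clear, which is the HTTP exposure the tutorial warns about. The capture is constructed inline (addresses, hostnames and header values are made up) so it runs without a network interface or root.

```python
import struct

# Constructed sample: plaintext HTTP login request and a TLS-looking record on 443.
HTTP_PAYLOAD = (b"GET /login HTTP/1.1\r\nHost: example.test\r\n"
                b"Authorization: Basic dXNlcjpwYXNz\r\nCookie: session=abc123\r\n\r\n")
TLS_PAYLOAD = b"\x16\x03\x01\x00\x05hello"  # opaque to a sniffer: nothing readable

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet(IPv4) + minimal IPv4 header + 20-byte TCP header + payload."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64,
                     6, 0, bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Classic libpcap file: 24-byte global header (linktype 1 = Ethernet) + records."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def iter_frames(pcap):
    off = 24                                  # skip global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        off += 16
        yield pcap[off:off + caplen]
        off += caplen

def decode(frame):
    """Return addresses, ports and TCP payload for an IPv4/TCP frame, else None."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # not IPv4, or not TCP
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp_off = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp_off)
    doff = (frame[tcp_off + 12] >> 4) * 4
    return {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
            "sport": sport, "dport": dport, "payload": frame[tcp_off + doff:]}

SENSITIVE = (b"authorization:", b"cookie:", b"password=")

def find_cleartext_credentials(pcap, port=80):
    """Equivalent of `tcpdump -A port 80`, reduced to the lines a defender cares about."""
    findings = []
    for frame in iter_frames(pcap):
        pkt = decode(frame)
        if pkt is None or port not in (pkt["sport"], pkt["dport"]):
            continue                          # same semantics as the `port 80` filter
        for line in pkt["payload"].split(b"\r\n"):
            if line.lower().startswith(SENSITIVE):
                findings.append((pkt["src"], pkt["dst"], line.decode("ascii", "replace")))
    return findings

SAMPLE_PCAP = build_pcap([build_frame("10.0.0.5", "10.0.0.1", 51000, 80, HTTP_PAYLOAD),
                          build_frame("10.0.0.5", "10.0.0.2", 51001, 443, TLS_PAYLOAD)])
```

Run `find_cleartext_credentials(SAMPLE_PCAP)` to see the two exposed headers from the port 80 flow; the same function with `port=443` returns nothing, illustrating why the HTTPS traffic gives a sniffer nothing to read.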