
Packet Capture

Some special challenges require competitors to capture packets from an endpoint. This guide covers the packet-capturing tool tcpdump as well as Wireshark.


This simulates a realistic offensive-security task: collecting data from a network. Packet captures are also invaluable for debugging networking and infrastructure problems.


tcpdump is a built-in command-line utility that captures network traffic and prints it to the terminal. For example, to show all packets on the eth0 interface, tell tcpdump to listen on that interface:

sudo tcpdump -i eth0
Eth0 Example

scribbl@rogstation:~/examples$ sudo tcpdump -i eth0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
17:32:07.557403 IP > UDP, length 44
17:32:07.633396 IP > 38921+ PTR? (45)
17:32:07.634756 IP > 0 PTR (QM)? (51)
17:32:07.635213 IP6 rogstation.mdns > ff02::fb.mdns: 0 PTR (QM)? (51)
17:32:07.640442 IP > 0 PTR (QM)? (51)
17:32:07.640689 IP6 rogstation.mdns > ff02::fb.mdns: 0 PTR (QM)? (51)
17:32:08.718973 IP > 0 PTR (QM)? (51)

Let's restrict tcpdump to traffic from a single source address and write the packets to a file instead of printing them:

sudo tcpdump -i eth0 -w packets.pcap src 
We can then read the saved capture back from the command line with a tool like tshark:

scribbl@rogstation:~/examples$ tshark -r packets.pcap
1   0.000000  MDNS 87 Standard query 0x0000 PTR _spotify-connect._tcp.local, "QM" question
2   0.000355 fe80::a6ee:2618:bd01:f6c5  ff02::fb     MDNS 107 Standard query 0x0000 PTR _spotify-connect._tcp.local, "QM" question
3   3.036792 SSDP 167 M-SEARCH * HTTP/1.1
4  12.456780 UDP 86 57621  57621 Len=44
5  45.024825 UDP 86 57621  57621 Len=44
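To make the two steps above concrete, here is an added example (not part of the original guide) that builds a small pcap file in memory from constructed UDP frames, then reads it back the way tcpdump -r and tshark -r do and applies the same src filter. Every address, port and timestamp in it is made up; the link type (EN10MB) and snapshot length (262144) match the tcpdump banner shown earlier, and the 86-byte frames correspond to the "UDP 86 ... Len=44" rows in the tshark listing.

```python
"""
Construct a tiny pcap file and read it back with a `src <ip>` filter.
Added example with constructed traffic, not a real capture from the guide.
"""
import socket
import struct
from typing import List, Tuple

LINKTYPE_ETHERNET = 1      # EN10MB, as tcpdump reports for eth0
SNAPLEN = 262144           # snapshot length shown in the guide's tcpdump banner
ETHERTYPE_IPV4 = 0x0800


def pcap_global_header() -> bytes:
    """24-byte pcap header: magic, version 2.4, tz, sigfigs, snaplen, link type."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET)


def build_udp_packet(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet + IPv4 + UDP frame with constructed MACs; checksums left at zero."""
    eth = (b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"
           + struct.pack("!H", ETHERTYPE_IPV4))
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + udp_len, 0, 0, 64, socket.IPPROTO_UDP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return eth + ip + udp + payload


def pcap_record(ts_sec: int, ts_usec: int, frame: bytes) -> bytes:
    """Per-packet header (timestamp, captured length, original length) + frame."""
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


def read_pcap(data: bytes) -> List[Tuple[float, str, str, int, int]]:
    """Parse a pcap blob into (timestamp, src, dst, ip_proto, frame_len) tuples."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"            # file written on a big-endian host
    else:
        raise ValueError("not a pcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    records = []
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34:     # too short for Ethernet + IPv4 header
            continue
        ethertype, = struct.unpack_from("!H", frame, 12)
        if ethertype != ETHERTYPE_IPV4:
            continue            # IPv6 (e.g. the ff02::fb mDNS rows) is not decoded here
        ip = frame[14:]
        src = socket.inet_ntoa(ip[12:16])
        dst = socket.inet_ntoa(ip[16:20])
        records.append((ts_sec + ts_usec / 1e6, src, dst, ip[9], incl_len))
    return records


def filter_src(data: bytes, src_ip: str) -> List[Tuple[float, str, str, int, int]]:
    """Equivalent of `tcpdump -r packets.pcap src <ip>`: keep only that source."""
    return [r for r in read_pcap(data) if r[1] == src_ip]


def sample_capture() -> bytes:
    """Three constructed UDP frames: two from 10.0.0.5, one from 10.0.0.9."""
    return (pcap_global_header()
            + pcap_record(1700000000, 557403,
                          build_udp_packet("10.0.0.5", "10.0.0.255", 57621, 57621, b"A" * 44))
            + pcap_record(1700000000, 633396,
                          build_udp_packet("10.0.0.9", "10.0.0.1", 51000, 53, b"\x00" * 45))
            + pcap_record(1700000001, 718973,
                          build_udp_packet("10.0.0.5", "10.0.0.255", 57621, 57621, b"A" * 44)))


if __name__ == "__main__":
    for ts, src, dst, proto, length in filter_src(sample_capture(), "10.0.0.5"):
        print(f"{ts:.6f} IP {src} > {dst}: proto {proto}, length {length}")
```

Writing sample_capture() to disk with open("packets.pcap", "wb") produces a file that tcpdump -r and tshark -r open normally, which is a handy way to check that a filter expression does what you expect before running it against live traffic.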


Wireshark is a graphical tool for viewing packets and inspecting their contents, and it can capture on an interface just like tcpdump. In this example, I have a ping command running in a WSL instance while Wireshark records the traffic.

Wireshark Record