Network Analysis · Forensics

tcpdump
Traffic Analysis

Demonstrated proficiency in using tcpdump to capture and analyse TCP traffic — covering installation, packet filtering, performance monitoring, security analysis, and integration with network monitoring workflows.

Tool
tcpdump · Wireshark
Protocol
TCP/IP
Use Cases
Monitoring · Forensics

Why tcpdump

tcpdump is a command-line packet analyser used by security analysts and network engineers to capture and inspect network traffic in real time. It is a foundational tool for network troubleshooting, security monitoring, and forensic investigation.

This project demonstrates the ability to install, configure, and operate tcpdump effectively — capturing traffic, applying filters, analysing packets, and producing a clear report of findings and recommendations.

tcpdump in Practice

# Install tcpdump
sudo apt-get install tcpdump

# Capture all TCP traffic on the eth0 interface
sudo tcpdump -i eth0 tcp

# Filter by source IP and destination/source port
sudo tcpdump -i eth0 src 192.168.1.10 and port 443

# Save the capture to a pcap file for offline analysis
sudo tcpdump -i eth0 -w capture.pcap

# Read a saved capture file
tcpdump -r capture.pcap

# Filter for SYN packets (start of the TCP handshake)
sudo tcpdump 'tcp[tcpflags] & tcp-syn != 0'

Project Phases

🔧 Installation & Setup

  • Installed tcpdump on the target system
  • Configured to capture TCP traffic on the correct network interface
  • Familiarised with TCP/IP protocols and common TCP-based applications

📡 Capturing Traffic

  • Started captures on the live network interface
  • Applied filters by source/destination IP, port, and protocol
  • Saved traffic to .pcap files for offline and repeated analysis

🔍 Analysis & Interpretation

  • Identified TCP three-way handshake: SYN, SYN-ACK, ACK
  • Analysed TCP flags, sequence numbers, and window sizes
  • Used Wireshark alongside tcpdump for visual packet inspection

⚡ Performance Monitoring

  • Monitored TCP round-trip times (RTT) and throughput
  • Identified retransmission patterns indicating network congestion
  • Analysed TCP window scaling and congestion control behaviour

🛡️ Security Analysis

  • Detected SYN flood patterns indicative of DDoS attacks
  • Identified suspicious connections with abnormal packet behaviour
  • Captured traffic during simulated security incidents for forensic review
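The handshake tracking and SYN-flood detection described in the Analysis and Security phases above, as an added worked example (not code from the original project). It parses the text that `tcpdump -n -tt` prints (epoch timestamps, numeric IPv4 addresses), follows each SYN / SYN-ACK / ACK exchange per connection, measures handshake RTT from the SYN to SYN-ACK gap, and flags any source that leaves more half-open connections than a threshold. The sample lines, the threshold of 3 and the IPv4-only assumption are constructed for the example.

```python
import re
from collections import defaultdict

# Matches one line of `tcpdump -n -tt` output. Assumption: IPv4 only;
# IPv6 lines ("IP6 ...") do not match and are skipped.
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]'
)

# Constructed sample: one benign client completing a handshake, and one
# source opening three connections it never completes (plus one SYN retransmit).
SAMPLE = """\
1700000000.000000 IP 10.0.0.5.51000 > 192.168.1.10.443: Flags [S], seq 1000, win 64240, options [mss 1460], length 0
1700000000.000120 IP 192.168.1.10.443 > 10.0.0.5.51000: Flags [S.], seq 2000, ack 1001, win 65160, options [mss 1460], length 0
1700000000.000250 IP 10.0.0.5.51000 > 192.168.1.10.443: Flags [.], ack 1, win 502, length 0
1700000000.100000 IP 203.0.113.7.40001 > 192.168.1.10.443: Flags [S], seq 1, win 1024, length 0
1700000000.100050 IP 192.168.1.10.443 > 203.0.113.7.40001: Flags [S.], seq 3000, ack 2, win 65160, length 0
1700000000.100100 IP 203.0.113.7.40002 > 192.168.1.10.443: Flags [S], seq 1, win 1024, length 0
1700000000.100150 IP 192.168.1.10.443 > 203.0.113.7.40002: Flags [S.], seq 3001, ack 2, win 65160, length 0
1700000000.100200 IP 203.0.113.7.40003 > 192.168.1.10.443: Flags [S], seq 1, win 1024, length 0
1700000000.100250 IP 192.168.1.10.443 > 203.0.113.7.40003: Flags [S.], seq 3002, ack 2, win 65160, length 0
1700000001.100000 IP 203.0.113.7.40001 > 192.168.1.10.443: Flags [S], seq 1, win 1024, length 0
"""


def parse_line(line):
    """Return the fields of one tcpdump line, or None if it is not a TCP/IPv4 line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"ts": float(d["ts"]), "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "flags": d["flags"]}


def analyse(lines, half_open_threshold=3):
    """Track handshakes per (client, cport, server, sport) tuple.

    Returns SYN counts per source, half-open counts per source, the sources
    at or above the threshold, SYN->SYN-ACK RTTs, and the number of completed
    handshakes.
    """
    syn_seen = {}       # tuple -> timestamp of the first SYN
    synack_seen = {}    # tuple -> timestamp of the first SYN-ACK
    completed = set()
    rtts = {}
    syn_count = defaultdict(int)
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        flags = p["flags"]
        if flags == "S":                      # client SYN (retransmits keep the first ts)
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            syn_count[p["src"]] += 1
            syn_seen.setdefault(key, p["ts"])
        elif flags == "S.":                   # server SYN-ACK; re-key from the client's side
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            if key in syn_seen and key not in synack_seen:
                synack_seen[key] = p["ts"]
                rtts[key] = p["ts"] - syn_seen[key]
        elif "." in flags and "S" not in flags and "R" not in flags:
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            if key in synack_seen:            # client's ACK completes the handshake
                completed.add(key)
    half_open = defaultdict(int)
    for key in syn_seen:
        if key not in completed:
            half_open[key[0]] += 1
    suspects = sorted(src for src, n in half_open.items() if n >= half_open_threshold)
    return {"syn_count": dict(syn_count), "half_open": dict(half_open),
            "suspects": suspects, "rtts": rtts, "completed": len(completed)}


def run_sample():
    return analyse(SAMPLE.splitlines())


if __name__ == "__main__":
    import sys
    result = analyse(sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines())
    for src, n in sorted(result["half_open"].items()):
        print(f"{src}: {n} half-open connection(s), {result['syn_count'][src]} SYN(s)")
    print("suspects:", result["suspects"])
    for key, rtt in result["rtts"].items():
        print(f"handshake RTT {key[0]}:{key[1]} -> {key[2]}:{key[3]} = {rtt * 1000:.3f} ms")
```

Feed it live output with `sudo tcpdump -n -tt -i eth0 tcp | python3 synwatch.py` (file name is a placeholder), or a saved capture via `tcpdump -n -tt -r capture.pcap`. The half-open count is per connection tuple rather than per packet, so a single client retransmitting its SYN is not mistaken for many connections; the RTT figures come from the same state and give the latency baseline the Performance Monitoring phase refers to.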

📄 Documentation

  • Documented all commands used with filters and rationale
  • Summarised findings including anomalies and threats identified
  • Produced recommendations for network optimisation and security improvements

What This Demonstrates

  • Practical proficiency with tcpdump — installation, interface configuration, filtering, and packet capture.
  • Understanding of the TCP three-way handshake and how to read SYN, SYN-ACK, and ACK packets to understand communication patterns.
  • Ability to apply filters to isolate specific traffic streams by IP, port, protocol, and TCP flag — essential for efficient analysis in noisy environments.
  • Security analysis skills — detecting SYN floods, TCP hijacking patterns, and other anomalous behaviour from captured traffic.
  • Performance monitoring knowledge — identifying bottlenecks through RTT, retransmission rates, and congestion window analysis.
  • Awareness of compliance considerations when capturing network traffic — data privacy regulations and organisational policies.