Network Analysis · Forensics
tcpdump
Traffic Analysis
Demonstrated proficiency in using tcpdump to capture and analyse TCP traffic — covering installation, packet filtering, performance monitoring, security analysis, and integration with network monitoring workflows.
Objective
Why tcpdump
tcpdump is a command-line packet analyser used by security analysts and network engineers to capture and inspect network traffic in real time. It is a foundational tool for network troubleshooting, security monitoring, and forensic investigation.
This project demonstrates the ability to install, configure, and operate tcpdump effectively — capturing traffic, applying filters, analysing packets, and producing a clear report of findings and recommendations.
Commands Used
tcpdump in Practice
# Install tcpdump (Debian/Ubuntu package)
sudo apt-get install tcpdump
# Capture all TCP traffic on the eth0 interface; -nn keeps addresses and ports numeric
# so no DNS lookups slow the capture or leak the hosts being investigated
sudo tcpdump -nn -i eth0 tcp
# Filter by source IP and port 443 (port matches either direction)
sudo tcpdump -nn -i eth0 src 192.168.1.10 and port 443
# Save full packets to a pcap file for offline analysis (no decoding on the capture host)
sudo tcpdump -i eth0 -w capture.pcap
# Read a saved capture file (root is not needed to read a file)
tcpdump -nn -r capture.pcap
# Match every packet with the SYN bit set, which includes SYN-ACK replies
sudo tcpdump -nn -i eth0 'tcp[tcpflags] & tcp-syn != 0'
# Match only the initial SYN of the three-way handshake (SYN set, ACK clear)
sudo tcpdump -nn -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
Methodology
Project Phases
🔧 Installation & Setup
- Installed tcpdump on the target system
- Configured to capture TCP traffic on the correct network interface
- Familiarised with TCP/IP protocols and common TCP-based applications
📡 Capturing Traffic
- Started captures on the live network interface
- Applied filters by source/destination IP, port, and protocol
- Saved traffic to .pcap files for offline and repeated analysis
🔍 Analysis & Interpretation
- Identified TCP three-way handshake: SYN, SYN-ACK, ACK
- Analysed TCP flags, sequence numbers, and window sizes
- Used Wireshark alongside tcpdump for visual packet inspection
⚡ Performance Monitoring
- Monitored TCP round-trip times (RTT) and throughput
- Identified retransmission patterns indicating network congestion
- Analysed TCP window scaling and congestion control behaviour
🛡️ Security Analysis
- Detected SYN flood patterns indicative of DDoS attacks
- Identified suspicious connections with abnormal packet behaviour
- Captured traffic during simulated security incidents for forensic review
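The handshake reconstruction, RTT and retransmission counting from the analysis and performance phases, and the half-open-connection count that flags a SYN flood from the security phase, as one added Python example. This is not code from the original project: it parses the text output of `tcpdump -nn -tt -S tcp` (numeric addresses, epoch timestamps, absolute sequence numbers), tracks each connection through SYN, SYN-ACK and ACK, and reports which source addresses leave handshakes incomplete. The sample lines, the addresses in them and the threshold of five incomplete handshakes per source are constructed assumptions.

```python
"""Triage TCP handshakes from tcpdump text output.

Reads the one-line-per-packet format of `tcpdump -nn -tt -S tcp` and reports
completed handshakes, handshake RTT, retransmissions and half-open connections
per source, the pattern a SYN flood leaves behind.
Live use:  sudo tcpdump -l -nn -tt -S -i eth0 tcp | python3 tcp_triage.py -
"""
import re
import sys
from collections import defaultdict

# One tcpdump TCP line. seq/ack are optional because pure ACKs print no seq.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?"
    r".*length (?P<length>\d+)$"
)


def parse_line(line):
    """Return a packet dict for a tcpdump TCP line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return {
        "ts": float(g["ts"]),
        "src": (g["src"], int(g["sport"])),
        "dst": (g["dst"], int(g["dport"])),
        "flags": g["flags"],
        "seq": int(g["seq"]) if g["seq"] else None,
        "length": int(g["length"]),
    }


class TcpTriage:
    def __init__(self, half_open_threshold=5):
        self.flows = {}  # endpoint pair -> handshake state of that connection
        self.retransmissions = 0
        self.half_open_threshold = half_open_threshold  # assumption, tune per network

    def feed(self, line):
        pkt = parse_line(line)
        if pkt is None:
            return
        key = tuple(sorted((pkt["src"], pkt["dst"])))  # both directions share one entry
        flags, flow = pkt["flags"], self.flows.get(key)
        if flags == "S":  # step 1: client SYN
            if flow is not None and flow["state"] == "SYN_SENT":
                self.retransmissions += 1  # SYN retry, no SYN-ACK arrived
                return
            self.flows[key] = {"client": pkt["src"], "server": pkt["dst"],
                               "state": "SYN_SENT", "syn_ts": pkt["ts"],
                               "rtt": None, "seen": set()}
            return
        if flow is None:
            return  # mid-stream packet, handshake was not captured
        if "R" in flags:
            flow["state"] = "RESET"
            return
        if flags == "S." and pkt["src"] == flow["server"]:  # step 2: server SYN-ACK
            if flow["state"] == "SYN_SENT":
                flow["state"] = "SYN_RECEIVED"
                flow["rtt"] = pkt["ts"] - flow["syn_ts"]  # handshake round-trip
            else:
                self.retransmissions += 1  # repeated SYN-ACK, client never ACKed
            return
        if flow["state"] == "SYN_RECEIVED" and pkt["src"] == flow["client"] and "." in flags:
            flow["state"] = "ESTABLISHED"  # step 3: client ACK
        if pkt["length"] > 0 and pkt["seq"] is not None:
            marker = (pkt["src"], pkt["seq"])
            if marker in flow["seen"]:
                self.retransmissions += 1  # same data segment sent twice
            else:
                flow["seen"].add(marker)

    def report(self):
        incomplete = defaultdict(int)  # source IP -> handshakes that never completed
        rtts, established = [], 0
        for flow in self.flows.values():
            if flow["state"] == "ESTABLISHED":
                established += 1
                rtts.append(flow["rtt"])
            elif flow["state"] in ("SYN_SENT", "SYN_RECEIVED"):
                incomplete[flow["client"][0]] += 1
        return {
            "established": established,
            "retransmissions": self.retransmissions,
            "avg_handshake_rtt_ms": round(sum(rtts) / len(rtts) * 1000, 3) if rtts else None,
            "half_open_by_source": dict(incomplete),
            "syn_flood_suspects": sorted(ip for ip, n in incomplete.items()
                                         if n >= self.half_open_threshold),
        }


def triage_lines(lines, half_open_threshold=5):
    """Run the triage over an iterable of tcpdump lines and return the report."""
    triage = TcpTriage(half_open_threshold)
    for line in lines:
        triage.feed(line)
    return triage.report()


# Constructed sample in tcpdump -nn -tt -S format (not a real capture): one clean
# handshake followed by a retransmitted data segment, then a burst of SYNs from
# one source that never completes a handshake even when the server answers.
SAMPLE = [
    "1700000000.000000 IP 192.168.1.10.51515 > 10.0.0.5.443: Flags [S], seq 1000, win 64240, options [mss 1460,sackOK,nop,wscale 7], length 0",
    "1700000000.000300 IP 10.0.0.5.443 > 192.168.1.10.51515: Flags [S.], seq 5000, ack 1001, win 65160, options [mss 1460,sackOK,nop,wscale 7], length 0",
    "1700000000.000350 IP 192.168.1.10.51515 > 10.0.0.5.443: Flags [.], ack 5001, win 502, length 0",
    "1700000000.001000 IP 192.168.1.10.51515 > 10.0.0.5.443: Flags [P.], seq 1001:1101, ack 5001, win 502, length 100",
    "1700000000.201000 IP 192.168.1.10.51515 > 10.0.0.5.443: Flags [P.], seq 1001:1101, ack 5001, win 502, length 100",
]
for i in range(6):
    SAMPLE.append(f"1700000001.{i * 10:06d} IP 203.0.113.7.{40000 + i} > 10.0.0.5.443: Flags [S], seq {1000 * i}, win 1024, length 0")
    if i % 2 == 0:  # the server still replies to some of them
        SAMPLE.append(f"1700000001.{i * 10 + 5:06d} IP 10.0.0.5.443 > 203.0.113.7.{40000 + i}: Flags [S.], seq 9000, ack {1000 * i + 1}, win 65160, length 0")

if __name__ == "__main__":
    lines = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE
    for name, value in triage_lines(lines).items():
        print(f"{name}: {value}")
```

Keying flows on the sorted endpoint pair lets one entry see both directions, while the client is fixed as whichever side sent the first SYN, so a SYN-ACK is only credited when it comes from the server side. Counting both SYN_SENT and SYN_RECEIVED as incomplete matters for floods: the server usually does answer with a SYN-ACK, and it is the missing final ACK that ties up its backlog.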
📄 Documentation
- Documented all commands used with filters and rationale
- Summarised findings including anomalies and threats identified
- Produced recommendations for network optimisation and security improvements
Key Takeaways
What This Demonstrates
Practical proficiency with tcpdump — installation, interface configuration, filtering, and packet capture.
Understanding of the TCP three-way handshake and how to read SYN, SYN-ACK, and ACK packets to reconstruct communication patterns.
Ability to apply filters to isolate specific traffic streams by IP, port, protocol, and TCP flag — essential for efficient analysis in noisy environments.
Security analysis skills — detecting SYN floods, TCP hijacking patterns, and other anomalous behaviour from captured traffic.
Performance monitoring knowledge — identifying bottlenecks through RTT, retransmission rates, and congestion window analysis.
Awareness of compliance considerations when capturing network traffic — data privacy regulations and organisational policies.