Packet Captures
(OBJ 4.9)
Packet Capture
- Captures data going to or from a network
- Gathers all data sent to or from a specific network device
- Can be set up on a span port to capture all data going to and from devices on the network
- Packet captures on the exam are typically short snippets, not massive data dumps
Packet Capture Columns
- Number
- Packet sequence number in the capture
- Time
- Elapsed time since the capture started
- Make sure to consolidate and correlate timestamps across all your devices
- Source/Destination IP Addresses
- Show where the data is coming from and going to
- Protocol
- Length
- The size of the packet
- Info
- Provides information from the packet header, including flags, sequence, window, length, MSS, source port, and destination port
- Example:
[SYN] Seq=0 Win=1024 Len=0 MSS=1460 SPort=54321 DPort=80
Packet Capture Tips
- Look for patterns that indicate attack types, such as SYN floods or DDoS attacks
- Consider the relationship between source and destination IP addresses to identify the type of attack
Packet Capture Example
Example 1
(screenshot of the packet capture not reproduced)
- This is actually a Port scan!
- A port scan of the top 19 ports
- 80, 23, 22, 21, 443, 53, 443, etc.
Example 2
(screenshot of the packet capture not reproduced)
- The ... rows mean there are other packets in the capture that are not shown
- The whole capture happened within 0.1 seconds, which is very fast for 1000 packets
- Now the SYN packets have no ports shown in the Info column
- This is actually a type of DoS attack called a SYN Flood
- Note we are not seeing any acknowledgements coming back from the destination server to our source, and we're not seeing any SYN-ACKs going from our source back to our destination
- The attacker sends a SYN packet to open a half-open connection but never completes the handshake
- It eats up resources on the destination server
Example 3
(screenshot of the packet capture not reproduced)
- Now we have different sources targeting the same destination IP
- Every 500 packets, the traffic shifts to another system using a different IP address
- This is showing us a DDoS attack, where multiple systems are all attacking the same server
- 3500 packets being sent in about 1.75 seconds from multiple different IP addresses
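As an added example (not part of the course notes), the Python below parses capture rows laid out in the columns described above (No., Time, Source, Destination, Protocol, Length, Info), splits the Info field of the form `[SYN] Seq=0 Win=1024 Len=0 MSS=1460 SPort=54321 DPort=80` into flags and fields, and then applies the three patterns from Examples 1 to 3: one source probing many ports (port scan), one source sending a burst of SYNs with no SYN-ACKs coming back (SYN flood), and many sources hammering one destination (DDoS). The sample rows are constructed to match the numbers in the notes (19 ports, 1000 packets in about 0.1 s, 3500 packets in about 1.75 s with the source changing every 500 packets); the tab-separated row layout and the thresholds in `classify` are assumptions, not anything the notes specify.

```python
import re
from dataclasses import dataclass

# Info field pattern from the notes: "[FLAGS] key=value key=value ..."
INFO_RE = re.compile(r"\[(?P<flags>[A-Z, ]+)\]\s*(?P<kv>.*)")


@dataclass
class Packet:
    number: int
    time: float
    src: str
    dst: str
    proto: str
    length: int
    flags: tuple
    fields: dict


def parse_info(info):
    """Split e.g. '[SYN] Seq=0 Win=1024 Len=0 MSS=1460 SPort=54321 DPort=80'
    into (('SYN',), {'Seq': 0, ...}). Ports are optional (Example 2 lacks them)."""
    m = INFO_RE.match(info)
    if m is None:
        raise ValueError(f"unrecognised Info field: {info!r}")
    flags = tuple(f.strip() for f in m.group("flags").split(","))
    fields = {}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        fields[key] = int(value) if value.isdigit() else value
    return flags, fields


def parse_capture(text):
    """Parse tab-separated rows (assumed layout) into Packet objects."""
    packets = []
    for line in text.strip().splitlines():
        num, t, src, dst, proto, length, info = line.split("\t", 6)
        flags, fields = parse_info(info)
        packets.append(Packet(int(num), float(t), src, dst, proto, int(length), flags, fields))
    return packets


def summarize(packets):
    """The counts the notes tell you to look at: who talks to whom, how many
    destination ports, how fast, and whether any SYN-ACKs came back."""
    syns = [p for p in packets if p.flags == ("SYN",)]
    synacks = [p for p in packets if set(p.flags) == {"SYN", "ACK"}]
    times = [p.time for p in syns] or [0.0]
    duration = max(times) - min(times)
    return {
        "syn_packets": len(syns),
        "syn_acks": len(synacks),
        "sources": len({p.src for p in syns}),
        "destinations": len({p.dst for p in syns}),
        "dst_ports": len({p.fields["DPort"] for p in syns if "DPort" in p.fields}),
        "duration": round(duration, 4),
        "syn_rate": len(syns) / duration if duration > 0 else float("inf"),
    }


def classify(packets, scan_ports=10, flood_pps=1000, ddos_sources=3):
    """Map a capture onto the three patterns in the notes. Thresholds are assumptions."""
    s = summarize(packets)
    if s["syn_packets"] == 0:
        return "no SYN-only traffic"
    half_open = s["syn_acks"] == 0  # no SYN-ACKs back: handshakes never complete
    # Example 1: one host probing many ports on one target
    if s["sources"] == 1 and s["destinations"] == 1 and s["dst_ports"] >= scan_ports:
        return "port scan"
    # Example 3: many sources, one target, handshakes never completed
    if half_open and s["destinations"] == 1 and s["sources"] >= ddos_sources:
        return "DDoS (distributed SYN flood)"
    # Example 2: one source, one target, very high SYN rate, no SYN-ACKs
    if half_open and s["destinations"] == 1 and s["syn_rate"] >= flood_pps:
        return "SYN flood (DoS)"
    return "no known pattern"


def make_rows(n, src_for, dst, t_step, info_for):
    """Build n constructed, tab-separated capture rows."""
    return "\n".join(
        f"{i + 1}\t{i * t_step:.6f}\t{src_for(i)}\t{dst}\tTCP\t60\t{info_for(i)}"
        for i in range(n))


# Constructed data for Example 1: nineteen common ports from one source
TOP_PORTS = [80, 23, 22, 21, 443, 53, 25, 110, 143, 3389, 8080, 445, 139,
             135, 1433, 3306, 5900, 993, 995]
PORT_SCAN = make_rows(
    len(TOP_PORTS), lambda i: "198.51.100.7", "192.0.2.10", 0.1,
    lambda i: f"[SYN] Seq=0 Win=1024 Len=0 MSS=1460 SPort={40000 + i} DPort={TOP_PORTS[i]}")

# Constructed data for Example 2: 1000 SYNs in about 0.1 s, no ports in Info
SYN_FLOOD = make_rows(1000, lambda i: "198.51.100.7", "192.0.2.10", 0.0001,
                      lambda i: "[SYN] Seq=0 Win=1024 Len=0")

# Constructed data for Example 3: 3500 SYNs in about 1.75 s, new source every 500 packets
DDOS = make_rows(3500, lambda i: f"203.0.113.{1 + i // 500}", "192.0.2.10", 0.0005,
                 lambda i: "[SYN] Seq=0 Win=1024 Len=0")

if __name__ == "__main__":
    for name, text in (("Example 1", PORT_SCAN), ("Example 2", SYN_FLOOD), ("Example 3", DDOS)):
        pkts = parse_capture(text)
        print(name, classify(pkts), summarize(pkts))
```

The order of the checks matters: a port scan is also half-open (closed ports answer with RST, not SYN-ACK), so the many-ports test runs first; the DDoS rule is keyed on source diversity rather than rate, because a distributed attack can stay below any per-source rate threshold. Real captures also carry the SYN-ACK and RST replies, which is exactly what the notes say to look for: their absence is the half-open signature.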