Hi everyone,

Traffic analysis plays a big role in watching intruders and tracing unwanted activity.I am going to introduce traffic analysis the home grown way using tcpdump / windump. So here we go

1. Getting Tcpdump /Windump
For linux users tcpdump generally ships with the installation if not get it from
for windows users get windump from

2. Tcpdump/Windump operates by putting the network card into promiscuous mode in order
to capture all the packets going through the wire.

3. Note you have to be root or member of Admininstrative group too run tcpdump/windump.

4. open shell / command prompt type

5. If everthing goes well you will see something like the following
23:21:33.174141 IP > maximus.4993: 1 NXDomain 0/1/0 (114) (DF)
23:21:33.236647 IP maximus.4994 > 2+ PTR?
addr.arpa. (45)
23:21:33.305759 IP > maximus.4994: 2 NXDomain 0/1/0 (114) (DF)
23:21:33.309055 IP maximus.4995 > 3+ PTR?
addr.arpa. (45)
23:21:33.369485 IP > maximus-4nikqbi.4995: 3 NXDomain 0/1/0 (114) (DF)

Without any options tcpdump displays output in the form

timestamp protocol source.port > destination.port : flags


(a) timestamp: it is the time at which packet is being monitored.
(b) protocol : the protocol(not very specific) being used IP,TCP,ICMP,arp-who-has etc.
(c) source.port: originating ip and port separated by a dot.
(d) > : signifies the packet flow
(e) Flags: they can be of the form
S 4183223882:4183223882(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
S 2428998098:2428998098(0)
ack 4183223883 win 8190 <mss 1460>
S meams a SYN packet was sent (I will expain this later)
ACK means an acknowldgement packet was recieved etc.(I will expain this later)
The numbers are tcp sequence numbers of the form(I will expain this later)
starting sequence number : ending sequence number (data bytes)
Windows size etc.

6. A few other options are
-X : Display ascii data
-v : verbose output
-vvv: very verbose

Next time detailed description of packet format,connections etc and traffic analysis.