Network Sniffing

Every packet your network sends can be read by anyone on the same segment — unless it is encrypted. This lesson covers how to capture and read live traffic, what credentials and data leak through plaintext protocols, and what defenders can do about it.

The network sees everything

When data travels across a network it does so as a stream of packets — discrete chunks of bytes, each containing source and destination addresses alongside the actual payload. On a shared network segment, every device receives every packet whether it was addressed to them or not. Normally the network card silently discards packets not addressed to it. Put the card into promiscuous mode and it reads everything.

That is what a packet sniffer does. It instructs the network interface to capture all traffic on the segment — not just traffic addressed to the machine running the tool — and stores it for analysis. On a switched network this is limited to the local broadcast domain, but in many corporate environments the broadcast domains are large enough to capture significant traffic. On a wireless network, anyone within range can capture all unencrypted traffic without being connected to it at all.

Wireshark — capturing and reading packets visually

Wireshark is the most widely used packet analyser in the world. It captures traffic in real time, decodes dozens of protocols automatically, and provides a graphical interface for filtering and inspecting individual packets and sessions. Security teams use it for incident investigation. Pen testers use it to identify what traffic reveals about a network's configuration and security posture.

The scenario: You have a position on the same network segment as the Metasploitable target — either through a compromised host or a direct lab connection. The Metasploitable machine is running Telnet, FTP, and HTTP — all plaintext protocols. You want to capture live authentication attempts and read what the protocols reveal.

# Wireshark can be started from the Kali terminal
# Or launched from Applications → Sniffing & Spoofing → Wireshark

# Start Wireshark from terminal and immediately begin capture on eth0
wireshark -i eth0 &

# Useful Wireshark display filters — type these in the filter bar
# to isolate specific traffic from the full capture:

# Show only FTP traffic (port 21) — reveals FTP credentials in plaintext
# ftp

# Show only Telnet traffic (port 23) — every character typed is visible
# telnet

# Show only HTTP traffic — reveals form data, cookies, auth headers
# http

# Show traffic to or from a specific IP
# ip.addr == 192.168.56.101

# Show only packets containing the word "password" in the payload
# frame contains "password"

# Combine filters with and / or
# ftp or telnet

--- Wireshark capture: FTP traffic to 192.168.56.101 ---
No.   Time      Source           Destination      Protocol  Info
1     0.000     192.168.56.1     192.168.56.101   FTP       Response: 220 (vsFTPd 2.3.4)
2     0.102     192.168.56.1     192.168.56.101   FTP       Request: USER msfadmin
3     0.204     192.168.56.101   192.168.56.1     FTP       Response: 331 Please specify password
4     0.308     192.168.56.1     192.168.56.101   FTP       Request: PASS msfadmin
5     0.412     192.168.56.101   192.168.56.1     FTP       Response: 230 Login successful

tcpdump — command-line packet capture

Wireshark requires a graphical interface. When you are working on a headless server, over SSH, or in an automated pipeline, tcpdump is the tool. It captures packets and writes them to a file — which can later be opened in Wireshark for visual analysis — or pipes them directly to grep or strings for quick credential extraction.

tcpdump is installed on almost every Unix system by default. It can capture and save traffic from a compromised server for later analysis — a technique used both by pen testers demonstrating network-level exposure and by attackers who have positioned themselves on a network segment to harvest credentials passively.

# tcpdump captures packets from the command line — no GUI needed
# Requires root or CAP_NET_RAW capability to run

# -i eth0  capture on the eth0 interface
# -w capture.pcap  write raw packets to a file instead of printing to screen
#   the .pcap file can be opened directly in Wireshark later
# -v  verbose mode — prints more detail about each captured packet
tcpdump -i eth0 -w /tmp/capture.pcap -v

# Filter for specific protocols while capturing — saves disk space
# and makes later analysis faster when only one protocol matters

# Capture only FTP traffic (port 21)
tcpdump -i eth0 -w /tmp/ftp_capture.pcap port 21

# Capture Telnet traffic — every keystroke visible in plaintext
tcpdump -i eth0 -w /tmp/telnet_capture.pcap port 23

# Quick extraction — pipe to strings to find readable text in captured packets
# useful for a fast first look without opening Wireshark
# -A prints packet contents in ASCII alongside hex
# grep -i "pass" filters lines containing "pass" — catches PASS and password
tcpdump -i eth0 -A port 21 | grep -i "pass\|user\|login"

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

--- After piping through grep ---
USER msfadmin
PASS msfadmin
USER postgres
PASS postgres

Reading a pcap file — analysing saved captures

Captures saved to .pcap files can be analysed offline — useful when the capture was taken on a server without a graphical interface and needs to be transferred back to Kali for detailed review. Wireshark opens pcap files directly. For command-line analysis, tcpdump reads them back with the -r flag, and tools like strings extract readable text from binary capture files.

# Read back a saved pcap file using tcpdump
# -r reads from a file instead of a live interface
# -A prints packet contents in ASCII so credentials are readable
tcpdump -r /tmp/capture.pcap -A

# Filter the saved capture for just FTP traffic
tcpdump -r /tmp/capture.pcap -A port 21

# Use strings to extract all readable text from the binary pcap file
# strings finds sequences of printable characters of 4+ length
# Useful for a broad first pass to see everything readable in the capture
strings /tmp/capture.pcap | grep -E "USER|PASS|login|password"

# Open the pcap in Wireshark for visual analysis
wireshark /tmp/capture.pcap

# Follow a TCP stream in Wireshark to read a full session
# Right-click any packet in the session → Follow → TCP Stream
# This reassembles the entire conversation and shows it as readable text
# Every command and response in a Telnet or FTP session becomes fully visible

--- strings | grep result ---
USER msfadmin
PASS msfadmin
USER postgres
PASS postgres
login: msfadmin
Password: msfadmin

--- Wireshark TCP Stream: Telnet session ---
Ubuntu 8.04
login: msfadmin
Password: msfadmin

Last login: Mon Nov 12 09:30:01 2024
Linux metasploitable 2.6.24-16-server #1 SMP
msfadmin@metasploitable:~$ whoami
msfadmin
msfadmin@metasploitable:~$ sudo su
root@metasploitable:/home/msfadmin#

What network sniffing reveals beyond credentials

Credentials are the most headline-grabbing finding from a sniffing exercise — but they are not the only thing a capture reveals. A thorough review of network traffic tells the story of what systems exist, what protocols they use, what software versions they announce, and how users interact with them.

Defences against network sniffing

The most effective defence against network sniffing is encryption — making captured traffic unreadable even if an attacker has a copy of every packet. But encryption alone is not complete. The transport is encrypted; the metadata is not. An attacker capturing encrypted traffic still learns which hosts are communicating, how often, and how much data they exchange. That metadata is more revealing than most people appreciate.

Quiz