Packet Capture / Protocol Analysis
tcpdump and Wireshark
Use a bootable Knoppix CD to start your computer.
Do the following:
Bring up two shell windows (use the icon that looks like a terminal/monitor on the taskbar). Position them so you can see both, or most of both, at the same time.
In each of them, become the "root" user (at the command prompt type "su -" then press Enter). Capturing packets from an interface requires root privileges; the shell you get is root's login shell, so its working directory is root's home, /root.
Capture with tcpdump
In the first shell window, run the tcpdump command to capture up to 6 packets
on your local loopback interface:
tcpdump -nt -c 6 -i lo
Here -i lo selects the loopback interface, -c 6 makes tcpdump exit after 6 packets, -n suppresses address-to-name lookups, and -t suppresses the timestamp at the start of each line.
Then, in the second window, have the machine ping itself 3 times:
ping -c 3 127.0.0.1
Observe the activity in the first window caused by the ping command in the second: each ping produces one ICMP echo request and one echo reply, so three pings account for exactly the 6 packets tcpdump was told to capture, after which tcpdump exits.
Now repeat the procedure, except this time have the tcpdump command put its
output in a file named testfile.cap instead of on the screen:
tcpdump -nt -c 6 -i lo -w testfile.cap
With -w, tcpdump writes the raw packets to the file and prints only a packet count when it exits. The -n and -t options affect only on-screen output, so the file keeps every packet's timestamp and addresses regardless. Because you are root, the file is created in /root.
Playback by tcpdump
The session results, depicting the 6 packets that crossed the loopback interface in
the course of executing three successful pings, now sit in the file. We can play
them back onto the screen with tcpdump:
tcpdump -n -r testfile.cap
Reading a saved file needs no capture privileges. Since the file kept its timestamps, each line now begins with the time the packet was seen; add -t to suppress them as before.
Playback by wireshark
We can also play them back using Wireshark, because tcpdump writes its file in the pcap format that Wireshark reads natively; Wireshark will happily open testfile.cap.
The Knoppix menu entry starts Wireshark as root, which live capture requires (merely reading a saved file does not), and it will ask for root's password.
In Knoppix, accounts have no passwords by default, so we must give root one first. For this exercise the password will be "password". That is acceptable only because this is a throwaway live-CD session that vanishes on reboot; never set a root password like this on an installed system.
To set it, in either of your shell windows, run "passwd". When asked for an initial entry and a confirmation re-entry of the password, type "password" both times.
Now run Wireshark:
K menu / Internet / Wireshark (Network Analyzer); give root's password when asked
File / Open menu choice
In the left panel, click "filesystem"
Then in the right panel click "root", then select "testfile.cap"
and press the "Open" button.
Note you are looking at the same six packets you saw in tcpdump, differently
presented: select any one of them in the packet list and Wireshark decodes it layer by layer (link-layer frame, IP header, ICMP echo request or reply) in the detail pane below.
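The compatibility between the two tools rests on their sharing one file format, pcap. The following Python script is an added example and is not part of the original lab. It parses that format directly: it reads the 24-byte global header (whose magic number gives the file's byte order and timestamp resolution), walks the per-packet records, strips the link-layer header that tcpdump records for a Linux loopback capture (link type 1, Ethernet, with all-zero addresses; the BSD-style null link type 0 is handled too), and counts ICMP echo requests and replies, which is what "tcpdump -n -r testfile.cap" lists in text form. Because the real capture cannot be embedded here, build_sample_capture() constructs an in-memory stand-in for testfile.cap representing "ping -c 3 127.0.0.1"; its identifier, timestamps and payload are made up for the example. Run it against the real file with "python3 pcap_icmp_count.py testfile.cap" (the file name is an assumption).

```python
import struct
import sys

# pcap global-header magic numbers: the file's byte order and the unit of the
# second timestamp field. tcpdump/libpcap and Wireshark share this format.
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian, microseconds
    0xD4C3B2A1: (">", 1_000_000),      # big-endian, microseconds
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian, nanoseconds
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian, nanoseconds
}
LINKTYPE_NULL = 0       # BSD/macOS loopback: 4-byte address-family header
LINKTYPE_ETHERNET = 1   # Linux "lo" is recorded with a fake Ethernet header
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def parse_pcap(data):
    """Return (linktype, [(timestamp_seconds, frame_bytes), ...]) from a classic pcap file."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError(f"unknown magic 0x{magic:08x}: not classic pcap (pcapng not handled)")
    endian, ts_div = PCAP_MAGICS[magic]
    # Fields: magic, version major, version minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    packets, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated packet record header")
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet data")
        off += incl_len
        packets.append((ts_sec + ts_frac / ts_div, frame))
    return linktype, packets


def ipv4_payload(linktype, frame):
    """Strip the link-layer header; return (ip_protocol, transport_bytes) or None if not IPv4."""
    if linktype == LINKTYPE_ETHERNET:
        if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            return None
        ip = frame[14:]
    elif linktype == LINKTYPE_NULL:
        # AF_INET (2) written in the capturing host's byte order
        if len(frame) < 4 or struct.unpack("<I", frame[:4])[0] not in (2, 0x02000000):
            return None
        ip = frame[4:]
    else:
        raise ValueError(f"link type {linktype} not handled by this example")
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    header_len = (ip[0] & 0x0F) * 4   # IHL is in 32-bit words
    return ip[9], ip[header_len:]     # protocol byte, then the transport header


def count_echo(data):
    """Count ICMP echo requests and replies, as `tcpdump -r` lists them in text form."""
    linktype, packets = parse_pcap(data)
    counts = {"request": 0, "reply": 0, "other": 0}
    for _ts, frame in packets:
        parsed = ipv4_payload(linktype, frame)
        if parsed and parsed[0] == IPPROTO_ICMP and parsed[1]:
            kind = {ICMP_ECHO_REQUEST: "request", ICMP_ECHO_REPLY: "reply"}.get(parsed[1][0], "other")
        else:
            kind = "other"
        counts[kind] += 1
    return counts


def inet_checksum(data):
    """RFC 1071 one's-complement checksum used by the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_sample_capture(pings=3):
    """Constructed stand-in for testfile.cap: `ping -c N 127.0.0.1` as seen on Linux lo.
    Identifier, timestamps and payload are made up; this is not a real capture."""
    lo = bytes([127, 0, 0, 1])
    records = []
    for seq in range(1, pings + 1):
        for icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, seq) + bytes(56)
            icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
            ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), seq, 0x4000, 64, IPPROTO_ICMP, 0, lo, lo)
            ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
            frame = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip + icmp  # all-zero MACs on lo
            records.append(struct.pack("<IIII", 1_700_000_000 + seq, 0, len(frame), len(frame)) + frame)
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)
    return header + b"".join(records)


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_capture()
    print(count_echo(raw))
```

On the lab's own testfile.cap the result should be three requests and three replies and nothing else; a fourth "other" count would mean something besides the ping was talking over loopback while tcpdump was running. The parser deliberately rejects pcapng (the newer default of Wireshark's own save dialog) instead of misreading it, since its magic number is different.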