Tcpdump - Project Final Report

The document is an internship report by Madhushree M G on 'Network Traffic Analysis Using TCPdump' submitted to Visvesvaraya Technological University as part of her Bachelor of Engineering in Computer Science. It details the use of TCPdump for analyzing network traffic to identify security threats and improve network performance. The report includes acknowledgments, a declaration, an abstract, and an overview of the company Tech Fortune, which provided the internship opportunity.


VISVESVARAYA TECHNOLOGICAL UNIVERSITY

BELGAUM - 590018, KARNATAKA

INTERNSHIP REPORT ON

“Network traffic analyzer using TCPdump”


A dissertation work submitted in partial fulfillment of the requirements for the award of the degree of

BACHELOR OF ENGINEERING IN COMPUTER SCIENCE & ENGINEERING

Submitted by:

MADHUSHREE M G
(1EW21CS087)

Internal Guide:
Prof. SHWETHA N
Assistant Professor
Dept. of CSE, EWIT

External Guide:
Mallikarjun Kulkarni
CEO
Tech Fortune

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING


EAST WEST INSTITUTE OF TECHNOLOGY
BENGALURU-560091
2023-2024
EAST WEST INSTITUTE OF TECHNOLOGY
(Affiliated to Visvesvaraya Technological University, Belagavi)
(Recognized by Govt. of Karnataka | Approved by AICTE, New Delhi)
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

This is to certify that MADHUSHREE M G (1EW21CS087) has satisfactorily submitted the Internship Report titled “NETWORK TRAFFIC ANALYSIS USING TCPDUMP” in fulfillment of the requirements prescribed by Visvesvaraya Technological University, Belagavi for the 8th semester of the Bachelor of Engineering in “COMPUTER SCIENCE AND ENGINEERING”, during the academic year 2023-24. The Internship report has been approved as it satisfies the academic requirements in respect of the Internship prescribed for the Bachelor of Engineering degree.

Signature of Internal Guide:
Prof. Shwetha N
Assistant Professor
Dept. of CSE, EWIT

Signature of External Guide:
Mallikarjun Kulkarni
HR-MANAGER
Tech Fortune

Signature of HOD:
Dr. Achyutha Prasad N
Professor & Head
Department of CSE

Signature of Principal:
Dr. K Channakeshavalu
Principal/Director
East West Institute of Technology

Name of the External Examiners & Signature with Date:


ACKNOWLEDGEMENT
The satisfaction and euphoria that accompany the successful completion of any
task would be incomplete without the mention of the people who made it
possible, whose constant guidance and encouragement crowned our effort with
success.

I express my sincere gratitude to our Principal Dr. K Channakeshavalu, Principal, East West Institute of Technology, Bengaluru, for his inspiration. I wish to place on record my grateful thanks to Dr. Achyutha Prasad N, Professor and Head of the Department, Computer Science and Engineering, East West Institute of Technology, Bengaluru, for providing encouragement and guidance.

I also thank, and am grateful to, my guide Prof. SHWETHA N, Assistant Professor, Department of Computer Science and Engineering, for the timely inspection and for guiding me throughout the process.

I also thank the coordinators Prof. Nithyashree G D and Prof. Laxmi, Assistant Professors, Department of Computer Science and Engineering, for their support and guidance.

Finally, I express my sincere thanks to my parents, well-wishers and friends for their moral support, encouragement and help throughout the completion of the internship work.

MADHUSHREE MG

(1EW21CS087)

DECLARATION

I hereby declare that this Internship report entitled “NETWORK TRAFFIC ANALYSIS USING TCPDUMP”, submitted to East West Institute of Technology, Bengaluru in partial fulfilment of the requirements for the award of the degree of Bachelor of Engineering in Computer Science and Engineering of Visvesvaraya Technological University, Belagavi during the academic year 2022-23, is a record of bonafide work carried out by MADHUSHREE MG (1EW21CS087) under the guidance of Prof. SHWETHA N, Assistant Professor, Dept. of CSE, EWIT.

Place: EWIT, Bengaluru.

Date:

MADHUSHREE MG

(1EW21CS087)

INTERNSHIP CERTIFICATE

ABSTRACT
The project "Network Traffic Analysis Using tcpdump" aims to provide a comprehensive
understanding of network behaviour and security through the detailed examination of packet
data. Leveraging the powerful packet capture tool tcpdump, this project captures and analyses
network traffic to identify patterns, anomalies, and potential security threats. By collecting
data at the packet level, we can dissect the communication protocols, source and destination
addresses, and payload contents, thereby gaining insights into network performance and
vulnerabilities.

The analysis process involves filtering and interpreting the captured traffic to distinguish
between normal and suspicious activities. This includes recognizing common attack vectors
such as Denial of Service (DoS) attacks, port scanning, and man-in-the-middle attacks.
Furthermore, the project explores the effectiveness of tcpdump in monitoring network traffic
in real-time and generating actionable intelligence to enhance network security measures.
Ultimately, this project aims to demonstrate the critical role of network traffic analysis in
maintaining robust cybersecurity defenses and optimizing network performance.

In addition to identifying and mitigating security threats, this project also explores the
practical applications of tcpdump in network troubleshooting and performance optimization.
By analyzing traffic patterns and detecting bottlenecks, administrators can pinpoint issues
such as network congestion, misconfigurations, and inefficient routing. This enables the
implementation of proactive measures to improve overall network efficiency and reliability.
The project also highlights the importance of integrating tcpdump with other network
analysis tools and techniques to provide a holistic view of the network environment. Through
detailed case studies and real-world scenarios, this project underscores tcpdump’s versatility
as an essential tool for both network security and performance management.

CONTENTS

ACKNOWLEDGEMENT            I
DECLARATION                II
INTERNSHIP CERTIFICATE     III
ABSTRACT                   IV
CONTENTS                   V
LIST OF FIGURES            VI

CHAPTER NO   CHAPTER NAME                              PAGE NO
01           ABOUT THE COMPANY                         01-03
02           INTRODUCTION TO THE DOMAIN                04-06
03           INTRODUCTION TO PROJECT                   07-09
04           NETWORK TRAFFIC ANALYSIS USING TCPDUMP    10-13
05           ARCHITECTURE                              14-16
06           IMPLEMENTATION AND RESULT ANALYSIS        16-24

LIST OF FIGURES

FIGURE NO.   TITLE                        PAGE NO
6.2.1        Actively running networks    21
6.2.2        UDP connections              22
6.2.3        Port 433 connections         22
6.2.4        Host connections             22
Network traffic analysis using Tcpdump

CHAPTER 1

ABOUT THE COMPANY


1.1 Introduction
Tech Fortune is a technology organization providing solutions in cybersecurity, web design and development, MySQL, Python programming, C#, HTML, CSS, ASP.NET and LINQ. To meet ever-increasing automation requirements, Tech Fortune specializes in ERP, connectivity, SEO services, conference management, effective web promotion and tailor-made software products, designing solutions that best suit the client’s requirements.

Tech Fortune strives to be the front runner in creativity and innovation in software development through well-researched expertise, and to establish itself as an out-of-the-box software development company in Bangalore, India. As a software development company, they translate this expertise into value for their customers through professional solutions.

They understand that the best output can be achieved only by understanding the client’s demand better. Tech Fortune works with its clients and helps them define their exact solution requirement. Sometimes clients find that they have completely redefined their solution or new application requirement during the brainstorming session, and here Tech Fortune positions itself as an IT solutions consulting group comprising high-calibre consultants.

1.2 Major Milestones in Tech Fortune

The organization has the right mix of professionals as stakeholders to serve clients to the best of its capability and at par with industry standards. It has young, enthusiastic, passionate and creative professionals who develop technological innovations in the fields of mobile technologies, web applications, and business and enterprise solutions. The motto of the organization is to “Collaborate with our clients to provide them with the best technological solution, hence creating a good present and a better future for our clients, which will bring a cascading positive effect on their business as well.” “Good Present Better Future” is not just a tag line; it is a vision for the clients and for the organization, and they strive hard to achieve it.

Dept. Of CSE, EWIT 2023-24 Page 1



1.3 About Tech Fortune

They believe that technology, when used properly, can help any business to scale and achieve new heights of success. It helps improve efficiency, profitability and reliability; to put it in one sentence, “Technology helps you to delight your customers”, and that is what they want to achieve. They want to help you delight your customers with their technological innovations.

Times are changing and so are computing platforms: computers have come of age and moved beyond the desktop and, to some extent, even the laptop. Mobile platforms that provide real-time information on the go are what the times demand. It has become crucial to be always connected to your business statistics. Mobile hardware such as smartphones and tablet PCs, along with high-speed wireless data connectivity, is where critical business information will be made available in real time in the near future.

As an organization they are highly focused on mobile platform technology and are committed to developing optimal, efficient, reliable, simple and value-for-investment solutions as software products.

1.4 Products of Tech Fortune

1.4.1 Antivirus Software

Antivirus software is a crucial cybersecurity product designed to detect, prevent, and remove
malicious software, such as viruses, worms, and trojans. It operates by scanning files and
programs on a computer or network, comparing them against a database of known malware
signatures. When a match is found, the antivirus software can quarantine or delete the malicious
file. Additionally, modern antivirus solutions often include features like real-time protection,
email scanning, and web protection to defend against a wide range of cyber threats. Popular
antivirus software includes products like Norton, McAfee, and Bitdefender.

1.4.2 Firewalls

Firewalls are security devices or software programs that monitor and control incoming and outgoing network traffic based on predetermined security rules. They act as a barrier between a trusted internal network and untrusted external networks, such as the internet. Firewalls can be configured to block or allow specific types of traffic, helping to prevent unauthorized access and potential attacks. There are hardware firewalls, which are physical devices, and software firewalls, which are installed on individual computers or servers. Examples of firewall solutions include Cisco ASA, pfSense, and Windows Firewall.

1.4.3 Web design

It is encompassing many different skills and disciplines in the production and maintenance of
websites. The different areas of web design include web graphic design; interface design;
authoring, including standardized code and proprietary software; user experience design; and
search engine optimization. Often many individuals will work in teams covering different
aspects of the design process, although some designers will cover them all. The term web design
is normally used to describe the design process relating to the front-end (client side) design of a
website including writing mark up. Web design partially overlaps web engineering in the broader
scope of web development.

Web designers are expected to have an awareness of usability and, if their role involves creating markup, they are also expected to be up to date with web accessibility guidelines.

1.4.4 Artificial Intelligence (AI)

It is a way of making a computer, a computer-controlled robot, or a piece of software think intelligently, in a manner similar to the way intelligent humans think. AI is accomplished by studying how the human brain thinks, and how humans learn, decide, and work while trying to solve a problem, and then using the outcomes of this study as a basis for developing intelligent software and systems.

In computer science, artificial intelligence (AI), sometimes called machine intelligence, is intelligence demonstrated by machines, in contrast to the natural intelligence displayed by humans and animals. Colloquially, the term "artificial intelligence" is used to describe machines that mimic "cognitive" functions that humans associate with other human minds, such as "learning" and "problem solving".


CHAPTER 2

INTRODUCTION
2.1 Introduction
Cybersecurity is a vast and multifaceted domain dedicated to safeguarding information systems,
networks, and data from digital attacks, unauthorized access, damage, and disruptions. In an era
where digital transformation is accelerating across industries, the importance of cybersecurity
has grown exponentially, making it a critical aspect of modern life and business.

The roots of cybersecurity trace back to the early days of computing in the 1960s and 1970s,
when the primary focus was on securing mainframe computers and early networking
technologies. Initially, the main concerns were physical security and preventing unauthorized
access to terminals. However, as computer networks expanded, especially with the advent of the
internet in the 1990s, the scope of cybersecurity broadened significantly. The rise of personal
computers, mobile devices, and the proliferation of interconnected systems brought new
challenges and threats, necessitating more sophisticated and comprehensive security measures.

2.2 Core Concepts and Principles

At its core, cybersecurity revolves around several key principles designed to protect the
confidentiality, integrity, and availability (CIA) of information:

- Confidentiality: Ensuring that sensitive information is accessed only by authorized individuals. Techniques like encryption and access control mechanisms are employed to protect data privacy.
- Integrity: Maintaining the accuracy and reliability of data. This involves protecting data from unauthorized alterations, ensuring that information remains uncorrupted and trustworthy.
- Availability: Ensuring that information and resources are accessible to authorized users when needed. This involves maintaining systems and networks to prevent downtime from attacks or technical failures.


2.3 Threat Landscape

The threat landscape in cybersecurity is dynamic and continually evolving. Cyber threats can
come from various sources, including:

- Malware: Malicious software such as viruses, worms, trojans, ransomware, and spyware designed to disrupt, damage, or gain unauthorized access to systems.
- Phishing: Social engineering attacks aimed at tricking individuals into revealing sensitive information, such as passwords or credit card numbers.
- Denial-of-Service (DoS) Attacks: Attempts to overwhelm a network or system, rendering it unavailable to users.
- Advanced Persistent Threats (APTs): Long-term, targeted attacks often orchestrated by nation-states or organized crime groups aiming to steal data or cause damage.
- Insider Threats: Threats originating from within the organization, often involving employees or contractors who misuse their access to data or systems.

2.4 Defensive Measures and Technologies

To counter these threats, cybersecurity employs a range of defensive measures and technologies:

- Firewalls: Act as a barrier between trusted and untrusted networks, filtering traffic based on predefined security rules.
- Intrusion Detection and Prevention Systems (IDPS): Monitor network traffic for suspicious activity and can take action to prevent detected threats.
- Antivirus and Antimalware: Software designed to detect and remove malicious software.
- Encryption: Protects data by converting it into a secure format that can only be read by someone with the decryption key.
- Access Controls: Policies and technologies that restrict access to information and resources based on user roles and permissions.
- Security Information and Event Management (SIEM): Solutions that provide real-time analysis of security alerts generated by network hardware and applications.
- Incident Response: Processes and tools used to detect, respond to, and recover from security breaches.


2.5 Regulatory and Ethical Considerations

Cybersecurity is also shaped by regulatory and ethical considerations. Various laws and
regulations, such as the General Data Protection Regulation (GDPR) in Europe and the Health
Insurance Portability and Accountability Act (HIPAA) in the U.S., mandate specific security
practices to protect personal and sensitive information. Compliance with these regulations is
crucial for avoiding legal penalties and maintaining customer trust.

Ethically, cybersecurity professionals must balance the need for security with respect for user
privacy and civil liberties. This involves ethical hacking practices, transparent data handling
policies, and ensuring that security measures do not unnecessarily infringe on individual rights.

2.6 Emerging Trends and Future Directions

The field of cybersecurity is continually evolving to address new challenges and leverage
technological advancements. Emerging trends include:

- Artificial Intelligence (AI) and Machine Learning: Enhancing threat detection and response through automated analysis and adaptive learning.
- Zero Trust Security: A model that assumes no implicit trust and continuously verifies every request as though it originates from an open network.
- Quantum Computing: Potentially revolutionizing encryption and posing new challenges for data security.
- Internet of Things (IoT) Security: Addressing the unique vulnerabilities of interconnected devices and systems.

In conclusion, cybersecurity is a critical and dynamic field that underpins the safe and reliable
operation of modern digital infrastructure. Its importance will only continue to grow as
technology advances and cyber threats become increasingly sophisticated. As such, continuous
innovation, education, and vigilance are essential to protect against the ever-evolving landscape
of cyber risks.


CHAPTER 3

INTRODUCTION TO PROJECT
3.1 Introduction

Network traffic analysis is an essential practice in cybersecurity and network management, providing deep insights into the functioning, performance, and security of networks. One of the powerful tools used for network traffic analysis is tcpdump, a command-line packet analyser. This project, "Network Traffic Analysis using tcpdump," aims to utilize tcpdump for capturing, analysing, and interpreting network traffic to enhance network security and performance.

3.2 Understanding Network Traffic Analysis

Network traffic analysis involves monitoring and examining the data flowing across a network to
understand its behaviour, detect anomalies, troubleshoot issues, and ensure security. This process
is crucial for network administrators and cybersecurity professionals, as it helps in identifying
potential threats, optimizing network performance, and maintaining compliance with
organizational policies and regulatory requirements.

3.3 The Role of tcpdump

tcpdump is a powerful and versatile network packet analyser that captures and displays the
packets being transmitted or received over a network. Developed in the late 1980s, it has become
a staple tool for network administrators due to its efficiency, flexibility, and robustness.
Tcpdump works by intercepting packets that pass through a network interface and displaying
their contents in a human-readable format, providing valuable insights into the network's
operation.

3.4 Project Objectives

The primary objectives of the "Network Traffic Analysis using tcpdump" project are:

- Packet Capture: Utilize tcpdump to capture network packets in real-time. This involves setting up tcpdump on a network interface to intercept traffic and save the captured data for further analysis.

- Packet Analysis: Analyse the captured packets to understand the types of traffic flowing through the network. This includes identifying protocols in use, examining packet headers and payloads, and detecting any unusual patterns or anomalies.
- Traffic Monitoring: Monitor network traffic to identify performance issues, such as congestion, latency, and packet loss. By analysing traffic patterns, administrators can optimize network performance and ensure efficient data flow.
- Security Analysis: Detect and investigate potential security threats, such as unauthorized access, malware activity, and network intrusions. Tcpdump can help in identifying suspicious traffic and facilitating incident response.
- Reporting and Visualization: Generate reports and visualizations based on the analysed data to provide clear insights into network behaviour and performance. This includes creating graphs, charts, and summaries that highlight key findings.

3.5 Implementation Steps

The implementation of this project involves several steps:

Environment Setup: Install tcpdump on the target system, typically a server or a network node.
Ensure that the system has the necessary permissions to capture network traffic.

Packet Capture Configuration: Configure tcpdump to capture traffic on specific network interfaces and define capture filters to focus on relevant traffic. For example, filters can be set to capture only HTTP traffic, traffic from a specific IP address, or traffic on a particular port.

Data Collection: Run tcpdump to start capturing packets and save the captured data to files for
later analysis. This step may involve running tcpdump for extended periods to capture enough
data for comprehensive analysis.

Data Analysis: Use tcpdump's built-in options and other tools like Wireshark to analyze the
captured packets. This includes examining packet headers for protocol information, payload
analysis for content inspection, and identifying patterns indicative of performance or security
issues.


Visualization and Reporting: Use data visualization tools to create visual representations of the
captured data. This helps in identifying trends, anomalies, and providing clear reports to
stakeholders. Tools like Wireshark, Grafana, or even custom scripts can be used for this purpose.

3.6 Challenges and Considerations

While tcpdump is a powerful tool, its use comes with certain challenges and considerations:

Data Volume: Capturing and storing large volumes of network traffic can consume significant
disk space and processing power. Efficient data management practices are essential to handle
this.

Privacy and Legal Compliance: Monitoring network traffic involves handling potentially
sensitive information. Ensuring privacy and compliance with legal regulations is crucial to avoid
legal and ethical issues.

Interpreting Data: Analysing raw packet data requires a deep understanding of networking
protocols and traffic patterns. Training and expertise are necessary to accurately interpret the
data and draw meaningful conclusions.


CHAPTER 4

NETWORK TRAFFIC ANALYSIS USING TCPdump

Network traffic analysis is a crucial aspect of cybersecurity and network management, aimed at
monitoring, analysing, and understanding the flow of data across a network. By examining the
packets transmitted between devices, network administrators and security professionals can
identify patterns, detect anomalies, and diagnose issues that may affect network performance or
security. One of the powerful tools used for this purpose is tcpdump, a command-line packet
analyser. Tcpdump captures network packets in real-time, providing detailed insights into the
data traversing the network. This project, "Network Traffic Analysis Using tcpdump," focuses on
utilizing tcpdump to conduct a comprehensive analysis of network traffic, enhancing the
understanding of network behaviour and identifying potential security threats.

4.1 Objectives

The primary objectives of this project are:

Capture and Analyse Network Traffic: Utilize tcpdump to capture network packets and
perform detailed analysis to understand the nature and behaviour of network traffic.

Identify Network Anomalies and Security Threats: Detect unusual patterns and potential
security threats, such as unauthorized access attempts, malware communication, and data
exfiltration.

Diagnose Network Performance Issues: Identify performance bottlenecks, such as network congestion, packet loss, and latency issues, to optimize network performance.

Document and Visualize Findings: Generate comprehensive reports and visualizations of the
network traffic analysis, highlighting key findings and insights.

Develop Best Practices for Network Monitoring: Establish guidelines and best practices for
continuous network monitoring and proactive threat detection using tcpdump.


4.2 Methodology

The methodology for this project involves several steps, each designed to ensure a thorough and
effective analysis of network traffic:

Environment Setup:

Install tcpdump on the target system. Ensure appropriate permissions and configurations to
capture network traffic effectively.

Data Capture:

Use tcpdump to capture live network traffic over a specified period or during peak usage times.
Save captured packets in .pcap files for detailed offline analysis.

Preliminary Analysis:

Filter and sort captured data to focus on relevant traffic, using tcpdump options and expressions.
Identify and categorize different types of network traffic, such as HTTP, HTTPS, DNS, and FTP.

Detailed Packet Analysis:

Use tcpdump and complementary tools like Wireshark to perform deep packet inspection.
Analyse packet headers and payloads to understand the structure and content of the network
communication. Identify any unusual patterns or anomalies, such as repeated failed login
attempts, unexpected data transfers, or communication with known malicious IP addresses.

Performance Diagnosis:

Measure key performance metrics, such as throughput, latency, and packet loss. Identify any
network congestion points or devices causing significant delays.

Documentation and Visualization:

Compile findings into a detailed report, including summaries, data tables, and interpretations.
Create visualizations, such as graphs and charts, to illustrate traffic patterns, anomalies, and
performance issues.


Developing Best Practices:

Based on the analysis, develop recommendations for network monitoring and security
improvements. Establish procedures for regular network traffic analysis using tcpdump.

4.3 Limitations

Despite the comprehensive approach of using tcpdump for network traffic analysis, there are
several limitations to consider:

Data Volume and Complexity:

Network traffic can generate a vast amount of data, making it challenging to capture, store, and
analyse effectively. High traffic volume may lead to performance issues on the monitoring
system.

Encryption:

Encrypted traffic (e.g., HTTPS) poses a significant challenge: tcpdump captures the packets, but only the headers are readable, while the encrypted payloads remain opaque. This limitation makes it difficult to analyse the content of encrypted communications directly.

Resource Intensive:

Continuous packet capture and analysis can be resource-intensive, potentially impacting the performance of the monitoring system. It requires significant processing power and storage capacity to handle large data sets.

Skill Requirement:

Effective use of tcpdump requires a good understanding of network protocols and packet
structures. Analysing captured data and identifying meaningful patterns or anomalies demands
expertise in network security and analysis.

False Positives and Negatives:

Automated detection of anomalies and threats may result in false positives (benign activities flagged as suspicious) or false negatives (actual threats not detected). Detection rules and filters therefore require careful tuning and validation.


Scope of Analysis:

tcpdump provides a low-level view of network traffic, which may not capture higher-level
application behaviours or user activities comprehensively. Complementary tools and methods
may be required for a holistic analysis.


CHAPTER 5
ARCHITECTURE
Creating a project for "Network Traffic Analysis Using tcpdump" involves several components
and steps to ensure a comprehensive analysis. Here's an architecture outline for such a project:

5.1 Project Overview

Objective: Capture, analyze, and visualize network traffic data using tcpdump.

Tools: tcpdump, Python (or other scripting languages), data analysis libraries (e.g., pandas), and
visualization tools (e.g., matplotlib, seaborn).

5.2 Architecture Components

5.2.1 Data Collection

- tcpdump: A powerful command-line packet analyzer.
  - Function: Capture network packets.
  - Deployment: Installed on a server or network node to monitor traffic.
  - Configuration: Define filters for capturing specific types of traffic (e.g., HTTP, HTTPS, FTP).

5.2.2 Data Storage

- Raw Packet Data: Store the captured packet data.
  - Format: .pcap files.
  - Location: Local storage or cloud storage (depending on data size and access requirements).

5.2.3 Data Processing

- Packet Parsing: Extract useful information from raw packet data.
  - Tools: scapy (Python library), pyshark.
  - Functions: Parse .pcap files, extract metadata (e.g., source/destination IPs, ports, protocols).
- Data Cleaning: Remove unnecessary data and handle missing values.
  - Tools: Python (pandas).
  - Functions: Filter out irrelevant packets, handle missing or malformed data.

5.2.4 Data Analysis

• Statistical Analysis: Compute statistics on the captured data.
  • Tools: Python (pandas, numpy).
  • Functions: Calculate metrics (e.g., packet counts, traffic volume, top talkers).
• Anomaly Detection: Identify unusual patterns in the traffic.
  • Techniques: Threshold-based, machine learning algorithms.
  • Tools: Python (scikit-learn, TensorFlow).

5.2.5 Data Visualization

• Visual Reports: Generate visual representations of the network traffic.
  • Tools: Python (matplotlib, seaborn, Plotly), Grafana.
  • Functions: Plot time series, histograms, heatmaps.
• Dashboards: Interactive dashboards for real-time monitoring.
  • Tools: Grafana, Kibana, or custom web-based dashboards.
  • Functions: Real-time data visualization, drill-down capabilities.

5.2.6 Alerts and Notifications

• Automated Alerts: Notify administrators of detected anomalies.
  • Tools: Python (smtplib for emails), Slack API.
  • Functions: Send alerts via email, SMS, or messaging platforms.

5.3 Workflow

5.3.1 Setup and Configuration

• Install tcpdump on the server or network device.
• Define capture filters to specify the traffic of interest.

5.3.2 Data Capture

• Run tcpdump to capture network traffic.
• Store captured packets in .pcap files.


5.3.3 Data Processing and Analysis

• Parse .pcap files using scapy or pyshark.
• Clean and preprocess the data using pandas.
• Perform statistical analysis to compute metrics.
• Detect anomalies using machine learning or threshold-based techniques.

5.3.4 Data Visualization and Reporting

• Create visual reports using matplotlib, seaborn, or Plotly.
• Build interactive dashboards using Grafana or Kibana.

5.3.5 Alerts and Notifications

• Configure alert thresholds or train anomaly detection models.
• Set up notification mechanisms (e.g., email, Slack).

5.3.6 Continuous Monitoring and Improvement

• Monitor network traffic continuously using the established system.
• Refine filters and models based on feedback and new requirements.
• Update dashboards and reports to reflect changes in network traffic patterns.

5.4 Technologies and Tools

• Capture: tcpdump
• Parsing and Analysis: Python, scapy, pyshark, pandas, numpy
• Visualization: matplotlib, seaborn, Plotly, Grafana, Kibana
• Machine Learning: scikit-learn, TensorFlow
• Alerts and Notifications: smtplib (email), Slack API

By following this architecture, you can build a robust system for network traffic analysis using
tcpdump. The modular approach allows for flexibility and scalability as your network and
analysis needs grow.


CHAPTER 6
IMPLEMENTATION AND RESULT ANALYSIS

6.1 Implementation

STEP 1: SETUP AND INSTALLATION

Install TCPdump

First, install tcpdump on your server or network device. For Ubuntu/Debian:

    sudo apt-get update
    sudo apt-get install tcpdump

Define capture filters

Define the capture filters to specify the type of traffic you are interested in. For example, to
capture HTTP traffic:

    sudo tcpdump -i eth0 -w capture.pcap tcp port 80

This command captures HTTP traffic (TCP port 80) on interface eth0 and writes it to capture.pcap.
The options are given before the filter expression, which is the order the tcpdump manual page
documents: everything after the last option is read as part of the filter.

STEP 2: DATA CAPTURE

Run tcpdump to start capturing network traffic:

    sudo tcpdump -i eth0 -w capture.pcap

Let tcpdump run for the desired period to collect sufficient data.

STEP 3: DATA PROCESSING

Use Python and the scapy library to parse the captured .pcap files. Install scapy:


    pip install scapy

Create a script to parse the .pcap file:

from scapy.all import rdpcap
import pandas as pd

# Read the pcap file
packets = rdpcap('capture.pcap')

# Extract useful information from every packet that carries an IPv4 layer
data = []
for packet in packets:
    if packet.haslayer('IP'):
        ip_src = packet['IP'].src
        ip_dst = packet['IP'].dst
        protocol = packet['IP'].proto      # IP protocol number, e.g. 6 = TCP, 17 = UDP
        data.append((ip_src, ip_dst, protocol))

# Convert to a DataFrame for analysis
df = pd.DataFrame(data, columns=['Source IP', 'Destination IP', 'Protocol'])
print(df.head())
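As an added illustration that is not part of the report, the following stand-alone reader does by hand what rdpcap does for the three fields the script uses: it walks the classic pcap record layout and pulls source, destination and protocol number out of each IPv4-over-Ethernet frame, skipping anything else. The sample capture bytes are constructed inline, so it runs without scapy or a real capture.

```python
import socket
import struct

def _ipv4_frame(src, dst, proto):
    """Constructed Ethernet + minimal IPv4 header (no payload) for the sample capture."""
    eth = b"\x00" * 12 + b"\x08\x00"                        # dst/src MAC, EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip

def _pcap_bytes(frames):
    """Wrap frames in a little-endian classic pcap: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

# Constructed sample capture: TCP, UDP and ICMP packets plus one ARP frame that must be skipped.
SAMPLE_PCAP = _pcap_bytes([
    _ipv4_frame("192.0.2.10", "198.51.100.5", 6),
    _ipv4_frame("192.0.2.11", "198.51.100.5", 17),
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,              # EtherType 0x0806 = ARP
    _ipv4_frame("192.0.2.10", "198.51.100.9", 1),
])

def parse_pcap(data):
    """Return (src_ip, dst_ip, proto) for every IPv4 packet in a classic pcap byte string."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        order = "<"                                         # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        order = ">"                                         # written on a big-endian host
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    if struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled here")
    records, offset = [], 24
    while offset + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(order + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        # Need a full Ethernet (14) + IPv4 (20) header and EtherType IPv4; skip ARP, IPv6 and runts.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        ip = frame[14:]
        records.append((socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), ip[9]))
    return records
```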

Clean and preprocess data

Use pandas to clean and preprocess the data:

# Remove duplicates and handle missing values
# Note: dropping duplicate rows collapses repeated packets between the same hosts, so the
# per-IP counts computed later become distinct (source, destination, protocol) counts
# rather than packet counts.
df.drop_duplicates(inplace=True)
df.dropna(inplace=True)

# Display the cleaned data
print(df.head())


STEP 4: DATA ANALYSIS

# Count the number of packets for each protocol
protocol_counts = df['Protocol'].value_counts()
print(protocol_counts)

# Top source and destination IPs
top_src_ips = df['Source IP'].value_counts().head(10)
top_dst_ips = df['Destination IP'].value_counts().head(10)
print(top_src_ips)
print(top_dst_ips)

Threshold-based anomaly detection:

# Set a threshold for the number of packets from a single IP
threshold = 1000

# Identify IPs exceeding the threshold
src_counts = df['Source IP'].value_counts()
anomalous_src_ips = src_counts[src_counts > threshold]
print(anomalous_src_ips)
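The threshold rule above, as an added example that is not from the report, run against two constructed captures using only the standard library: a fixed cut-off of 1000 packets catches the one loud host in a quiet capture but flags every client on a busier day, which is the false-positive problem noted earlier, while a baseline-relative cut-off (median plus k median absolute deviations, with k a parameter chosen here) follows the volume of each capture. The IP addresses and packet counts are constructed.

```python
from collections import Counter
from statistics import median

def per_source_counts(records):
    """Packets per source IP; the same tally as df['Source IP'].value_counts()."""
    return Counter(src for src, _dst, _proto in records)

def flag_fixed(counts, threshold=1000):
    """The report's rule: any source that sent more than `threshold` packets."""
    return {ip for ip, n in counts.items() if n > threshold}

def flag_adaptive(counts, k=5.0):
    """Baseline-relative rule: flag sources more than k median-absolute-deviations above the
    median of this capture. Using the median keeps one loud host from shifting the baseline."""
    values = list(counts.values())
    centre = median(values)
    mad = median(abs(v - centre) for v in values)
    return {ip for ip, n in counts.items() if n > centre + k * mad}

def confusion(flagged, known_bad):
    """(false positives, false negatives) of a flagged set against labelled ground truth."""
    return len(flagged - known_bad), len(known_bad - flagged)

def make_records(packets_per_ip):
    """Constructed stand-in for parsed packets: one (src, dst, proto) tuple per packet."""
    return [(ip, "198.51.100.5", 6) for ip, n in packets_per_ip.items() for _ in range(n)]

# Constructed captures. QUIET: ten clients at 120-300 packets and one host sending 1500.
# BUSY: the same ten clients on a heavier day (1200-3000 packets each), nobody misbehaving.
QUIET = make_records({**{"192.0.2.%d" % i: 100 + 20 * i for i in range(1, 11)}, "203.0.113.7": 1500})
BUSY = make_records({"192.0.2.%d" % i: 1000 + 200 * i for i in range(1, 11)})
QUIET_BAD = {"203.0.113.7"}          # labelled ground truth for the quiet capture

if __name__ == "__main__":
    for name, recs, bad in (("quiet", QUIET, QUIET_BAD), ("busy", BUSY, set())):
        counts = per_source_counts(recs)
        print(name, "fixed    fp/fn:", confusion(flag_fixed(counts), bad))
        print(name, "adaptive fp/fn:", confusion(flag_adaptive(counts), bad))
```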

STEP 5: DATA VISUALIZATION

Use matplotlib and seaborn for visualization:

import matplotlib.pyplot as plt
import seaborn as sns

# Plot protocol distribution
plt.figure(figsize=(10, 6))
sns.countplot(x='Protocol', data=df)
plt.title('Protocol Distribution')
plt.show()

# Plot top source IPs
plt.figure(figsize=(10, 6))
top_src_ips.plot(kind='bar')
plt.title('Top Source IPs')
plt.xlabel('Source IP')
plt.ylabel('Packet Count')
plt.show()
Dashboard:

import plotly.express as px

# Plot protocol distribution
fig = px.histogram(df, x='Protocol', title='Protocol Distribution')
fig.show()

# Plot top source IPs
fig = px.bar(top_src_ips, title='Top Source IPs',
             labels={'index': 'Source IP', 'value': 'Packet Count'})
fig.show()

STEP 6: ALERTS AND NOTIFICATIONS

Send alerts via email when an anomaly is detected:

import os
import smtplib
from email.mime.text import MIMEText

def send_email(subject, body, to_email):
    from_email = "[email protected]"                 # placeholder sender address
    # Read the mailbox password from the environment instead of hard-coding it in the
    # script (variable name chosen here as an example)
    password = os.environ["ALERT_SMTP_PASSWORD"]

    msg = MIMEText(body)
    msg['Subject'] = subject
    msg['From'] = from_email
    msg['To'] = to_email

    # Implicit TLS on port 465, so credentials and message are never sent in the clear
    server = smtplib.SMTP_SSL('smtp.example.com', 465)
    server.login(from_email, password)
    server.sendmail(from_email, [to_email], msg.as_string())
    server.quit()

# Send alert if anomalies are detected
if not anomalous_src_ips.empty:
    subject = "Anomaly Detected in Network Traffic"
    body = f"Anomalous Source IPs:\n{anomalous_src_ips}"
    send_email(subject, body, "[email protected]")   # placeholder recipient address

STEP 7: MONITOR NETWORK TRAFFIC

Set up a cron job or a continuous monitoring system to run tcpdump and analyze the data
periodically. Regularly review and update capture filters and anomaly detection models based on
new insights and requirements.

6.2 Results:

Fig. 6.2.1 Actively running networks.


Fig. 6.2.2 UDP connections.

Fig. 6.2.3 Port 433 connections.

Fig. 6.2.4 Host connections.


CONCLUSION

In conclusion, the network traffic analysis using tcpdump provides valuable insights into
network performance, security, and overall traffic patterns. By capturing and analyzing packets,
we can identify potential issues such as network congestion, packet loss, and malicious activities.
The detailed examination of traffic data allows for the detection of anomalies and the
optimization of network configurations to enhance efficiency and security. This project
demonstrates the effectiveness of tcpdump as a powerful tool for network administrators and
cybersecurity professionals to maintain robust and secure network environments. The ability to
interpret and act on the data collected ensures that networks can operate smoothly, minimizing
downtime and preventing potential threats. Overall, the deployment of tcpdump in network
traffic analysis not only enhances security measures but also contributes to the strategic planning
and optimization of network resources, supporting the sustained growth and reliability of
network infrastructure.

