Ethical Hacking: Capturing and Analyzing Network Packets with TShark and tcpdump

Introduction to Tshark

Using the apt package manager on our Ubuntu host, we can install Tshark by running the command:

apt update; apt install -y tshark

During installation you will be asked whether non-superusers should be able to capture packets. Answering yes grants the dumpcap capture helper raw-socket capabilities for members of the wireshark group, which lets anyone in that group sniff every packet the host can see. Select no unless you know what you are doing or your users genuinely need that access.

After the prompt, the installation should continue and you will be brought back to the bash terminal prompt.

Verify Installation Completed

To verify that Tshark is installed, execute Tshark with the --version flag to output the version number.

tshark --version

Docker

The rest of the scenario will use Docker to simulate a vulnerable host on a network. The gravemind Docker container is obtained from Docker Hub. Multiple hosts will be set up for you using Docker.

Please verify that two gravemind instances are running using the following command:

docker ps

If no containers are running, a setup script is provided in your home directory and can be executed by running: bash ~/gravemind_docker_network_setup.sh

These two containers have statically assigned IP Addresses:

  • Container 1: 10.0.0.5
  • Container 2: 10.0.0.6

Getting started with Tshark

When invoked with no arguments, Tshark captures on the first non-loopback interface it finds and prints every captured packet until you stop it. To start Tshark, run the tshark command. Note the warning in the output below: capturing as root means that a bug in a protocol dissector is reachable with root privileges, which is why the installer offers the wireshark group instead.

You will see a list of packets similar to the following output:

root@katacoda:~# tshark -i br-5039c3895eb9
Running as user "root" and group "root". This could be dangerous.
Capturing on 'br-5039c3895eb9'
    1 0.000000000     10.0.0.1 → 10.0.0.5     ICMP 98 Echo (ping) request  id=0x0fd2, seq=1/256, ttl=64
    2 0.000030969     10.0.0.5 → 10.0.0.1     ICMP 98 Echo (ping) reply    id=0x0fd2, seq=1/256, ttl=64 (request in 1)
    3 1.018681059     10.0.0.1 → 10.0.0.5     ICMP 98 Echo (ping) request  id=0x0fd2, seq=2/512, ttl=64
    4 1.018709052     10.0.0.5 → 10.0.0.1     ICMP 98 Echo (ping) reply    id=0x0fd2, seq=2/512, ttl=64 (request in 3)
    5 2.046488928     10.0.0.1 → 10.0.0.5     ICMP 98 Echo (ping) request  id=0x0fd2, seq=3/768, ttl=64
    6 2.046515187     10.0.0.5 → 10.0.0.1     ICMP 98 Echo (ping) reply    id=0x0fd2, seq=3/768, ttl=64 (request in 5)
    7 3.066487395     10.0.0.1 → 10.0.0.5     ICMP 98 Echo (ping) request  id=0x0fd2, seq=4/1024, ttl=64
    8 3.066514907     10.0.0.5 → 10.0.0.1     ICMP 98 Echo (ping) reply    id=0x0fd2, seq=4/1024, ttl=64 (request in 7)
    9 5.146577501 02:42:d0:4e:95:8b → 02:42:0a:00:00:05 ARP 42 Who has 10.0.0.5? Tell 10.0.0.1
   10 5.146564837 02:42:0a:00:00:05 → 02:42:d0:4e:95:8b ARP 42 Who has 10.0.0.1? Tell 10.0.0.5
   11 5.146662842 02:42:d0:4e:95:8b → 02:42:0a:00:00:05 ARP 42 10.0.0.1 is at 02:42:d0:4e:95:8b
   12 5.146667771 02:42:0a:00:00:05 → 02:42:d0:4e:95:8b ARP 42 10.0.0.5 is at 02:42:0a:00:00:05

Note: Packets will be different than the above output depending on the generated network traffic ongoing on the host.

To stop Tshark at any time, use the keybinding ^C.

Selecting an interface to listen through.

In many cases, hosts will have more than one interface connected at a time. For example, on our Ubuntu host we can see the different interfaces present by using the command:

ip link

$ ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:42:ac:11:00:24 brd ff:ff:ff:ff:ff:ff
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:0c:66:4e:d1 brd ff:ff:ff:ff:ff:ff
4: br-285319d5dca3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
    link/ether 02:42:90:8c:93:14 brd ff:ff:ff:ff:ff:ff
6: veth1786149@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-285319d5dca3 state UP mode DEFAULT group default 
    link/ether 3a:08:87:64:fb:c8 brd ff:ff:ff:ff:ff:ff link-netnsid 1
8: vethfa857fe@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-285319d5dca3 state UP mode DEFAULT group default 
    link/ether 82:4f:00:c9:80:53 brd ff:ff:ff:ff:ff:ff link-netnsid 0

Our gravemind containers are running on the 10.0.0.0/24 network. We can verify which interface this network is attached to by using the command:

ip route

$ ip route
default via 172.17.0.1 dev ens3 
10.0.0.0/24 dev br-285319d5dca3 proto kernel scope link src 10.0.0.1 
172.17.0.0/16 dev ens3 proto kernel scope link src 172.17.0.36 
172.18.0.0/24 dev docker0 proto kernel scope link src 172.18.0.1 linkdown

Above we can see that the 10.0.0.0/24 network is attached to the br-XXXXXXXXXX bridge interface (br-285319d5dca3 in this output).

Tshark also provides the -D or --list-interfaces argument, which lists every interface it can capture on, including pseudo-interfaces such as any and the extcap helpers at the end of the list. To view them, run the command:

tshark -D

1. veth80cadfe
2. vethdaf12b0
3. ens3
4. br-45f4ba650740
5. lo (Loopback)
6. any
7. docker0
8. bluetooth-monitor
9. nflog
10. nfqueue
11. ciscodump (Cisco remote capture)
12. dpauxmon (DisplayPort AUX channel monitor capture)
13. randpkt (Random packet generator)
14. sdjournal (systemd Journal Export)
15. sshdump (SSH remote capture)
16. udpdump (UDP Listener remote capture)

To capture on the bridge interface, run the command:

tshark -i br-45f4ba650740

IMPORTANT: The docker bridge interface may be named differently, so use the interface name shown to you by the ip route command. If there is only one bridge, the following one-liner selects it for you; if several br-* bridges exist it takes the first one, so confirm against ip route rather than trusting it blindly: ip -br link | awk '/^br-/ {print $1; exit}' | xargs tshark -i

Because a ping is started at container setup, you should see a series of ping requests populate the screen. The output will be similar to the following:

$ tshark -i br-285319d5dca3
Running as user "root" and group "root". This could be dangerous.
Capturing on 'br-285319d5dca3'
    1 0.000000000 02:42:0a:00:00:05 → 02:42:90:8c:93:14 ARP 42 Who has 10.0.0.1? Tell 10.0.0.5
    2 0.000054833 02:42:90:8c:93:14 → 02:42:0a:00:00:05 ARP 42 10.0.0.1 is at 02:42:90:8c:93:14
    3 0.000115543     10.0.0.1 → 10.0.0.5     ICMP 98 Echo (ping) request  id=0x0008, seq=205/52480, ttl=64
    4 0.000145285     10.0.0.5 → 10.0.0.1     ICMP 98 Echo (ping) reply    id=0x0008, seq=205/52480, ttl=64 (request in 3)
    5 1.024159304     10.0.0.1 → 10.0.0.5     ICMP 98 Echo (ping) request  id=0x0008, seq=206/52736, ttl=64
    6 1.024207545     10.0.0.5 → 10.0.0.1     ICMP 98 Echo (ping) reply    id=0x0008, seq=206/52736, ttl=64 (request in 5)
    7 2.048099767     10.0.0.1 → 10.0.0.5     ICMP 98 Echo (ping) request  id=0x0008, seq=207/52992, ttl=64
    8 2.048144338     10.0.0.5 → 10.0.0.1     ICMP 98 Echo (ping) reply    id=0x0008, seq=207/52992, ttl=64 (request in 7)

[ ... additional output omitted ... ]

Note: For the remainder of the scenario, you must substitute the br-XXXXXXXXXX for the interface found above.
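The weak point of the grep one-liner above is that it picks a bridge by name prefix. The following Python script is an added example, not part of the original scenario: it selects the interface from the route that carries 10.0.0.0/24, which is the check the text performs by hand with ip route, and builds the tshark (or tcpdump) command line for it. The route listing embedded in the script is a constructed copy of the one shown above; when run on a host where the ip tool is present it reads the live routing table instead.

```python
"""Pick the capture interface for a network by parsing `ip route` (added example)."""
import re
import shutil
import subprocess
import sys

# Constructed sample of `ip route` output, copied from the tutorial's listing.
SAMPLE_ROUTES = """\
default via 172.17.0.1 dev ens3
10.0.0.0/24 dev br-285319d5dca3 proto kernel scope link src 10.0.0.1
172.17.0.0/16 dev ens3 proto kernel scope link src 172.17.0.36
172.18.0.0/24 dev docker0 proto kernel scope link src 172.18.0.1 linkdown
"""

# "<dst> [via <gw>] dev <dev> ..." is the fixed prefix of every route line.
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via \S+)? dev (?P<dev>\S+)")


def interface_for_network(route_output, network):
    """Return the device that owns the route for `network` (e.g. '10.0.0.0/24'),
    or None. Selecting by route avoids guessing among several br-* bridges."""
    for line in route_output.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m and m.group("dst") == network:
            return m.group("dev")
    return None


def capture_command(route_output, network, tool="tshark", extra=()):
    """Build the argv for `tool` bound to the interface that carries `network`."""
    dev = interface_for_network(route_output, network)
    if dev is None:
        raise LookupError(f"no route for {network}")
    return [tool, "-i", dev, *extra]


if __name__ == "__main__":
    net = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.0/24"
    routes = SAMPLE_ROUTES
    if shutil.which("ip"):  # use the live routing table when available
        routes = subprocess.run(["ip", "route"], capture_output=True,
                                text=True, check=True).stdout
    print(" ".join(capture_command(routes, net)))
```

Run it with no arguments to print the tshark command for 10.0.0.0/24, or pass another prefix to select a different network.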

Listing Tshark's available options

If you are stuck or curious about the available options, run tshark --help to print the help text.

Tshark output and filtering

Tshark output can be filtered and saved to multiple file formats.

Writing a scan to a file

Raw packet output can be saved to a file by using the -w FILENAME argument. The extension is conventionally .pcap, but Tshark does not interpret it, which is why the example below happily writes to output.txt. Note that Tshark writes the newer pcapng format by default; add -F pcap if another tool expects classic pcap.

tshark -w FILENAME.pcap -i br-285319d5dca3

Note: Please enter the interface found when executing ip route

root@katacoda:~# tshark -i eth0 -w ~/output.txt
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'

Reading a scan from a .pcap file

In many instances, you may want to take the raw packet output from a file generated by the -w argument and parse through the information. You can read the file back using the -r FILENAME.pcap argument; Tshark detects the file format (pcap or pcapng) on its own.

tshark -r FILENAME.pcap

root@katacoda:~# tshark -r output.txt 
Running as user "root" and group "root". This could be dangerous.
    1 0.000000000     10.0.0.1 → 10.0.0.5     ICMP 98 Echo (ping) request  id=0xf318, seq=1/256, ttl=64
    2 0.000036209     10.0.0.5 → 10.0.0.1     ICMP 98 Echo (ping) reply    id=0xf318, seq=1/256, ttl=64 (request in 1)
    3 1.029341860     10.0.0.1 → 10.0.0.5     ICMP 98 Echo (ping) request  id=0xf318, seq=2/512, ttl=64
    4 1.029376035     10.0.0.5 → 10.0.0.1     ICMP 98 Echo (ping) reply    id=0xf318, seq=2/512, ttl=64 (request in 3)
    5 2.053337195     10.0.0.1 → 10.0.0.5     ICMP 98 Echo (ping) request  id=0xf318, seq=3/768, ttl=64
    6 2.053366902     10.0.0.5 → 10.0.0.1     ICMP 98 Echo (ping) reply    id=0xf318, seq=3/768, ttl=64 (request in 5)
    7 3.077335500     10.0.0.1 → 10.0.0.5     ICMP 98 Echo (ping) request  id=0xf318, seq=4/1024, ttl=64

[ ... additional output omitted ... ]

Exporting a scan in JSON

Tshark provides the ability to output scans in JSON formatting by using the -T json argument.

tshark -T json -i br-285319d5dca3

root@katacoda:~# tshark -T json -i br-acafd867c66c | head -n 30 
Running as user "root" and group "root". This could be dangerous.
Capturing on 'br-acafd867c66c'
[
  {
    "_index": "packets-2021-08-21",
    "_type": "doc",
    "_score": null,
    "_source": {
      "layers": {
        "frame": {
          "frame.interface_id": "0",
          "frame.interface_id_tree": {
            "frame.interface_name": "br-acafd867c66c"
          },
          "frame.encap_type": "1",
          "frame.time": "Aug 21, 2021 03:31:27.912030025 UTC",
          "frame.offset_shift": "0.000000000",
          "frame.time_epoch": "1629516687.912030025",
          "frame.time_delta": "0.000000000",
          "frame.time_delta_displayed": "0.000000000",
          "frame.time_relative": "0.000000000",
          "frame.number": "1",
          "frame.len": "74",
          "frame.cap_len": "74",
          "frame.marked": "0",
          "frame.ignored": "0",
          "frame.protocols": "eth:ethertype:ip:tcp"
        },
        "eth": {
          "eth.dst": "02:42:0a:00:00:05",
          "eth.dst_tree": {
            "eth.dst_resolved": "02:42:0a:00:00:05",

This output can be written to a file by redirecting standard output. Use a single > for one capture: the JSON output is a single array that is only closed when the capture ends, so appending a second capture with >> produces two back-to-back arrays, which is not one valid JSON document and will break parsers that are not written to expect it.

tshark -T json -i br-285319d5dca3 > output.json

root@katacoda:~# head -n 20 output.json 
[
  {
    "_index": "packets-2021-08-21",
    "_type": "doc",
    "_score": null,
    "_source": {
      "layers": {
        "frame": {
          "frame.interface_id": "0",
          "frame.interface_id_tree": {
            "frame.interface_name": "br-285319d5dca3"
          },
          "frame.encap_type": "1",
          "frame.time": "Aug 21, 2021 02:49:33.974522255 UTC",
          "frame.offset_shift": "0.000000000",
          "frame.time_epoch": "1629514173.974522255",

After stopping the capture with ^C, we can view the file by using the cat command as shown below:

cat output.json

root@katacoda:~# cat output.json 
[
  {
    "_index": "packets-2021-08-21",
    "_type": "doc",
    "_score": null,
    "_source": {
      "layers": {
        "frame": {
          "frame.interface_id": "0",
          "frame.interface_id_tree": {
            "frame.interface_name": "br-285319d5dca3"
          },
          "frame.encap_type": "1",
          "frame.time": "Aug 21, 2021 02:47:21.169964855 UTC",
          "frame.offset_shift": "0.000000000",
          "frame.time_epoch": "1629514041.169964855",
          "frame.time_delta": "0.000000000",
          "frame.time_delta_displayed": "0.000000000",
          "frame.time_relative": "0.000000000",
          "frame.number": "1",

[ ... additional output omitted ... ]

Alternatively, while the capture is still running, tail -f output.json prints new output as it is written, indefinitely.

To exit out of the tail use the ^C keybinding.

Supported formats for the -T option include:

  -T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?
                           format of text output (def: text)
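To show how the -T json output is consumed downstream, here is an added Python example that is not part of the original scenario. It parses records in the shape shown above, using Tshark's standard ip.src, ip.dst, tcp.dstport and frame.protocols field names, and it handles a file that >> has turned into several back-to-back JSON arrays, which json.load() would reject. The sample records are constructed and trimmed to the fields the summary uses.

```python
"""Summarise `tshark -T json` output, tolerating files built with `>>` (added example)."""
import json
import sys
from collections import Counter

# Constructed sample in the shape tshark emits (_source.layers.<proto>.<field>),
# trimmed to the fields used below. Two top-level arrays are concatenated, which
# is what `tshark -T json ... >> output.json` leaves behind after two captures.
SAMPLE = """\
[
  {"_index": "packets-2021-08-21", "_type": "doc", "_score": null,
   "_source": {"layers": {
     "frame": {"frame.number": "1", "frame.protocols": "eth:ethertype:ip:icmp"},
     "ip": {"ip.src": "10.0.0.1", "ip.dst": "10.0.0.5"},
     "icmp": {"icmp.type": "8"}}}},
  {"_index": "packets-2021-08-21", "_type": "doc", "_score": null,
   "_source": {"layers": {
     "frame": {"frame.number": "2", "frame.protocols": "eth:ethertype:ip:tcp"},
     "ip": {"ip.src": "10.0.0.1", "ip.dst": "10.0.0.5"},
     "tcp": {"tcp.srcport": "47522", "tcp.dstport": "80"}}}}
]
[
  {"_index": "packets-2021-08-21", "_type": "doc", "_score": null,
   "_source": {"layers": {
     "frame": {"frame.number": "1", "frame.protocols": "eth:ethertype:ip:tcp:http"},
     "ip": {"ip.src": "10.0.0.5", "ip.dst": "10.0.0.1"},
     "tcp": {"tcp.srcport": "80", "tcp.dstport": "47522"}}}}
]
"""


def iter_packets(text):
    """Yield the `layers` dict of every record across one or more concatenated
    JSON arrays. json.loads() stops at the first array; raw_decode walks on."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        while pos < len(text) and text[pos].isspace():  # raw_decode does not skip whitespace
            pos += 1
        if pos >= len(text):
            return
        array, pos = decoder.raw_decode(text, pos)
        for record in array:
            yield record["_source"]["layers"]


def summarize(text):
    """Count the innermost protocol of each frame and (src, dst, dstport) conversations."""
    protocols = Counter()
    conversations = Counter()
    for layers in iter_packets(text):
        protocols[layers["frame"]["frame.protocols"].split(":")[-1]] += 1
        ip = layers.get("ip")
        if ip is None:  # ARP and other non-IP frames have no conversation key
            continue
        dport = (layers.get("tcp", {}).get("tcp.dstport")
                 or layers.get("udp", {}).get("udp.dstport"))
        conversations[(ip["ip.src"], ip["ip.dst"], dport)] += 1
    return protocols, conversations


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    protocols, conversations = summarize(text)
    print("protocols:", dict(protocols))
    for (src, dst, port), n in conversations.most_common():
        print(f"{src} -> {dst} port {port}: {n} packet(s)")
```

Pass the path of an output.json written by Tshark to summarise a real capture; with no argument it runs over the constructed sample.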

Applying capture filtering to a scan

In many cases, the interface we want to capture on carries a lot of unrelated traffic, and we only want to see a specific port or protocol. We can restrict what is captured by adding the -f "FILTER_EXPRESSION" argument, where the expression must be passed as a single argument. This is a capture filter in pcap-filter (BPF) syntax, the same syntax tcpdump uses; it is applied by the capture library (in the kernel on Linux) before packets reach Tshark, so filtered-out packets are never captured or written with -w. It is distinct from Tshark's display filter (-Y), which uses Wireshark field syntax such as http.request and is applied after capture.

For example, if we only wanted HTTP traffic, we could use the following filter. Note that it matches by port number (http resolves to 80 via /etc/services), so it also captures the TCP handshake and bare ACKs on that port, as the output shows:

tshark -f "port http" -i br-285319d5dca3

root@katacoda:~# tshark -f "port http" -i br-285319d5dca3
Running as user "root" and group "root". This could be dangerous.
Capturing on 'br-285319d5dca3'
    1 0.000000000     10.0.0.1 → 10.0.0.5     TCP 74 47522 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=1762344937 TSecr=0 WS=128
    2 0.000036819     10.0.0.5 → 10.0.0.1     TCP 74 80 → 47522 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=2863087775 TSecr=1762344937 WS=128
    3 0.000055143     10.0.0.1 → 10.0.0.5     TCP 66 47522 → 80 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=1762344937 TSecr=2863087775
    4 0.000102772     10.0.0.1 → 10.0.0.5     HTTP 138 GET / HTTP/1.1 
    5 0.000109554     10.0.0.5 → 10.0.0.1     TCP 66 80 → 47522 [ACK] Seq=1 Ack=73 Win=65152 Len=0 TSval=2863087775 TSecr=1762344937
    6 0.000253152     10.0.0.5 → 10.0.0.1     TCP 306 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
    7 0.000285312     10.0.0.1 → 10.0.0.5     TCP 66 47522 → 80 [ACK] Seq=73 Ack=241 Win=64128 Len=0 TSval=1762344937 TSecr=2863087775

[ ... additional output omitted ... ]

The same can be done for the ICMP ping requests shown earlier by executing:

tshark -f "icmp[icmptype]==icmp-echo" -i br-285319d5dca3

root@katacoda:~# tshark -f "icmp[icmptype]==icmp-echo" -i br-285319d5dca3
Running as user "root" and group "root". This could be dangerous.
Capturing on 'br-285319d5dca3'
    1 0.000000000     10.0.0.1 → 10.0.0.5     ICMP 98 Echo (ping) request  id=0xf318, seq=2906/23051, ttl=64
    2 1.020019024     10.0.0.1 → 10.0.0.5     ICMP 98 Echo (ping) request  id=0xf318, seq=2907/23307, ttl=64
    3 2.044199094     10.0.0.1 → 10.0.0.5     ICMP 98 Echo (ping) request  id=0xf318, seq=2908/23563, ttl=64
    4 3.068206736     10.0.0.1 → 10.0.0.5     ICMP 98 Echo (ping) request  id=0xf318, seq=2909/23819, ttl=64
    5 4.092000483     10.0.0.1 → 10.0.0.5     ICMP 98 Echo (ping) request  id=0xf318, seq=2910/24075, ttl=64

Introduction to tcpdump

tcpdump is lightweight and easily accessible. It is highly recommended to become familiar with both Tshark and tcpdump.

Installing tcpdump

Similar to Tshark, we can install tcpdump by using the apt package manager. This can be done by executing the following:

apt update; apt install -y tcpdump

After installation completes, we can verify that tcpdump is installed by using the --version flag to output the version number.

tcpdump --version

Below is an example of the version output:

tcpdump version 4.9.3
libpcap version 1.10.0 (with TPACKET_V3)
OpenSSL 1.1.1  16 Feb 2021

Starting tcpdump

Tcpdump can be started with the tcpdump command alone, in which case it captures on the first non-loopback interface it finds (br-acafd867c66c below) and prints one line per packet until you stop it with ^C.

root@katacoda:~# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-acafd867c66c, link-type EN10MB (Ethernet), capture size 262144 bytes
03:05:52.209799 IP katacoda > 10.0.0.5: ICMP echo request, id 62232, seq 4551, length 64
03:05:52.209832 IP 10.0.0.5 > katacoda: ICMP echo reply, id 62232, seq 4551, length 64
03:05:52.531066 IP katacoda.54820 > 10.0.0.5.http: Flags [S], seq 1462452098, win 64240, options [mss 1460,sackOK,TS val 1764921019 ecr 0,nop,wscale 7], length 0
03:05:52.531114 IP 10.0.0.5.http > katacoda.54820: Flags [S.], seq 3112095514, ack 1462452099, win 65160, options [mss 1460,sackOK,TS val 2865663857 ecr 1764921019,nop,wscale 7], length 0
03:05:52.531133 IP katacoda.54820 > 10.0.0.5.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 1764921019 ecr 2865663857], length 0
03:05:52.531184 IP katacoda.54820 > 10.0.0.5.http: Flags [P.], seq 1:73, ack 1, win 502, options [nop,nop,TS val 1764921019 ecr 2865663857], length 72: HTTP: GET / HTTP/1.1

Selecting an interface

First, we must list all available interfaces by using the -D argument, similar to Tshark.

tcpdump -D

root@katacoda:~# tcpdump -D
1.br-acafd867c66c [Up, Running]
2.veth4e0d04e [Up, Running]
3.vethc0fb4b7 [Up, Running]
4.eth0 [Up, Running]

Next, to have tcpdump run on a specific interface use the -i argument. From our example above, we can select the br-acafd867c66c interface as we know this interface is bound to our docker 10.0.0.0/24 network found by running ip route from earlier.

tcpdump -i br-XXXXXXXXXX

Note: The following sections of the scenario will require you to substitute the br-XXXXXXXXXX interface with the found interface name.

Help output

To list all possible arguments tcpdump can receive, use the -h argument.

tcpdump -h

Documentation

To read the complete documentation for tcpdump, please visit:

https://www.tcpdump.org/manpages/tcpdump.1.html

Tcpdump output and filtering

Writing a scan to a file

Similar to Tshark, we can write the raw packet output to a file, usually with the file extension .pcap, by using the -w FILENAME argument. tcpdump writes the classic pcap format, which Tshark, Wireshark and most other tools read directly.

tcpdump -w FILENAME.pcap -i br-XXXXXXXX

Note: Please enter the interface found when executing ip route

root@katacoda:~# tcpdump -w FILENAME.pcap -i br-acafd867c66c
tcpdump: listening on br-acafd867c66c, link-type EN10MB (Ethernet), capture size 262144 bytes

Tcpdump will continue running until you stop it with ^C or the disk fills up. For unattended captures, bound the capture with -c COUNT (stop after that many packets) or -C SIZE (start a new file once the current one reaches SIZE million bytes).

Reading a scan from a .pcap file

In many instances, you may want to take the raw packet output from a file generated by the -w argument and parse through the information. You can read the file back using the -r FILENAME.pcap argument.

tcpdump -r FILENAME.pcap

root@katacoda:~# tcpdump -r FILENAME.pcap
reading from file FILENAME.pcap, link-type EN10MB (Ethernet)
03:20:56.401804 IP katacoda > 10.0.0.5: ICMP echo request, id 62232, seq 5434, length 64
03:20:56.401837 IP 10.0.0.5 > katacoda: ICMP echo reply, id 62232, seq 5434, length 64
03:20:56.930375 IP katacoda.57280 > 10.0.0.5.http: Flags [S], seq 1734658261, win 64240, options [mss 1460,sackOK,TS val 1765825418 ecr 0,nop,wscale 7], length 0
03:20:56.930411 IP 10.0.0.5.http > katacoda.57280: Flags [S.], seq 4109180634, ack 1734658262, win 65160, options [mss 1460,sackOK,TS val 2866568256 ecr 1765825418,nop,wscale 7], length 0
03:20:56.930447 IP katacoda.57280 > 10.0.0.5.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 1765825418 ecr 2866568256], length 0
03:20:56.930508 IP katacoda.57280 > 10.0.0.5.http: Flags [P.], seq 1:73, ack 1, win 502, options [nop,nop,TS val 1765825418 ecr 2866568256], length 72: HTTP: GET / HTTP/1.1
03:20:56.930515 IP 10.0.0.5.http > katacoda.57280: Flags [.], ack 73, win 509, options [nop,nop,TS val 2866568256 ecr 1765825418], length 0
03:20:56.930639 IP 10.0.0.5.http > katacoda.57280: Flags [P.], seq 1:241, ack 73, win 509, options [nop,nop,TS val 2866568256 ecr 1765825418], length 240: HTTP: HTTP/1.1 200 OK

[ ... additional output omitted ... ]

Applying capture filtering to a scan

Tcpdump takes the filter as a trailing positional argument, after the options, using the same pcap-filter (BPF) syntax as Tshark's -f. Quote it so the shell passes it through as one argument. If no filter is specified, tcpdump prints all captured packets to standard output.

As an example, to filter only icmp-echo and icmp-echoreply packets, we can use the following filter:

tcpdump -i br-XXXXXXXX 'icmp[icmptype] == icmp-echo or icmp[icmptype] == icmp-echoreply'

root@katacoda:~# tcpdump -i br-acafd867c66c 'icmp[icmptype] == icmp-echo or icmp[icmptype] == icmp-echoreply'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-acafd867c66c, link-type EN10MB (Ethernet), capture size 262144 bytes
03:34:34.577925 IP katacoda > 10.0.0.5: ICMP echo request, id 62232, seq 6233, length 64
03:34:34.577960 IP 10.0.0.5 > katacoda: ICMP echo reply, id 62232, seq 6233, length 64
03:34:35.601816 IP katacoda > 10.0.0.5: ICMP echo request, id 62232, seq 6234, length 64
03:34:35.601847 IP 10.0.0.5 > katacoda: ICMP echo reply, id 62232, seq 6234, length 64

Or, to see the traffic to and from the web server, we can filter on its TCP port. Note that tcp port 80 matches every TCP segment on that port in either direction (handshake and bare ACKs included), not only HTTP requests and responses, and it does not distinguish IPv4 from IPv6; prefix it with ip (ip and tcp port 80) to restrict it to IPv4:

tcpdump -i br-XXXXXXXX 'tcp port 80'

root@katacoda:~# tcpdump -i br-acafd867c66c 'tcp port 80'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-acafd867c66c, link-type EN10MB (Ethernet), capture size 262144 bytes
03:47:19.444883 IP katacoda.33392 > 10.0.0.5.http: Flags [S], seq 223629244, win 64240, options [mss 1460,sackOK,TS val 1767407933 ecr 0,nop,wscale 7], length 0
03:47:19.444929 IP 10.0.0.5.http > katacoda.33392: Flags [S.], seq 777217578, ack 223629245, win 65160, options [mss 1460,sackOK,TS val 2868150771 ecr 1767407933,nop,wscale 7], length 0
03:47:19.444948 IP katacoda.33392 > 10.0.0.5.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 1767407933 ecr 2868150771], length 0
03:47:19.446035 IP katacoda.33392 > 10.0.0.5.http: Flags [P.], seq 1:73, ack 1, win 502, options [nop,nop,TS val 1767407934 ecr 2868150771], length 72: HTTP: GET / HTTP/1.1
03:47:19.446052 IP 10.0.0.5.http > katacoda.33392: Flags [.], ack 73, win 509, options [nop,nop,TS val 2868150772 ecr 1767407934], length 0
03:47:19.446158 IP 10.0.0.5.http > katacoda.33392: Flags [P.], seq 1:241, ack 73, win 509, options [nop,nop,TS val 2868150772 ecr 1767407934], length 240: HTTP: HTTP/1.1 200 OK
03:47:19.446191 IP katacoda.33392 > 10.0.0.5.http: Flags [.], ack 241, win 501, options [nop,nop,TS val 1767407934 ecr 2868150772], length 0
03:47:19.446276 IP 10.0.0.5.http > katacoda.33392: Flags [P.], seq 241:7481, ack 73, win 509, options [nop,nop,TS val 2868150772 ecr 1767407934], length 7240: HTTP
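Both tools read and write the same classic pcap container (tcpdump -w always, Tshark -w when given -F pcap), and both apply pcap-filter expressions at capture time. The following Python script is an added example, not part of the original scenario, serving the "Reading a scan from a .pcap file" and "Applying capture filtering" sections of both tools: it builds a small constructed capture in memory, decodes it with the standard library only (so you can see exactly which bytes a pcap file and its Ethernet, IPv4, ICMP and TCP headers contain), and re-applies the two filters used above, icmp[icmptype] == icmp-echo and tcp port 80, as Python predicates over the decoded fields. The MACs, IPs, ports and ICMP id are constructed to match the tutorial's hosts; the predicates run after capture, unlike a real BPF filter, which drops packets before they are captured.

```python
"""Decode a classic pcap capture and re-apply capture filters after the fact (added example)."""
import socket
import struct
import sys


def checksum(data):
    """RFC 1071 ones-complement sum; returns 0 over a header whose checksum field is already set."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


# --- builders for the constructed sample capture (values mirror the tutorial's hosts) ---
def ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def icmp_echo(ident, seq, data=b"A" * 56):
    msg = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data  # type 8 = echo request
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def tcp_syn(sport, dport):
    # data offset 5 words, flags SYN; TCP checksum left zero (the decoder does not verify it)
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 64240, 0, 0)


def build_sample_pcap():
    """Constructed capture: an ICMP echo request and a TCP SYN to port 80, 10.0.0.1 -> 10.0.0.5."""
    host, c1 = b"\x02\x42\x90\x8c\x93\x14", b"\x02\x42\x0a\x00\x00\x05"
    frames = [c1 + host + b"\x08\x00" + ipv4("10.0.0.1", "10.0.0.5", 1, icmp_echo(0xF318, 1)),
              c1 + host + b"\x08\x00" + ipv4("10.0.0.1", "10.0.0.5", 6, tcp_syn(47522, 80))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):  # per-packet record: ts_sec, ts_usec, caplen, origlen
        out += struct.pack("<IIII", 1629514041 + i, 0, len(f), len(f)) + f
    return out


# --- reader / decoder ---
def read_pcap(data):
    """Parse a classic pcap (either byte order) into decoded packet dicts; pcapng is rejected."""
    magic, = struct.unpack("<I", data[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng? re-capture with tshark -F pcap)")
    linktype, = struct.unpack(endian + "I", data[20:24])
    if linktype != 1:
        raise ValueError("only the Ethernet link type is supported")
    pos, packets = 24, []
    while pos + 16 <= len(data):
        ts_sec, ts_usec, caplen, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        packets.append(decode_frame(data[pos + 16:pos + 16 + caplen], ts_sec + ts_usec / 1e6))
        pos += 16 + caplen
    return packets


def decode_frame(frame, ts):
    pkt = {"ts": ts, "len": len(frame), "proto": "other"}
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:  # EtherType: only IPv4 decoded here
        return pkt
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    pkt.update(src=socket.inet_ntoa(ip[12:16]), dst=socket.inet_ntoa(ip[16:20]),
               ttl=ip[8], ip_ok=checksum(ip[:ihl]) == 0)
    l4 = ip[ihl:]
    if ip[9] == 1:  # ICMP: type, code, checksum, id, seq
        typ, _, _, ident, seq = struct.unpack("!BBHHH", l4[:8])
        pkt.update(proto="icmp", icmptype=typ, id=ident, seq=seq)
    elif ip[9] == 6:  # TCP: ports, then the flags byte at offset 13
        sport, dport = struct.unpack("!HH", l4[:4])
        pkt.update(proto="tcp", sport=sport, dport=dport,
                   syn=bool(l4[13] & 0x02), ack=bool(l4[13] & 0x10))
    return pkt


# --- the tutorial's two filters, expressed as predicates over decoded packets ---
ICMP_ECHO, ICMP_ECHOREPLY = 8, 0


def is_icmp_echo(p):  # icmp[icmptype] == icmp-echo
    return p["proto"] == "icmp" and p["icmptype"] == ICMP_ECHO


def is_tcp_port(p, port):  # tcp port 80: matches either direction
    return p["proto"] == "tcp" and port in (p["sport"], p["dport"])


def summary(p):
    """One-line rendering in the spirit of tshark's default output."""
    if p["proto"] == "icmp":
        kind = {ICMP_ECHO: "request", ICMP_ECHOREPLY: "reply"}.get(p["icmptype"], f"type {p['icmptype']}")
        return f"{p['src']} -> {p['dst']} ICMP Echo (ping) {kind} id=0x{p['id']:04x}, seq={p['seq']}, ttl={p['ttl']}"
    if p["proto"] == "tcp":
        flags = "SYN" if p["syn"] and not p["ack"] else "ACK"
        return f"{p['src']} -> {p['dst']} TCP {p['sport']} -> {p['dport']} [{flags}]"
    return f"{p['len']}-byte non-IPv4 frame"


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for p in read_pcap(data):
        if is_icmp_echo(p) or is_tcp_port(p, 80):
            print(summary(p))
```

Pass the path of a file written by tcpdump -w (or tshark -w -F pcap) to decode a real capture; with no argument it decodes the constructed sample. The pcapng check matters in practice: a file written by a default tshark -w will be rejected with a hint rather than misparsed.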