[ Certified Ethical Hacker v10 ] :: [ Chapter 4 ] :: Sniffing, Evasion and Packet Analysis

This entry is part 7 of 30 in the series [ Certified Ethical Hacker Training ]

Chapter 4: Sniffing, Evasion and Packet Analysis

This is kind of an odd grouping, especially because “sniffing” doesn’t sound that different from “scanning,” which we did several steps ago. Learn how to split this hair: scanning is looking for hosts and ports, sniffing is capturing and examining traffic. (Yes, that’s wildly oversimplified.)

Using Wireshark, tshark and tcpdump
Wireshark is the de facto (meaning “in real life”) and de jure (meaning “in law”) standard for traffic (packet) sniffing. If you’re dragged into court you’ll want your evidence to be produced by Wireshark, then promptly MD5 or SHA checksummed so you can prove the capture file was not altered afterward.

(Note the Get Help menu for tutorial options.)

When you go looking for tutorials on Wireshark, be aware: the Wireshark user interface changes quite a bit across versions, so what you see on your computer may be different. Look for the newest videos, from good sources.

If you are totally new to Wireshark, meet HowToGeek.com and scan this tutorial:

Wireshark Capture Filters are kind of a big deal. You’ll need to know the basic syntax and operators. The Wireshark project has a great wiki, so take advantage of it. Start with this page:


Sample VOIP captures are a great way to learn to use Wireshark. I suggest getting one here:

You can open this file in Wireshark, select a packet of the call and follow (play) it.

The tcpdump command lets you sniff traffic, by which we mean it lets you watch and capture the packets flowing on your network. It’s like a CLI for Wireshark. 😉
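Both Wireshark and tcpdump write the classic libpcap capture format, and the chapter’s advice to checksum your evidence file applies to exactly that file. The following is an added example, not code from the chapter or from either project: it constructs a few sample Ethernet/IPv4 frames, writes them as a pcap file, computes the SHA-256 the chapter recommends, and parses the file back to show what the global header and per-packet records contain (including the IPv4 fragment fields). All addresses, timestamps and payloads are constructed sample data; the IP checksum is left at zero because nothing here transmits the frames.

```python
"""Added example (not from the CEH chapter): write a minimal classic pcap
file from constructed frames, hash it for evidence integrity, and parse it."""
import hashlib
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_ipv4_frame(src, dst, proto, flags_frag, payload=b""):
    """Constructed Ethernet+IPv4 frame; header checksum left at 0 (never sent)."""
    eth = b"\x00" * 12 + b"\x08\x00"            # dst MAC, src MAC, EtherType=IPv4
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(payload), 0x1234, flags_frag, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + payload


def write_pcap(path, frames):
    """Write a pcap global header followed by one record per frame."""
    with open(path, "wb") as f:
        # magic, major, minor, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            # ts_sec, ts_usec, incl_len, orig_len (constructed timestamps)
            f.write(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)))
            f.write(frame)


def sha256_file(path):
    """Hash the whole capture file; record this digest with the evidence."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def summarize_frame(frame):
    """Decode the IPv4 fields a triage analyst looks at first."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return {"ipv4": False}
    if (frame[14] & 0x0F) * 4 < 20:
        return {"ipv4": False}                   # malformed IHL
    total_len, ident, flags_frag, ttl, proto = struct.unpack("!HHHBB", frame[16:24])
    return {
        "ipv4": True,
        "src": ".".join(map(str, frame[26:30])),
        "dst": ".".join(map(str, frame[30:34])),
        "proto": proto, "ttl": ttl, "ident": ident, "total_len": total_len,
        "more_fragments": bool(flags_frag & 0x2000),   # MF bit
        "frag_offset": (flags_frag & 0x1FFF) * 8,      # offset is in 8-byte units
    }


def parse_pcap(path):
    """Return [(timestamp, summary), ...] for every record in a classic pcap."""
    with open(path, "rb") as f:
        data = f.read()
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"                             # written on a big-endian host
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record")
        off += incl_len
        records.append((ts_sec + ts_usec / 1e6, summarize_frame(frame)))
    return records


def fragmented(records):
    """Indices of records that are IP fragments (MF set or non-zero offset)."""
    return [i for i, (_, s) in enumerate(records)
            if s.get("ipv4") and (s["more_fragments"] or s["frag_offset"] > 0)]


def demo():
    frames = [
        build_ipv4_frame("10.0.0.5", "10.0.0.9", 6, 0x0000, b"\x00" * 20),  # whole segment
        build_ipv4_frame("10.0.0.5", "10.0.0.9", 6, 0x2000, b"\x00" * 8),   # MF set, offset 0
        build_ipv4_frame("10.0.0.5", "10.0.0.9", 6, 0x0001, b"\x00" * 8),   # last fragment, offset 8
    ]
    path = os.path.join(tempfile.mkdtemp(), "sample.pcap")
    write_pcap(path, frames)
    return sha256_file(path), parse_pcap(path)


if __name__ == "__main__":
    digest, recs = demo()
    print("sha256:", digest)
    for ts, s in recs:
        print(ts, s)
    print("fragment records:", fragmented(recs))
```

Wireshark saves pcapng by default; use “Save As” with the pcap format (or capture with tcpdump, whose default is classic pcap) if you want a file this parser, or the chapter’s checksum-and-keep workflow, to apply to.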

Here’s a chance to get to know Jeremy Druin (@webpwnized), who has put out great infosec videos for years. See his series, Introduction to Packet Analysis – Part 7: Capturing Network Traffic with TCPDump.

The basics: https://www.youtube.com/watch?v=AIQVNlI_A20&t=155s

Building a lab to demo tcpdump: https://www.youtube.com/watch?v=Gdmz3jtqjMM


First there was hping, then hping2, and currently hping3. The versions are substantially different, so be careful which one you’re actually using and typing.

This packet-crafting utility lets you build custom IP packets, with total control over the size, source and destination IPs, flags, fragmentation, contents and everything else about them. Try thinking of it as an alternative to nmap. And like nmap, you will need to know hping3 switches and syntax for the CEH exam.

Short example:

Longer example (from Hackersploit):

A place to practice:


Evading IDS, IPS and Firewalls

There are at least three ways to evade detection, especially detection of malware you’re sending over the wire.

The first is packet fragmentation, easy to do in nmap with just the -f flag.

The second is encryption, which could be done a whole lot of different ways.

And the third is timing: keeping your scans slow and small helps them go undetected. See page 167 in our CEH textbook for Matt Walker’s discussion with a “perimeter security guy”: how could he scan a network of over 10,000 hosts undetected? The response: keep your scans to less than 2 minutes each, and he could scan the whole network in about 2 days. So: slow down, scan smaller target ranges, and keep good records.
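The timing point cuts both ways: a scan that stays under a detector’s window is invisible to that detector, and the defender’s answer is a longer window that counts distinct ports per source over hours rather than seconds. The following is an added example, not code from the chapter or the textbook: it builds a constructed connection log in which one host probes a new port every 90 seconds while an ordinary client keeps reconnecting to ports 80 and 443, then runs the same distinct-port detector with a 60-second window (misses the scan) and a one-hour window (catches it). The log format and all addresses are constructed for the example.

```python
"""Added example (not from the CEH chapter): detecting a low-and-slow port scan
by counting distinct destination ports per source inside a sliding time window."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed log lines: '<ISO timestamp> <src> -> <dst>:<port>'."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    lines = []
    # Slow scanner: one new port every 90 seconds, 30 ports over 45 minutes.
    for i in range(30):
        t = base + timedelta(seconds=90 * i)
        lines.append(f"{t.isoformat()} 203.0.113.7 -> 192.0.2.10:{1 + i}")
    # Ordinary client: reconnects every minute, alternating between two ports.
    for i in range(30):
        t = base + timedelta(seconds=60 * i + 5)
        lines.append(f"{t.isoformat()} 198.51.100.4 -> 192.0.2.10:{443 if i % 2 else 80}")
    lines.sort()  # ISO timestamps sort chronologically as strings
    return lines


def parse_line(line):
    ts, src, _, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)


def detect_scanners(lines, window_seconds, threshold):
    """Return {src: peak distinct ports within any window} for sources at/over threshold.

    Lines must be in chronological order. Each source keeps a deque of (time, port)
    events; events older than the window are dropped before counting."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for line in lines:
        ts, src, _, port = parse_line(line)
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:
            q.popleft()
        peak[src] = max(peak[src], len({p for _, p in q}))
    return {src: n for src, n in peak.items() if n >= threshold}


def demo():
    log = build_sample_log()
    short = detect_scanners(log, 60, 10)      # 60 s window: scan stays under threshold
    long_ = detect_scanners(log, 3600, 10)    # 1 h window: scanner reaches 30 distinct ports
    return short, long_


if __name__ == "__main__":
    short, long_ = demo()
    print("60 s window:", short)
    print("1 h window: ", long_)
```

The trade-off the detector exposes is memory: a longer window means more events retained per source, which is why production sensors use the same idea with summarised counters instead of raw event queues.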

Scanning Firewalls with Firewalk

This takes three systems: your Kali attacker, a firewall, and a target system inside the firewall.

firewalk -S1-1024 -i <interface> -n -pTCP <gateway IP> <target IP>

How it works:


How to Use Firewalk on Kali


Summary and Examples from the nmap site


Firewall/IDS Evasion and Spoofing from nmap.org


Bypassing Firewall Rules from nmap.org

  1. Perform a firewalk of the target system I will supply (on-site classes only) using the firewalk tool.
  2. Perform a similar test with nmap.
  3. Run an nmap scan using the fragmentation flag.