You can use RHEL's task scheduling capabilities in scenarios like automating system maintenance (for example, log rotation or backup operations), managing routine administrative tasks (like user account cleanup or security updates), or orchestrating complex workflows in enterprise environments. These scheduling tools are essential for maintaining system health and ensuring that critical operations run without manual intervention.

For system administrators, think of task scheduling as the backbone of automated system management, enabling you to set up processes that run reliably in the background while you focus on more strategic initiatives. Its power lies in its flexibility and reliability, making it an indispensable skill for anyone managing Linux systems in production environments.

In this tutorial, you’ll learn how to schedule tasks in Red Hat Enterprise Linux using various built-in tools and techniques. This content is part of Schedule Future Tasks, which is Chapter 2 of the Red Hat System Administration (RH134) course. RH134 is a fundamental course for the Red Hat Certified System Administrator (RHCSA) certification, one of the most respected credentials in the Linux administration field.

This hands-on tutorial provides practical experience with the scheduling concepts covered in the RH134 curriculum, giving you the skills needed to automate tasks effectively in enterprise RHEL environments.

Here's what we'll cover:

• How to Schedule a One-time Job with 'at'

• How to Manage 'at' jobs

• How to Schedule Recurring User Jobs with 'crontab'

• How to Manage User 'crontab' Entries

• How to Schedule Recurring System Jobs with cron Directories

• How to Configure systemd Timers for Recurring Tasks

• How to Manage Temporary Files with systemd-tmpfiles

Prerequisites

This tutorial is designed to be beginner-friendly! You just need basic familiarity with using the Linux command line. If you can navigate directories and run simple commands, you're ready to start.

For those looking to deepen their RHEL knowledge, the RHEL Skill Tree offers comprehensive hands-on labs including RH124, RH134, RH294, and other courses for RHCSA and RHCE certifications.

Don't worry if you're new to Red Hat Enterprise Linux – I'll explain everything step by step, and these concepts work on most Linux distributions too.

How to Schedule a One-time Job with 'at'

First, let’s learn how to schedule a job to run once at a future time using the at command. The at command is useful for executing commands that don’t need to be run repeatedly. We will schedule a simple job, inspect its details, and then remove it.

In this tutorial, we will work directly on the local system to learn task scheduling. You’ll execute all commands in your current terminal environment.

Let's schedule a job to print the current date and time into a file named ~/myjob.txt in your home directory. We'll schedule it to run 3 minutes from now:

at now + 3 minutes << EOF
date > ~/myjob.txt
EOF

The warning: commands will be executed using /bin/sh message is normal. The job N at ... output indicates the job number and the scheduled execution time. Make a note of the job number, as you will need it later.

Next, let's schedule another job interactively. This method is useful for entering multiple commands or more complex scripts. We will schedule a job to append "Hello from at job!" to ~/at_output.txt 5 minutes from now:

at now + 5 minutes

After typing the command and pressing Enter, you will see an at> prompt. Type your command and then press Ctrl+d to finish:

at > echo "Hello from at job!" >> ~/at_output.txt
at > Ctrl+d

To view the jobs currently in the at queue, use the atq command. This command lists all pending at jobs for the current user.

atq

The output will show the job number, the scheduled time, the queue, and the user who scheduled it.

You can inspect the commands that a specific at job will run using the at -c command followed by the job number. Replace N with one of the job numbers you noted earlier.

at -c N

This command will display the shell script that at will execute for that job. You should see the date > ~/myjob.txt or echo "Hello from at job!" >> ~/at_output.txt command within the output.

Finally, to remove a scheduled at job, use the atrm command followed by the job number. Let's remove the first job we scheduled. Replace N with the job number of your first job.

atrm N

After removing the job, you can use atq again to verify that it is no longer in the queue.

atq

You should now only see the second job (if it hasn't executed yet) or an empty queue if both jobs have been removed or executed.

This completes the first step of scheduling one-time jobs with the at command.

How to Manage 'at' jobs

Now, let’s delve deeper into managing at jobs, including scheduling jobs with different queues and verifying their execution. Understanding at queues can be useful for prioritizing tasks or separating different types of one-time jobs.

We will continue working on the local system to explore more advanced at job management features.

The at command allows you to specify a queue using the -q option. Queues are single letters from a to z. Queue a is the default, and jobs in queues a through z are executed with decreasing niceness (priority). Queue a has the highest priority, and queue z has the lowest. Queue b is reserved for batch jobs.

Let's schedule a job in queue g (a lower priority queue) to run in 2 minutes. This job will create a file named ~/queue_g_job.txt with a timestamp:

at -q g now + 2 minutes << EOF
date > ~/queue_g_job.txt
EOF

You will see output similar to job N at .... Note down this job number.

Next, let's schedule another job, this time in queue b (batch queue), which is typically used for jobs that can run when system load is low. This job will append "Batch job executed!" to ~/batch_job.txt. We'll schedule it to run 4 minutes from now:

at -q b now + 4 minutes << EOF
echo "Batch job executed!" >> ~/batch_job.txt
EOF

Again, note down the job number.

To see all pending jobs, including those in different queues, use atq.

atq

You should now see both jobs listed, with their respective queue letters (g and b).

Now, wait for your scheduled jobs to execute. Wait for at least 5 minutes to allow all jobs to complete. You can check if the files created by your at jobs exist and contain the expected content.

Check ~/queue_g_job.txt:

cat ~/queue_g_job.txt

You should see a date and time string.

Check ~/batch_job.txt:

cat ~/batch_job.txt

You should see "Batch job executed!".

If the files are not present or empty, it might mean the jobs haven't executed yet, or there was an issue with the command. You can re-check atq to see if they are still pending.

How to Schedule Recurring User Jobs with 'crontab'

Next, you’ll learn how to schedule recurring tasks for a specific user using crontab. Unlike at jobs, which run once, cron jobs run repeatedly at specified intervals. This is ideal for routine maintenance, data backups, or generating reports.

We will continue working on the local system to learn about user crontab management.

The crontab command allows users to create, edit, and view their own cron jobs. Each user has their own crontab file.

To edit your crontab file, use the crontab -e command. This will open your crontab file in the default text editor (usually vim).

crontab -e

Vim editor instructions:

• Press i to enter insert mode (you'll see -- INSERT -- at the bottom)

• Use arrow keys to navigate

• To save and exit: Press Esc to exit insert mode, then type :wq and press Enter

• To exit without saving: Press Esc, then type :q! and press Enter

Inside the editor, you will add a new line to define your cron job. A cron entry has five time-and-date fields, followed by the command to be executed. The fields are:

• Minute (0-59)

• Hour (0-23)

• Day of Month (1-31)

• Month (1-12)

• Day of Week (0-7, where 0 or 7 is Sunday)

You can use * as a wildcard to mean "every" for a field, or / to specify step values (for example, */5 for every 5 minutes).

Let's schedule a job that appends the current date and time to a file named ~/my_cron_log.txt every minute. This will allow us to quickly observe the cron job in action.

Follow these steps in Vim:

1. Press i to enter insert mode

2. Add the following line to the crontab file:

* * * * * /usr/bin/date >> ~/my_cron_log.txt

3. Press Esc to exit insert mode

4. Type :wq and press Enter to save and exit

You should see a message indicating that a new crontab has been installed:

crontab: installing new crontab

To verify that your cron job has been successfully added, you can list your crontab entries using the crontab -l command:

crontab -l

You should see the line you just added:

* * * * * /usr/bin/date >> ~/my_cron_log.txt

Now, wait for a minute or two to allow the cron job to execute at least once. You can check the current time to see when the next minute mark will occur:

date

After waiting for at least two minutes to allow the cron job to execute a couple of times, check the content of the ~/my_cron_log.txt file.

cat ~/my_cron_log.txt

You should see one or more lines, each containing a date and time, indicating that your cron job has executed.

Mon Apr 8 10:30:01 AM EDT 2025
Mon Apr 8 10:31:01 AM EDT 2025

How to Manage User 'crontab' Entries

Now you will learn more advanced techniques for managing user crontab entries, including editing existing jobs, adding multiple jobs, and understanding special cron strings. Effective crontab management is crucial for automating routine tasks.

We will continue working on the local system to explore advanced crontab management techniques.

Let's start by adding a new cron job. This job will append "Hello from cron!" to ~/cron_messages.txt every two minutes.

Open your crontab for editing:

crontab -e

In Vim:

1. Press i to enter insert mode

2. Add the following line to the crontab file:

*/2 * * * * echo "Hello from cron!" >> ~/cron_messages.txt

3. Press Esc to exit insert mode

4. Type :wq and press Enter to save and exit

Verify that the entry is added:

crontab -l

You should see the newly added line.

Now, let's add another cron job that runs daily at 08:00 AM. This job will record the disk usage of your home directory to ~/disk_usage.log.

Open your crontab for editing again:

crontab -e

In Vim:

1. Press i to enter insert mode

2. Add the following line below the previous one:

0 8 * * * du -sh ~ >> ~/disk_usage.log

3. Press Esc to exit insert mode

4. Type :wq and press Enter to save and exit

Verify that both entries are present:

crontab -l

You should now see both cron jobs listed.

cron also supports special strings that can simplify common schedules. These include @reboot, @yearly, @annually, @monthly, @weekly, @daily, @midnight, and @hourly. For example, @hourly is equivalent to 0 * * * *.

Let's add a job that runs hourly and records the system uptime to ~/uptime_log.txt.

Open your crontab for editing:

crontab -e

In Vim:

1. Press i to enter insert mode

2. Add the following line:

@hourly uptime >> ~/uptime_log.txt

3. Press Esc to exit insert mode

4. Type :wq and press Enter to save and exit

Verify all three entries:

crontab -l

You should now see all three cron jobs.

To demonstrate the effect of these jobs, we will wait for a short period. Since the jobs are scheduled at different intervals, we won't see all of them execute immediately, but we can verify the setup.

Wait for at least 3 minutes to allow the */2 job to run at least once.

Check the ~/cron_messages.txt file:

cat ~/cron_messages.txt

You should see at least one "Hello from cron!" message.

Hello from cron!

The ~/disk_usage.log and ~/uptime_log.txt files might not be created yet, depending on the current time, as they are scheduled for daily and hourly execution, respectively. The important part is that their entries are correctly configured in your crontab.

How to Schedule Recurring System Jobs with cron Directories

In this step, you will learn how to schedule recurring system-wide tasks using cron directories. Unlike user crontab entries, which are specific to a user, system cron jobs are managed by the root user and affect the entire system. These are typically used for system maintenance, log rotation, and other administrative tasks.

We will continue working on the local system to explore system-wide cron job configuration.

System-wide cron jobs are defined in /etc/crontab or by placing scripts in specific directories:

• /etc/cron.hourly/: Scripts in this directory run once an hour.

• /etc/cron.daily/: Scripts in this directory run once a day.

• /etc/cron.weekly/: Scripts in this directory run once a week.

• /etc/cron.monthly/: Scripts in this directory run once a month.

These directories are processed by the run-parts utility, which executes all executable files within them.

To manage system cron jobs, you need root privileges. Since the labex user has sudo access, we can use sudo for the required commands.

Let's create a simple script that logs a message to the system log. We will place this script in /etc/cron.hourly/ to make it run hourly.

First, create the script file /etc/cron.hourly/my_hourly_script:

sudo nano /etc/cron.hourly/my_hourly_script

Add the following content to the file:

#!/bin/bash
logger "Hourly cron job executed at $(date)"

Save and exit the editor (Ctrl+o, Enter, Ctrl+x in nano).

Next, you need to make the script executable. Without execute permissions, run-parts will ignore it.

sudo chmod +x /etc/cron.hourly/my_hourly_script

Now, let's verify that the script is executable:

ls -l /etc/cron.hourly/my_hourly_script

You should see x in the permissions, for example: -rwxr-xr-x.

Since cron.hourly jobs run once an hour, we can't wait for a full hour to verify its execution in this tutorial. But we can manually trigger the run-parts command for the hourly directory to simulate its execution.

sudo run-parts /etc/cron.hourly/

This command will execute all executable scripts in /etc/cron.hourly/. The script we created uses the logger command to write messages to the system log.

In a real RHEL system, you would be able to check the system logs using journalctl or /var/log/messages to verify that the script executed successfully.

This completes the system cron job management step. The script will remain in place and would execute hourly in a real system environment.

How to Configure systemd Timers for Recurring Tasks

Next, you will learn about systemd timers, which are a modern alternative to cron for scheduling tasks on Linux systems. systemd timers offer more flexibility and better integration with the systemd ecosystem.

systemd timers work in conjunction with systemd service units. A timer unit (.timer file) defines when a task should run, and a service unit (.service file) defines what task should be executed.

We will continue working on the local system to explore systemd timer configuration.

You will need root privileges to create systemd unit files in system directories. Since the labex user has sudo access, we can use sudo for the required commands.

Let's create a simple service that logs a message to a file. We will place this service unit file in /etc/systemd/system/ which is where custom service units are typically stored.

Create the service unit file /etc/systemd/system/my-custom-task.service:

sudo nano /etc/systemd/system/my-custom-task.service

Add the following content to the file:

[Unit]
Description=My Custom Scheduled Task

[Service]
Type=oneshot
ExecStart=/bin/bash -c 'echo "My custom task executed at $(date)" >> /var/log/my-custom-task.log'

Save and exit the editor (Ctrl+o, Enter, Ctrl+x in nano).

Next, create the timer unit file /etc/systemd/system/my-custom-task.timer. This timer will activate our service every 5 minutes.

sudo nano /etc/systemd/system/my-custom-task.timer

Add the following content to the file:

[Unit]
Description=Run My Custom Scheduled Task every 5 minutes

[Timer]
OnCalendar=*:0/5
Persistent=true

[Install]
WantedBy=timers.target

Save and exit the editor.

Explanation of OnCalendar:

• *:0/5 means "every 5 minutes".

  • * for year, month, day, hour (any value).

  • 0/5 for minute, meaning starting at minute 0, every 5 minutes (0, 5, 10, ..., 55).

In a typical systemd environment, you would now run systemctl daemon-reload to make systemd aware of the new unit files, and then systemctl enable --now my-custom-task.timer to start the timer.

Let's verify the existence of the created files:

ls -l /etc/systemd/system/my-custom-task.service
ls -l /etc/systemd/system/my-custom-task.timer

You should see output indicating that both files exist.

To simulate the execution of the service, you can manually run the command defined in ExecStart:

sudo /bin/bash -c 'echo "My custom task executed at $(date)" >> /var/log/my-custom-task.log'

Now, check the log file to see the output:

sudo cat /var/log/my-custom-task.log

You should see the message you just logged:

My custom task executed at Tue Jun 10 06:54:40 UTC 2025

This completes the systemd timer configuration step. The service and timer unit files will remain in place for reference.

How to Manage Temporary Files with systemd-tmpfiles

Now you’ll learn how to manage temporary files and directories using systemd-tmpfiles. This utility is part of systemd and is responsible for creating, deleting, and cleaning up volatile and temporary files and directories. It's commonly used to manage /tmp, /var/tmp, and other temporary storage locations, ensuring that old files are removed periodically.

We will continue working on the local system to explore systemd-tmpfiles configuration.

You will need root privileges to configure systemd-tmpfiles. Since the labex user has sudo access, we can use sudo for the required commands.

systemd-tmpfiles reads configuration files from /etc/tmpfiles.d/ and /usr/lib/tmpfiles.d/. These files define rules for creating, deleting, and managing files and directories.

Let's create a custom configuration file to manage a new temporary directory. We will create a directory /run/my_temp_dir and configure systemd-tmpfiles to clean files older than 1 minute from it.

Create the configuration file /etc/tmpfiles.d/my_temp_dir.conf:

sudo nano /etc/tmpfiles.d/my_temp_dir.conf

Add the following content to the file:

d /run/my_temp_dir 0755 labex labex 1m

Explanation of the line:

• d: Specifies that this entry defines a directory.

• /run/my_temp_dir: The path to the directory.

• 0755: The permissions for the directory.

• labex labex: The owner and group for the directory.

• 1m: The age after which files in this directory should be deleted (1 minute).

Save and exit the editor (Ctrl+o, Enter, Ctrl+x in nano).

Now, let's tell systemd-tmpfiles to apply this configuration. The --create option will create the directory if it doesn't exist.

sudo systemd-tmpfiles --create /etc/tmpfiles.d/my_temp_dir.conf

Verify that the directory has been created with the correct permissions and ownership:

ls -ld /run/my_temp_dir

You should see output similar to:

drwxr-xr-x 2 labex labex 6 Jun 10 06:55 /run/my_temp_dir

Next, let's create a test file inside this new temporary directory:

sudo touch /run/my_temp_dir/test_file.txt

Verify the file exists:

ls -l /run/my_temp_dir/test_file.txt

Now, we need to wait for more than 1 minute for the file to become "old" according to our configuration. Wait for at least 70 seconds (1 minute and 10 seconds).

After waiting for more than 1 minute, we will manually run systemd-tmpfiles with the --clean option to trigger the cleanup process based on our configuration.

sudo systemd-tmpfiles --clean /etc/tmpfiles.d/my_temp_dir.conf

Finally, check if the test_file.txt has been removed:

ls -l /run/my_temp_dir/test_file.txt

You should get a "No such file or directory" error, indicating that systemd-tmpfiles successfully cleaned up the old file.

This completes configuring the systemd-tmpfiles. The configuration file and temporary directory will remain in place for reference.

Summary

In this tutorial, you learned how to schedule and manage one-time tasks using the at command, including scheduling jobs interactively and non-interactively, viewing the at queue with atq, and deleting pending jobs with atrm. You also learned how to schedule recurring user-specific tasks using crontab, including how to edit, list, and remove cron jobs, and you learned the cron syntax for specifying execution times.

We also demonstrated how to schedule system-wide recurring tasks by placing scripts in standard cron directories (/etc/cron.hourly, /etc/cron.daily, etc.) and how to create custom cron jobs in /etc/cron.d.

Finally, you explored advanced task scheduling with systemd timers, learning to create and enable service and timer units for recurring tasks, and how to manage temporary files and directories using systemd-tmpfiles for automated cleanup.

This comprehensive tutorial provided practical experience in managing diverse task scheduling needs on RHEL systems, from simple one-off commands to complex recurring system processes.

To practice the operations from this tutorial, try the interactive hands-on lab: Schedule Tasks in Red Hat Enterprise Linux.

You can use Wireshark in scenarios like troubleshooting network performance issues (for example, slow connections or dropped packets), investigating suspicious activity (like detecting malware or unauthorized access), or learning how protocols like HTTP, TCP, or DNS function in real-world environments.

For beginners, think of it as a window into the invisible world of network communication, revealing what’s happening behind the scenes when you browse the web, send an email, or stream a video. Its power lies in its ability to provide granular insights, making it an indispensable tool for network administrators, cybersecurity enthusiasts, and anyone curious about how networks operate.

In this tutorial, you will learn how to use Wireshark display filters to analyze network traffic and spot potential security threats. Wireshark is a powerful network protocol analyzer that can capture and dissect network packets, which is crucial for cybersecurity professionals.

Here’s what we’ll cover:

• How to Start Wireshark and Analyze Network Traffic

• How to Work with Network Capture Files

• Understanding the Wireshark Interface

• Understanding and Applying Basic Display Filters

• Advanced Filtering Techniques

• Analyzing Security-Related Traffic

• Analyzing Sample Traffic and Generating New Traffic

Prerequisites

Before we start, you'll need to know Linux Basic Syntax. You can learn it through this Linux Skill Tree.

Don't worry if you're new to Wireshark – I’ll explain everything as we go.

How to Start Wireshark and Analyze Network Traffic

In this step, we're going to start using Wireshark. First, you'll learn how to launch it. Then, you'll either capture network traffic or use a provided sample file for analysis. Understanding the Wireshark interface is crucial, as it helps you view and analyze packet data.

Installing Wireshark on Ubuntu 22.04

Before you can start using Wireshark, you need to install it. Open a terminal window and run the following commands:

sudo apt update
sudo apt install wireshark -y

Launching Wireshark

To start Wireshark, you need to open a terminal window. You can do this by clicking on the terminal icon in the taskbar or by pressing Ctrl+Alt+T. Once the terminal is open, you'll use a command to start Wireshark. In the terminal, type the following command and press Enter:

wireshark

This command tells your system to start the Wireshark application. After a few seconds, Wireshark will open. You should see a window similar to the one shown below:

How to Work with Network Capture Files

For this part of the tutorial, you have two options:

Option 1: Use the Provided Sample File

# Download a sample packet capture file with mixed traffic
wget -q https://s3.amazonaws.com/tcpreplay-pcap-files/smallFlows.pcap -O /home/labex/project/sample.pcapng

# Make sure the user has access to the file
chmod 644 /home/labex/project/sample.pcapng

I’ve prepared a sample capture file for you at /home/labex/project/sample.pcapng. This file contains a variety of network traffic that you can analyze.

To open this file:

1. In Wireshark, go to File > Open

2. Navigate to /home/labex/project/sample.pcapng

3. Click "Open"

The file will load in Wireshark, showing various packets that have been captured previously.

Option 2: Capture Your Own Traffic

If you prefer to capture your own traffic:

1. In the Wireshark main window, look for the list of available network interfaces.

2. Find the eth1 interface. In this lab environment, eth1 is the main network interface we'll use for capturing packets.

3. Double-click on eth1. This action immediately starts the packet capture process.

4. Generate some network traffic by opening a new terminal and running:

    curl www.google.com
   

5. Once you've captured enough packets (aim for at least 20-30 packets), click the red square "Stop" button in the Wireshark toolbar.

Understanding the Wireshark Interface

The Wireshark interface is divided into three main panels, each with a specific purpose:

1. Packet List (top panel): This panel shows all the packets that have been captured in the order they were received. It gives you a quick overview of the captured traffic.

2. Packet Details (middle panel): When you select a packet in the top panel, this middle panel shows the details of that packet in a hierarchical format. It breaks down the packet's structure, showing information like the source and destination IP addresses, protocol types, and more.

3. Packet Bytes (bottom panel): This panel displays the raw bytes of the selected packet in hexadecimal format. It's useful for in-depth analysis, especially when you need to look at the exact data being transmitted.

To see how these panels work together, click on different packets in the top panel. You'll see the corresponding details and raw bytes update in the middle and bottom panels.

Understanding and Applying Basic Display Filters

In this step, we're going to explore display filters in Wireshark. Display filters are essential tools when it comes to analyzing network traffic. They help you focus on specific types of packets instead of having to sift through all the captured data.

By the end of this section, you'll know what display filters are, why they're useful, and how to apply basic ones to isolate specific types of network traffic.

What Are Display Filters?

When you're analyzing network traffic, looking at every single captured packet can be overwhelming. You usually want to focus on specific types of packets. That's where Wireshark display filters come in. They allow you to show only the packets that meet certain criteria. This makes the analysis process much more efficient because you're not wasting time on irrelevant data.

Display filters in Wireshark use a special syntax. This syntax enables you to filter packets based on various attributes such as protocols, IP addresses, ports, and even the content of the packets. Understanding this syntax is key to effectively using display filters.

Filter Toolbar

Take a look at the top of the Wireshark window. You'll notice a text field. It might be labeled "Apply a display filter..." or simply show "Expression...". This is the place where you'll enter your display filters. Once you enter a filter and press Enter, Wireshark will use that filter to show only the relevant packets.

Basic Protocol Filters

Let's start with a simple example. Suppose you want to view only HTTP traffic. HTTP is the protocol used for web browsing. To do this, you'll enter a filter in the filter toolbar. Type the following filter and then press Enter:

http

After you apply this filter, Wireshark will only display HTTP packets. All other packets will be temporarily hidden. You'll notice that the filter bar turns green when you apply a valid filter. This is a visual indication that your filter is working correctly.

The output should now show only packets related to HTTP traffic. This typically includes web requests (when you ask a website for information) and responses (when the website sends you the information). If you don't see any HTTP traffic in the sample file, you can try different protocols that might be present, such as TCP, UDP, or DNS:

tcp

Or try generating more HTTP traffic by running the curl command in a terminal:

curl www.google.com

IP Address Filters

Next, let's filter traffic based on IP addresses. An IP address is like a unique identifier for a device on a network. First, look at your packet list. You'll see columns labeled "Source" and "Destination". These columns show the IP addresses of the devices sending and receiving the packets.

Once you've identified an IP address that appears frequently in your capture (for example, let's say you see 192.168.1.1), you can use it to create a filter. Type the following filter in the filter toolbar to see only packets from that source:

ip.src == 192.168.3.131

You can replace 192.168.3.131 with an IP address that you actually see in your capture. After applying this filter, only packets with that source IP address will be shown.

If you want to see all the packets again, you can clear the current filter. Just click the "Clear" button (X) on the right side of the filter bar.

Port Filters

Many network services operate on specific ports. A port is like a door on a device that allows specific types of network traffic to enter or leave. For example, HTTP typically uses port 80.

To filter packets by port number, you can use the following filter:

tcp.port == 80

This filter will show both incoming and outgoing packets that use TCP port 80. You might also try other common ports like 443 (HTTPS) or 53 (DNS) depending on what's available in your capture.

Combining Filters

You can make your filters more powerful by combining them using logical operators like and and or. For example, if you want to show only HTTP traffic that uses port 80, you can use the following filter:

http and tcp.port == 80

Try applying different combinations of filters and observe how the displayed packets change. Remember, before trying a new filter, you can either clear the previous one by clicking the "Clear" button or modify the existing filter directly in the filter bar to build upon it.

Advanced Filtering Techniques

In this part, we'll explore how to create more sophisticated filters for detailed network traffic analysis. As a beginner, you might wonder why we need advanced filtering. Well, in real-world scenarios, network capture files can be extremely large, filled with all kinds of traffic. Advanced filtering techniques are like a powerful magnifying glass for security professionals. They help us quickly pick out the suspicious or important traffic from the sea of data in these large capture files.

Complex Filters with Multiple Conditions

Wireshark gives you the ability to build complex filters by combining multiple conditions. This is very useful when you want to be more precise in your traffic analysis. Let's start by creating a filter to find HTTP GET requests.

http.request.method == "GET"

This filter is designed to display only HTTP packets that contain GET requests. When you apply this filter, you'll see packets that are requests sent to web servers. The reason we use this filter is that GET requests are a common type of HTTP request used to retrieve data from a server. By isolating these requests, we can focus on the data retrieval activities in the network.

If your sample file doesn't contain HTTP GET requests, try this alternative filter to find TCP SYN packets which indicate connection attempts:

tcp.flags.syn == 1

Now, let's make our filter more specific. We'll add a port condition:

tcp.port == 80 and http.request.method == "GET"

This new filter shows only HTTP GET requests that occur on the standard HTTP port (80). The standard HTTP port is widely used for unencrypted web traffic. By adding this port condition, we're narrowing down our search to only those GET requests that are using the typical HTTP communication channel.

Filtering Based on Packet Size

Network attacks often involve packets with unusual sizes. Attackers might use large or small packets to hide malicious data or to disrupt the normal functioning of the network. To filter based on packet size, we use a specific syntax:

tcp.len >= 100 and tcp.len <= 500

This filter displays TCP packets with a payload length between 100 and 500 bytes. You can adjust these values according to your needs. For example, if you suspect that an attack involves larger packets, you can increase the upper limit. By filtering based on packet size, we can identify abnormal traffic patterns that might indicate an attack.

Filtering Based on Specific Content

You can also filter traffic based on specific content within packets. This is very useful when you're looking for traffic related to a particular website or service. For example, let's find HTTP traffic related to a specific website.

http.host contains "google"

This filter shows only HTTP traffic where the host header contains "google". You can replace "google" with any domain you're interested in analyzing. The host header in an HTTP request tells the server which website the client is trying to access. By filtering based on the host header, we can focus on the traffic related to a specific domain.

If your sample file doesn't have HTTP traffic with host headers, try this more general content filter:

frame contains "http"

Using the "contains" Operator for Text Searching

The contains operator is a handy tool for searching for specific text strings in packets. It allows us to look for certain keywords within the packet data.

frame contains "password"

This filter shows packets containing the word "password" anywhere in the packet data. This can be very helpful for detecting possible security issues. For example, if passwords are being sent in clear text (which is a big security risk), this filter can help us spot those packets.

Or try this filter:

frame contains "login"

Negating Filters

Sometimes, you might want to see all the traffic except for certain types. That's where the not operator comes in.

not arp

This filter hides all ARP packets. ARP (Address Resolution Protocol) is used to map IP addresses to MAC addresses in a local network. Sometimes, ARP traffic can be very common and might clutter your analysis. By using the not operator, you can exclude this type of traffic and focus on other more relevant packets.

Saving and Applying Filter Bookmarks

If you find yourself using certain filters frequently, you don't have to type them in every time. You can save them as bookmarks. Here's how:

1. Enter a filter in the filter bar. This is where you type in the filter expressions we've been learning about.

2. Click the "+" button on the right side of the filter bar. This button is used to save the current filter as a bookmark.

3. Give your filter a name and click "OK". Naming the filter makes it easy to identify later.

Once you've saved your filter, you can apply it by clicking on its name in the filter dropdown menu. This saves you time and effort, especially when you're doing repeated analysis.

Exporting Filtered Packets

After you've filtered your traffic to show only the packets of interest, you might want to save just these packets to a new file. This is useful for sharing specific findings with colleagues or for further analysis. Here's how you do it:

1. Apply your desired filter. Make sure you've set up the filter to show only the packets you want to save.

2. Click on File > Export Specified Packets. This option allows you to export a specific set of packets.

3. Make sure "Displayed" is selected in the Packet Range section. This ensures that only the packets that are currently visible (that is, the ones that match your filter) are exported.

4. Choose a filename and location. This is where you decide where to save the new capture file and what to name it.

5. Click "Save". This creates a new capture file containing only the packets that matched your filter.

Analyzing Security-Related Traffic

In this step, we're going to focus on using Wireshark filters for security analysis. Security analysis is crucial in the world of cybersecurity as it helps us spot potentially malicious activities in network traffic. By the end of this section, you'll be able to identify various types of security threats using specific Wireshark filters.

Identifying Port Scanning Activities

Port scanning is a common technique used by attackers to gather information about a target system. Attackers use it to find open ports on a network, which they can then exploit.

To detect potential port scanning, we look for a large number of connection attempts from a single source to multiple ports.

Let's use a specific filter to identify such activities. Try this filter in Wireshark:

tcp.flags.syn == 1 and tcp.flags.ack == 0

This filter shows SYN packets without the ACK flag. In a TCP connection, the SYN packet is the first one sent to initiate a connection, and the ACK packet is used to acknowledge the connection. When we see a lot of SYN packets without ACK from one source to different destination ports, it's a strong indication of port scanning.

Detecting Suspicious DNS Traffic

DNS tunneling and other DNS-based attacks are becoming more common. These attacks use the DNS protocol to hide malicious activities, such as data exfiltration or command and control communication. To detect such attacks, we need to look for unusual DNS traffic.

Use this filter to examine DNS queries:

dns

Once you apply this filter, look for unusually long domain names or a high volume of DNS requests to the same domain. These could be signs of data exfiltration or command and control communication.

Identifying Password Brute Force Attempts

Password brute force attacks are a common way for attackers to gain unauthorized access to services like SSH or FTP. In a brute force attack, the attacker tries multiple password combinations until they find the correct one.

To detect potential brute force password attempts, we can filter for failed login attempts. Use this filter:

ftp contains "530" or ssh contains "Failed"

This filter shows FTP and SSH packets that contain common failure response messages. If you see multiple failures from the same source, it may indicate a brute force attempt.

Analyzing HTTP Error Responses

Web application attacks often generate HTTP error responses. Attackers may try to exploit vulnerabilities in web applications, and these attempts can result in error responses from the server.

Filter for these error responses with:

http.response.code >= 400

This filter shows HTTP response packets with status codes of 400 or higher. All these status codes represent error responses. By examining these packets, we can identify attempted web exploits.

Finding Clear-Text Credentials

Transmitting credentials in clear text is a major security risk. If an attacker intercepts these credentials, they can gain unauthorized access to the system.

To detect clear-text credentials, use this filter:

http contains "user" or http contains "pass" or http contains "login"

This filter helps us find HTTP traffic that might contain login information. Carefully examine the packets that match this filter to identify potential security risks.

Analyzing Sample Traffic and Generating New Traffic

Now that you've learned various security-focused filters, it's time to put your knowledge into practice. You can either analyze the provided sample file or generate and analyze new traffic.

Analyzing the Sample File

If you're using the provided sample file (/home/labex/project/sample.pcapng), try applying some of the security filters we've discussed to identify any interesting patterns:

tcp.flags.syn == 1 and tcp.flags.ack == 0

Look for patterns that might indicate scanning, suspicious connections, or other security concerns.

Generating and Analyzing New Traffic

Alternatively, open a new terminal window. In this window, we'll generate some HTTP traffic with multiple requests. Run the following commands:

for i in {1..5}; do
  curl -I www.google.com
  sleep 1
done

These commands send five HTTP HEAD requests to www.google.com with a one-second interval between each request.

Next, go to Wireshark and apply this filter to find all HTTP requests:

http.request

This filter will show all the HTTP requests in the captured traffic.

Look through these packets to identify patterns of normal HTTP traffic. Notice the headers, the frequency of requests, and other details.

Finally, try to create a filter that can distinguish normal HTTP browsing from automated scanning tools. For example:

http.request and !(http.user_agent contains "Mozilla")

This filter shows HTTP requests that don't have browser user agents. Since most normal web browsing is done using browsers with Mozilla in the user agent, requests without it might indicate automated tools rather than normal browsing.

By practicing these security-focused filtering techniques, you'll develop the skills needed to quickly identify suspicious traffic in real-world network captures.

Conclusion

In this tutorial, you have learned how to use Wireshark display filters for network traffic analysis and potential security threat identification.

You began by either working with a provided sample capture file or capturing live network traffic and familiarizing yourself with the Wireshark interface. Then, you mastered basic display filters to isolate specific traffic types according to protocols, IP addresses, and ports. You also advanced your skills with complex filtering techniques, combining multiple conditions and searching for specific content. Finally, you applied these skills in security analysis scenarios to detect suspicious activities such as port scanning, credential exposure, and potential attacks.

These Wireshark filtering skills are crucial for efficient network troubleshooting and security analysis. By quickly isolating relevant packets from large captures, you can greatly reduce the time required to identify and respond to network issues and security incidents.

As you keep practicing with Wireshark, you will gain an intuitive understanding of network protocols and traffic patterns, enhancing your overall cybersecurity capabilities.

To practice the operations from this tutorial, try the interactive hands-on lab: Analyze Network Traffic with Wireshark Display Filters

We’ll start with basic message transmission. Then you'll progress to creating a file transfer system, and you’ll ultimately develop a secure chat application with encryption.

Here’s what we’ll cover:

• Prerequisites

• Install Netcat

• Your First Network Connection

• How to Build a Simple File Transfer Tool

• How to Create a Secure Chat System

• Conclusion

• Practice Your Skills

Prerequisites

Before we start, you'll need:

• A Linux-based system: I recommend Ubuntu. Alternatively, you can use the Online Linux Terminal if you don't have Linux installed.

• Basic terminal knowledge (how to use cd and ls)

Don't worry if you're new to networking - I’ll explain everything as we go!

Install Netcat

Netcat is like a digital "pipe" between computers – anything you put in one end comes out the other. Before we start using it, let's get it installed on your system.

Open your terminal and run these commands:

# Update your system's package list
sudo apt update

# Install Netcat
sudo apt install netcat -y

To check if the installation worked, run:

nc -h

You should see a message starting with "OpenBSD netcat". If you do, great! If not, try running the installation commands again.

Your First Network Connection

Before we dive into building tools, let's understand what a network connection actually is. Think of it like a phone call: one person needs to wait for the call (the listener), and another person needs to make the call (the connector).

In networking, we use "ports" to make these connections. You can think of ports like different phone lines – they let multiple conversations happen at the same time.

Let's try making our first connection:

1. Open a terminal window and create a listener:

nc -l 12345

What did we just do? The -l tells Netcat to "listen" for a connection, and 12345 is the port number we chose. Your terminal will look like it's frozen – that's normal! It's waiting for someone to connect.

2. Open another terminal window and connect to your listener:

nc localhost 12345

Here, localhost means "this computer" – we're connecting to ourselves for practice. If you want to connect to another computer, you can replace localhost with its IP address.

Now try typing a message (like "hi") in either window and press Enter. Cool, right? The message appears in the other window! This is exactly how basic network communication works.

To stop the connection, press Ctrl+C in both windows.

What Just Happened?

You just created your first network connection! The first terminal was like someone waiting by a phone, and the second terminal was like someone calling that phone. When they connected, they could send messages back and forth.

How to Build a Simple File Transfer Tool

Now that we understand basic connections, let's build something more useful: a tool to transfer files between computers.

First, let's create a test file to send:

# Create a file with some content
echo "This is my secret message" > secret.txt

To transfer this file, we'll need two terminals again, but this time we'll use them differently:

1. In the first terminal, set up the receiver:

nc -l 12345 > received_file.txt

This tells Netcat to:

• Listen for a connection (-l)

• Save whatever it receives to a file called received_file.txt (>)

2. In the second terminal, send the file:

nc localhost 12345 < secret.txt

The < tells Netcat to send the contents of our file.

3. Press Ctrl+C in both terminals to stop the transfer. Then check if it worked:

cat received_file.txt

You should see your message!

This is similar to our chat system, but instead of typing messages, we're:

1. Taking content from a file

2. Sending it through our network connection

3. Saving it to a new file on the other end

Think of it like sending a document through a fax machine!

How to Create a Secure Chat System

Our previous examples sent everything as plain text – anyone could read it if they intercepted the connection. Let's make something more secure by adding encryption.

First, let's understand what encryption does:

• It's like putting your message in a locked box

• Only someone with the right key can open it

• Even if someone sees the box, they can't read your message

We'll create two scripts: one for sending messages and one for receiving them.

1. Create the sender script:

nano secure_sender.sh

Copy this code into the file:

#!/bin/bash

echo "Secure Chat - Type your messages below"
echo "Press Ctrl+C to exit"

while true; do
  # Get the message
  read message

  # Encrypt and send it
  echo "$message" | openssl enc -aes-256-cbc -salt -base64 \
    -pbkdf2 -pass pass:chatpassword 2>/dev/null | \
    nc -N localhost 12345
done

This script will:

1. Read messages from user input.

2. Encrypt them using OpenSSL's AES-256-CBC encryption (a strong encryption standard).

3. Send the encrypted message to the specified port.

Press Ctrl+X, then Y, then Enter to save.

2. Create the receiver script:

nano secure_receiver.sh

Copy this code:

#!/bin/bash

echo "Waiting for messages..."

while true; do
  # Receive and decrypt messages
  nc -l 12345 | openssl enc -aes-256-cbc -d -salt -base64 \
    -pbkdf2 -pass pass:chatpassword 2>/dev/null
done

This script will:

1. Listen for incoming encrypted messages.

2. Decrypt them using the same encryption key.

3. Display the decrypted messages.

Save this file too.

3. Make both scripts executable:

chmod +x secure_sender.sh secure_receiver.sh

4. Try it out:

• In one terminal: ./secure_receiver.sh

• In another terminal: ./secure_sender.sh

Type a message in the sender terminal. The receiver will show your decrypted message!

Enhancing Our Chat System

Now that we have a working basic chat system, let's make it more user-friendly and informative. We'll add features like timestamps, color-coded messages, and encryption status updates. This enhanced version will help you better understand what's happening during the encryption and transmission process.

If you're comfortable with the basic version, try this improved version:

1. Create an enhanced sender script (save it as secure_sender_v2.sh):

#!/bin/bash

# Set up color codes for better visibility
GREEN='\033[0;32m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color

echo -e "${GREEN}Secure Chat Sender - Started at $(date)${NC}"
echo -e "${BLUE}Type your messages below. Press Ctrl+C to exit${NC}"
echo "----------------------------------------"

while true; do
    # Show prompt with timestamp
    echo -ne "${GREEN}[$(date +%H:%M:%S)]${NC} Your message: "

    # Get the message
    read message

    # Skip if message is empty
    if [ -z "$message" ]; then
        continue
    fi

    # Add timestamp to message
    timestamped_message="[$(date +%H:%M:%S)] $message"

    # Show encryption status
    echo -e "${BLUE}Encrypting and sending message...${NC}"

    # Encrypt and send it, showing the encrypted form
    encrypted=$(echo "$timestamped_message" | openssl enc -aes-256-cbc -salt -base64 \
        -pbkdf2 -iter 10000 -pass pass:chatpassword 2>/dev/null)

    echo -e "${BLUE}Encrypted form:${NC} ${encrypted:0:50}..." # Show first 50 chars
    echo "$encrypted" | nc -N localhost 12345

    echo -e "${GREEN}Message sent successfully!${NC}"
    echo "----------------------------------------"
done

2. Create an enhanced receiver script (save as secure_receiver_v2.sh):

#!/bin/bash

# Set up color codes for better visibility
GREEN='\033[0;32m'
BLUE='\033[0;34m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

echo -e "${GREEN}Secure Chat Receiver - Started at $(date)${NC}"
echo -e "${BLUE}Waiting for messages... Press Ctrl+C to exit${NC}"
echo "----------------------------------------"

while true; do
    # Receive and show the encrypted message
    echo -e "${BLUE}Waiting for next message...${NC}"

    encrypted=$(nc -l 12345)

    # Skip if received nothing
    if [ -z "$encrypted" ]; then
        continue
    fi

    echo -e "${YELLOW}Received encrypted message:${NC} ${encrypted:0:50}..." # Show first 50 chars
    echo -e "${BLUE}Decrypting...${NC}"

    # Decrypt and display the message
    decrypted=$(echo "$encrypted" | openssl enc -aes-256-cbc -d -salt -base64 \
        -pbkdf2 -iter 10000 -pass pass:chatpassword 2>/dev/null)

    # Check if decryption was successful
    if [ $? -eq 0 ]; then
        echo -e "${GREEN}Decrypted message:${NC} $decrypted"
    else
        echo -e "\033[0;31mError: Failed to decrypt message${NC}"
    fi

    echo "----------------------------------------"
done

3. Make the enhanced scripts executable:

chmod +x secure_sender_v2.sh secure_receiver_v2.sh

Try running both versions to see how the additional feedback helps you better understand the encryption and communication process.

The enhanced version (v2) adds several improvements:

• Colorized output for better readability.

• Timestamps for each message.

• Status updates showing the encryption/decryption process.

• Error handling for failed decryption attempts.

• Preview of encrypted messages before sending/after receiving.

Conclusion

This tutorial taught you how to use Netcat as a versatile networking tool. We started with basic message sending, progressed to building a simple file transfer system, and then created a secure chat system with encryption.

You've gained hands-on experience with:

• Setting up network listeners and connections

• Transferring files securely between systems

• Implementing basic encryption for secure communication

• Adding user-friendly features like timestamps and status updates

The skills you've learned here form a solid foundation for understanding network communication and can be applied to more complex networking projects. To practice the operations from this tutorial, try the interactive hands-on lab.

Practice Your Skills

Now that you've learned the basics of Netcat and built a secure chat system, let's put your skills to the test with a real-world scenario. Try the "Receive Messages Using Netcat" lab challenge where you'll play the role of a junior interstellar communications analyst. Your mission: intercept and log signals from an alien civilization using your newfound Netcat knowledge.