  • Post last modified:15/10/2017

In this post, I would like to share a .PCAP file of a TACACS+ TCP stream. This file was captured in a lab environment and is for educational purposes only.

TACACS+ communication is encrypted by default, so I have included the TACACS+ key so that you can see the decrypted information.

Download link: https://blog.synack.co.uk/download/pcap-tacacs-pcap-file/

Key: Cisco123

Let me explain a little about the capture…

  • We can see the initial TCP 3-way handshake occurs from a source of with a destination port of 49 (TACACS+). The device starts by sending a SYN request to
  • Device responds with a source port of 49 to destination with a TCP SYN-ACK
  • receives the SYN-ACK and responds with an ACK


  • After the TCP 3-way handshake has finished, device sends a TACACS+ authentication request. At this stage, you can use the key to decrypt and analyse the TACACS+ communication. We can see that a user: synack has sent a login authentication request to
  • Device sends an acknowledgement and then sends a TACACS+ packet back to Once this TACACS+ message is decrypted we can see that the TACACS+ server has now asked for a password for user: synack.
  • Device sends an acknowledgement to say that it has received the request for the password.
  • Device then sends the password: Password1 back to the TACACS+ server
  • The TACACS+ server responds with an authentication passed. This means that the user: synack has now been authenticated
  • The TCP session is now torn down with the device sending a FIN-ACK
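
The decryption step mentioned above, as an added example that is not part of the original post or taken from the capture: RFC 8907 describes it as obfuscation, an MD5-chained pad built from the session ID, shared key, version and sequence number and XORed over the packet body. The sample packet, its session ID and the port name `tty1` are constructed for illustration; only the user name and key come from the post.

```python
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # RFC 8907: body is sent in the clear when set

def pseudo_pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5-chained pad: MD5(seed), then MD5(seed + previous digest), truncated to length."""
    seed = session_id + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]

def xor_body(packet: bytes, key: bytes) -> bytes:
    """Return the body with obfuscation applied or removed (the XOR is symmetric)."""
    version, _type, seq_no, flags, session_id, length = struct.unpack("!BBBB4sI", packet[:12])
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body  # nothing to undo
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    return bytes(b ^ p for b, p in zip(body, pad))

def parse_authen_start(body: bytes) -> dict:
    """Decode the fixed fields and the user/port strings of an authentication START body."""
    action, priv, _atype, _service, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    if 8 + ulen + plen + rlen + dlen != len(body):
        # Typical symptom of a wrong shared key: the length fields decode to garbage.
        raise ValueError("length fields do not match body: wrong key or corrupt packet")
    user = body[8:8 + ulen].decode("ascii")
    port = body[8 + ulen:8 + ulen + plen].decode("ascii")
    return {"action": action, "priv_lvl": priv, "user": user, "port": port}

def build_sample(key: bytes) -> bytes:
    """Constructed packet (not from the capture): login START for user 'synack' on 'tty1'."""
    clear = bytes([1, 1, 1, 1, 6, 4, 0, 0]) + b"synack" + b"tty1"
    header = struct.pack("!BBBB4sI", 0xC0, 1, 1, 0, b"\x12\x34\x56\x78", len(clear))
    return header + xor_body(header + clear, key)

if __name__ == "__main__":
    pkt = build_sample(b"Cisco123")
    print(parse_authen_start(xor_body(pkt, b"Cisco123")))
```

Because the pad depends only on values in the packet header plus the shared key, anyone holding the key and a capture can read every body in the session, including the password reply.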



Kelvin is a Cyber Security professional with years of experience working with organisations in different verticals, both large and small. He enjoys contributing to the Network Wizkid knowledge base and he also creates technical content. Kelvin enjoys learning new things and often does this by working on achieving new technical certifications. He holds many professional certifications and, academically, he has achieved Bachelor's and Master's degrees in both Computer Networks and Cyber Security.
