
A Tcpdump Tutorial Together With Primer Amongst Examples

Why tcpdump?

tcpdump is the premier network analysis tool for information security professionals. Having a solid grasp of this extremely powerful application is mandatory for anyone wanting a thorough understanding of TCP/IP. Many prefer to use higher-level analysis tools such as Wireshark, but I believe this is usually a mistake.
When you use a tool that displays network traffic in a more natural (raw) way, the burden of analysis is placed directly on the human rather than on the application. This approach cultivates a continued and elevated understanding of the TCP/IP suite, and for this reason I strongly advocate using tcpdump instead of other tools whenever possible.
15:31:34.079416 IP (tos 0x0, ttl 64, id 20244, offset 0, flags [DF], proto: TCP (6), length: 60) source.35970 > dest.80: S, cksum 0x0ac1 (correct), 2647022145:2647022145(0) win 5840
        0x0000:  4500 003c 4f14 4000 4006 7417 0afb 0257  E..<O.@.@.t....W
        0x0010:  4815 222a 8c82 0050 9dc6 5a41 0000 0000  H."*...P..ZA....
        0x0020:  a002 16d0 0ac1 0000 0204 05b4 0402 080a  ................
        0x0030:  14b4 1555 0000 0000 0103 0302            ...U........
TABLE 1. — Raw TCP/IP Output.
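To show what the summary line in Table 1 is summarizing, here is an added example in Python (mine, not part of the original tutorial) that decodes that packet byte by byte: it parses the IPv4 and TCP headers, verifies both checksums the way tcpdump's "(correct)" annotation does, and decodes the TCP options. The hex is the Table 1 dump; its first line lost one 16-bit word in extraction, and that word is restored here as 0x4000, which is exactly what "flags [DF], offset 0" encodes.

```python
import struct

# Bytes of the SYN packet in Table 1. The missing word of the 0x0000 line is
# restored as 0x4000 (DF set, fragment offset 0), as the summary line states.
TABLE1_PACKET = bytes.fromhex(
    ("4500 003c 4f14 4000 4006 7417 0afb 0257"
     "4815 222a 8c82 0050 9dc6 5a41 0000 0000"
     "a002 16d0 0ac1 0000 0204 05b4 0402 080a"
     "14b4 1555 0000 0000 0103 0302").replace(" ", "")
)

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, carries folded back in,
    then complemented. Over data that already contains a valid checksum the
    result is 0, which is how a receiver verifies it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tcp_options(opts: bytes) -> list:
    """Decode the option kinds tcpdump prints in angle brackets."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # nop (single byte, no length)
            out.append("nop")
            i += 1
            continue
        length = opts[i + 1]
        if length < 2:                      # malformed: avoid looping forever
            break
        body = opts[i + 2:i + length]
        if kind == 2:
            out.append("mss %d" % struct.unpack("!H", body))
        elif kind == 3:
            out.append("wscale %d" % body[0])
        elif kind == 4:
            out.append("sackOK")
        elif kind == 8:
            out.append("timestamp %d %d" % struct.unpack("!II", body))
        else:
            out.append("opt-%d" % kind)
        i += length
    return out


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Parse an IPv4 packet carrying TCP and verify both checksums."""
    (ver_ihl, tos, total_len, ident, frag, ttl, proto, _ipsum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4               # IHL is counted in 32-bit words
    ip_hdr, tcp = pkt[:ihl], pkt[ihl:total_len]
    (sport, dport, seq, ack, off_res, flags, win,
     _tcpsum, urg) = struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (off_res >> 4) * 4                # TCP header length, also in words
    # The TCP checksum also covers a pseudo-header: addresses, zero, protocol, TCP length.
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "tos": tos, "ttl": ttl, "id": ident, "total_length": total_len,
        "df": bool(frag & 0x4000), "mf": bool(frag & 0x2000), "frag_offset": frag & 0x1FFF,
        "proto": proto, "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ip_checksum_ok": internet_checksum(ip_hdr) == 0,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win, "urg": urg,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "tcp_header_len": doff,
        "tcp_checksum_ok": internet_checksum(pseudo + tcp) == 0,
        "options": parse_tcp_options(tcp[20:doff]),
        "payload": tcp[doff:],
    }


if __name__ == "__main__":
    for k, v in parse_ipv4_tcp(TABLE1_PACKET).items():
        print("%-16s %r" % (k, v))
```

Run it and compare with the summary line: ttl 64, id 20244, DF, length 60, ports 35970 and 80, sequence number 2647022145 and window 5840 all come straight out of the bytes, and the options decode to the mss/sackOK/timestamp/nop/wscale list that tcpdump prints after the window.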

Basics

Below are a few options you can use when running tcpdump. They're easy to forget and/or confuse with other types of filters, e.g., Wireshark's, so hopefully this page can serve as a reference for you, as it does for me. Here are the main ones I like to keep in mind depending on what I'm looking at.

Options

  • -i any : Listen on all interfaces, just to see if you're seeing any traffic (Linux only; uses the cooked capture format, so no Ethernet headers).
  • -i eth0 : Listen on the eth0 interface.
  • -D : Show the list of available interfaces.
  • -n : Don't resolve hostnames.
  • -nn : Don't resolve hostnames or port names (current versions already skip both with a single -n; -nn is harmless).
  • -q : Be less verbose (more quiet) with your output, showing less protocol information.
  • -t : Don't print a timestamp on each line (-tt prints an epoch timestamp, -ttt the delta between lines).
  • -tttt : Print the timestamp as a full date and time, the most human-readable form.
  • -X : Show the packet's contents in both hex and ASCII.
  • -XX : Same as -X, but also shows the Ethernet header.
  • -v, -vv, -vvv : Increase the amount of packet information you get back.
  • -c : Only get x number of packets and then stop.
  • -s : Define the snaplength (size) of the capture in bytes. Use -s 0 to get everything, unless you are intentionally capturing less.
  • -S : Print absolute sequence numbers.
  • -e : Get the Ethernet header as well.
  • -E : Decrypt IPsec ESP traffic by providing the SPI, algorithm and key (-E spi@ipaddr algo:secret).
[ The default snaplength as of tcpdump 4.0 changed from 68 bytes to 96 bytes. While this gives you more of each packet to see, it still won't get everything. Use -s 1514 or -s 0 to get full coverage. Current versions default to 262144 bytes, which is enough for whole packets on ordinary links, but being explicit with -s 0 is still the safe choice when writing captures for later analysis, since a truncated capture cannot be repaired afterwards. ]

Expressions

In tcpdump, expressions let you trim out various types of traffic and find exactly what you're looking for. Mastering the expressions and learning to combine them creatively is what makes one truly powerful with tcpdump.
There are three main types of qualifier in an expression: type, dir, and proto.
  • Type qualifiers are host, net, and port (plus portrange).
  • Direction qualifiers let you do src, dst, and combinations thereof such as src or dst.
  • Proto(col) qualifiers let you designate tcp, udp, icmp, ah, and many more.

Examples

So, now that we've seen what our options are, let's look at some real-world examples that we're likely to run into in our everyday work.

Basic Communication

Just see what's going on, by looking at all interfaces.
# tcpdump -i any

Specific Interface

Basic view of what's happening on a particular interface.
# tcpdump -i eth0

Raw Output View

Verbose output, with no resolution of hostnames or port numbers, absolute sequence numbers, and human-readable timestamps.
# tcpdump -ttttnnvvS

Find Traffic past times IP

One of the most common queries, this will show you traffic involving 1.2.3.4, whether it's the source or the destination.
# tcpdump host 1.2.3.4

Seeing More of the Packet amongst Hex Output

Hex output is useful when you want to see the content of the packets in question, and it's often best used when you're isolating a few candidates for closer scrutiny.
# tcpdump -nnvXSs 0 -c1 icmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet)
23:11:10.370321 IP (tos 0x20, ttl 48, id 34859, offset 0, flags [none], length: 84) 69.254.213.43 > 72.21.34.42: icmp 64: echo request seq 0
        0x0000:  4520 0054 882b 0000 3001 7cf5 45fe d52b  E..T.+..0.|.E..+
        0x0010:  4815 222a 0800 3530 272a 0000 25ff d744  H."*..50'*..%..D
        0x0020:  ae5e 0500 0809 0a0b 0c0d 0e0f 1011 1213  .^..............
        0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
        0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
        0x0050:  3435 3637                                4567
1 packets captured
1 packets received by filter
0 packets dropped by kernel
TABLE 2. — Verbose Capture of an ICMP Packet.

Filtering past times Source as well as Destination

It's quite easy to isolate traffic based on either source or destination using src and dst.
# tcpdump src 2.3.4.5
# tcpdump dst 3.4.5.6

Finding Packets past times Network

To find packets going to or from a particular network, use the net option. You can combine this with the src or dst options as well.
# tcpdump net 1.2.3.0/24

Show Traffic Related to a Specific Port

You can find specific port traffic by using the port option followed by the port number.
# tcpdump port 3389

# tcpdump src port 1025

Show Traffic of One Protocol

If you're looking for one particular kind of traffic, you can use tcp, udp, icmp, and many others as well.
# tcpdump icmp

Show only IPv6 Traffic

You can also find all IPv6 traffic using the protocol option.
# tcpdump ip6

Find Traffic Using Port Ranges

You can also use a range of ports to find traffic.
# tcpdump portrange 21-23

Find Traffic Based on Packet Size

If you're looking for packets of a particular size you can use these options. You can use less or greater, or compare the packet length directly with len and the comparison operators you would expect from mathematics. Note that less N matches packets whose length is less than or equal to N, and greater N matches packets of length greater than or equal to N; the comparison form has to be quoted so the shell doesn't treat it as a redirection.
# tcpdump less 32

# tcpdump greater 64

# tcpdump 'len <= 128'

Writing Captures to a File

It's often useful to save packet captures into a file for analysis in the future. These files are known as PCAP (PEE-cap) files, and they can be processed by hundreds of different applications, including network analyzers, intrusion detection systems, and of course by tcpdump itself. Here we're writing to a file called capture_file using the -w switch. Nothing is printed while writing; add -v if you want a running packet count. Put the options before the filter expression, since not every platform's option parser accepts them after it.
# tcpdump -w capture_file port 80

Reading PCAP files

You can read PCAP files by using the -r switch. Note that you can use all the regular expressions within tcpdump while reading in a file; you're only limited by the fact that you can't capture and process what doesn't exist in the file already.
# tcpdump -r capture_file
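Knowing what -w actually writes makes those files less of a black box. The following added example (mine, not part of the original tutorial) writes a minimal pcap file containing the Table 1 SYN packet and reads it back, including the case where the snaplen truncates the packet, which is the situation the -s note above warns about. The timestamp and the temporary file name are constructed; link type 101 (LINKTYPE_RAW) is used because the sample packet starts at the IP header and has no Ethernet frame around it.

```python
import os
import struct
import tempfile

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # pcap with nanosecond timestamps (tcpdump --nano)
LINKTYPE_RAW = 101             # each record starts directly at the IPv4/IPv6 header

# The Table 1 SYN packet (DF word restored), used as the sample record.
SAMPLE_PACKET = bytes.fromhex(
    "4500003c4f14400040067417" "0afb0257" "4815222a"
    "8c8200509dc65a4100000000a00216d00ac10000"
    "020405b40402080a14b4155500000000" "01030302"
)


def write_pcap(path, records, linktype=LINKTYPE_RAW, snaplen=262144):
    """Write (ts_sec, ts_usec, packet) records. Packets longer than snaplen are
    cut exactly as tcpdump -s does: incl_len is what was kept, orig_len what
    was on the wire. A reader can detect the truncation but never undo it."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype))
        for ts_sec, ts_usec, pkt in records:
            data = pkt[:snaplen]
            f.write(struct.pack("<IIII", ts_sec, ts_usec, len(data), len(pkt)))
            f.write(data)


def read_pcap(path):
    """Return (linktype, snaplen, [(ts_sec, ts_frac, data, orig_len), ...]).
    The magic number tells us the writer's byte order and time resolution."""
    with open(path, "rb") as f:
        hdr = f.read(24)
        if len(hdr) < 24:
            raise ValueError("short pcap file header")
        for end in ("<", ">"):
            magic = struct.unpack(end + "I", hdr[:4])[0]
            if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
                break
        else:
            raise ValueError("not a pcap file (magic %s)" % hdr[:4].hex())
        _, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(end + "IHHiIII", hdr)
        records = []
        while True:
            rh = f.read(16)
            if not rh:
                break
            if len(rh) < 16:
                raise ValueError("truncated record header (capture cut off mid-write)")
            ts_sec, ts_frac, incl_len, orig_len = struct.unpack(end + "IIII", rh)
            data = f.read(incl_len)
            if len(data) < incl_len:
                raise ValueError("truncated packet data")
            records.append((ts_sec, ts_frac, data, orig_len))
        return linktype, snaplen, records


def roundtrip(snaplen=262144):
    """Write the sample packet with the given snaplen, read it back, and
    report what survived. Returns a dict so the result can be checked."""
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        # constructed timestamp: 2023-11-14T22:13:20Z + 79416 microseconds
        write_pcap(path, [(1700000000, 79416, SAMPLE_PACKET)], snaplen=snaplen)
        linktype, _snap, records = read_pcap(path)
    finally:
        os.unlink(path)
    _sec, _frac, data, orig_len = records[0]
    return {"linktype": linktype, "captured": len(data), "original": orig_len,
            "intact": data == SAMPLE_PACKET, "truncated": len(data) < orig_len}


if __name__ == "__main__":
    print("full snaplen:", roundtrip())
    print("snaplen 40:  ", roundtrip(snaplen=40))
```

A file produced by write_pcap with the default snaplen opens with tcpdump -nnr and prints the same SYN as Table 1; the snaplen 40 version keeps only the IP header and the first 20 bytes of TCP, so the options and anything after them are gone for good, which is why -s 0 matters when the capture is the only copy of the evidence.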

Advanced

Now that we've seen what we can do with the basics through some examples, let's look at some more advanced stuff.

It’s All About the Combinations

Being able to do these various things individually is powerful, but the real magic of tcpdump comes from the ability to combine options in creative ways in order to isolate exactly what you're looking for. There are three ways to do combinations, and if you've studied programming at all they'll be pretty familiar to you.
  1. AND
    and or &&
  2. OR
    or or ||
  3. EXCEPT
    not or !
Note that and and or have equal precedence and group left to right, so when you mix them, use parentheses to say what you mean (see the grouping section below for how to quote them). Here are some examples of combined commands.

From specific IP as well as destined for a specific Port

Let's find all traffic from 10.5.2.3 going to any host on port 3389.
tcpdump -nnvvS src 10.5.2.3 and dst port 3389

From One Network to Another

Let's look for all traffic coming from 192.168.x.x and going to the 10.x or 172.16.x.x networks, showing hex output with no hostname resolution and one level of extra verbosity. The parentheses matter here: without them the expression would group left to right as (src net 192.168.0.0/16 and dst net 10.0.0.0/8) or dst net 172.16.0.0/16, and you would also get traffic to 172.16.x.x from anywhere.
tcpdump -nvX 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or dst net 172.16.0.0/16)'

Non ICMP Traffic Going to a Specific IP

This will show us all traffic going to 192.168.0.2 that is not ICMP.
tcpdump dst 192.168.0.2 and not icmp

Traffic From a Host That Isn’t on a Specific Port

This will show us all traffic from a host that isn't SSH traffic (assuming default port usage; SSH on another port, or something else on port 22, will fool this filter, which is why the banner-based recipe at the end of this page exists).
tcpdump -vv src mars and not dst port 22
As you can see, you can create queries to find just about anything you need. The key is to first figure out exactly what you're looking for and then to build the syntax to isolate that specific type of traffic.

Complex Grouping and Special Characters

Also keep in mind that when you're building complex queries you may have to group your options using single quotes. Single quotes tell the shell not to interpret certain special characters, in the example below the ( ) parentheses, so that they reach tcpdump intact. This same technique can be used to group other expressions such as host, port, net, etc. Take a look at the command below.
# Traffic that's from 10.0.2.4 AND destined for ports 3389 or 22 (incorrect)
# tcpdump src 10.0.2.4 and (dst port 3389 or 22)
If you tried to run this otherwise very useful command, you'd get an error because of the parentheses: the shell treats them as its own syntax before tcpdump ever sees the expression. You can fix this either by escaping each parenthesis (putting a \ before each one), or by putting the entire expression inside single quotes:
# Traffic that's from 10.0.2.4 AND destined for ports 3389 or 22 (correct)
# tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'

Isolating Specific TCP Flags

You can also capture traffic based on specific TCP flag(s).
[ NOTE: The filters below find these various packets because tcp[13] looks at byte offset 13 in the TCP header, which is the flags byte. The number is a bitmask selecting one flag within that byte (FIN = 1, SYN = 2, RST = 4, PSH = 8, ACK = 16, URG = 32; ECE = 64 and CWR = 128 occupy the top two bits), and the != 0 means that the flag in question is set to 1, i.e. it's on, regardless of what the other bits are. An exact comparison like tcp[13] = 18 instead requires that no other bit is set. ]
Show me all URGENT (URG) packets…
# tcpdump 'tcp[13] & 32!=0'
Show me all ACKNOWLEDGE (ACK) packets…
# tcpdump 'tcp[13] & 16!=0'
Show me all PUSH (PSH) packets…
# tcpdump 'tcp[13] & 8!=0'
Show me all RESET (RST) packets…
# tcpdump 'tcp[13] & 4!=0'
Show me all SYNCHRONIZE (SYN) packets…
# tcpdump 'tcp[13] & 2!=0'
Show me all FINISH (FIN) packets…
# tcpdump 'tcp[13] & 1!=0'
Show me all SYNCHRONIZE/ACKNOWLEDGE (SYNACK) packets…
# tcpdump 'tcp[13]=18'
[ Note: In tcpdump's flags field the letters S, P, R, F and U stand for SYN, PSH, RST, FIN and URG, and a '.' means ACK is set, so [S.] is a SYN/ACK. The acknowledgement number itself is printed separately as ack N. Older versions showed only the SPRF letters in that field and printed ack and urg values elsewhere in the line. ]
As with most powerful tools, however, there are multiple ways to do things. The examples below show another way to capture packets with specific TCP flags set, using the named tcpflags constants (tcp-syn, tcp-ack, tcp-rst, tcp-fin, tcp-push, tcp-urg). Be aware that == matches packets whose flag byte is exactly that one flag and nothing else, so the first command matches a bare SYN but not a SYN/ACK; a bitwise-and test against the named constant, like the numeric != 0 tests above, matches the flag regardless of the others.
Capture SYN Flags Using the tcpflags option…
# tcpdump 'tcp[tcpflags] == tcp-syn'
Capture RST Flags Using the tcpflags option…
# tcpdump 'tcp[tcpflags] == tcp-rst'
Capture FIN Flags Using the tcpflags option…
# tcpdump 'tcp[tcpflags] == tcp-fin'
[ Note: The same technique can be used for the other flags as well; they have been omitted in the interest of space. ]

Identifying Noteworthy Traffic

Finally, there are a few quick recipes you'll want to remember for catching specific and specialized traffic, such as malformed or likely-malicious packets.

Packets with both the RST and SYN flags set (this should never be the case in legitimate traffic)


# tcpdump 'tcp[13] = 6'

Find cleartext HTTP GET requests

# tcpdump 'tcp[32:4] = 0x47455420'
[ Note: 0x47455420 is the ASCII for "GET ". The offset 32 assumes a 32-byte TCP header, i.e. the 20-byte base header plus the 12 bytes of NOP, NOP, timestamp options that Linux sends by default. Against a stack that sends no options the payload starts at offset 20 and this filter misses; the header-length-aware form used for the SSH recipe below works for any header size. ]

Find SSH connections on any port (via banner text)

# tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'
[ Note: 0x5353482D is the ASCII for "SSH-", the start of the version banner both sides send. tcp[12]>>2 turns the data-offset nibble (header length in 32-bit words) into the header length in bytes, so the comparison always lands on the first four payload bytes no matter which options are present. This catches SSH on non-standard ports, which the port-22 filter above cannot. ]

Packets with a TTL less than 10 (usually indicates a problem or use of traceroute; ip[8] is the TTL byte of the IPv4 header)


# tcpdump 'ip[8] < 10'

Packets with the Evil Bit set (hacker trivia more than anything else: the reserved high bit of the IP flags field, defined by the April Fools' RFC 3514)


# tcpdump 'ip[6] & 128 != 0'
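The flag tests and the recipes above are all just integer comparisons on bytes at fixed or computed offsets. The following added example (mine, not code from the original tutorial) reproduces each of them in Python over constructed packets, so you can see exactly what every expression inspects and where two of them differ: tcp[13] = 18 misses a SYN/ACK that also carries ECE from ECN negotiation, and tcp[32:4] only finds a GET when the TCP header is 32 bytes long, whereas the header-length-aware form used for the SSH banner works for any header size. The grouped filter from the Complex Grouping section is included as well. All addresses, ports, payloads and packets are constructed for the demonstration; checksums are left at zero because none of these filters examine them.

```python
import struct

# pcap-style byte accessors. ip[off:n] reads n bytes at offset off of the
# IPv4 header; tcp[off:n] reads relative to the start of the TCP header,
# which sits after the variable-length IP header. Values compare as
# big-endian integers, exactly as in a filter expression.

def ip_hdr_len(pkt):
    return (pkt[0] & 0x0F) * 4                    # IHL, in 32-bit words


def ip_bytes(pkt, off, n=1):
    return int.from_bytes(pkt[off:off + n], "big")


def tcp_bytes(pkt, off, n=1):
    base = ip_hdr_len(pkt)
    return int.from_bytes(pkt[base + off:base + off + n], "big")


# Bit values of tcp[13]. ECE and CWR occupy the top two bits.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 1, 2, 4, 8, 16, 32, 64, 128

# Each recipe beside the tcpdump filter it mirrors.
RECIPES = {
    "syn_set":       lambda p: tcp_bytes(p, 13) & SYN != 0,                   # 'tcp[13] & 2 != 0'
    "synack_exact":  lambda p: tcp_bytes(p, 13) == SYN | ACK,                 # 'tcp[13] = 18'
    "synack_masked": lambda p: tcp_bytes(p, 13) & (SYN | ACK) == SYN | ACK,   # 'tcp[13] & 18 = 18'
    "rst_and_syn":   lambda p: tcp_bytes(p, 13) == RST | SYN,                 # 'tcp[13] = 6'
    "http_get_fixed":      lambda p: tcp_bytes(p, 32, 4) == 0x47455420,       # 'tcp[32:4] = 0x47455420'
    "http_get_any_header": lambda p: tcp_bytes(p, tcp_bytes(p, 12) >> 2, 4) == 0x47455420,
    "ssh_banner":    lambda p: tcp_bytes(p, tcp_bytes(p, 12) >> 2, 4) == 0x5353482D,  # 'tcp[(tcp[12]>>2):4] = ...'
    "low_ttl":       lambda p: ip_bytes(p, 8) < 10,                           # 'ip[8] < 10'
    "evil_bit":      lambda p: ip_bytes(p, 6) & 128 != 0,                     # 'ip[6] & 128 != 0'
    # 'src 10.0.2.4 and (dst port 3389 or 22)'; the real filter also matches UDP/SCTP ports
    "from_host_to_rdp_or_ssh": lambda p: ip_bytes(p, 12, 4) == 0x0A000204
                                         and tcp_bytes(p, 2, 2) in (3389, 22),
}


def build_packet(src, dst, sport, dport, flags, ttl=64, options=b"", payload=b"", evil=False):
    """Constructed IPv4/TCP packet. Checksums stay zero; the recipes never read them."""
    options += b"\x00" * (-len(options) % 4)      # options are padded to 32-bit words
    data_offset = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset << 4,
                      flags, 65535, 0, 0) + options + payload
    frag = 0x8000 if evil else 0                  # RFC 3514 evil bit: reserved high bit of flags/fragment word
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, frag, ttl, 6, 0,
                     bytes(src), bytes(dst))
    return ip + tcp


TS_OPTIONS = b"\x01\x01\x08\x0a" + b"\x00" * 8    # nop, nop, timestamp: the 12 bytes Linux adds by default
A, B = (10, 0, 2, 4), (10, 0, 2, 5)               # constructed hosts

SAMPLES = {
    "syn":        build_packet(A, B, 35970, 80, SYN, options=TS_OPTIONS),
    "synack_ecn": build_packet(B, A, 80, 35970, SYN | ACK | ECE, options=TS_OPTIONS),
    "rst_syn":    build_packet(A, B, 40000, 80, RST | SYN),
    "get_opts":   build_packet(A, B, 35970, 80, PSH | ACK, options=TS_OPTIONS, payload=b"GET / HTTP/1.1\r\n"),
    "get_noopts": build_packet(A, B, 35970, 80, PSH | ACK, payload=b"GET / HTTP/1.1\r\n"),
    "ssh_2222":   build_packet(A, B, 50000, 2222, PSH | ACK, payload=b"SSH-2.0-OpenSSH_9.6\r\n"),
    "traceroute": build_packet(A, B, 40001, 33434, SYN, ttl=5),
    "evil":       build_packet(A, B, 40002, 22, SYN, evil=True),
}


def scan(samples=SAMPLES):
    """Run every recipe over every sample: {sample_name: {recipe_name: matched}}."""
    return {name: {r: bool(fn(pkt)) for r, fn in RECIPES.items()}
            for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, hits in scan().items():
        print("%-12s %s" % (name, ", ".join(r for r, ok in hits.items() if ok) or "-"))
```

Two rows of the output are the ones worth remembering: get_noopts matches http_get_any_header but not http_get_fixed, and synack_ecn matches synack_masked but not synack_exact. Whenever a filter fails to see traffic you know is there, check whether it assumes a header length or an exact flag byte.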

Summary


  1. tcpdump is a valuable tool for anyone looking to get into networking or information security.
  2. The raw way it interfaces with traffic, combined with the precision it offers in inspecting packets, makes it the best possible tool for learning TCP/IP.
  3. Protocol analyzers like Wireshark are great, but if you want to truly master packet-fu, you must become one with tcpdump first.
Well, this primer should get you going strong, but the man page should always be handy for the most advanced and one-off usage scenarios. I truly hope this has been useful to you, and feel free to contact me if you have any questions.