- Why tcpdump?
- Basics
- Examples
  - Basic Communication
  - Specific Interface
  - Raw Output View
  - Find Traffic by IP
  - Seeing Packet Contents with Hex Output
  - Filtering by Source and/or Destination
  - Finding Packets by Network
  - Show Traffic Related to a Port
  - Show Traffic of One Protocol
  - Show Only IPv6 Traffic
  - Find Traffic Using Port Ranges
  - Find Traffic Based on Packet Size
  - Writing Captures to a File
  - Reading Traffic from a File
- Advanced
  - It's All About the Combinations
  - From a Specific IP and Destined for a Specific Port
  - From One Network to Another
  - Non-ICMP Traffic Going to a Specific IP
  - Traffic from a Host That Isn't on a Specific Port
  - Complex Grouping and Special Characters
  - Isolating Specific TCP Flags
  - Identifying Noteworthy Traffic
- Summary
Why tcpdump?

tcpdump is the premier network analysis tool for information security professionals. Having a solid grasp of this über-powerful application is mandatory for anyone desiring a thorough understanding of TCP/IP. Many prefer to use higher-level analysis tools such as Wireshark, but I believe this to commonly be a mistake.

When using a tool that displays network traffic in a more natural (raw) way, the burden of analysis is placed directly on the human rather than the application. This approach cultivates continued and elevated understanding of the TCP/IP suite, and for this reason I strongly advocate using tcpdump instead of other tools whenever possible.

15:31:34.079416 IP (tos 0x0, ttl 64, id 20244, offset 0, flags [DF], proto: TCP (6), length: 60) source.35970 > dest.80: S, cksum 0x0ac1 (correct), 2647022145:2647022145(0) win 5840
0x0000: 4500 003c 4f14 4006 7417 0afb 0257 E..
0x0010: 4815 222a 8c82 0050 9dc6 5a41 0000 0000 H."*...P..ZA....
0x0020: a002 16d0 0ac1 0000 0204 05b4 0402 080a ................
0x0030: 14b4 1555 0000 0000 0103 0302

TABLE 1. — Raw TCP/IP Output.
Basics

Below are a few options you can use when configuring tcpdump. They're easy to forget and/or confuse with other types of filters, e.g., Wireshark, so hopefully this page can serve as a reference for you, as it does me. Here are the main ones I like to keep in mind depending on what I'm looking at.

Options

- -i any: Listen on all interfaces, just to see if you're seeing any traffic.
- -i eth0: Listen on the eth0 interface.
- -D: Show the list of available interfaces.
- -n: Don't resolve hostnames.
- -nn: Don't resolve hostnames or port names.
- -q: Be less verbose (more quiet) with your output; each line carries less protocol information.
- -t: Don't print a timestamp on each line.
- -tttt: Print a maximally human-readable timestamp (date and time) on each line.
- -X: Show the packet's contents in both hex and ASCII.
- -XX: Same as -X, but also shows the Ethernet header.
- -v, -vv, -vvv: Increase the amount of packet information you get back.
- -c: Only get x number of packets and then stop.
- -s: Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
- -S: Print absolute sequence numbers.
- -e: Get the Ethernet header as well.
- -E: Decrypt IPsec ESP traffic by providing the algorithm and key.

[ Older tcpdump releases defaulted to a snaplength of 68 bytes (later 96), which truncates most packets. Since 4.0 the default is large enough to hold whole packets (65535 bytes, later raised to 262144), but if you are on an old build, or a script has set -s for you, use -s 1514 or -s 0 to get full coverage. ]
Expressions

In tcpdump, expressions allow you to trim out various types of traffic and find exactly what you're looking for. Mastering the expressions and learning to combine them creatively is what makes one truly powerful with tcpdump.

There are three main types of qualifier in an expression: type, dir, and proto.

- Type options are: host, net, and port.
- Direction lets you do src, dst, and combinations thereof.
- Proto(col) lets you designate: tcp, udp, icmp, ah, and many more.
Examples

So, now that we've seen what our options are, let's look at some real-world examples that we're likely to encounter in our everyday work.

Basic Communication

Just see what's going on, by looking at all interfaces.

# tcpdump -i any

Specific Interface

Basic view of what's happening on a particular interface.

# tcpdump -i eth0

Raw Output View

Verbose output, with no resolution of hostnames or port numbers, absolute sequence numbers, and human-readable timestamps.

# tcpdump -ttttnnvvS

Find Traffic by IP

One of the most common queries, this will show you traffic from 1.2.3.4, whether it's the source or the destination.

# tcpdump host 1.2.3.4

Seeing More of the Packet with Hex Output

Hex output is useful when you want to see the content of the packets in question, and it's often best used when you're isolating a few candidates for closer scrutiny. Here -c1 stops after a single packet and -s 0 makes sure all of it is captured.

# tcpdump -nnvXSs 0 -c1 icmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet)
23:11:10.370321 IP (tos 0x20, ttl 48, id 34859, offset 0, flags [none], length: 84) 69.254.213.43 > 72.21.34.42: icmp 64: echo request seq 0
0x0000: 4520 0054 882b 0000 3001 7cf5 45fe d52b E..T.+..0.|.E..+
0x0010: 4815 222a 0800 3530 272a 0000 25ff d744 H."*..50'*..%..D
0x0020: ae5e 0500 0809 0a0b 0c0d 0e0f 1011 1213 .^..............
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0x0050: 3435 3637 4567
1 packets captured
1 packets received by filter
0 packets dropped by kernel

TABLE 2. — Verbose Capture of an ICMP Packet.

Filtering by Source and Destination

It's quite easy to isolate traffic based on either source or destination using src and dst.

# tcpdump src 2.3.4.5
# tcpdump dst 3.4.5.6

Finding Packets by Network

To find packets going to or from a particular network, use the net option. You can combine this with the src or dst options as well.

# tcpdump net 1.2.3.0/24

Show Traffic Related to a Specific Port

You can find specific port traffic by using the port option followed by the port number.

# tcpdump port 3389
# tcpdump src port 1025

Show Traffic of One Protocol

If you're looking for one particular kind of traffic, you can use tcp, udp, icmp, and many others as well.

# tcpdump icmp

Show Only IPv6 Traffic

You can also find all IPv6 traffic using the protocol option.

# tcpdump ip6

Find Traffic Using Port Ranges

You can also use a range of ports to find traffic.

# tcpdump portrange 21-23

Find Traffic Based on Packet Size

If you're looking for packets of a particular size you can use these options. less N matches packets of N bytes or smaller and greater N matches packets of N bytes or larger; for any other comparison, compare the len keyword using the symbols you would expect from mathematics. Quote the expression so the shell doesn't treat < or > as a redirection.

# tcpdump less 32
# tcpdump greater 64
# tcpdump 'len <= 128'

Writing Captures to a File

It's often useful to save packet captures into a file for analysis in the future. These files are known as PCAP (PEE-cap) files, and they can be processed by hundreds of different applications, including network analyzers, intrusion detection systems, and of course by tcpdump itself. Here we're writing to a file called capture_file using the -w switch. Put the options before the filter expression; on some platforms tcpdump stops parsing options at the first expression word.

# tcpdump -w capture_file port 80

Reading PCAP Files

You can read PCAP files by using the -r switch. Note that you can use all the regular filter expressions within tcpdump while reading in a file; you're only limited by the fact that you can't capture and process what doesn't exist in the file already.

# tcpdump -r capture_file
Advanced

Now that we've seen what we can do with the basics through some examples, let's look at some more advanced stuff.

It's All About the Combinations

Being able to do these various things individually is powerful, but the real magic of tcpdump comes from the ability to combine options in creative ways in order to isolate exactly what you're looking for. There are three ways to do combinations, and if you've studied programming at all they'll be pretty familiar to you. Keep in mind that and binds more tightly than or, so use parentheses (and quote the whole expression for the shell) when you mix the two.

- AND: and or &&
- OR: or or ||
- EXCEPT: not or !
From a Specific IP and Destined for a Specific Port

Let's find all traffic from 10.5.2.3 going to any host on port 3389.

# tcpdump -nnvvS 'src 10.5.2.3 and dst port 3389'

From One Network to Another

Let's look for all traffic coming from 192.168.x.x and going to the 10.x or 172.16.x.x networks, and we're showing hex output with no hostname resolution and one level of extra verbosity. The parentheses matter: without them, and would bind the first two terms together and the 172.16.x.x term would match on its own, in either direction.

# tcpdump -nvX 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or dst net 172.16.0.0/16)'

Non-ICMP Traffic Going to a Specific IP

This will show us all traffic going to 192.168.0.2 that is not ICMP.

# tcpdump 'dst 192.168.0.2 and not icmp'

Traffic from a Host That Isn't on a Specific Port

This will show us all traffic from the host mars except what it sends to port 22, i.e. everything but its outbound SSH connections (assuming default port usage). Use not port 22 instead if you also want to drop the replies mars sends from its own SSH server, which have 22 as the source port.

# tcpdump -vv 'src mars and not dst port 22'
As you can see, you can create queries to find just about anything you need. The key is to first figure out precisely what you're looking for and then to build the syntax to isolate that specific type of traffic.

Complex Grouping and Special Characters

Also keep in mind that when you're building complex queries you might have to group your options using single quotes. The quotes are for the shell, not for tcpdump: they stop the shell from interpreting special characters, in the case below the "( )" brackets, so that the whole expression reaches tcpdump intact. This same technique can be used to group using other expressions such as host, port, net, etc. Take a look at the command below.

# Traffic that's from 10.0.2.4 AND destined for ports 3389 or 22 (incorrect: the shell tries to interpret the parentheses)
# tcpdump src 10.0.2.4 and (dst port 3389 or 22)

# Traffic that's from 10.0.2.4 AND destined for ports 3389 or 22 (correct)
# tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'
Isolating Specific TCP Flags

You can also capture traffic based on specific TCP flag(s).

[ NOTE: The filters below find these various packets because tcp[13] looks at byte offset 13 in the TCP header, which is the flags byte. The number ANDed with it is the bit value of the flag within that byte (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32), and the != 0 means that the flag in question is set to 1, i.e. it's on, regardless of which other flags are set alongside it. ]

Show me all URGENT (URG) packets…
# tcpdump 'tcp[13] & 32 != 0'

Show me all ACKNOWLEDGE (ACK) packets…
# tcpdump 'tcp[13] & 16 != 0'

Show me all PUSH (PSH) packets…
# tcpdump 'tcp[13] & 8 != 0'

Show me all RESET (RST) packets…
# tcpdump 'tcp[13] & 4 != 0'

Show me all SYNCHRONIZE (SYN) packets…
# tcpdump 'tcp[13] & 2 != 0'

Show me all FINISH (FIN) packets…
# tcpdump 'tcp[13] & 1 != 0'

Show me all SYNCHRONIZE/ACKNOWLEDGE (SYNACK) packets…
# tcpdump 'tcp[13] = 18'

[ Note: tcp[13] = 18 is an exact match: SYN (2) plus ACK (16) and nothing else. In tcpdump's flags field, S, F, R, P and U stand for SYN, FIN, RST, PSH and URG, and a dot stands for ACK, so a SYN/ACK is displayed as [S.] and a bare ACK as [.]. ]

As with most powerful tools, however, there are multiple ways to do things. The example below shows another way to capture packets with specific TCP flags set, using the tcpflags index and the named flag values. Note that == is also an exact match: tcp[tcpflags] == tcp-syn only matches packets where SYN is the sole flag set, so it will not catch the SYN/ACK; use tcp[tcpflags] & tcp-syn != 0 for "SYN is set".

Capture SYN Flags Using the tcpflags option…
# tcpdump 'tcp[tcpflags] == tcp-syn'

Capture RST Flags Using the tcpflags option…
# tcpdump 'tcp[tcpflags] == tcp-rst'

Capture FIN Flags Using the tcpflags option…
# tcpdump 'tcp[tcpflags] == tcp-fin'

[ Note: The same technique can be used for the other flags as well (tcp-ack, tcp-push, tcp-urg; note that PSH is spelled tcp-push); they have been omitted in the interest of space. ]
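The following is an added example and not code from the original article or from tcpdump. It is a small Python model of the TCP flags byte that makes the three filter shapes above concrete: "at least one of these flags" (the & mask != 0 form), "all of these flags, others don't care", and the exact match that tcp[13] = 18 and tcp[tcpflags] == tcp-syn perform. It also renders each flags value the way tcpdump's flags column prints it. The flag bytes in SAMPLES are constructed to look like one short HTTP connection followed by a stray RST.

```python
"""TCP flag semantics behind tcp[13] / tcp[tcpflags] filters.
Added example, not code from the article or from tcpdump; the sample flag bytes are constructed."""

# Bit values of TCP header byte 13, and the keyword pcap-filter uses for each one.
# Note that PSH is spelled tcp-push in a filter, not tcp-psh.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
PCAP_KEYWORD = {"FIN": "tcp-fin", "SYN": "tcp-syn", "RST": "tcp-rst", "PSH": "tcp-push",
                "ACK": "tcp-ack", "URG": "tcp-urg", "ECE": "tcp-ece", "CWR": "tcp-cwr"}
# How tcpdump prints the flags column: '.' stands for ACK, so [S.] is a SYN/ACK.
DISPLAY = [("FIN", "F"), ("SYN", "S"), ("RST", "R"), ("PSH", "P"),
           ("ACK", "."), ("URG", "U"), ("ECE", "E"), ("CWR", "W")]

def flag_mask(*names):
    """Numeric mask for a set of flag names: flag_mask('SYN', 'ACK') == 18."""
    return sum(TCP_FLAGS[n] for n in names)

def render_flags(byte):
    """tcpdump-style flags column for a raw tcp[13] value: 0x12 -> '[S.]'."""
    return "[" + "".join(ch for name, ch in DISPLAY if byte & TCP_FLAGS[name]) + "]"

def _symbolic(names):
    return "|".join(PCAP_KEYWORD[n] for n in names)

# Three filter shapes that are easy to confuse. Each returns (filter text, predicate on tcp[13]).
def any_of(*names):
    """At least one of the flags is set: tcp[tcpflags] & (mask) != 0."""
    mask = flag_mask(*names)
    return f"tcp[tcpflags] & ({_symbolic(names)}) != 0", lambda b: b & mask != 0

def all_of(*names):
    """Every listed flag is set, other flags don't matter: tcp[tcpflags] & (mask) == (mask)."""
    mask, sym = flag_mask(*names), _symbolic(names)
    return f"tcp[tcpflags] & ({sym}) == ({sym})", lambda b: b & mask == mask

def exactly(*names):
    """These flags and no others: tcp[13] == mask, e.g. 18 for SYN/ACK, 6 for SYN+RST."""
    mask = flag_mask(*names)
    return f"tcp[13] == {mask}", lambda b: b == mask

def select(filt, samples):
    """Apply a (filter, predicate) pair to raw flag bytes; returns the matches rendered."""
    _, pred = filt
    return [render_flags(b) for b in samples if pred(b)]

# Constructed tcp[13] values: handshake, request/response, teardown, then a stray RST.
SAMPLES = [0x02, 0x12, 0x10, 0x18, 0x18, 0x11, 0x10, 0x04]

if __name__ == "__main__":
    for filt in (exactly("SYN"), any_of("SYN"), all_of("SYN", "ACK"), any_of("SYN", "FIN", "RST")):
        print(f"{filt[0]:48} -> {' '.join(select(filt, SAMPLES))}")
```

Running it shows the difference that matters in practice: exactly("SYN") selects only the [S] packet, while any_of("SYN") also selects the [S.] SYN/ACK, which is why a connection-count recipe built on tcp[tcpflags] == tcp-syn undercounts when the capture includes the server side. The filter strings the functions return can be pasted straight into tcpdump.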
Identifying Noteworthy Traffic

Finally, there are a few quick recipes you'll want to remember for catching specific and specialized traffic, such as malformed / likely-malicious packets.

Packets with both the RST and SYN flags set (this should never be the case)
# tcpdump 'tcp[13] = 6'

Find cleartext HTTP GET requests. A fixed offset like tcp[32:4] only works when the TCP header is exactly 32 bytes long (20 bytes plus 12 bytes of options, the common case on Linux with timestamps enabled); indexing from the data-offset field instead works for any header length.
# tcpdump 'tcp[32:4] = 0x47455420'
# tcpdump 'tcp[((tcp[12]&0xf0)>>2):4] = 0x47455420'

Find SSH connections on any port (via banner text). The index expression reads the data-offset nibble in the high half of tcp[12] and multiplies it by four to land on the first payload byte, whatever options are present.
# tcpdump 'tcp[((tcp[12]&0xf0)>>2):4] = 0x5353482D'

Packets with a TTL less than 10 (usually indicates a problem or use of traceroute)
# tcpdump 'ip[8] < 10'

Packets with the Evil Bit set (hacker trivia more than anything else; it's the reserved high bit of the IP flags byte, from RFC 3514)
# tcpdump 'ip[6] & 128 != 0'
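The following is an added example, not code from the original article or from tcpdump. It reproduces in Python the byte-offset indexing (ip[N], tcp[N:M], and the data-offset arithmetic) that the hex dump in Table 2 and the recipes above rely on, so you can see exactly which bytes each filter is comparing. The ICMP packet is the one from Table 2, copied from its hex columns; the TCP packets, addresses, ports and payloads are constructed for the demo, and build_tcp and write_pcap are hypothetical helpers of this example. It also writes the packets to a libpcap file so you can run the same filters with tcpdump -r.

```python
"""tcpdump byte-offset filters (ip[N], tcp[N:M]) evaluated in pure Python.
Added example, not code from the article or from tcpdump; TCP packets are constructed."""
import socket
import struct

# The 84-byte ICMP echo request from Table 2 (hex columns copied from the dump).
ICMP_ECHO = bytes.fromhex(
    "4520 0054 882b 0000 3001 7cf5 45fe d52b 4815 222a 0800 3530 272a 0000 25ff d744"
    "ae5e 0500 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223"
    "2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637"
)

def _inet_csum(data):
    """RFC 1071 one's-complement sum used by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_tcp(src, dst, sport, dport, flags, payload=b"", options=b"", ttl=64, ip_flags=0x4000):
    """Raw IPv4+TCP packet (no link-layer header) with valid IP and TCP checksums.
    Hypothetical helper; ip_flags=0x4000 is DF, 0x8000 sets the RFC 3514 evil bit."""
    options += b"\x00" * (-len(options) % 4)      # options are padded to 32-bit words
    doff = (20 + len(options)) // 4               # TCP data offset, in 32-bit words
    th = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, doff << 4, flags, 65535, 0, 0) + options
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(th) + len(payload))
    th = th[:16] + struct.pack("!H", _inet_csum(pseudo + th + payload)) + th[18:]
    ih = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(th) + len(payload), 0x1234, ip_flags,
                     ttl, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ih = ih[:10] + struct.pack("!H", _inet_csum(ih)) + ih[12:]
    return ih + th + payload

def ip(pkt, off, n=1):
    """ip[off:n]: n bytes at offset off from the start of the IPv4 header; None if short."""
    chunk = pkt[off:off + n]
    return int.from_bytes(chunk, "big") if len(chunk) == n else None

def tcp(pkt, off, n=1):
    """tcp[off:n]: relative to the TCP header, which begins after IHL*4 bytes of IPv4.
    As in pcap, it only matches TCP packets that are the first (or only) fragment."""
    if ip(pkt, 9) != 6 or (ip(pkt, 6, 2) & 0x1FFF) != 0:
        return None
    return ip(pkt, (pkt[0] & 0x0F) * 4 + off, n)

def tcp_payload(pkt, n=4):
    """tcp[((tcp[12]&0xf0)>>2):n]: first n payload bytes, located via the data-offset nibble."""
    doff = tcp(pkt, 12)
    return None if doff is None else tcp(pkt, (doff & 0xF0) >> 2, n)

# The "noteworthy traffic" recipes from this page, one predicate per tcpdump filter.
RECIPES = {
    "tcp[13] = 6 (SYN+RST)":               lambda p: tcp(p, 13) == 6,
    "tcp[32:4] = 0x47455420 (GET, fixed)": lambda p: tcp(p, 32, 4) == 0x47455420,
    "tcp[payload:4] = 0x47455420 (GET)":   lambda p: tcp_payload(p) == 0x47455420,
    "tcp[payload:4] = 0x5353482D (SSH-)":  lambda p: tcp_payload(p) == 0x5353482D,
    "ip[8] < 10 (low TTL)":                lambda p: ip(p, 8) < 10,
    "ip[6] & 128 != 0 (evil bit)":         lambda p: ip(p, 6) & 0x80 != 0,
}

def run_recipes(pkt):
    """Evaluate every recipe against one raw IPv4 packet: {filter: matched}."""
    return {name: bool(fn(pkt)) for name, fn in RECIPES.items()}

def ip_checksum_ok(pkt):
    """A correct IPv4 header sums to zero once its own checksum field is included."""
    return _inet_csum(pkt[:(pkt[0] & 0x0F) * 4]) == 0

def write_pcap(path, packets):
    """Write raw-IP packets as a libpcap file (linktype 101, LINKTYPE_RAW) for tcpdump -r."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 101))
        for i, p in enumerate(packets):
            f.write(struct.pack("<IIII", 1700000000 + i, 0, len(p), len(p)) + p)

# Constructed sample traffic (addresses, ports and payloads are made up for the demo).
TS_OPT = b"\x01\x01\x08\x0a" + b"\x00\x00\x00\x01" + b"\x00\x00\x00\x00"  # NOP, NOP, timestamp
GET = b"GET / HTTP/1.1\r\n\r\n"
SAMPLES = {
    "GET, no TCP options":    build_tcp("10.0.0.5", "10.0.0.80", 40000, 80, 0x18, GET),
    "GET, 12B of options":    build_tcp("10.0.0.5", "10.0.0.80", 40001, 80, 0x18, GET, TS_OPT),
    "SSH banner on 2222":     build_tcp("10.0.0.5", "10.0.0.9", 40002, 2222, 0x18, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "SYN+RST (malformed)":    build_tcp("10.0.0.5", "10.0.0.9", 40003, 443, 0x06),
    "traceroute-like TTL 3":  build_tcp("10.0.0.5", "10.0.0.9", 40004, 443, 0x02, ttl=3),
    "evil bit set":           build_tcp("10.0.0.5", "10.0.0.9", 40005, 443, 0x02, ip_flags=0x8000),
    "ICMP echo from Table 2": ICMP_ECHO,
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        hits = [name for name, ok in run_recipes(pkt).items() if ok]
        print(f"{label:24} ip_csum_ok={ip_checksum_ok(pkt)} matches={hits}")
    write_pcap("noteworthy.pcap", list(SAMPLES.values()))
    # then: tcpdump -nnXr noteworthy.pcap 'tcp[((tcp[12]&0xf0)>>2):4] = 0x47455420'
```

Two things worth noticing in the output. The GET request without TCP options is missed by the fixed tcp[32:4] recipe and caught by the data-offset form, while the one carrying 12 bytes of timestamp options is caught by both; that is the whole reason to compute the offset from tcp[12]. And the ICMP packet from Table 2 verifies its IP header checksum (0x7cf5) and reads back ttl 48 from ip[8], matching the verbose line tcpdump printed for it.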
Summary

tcpdump is a valuable tool for anyone looking to get into networking or information security.

- The raw way it interfaces with traffic, combined with the precision it offers in inspecting packets, makes it the best possible tool for learning TCP/IP.
- Protocol analyzers like Wireshark are great, but if you want to truly master packet-fu, you must become one with tcpdump first.