Tcpdump
1 Usage
tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -i interface ] [ -M secret ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ] [ -y datalinktype ] [ -Z user ] [ 'expression' ]

-e              Display the datalink/ethernet header layer.
-F              Read the filter expression from a file.
-i              Listen on the specified interface only.
-n              Don't resolve DNS names.
-nn             Don't resolve DNS names or port names.
-r              Read packets from a file.
-s              Get snaplen bytes from each packet.
-S              Print absolute sequence numbers.
-t              No timestamp.
-v, -vv, -vvv   Verbosity (can be used multiple times for increased verbosity).
-w              Write captured packets to a file.
-x              Display packets in hex.
-X              Display packets in ASCII and hex.
Running tcpdump by itself will begin recording traffic seen on the wire and print the output to the screen.
By default tcpdump will ONLY capture the first 68 bytes of each packet it sees on the wire. If you would like to capture
more, use the -s SIZE option. SIZE is a number of bytes; using -s0 will capture the ENTIRE packet.
A size of 1514 is usually good enough for most captures.
See the example below:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:42:49.861865 IP t0peka.ssh > 192.168.2.20.34069: P 1681019935:1681020051(116) ack 541908079 win 12236
12:42:50.211371 IP t0peka.ssh > 192.168.2.20.34069: P 116:232(116) ack 1 win 12236
12:42:49.862004 IP 192.168.2.20.34069 > t0peka.ssh: . ack 232 win 64819
12:42:49.907619 IP t0peka.22931 > cumin.apnic.net.domain: 17249 A? blackhole-2.iana.org. (38)
12:42:50.177954 IP cumin.apnic.net.domain > t0peka.22931: 17249*- 1/0/0 A blackhole-2.iana.org (54)
12:42:50.178055 IP t0peka.11585 > blackhole-1.iana.org.domain: 32216 PTR? 20.2.168.192.in-addr.arpa. (43)
12:42:50.210992 IP blackhole-1.iana.org.domain > t0peka.11585: 32216 NXDomain*- 0/1/0 (98)
12:42:50.211649 IP t0peka.ssh > 192.168.2.20.34069: P 232:540(308) ack 1 win 12236
12:42:50.211916 IP t0peka.8280 > g.gtld-servers.net.domain: 20004 A? NS3.APNIC.NET. (31)
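To make the snaplen behaviour concrete, here is an added Python example (not code from the original page) that writes a minimal pcap file at a chosen snaplen, the way tcpdump -s N -w FILE does, and reads it back to show which bytes survive. The two frames, the SMTP banner text and the output file name are constructed for the demo.

```python
"""Added example, not from the original page: a minimal pcap writer/reader
showing what tcpdump's -s snaplen does to each saved record. The frames and
the file name are constructed for the demo; nothing is captured from the wire."""
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4    # classic pcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1      # EN10MB, the link type shown in tcpdump's banner


def write_pcap(path, packets, snaplen):
    """Write packets truncated to snaplen bytes, like tcpdump -s N -w FILE.
    snaplen 0 mirrors -s0: keep every packet whole (cap set to 262144)."""
    cap = snaplen if snaplen > 0 else 262144
    with open(path, "wb") as f:
        # global header: magic, version 2.4, tz offset, sigfigs, snaplen, link type
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, cap, LINKTYPE_ETHERNET))
        for i, pkt in enumerate(packets):
            saved = pkt[:cap]
            # record header: ts_sec, ts_usec, incl_len (bytes saved), orig_len (on the wire)
            f.write(struct.pack("<IIII", 1700000000 + i, 0, len(saved), len(pkt)))
            f.write(saved)


def read_pcap(path):
    """Return [(saved_bytes, original_length), ...] for every record in the file."""
    records = []
    with open(path, "rb") as f:
        magic, = struct.unpack("<I", f.read(24)[:4])
        if magic != PCAP_MAGIC:
            raise ValueError("not a little-endian pcap file")
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                break
            _sec, _usec, incl, orig = struct.unpack("<IIII", rec)
            records.append((f.read(incl), orig))
    return records


def capture_at(snaplen):
    """Save two constructed frames at the given snaplen and report, per frame,
    (bytes saved, bytes on the wire, whether the SMTP banner is still readable)."""
    header = bytes(54)                      # 14 Ethernet + 20 IPv4 + 20 TCP, zeroed
    frames = [header,                       # bare ACK, no payload
              header + b"220 mail.example.test ESMTP ready\r\n"]  # server banner
    path = os.path.join(tempfile.mkdtemp(), "smtp.pcap")
    write_pcap(path, frames, snaplen)
    return [(len(saved), orig, b"ESMTP" in saved) for saved, orig in read_pcap(path)]
```

With a 68-byte snaplen the second frame is saved as 68 of its 89 bytes and the banner is cut off, which is why the -s 0 in the SMTP capture example later on the page matters.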
2 Basic Usage Examples
View Basic Network communication
tcpdump -nS #Don't resolve DNS names, print the absolute sequence numbers
View Basic Network communication, with added verbosity
tcpdump -nnvvS #Don't resolve DNS or Port names, be more verbose when printing info, print the absolute sequence numbers
View Network Communication Payloads in HEX
tcpdump -nnvvXS #Same as above, but this time prints the packet's payload in HEX
View Detailed Packet Information
tcpdump -nnvvXSs 1514 #Same as above, this time we are specifying a packet length with -s 1514
As you can see, running the above on a busy network will produce loads of network traffic information.
This can be close to impossible to interpret as-is. Tcpdump has a wonderful feature called 'expressions'.
Using tcpdump expressions we can filter out all of the traffic we do not wish to see and view only exactly
what we are looking for.
3 Tcpdump Expressions
Packet direction is specified with a direction qualifier (dir); the available options are src, dst, src or dst, and src and dst. Below are examples of each of these qualifiers in use.

host - Matches traffic based on the specified IP address; this can also be a valid DNS name if the -n option is not specified.
tcpdump host 192.168.1.1

src, dst - Matches traffic from a specific source or to a specific destination.
tcpdump src 192.168.1.2
tcpdump dst 192.168.1.3

net - Matches traffic to or from an entire CIDR range.
tcpdump net 192.168.1.0/24

proto - Matches the type of traffic specified. The proto keyword itself can be omitted; the protocol name alone is enough.
tcpdump tcp
tcpdump udp
tcpdump icmp

port - Matches traffic to or from the specified port. Ports can be given by name or by numeric value.
tcpdump port 22
tcpdump port ssh

src port, dst port - Matches traffic based on the source or destination port.
tcpdump src port 1025
tcpdump dst port 22
4 Tcpdump Advanced Expressions
1. AND - and, &&
2. OR - or, ||
3. EXCEPT - not, !
5 Advanced Expression Usage
Capture TCP traffic to SSH (port 22) from the host 192.168.2.20
tcpdump -nnvvSc 2 tcp and src 192.168.2.20 and dst port ssh
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:17:33.917187 IP (tos 0x0, ttl 128, id 55757, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.2.20.34069 > 192.168.2.51.22: ., cksum 0x9c8f (correct), 541916307:541916307(0) ack 1681034071 win 64535

Capture TCP traffic that is not to SSH (port 22) from the host 192.168.2.20
tcpdump -vv tcp and src 192.168.2.20 and not dst port 22

Capture TCP traffic coming from 192.168.2.0/24 going to 192.168.1.0/24
tcpdump -nvX tcp and src net 192.168.2.0/24 and dst net 192.168.1.0/24

Capture TCP traffic coming from 192.168.2.0/24 going to 192.168.1.0/24 or 192.168.3.0/24
(and binds tighter than or, so the two destination nets must be grouped in parentheses, and the expression quoted so the shell leaves them alone)
tcpdump -nvX 'tcp and src net 192.168.2.0/24 and (dst net 192.168.1.0/24 or dst net 192.168.3.0/24)'

Capture SMTP traffic to a file for later analysis in Wireshark
tcpdump -i ens160 -s 0 -w smtp.pcap port 25
6 TCP flags & expressions
Using tcpdump to capture packets with specific TCP flags set. Remembering all of the TCP flags is quite simple. Here is an easy mnemonic I found online for remembering them.

############################################################
###   Unskilled Attackers Pester Real Security Folks    ###
###      URG       ACK      PSH   RST  SYN      FIN      ###
############################################################

URG:          tcpdump 'tcp[13] & 32 != 0'
ACK:          tcpdump 'tcp[13] & 16 != 0'
PSH:          tcpdump 'tcp[13] & 8 != 0'
RST:          tcpdump 'tcp[13] & 4 != 0'
SYN:          tcpdump 'tcp[13] & 2 != 0'
FIN:          tcpdump 'tcp[13] & 1 != 0'
IPv6:         tcpdump ip6
SYN-ACK:      tcpdump 'tcp[13] = 18'
SYN and RST:  tcpdump 'tcp[13] = 6'
Evil Bit:     tcpdump 'ip[6] & 128 != 0'
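The byte tests above index tcp[13] relative to the start of the TCP header and ip[6] relative to the IP header. The following Python is an added example, not part of the original page, that builds a constructed IPv4/TCP packet and evaluates those same tests, including the difference between 'tcp[13] = 18' (exactly SYN and ACK, nothing else) and a masked test that also matches a SYN-ACK carrying the ECE bit. The addresses, ports and flag combinations are sample values chosen for the demo.

```python
"""Added example, not from the original page: build a constructed IPv4/TCP
packet in pure Python and evaluate the page's tcp[13] and ip[6] byte tests
against it the way tcpdump's filter engine indexes those bytes."""
import struct

# Flag bits as they sit in tcp[13], the 14th byte of the TCP header
FLAGS = {"URG": 32, "ACK": 16, "PSH": 8, "RST": 4, "SYN": 2, "FIN": 1}
ECE = 64  # ECN-Echo, often set together with SYN or SYN-ACK during ECN setup


def build_packet(tcp_flags, ip_flag_bits=0, ip_options=b""):
    """Return an IPv4 header (+ options, length a multiple of 4) followed by a
    20-byte TCP header. Addresses and ports are constructed sample values."""
    ihl = 5 + len(ip_options) // 4
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, ihl * 4 + 20, 0x1234,
                         ip_flag_bits << 13, 64, 6, 0,          # flags sit in the top 3 bits
                         bytes([192, 168, 2, 20]), bytes([192, 168, 2, 51]))
    tcp_hdr = struct.pack("!HHIIBBHHH", 34069, 22, 0, 0, 5 << 4, tcp_flags, 64535, 0, 0)
    return ip_hdr + ip_options + tcp_hdr


def ip_byte(pkt, off):
    """ip[off]: offset counted from the start of the IP header."""
    return pkt[off]


def tcp_byte(pkt, off):
    """tcp[off]: offset counted from the start of the TCP header, which begins
    after IHL*4 bytes of IP header, so IP options shift where tcp[13] lives."""
    return pkt[(pkt[0] & 0x0F) * 4 + off]


def flag_names(pkt):
    """Names of the six mnemonic flags set in tcp[13], in mnemonic order."""
    b = tcp_byte(pkt, 13)
    return [name for name, bit in FLAGS.items() if b & bit]


# The page's expressions, written as predicates over a packet
def is_syn(pkt):            return tcp_byte(pkt, 13) & 2 != 0    # tcp[13] & 2 != 0
def is_syn_ack_exact(pkt):  return tcp_byte(pkt, 13) == 18       # tcp[13] = 18
def is_syn_ack_masked(pkt): return tcp_byte(pkt, 13) & 18 == 18  # tcp[13] & 18 = 18
def is_evil(pkt):           return ip_byte(pkt, 6) & 128 != 0    # ip[6] & 128 != 0
```

The masked form is the one to use when you want every SYN-ACK regardless of ECE/CWR, while the exact form from the page deliberately excludes them.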