What is tcpdump
tcpdump is a most powerful and widely used command-line packets sniffer or package analyzer tool which is used to capture or filter TCP/IP packets that received or transferred over a network on a specific interface. It is available under most of the Linux/Unix based operating systems. tcpdump also gives us an option to save captured packets in a file for future analysis. It saves the file in a pcap format, that can be viewed by tcpdump command or an open source GUI based tool called Wireshark (Network Protocol Analyzer) that reads tcpdump pcap format files.
One of the most common uses of tcpdump is to determine whether you are getting basic two-way communication. Lack of communication could be due to the following:
- Bad routing
- Faulty cables, interfaces of devices in the packet flow
- The server not listening on the port because the software isn’t installed or started
- A network device in the packet path is blocking traffic; common culprits are firewalls, routers with access control lists and even your Linux box running iptables.
tcpdump is the premier network analysis tool for information security professionals. Having a solid grasp of this über-powerful application is mandatory for anyone desiring a thorough understanding of TCP/IP. Many prefer to use higher level analysis tools such as Wireshark, but I believe this to usually be a mistake.
When using a tool that displays network traffic a more natural (raw) way the burden of analysis is placed directly on the human rather than the application. This approach cultivates a continued and elevated understanding of the TCP/IP suite, and for this reason, I strongly advocate using tcpdump instead of other tools whenever possible.
Below are a few options you can use when configuring tcpdump. They’re easy to forget and/or confuse with other types of filters, e.g., Wireshark, so hopefully, this page can serve as a reference for you, as it does me. here are the main ones I like to keep in mind depending on what I’m looking at.
# tcpdump --help tcpdump version 4.1-PRE-CVS_2016_11_02 libpcap version 1.4.0 Usage: tcpdump [-aAdDefhIJKlLnNOpqRStuUvxX] [ -B size ] [ -c count ] [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ] [ -i interface ] [ -j tstamptype ] [ -M secret ] [ -Q|-P in|out|inout ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z command ] [ -Z user ] [ expression ]
-i any : Listen on all interfaces just to see if you’re seeing any traffic.
-D : Show the list of available interfaces
-n : Don’t resolve hostnames.
-nn : Don’t resolve hostnames or port names.
-q : Be less verbose (more quiet) with your output.
-t : Give human-readable timestamp output.
-tttt : Give maximally human-readable timestamp output.
-X : Show the packet’s contents in both hex and ASCII.
-XX : Same as -X, but also shows the ethernet header.
-v, -vv, -vvv : Increase the amount of packet information you get back.
-c : Only get x number of packets and then stop.
-s : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
-S : Print absolute sequence numbers.
-e : Get the ethernet header as well.
-q : Show less protocol information.
-E : Decrypt IPSEC traffic by providing an encryption key.
In tcpdump, Expressions allow you to trim out various types of traffic and find exactly what you’re looking for. Mastering the expressions and learning to combine them creatively is what makes one truly powerful with tcpdump.
There are three main types of expression: type, dir, and proto.
- Type options are: host, net, and port.
- Direction lets you do src, dst, and combinations thereof.
- Proto(col) lets you designate: tcp, udp, icmp, ah, and many more.
How to Install tcpdump in Linux
Many of Linux distributions already shipped with tcpdump tool, if in case you don’t have it on systems, you can install it using following Yum command for RedHat Based linux.
# yum install tcpdump
Once the tcpdump tool is installed on systems, you can continue to browse following commands with their examples.
So, now that we’ve seen what our options are, let’s look at some real-world examples that we’re likely to see in our everyday work.
1. BASIC COMMUNICATION
Just see what’s going on, by looking at all interfaces.
# tcpdump -i any
2. SPECIFIC INTERFACE
Basic view of what’s happening on a particular interface.
# tcpdump -i eth0
3. RAW OUTPUT VIEW
Verbose output, with no resolution of hostnames or port numbers, absolute sequence numbers, and human-readable timestamps.
# tcpdump -ttttnnvvS
4. FIND TRAFFIC BY IP
One of the most common queries, this will show you traffic from 18.104.22.168, whether it’s the source or the destination.
# tcpdump host 22.214.171.124
5. SEEING MORE OF THE PACKET WITH HEX OUTPUT
Hex output is useful when you want to see the content of the packets in question, and it’s often best used when you’re isolating a few candidates for closer scrutiny.
# tcpdump -nnvXSs 0 -c1 icmp
6. FILTERING BY SOURCE AND DESTINATION
It’s quite easy to isolate traffic based on either source or destination using src and dst.
# tcpdump src 126.96.36.199 # tcpdump dst 188.8.131.52
7. FINDING PACKETS BY NETWORK
To find packets going to or from a particular network, use the net option. You can combine this with the src or dst options as well.
# tcpdump net 184.108.40.206/24
8. SHOW TRAFFIC RELATED TO A SPECIFIC PORT
You can find specific port traffic by using the port option followed by the port number.
# tcpdump port 3389 # tcpdump src port 1025
9. SHOW TRAFFIC OF ONE PROTOCOL
If you’re looking for one particular kind of traffic, you can use tcp, udp, icmp, and many others as well.
# tcpdump icmp
10. SHOW ONLY IP6 TRAFFIC
You can also find all IP6 traffic using the protocol option.
# tcpdump ip6
11. FIND TRAFFIC USING PORT RANGES
You can also use a range of ports to find traffic.
# tcpdump portrange 21-23
12. FIND TRAFFIC BASED ON PACKET SIZE
If you’re looking for packets of a particular size you can use these options. You can use less, greater, or their associated symbols that you would expect from mathematics.
# tcpdump less 32 # tcpdump greater 64 # tcpdump <= 12
13. WRITING CAPTURES TO A FILE
It’s often useful to save packet captures into a file for analysis in the future. These files are known as PCAP (PEE-cap) files, and they can be processed by hundreds of different applications, including network analyzers, intrusion detection systems, and of course by tcpdump itself. Here we’re writing to a file called capture_file using the -w switch.
# tcpdump port 80 -w capture_file
14. READING PCAP FILES
You can read PCAP files by using the -r switch. Note that you can use all the regular commands within tcpdump while reading in a file; you’re only limited by the fact that you can’t capture and process what doesn’t exist in the file already.
# tcpdump -r capture_file
Now that we’ve seen what we can do with the basics through some examples, let’s look at some more advanced stuff.
IT’S ALL ABOUT THE COMBINATIONS
Being able to do these various things individually is powerful, but the real magic of tcpdump comes from the ability to combine options in creative ways in order to isolate exactly what you’re looking for. There are three ways to do combinations, and if you’ve studied programming at all they’ll be pretty familiar to you.
AND and or && OR or or || EXCEPT not or !
Here are some examples of combined commands.
1. FROM SPECIFIC IP AND DESTINED FOR A SPECIFIC PORT
Let’s find all traffic from 10.5.2.3 going to any host on port 3389.
# tcpdump -nnvvS src 10.5.2.3 and dst port 3389
2. FROM ONE NETWORK TO ANOTHER
Let’s look for all traffic coming from 192.168.x.x and going to the 10.x or 172.16.x.x networks, and we’re showing hex output with no hostname resolution and one level of extra verbosity.
# tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16
3. NON ICMP TRAFFIC GOING TO A SPECIFIC IP
This will show us all traffic going to 192.168.0.2 that is not ICMP.
# tcpdump dst 192.168.0.2 and src net and not icmp
4. TRAFFIC FROM A HOST THAT ISN’T ON A SPECIFIC PORT
This will show us all traffic from a host that isn’t SSH traffic (assuming default port usage).
# tcpdump -vv src mars and not dst port 22
As you can see, you can build queries to find just about anything you need. The key is to first figure out precisely what you’re looking for and then to build the syntax to isolate that specific type of traffic.
tcpdump is a valuable tool for anyone looking to get into networking or information security. The raw way it interfaces with traffic, combined with the precision it offers in inspecting packets make it the best possible tool for learning TCP/IP. Protocol Analyzers like Wireshark are great, but if you want to truly master packet-fu, you must become one with tcpdump first.
Well, this primer should get you going strong, but the man page should always be handy for the most advanced and one-off usage scenarios. I truly hope this has been useful to you.