
Tcpdump Masterclass

From NetworkCommands




Command Syntax

tcpdump [interface] [parameters] [expression(s)]

Specifying An Interface

-i interface

You do not need to specify the interface if you wish to capture traffic on the lowest numbered, configured interface on the system (often eth0). Loopback interfaces are ignored.

For Linux, use the ifconfig command to display information on interfaces available to the system. tcpdump -D also lists the interfaces tcpdump itself can capture on.

Parameters

Writing To a File

-w filename

Reading From a File

-r filename

Quick Mode

-q - display only the time, source address and port, destination address and port, protocol (tcp/udp), length and whether the DF bit is set. This switch is very good at ensuring all data for a packet is displayed on a single line of output.

Displaying Link Level (Layer II - Data Link) Headers

-e

Displaying Packet Contents - Format

-x - display packet contents in Hex

-X - display packet contents in both Hex and ASCII

Both these options display only the first 68 bytes of each packet by default, unless the -s option is used (see below).

Note: These options are not necessary if you are writing the capture to a file with -w; they only apply when using tcpdump to display packets in real time.

Displaying Packet Contents - How Much?

-s bytes - set the snapshot length: the number of bytes of each packet that tcpdump keeps and displays (default is 68). Anything beyond this length is truncated, so choose a value large enough to hold the headers and payload you need to inspect.

Decrypting/Decoding SSL/TLS

tcpdump can not decrypt or decode SSL/TLS packet data.

To do this, either:

In either case, you will need the SSL/TLS private key.

Expressions

Use expressions to limit or filter what is actually captured. Valid operators include and, or and not.

Single Host

One Way: src 1.1.1.1

One Way: dst 1.1.1.1

Two Way: src or dst 1.1.1.1

Multiple Hosts

One Way: src 1.1.1.1 or 1.1.1.2

One Way: dst 1.1.1.1 or 1.1.1.2

Two Way: src or dst 1.1.1.1 or 1.1.1.2

Single Network

One Way: src net 1.1.1.0/24

One Way: dst net 1.1.1.0/24

Two Way: src or dst net 1.1.1.0/24

Multiple Networks

One Way: src net 1.1.1.0/24 or 2.2.2.0/24

One Way: dst net 1.1.1.0/24 or 2.2.2.0/24

Two Way: src or dst net 1.1.1.0/24 or 2.2.2.0/24

TCP/IP Ports

[src | dst] port port-number - specify a source or destination port; if neither src nor dst is given, the port matches as either the source or the destination port

Packet Size

less length - specify a packet size equal to or less than length in bytes

greater length - specify a packet size equal to or greater than length in bytes

Spanning Tree Protocol

To capture Spanning Tree Protocol (STP) frames only, ignore the tcpdump man page, which suggests ether proto stp, and simply use the expression stp

Address Resolution Protocol

To capture Address Resolution Protocol (ARP) packets only, ignore the tcpdump man page, which suggests ether proto arp, and simply use the expression arp

ICMP

To capture Internet Control Message Protocol (ICMP) packets only, ignore the tcpdump man page, which suggests ether proto icmp, and simply use the expression icmp

UDP

To capture only UDP packets, use the expression udp

TCP

To capture only TCP packets, use the expression tcp

TCP Flags

tcp[13] is the octet of the TCP header to be inspected: byte 13 (counting from 0) holds the flag bits, so each flag is tested by masking that byte with its bit value (URG 32, ACK 16, PSH 8, RST 4, SYN 2, FIN 1).

Show me all URG packets:

tcpdump 'tcp[13] & 32 != 0'

Show me all ACK packets:

tcpdump 'tcp[13] & 16 != 0'

Show me all PSH packets:

tcpdump 'tcp[13] & 8 != 0'

Show me all RST packets:

tcpdump 'tcp[13] & 4 != 0'

Show me all SYN packets:

tcpdump 'tcp[13] & 2 != 0'

Show me all FIN packets:

tcpdump 'tcp[13] & 1 != 0'

Show me all SYN-ACK packets (exactly SYN and ACK set, 2 + 16 = 18):

tcpdump 'tcp[13] = 18'

Understanding Output

. is an ACK

S is a SYN
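The host, net, port and less/greater expressions, the tcp[13] flag masks, and the flag letters above can all be checked offline against a packet built by hand. The following Python is an added example, not part of the original page and not tcpdump's own code: it constructs a minimal IPv4/TCP packet (constructed sample data, not a capture), locates the TCP header through the IPv4 IHL field in the same way BPF resolves tcp[n], and then evaluates the page's expressions against it. The function names (build_packet, parse_packet, flag_filters, flag_string, demo) and the sample addresses are this example's own.

```python
import ipaddress
import struct

# Flag bits in byte 13 of the TCP header; the masks behind 'tcp[13] & N != 0'.
TCP_FLAGS = {"URG": 32, "ACK": 16, "PSH": 8, "RST": 4, "SYN": 2, "FIN": 1}


def build_packet(src, dst, sport, dport, flags, payload=b"", ip_options=b""):
    """Construct a minimal IPv4/TCP packet (no Ethernet header, zero checksums).
    Constructed sample data for this example, not a real capture. IPv4 options
    must be padded to a multiple of 4 bytes because IHL counts 32-bit words."""
    if len(ip_options) % 4:
        raise ValueError("IPv4 options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(ip_options) // 4
    # ports, seq, ack, data offset (5 words), flags, window, checksum, urgent ptr
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    total_len = 4 * ihl + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, total_len, 0, 0x4000, 64, 6, 0,  # DF set, TTL 64, proto TCP
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return ip_hdr + ip_options + tcp_hdr + payload


def parse_packet(pkt):
    """Find the TCP header via the IPv4 IHL field, as BPF does for tcp[n],
    so IP options do not shift the tcp[13] offset. IPv4 only."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not TCP: tcp[13] is only meaningful for TCP packets")
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {
        "src": ipaddress.IPv4Address(pkt[12:16]),
        "dst": ipaddress.IPv4Address(pkt[16:20]),
        "sport": sport,
        "dport": dport,
        "flags": tcp[13],  # the byte the page's tcp[13] expressions inspect
        "len": len(pkt),   # 'less'/'greater' compare the whole captured length
    }


def _either(hits, direction):
    # direction is "src", "dst" or "src or dst", exactly as written in the expressions
    return any(hits[d] for d in direction.split(" or "))


def host(p, addr, direction="src or dst"):
    """'src 1.1.1.1', 'dst 1.1.1.1' or 'src or dst 1.1.1.1'."""
    a = ipaddress.IPv4Address(addr)
    return _either({"src": p["src"] == a, "dst": p["dst"] == a}, direction)


def net(p, cidr, direction="src or dst"):
    """'src net 1.1.1.0/24', 'dst net ...' or 'src or dst net ...'."""
    n = ipaddress.IPv4Network(cidr)
    return _either({"src": p["src"] in n, "dst": p["dst"] in n}, direction)


def port(p, number, direction="src or dst"):
    """'[src | dst] port N'; without a qualifier either side may match."""
    return _either({"src": p["sport"] == number, "dst": p["dport"] == number}, direction)


def less(p, length):
    return p["len"] <= length


def greater(p, length):
    return p["len"] >= length


def flag_filters(p):
    """Names of the page's tcp[13] filters that match this packet."""
    matched = [name for name, mask in TCP_FLAGS.items() if p["flags"] & mask != 0]
    if p["flags"] == 18:  # 'tcp[13] = 18' is an exact match: SYN and ACK, nothing else
        matched.append("SYN-ACK")
    return matched


def flag_string(flags):
    """Flags in tcpdump's output notation: '.' is ACK, 'S' is SYN, so 'S.' is a SYN-ACK."""
    order = [(1, "F"), (2, "S"), (4, "R"), (8, "P"), (16, "."), (32, "U")]
    return "".join(ch for bit, ch in order if flags & bit) or "none"


def demo():
    """Three constructed packets: a SYN, a SYN-ACK carrying IPv4 NOP options, and data."""
    packets = [
        build_packet("10.0.0.10", "1.1.1.1", 40000, 443, TCP_FLAGS["SYN"]),
        build_packet("1.1.1.1", "10.0.0.10", 443, 40000, TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"],
                     ip_options=b"\x01\x01\x01\x01"),  # 4 NOPs: TCP header moves to offset 24
        build_packet("10.0.0.10", "1.1.1.1", 40000, 443, TCP_FLAGS["PSH"] | TCP_FLAGS["ACK"],
                     payload=b"x" * 100),
    ]
    results = []
    for pkt in packets:
        p = parse_packet(pkt)
        results.append({
            "flags": flag_string(p["flags"]),
            "matched": flag_filters(p),
            "src or dst 10.0.0.10": host(p, "10.0.0.10"),
            "dst net 1.1.1.0/24": net(p, "1.1.1.0/24", "dst"),
            "port 443": port(p, 443),
            "less 60": less(p, 60),
        })
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The second constructed packet carries four NOP options in the IPv4 header, which is why parse_packet reads the IHL field rather than assuming the TCP header begins at byte 20: libpcap's BPF code does the same, so 'tcp[13]' keeps pointing at the flags byte when options are present. Note that less and greater in real tcpdump compare against the full captured length including the link-layer header, which these sample packets omit. Modern libpcap also accepts named constants for the same test, for example 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)', which reads more clearly than the numeric masks.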

Examples

tcpdump -i external-interface -X -s 1500 -vv -n src or dst 10.0.0.10 -w capture_file - Would capture packets flowing through the interface named external-interface with a source or destination of 10.0.0.10, keeping the first 1500 bytes of each packet, and would write the captured packets to a file called capture_file (usually found in the user's home directory). Because -w is present, nothing is displayed on screen, so the -X switch has no effect here; see the note under Displaying Packet Contents - Format.

Further Information

The tcpdump/libpcap website: http://www.tcpdump.org/

The Wikipedia entry for tcpdump: http://en.wikipedia.org/wiki/Tcpdump

We really do appreciate all feedback, so please do send your comments, suggestions or corrections to steve#networkstuff.eu (replacing the # with an @)



This page was last modified on 14 December 2008, at 17:39.