Tcpdump Masterclass
From NetworkCommands
This masterclass article provides in-depth technical information on the installation, usage and operation of the classic, very popular tcpdump program, including alternatives, running tcpdump as a background process, building expressions, understanding output and more.
Precautions
tcpdump output can be considerable if the network traffic your expression defines is in heavy use, particularly if you are capturing more than the default snapshot length (68 bytes of each packet in the versions this article describes; recent releases default to 262144 bytes, i.e. whole packets, so what follows is now the normal case rather than the exception).
Capturing packets related to a large file transfer, or to a web server being actively used by hundreds or thousands of clients, will produce an overwhelming amount of output. If writing this output to stdout you will probably be unable to enter commands in your terminal; if writing to a file you may exhaust the host's disk space. In either case tcpdump is also likely to consume a great deal of CPU and memory, and the kernel will discard packets it cannot hand over in time (tcpdump reports these as "packets dropped by kernel" when it exits, so a capture that looks complete may not be).
To avoid these issues:
- Be very careful when specifying expressions and make them as specific as possible
- Don't capture during times of heavy traffic/load
- If you wish to capture entire packet contents, do a test capture with a small snapshot length first (-s 68) and judge from that whether the system will cope with full packet capture
- Where writing to disk, carefully monitor the size of the file and ensure the host has the disk space likely to be required, or use the -c parameter to limit the number of packets captured (or -C size -W count to rotate through a fixed number of files of a fixed size)
- Never use an expression that would capture traffic to or from your remote telnet/SSH terminal session. tcpdump output would generate traffic to your terminal, resulting in further output, resulting in more traffic to your terminal and so on, in an infinite and potentially harmful feedback loop. When working over SSH, append and not port 22 (or, more precisely, and not (host your-client-address and port 22)) to every expression you test
Installation
tcpdump is packaged by every major Linux distribution and the BSDs; install or upgrade it with your platform's package manager, or build it from source from the tcpdump/libpcap website listed under Further Information. Capturing requires root (or, on Linux, the CAP_NET_RAW and CAP_NET_ADMIN capabilities); reading a saved file with -r does not.
Availability
tcpdump is available for Unix-like systems only (Linux, the BSDs, macOS, Solaris, AIX and others). Windows has the equivalents listed below.
Linux Alternatives
For capturing and decoding SSL/TLS packets and data at the CLI, ssldump can be used: http://www.rtfm.com/ssldump/ (it decrypts only when given the server's private key and only for cipher suites using RSA key exchange; see Decrypting/Decoding SSL/TLS below).
The tshark and dumpcap CLI programs which are a part of Wireshark or of course, Wireshark itself.
Windows Equivalents
WinDump has equivalent functionality and runs in a Windows command prompt: http://www.mirrorservice.org/sites/ftp.wiretapped.net/pub/security/packet-capture/winpcap/windump/. WinDump requires WinPcap, which can be obtained here: http://www.winpcap.org/install/default.htm. Command syntax is the same as tcpdump's, but WinDump is built from an older tcpdump version, so a few newer options may be missing; most options and syntax detailed in this article will work. Note that WinDump and WinPcap are no longer maintained: Npcap (https://npcap.com/), the successor to WinPcap, offers a WinPcap API-compatible install mode for older tools, and Wireshark's tshark/dumpcap are the actively maintained choice on Windows.
The tshark and dumpcap command prompt programs which are a part of Wireshark or of course, Wireshark itself.
Usage Syntax
tcpdump [-i interface] [parameter(s)] [expression(s)]
Running tcpdump As A Process (Unattended Captures)
You can use the nohup command and the shell's & background operator to run tcpdump as a background process that will continue running even if the terminal/shell it is launched from is closed. This is very useful for running unattended captures and in situations where, for instance, an SSH shell is terminated after a period of inactivity.
Use the following command syntax:
nohup tcpdump [-i interface] [parameters] -w [dir/]filename [expression(s)] &
Note: Output must be written to a file using the -w option. Add -n (no DNS lookups) and a -c limit so the capture cannot run unbounded, and note the PID nohup reports: stop the capture with kill on that PID (tcpdump flushes and closes the file on SIGTERM or SIGINT) and examine the result with -r.
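The nohup recipe above, as an added example in Python (not the article's own code, and not part of tcpdump): the script assembles the command line with the safety parameters this article recommends and detaches it in a new session, which is what nohup and & achieve. It also derives an exclusion for the SSH session the capture is launched from, using OpenSSH's SSH_CONNECTION environment variable, so the feedback loop described under Precautions cannot occur. The interface, file names and expression used in main() are assumptions for illustration; tcpdump must exist at /usr/sbin/tcpdump and the script must run with capture privileges for the launch itself, while the helper functions work without it.

```python
"""Launch an unattended tcpdump capture from Python, the way `nohup ... &` does.

Added example, not part of the original article or of tcpdump.  Assumes a
Linux host with tcpdump at /usr/sbin/tcpdump and capture privileges; tcpdump
is only started from main(), so build_argv() can be used on its own."""
import os
import shlex
import subprocess
from typing import List, Optional

TCPDUMP = "/usr/sbin/tcpdump"  # path given under "Related Files"


def ssh_session_exclusion(ssh_connection: Optional[str]) -> Optional[str]:
    """Build an expression excluding the SSH session we are working over.

    OpenSSH sets SSH_CONNECTION to "client_ip client_port server_ip server_port".
    Returns None when the variable is absent or malformed (not an SSH session).
    """
    if not ssh_connection:
        return None
    parts = ssh_connection.split()
    if len(parts) != 4:
        return None
    client_ip, client_port, server_ip, server_port = parts
    if not (client_port.isdigit() and server_port.isdigit()):
        return None
    return (f"not (host {client_ip} and port {client_port} "
            f"and host {server_ip} and port {server_port})")


def build_argv(interface: str, outfile: str, expression: str,
               count: int = 100000, snaplen: int = 0,
               ssh_connection: Optional[str] = None) -> List[str]:
    """Assemble the tcpdump command line.

    -n   no DNS lookups (faster, and no leaking of the addresses of interest)
    -c   stop after `count` packets so an unattended run cannot fill the disk
    -s   snapshot length; 0 = whole packets (test with a small value first)
    -w   write a libpcap file rather than printing to a terminal we may lose
    """
    if count <= 0:
        raise ValueError("count must be positive; an unattended capture needs a limit")
    filt = expression.strip()
    exclusion = ssh_session_exclusion(ssh_connection)
    if exclusion:
        filt = f"({filt}) and {exclusion}" if filt else exclusion
    argv = [TCPDUMP, "-i", interface, "-n", "-c", str(count),
            "-s", str(snaplen), "-w", outfile]
    if filt:
        argv.append(filt)   # one argv element; tcpdump tokenises it itself
    return argv


def launch_detached(argv: List[str], logfile: str) -> int:
    """Start tcpdump in its own session so closing the shell cannot kill it.

    start_new_session=True is the setsid() equivalent of `nohup ... &`: the
    child has no controlling terminal, so the SIGHUP sent on logout never
    reaches it.  stdout/stderr go to a log file, never to the terminal.
    Returns the child's PID (note it somewhere; you will need it for kill).
    """
    with open(logfile, "ab") as log:
        proc = subprocess.Popen(argv, stdin=subprocess.DEVNULL,
                                stdout=log, stderr=subprocess.STDOUT,
                                start_new_session=True)
    return proc.pid


if __name__ == "__main__":
    # Illustrative values (assumptions): DNS traffic on eth0, 5000 packets.
    cmd = build_argv("eth0", "/var/tmp/dns.pcap", "udp and port 53",
                     count=5000, ssh_connection=os.environ.get("SSH_CONNECTION"))
    print("launching:", " ".join(shlex.quote(a) for a in cmd))
    print("pid", launch_detached(cmd, "/var/tmp/dns.log"))
```

The exclusion is built from both endpoints and both ports, so only the one SSH session is filtered out and other SSH traffic on the host is still captured; a plain not port 22 would hide it all.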
Specifying An Interface
-i interface
You do not need to specify the interface if you wish to capture traffic on the lowest numbered, configured interface on the system (often eth0); loopback interfaces are skipped when this default is chosen. Use tcpdump -D to list the interfaces tcpdump can open, together with the numbers it accepts in place of a name.
For Linux, use the ifconfig command to display information on interfaces available to the system, but note this command truncates long interface names. Alternatively, use the ip link command, which displays names in full.
On Linux systems with kernel 2.2 or later an interface argument of any is supported. This captures packets from all interfaces, but not in promiscuous mode, and uses the Linux "cooked" (SLL) pseudo link-layer header instead of Ethernet, so -e output and link-level filters such as ether host differ from a single-interface capture.
Parameters
Writing To a File
-w [dir/]file_name
Warning: Writing to a file you may exhaust the host's disk space if a great deal of traffic is being captured. To avoid this issue ensure you do one of the following:
- Test your capture first, without saving to a file, and ensure your expression(s) are specific enough that an excessive amount of traffic is not being captured
- Monitor the size of the specified file
- Use the -c parameter to restrict the capture to a specific number of packets, as detailed in the next section
- Use -C size -W count (size in millions of bytes) to rotate through a fixed number of files of bounded size, or -G seconds -W count to rotate on time; with -G the file name accepts strftime format specifiers, for example capture-%Y%m%d-%H%M%S.pcap
Notes:
- The file format used is libpcap (the classic pcap format, not the pcapng that Wireshark's dumpcap writes); tcpdump -r, Wireshark and tshark all read it
- Packets are written raw, exactly as captured, whatever -x/-X or -v is in effect; those options only change what is displayed. -w - writes to stdout so the capture can be piped, for example over SSH to a workstation running Wireshark
- If you specify the name of an existing file it will be overwritten without warning!
- If two or more instances of tcpdump write to the same output file they will overwrite each other's data and the file will be unreadable; give each instance its own file
Restricting The Number Of Packets Captured
-c count
This option stops tcpdump after count packets matching the expression have been captured. Using this option is particularly sensible to avoid issues when:
- You expect a great deal of output (and may be unable to stop the capture)
- You are writing the capture to a file and want to be sure you do not exhaust the host's disk space
- You are running an unattended capture
Reading From a File
-r [dir/]file_name
This option will display the entire contents of the file, without pause, so you may want to pipe the output to more or less to browse it in an orderly way. Expressions work when reading as well, so you can extract a subset (tcpdump -n -r capture.pcap 'tcp port 443'), and -w can be combined with -r to save that subset to a new file. Reading a file needs no special privileges, so do it as an unprivileged user, particularly for captures from untrusted sources: parsing a file exercises tcpdump's protocol decoders, which have had memory-safety bugs in the past.
Quick Mode
-q - quick (quiet) output: display only time, source address and port, destination address and port, protocol (tcp/udp), payload (not packet) length and, in the older output format shown here, whether the DF bit is set. This parameter is very good at ensuring all data for a packet displays on a single line of output.
14:04:10.381763 10.68.5.122.10050 > 10.68.5.9.49702: tcp 0 (DF)
Without -q:
14:04:17.370776 10.68.5.122.10050 > 10.68.5.9.49761: S 3293224573:3293224573(0) ack 1427800123 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
Verbose Mode
-v - verbose: include the TTL, IP identification, total length and IP options, and verify the IP and ICMP header checksums (a bad checksum is flagged in the output)
14:05:04.395870 10.68.5.122.10050 > 10.68.5.9.50187: P 1449:1700(251) ack 23 win 65513 <nop,nop,timestamp 5953631 522357663> (DF) (ttl 128, id 7979, len 303)
-vv, -vvv - progressively more verbose: -vv prints additional fields from, for example, NFS reply packets and fully decodes SMB; -vvv additionally prints telnet SE and SB options in full
Capturing Link Level (Layer 2 - Data Link) Headers
-e
This option will display link level information not displayed by default. Below are two example captures, the first without this option specified, the second with:
- tcpdump -i vlan2 host 10.68.5.9 and icmp
12:39:08.589829 10.68.5.9 > 10.68.5.121: icmp: echo request (DF)
12:39:08.590352 10.68.5.121 > 10.68.5.9: icmp: echo reply (DF)
- tcpdump -i vlan2 -e host 10.68.5.9 and icmp
12:38:53.660102 0:1:d7:57:3:c8 0:21:5a:45:57:42 ip 54: 10.68.5.9 > 10.68.5.121: icmp: echo request (DF)
12:38:53.660629 0:21:5a:45:57:42 0:1:d7:57:3:c8 ip 60: 10.68.5.121 > 10.68.5.9: icmp: echo reply (DF)
Note the additional source and destination MAC addresses, layer 3 protocol (ip) and frame length displayed. The request is 54 bytes (14-byte Ethernet header plus a 40-byte IP packet); the reply is 60 because it was padded to the Ethernet minimum frame size, which is also why the echo reply in the hex dumps below ends in six zero bytes. -e is the option to reach for when working out which gateway or switch neighbour a packet came through, and for spotting frames whose source MAC does not match the host that claims the IP address.
Capturing Packet Contents - Format
-x - display packet contents in hex
-X - display packet contents in both hex and ASCII
Below are two example captures, the first with -x specified, the second with -X:
- tcpdump -i vlan28 -x host 10.68.5.9 and icmp
12:52:03.577960 10.68.5.9 10.68.5: icmp: echo request (DF)
4500 0028 0000 4000 4001 4902 c0a8 3809
c0a8 3879 0800 7f87 effd ed06 4001 c71f
c0a8 3828 7078 2b09
12:52:03.578493 10.68.5.121 > 10.68.5.9: icmp: echo reply (DF)
4500 0028 42db 4000 8001 c626 c0a8 3879
c0a8 3809 0000 8787 effd ed06 4001 c71f
c0a8 3828 7078 2b09 0000 0000 0000
- tcpdump -i vlan28 -X host 10.68.5.9 and icmp
12:52:13.577833 10.68.5.9 > 10.68.5.121: icmp: echo request (DF)
0x0000   4500 0028 0000 4000 4001 4902 c0a8 3809        E..(..@.@.I...8.
0x0010   c0a8 3879 0800 3683 3904 ed06 4001 c71d        ..8y..6.9...@...
0x0020   c0a8 3828 7078 2b09                            ..8(px+.
12:52:13.578348 10.68.5.121 > 10.68.5.9: icmp: echo reply (DF)
0x0000   4500 0028 44bb 4000 8001 c446 c0a8 3879        E..(D.@....F..8y
0x0010   c0a8 3809 0000 3e83 3904 ed06 4001 c71d        ..8....9...@...
0x0020   c0a8 3828 7078 2b09 0000 0000 0000             ..8(px+.......
Both these options display only as many bytes of each packet as were captured, i.e. the snapshot length: 68 bytes by default in the tcpdump versions this article describes (newer releases capture whole packets by default). Use the -s option, described next, to change it. The dumps shown start at the IP header (4500 is version 4, header length 20); newer versions offer -xx/-XX to include the link-level header as well.
Note: These options only affect what tcpdump displays, whether live or when reading a capture with -r; with -w the complete captured bytes are always written to the file regardless.
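Decoding such a dump by hand is the quickest way to learn what the bytes mean, and it is also how you check a dump whose summary line you do not trust. The following is an added example (Python, not the article's or tcpdump's own code) that parses the echo request hex from the -x output above, decodes the IPv4 header, confirms the DF flag, verifies the IP header checksum and identifies the ICMP type. Note that the addresses encoded in those bytes (192.168.56.x) differ from the 10.68.5.x shown in the summary line, which suggests the dump was sanitised before publication; the decoder reports what the bytes say, which is the point of doing this.

```python
"""Decode a `tcpdump -x` hex dump by hand: IPv4 header, DF flag, header
checksum and the ICMP type/code that follows.

Added example, not from the original article.  SAMPLE_HEX is the echo
request printed under "Capturing Packet Contents - Format"; the addresses
inside those bytes are 192.168.56.x rather than the 10.68.5.x of the summary
line, so the dump was evidently sanitised."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# Hex lines copied from the article's `tcpdump -x` output (echo request).
SAMPLE_HEX = """
4500 0028 0000 4000 4001 4902 c0a8 3809
c0a8 3879 0800 7f87 effd ed06 4001 c71f
c0a8 3828 7078 2b09
"""

ICMP_TYPES = {0: "echo reply", 3: "destination unreachable",
              8: "echo request", 11: "time exceeded"}


def is_hex_group(s: str) -> bool:
    return len(s) in (2, 4) and all(c in "0123456789abcdefABCDEF" for c in s)


def hexdump_to_bytes(text: str) -> bytes:
    """Turn the hex groups printed by -x (and -X, whose lines start with an
    0x offset and end with an ASCII column) back into raw bytes.  For -X the
    ASCII column is detected as the first non-hex token, which is a heuristic."""
    out = bytearray()
    for line in text.strip().splitlines():
        fields = line.split()
        offset_style = bool(fields) and fields[0].startswith("0x")
        if offset_style:
            fields = fields[1:]
        for group in fields:
            if is_hex_group(group):
                out += bytes.fromhex(group)
            elif offset_style:
                break                      # reached the ASCII column
            else:
                raise ValueError(f"not a hex group: {group!r}")
    return bytes(out)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum; over a whole header it returns 0 if valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class IPv4Header:
    ihl: int
    total_length: int
    ident: int
    df: bool
    mf: bool
    ttl: int
    protocol: int
    checksum: int
    checksum_ok: bool
    src: str
    dst: str


def parse_ipv4(pkt: bytes) -> IPv4Header:
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    (_, _, tot, ident, frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return IPv4Header(
        ihl=ihl, total_length=tot, ident=ident,
        df=bool(frag & 0x4000), mf=bool(frag & 0x2000),   # bit 14 = DF, bit 13 = MF
        ttl=ttl, protocol=proto, checksum=csum,
        checksum_ok=(inet_checksum(pkt[:ihl]) == 0),
        src=str(IPv4Address(src)), dst=str(IPv4Address(dst)))


def describe(pkt: bytes) -> str:
    """One-line summary in the spirit of tcpdump's own, plus the checksum verdict."""
    ip = parse_ipv4(pkt)
    flags = " (DF)" if ip.df else ""
    if ip.protocol == 1 and len(pkt) >= ip.ihl + 4:       # 1 = ICMP
        t, c = pkt[ip.ihl], pkt[ip.ihl + 1]
        what = f"icmp: {ICMP_TYPES.get(t, f'type {t}')} (code {c})"
    else:
        what = f"ip proto {ip.protocol}"
    ok = "ok" if ip.checksum_ok else "BAD"
    return f"{ip.src} > {ip.dst}: {what}{flags} ttl {ip.ttl} len {ip.total_length} [ip cksum {ok}]"


if __name__ == "__main__":
    print(describe(hexdump_to_bytes(SAMPLE_HEX)))
```

The checksum verification is the same check tcpdump performs with -v; doing it yourself is useful when a capture has been edited or when offload on the capturing NIC leaves outgoing checksums unfilled (those show as bad in the dump even though the wire copy was fine).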
Capturing Packet Contents - How Much?
-s bytes - capture the specified number of bytes of each packet (the snapshot length; the default was 68 bytes in the versions this article describes, enough for the IP and TCP/UDP headers but not the payload, and is 262144 bytes in current releases).
Note: Use -s 0 to capture the entirety of every packet regardless of size (in current releases 0 selects the default maximum). Packets longer than the snapshot length are recorded truncated: a file written with a small -s shows "truncated" payloads in Wireshark and cannot be used for full stream reassembly, so decide on the snapshot length before a capture you may need as evidence.
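What -s changes is visible in the file -w writes: every libpcap record stores both the number of bytes captured and the packet's original length. The following added example (Python, not code from the article or from libpcap) writes constructed frames in the classic pcap format at a chosen snapshot length, reads them back and reports which were truncated, which is the check to run before relying on a capture for payload analysis. The frames are filler bytes rather than real protocol headers, and the file goes to a temporary directory.

```python
"""Write and read libpcap files to show what the snapshot length (-s) does.

Added example, not from the article or from libpcap: a minimal reader and
writer for the classic pcap format that `tcpdump -w` produces.  The frames
are constructed filler bytes, not captured traffic."""
import os
import struct
import tempfile
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4          # microsecond timestamps, writer's byte order
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # same file as seen from the other byte order
LINKTYPE_ETHERNET = 1            # DLT_EN10MB, what a normal -i eth0 capture uses

Frame = Tuple[int, int, bytes]              # (seconds, microseconds, raw frame)
Record = Tuple[int, int, int, int, bytes]   # (sec, usec, incl_len, orig_len, data)


def write_pcap(path: str, frames: List[Frame], snaplen: int) -> None:
    """Write frames like tcpdump -w -s snaplen: bytes beyond snaplen are
    dropped, but orig_len in each record header still records the full size."""
    with open(path, "wb") as fh:
        # global header: magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype
        fh.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                             snaplen, LINKTYPE_ETHERNET))
        for sec, usec, frame in frames:
            data = frame[:snaplen]
            fh.write(struct.pack("<IIII", sec, usec, len(data), len(frame)))
            fh.write(data)


def read_pcap(path: str) -> Tuple[int, int, List[Record]]:
    """Return (snaplen, linktype, records), handling either byte order and
    refusing anything that is not classic pcap (pcapng has a different magic)."""
    with open(path, "rb") as fh:
        header = fh.read(24)
        if len(header) < 24:
            raise ValueError("file too short to be a pcap file")
        magic = struct.unpack("<I", header[:4])[0]
        if magic == PCAP_MAGIC:
            end = "<"
        elif magic == PCAP_MAGIC_SWAPPED:
            end = ">"
        else:
            raise ValueError(f"unknown magic {magic:#010x}: not a classic pcap file")
        _major, _minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(end + "HHiIII", header[4:])
        records: List[Record] = []
        while True:
            rec_hdr = fh.read(16)
            if not rec_hdr:
                break
            if len(rec_hdr) < 16:
                raise ValueError("truncated record header (capture interrupted?)")
            sec, usec, incl_len, orig_len = struct.unpack(end + "IIII", rec_hdr)
            if incl_len > snaplen or incl_len > orig_len:
                raise ValueError("corrupt record: incl_len inconsistent with snaplen/orig_len")
            data = fh.read(incl_len)
            if len(data) < incl_len:
                raise ValueError("truncated packet data (capture interrupted?)")
            records.append((sec, usec, incl_len, orig_len, data))
    return snaplen, linktype, records


def truncated_records(records: List[Record]) -> List[int]:
    """Indices of packets that were cut short by the snapshot length."""
    return [i for i, (_, _, incl, orig, _) in enumerate(records) if incl < orig]


def sample_frames() -> List[Frame]:
    """Two constructed Ethernet-sized frames: a 60-byte minimum frame and a
    1514-byte full-MTU frame (filler bytes only, not real headers)."""
    small = bytes(60)
    big = bytes(range(256)) * 5 + bytes(234)   # 1280 + 234 = 1514 bytes
    return [(1_700_000_000, 381763, small), (1_700_000_000, 382001, big)]


def roundtrip(snaplen: int) -> dict:
    """Write the sample frames at snaplen, read them back and summarise."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.pcap")
        write_pcap(path, sample_frames(), snaplen)
        snap, linktype, records = read_pcap(path)
    return {"snaplen": snap, "linktype": linktype,
            "captured": [r[2] for r in records],
            "original": [r[3] for r in records],
            "truncated": truncated_records(records)}


if __name__ == "__main__":
    for s in (68, 262144):
        print(f"-s {s}: {roundtrip(s)}")
```

With -s 68 the 1514-byte frame is stored as 68 bytes with orig_len 1514, which is exactly what Wireshark reports as "Packet size limited during capture"; the reader also refuses pcapng and half-written records rather than silently returning partial data.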
Disabling DNS Lookups
-n - do not resolve IP addresses to host names; -nn additionally leaves port and protocol numbers unresolved. Use it as a matter of course: reverse lookups slow tcpdump down (and stall output when the resolver is unreachable), and they leak the addresses you are investigating to whatever DNS server the host uses, which matters when the traffic belongs to a suspected attacker.
Expressions
Use expressions to limit or filter what is actually captured. tcpdump compiles them into a BPF program that the kernel applies before copying packets to user space, so a specific expression also reduces load and kernel drops. Valid operators are and (&&), or (||) and not (!), with parentheses for grouping; quote the whole expression in single quotes so the shell does not interpret the parentheses, ! or square brackets.
Single Host
One Way: src 1.1.1.1 - capture traffic from the specified source only
One Way: dst 1.1.1.1 - capture traffic to the specified destination only
Two Way: host 1.1.1.1 - capture traffic destined to Uand/U sourced from the specified host only
Multiple Hosts
One Way: src 1.1.1.1 or 1.1.1.2 - capture traffic from the specified sources only
One Way: dst 1.1.1.1 or 1.1.1.2 - capture traffic to Ueither/U of the specified destinations only
Two Way: host 1.1.1.1 or host 1.1.1.2 - capture traffic destined to Uand/U sourced from Ueither/U of the specified hosts only
Two Way: host 1.1.1.1 and host 1.1.1.2 - capture traffic Ubetween/U the specified two hosts only
Single Network
One Way: src net 1.1.1.0/24
One Way: dst net 1.1.1.0/24
Two Way: net 1.1.1.0/24 (src or dst is assumed when neither is given, so src or dst net 1.1.1.0/24 is equivalent)
Multiple Networks
One Way: src net 1.1.1.0/24 or 2.2.2.0/24
One Way: dst net 1.1.1.0/24 or 2.2.2.0/24
Two Way: net 1.1.1.0/24 or net 2.2.2.0/24
Specific UDP or TCP Port(s)
[udp | tcp] [src | dst] port port-number - specify a protocol, source or destination, and a port number (or a service name from /etc/services, such as port domain):
- If udp or tcp is not specified, traffic will be captured if the port is used with either UDP or TCP
- If src or dst is not specified, traffic will be captured if the specified port is used as either a source or destination
- Use portrange low-high (with the same optional qualifiers) to match a range of ports, for example tcp dst portrange 1-1024
UDP Only Packets
To capture only UDP packets, use the expression udp, usually combined with other primitives, for example udp and port 53 for DNS, or udp and not port 53 to see what else is talking over UDP.
TCP Only Packets
To capture only TCP packets, use the expression tcp, for example tcp and port 443, or tcp and host 10.68.5.9 and not port 22 when watching a host over SSH.
Packet Size
less length - match packets whose length is less than or equal to length bytes (equivalent to len <= length)
greater length - match packets whose length is greater than or equal to length bytes (equivalent to len >= length); greater 1000 is a quick way to pick out bulk data transfer from a busy link
Spanning Tree Protocol
To capture Spanning Tree Protocol (STP) frames only, use the expression stp. This is the abbreviation for the man page's ether proto \stp: stp is also a keyword, so in the long form it must be escaped with a backslash (and the backslash itself protected from the shell), which is why the short form is simpler. To exclude STP frames, use not stp.
Address Resolution Protocol
To capture Address Resolution Protocol (ARP) packets only, use the expression arp, the abbreviation for ether proto \arp (same escaping caveat). To exclude ARP packets, use not arp. arp or icmp is a useful first expression when a host on the local segment is unreachable.
ICMP
To capture Internet Control Message Protocol (ICMP) packets only, use the expression icmp, the abbreviation for ip proto \icmp (ICMP is carried inside IP, so ether proto does not apply). To exclude ICMP packets, use not icmp. Note that icmp does not match ICMPv6; use icmp6 for that.
TCP Flags
tcp[13] selects the byte at offset 13 of the TCP header, the flags byte, and & masks out the bit being tested (the & characters are easy to lose when copying these expressions; without them the expression will not parse). Bit values: CWR 128, ECE 64, URG 32, ACK 16, PSH 8, RST 4, SYN 2, FIN 1. Newer versions also accept tcp[tcpflags] for the offset and the names tcp-urg, tcp-ack, tcp-push, tcp-rst, tcp-syn and tcp-fin for the values, so 'tcp[tcpflags] & tcp-syn != 0' is equivalent to the SYN filter below. Quote the expression so the shell does not treat the square brackets as a glob.
Show me all URG packets:
- tcpdump 'tcp[13] & 32 != 0'
Show me all ACK packets:
- tcpdump 'tcp[13] & 16 != 0'
Show me all PSH packets:
- tcpdump 'tcp[13] & 8 != 0'
Show me all RST packets:
- tcpdump 'tcp[13] & 4 != 0'
Show me all SYN packets (including SYN-ACKs):
- tcpdump 'tcp[13] & 2 != 0'
Show me all FIN packets:
- tcpdump 'tcp[13] & 1 != 0'
Show me all SYN-ACK packets:
- tcpdump 'tcp[13] = 18'
The exact comparison misses a SYN-ACK from an ECN-capable host, which also sets ECE (tcp[13] = 82). 'tcp[13] & 18 = 18' matches SYN-ACK whatever the other bits are, and 'tcp[13] & 18 = 2' isolates the initial SYN of each connection attempt, which is what you want when looking for port scans or SYN floods.
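To see why the masking matters, the following added example (Python, not from the article or from tcpdump) builds TCP headers with chosen flags and evaluates this section's filters against them, plus two masked forms a practitioner usually wants instead of the exact comparison: tcp[13] & 18 = 18 (SYN-ACK regardless of other bits) and tcp[13] & 18 = 2 (initial SYN only). Header fields other than the flags are arbitrary constants.

```python
"""Evaluate tcp[13] flag filters against constructed TCP headers.

Added example, not from the article or from tcpdump: the byte-offset test is
re-implemented in Python so the arithmetic can be checked.  Header fields
other than the flags are arbitrary constants."""
import struct
from typing import Dict, List

# Bit values of the TCP flags byte, tcp[13] (tcp[tcpflags] in newer tcpdump).
CWR, ECE, URG, ACK, PSH, RST, SYN, FIN = 128, 64, 32, 16, 8, 4, 2, 1


def tcp_header(flags: int, sport: int = 40000, dport: int = 443,
               seq: int = 1, ack: int = 0, window: int = 65535) -> bytes:
    """Minimal 20-byte TCP header with no options; checksum left at 0."""
    data_offset_and_flags = (5 << 12) | (flags & 0xFF)   # 5 words, reserved bits 0
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       data_offset_and_flags, window, 0, 0)


def tcp13(header: bytes) -> int:
    """What the filter expression tcp[13] reads: byte 13 of the TCP header."""
    return header[13]


# The article's filters plus the two masked forms, as (expression, predicate).
FILTERS: Dict[str, tuple] = {
    "URG":           ("tcp[13] & 32 != 0", lambda f: (f & URG) != 0),
    "ACK":           ("tcp[13] & 16 != 0", lambda f: (f & ACK) != 0),
    "PSH":           ("tcp[13] & 8 != 0",  lambda f: (f & PSH) != 0),
    "RST":           ("tcp[13] & 4 != 0",  lambda f: (f & RST) != 0),
    "SYN":           ("tcp[13] & 2 != 0",  lambda f: (f & SYN) != 0),
    "FIN":           ("tcp[13] & 1 != 0",  lambda f: (f & FIN) != 0),
    "SYN-ACK exact": ("tcp[13] = 18",      lambda f: f == (SYN | ACK)),
    # Masked forms: robust against extra bits such as ECE on an ECN-capable SYN-ACK.
    "SYN-ACK":       ("tcp[13] & 18 = 18", lambda f: (f & (SYN | ACK)) == (SYN | ACK)),
    "SYN only":      ("tcp[13] & 18 = 2",  lambda f: (f & (SYN | ACK)) == SYN),
}


def matching_filters(header: bytes) -> List[str]:
    """Names of the filters that would pass this segment."""
    f = tcp13(header)
    return [name for name, (_, pred) in FILTERS.items() if pred(f)]


def flag_string(flags: int) -> str:
    """Flags as current tcpdump prints them: letters low bit first, '.' for ACK,
    'none' when nothing is set.  The older format in this article prints the
    same letters but shows ACK as a separate 'ack' field instead of '.'."""
    letters = [(FIN, "F"), (SYN, "S"), (RST, "R"), (PSH, "P"), (ACK, "."),
               (URG, "U"), (ECE, "E"), (CWR, "W")]
    return "".join(ch for bit, ch in letters if flags & bit) or "none"


# Constructed segments covering the cases that separate the filters.
SAMPLES = {
    "client SYN":       SYN,
    "server SYN-ACK":   SYN | ACK,
    "SYN-ACK with ECN": SYN | ACK | ECE,   # ECN-capable server: tcp[13] = 82
    "pure ACK":         ACK,
    "data push":        PSH | ACK,
    "reset":            RST | ACK,
}


def report() -> Dict[str, List[str]]:
    """Map each sample segment to the names of the filters that match it."""
    return {name: matching_filters(tcp_header(flags)) for name, flags in SAMPLES.items()}


if __name__ == "__main__":
    for name, matched in report().items():
        print(f"{name:18s} tcp[13]={tcp13(tcp_header(SAMPLES[name])):3d} "
              f"[{flag_string(SAMPLES[name])}]  matches: {', '.join(matched)}")
```

The output shows "SYN-ACK with ECN" passing the masked SYN-ACK filter but not the exact one, and "client SYN" being the only sample that passes SYN only, which is the filter to use when counting connection attempts per source.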
Understanding Output
In the TCP flags field of each line (the letter after the addresses in the older format shown in this article, or Flags [...] in newer versions):
. is an ACK only, i.e. none of the other flags is set
S is a SYN
F is a FIN, P a PUSH, R a RST and U an URG; W and E are the ECN CWR and ECN-Echo flags
A SYN-ACK appears as S followed by an ack field in the older format, or as S. in newer versions. The numbers after the flags are the sequence range and payload length (first:last(bytes)), then ack, the advertised window (win) and any TCP options in angle brackets.
Decrypting/Decoding SSL/TLS
tcpdump can capture but not decrypt or decode SSL/TLS packet data.
To do this, either:
- Use a real-time tool such as ssldump (available at: http://www.rtfm.com/ssldump/)
- Write your capture to a file and use a tool such as Wireshark (available at: http://www.wireshark.org) to decode the packet data instead. See the Using Wireshark to Decrypt SSL/TLS Packet Data article for information on how to do this.
In either case you will need the server's SSL/TLS private key, and the key only helps when the session used RSA key exchange. Cipher suites with forward secrecy ((EC)DHE key exchange, standard in modern TLS 1.2 deployments and mandatory in TLS 1.3) derive session keys that the server's private key cannot recover; for those you need the per-session secrets, for example a key log written by the client or server via the SSLKEYLOGFILE mechanism, loaded into Wireshark. A full-packet capture (-s 0) of TLS traffic is therefore as sensitive as the keys held alongside it; protect the capture file accordingly.
Related Files
The tcpdump executable is normally found here: /usr/sbin/tcpdump
Further Information
The tcpdump/libpcap website: http://www.tcpdump.org/
The Wikipedia entry for tcpdump: http://en.wikipedia.org/wiki/Tcpdump