Tcpdump Masterclass
From NetworkCommands
Command Syntax
tcpdump [interface] [parameters] [expression(s)]
Specifying An Interface
-i interface
You do not need to specify the interface if you wish to capture traffic on the lowest-numbered configured interface on the system (often eth0). Loopback interfaces are ignored.
On Linux, use the ifconfig command to display information on the interfaces available to the system.
Parameters
Writing To a File
-w filename
Reading From a File
-r filename
Quick Mode
-q - display only the time, source address and port, destination address and port, protocol (tcp/udp), length and whether the DF bit is set. This switch is very good at ensuring all data for a packet displays on a single line of output.
Displaying Link Level (Layer II - Data Link) Headers
-e
Displaying Packet Contents - Format
-x - display packet contents in Hex
-X - display packet contents in both Hex and ASCII
Both these options display only the first 68 bytes of each packet by default unless the -s option is used (see below).
Note: These options are not necessary if you are writing the capture to a file; they only apply when using tcpdump to display packets in real time.
Displaying Packet Contents - How Much?
-s bytes - capture and display the specified number of bytes of each packet (default is 68)
Decrypting/Decoding SSL/TLS
tcpdump can not decrypt or decode SSL/TLS packet data.
To do this, either:
- Use a real-time tool such as ssldump (available at: http://www.rtfm.com/ssldump/)
- Save your capture to a file and use a tool such as Wireshark (available at: http://www.wireshark.org) to decode the packet data instead. See the Using Wireshark to Decrypt SSL/TLS Packet Data article for information on how to do this.
In either case, you will need the SSL/TLS private key.
Expressions
Use expressions to limit or filter what is actually captured. Valid operators include and, or and not.
Single Host
One Way: src 1.1.1.1
One Way: dst 1.1.1.1
Two Way: src or dst 1.1.1.1
Multiple Hosts
One Way: src 1.1.1.1 or 1.1.1.2
One Way: dst 1.1.1.1 or 1.1.1.2
Two Way: src or dst 1.1.1.1 or 1.1.1.2
Single Network
One Way: src net 1.1.1.0/24
One Way: dst net 1.1.1.0/24
Two Way: src or dst net 1.1.1.0/24
Multiple Networks
One Way: src net 1.1.1.0/24 or 2.2.2.0/24
One Way: dst net 1.1.1.0/24 or 2.2.2.0/24
Two Way: src or dst net 1.1.1.0/24 or 2.2.2.0/24
TCP/IP Ports
[src | dst] port port-number - specify a source or destination port; if neither src nor dst is specified, the port can be either
Packet Size
less length - specify a packet size equal to or less than length in bytes
greater length - specify a packet size equal to or greater than length in bytes
Spanning Tree Protocol
To capture Spanning Tree Protocol (STP) frames only, ignore the tcpdump man page, which suggests ether proto stp; simply use the expression stp
Address Resolution Protocol
To capture Address Resolution Protocol (ARP) packets only, ignore the tcpdump man page, which suggests ether proto arp; simply use the expression arp
ICMP
To capture Internet Control Message Protocol (ICMP) frames only, ignore the tcpdump man page, which suggests ether proto icmp; simply use the expression icmp
UDP
To capture only UDP packets, use the expression udp
TCP
To capture only TCP packets, use the expression tcp
TCP Flags
tcp[13] refers to octet 13 (counting from zero) of the TCP header, which is the octet holding the flag bits; the masks below select individual flags from it.
Show me all URG packets:
- tcpdump 'tcp[13] & 32 != 0'
Show me all ACK packets:
- tcpdump 'tcp[13] & 16 != 0'
Show me all PSH packets:
- tcpdump 'tcp[13] & 8 != 0'
Show me all RST packets:
- tcpdump 'tcp[13] & 4 != 0'
Show me all SYN packets:
- tcpdump 'tcp[13] & 2 != 0'
Show me all FIN packets:
- tcpdump 'tcp[13] & 1 != 0'
Show me all SYN-ACK packets:
- tcpdump 'tcp[13] = 18'
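To show what the tcp[13] expressions above actually test, here is an added Python example (not from the original page) that builds constructed IPv4/TCP packets and evaluates the page's filters against the flags octet. It also shows why the exact match tcp[13] = 18 misses a SYN-ACK that carries the ECE bit, whereas tcp[13] & 18 = 18 still matches.

```python
import re
import struct

# Bit values of the TCP flags octet (tcp[13]); these are the masks the expressions above use.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 1, 2, 4, 8, 16, 32, 64, 128

# The seven filter expressions from the page, keyed by the flag they select.
FILTERS = {
    "URG": "tcp[13] & 32 != 0", "ACK": "tcp[13] & 16 != 0", "PSH": "tcp[13] & 8 != 0",
    "RST": "tcp[13] & 4 != 0", "SYN": "tcp[13] & 2 != 0", "FIN": "tcp[13] & 1 != 0",
    "SYN-ACK": "tcp[13] = 18",
}

# Supported shape: tcp[N] [& MASK] (= | !=) VALUE   (a small subset of pcap-filter syntax)
FILTER_RE = re.compile(r"tcp\[(\d+)\](?:\s*&\s*(\d+))?\s*(!=|=)\s*(\d+)")


def build_packet(flags, ihl_words=5):
    """Constructed sample IPv4+TCP packet (not a real capture).
    ihl_words is the IPv4 header length in 32-bit words; 6 adds 4 bytes of dummy options."""
    ip_len = ihl_words * 4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, ip_len + 20, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 10]), bytes([10, 0, 0, 20]))
    ip_hdr += b"\x00" * (ip_len - 20)
    # ports, seq, ack, data offset (5 words), flags octet, window, checksum, urgent pointer
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def tcp_byte(pkt, offset):
    """tcp[offset]: tcpdump counts from the start of the TCP header, which sits
    after the IPv4 header, whose length comes from the IHL field (in 32-bit words)."""
    ihl_bytes = (pkt[0] & 0x0F) * 4
    return pkt[ihl_bytes + offset]


def matches(pkt, expr):
    """Evaluate one tcp[N] filter expression against a packet."""
    m = FILTER_RE.fullmatch(expr.strip())
    if not m:
        raise ValueError(f"unsupported expression: {expr}")
    offset, mask, op, value = m.groups()
    byte = tcp_byte(pkt, int(offset))
    if mask is not None:
        byte &= int(mask)
    return byte == int(value) if op == "=" else byte != int(value)


def flag_report(pkt):
    """Which of the page's seven expressions this packet would match."""
    return {name: matches(pkt, expr) for name, expr in FILTERS.items()}
```

A SYN-ACK with ECE set (ECN negotiation) has tcp[13] = 82, so "tcp[13] = 18" does not match it but "tcp[13] & 18 = 18" does; the IHL handling in tcp_byte is what keeps the offset correct when IP options are present.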
Understanding Output
. is an ACK
S is a SYN
Examples
tcpdump -i external-interface -X -s 1500 -vv -n -w capture_file src or dst 10.0.0.10 - Would capture packets flowing through the interface named external-interface, keeping the first 1500 bytes of each packet with a source or destination of 10.0.0.10, and write the captured packets to a file called capture_file in the current working directory (usually the user's home directory). Options such as -w are placed before the expression because everything after the expression starts is treated as part of it. Note that while -w is in use the -X output is not displayed; read the file back with tcpdump -r capture_file -X to see it.
Further Information
The tcpdump/libpcap website: http://www.tcpdump.org/
The Wikipedia entry for tcpdump: http://en.wikipedia.org/wiki/Tcpdump