Tcpdump commands. tcpdump examples on Linux
Tcpdump is an extremely convenient network analyzer that is very helpful for both network administrators and security professionals. Naturally, to obtain maximum information when working with tcpdump, you simply need to have an understanding of the TCP/IP protocol stack. For convenience, you can use more convenient and intelligent programs, for example, but situations often arise when it is not possible to install additional services on the machine under test, and then tcpdump is simply irreplaceable, because the administrator, for the sake of analyzing packets, does not want to install X- on a Unix server. Windows, especially since in most Unix systems, the tcpdump utility is installed by default.
Understanding the TCP/IP protocol gives a wide scope for using the analyzer and troubleshooting network problems and problems by parsing packets. Since optimal use of this utility requires a good understanding of network protocols and their operation, this creates a funny situation in which the engineer in any case needs to know and understand the mechanisms of data transfer on the network. incl. tcpdump is useful in all respects: both troubleshooting and self-education.
Below are several options that will help you use this utility more fully and in detail, especially since all these boxes and keys are quite easily forgotten, and these examples are very useful for refreshing your memory.
The first key used is -n, which prohibits attempts to convert addresses into domain names, thereby giving us clean IP addresses with ports.
The second is -X which specifies for each packet to output both hex and ASCII contents of the packet.
And the last option is -S which replaces the output of relative TCP numbering with absolute one. The point is that with relative numbering, some problems may be hidden from your attention.
You need to understand that the main advantage of tcpdump over other utilities is that it allows detailed and manual analysis of packets. You also need to remember that by default tcpdump uses only the first 68 bytes of the packet, incl. if you need to see more, then you should use the -s number switch, where number is the number of bytes that should be captured. If number 0 is specified, the packet will be completely captured, so it is better to use the value 1514, which will completely capture the standard packet for Ethernet networks.
List of most commonly used keys:
-c: checks the size of the capture file before each next recording of the captured packet; if the size is larger, then the file is saved and the recording goes to a new file
-e: Print the ethernet header (link layer) in each dump line
-i any: Listen on all interfaces, in case you need all traffic.
-n: disables resolution of addresses to domain or symbolic names
-nn: disables resolution of addresses and ports to domain or symbolic names
-q: Concise output of information by reducing the output of protocol information.
-X: Print both hex and ASCII contents of the packet
-v, -vv, -vvv: Specifies the output of additional information about captured packets, which allows for broader analysis.
Some examples to use:
# Standard packet output
tcpdump -nS
# Extended standard output
tcpdump -nnvvS
# Deep parse of a package
tcpdump -nnvvXS
# The most detailed traffic information
tcpdump -nnvvXSs 1514
Expressions allow you to perform more targeted scanning and specify traffic types. The ability to use expressions makes tcpdump a very productive tool in the hands of a system administrator. There are three main types of expressions: type, dir, and proto.
The options for the type expression are host, net, and port.
To express the direction specified by dir, the existing options are src, dst, src or dst, and src and dst.
A few standard expressions:
host // analyze traffic based on IP address (also works with symbolic names if -n is not specified)
tcpdump host 1.2.3.4
src, dst // analyze traffic only for a specific destination or transmitter
tcpdump src 2.3.4.5
tcpdump dst 3.4.5.6
net // capture traffic belonging to a specific network
tcpdump net 1.2.3.0/24
proto // works with tcp, udp, and icmp. It must be remembered that proto is not mentioned
tcpdump icmp
port // analyze traffic from a specific port (incoming or outgoing)
tcpdump port 3389
src, dst port // filter based on incoming or outgoing port
tcpdump src port 1025
tcpdump dst port 3389
But the most powerful tool is operands, which allow you to set conditions for expressions and options for more detailed isolation of information about the analyzed traffic.
AND
and or &&
OR
or or ||
EXCEPT
not or!
TCP traffic from resource 10.15.123.33 with destination port 3379:
# tcpdump -nnvvS tcp and src 10.15.123.33 and dst port 3379
Traffic moving from network 192.168 with destination on networks 10 or 172.16:
# tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16
Non-ICMP traffic to destination 192.168.0.2 and from network 172.16:
# tcpdump -nvvXSs 1514 dst 192.168.0.2 and src net 172.16.0.0/16 and not icmp
Traffic from Eros or Ares hosts, but not going to the standard SSH port (name resolution is required for this expression):
# tcpdump -vv src eros or are and not dst port 22
As can be seen from the examples given, we can build any expressions for any purpose. Also, using complex syntax, we can exclude any type of traffic from analysis.
We should also remember that we can build queries that include groups and pools of options specified in a single query. But in order for the tcpdump utility to pay attention to them, they need to be placed in brackets, taking the expression in single quotes:
Traffic coming from host 10.0.2.4 to destination ports 3379 or 22:
# tcpdump ‘src 10.0.2.4 and (dst port 3379 or 22)’
It is also possible to filter based on TCP flags, for example to isolate SYN or RST packets:
Analyze all URG packages:
# tcpdump ‘tcp & 32 != 0′
Analyze all ACK packets:
# tcpdump ‘tcp & 16 != 0′
Analyze all PSH packets:
# tcpdump ‘tcp & 8 != 0′
Analyze all RST packets:
# tcpdump ‘tcp & 4 != 0′
Analyze all SYN packets:
# tcpdump ‘tcp & 2 != 0′
If you need to analyze or intercept network packets in Linux, the best way to do this is to use a console utility tcpdump. But the problem arises in its rather complex management. The average user will find it inconvenient to work with the utility, but this is only at first glance. The article will tell you how tcpdump works, what syntax it has, how to use it, and will also provide numerous examples of its use.
Read also: Guides for setting up an Internet connection in Ubuntu, Debian, Ubuntu Server
Most developers of Linux-based operating systems include the tcpdump utility in the list of preinstalled ones, but if for some reason it is missing from your distribution, you can always download and install it via "Terminal". If your OS is based on Debian, and this is Ubuntu, Linux Mint, Kali Linux and the like, you need to run this command:
sudo apt install tcpdump
During installation you need to enter a password. Please note that it is not displayed when typing; you also need to enter the symbol to confirm the installation "D" and press Enter.
If you have Red Hat, Fedora or CentOS, the installation command will look like this:
sudo yam install tcpdump
After the utility is installed, you can use it immediately. This and much more will be discussed further in the text.
Syntax
Like any other command, tcpdump has its own syntax. Knowing it, you can set all the necessary parameters that will be taken into account when executing the command. The syntax is as follows:
tcpdump options -i interface filters
When using the command, you must specify the interface for tracking. Filters and options are not required variables, but they allow for more flexible customization.
Options
Although the option does not have to be specified, you still need to list the available ones. The table does not show their entire list, but only the most popular ones, but they are more than enough to solve most of the tasks.
| Option | Definition |
|---|---|
| -A | Allows you to sort packages with ASCII format |
| -l | Adds scrolling functionality |
| -i | After entering, you need to specify the network interface that will be monitored. To start monitoring all interfaces, enter the word “any” after the option. |
| -c | Ends the tracking process after checking the specified number of packets |
| -w | Generates a text file with the inspection report |
| -e | Shows the internet connection level of the data package |
| -L | Displays only those protocols that are supported by the specified network interface |
| -C | Creates another file while the package is being written if its size is larger than the specified size |
| -r | Opens a file for reading that was created using the -w option |
| -j | TimeStamp format will be used to record packets |
| -J | Allows you to view all available TimeStamp formats |
| -G | Serves to create a file with logs. The option also requires specifying a temporary value, after which a new log will be created |
| -v, -vv, -vvv | Depending on the number of characters in the option, the command output will become more detailed (the increase is directly proportional to the number of characters) |
| -f | The output shows the domain name of the IP addresses |
| -F | Allows you to read information not from the network interface, but from the specified file |
| -D | Demonstrates all network interfaces that can be used |
| -n | Deactivates the display of domain names |
| -Z | Specifies the user under whose account all files will be created |
| -K | Skip checksum analysis |
| -q | Brief information display |
| -H | Allows detection of 802.11s headers |
| -I | Used when capturing packets in monitor mode |
Having examined the options, below we will move directly to their applications. In the meantime, filters will be considered.
Filters
As mentioned at the very beginning of the article, you can add filters to the tcpdump syntax. Now we will consider the most popular of them:
All of the above filters can be combined with each other, so in the command output you will see only the information that you want to see. To understand in more detail the use of the above filters, it is worth giving examples.
Examples of using
The most commonly used syntax for the tcpdump command will now be described. It will not be possible to list them all, since there can be an infinite number of variations.
View a list of interfaces
It is recommended that each user initially check the list of all their network interfaces that can be monitored. From the above table we know that for this we need to use the option -D so in terminal run the following command:
As you can see, there are eight interfaces in the example that can be viewed using the tcpdump command. The article will provide examples with ppp0, you can use any other one.
Regular traffic capture
If you need to monitor one network interface, you can do this using the option -i. After entering it, do not forget to indicate the name of the interface. Here is an example of running such a command:
sudo tcpdump -i ppp0
Please note: you need to enter “sudo” before the command itself, since it requires superuser rights.
Note: after pressing Enter, the captured packets will be continuously displayed in the “Terminal”. To stop their flow, you need to press the key combination Ctrl+C.
If you run the command without additional options and filters, you will see the following format for displaying monitored packages:
22:18:52.597573 IP vrrp-topf2.p.mail.ru.https > 10.0.6.67.35482 : Flags , seq 1:595, ack 1118, win 6494, options , length 594
Where is highlighted in color:
- blue - time of receiving the package;
- green - sender's address;
- purple - recipient's address;
- gray - additional information about tcp;
- red - packet size (displayed in bytes).
This syntax has the ability to display in a window "Terminal" without using additional options.
Capture traffic with the -v option
As is known from the table, the option -v allows you to increase the amount of information. Let's look at it with an example. Let's check the same interface:
sudo tcpdump -v -i ppp0
Here you can notice that the following line appears in the output:
IP (tos 0x0, ttl 58, id 30675, offset 0, flags, proto TCP (6) , length 52
Where is highlighted in color:
- orange - protocol version;
- blue - protocol lifetime;
- green - field header length;
- purple - tcp package version;
- red - package size.
You can also add the option to the command syntax -vv or -vvv, which will further increase the amount of information displayed on the screen.
Option -w and -r
The options table mentioned the ability to save all output data to a separate file so that it can be viewed later. The option is responsible for this -w. Using it is quite simple, just specify it in the command, and then enter the name of the future file with the extension ".pcap". Let's look at everything using an example:
sudo tcpdump -i ppp0 -w file.pcap
Please note: while logs are being written to a file, no text is displayed on the Terminal screen.
When you want to view the recorded output, you need to use the option -r, after which write the name of the previously recorded file. It is applied without other options and filters:
sudo tcpdump -r file.pcap
Both of these options are great when you need to save large amounts of text for later parsing.
IP filtering
From the filter table we know that dst allows you to display on the console screen only those packets that were received by the address specified in the command syntax. This makes it very convenient to view the packets received by your computer. To do this, you just need to specify your IP address in the command:
sudo tcpdump -i ppp0 ip dst 10.0.6.67
As you can see, in addition to dst, we also specified a filter in the command ip. In other words, we told the computer to pay attention to the IP address when selecting packets, and not to other parameters.
You can also filter sent packets by IP. Let's use our IP again as an example. That is, now we will track which packets are sent from our computer to other addresses. To do this you need to run the following command:
sudo tcpdump -i ppp0 ip src 10.0.6.67
As you can see, we have changed the filter in the command syntax dst on src, thereby telling the machine to look for the sender by IP.
Filtering by HOST
By analogy with IP, we can specify a filter in the command host to filter out packets with the host of interest. That is, in the syntax, instead of the IP address of the sender/recipient, you will need to indicate its host. It looks like this:
sudo tcpdump -i ppp0 dst host google-public-dns-a.google.com
In the image you can see that in "Terminal" Only those packets that were sent from our IP to the host google.com are displayed. As you can understand, instead of the google host, you can enter any other one.
As with IP filtering, the syntax dst can be replaced by src to see the packets that are sent to your computer:
sudo tcpdump -i ppp0 src host google-public-dns-a.google.com
Please note: the host filter must come after dst or src, otherwise the command will throw an error. In the case of IP filtering, on the contrary, dst and src come before the ip filter.
Applying the and and or filters
If you need to use several filters at once in one command, then for this you need to use a filter and or or(depends on the case). By specifying filters in the syntax and separating them with these operators, you "make" them work as one. In an example it looks like this:
sudo tcpdump -i ppp0 ip dst 95.47.144.254 or ip src 95.47.144.254
From the command syntax it is clear that we want to display "Terminal" all packets that were sent to the address 95.47.144.254 and packets received by the same address. You can also change some of the variables in this expression. For example, instead of IP, specify HOST or replace the addresses themselves.
Port and portrange filter
Filter port Perfect for those cases when you need to get information about packets on a specific port. So, if you only need to see DNS responses or requests, you need to specify port 53:
sudo tcpdump -vv -i ppp0 port 53
If you want to view http packets, you need to enter port 80:
sudo tcpdump -vv -i ppp0 port 80
Among other things, it is possible to track a range of ports at once. A filter is used for this portrange:
sudo tcpdump portrange 50-80
As you can see, in conjunction with the filter portrange It is not necessary to specify additional options. You just need to set the range.
Filtering by protocol
You can also display only traffic that matches a particular protocol. To do this, you need to use the name of this very protocol as a filter. Let's look at an example udp:
sudo tcpdump -vvv -i ppp0 udp
As you can see in the image, after executing the command in "Terminal" only protocol packets were displayed udp. Accordingly, you can filter by others, for example, arp:
sudo tcpdump -vvv -i ppp0 arp
or tcp:
sudo tcpdump -vvv -i ppp0 tcp
Filter net
Operator net helps filter packets based on their network designation. Using it is as easy as the others - you need to specify the attribute in the syntax net, then enter the network address. Here is an example of such a command:
sudo tcpdump -i ppp0 net 192.168.1.1
Filter by package size
We have not considered two more interesting filters: less And greater. From the table with filters we know that they serve to display larger data packets ( less) or less ( greater) size specified after entering the attribute.
Let's say we want to monitor only packets that do not exceed the 50-bit mark, then the command will look like this:
sudo tcpdump -i ppp0 less 50
Now let's display in "Terminal" packets larger than 50 bits:
sudo tcpdump -i ppp0 greater than 50
As you can see, they are used in the same way, the only difference is in the name of the filter.
Conclusion
At the end of the article, we can conclude that the team tcpdump is an excellent tool with which you can track any data packet transmitted over the Internet. But for this it is not enough to simply enter the command itself in "Terminal". You can achieve the desired result only if you use all kinds of options and filters, as well as their combinations.
This tutorial will show you how to isolate traffic in various ways—from IP, to port, to protocol, to application-layer traffic—to make sure you find exactly what you need as quickly as possible.
tcpdump is the tool everyone should learn as their base for packet analysis.
Install tcpdump with apt install tcpdump (Ubuntu), or yum install tcpdump (Redhat/Centos)
Let’s start with a basic command that will get us HTTPS traffic:
tcpdump -nn S X port 443
04:45:40.573686 IP 78.149.209.110.27782 > 172.30.0.144 .443 : Flags [.], ack 278239097, win 28, options , length 0 0x0000: 4500 0034 0014 0000 2e06 c005 4e8e d16e E..4........N..n 0x0010: ac1e 0090 6c86 01bb 8e0a b73e 1095 9779 ....l......>...y 0x0020: 8010 001c d202 0000 0101 080a 3803 7b55 ............8.(U 0x0030: 4801 8100
You can get a single packet with -c 1 , or n number with -c n .
This showed some HTTPS traffic, with a hex display visible on the right portion of the output (alas, it’s encrypted). Just remember—when in doubt, run the command above with the port you’re interested in, and you should be on your way.
Examples
PacketWizard™ isn’t really trademarked, but it should be.
a practitioner preparing to run tcpdump
Now that you are able to get basic traffic, let’s step through numerous examples that you are likely to need during your job in networking, security, or as any type of PacketWizard™.
Everything on an interface
Just see what’s going on, by looking at what’s hitting your interface.
Or get all interfaces with -i any .
tcpdump -i eth0
Find Traffic by IP
One of the most common queries, using host , you can see traffic that’s going to or from 1.1.1.1.
Expression Types:
host, net, and port.
src and dst.
host, net, and port.
tcp, udp, icmp, and many more.
tcpdump host 1.1.1.1
06:20:25.593207 IP 172.30.0.144.39270 > one.one.one.one .domain : 12790+ A? google.com. (28) 06:20:25.594510 IP one.one.one.one .domain > 172.30.0.144.39270: 12790 1/0/0 A 172.217.15.78 (44)
If you only want to see traffic in one direction or the other, you can use src and dst .
tcpdump src 1.1.1.1
tcpdump dst 1.0.0.1
Finding Packets by Network
To find packets going to or from a particular network or subnet, use the net option.
You can combine this with the src and dst options as well.
tcpdump net 1.2.3.0/24
Get Packet Contents with Hex Output
Hex output is useful when you want to see the content of the packets in question, and it’s often best used when you’re isolating a few candidates for closer scrutiny.
tcpdump -c 1 -X icmp
Summary
Here are the takeaways.
- tcpdump is a valuable tool for anyone looking to get into networking or .
- The raw way it interfaces with traffic, combined with the precision it offers in inspecting packets make it the best possible tool for learning TCP/IP.
- Protocol Analyzers like Wireshark are great, but if you want to truly master packet-fu, you must become one with tcpdump first.
Well, this primer should get you going strong, but the man page should always be handy for the most advanced and one-off usage scenarios. I truly hope this has been useful to you, and feel free to if you have any questions.
Notes
- I’m currently (sort of) writing a book on tcpdump for No Starch Press.
- The leading image is from SecurityWizardry.com.
- Some of the isolation filters borrowed from
The tcpdump utility is a very powerful and popular tool for intercepting and analyzing network packets. It allows you to view all packets incoming and outgoing from a specific interface and works on the command line. Of course, you could use Wirshark to analyze network packets, it is a graphical utility, but sometimes there are situations when you need to work only in the terminal.
Tcpdump is no worse than Wireshark, and has all the necessary capabilities for analyzing packets, in addition, you can save all intercepted packets to a file to analyze them later using the same Wireshark. In this article we will look at how to use tcpdump to intercept network packets.
Many distributions come with the tcpdump command by default, but if your distribution doesn't have it, you can very easily install it from the official repositories. For example, in Ubuntu/Debian:
sudo apt install tcpdum p
On Fedora/Red Hat/CentOS:
sudo yum install tcpdump
When the installation is complete, you can proceed to work.
tcpdump command
Before moving on to examples of working with the utility, let's look at its syntax and basic options. The command has the following syntax:
$ tcpdump options -i interface filters
When calling, you must pass the interface that you will monitor. If the interface is not specified, the first one in the list will be used. Options configure the display and basic capabilities of the utility, and filters allow you to filter out unnecessary packages. Now let's look at the main options:
- -A- output all packages in ASCII format;
- -c- close the program after intercepting the nth number of packets;
- -C- when writing packages to a file, check the file size, and if it is larger than the specified one, create a new file;
- -D- display a list of available network interfaces;
- -e- display connection level information for each packet, this can be useful, for example, to display the MAC address;
- -f- display domain name for IP addresses;
- -F- read packages from a file, not from an interface;
- -G- create a new log file after a specified period of time;
- -H- detect 802.11s headers;
- -i- name of the interface for packet interception. You can capture packets from all interfaces; to do this, specify any;
- -I- switch the interface to monitor mode to capture all passing packets;
- -j- set the Timestamp format for recording packets;
- -J- view available Timestamps;
- -K- do not check packet checksums;
- -l- add scrolling support to the output;
- -L- display supported connection protocols for the interface;
- -n- do not display domain names;
- -r- read packages from a file created with -w;
- -v, -vv, -vvv- more detailed output;
- -q- display a minimum of information;
- -w- write the output to a file;
- -Z- the user on whose behalf the files will be created.
These are not all the options, but they will be enough for you to solve most problems. We will use filters more often. Using filters, you can filter out only those types of packets that you want to see. You can filter by IP address, protocol, network, interface and many other parameters. But we will look at tcpdump filters using examples.
How to use tcpdump
Before you move on to using tcpdump, you need to look at what network interfaces you can use. To do this, run the command with the -D option:
Let's start looking at tcpdump examples by capturing traffic on the eth0 interface; for me, this is the main interface that is connected to the Internet. The program requires superuser rights to run, so don't forget to use sudo:
sudo tcpdump -i eth0
To stop the command, press Ctrl+C. In the output you will immediately see all intercepted packets. The record format for each package will look like this:
13:03:41.795599 IP udp032919uds.hawaiiantel.net.6881> 192.168.1.2.52055 : Flags [.], seq 640160396:640161844, ack 436677393, win 2050, options , length 1448
This format is typical for data packets; depending on the protocol, the text highlighted in black will differ. First comes the timestamp, then the protocol, then the sender’s IP address is green, and the address of the recipient, in this case, our computer, is blue. Next are additional tcp parameters and at the end the packet size in bytes. The detail of the output can be controlled using the -v options. For example:
sudo tcpdump -v -i eth0
Information about the IP protocol already appears here:
IP (tos 0x0, ttl 64, id 50309, offset 0, flags, proto TCP (6), length 64)
We can find out information about the TTL packet lifetime, TCP protocol version and header field length. The -vv option will output package checksum verification and contents in some cases.
After the options you can specify filters for packets. Here are the main parameters by which you can filter out packets:
- host- host name;
- ip- IP address;
- proto- protocol;
- net- network or subnet address;
- port- port address;
- src- parameter related to the sender;
- dst- parameter related to the recipient;
- The following protocols are available: ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp And udp.
You can combine all this with each other to get the desired result. Let's look in more detail using examples. Let's filter out only packets addressed to our computer:
sudo tcpdump -i eth0 ip dst 192.168.1.2
We can also select packets sent to a specific node:
sudo tcpdump -i eth0 dst host google-public-dns-a.google.com
As you can see, these are DNS packets and instead of TCP flags, they contain useful information, a request for the host’s IP address. You can also select response packets from a specific host:
sudo tcpdump -i eth0 src host google-public-dns-a.google.com
This is not the full contents of the package, if you want to get it you need to use the -v or -vv option:
sudo tcpdump -vv -i eth0 host dst google-public-dns-a.google.com
With the and operator you can combine multiple filters into one:
sudo tcpdump -i eth0 dst host google-public-dns-a.google.com and src host google-public-dns-a.google.com
The merging operations available are and and or, and you can also use parentheses to indicate precedence. You do not have to specify host, in many cases src or dst is enough, the utility itself will understand what was meant. The exact same design can be used for ports. For example, we can filter out all requests or responses to DNS (on port 53):
sudo tcpdump -vv -i eth0 port 53
The exact same thing can be done for http (port 80):
sudo tcpdump -vv -i eth0 port 80
Naturally, dst and src can also be used here for more specific results. You can filter not just one port, but a whole range of ports:
sudo tcpdump portrange 21-23
If you specify one of the protocols, you will filter only packets from that protocol, such as tcp, udp, or arp:
sudo tcpdump -vv arp
In the same way, you can select all udp packets:
sudo tcpdump -vv udp
A filter by network designation is also available:
sudo tcpdump net 129.168.1.1/24
Additionally, you can filter packets by their size, for example less than 32 bytes:
sudo tcpdump less than 32
Or more than 128:
tcpdump greater than 128
sudo tcpdump -i eth0 -w file.pcap
This file can be opened using any program for reading such files, such as Wireshark. To open packages saved to a file, use the -r option:
sudo tcpdump -r file.pcap
There is one more point that is worth paying attention to. This is a format for displaying the contents of packages. You can output the package contents in ASCII format using the -A option:
sudo tcpdump -A -i eth0
You can also display content in HEX and ASCII format, use -XX for this:
sudo tcpdump -XX -i eth0
conclusions
In this article we looked at how to use tcpdump. This is a very powerful network analyzer that works only through the command line. I hope this information was useful to you and now using tcpdump will be much easier, if you have any questions, ask in the comments!
To conclude the video with a lecture on tcpdump:
Dec 19, 2011 By Henry Van Styn
in HOW-TOs
Packet capture is one of the most powerful ways to analyze network processes. You can learn a lot about what's happening on a network by intercepting and examining raw data flowing across network connections. Modern traffic analysis utilities allow you to capture, interpret and describe data streams in a human-readable style.
tcpdump is an essential traffic listening, or sniffing, tool, it provides many analysis capabilities and can even export interpreted packet fields to other programs.
If you think utilities like tcpdump are losing their value with the advent of graphical tools like Wireshark, think again. Wireshark is a great application, but it is not a universal tool for absolutely all situations. As a universal lightweight solution for various applications (such as the Unix tools cat, less and hexdump), tcpdump looks much cooler. And its most impressive feature is its ease of use. As a behavioral style, it follows an approximation of the "one line command" concept to obtain quick, one-step responses. In addition, it can be used within an ssh session without the need for graphics. By supporting command line syntax conventions (such as outputting a data stream to standard output that can be redirected), tcpdump can be used in all types of pipelines to build interesting and useful utilities.
In this article, I will look at some basic principles of using tcpdump and the basics of its syntax.
Basics
Before you become a master at using tcpdump, there are some fundamental concepts you should understand. Firstly, packet capture is a passive process; it does not change the traffic in any way and does not broadcast anything to the network from itself. Secondly, you can only capture packets that your system receives. If any two hosts exchange packets directly and that traffic bypasses your computer, you won't see anything, regardless of the monitoring tool. Third, you can only capture packets that are destined for your system unless the network interface is put in promiscuous mode.
Since it assumes that you are interested in more than just the packages for your system, tcpdump will put the first interface on the system (unless another is explicitly specified) into promiscuous mode automatically. This operation requires superuser privileges.
Anatomy of tcpdump commands
The tcpdump command consists of two parts: options and a filter expression (Figure 1).
Figure 1. Example tcpdump Command
The filter expression determines which packets to capture, and the options - which of them to show in the output; the options also determine the behavior of the utility.
Options
Tcpdump options follow standard command line conventions, so the option format is flag-value. Some flags have no parameter value because they are switches themselves. For example, -i is followed by the interface name, and -n disables name resolution through DNS.
The man page describes a lot of options, but there are a few that you can't do without:
I interface: the interface on which tcpdump will listen for traffic;
V, -vv, -vvv: output verbosity;
Q: quiet mode;
E: print link layer frame headers (Ethernet);
N: resolve domain names of hosts;
T: do not print timestamps;
N: do not resolve domain names of hosts;
S0 (or -s 0): maximum capture, entire packets are captured; in recent versions of tcpdump this is the default behavior.
None of the options are required. User-defined values only change the program's default behavior, which is to capture on the first interface and print packet information on a single line.
Filter Expressions
Filter expressions are Boolean criteria (yes/no) to evaluate whether a packet matches a pattern. All packets that do not meet the specified conditions are ignored.
The packet filter syntax is powerful and transparent. At the beginning it contains keywords called "primitives", which are different qualifiers for packets, these can be protocol, address, port or direction. They can be connected to each other in chains using operators and/or, grouped and combined by inheritance rules, sorted using negation.
Thanks to self-explanatory criteria names, filter expressions typically appear to be self-explanatory, making them fairly easy to construct and understand. The full syntax is described in the pcap-filter man page, and some examples are provided here:
ARP is a simple protocol, it is used to resolve IP addresses to MAC addresses of network cards. As you can see above, tcpdump describes these packets in a rather primitive manner. DNS packages, on the other hand, will be described slightly differently:
| IP 10.0.0.2.50435 > 10.0.0.1.53: 19+ A? linuxjournal.com. (34) IP 10.0.0.1.53 > 10.0.0.2.50435: 19 1/0/0 A 76.74.252.198 (50) |
This may not seem clear enough at first, but as you learn how the different layers of protocols work, it will make more sense. DNS is a much more complex protocol than ARP, but it also operates at a higher level. This means that the underlying protocol packets also appear in the output. Unlike ARP, which is not routed between different physical network segments, DNS is an Internet-wide protocol. The IP layer is used to route these packets; UDP is used for transport. This makes DNS a layer 5 protocol (IP is layer 3, UDP is layer 4).
UDP/IP layer information containing the source address and port is displayed on the left side of the line, and specific DNS information is displayed on the right. Although the syntax is quite condensed, it is sufficient to define the basic elements of DNS. The first packet is an address request for linuxjournal.com, the second packet is a response giving the address 76.74.252.198. This is a typical sequence for simple DNS queries.
See the "OUTPUT FORMAT" section of the tcpdump man page for a complete description of all protocol-dependent output formats. Some protocol packets are better visible in the output than others, but important information is usually easy to find.
Capture output to file
In addition to the usual mode with output to the console (standard output), tcpdump also supports a mode for writing output to a file. The mode is activated by the -w option, which specifies the path to the file.
When writing to a file, tcpdump uses a different format than when outputting to the screen. This is the so-called raw output; it does not perform primary analysis of the packet. These files can then be used in third-party programs such as Wireshark, because the format of the entries in the file follows the universal "pcap" format (such a file can be supplied to tcpdump input using the -r option). This feature allows us to capture packets on one machine and analyze them on another. For example, you have Wireshark on your laptop. You do not need to connect it to the network being analyzed in order to scan a previously captured file.
Analysis of TCP-based protocols
tcpdump is a packet analyzer, so it works well with packet-based protocols such as IP, UDP, DHCP, DNS, and ICMP. If there is a "stream", or a sequence of packets to establish a connection, tcpdump will not be able to directly analyze these streams and connection scenarios. Protocols such as HTTP, SMTP, and IMAP are much more like interactive applications from a networking perspective than "packet" protocols.
TCP handles all the low-level details required for communication sessions within session protocols transparently to the user. This is where flow-oriented data is encapsulated into packets (segments) that can then be sent over the network. All such details are hidden below the application layer. Therefore, additional steps are required to capture connection-oriented protocol packets. Since each TCP segment is a piece of application-level data, information about it cannot be used directly. For this to make sense, you need to completely reconstruct the TCP session (flow) from a sequence of individual packets. tcpdump does not have this feature. To analyze session protocols, you can use what I call the "string trick."
String trick
Usually, when capturing traffic, I mean the purpose of analyzing the causes of some errors. The data does not have to be perfect to view in order to understand the reasons for any incidents. In such cases, speed of understanding is more important than anything else. The next trick is one of my favorite tcpdump techniques. This works because:
TCP segments are usually in chronological order;
- text-based application protocols generate packets with a text load;
- the data surrounding the text load (for example, package headers) is not text;
- UNIX utilities can save text from application binary output;
- if you run tcpdump with the -w - option, it will generate raw information to standard output.
Putting everything together, we get a tool for capturing HTTP session data.
Additionally, you should be aware that the output may contain some garbage. The excess can be cut off using the strings utility option, which limits the length of the string output (see man strings).
This trick works quite well for any text based protocols.
HTTP and SMTP Analysis
The string trick from the previous section can help to capture HTTP session data, despite the lack of a built-in stream analyzer. The resulting data can be “analyzed” and then in many different ways.
For example, you might want to check the availability of all sites that have “davepc” in their name in real time. The following command, running on the firewall, will help (assuming the internal interface is eth1):
These are just two simple examples to illustrate the possibilities. You can go so far as to, for example, write a Perl script to analyze the received strings in more depth.
So the real power of tcpdump comes when you want to quickly get answers to some questions without much effort. This is especially important when debugging network applications.
Debugging routing and VPN connections
tcpdump can be a great help when debugging things like VPN connections. All you need is to understand on which hosts which packets appear and on which they do not.
Let's take a standard scheme for connecting two networks via a VPN connection. Networks 10.0.50.0/24 and 192.168.5.0/24 (Figure 2).
Figure 2. Example VPN Topology
If this works correctly, hosts on different networks should ping each other. If pings don't respond (in this case, let's assume they don't come from D to host A), we can use tcpdump to find out where things are being lost.
If the request packets go to host C (the remote gateway) but not to D, this indicates that the VPN connection itself is working, but there are routing problems. If host D receives requests but does not send responses, this may indicate that ICMP is blocked. If replies are sent but do not reach C, the default gateway may be configured incorrectly on D.