Never Ending Security

It starts all here

Tag Archives: tcpdump

TCPdump Commands Cheatsheet


Tcpdump

tcpdump is a most powerful and widely used command-line packets sniffer or package analyzer tool which is used to capture or filter TCP/IP packets that received or transferred over a network on a specific interface. tcpdump also gives us an option to save captured packets in a file for future analysis. It saves the data in a pcap format, that can be viewed by tcpdump command or a open source GUI based tool called Wireshark (Network Protocol Analyzier).

How to Install tcpdump in Linux

Many of Linux distributions already shipped with tcpdump tool, if in case you don’t have it on systems, you can install it using following Yum command.

# yum install tcpdump

Once tcpdump tool is installed on systems, you can continue to browse following commands with their examples.

Capture Packets from Specific Interface

tcpdump command it will captures from all the interfaces by default, with -i switch it will only capture from a specific interface.

# tcpdump -i eth0

Capture Only N Number of Packets

Using -c switch, you can capture specified number of packets. The below example will only capture 4 packets.

# tcpdump -c 5 -i eth0

Print Captured Packets in ASCII

The below tcpdump command with option -A displays the package in ASCII format. It is a character-encoding scheme format.

# tcpdump -A -i eth0

Display Available Interfaces

To list number of available interfaces on the system, run the following command with -D option.

# tcpdump -D

Display Captured Packets in HEX and ASCII

The following command with option -XX capture the data of each packet, including its link level header in HEX and ASCII format.

# tcpdump -XX -i eth0

Capture and Save Packets in a File

As we said, that tcpdump has a feature to capture and save the file in a .pcap format, to do this just execute command with -w option.

# tcpdump -w 0001.pcap -i eth0

Read Captured Packets File

To read and analyze captured packet 0001.pcap file use the command with -r option, as shown below.

# tcpdump -r 0001.pcap

Capture IP address Packets

To capture packets for a specific interface, run the following command with option -n.

# tcpdump -n -i eth0

Capture only TCP Packets.

To capture packets based on TCP port, run the following command with option tcp.

# tcpdump -i eth0 tcp

Capture Packet from Specific Port

Let’s say you want to capture packets for specific port 22, execute the below command by specifying port number 22 as shown below.

# tcpdump -i eth0 port 22

Capture Packets from source IP

To capture packets from source IP, say you want to capture packets for 192.168.0.2, use the command as follows.

# tcpdump -i eth0 src 192.168.1.2

Capture Packets from destination IP

To capture packets from destination IP, say you want to capture packets for 50.116.66.139, use the command as follows.

# tcpdump -i eth0 dst 111.111.111.111

Tcpdump tutorial – Sniffing and analysing packets from the commandline


Tcpdump

Tcpdump is a commandline network analyzer tool or more technically a packet sniffer. It can be thought of as the commandline version of wireshark (only to a certain extent, since wireshark is much more powerful and capable).

As a commandline tool tcpdump is quite powerful for network analysis as filter expressions can be passed in and tcpdump would pick up only the matching packets and dump them.

In this tutorial we are going to learn to use tcpdump and how it can be used for network analysis. On ubunut for example it can be installed by typing the following in terminal

$ sudo apt-get install tcpdump

Tcpdump depends on libpcap library for sniffing packets. It is documented here.

For windows use the alternative called windump. It is compatible with tcpdump (in terms of usage and options). Download from http://www.winpcap.org/windump/default.htm

Basic sniffing

Lets start using tcpdump. The first simple command to use is tcpdump -n

$ sudo tcpdump -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:34:57.266865 IP 173.194.36.6 > 192.168.1.101: ICMP echo reply, id 19941, seq 1176, length 64
16:34:57.267226 IP 192.168.1.101.21271 > 218.248.255.163.53: 23380+ PTR? 6.36.194.173.in-addr.arpa. (43)
16:34:57.274549 IP 218.248.255.163.53 > 192.168.1.101.21271: 23380 1/4/2 PTR bom04s01-in-f6.1e100.net. (195)
16:34:57.297874 IP 192.168.1.101.56295 > 186.105.77.150.38213: UDP, length 105

Why sudo ? Because tcpdump needs root privileges to be able to capture packets on network interfaces. On ubuntu prepending sudo to any command makes it run with superuser/root privileges. The -n parameter is given to stop tcpdump from resolving ip addresses to hostnames, which take look and not required right now.

Lets take a line from the above output to analyse.

16:34:57.267226 IP 192.168.1.101.21271 > 218.248.255.163.53: 23380+ PTR? 6.36.194.173.in-addr.arpa. (43)

The first thing “16:34:57.267226” is the timestamp with microsecond precision. Next is the protocol of the packet called IP (stands for Internet protocol and it is under this protocol that most of the internet communication goes on). Next is the source ip address joined with the source port. Following next is the destination port and then some information about the packet.

Now lets increase the display resolution of this packet, or get more details about it. The verbose switch comes in handy. Here is a quick example

$ sudo tcpdump -v -n
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:43:13.058660 IP (tos 0x20, ttl 54, id 50249, offset 0, flags [DF], proto TCP (6), length 40)
    64.41.140.209.5222 > 192.168.1.101.35783: Flags [.], cksum 0x6d32 (correct), ack 1617156745, win 9648, length 0
16:43:13.214621 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.101 > 173.194.36.6: ICMP echo request, id 19941, seq 1659, length 64
16:43:13.355334 IP (tos 0x20, ttl 54, id 48656, offset 0, flags [none], proto ICMP (1), length 84)
    173.194.36.6 > 192.168.1.101: ICMP echo reply, id 19941, seq 1659, length 64
16:43:13.355719 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 71)
    192.168.1.101.22181 > 218.248.255.163.53: 28650+ PTR? 6.36.194.173.in-addr.arpa. (43)
16:43:13.362941 IP (tos 0x0, ttl 251, id 63454, offset 0, flags [DF], proto UDP (17), length 223)
    218.248.255.163.53 > 192.168.1.101.22181: 28650 1/4/2 6.36.194.173.in-addr.arpa. PTR bom04s01-in-f6.1e100.net. (195)
16:43:13.880338 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.3 tell 192.168.1.101, length 28
16:43:14.215904 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.101 > 173.194.36.6: ICMP echo request, id 19941, seq 1660, length 64

Now with the verbose switch lots of additional details about the packet are also being displayed. And these include the ttl, id, tcp flags, packet length etc.

Getting the ethernet header (link layer headers)

In the above examples details of the ethernet header are not printed. Use the -e option to print the ethernet header details as well.

$ sudo tcpdump -vv -n -e
[sudo] password for enlightened: 
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:57:27.218531 00:25:5e:1a:3d:f1 > 00:1c:c0:f8:79:ee, ethertype IPv4 (0x0800), length 98: (tos 0x20, ttl 54, id 53046, offset 0, flags [none], proto ICMP (1), length 84)
    173.194.36.6 > 192.168.1.101: ICMP echo reply, id 19941, seq 6015, length 64
17:57:27.218823 00:1c:c0:f8:79:ee > 00:25:5e:1a:3d:f1, ethertype IPv4 (0x0800), length 85: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 71)
    192.168.1.101.53134 > 218.248.255.163.53: [bad udp cksum 0x9cee -> 0xe5f6!] 23855+ PTR? 6.36.194.173.in-addr.arpa. (43)
17:57:27.226352 00:25:5e:1a:3d:f1 > 00:1c:c0:f8:79:ee, ethertype IPv4 (0x0800), length 269: (tos 0x0, ttl 251, id 10513, offset 0, flags [DF], proto UDP (17), length 255)
    218.248.255.163.53 > 192.168.1.101.53134: [udp sum ok] 23855 q: PTR? 6.36.194.173.in-addr.arpa. 1/4/4 6.36.194.173.in-addr.arpa. PTR bom04s01-in-f6.1e100.net. ns: 194.173.in-addr.arpa. NS NS4.GOOGLE.COM., 194.173.in-addr.arpa. NS NS2.GOOGLE.COM., 194.173.in-addr.arpa. NS NS1.GOOGLE.COM., 194.173.in-addr.arpa. NS NS3.GOOGLE.COM. ar: NS1.GOOGLE.COM. A 216.239.32.10, NS2.GOOGLE.COM. A 216.239.34.10, NS3.GOOGLE.COM. A 216.239.36.10, NS4.GOOGLE.COM. A 216.239.38.10 (227)

Now the first thing after the timestamp is the source and destination mac address.

Sniffing a particular interface

In order to sniff a particular network interface we must specify it with the -i switch. First lets get the list of available interfaces using the -D switch.

$ sudo tcpdump -D
1.eth0
2.usbmon1 (USB bus number 1)
3.usbmon2 (USB bus number 2)
4.any (Pseudo-device that captures on all interfaces)
5.lo

Next we can use the interface number of name with the -i switch to sniff the particular interface.

$ sudo tcpdump -i 1
$ sudo tcpdump -i eth0

Filtering packets using expressions

The next important feature of tcpdump as a network analysis tool is to allow the user to filter packets and select only those that match a certain rule or criteria. And like before this too is quite simple and can be learned easily. Lets take a few simple examples.

Selecting protocols

$ sudo tcpdump -n tcp

The above command will show only tcp packets. Similary udp or icmp can be specified.

Particular host or port

Expressions can be used to specify source ip, destination ip, and port numbers. The next example picks up all those packets with source address 192.168.1.101

$ sudo tcpdump -n 'src 192.168.1.101'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:04:04.856379 IP 192.168.1.101.47141 > 173.194.36.1.443: Flags [.], seq 2781603453:2781604873, ack 338206850, win 41850, length 1420
20:04:05.216372 IP 192.168.1.101.33885 > 193.219.128.49.6667: Flags [P.], seq 3980513010:3980513027, ack 2134949138, win 28400, length 17

Next example picks up dns request packets, either those packets which originate from local machine and go to port 53 of some other machine.

$ sudo tcpdump -n 'udp and dst port 53'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:06:48.015359 IP 192.168.1.101.33990 > 218.248.255.163.53: 41001+ A? s.gateway.messenger.live.com. (46)
20:06:50.842530 IP 192.168.1.101.32954 > 218.248.255.163.53: 12380+ A? DB3MSGR5010722.gateway.messenger.live.com. (59)

The above output shows the dns requests made by local system to the dns server 218.248.255.163 port 53. Its all very intuitive and simple. Note the “and” which is used to combine multiple conditions. This is where the creativity begins, to write powerful expressions to analyse the network.

To display the FTP packets coming from 192.168.1.100 to 192.168.1.2

$ sudo tcpdump 'src 192.168.1.100 and dst 192.168.1.2 and port ftp'

Note that the port number 21 has been specified by its name – ftp.

So similarly many different kinds of expressions can be developed to fit the needs of the network analyst and pick up matching packets.

Search the network traffic using grep

Grep can be used along with tcpdump to search the network traffic. Here is a very simple example

$ sudo tcpdump -n -A | grep -e 'POST'
[sudo] password for enlightened: 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
E...=.@.@......e@.H..'.P(.o%~...P.9.PN..POST /blog/wp-admin/admin-ajax.php HTTP/1.1
E...c_@.@..=...e@.H..*.PfC<....wP.9.PN..POST /blog/wp-admin/admin-ajax.php HTTP/1.1
E.....@.@......e@.H...."g;.(.-,WP.9.Nj..POST /login/?login_only=1 HTTP/1.1

The above example detects packets with the string “POST” in them. It detects http post requests as shown.
The -A option displays the content of the packet in ascii text form, which is searchable using grep.

On windows the grep command is not available, but has an equivalent called find/findstr. Example usage

C:\tools>WinDump.exe -A | findstr "GET"
WinDump.exe: listening on \Device\NPF_{6019E682-FD40-4A54-BB75-9C2ACFA56CAA}
.....&....P..W.....P....k..GET /search?hl=en&sclient=psy-ab&q=asda&oq
.....&....P..[{..N.P...%-..GET /csi?v=3&s=web&action=&ei=LrmPUMrLNoHO
.P-%.}....P..$Ch..GET /subscribe?host_int=139535925&ns_map=2

So in the above example we used windump and searched the sniffed packet for the string “GET” (which mostly discover the http get requests).

So what is the idea behind searching packets. Well one good thing can be to sniff passwords.
Here is quick example to sniff passwords using egrep

tcpdump port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20

Source

Resources

http://www.tcpdump.org/tcpdump_man.html