Tcpdump is one of the best network analysis-tools ever for information security professionals. Tcpdump is for everyone for hackers and people who have less of TCP/IP understanding. Many prefer to use higher-level analysis tools such Wireshark, but I believe it is a mistake. With tcpdump you can decode layers 2-7 of OSI model. The first layer represent only electrical signals and 000-zeros and 111-ones.
Options
Below are some tcpdump options (with useful examples) that will help you working with the tool. They’re very easy to forget and/or confuse with other types of filters, i.e. ethereal, so hopefully this article can serve as a reference for you, as it does me:)
The first of these is -n, which requests that names are not resolved, resulting in the IPs themselves.
The second is -X, which displays both hex and ascii content within the packet.
The final one is -S, which changes the display of sequence numbers to absolute rather than relative.
-i any : Listen on all interfaces just to see if you’re seeing any traffic.
-n : Don’t resolve hostnames.
-nn : Don’t resolve hostnames or port names.
-X : Show the packet’s contents in both hex and ASCII.
-XX : Same as -X, but also shows the ethernet header.
-v, -vv, -vvv : Increase the amount of packet information you get back.
-c : Only get x number of packets and then stop.
-S : Print absolute sequence numbers.
-e : Get the ethernet header as well.
-q : Show less protocol information.
-E : Decrypt IPSEC traffic by providing an encryption key.
-s : Set the snaplength, i.e. the amount of data that is being captured in bytes
-c : Only capture x number of packets, e.g. ‘tcpdump -c 3′
1. Basic communication // see the basics without many options
2. Basic communication (very verbose) // see a good amount of traffic, with verbosity and no name help
3. A deeper look at the traffic // adds -X for payload but doesn’t grab any more of the packet
4. Heavy packet viewing // the final “s” increases the snaplength, grabbing the whole packet
Expressions
* host // look for traffic based on IP address (also works with hostname if you’re not using -n)
1
| tcpdump host 192.168.1.1 |
* src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)
1
2
| tcpdump src 192.168.1.1
tcpdump dst 10.1.100.3 |
* net // capture an entire network using CIDR notation
* proto // works for tcp, udp, and icmp. Note that you don’t have to type proto
* port // see only traffic to or from a certain port
* src, dst port // filter based on the source or destination port
1
2
| tcpdump src port 1025
tcpdump dst port 389 |
* src/dst, port, protocol // combine all three
1
2
| tcpdump src port 1025 and tcp
tcpdump udp and src port 53 |
* Port Ranges // see traffic to any port in a range
1
| tcpdump portrange 21-23 |
* Packet Size Filter // only see packets below or above a certain size (in bytes)
1
2
| tcpdump less 32
tcpdump greater 128 |
[ You can use the symbols for less than, greater than, and less than or equal / greater than or equal signs as well. ]
// filtering for size using symbols
1
2
| tcpdump > 32
tcpdump <= 128 |
Writing to a File
Capture all Port 80 traffic to a file:
1
| tcpdump -i eth1 port 80 -w http_traffic |
Read Captured Traffic back into tcpdump:
1
| tcpdump -r http_traffic |
You can use it for “screen” and later for graphical wireshark analyzes.
Getting Creative
Expressions are very nice, but the real magic of tcpdump comes from the ability to combine them in creative ways in order to isolate exactly what you’re looking for. There are three ways to do combination:
1. AND
and or &&
2. OR
or or ||
3. EXCEPT
not or !
Traffic that’s from 192.168.1.1 AND destined for ports 3389 or 22
1
| tcpdump 'src 192.168.1.1 and (dst port 3389 or 22)' |
Advanced
Show me all URG packets:
1
| tcpdump 'tcp[13] & 32 != 0' |
Show me all ACK packets:
1
| tcpdump 'tcp[13] & 16 != 0' |
Show me all PSH packets:
1
| tcpdump 'tcp[13] & 8 != 0' |
Show me all RST packets:
1
| tcpdump 'tcp[13] & 4 != 0' |
Show me all SYN packets:
1
| tcpdump 'tcp[13] & 2 != 0' |
Show me all FIN packets:
1
| tcpdump 'tcp[13] & 1 != 0' |
Show me all SYN-ACK packets:
Show all traffic with both SYN and RST flags set: (that should never happen)
Show all traffic with the “evil bit” set:
1
| tcpdump 'ip[6] & 128 != 0' |
Display all IPv6 Traffic:
