Tcpdump is one of the best network analysis-tools ever for information security professionals. Tcpdump is for everyone for hackers and people who have less of TCP/IP understanding. Many prefer to use higher-level analysis tools such Wireshark, but I believe it is a mistake. With tcpdump you can decode layers 2-7 of OSI model. The first layer represent only electrical signals and 000-zeros and 111-ones.
Below are some tcpdump options (with useful examples) that will help you working with the tool. They’re very easy to forget and/or confuse with other types of filters, i.e. ethereal, so hopefully this article can serve as a reference for you, as it does me:)
The first of these is -n, which requests that names are not resolved, resulting in the IPs themselves.
The second is -X, which displays both hex and ascii content within the packet.
The final one is -S, which changes the display of sequence numbers to absolute rather than relative.
-i any : Listen on all interfaces just to see if you’re seeing any traffic.
-n : Don’t resolve hostnames.
-nn : Don’t resolve hostnames or port names.
-X : Show the packet’s contents in both hex and ASCII.
-XX : Same as -X, but also shows the ethernet header.
-v, -vv, -vvv : Increase the amount of packet information you get back.
-c : Only get x number of packets and then stop.
-S : Print absolute sequence numbers.
-e : Get the ethernet header as well.
-q : Show less protocol information.
-E : Decrypt IPSEC traffic by providing an encryption key.
-s : Set the snaplength, i.e. the amount of data that is being captured in bytes
-c : Only capture x number of packets, e.g. ‘tcpdump -c 3’
1. Basic communication // see the basics without many options
2. Basic communication (very verbose) // see a good amount of traffic, with verbosity and no name help
3. A deeper look at the traffic // adds -X for payload but doesn’t grab any more of the packet
4. Heavy packet viewing // the final “s” increases the snaplength, grabbing the whole packet
tcpdump -nnvvXSs 1514
* host // look for traffic based on IP address (also works with hostname if you’re not using -n)
tcpdump host 192.168.1.1
* src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)
tcpdump src 192.168.1.1 tcpdump dst 10.1.100.3
* net // capture an entire network using CIDR notation
tcpdump net 18.104.22.168/24
* proto // works for tcp, udp, and icmp. Note that you don’t have to type proto
* port // see only traffic to or from a certain port
tcpdump port 3389
* src, dst port // filter based on the source or destination port
tcpdump src port 1025 tcpdump dst port 389
* src/dst, port, protocol // combine all three
tcpdump src port 1025 and tcp tcpdump udp and src port 53
* Port Ranges // see traffic to any port in a range
tcpdump portrange 21-23
* Packet Size Filter // only see packets below or above a certain size (in bytes)
tcpdump less 32 tcpdump greater 128
[ You can use the symbols for less than, greater than, and less than or equal / greater than or equal signs as well. ]
// filtering for size using symbols
tcpdump > 32 tcpdump <= 128
Writing to a File
Capture all Port 80 traffic to a file:
tcpdump -i eth1 port 80 -w http_traffic
Read Captured Traffic back into tcpdump:
tcpdump -r http_traffic
You can use it for “screen” and later for graphical wireshark analyzes.
Expressions are very nice, but the real magic of tcpdump comes from the ability to combine them in creative ways in order to isolate exactly what you’re looking for. There are three ways to do combination:
and or &&
or or ||
not or !
Traffic that’s from 192.168.1.1 AND destined for ports 3389 or 22
tcpdump 'src 192.168.1.1 and (dst port 3389 or 22)'
Show me all URG packets:
tcpdump 'tcp & 32 != 0'
Show me all ACK packets:
tcpdump 'tcp & 16 != 0'
Show me all PSH packets:
tcpdump 'tcp & 8 != 0'
Show me all RST packets:
tcpdump 'tcp & 4 != 0'
Show me all SYN packets:
tcpdump 'tcp & 2 != 0'
Show me all FIN packets:
tcpdump 'tcp & 1 != 0'
Show me all SYN-ACK packets:
tcpdump 'tcp = 18'
Show all traffic with both SYN and RST flags set: (that should never happen)
tcpdump 'tcp = 6'
Show all traffic with the “evil bit” set:
tcpdump 'ip & 128 != 0'
Display all IPv6 Traffic: