tcpdump

tcpdump is a common packet analyzer that runs under the command line. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.

tcpdump prints the contents of network packets. Packets from a network interface card or from a previously created saved packet file can be read by  tcpdump. The latter can write packets to standard output or a file.

It is also possible to use tcpdump for the sole purpose of intercepting and displaying the communications of another user or computer.

Firstly, I like to add a few options to the tcpdump command itself, depending on what I’m looking at.

  • The first of these is -n, which requests that names are not resolved, resulting in the IPs themselves always being displayed.
  • The second is -X, which displays both hex and ascii content within the packet.
  • The advantage of using tcpdumpvs. another tool is getting manual interaction with the packets.

Here’s a short list of the options I use:

  1. -i eth0 : Listen on the eth0 interface.i-eth0

     

  2. -D : Show the list of available interfaces_d
  3. -X : Show the packet’s contents in both hex and ASCII.x
  4. -XX : Same as -X, but also shows the Ethernet header.xx
  5. -q : Show less protocol information.q
  6. -i any : Listen on all interfaces just to see if you’re seeing any traffic.i-any
  7. icmp : Only get ICMP packets. (ping http://www.google.com)icmp

 

 

Expressions allow you to trim out various types of traffic and find exactly what you’re looking for. Mastering the expressions and learning to combine them creatively is what makes one truly powerful with tcpdump. There are three main types of expression: type, dir, and proto.

Type options are host, net, and port. Direction is indicated by dir, and there you can have src, dst, src or dst, and src and dst. Here are a few that you should definitely be comfortable with:

  • host // look for traffic based on IP address (also works with hostname if you’re not using -n)

    # tcpdump host 192.168.1.4

  • src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)

    # tcpdump src 210.30.4.52
    # tcpdump dst 180.4.50.69

  • net // capture an entire network using CIDR notation

    # tcpdump net 192.168.1.0/24

  • proto // works for tcp, udp, and icmp. Note that you don’t have to type proto

    # tcpdump icmp

  • port // see only traffic to or from a certain port

    # tcpdump port 8080

  • src, dst port // filter based on the source or destination port

    # tcpdump src port 125 # tcpdump dst port 3389

  • src/dst, port, protocol // combine all three

    # tcpdump src port 25 and tcp
    # tcpdump udp and src port 53

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s