Docu review done: Thu 29 Jun 2023 12:23:41 CEST

General

tcpdump is without question the premier network analysis tool because it provides both power and simplicity in one interface.

Table of content

Commands

CommandsDescription
-XShow the packet’s contents in both hex and ascii.
-XXSame as -X, but also shows the ethernet header.
-DShow the list of available interfaces
-lLine-readable output (for viewing as you save, or sending to other commands)
-qBe less verbose (more quiet) with your output.
-tGive human-readable timestamp output.
-ttttGive maximally human-readable timestamp output.
-i [interface]Listen on the specific interface.
-vvVerbose output (more v’s gives more output).
-cOnly get x number of packets and then stop.
-sDefine the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
-SPrint absolute sequence numbers.
-eGet the ethernet header as well.
-qShow less protocol information.
`-Q [inout
-EDecrypt IPSEC traffic by providing an encryption key.

TCP Flags

FlagDescription
[S]Syn
[F]Fin
[P]Push
[R]Reset
[U]Urgent
[W]ECN1 CWR2
[E]ECN1-Echo3
[.]Ack
[]no flag set
1

Explicit Congestion Notification (ECN) - is an extention to the TCP/IP protocol and is part of the network congestion avoidance

2

Congestion Window Reduction (CWR) - is used to inform the destiatnion about the reduction of the congestion window.

3

Is the acknowledment flag (inside of a ACK package) of a CE4 flag from the receiver.

4

Congestion Experienced

5

ECN Capabel Transport

TCP Flags sample

Here is the opening portion of an rlogin from host rtsg to host csam.

IP rtsg.1023 > csam.login: Flags [S], seq 768512:768512, win 4096, opts [mss 1024]
IP csam.login > rtsg.1023: Flags [S.], seq, 947648:947648, ack 768513, win 4096, opts [mss 1024]
IP rtsg.1023 > csam.login: Flags [.], ack 1, win 4096
IP rtsg.1023 > csam.login: Flags [P.], seq 1:2, ack 1, win 4096, length 1
IP csam.login > rtsg.1023: Flags [.], ack 2, win 4096
IP rtsg.1023 > csam.login: Flags [P.], seq 2:21, ack 1, win 4096, length 19
IP csam.login > rtsg.1023: Flags [P.], seq 1:2, ack 21, win 4077, length 1
IP csam.login > rtsg.1023: Flags [P.], seq 2:3, ack 21, win 4077, urg 1, length 1
IP csam.login > rtsg.1023: Flags [P.], seq 3:4, ack 21, win 4077, urg 1, length 1

Path of ENC Method

  • ETC5 bit (IP header) gets sets by sender to provie that ECN1 is supported.
  • A router which is abel to deal with ECN1 will create a package, while the cache fills, instead of dropping it and add the CE4 flag before forwarding it.
  • The receiver acks the CE4 flag and returns this during the ACK package by setting the ECN1-Echo3 flag.
  • Based ont hat the sender can detect limitations in the bandwith and acts like it would have received a Package Drop by shrinking the congestion windows.
  • To inform the destination that the congestion window gots reduced, the sender send out a package with the CWR2.

Filter expression

The filter expression consists of one or more primitives. Primitives usually consist of an id (name or number) preceded by one or more qualifiers (type, dir and proto).

For mor details you can have a look a man pcap-filter

type Qualifier

type qualifiers say what kind of thing the id name or number refers to

If there is no type qualifier, host is assumed

  • host
  • net
  • port
  • portrange

dir Qualifier

dir qualifiers specify a particular transfer direction to and/or from id

If therreis no dir qualifier src or dst is assumed. The ra, ta, addr1, addr2, addr3, and addr4 qualifiers are only valid for IEEE 802.11 Wireless LAN link layers.

  • src
  • dst
  • src or dst
  • src and dst
  • ra
  • ta
  • addr1
  • addr2
  • addr3
  • addr4

proto Qualifier

proto qualifiers restrict the match to a particular protocol.

If there is no proto qualifier, all protocols consistent with the type are assumed.

  • ether
  • fddi
  • tr
  • wlan
  • ip
  • ip6
  • arp
  • rarp
  • decnet
  • tcp
  • udp

Combinations

Being able to do these various things individually is powerful, but the real magic of tcpdump comes from the ability to combine options in creative ways in order to isolate exactly what you’re looking for. There are three ways to do combinations, and if you’ve studied programming at all they’ll be pretty familiar to you.

AND

and or &&

OR

or or ||

NOT

not or !

Combinding combinations

You can of course combind combinations as written above. There are several ways to do so, lets just make three examples

  1. You can just add them one after the other like this

By running these you will capture packages for ip 127.0.0.1 and port 22 or for the second one instead of the port an additional ip

$ tcpdump -i any host 127.0.0.1 and port 22
$ tcpdump -i any host 127.0.0.1 or host 192.168.0.2
  1. You can also combine different multible combinations

This will on the two networks and exclude the 192.168.0.10 address as well

$ tcpdump -i any net 192.168.0.0/24 or net 172.24.0.0/24 and not 192.168.0.10
  1. You can also group combinations and combine these groups with other combinations

Lets assume the 192.168.0.2 is the ip of your host where you are running the tcpdump. This filter will capture both networks but will not display results for himself and port 443

$ tcpdump -i any net 192.168.0.0/24 or net 172.24.0.0/24 and not \(host 192.168.0.2 and port 443\)

Basic HTTPS trafic

This showed some HTTPS traffic, with a hex display visible on the right portion of the output (alas, it’s encrypted). Just remember—when in doubt, run the command above with the port you’re interested in, and you should be on your way

Command:

$ tcpdump -nnSX port 443

Output:

04:45:40.573686 IP 78.149.209.110.27782 > 172.30.0.144.443: Flags [.], ack
278239097, win 28, options [nop,nop,TS val 939752277 ecr 1208058112], length 0
    0x0000:  4500 0034 0014 0000 2e06 c005 4e8e d16e  E..4........N..n
    0x0010:  ac1e 0090 6c86 01bb 8e0a b73e 1095 9779  ....l......>...y
    0x0020:  8010 001c d202 0000 0101 080a 3803 7b55  ............8.{U
    0x0030:  4801 8100

Find trafic by ip

One of the most common queries, using host, you can see traffic that’s going to or from 1.1.1.1

Command:

$ tcpdump host 1.1.1.1

Output:

06:20:25.593207 IP 172.30.0.144.39270 > one.one.one.one.domain:
12790+ A? google.com.
(28) 06:20:25.594510 IP one.one.one.one.domain > 172.30.0.144.39270:
12790 1/0/0 A 172.217.15.78 (44)

Filtering by Source and or Destination

If you only want to see traffic in one direction or the other, you can use src and dst

Command:

$ tcpdump src 192.168.0.1
$ tcpdump dst 192.168.0.1

Src Dst combined with

Finding Packets by Network

To find packets going to or from a particular network or subnet, use the net option

Command:

$ tcpdump net 192.168.0.0/24

Get Packet Contents with Hex Output

Hex output is useful when you want to see the content of the packets in question, and it’s often best used when you’re isolating a few candidates for closer scrutiny

Command:

$ tcpdump -c 1 -X icmp

Show Traffic Related to a Specific Port

You can find specific port traffic by using the port option followed by the port number

Command:

$ tcpdump port 3389
$ tcpdump src port 1025

Show Traffic of One Protocol

If you’re looking for one particular kind of traffic, you can use tcp, udp, icmp, and many others as well

Command:

$ tcpdump icmp

Show only IP6 Traffic

You can also find all IP6 traffic using the protocol option

Command:

$ tcpdump ip6

Find Traffic Using Port Ranges

You can also use a range of ports to find traffic

Command:

$ tcpdump portrange 21-23

Find Traffic Based on Packet Size

If you’re looking for packets of a particular size you can use these options. You can use less, greater, or their associated symbols that you would expect from mathematics.

Command:

$ tcpdump less 32
$ tcpdump greater 64
$ tcpdump <= 128

Reading or Writing Captures to a pcap File

It’s often useful to save packet captures into a file for analysis in the future. These files are known as PCAP (PEE-cap) files, and they can be processed by hundreds of different applications, including network analyzers, intrusion detection systems, and of course by tcpdump itself. Here we’re writing to a file called capture_file using the -w switch.

Command:

$ tcpdump port 80 -w capture_file

You can read PCAP files by using the -r switch. Note that you can use all the regular commands within tcpdump while reading in a file; you’re only limited by the fact that you can’t capture and process what doesn’t exist in the file already.

Command:

$ tcpdump -r capture_file

Advanced

Raw Output View

Use this combination to see verbose output, with no resolution of hostnames or port numbers, using absolute sequence numbers, and showing human-readable timestamps.

$ tcpdump -ttnnvvS

From specific IP and destined for a specific Port

Let’s find all traffic from 10.5.2.3 going to any host on port 3389

Command:

$ tcpdump -nnvvS src 10.5.2.3 and dst port 3389

From One Network to Another

Let’s look for all traffic coming from 192.168.x.x and going to the 10.x or 172.16.x.x networks, and we’re showing hex output with no hostname resolution and one level of extra verbosity.

Command:

$ tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16

Non ICMP Traffic Going to a Specific IP

This will show us all traffic going to 192.168.0.2 that is not ICMP.

Command:

$ tcpdump dst 192.168.0.2 and src net and not icmp

Traffic From a Host That Is Not on a Specific Port

This will show us all traffic from a host that is not SSH traffic (assuming default port usage).

Command:

$ tcpdump -vv src mars and not dst port 22

As you can see, you can build queries to find just about anything you need. The key is to first figure out precisely what you’re looking for and then to build the syntax to isolate that specific type of traffic.

Keep in mind that when you’re building complex queries you might have to group your options using single quotes. Single quotes are used in order to tell tcpdump to ignore certain special characters—in this case below the “( )” brackets. This same technique can be used to group using other expressions such as host, port, net, etc.

$ tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'

Isolate TCP Flags

You can also use filters to isolate packets with specific TCP flags set.

Isolate TCP RST flag

$ tcpdump 'tcp[13] & 4!=0'
$ tcpdump 'tcp[tcpflags] == tcp-rst'

Isolate TCP SYN flags

$ tcpdump 'tcp[13] & 2!=0'
$ tcpdump 'tcp[tcpflags] == tcp-syn'

Isolate packets that have both the SYN and ACK flags set

$ tcpdump 'tcp[13]=18'

Isolate TCP URG flags

$ tcpdump 'tcp[13] & 32!=0'
$ tcpdump 'tcp[tcpflags] == tcp-urg'

Isolate TCP ACK flags

$ tcpdump 'tcp[13] & 16!=0'
$ tcpdump 'tcp[tcpflags] == tcp-ack'

Isolate TCP PSH flags

$ tcpdump 'tcp[13] & 8!=0'
$ tcpdump 'tcp[tcpflags] == tcp-psh'

Isolate TCP FIN flags

$ tcpdump 'tcp[13] & 1!=0'
$ tcpdump 'tcp[tcpflags] == tcp-fin'

Everyday Recipe Examples

Finally, now that we the theory out of the way, here are a number of quick recipes you can use for catching various kinds of traffic.

Both SYN and RST Set

$ tcpdump 'tcp[13] = 6'

Find HTTP User Agents

$ tcpdump -vvAls0 | grep 'User-Agent:'

Cleartext GET Requests

$ tcpdump -vvAls0 | grep 'GET'

Find HTTP Host Headers

$ tcpdump -vvAls0 | grep 'Host:'

Find HTTP Cookies

$ tcpdump -vvAls0 | grep 'Set-Cookie|Host:|Cookie:'

Find SSH Connections

This one works regardless of what port the connection comes in on, because it’s getting the banner response.

$ tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'

Find DNS Traffic

$ tcpdump -vvAs0 port 53

Find FTP Traffic

$ tcpdump -vvAs0 port ftp or ftp-data

Find NTP Traffic

$ tcpdump -vvAs0 port 123

Find Cleartext Passwords

$ tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -lA | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd= |password=|pass:|user:|username:|password:|login:|pass |user '

Find traffic with evil bit

There’s a bit in the IP header that never gets set by legitimate applications, which we call the “Evil Bit”. Here’s a fun filter to find packets where it’s been toggled.

$ tcpdump 'ip[6] & 128 != 0'

Remove arp packages from capture

There’s a bit in the IP header that never gets set by legitimate applications, which we call the “Evil Bit”. Here’s a fun filter to find packets where it’s been toggled.

$ tcpdump -i any not arp