Docu review done: Thu 29 Jun 2023 12:23:41 CEST
General
tcpdump is without question the premier network analysis tool because it provides both power and simplicity in one interface.
Table of contents
- Commands
- TCP Flags
- Filter Expression
- Combinations
- Basic HTTPS traffic
- Find traffic by IP
- Filtering by Source and or Destination
- Finding Packets by Network
- Get Packet Contents with Hex Output
- Show Traffic Related to a Specific Port
- Show Traffic of One Protocol
- Show only IP6 Traffic
- Find Traffic Using Port Ranges
- Find Traffic Based on Packet Size
- Reading or Writing Captures to a pcap File
- Advanced
- Everyday Recipe Examples
Commands
| Commands | Description | 
|---|---|
| -X | Show the packet's contents in both hex and ASCII. | 
| -XX | Same as -X, but also shows the Ethernet header. | 
| -D | Show the list of available interfaces. | 
| -l | Line-buffered output (for viewing as you save, or piping to other commands). | 
| -q | Be less verbose (more quiet) with your output. | 
| -t | Give human-readable timestamp output. | 
| -tttt | Give maximally human-readable timestamp output. | 
| -i [interface] | Listen on the specified interface. | 
| -vv | Verbose output (more v's gives more output). | 
| -c [count] | Only get the given number of packets and then stop. | 
| -s | Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less. | 
| -S | Print absolute sequence numbers. | 
| -e | Get the Ethernet header as well. | 
| -q | Show less protocol information. | 
| -Q [in\|out\|inout] | Only capture packets in the given direction: in, out, or both. | 
| -E | Decrypt IPsec traffic by providing an encryption key. | 
TCP Flags
| Flag | Description | 
|---|---|
| [S] | Syn | 
| [F] | Fin | 
| [P] | Push | 
| [R] | Reset | 
| [U] | Urgent | 
| [W] | ECN (1) CWR (2) | 
| [E] | ECN (1) Echo (3) | 
| [.] | Ack | 
| [] | no flag set | 
1. Explicit Congestion Notification (ECN) is an extension to the TCP/IP protocol and is part of network congestion avoidance.
2. Congestion Window Reduced (CWR) is used to inform the destination about the reduction of the congestion window.
3. ECN-Echo is the acknowledgement flag (inside an ACK packet) of a CE (4) mark seen by the receiver.
4. Congestion Experienced (CE).
5. ECN Capable Transport (ECT).
TCP Flags sample
Here is the opening portion of an rlogin from host rtsg to host csam.
IP rtsg.1023 > csam.login: Flags [S], seq 768512:768512, win 4096, opts [mss 1024]
IP csam.login > rtsg.1023: Flags [S.], seq 947648:947648, ack 768513, win 4096, opts [mss 1024]
IP rtsg.1023 > csam.login: Flags [.], ack 1, win 4096
IP rtsg.1023 > csam.login: Flags [P.], seq 1:2, ack 1, win 4096, length 1
IP csam.login > rtsg.1023: Flags [.], ack 2, win 4096
IP rtsg.1023 > csam.login: Flags [P.], seq 2:21, ack 1, win 4096, length 19
IP csam.login > rtsg.1023: Flags [P.], seq 1:2, ack 21, win 4077, length 1
IP csam.login > rtsg.1023: Flags [P.], seq 2:3, ack 21, win 4077, urg 1, length 1
IP csam.login > rtsg.1023: Flags [P.], seq 3:4, ack 21, win 4077, urg 1, length 1
Path of the ECN Method
- The ECT (5) bit in the IP header is set by the sender to signal that ECN (1) is supported.
- A router that is able to deal with ECN (1) marks the packet while its queue fills, instead of dropping it, by adding the CE (4) flag before forwarding it.
- The receiver acknowledges the CE (4) flag and returns it in the ACK packet by setting the ECN-Echo (3) flag.
- Based on that, the sender can detect limitations in the bandwidth and acts as if it had received a packet drop, by shrinking the congestion window.
- To inform the destination that the congestion window has been reduced, the sender sends out a packet with CWR (2) set.
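As an added example (not code from the original page), the following Python renders the TCP flags byte (what the `tcp[13]` filters later on this page test) in the bracket notation tcpdump prints in the table and the rlogin sample above, parses that notation back into the byte value, and checks the ECN negotiation bits from the ECN path just described. The ECN handshake check goes slightly beyond the page: per RFC 3168 the SYN carries ECE+CWR and the SYN-ACK answers with ECE only.

```python
# Added example, not from the original page: render the TCP flags byte
# (tcp[13] in filter syntax) the way tcpdump's "Flags [...]" field does,
# and parse that notation back into the byte value.
# Bit values: FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32, ECE=64, CWR=128.
# tcpdump prints the letters in this fixed order and shows ACK as a dot,
# which is why a SYN+ACK appears as [S.] and a bare ACK as [.].
TCP_FLAG_LETTERS = [
    (0x01, "F"),  # FIN
    (0x02, "S"),  # SYN
    (0x04, "R"),  # RST
    (0x08, "P"),  # PSH
    (0x10, "."),  # ACK
    (0x20, "U"),  # URG
    (0x40, "E"),  # ECN-Echo
    (0x80, "W"),  # CWR, congestion window reduced
]


def flags_to_tcpdump(flag_byte: int) -> str:
    """0x12 -> '[S.]', 0x18 -> '[P.]', 0x10 -> '[.]', 0xC2 -> '[SEW]'."""
    if not 0 <= flag_byte <= 0xFF:
        raise ValueError("TCP flags byte must fit in 8 bits")
    letters = "".join(ch for bit, ch in TCP_FLAG_LETTERS if flag_byte & bit)
    return f"[{letters}]"          # "[]" for no flag set, as in the table above


def tcpdump_to_flags(text: str) -> int:
    """Inverse: '[S.]' -> 18, the value a filter such as tcp[13] = 18 tests."""
    text = text.strip()
    if not (text.startswith("[") and text.endswith("]")):
        raise ValueError("expected a bracketed flag string such as [S.]")
    by_letter = {ch: bit for bit, ch in TCP_FLAG_LETTERS}
    value = 0
    for ch in text[1:-1]:
        if ch not in by_letter:
            raise ValueError(f"unknown flag letter {ch!r}")
        value |= by_letter[ch]
    return value


def ecn_negotiated(syn_flags: int, synack_flags: int) -> bool:
    """RFC 3168 handshake: SYN sets ECE+CWR, the SYN-ACK replies with ECE only."""
    return (syn_flags & 0xC0) == 0xC0 and (synack_flags & 0xC0) == 0x40
```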
Filter expression
The filter expression consists of one or more primitives. Primitives usually consist of an id (name or number) preceded by one or more qualifiers (type, dir and proto).
For more details have a look at man pcap-filter.
type Qualifier
type qualifiers say what kind of thing the id name or number refers to.
If there is no type qualifier, host is assumed.
- host
- net
- port
- portrange
dir Qualifier
dir qualifiers specify a particular transfer direction to and/or from id.
If there is no dir qualifier, src or dst is assumed.
The ra, ta, addr1, addr2, addr3, and addr4 qualifiers are only valid for IEEE 802.11 Wireless LAN link layers.
- src
- dst
- src or dst
- src and dst
- ra
- ta
- addr1
- addr2
- addr3
- addr4
proto Qualifier
proto qualifiers restrict the match to a particular protocol.
If there is no proto qualifier, all protocols consistent with the type are assumed.
- ether
- fddi
- tr
- wlan
- ip
- ip6
- arp
- rarp
- decnet
- tcp
- udp
Combinations
Being able to do these various things individually is powerful, but the real magic of tcpdump comes from the ability to combine options in creative ways in order to isolate exactly what you’re looking for. There are three ways to do combinations, and if you’ve studied programming at all they’ll be pretty familiar to you.
AND
and or &&
OR
or or ||
NOT
not or !
Combining combinations
You can of course combine combinations as written above. There are several ways to do so; let's make three examples.
- You can just add them one after the other like this.
The first command captures packets for IP 127.0.0.1 and port 22; the second one captures either of two IPs instead of an IP and a port.
$ tcpdump -i any host 127.0.0.1 and port 22
$ tcpdump -i any host 127.0.0.1 or host 192.168.0.2
- You can also combine multiple different combinations.
This captures the two networks and excludes the 192.168.0.10 address as well.
$ tcpdump -i any net 192.168.0.0/24 or net 172.24.0.0/24 and not 192.168.0.10
- You can also group combinations and combine these groups with other combinations.
Let's assume 192.168.0.2 is the IP of the host where you are running tcpdump.
This filter captures both networks but does not show the host's own traffic on port 443.
$ tcpdump -i any net 192.168.0.0/24 or net 172.24.0.0/24 and not \(host 192.168.0.2 and port 443\)
Basic HTTPS traffic
This shows some HTTPS traffic, with a hex display visible on the right portion of the output (alas, it's encrypted). Just remember: when in doubt, run the command below with the port you're interested in, and you should be on your way.
Command:
$ tcpdump -nnSX port 443
Output:
04:45:40.573686 IP 78.149.209.110.27782 > 172.30.0.144.443: Flags [.], ack 278239097, win 28, options [nop,nop,TS val 939752277 ecr 1208058112], length 0
    0x0000:  4500 0034 0014 0000 2e06 c005 4e8e d16e  E..4........N..n
    0x0010:  ac1e 0090 6c86 01bb 8e0a b73e 1095 9779  ....l......>...y
    0x0020:  8010 001c d202 0000 0101 080a 3803 7b55  ............8.{U
    0x0030:  4801 8100
Find traffic by IP
One of the most common queries: using host, you can see traffic that's going to or from 1.1.1.1.
Command:
$ tcpdump host 1.1.1.1
Output:
06:20:25.593207 IP 172.30.0.144.39270 > one.one.one.one.domain: 12790+ A? google.com. (28)
06:20:25.594510 IP one.one.one.one.domain > 172.30.0.144.39270: 12790 1/0/0 A 172.217.15.78 (44)
Filtering by Source and or Destination
If you only want to see traffic in one direction or the other, you can use src and dst.
Command:
$ tcpdump src 192.168.0.1
$ tcpdump dst 192.168.0.1
Src Dst combined with
Finding Packets by Network
To find packets going to or from a particular network or subnet, use the net option.
Command:
$ tcpdump net 192.168.0.0/24
Get Packet Contents with Hex Output
Hex output is useful when you want to see the content of the packets in question, and it's often best used when you're isolating a few candidates for closer scrutiny.
Command:
$ tcpdump -c 1 -X icmp
Show Traffic Related to a Specific Port
You can find specific port traffic by using the port option followed by the port number.
Command:
$ tcpdump port 3389
$ tcpdump src port 1025
Show Traffic of One Protocol
If you're looking for one particular kind of traffic, you can use tcp, udp, icmp, and many others as well.
Command:
$ tcpdump icmp
Show only IP6 Traffic
You can also find all IPv6 traffic using the protocol option.
Command:
$ tcpdump ip6
Find Traffic Using Port Ranges
You can also use a range of ports to find traffic.
Command:
$ tcpdump portrange 21-23
Find Traffic Based on Packet Size
If you're looking for packets of a particular size you can use these options. You can use less, greater, or the comparison operators you would expect from mathematics applied to the packet length (len).
Command:
$ tcpdump less 32
$ tcpdump greater 64
$ tcpdump 'len <= 128'
Reading or Writing Captures to a pcap File
It’s often useful to save packet captures into a file for analysis in the future. These files are known as PCAP (PEE-cap) files, and they can be processed by hundreds of different applications, including network analyzers, intrusion detection systems, and of course by tcpdump itself. Here we’re writing to a file called capture_file using the -w switch.
Command:
$ tcpdump port 80 -w capture_file
You can read PCAP files by using the -r switch. Note that you can use all the regular commands within tcpdump while reading in a file; you’re only limited by the fact that you can’t capture and process what doesn’t exist in the file already.
Command:
$ tcpdump -r capture_file
Advanced
Raw Output View
Use this combination to see verbose output, with no resolution of hostnames or port numbers, using absolute sequence numbers, and showing human-readable timestamps.
$ tcpdump -ttnnvvS
From specific IP and destined for a specific Port
Let's find all traffic from 10.5.2.3 going to any host on port 3389.
Command:
$ tcpdump -nnvvS src 10.5.2.3 and dst port 3389
From One Network to Another
Let’s look for all traffic coming from 192.168.x.x and going to the 10.x or 172.16.x.x networks, and we’re showing hex output with no hostname resolution and one level of extra verbosity.
Command:
$ tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16
Non ICMP Traffic Going to a Specific IP
This will show us all traffic going to 192.168.0.2 that is not ICMP.
Command:
$ tcpdump dst 192.168.0.2 and not icmp
Traffic From a Host That Is Not on a Specific Port
This will show us all traffic from a host that is not SSH traffic (assuming default port usage).
Command:
$ tcpdump -vv src mars and not dst port 22
As you can see, you can build queries to find just about anything you need. The key is to first figure out precisely what you’re looking for and then to build the syntax to isolate that specific type of traffic.
Keep in mind that when you're building complex queries you might have to group your options using single quotes. Single quotes keep the shell from interpreting certain special characters, in the case below the "( )" parentheses, so they reach tcpdump unchanged. This same technique can be used to group other expressions such as host, port, net, etc.
$ tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'
Isolate TCP Flags
You can also use filters to isolate packets with specific TCP flags set.
Isolate TCP RST flag
$ tcpdump 'tcp[13] & 4!=0'
$ tcpdump 'tcp[tcpflags] == tcp-rst'
Isolate TCP SYN flags
$ tcpdump 'tcp[13] & 2!=0'
$ tcpdump 'tcp[tcpflags] == tcp-syn'
Isolate packets that have both the SYN and ACK flags set
$ tcpdump 'tcp[13]=18'
Isolate TCP URG flags
$ tcpdump 'tcp[13] & 32!=0'
$ tcpdump 'tcp[tcpflags] == tcp-urg'
Isolate TCP ACK flags
$ tcpdump 'tcp[13] & 16!=0'
$ tcpdump 'tcp[tcpflags] == tcp-ack'
Isolate TCP PSH flags
$ tcpdump 'tcp[13] & 8!=0'
$ tcpdump 'tcp[tcpflags] == tcp-psh'
Isolate TCP FIN flags
$ tcpdump 'tcp[13] & 1!=0'
$ tcpdump 'tcp[tcpflags] == tcp-fin'
Everyday Recipe Examples
Finally, now that we have the theory out of the way, here are a number of quick recipes you can use for catching various kinds of traffic.
Both SYN and RST Set
$ tcpdump 'tcp[13] = 6'
Find HTTP User Agents
$ tcpdump -vvAls0 | grep 'User-Agent:'
Cleartext GET Requests
$ tcpdump -vvAls0 | grep 'GET'
Find HTTP Host Headers
$ tcpdump -vvAls0 | grep 'Host:'
Find HTTP Cookies
$ tcpdump -vvAls0 | grep -E 'Set-Cookie|Host:|Cookie:'
Find SSH Connections
This one works regardless of what port the connection comes in on, because it’s getting the banner response.
$ tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'
Find DNS Traffic
$ tcpdump -vvAs0 port 53
Find FTP Traffic
$ tcpdump -vvAs0 port ftp or ftp-data
Find NTP Traffic
$ tcpdump -vvAs0 port 123
Find Cleartext Passwords
$ tcpdump -lA port http or port ftp or port smtp or port imap or port pop3 or port telnet | grep -E -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd= |password=|pass:|user:|username:|password:|login:|pass |user '
Find traffic with evil bit
There's a bit in the IP header that never gets set by legitimate applications, which we call the "Evil Bit" (the reserved high bit of the flags field, ip[6] & 128). Here's a fun filter to find packets where it's been toggled.
$ tcpdump 'ip[6] & 128 != 0'
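The byte-offset filters above (the tcp[13] flag tests, tcp[13] = 18 / = 6, the SSH banner match tcp[(tcp[12]>>2):4] = 0x5353482D and the evil bit ip[6] & 128) all index raw header bytes. As an added example that is not part of the original page, the following Python builds constructed IPv4/TCP packets and evaluates the same expressions on them, so you can see exactly which bytes each filter reads; addresses, ports and the banner payload are made-up sample values.

```python
import struct

# Added example, not code from the original page: constructed IPv4/TCP packets
# plus Python equivalents of the byte-offset filters tcp[13] & mask,
# tcp[13] = value, tcp[(tcp[12]>>2):4] = 0x5353482D and ip[6] & 128 != 0.
SYN_ACK, SYN_RST, RST_MASK = 18, 6, 4
SSH_BANNER = 0x5353482D          # the four ASCII bytes "SSH-"


def build_packet(tcp_flags: int, payload: bytes = b"", evil: bool = False,
                 tcp_options: bytes = b"") -> bytes:
    """Minimal IPv4 + TCP datagram (checksums left zero; the filters ignore them)."""
    tcp_options += b"\x00" * (-len(tcp_options) % 4)     # pad options to 32-bit words
    data_offset = 5 + len(tcp_options) // 4                # TCP header length in words
    tcp = struct.pack("!HHIIBBHHH", 1023, 22, 768512, 0,   # sample ports/seq (constructed)
                      data_offset << 4, tcp_flags, 4096, 0, 0) + tcp_options + payload
    # ip[6] is the high byte of flags/fragment-offset: bit 7 is the reserved
    # "evil" bit (RFC 3514), bit 6 is DF, bit 5 is MF.
    frag_word = (0x8000 if evil else 0) | 0x4000           # DF set, as most stacks do
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x0014, frag_word,
                     64, 6, 0, bytes([192, 168, 0, 2]), bytes([192, 168, 0, 10]))
    return ip + tcp


def tcp_byte(pkt: bytes, i: int) -> int:
    ihl = (pkt[0] & 0x0F) * 4          # tcp[i] is relative to the TCP header, which
    return pkt[ihl + i]                # starts after the (possibly extended) IP header


def tcp_flag_set(pkt: bytes, mask: int) -> bool:
    return tcp_byte(pkt, 13) & mask != 0       # e.g. 'tcp[13] & 4 != 0' matches any RST


def tcp_flags_exactly(pkt: bytes, value: int) -> bool:
    return tcp_byte(pkt, 13) == value          # e.g. 'tcp[13] = 18': SYN+ACK and nothing else


def is_ssh_banner(pkt: bytes) -> bool:
    """'tcp[(tcp[12]>>2):4] = 0x5353482D': tcp[12]>>2 is the data offset in bytes,
    so the 4-byte load lands on the first payload bytes whatever TCP options are present."""
    start = (pkt[0] & 0x0F) * 4 + (tcp_byte(pkt, 12) >> 2)
    if len(pkt) < start + 4:
        return False                           # BPF also fails an out-of-bounds load
    return struct.unpack("!I", pkt[start:start + 4])[0] == SSH_BANNER


def has_evil_bit(pkt: bytes) -> bool:
    return pkt[6] & 128 != 0                   # 'ip[6] & 128 != 0'
```

The SSH match keys on the banner bytes rather than the port, which is why the recipe above catches SSH on any port; a banner split across segments or a non-SSH payload that happens to begin with "SSH-" are the two cases it misjudges.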
Remove ARP packets from capture
ARP chatter can drown out what you are looking for on a busy segment. Negating the protocol excludes it from the capture.
$ tcpdump -i any not arp