Tcpdump Masterclass

From NetworkStuff

This masterclass article provides in-depth technical information on the installation, usage and operation of the classic, very popular tcpdump program including; alternatives, running tcpdump as a process, building expressions, understanding output and more.

Contents 1 Precautions 2 Installation 3 Availability 4 Linux Alternatives 5 Windows Equivalents 6 Usage Syntax 7 Running tcpdump As A Process (Unattended Captures) 8 Specifying An Interface 9 Parameters 9.1 Writing To a File 9.2 Restricting The Number Of Packets Captured 9.3 Reading From a File 9.4 Quick Mode 9.5 Verbose Mode 9.6 Capturing Link Level (Layer 2 - Data Link) Headers 9.7 Capturing Packet Contents - Format 9.8 Capturing Packet Contents - How Much? 9.9 Disabling DNS Lookups 10 Expressions 10.1 Single Host 10.2 Multiple Hosts 10.3 Single Network 10.4 Multiple Networks 10.5 Specific UDP or TCP Port(s) 10.6 UDP Only Packets 10.7 TCP Only Packets 10.8 Packet Size 10.9 Spanning Tree Protocol 10.10 Address Resolution Protocol 10.11 ICMP 10.12 TCP Flags 11 Understanding Output 12 Decrypting/Decoding SSL/TLS 13 Related Files 14 Further Information

Precautions

tcpdump output can be considerable if the network traffic your expression defines is in heavy use, particularly if you are capturing more than the default 64 bytes of packet content.

Capturing packets, for example, related to a large file transfer or a web server being actively used by hundreds or thousands of clients will produce an overwhelming amount of output. If writing this output to stdout you will probably be unable to enter commands in your terminal, if writing to a file you may exhaust the host's disk space. In either case tcpdump is also likely to consume a great deal of CPU and memory resources.

To avoid these issues;

• Be very careful when specifying expressions and try to make them as specific as possible

• Don't capture during times of heavy traffic/load

• If you wish to capture entire packet contents, do a test capture only capturing the default 64Bytes first and make a judgement on whether the system will cope with the full packet content capture

• Where writing to disk, carefully monitor the size of the file and ensure the host in question has the likely disk resources required available, or use the -c parameter to limit the number of packets captured.

• Never use an expression that would capture traffic to or from your remote telnet/SSH/whatever terminal/shell. tcpdump output would generate traffic to your terminal, resulting in further output, resulting in more traffic to your terminal and so on in an infinite and potentially harmful feedback loop.

Installation

tcpdump can be installed or upgraded as follows, depending on your platform;

• Ubuntu: apt-get install tcpdump
• Fedora Core: yum install tcpdump
• FreeBSD: pkg_add -v -r tcpdump

Availability

tcpdump is only available for Unix/Linux.

Linux Alternatives

For capturing and decrypting/decoding SSL/TLS packets and data at the CLI, ssldump can be used: http://www.rtfm.com/ssldump/

The tshark and dumpcap CLI programs which are a part of Wireshark or of course, Wireshark itself.

ngrep

Windows Equivalents

WinDump has equivalent functionality and runs in a Windows command prompt: http://www.mirrorservice.org/sites/ftp.wiretapped.net/pub/security/packet-capture/winpcap/windump/. WinDump requires WinPcap which can be obtained here: http://www.winpcap.org/install/default.htm. Command syntax is exactly the same as tcpdump, but some older version, most options and syntax detailed in this article will work.

The tshark and dumpcap command prompt programs which are a part of Wireshark or of course, Wireshark itself.

Usage Syntax

tcpdump [-i interface] [parameter(s)] [expression(s)]

Running tcpdump As A Process (Unattended Captures)

You can use the nohup command and the shell function & to run tcpdump as a background process that will continue running even if the terminal/shell it is launched from is closed. This is very useful for running unattended captures and in situations where, for instance, an SSH shell is terminated after a period of inactivity.

Use following command syntax;

nohup tcpdump [-i interface] [parameters] -w [dir/]filename [expression(s)] &

Note: Output must be written to a file using the -w option.

Specifying An Interface

-i interface

You do not need to specify the interface if you wish to capture traffic on the lowest numbered, configured interface on the system (often eth0.) Loopback interfaces are ignored.

For Linux, use the ifconfig command to display information on interfaces available to the system, but note this command limits the display of interface names to 9 characters. Alternatively, use the ip link command which displays names up to 255 characters long.

On Linux systems with kernel 2.2 or later an interface argument of any is supported. This captures packets from all interfaces but not in promiscuous mode.

Parameters

Writing To a File

-w [dir/]file_name

Warning: Writing to a file you may exhaust the host's disk space if a great deal of traffic is being captured. To avoid this issue ensure you do one of the following;

• Test your capture first, without saving to a file and ensure your expression(s) are specific enough that an excessive amount of traffic is not being captured
• Monitor the size of the specified file
• Use the -c parameter to restrict the capture to a specific number of packets, as detailed in the next section

Notes;

• The file format used is libpcap

• If you specify the name of an existing file it will be overwritten without warning!

• If two or more instances of tcpdump specify the same output file, only the output of the last instance started will be recorded to the file

Restricting The Number Of Packets Captured

-c nn

This option will restrict the packets captured to the number specified by nn. Using this option is particularly sensible to avoid issues when;

• You expect a great deal of output (and may be unable to stop the capture)
• You are writing the capture to a file and want to be sure you do not exhaust the host's disk space
• You are running an unattended capture

Reading From a File

-r [dir/]file_name

This option will display the entire contents of the file, without pause, so you may want to use the more or less commands to control and 'browse' the output in an orderly way.

Quick Mode

-q - display only time, source address and port, destination address and port, protocol (tcp/udp,) data (not packet) length and whether the DF bit is set or not. This parameter is very good at ensuring all data for a packet displays on a single line of output.

14:04:10.381763 10.68.5.122.10050 > 10.68.5.9.49702: tcp 0 (DF)

Without -q;

14:04:17.370776 10.68.5.122.10050 > 10.68.5.9.49761: S 3293224573:3293224573(0) ack 1427800123 win 16384 <mss 1460,nop,
wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>

Verbose Mode

-v - include flags (such as DF,) TTL, packet length

14:05:04.395870 10.68.5.122.10050 > 10.68.5.9.50187: P 1449:1700(251) ack 23 win 65513 <nop,nop,timestamp 5953631 522357663> 
(DF) (ttl 128, id 7979, len 303)

-vv, -vvv

Capturing Link Level (Layer 2 - Data Link) Headers

-e

This option will display link level information not displayed by default. Below are two example captures, the first without this option specified, the second with;

tcpdump -i vlan2 host 10.68.5.9 and icmp;

12:39:08.589829 10.68.5.9 > 10.68.5.121: icmp: echo request (DF)
12:39:08.590352 10.68.5.121 > 10.68.5.9: icmp: echo reply (DF)

tcpdump -i vlan2 -e host 10.68.5.9 and icmp;

12:38:53.660102 0:1:d7:57:3:c8 0:21:5a:45:57:42 ip 54: 10.68.5.9 > 10.68.5.121: icmp: echo request (DF)
12:38:53.660629 0:21:5a:45:57:42 0:1:d7:57:3:c8 ip 60: 10.68.5.121 > 10.68.5.9: icmp: echo reply (DF)

Note the additional MAC address, layer 3 protocol and packet length information displayed.

Capturing Packet Contents - Format

-x - display packet contents in Hex

-X - display packet contents in both Hex and ASCII

Below are two example captures, the first with -x specified, the second with -X;

tcpdump -i vlan28 -x host 10.68.5.9 and icmp;

12:52:03.577960 10.68.5.9 > 10.68.5: icmp: echo request (DF)
                         4500 0028 0000 4000 4001 4902 c0a8 3809
                         c0a8 3879 0800 7f87 effd ed06 4001 c71f
                         c0a8 3828 7078 2b09
12:52:03.578493 10.68.5.121 > 10.68.5.9: icmp: echo reply (DF)
                         4500 0028 42db 4000 8001 c626 c0a8 3879
                         c0a8 3809 0000 8787 effd ed06 4001 c71f
                         c0a8 3828 7078 2b09 0000 0000 0000

tcpdump -i vlan28 -X host 10.68.5.9 and icmp;

12:52:13.577833 10.68.5.9 > 10.68.5.121: icmp: echo request (DF)
0x0000   4500 0028 0000 4000 4001 4902 c0a8 3809        E..(..@.@.I...8.
0x0010   c0a8 3879 0800 3683 3904 ed06 4001 c71d        ..8y..6.9...@...
0x0020   c0a8 3828 7078 2b09                            ..8(px+.
12:52:13.578348 10.68.5.121 > 10.68.5.9: icmp: echo reply (DF)
0x0000   4500 0028 44bb 4000 8001 c446 c0a8 3879        E..(D.@....F..8y
0x0010   c0a8 3809 0000 3e83 3904 ed06 4001 c71d        ..8...>.9...@...
0x0020   c0a8 3828 7078 2b09 0000 0000 0000             ..8(px+.......

Both these options display the first 68 bytes of each packet only by default unless the -s option is used, see below;

Note: This option is not necessary if you are writing the capture to a file, this option only applies when using tcpdump to display packets in real time or from a capture file.

Capturing Packet Contents - How Much?

-s bytes - capture the specified number of bytes of each packet (default is 68.)

Note: Use -s 0 to capture the entirety of every packet, regardless of size.

Disabling DNS Lookups

-n -

Expressions

Use expressions to limit or filter what is actually captured. Valid operators include and (&), or and not (!).

Single Host

One Way: src 1.1.1.1 - capture traffic from the specified source only

One Way: dst 1.1.1.1 - capture traffic to the specified destination only

Two Way: host 1.1.1.1 - capture traffic destined to and sourced from the specified host only

Multiple Hosts

One Way: src 1.1.1.1 or 1.1.1.2 - capture traffic from the specified sources only

One Way: dst 1.1.1.1 or 1.1.1.2 - capture traffic to either of the specified destinations only

Two Way: host 1.1.1.1 or host 1.1.1.2 - capture traffic destined to and sourced from either of the specified hosts only

Two Way: host 1.1.1.1 and host 1.1.1.2 - capture traffic between the specified two hosts only

Single Network

One Way: src net 1.1.1.0/24

One Way: dst net 1.1.1.0/24

Two Way: src or dst net 1.1.1.0/24

Multiple Networks

One Way: src net 1.1.1.0/24 or 2.2.2.0/24

One Way: dst net 1.1.1.0/24 or 2.2.2.0/24

Two Way: src or dst net 1.1.1.0/24 or 2.2.2.0/24

Specific UDP or TCP Port(s)

[udp | tcp] [src | dst] port port-number - specify a protocol, source or destination port and port number;

• If udp or tcp is not specified, traffic will be captured if the port is used with either UDP or TCP
• If src or dst is not specified, traffic will be captured if the specified port is used as either a source or destination

UDP Only Packets

To capture only UDP packets, use the expression udp.

An example would be good.

TCP Only Packets

To capture only TCP packets, use the expression tcp.

An example would be good.

Packet Size

less length - specify a packet size equal to or less than length in bytes

greater length - specify a packet size equal to or greater than length in bytes

Spanning Tree Protocol

To capture Spanning Tree Protocol (STP) frames only, ignore the tcpdump man page which suggests ether proto stp, simply use the expression stp. To exclude STP packets, use ! stp.

Address Resolution Protocol

To capture Address Resolution Protocol (ARP) packets only, ignore the tcpdump man page which suggests ether proto arp, simply use the expression arp. To exclude ARP packets, use ! arp.

ICMP

To capture Internet Control Message Protocol (ICMP) frames only, ignore the tcpdump man page which suggests ether proto icmp, simply use the expression icmp. To exclude icmp packets, use ! icmp.

TCP Flags

[13] is the TCP packet octet to be inspected.

Show me all URG packets:

1. tcpdump 'tcp[13] & 32 != 0'

Show me all ACK packets:

1. tcpdump 'tcp[13] & 16 != 0'

Show me all PSH packets:

1. tcpdump 'tcp[13] & 8 != 0'

Show me all RST packets:

1. tcpdump 'tcp[13] & 4 != 0'

Show me all SYN packets:

1. tcpdump 'tcp[13] & 2 != 0'

Show me all FIN packets:

1. tcpdump 'tcp[13] & 1 != 0'

Show me all SYN-ACK packets:

1. tcpdump 'tcp[13] = 18'

Understanding Output

. is an ACK

S is a SYN

Decrypting/Decoding SSL/TLS

tcpdump can capture but not decrypt or decode SSL/TLS packet data.

To do this, either;

• Use a real-time tool such as ssldump (available at: http://www.rtfm.com/ssldump/)

• Write your capture to a file and use a tool such as Wireshark (available at: http://www.wireshark.org) to decode the packet data instead. See the Using Wireshark to Decrypt SSL/TLS Packet Data article for information on how to do this.

In either case, you will need the SSL/TLS private key.

Related Files

The tcpdump executable is normally found here: /usr/sbin/tcpdump

Further Information

The tcpdump/libpcap website: http://www.tcpdump.org/

The Wikipedia entry for tcpdump: http://en.wikipedia.org/wiki/Tcpdump

We really do appreciate all feedback so please do send your comments, suggestions or corrections to steve#networkstuff.eu (replacing the # with an @)