
Tcpdump Masterclass

From NetworkStuff



This masterclass article provides in-depth technical information on the installation, usage and operation of the classic and very popular tcpdump network traffic analysis program, including alternatives, running tcpdump as a process, building expressions, understanding output and more.


Precautions

tcpdump output can be considerable if the network traffic your expression defines is considerable; particularly if you are capturing more than the default 68 Bytes of packet content.

Capturing packets, for example, related to a large file transfer or a web server being actively used by hundreds or thousands of clients will produce an overwhelming amount of output. If writing this output to stdout you will probably be unable to enter commands in your terminal, if writing to a file you may exhaust the host's disk space. In either case tcpdump is also likely to consume a great deal of CPU and memory resources.

To avoid these issues;

  • Be very careful when specifying expressions and try to make them as specific as possible.
  • Don't capture during times of heavy traffic/load.
  • If you wish to capture entire packet contents, do a test capture only capturing the default 68 Bytes first and make a judgement on whether the system will cope with the full packet content capture.
  • Where writing to disk, carefully monitor the size of the file and ensure the host in question has the likely disk resources required available, or use the -c parameter to limit the number of packets captured.
  • Never use an expression that would capture traffic to or from your remote telnet/SSH/whatever terminal/shell. tcpdump output would generate traffic to your terminal, resulting in further output, resulting in more traffic to your terminal and so on in an infinite and potentially harmful feedback loop.

Installation

tcpdump can be installed or upgraded as follows, depending on your platform;

  • Ubuntu/Debian: apt-get install tcpdump
  • RHEL/Fedora Core/CentOS: yum install tcpdump
  • FreeBSD: pkg_add -v -r tcpdump

Availability

tcpdump is only available for Unix/Linux.

Linux Alternatives

For capturing and decrypting/decoding SSL/TLS packets and data at the CLI, ssldump can be used: http://www.rtfm.com/ssldump/

The tshark and dumpcap CLI programs, which are part of Wireshark, or of course Wireshark itself.

The ngrep CLI program: http://ngrep.sourceforge.net/

Windows Equivalents

WinDump has equivalent functionality and runs in a Windows command prompt: http://www.mirrorservice.org/sites/ftp.wiretapped.net/pub/security/packet-capture/winpcap/windump/. WinDump requires WinPcap which can be obtained here: http://www.winpcap.org/install/default.htm. Command syntax is the same as tcpdump's, although WinDump is based on an older version; most of the options and syntax detailed in this article will work.

The tshark and dumpcap command prompt programs, which are part of Wireshark, or of course Wireshark itself.

Decrypting/Decoding SSL/TLS

tcpdump can capture but not decrypt or decode SSL/TLS packet data.

To do this, either;

In either case, you will need the SSL/TLS private key.

Usage Syntax

tcpdump [-i interface] [parameter(s)] [expression(s)]

Running tcpdump As A Process (Unattended Captures)

You can use the nohup command and the shell's & operator to run tcpdump as a background process that will continue running even if the terminal/shell it is launched from is closed. This is very useful for running unattended captures and in situations where, for instance, an SSH shell is terminated after a period of inactivity.

Use the following command syntax;

nohup tcpdump [-i interface] [parameters] -w [dir/]filename [expression(s)] &

Note: Output must be written to a file using the -w option.

To stop the process, use the ps command to identify the relevant tcpdump process and then the kill command to terminate it.

Standard Output & Writing To A File

You can display tcpdump output on standard output (STDOUT), the default, and capture that output to a file as well using the tee command, using the syntax below;

tcpdump [-i interface] [parameters] [expression(s)] | tee [dir/]filename

Notes;

  • The file will be saved as a text file, not in the format used when the -w parameter is used (libpcap).
  • You will not be able to use Wireshark or similar tools to analyse the output captured in the file, as the format is not supported.
  • If you specify the name of an existing file it will be overwritten without warning unless you specify the tee command parameter -a.

Specifying An Interface

-i interface

You do not need to specify the interface if you wish to capture traffic on the lowest numbered, configured interface on the system (often eth0). Loopback interfaces are ignored.

For Linux, use the ifconfig command to display information on interfaces available to the system, but note this command limits the display of interface names to 9 characters. Alternatively, use the ip link command which displays names up to 255 characters long.

On Linux systems with kernel 2.2 or later an interface argument of any is supported. This captures packets from all interfaces but not in promiscuous mode.

Parameters

Writing To a File

-w [dir/]file_name

Warning: Writing to a file you may exhaust the host's disk space if a great deal of traffic is being captured. To avoid this issue ensure you do one of the following;

  • Test your capture first, without saving to a file and ensure your expression(s) are specific enough that an excessive amount of traffic is not being captured
  • Monitor the size of the specified file
  • Use the -c parameter to restrict the capture to a specific number of packets, as detailed in the next section

Notes;

  • The file format used is libpcap
  • If you specify the name of an existing file it will be overwritten without warning!
  • If two or more instances of tcpdump specify the same output file, only the output of the last instance started will be recorded to the file

Restricting The Number Of Packets Captured

-c nn

tcpdump will restrict the packets captured to the number specified by nn. Using this option is particularly sensible to avoid issues when;

  • You expect a great deal of output (and may be unable to stop the capture)
  • You are writing the capture to a file and want to be sure you do not exhaust the host's disk space
  • You are running an unattended capture

Reading From a File

-r [dir/]file_name

tcpdump will display the entire contents of the file, without pause, so you may want to use the more or less commands to control and 'browse' the output in an orderly way.

Quick Mode

-q

tcpdump will display only time, source address and port, destination address and port, protocol (tcp/udp), data (not packet) length and whether the DF bit is set or not. This parameter is very good at ensuring all data for a packet displays on a single line of output, as shown below;

14:04:10.381763 10.68.5.122.10050 > 10.68.5.9.49702: tcp 0 (DF)

Here's what you would get without quick mode;

14:04:17.370776 10.68.5.122.10050 > 10.68.5.9.49761: S 3293224573:3293224573(0) ack 1427800123 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>

Verbose Mode

-v

tcpdump will display additional fields including flags (such as DF), TTL and packet length, as this example output shows;

14:05:04.395870 10.68.5.122.10050 > 10.68.5.9.50187: P 1449:1700(251) ack 23 win 65513 <nop,nop,timestamp 5953631 522357663> (DF) (ttl 128, id 7979, len 303)

-vv will display additional protocol and application specific fields.

-vvv will display even more protocol and application specific fields.

Capturing Link Level (Layer 2 - Data Link) Headers

-e

tcpdump will display link level information not displayed by default, such as source and destination MAC addresses, layer 3 protocol and frame size. Below are two example captures, the first without this option specified, the second with;

tcpdump -i vlan2 host 10.68.5.9 and icmp;
12:39:08.589829 10.68.5.9 > 10.68.5.121: icmp: echo request (DF)
12:39:08.590352 10.68.5.121 > 10.68.5.9: icmp: echo reply (DF)
tcpdump -i vlan2 -e host 10.68.5.9 and icmp;
12:38:53.660102 0:1:d7:57:3:c8 0:21:5a:45:57:42 ip 54: 10.68.5.9 > 10.68.5.121: icmp: echo request (DF)
12:38:53.660629 0:21:5a:45:57:42 0:1:d7:57:3:c8 ip 60: 10.68.5.121 > 10.68.5.9: icmp: echo reply (DF)

Capturing Packet Contents - Format

-x will display packet contents in Hex.

-X will display packet contents in both Hex and ASCII.

Below are two example captures, the first with -x specified, the second with -X;

tcpdump -i vlan28 -x host 10.68.5.9 and icmp;
12:52:03.577960 10.68.5.9 > 10.68.5: icmp: echo request (DF)
                         4500 0028 0000 4000 4001 4902 c0a8 3809
                         c0a8 3879 0800 7f87 effd ed06 4001 c71f
                         c0a8 3828 7078 2b09
12:52:03.578493 10.68.5.121 > 10.68.5.9: icmp: echo reply (DF)
                         4500 0028 42db 4000 8001 c626 c0a8 3879
                         c0a8 3809 0000 8787 effd ed06 4001 c71f
                         c0a8 3828 7078 2b09 0000 0000 0000
tcpdump -i vlan28 -X host 10.68.5.9 and icmp;
12:52:13.577833 10.68.5.9 > 10.68.5.121: icmp: echo request (DF)
0x0000   4500 0028 0000 4000 4001 4902 c0a8 3809        E..(..@.@.I...8.
0x0010   c0a8 3879 0800 3683 3904 ed06 4001 c71d        ..8y..6.9...@...
0x0020   c0a8 3828 7078 2b09                            ..8(px+.
12:52:13.578348 10.68.5.121 > 10.68.5.9: icmp: echo reply (DF)
0x0000   4500 0028 44bb 4000 8001 c446 c0a8 3879        E..(D.@....F..8y
0x0010   c0a8 3809 0000 3e83 3904 ed06 4001 c71d        ..8...>.9...@...
0x0020   c0a8 3828 7078 2b09 0000 0000 0000             ..8(px+.......

Both these options display the first 68 Bytes of each packet only by default unless the -s option is used, see below;

Note: These options are not needed when writing the capture to a file with -w, since the file always holds the raw packet bytes; they only apply when tcpdump is displaying packets, either in real time or when reading from a capture file.
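To see what the hex column of -x/-X output actually encodes, here is an added example (not code from the original page) that turns such a dump back into bytes and decodes the IPv4 header and ICMP type, verifying both checksums and flagging packets that were cut short by the default 68 byte snap length. The sample dump is constructed for this example (an echo request from 10.68.5.9 to 10.68.5.121, with checksums computed by hand) and is not a capture from the page.

```python
import re
import socket
import struct

# Constructed sample: the same packet laid out as tcpdump -x and as -X print it.
# 20-byte IPv4 header + 8-byte ICMP echo request header + 12 bytes of payload.
SAMPLE_X_DUMP = """\
                         4500 0028 0000 4000 4001 1bcc 0a44 0509
                         0a44 0579 0800 7f5e 1234 0001 6162 6364
                         6566 6768 696a 6b6c
"""
SAMPLE_BIG_X_DUMP = """\
0x0000   4500 0028 0000 4000 4001 1bcc 0a44 0509        E..(..@.@....D..
0x0010   0a44 0579 0800 7f5e 1234 0001 6162 6364        .D.y...^.4..abcd
0x0020   6566 6768 696a 6b6c                            efghijkl
"""

_OFFSET = re.compile(r"^\s*0x[0-9a-fA-F]+\s*")          # leading "0x0010" of -X lines
_HEXGROUP = re.compile(r"^(?:[0-9a-fA-F]{2}|[0-9a-fA-F]{4})$")


def hexdump_to_bytes(dump: str) -> bytes:
    """Recover raw packet bytes from the hex column of -x or -X output.

    -X lines carry an offset prefix and an ASCII column separated from the
    hex groups by a run of spaces; both are discarded.
    """
    out = bytearray()
    for line in dump.splitlines():
        line = _OFFSET.sub("", line)
        hex_part = re.split(r"\s{2,}", line.strip())[0]
        for group in hex_part.split():
            if not _HEXGROUP.match(group):
                break  # anything else is not part of the hex column
            out += bytes.fromhex(group)
    return bytes(out)


def ip_checksum(data: bytes) -> int:
    """RFC 791 one's complement checksum; returns 0 for an intact header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4(packet: bytes) -> dict:
    """Decode the fixed IPv4 header fields, plus ICMP type/code if present."""
    if len(packet) < 20:
        raise ValueError("need at least 20 bytes for an IPv4 header")
    vihl, _tos, total_len, ident, frag, ttl, proto, _cksum = struct.unpack(
        "!BBHHHBBH", packet[:12])
    ihl = (vihl & 0x0F) * 4
    fields = {
        "version": vihl >> 4,
        "header_len": ihl,
        "total_len": total_len,
        "id": ident,
        "df": bool(frag & 0x4000),           # the (DF) tcpdump prints
        "mf": bool(frag & 0x2000),
        "ttl": ttl,
        "proto": proto,
        "checksum_ok": ip_checksum(packet[:ihl]) == 0,
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        # fewer bytes than the IP total length means the snap length cut it
        "truncated": len(packet) < total_len,
    }
    if proto == 1 and len(packet) >= ihl + 4:
        fields["icmp_type"], fields["icmp_code"] = packet[ihl], packet[ihl + 1]
        fields["icmp_checksum_ok"] = ip_checksum(packet[ihl:total_len]) == 0
    return fields


if __name__ == "__main__":
    for name, fields in decode_ipv4(hexdump_to_bytes(SAMPLE_X_DUMP)).items():
        print(f"{name:>17}: {fields}")
```

Feeding the decoder only the first 30 bytes of the sample (the effect of a snap length shorter than the packet) sets truncated and makes the ICMP checksum fail while the IP header still verifies, which is exactly the situation the -s note below addresses.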

Capturing Packet Contents - How Much?

-s bytes

tcpdump will capture the specified number of Bytes of each packet (the default is 68).

Note: Use -s 0 to capture the entirety of every packet, regardless of size.

Disabling DNS Lookups

-n

tcpdump will not translate host addresses to host names, thus disabling DNS lookups. Not using this option could potentially result in a huge amount of DNS requests and create unnecessary load on DNS servers.

Also Disabling Service Name Lookups

-nn

tcpdump will not translate port and protocol to service names (port 80 to http, for example), as well as not translating host addresses to host names.


Expressions

Use expressions to limit or filter what is actually captured. Valid operators include and (&&), or (||) and not (!).

You can also use commands such as grep to further filter output; this is sometimes easier than constructing complex expressions.

It's normally best to construct your expressions to capture traffic to/from the host furthest away from the device you're running tcpdump on. Doing so will probably reduce the 'background noise' that may appear with hosts close to the device, such as host management, administration and other traffic that you most likely don't want to see.

Single Host

One Way;

  • src 1.1.1.1 - capture traffic from the specified source only
  • dst 1.1.1.1 - capture traffic to the specified destination only

Two Way;

  • host 1.1.1.1 - capture traffic destined to and/or sourced from the specified host only

Multiple Hosts

One Way;

  • src 1.1.1.1 or 1.1.1.2 - capture traffic from the specified sources only
  • dst 1.1.1.1 or 1.1.1.2 - capture traffic to either of the specified destinations only

Two Way;

  • host 1.1.1.1 or host 1.1.1.2 - capture traffic destined to and/or sourced from either of the specified hosts only
  • host 1.1.1.1 and host 1.1.1.2 - capture traffic between the specified two hosts only

Single Network

One Way;

  • src net 1.1.1.0/24 - capture traffic from the specified source network only
  • dst net 1.1.1.0/24 - capture traffic to the specified destination network only

Two Way;

  • net 1.1.1.0/24 - capture traffic destined to and/or sourced from the specified network only

For mask/prefix information see our Network Mask Reference, TCP/IP v4.

Multiple Networks

One Way;

  • src net 1.1.1.0/24 or 2.2.2.0/24
  • dst net 1.1.1.0/24 or 2.2.2.0/24

Two Way;

  • net 1.1.1.0/24 or 2.2.2.0/24

For mask/prefix information see our Network Mask Reference, TCP/IP v4.

Specific UDP or TCP Port(s)

[udp | tcp] [src | dst] port port-number - specify a protocol, source or destination port and port number;

  • If udp or tcp is not specified, traffic will be captured if the port is used with either UDP or TCP
  • If src or dst is not specified, traffic will be captured if the specified port is used as either a source or destination

IP Only Packets

To capture only IP (UDP or TCP) packets, use the expression ip.

UDP Only Packets

To capture only UDP packets, use the expression udp.

TCP Only Packets

To capture only TCP packets, use the expression tcp.

Packet Size

less length - specify a packet size equal to or less than length in bytes

greater length - specify a packet size equal to or greater than length in bytes

Spanning Tree Protocol

To capture Spanning Tree Protocol (STP) frames only, ignore the tcpdump man page, which suggests ether proto stp, and simply use the expression stp. To exclude STP packets, use ! stp.

Address Resolution Protocol

To capture Address Resolution Protocol (ARP) packets only, ignore the tcpdump man page, which suggests ether proto arp, and simply use the expression arp. To exclude ARP packets, use ! arp.

ICMP

To capture Internet Control Message Protocol (ICMP) frames only, ignore the tcpdump man page, which suggests ether proto icmp, and simply use the expression icmp. To exclude ICMP packets, use ! icmp.


TCP Flags

tcp[13] refers to byte 13 (counting from 0) of the TCP header, the octet that holds the flag bits; each expression below masks that byte with the bit value of the flag in question.

Show me all URG packets:

tcpdump 'tcp[13] & 32 != 0'

Show me all ACK packets:

tcpdump 'tcp[13] & 16 != 0'

Show me all PSH packets:

tcpdump 'tcp[13] & 8 != 0'

Show me all RST packets:

tcpdump 'tcp[13] & 4 != 0'

Show me all SYN packets:

tcpdump 'tcp[13] & 2 != 0'

Show me all FIN packets:

tcpdump 'tcp[13] & 1 != 0'

Show me all SYN-ACK packets:

tcpdump 'tcp[13] = 18'
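The expressions above are all instances of one rule: mask tcp[13] with the flag bits you care about. The following added example (not code from the original page) builds those expressions from flag names and evaluates the same test against a flag byte taken from a capture, so you can check what a filter will and will not match before running it. It also covers the difference between the masked form (tcp[13] & 18 = 18) and the exact form the page uses for SYN-ACK (tcp[13] = 18): the exact form silently drops segments that also carry ECE or CWR, which SYN-ACKs from ECN-capable hosts do. The flag bit values are those of the TCP header; the function names are this example's own.

```python
# Bit values of the flags in the TCP header byte at offset 13 (tcp[13]).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def flag_mask(names):
    """Combine flag names into the mask value used in the expression."""
    mask = 0
    for name in names:
        try:
            mask |= TCP_FLAGS[name.upper()]
        except KeyError:
            raise ValueError(f"unknown TCP flag {name!r}") from None
    return mask


def tcp_flag_expr(names, exact=False):
    """Build the tcpdump expression for the given flag names.

    exact=False: the page's 'tcp[13] & bit != 0' form for one flag; with
                 several flags, 'tcp[13] & mask = mask' (all of them set,
                 other bits ignored).
    exact=True:  'tcp[13] = mask', i.e. exactly these flags and no others,
                 the form the page gives for SYN-ACK.
    """
    mask = flag_mask(names)
    if exact:
        return f"tcp[13] = {mask}"
    if len(names) == 1:
        return f"tcp[13] & {mask} != 0"
    return f"tcp[13] & {mask} = {mask}"


def flags_match(flags_byte, names, exact=False):
    """Apply the same test tcp_flag_expr() expresses to a captured tcp[13] byte."""
    mask = flag_mask(names)
    if exact:
        return flags_byte == mask
    return (flags_byte & mask) == mask


def describe(flags_byte):
    """Names of the flags set in a tcp[13] byte, in header bit order."""
    return [name for name, bit in TCP_FLAGS.items() if flags_byte & bit]


if __name__ == "__main__":
    for names, exact in ([["SYN"], False], [["SYN", "ACK"], True], [["SYN", "ACK"], False]):
        print(f"{names} exact={exact}: {tcp_flag_expr(names, exact)}")
    # 0x52 is SYN+ACK+ECE, as sent by an ECN-capable server: matched by the
    # masked form, missed by the exact form.
    print(describe(0x52), flags_match(0x52, ["SYN", "ACK"]), flags_match(0x52, ["SYN", "ACK"], exact=True))
```

Recent libpcap versions also accept the symbolic form tcp[tcpflags] & (tcp-syn|tcp-ack) != 0, which avoids remembering the bit values; the numeric form shown on the page works on every version.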

Understanding Output

. is an ACK flag

S is a SYN flag

P is a PUSH flag

UDP Output Fields

  • Timestamp
  • Source address
  • Source port
  • Destination address
  • Destination port
  • Protocol
  • Size

TCP Output Fields

  • Timestamp
  • Source address
  • Source port
  • Destination address
  • Destination port
  • Flags
  • Sequence number (also start byte)
  • Contained data bytes, from the sequence number up to but not including the second number
  • Number of user data bytes in datagram
  • Details of acknowledgements, window size and header flags
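The fields listed above map directly onto the output lines shown earlier in this article. As an added example (not code from the original page), the parser below splits a line of the classic tcpdump output format used on this page (quick mode, normal TCP, verbose -v trailer and ICMP) into those fields, so that output captured with tee can be post-processed rather than read by eye. The sample lines are the ones printed in the Quick Mode, Verbose Mode and link-level sections of this page; the function and field names are this example's own. Lines are expected in the -n form (numeric addresses), which is one more reason to use that option.

```python
import re

# Sample lines, taken from this page's own example output.
SAMPLE_LINES = [
    "14:04:10.381763 10.68.5.122.10050 > 10.68.5.9.49702: tcp 0 (DF)",
    "14:04:17.370776 10.68.5.122.10050 > 10.68.5.9.49761: S 3293224573:3293224573(0) "
    "ack 1427800123 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>",
    "14:05:04.395870 10.68.5.122.10050 > 10.68.5.9.50187: P 1449:1700(251) ack 23 win 65513 "
    "<nop,nop,timestamp 5953631 522357663> (DF) (ttl 128, id 7979, len 303)",
    "12:39:08.589829 10.68.5.9 > 10.68.5.121: icmp: echo request (DF)",
]

# Common prefix: timestamp, source[.port] > destination[.port]: rest
_HDR = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$")
# Quick mode (-q) and UDP lines: protocol followed by the data length
_QUICK = re.compile(r"^(?P<proto>tcp|udp)\s+(?P<len>\d+)")
# Normal TCP lines: flag letters, first:last(nbytes), ack N, win N, <options>
_TCP = re.compile(
    r"^(?P<flags>[SFPRUWE.]+)\s+"
    r"(?:(?P<seq0>\d+):(?P<seq1>\d+)\((?P<len>\d+)\)\s*)?"
    r"(?:ack\s+(?P<ack>\d+)\s*)?"
    r"(?:win\s+(?P<win>\d+)\s*)?"
    r"(?:<(?P<opts>[^>]*)>)?")
# Trailer added by -v
_TTL = re.compile(r"\(ttl (?P<ttl>\d+), id (?P<id>\d+), len (?P<iplen>\d+)\)")
# '.' means none of these letters is set (an ACK-only segment), so it is skipped.
FLAG_LETTERS = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST",
                "U": "URG", "W": "CWR", "E": "ECE"}


def parse_line(line):
    """Split one tcpdump output line into a dict of the fields listed above."""
    m = _HDR.match(line.strip())
    if not m:
        raise ValueError(f"not a tcpdump output line: {line!r}")
    rec = {
        "ts": m["ts"], "src": m["src"], "dst": m["dst"],
        "sport": int(m["sport"]) if m["sport"] else None,
        "dport": int(m["dport"]) if m["dport"] else None,
    }
    rest = m["rest"]
    q = _QUICK.match(rest)
    if rest.startswith("icmp:"):
        rec["proto"] = "icmp"
        rec["icmp"] = re.sub(r"\s*\(.*$", "", rest[5:]).strip()  # e.g. "echo request"
    elif q:
        rec["proto"] = q["proto"]
        rec["data_len"] = int(q["len"])
    else:
        t = _TCP.match(rest)
        if not t:
            raise ValueError(f"unrecognised TCP line: {rest!r}")
        rec["proto"] = "tcp"
        rec["flags"] = [FLAG_LETTERS[c] for c in t["flags"] if c != "."]
        if t["ack"] is not None:            # an "ack N" field means the ACK flag is set
            rec["flags"].append("ACK")
            rec["ack"] = int(t["ack"])
        if t["seq0"] is not None:           # start byte, end byte (exclusive), data bytes
            rec["seq"], rec["seq_end"] = int(t["seq0"]), int(t["seq1"])
            rec["data_len"] = int(t["len"])
        if t["win"] is not None:
            rec["win"] = int(t["win"])
        if t["opts"] is not None:
            rec["options"] = [o.strip() for o in t["opts"].split(",")]
    rec["df"] = "(DF)" in rest
    v = _TTL.search(rest)
    if v:
        rec["ttl"], rec["ip_id"], rec["ip_len"] = int(v["ttl"]), int(v["id"]), int(v["iplen"])
    return rec


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
```

Note that the quick-mode line carries no flag or sequence information at all, which is the trade-off for its one-line-per-packet output; the verbose line is the only one that yields TTL, IP id and total length.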

Related Files

The tcpdump executable is normally found here: /usr/sbin/tcpdump

System Limitations

F5 BigIP

All F5 Networks BigIP tcpdump operation limitations are detailed in this article: http://support.f5.com/kb/en-us/solutions/public/6000/500/sol6546.html?sr=9413229. In brief;

  • tcpdump will not capture traffic for fully PVA accelerated virtual servers if the tcpdump interface specified is a VLAN. This applies if the virtual server has a FastL4 profile assigned which has a PVA setting of full, even if other virtual server settings result in only partial (assisted) PVA acceleration.
  • tcpdump will capture a maximum of 200 packets per second if the tcpdump interface specified is a physical interface.
  • On VIPRION, if the tcpdump interface specified is a physical interface, the command must be run on the blade that contains that interface.

Further Information

The tcpdump/libpcap website: http://www.tcpdump.org/

The Wikipedia entry for tcpdump: http://en.wikipedia.org/wiki/Tcpdump


We really do appreciate all feedback so please do send your comments, suggestions or corrections to steve#networkstuff.eu (replacing the # with an @)


This page was last modified on 11 August 2010, at 10:27.