Tcpdump

Tcpdump is a commandline network analyzer tool or more technically a packet sniffer. It can be thought of as the commandline version of wireshark (only to a certain extent, since wireshark is much more powerful and capable).

As a commandline tool tcpdump is quite powerful for network analysis as filter expressions can be passed in and tcpdump would pick up only the matching packets and dump them.

In this tutorial we are going to learn to use tcpdump and how it can be used for network analysis. On ubunut for example it can be installed by typing the following in terminal

Install Tcpdump

$ sudo apt-get install tcpdump

Tcpdump depends on libpcap library for sniffing packets. It is documented here.

For windows use the alternative called windump. It is compatible with tcpdump (in terms of usage and options). Download from http://www.winpcap.org/windump/default.htm

1. List available interfaces

The "-D" option or "--list-interfaces" option can be used to list all the interfaces that are available.

$ tcpdump -D 1.enp1s0 [Up, Running] 2.lo [Up, Running, Loopback] 3.any (Pseudo-device that captures on all interfaces) [Up, Running] 4.nflog (Linux netfilter log (NFLOG) interface) [none] 5.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]

Usually the main network interface of the system is listed at the first position. Here its enp1s0.

Also note that there is a pseudo device named "any" which can be used to capture on all interfaces. However when using the "any" interface, tcpdump will not be able to set promiscuous mode.

Next we can use the interface number or name with the -i switch to sniff the particular interface.

$ sudo tcpdump -i 1 $ sudo tcpdump -i enp1s0

2. Basic sniffing

Lets start using tcpdump. The first simple command to use is tcpdump -n

$ sudo tcpdump -n -i enp1s0 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on enp1s0, link-type EN10MB (Ethernet), capture size 262144 bytes 10:45:49.039713 IP 157.240.198.17.443 > 192.168.1.207.37796: Flags [P.], seq 1962806914:1962806942, ack 2688974967, win 147, options [nop,nop,TS val 685332416 ecr 2592326574], length 28 10:45:49.039734 IP 192.168.1.207.37796 > 157.240.198.17.443: Flags [.], ack 28, win 501, options [nop,nop,TS val 2592326772 ecr 685332416], length 0 10:45:49.200921 IP 192.168.1.207.51198 > 23.63.110.208.443: Flags [.], ack 1192842501, win 4214, options [nop,nop,TS val 334661899 ecr 1423090223], length 0 10:45:49.211724 IP 104.18.89.237.443 > 192.168.1.207.45876: Flags [P.], seq 3270916051:3270916081, ack 689276623, win 130, length 30 10:45:49.211747 IP 192.168.1.207.45876 > 104.18.89.237.443: Flags [.], ack 30, win 501, length 0 10:45:49.230015 IP 23.63.110.208.443 > 192.168.1.207.51198: Flags [.], ack 1, win 1392, options [nop,nop,TS val 1423135274 ecr 334616919], length 0 10:45:50.634641 IP 172.217.194.189.443 > 192.168.1.207.48926: UDP, length 41

Tcpdump needs to run with root privileges in order to capture packets on network interfaces, so we need to use sudo.

The "-n" parameter stops tcpdump from resolving ip addresses to hostnames, which is not required and saves time.

Lets take a line from the above output to analyse.

10:45:49.211724 IP 104.18.89.237.443 > 192.168.1.207.45876: Flags [P.], seq 3270916051:3270916081, ack 689276623, win 130, length 30

The first thing "10:45:49.211724" is the timestamp with microsecond precision.

Next is the protocol of the packet called IP (stands for Internet protocol and it is under this protocol that most of the internet communication goes on).

Next is the Source IP Address joined with the source port. Following next is the destination port and then some information about the packet.

3. More details with "-v"

The "-v" option will print verbose output with more details.

$ sudo tcpdump -n -v -i enp1s0 [sudo] password for enlightened: tcpdump: listening on enp1s0, link-type EN10MB (Ethernet), capture size 262144 bytes 11:08:20.242575 IP (tos 0x80, ttl 60, id 0, offset 0, flags [DF], proto UDP (17), length 69) 74.125.200.189.443 > 192.168.1.207.43614: UDP, length 41 11:08:20.243971 IP (tos 0x80, ttl 60, id 0, offset 0, flags [DF], proto UDP (17), length 47) 74.125.200.189.443 > 192.168.1.207.43614: UDP, length 19 11:08:20.260945 IP (tos 0x0, ttl 64, id 35846, offset 0, flags [DF], proto UDP (17), length 57) 192.168.1.207.43614 > 74.125.200.189.443: UDP, length 29

Now with the verbose switch lots of additional details about the packet are also being displayed. And these include the ttl, id, tcp flags, packet length etc.

4. Get Ethernet Header (link layer headers)

In the above examples details of the ethernet header are not printed.

Use the "-e" option to print the ethernet header details as well.

$ sudo tcpdump -n -v -e -i enp1s0 tcpdump: listening on enp1s0, link-type EN10MB (Ethernet), capture size 262144 bytes 11:09:35.112650 98:35:ed:d4:e1:42 > 1c:1b:0d:c8:82:4d, ethertype IPv4 (0x0800), length 84: (tos 0x0, ttl 59, id 49586, offset 0, flags [DF], proto TCP (6), length 70) 104.18.90.237.443 > 192.168.1.207.57940: Flags [P.], cksum 0xb57a (correct), seq 3449770361:3449770391, ack 1675631523, win 139, length 30 11:09:35.112676 1c:1b:0d:c8:82:4d > 98:35:ed:d4:e1:42, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 27221, offset 0, flags [DF], proto TCP (6), length 40) 192.168.1.207.57940 > 104.18.90.237.443: Flags [.], cksum 0xa59e (correct), ack 30, win 501, length 0 11:09:35.353812 1c:1b:0d:c8:82:4d > 98:35:ed:d4:e1:42, ethertype IPv4 (0x0800), length 143: (tos 0x0, ttl 64, id 33536, offset 0, flags [DF], proto TCP (6), length 129) 192.168.1.207.52774 > 104.28.9.44.443: Flags [P.], cksum 0xb199 (correct), seq 1672023643:1672023732, ack 2490974632, win 501, length 89

Now the first thing after the timestamp is the source and destination mac address.

5. Filtering Packets using Expressions

The next important feature of tcpdump as a network analysis tool is to allow the user to filter packets and select only those that match a certain rule or criteria.

And like before this too is quite simple and can be learned easily. Lets take a few simple examples.

Selecting protocols

$ sudo tcpdump -n tcp

The above command will show only tcp packets. Similary udp or icmp can be specified.

Particular host or port

Expressions can be used to specify source ip, destination ip, and port numbers. The next example picks up all those packets with source address 192.168.1.101

$ sudo tcpdump -n 'src 192.168.1.101' tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 20:04:04.856379 IP 192.168.1.101.47141 > 173.194.36.1.443: Flags [.], seq 2781603453:2781604873, ack 338206850, win 41850, length 1420 20:04:05.216372 IP 192.168.1.101.33885 > 193.219.128.49.6667: Flags [P.], seq 3980513010:3980513027, ack 2134949138, win 28400, length 17

Next example picks up dns request packets, either those packets which originate from local machine and go to port 53 of some other machine.

$ sudo tcpdump -n 'udp and dst port 53' tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 20:06:48.015359 IP 192.168.1.101.33990 > 218.248.255.163.53: 41001+ A? s.gateway.messenger.live.com. (46) 20:06:50.842530 IP 192.168.1.101.32954 > 218.248.255.163.53: 12380+ A? DB3MSGR5010722.gateway.messenger.live.com. (59)

The above output shows the dns requests made by local system to the dns server 218.248.255.163 port 53. Its all very intuitive and simple. Note the "and" which is used to combine multiple conditions.

This is where the creativity begins, to write powerful expressions to analyse the network.

To display the FTP packets coming from 192.168.1.100 to 192.168.1.2

$ sudo tcpdump 'src 192.168.1.100 and dst 192.168.1.2 and port ftp'

Note that the port number 21 has been specified by its name - ftp.

So similarly many different kinds of expressions can be developed to fit the needs of the network analyst and pick up matching packets.

6. Search the network traffic using grep

Grep can be used along with tcpdump to search the network traffic. Here is a very simple example

The above example detects packets with the string "POST" in them. It detects http post requests as shown.

The -A option displays the content of the packet in ascii text form, which is searchable using grep.

On windows the grep command is not available, but has an equivalent called find/findstr. Example usage

C:\tools>WinDump.exe -A | findstr "GET" WinDump.exe: listening on \Device\NPF_{6019E682-FD40-4A54-BB75-9C2ACFA56CAA} .....&....P..W.....P....k..GET /search?hl=en&sclient=psy-ab&q=asda&oq .....&....P..[{..N.P...%-..GET /csi?v=3&s=web&action=&ei=LrmPUMrLNoHO .P-%.}....P..$Ch..GET /subscribe?host_int=139535925&ns_map=2

So in the above example we used windump and searched the sniffed packet for the string "GET" (which mostly discover the http get requests).

So what is the idea behind searching packets. Well one good thing can be to sniff passwords.

Here is quick example to sniff passwords using egrep

tcpdump port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20

Source

Conclusion

Tcpdump is a simple yet powerful packet capture tool that is used extensively in the fields of network security and development of low level network libraries and services.

For example you can use tcpdump to monitor network traffic and check for unusual activity and catch any security issues early on.

Or if you are developing network level applications like a DNS or FTP server then you often times need to see if your application is generating network packets as expected.

Wireshark is the GUI packet sniffer based on Libpcap and has many more features compared to Tcpdump. But tcpdump is equally powerful as a command line tool, specially when you are working on a linux server where a desktop environment is not available.

Resources

To learn more about Tcpdump check out the manual page:

To sniff and capture specific http request packets with tcpdump, check out this tutorial: