tcpdump tool
OPTIONS
-i any : Listen on all interfaces, just to see whether you're seeing any traffic at all.
-i eth0 : Listen on the eth0 interface.
-D : Show the list of available interfaces.
-n : Don't resolve hostnames.
-nn : Don't resolve hostnames or port names.
-q : Be less verbose (quieter): print less protocol information per line.
-t : Don't print a timestamp on each line.
-tttt : Print a full, human-readable date and time on each line.
-X : Show the packet's contents in both hex and ASCII.
-XX : Same as -X, but also show the Ethernet (link-layer) header.
-v, -vv, -vvv : Increase the amount of packet information you get back.
-c N : Capture only N packets and then stop.
-s N : Set the snaplength (bytes captured per packet). Use -s0 to capture whole packets unless you are intentionally capturing less.
-S : Print absolute rather than relative TCP sequence numbers.
-e : Print the Ethernet (link-layer) header as well.
-E : Decrypt IPsec ESP traffic, given the SPI, destination address, algorithm and key (the argument has the form spi@ipaddr algo:secret).
1. Just see what’s going on, by looking at all interfaces.
# tcpdump -i any
2. Basic view of what’s happening on a particular interface.
# tcpdump -i eth0
3. Verbose output, with no resolution of hostnames or port numbers, absolute sequence numbers, and human-readable timestamps.
# tcpdump -ttttnnvvS
4. One of the most common queries, this will show you traffic from 1.2.3.4, whether it’s the source or the destination.
# tcpdump host 1.2.3.4
5. Hex output is useful when you want to see the content of the packets in question, and it’s often best used when you’re isolating a few candidates for closer scrutiny.
# tcpdump -nnvXSs 0 -c1 icmp
6. It’s quite easy to isolate traffic based on either source or destination using src and dst.
# tcpdump src 2.3.4.5
# tcpdump dst 3.4.5.6
7. To find packets going to or from a particular network, use the net option. You can combine this with the src or dst options as well.
# tcpdump net 1.2.3.0/24
8. You can find specific port traffic by using the port option followed by the port number.
# tcpdump port 3389
# tcpdump src port 1025
9. If you’re looking for one particular kind of traffic, you can use tcp, udp, icmp, and many others as well.
# tcpdump icmp
10. You can also find all IPv6 traffic using the ip6 protocol qualifier.
# tcpdump ip6
11. You can also use a range of ports to find traffic.
# tcpdump portrange 21-23
12. If you're looking for packets of a particular size you can use the length primitives. less N matches packets whose length is at most N bytes and greater N matches packets of at least N bytes; for any other comparison use len with a relational operator, quoted so the shell doesn't treat < and > as redirection.
# tcpdump less 32
# tcpdump greater 64
# tcpdump 'len <= 128'
13. It's often useful to save packet captures into a file for analysis in the future. These files are known as PCAP (PEE-cap) files, and they can be processed by hundreds of different applications, including network analyzers, intrusion detection systems, and of course by tcpdump itself. Here we're writing to a file called capture_file using the -w switch. Put options such as -w before the filter expression; not every platform's option parser accepts them afterwards.
# tcpdump -w capture_file port 80
14. You can read PCAP files by using the -r switch. Note that you can use all the regular commands within tcpdump while reading in a file; you’re only limited by the fact that you can’t capture and process what doesn’t exist in the file already.
# tcpdump -r capture_file
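An added example, not part of the original cheat sheet and not tcpdump's own code: a minimal Python writer and reader for the classic pcap format that -w produces and -r consumes. It shows the 24-byte file header (magic, version, snaplen, link type) and the 16-byte per-record header, and in particular how a short snaplen (the -s option) is recorded: the captured length drops but orig_len keeps the packet's real size, which is how a later reader knows the record is truncated. The two ICMP echo packets, the addresses, the timestamps and the output path (capture_file.pcap in the system temp directory) are constructed test data.

```python
import os
import struct
import tempfile

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # variant with nanosecond timestamps
LINKTYPE_RAW = 101             # DLT_RAW: each record starts at the IP header, no Ethernet


def sample_packet(payload_len):
    """Constructed IPv4/ICMP echo request 192.168.0.2 -> 192.168.0.1 with a
    filler payload. Checksums are left zero; nothing here verifies them."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"A" * payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0x4000, 64, 1, 0,
                     bytes([192, 168, 0, 2]), bytes([192, 168, 0, 1]))
    return ip + icmp


def write_pcap(path, packets, snaplen=262144, endian="<", first_ts=1_700_000_000.0):
    """Write packets as a classic pcap file. snaplen behaves like tcpdump -s:
    bytes beyond it are dropped from the record, but orig_len still records the
    real size (262144 is the default snaplen of current tcpdump versions)."""
    with open(path, "wb") as f:
        # file header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack(endian + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0,
                            snaplen, LINKTYPE_RAW))
        for i, pkt in enumerate(packets):
            ts = first_ts + i                      # constructed: one packet per second
            sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
            data = pkt[:snaplen]
            # record header: ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)
            f.write(struct.pack(endian + "IIII", sec, usec, len(data), len(pkt)))
            f.write(data)


def read_pcap(path):
    """Yield (timestamp, captured_bytes, orig_len) per record; handles both
    byte orders (the magic tells you which) and both timestamp resolutions."""
    with open(path, "rb") as f:
        hdr = f.read(24)
        if len(hdr) < 24:
            raise ValueError("file too short to be a pcap")
        for endian in ("<", ">"):
            magic = struct.unpack(endian + "I", hdr[:4])[0]
            if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
                break
        else:
            raise ValueError("not a pcap file (bad magic)")
        divisor = 1e9 if magic == PCAP_MAGIC_NSEC else 1e6
        _major, _minor, _zone, _sig, snaplen, _linktype = struct.unpack(endian + "HHiIII", hdr[4:])
        while True:
            rec = f.read(16)
            if not rec:
                break
            if len(rec) < 16:
                raise ValueError("truncated record header")
            sec, frac, incl_len, orig_len = struct.unpack(endian + "IIII", rec)
            if incl_len > snaplen:
                raise ValueError("record longer than snaplen: corrupt file")
            data = f.read(incl_len)
            if len(data) < incl_len:
                raise ValueError("truncated packet data")
            yield sec + frac / divisor, data, orig_len


def summarize(path):
    """One (captured_len, orig_len, truncated) tuple per record."""
    return [(len(d), orig, len(d) < orig) for _, d, orig in read_pcap(path)]


def demo(path=None, snaplen=96, endian="<"):
    """Write a small and a large ping with the given snaplen and read them back."""
    if path is None:
        path = os.path.join(tempfile.gettempdir(), "capture_file.pcap")
    write_pcap(path, [sample_packet(32), sample_packet(1400)], snaplen=snaplen, endian=endian)
    return summarize(path)


if __name__ == "__main__":
    print(demo())   # [(60, 60, False), (96, 1428, True)]
```

The written file can be opened with tcpdump -nnr on the path it prints; because the link type is DLT_RAW, tcpdump decodes straight from the IP header. As with a capture taken with -s 96, only the first 96 bytes of the 1428-byte echo request are in the file, which is why -s0 matters when you expect to inspect payloads later.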
15. Let's find all traffic from 10.5.2.3 going to any host on port 3389.
# tcpdump -nnvvS src 10.5.2.3 and dst port 3389
16. Let's look for all traffic coming from 192.168.x.x and going to the 10.x.x.x or 172.16.x.x networks, showing hex output with no hostname resolution and one level of extra verbosity. The parentheses are required because and binds tighter than or; without them the 172.16.0.0/16 part would match on its own, regardless of source.
# tcpdump -nvX 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or 172.16.0.0/16)'
17. This will show us all traffic going to 192.168.0.2 that is not ICMP.
# tcpdump dst 192.168.0.2 and not icmp
19. This will show us all traffic from a host that isn't SSH traffic (assuming default port usage).
# tcpdump -vv src mars and not dst port 22
20. Traffic that's from 10.0.2.4 AND destined for port 3389 or 22. The whole expression is single-quoted so the shell passes the parentheses through to tcpdump instead of trying to interpret them.
# tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'
TCP flag bits as they appear in tcp[13] (byte 13 of the TCP header, counting from 0):
flag       binary     hex
N (none)   0000 0000  0x00
F (FIN)    0000 0001  0x01
S (SYN)    0000 0010  0x02
R (RST)    0000 0100  0x04
P (PSH)    0000 1000  0x08
A (ACK)    0001 0000  0x10
U (URG)    0010 0000  0x20
21. Show me all URGENT (URG) packets…
# tcpdump 'tcp[13] & 32!=0'
22. Show me all ACKNOWLEDGE (ACK) packets…
# tcpdump 'tcp[13] & 16!=0'
23. Show me all PUSH (PSH) packets…
# tcpdump 'tcp[13] & 8!=0'
24. Show me all RESET (RST) packets…
# tcpdump 'tcp[13] & 4!=0'
25. Show me all SYNCHRONIZE (SYN) packets…
# tcpdump 'tcp[13] & 2!=0'
26. Show me all FINISH (FIN) packets…
# tcpdump 'tcp[13] & 1!=0'
27. Show me all SYNCHRONIZE/ACKNOWLEDGE (SYNACK) packets…
# tcpdump 'tcp[13]=18'
The same tests using tcpdump's symbolic flag names. Note that == compares the whole flags byte, so 'tcp[tcpflags] == tcp-syn' matches only packets with SYN and nothing else set; a SYN/ACK does not match. Use the '& ... != 0' form above when you want every packet that has the flag set.
# tcpdump 'tcp[tcpflags] == tcp-syn'
# tcpdump 'tcp[tcpflags] == tcp-rst'
# tcpdump 'tcp[tcpflags] == tcp-fin'
PACKETS WITH BOTH THE RST AND SYN FLAGS SET (THIS SHOULD NEVER BE THE CASE)
# tcpdump 'tcp[13] = 6'
FIND CLEARTEXT HTTP GET REQUESTS
# tcpdump 'tcp[(tcp[12]>>2):4] = 0x47455420'
0x47455420 is "GET " in ASCII. tcp[12]>>2 is the TCP data offset converted to a byte count, so the comparison starts at the first payload byte regardless of how many TCP options are present; a fixed offset such as tcp[32:4] only works when the header carries exactly 12 bytes of options.
FIND SSH CONNECTIONS ON ANY PORT (VIA BANNER TEXT)
# tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'
0x5353482D is "SSH-", the start of the version banner both sides send at the beginning of a connection.
PACKETS WITH A TTL LESS THAN 10 (USUALLY INDICATES A PROBLEM OR USE OF TRACEROUTE)
# tcpdump 'ip[8] < 10'
PACKETS WITH THE EVIL BIT SET (RFC 3514; HACKER TRIVIA MORE THAN ANYTHING ELSE). ip[6] is the byte holding the IP flags, and 128 is its reserved high bit.
# tcpdump 'ip[6] & 128 != 0'
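An added example, not from the original cheat sheet and not tcpdump's code, that re-implements the byte-offset filters from the flag table onward in Python and runs them against constructed packets, so you can see what tcp[13], tcp[12]>>2, ip[8] and ip[6] actually index. It shows two things the filter lines alone do not: why 'tcp[tcpflags] == tcp-syn' rejects a SYN/ACK while 'tcp[13] & 2 != 0' accepts it, and why tcp[32:4] finds a GET only when the TCP header carries exactly 12 bytes of options while the data-offset form finds it either way. The packets, addresses, ports, the 12-byte NOP/NOP/Timestamps option block and the low TTL are constructed test data; checksums are left zero because no filter here reads them.

```python
import struct

# Flag bit values as they sit in tcp[13]; these are the masks the '& N != 0' filters use.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_packet(flags, payload=b"", options=b"", ttl=64, evil=False):
    """Constructed IPv4+TCP packet (no link-layer header), 10.0.2.4:40000 -> 10.0.2.1:80."""
    assert len(options) % 4 == 0, "TCP options are padded to 32-bit words"
    data_offset = (20 + len(options)) // 4           # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      data_offset << 4, flags, 65535, 0, 0) + options + payload
    frag_word = 0x8000 if evil else 0x4000           # reserved "evil" bit vs plain DF
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, frag_word,
                     ttl, 6, 0, bytes([10, 0, 2, 4]), bytes([10, 0, 2, 1]))
    return ip + tcp


def ip_byte(pkt, i):
    """ip[i]: byte i of the IPv4 header."""
    return pkt[i]


def tcp_word(pkt, offset, size=1):
    """tcp[offset:size] as tcpdump evaluates it: offset counts from the start of the
    TCP header, which begins after IHL*4 bytes of IP header. Returns None when the
    access runs past the end of the packet, where BPF simply rejects the packet."""
    start = (pkt[0] & 0x0F) * 4 + offset
    chunk = pkt[start:start + size]
    return int.from_bytes(chunk, "big") if len(chunk) == size else None


def flag_set(pkt, mask):
    """tcp[13] & mask != 0: the flag is set, whatever else is set."""
    flags = tcp_word(pkt, 13)
    return flags is not None and flags & mask != 0


def flags_exactly(pkt, value):
    """tcp[13] = value (and tcp[tcpflags] == tcp-syn etc.): the whole byte must match."""
    return tcp_word(pkt, 13) == value


def http_get_fixed(pkt):
    """tcp[32:4] = 0x47455420: silently assumes a 32-byte TCP header."""
    return tcp_word(pkt, 32, 4) == 0x47455420


def http_get_data_offset(pkt):
    """tcp[(tcp[12]>>2):4] = 0x47455420: compare at the first payload byte."""
    doff = tcp_word(pkt, 12)
    return doff is not None and tcp_word(pkt, doff >> 2, 4) == 0x47455420


def low_ttl(pkt):
    """ip[8] < 10"""
    return ip_byte(pkt, 8) < 10


def evil_bit(pkt):
    """ip[6] & 128 != 0"""
    return ip_byte(pkt, 6) & 128 != 0


# Constructed sample traffic.
TS_OPTIONS = b"\x01\x01\x08\x0a" + b"\x00" * 8       # NOP, NOP, Timestamps: 12 bytes
GET_LINE = b"GET / HTTP/1.1\r\n"
SAMPLES = {
    "syn":        build_packet(SYN),
    "synack":     build_packet(SYN | ACK),
    "get_plain":  build_packet(PSH | ACK, payload=GET_LINE),
    "get_tsopts": build_packet(PSH | ACK, payload=GET_LINE, options=TS_OPTIONS),
    "low_ttl":    build_packet(SYN, ttl=3),
    "evil":       build_packet(SYN, evil=True),
}

FILTERS = {
    "tcp[13] & 2 != 0":                 lambda p: flag_set(p, SYN),
    "tcp[13] = 18":                     lambda p: flags_exactly(p, SYN | ACK),
    "tcp[tcpflags] == tcp-syn":         lambda p: flags_exactly(p, SYN),
    "tcp[32:4] = 0x47455420":           http_get_fixed,
    "tcp[(tcp[12]>>2):4] = 0x47455420": http_get_data_offset,
    "ip[8] < 10":                       low_ttl,
    "ip[6] & 128 != 0":                 evil_bit,
}


def matching_filters(pkt):
    """Names of the filters above that would pass this packet."""
    return [name for name, fn in FILTERS.items() if fn(pkt)]


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:11s} -> {matching_filters(pkt)}")
```

The same packets can be fed to the real filters by writing them into a pcap file and running tcpdump -r with each expression; the Python results should agree, record for record.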