Tcpdump is a command-line utility for capturing and analysing network traffic, typically used for network diagnostics. With it you can watch the packets on the wire and see the source and destination sockets (address and port) of each packet.
https://www.tcpdump.org/ – official site of the utility.
In tcpdump output, each line is one captured packet.
Example of tcpdump output:
12:54:21.590381 IP 10.20.3.215 > 10.100.1.50: ICMP echo request, id 27945, seq 1, length 64
Information that can be seen in the output (which fields appear depends on the protocol):
- Timestamp
- Protocol
- Source IP address or host name
- Source port
- Destination IP address or host name
- Destination port
- Flags (TCP)
- Sequence number
- Acknowledgement number
- Window size
- Payload
To stop the utility, press Ctrl+C.
TCP Flags
A single packet can carry more than one flag; tcpdump prints them as a string of letters in square brackets, e.g. [S.] for SYN+ACK.
- S – SYN
- F – FIN
- . – ACK
- P – PUSH
- R – RST
For example, to show only packets whose TCP flag byte is exactly RST:
tcpdump 'tcp[tcpflags] == tcp-rst'
Note that == compares the whole flag byte, so a packet such as [R.] (RST together with ACK) would not match; to catch RST in any combination, test the bit instead: tcp[tcpflags] & tcp-rst != 0.
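The line format described above and the flag letters in the list can be turned into structured records, which is the usual first step before alerting on them (for example, counting resets per host). The parser below is an added example in Python, not code from the original page or from the tcpdump project. It assumes output produced with -n (numeric addresses, IPv4 endpoints printed as address.port) and works on a few constructed sample lines: a ping, an SSH handshake that the server resets, and a DNS query. It also includes the remaining flag letters tcpdump prints (U, E, W) beyond the five listed above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple, List

# tcpdump's single-letter TCP flags: S, F, ., P, R as on the page, plus the
# three remaining letters tcpdump uses (URG, ECE, CWR).
TCP_FLAG_NAMES = {"S": "SYN", "F": "FIN", ".": "ACK", "P": "PUSH", "R": "RST",
                  "U": "URG", "E": "ECE", "W": "CWR"}

# timestamp, address family (IP or IP6), "src > dst:", then a protocol-specific summary
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<family>IP6?) (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")

# Constructed sample in the shape that "tcpdump -n" prints (not a real capture).
SAMPLE_OUTPUT = """\
12:54:21.590381 IP 10.20.3.215 > 10.100.1.50: ICMP echo request, id 27945, seq 1, length 64
12:54:22.001234 IP 10.20.3.215.51432 > 10.100.1.50.22: Flags [S], seq 123456789, win 64240, options [mss 1460], length 0
12:54:22.001900 IP 10.100.1.50.22 > 10.20.3.215.51432: Flags [S.], seq 987654321, ack 123456790, win 65160, length 0
12:54:22.002100 IP 10.20.3.215.51432 > 10.100.1.50.22: Flags [.], ack 1, win 502, length 0
12:54:22.100000 IP 10.20.3.215.51432 > 10.100.1.50.22: Flags [P.], seq 1:41, ack 1, win 502, length 40
12:54:23.000000 IP 10.100.1.50.22 > 10.20.3.215.51432: Flags [R.], seq 1, ack 41, win 0, length 0
12:54:24.000000 IP 10.20.3.215.40001 > 10.100.1.53.53: 12345+ A? example.com. (29)
"""


@dataclass
class Packet:
    timestamp: str
    src_host: str
    src_port: Optional[int]
    dst_host: str
    dst_port: Optional[int]
    proto: str                 # "ICMP", "TCP" or "other" (UDP/DNS summaries carry no fixed keyword)
    flags: Tuple[str, ...]     # decoded TCP flag names, empty for non-TCP
    seq: Optional[str]         # kept as text because tcpdump prints ranges like "1:41"
    ack: Optional[int]
    win: Optional[int]
    length: Optional[int]


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """With -n, an IPv4 endpoint with a port has four dots (a.b.c.d.port); a bare address has three."""
    if endpoint.count(".") == 4:
        host, port = endpoint.rsplit(".", 1)
        if port.isdigit():
            return host, int(port)
    return endpoint, None


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump output line; returns None for lines that are not packets (e.g. banners)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_host, src_port = split_endpoint(m["src"])
    dst_host, dst_port = split_endpoint(m["dst"])
    rest = m["rest"]
    flags: Tuple[str, ...] = ()
    if rest.startswith("ICMP"):
        proto = "ICMP"
    elif rest.startswith("Flags ["):
        proto = "TCP"
        letters = rest[len("Flags ["):rest.index("]")]
        flags = tuple(TCP_FLAG_NAMES.get(c, c) for c in letters)
    else:
        proto = "other"

    def grab(pattern, conv=int):
        found = re.search(pattern, rest)
        return conv(found.group(1)) if found else None

    return Packet(m["ts"], src_host, src_port, dst_host, dst_port, proto, flags,
                  grab(r"\bseq (\S+?),", str), grab(r"\back (\d+)"),
                  grab(r"\bwin (\d+)"), grab(r"\blength (\d+)"))


def parse_capture(text: str) -> List[Packet]:
    return [p for p in (parse_line(ln) for ln in text.splitlines()) if p is not None]


def flag_summary(packets: List[Packet]) -> Counter:
    """How often each TCP flag appeared; a SYN count far above the ACK count hints at half-open scans."""
    return Counter(flag for p in packets if p.proto == "TCP" for flag in p.flags)


def rst_by_source(packets: List[Packet]) -> Counter:
    """Which hosts are sending resets; useful when investigating refused or torn-down connections."""
    return Counter(p.src_host for p in packets if "RST" in p.flags)


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_OUTPUT)
    print(f"{len(pkts)} packets, flags: {dict(flag_summary(pkts))}, resets: {dict(rst_by_source(pkts))}")
```

To run it on a real capture, feed `parse_capture` the text of `tcpdump -n ...` (redirect stdout to a file first; the "listening on ..." banner goes to stderr and is skipped anyway because it does not match the line pattern). Addresses captured without -n would be host names and still parse, but ports would then be service names, which `split_endpoint` does not try to interpret.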
Tcpdump must be run as root, or your account must be listed in the sudoers file.
Tcpdump Options
tcpdump -D – list all interfaces that can be used for capture.
tcpdump --list-interfaces – the same.
Output is filtered with expressions written in the BPF (Berkeley Packet Filter) language:
sudo tcpdump port 53 – here "port 53" is the BPF filter.
Other BPF filter primitives:
- port
- portrange
- net
- mask
- host
- src
- dst
- tcp
- udp
- icmp
- greater
- ip6
- less
- <=
To combine filters, use the boolean operators:
- and
- or
- not
Example:
tcpdump -A greater 1000 and \(src host amazon.com or src host tcpdump.com\)
Parentheses are used here because we want packets larger than 1000 bytes from tcpdump.com as well; "and" binds tighter than "or", so without them the size condition would apply only to amazon.com.
"\" is used because parentheses have a special meaning in the shell.
tcpdump -A greater 1000 and \(src host amazon.com or tcpdump.com\) – also correct: the repeated qualifier "src host" can be omitted.
tcpdump 'greater 1000 and (src host amazon.com or tcpdump.com)' – also correct: single-quoting the whole expression keeps the shell from interpreting the parentheses (do not use backticks here, the shell would treat them as command substitution).
If you want to analyse the capture in Wireshark, save it to a file in .pcap format.
tcpdump -w <file> – save the capture to a file.
ssh <remote.ip> tcpdump -pni any -w - -s0 -U port dest_port | wireshark -k -i - – stream a capture from a remote host straight into a local Wireshark (-w - writes to stdout, -U flushes each packet immediately, -i - makes Wireshark read from stdin).
sudo tcpdump host host_ip -w filename -c 10000 – save to a file and stop after 10000 packets.
-i – select the interface. It is recommended to name the interface explicitly or to use -i any, because the default interface may not be the one you want.
-A – print each packet in ASCII (-X – hex output alongside ASCII). -x – hex output of the packet (by default the first 82 bytes). To include the Ethernet header use -xx (adds 14 bytes).
-n – do not resolve IP addresses to names. By default addresses are resolved.
This resolution can become a problem when there is a high packet rate or when the DNS server is unreachable.
-e – print link-layer (L2) information, for example MAC addresses.
-P – for a given IP address, show only packets whose source or destination IP equals that address.
-v, -vv, -vvv – increase the verbosity of the output.
-t – no timestamp in the output.
-tt – show the time as seconds elapsed since 1 January 1970 (Unix epoch).
-ttt – show the time as the delta between the current line and the previous one.
-tttt – show the full date and time.
-r <file> – read packets from a dump file instead of capturing.
-s – snapshot length, i.e. how many bytes of each packet are captured. By default only the first 68 bytes of each packet are saved in a dump; use -s 0 to save whole packets.
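To make the snapshot-length point concrete, here is an added example in Python, not code from the page or from libpcap/tcpdump, that writes a minimal .pcap file the way tcpdump -w -s <n> would, from constructed frames, then reads it back and reports which records were cut short by the snaplen. It assumes the classic pcap layout (24-byte file header, 16-byte per-record header, little- or big-endian according to the magic number) and the link-type values 1 (Ethernet) and 113 (the Linux "cooked" format tcpdump writes for -i any).

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic libpcap file, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond-resolution variant
LINKTYPE_ETHERNET = 1
LINKTYPE_LINUX_SLL = 113       # Linux "cooked" capture, written for tcpdump -i any
MAX_SNAPLEN = 262144           # bound libpcap records in the header when -s 0 is used

# Constructed frames (timestamp seconds, microseconds, raw bytes); not real traffic.
SAMPLE_FRAMES: List[Tuple[int, int, bytes]] = [
    (1700000000, 100, bytes(64)),            # short frame, fits in a 68-byte snaplen
    (1700000001, 200, bytes(range(120))),    # longer frame, gets truncated at 68 bytes
]


@dataclass
class Record:
    ts_sec: int
    ts_frac: int
    caplen: int    # bytes actually stored in the file (bounded by snaplen)
    wirelen: int   # original length on the wire
    data: bytes

    @property
    def truncated(self) -> bool:
        # The tell-tale sign of a too-small -s: stored bytes < wire bytes.
        return self.caplen < self.wirelen


def write_pcap(frames, snaplen: int, linktype: int = LINKTYPE_ETHERNET) -> bytes:
    """Serialize frames as tcpdump -w -s <snaplen> would; snaplen 0 means 'whole packet'."""
    header_snaplen = snaplen or MAX_SNAPLEN
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, header_snaplen, linktype)]
    for ts_sec, ts_usec, frame in frames:
        stored = frame[:snaplen] if snaplen else frame
        # record header: ts_sec, ts_usec, captured length, original length
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(stored), len(frame)))
        out.append(stored)
    return b"".join(out)


def read_pcap(data: bytes) -> Tuple[Dict, List[Record]]:
    """Parse a pcap blob; endianness is taken from the magic number, as Wireshark does."""
    if struct.unpack("<I", data[:4])[0] in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = ">"
    else:
        raise ValueError("not a pcap file (bad magic)")
    _magic, vmaj, vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    records: List[Record] = []
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, caplen, wirelen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        payload = data[off:off + caplen]
        if len(payload) < caplen:
            # A capture killed mid-write (e.g. disk full) ends like this.
            raise ValueError("file ends inside a record: header promises more bytes than remain")
        records.append(Record(ts_sec, ts_frac, caplen, wirelen, payload))
        off += caplen
    return {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype}, records


def truncated_records(records: List[Record]) -> List[int]:
    """Indices of records whose payload was cut by the snaplen."""
    return [i for i, r in enumerate(records) if r.truncated]


if __name__ == "__main__":
    header, recs = read_pcap(write_pcap(SAMPLE_FRAMES, snaplen=68))
    print(header, [(r.caplen, r.wirelen) for r in recs], "truncated:", truncated_records(recs))
```

The same check is worth running on any .pcap before analysis: if `truncated_records` is non-empty, payload-level inspection (the -A / -X views, or Wireshark's protocol dissection) will be missing data, and the capture should be repeated with -s 0.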
Examples:
tcpdump src net 10.208.148.0 mask 255.255.255.0 – packets whose source is in the 10.208.148.0/24 network.
tcpdump src net 10.208.148.0/24 – the same, written in CIDR notation.
tcpdump -ni eth1 greater 1000 – packets larger than 1000 bytes on eth1, without name resolution.
Sources:
Let’s learn tcpdump! by Julia Evans.
https://habr.com/ru/company/alexhost/blog/531170/
http://www.alexonlinux.com/tcpdump-for-dummies