Tcpdump Examples

Practical tcpdump examples to lift your network troubleshooting and security testing game. Commands and tips to not only use tcpdump but master ways to know your network.

Knowing tcpdump is an essential skill that will come in handy for any system administrator, network engineer or security professional.


First The Basics

Breaking down the Tcpdump Command Line

The following command uses common parameters often seen when wielding the tcpdump scalpel.

:~$ sudo tcpdump -i eth0 -nn -s0 -v port 80

-i : Select the interface that the capture is to take place on. This will often be an ethernet card or wireless adapter but could also be a vlan or something more unusual. Not always required if there is only one network adapter.
-nn : A single (n) will not resolve hostnames. A double (nn) will not resolve hostnames or ports. This is handy for not only viewing the IP / port numbers but also when capturing a large amount of data, as the name resolution will slow down the capture.
-s0 : Snap length, is the size of the packet to capture. -s0 will set the size to unlimited - use this if you want to capture all the traffic. Needed if you want to pull binaries / files from network traffic.
-v : Verbose, using (-v) or (-vv) increases the amount of detail shown in the output, often showing more protocol specific information.
port 80 : this is a common port filter to capture only traffic on port 80, which is of course usually HTTP.

View ASCII text

Adding -A to the command line will have the output include the ASCII strings from the capture. This allows easy reading and the ability to parse the output using grep or other commands. Another option that shows both hexadecimal output and ASCII is the -X option.

:~$ sudo tcpdump -A -s0 port 80

Capture on Protocol

Filter on UDP traffic. Another way to specify this is to use protocol 17, which is udp. These two commands will produce the same result. The equivalent of the tcp filter is proto 6.

:~$ sudo tcpdump -i eth0 udp
:~$ sudo tcpdump -i eth0 proto 17

Capture Hosts based on IP address

Using the host filter will capture traffic going to (destination) and from (source) the IP address.

:~$ sudo tcpdump -i eth0 host 10.10.1.1

Alternatively capture only packets going one way using src or dst.

:~$ sudo tcpdump -i eth0 dst 10.10.1.20

Write a capture file

Writing a standard pcap file is a common command option. Writing a capture file to disk allows the file to be opened in Wireshark or other packet analysis tools.

:~$ sudo tcpdump -i eth0 -s0 -w test.pcap

Line Buffered Mode

Without the option to force line (-l) buffered (or packet buffered -U) mode you will not always get the expected response when piping the tcpdump output to another command such as grep. By using this option the output is sent immediately to the piped command, giving an immediate response when troubleshooting.

:~$ sudo tcpdump -i eth0 -s0 -l port 80 | grep 'Server:'

Combine Filters

Throughout these examples you can use standard logic to combine different filters.

and or &&
otherwise or ||
not with !

Practical Examples

In many of these examples there are a number of ways that the result could be achieved. As seen in some of the examples it is possible to focus the capture right down to individual bits in a packet.

The method you will use will depend on your desired output and how much traffic is on the wire. Capturing on a busy gigabit link may force you to use specific low level packet filters.

When troubleshooting you often simply want to get a result. Filtering on the port and viewing ascii output in combination with grep, cut or awk will often get that result. You can always go deeper into the packet if required.

For example when capturing HTTP requests and responses you could filter out all packets except the data by removing SYN / ACK / FIN, however if you are using grep the noise will be filtered anyway. Keep it simple.

This can be seen in the following examples, where the goal is to get a result in the simplest (and therefore fastest) manner.

1. Extract HTTP User Agent

Extract HTTP User Agent from HTTP request header.

:~$ sudo tcpdump -nn -A -s1500 -l | grep "User-Agent:"

By using egrep and multiple matches we can retrieve the User Agent and the Host (or any other header) from the request.

:~$ sudo tcpdump -nn -A -s1500 -l | egrep -i 'User-Agent:|Host:'

2. Capture only HTTP GET and POST packets

Going deep on the filter we can specify only packets that match GET.

:~$ sudo tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'

Alternatively we can select only POST requests. Note that the POST data may not be included in the packet captured with this filter. It is likely that a POST request will be split across multiple TCP data packets.

:~$ sudo tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'

The hex values being matched in these expressions are the ascii for GET and POST.

As an explanation, tcp[((tcp[12:1] & 0xf0) >> 2):4] first determines the location of the bytes we are interested in (after the TCP header, using the data offset nibble in byte 12 of the TCP header) and then selects the 4 bytes we wish to match against.

3. Extract HTTP Request URLs

Parse Host and HTTP Request location from traffic. By not targeting port 80 we may find these requests on any port, such as HTTP services running on high ports.

:~$ sudo tcpdump -s 0 -v -n -l | egrep -i "POST /|GET /|Host:"

tcpdump: listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
	POST /wp-login.php HTTP/1.1
	Host: dev.example.com
	GET /wp-login.php HTTP/1.1
	Host: dev.example.com
	GET /favicon.ico HTTP/1.1
	Host: dev.example.com
	GET / HTTP/1.1
	Host: dev.example.com

4. Extract HTTP Passwords in POST Requests

Lets get the passwords from the POST data. We will include Host: and the request location so we know what the password is used for.

:~$ sudo tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:25:54.799014 IP 10.10.1.30.39224 > 10.10.1.125.80: Flags [P.], seq 1458768667:1458770008, ack 2440130792, win 704, options [nop,nop,TS val 461552632 ecr 208900561], length 1341: HTTP: POST /wp-login.php HTTP/1.1
.....s..POST /wp-login.php HTTP/1.1
Host: dev.example.com
.....s..log=admin&pwd=notmypassword&wp-submit=Log+In&redirect_to=http%3A%2F%2Fdev.example.com%2Fwp-admin%2F&testcookie=1

5. Capture Cookies from Server and from Client

MMMmmm Cookies! Capture cookies from the traffic by searching on Set-Cookie: (from Server) and Cookie: (from Client).

:~$ sudo tcpdump -nn -A -s0 -l | egrep -i 'Set-Cookie|Host:|Cookie:'

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp58s0, link-type EN10MB (Ethernet), capture size 262144 bytes
Host: dev.example.com
Cookie: wordpress_86be02xxxxxxxxxxxxxxxxxxxc43=admin%7C152xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxfb3e15c744fdd6; _ga=GA1.2.21343434343421934; _gid=GA1.2.927343434349426; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_86be654654645645645654645653fc43=admin%7C15275102testtesttesttestab7a61e; wp-settings-time-1=1527337439

6. Capture all ICMP packets

Show all ICMP packets on the wire.

:~$ sudo tcpdump -n icmp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:34:21.590380 IP 10.10.1.217 > 10.10.1.30: ICMP echo request, id 27948, seq 1, length 64
11:34:21.590434 IP 10.10.1.30 > 10.10.1.217: ICMP echo reply, id 27948, seq 1, length 64
11:34:27.680307 IP 10.10.1.159 > 10.10.1.1: ICMP 10.10.1.189 udp port 59619 unreachable, length 115

7. Show ICMP Packets that are not ECHO/REPLY (standard ping)

Filter on the icmp type to select only icmp packets that are not standard ping packets.

:~$ sudo tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:37:04.041037 IP 10.10.1.189 > 10.10.1.20: ICMP 10.10.1.189 udp port 36078 unreachable, length 156

8. Capture SMTP / POP3 Email

It is possible to extract the email body and other data; in this example we will only parse the email recipients.

:~$ sudo tcpdump -nn -l port 25 | grep -i 'MAIL FROM\|RCPT TO'

9. Troubleshooting NTP Query and Response

In this example we see the NTP query and response.

:~$ sudo tcpdump dst port 123

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:02:19.112502 IP test33.ntp > 199.30.140.74.ntp: NTPv4, Client, length 48
21:02:19.113888 IP 216.239.35.0.ntp > test33.ntp: NTPv4, Server, length 48
21:02:20.150347 IP test33.ntp > 216.239.35.0.ntp: NTPv4, Client, length 48
21:02:20.150991 IP 216.239.35.0.ntp > test33.ntp: NTPv4, Server, length 48

10. Capture SNMP Query and Response

Using onesixtyone, the fast SNMP scanner, we test an SNMP service on our local network and capture the GetRequest and GetResponse. For anyone who has had the (dis)pleasure of troubleshooting SNMP, this is a great way to see exactly what is happening on the wire. You can see the OID values in the transaction, very helpful when wrestling with MIBs.

:~$ onesixtyone 10.10.1.10 public

Scanning 1 hosts, 1 communities
10.10.1.10 [public] Linux test33 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64
:~$ sudo tcpdump -n -s0 port 161 and udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp58s0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:39:13.725522 IP 10.10.1.159.36826 > 10.10.1.20.161:  GetRequest(28)  .1.3.6.1.2.1.1.1.0
23:39:13.728789 IP 10.10.1.20.161 > 10.10.1.159.36826:  GetResponse(109)  .1.3.6.1.2.1.1.1.0="Linux testmachine 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64"

11. Capture FTP Credentials and Commands

Capturing FTP commands and login details is straightforward. After authentication an FTP session can be active or passive; this determines whether the data part of the session is conducted over TCP port 20 or another ephemeral port. With the following command you will see USER and PASS in the output (which could be fed to grep) as well as the FTP commands such as LIST, CWD and PASV.

:~$ sudo tcpdump -nn -v port ftp or ftp-data

12. Rotate Capture Files

When capturing large amounts of traffic or over a long period of time it can be helpful to automatically create new files of a fixed size. This is done using the parameters -W, -G and -C.

In this command the file capture-(hour).pcap will be created every (-G) 3600 seconds (1 hour). The files will be overwritten the following day. So you should end up with capture-{1-24}.pcap; if the hour was 15 the new file is (/tmp/capture-15.pcap).

:~$ tcpdump  -w /tmp/capture-%H.pcap -G 3600 -C 200

13. Capture IPv6 Traffic

Capture IPv6 traffic using the ip6 filter. In these examples we have specified the TCP and UDP protocols using proto 6 and proto 17.

tcpdump -nn ip6 proto 6

IPv6 with UDP, reading from a previously saved capture file.

tcpdump -nr ipv6-test.pcap ip6 proto 17

14. Detect Port Scanning in Network Traffic

In the following example you can see the traffic coming from a single source to a single destination. The Flags [S] and [R] can be seen, matched against a seemingly random series of destination ports. The [R] flags are the RESET that is sent when the SYN finds a closed port on the destination system. This is standard behaviour for a port scan by a tool such as Nmap.

We have another tutorial on Nmap that details captured port scans (open / closed / filtered) in a number of Wireshark captures.

:~$ tcpdump -nn

21:46:19.693601 IP 10.10.1.10.60460 > 10.10.1.199.5432: Flags [S], seq 116466344, win 29200, options [mss 1460,sackOK,TS val 3547090332 ecr 0,nop,wscale 7], length 0
21:46:19.693626 IP 10.10.1.10.35470 > 10.10.1.199.513: Flags [S], seq 3400074709, win 29200, options [mss 1460,sackOK,TS val 3547090332 ecr 0,nop,wscale 7], length 0
21:46:19.693762 IP 10.10.1.10.44244 > 10.10.1.199.389: Flags [S], seq 2214070267, win 29200, options [mss 1460,sackOK,TS val 3547090333 ecr 0,nop,wscale 7], length 0
21:46:19.693772 IP 10.10.1.199.389 > 10.10.1.10.44244: Flags [R.], seq 0, ack 2214070268, win 0, length 0
21:46:19.693783 IP 10.10.1.10.35172 > 10.10.1.199.1433: Flags [S], seq 2358257571, win 29200, options [mss 1460,sackOK,TS val 3547090333 ecr 0,nop,wscale 7], length 0
21:46:19.693826 IP 10.10.1.10.33022 > 10.10.1.199.49153: Flags [S], seq 2406028551, win 29200, options [mss 1460,sackOK,TS val 3547090333 ecr 0,nop,wscale 7], length 0
21:46:19.695567 IP 10.10.1.10.55130 > 10.10.1.199.49154: Flags [S], seq 3230403372, win 29200, options [mss 1460,sackOK,TS val 3547090334 ecr 0,nop,wscale 7], length 0
21:46:19.695590 IP 10.10.1.199.49154 > 10.10.1.10.55130: Flags [R.], seq 0, ack 3230403373, win 0, length 0
21:46:19.695608 IP 10.10.1.10.33460 > 10.10.1.199.49152: Flags [S], seq 3289070068, win 29200, options [mss 1460,sackOK,TS val 3547090335 ecr 0,nop,wscale 7], length 0
21:46:19.695622 IP 10.10.1.199.49152 > 10.10.1.10.33460: Flags [R.], seq 0, ack 3289070069, win 0, length 0
21:46:19.695637 IP 10.10.1.10.34940 > 10.10.1.199.1029: Flags [S], seq 140319147, win 29200, options [mss 1460,sackOK,TS val 3547090335 ecr 0,nop,wscale 7], length 0
21:46:19.695650 IP 10.10.1.199.1029 > 10.10.1.10.34940: Flags [R.], seq 0, ack 140319148, win 0, length 0
21:46:19.695664 IP 10.10.1.10.45648 > 10.10.1.199.5060: Flags [S], seq 2203629201, win 29200, options [mss 1460,sackOK,TS val 3547090335 ecr 0,nop,wscale 7], length 0
21:46:19.695775 IP 10.10.1.10.49028 > 10.10.1.199.2000: Flags [S], seq 635990431, win 29200, options [mss 1460,sackOK,TS val 3547090335 ecr 0,nop,wscale 7], length 0
21:46:19.695790 IP 10.10.1.199.2000 > 10.10.1.10.49028: Flags [R.], seq 0, ack 635990432, win 0, length 0
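To turn the pattern above into a detection check, here is an added Python example (not part of the original tutorial) that parses tcpdump -nn lines like those shown, counts the distinct ports each source probes with a bare SYN and how many of them answered with a reset, and flags sources over a threshold. The sample lines are a constructed subset of the capture above (options trimmed) with one normal connection added, and the threshold of 5 is an assumption.

```python
"""Port-scan detection over tcpdump -nn output (added example, not from the tutorial).
A SYN to a port that answers with RST means the port was closed; a single source
hitting many distinct ports on one host this way is the signature of a scan."""
import re
from collections import defaultdict

# Matches: "21:46:19.693601 IP 10.10.1.10.60460 > 10.10.1.199.5432: Flags [S], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample: a subset of the capture shown above plus one normal handshake.
SAMPLE = """\
21:46:19.693601 IP 10.10.1.10.60460 > 10.10.1.199.5432: Flags [S], seq 116466344, win 29200, length 0
21:46:19.693626 IP 10.10.1.10.35470 > 10.10.1.199.513: Flags [S], seq 3400074709, win 29200, length 0
21:46:19.693762 IP 10.10.1.10.44244 > 10.10.1.199.389: Flags [S], seq 2214070267, win 29200, length 0
21:46:19.693772 IP 10.10.1.199.389 > 10.10.1.10.44244: Flags [R.], seq 0, ack 2214070268, win 0, length 0
21:46:19.693783 IP 10.10.1.10.35172 > 10.10.1.199.1433: Flags [S], seq 2358257571, win 29200, length 0
21:46:19.695567 IP 10.10.1.10.55130 > 10.10.1.199.49154: Flags [S], seq 3230403372, win 29200, length 0
21:46:19.695590 IP 10.10.1.199.49154 > 10.10.1.10.55130: Flags [R.], seq 0, ack 3230403373, win 0, length 0
21:46:19.695637 IP 10.10.1.10.34940 > 10.10.1.199.1029: Flags [S], seq 140319147, win 29200, length 0
21:46:19.695650 IP 10.10.1.199.1029 > 10.10.1.10.34940: Flags [R.], seq 0, ack 140319148, win 0, length 0
21:46:19.695664 IP 10.10.1.10.45648 > 10.10.1.199.5060: Flags [S], seq 2203629201, win 29200, length 0
21:46:19.695775 IP 10.10.1.10.49028 > 10.10.1.199.2000: Flags [S], seq 635990431, win 29200, length 0
21:46:19.695790 IP 10.10.1.199.2000 > 10.10.1.10.49028: Flags [R.], seq 0, ack 635990432, win 0, length 0
21:46:20.100000 IP 10.10.1.30.51000 > 10.10.1.125.80: Flags [S], seq 1, win 29200, length 0
21:46:20.100500 IP 10.10.1.125.80 > 10.10.1.30.51000: Flags [S.], seq 2, ack 2, win 28960, length 0
"""

def parse_lines(text):
    """Yield (src, sport, dst, dport, flags) for every line that looks like a TCP packet."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])

def scan_summary(text):
    """Per (scanner, target): (distinct ports probed with a bare SYN,
    how many of those ports answered with RST, i.e. were closed)."""
    probed = defaultdict(set)   # (src, dst) -> destination ports that received a bare SYN
    reset = defaultdict(set)    # (src, dst) -> probed ports that replied with a reset
    for src, sport, dst, dport, flags in parse_lines(text):
        if flags == "S":
            probed[(src, dst)].add(dport)
        elif "R" in flags:
            # the RST travels target -> scanner, so swap the direction to key it
            reset[(dst, src)].add(sport)
    return {k: (len(v), len(reset[k] & v)) for k, v in probed.items()}

def detect_scanners(text, min_ports=5):
    """(scanner, target) pairs that probed at least min_ports distinct ports.
    The threshold is an assumption; tune it to the network being monitored."""
    return [k for k, (ports, _) in scan_summary(text).items() if ports >= min_ports]

if __name__ == "__main__":
    for (src, dst), (ports, closed) in scan_summary(SAMPLE).items():
        print(f"{src} -> {dst}: {ports} ports probed, {closed} answered with RST")
    print("likely port scans:", detect_scanners(SAMPLE))
```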

15. Example Filter Showing Nmap NSE Script Testing

In this example the Nmap NSE script http-enum.nse is shown testing for valid urls against an open HTTP service.

On the Nmap machine:

:~$ nmap -p 80 --script=http-enum.nse targetip

On the target machine:

:~$ tcpdump -nn port 80 | grep "GET /"

GET /w3perl/ HTTP/1.1
GET /w-agora/ HTTP/1.1
GET /way-board/ HTTP/1.1
GET /web800fo/ HTTP/1.1
GET /webaccess/ HTTP/1.1
GET /webadmin/ HTTP/1.1
GET /webAdmin/ HTTP/1.1

16. Capture Start and End Packets of every non-local host

This example is straight out of the tcpdump man page. By selecting on the tcp-syn and tcp-fin packets we can show each established TCP conversation with timestamps but without the data. As with many filters this allows the amount of noise to be reduced in order to focus in on the information that you care about.

:~$ tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

17. Capture DNS Request and Response

An outbound DNS request to Google public DNS and the A record (ip address) response can be seen in this capture.

:~$ sudo tcpdump -i wlp58s0 -s0 port 53

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp58s0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:19:06.879799 IP test.53852 > google-public-dns-a.google.com.domain: 26977+ [1au] A? play.google.com. (44)
14:19:07.022618 IP google-public-dns-a.google.com.domain > test.53852: 26977 1/0/1 A 216.58.203.110 (60)

18. Capture HTTP data packets

Only capture HTTP data packets on port 80. Avoid capturing the TCP session set-up (SYN / FIN / ACK). The expression subtracts the IP header length and the TCP header length from the IP total length, so only segments that actually carry payload match.

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
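As an added example that is not from the original tutorial, the following Python reproduces the byte-offset arithmetic behind the filter in section 2 (matching GET / POST right after the TCP header) and the payload-length filter in this section, against an IPv4/TCP packet constructed in memory. The packet builder, addresses and sample payloads are constructed for the example.

```python
"""Evaluate two tcpdump byte-offset filters from this page in plain Python
(added example, not part of the tutorial). ip[...] and tcp[...] index from the
start of the IP and TCP headers, exactly as in the BPF expressions:
  tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420                (match "GET ")
  ((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0    (carries payload)
"""
import struct

def build_packet(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Construct a minimal IPv4 + TCP packet (sample data, checksums left zero)."""
    assert len(tcp_options) % 4 == 0, "TCP options are padded to 32-bit words"
    data_offset_words = 5 + len(tcp_options) // 4   # TCP header length in words
    tcp_header = struct.pack(
        "!HHIIBBHHH",
        40000, 80,                # source port, destination port
        1, 1,                     # sequence and acknowledgement numbers
        data_offset_words << 4,   # byte 12: data offset in the high nibble
        0x18,                     # flags PSH+ACK
        29200, 0, 0,              # window, checksum, urgent pointer
    ) + tcp_options
    total_len = 20 + len(tcp_header) + len(payload)
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len,       # version 4 / IHL 5 words, TOS, total length (ip[2:2])
        0, 0, 64, 6, 0,           # id, flags/fragment, TTL, proto 6 (TCP), checksum
        bytes([10, 10, 1, 30]), bytes([10, 10, 1, 125]),
    )
    return ip_header + tcp_header + payload

def ip_header_len(pkt: bytes) -> int:
    """(ip[0] & 0xf) << 2 : IHL in 32-bit words, converted to bytes."""
    return (pkt[0] & 0x0F) << 2

def tcp_header_len(pkt: bytes) -> int:
    """(tcp[12] & 0xf0) >> 2 : data-offset nibble (words), converted to bytes."""
    tcp = pkt[ip_header_len(pkt):]
    return (tcp[12] & 0xF0) >> 2

def method_constant(method4: bytes) -> int:
    """The hex literal used in the filter: b'GET ' -> 0x47455420, b'POST' -> 0x504f5354."""
    return int.from_bytes(method4, "big")

def matches_method(pkt: bytes, method4: bytes) -> bool:
    """tcp[((tcp[12:1] & 0xf0) >> 2):4] = <constant>: the 4 bytes right after the header."""
    tcp = pkt[ip_header_len(pkt):]
    start = tcp_header_len(pkt)
    if len(tcp) < start + 4:      # BPF cannot match a 4-byte field that is not there
        return False
    return int.from_bytes(tcp[start:start + 4], "big") == method_constant(method4)

def payload_len(pkt: bytes) -> int:
    """ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2): bytes after the TCP header."""
    total_len = struct.unpack("!H", pkt[2:4])[0]    # ip[2:2], big-endian
    return total_len - ip_header_len(pkt) - tcp_header_len(pkt)

def has_payload(pkt: bytes) -> bool:
    """The section 18 filter: true only for segments that carry data."""
    return payload_len(pkt) != 0

if __name__ == "__main__":
    opts = b"\x01\x01\x08\x0a" + b"\x00" * 8   # NOP, NOP, 10-byte timestamp option
    get = build_packet(b"GET / HTTP/1.1\r\n", opts)
    ack = build_packet(b"", opts)                # bare ACK: header only, no data
    print(matches_method(get, b"GET "), has_payload(get))   # True True
    print(matches_method(ack, b"GET "), has_payload(ack))   # False False
```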

19. Capture with tcpdump and view in Wireshark

Parsing and analysis of full application streams such as HTTP is much easier to perform using Wireshark (or tshark) rather than tcpdump. It is often more practical to capture traffic on a remote system using tcpdump with the write file option, then copy the pcap to the local workstation for analysis with Wireshark.

Other than manually moving the file from the remote system to the local workstation, it is possible to feed the capture to Wireshark over the SSH connection in real time. This tip is a favorite: pipe the raw tcpdump output right into wireshark on your local machine. Don't forget the not port 22 so you are not capturing your own SSH traffic.

:~$ ssh root@remotesystem 'tcpdump -s0 -c 1000 -nn -w - not port 22' | wireshark -k -i -

Another tip is to use the count option -c on the remote tcpdump to allow the capture to finish, otherwise hitting ctrl-c will not only kill tcpdump but also Wireshark and your capture.

20. Top Hosts by Packets

List the top talkers for a period of time or number of packets. Using simple command-line field extraction to get the IP address, sort and count the occurrences. Capture is limited by the count option -c.

sudo tcpdump -nnn -t -c 200 | cut -f 1,2,3,4 -d '.' | sort | uniq -c | sort -nr | head -n 20

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
200 packets captured
261 packets received by filter
0 packets dropped by kernel
    108 IP 10.10.211.181
     91 IP 10.10.1.30
      1 IP 10.10.1.50

21. Capture all the plaintext passwords

In this command we are focusing on standard plain text protocols and choosing to grep on anything user or password related. By selecting the -B5 option on grep the aim is to get the preceding 5 lines that may provide context on the captured password (hostname, ip address, system).

:~$ sudo tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -l -A | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '

22. DHCP Example

And our final tcpdump example is for monitoring DHCP request and reply. DHCP requests are seen on port 67 and the reply is on 68. Using the verbose parameter -v we get to see the protocol options and other details.

:~$ sudo tcpdump -v -n port 67 or 68

tcpdump: listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:37:50.059662 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:xx:xx:xx:d5, length 300, xid 0xc9779c2a, Flags [none]
	  Client-Ethernet-Address 00:0c:xx:xx:xx:d5
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: Request
	    Requested-IP Option 50, length 4: 10.10.1.163
	    Hostname Option 12, length 14: "test-ubuntu"
	    Parameter-Request Option 55, length 16: 
	      Subnet-Mask, BR, Time-Zone, Default-Gateway
	      Domain-Name, Domain-Name-Server, Option 119, Hostname
	      Netbios-Name-Server, Netbios-Scope, MTU, Classless-Static-Route
	      NTP, Classless-Static-Route-Microsoft, Static-Route, Option 252
14:37:50.059667 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:xx:xx:xx:d5, length 300, xid 0xc9779c2a, Flags [none]
	  Client-Ethernet-Address 00:0c:xx:xx:xx:d5
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: Request
	    Requested-IP Option 50, length 4: 10.10.1.163
	    Hostname Option 12, length 14: "test-ubuntu"
	    Parameter-Request Option 55, length 16: 
	      Subnet-Mask, BR, Time-Zone, Default-Gateway
	      Domain-Name, Domain-Name-Server, Option 119, Hostname
	      Netbios-Name-Server, Netbios-Scope, MTU, Classless-Static-Route
	      NTP, Classless-Static-Route-Microsoft, Static-Route, Option 252
14:37:50.060780 IP (tos 0x0, ttl 64, id 53564, offset 0, flags [none], proto UDP (17), length 339)
    10.10.1.1.67 > 10.10.1.163.68: BOOTP/DHCP, Reply, length 311, xid 0xc9779c2a, Flags [none]
	  Your-IP 10.10.1.163
	  Server-IP 10.10.1.1
	  Client-Ethernet-Address 00:0c:xx:xx:xx:d5
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: ACK
	    Server-ID Option 54, length 4: 10.10.1.1
	    Lease-Time Option 51, length 4: 86400
	    RN Option 58, length 4: 43200
	    RB Option 59, length 4: 75600
	    Subnet-Mask Option 1, length 4: 255.255.255.0
	    BR Option 28, length 4: 10.10.1.255
	    Domain-Name-Server Option 6, length 4: 10.10.1.1
	    Hostname Option 12, length 14: "test-ubuntu"
	    T252 Option 252, length 1: 10
	    Default-Gateway Option 3, length 4: 10.10.1.1

Conclusion

These tcpdump examples, tips and commands are intended to give you a base understanding of the possibilities. Depending on what you are trying to achieve there are many ways that you might go deeper or combine different capture filters to suit your requirements.

Combining tcpdump with Wireshark is a powerful combination, particularly when you wish to dig into full application layer sessions, as the decoders can reassemble the full stream. We recently did a major update to our Wireshark Tutorial.

Thanks for reading, check out the man page for more options, and if you have any comments or suggestions please drop me a note using the contact form. Happy Packet Analysis!
