linux:tcpdump - WiKi

TCPDUMP

Filtering

Filtering hosts

  • Match any traffic involving 192.168.1.1 as destination or source
    # tcpdump -i eth1 host 192.168.1.1
  • As source only
    # tcpdump -i eth1 src host 192.168.1.1
  • As destination only
    # tcpdump -i eth1 dst host 192.168.1.1

Filtering ports

  • Match any traffic involving port 25 as source or destination
    # tcpdump -i eth1 port 25
  • Source
    # tcpdump -i eth1 src port 25
  • Destination
    # tcpdump -i eth1 dst port 25

Network filtering

# tcpdump -i eth1 net 192.168
# tcpdump -i eth1 src net 192.168
# tcpdump -i eth1 dst net 192.168

Protocol filtering

# tcpdump -i eth1 arp
# tcpdump -i eth1 ip

# tcpdump -i eth1 tcp
# tcpdump -i eth1 udp
# tcpdump -i eth1 icmp

Let's combine expressions

  • Negation: ! or “not” (without the quotes)
  • Concatenate: && or “and”
  • Alternate: || or “or”

  • This rule will match any TCP traffic on port 80 (web) with 192.168.1.254 or 192.168.1.200 as destination host
    # tcpdump -i eth1 '((tcp) and (port 80) and ((dst host 192.168.1.254) or (dst host 192.168.1.200)))'


  • Will match any ICMP traffic involving the destination with physical/MAC address 00:01:02:03:04:05
    # tcpdump -i eth1 '((icmp) and ((ether dst host 00:01:02:03:04:05)))'


  • Will match any TCP traffic for the destination network 192.168 except destination host 192.168.1.200
    # tcpdump -i eth1 '((tcp) and ((dst net 192.168) and (not dst host 192.168.1.200)))'

Advanced header filtering

Before we continue, we need to know how to filter on the raw bytes of the protocol headers

  • proto[x:y] reads y bytes starting at byte x of the proto header (the first byte is byte 0); ip[2:2] therefore reads the third and fourth bytes of the IP header
  • proto[x:y] & z = 0 matches when every bit selected by mask z is 0 in proto[x:y]
  • proto[x:y] & z != 0 matches when at least one bit selected by mask z is set in proto[x:y]
  • proto[x:y] & z = z matches when every bit selected by mask z is set in proto[x:y]
  • proto[x:y] = z matches when proto[x:y] is exactly equal to z

Operators : >, <, >=, <=, =, !=

This may not be clear at first, but you'll find examples below involving these.

Of course, it is important to know what the protocol headers look like before diving into more advanced filters.
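The byte-offset rules above, as an added worked example that is not code from this wiki page: a small Python evaluator that applies one `proto[x:y] (& mask) op value` comparison to a constructed IPv4/TCP packet, reading header bytes the way the BPF program compiled by tcpdump does (big-endian loads of 1, 2 or 4 bytes, `tcp[...]` offsets counted from the TCP header found via the IHL field, and an implicit protocol check). The packet builder, the `field` and `matches` functions, and the sample addresses are assumptions of this example; it handles a single comparison, not `and`/`or`/`not` combinations.

```python
import re
import struct

# Constructed IPv4 + TCP packet (no link-layer header), checksums left at zero:
# 10.0.19.121:52497 -> 11.154.12.121:22 with SYN+ACK set and no payload.
def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b""):
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0x2000, 5 << 4, flags, 8192, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip_hdr + tcp_hdr + payload

SAMPLE_PKT = build_ipv4_tcp("10.0.19.121", "11.154.12.121", 52497, 22, flags=0x12)

# Grammar handled here:  proto[x(:y)] (& mask)? op value  (decimal or 0x hex)
_FILTER = re.compile(
    r"^\s*(ip|tcp|udp)\[(\d+)(?::(\d+))?\]\s*"
    r"(?:&\s*(0x[0-9a-fA-F]+|\d+))?\s*"
    r"(!=|>=|<=|==|=|>|<)\s*(0x[0-9a-fA-F]+|\d+)\s*$")

def field(pkt, proto, x, y=1):
    """Return proto[x:y] as an unsigned big-endian integer, as BPF loads it.
    ip offsets are relative to the IP header; tcp/udp offsets are relative to the
    transport header, located through the IHL field (ip[0] & 0xf, in 32-bit words)."""
    if y not in (1, 2, 4):
        raise ValueError("BPF loads 1, 2 or 4 bytes only")
    if proto == "ip":
        base = 0
    else:
        if pkt[9] != {"tcp": 6, "udp": 17}[proto]:   # tcp[...] implies 'ip proto \tcp'
            return None
        base = (pkt[0] & 0x0F) * 4
    chunk = pkt[base + x: base + x + y]
    if len(chunk) != y:
        return None                                   # out-of-bounds load never matches
    return int.from_bytes(chunk, "big")

def matches(pkt, expr):
    """Evaluate one header-byte filter such as 'tcp[13] & 2 != 0' against pkt."""
    m = _FILTER.match(expr)
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    proto, x, y, mask, op, value = m.groups()
    lhs = field(pkt, proto, int(x), int(y) if y else 1)
    if lhs is None:
        return False
    if mask is not None:
        lhs &= int(mask, 0)
    rhs = int(value, 0)
    return {"=": lhs == rhs, "==": lhs == rhs, "!=": lhs != rhs,
            ">": lhs > rhs, "<": lhs < rhs, ">=": lhs >= rhs, "<=": lhs <= rhs}[op]

if __name__ == "__main__":
    # tcp[13] is the TCP flags byte: FIN=1 SYN=2 RST=4 PSH=8 ACK=16
    for f in ("tcp[13] & 2 != 0", "tcp[13] & 0x12 = 0x12", "tcp[13] = 2",
              "ip[2:2] = 40", "ip[0] & 0xf = 5", "tcp[2:2] = 22"):
        print(f"{f:24} -> {matches(SAMPLE_PKT, f)}")
```

`tcp[13] & 2 != 0` (SYN bit set) and `tcp[13] & 0x12 = 0x12` (SYN and ACK both set) match the sample packet, while `tcp[13] = 2` does not because the flags byte is 0x12, not exactly 2. To compare with the real compiler, `tcpdump -d 'expr'` prints the BPF program tcpdump generates for an expression without capturing anything.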

Tcpdump and output file

  • Capture the packets and write into a file using tcpdump -w. Tcpdump allows you to save the packets to a file, and later you can use the packet file for further analysis.
    $ tcpdump -w 08232010.pcap -i eth0
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    32 packets captured
    32 packets received by filter
    0 packets dropped by kernel
    The -w option writes the packets into the given file. The file extension should be .pcap; the file can then be read by any network protocol analyzer.


  • Reading the packets from a saved file using tcpdump -r. You can read the captured pcap file and view the packets for analysis, as shown below.
    $ tcpdump -tttt -r data.pcap
    2010-08-22 21:35:26.571793 00:50:56:9c:69:38 (oui Unknown) > Broadcast, ethertype Unknown (0xcafe), length 74:
            0x0000:  0200 000a ffff 0000 ffff 0c00 3c00 0000  ............<...
            0x0010:  0000 0000 0100 0080 3e9e 2900 0000 0000  ........>.).....
            0x0020:  0000 0000 ffff ffff ad00 996b 0600 0050  ...........k...P
            0x0030:  569c 6938 0000 0000 8e07 0000            V.i8........
    2010-08-22 21:35:26.571797 IP valh4.lell.net.ssh > zz.domain.innetbcp.net.50570: P 800464396:800464448(52) ack 203316566 win 71
    2010-08-22 21:35:26.571800 IP valh4.lell.net.ssh > zz.domain.innetbcp.net.50570: P 52:168(116) ack 1 win 71
    2010-08-22 21:35:26.584865 IP valh5.lell.net.ssh > 11.154.12.255.netbios-ns: NBT UDP PACKET(137): Q


  • Capture packets and print IP addresses using tcpdump -n. In all the above examples, tcpdump prints resolved host names rather than IP addresses. The following example captures the packets and displays the IP addresses of the machines involved.
    $ tcpdump -n -i eth0
    15:01:35.170763 IP 10.0.19.121.52497 > 11.154.12.121.ssh: P 105:157(52) ack 18060 win 16549
    15:01:35.170776 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 23988:24136(148) ack 157 win 113
    15:01:35.170894 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 24136:24380(244) ack 157 win 113


  • Capture packets with a human-readable timestamp using tcpdump -tttt
    $ tcpdump -n -tttt -i eth0
    2010-08-22 15:10:39.162830 IP 10.0.19.121.52497 > 11.154.12.121.ssh: . ack 49800 win 16390
    2010-08-22 15:10:39.162833 IP 10.0.19.121.52497 > 11.154.12.121.ssh: . ack 50288 win 16660
    2010-08-22 15:10:39.162867 IP 10.0.19.121.52497 > 11.154.12.121.ssh: . ack 50584 win 16586
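As an added example that is not part of this wiki page, here is a minimal writer and reader for the pcap file format that tcpdump -w produces and -r reads back, with a summary line per record in the spirit of `tcpdump -n -tttt -r file.pcap`. The first sample frame re-assembles the 74-byte broadcast frame from the -r output above (Ethernet header plus the 60 dumped bytes); the second is a constructed IPv4/ICMP frame between the two hosts of the -n example. The second frame's MAC addresses, the function names and the UTC rendering of timestamps are assumptions of this example.

```python
import struct
from datetime import datetime, timezone

PCAP_MAGIC_US = 0xA1B2C3D4          # classic pcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D          # pcap variant with nanosecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800

def write_pcap(records, snaplen=65535, byte_order="<"):
    """Serialize (ts_sec, ts_usec, frame) records into pcap bytes: a 24-byte global
    header followed by 16-byte record headers. tcpdump -w writes in host byte order."""
    out = struct.pack(byte_order + "IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in records:
        captured = frame[:snaplen]   # snaplen truncates the record; orig_len keeps the wire size
        out += struct.pack(byte_order + "IIII", ts_sec, ts_usec, len(captured), len(frame)) + captured
    return out

def read_pcap(data):
    """Yield (ts_sec, ts_usec, orig_len, frame). Byte order and timestamp resolution
    are taken from the magic number, as every pcap reader must do."""
    for endian in ("<", ">"):
        magic, = struct.unpack_from(endian + "I", data, 0)
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            break
    else:
        raise ValueError("not a pcap file")
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes LINKTYPE_ETHERNET captures")
    frac_div = 1000 if magic == PCAP_MAGIC_NS else 1
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record data at offset %d" % off)
        off += incl_len
        yield ts_sec, ts_frac // frac_div, orig_len, frame

def summarize(ts_sec, ts_usec, orig_len, frame):
    """One line per record, rendered like 'tcpdump -n -tttt' (UTC here; tcpdump uses local time)."""
    when = datetime.fromtimestamp(ts_sec, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    dst, src, ethertype = frame[:6], frame[6:12], int.from_bytes(frame[12:14], "big")
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
        ip = frame[14:]
        dotted = lambda b: ".".join(str(x) for x in b)
        return (f"{when}.{ts_usec:06d} IP {dotted(ip[12:16])} > {dotted(ip[16:20])}: "
                f"proto {ip[9]}, length {orig_len}")
    return f"{when}.{ts_usec:06d} {mac(src)} > {mac(dst)}, ethertype 0x{ethertype:04x}, length {orig_len}"

def dump(data):
    return [summarize(*rec) for rec in read_pcap(data)]

# Constructed sample frames. FRAME_CAFE rebuilds the broadcast frame shown by 'tcpdump -r'
# above (dst ff:ff:ff:ff:ff:ff, src 00:50:56:9c:69:38, ethertype 0xcafe, 60 dumped bytes).
FRAME_CAFE = (b"\xff" * 6 + bytes.fromhex("0050569c6938") + b"\xca\xfe" + bytes.fromhex(
    "0200000affff0000ffff0c003c000000"
    "00000000010000803e9e290000000000"
    "00000000ffffffffad00996b06000050"
    "569c6938000000008e070000"))
# FRAME_IPV4: IPv4/ICMP 10.0.19.121 -> 11.154.12.121 with a constructed source MAC.
FRAME_IPV4 = (bytes.fromhex("0050569c6938") + bytes.fromhex("000c29aabbcc") + b"\x08\x00"
              + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 1, 0,
                            bytes([10, 0, 19, 121]), bytes([11, 154, 12, 121])) + bytes(8))
TS_SEC = int(datetime(2010, 8, 22, 21, 35, 26, tzinfo=timezone.utc).timestamp())
SAMPLE_RECORDS = [(TS_SEC, 571793, FRAME_CAFE), (TS_SEC, 571797, FRAME_IPV4)]

if __name__ == "__main__":
    for line in dump(write_pcap(SAMPLE_RECORDS)):
        print(line)
```

The magic number is what lets a reader distinguish a capture written on a little-endian host from one written on a big-endian host, and the microsecond variant from the nanosecond variant; a reader that assumes one layout silently misreads the other. The snaplen field explains the "capture size 96 bytes" line in the -w output above: records are cut at that length while orig_len still records the size on the wire.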