Tcpdump is a network analysis tool with which one can analyze inbound and outbound network traffic on a system. Tcpdump is quite a powerful tool: using various command line options and filter expressions, one can select the network traffic of interest and analyze the packets.
Tcpdump gives output in a rather raw form compared to other network analyzer tools, and analysis done by a human is always better than analysis left to some other tool. So, if someone can use tcpdump properly, it proves to be much more powerful.
In this short article, I will explain how to use tcpdump for network analysis.
Installing tcpdump
tcpdump can be easily installed on a system. For example, in Ubuntu, one can install tcpdump using:
# sudo apt-get install tcpdump
Note: one should have root privileges to run tcpdump. So, in Linux one should run tcpdump commands with 'sudo'.
Some basic tcpdump commands
tcpdump outputs the contents of selected network packets. Each line of output is preceded by a timestamp, which is printed by default as:
<hours>:<minutes>:<seconds>.<fractions of a second>
By default, tcpdump keeps printing output until a SIGINT signal is received. On terminating, it prints:
- Number of packets captured
- Number of packets received by the filter used in the tcpdump command
- Number of packets dropped by the kernel, i.e. the number of packets dropped mainly because of lack of buffer space.
1. Basic command
# sudo tcpdump -i eth0
This outputs the packets captured on the specified interface (here eth0). Each line is typically preceded by the timestamp, source hostname, destination hostname and the port.
2. Increase verbosity of output
The verbosity of tcpdump output can be increased using the command line option -v, -vv or -vvv. Output is more verbose with -vv than with -v, and more verbose with -vvv than with -vv, i.e. verbosity increases with the number of v's.
# sudo tcpdump -v -i eth0
# sudo tcpdump -vv -i eth0
# sudo tcpdump -vvv -i eth0
3. Do not resolve hostnames
By default, tcpdump resolves hostnames in its output. This is not always convenient: resolving names also sends reverse DNS queries from the capturing machine, which slows the capture and adds traffic of its own. To tell tcpdump not to resolve hostnames, use the command line option -n.
# sudo tcpdump -n -i eth0
4. Print absolute TCP sequence numbers of network packets
By default, tcpdump prints relative TCP sequence numbers for the packets captured. To print absolute TCP sequence numbers, use the command line option -S.
# sudo tcpdump -nS -i eth0
In the output, the TCP sequence number is printed as "seq <number>" after the source and destination hosts of the packet.
5. Do not convert port numbers
By default, tcpdump converts hostnames and port numbers to names wherever possible. As this is not always convenient, one can tell tcpdump not to convert host addresses or port numbers.
To leave port numbers unconverted as well, use the option -nn.
# sudo tcpdump -nn -i eth0
6. Receive only a certain number of packets
By default, tcpdump keeps printing output until it receives a SIGINT. But one can limit the number of packets captured. The command line option -c<number> or -c <number> serves that purpose.
# sudo tcpdump -c 5 -i eth0
# sudo tcpdump -c5 -i eth0
7. Print packet data in hex and ASCII
Use the -X command line option to print the data of each packet along with the headers. -X prints the packet data in hex as well as in ASCII.
# sudo tcpdump -X -i eth0
8. Change the snapshot length of data
The snapshot length, i.e. the number of bytes captured from each packet, can be changed using the command line option -s.
# sudo tcpdump -nnSXs 6000 -c5 -i eth0
The above command outputs the headers and data contents of 5 packets captured on interface eth0. -nnSXs 6000 means that host names and port numbers are not resolved, absolute TCP sequence numbers are printed, packet data is shown in hex and ASCII, and the snapshot length is set to 6000 bytes.
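Output in the shape that the -nnS options above produce can be parsed for further analysis. The following is an added example, not code from the article: it parses a few constructed lines (not a real capture) into fields, takes the absolute seq only from TCP lines, and counts destination ports; it assumes IPv4 addresses as printed by -nn.

```python
import re
from collections import Counter

# Constructed sample lines in the shape tcpdump -nnS prints (not a real capture).
SAMPLE_OUTPUT = """\
12:34:56.789012 IP 192.123.1.10.54321 > 192.123.1.20.443: Flags [S], seq 1000000, win 64240, length 0
12:34:56.789512 IP 192.123.1.20.443 > 192.123.1.10.54321: Flags [S.], seq 2000000, ack 1000001, win 65160, length 0
12:34:57.100000 IP 192.123.1.10.36709 > 192.123.1.30.53: 12345+ A? example.com. (29)
12:34:57.200000 IP 192.123.1.30 > 192.123.1.10: ICMP echo request, id 1, seq 1, length 64
"""

# <timestamp> <proto> <src[.port]> > <dst[.port]>: <rest>
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<proto>\S+) (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$")
FLAGS_RE = re.compile(r"^Flags \[(?P<flags>[^\]]*)\]")  # only TCP lines start with "Flags"
SEQ_RE = re.compile(r"\bseq (?P<seq>\d+)")

def split_endpoint(endpoint):
    """'192.123.1.10.54321' -> ('192.123.1.10', 54321); a bare IPv4 host gets port None.
    Assumes IPv4 as printed with -nn; IPv6 endpoints are printed differently."""
    host, _, port = endpoint.rpartition(".")
    if host.count(".") == 3 and port.isdigit():
        return host, int(port)
    return endpoint, None

def parse_line(line):
    """Return a dict of fields for one tcpdump line, or None for a line of another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    flags = FLAGS_RE.match(m["rest"])
    # Take "seq N" only from TCP lines: the ICMP line carries an unrelated "seq" too.
    seq = SEQ_RE.search(m["rest"]) if flags else None
    return {"ts": m["ts"], "proto": m["proto"], "src": src, "sport": sport,
            "dst": dst, "dport": dport,
            "flags": flags["flags"] if flags else None,
            "seq": int(seq["seq"]) if seq else None}

def parse_output(text):
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]

def packets_per_dst_port(packets):
    """Packet count per destination port: a quick view of which services were contacted."""
    return Counter(p["dport"] for p in packets if p["dport"] is not None)

def bare_syns(packets):
    """Connection attempts (SYN without ACK) with the absolute initial sequence number from -S."""
    return [(p["src"], p["dst"], p["dport"], p["seq"]) for p in packets if p["flags"] == "S"]

if __name__ == "__main__":
    pkts = parse_output(SAMPLE_OUTPUT)
    print(packets_per_dst_port(pkts))
    print(bare_syns(pkts))
```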
Using expressions with tcpdump
One can further filter the packets captured by tcpdump using filter expressions. A filter expression typically consists of one or more of the following qualifiers:
type : may be host, net, port or portrange.
direction : specifies whether the address given is the source, the destination, or either, i.e. from which or to which the packets travel.
protocol : restricts matching to packets of a particular protocol. Possible protocols are: ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp.
9. Capture packets to or from a certain host
# sudo tcpdump -nnSX -i eth0 host 192.123.1.10
This command captures packets that come from host 192.123.1.10 or go to host 192.123.1.10.
# sudo tcpdump -nnSX -i eth0 src host 192.123.1.11
The above command captures only packets coming from host 192.123.1.11.
# sudo tcpdump -nnSX -i eth0 dst host 192.123.1.12
The above command captures only packets going to host 192.123.1.12.
10. Capture packets to or from a network
# sudo tcpdump -i eth0 net 192.123.1.0/24
The above command captures only packets that involve the network 192.123.1.0/24.
# sudo tcpdump -i eth0 src net 192.123.1.0/24
The above command captures only packets that come from the network 192.123.1.0/24.
# sudo tcpdump -i eth0 dst net 192.123.1.0/24
The above command captures only packets that go to the network 192.123.1.0/24.
11. Capture packets to or from a certain port
# sudo tcpdump -n -i eth0 port 36709
The above command captures only packets that involve port 36709.
# sudo tcpdump -n -i eth0 src port 36709
The above command captures only packets that come from port 36709.
# sudo tcpdump -n -i eth0 dst port 36709
The above command captures only packets that are destined to port 36709.
12. Capture packets to or from a port range
# sudo tcpdump -n -i eth0 portrange 30000-60000
The above command captures only packets that involve ports 30000 to 60000.
# sudo tcpdump -n -i eth0 src portrange 30000-60000
The above command captures only packets that come from ports 30000 to 60000.
# sudo tcpdump -n -i eth0 dst portrange 30000-60000
The above command captures only packets that are destined to ports 30000 to 60000.
13. Capture packets of a certain protocol type
# sudo tcpdump -n -i eth0 tcp
The above command captures only TCP packets.
# sudo tcpdump -n -i eth0 udp
The above command captures only UDP packets.
# sudo tcpdump -n -i eth0 icmp
The above command captures only ICMP packets.
Possible protocols that can be specified are: ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp (icmp, as used above, is also accepted as a shorthand for ip proto icmp).
14. Capture packets below or above a certain size
# sudo tcpdump -n -i eth0 greater 100
The above command captures only packets whose length is greater than or equal to 100 bytes.
# sudo tcpdump -n -i eth0 less 1000
The above command captures only packets whose length is less than or equal to 1000 bytes.
15. Capture output to a file
# sudo tcpdump -n -c10 -i eth0 -w tcpdump-output
The above command writes the 10 captured packets to the output file tcpdump-output instead of printing them.
16. Read input from a file
By default, the tcpdump output file is not human readable: it is a binary packet capture. So, we need to use the option -r to read the packets already captured in an output file.
# sudo tcpdump -n -c10 -r tcpdump-output less 1000
The above command reads the packets already captured in the output file tcpdump-output and prints those of at most 1000 bytes. The filter expression comes last, after the options; -i is not needed when reading from a file.
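To see why a -w file needs -r rather than a text viewer, here is an added example, not code from the article, that parses the classic pcap format tcpdump writes with -w (assumed here; pcapng is a different format) from a constructed in-memory file, checking the magic number, byte order and record boundaries the way a reader must.

```python
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4  # classic pcap, microsecond timestamps, as read with "<I"

def build_sample_pcap(packets):
    """Constructed test data, not a real capture: 24-byte global header, then per packet
    a 16-byte record header (ts_sec, ts_usec, caplen, origlen) followed by the bytes."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    body = b"".join(struct.pack("<IIII", sec, usec, len(d), len(d)) + d for sec, usec, d in packets)
    return header + body

def read_pcap(blob):
    """Parse a pcap blob as written by tcpdump -w.
    Returns (linktype, [(timestamp, caplen, origlen, data), ...]); raises ValueError on damage."""
    if len(blob) < 24:
        raise ValueError("truncated global header")
    magic = struct.unpack("<I", blob[:4])[0]
    # The writer's byte order and timestamp resolution are encoded in the magic number.
    variants = {0xA1B2C3D4: ("<", 1e-6), 0xD4C3B2A1: (">", 1e-6),
                0xA1B23C4D: ("<", 1e-9), 0x4D3CB2A1: (">", 1e-9)}
    if magic not in variants:
        raise ValueError("not a pcap file: magic 0x%08x" % magic)
    endian, scale = variants[magic]
    _major, _minor, _zone, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", blob[4:24])
    records, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, caplen, origlen = struct.unpack(endian + "IIII", blob[off:off + 16])
        if caplen > snaplen:  # a record claiming more than the snapshot length is corrupt
            raise ValueError("caplen %d exceeds snaplen %d at offset %d" % (caplen, snaplen, off))
        data = blob[off + 16:off + 16 + caplen]
        if len(data) < caplen:
            raise ValueError("truncated packet at offset %d" % off)
        records.append((ts_sec + ts_frac * scale, caplen, origlen, data))
        off += 16 + caplen
    return linktype, records

def is_valid_pcap(blob):
    """True when the whole blob parses cleanly, False on any structural error."""
    try:
        read_pcap(blob)
        return True
    except ValueError:
        return False
```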
More complex filter expressions
Two or more of the above filter expressions can be combined with and, or and not, which extends the filtering capabilities even further. Note that and binds more tightly than or, so tcp or udp and src net X means tcp or (udp and src net X); use parentheses (see the grouping section below) when the intent is otherwise.
17. TCP traffic from a network and to a certain port range
# sudo tcpdump -n -i eth0 src net 192.123.0.0/16 and dst portrange 30000-60000
The above command captures only packets that are coming from the network 192.123.0.0/16 and are destined to ports 30000 to 60000 (of any protocol; prefix the expression with tcp and to restrict it to TCP).
18. TCP traffic destined to either of two certain ports
# sudo tcpdump -n -i eth0 dst port 443 or dst port 36709
Likewise, the above command captures only packets that are destined to port 443 or port 36709 of the system.
19. Capturing non-TCP traffic
# sudo tcpdump -n -i eth0 not tcp
The above command captures only non-TCP packets from interface eth0.
20. Capturing TCP or UDP traffic from a certain network
# sudo tcpdump -n -i eth0 '(tcp or udp) and src net 192.123.1.0/24'
The above command captures TCP or UDP packets that come from the network 192.123.1.0/24. The parentheses are needed: without them, tcp or udp and src net 192.123.1.0/24 would match every TCP packet plus only the UDP packets from that network.
21. Capturing packets from a network that are not destined to a certain port
# sudo tcpdump -n -i eth0 src net 192.123.1.0/24 and not dst port 443
The above command captures packets that are coming from the network 192.123.1.0/24 and are not destined to port number 443. (not port 443 without dst would also drop packets whose source port is 443.)
22. Capturing packets from a certain network or to a certain port
# sudo tcpdump -n -i eth0 src net 192.123.1.0/24 or dst port 443
The above command captures packets that are coming from the network 192.123.1.0/24 or going to port number 443 of the system.
Grouping filter expressions
One can group filter expressions further to narrow the captured packets more precisely. Parentheses are used for grouping, and the whole expression is enclosed in single quotes (') so that the shell does not interpret the parentheses.
23. Capturing packets from a network and to port 443 or 36709
# sudo tcpdump -n -i eth0 'src net 192.123.1.0/24 and (dst port 443 or 36709)'
The above command captures packets that are coming from the network 192.123.1.0/24 and are destined to either port 443 or port 36709. Within the parentheses, the bare 36709 inherits the qualifiers dst port from the preceding term.
24. Capturing TCP or UDP traffic coming from a source and not destined to a certain port range
# sudo tcpdump -n -i eth0 '(tcp or udp) and (src 192.123.1.10 and not dst portrange 1000-4000)'
The above command captures TCP or UDP packets that are coming from host 192.123.1.10 but are not destined to any port from 1000 to 4000. src 192.123.1.10 is shorthand for src host 192.123.1.10, host being the default type.
25. To print the TCP packets that do not involve a certain network
# sudo tcpdump -n -i eth0 'tcp and not net 192.123.1.0/24'
The above command captures TCP packets that involve the network 192.123.1.0/24 neither as source nor as destination. net without a direction qualifier means src or dst net, so negating it excludes the network on both sides; the form not src and dst net 192.123.1.0/24 would only exclude packets with both endpoints inside that network.