Tcpdump tutorial – Sniffing and analysing packets from the commandline


Tcpdump

Tcpdump is a command-line network analyser, or more precisely a packet sniffer. It can be thought of as the command-line counterpart of Wireshark, although only up to a point: Wireshark decodes far more protocols and can reassemble streams, while tcpdump is the lighter tool that is available on almost any server and usable over an SSH session.

As a command-line tool tcpdump is well suited to network analysis: a filter expression can be passed in and tcpdump will pick up only the matching packets and dump them.

In this tutorial we are going to learn how to use tcpdump for network analysis. On Ubuntu, for example, it can be installed by typing the following in a terminal:

$ sudo apt-get install tcpdump

Tcpdump depends on the libpcap library for capturing packets; both are maintained at tcpdump.org (see Resources below).

For Windows the equivalent is WinDump, which is compatible with tcpdump in terms of usage and options. Download from http://www.winpcap.org/windump/default.htm. Note that WinPcap, the driver WinDump relies on, is no longer maintained; on current Windows systems the Npcap driver is the supported replacement.

Basic sniffing

Let's start using tcpdump. The simplest command to begin with is tcpdump -n

$ sudo tcpdump -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:34:57.266865 IP 173.194.36.6 > 192.168.1.101: ICMP echo reply, id 19941, seq 1176, length 64
16:34:57.267226 IP 192.168.1.101.21271 > 218.248.255.163.53: 23380+ PTR? 6.36.194.173.in-addr.arpa. (43)
16:34:57.274549 IP 218.248.255.163.53 > 192.168.1.101.21271: 23380 1/4/2 PTR bom04s01-in-f6.1e100.net. (195)
16:34:57.297874 IP 192.168.1.101.56295 > 186.105.77.150.38213: UDP, length 105

Why sudo? Because tcpdump needs root privileges (or, on Linux, the CAP_NET_RAW and CAP_NET_ADMIN capabilities) to open a network interface for raw capture. On Ubuntu prepending sudo to a command runs it with superuser privileges. The -n switch stops tcpdump from resolving IP addresses to hostnames. Resolving is slow, and it also makes tcpdump generate DNS traffic of its own, which would pollute the very capture you are looking at.

Lets take a line from the above output to analyse.

16:34:57.267226 IP 192.168.1.101.21271 > 218.248.255.163.53: 23380+ PTR? 6.36.194.173.in-addr.arpa. (43)

The first thing, "16:34:57.267226", is the timestamp with microsecond precision. Next is the protocol of the packet, IP (Internet Protocol, which carries most internet traffic). Next is the source IP address joined to the source port with a dot (192.168.1.101, port 21271), then ">" pointing at the destination IP address and port (218.248.255.163, port 53, i.e. DNS). After the colon comes tcpdump's decode of the payload: 23380 is the DNS transaction id, the "+" means recursion desired, "PTR?" is the query type, 6.36.194.173.in-addr.arpa. is the name being looked up (a reverse lookup of 173.194.36.6, the host answering the pings in the first line) and (43) is the length of the DNS message in bytes. Note that the port is appended to the address with the same dot that separates the octets of the address itself, which matters when parsing this output with scripts.
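Since the output is plain text, it is easy to post-process with the usual shell tools once the field layout is understood. The following is an added example (not part of the original tutorial): a small shell function that uses awk to split a tcpdump -n line into timestamp, protocol, addresses and ports, handling the dot that glues the port to the address, endpoints without a port such as ICMP, non-IP frames such as ARP and, going a step beyond the IPv4 output shown here, IPv6 lines, which tcpdump prints with the protocol name IP6. The sample lines are the ones from the output above plus the ARP request that appears in the -v output later on.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: split a line of plain
# "tcpdump -n" output into its fields. Expects the default one-line format
# (no -e, no -v). The sample lines below are copied from the tutorial's capture.

# parse_tcpdump_line LINE
# Prints: timestamp protocol src_addr src_port dst_addr dst_port
# Protocols without ports (ICMP) get "-" as the port; non-IP frames (ARP)
# get "-" for all four address fields.
parse_tcpdump_line() {
    printf '%s\n' "$1" | awk '
    # tcpdump appends the port to the address with a dot, so "a.b.c.d.port"
    # has 5 dot-separated parts. An IPv6 endpoint such as "2001:db8::1.443"
    # has exactly one dot, and it also sits in front of the port.
    function split_endpoint(ep,    n, parts, port) {
        n = split(ep, parts, ".")
        if (n == 5 || (n == 2 && index(ep, ":") > 0)) {
            port = parts[n]
            return substr(ep, 1, length(ep) - length(port) - 1) " " port
        }
        return ep " -"
    }
    {
        ts = $1; proto = $2; sub(/,$/, "", proto)
        if (proto != "IP" && proto != "IP6") {
            print ts, proto, "-", "-", "-", "-"
            next
        }
        # Field 3 is the source endpoint, field 4 is ">", field 5 is the
        # destination with a trailing colon that separates it from the decode.
        src = $3; dst = $5; sub(/:$/, "", dst)
        print ts, proto, split_endpoint(src), split_endpoint(dst)
    }'
}

# Constructed sample: three lines from the tcpdump -n output above plus the
# ARP request from the -v output shown later in the tutorial.
SAMPLE_LINES='16:34:57.266865 IP 173.194.36.6 > 192.168.1.101: ICMP echo reply, id 19941, seq 1176, length 64
16:34:57.267226 IP 192.168.1.101.21271 > 218.248.255.163.53: 23380+ PTR? 6.36.194.173.in-addr.arpa. (43)
16:34:57.297874 IP 192.168.1.101.56295 > 186.105.77.150.38213: UDP, length 105
16:43:13.880338 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.3 tell 192.168.1.101, length 28'

# parse_sample: run every sample line through the parser, one result per line.
parse_sample() {
    printf '%s\n' "$SAMPLE_LINES" | while IFS= read -r line; do
        parse_tcpdump_line "$line"
    done
}

parse_sample
```

To use it on live traffic pipe the sniffer in: sudo tcpdump -l -n | while IFS= read -r line; do parse_tcpdump_line "$line"; done (the -l makes tcpdump flush every line when writing to a pipe).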

Now let's increase the level of detail shown for each packet. The verbose switch -v comes in handy. Here is a quick example

$ sudo tcpdump -v -n
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:43:13.058660 IP (tos 0x20, ttl 54, id 50249, offset 0, flags [DF], proto TCP (6), length 40)
    64.41.140.209.5222 > 192.168.1.101.35783: Flags [.], cksum 0x6d32 (correct), ack 1617156745, win 9648, length 0
16:43:13.214621 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.101 > 173.194.36.6: ICMP echo request, id 19941, seq 1659, length 64
16:43:13.355334 IP (tos 0x20, ttl 54, id 48656, offset 0, flags [none], proto ICMP (1), length 84)
    173.194.36.6 > 192.168.1.101: ICMP echo reply, id 19941, seq 1659, length 64
16:43:13.355719 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 71)
    192.168.1.101.22181 > 218.248.255.163.53: 28650+ PTR? 6.36.194.173.in-addr.arpa. (43)
16:43:13.362941 IP (tos 0x0, ttl 251, id 63454, offset 0, flags [DF], proto UDP (17), length 223)
    218.248.255.163.53 > 192.168.1.101.22181: 28650 1/4/2 6.36.194.173.in-addr.arpa. PTR bom04s01-in-f6.1e100.net. (195)
16:43:13.880338 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.3 tell 192.168.1.101, length 28
16:43:14.215904 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.101 > 173.194.36.6: ICMP echo request, id 19941, seq 1660, length 64

With the verbose switch many additional details of the IP header are displayed: the type of service (tos), the TTL, the IP id, the fragment offset and flags (DF means "don't fragment"), the protocol number and the total length. For TCP the flags (here [.], a plain ACK), the checksum status, the acknowledgement number and the window are shown as well. The TTLs are worth a glance even at this level: packets leaving this host start at 64, the replies from 173.194.36.6 and 64.41.140.209 arrive with 54 and the DNS reply with 251, which tells you roughly how many hops away each remote host is and hints at its platform (Linux defaults to 64, Windows to 128 and many network devices to 255).

Getting the ethernet header (link layer headers)

In the above examples the details of the Ethernet header are not printed. Use the -e option to print the link-layer header as well.

$ sudo tcpdump -vv -n -e
[sudo] password for enlightened: 
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:57:27.218531 00:25:5e:1a:3d:f1 > 00:1c:c0:f8:79:ee, ethertype IPv4 (0x0800), length 98: (tos 0x20, ttl 54, id 53046, offset 0, flags [none], proto ICMP (1), length 84)
    173.194.36.6 > 192.168.1.101: ICMP echo reply, id 19941, seq 6015, length 64
17:57:27.218823 00:1c:c0:f8:79:ee > 00:25:5e:1a:3d:f1, ethertype IPv4 (0x0800), length 85: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 71)
    192.168.1.101.53134 > 218.248.255.163.53: [bad udp cksum 0x9cee -> 0xe5f6!] 23855+ PTR? 6.36.194.173.in-addr.arpa. (43)
17:57:27.226352 00:25:5e:1a:3d:f1 > 00:1c:c0:f8:79:ee, ethertype IPv4 (0x0800), length 269: (tos 0x0, ttl 251, id 10513, offset 0, flags [DF], proto UDP (17), length 255)
    218.248.255.163.53 > 192.168.1.101.53134: [udp sum ok] 23855 q: PTR? 6.36.194.173.in-addr.arpa. 1/4/4 6.36.194.173.in-addr.arpa. PTR bom04s01-in-f6.1e100.net. ns: 194.173.in-addr.arpa. NS NS4.GOOGLE.COM., 194.173.in-addr.arpa. NS NS2.GOOGLE.COM., 194.173.in-addr.arpa. NS NS1.GOOGLE.COM., 194.173.in-addr.arpa. NS NS3.GOOGLE.COM. ar: NS1.GOOGLE.COM. A 216.239.32.10, NS2.GOOGLE.COM. A 216.239.34.10, NS3.GOOGLE.COM. A 216.239.36.10, NS4.GOOGLE.COM. A 216.239.38.10 (227)

Now the first thing after the timestamp is the source and destination MAC address, followed by the ethertype (0x0800 for IPv4) and the length of the whole frame. Notice also that with -vv tcpdump verifies checksums, and the outgoing DNS query is flagged "bad udp cksum". That is usually not a real error: when capturing on the sending host, tcpdump sees the packet before the network card fills in the checksum (checksum offloading), so outgoing packets look corrupt while incoming ones, like the reply here, verify fine. Only a bad checksum on a packet received from the network indicates actual corruption.

Sniffing a particular interface

In order to sniff a particular network interface we must specify it with the -i switch. First let's list the available interfaces using the -D switch.

$ sudo tcpdump -D
1.eth0
2.usbmon1 (USB bus number 1)
3.usbmon2 (USB bus number 2)
4.any (Pseudo-device that captures on all interfaces)
5.lo

Next we can use either the interface number or the name with the -i switch to sniff that interface. Note that the any pseudo-device captures in Linux "cooked" mode: the frames carry a synthetic link-layer header, so -e will not show real MAC addresses there.

$ sudo tcpdump -i 1
$ sudo tcpdump -i eth0

Filtering packets using expressions

The next important feature of tcpdump as a network analysis tool is letting the user filter packets and select only those that match a certain rule or criterion. The filter language is the BPF (Berkeley Packet Filter) syntax of libpcap, the same one Wireshark uses for capture filters, and like everything so far it is easy to learn. Let's take a few simple examples.

Selecting protocols

$ sudo tcpdump -n tcp

The above command shows only TCP packets. Similarly udp, icmp or arp can be specified.

Particular host or port

Expressions can be used to match on the source IP, the destination IP and port numbers. The next example picks up all packets with source address 192.168.1.101

$ sudo tcpdump -n 'src 192.168.1.101'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:04:04.856379 IP 192.168.1.101.47141 > 173.194.36.1.443: Flags [.], seq 2781603453:2781604873, ack 338206850, win 41850, length 1420
20:04:05.216372 IP 192.168.1.101.33885 > 193.219.128.49.6667: Flags [P.], seq 3980513010:3980513027, ack 2134949138, win 28400, length 17

The next example picks up DNS requests: UDP packets whose destination is port 53 of some machine.

$ sudo tcpdump -n 'udp and dst port 53'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:06:48.015359 IP 192.168.1.101.33990 > 218.248.255.163.53: 41001+ A? s.gateway.messenger.live.com. (46)
20:06:50.842530 IP 192.168.1.101.32954 > 218.248.255.163.53: 12380+ A? DB3MSGR5010722.gateway.messenger.live.com. (59)

The above output shows the DNS requests made by the local system to the DNS server 218.248.255.163 on port 53. It is all very intuitive and simple. Note the "and" used to combine conditions; "or" and "not" work the same way, and parentheses can group them (quote the whole expression so the shell does not interpret them). This is where the creativity begins: writing expressions that isolate exactly the traffic to be analysed.

To display the FTP packets coming from 192.168.1.100 to 192.168.1.2

$ sudo tcpdump 'src 192.168.1.100 and dst 192.168.1.2 and port ftp'

Note that the port number 21 has been specified by its name, ftp; tcpdump looks such names up in /etc/services. Be aware that this only matches the FTP control channel: the data connections use port 20 or, in passive mode, a port negotiated on the fly, so they will not appear in this capture.

So similarly many different kinds of expressions can be developed to fit the needs of the network analyst and pick up exactly the matching packets.
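In practice a filter is often combined with writing the capture to a file and analysing it afterwards, since analysis on a live stream is hard to repeat. The following added example (not from the original tutorial) shows that workflow for the DNS filter above: capture_dns saves matching packets with -w, dns_report replays the file with -r through the same filter, and summarise_dns_queries counts the queries per name and record type. The two capture functions assume an interface and file name you supply and need tcpdump installed; the summary runs on the constructed sample lines embedded in the script, two of which are the queries shown above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: save a filtered capture to a
# file, then replay it offline and summarise the DNS queries it contains.

# capture_dns IFACE OUTFILE  (live capture, needs root)
# The BPF filter is applied in the kernel, so only DNS queries leaving through
# IFACE are written. -s 0 keeps whole packets; -w writes raw pcap, which
# Wireshark can open as well.
capture_dns() {
    sudo tcpdump -i "$1" -n -s 0 -w "$2" 'udp and dst port 53'
}

# summarise_dns_queries  (reads "tcpdump -n ... 'udp and dst port 53'" output on stdin)
# Prints "count type name", most frequent first. Handy for spotting a host that
# keeps resolving the same name at a fixed interval or queries unusually long names.
summarise_dns_queries() {
    awk '
    # Query lines end like: ... 41001+ A? s.gateway.messenger.live.com. (46)
    # The id may carry extra flags, so locate the "TYPE?" marker by scanning.
    {
        type = ""
        for (i = 6; i <= NF; i++) if ($i ~ /^[A-Z0-9]+\?$/) { type = $i; name = $(i + 1); break }
        if (type == "") next
        sub(/\?$/, "", type); sub(/\.$/, "", name)
        count[type " " name]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# dns_report FILE: replay a saved capture through the same filter. Reading a
# pcap with -r needs no root privileges.
dns_report() {
    tcpdump -n -r "$1" 'udp and dst port 53' | summarise_dns_queries
}

# Constructed sample: the two queries shown in the tutorial plus three made-up
# lookups, so the summary has something to rank.
SAMPLE_DNS='20:06:48.015359 IP 192.168.1.101.33990 > 218.248.255.163.53: 41001+ A? s.gateway.messenger.live.com. (46)
20:06:50.842530 IP 192.168.1.101.32954 > 218.248.255.163.53: 12380+ A? DB3MSGR5010722.gateway.messenger.live.com. (59)
20:07:10.100000 IP 192.168.1.101.40011 > 218.248.255.163.53: 50123+ A? s.gateway.messenger.live.com. (46)
20:07:10.200000 IP 192.168.1.101.40012 > 218.248.255.163.53: 50124+ AAAA? s.gateway.messenger.live.com. (46)
20:07:35.300000 IP 192.168.1.101.40013 > 218.248.255.163.53: 50125+ A? s.gateway.messenger.live.com. (46)'

# demo_summary: run the summary over the embedded sample.
demo_summary() {
    printf '%s\n' "$SAMPLE_DNS" | summarise_dns_queries
}

demo_summary
```

A typical session is capture_dns eth0 dns.pcap, Ctrl-C after a while, then dns_report dns.pcap; because the file holds the raw packets, any other filter can be applied to it later with tcpdump -r without capturing again.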

Search the network traffic using grep

Grep can be used along with tcpdump to search the network traffic. Here is a very simple example

$ sudo tcpdump -l -n -A | grep -e 'POST'
[sudo] password for enlightened: 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
E...=.@.@......e@.H..'.P(.o%~...P.9.PN..POST /blog/wp-admin/admin-ajax.php HTTP/1.1
E...c_@.@..=...e@.H..*.PfC<....wP.9.PN..POST /blog/wp-admin/admin-ajax.php HTTP/1.1
E.....@.@......e@.H...."g;.(.-,WP.9.Nj..POST /login/?login_only=1 HTTP/1.1

The above example picks out packets containing the string "POST", which in practice means HTTP POST requests, as shown.
The -A option prints the content of each packet as ASCII text (non-printable bytes are shown as dots, which is why the IP and TCP headers appear as the garbage before "POST"), making it searchable with grep. When piping tcpdump into another program also pass -l so its output is line-buffered; otherwise matches appear only when the pipe buffer fills. This only works for protocols that carry cleartext: TLS traffic on port 443 will match nothing useful.

On Windows the grep command is not available, but find/findstr is the equivalent. Example usage

C:\tools>WinDump.exe -A | findstr "GET"
WinDump.exe: listening on \Device\NPF_{6019E682-FD40-4A54-BB75-9C2ACFA56CAA}
.....&....P..W.....P....k..GET /search?hl=en&sclient=psy-ab&q=asda&oq
.....&....P..[{..N.P...%-..GET /csi?v=3&s=web&action=&ei=LrmPUMrLNoHO
.P-%.}....P..$Ch..GET /subscribe?host_int=139535925&ns_map=2

So in the above example we used WinDump and searched the sniffed packets for the string "GET", which mostly picks out HTTP GET requests.

So what is the idea behind searching packets? One classic use is finding credentials that travel in the clear. HTTP, FTP, SMTP, IMAP and POP3 all send usernames and passwords as plain text unless they are wrapped in TLS, so anyone sniffing on the path can read them. Here is a quick example using grep -E (the modern spelling of egrep); run against your own network it is a good way to find services that still leak credentials:

$ sudo tcpdump -l -n -A 'port http or port ftp or port smtp or port imap or port pop3' | grep -E -i --color=auto --line-buffered -B20 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '

The filter expression is quoted and placed after the options, -l line-buffers tcpdump's output, and -B20 prints the twenty lines before each match so that the packet header naming the connection is usually included.
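The -B20 approach works but prints twenty lines of whatever came before, which is usually other packets. As an added example (not from the original page), the script below does the same search with awk but remembers the header line of the current packet and prints it next to the match, so each hit is tied to the source address, destination and port that leaked it; it also anchors the patterns so that a word like "browser " is not mistaken for "user ". The -A output it runs on is constructed and simplified; the live tcpdump command to feed it is given in a comment.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: scan "tcpdump -A" output
# for credentials sent in the clear, printing the header of the packet each
# match came from so the leaking host and service are identified directly.

# find_cleartext_creds  (reads "tcpdump -l -n -A ..." output on stdin)
# Output: the packet header line, then each matching payload line indented.
find_cleartext_creds() {
    awk '
    # With -A each packet is a header line ("HH:MM:SS.usec IP src > dst: ...")
    # followed by its payload rendered as text. Remember the latest header.
    /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+ (IP|IP6) / { hdr = $0; next }
    # Same field names as the grep one-liner in the tutorial, but anchored so
    # that e.g. "browser " does not match "user ". Case-insensitive via tolower().
    tolower($0) ~ /(^|[^a-z])((pass(w|wd|word)?|pwd|pw|log(in)?|user(name)?)=|(pass(word)?|user(name)?|login):|(pass|user) )/ {
        if (hdr != "") { print hdr; hdr = "" }   # header once per packet
        print "    " $0
    }'
}

# Live use (needs root). -l line-buffers the output so matches appear at once:
# sudo tcpdump -l -n -A 'port http or port ftp or port smtp or port imap or port pop3' | find_cleartext_creds

# Constructed sample of -A output (simplified: real output shows the IP/TCP
# header bytes as dots before the payload, as in the POST example above):
# an HTTP form login and an FTP login, plus a server reply that must not match.
SAMPLE_A='20:10:01.123456 IP 192.168.1.101.50512 > 203.0.113.10.80: Flags [P.], seq 1:312, ack 1, win 229, length 311
E..[..@.@.....e..q.P..POST /login HTTP/1.1
Host: www.example.test
Content-Type: application/x-www-form-urlencoded

username=alice&password=hunter2
20:10:03.654321 IP 192.168.1.101.50600 > 203.0.113.20.21: Flags [P.], seq 1:12, ack 1, win 229, length 11
E..3..@.@.....e...P.USER alice
20:10:03.700000 IP 203.0.113.20.21 > 192.168.1.101.50600: Flags [P.], seq 1:34, ack 12, win 229, length 33
E..A..@.@.......331 Please specify the password.
20:10:04.100000 IP 192.168.1.101.50600 > 203.0.113.20.21: Flags [P.], seq 12:26, ack 34, win 229, length 14
E..6..@.@.....e...P.PASS hunter2'

# demo_creds: run the scanner over the embedded sample.
demo_creds() {
    printf '%s\n' "$SAMPLE_A" | find_cleartext_creds
}

demo_creds
```

The FTP server's "Please specify the password." line is deliberately in the sample: it contains the word password but no "=" or ":" after it, so it is not reported, while the client's USER and PASS lines are, each under the header of the packet that carried them.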


Resources

http://www.tcpdump.org/tcpdump_man.html
Last Updated On : 14th November 2012


About Silver Moon

PHP developer, blogger and Linux enthusiast. He can be reached at m00n.silv3r@gmail.com, or find him on Google+.

  • prince

    This is very great. Man, thank you. Is there a way of limiting the logs of the same UDP connections originating from the same IP?
