tcpdump | find cleartext passwords | find http host headers | tcpdump port 80 -w capture_file | tcpdump -r capture_file |

http://www.k-max.name/linux/tcpdump-v-primerax/

debian:~# tcpdump <опции>   <фильтр>
debian:~# tcpdump -i eth0 host 10.0.0.1
debian:~# tcpdump -i eth0 dst 10.0.0.5 and port 53

A tcpdump Tutorial and Primer with Examples
CREATED: JANUARY 4, 2004 | UPDATED: JULY 15, 2018

Basic Examples
basic communication
find traffic by ip
filter by source and/or destination
show traffic by network
show traffic by port
show traffic by protocol
show ipv6 traffic
find traffic using port ranges
find traffic based on packet size
writing to a file
Advanced Examples
isolate tcp flags
find http user agents
find cleartext http gets
find http hosts
find http cookies
find ssh connections
find dns traffic
find ftp traffic
find cleartext passwords
find packets with evil bit
summary
Why tcpdump?
Tcpdump is the premier network analysis tool for information security professionals. Having a solid grasp of this über-powerful application is mandatory for anyone desiring a thorough understanding of TCP/IP. Many prefer to use higher level analysis tools such as Wireshark, but I believe this to usually be a mistake.

When using a tool that displays network traffic in a more natural (raw) way, the burden of analysis is placed directly on the human rather than the application. This approach cultivates a continued and deeper understanding of the TCP/IP suite, and for this reason I strongly advocate using tcpdump instead of other tools whenever possible.

Basics
Below are a few options you can use when configuring tcpdump. They’re easy to forget and/or confuse with other types of filters, e.g., Wireshark’s, so hopefully this page can serve as a reference for you, as it does for me. Here are the main ones I like to keep in mind depending on what I’m looking at.

Options
-i any : Listen on all interfaces just to see if you’re seeing any traffic.
-i eth0 : Listen on the eth0 interface.
-D : Show the list of available interfaces
-l : Line-buffered output (so you can watch it as you save, or pipe it to other commands)
-A : Display output in ASCII.
-n : Don’t resolve hostnames.
-nn : Don’t resolve hostnames or port names.
-q : Be less verbose (more quiet) with your output.
-t : Give human-readable timestamp output.
-tttt : Give maximally human-readable timestamp output.
-X : Show the packet’s contents in both hex and ascii.
-XX : Same as -X, but also shows the ethernet header.
-v, -vv, -vvv : Increase the amount of packet information you get back.
-c : Only get x number of packets and then stop.
-s : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
-S : Print absolute sequence numbers.
-e : Get the ethernet header as well.
-q : Show less protocol information.
-E : Decrypt IPSEC traffic by providing an encryption key.
The default snaplength as of tcpdump 4.0 has changed from 68 bytes to 96 bytes. While this will give you more of a packet to see, it still won’t get everything. Use -s 1514 or -s 0 to get full coverage.
Expressions
In tcpdump, Expressions allow you to trim out various types of traffic and find exactly what you’re looking for. Mastering the expressions and learning to combine them creatively is what makes one truly powerful with tcpdump.

There are three main types of expression: type, dir, and proto.

Type options are: host, net, and port.
Direction lets you do src, dst, and combinations thereof.
Proto(col) lets you designate: tcp, udp, icmp, ah, and many more.
Examples
So, now that we’ve seen what our options are, let’s look at some real-world examples that we’re likely to see in our everyday work.

basic communication
Just see what’s going on, by looking at all interfaces.

# tcpdump -i any

specific interface
Basic view of what’s happening on a particular interface.

# tcpdump -i eth0

raw output view
Verbose output, with no resolution of hostnames or port numbers, absolute sequence numbers, and human-readable timestamps.

# tcpdump -ttttnnvvS

find traffic by ip
One of the most common queries, this will show you traffic from 1.2.3.4, whether it’s the source or the destination.

# tcpdump host 1.2.3.4

seeing more of the packet with hex output
Hex output is useful when you want to see the content of the packets in question, and it’s often best used when you’re isolating a few candidates for closer scrutiny.

# tcpdump -nnvXSs 0 -c1 icmp

filtering by source and destination
It’s quite easy to isolate traffic based on either source or destination using src and dst.

# tcpdump src 2.3.4.5
# tcpdump dst 3.4.5.6

finding packets by network
To find packets going to or from a particular network, use the net option. You can combine this with the src or dst options as well.

# tcpdump net 1.2.3.0/24

show traffic related to a specific port
You can find specific port traffic by using the port option followed by the port number.

# tcpdump port 3389

# tcpdump src port 1025

show traffic of one protocol
If you’re looking for one particular kind of traffic, you can use tcp, udp, icmp, and many others as well.

# tcpdump icmp

show only ip6 traffic
You can also find all IP6 traffic using the protocol option.

# tcpdump ip6

find traffic using port ranges
You can also use a range of ports to find traffic.

# tcpdump portrange 21-23

find traffic based on packet size
If you’re looking for packets of a particular size you can use these options. You can use less, greater, or the comparison operators you would expect from mathematics applied to the packet length len; quote the expression so the shell doesn’t treat < or > as a redirection.

# tcpdump less 32

# tcpdump greater 64

# tcpdump 'len <= 128'

reading / writing captures to a file
It’s often useful to save packet captures into a file for analysis in the future. These files are known as PCAP (PEE-cap) files, and they can be processed by hundreds of different applications, including network analyzers, intrusion detection systems, and of course by tcpdump itself. Here we’re writing to a file called capture_file using the -w switch.

# tcpdump port 80 -w capture_file

You can read PCAP files by using the -r switch. Note that you can use all the regular commands within tcpdump while reading in a file; you’re only limited by the fact that you can’t capture and process what doesn’t exist in the file already.

# tcpdump -r capture_file
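The file layout that -w writes and -r reads, as an added example that is not part of the tutorial: a minimal Python writer and reader for the classic little-endian, microsecond-resolution pcap format (tcpdump's default output on Linux; pcapng is not handled), plus a check for records that the snaplength cut short. Frame contents are constructed padding bytes rather than captured traffic, and `capture_file` is written to a temporary directory.

```python
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps, little-endian
LINKTYPE_ETHERNET = 1
DEFAULT_SNAPLEN = 262144     # the snaplen tcpdump uses for -s 0 ("get everything")


def write_pcap(path, packets, snaplen=DEFAULT_SNAPLEN):
    """Write [(ts_sec, ts_usec, frame_bytes), ...] as a classic pcap file.

    As with tcpdump -s, only the first `snaplen` bytes of each frame are
    stored; orig_len still records the frame's true length on the wire.
    """
    if snaplen == 0:                     # tcpdump's -s 0 means "unlimited"
        snaplen = DEFAULT_SNAPLEN
    with open(path, "wb") as f:
        # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for ts_sec, ts_usec, frame in packets:
            captured = frame[:snaplen]
            # Record header: ts_sec, ts_usec, incl_len (bytes stored), orig_len (bytes on the wire)
            f.write(struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame)))
            f.write(captured)


def read_pcap(path):
    """Yield (ts_sec, ts_usec, captured_bytes, orig_len) for each record in the file."""
    with open(path, "rb") as f:
        hdr = f.read(24)
        if len(hdr) != 24:
            raise ValueError("short global header")
        magic, _vmaj, _vmin, _tz, _sigfigs, _snaplen, linktype = struct.unpack("<IHHiIII", hdr)
        if magic != PCAP_MAGIC:
            raise ValueError("unsupported magic 0x%08x (not little-endian usec pcap)" % magic)
        if linktype != LINKTYPE_ETHERNET:
            raise ValueError("unexpected link type %d" % linktype)
        while True:
            rec = f.read(16)
            if not rec:
                return                   # clean end of file
            if len(rec) != 16:
                raise ValueError("truncated record header")
            ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", rec)
            data = f.read(incl_len)
            if len(data) != incl_len:
                raise ValueError("truncated packet data (capture cut off mid-record)")
            yield ts_sec, ts_usec, data, orig_len


def truncated_records(path):
    """Indices of records the snaplength cut short (incl_len < orig_len).

    These are the packets tcpdump -r prints with a trailing [|proto] marker,
    because its decoder runs out of bytes before the end of the packet.
    """
    return [i for i, (_, _, data, orig) in enumerate(read_pcap(path)) if len(data) < orig]


def demo(snaplen=96):
    """Round trip two constructed frames through a pcap file and summarise the result."""
    # Constructed frames: zero-filled bytes of the given sizes, not real traffic.
    frames = [(1531612800, 0, bytes(200)), (1531612800, 500, bytes(60))]
    path = os.path.join(tempfile.mkdtemp(), "capture_file")
    write_pcap(path, frames, snaplen=snaplen)
    records = list(read_pcap(path))
    return {
        "count": len(records),
        "captured": [len(r[2]) for r in records],
        "orig": [r[3] for r in records],
        "truncated": truncated_records(path),
    }


if __name__ == "__main__":
    print("snaplen 96:", demo(96))     # the 200-byte frame is stored as 96 bytes
    print("snaplen 0: ", demo(0))      # -s 0 stores both frames whole
```

With the 96-byte snaplength the tutorial mentions as the post-4.0 default, the 200-byte frame is stored as 96 bytes and flagged as truncated; with snaplen 0 both frames are stored whole. Comparing incl_len with orig_len is how you tell, after the fact, whether a capture was taken with a snaplength too small for the analysis you now want to do.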

from specific ip and destined for a specific port
Let’s find all traffic from 10.5.2.3 going to any host on port 3389.

tcpdump -nnvvS src 10.5.2.3 and dst port 3389

non icmp traffic going to a specific ip
This will show us all traffic going to 192.168.0.2 that is not ICMP.

tcpdump dst 192.168.0.2 and not icmp

isolate tcp flags
You can also use filters to isolate packets with specific TCP flags set.

Isolate TCP RST flags.
The filters below find these packets because tcp[13] reads the byte at offset 13 in the TCP header (the flags byte); the number after & is the bit mask of the flag you want within that byte, and != 0 means that flag is set to 1, i.e. it’s on.
# tcpdump 'tcp[13] & 4!=0'
# tcpdump 'tcp[tcpflags] == tcp-rst'

Isolate TCP SYN flags.
# tcpdump 'tcp[13] & 2!=0'
# tcpdump 'tcp[tcpflags] == tcp-syn'

find http user agents
The -l switch lets you see the traffic as you’re capturing it, and helps when sending to commands like grep.
# tcpdump -vvAls0 | grep 'User-Agent:'

find http host headers
# tcpdump -vvAls0 | grep 'Host:'

find http cookies
# tcpdump -vvAls0 | grep -E 'Set-Cookie|Host:|Cookie:'

find ssh connections
This one works regardless of what port the connection comes in on, because it’s getting the banner response.

# tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'
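Both byte-offset filters above, the tcp[13] flag tests and the tcp[(tcp[12]>>2):4] banner test, evaluated in Python on constructed TCP segments, as an added example that is not from the tutorial. It makes explicit two points the filters leave implicit: `& mask != 0` matches whenever the flag bit is set (so a SYN-ACK passes the SYN test), while `tcp[tcpflags] == tcp-syn` matches only a flags byte that is exactly SYN; and `tcp[12]>>2` turns the data-offset nibble into the header length in bytes, which is why the banner check still lands on the payload when TCP options are present and works regardless of port. The segment builder and its contents are constructed here, with no checksum computed since these filters never look at it.

```python
import struct

# Bits of the TCP flags byte (header offset 13), low bit first:
# FIN SYN RST PSH ACK URG ECE CWR
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
SSH_BANNER_WORD = 0x5353482D   # the ASCII bytes "SSH-" read as a big-endian 32-bit word


def build_tcp_segment(sport, dport, flags, options=b"", payload=b""):
    """Build a TCP header (+ options + payload).  Constructed data, not captured traffic.

    The data offset (header length in 32-bit words) goes in the high nibble of
    byte 12; the low nibble holds the reserved bits, which are zero.
    """
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a 4-byte boundary")
    header_len = 20 + len(options)
    offset_byte = (header_len // 4) << 4
    # sport, dport, seq, ack, offset/reserved, flags, window, checksum (0), urgent
    fixed = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, offset_byte, flags, 65535, 0, 0)
    return fixed + options + payload


def flag_set(seg, mask):
    """tcp[13] & mask != 0 : true if ANY bit in mask is on, whatever else is set."""
    return (seg[13] & mask) != 0


def flags_exactly(seg, value):
    """tcp[tcpflags] == value : true only if the whole flags byte equals value."""
    return seg[13] == value


def payload_offset(seg):
    """tcp[12] >> 2 : header length in bytes.

    (tcp[12] >> 4) * 4 is the textbook form; shifting by 2 instead gives the
    same answer because the low nibble (reserved bits) is zero.
    """
    return seg[12] >> 2


def is_ssh_banner(seg):
    """tcp[(tcp[12]>>2):4] = 0x5353482D : the first four payload bytes spell "SSH-"."""
    off = payload_offset(seg)
    word = seg[off:off + 4]
    # A segment with no payload (e.g. a bare SYN) has nothing at the offset: no match.
    return len(word) == 4 and struct.unpack("!I", word)[0] == SSH_BANNER_WORD


if __name__ == "__main__":
    # Constructed exchange: client SYN with an MSS option, server SYN-ACK,
    # then the server's banner on a non-standard port.
    syn = build_tcp_segment(40000, 2222, TCP_SYN, options=b"\x02\x04\x05\xb4")
    synack = build_tcp_segment(2222, 40000, TCP_SYN | TCP_ACK)
    banner = build_tcp_segment(2222, 40000, TCP_PSH | TCP_ACK,
                               options=b"\x01\x01\x08\x0a" + bytes(8),   # NOP NOP timestamp
                               payload=b"SSH-2.0-OpenSSH_8.9\r\n")
    print("SYN  & test:", flag_set(syn, TCP_SYN), " == test:", flags_exactly(syn, TCP_SYN))
    print("SYN-ACK & test:", flag_set(synack, TCP_SYN), " == test:", flags_exactly(synack, TCP_SYN))
    print("banner header bytes:", payload_offset(banner), " is SSH:", is_ssh_banner(banner))
```

The practical consequence for detection: `tcp[tcpflags] == tcp-syn` is the filter for connection attempts only, while `tcp[13] & 2 != 0` also pulls in the SYN-ACK replies; pick the one that matches the question you are asking. The banner test keys on the protocol's own greeting rather than on port 22, so an SSH service moved to another port still shows up.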

find dns traffic
# tcpdump -vvAs0 port 53

find cleartext passwords
# tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -lA | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '





