TCPDump
Basics
- TCPDump done with "-i any" will result in packets with No Ethernet Headers captured in wireshark.
tcpdump -i eth0
- TCPDump uses libpcap which processes packets before they get processed by IPTables.
- Therefore TCPDump will see Incoming Ping packets though they are dropped by IPTables.
- TCPDump will see inbound traffic before iptables, but will see outbound traffic only after the firewall has processed it.
Filters
Source: [thegeekstuff.com]
- General TCPDump command:
sudo tcpdump -s 0 -i ens160 host 10.1.1.1 -v -w /tmp/packet_capture.cap sudo tcpdump -s 0 -i ens160 host 10.1.1.1 and port 22 -v -w /tmp/packet_capture.cap sudo tcpdump -s 0 -i ens160 host 10.1.1.1 and port not 22 and port not 80 -v -w /tmp/packet_capture.cap sudo tcpdump -s 0 -i ens160 host 10.1.1.1 and tcp port not 22 and tcp port not 80 -v -w /tmp/packet_capture.cap
| Description | Command |
|---|---|
| Capture packets from a particular interface | tcpdump -i eth1 |
| Capture only N number of packets | tcpdump -c 200 -i eth0 |
| Display Captured Packets in ASCII | tcpdump -A -i eth0 |
| Display Captured Packets in HEX and ASCII | tcpdump -XX -i eth0 |
| Capture the packets and write into a file | tcpdump -w 08232010.pcap -i eth0 |
| Capture packets with IP address without DNS resolution | tcpdump -n -i eth0 |
| Capture packets with proper readable timestamp | tcpdump -n -tttt -i eth0 |
| Read packets only longer or smaller than N bytes | tcpdump -w capture.pcap greater 1024 tcpdump -w capture.pcap less 1024 |
| Receive only the packets of a specific protocol type | tcpdump -i eth0 arp |
| Receive packets flows on a particular port | tcpdump -i eth0 port 22 |
| Capture packets for particular destination IP and Port | tcpdump -w xpackets.pcap -i eth0 dst 10.181.140.216 and port 22 |
| Capture TCP communication packets between two hosts | tcpdump -w comm.pcap -i eth0 udp and \(host 172.20.68.176 and host 172.24.173.9\) |
| Capture all the packets other than arp and rarp 'and' 'or' and 'not' condition are used to filter the packets |
tcpdump -i eth0 not arp and not rarp |
Reading PCAPs
| Header text | Header text |
|---|---|
| Reading pcap file | tcpdump -r data.pcap |
| Viewing all headers | tcpdump -e -nn -vv -r data.pcap |
| Viewing hexadecimal data | tcpdump -XX -r data.pcap |
TCPDump Parameters
Modifiers
| Symbol | Words |
|---|---|
| ! | not |
| && | and |
| || | or |
Examples
| Filter | Description |
|---|---|
| udp dst port not 53 | UDP not bound for port 53 |
| host 10.0.0.1 && host 10.0.0.2 | Traffic between these hosts |
| tcp dst port 80 or 8080 | Packets to either TCP port |
Protocol keywords
| Keywords | ||
|---|---|---|
| arp | ether | icmp |
| ip | ip6 | ppp |
| rarp | tcp | udp |
| wlan | ||
TCP Flags
| Flag Keywords | ||
|---|---|---|
| tcp-urg | tcp-rst | |
| tcp-ack | tcp-syn | |
| tcp-psh | tcp-fin | |
Capture Filter Primitives
| Filter | Description |
|---|---|
| [src|dst] host <host> | Matches a host as the IP source, destination, or either |
| ether [src|dst] host <ehost> | Matches a host as the Ethernet source, destination, or either |
| gateway host <host> | Matches packets which used host as a gateway |
| [src|dst] net <network>/<len> | Matches packets to or from an endpoint residing in network |
| [tcp|udp] [src|dst] port <port> | Matches TCP or UDP packets sent to/from port |
| [tcp|udp] [src|dst] portrange <p1>-<p2> | Matches TCP or UDP packets to/from a port in the given range |
| less <length> | Matches packets less than or equal to length |
| greater <length> | Matches packets greater than or equal to length |
| (ether|ip|ip6) proto <protocol> | Matches an Ethernet, IPv4, or IPv6 protocol |
| (ether|ip) broadcast | Matches Ethernet or IPv4 broadcasts |
| (ether|ip|ip6) multicast | Matches Ethernet, IPv4, or IPv6 multicasts |
| type (mgt|ctl|data) [subtype <subtype>] | Matches 802.11 frames based on type and optional subtype |
| vlan [<vlan>] | Matches 802.1Q frames, optionally with a VLAN ID of vlan |
| mpls [<label>] | Matches MPLS packets, optionally with a label of label |
| <expr> <relop> <expr> | Matches packets by an arbitrary expression |
Command Line Options
-A Print frame payload in ASCII -c <count> Exit after capturing count packets -D List available interfaces -e Print link-level headers -F <file> Use file as the filter expression -G <n> Rotate the dump file every n seconds -i <iface> Specifies the capture interface -K Don't verify TCP checksums -L List data link types for the interface -n Don't convert addresses to names -p Don't capture in promiscuous mode -q Quick output -r <file> Read packets from file -s <len> Capture up to len bytes per packet -S Print absolute TCP sequence numbers -t Don't print timestamps -v[v[v]] Print more verbose output -w <file> Write captured packets to file -x Print frame payload in hex -X Print frame payload in hex and ASCII -y <type> Specify the data link type
Docker Packet Captures
docker exec -it 428947239426349 tcpdump -N -A 'port 80' -w capture.pcap
Advanced Packet Filtering
- List interesting traffic from all the PCAP files:
for i in `find . -type f | egrep "All.pcap"`; do echo $i; tcpdump -r $i '((host 1.1.1.1 or host 2.2.2.2) and host 3.3.3.3) and port 445' ; echo -e "\n"; done
- References
{{#widget:DISQUS
|id=networkm
|uniqid=TCPDump
|url=https://aman.awiki.org/wiki/TCPDump
}}