how to use tcpdump

how-to-use-tcpdump

Tcpdump command is a famous network packet analyzing tool that is used to display TCP IP & other network packets being transmitted over the network attached to the system on which tcpdump has been installed. Tcpdump uses libpcap library to capture the network packets & is available on almost all Linux/Unix flavors.

Linux Tcpdump: Filter ipv6 ntp ping packets

Tcpdump: capture DHCP & DHCPv6 packets

20 Advanced Tcpdump Examples On Linux

10 Useful tcpdump command examples

TCPDUMP

README

Tcpdump is one of the best network analysis-tools ever for information security professionals.

Tcpdump is for everyone for hackers and people who have less of TCP/IP understanding.

OPTIONS

Below are some tcpdump options (with useful examples) that will help you working with the tool. They’re very easy to forget and/or confuse with other types of filters, i.e. ethereal, so hopefully this article can serve as a reference for you, as it does me:)

• The first of these is -n, which requests that names are not resolved, resulting in the IPs themselves.
• The second is -X, which displays both hex and ascii content within the packet.
• The final one is -S, which changes the display of sequence numbers to absolute rather than relative.

Show the packet’s contents in both hex and ascii.

tcpdump -X ....         

Same as -X, but also shows the ethernet header.

tcpdump -XX

Show the list of available interfaces

tcpdump -D

Line-readable output (for viewing as you save, or sending to other commands)

tcpdump -l

Be less verbose (more quiet) with your output.

tcpdump -q

Give human-readable timestamp output.

tcpdump -t :

Give maximally human-readable timestamp output.

tcpdump -tttt : 

Listen on the eth0 interface.

tcpdump -i eth0

Verbose output (more v’s gives more output).

tcpdump -vv 

Only get x number of packets and then stop.

tcpdump -c 

Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.

tcpdump -s 

Print absolute sequence numbers.

tcpdump -S 

Get the ethernet header as well.

tcpdump -e 

Decrypt IPSEC traffic by providing an encryption key.

tcpdump -E

For more options, read manual:

• Find all options here
• Linux Tcpdump: Filter ipv6 ntp ping packets
• Tcpdump: capture DHCP & DHCPv6 packets
• 20 Advanced Tcpdump Examples On Linux
• 10 Useful tcpdump command examples

BASIC USAGE

Display Available Interfaces

tcpdump -D

tcpdump --list-interfaces

Let’s start with a basic command that will get us HTTPS traffic:

tcpdump -nnSX port 443

Find Traffic by IP

tcpdump host 1.1.1.1

Filtering by Source and/or Destination

tcpdump src 1.1.1.1 

tcpdump dst 1.0.0.1

Finding Packets by Network

tcpdump net 1.2.3.0/24

Low Output:

tcpdump -nnvvS

Medium Output:

tcpdump -nnvvXS

Heavy Output:

tcpdump -nnvvXSs 1514

Getting Creative

• Expressions are very nice, but the real magic of tcpdump comes from the ability to combine them in creative ways in order to isolate exactly what you’re looking for.

There are three ways to do combination:

AND

and or &&

OR

or or ||

EXCEPT

not or !

Usage Example:

Traffic that’s from 192.168.1.1 AND destined for ports 3389 or 22

tcpdump 'src 192.168.1.1 and (dst port 3389 or 22)'

Advanced

Show me all URG packets:

tcpdump 'tcp[13] & 32 != 0'

Show me all ACK packets:

tcpdump 'tcp[13] & 16 != 0'

Show me all PSH packets:

tcpdump 'tcp[13] & 8 != 0'

Show me all RST packets:

tcpdump 'tcp[13] & 4 != 0'

Show me all SYN packets:

tcpdump 'tcp[13] & 2 != 0'

Show me all FIN packets:

tcpdump 'tcp[13] & 1 != 0'

Show me all SYN-ACK packets:

tcpdump 'tcp[13] = 18'

Show all traffic with both SYN and RST flags set: (that should never happen)

tcpdump 'tcp[13] = 6'

Show all traffic with the “evil bit” set:

tcpdump 'ip[6] & 128 != 0'

Display all IPv6 Traffic:

tcpdump ip6

Print Captured Packets in ASCII

tcpdump -A -i eth0

Display Captured Packets in HEX and ASCII

tcpdump -XX -i eth0

Capture and Save Packets in a File

tcpdump -w 0001.pcap -i eth0

Read Captured Packets File

tcpdump -r 0001.pcap

Capture IP address Packets

tcpdump -n -i eth0

Capture only TCP Packets.

tcpdump -i eth0 tcp

Capture Packet from Specific Port

tcpdump -i eth0 port 22

Capture Packets from source IP

tcpdump -i eth0 src 192.168.0.2

Capture Packets from destination IP

tcpdump -i eth0 dst 50.116.66.139

Capture any packed coming from x.x.x.x

tcpdump -n src host x.x.x.x

Capture any packet coming from or going to x.x.x.x

tcpdump -n host x.x.x.x

Capture any packet going to x.x.x.x

tcpdump -n dst host x.x.x.x

Capture any packed coming from x.x.x.x

tcpdump -n src host x.x.x.x

Capture any packet going to network x.x.x.0/24

tcpdump -n dst net x.x.x.0/24

Capture any packet coming from network x.x.x.0/24

tcpdump -n src net x.x.x.0/24

Capture any packet with destination port x

tcpdump -n dst port x

Capture any packet coming from port x

tcpdump -n src port x

Capture any packets from or to port range x to y

tcpdump -n dst(or src) portrange x-y

Capture any tcp or udp port range x to y

tcpdump -n tcp(or udp) dst(or src) portrange x-y

Capture any packets with dst ip x.x.x.x and port y

tcpdump -n "dst host x.x.x.x and dst port y"

Capture any packets with dst ip x.x.x.x and dst ports x, z

tcpdump -n "dst host x.x.x.x and (dst port x or dst port z)"

Capture ICMP , ARP

tcpdump -v icmp(or arp)

Capture packets on interface eth0 and dump to cap.txt file

tcpdump -i eth0 -w cap.txt

Get Packet Contents with Hex Output

tcpdump -c 1 -X icmp

Show Traffic Related to a Specific Port

tcpdump port 3389 

tcpdump src port 1025

Show Traffic of One Protocol

tcpdump icmp

Find Traffic by IP

tcpdump host 1.1.1.1

Filtering by Source and/or Destination

tcpdump src 1.1.1.1 

tcpdump dst 1.0.0.1

Finding Packets by Network

tcpdump net 1.2.3.0/24

Get Packet Contents with Hex Output

tcpdump -c 1 -X icmp

Show Traffic Related to a Specific Port

tcpdump port 3389 

tcpdump src port 1025

Show Traffic of One Protocol

tcpdump icmp

Show only IP6 Traffic

tcpdump ip6

Find Traffic Using Port Ranges

tcpdump portrange 21-23

Find Traffic Based on Packet Size

 tcpdump less 32 

 tcpdump greater 64 

 tcpdump <= 128

 tcpdump => 128

Reading / Writing Captures to a File (pcap)

tcpdump port 80 -w capture_file

tcpdump -r capture_file

It’s All About the Combinations

Raw Output View

tcpdump -ttnnvvS

Here are some examples of combined commands.

From specific IP and destined for a specific Port

tcpdump -nnvvS src 10.5.2.3 and dst port 3389

From One Network to Another

tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16

Non ICMP Traffic Going to a Specific IP

tcpdump dst 192.168.0.2 and src net and not icmp

Traffic From a Host That Isn’t on a Specific Port

tcpdump -vv src mars and not dst port 22

Isolate TCP RST flags.

tcpdump 'tcp[13] & 4!=0'

tcpdump 'tcp[tcpflags] == tcp-rst'

Isolate TCP SYN flags.

tcpdump 'tcp[13] & 2!=0'

tcpdump 'tcp[tcpflags] == tcp-syn'

Isolate packets that have both the SYN and ACK flags set.

tcpdump 'tcp[13]=18'

Isolate TCP URG flags.

tcpdump 'tcp[13] & 32!=0'

tcpdump 'tcp[tcpflags] == tcp-urg'

Isolate TCP ACK flags.

tcpdump 'tcp[13] & 16!=0'

tcpdump 'tcp[tcpflags] == tcp-ack'

Isolate TCP PSH flags.

tcpdump 'tcp[13] & 8!=0'

tcpdump 'tcp[tcpflags] == tcp-psh'

Isolate TCP FIN flags.

tcpdump 'tcp[13] & 1!=0'

tcpdump 'tcp[tcpflags] == tcp-fin'

Commands that I using almost daily

Both SYN and RST Set

tcpdump 'tcp[13] = 6'

Find HTTP User Agents

tcpdump -vvAls0 | grep 'User-Agent:'

tcpdump -nn -A -s1500 -l | grep "User-Agent:"

By using egrep and multiple matches we can get the User Agent and the Host (or any other header) from the request.

tcpdump -nn -A -s1500 -l | egrep -i 'User-Agent:|Host:'

Capture only HTTP GET and POST packets only packets that match GET.

tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'

tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'

Extract HTTP Request URL's

tcpdump -s 0 -v -n -l | egrep -i "POST /|GET /|Host:"

Extract HTTP Passwords in POST Requests

tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"

Capture Cookies from Server and from Client

tcpdump -nn -A -s0 -l | egrep -i 'Set-Cookie|Host:|Cookie:'

Capture all ICMP packets

tcpdump -n icmp

Show ICMP Packets that are not ECHO/REPLY (standard ping)

tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

Capture SMTP / POP3 Email

tcpdump -nn -l port 25 | grep -i 'MAIL FROM\|RCPT TO'

Troubleshooting NTP Query and Response

tcpdump dst port 123

Capture FTP Credentials and Commands

tcpdump -nn -v port ftp or ftp-data

Rotate Capture Files

tcpdump  -w /tmp/capture-%H.pcap -G 3600 -C 200

Capture IPv6 Traffic

tcpdump -nn ip6 proto 6

IPv6 with UDP and reading from a previously saved capture file.

tcpdump -nr ipv6-test.pcap ip6 proto 17

Detect Port Scan in Network Traffic

tcpdump -nn

USAGE EXAMPLE

Example Filter Showing Nmap NSE Script Testing

• On Target:

  nmap -p 80 --script=http-enum.nse targetip

• On Server:

  tcpdump -nn port 80 | grep "GET /"

       GET /w3perl/ HTTP/1.1

       GET /w-agora/ HTTP/1.1

       GET /way-board/ HTTP/1.1

       GET /web800fo/ HTTP/1.1

       GET /webaccess/ HTTP/1.1

       GET /webadmin/ HTTP/1.1

       GET /webAdmin/ HTTP/1.1

Capture Start and End Packets of every non-local host

tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

Capture DNS Request and Response

Filtering DNS with Tcpdump

tcpdump -i wlp58s0 -s0 port 53

Capture HTTP data packets

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

Top Hosts by Packets

tcpdump -nnn -t -c 200 | cut -f 1,2,3,4 -d '.' | sort | uniq -c | sort -nr | head -n 20

Capture all the plaintext passwords

tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -l -A | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '

tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -lA | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd= |password=|pass:|user:|username:|password:|login:|pass |user '

DHCP Example

tcpdump -v -n port 67 or 68

Cleartext GET Requests

tcpdump -vvAls0 | grep 'GET'

Find HTTP Host Headers

tcpdump -vvAls0 | grep 'Host:'

Find HTTP Cookies

tcpdump -vvAls0 | grep 'Set-Cookie|Host:|Cookie:'

Find SSH Connections

tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'

Find DNS Traffic

tcpdump -vvAs0 port 53

Find FTP Traffic

tcpdump -vvAs0 port ftp or ftp-data

Find NTP Traffic

tcpdump -vvAs0 port 123

Capture SMTP / POP3 Email

tcpdump -nn -l port 25 | grep -i 'MAIL FROM\|RCPT TO'

Line Buffered Mode

tcpdump -i eth0 -s0 -l port 80 | grep 'Server:'

Find traffic with evil bit

tcpdump 'ip[6] & 128 != 0'

Filter on protocol (ICMP) and protocol-specific fields (ICMP type)

Tcpdump: Filter Packets with Tcp Flags

tcpdump -n icmp and 'icmp0 != 8 and icmp0 != 0'

Same command can be used with predefined header field offset (icmptype) and ICMP type field values (icmp-echo and icmp-echoreply):

tcpdump -n icmp and icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply

Filter on TOS field

tcpdump -v -n ip and ip[1]!=0

Filter on TTL field

tcpdump -v ip and 'ip[8]<2'

Filter on TCP flags (SYN/ACK)

tcpdump -n tcp and port 80 and 'tcp[tcpflags] & tcp-syn == tcp-syn'

In the example above, all packets with TCP SYN flag set are captured. Other flags (ACK, for example) might be set also. Packets which have only TCP SYN flags set, can be captured

tcpdump tcp and port 80 and 'tcp[tcpflags] == tcp-syn'

Catch TCP SYN/ACK packets (typically, responses from servers):

tcpdump -n tcp and 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'

tcpdump -n tcp and 'tcp[tcpflags] & tcp-syn == tcp-syn' and 'tcp[tcpflags] & tcp-ack == tcp-ack'

Catch ARP packets

tcpdump -vv -e -nn ether proto 0x0806

Filter on IP packet length

tcpdump -l icmp and '(ip[2:2]>50)' -w - |tcpdump -r - -v ip and '(ip[2:2]<60)'

Remark: due to some bug in tcpdump, the following command doesn't catch packets as expected:

tcpdump -v -n icmp and '(ip[2:2]>50)' and '(ip[2:2]<60)'

Filter on encapsulated content (ICMP within PPPoE)

tcpdump -v -n icmp

Queiter

tcpdump -q -i eth0

tcpdump -t -i eth0

tcpdump -A -n -q -i eth0 'port 80'

tcpdump -A -n -q -t -i eth0 'port 80'

Print only useful packets from the HTTP traffic

tcpdump -A -s 0 -q -t -i eth0 'port 80 and ( ((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12:2]&0xf0)>>2)) != 0)'

Dump SIP Traffic

tcpdump -nq -s 0 -A -vvv port 5060 and host 1.2.3.4

Checking packet content

tcpdump -i any -c10 -nn -A port 80

Checking packet content

sudo tcpdump -i any -c10 -nn -A port 80

References & Awesome wikis

Capture ICMP Packets With Tcpdump

Debugging SSH Packets with Tcpdump

Using Tcpdump to Filter DNS Packets

Learn tcpdump Quick Guide

Filtering DNS with Tcpdump

Filtering CDP LLDP packets with Tcpdump

Tcpdump Cheat Sheet (Basic Advanced Examples)

END!