tcpdump

tcpdump is a widely used command-line network packet analyzer that captures and displays packets being transmitted over a network in real time. It’s an essential tool for network administrators, security professionals, and penetration testers to troubleshoot network issues, monitor traffic, and inspect traffic for security problems. By specifying filters and interfaces, tcpdump gives fine-grained control over what data is captured, making it versatile for both simple and complex network analysis tasks.

Common tcpdump Options and Switches:

  • -i <interface>
    Specifies the network interface to capture packets from (e.g., eth0, wlan0). If not specified, tcpdump will use the first available interface by default.
  • -n
    Disables hostname and port number resolution for faster output, which is especially useful for large captures or high-traffic environments.
  • -v
    Enables verbose mode, which increases the level of detail in the output. This includes additional packet information such as IP TTL and protocol-specific details.
  • -vv
    Very verbose mode, offering even more detailed information, including fields like window sizes and IP options. This is particularly useful for deeper analysis of packet contents.
  • -x
    Displays the packet data in hexadecimal format, helpful for detailed packet inspection.
  • -s0
    Sets the snapshot length to capture the entire packet, useful for complete packet analysis.
  • -c <count>
    Limits the capture to a specific number of packets. This is useful when analyzing a limited number of packets or avoiding overwhelming your system with continuous traffic capture.
  • -A
    Outputs the packet contents in ASCII format, useful for reading clear-text data such as HTTP headers and requests.
  • -B <buffer_size>
    Sets the operating system capture buffer size (in KiB), which can prevent packet drops in high-traffic scenarios.
  • -e
    Displays the link-layer header on each packet, showing source and destination MAC addresses.
  • -L
    Lists available data link types for the specified interface, helping to confirm the correct capture layer.
  • -w <file>
    Writes the captured packets to a file, typically in .pcap format, which can be later analyzed using tools like Wireshark. This is helpful for large captures or for conducting more thorough analysis at a later time.
  • -tt
    Outputs each packet's timestamp as raw seconds since the Unix epoch instead of the default time-of-day format. This can be valuable for correlating events with other logs or for measuring latency and delays between packet transmissions.
  • <filter expression>
    Specifies a filter to capture only certain types of traffic. Filters can be applied to capture specific protocols (e.g., tcp, udp), traffic to or from a certain IP address, traffic on a specific port, or a combination of these criteria. Filter expressions are essential for narrowing down what you’re looking for, especially on busy networks.

Packet Count

Using the -c option to capture a specific packet count is particularly helpful when you’re looking to analyze a specific event on the network, such as the initiation of a TCP connection, without needing to sift through thousands of irrelevant packets. For example, capturing 10 packets during an HTTP request can provide insight into the full sequence of a TCP handshake, the HTTP request, and the response.

Example:

> tcpdump -i eth0 -c 10

This command will capture 10 packets from the eth0 interface and then stop, giving you a concise snapshot of activity.


Filter Expressions

Filter expressions are one of the most powerful features of tcpdump, allowing you to capture only the traffic you’re interested in by specifying packet characteristics. By using a filter, you can exclude unnecessary traffic and focus on specific packets, such as traffic from or to a specific host, or packets using a particular protocol.

Here are some common types of filter expressions and their usage:

  • Host filtering: Captures traffic from or to a specific host.
    > tcpdump host 192.168.1.100
  • Protocol filtering: Captures traffic of a specific protocol (e.g., tcp, udp, icmp, arp).
    > tcpdump tcp
  • Port filtering: Captures packets going to or coming from a specific port.
    > tcpdump port 80
  • Combining filters: You can combine multiple filter expressions using and, or, and not.
    • Capture all tcp packets coming from 192.168.1.100 and destined for port 22:
      > tcpdump tcp and src host 192.168.1.100 and port 22
  • Direction filtering: You can also specify the direction of traffic with src (source) and dst (destination).
    • Capture packets only from the source IP 192.168.1.100:
      > tcpdump src 192.168.1.100
  • Network filtering: Capture packets to or from any host in a specific subnet.
    > tcpdump net 192.168.1.0/24

Advanced Filter Examples

  • Capture HTTP traffic on port 80:
    > tcpdump tcp port 80
  • Capture only traffic from a specific source IP address:
    > tcpdump src host 10.0.0.5
  • Capture traffic to a specific destination port:
    > tcpdump dst port 443
  • Capture all ICMP packets (often used for ping requests):
    > tcpdump icmp
  • Capture traffic from a specific network:
    > tcpdump net 192.168.0.0/16

By combining filter expressions, you can home in on exactly the traffic you need to inspect, whether that is SSH login attempts, HTTP requests, or specific ICMP pings.
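The filter primitives covered above (host, src/dst qualifiers, port, net, bare protocol names, and combination with and/or/not) modelled in Python as an added example; it is not part of the original page or of tcpdump itself, and it evaluates expressions against constructed packet records rather than live traffic. It also goes one step beyond the cheat sheet by reproducing a rule from pcap-filter(7) that trips people up: and and or have equal precedence and associate left to right, so "tcp or udp and port 53" means "(tcp or udp) and port 53".

```python
# Teaching model of pcap-filter(7) matching over dict "packets": this is not
# tcpdump's BPF compiler and it never opens a network interface.
import ipaddress
def _primitive(tokens):
    """[not] [src|dst] (host ADDR | net CIDR | port N), or a bare protocol name."""
    if tokens[0] == "not":                    # negation binds tightest
        tokens.pop(0)
        inner = _primitive(tokens)
        return lambda p: not inner(p)
    direction = tokens.pop(0) if tokens[0] in ("src", "dst") else None
    if tokens[0] in ("tcp", "udp", "icmp", "arp"):
        proto = tokens.pop(0)
        return lambda p: p["proto"] == proto
    # "src 10.0.0.5" is shorthand for "src host 10.0.0.5"
    kind = tokens.pop(0) if tokens[0] in ("host", "net", "port") else "host"
    value = tokens.pop(0)
    if kind == "port":
        fields, test = ("sport", "dport"), (lambda v: v == int(value))
    elif kind == "net":
        net = ipaddress.ip_network(value, strict=False)
        fields, test = ("src", "dst"), (lambda v: ipaddress.ip_address(v) in net)
    else:
        fields, test = ("src", "dst"), (lambda v: v == value)
    if direction:                             # no qualifier: either end of the packet matches
        fields = fields[:1] if direction == "src" else fields[1:]
    return lambda p: any(test(p[f]) for f in fields)

def compile_filter(expression):
    # 'and' and 'or' have EQUAL precedence and associate left to right, so
    # "tcp or udp and port 53" means "(tcp or udp) and port 53".
    tokens = expression.split()
    pred = _primitive(tokens)
    while tokens:
        op = tokens.pop(0)
        if op not in ("and", "or"):
            raise ValueError(f"unexpected token {op!r}")
        l, r = pred, _primitive(tokens)
        pred = (lambda p, l=l, r=r: l(p) and r(p)) if op == "and" else (lambda p, l=l, r=r: l(p) or r(p))
    return pred

SAMPLE_PACKETS = [  # constructed, not a real capture: SSH both ways, a DNS query, a ping
    {"proto": "tcp", "src": "192.168.1.100", "sport": 51514, "dst": "10.0.0.5", "dport": 22},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 22, "dst": "192.168.1.100", "dport": 51514},
    {"proto": "udp", "src": "192.168.1.7", "sport": 53000, "dst": "8.8.8.8", "dport": 53},
    {"proto": "icmp", "src": "192.168.1.7", "sport": None, "dst": "10.0.0.5", "dport": None},
]

def count_matching(expression, packets=SAMPLE_PACKETS):
    pred = compile_filter(expression)  # how many sample packets tcpdump would print
    return sum(1 for p in packets if pred(p))
```

Note that "port 22" and "host 192.168.1.100" each match both directions of the SSH session, while "src host 192.168.1.100" matches only the client-to-server half.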


Examples of tcpdump Commands

  1. Capture all packets on interface eth0:
    > tcpdump -i eth0
  2. Capture all TCP packets on port 80 (HTTP):
    > tcpdump tcp port 80
  3. Capture 100 packets and save them to a file for later analysis:
    > tcpdump -i eth0 -c 100 -w capture.pcap
  4. Capture UDP traffic to or from the IP 192.168.1.1:
    > tcpdump udp and host 192.168.1.1
  5. Capture ICMP traffic (e.g., ping requests):
    > tcpdump icmp
  6. Capture packets on wlan0 interface with detailed (verbose) output:
    > tcpdump -i wlan0 -vv
  7. Capture packets on a specific network (subnet) and save to a file:
    > tcpdump -i eth0 -w network_capture.pcap net 192.168.1.0/24

Use Cases

tcpdump is invaluable in a wide range of scenarios:

  1. Network troubleshooting: Quickly identify issues with network traffic, such as dropped packets, delays, or unexpected communication between devices.
  2. Security analysis: Monitor for suspicious activity on your network, such as unauthorized access attempts or unusual traffic patterns.
  3. Traffic monitoring: Keep an eye on the types of traffic being transmitted and received, especially useful for ensuring proper network performance and detecting congestion points.
  4. Protocol inspection: Capture and analyze the details of specific network protocols (e.g., DNS, HTTP) to ensure they are functioning correctly or to identify issues in communication.