MyTetra Share
Share your knowledge!
tcpdump
Created: 25.04.2013 21:58
Section: root - Linux
Record: Yurons/mytetra/master/base/1366916330qk4svmqilw/text.html on raw.github.com

tcpdump

 

view traffic on an interface:

tcpdump -i fxp1

view traffic of a single host:

tcpdump host 1.2.3.4

view traffic on a port (here, packets with source port 80):

tcpdump src port 80

view IP traffic to a host:

tcpdump ip host 1.2.3.4

view ARP traffic to a host:

tcpdump arp host 1.2.3.4

view RARP traffic to a host:

tcpdump rarp host 1.2.3.4

view traffic except for host unixserver:

tcpdump not host unixserver

view traffic to server1 and server2:

tcpdump host server1 or host server2

view the contents of packets on interface tun0 to host ya.ru:

tcpdump -X -i tun0 host ya.ru

peek at ICQ numbers and passwords:

tcpdump -X -i fxp1 port aol

view the contents of packets on interface tun0 to host ya.ru, reading 1500 bytes from each packet and not resolving IP addresses to host names:

tcpdump -X -s 1500 -n -i tun0 host ya.ru

 

External links

http://www.linuxshare.ru/docs/net/tcpdump.html

http://acs.lbl.gov/~jason/tcpdump_advanced_filters.txt


Alternatives

Ethereal: GUI traffic analyzer

Tethereal: console version of Ethereal

// On FreeBSD, install from ports

// In most other distributions it is available in optional packages

tethereal -i fxp0 -T text -f 'tcp port 5190' -w icqtext

Trafshow: console traffic monitor

 

Today I found myself needing to save packets from tcpdump to a file but also view them on screen. I've wanted to do that in the past, but today it became more important. It was suggested to me to use two instances of tcpdump, but I thought there had to be a better way. Luckily there is.

# tcpdump -U -s 1500 -w - <bpf> |tee <file> | tcpdump -lnr -

 

tcpdump -U -i any -s 0 -w - 'tcp port 29080 or 180 or 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'| tee /root/out.tcpdump |tcpdump -vvv -A -lr - |egrep '(GET|HTTP|Job|opwv|flv|mp4|3gp|Host\:|low|medium|high)'

 


Fun with Tcpdump

 

Tcpdump is a really useful program for capturing packets that are on the wire. It can be used to view packets going through your own interface, on a network with a hub, or on a switched network (arp-cache poisoning or mirrored switch ports).

 

The output from tcpdump can either be sent to the screen, written to a raw file using -w and viewed with tcpdump (using -r) or the capture files can be read with a tool such as Wireshark.

 

Tcpdump is a tool that anyone who is interested in networks should be familiar with. It will help you understand what normal traffic looks like on your network at a packet level so you can quickly identify abnormal traffic.

 

The purpose of this blog post is to get a few of the commands documented to familiarize myself with the tool so I can quickly apply filters when needed.

 

For the Windows users there is a very good port of tcpdump called Windump, the syntax is very similar if not identical.

 

 

Using Tcpdump

 

When first running tcpdump without any filters the output can be overwhelming. Don't worry about this; as you begin to get familiar with the filters you can quickly get to the information you want.

 

If you have multiple interfaces that are up you may need to use the -i {interface} switch.

 

tcpdump -i eth1

 

The command can be terminated with ctrl+c.

 

I recommend using the -n switch to prevent name resolution whilst you are performing the capture. The name resolution can always be performed later.

 

tcpdump -i eth1 -n

 

You can also cut down the amount of data you capture by using the quiet option (-q)

 

tcpdump -q

 

Or to really cut down on what I can see I could use the following which would just display the from and to, the protocol and the packet size:

 

tcpdump -qt

 

As previously mentioned the output of tcpdump can be sent to a file using the -w switch or straight to a text file using the redirect >

 

I recommend writing the output to libpcap format using a command such as:

 

tcpdump -i eth1 -n -w capture.lpc

 

However, you may want to view the output on the screen as you write it to a file, this can be done by using the -l switch and piping through tee into the file:

 

tcpdump -l | tee mydump

 

 

You can also limit the capture to a certain amount of packets using the -c switch. To only collect 100 packets:

 

tcpdump -c 100

 

 

The -c switch can also be used when reading from a packet capture file:

 

tcpdump -n -s 1514 -r capture.lpc -c 5 tcp

 

The command above will read the first 5 tcp packets from the capture.lpc file.

 

 

 

 

Collecting Packets Based on Size

 

Usually tcpdump does not collect the entire packet. Use the snaplen option -s 0 to force it to do so:

 

tcpdump -s 0

 

Or to only collect the first 1514 bytes of a packet:

 

tcpdump -s 1514

 

1514 bytes will capture the ethernet portion without VLAN tagging. To capture the VLAN tagging information an additional 4 bytes will need to be added.

 

 

To only collect packets from a particular host:

 

tcpdump -i eth1 -n -w capture.lpc host 208.68.234.113

 

 

Name Resolution

 

As mentioned earlier, by default tcpdump will resolve network addresses into names. To disable this use the -n switch. And to disable port resolution use -nn:

 

tcpdump -nn

 

Use -f to prevent remote name resolution.

 

 

If you are on a local LAN and want to capture only traffic based on a MAC address use:

 

tcpdump ether host 11:22:33:44:55:66

 

Or if you want the Ethernet header in the output use the -e option:

 

tcpdump -i eth1 -e -n -s 1514 -w capture.lpc

 

To restrict the capture to a network use:

 

tcpdump -i eth1 -n -w capture.lpc -s 1514 net 192.168.1

 

or

 

tcpdump -i eth1 -n -w capture.lpc -s 1514 net 192.168.1.0 mask 255.255.255.0

 

 

Using Keywords

 

Keywords allow you to easily filter traffic. The keywords that can be used are ip, tcp, udp, icmp and igmp.

As an example of using keywords, to capture all IP traffic use the ip keyword:

 

tcpdump -i eth1 -n -w capture.lpc -s 1514 ip

 

or to capture just TCP traffic:

 

tcpdump -i eth1 -n -w capture.lpc -s 1514 tcp

 

Other traffic types without keywords can be captured using the "ip proto" option:

 

tcpdump -i eth1 -n -w capture.lpc -s 1514 ip proto l2tp

 

or by its protocol number as found in the /etc/protocols file:

 

tcpdump -i eth1 -n -w capture.lpc -s 1514 ip proto 115

 

 

To capture traffic based on its application from further up the stack, such as FTP traffic, specify the port:

 

tcpdump -i eth1 -n -w capture.lpc -s 1514 port 21

 

And to capture the data portion of the FTP traffic as well you could add port 20:

tcpdump -i eth1 -n -w capture.lpc -s 1514 'port 21 or port 20'

This could have been specified by name as detailed in the /etc/services file.

tcpdump -i eth1 -n -w capture.lpc -s 1514 'port ftp or port ftp-data'

The examples above use 'or' to join two filters, so a packet matching either one is captured; || means the same as 'or'. Use 'and' (or &&) when both filters must match, which is not what is wanted here because a packet belongs to either the control connection or the data connection. Quote the expression so the shell does not interpret || or && itself.

tcpdump -i eth1 -n -w capture.lpc -s 1514 'port http or https'

tcpdump -i eth1 -n -w capture.lpc -s 1514 'port 80 || 443'

 

The above filters will capture the same data.

 

 

Filtering by Packet Size

 

You could create a filter to capture packets that are larger than a certain size (in bytes):

 

tcpdump -i eth1 -n -w capture.lpc -s 1514 greater 250

 

This type of filter can be useful if you are trying to locate certain types of packet based on attributes from further up the stack.

 

 

 

 

We can also tell tcpdump to leave out certain types of traffic, in this example we don't want http or https traffic but we want everything else:

 

tcpdump -i eth1 -n -w capture.lpc -s 1514 " (not tcp port http and not tcp port https)"

 

 

 

To view the packet contents in hex and ASCII on screen use -X (the verbose -v is optional); -w is left out because packets written to a file are not printed:

tcpdump -i eth1 -n -s 1514 -X -v

To dump the whole packet in hex use:

tcpdump -i eth1 -n -s 1514 -x -v

 

 

Further Examples

 

To display a list of visited sites:

 

tcpdump -w dumpfile

tcpdump -r dumpfile > textfile

cat textfile | /usr/bin/cut -f 8 -d ' ' | /bin/grep -i 'www*'

 

 

Looking at ICMP

 

Although you can capture all ICMP traffic, you could actually capture only particular types of ICMP based on attributes of the protocol. For example, if I wanted to capture just ICMP echo requests, knowing that an ICMP echo request is a Type 8, I might use:

 

tcpdump -e -x "icmp[0]=8"


To capture just ICMP replies (Type 0) I might use:

 

tcpdump -e -x "icmp[0]=0"

 

 

Wireless Stuff

 

If I was curious about what networks wireless clients are probing for I could set my card into promiscuous mode (ifconfig eth1 promisc), configure my wireless settings to monitor (iwconfig eth1 mode monitor) and issue the following command:

 

tcpdump -i eth1 -s0 -nn -vv -t | grep -i request

 

This would reduce the output to just display probe requests from nearby wireless clients.

 

 

 

 

Note: I will update this blog entry with new and interesting uses for Tcpdump as I learn them.

 

 

Links

 

For a great book on network monitoring using Tcpdump as well as many other opensource tools try "The Tao of Network Security Monitoring" from Richard Bejtlich.

 

Another great book on this topic is "Practical Packet Analysis"

Posted by SynJunkie

Labels: Packet Sniffing, Traffic Analysis

 

 




Export HTTP Objects

1. Find the gzipped object of interest and right-click on the corresponding packet in the packet list, selecting, "Follow TCP Stream" to isolate the stream.

2. Within the "Follow TCP Stream" window, note the name of the gzipped object in the previous GET block.

3. From the main window, choose File -> Export Objects -> HTTP.

4. Select the object. The packet number should match the packet number you discovered in step 1, and the Filename should match the name seen in step 2. Note that the content type that appears is the uncompressed content type, so e.g., text/html, and not gzip.

5. Choose Save As, then Save. This will be the uncompressed object.

Note that you don't necessarily need to do "Follow TCP Stream" as long as you know the packet number and object name of the object of interest, or if you simply want to export all objects.


TCPDUMP expressions are also known as BPF, or Berkeley Packet Filters. On a TCPDUMP command line it is recommended to place them inside single quotes (UNIX) or double quotes (Windows) to avoid confusion and possible parsing errors.

Expressions

tcpdump host profl

dumps all packets to or from host profl

tcpdump ether host 11:22:33:44:55:66

dumps all packets to or from that MAC address

tcpdump net 192.168.12.4/30

dumps all packets to or from a network, specified using CIDR notation

tcpdump net 192.168.12.4 mask 255.255.255.252

dumps all packets to or from a network, specified using a mask

tcpdump tcp src port 53

dumps all packets with source port 53/tcp

tcpdump host {thisIP}

Show only IP traffic to or from thisIP

tcpdump 'host {thisIP} && host {thatIP}'

Show only IP traffic between thisIP and thatIP

tcpdump '!(host {myIP}) && {remainder of expression}'

Ignore traffic from myIP (necessary if you're running TCPDUMP on a remote machine to stop it from capturing the terminal session with your machine)

Primitives

icmp[0] = 0

Show only echo reply

tcp[13] & 3 != 0
tcp[tcpflags] & (tcp-syn | tcp-fin) != 0

show only SYN or FIN packets

tcp[13] & 0x12 = 0x12
tcp[tcpflags] & (tcp-syn | tcp-ack) = (tcp-syn | tcp-ack)

show only SYN/ACK packets

tcp[tcpflags] & (tcp-syn | tcp-fin | tcp-rst) != 0

show SYN, FIN, and RST packets

ip[2:2] > 576

show only packets longer than 576 bytes

icmp[0] = 3 and icmp[1] = 4

Show ICMP type 3, code 4 (Needs fragmenting but DF bit set)

ip[6] & 0x40 = 0x40

Show only IP packets with DF bit set

vlan && ip

Show only IEEE 802.1q IP packets. Changes the decoding offsets for the remainder of the expression, as if the VLAN header had been stripped away.

vlan 186 && ip

Show only IP packets in IEEE 802.1q VLAN number 186.

Assorted

ip proto 50

Show only ESP packets (IP protocol 50)

ip proto 112

show only VRRP packets (IP protocol 112)

proto vrrp

all VRRP packets (works on IPSO)
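
The payload-length test in the long capture command earlier on this page and the byte-offset primitives listed above can be checked offline. This is an added example, not code from the original page or the quoted posts: it evaluates those expressions in Python over constructed packets, and build_packet, classify and the sample addresses and ports are hypothetical names and values.

```python
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08

def build_packet(flags, payload=b"", ip_options=b"", df=True):
    """Constructed IPv4+TCP bytes; addresses/ports are sample values, checksums left 0."""
    ihl = 5 + len(ip_options) // 4            # IP header length in 32-bit words
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + 20 + len(payload),
                     1, 0x4000 if df else 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + ip_options
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp + payload

def ip_hdr_len(pkt):
    return (pkt[0] & 0x0F) << 2               # (ip[0] & 0xf) << 2

def tcp_byte(pkt, off):
    return pkt[ip_hdr_len(pkt) + off]         # tcp[off], counted from the TCP header

def tcp_payload_len(pkt):
    """ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2): bytes after both headers."""
    total_len = struct.unpack_from("!H", pkt, 2)[0]          # ip[2:2]
    return total_len - ip_hdr_len(pkt) - ((tcp_byte(pkt, 12) & 0xF0) >> 2)

def any_flag(pkt, mask):
    return (tcp_byte(pkt, 13) & mask) != 0    # tcp[13] & mask != 0

def all_flags(pkt, mask):
    return (tcp_byte(pkt, 13) & mask) == mask # tcp[13] & mask = mask

def df_set(pkt):
    return (pkt[6] & 0x40) == 0x40            # ip[6] & 0x40 = 0x40

def classify(pkt):
    return {"payload": tcp_payload_len(pkt), "df": df_set(pkt),
            "syn_or_ack": any_flag(pkt, SYN | ACK),
            "syn_and_ack": all_flags(pkt, SYN | ACK)}

SAMPLES = {  # constructed packets, not captured traffic
    "bare ACK": build_packet(ACK),
    "SYN/ACK": build_packet(SYN | ACK),
    "HTTP GET": build_packet(ACK | PSH, b"GET / HTTP/1.1\r\n\r\n"),
    "GET, IP options, no DF": build_packet(ACK | PSH, b"GET /", b"\x01" * 4, df=False),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:24} {classify(pkt)}")
```

The bare ACK has a payload length of 0, so the `!= 0` payload test drops it while keeping both GET segments, including the one whose IP header carries options. The same bare ACK passes the `mask != 0` flag test for SYN|ACK but fails the `= mask` form, which only the SYN/ACK packet satisfies.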

