Analyzing network traffic with tcpdump –part 1 February 19, 2011Posted by Tournas Dimitrios in Linux admin tools.
tcpdump is a common network packet analyzer that runs under the command line. It allows the user to intercept and display packets being transmitted or received over a network to which the computer is attached. tcpdump is mandatory for anyone desiring a thorough understanding of TCP/IP. tcpdump works on most Unix-like operating systems: BSD, Linux, Mac OS X, Solaris, HP-UX and AIX among others. In those systems, tcpdump uses the libpcap library to capture packets , which is used by nmap among others . There is also a port of tcpdump for Windows called WinDump and it uses WinPcap, which is a port of libpcap to Windows.
Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression of the filter. It can also be run with the -w flag, which causes it to save the packet data to a file (pcap) for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than to read packets from a network interface. In all cases, only packets that match expression will be processed by tcpdump . The “pcap” file format is an binary file that many networking utilities (Wireshark , nmap , ngrep etc..) can read/write from , so there is compatibility with these tools .
This article will present examples with the most used command line options and assumes that the reader is familiar with tcp / ip stack terminology . My previous article is a remainder to network architecture concepts .
An alternative well-known GUI tool is Wireshark (formerly ethereal) . tshark is the command line interface of Wireshark , it’s display filters and options are very different from tcpdump . tsark’s options are complicated and output is MUCH more verbose . tcpdump options are simple and output is compact .
tcpdump -s0 -A -nni eth0 dst port 80 and dst host xyz
tshark -f “tcp dst port 80 and host xyz” -nni eth0 -V
If we run previous commands , output of tcpdump is 3pages and tshark’s output is 30pages !!!!!! . One area where tshark beats tcpdump is : ssl decryption , tshark can decrypt ssl while tcpdump don’t .
Tcpdump will, if not run with the -c flag, continue capturing packets until it is interrupted by a SIGINT signal (generated, for example, by typing your interrupt character, typically control-C) or a SIGTERM signal (typically generated with the kill(1) command); if run with the -c flag, it will capture packets until it is interrupted by a SIGINT or SIGTERM signal or the specified number of packets have been processed. When tcpdump finishes capturing packets, it will report counts of:
- packets “captured” (this is the number of packets that tcpdump has received and processed)
- packets “received by filter” (the meaning of this depends on the OS on which you’re running tcpdump, and possibly on the way the OS was configured – if a filter was specified on the command line, on some OS’s it counts packets regardless of whether they were matched by the filter expression and, even if they were matched by the filter expression,
- packets “dropped by kernel” (this is the number of packets that were dropped, due to a lack of buffer space, by the packet capture mechanism in the OS )
The general format of a tcpdump protocol line is:
time-stamp src > dst: flags data-seqno ack window urgent options
- Src and dst are the source and destination IP addresses and ports.
- Flags are some combination of
- S (SYN) : This bit is used at the start of the TCP handshake to establish the connection
- A (ACK) : Acknowledgement –used to indicate that data has been successfully received . Also used when establishing and tearing down TCP connections . In many cases , every packet in a TCP connection has this flag checked after the initial SYN.
- F (FIN) : Used to gracefully tear connections down . Each side of the connection sends a FIN , followed by an ACK , then the connection is finished
- P (PUSH) : Often set at the end of a block of data , signaling the receiver to process the block of data . This bit can be used to monitor the application blocks on the sending application .
- R (RST) : This bit is used to inform the receiver that the sender has shut this connection down. A reset is an abrupt way to do this , but may be legitimately seen at the end of some TCP connections . Watch for these when experiencing application disconnects .
- W (ECN CWR) or E (ECN-Echo) : Only used in TCP connections where Explicit Congestion Notification is used . Rarely seen in most TCP conversations.
- or a single `.‘ (no flags)
- Data-seqno describes the portion of sequence space covered by the data in this packet (see example below).
- Ack is sequence number of the next data expected the other direction on this connection.
- Window is the number of bytes of receive buffer space available the other direction on this connection.
- Urg indicates there is `urgent’ data in the packet.
- Options are tcp options enclosed in angle brackets (e.g., <mss 1024>).
Src, dst and flags are always present. The other fields depend on the contents of the packet’s tcp protocol header and are output only if appropriate
|tcpdump basic options|
|-i eth0||Listen on all interfaces just to see if you’re seeing any traffic. Interface : lo , eth0 , venet0 (virtual machin)|
|-v, -vv, -vvv||Increase the amount of packet information you get back.|
|-c||Only get x number of packets and then stop.|
|-s||Set the amount of data that is being captured in bytes|
|-c||Only capture x number of packets, example: ‘tcpdump -c 5’|
|-q||Show less protocol information.|
|-w / -r||Write the raw packets to file rather than parsing and printing
them out. They can later be printed with the -r option. Stan-
dard output is used if file is “-”.
|dst||watch only traffic destined to a net , host or port|
|src||watch only traffic whose src is a net , host or port|
|host||specifies a host IP or domain name|
|port /portrange||specidies a port or port-rang vs 22-80|
|proto||protocol ie tcp , udp , icmp|
|Expressions are nice , but the real magic of tcpdump comes from the ability to combine them in creative ways in order o isolate exactly what you’re looking for . There are three ways to do combinations , and if you’ve studied computers at all they’ll be pretty familar to you :
When you’re building complex queries you might have to group your options using single quotes . Single quotes are used in order to tell tcpdump to ignore certain special characters , kin this case “( )” brackets. This same technique can be used to group using other expressions such as host , port , net ,……
By default tcpdump reads the headers (96 bytes) of the tcp/ip layer of the packets , if you would like to look at more , add the -s number option to the mix , where number is the number of bytes you want to capture . The number given can be up to 1514 (to get everything) .