
Analyzing network traffic with tcpdump – part 1 February 19, 2011

Posted by Tournas Dimitrios in Linux admin tools.

tcpdump is a common network packet analyzer that runs under the command line. It allows the user to intercept and display packets being transmitted or received over a network to which the computer is attached. tcpdump is mandatory for anyone desiring a thorough understanding of TCP/IP. tcpdump works on most Unix-like operating systems: BSD, Linux, Mac OS X, Solaris, HP-UX and AIX among others. On those systems, tcpdump uses the libpcap library to capture packets; the same library is used by nmap among others. There is also a port of tcpdump for Windows called WinDump, which uses WinPcap, a port of libpcap to Windows.

Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression of the filter. It can also be run with the -w flag, which causes it to save the packet data to a file (pcap) for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than from a network interface. In all cases, only packets that match the expression will be processed by tcpdump. The "pcap" file format is a binary format that many networking utilities (Wireshark, nmap, ngrep etc.) can read and write, so captures are portable between these tools.

This article presents examples of the most used command line options and assumes that the reader is familiar with TCP/IP stack terminology. My previous article is a reminder of network architecture concepts.

An alternative well-known GUI tool is Wireshark (formerly Ethereal). tshark is the command line interface of Wireshark; its display filters and options are very different from tcpdump's. tshark's options are complicated and its output is MUCH more verbose, while tcpdump's options are simple and its output is compact. Compare:
tcpdump -s0 -A -nni eth0 dst port 80 and dst host xyz
tshark -f "tcp dst port 80 and host xyz" -nni eth0 -V

If we run the previous commands, the output of tcpdump is 3 pages and tshark's output is 30 pages! One area where tshark beats tcpdump is SSL decryption: tshark can decrypt SSL while tcpdump can't.

Tcpdump will, if not run with the -c flag, continue capturing packets until it is interrupted by a SIGINT signal (generated, for example, by typing your interrupt character, typically control-C) or a SIGTERM signal (typically generated with the kill(1) command); if run with the -c flag, it will capture packets until it is interrupted by a SIGINT or SIGTERM signal or the specified number of packets have been processed. When tcpdump finishes capturing packets, it will report counts of:

  • packets "captured" (this is the number of packets that tcpdump has received and processed)
  • packets "received by filter" (the meaning of this depends on the OS on which you're running tcpdump, and possibly on the way the OS was configured – if a filter was specified on the command line, on some OS's it counts packets regardless of whether they were matched by the filter expression and, even if they were matched by the filter expression,
  • packets "dropped by kernel" (this is the number of packets that were dropped, due to a lack of buffer space, by the packet capture mechanism in the OS)

The general format of a tcpdump protocol line is:
time-stamp src > dst: flags data-seqno ack window urgent options

  • Src and dst are the source and destination IP addresses and ports.
  • Flags are some combination of
    • S (SYN): This bit is used at the start of the TCP handshake to establish the connection.
    • A (ACK): Acknowledgement, used to indicate that data has been successfully received. Also used when establishing and tearing down TCP connections. In many cases, every packet in a TCP connection has this flag set after the initial SYN.
    • F (FIN): Used to gracefully tear connections down. Each side of the connection sends a FIN, followed by an ACK, then the connection is finished.
    • P (PUSH): Often set at the end of a block of data, signaling the receiver to process the block of data. This bit can be used to observe the block boundaries of the sending application.
    • R (RST): This bit is used to inform the receiver that the sender has shut this connection down. A reset is an abrupt way to do this, but may be legitimately seen at the end of some TCP connections. Watch for these when experiencing application disconnects.
    • W (ECN CWR) or E (ECN-Echo): Only used in TCP connections where Explicit Congestion Notification is used. Rarely seen in most TCP conversations.
    • or a single '.' (no flags)
  • Data-seqno describes the portion of sequence space covered by the data in this packet (see example below).
  • Ack is the sequence number of the next data expected in the other direction on this connection.
  • Window is the number of bytes of receive buffer space available in the other direction on this connection.
  • Urg indicates there is 'urgent' data in the packet.
  • Options are TCP options enclosed in angle brackets (e.g., <mss 1024>).

Src, dst and flags are always present. The other fields depend on the contents of the packet's TCP header and are output only if appropriate.
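To make the line layout above concrete, here is an added example (not code from the original article) that parses tcpdump TCP lines into the fields just described and counts flags, including the RST-per-sender view the text says to watch when applications disconnect. The sample lines are constructed, not a real capture; the regex also accepts the "IP" marker that current tcpdump prints after the timestamp.

```python
import re
from collections import Counter

# Constructed sample output in the "time-stamp src > dst: flags data-seqno ack window options"
# layout (not a real capture). Flags: S=SYN, P=PUSH, R=RST, '.'=none.
SAMPLE = """\
10:35:40.127 IP 192.168.1.2.3489 > 192.168.1.1.22: S 2836654296:2836654296(0) win 5840 <mss 1460,sackOK,nop,wscale 2>
10:35:40.128 IP 192.168.1.1.22 > 192.168.1.2.3489: S 1023021222:1023021222(0) ack 2836654297 win 5792 <mss 1460,sackOK,nop,wscale 2>
10:35:40.128 IP 192.168.1.2.3489 > 192.168.1.1.22: . ack 1 win 1460
10:35:40.201 IP 192.168.1.2.3489 > 192.168.1.1.22: P 1:25(24) ack 1 win 1460
10:35:41.002 IP 192.168.1.1.22 > 192.168.1.2.3489: R 1:1(0) win 0
10:35:41.003 IP 10.0.0.9.4040 > 192.168.1.1.22: R 0:0(0) win 0
"""

# One group per field of the protocol line; seq, ack, urg and options are optional.
LINE = re.compile(
    r"^(?P<ts>\S+) (?:IP )?(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SAFPRWE.]+)"
    r"(?: (?P<seq>\d+:\d+\(\d+\)))?(?: ack (?P<ack>\d+))?"
    r" win (?P<win>\d+)(?: urg (?P<urg>\d+))?(?: <(?P<opts>[^>]*)>)?"
)

def parse_line(line):
    """Return a dict of the line's fields, or None if it is not a TCP protocol line."""
    m = LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for end in ("src", "dst"):
        host, port = d[end].rsplit(".", 1)  # the last dotted component is the port
        d[end + "_host"], d[end + "_port"] = host, int(port)
    d["opts"] = d["opts"].split(",") if d["opts"] else []
    return d

def flag_counts(text):
    """Count packets per TCP flag and RST packets per sending host."""
    per_flag, rst_by_src = Counter(), Counter()
    for rec in filter(None, map(parse_line, text.splitlines())):
        per_flag.update(rec["flags"].replace(".", ""))  # '.' means no flags set
        if "R" in rec["flags"]:
            rst_by_src[rec["src_host"]] += 1
    return per_flag, rst_by_src
```

Feed it the output of a capture (for example the text written by tcpdump without -w) to see which peers are sending resets.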

tcpdump basic options
-i interface Listen on the given interface: lo, eth0, venet0 (virtual machine). On Linux, -i any listens on all interfaces, useful just to see if you're seeing any traffic.
-n Don't resolve hostnames.
-nn Don't resolve hostnames or port names.
-v, -vv, -vvv Increase the amount of packet information you get back.
-c x Only capture x packets and then stop, example: 'tcpdump -c 5'
-s Set the amount of data that is captured per packet, in bytes (the snaplen).
-q Show less protocol information.
-w / -r Write the raw packets to a file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if the file is "-".
dst Watch only traffic destined to a net, host or port.
src Watch only traffic whose source is a net, host or port.
host Specifies a host IP or domain name.
port / portrange Specifies a port or a port range, e.g. 22-80.
proto Protocol, i.e. tcp, udp, icmp.


Practical examples

  • Do not resolve hostnames; print absolute sequence numbers:
    tcpdump -nS
  • Do not resolve hostnames or port names, with verbosity:
    tcpdump -nnvvS
  • host (look for traffic based on IP address, or hostname if you are not using '-n'):
    tcpdump host
  • src, dst (find traffic from only a source or destination hostname or IP):
    tcpdump src
    tcpdump dst
  • net (capture an entire network / subnet using CIDR notation):
    tcpdump net
  • port (see only traffic to or from a certain port):
    tcpdump port 80
  • proto works for the tcp, udp and icmp protocols. Note that you don't have to type proto:
    tcpdump tcp
  • View TCP traffic from and destination port 1234:
    tcpdump tcp and src and dst port 1234
  • View the non-ICMP traffic destined for from the 172.16 network:
    tcpdump dst and src net and not icmp
  • View the traffic originating from the 192.168 network headed for the 10 or 172.16 networks:
    tcpdump src net and dst net or
  • View the traffic that's from and destination ports 1234 or 1235:
    tcpdump 'src and (dst port 1234 or 1235)'
  • View the traffic originating from host1 or host2 that isn't to the SSH port:
    tcpdump -vv src host1 or host2 and not dst port 22


Getting Creative

Expressions are nice, but the real magic of tcpdump comes from the ability to combine them in creative ways in order to isolate exactly what you're looking for. There are three ways to do combinations, and if you've studied computers at all they'll be pretty familiar to you:

  1. AND
    and or &&
  2. OR
    or or ||
  3. NOT
    not or !

  • TCP traffic from destined for port 4433:
    tcpdump -nnvvS tcp and src and dst port 4433
  • Traffic originating from the 192.168 network headed for the 10 or 172.16 network:
    tcpdump -nvX src net and dst net or
  • Non-ICMP traffic destined for from the 172.16 network:
    tcpdump -nvvXSs 1514 dst and src net and not icmp
  • Traffic originating from yyy.com or zzz.com that isn't to the SSH port:
    tcpdump -vv src yyy.com or zzz.com and not dst port 22
    (requires name resolution, so -n is not included)

When you're building complex queries you might have to group your options using single quotes. Single quotes are used in order to tell the shell to ignore certain special characters, in this case the "( )" brackets. This same technique can be used to group other expressions such as host, port, net, and so on.

Example :

  • Traffic that's from and destined for ports 4433 or 22:
    tcpdump src and ( dst port 4433 or 22 )
    If you tried to run this very useful command, you'd get an error because of the parentheses. You can fix this either by escaping the parentheses (putting a \ before each one), or by putting the entire expression within single quotes:
    tcpdump 'src and ( dst port 4433 or 22 )'
    tcpdump src and \( dst port 4433 or 22 \)

By default tcpdump captures only the first 96 bytes of each packet, enough for the TCP/IP headers. If you would like to look at more, add the -s number option to the mix, where number is the number of bytes you want to capture per packet. The number given can be up to 1514 (to get everything on Ethernet).
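The snaplen effect is visible in the pcap files that -w writes and -r reads. As an added example (not code from the original article), the following writer and reader use the pcap record layout (captured length and original length stored per packet) to show how a 96-byte snaplen truncates an HTTP response body while -s 1514 keeps it whole. The frames are constructed, with zeroed 54-byte Ethernet/IP/TCP headers in front of the payload.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # magic number of a classic pcap file (microsecond timestamps)
LINKTYPE_ETHERNET = 1

def write_pcap(packets, snaplen):
    """Serialize constructed frames the way 'tcpdump -w' would with '-s snaplen':
    each record stores min(len, snaplen) bytes but remembers the original length."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in packets:
        captured = frame[:snaplen]
        out += struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame))
        out += captured
    return out

def read_pcap(data):
    """Parse a little-endian pcap blob into (snaplen, [(incl_len, orig_len, bytes), ...])."""
    magic, _vmaj, _vmin, _tz, _sig, snaplen, _link = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    records, off = [], 24           # 24-byte global header precedes the records
    while off < len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        records.append((incl_len, orig_len, data[off:off + incl_len]))
        off += incl_len
    return snaplen, records

def truncated_packets(data):
    """Number of records whose payload was cut off by the capture snaplen."""
    _snaplen, records = read_pcap(data)
    return sum(1 for incl, orig, _ in records if incl < orig)

# Constructed frames (not a real capture): 14-byte Ethernet + 20 IP + 20 TCP headers
# followed by a payload. 96 bytes covers the request but not the 600-byte response.
_HEADERS = b"\x00" * 54
SAMPLE_FRAMES = [
    (1298100000, 100, _HEADERS + b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),  # 92 bytes
    (1298100000, 300, _HEADERS + b"HTTP/1.1 200 OK\r\n" + b"x" * 600),             # 671 bytes
]
```

Any record with incl_len below orig_len is a packet that a tool reading the file (Wireshark, ngrep) will only be able to dissect partially.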


