Tcpdump at different levels
The Tcpdump utility is familiar to any network administrator; with its help we collect traffic for subsequent analysis. A typical story – we collect traffic coming to the desired interface and then analyze it with Wireshark. The approach is practical, because Wireshark is indeed a very powerful and useful tool and we will write more than one article about it, but today we will talk about Tcpdump. It is no secret that the Tcpdump utility does not interpret application layer protocols, limiting itself to working with the transport layer. However, in this article we will look at various options for using the Tcpdump utility for deeper traffic filtering.
So, Tcpdump is a UNIX utility that allows you to intercept and analyze network traffic passing or coming through the computer on which this program is running.
First, let's find out what interfaces we can work with using the command:
tcpdump --list-interfaces
If we want to collect all traffic from the interface the old fashioned way and save it to a file, then we can do the following:
sudo tcpdump –i eth0 –w dump1.pcap
But without filters, we risk getting a huge file that doesn't contain many useful packages. Therefore, it is better to filter out the necessary packages. We can filter by various criteria.
Setting up the buffer
Before you start capturing packets, I suggest setting up the buffer that Tcpdump uses to capture packets. If too many packets arrive at the network interface, exceeding the buffer size, the OS kernel will discard “extra” packets in order to make room for new ones.
To adjust the buffer size, use the -B switch. The size is measured in kilobytes.
When is ARP needed?
ARP is used to determine the MAC address of another computer from a known IP address. When using Tcpdump to capture ARP packets, you must use the -X switches to output the packet contents in hexadecimal, and the -e switch to decode Ethrenet headers. You can also use the -XX switch to view headers.
$ sudo tcpdump -nnvvv -e -X arp
Filter by IP
Let's look at the most common filters. First of all, we can filter the packets by the nodes we need.
The host filter will show which packages the specified host appears in:
sudo tcpdump –i eth0 host 192.168.222.161
It does not matter whether this node is the sender or the recipient.
If we want to find out where this node appears as a source, then we need to use the src filter
sudo tcpdump –i eth0 src 192.168.222.161
If we are interested in the receiver, then the dst filter:
sudo tcpdump –i eth0 dst 192.168.222.161
Thus, the important difference between host and src and dst is that this filter shows where the node appeared, while the remaining two filters show where the node was present as a source and destination, respectively.
Also, Tcpdump contains several logical operators AND, OR, NOT. With these operators everything is quite simple. In the example below, we are looking for packets where the source is a host in the 192.168.0.0/16 subnet and the destination is in the 10.0.0.0/8 or 172.16.0.0/16 subnets.
sudo tcpdump –i eth0 –n src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16
Ports and protocols
In the simplest case, to filter by a specific port, we need a port filter
sudo tcpdump –i eth0 port 443
In a more complex case, we may need a range of ports, and then the portrange filter will help us
sudo tcpdump –i eth0 portrange 21-23
Next, let's look at transport layer protocols and start with UDP. Everything is quite simple here
sudo tcpdump –i eth0 udp
Same with ICMP
sudo tcpdump –i eth0 icmp
But with TCP everything is much more interesting. Of course, in the simplest case we can simply sample using this protocol:
sudo tcpdump –i eth0 tcp
But in reality, various interesting things can happen with the TCP protocol.
TCP packets use the following format:
Very often there is a need to search for packages with different flags. The inclusion of a particular flag is determined by the corresponding bit.
Let us recall how TCP implements a three-way handshake that precedes data exchange.
So, to search for packets with the SYN flag, we need to specify the value of field 13 in the TCP packet equal to 0x002, that is, SYN.
sudo tcpdump –i eth0 tcp[13]==2
An alternative, and perhaps more convenient option for filtering by flags is to use the 'tcp' construct[tcpflags] & (tcp-flag_name) != 0'. For example, for the SYN flag:
'tcp[tcpflags] & (tcp-syn) != 0'
Similarly with other flags: ACK, URG, PSH, RST, FIN. In order to identify which nodes most often send packets with the SYN flag, but do not respond with ACK, you can use the following script:
while :; do
date;
sudo tcpdump -i eth0 -n -c 100 \
'tcp[tcpflags] & (tcp-syn) != 0' and \
'tcp[tcpflags] & (tcp-ack) == 0' \
| awk '{ print $3}' \
| sort | uniq -c | sort | tail -5;
echo;
sleep 1
doneKeep-Alive Capture
Keep Alive packets are used to maintain the connection, but do not carry any data. Having a large number of Keep Alives may be a sign of network problems.
Such packets contain an ACK flag but do not contain a payload. You can filter such packets using the following query:
$ sudo tcpdump -vv "tcp[tcpflags] == tcp-ack and less 1"
Application layer
As stated earlier, Tcpdump does not work with application layer packets. But this does not mean that we cannot try to identify application protocols, for example, by the initial bytes in packets.
As an example, let's look at searching for TLS/SSL packets. If a non-standard port is used, filtering by port will not help us. We need signs of TLS packets, and here we need the following filter:
tcpdump -ni eth0 "(tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)"
Yes, we won’t see the contents of the packets, but at least we will be able to identify encrypted traffic.
Let's consider another example – searching for SSH packages. Here we are targeting the “SSH-” character set in the packet payload. The request contains ASCII character codes.
tcpdump 'tcp[(tcp[12] >>2):4] = 0x5353482D'
Finally, let's intercept the GET request. Here, too, everything is quite simple – we look for the line “GET”.
sudo tcpdump 'tcp[(tcp[12] >>2):4] = 0x47455420'
Conclusion
In this article, we looked at using the Tcpdump utility to filter traffic with various filters to make packet sampling more intelligent.
In conclusion, I invite everyone to free webinar about creating network laboratory environments using IaC principles using the example of containerlab and netlab.
