Using tcpdump to analyze and intercept network traffic

5 min


The tcpdump utility is an excellent command-line tool that is capable of intercepting and analyzing network traffic. Can be of great help in solving network problems. Packages can be saved to a file and analyzed later. It is recommended that you run this utility from time to time to monitor your network.

Content:

  • Tcpdump output
  • Installing tcpdump
  • Tcpdump options
  • Tcpdump filters:
    • Expression filter
    • Port filter
    • Host filter
    • Combining filters
  • Saving headers to a file
  • View package details
  • Conclusion

Tcpdump output

The tcpdump utility allows you to check the TCP / IP packet headers and print one line for each packet. She will do this until she press Ctrl + C.

Let’s take a look at one line from the sample output:

20:58:26.765637 IP 10.0.0.50.80 > 10.0.0.1.53181: Flags [F.], seq 1, ack 2, win 453, options [nop,nop,TS val 3822939 ecr 249100129], length 0

Each line includes:

  • Unix timestamp (20: 58: 26.765637)
  • protocol (IP)
  • source host name or IP address and port number (10.0.0.50.80)
  • hostname or destination IP address and port number (10.0.0.1.53181)
  • TCP flags (Flags [F.]). Indicate the state of a connection and may contain more than one value:
    • o S – SYN. The first step in establishing a connection
    • F – FIN. Terminating the connection
    • – ACK. Confirmation packet received successfully
    • P – PUSH. Instructs the receiver to process packets instead of buffering them
    • R – RST. Connection lost
  • Sequence number of data in the packet. (seq 1)
  • Confirmation number. (ack 2)
  • Window size (win 453)… The number of bytes available in the receive buffer. Next are TCP options
  • Data payload length. (length 0)

Installing tcpdump

On distributions based on Debian tcpdump can be installed using the APT command:

# apt install tcpdump -y

On distributions based on RPM tcpdump can be installed using YUM:

# yum install tcpdump -y

IN RHEL 8 using DNF:

# dnf install tcpdump -y

Tcpdump options

You need to run tcpdump as root. Tcpdump includes many options and filters. Running tcpdump without any parameters will intercept all packets passing through the default interface.

List the network interfaces available to the system on which tcpdump can capture packets:

# tcpdump -D

or

# tcpdump --list-interfaces

1.eth0
2.nflog (Linux netfilter log (NFLOG) interface)
3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
4.eth1
5.any (Pseudo-device that captures on all interfaces)
6.lo [Loopback]

Very useful for systems that do not have a command to list the interfaces.

To capture packets passing through a specific interface, use -i with the interface name. If you do not specify a name, then tcpdump will pick up the first network interface it finds.

# tcpdump -i eth1

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
01:06:09.278817 IP vagrant-ubuntu-trusty-64 > 10.0.0.51: ICMP echo request, id 4761, seq 1, length 64
01:06:09.279374 IP 10.0.0.51 > vagrant-ubuntu-trusty-64: ICMP echo reply, id 4761, seq 1, length 64
01:06:10.281142 IP vagrant-ubuntu-trusty-64 > 10.0.0.51: ICMP echo request, id 4761, seq 2, length 64

  • -v increases the amount of information displayed about packages
  • -vv gives even more details

By default, tcpdump translates IP addresses to hostnames and also uses service names instead of port numbers.

  • -n If DNS is down or you don’t want tcpdump to do a name lookup.

# tcpdump –n

listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
04:19:07.675216 IP 10.0.2.15.22 > 10.0.2.2.50422: Flags [P.], seq 2186733178:2186733278, ack 204106815, win 37232, length 100
04:19:07.675497 IP 10.0.2.2.50422 > 10.0.2.15.22: Flags [.], ack 100, win 65535, length 0
04:19:07.675747 IP 10.0.2.15.22 > 10.0.2.2.50422: Flags [P.], seq 100:136, ack 1, win 37232, length 36
04:19:07.675902 IP 10.0.2.2.50422 > 10.0.2.15.22: Flags [.], ack 136, win 65535, length 0
04:19:07.676142 IP 10.0.2.15.22 > 10.0.2.2.50422: Flags [P.], seq 136:236, ack 1, win 37232, length 100

  • -c only captures a bunch of lines, for example 5:

#tcpdump -c 5

04:19:07.675216 IP 10.0.2.15.22 > 10.0.2.2.50422: Flags [P.], seq 2186733178:2186733278, ack 204106815, win 37232, length 100
04:19:07.675497 IP 10.0.2.2.50422 > 10.0.2.15.22: Flags [.], ack 100, win 65535, length 0
04:19:07.675747 IP 10.0.2.15.22 > 10.0.2.2.50422: Flags [P.], seq 100:136, ack 1, win 37232, length 36
04:19:07.675902 IP 10.0.2.2.50422 > 10.0.2.15.22: Flags [.], ack 136, win 65535, length 0
04:19:07.676142 IP 10.0.2.15.22 > 10.0.2.2.50422: Flags [P.], seq 136:236, ack 1, win 37232, length 100
5 packets captured

  • -tttt for more convenient timestamps (defaults to Unix timestamps)

# tcpdump –tttt

2020-07-06 04:30:12.203638 IP 10.0.2.15.22 > 10.0.2.2.50422: Flags [P.], seq 2186734102:2186734138, ack 204107103, win 37232, length 36
2020-07-06 04:30:12.203910 IP 10.0.2.2.50422 > 10.0.2.15.22: Flags [.], ack 36, win 65535, length 0
2020-07-06 04:30:12.204292 IP 10.0.2.15.22 > 10.0.2.2.50422: Flags [P.], seq 36:72, ack 1, win 37232, length 36
2020-07-06 04:30:12.204524 IP 10.0.2.2.50422 > 10.0.2.15.22: Flags [.], ack 72, win 65535, length 0
2020-07-06 04:30:12.204658 IP 10.0.2.15.22 > 10.0.2.2.50422: Flags [P.], seq 72:108, ack 1, win 37232, length 36

Tcpdump filters

Expression filter

The expression filter selects which packet headers are displayed. If no filters are applied, all packet headers are displayed.

The most common filters are:

  • port
  • host
  • src
  • dst
  • tcp
  • udp
  • icmp

Port filter

Port filter is used to view packets arriving on a specific port:

# tcpdump -i eth1 -c 5 port 80

23:54:24.978612 IP 10.0.0.1.53971 > 10.0.0.50.80: Flags [SEW], seq 53967733, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 256360128 ecr 0,sackOK,eol], length 0
23:54:24.978650 IP 10.0.0.50.80 > 10.0.0.1.53971: Flags [S.E], seq 996967790, ack 53967734, win 28960, options [mss 1460,sackOK,TS val 5625522 ecr 256360128,nop,wscale 6], length 0
23:54:24.978699 IP 10.0.0.1.53972 > 10.0.0.50.80: Flags [SEW], seq 226341105, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 256360128 ecr 0,sackOK,eol], length 0
23:54:24.978711 IP 10.0.0.50.80 > 10.0.0.1.53972: Flags [S.E], seq 1363851389, ack 226341106, win 28960, options [mss 1460,sackOK,TS val 5625522 ecr 256360128,nop,wscale 6], length 0 

Host filter

For capturing packets coming in or out of a specific host. For example, the IP address is 10.0.2.15:

# tcpdump host 10.0.2.15

03:48:06.087509 IP 10.0.2.15.22 > 10.0.2.2.50225: Flags [P.], seq 3862934963:3862934999, ack 65355639, win 37232, length 36
03:48:06.087806 IP 10.0.2.2.50225 > 10.0.2.15.22: Flags [.], ack 36, win 65535, length 0
03:48:06.088087 IP 10.0.2.15.22 > 10.0.2.2.50225: Flags [P.], seq 36:72, ack 1, win 37232, length 36
03:48:06.088274 IP 10.0.2.2.50225 > 10.0.2.15.22: Flags [.], ack 72, win 65535, length 0
03:48:06.088440 IP 10.0.2.15.22 > 10.0.2.2.50225: Flags [P.], seq 72:108, ack 1, win 37232, length 36

For capturing packets of certain types of protocols. For example, icmp, on eth1:

# tcpdump -i eth1 icmp

04:03:47.408545 IP vagrant-ubuntu-trusty-64 > 10.0.0.51: ICMP echo request, id 2812, seq 75, length 64
04:03:47.408999 IP 10.0.0.51 > vagrant-ubuntu-trusty-64: ICMP echo reply, id 2812, seq 75, length 64
04:03:48.408697 IP vagrant-ubuntu-trusty-64 > 10.0.0.51: ICMP echo request, id 2812, seq 76, length 64
04:03:48.409208 IP 10.0.0.51 > vagrant-ubuntu-trusty-64: ICMP echo reply, id 2812, seq 76, length 64
04:03:49.411287 IP vagrant-ubuntu-trusty-64 > 10.0.0.51: ICMP echo request, id 2812, seq 77, length 64

Combining filters

Filters can be combined using operators:

  • AND
  • OR
  • NOT

This will allow you to write commands that can more accurately isolate packages. For example, packets from a specific IP address and for a specific port:

# tcpdump -n -i eth1 src 10.0.0.1 and dst port 80

00:18:17.155066 IP 10.0.0.1.54222 > 10.0.0.50.80: Flags [F.], seq 500773341, ack 2116767648, win 4117, options [nop,nop,TS val 257786173 ecr 5979014], length 0
00:18:17.155104 IP 10.0.0.1.54225 > 10.0.0.50.80: Flags [S], seq 904045691, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 257786173 ecr 0,sackOK,eol], length 0
00:18:17.157337 IP 10.0.0.1.54221 > 10.0.0.50.80: Flags [P.], seq 4282813257:4282813756, ack 1348066220, win 4111, options [nop,nop,TS val 257786174 ecr 5979015], length 499: HTTP: GET / HTTP/1.1
00:18:17.157366 IP 10.0.0.1.54225 > 10.0.0.50.80: Flags [.], ack 1306947508, win 4117, options [nop,nop,TS val 257786174 ecr 5983566], length 0

If you need to intercept all packets except ICMP, use the operator NOT:

# tcpdump -i eth1 not icmp

Saving headers to a file

Tcpdump output can move around the screen rather quickly. In such cases, you can save the package headers in a file with the option -w… The output is saved to files with the extension .pcap

The following command saves 10 lines of eth1 output to icmp.pcap.

# tcpdump -i eth1 -c 10 -w icmp.pcap

tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
10 packets captured
10 packets received by filter
0 packets dropped by kernel

You can read this file using the option -r

# tcpdump -i eth1 -c 10 -w icmp.pcap

reading from file icmp.pcap, link-type EN10MB (Ethernet)
05:33:20.852732 IP vagrant-ubuntu-trusty-64 > 10.0.0.51: ICMP echo request, id 3261, seq 33, length 64
05:33:20.853245 IP 10.0.0.51 > vagrant-ubuntu-trusty-64: ICMP echo reply, id 3261, seq 33, length 64
05:33:21.852586 IP vagrant-ubuntu-trusty-64 > 10.0.0.51: ICMP echo request, id 3261, seq 34, length 64
05:33:21.853104 IP 10.0.0.51 > vagrant-ubuntu-trusty-64: ICMP echo reply, id 3261, seq 34, length 64
05:33:22.852615 IP vagrant-ubuntu-trusty-64 > 10.0.0.51: ICMP echo request, id 3261, seq 35, length 64

View package details

So far we have only seen the headers of the packages, but to view the content, you need to use the parameter -A… The content will be output in ASCII format.

With option -X it is possible to display the output in hexadecimal format, however, this does not help much in cases where the connection is encrypted.

# tcpdump -c10 -i eth1 -n -A port 80

23:35:53.109306 IP 10.0.0.1.53916 > 10.0.0.50.80: Flags [P.], seq 2366590408:2366590907, ack 175457677, win 4111, options [nop,nop,TS val 255253117 ecr 5344866], length 499: HTTP: GET / HTTP/1.1
E..'..@.@.%.
...
..2...P..M.
uE............
.6.}.Q.bGET / HTTP/1.1
Host: 10.0.0.50
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
If-Modified-Since: Tue, 04 Mar 2014 11:46:45 GMT

Conclusion

The tcpdump utility is easy to set up and learn. You just need to understand a little with:

  • conclusion
  • filters
  • options

Then tcpdump will become an excellent helper in securing your network.

image


0 Comments

Leave a Reply