Tcpdump is a command line utility that allows you to capture and analyze network traffic going through your system. It is often used to help troubleshoot network issues, and also as a security tool.
It is a powerful and versatile tool with many options and filters, so tcpdump can be used in a variety of cases. Since it is a command line tool, it is ideal for running on remote servers or devices where a GUI is not available, to collect data that can be analyzed later. It can also be launched in the background or as a scheduled job using tools like cron.
To list the available interfaces, use tcpdump -D as below:
brian11hwang@jooyoung tcpdump -D
1.teredo [Up, Running]
2.enp3s0f0 [Up, Running]
3.eno1 [Up, Running]
4.enp3s0f1 [Up, Running]
5.lo [Up, Running, Loopback]
6.any (Pseudo-device that captures on all interfaces) [Up, Running]
7.virbr0 [Up]
8.docker0 [Up]
9.bluetooth-monitor (Bluetooth Linux Monitor) [none]
10.nflog (Linux netfilter log (NFLOG) interface) [none]
11.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
12.virbr0-nic [none]
To start capturing packets, use tcpdump -i interface as below:
brian11hwang@jooyoung sudo tcpdump -i any
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
06:51:57.420140 IP jooyoung.ssh > 115.145.179.194.9978: Flags [P.], seq 2932275059:2932275255, ack 3391927040, win 501, options [nop,nop,TS val 1213939957 ecr 4124178965], length 196
06:51:57.420399 IP localhost.52622 > localhost.domain: 55807+ [1au] PTR? 194.179.145.115.in-addr.arpa. (57)
06:51:57.420540 IP jooyoung.36114 > one.one.one.one.domain: 30496+ [1au] PTR? 194.179.145.115.in-addr.arpa. (57)
06:51:57.421258 ARP, Request who-has 115.145.175.157 tell gate175.skku.ac.kr, length 46
06:51:57.422269 IP 115.145.179.194.9978 > jooyoung.ssh: Flags [.], ack 196, win 24571, options [nop,nop,TS val 4124178987 ecr 1213939957], length 0
06:51:57.423966 IP one.one.one.one.domain > jooyoung.36114: 30496 NXDomain 0/1/1 (120)
06:51:57.424034 IP jooyoung.36114 > one.one.one.one.domain: 30496+ PTR? 194.179.145.115.in-addr.arpa. (46)
06:51:57.432389 IP localhost.58593 > localhost.domain: 46143+ [1au] PTR? 53.0.0.127.in-addr.arpa. (52)
06:51:57.441436 IP jooyoung.ssh > 115.145.179.194.9978: Flags [P.], seq 712:1284, ack 1, win 501, options [nop,nop,TS val 1213939978 ecr 4124178998], length 572
~~
06:51:57.506879 IP jooyoung.ssh > 115.145.179.194.9978: Flags [P.], seq 99044:99248, ack 37, win 501, options [nop,nop,TS val 1213940043 ecr 4124179062], length 204
06:51:57.506934 IP jooyoung.ssh > 115.145.179.194.9978: Flags [P.], seq 99248:99452, ack 37, win 501, options [nop,nop,TS val 1213940044 ecr 4124179062], length 204
06:51:57.506988 IP jooyoung.ssh > 115.145.179.194.9978: Flags [P.], seq 99452:99656, ack 37, win 501, options [nop,nop,TS val 1213940044 ecr 4124179062], length 204
06:51:57.507043 IP jooyoung.ssh > 115.145.179.194.9978: Flags [P.], seq 99656:99860, ack 37, win 501, options [nop,nop,TS val 1213940044 ecr 4124179062], length 204
06:51:57.507097 IP jooyoung.ssh > 115.145.179.194.9978: Flags [P.], seq 99860:100064, ack 37, win 501, options [nop,nop,TS val 1213940044 ecr 4124179062], length 204
06:51:57.507151 IP jooyoung.ssh > 115.145.179.194.9978: Flags [P.], seq 100064:100268, ack 37, win 501, options [nop,nop,TS val 1213940044 ecr 4124179062], length 204
06:51:57.507203 IP jooyoung.ssh > 115.145.179.194.9978: Flags [P.], seq 100268:100472, ack 37, win 501, options [nop,nop,TS val 1213940044 ecr 4124179062], length 204
06:51:57.507256 IP 115.145.178.204.mdns > 224.0.0.251.mdns: 0*- [0q] 2/0/3 PTR HP LaserJet MFP M426fdw (3F8E62)._ipp._tcp.local., PTR HP LaserJet MFP M426fdw (3F8E62)._ipps._tcp.local. (858)
506 packets captured
636 packets received by filter
116 packets dropped by kernel
(To limit the number of packets captured, use the -c option, e.g. tcpdump -i any -c5.)
To filter packets by protocol, name the protocol after the interface, e.g. tcpdump -i any icmp, as below:
brian11hwang@jooyoung sudo tcpdump -i any -c5 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
09:52:54.414232 IP 115.145.179.174 > jooyoung: ICMP echo request, id 87, seq 2, length 64
09:52:54.414288 IP jooyoung > 115.145.179.174: ICMP echo reply, id 87, seq 2, length 64
09:52:55.438233 IP 115.145.179.174 > jooyoung: ICMP echo request, id 87, seq 3, length 64
09:52:55.438279 IP jooyoung > 115.145.179.174: ICMP echo reply, id 87, seq 3, length 64
09:52:56.462227 IP 115.145.179.174 > jooyoung: ICMP echo request, id 87, seq 4, length 64
We can also filter packets by:
Port: tcpdump -i any -c5 -nn port 80
Source/destination IP or hostname: tcpdump -i any -c5 -nn src 115.145.179.191
Combining filters with and/or: tcpdump -i any -c5 -nn src 115.145.179.191 and port 80
We can inspect the packet content with -X (hex) or -A (ASCII).
We can also save the captured packets to a .pcap file with the -w option.
Example of one captured line and its fields:
06:51:57.506988 IP jooyoung.ssh > 115.145.179.194.9978: Flags [P.], seq 99452:99656, ack 37, win 501, options [nop,nop,TS val 1213940044 ecr 4124179062], length 204
06:51:57.506988 = Timestamp (local time)
IP = IPv4 or IPv6 (IPv6 is shown as IP6)
jooyoung.ssh > 115.145.179.194.9978 = Source > Destination
Flags [P.] = TCP flags
seq 99452:99656 = Sequence number (bytes 99452 ~ 99656 of the flow)
ack 37 = Acknowledgement number (sending side = 1, receiving side = next expected byte of data in the flow)
win 501 = Window size, number of bytes available in the receiving buffer
options [nop,nop,TS val 1213940044 ecr 4124179062] = TCP options
length 204 = Packet length
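The field breakdown above can be turned into a small parser, which is handy when a capture is collected on a remote host as text and reviewed later. This is an added example, not part of the original page: it parses the tcpdump TCP summary format shown above, skips non-TCP lines, and sums the payload length per src > dst pair; the function names and the sample line list are my own, and the sample lines are copied from the capture earlier on this page.

```python
import re

# One tcpdump TCP summary line, in the field order of the breakdown above.
# "seq" is "first:last" (or a single number); "ack" and "options" may be absent.
TCP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<proto>IP6?) "
    r"(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+(?::\d+)?))?"
    r"(?:, ack (?P<ack>\d+))?"
    r", win (?P<win>\d+)"
    r"(?:, options \[(?P<opts>[^\]]*)\])?"
    r", length (?P<length>\d+)$"
)

def parse_tcp_line(line):
    """Return a dict of the fields, or None for non-TCP lines (ARP, DNS, ICMP, ...)."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    seq = m.group("seq")
    if seq is None:
        seq_start = seq_end = None
    else:
        parts = [int(x) for x in seq.split(":")]
        seq_start, seq_end = parts[0], parts[-1]
    opts = m.group("opts")
    return {
        "ts": m.group("ts"), "proto": m.group("proto"),
        "src": m.group("src"), "dst": m.group("dst"), "flags": m.group("flags"),
        "seq_start": seq_start, "seq_end": seq_end,
        "ack": int(m.group("ack")) if m.group("ack") else None,
        "win": int(m.group("win")),
        "options": opts.split(",") if opts else [],
        "length": int(m.group("length")),
    }

def bytes_per_flow(lines):
    """Sum the payload 'length' field per src > dst pair, skipping non-TCP lines."""
    totals = {}
    for line in lines:
        p = parse_tcp_line(line)
        if p:
            key = f"{p['src']} > {p['dst']}"
            totals[key] = totals.get(key, 0) + p["length"]
    return totals

# Sample lines copied from the capture earlier on this page (the ARP line is not TCP).
SAMPLE = [
    "06:51:57.506988 IP jooyoung.ssh > 115.145.179.194.9978: Flags [P.], seq 99452:99656, ack 37, win 501, options [nop,nop,TS val 1213940044 ecr 4124179062], length 204",
    "06:51:57.507043 IP jooyoung.ssh > 115.145.179.194.9978: Flags [P.], seq 99656:99860, ack 37, win 501, options [nop,nop,TS val 1213940044 ecr 4124179062], length 204",
    "06:51:57.422269 IP 115.145.179.194.9978 > jooyoung.ssh: Flags [.], ack 196, win 24571, options [nop,nop,TS val 4124178987 ecr 1213939957], length 0",
    "06:51:57.421258 ARP, Request who-has 115.145.175.157 tell gate175.skku.ac.kr, length 46",
]
```

Note that for a data segment the seq range end minus start equals the length field, which is a quick sanity check that a line was parsed correctly.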
Source: https://opensource.com/article/18/10/introduction-tcpdump