OpenSource For You

Getting Started with Tcpdump

This article is an introduction to a popular UNIX tool called tcpdump—a very capable command-line utility that allows you to capture network data.


Tcpdump is based on libpcap, an open source C/C++ library for network traffic capture. libpcap allows you to write portable code by providing a common high-level API for network packet capturing, because almost every operating system offers its own semantics on how to approach low-level network capture functionality.

Running tcpdump

You usually have to run tcpdump with root privileges—with the help of the sudo command—as network capturing is not allowed to everyone, for security reasons. If you try to capture network data using tcpdump without having root privileges, you will get the following error message: tcpdump: no suitable device found. If you use the sudo command, then you will have no problem. You can view the man page with the command man tcpdump.

The first thing to do is find out which network interfaces are available on your Linux system; run tcpdump with the -D option, as shown below:

$ sudo tcpdump -D
1.eth0
2.wlan0
3.nflog (Linux netfilter log (NFLOG) interface)
4.eth1
5.any (Pseudo-device that captures on all interfaces)
6.lo

On my Mac system running Mac OS X 10.8.2, the command produces the following output:

1.en0
2.fw0
3.en1
4.lo0

Tcpdump output format

The following is the output from a single packet that was captured using tcpdump:

20:21:18.347280 IP v-4-kp07-d2084-56.xyzHost.com.http > 192.168.1.10.54706: Flags [.], seq 50400:51840, ack 1, win 33, options [nop,nop,TS val 1109618191 ecr 1386382236], length 1440

Now, let's understand the different parts of the captured packet:
20:21:18.347280: This is the time the capture took place. As you can easily understand, this is unique to every packet captured by tcpdump.
IP: This indicates the use of the IP protocol.
v-4-kp07-d2084-56.xyzHost.com.http: These are the source address and the port used (HTTP) found in the network packet.
>: This symbol separates the source part from the destination part.
192.168.1.10.54706: This is the destination IP address and the port number (54706) used.
Flags [.]: The TCP flags; here the dot means that only ACK is set.
seq 50400:51840: This is the beginning TCP sequence number (50400) and the ending TCP sequence number. TCP uses sequence numbers to order the received data.
ack 1: This is the ACK that acknowledges receiving the data from the sender.
win 33: This is the amount of data that will be sent before requiring an ACK packet back from the server.
options [nop,nop,TS val 1109618191 ecr 1386382236]: These are several other options.
length 1440: This is the length of the network packet.
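As an added example (not from the original article), here is a small Python parser for the TCP summary line format explained above. The sample lines are constructed from the packets shown in this article, and the function names (parse_tcp_line, syn_sources) and the dictionary field names are this example's own choice. Parsing the text form is handy when you want a quick count over a capture without opening the pcap itself, for instance how many connections (pure SYN packets) each source opened. Because tcpdump resolves names and service names by default, the host and port fields may contain names rather than numbers unless the capture was taken with -nn.

```python
import re
from collections import Counter

# Constructed sample lines, in the summary format the article explains above.
SAMPLE_LINES = [
    "20:21:18.347280 IP v-4-kp07-d2084-56.xyzHost.com.http > 192.168.1.10.54706: "
    "Flags [.], seq 50400:51840, ack 1, win 33, options [nop,nop,TS val 1109618191 ecr 1386382236], length 1440",
    "21:01:58.750072 IP 192.168.1.10.56836 > pop.someHost.gr.pop3: "
    "Flags [S], seq 563784957, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 1430216395 ecr 0,sackOK,eol], length 0",
    "21:38:11.492271 IP 192.168.1.1.http > 192.168.1.10.57017: Flags [.], ack 385, win 6000, length 0",
]

# timestamp, protocol, source endpoint, ">" separator, destination endpoint, then the TCP details
HEADER_RE = re.compile(r"^(?P<ts>\S+) (?P<proto>IP6?) (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")


def split_endpoint(endpoint):
    """tcpdump appends the port (or service name) as the last dotted component:
    '192.168.1.10.54706' -> ('192.168.1.10', '54706'); 'host.example.com.http' -> ('host.example.com', 'http')."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def _int_field(pattern, text):
    m = re.search(pattern, text)
    return int(m.group(1)) if m else None


def parse_tcp_line(line):
    """Turn one tcpdump TCP summary line into a dict; returns None for lines in another format."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    src_host, src_port = split_endpoint(m["src"])
    dst_host, dst_port = split_endpoint(m["dst"])
    rest = m["rest"]
    flags = re.search(r"Flags \[([^\]]*)\]", rest)
    seq = re.search(r"\bseq (\d+)(?::(\d+))?", rest)       # "seq 50400:51840" or a lone "seq 563784957"
    opts = re.search(r"options \[([^\]]*)\]", rest)
    return {
        "ts": m["ts"], "proto": m["proto"],
        "src": src_host, "sport": src_port, "dst": dst_host, "dport": dst_port,
        "flags": flags.group(1) if flags else None,         # "." means ACK only, "S" a SYN, "F." FIN+ACK
        "seq_start": int(seq.group(1)) if seq else None,
        "seq_end": int(seq.group(2)) if seq and seq.group(2) else None,
        "ack": _int_field(r"\back (\d+)", rest),            # \b keeps "sackOK" in the options from matching
        "win": _int_field(r"\bwin (\d+)", rest),
        "options": opts.group(1).split(",") if opts else [],
        "length": _int_field(r"\blength (\d+)", rest),
    }


def syn_sources(lines):
    """Count pure SYN packets (Flags [S]) per source host: a quick view of who is opening connections."""
    counts = Counter()
    for line in lines:
        rec = parse_tcp_line(line)
        if rec and rec["flags"] == "S":
            counts[rec["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_tcp_line(line)
        print(f"{rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']} flags={rec['flags']} len={rec['length']}")
    print("SYNs per source:", syn_sources(SAMPLE_LINES))
```

The parser only handles the TCP summary form shown in this article; a DNS line such as the one in the next section (which has no Flags, seq or win fields) still matches the header and comes back with those fields set to None.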

Tcpdump basics

Tcpdump does not capture the entire network packet, by default. This is because, usually, the interest lies in the header parts of the packet, which are normally captured with the default packet length. Here are some of the most useful parameters of tcpdump:
The -v parameter produces slightly more output than the default; -vv produces even more verbose output; for truly verbose output, use -vvv.
By default, tcpdump shows the captured network data on screen. While this is useful sometimes, usually you save the captured data to process it later—using the -w parameter followed by the desired filename. To read a data file saved by tcpdump, use the -r option followed by the filename.
Tcpdump uses DNS name resolution by default. If you want to turn that off, use the -n parameter. Use -nn to turn off both DNS name resolution and port number resolution.
To capture a given number of packets, use the -c parameter.
The -tttt parameter produces a more readable timestamp output, as you can see in the following example:

2011-12-26 20:02:12.465078 IP google-public-dns-a.google.com.domain > 192.168.1.10.53028: 24315 1/0/0 PTR google-public-dns-a.google.com. (82)

The -A option prints the packet in ASCII format. To print output in both ASCII and hex format, use the -XX parameter.

Tcpdump scenarios

That's enough of the theory—now for some practical examples. The following example captures two packets of network traffic from TCP port 110 in ASCII format:

$ sudo tcpdump -c 2 -A port 110
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:01:58.750072 IP 192.168.1.10.56836 > pop.someHost.gr.pop3: Flags [S], seq 563784957, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 1430216395 ecr 0,sackOK,eol], length 0
E..@..@.@...... Q.h6...n!...........{.............. U?^.........
21:01:58.751523 IP 192.168.1.10.56837 > pop.someHost.gr.pop3: Flags [S], seq 3877282998, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 1430216396 ecr 0,sackOK,eol], length 0
E..@..@.@...... Q.h6...n............{.............. U?^.........
2 packets captured
498 packets received by filter
0 packets dropped by kernel

To capture two packets using both the ASCII and hex format, use sudo tcpdump -i eth0 -c 2 -XX. To capture 100 packets to a file named out (-w out) and then stop, use sudo tcpdump -c 100 -w out. To capture the network traffic of the entire 10.10.10.0/24 network, use sudo tcpdump net 10.10.10.0/24. To capture incoming traffic to <some_host> that is also going to port 80 (usually HTTP traffic, but you should not always trust the port number for characterising the traffic), use sudo tcpdump dst host <some_host> and port 80. You can get common port numbers and service names from /etc/services. To capture all packet types except ARP and ICMP network packets with the more readable timestamp format, use sudo tcpdump -tttt not arp and not icmp.

To capture traffic on the HTTP port from IP address 192.168.1.1 going to 192.168.1.10, or from 192.168.1.10 to 192.168.1.1 (sample output shown). The parentheses are escaped so that the shell passes them through to tcpdump; quoting the whole filter expression in single quotes works just as well:

$ sudo tcpdump \(src 192.168.1.1 and port 80 and dst 192.168.1.10\) or \(src 192.168.1.10 and port 80 and dst 192.168.1.1 and port 80\)
21:38:11.492218 IP 192.168.1.10.57018 > 192.168.1.1.http: Flags [F.], seq 383, ack 72468, win 65535, length 0
21:38:11.492271 IP 192.168.1.1.http > 192.168.1.10.57017: Flags [.], ack 385, win 6000, length 0

To capture traffic from the 192.168.1.0/24 network to the 10.10.10.0/24 network:

$ sudo tcpdump src net 192.168.1.0/24 and dst net 10.10.10.0/24

To check traffic of host 10.10.10.1 using UDP port 514 (usually the syslog server):

$ sudo tcpdump host 10.10.10.1 and 'udp port 514'
16:49:52.681405 IP 10.10.10.1.51787 > 10.10.10.2.syslog: SYSLOG local7.notice, length: 156

To capture packets below a certain size, use sudo tcpdump less 1024. To capture broadcast or multicast traffic, use sudo tcpdump 'broadcast or multicast'. To capture and show IPv6 traffic only, use sudo tcpdump ip6.

Tcpdump tips

When capturing network data using tcpdump, keep the following points in mind:
If a parameter you are trying to use is not working as expected, check the man page. Always check the tcpdump man page when using it on a new system.
When in doubt, capture everything! Remember—you can always filter later, but you cannot find a network packet that you did not capture.
You can analyse captured data using WireShark. The main advantage of tcpdump is that, as a command-line utility, you can use it over an SSH connection. WireShark, as a GUI application, has an overhead and can lose network data on a busy network—tcpdump needs fewer system resources than WireShark.
You can run tcpdump using the cron utility to capture data without being logged in at the machine.
To capture full Ethernet frames, you should run tcpdump with the -s 1514 parameter; 1514 is the maximum length of Ethernet network packets. Most of the time, you do not need the full packet.
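The -w/-r file handling described in the basics section and the -s 1514 tip above both come down to the snapshot length (snaplen) recorded in the pcap file. As an added example, not part of the original article, the following Python code builds a small pcap file image in memory the way tcpdump -w would (cutting each frame to the chosen snaplen), then reads it back and reports which records were truncated, using the incl_len and orig_len fields of each pcap record header. The two Ethernet frames, the timestamps and the small snaplen of 96 are constructed for the example; the file layout itself is the classic pcap format that tcpdump writes and reads.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap magic, microsecond timestamps
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same magic as read from a file written in the other byte order
LINKTYPE_ETHERNET = 1        # DLT_EN10MB, shown by tcpdump as "link-type EN10MB (Ethernet)"
ETHERNET_MAX_FRAME = 1514    # the -s value the article recommends for full frames
GLOBAL_HDR = "IHHiIII"       # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"          # ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)


def sample_frames():
    """Two constructed Ethernet frames: a minimum-size 60-byte frame and a full 1514-byte frame.
    14-byte header (dst MAC, src MAC, EtherType 0x0800 = IPv4) followed by filler payload."""
    header = bytes.fromhex("00112233445566778899aabb0800")
    return [header + b"\x00" * 46, header + b"\x00" * 1500]


def write_pcap(frames, snaplen):
    """Build a pcap file image in memory. Like tcpdump -w <file> -s <snaplen>, each frame is cut
    to snaplen bytes, while orig_len still records its full length on the wire."""
    out = bytearray(struct.pack("<" + GLOBAL_HDR, PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        saved = frame[:snaplen]
        # constructed timestamps, one second apart
        out += struct.pack("<" + RECORD_HDR, 1324929732 + i, 0, len(saved), len(frame))
        out += saved
    return bytes(out)


def read_pcap(data):
    """Parse a pcap file image. Returns the snaplen, link type and one dict per record,
    flagging records where incl_len < orig_len (the packet was truncated at capture time)."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"          # file written on a big-endian host
    else:
        raise ValueError("not a classic pcap file (pcapng and nanosecond variants are not handled here)")
    _, _, _, _, _, snaplen, linktype = struct.unpack_from(endian + GLOBAL_HDR, data, 0)
    offset = struct.calcsize("<" + GLOBAL_HDR)
    packets = []
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + RECORD_HDR, data, offset)
        offset += 16
        payload = data[offset:offset + incl_len]
        if len(payload) != incl_len:
            raise ValueError("pcap record runs past end of file (capture cut off mid-record)")
        offset += incl_len
        packets.append({
            "ts": ts_sec + ts_usec / 1_000_000,
            "incl_len": incl_len,
            "orig_len": orig_len,
            "truncated": incl_len < orig_len,
            "data": payload,
        })
    return {"snaplen": snaplen, "linktype": linktype, "packets": packets}


def truncated_count(data):
    """How many records in the file lost bytes to the snaplen. A non-zero value means payloads
    cannot be fully reassembled later, which is exactly the trade-off -s controls."""
    return sum(1 for p in read_pcap(data)["packets"] if p["truncated"])


if __name__ == "__main__":
    frames = sample_frames()
    for snaplen in (96, ETHERNET_MAX_FRAME):   # 96 is a constructed small snaplen
        image = write_pcap(frames, snaplen)
        cap = read_pcap(image)
        print(f"snaplen {snaplen}: {len(cap['packets'])} packets, {truncated_count(image)} truncated")
        for p in cap["packets"]:
            note = "  (truncated)" if p["truncated"] else ""
            print(f"  saved {p['incl_len']:>4} of {p['orig_len']:>4} bytes{note}")
```

Run against a real file written with tcpdump -w, read_pcap shows the snaplen the capture was taken with and how many packets it clipped, which is worth checking before spending time on payload analysis of an old capture.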
