This is what I learn from geek00l today. Tcpdump is a really great tool for network security analyst, you can dump packets that flows within your networks into file for further analysis. With some filters you can capture only the interested packets, which it reduce the size of saved dump and further reduce loading and processing time of packets analysis.
This post will only covers the fundamental of tcpdump usage, bare in mind tcpdump can do much much more than what I illustrate here.
Lets start with capturing packets based on network interface, ports and protocols. Let assume I wanna capture tcp packets that flow over eth1, port 6881. The dump file with be save as test.pcap.
tcpdump -w test.pcap -i eth1 tcp port 6881
Simple right? What if at the same time I am interested on getting packets on udp port 33210 and 33220?
tcpdump -w test.pcap -i eth1 tcp port 6881 or udp \( 33210 or 33220 \)
‘\’ is an escape symbol for ‘(‘ and ‘)’. Logic OR implies PLUS (+). In plain text is I want to capture tcp packets flows over port 6881 plus udp ports 33210 and 33220.
Careful with ‘and’ in tcpdump filter expression, it means intersection. Thats why I put ‘or’ instead of and within udp port 33210 and 33220. The usage of ‘and’ in tcpdump will be illustrate later.
Ok, how about reading pcap that I saved previously?
tcpdump -nnr test.pcap
The -nn is to tell tcpdump not to resolve DNS on IP and Ports, where r is read.
Adding -tttt to makes the timestamp appears more readable format.
tcpdump -ttttnnr test.pcap
How about capture based on IP ?
You need to tell tcpdump which IP you are interested in? Destination IP? or Source IP ? Let say I wanna sniff on destination IP 10.168.28.22 tcp port 22, how should i write?
tcpdump -w test.pcap dst 10.168.28.22 and tcp port 22
So the ‘and’ makes the intersection of destination IP and port.
By default the sniff size of packets is 96 bytes, you somehow can overload that size by specified with -s.
tcpdump -w test.pcap -s 1550 dst 10.168.28.22 and tcp port 22
Some version of tcpdump allows you to define port range. You can as bellow for capturing packets based on a range of tcp port.
tcpdump tcp portrange 20-24
Bare in mind, the line above I didn’t specified -w which it won’t write to a file but i will just print the captured packets on the screen.
Wanna try out tcpdump but donno what’s the port to try on?
You can obtain a lots of packets flows while you hook up to the Internet. Search a port through lsof to practise your tcpdump and have fun. Read Monitor who runs what, listen to what ports, established what connections for lsof examples.
[tags] sniffer, pcap, network analysis, network security [/tags]