simple usage of tcpdump

May 23rd, 2007 mysurface Posted in Network, tcpdump | Hits: 568106 | 28 Comments »

This is what I learned from geek00l today. Tcpdump is a really great tool for network security analysts: you can dump the packets that flow within your network to a file for further analysis. With some filters you can capture only the packets you are interested in, which reduces the size of the saved dump and further reduces the loading and processing time of packet analysis.

This post will only cover the fundamentals of tcpdump usage; bear in mind tcpdump can do much, much more than what I illustrate here.

Let's start with capturing packets based on network interface, ports and protocols. Let's assume I want to capture TCP packets that flow over eth1, port 6881. The dump file will be saved as test.pcap.

tcpdump -w test.pcap -i eth1 tcp port 6881

Simple, right? What if at the same time I am interested in getting packets on UDP ports 33210 and 33220?

tcpdump -w test.pcap -i eth1 tcp port 6881 or udp port \( 33210 or 33220 \)


‘\’ is an escape symbol for ‘(‘ and ‘)’, so that the shell passes the parentheses through to tcpdump instead of interpreting them. Logical OR implies PLUS (+). In plain text: I want to capture TCP packets flowing over port 6881 plus UDP ports 33210 and 33220.

Be careful with ‘and’ in tcpdump filter expressions: it means intersection. That's why I put ‘or’ instead of ‘and’ between UDP ports 33210 and 33220. The usage of ‘and’ in tcpdump will be illustrated later.

OK, how about reading a pcap that I saved previously?

tcpdump -nnr test.pcap

The -nn tells tcpdump not to resolve names for IP addresses and ports, and -r is read.

Adding -tttt makes the timestamp appear in a more readable format.

tcpdump -ttttnnr test.pcap

How about capturing based on IP?
You need to tell tcpdump which IP you are interested in: destination IP or source IP? Let's say I want to sniff on destination IP 10.168.28.22, TCP port 22. How should I write it?

tcpdump -w test.pcap dst 10.168.28.22 and tcp port 22

So the ‘and’ makes the intersection of destination IP and port.

By default the snapshot length (the number of bytes of each packet that tcpdump keeps) is 96 bytes; you can override that size by specifying it with -s.

tcpdump -w test.pcap -s 1550 dst 10.168.28.22 and tcp port 22
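As an added example (not code from the original post), here is a small Python reader for the pcap file that -w writes, together with a Python equivalent of the filter dst 10.168.28.22 and tcp port 22: every clause must hold (‘and’ is the intersection), ‘port’ matches either end of the connection, and a packet whose headers were cut off by a small -s value is counted separately instead of being silently dropped. The packet bytes and every address other than 10.168.28.22 are constructed for the example.

```python
import socket
import struct

def build_frame(src, dst, proto, sport, dport, payload=b""):
    """Ethernet/IPv4/(TCP|UDP) frame with zero checksums (constructed test input)."""
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0) if proto == 6
          else struct.pack("!HHHH", sport, dport, 8 + len(payload), 0))  # TCP SYN or UDP header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 1, 0,
                     64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + l4 + payload

def build_pcap(frames, snaplen=96):
    """In-memory little-endian pcap file; every frame is cut at snaplen, as tcpdump -s does."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for ts, frame in frames:
        cap = frame[:snaplen]
        out += struct.pack("<IIII", ts, 0, len(cap), len(frame)) + cap  # caplen, original len
    return out

def read_pcap(data):
    """Yield (ts_sec, caplen, origlen, frame) records; the 4-byte magic gives the byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    e = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]
    off = 24                                          # skip the global header
    while off + 16 <= len(data):
        ts, _, caplen, origlen = struct.unpack_from(e + "IIII", data, off)
        yield ts, caplen, origlen, data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def matches(frame, dst_ip, proto, port):
    """'dst host DST_IP and PROTO port PORT'; None means snaplen cut the headers short."""
    if len(frame) < 34:                               # IPv4 header not fully captured
        return None
    if frame[12:14] != b"\x08\x00" or frame[23] != proto \
            or socket.inet_ntoa(frame[30:34]) != dst_ip:
        return False                                  # 'and': every clause must hold
    l4 = 14 + (frame[14] & 0x0F) * 4
    if len(frame) < l4 + 4:                           # ports lie past the snaplen cut
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return port in (sport, dport)                     # 'port' matches either end

def filter_pcap(data, dst_ip="10.168.28.22", proto=6, port=22):
    """Return [(ts, payload_complete)] for matching frames, and how many were cut short of L4."""
    hits, short = [], 0
    for ts, caplen, origlen, frame in read_pcap(data):
        r = matches(frame, dst_ip, proto, port)
        hits += [(ts, caplen == origlen)] if r else []
        short += (r is None)
    return hits, short
```

Feeding a real test.pcap is just `filter_pcap(open("test.pcap", "rb").read())`; a False in the second field of a hit means the payload was truncated by the snapshot length, which is exactly what a larger -s value fixes.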

Some versions of tcpdump allow you to define a port range. You can do as below to capture packets based on a range of TCP ports.

tcpdump tcp portrange 20-24

Bear in mind that in the line above I didn't specify -w, so it won't write to a file but will just print the captured packets on the screen.

Want to try out tcpdump but don't know which port to try it on?
You can observe lots of packet flows while you are hooked up to the Internet. Find a port through lsof to practise your tcpdump and have fun. Read Monitor who runs what, listen to what ports, established what connections for lsof examples.

[Chinese translation]

Tags: sniffer, pcap, network analysis, network security

28 Responses to “simple usage of tcpdump”

  1. How come when I run..

    sudo tcpdump -v -i wlan0 src 192.168.0.2

    it’s fine, but when I try to specify only ICMP it gives a syntax error, as such:

    sudo tcpdump -v -i wlan0 src 192.168.0.2 ip proto \\icmp

    or

    sudo tcpdump -v -i wlan0 ip proto 1 src 192.168.0.2

    :/

  2. Hello,

    can I save the captured file in text format, or can I view a .pcap file in txt format in Linux?

    Please tell me about the filter option, for example if I want to capture packets from one IP address to another.

  3. Surendra:

    Any command that displays the .pcap file can be redirected to a text file, for example:

    # display a .pcap file
    tcpdump -nnr test.pcap

    # redirect .pcap file to a test file
    tcpdump -nnr test.pcap > test.pcap.txt

    -George

  4. When doing binary dumps with tcpdump, what tools do you guys use for analyzing? Having a hard time settling with Wireshark, so looking for others.

  5. Any idea how to run a FIFO buffer to capture the last X number of packets or MB? I have a huge file transfer that is failing. I’d like to tcpdump or tethereal capture the data, but only save the last, say, 10 MB of the data. I know how to set up filtering, just not how to tell it to use a FIFO buffer to keep the last X amount of the transfer.

  6. Can I save and view the .pcap file in Excel format in Linux?

  7. @lady I don’t think so; you can open it with Wireshark.

  8. I require a tool that will capture the Ethernet frames of a text file directed to a destination machine. Is tcpdump good for this purpose? I will need the Ethernet frames for further processing in my project. Can anyone tell me the appropriate filters for capturing Ethernet frames to a destination?

    Thank you in advance

  9. Hi,
    I have written TCP/IP send-receive programs in Linux. I am able to send and receive the data correctly. But when I run tcpdump simultaneously, I am not able to see any transfer details. Please share the reason if somebody knows it.
    Thanks,
    Jino

  10. @jino

    try:
    sudo tcpdump -i eth0 -X -e tcp

  11. Anybody know how to use tcpdump to check/identify open TCP ports on a host?

    thanks,
    -oit-

  12. Anyone know how to extract info from the packets? Storing whole packets with tcpdump -s 0 -w etc…, but they’re in gzip format. Not sure how to remove the header info + split the packets so that they can be unzipped properly from the tcpdump output… any help appreciated.

  13. I want to analyse the Sequence Numbers (SN) of 100,000 SYN packets that I have collected. Anyone know how I can get only the packets’ SN?

    Thanks,

  14. When I sniff packets using pcap it gives the destination IP address of the next hop. How do I get the original, final destination IP address?
    Please tell me,
    thanks

  15. Wow! Thank you! I often wanted to publish in my web site some thing like that. Can i get component of your
    post to my weblog?

  16. Anyone know how to extract info from the packets? The packets are in gzip format. Not sure how they can be unzipped properly from the tcpdump output… any help appreciated.

  17. In answer to tux
    >tux Says:
    >July 1st, 2008 at 1:58 am
    >How come when I run..
    >sudo tcpdump -v -i wlan0 src 192.168.0.2
    >it’s fine.. but when I try to specify only ICMP it gives a syntax error as such..
    >
    >sudo tcpdump -v -i wlan0 src 192.168.0.2 ip proto \\icmp
    >or …

    Because your syntax is wrong, try:
    sudo tcpdump -v -i wlan0 ip proto 1 src 192.168.0.2

    tcpdump -i eth0 ip proto 1 src 192.168.133.35

  18. Oops that’s the one that’s wrong, try
    src 192.168.133.35 and ip proto 1

    Sorry paste error.

  19. Hey, can we print the last 10 or 100 packets from a pcap file??

  20. Thank you a lot for sharing this with all people you actually understand what you’re speaking about! Bookmarked. Kindly also consult with my web site =). We will have a hyperlink trade agreement among us!

  21. Heya i’m for the first time here. I found this board and I in finding It truly useful & it helped me out a lot.
    I am hoping to give something back and help others such
    as you helped me.

  22. When some one searches for his essential thing, so he/she needs to be available that in
    detail, therefore that thing is maintained over here.

    Take a look at my blog post … Casual Sex Albuquerque (Reggie)

  23. Awesome site you have here but I was curious about if you knew of any discussion boards
    that cover the same topics discussed here?
    I’d really like to be a part of online community where I can get responses from other knowledgeable
    individuals that share the same interest. If you have any recommendations, please let
    me know. Bless you!

    Here is my page code PS+ gratuit

  24. Hi, I think your site might be having browser compatibility
    issues. When I look at your blog in Safari, it looks fine but when opening in Internet Explorer,
    it has some overlapping. I just wanted to give you
    a quick heads up! Other then that, terrific blog!

  25. Attractive section of content. I just stumbled upon your weblog and in accession capital to assert that I get in fact enjoyed account your blog posts.
    Anyway I will be subscribing to your feeds and even I
    achievement you access consistently rapidly.

    Stop by my page: facebook likes (virtuelogic.com)

  26. Hello! I simply want to give you a big thumbs up for the great
    info you’ve got here on this post. I’ll be returning to your web site for more soon.

  27. I was suggested this web site by my cousin. I am not sure whether this
    post is written by him as nobody else knows such detail about my
    problem. You are amazing! Thanks!

  28. What i do not realize is actually how you are
    not actually much more smartly-liked than you might be now.
    You’re so intelligent. You recognize therefore significantly when it comes to this matter, made me for my part
    believe it from a lot of varied angles. It’s like men and
    women are not involved until it’s one thing to do with Girl gaga!
    Your individual stuffs outstanding. All
    the time take care of it up!
