Mar 13, 2013

Tcpdump has many options and features. Today's blog will cover only a handful: the options and features that I use most often or find most useful.

Options

Below are some of the options that I use with tcpdump:

-n: do not resolve names (DNS), or more precisely, use numbers and not names
-nn: do not resolve names (DNS) or services/ports, or more precisely, use numbers for both names and ports
-s: followed by an integer, sets the snapshot length, i.e. the number of bytes to collect from each packet. Default is 68.
To collect all bytes, use "0" (this is the number zero).
-i: specifies the interface to use or sniff on. For example, eth0 or tap0
-D: lists interfaces that tcpdump could use
-A: print ASCII
-x: print hex
-X: print both ASCII and hex. Sometimes "-A" doesn't work, so use "-X" instead.
-v: verbose (-vv and -vvv increase the detail further)
-w: write the raw packets to a file (a pcap file that can be read back with -r)
-r: read packets from a file instead of an interface
-c: followed by an integer. Captures a specific number of packets and then exits.

Protocols, Types & Directions

The protocols most often filtered on that I’ve found useful include:

  • ip
  • ip6
  • tcp
  • udp
  • arp
  • rarp
  • ether

The types include several options, most notably:

  • port
  • host
  • net

The directions of the packets can be filtered by:

  • src
  • dst

Basic Examples

Below are some examples of how to use tcpdump to filter on specific parameters:

# tcpdump -nn ip and src 192.168.1.1

# tcpdump -nnX udp and dst 192.168.1.1 and port 443

# tcpdump -nn -i tap0 host 192.168.1.1

# tcpdump -nnvv host 192.168.10.10 and port 80 -w capture_file

# tcpdump -nnvvS src 172.25.1.1 and dst port 3389

# tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16

# tcpdump -nvvXSs 1514 dst 192.168.1.1 and not icmp

# tcpdump 'src 10.10.10.10 and (dst port 3389 or 22)'

Advanced Examples

Below are some more advanced tcpdump commands.

Show all SYN/ACK packets:

# tcpdump 'tcp[13]=18'

Show all ACK packets:

# tcpdump 'tcp[13] & 16!=0'

Show all SYN packets:

# tcpdump 'tcp[13] & 2!=0'

In the above examples, the "tcp[13]" parameter tells tcpdump where to look within the TCP header: byte offset 13, which holds the TCP flags. The other parameter either checks the value of that whole byte (i.e. 18 in the SYN/ACK example, which is SYN (2) plus ACK (16)) or, with a bitwise AND, checks whether a particular bit is set to 1, or more precisely not set to 0 (i.e. 16!=0 and 2!=0 in the ACK and SYN examples).

Capture packets using the TCP Flags option:

# tcpdump 'tcp[tcpflags] & tcp-syn != 0'
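The bit arithmetic behind these flag-byte filters can be checked without a live capture. The following is an added example, not part of the original post and not tcpdump's own code: it models the three filter shapes used above (exact byte match, "any bit of the mask set", and "all bits of the mask set") in POSIX shell and runs them over a handful of constructed flag bytes. The sample bytes, the function names and the report format are all my own choices; the bit values match what tcpdump names tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg, tcp-ece and tcp-cwr.

```shell
#!/bin/sh
# Added example (not from the original post): evaluate the tcp[13] filter
# shapes from the text against constructed TCP flag bytes, offline.

# Bit values in the TCP flags byte (tcp[13]); tcpdump exposes the same
# values as tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg, tcp-ece, tcp-cwr.
TCP_FIN=1; TCP_SYN=2; TCP_RST=4; TCP_PUSH=8
TCP_ACK=16; TCP_URG=32; TCP_ECE=64; TCP_CWR=128

# Print the names of the flags set in a flags byte, e.g. 18 -> "SYN ACK".
tcp_flags_decode() {
    fb=$1; names=""
    [ $(( $fb & $TCP_FIN  )) -ne 0 ] && names="$names FIN"
    [ $(( $fb & $TCP_SYN  )) -ne 0 ] && names="$names SYN"
    [ $(( $fb & $TCP_RST  )) -ne 0 ] && names="$names RST"
    [ $(( $fb & $TCP_PUSH )) -ne 0 ] && names="$names PSH"
    [ $(( $fb & $TCP_ACK  )) -ne 0 ] && names="$names ACK"
    [ $(( $fb & $TCP_URG  )) -ne 0 ] && names="$names URG"
    [ $(( $fb & $TCP_ECE  )) -ne 0 ] && names="$names ECE"
    [ $(( $fb & $TCP_CWR  )) -ne 0 ] && names="$names CWR"
    printf '%s\n' "${names# }"
}

# 'tcp[13]=VALUE' shape: the whole byte must equal VALUE.
flags_equal() { [ "$1" -eq "$2" ]; }
# 'tcp[13] & MASK != 0' shape: at least one bit of MASK is set.
flags_any()   { [ $(( $1 & $2 )) -ne 0 ]; }
# 'tcp[13] & MASK = MASK' shape: every bit of MASK is set, other bits ignored.
flags_all()   { [ $(( $1 & $2 )) -eq "$2" ]; }

# Report which filters a flags byte passes, as a single line of key=Y|N pairs:
#   synack_exact  -> tcp[13]=18
#   ack_any       -> tcp[13] & 16 != 0
#   syn_any       -> tcp[13] & 2 != 0
#   synack_all    -> tcp[13] & 18 = 18   (mask form of the SYN/ACK check)
filter_report() {
    fb=$1; rep=""
    if flags_equal "$fb" 18;          then rep="synack_exact=Y"; else rep="synack_exact=N"; fi
    if flags_any   "$fb" "$TCP_ACK";  then rep="$rep ack_any=Y";  else rep="$rep ack_any=N";  fi
    if flags_any   "$fb" "$TCP_SYN";  then rep="$rep syn_any=Y";  else rep="$rep syn_any=N";  fi
    if flags_all   "$fb" 18;          then rep="$rep synack_all=Y"; else rep="$rep synack_all=N"; fi
    printf '%s\n' "$rep"
}

# Constructed sample flag bytes: a client SYN (2), a plain SYN/ACK (18),
# a SYN/ACK with ECE set as an ECN-capable server replies (82),
# a bare ACK (16) and a PSH/ACK data segment (24).
for fb in 2 18 82 16 24; do
    printf 'tcp[13]=%-4d %-12s %s\n' "$fb" "$(tcp_flags_decode "$fb")" "$(filter_report "$fb")"
done
```

The row for 82 is the one worth noticing: a SYN/ACK from an ECN-capable server carries ECE as well, so the exact-match filter `tcp[13]=18` silently drops it, while the mask form `tcp[13] & 18 = 18` still matches. When a capture is meant to account for every handshake, the mask form is the safer choice.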

Please let me know if you have any additional recommendations to include in the above examples.

Additional Reading

http://danielmiessler.com/study/tcpdump/

http://www.tcpdump.org/tcpdump_man.html