Tcpdump has many options and features. Today's post covers only a handful: the options and features that I use most often or find most useful.
Options
Below are some of the options that I use with tcpdump:
- -n: do not resolve names (DNS); more precisely, print numbers instead of names
- -nn: do not resolve names (DNS) or services/ports; more precisely, print numbers for both hosts and ports
- -s: followed by an integer, sets the number of bytes to capture from each packet (the snap length). Default is 68. To capture every byte, use "0" (the number zero).
- -i: specifies the interface to sniff on, for example eth0 or tap0
- -D: lists the interfaces that tcpdump could use
- -A: print ASCII
- -x: print hex
- -X: print both hex and ASCII. Sometimes "-A" doesn't show what you need, so use "-X" instead.
- -v: verbose
- -w: write packets to a file
- -r: read packets from a file
- -c: followed by an integer; captures that many packets and then exits
Protocols, Types & Directions
The protocol qualifiers I have found most useful to filter on include:
- ip
- ip6
- tcp
- udp
- arp
- rarp
- ether
The types include several options, most notably:
- port
- host
- net
The directions of the packets can be filtered by:
- src
- dst
Basic Examples
Below are some examples of how to use tcpdump to filter on specific parameters:
# tcpdump -nn ip and src 192.168.1.1
# tcpdump -nnX udp and dst 192.168.1.1 and port 443
# tcpdump -nn -i tap0 host 192.168.1.1
# tcpdump -nnvv host 192.168.10.10 and port 80 -w capture_file
# tcpdump -nnvvS src 172.25.1.1 and dst port 3389
# tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16
# tcpdump -nvvXSs 1514 dst 192.168.1.1 and not icmp
# tcpdump 'src 10.10.10.10 and (dst port 3389 or 22)'
Advanced Examples
Below are some more advanced tcpdump commands.
Show all SYN/ACK packets:
# tcpdump 'tcp[13]=18'
Show all ACK packets:
# tcpdump 'tcp[13] & 16!=0'
Show all SYN packets:
# tcpdump 'tcp[13] & 2!=0'
In the above examples, "tcp[13]" tells tcpdump which byte of the TCP header to examine: byte 13 (counting from 0) is the flags byte, in which the SYN bit has the value 2 and the ACK bit the value 16. The rest of the expression either compares the whole byte against a value (18 = 2 + 16 in the SYN/ACK example, so that filter matches only packets with exactly SYN and ACK set) or masks the byte to test whether a particular bit is set to 1, or more precisely not set to 0 (16!=0 and 2!=0 in the ACK and SYN examples).
The same SYN filter can be written with the tcpflags keyword and the named flag constants instead of raw offsets and bit values:
# tcpdump 'tcp[tcpflags] & tcp-syn != 0'
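To make the tcp[13] arithmetic from the two sections above concrete, here is an added example (not from the original post) that builds constructed IPv4+TCP headers in Python and evaluates the same flag predicates; it also shows why the exact-match form tcp[13]=18 misses a SYN/ACK that carries ECE, while the masked form tcp[13] & 18 = 18 does not.

```python
# Added example: evaluate the post's tcp[13] flag filters in pure Python against
# constructed packets. tcpdump indexes tcp[13] from the start of the TCP header,
# so the IPv4 header length must be skipped first, exactly as the BPF filter does.
import struct

# Bit values in the TCP flags byte (tcp[13]); these are the same values tcpdump
# exposes as tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg, tcp-ece, tcp-cwr.
FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32, "ECE": 64, "CWR": 128}

def build_ipv4_tcp(flags_byte: int, sport: int = 40000, dport: int = 443) -> bytes:
    """Constructed 20-byte IPv4 header + 20-byte TCP header (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    # data offset 5 words (0x50), then the flags byte at TCP offset 13
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags_byte, 65535, 0, 0)
    return ip + tcp

def tcp_byte(packet: bytes, offset: int) -> int:
    """Equivalent of tcpdump's tcp[offset]: offset is relative to the TCP header."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    return packet[ihl + offset]

def flag_names(flags_byte: int) -> list:
    return [name for name, bit in FLAGS.items() if flags_byte & bit]

# The post's filters, written as predicates on tcp[13]
def is_syn_ack_exact(pkt: bytes) -> bool:   # tcp[13] = 18
    return tcp_byte(pkt, 13) == 18
def has_ack(pkt: bytes) -> bool:            # tcp[13] & 16 != 0
    return tcp_byte(pkt, 13) & 16 != 0
def has_syn(pkt: bytes) -> bool:            # tcp[13] & 2 != 0
    return tcp_byte(pkt, 13) & 2 != 0
def is_syn_ack_masked(pkt: bytes) -> bool:  # tcp[13] & 18 = 18; still true if ECE/CWR are set
    return tcp_byte(pkt, 13) & 18 == 18

if __name__ == "__main__":
    for fb in (FLAGS["SYN"], FLAGS["SYN"] | FLAGS["ACK"],
               FLAGS["SYN"] | FLAGS["ACK"] | FLAGS["ECE"], FLAGS["ACK"]):
        pkt = build_ipv4_tcp(fb)
        print(f"{'+'.join(flag_names(fb)):<12} tcp[13]={fb:3d} "
              f"syn/ack(=18)={is_syn_ack_exact(pkt)} syn/ack(&18)={is_syn_ack_masked(pkt)} "
              f"ack={has_ack(pkt)} syn={has_syn(pkt)}")
```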
Please let me know if you have any additional recommendations to include in the above examples.