Packet analyzer: 15 tcpdump command examples

Tcpdump is also called a packet sniffer.

The tcpdump command works on most flavors of the UNIX operating system. It lets you save captured packets so that you can analyze them later; the saved file can be read back with the same tcpdump command, or with open source software such as Wireshark, which reads tcpdump PCAP files.

In this tutorial, we’ll go over some practical examples of how to use the tcpdump command.

1. Capturing packets from a specific LAN interface using tcpdump -i

When run without any options, tcpdump captures all packets passing through all interfaces. The -i option restricts the capture to a specific network interface.

$ tcpdump -i eth1
12:59:41.967250 ARP, Request who-has free.msk.ispsystem.net tell gw.msk.ispsystem.net, length 46
12:59:41.967257 ARP, Request who-has reserve.scoffserver.ru tell gw.msk.ispsystem.net, length 46
12:59:41.969692 IP andreyex.ru.44141 > wdc-ns1.ispsystem.net.domain: 14799+ PTR? 184.48.146.82.in-addr.arpa. (44)
...

In this example, tcpdump captures all the packets of the stream on eth1 and displays them on standard output.

Note: The Editcap utility is used to select or remove specific packets from a dump file and convert them to a specified format.

2. Capture only N packets with tcpdump -c

When you run the tcpdump command it keeps printing packets until you interrupt it. With the -c option you can specify the number of packets to capture, after which tcpdump exits.

$ tcpdump -c 2 -i eth0
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:01:35.165898 ARP, Request who-has 213.159.211.80 tell gw.msk.ispsystem.net, length 46
13:01:35.170637 IP andreyex.ru.35123 > wdc-ns1.ispsystem.net.domain: 7254+ PTR? 80.211.159.213.in-addr.arpa. (45)
2 packets captured
7 packets received by filter
0 packets dropped by kernel

The tcpdump command only captured 2 packets from the eth0 interface.

Note: Mergecap and TShark: Mergecap is a capture-file merging tool that combines multiple capture files into one dump file. TShark is a command-line network packet capture and analysis tool; it ships with the Wireshark network protocol analyzer distribution.

3. Display captured packets in ASCII using tcpdump -A

The following tcpdump syntax prints the packet in ASCII.

$ tcpdump -A -i eth0
13:03:06.516709 IP 213.132.93.178.25321 > andreyex.ru.vlsi-lm: Flags [.], ack 3120779210, win 254, length 0
E .. ($. @. u..B ..]..... b ...%. = ... OP ......
13:03:06.517120 IP andreyex.ru.35313 > wdc-ns1.ispsystem.net.domain: 13562+ PTR? 178.93.132.213.in-addr.arpa. (45)
E..I9. @. @ ....... .x ..... 5.5[F4............178.93.132.213.in-addr.arpa.....
13:03:06.517523 IP wdc-ns1.ispsystem.net.domain > andreyex.ru.35313: 13562 NXDomain 0/1/0 (103)
D...ns1.?.n2.x.......


Note: The ifconfig command is used to configure network interfaces.

4. Displaying captured packets in HEX and ASCII using tcpdump -XX

Some users may prefer to analyze packets as hexadecimal values. tcpdump can print packets in both ASCII and HEX formats.

$ tcpdump -XX -i eth0
13:04:55.671670 ARP, Request who-has ns-24.ru tell gw.msk.ispsystem.net, length 46
        0x0000:  ffff ffff ffff 288a 1cea fff0 0806 0001  ......(.........
        0x0010:  0800 0604 0001 288a 1cea fff0 5057 c401  ......(.....PW..
        0x0020:  0000 0000 0000 5057 c50a 0000 0000 0000  ......PW........
        0x0030:  0000 0000 0000 0000 4af9 3265            ........J.2e
13:04:55.673089 ARP, Request who-has free.msk.ispsystem.net tell gw.msk.ispsystem.net, length 46
        0x0000:  ffff ffff ffff 288a 1cea fff0 0806 0001  ......(.........
        0x0010:  0800 0604 0001 288a 1cea fff0 5292 3001  ......(.....R.0.
        0x0020:  0000 0000 0000 5292 31af 0000 0000 0000  ......R.1.......
        0x0030:  0000 0000 0000 0000 ee11 d278

5. Capturing packets and writing them to a file using tcpdump -w

tcpdump lets you save captured packets to a file, which you can then use for further analysis.

$ tcpdump -w 08232010.pcap -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C6239 packets captured
7052 packets received by filter
811 packets dropped by kernel

The -w option writes the raw packets to the specified file. The file extension should be .pcap, since such a file can be read by any network protocol analyzer. Pay attention to the "packets dropped by kernel" count: those packets were lost before tcpdump could write them, so the file is not a complete record of the traffic on the interface.

6. Reading packets from a saved file using tcpdump -r

You can read a captured PCAP file back and inspect the packets for analysis, as shown below.

$ tcpdump -tttt -r 08232010.pcap
reading from file 08232010.pcap, link-type EN10MB (Ethernet)
2017-04-07 13:06:28.035332 IP 213.132.93.178.25557 > andreyex.ru.vlsi-lm: Flags [.], ack 2280823022, win 252, length 0
2017-04-07 13:06:28.036239 IP 213.132.93.178.25558 > andreyex.ru.vlsi-lm: Flags [.], ack 1395913898, win 252, length 0
2017-04-07 13:06:28.037210 IP 213.132.93.178.25557 > andreyex.ru.vlsi-lm: Flags [.], ack 427, win 257, length 0
2017-04-07 13:06:28.038258 IP 213.132.93.178.25558 > andreyex.ru.vlsi-lm: Flags [.], ack 149, win 252, length 0
2017-04-07 13:06:28.053807 IP 213.132.93.178.25558 > andreyex.ru.vlsi-lm: Flags [P.], seq 0:1056, ack 149, win 252, length 1056
2017-04-07 13:06:28.053850 IP andreyex.ru.vlsi-lm > 213.132.93.178.25558: Flags [.], ack 1056, win 352, length 0
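The following Python script is an added example, not code from the original tutorial or from the tcpdump project. It shows what tcpdump -w actually writes and what tcpdump -r reads back: a 24-byte pcap global header (magic number, version 2.4, snapshot length and link type, the same values tcpdump reports in its "link-type EN10MB (Ethernet), capture size 65535 bytes" banner) followed by a 16-byte record header plus the raw frame for each packet. The two packets, the MAC and IP addresses, and the function names (build_arp_request, build_tcp_ack, write_pcap, read_pcap, summarize, roundtrip) are all constructed for this example, and the IP/TCP checksums are left at zero because nothing here verifies them.

```python
"""Minimal pcap writer/reader: the file format tcpdump -w produces and tcpdump -r consumes."""
import socket
import struct
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4      # little-endian magic, microsecond timestamps
LINKTYPE_ETHERNET = 1        # "link-type EN10MB (Ethernet)" in tcpdump's banner
SNAPLEN = 65535              # "capture size 65535 bytes"
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Ethernet frame carrying an ARP 'who-has target_ip tell sender_ip' request (constructed)."""
    eth = mac("ff:ff:ff:ff:ff:ff") + mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)   # htype, ptype, hlen, plen, op=request
    arp += mac(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac("00:00:00:00:00:00") + socket.inet_aton(target_ip)
    return eth + arp


def build_tcp_ack(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, win):
    """Ethernet/IPv4/TCP frame with only ACK set and no payload; checksums left at zero."""
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x10, win, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def write_pcap(packets):
    """Serialize (ts_sec, ts_usec, frame) tuples to pcap bytes, as tcpdump -w does."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in packets:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Parse pcap bytes back into (ts_sec, ts_usec, frame) tuples; rejects bad magic and truncation."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:            # same file written on a big-endian host
        endian = ">"
    else:
        raise ValueError("not a pcap file (magic %#x)" % magic)
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    off, packets = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record at offset %d" % off)
        off += incl_len
        packets.append((ts_sec, ts_usec, frame))
    return packets


def summarize(ts_sec, ts_usec, frame):
    """One-line summary in the spirit of tcpdump -n -tttt output (no name resolution)."""
    stamp = datetime.fromtimestamp(ts_sec, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S") + ".%06d" % ts_usec
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_ARP:
        op = struct.unpack("!H", frame[20:22])[0]
        spa, tpa = socket.inet_ntoa(frame[28:32]), socket.inet_ntoa(frame[38:42])
        kind = "Request who-has %s tell %s" % (tpa, spa) if op == 1 else "Reply %s" % spa
        return "%s ARP, %s, length %d" % (stamp, kind, len(frame) - 14)
    if ethertype == ETHERTYPE_IPV4:
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        if proto == 6:
            t = 14 + ihl
            sport, dport, _seq, ack, offres, flags, win = struct.unpack("!HHIIBBH", frame[t:t + 16])
            payload = len(frame) - t - (offres >> 4) * 4
            return "%s IP %s.%d > %s.%d: Flags [%s], ack %d, win %d, length %d" % (
                stamp, src, sport, dst, dport, "." if flags == 0x10 else hex(flags), ack, win, payload)
        return "%s IP %s > %s: proto %d" % (stamp, src, dst, proto)
    return "%s ethertype %#06x, length %d" % (stamp, ethertype, len(frame) - 14)


# Constructed sample traffic (documentation addresses): one ARP request and one TCP ACK.
SAMPLE = [
    (1491566755, 671670, build_arp_request("28:8a:1c:ea:ff:f0", "192.0.2.1", "192.0.2.10")),
    (1491566984, 819573, build_tcp_ack("28:8a:1c:ea:ff:f0", "52:54:00:12:34:56", "198.51.100.7",
                                       "192.0.2.10", 25691, 1500, 1000, 1414291154, 257)),
]


def roundtrip(packets=SAMPLE):
    """Write the packets to pcap bytes, read them back, and return tcpdump-style lines."""
    return [summarize(*p) for p in read_pcap(write_pcap(packets))]


if __name__ == "__main__":
    with open("sample.pcap", "wb") as f:        # readable with: tcpdump -n -tttt -r sample.pcap
        f.write(write_pcap(SAMPLE))
    for line in roundtrip():
        print(line)
```

Run as a script it writes sample.pcap, which tcpdump -n -tttt -r sample.pcap or Wireshark will open. The reader rejects an unknown magic number and a truncated final record instead of returning partial data, which is the check any tool that ingests capture files from untrusted sources should make. It prints length 28 for the ARP request where the captures above show length 46 because frames on the wire are padded to the Ethernet minimum; this example writes unpadded frames.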

7. Capturing packets with IP addresses instead of host names using tcpdump -n

All the examples above print resolved host names rather than IP addresses. The -n option disables name resolution, so the following example shows the IP addresses of the participating machines. The PTR? queries visible in the earlier examples are tcpdump's own reverse lookups, so -n also keeps the capture from generating that extra DNS traffic.

$ tcpdump -n -i eth0
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:09:44.819573 IP 213.132.93.178.25691 > 213.159.209.228.vlsi-lm: Flags [.], ack 1414291154, win 257, length 0
13:09:44.820282 IP 213.132.93.178.25691 > 213.159.209.228.vlsi-lm: Flags [.], ack 427, win 255, length 0
13:09:44.824067 IP 213.132.93.178.25690 > 213.159.209.228.vlsi-lm: Flags [.], ack 1150807970, win 253, length 0

8. Capturing packets with full date and time stamps using tcpdump -tttt

By default tcpdump prints only the time of day; the -tttt option prefixes each packet with the full date and time, which matters when a capture spans midnight or has to be correlated with other logs.

$ tcpdump -n -tttt -i eth0
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
2017-04-07 13:10:23.336752 ARP, Request who-has 213.159.210.195 tell 213.159.210.1, length 46
2017-04-07 13:10:23.338998 ARP, Request who-has 212.109.196.195 tell 212.109.196.1, length 46
2017-04-07 13:10:23.339009 ARP, Request who-has 80.87.202.158 tell 80.87.202.1, length 46
2017-04-07 13:10:23.339011 ARP, Request who-has 188.120.248.196 tell 188.120.248.1, length 46
2017-04-07 13:10:23.339013 ARP, Request who-has 212.109.197.156 tell 212.109.196.1, length 46

9. Capturing packets larger than n bytes

You can capture only packets larger than n bytes using the "greater" filter with the tcpdump command:

$ tcpdump -w g_1024.pcap greater 1024

10. Capturing packets of a specific protocol only

You can receive packets depending on the type of protocol. You can specify one of these protocols – fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp, and udp. The following example only captures arp packets flowing through eth0.

$ tcpdump -i eth0 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:11:31.451191 ARP, Request who-has ark-hoster.ru tell gw.msk.ispsystem.net, length 46
13:11:31.456275 ARP, Request who-has aitkblack.fvds.ru tell gw.msk.ispsystem.net, length 46
13:11:31.463781 ARP, Request who-has e-sro.su tell gw.msk.ispsystem.net, length 46
13:11:31.464276 ARP, Request who-has yaroslav.fvds.ru tell gw.msk.ispsystem.net, length 46
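The Python script below is an added example, not part of the original tutorial. It runs simple detection logic over text output of the kind examples 8 and 10 produce (tcpdump -n -tttt arp): it parses the timestamped ARP request lines and flags any sender that asks for many distinct addresses within a short window, which is what a sweep of the local segment looks like in a capture, as opposed to a gateway resolving a few hosts now and then. The sample output, the addresses in it, the window and the threshold are all constructed or assumed for this example and should be tuned to your own network.

```python
"""Flag ARP sweeps in tcpdump -n -tttt arp text output (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime

# One ARP request line as tcpdump -n -tttt prints it: full timestamp, target, sender, length.
ARP_REQUEST = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}) ARP, Request who-has "
    r"(?P<target>\d+\.\d+\.\d+\.\d+) tell (?P<sender>\d+\.\d+\.\d+\.\d+), length \d+$"
)

# Constructed sample output: a gateway (192.0.2.1) resolving a few hosts over 17 seconds,
# which is normal, and one host (192.0.2.77) asking for six consecutive addresses within
# a millisecond, which is a sweep. A reply line and an IP line show that non-requests are skipped.
SAMPLE_OUTPUT = """\
2017-04-07 13:10:23.336752 ARP, Request who-has 192.0.2.20 tell 192.0.2.1, length 46
2017-04-07 13:10:23.401003 ARP, Reply 192.0.2.20 is-at 52:54:00:12:34:56, length 28
2017-04-07 13:10:24.100000 IP 198.51.100.7.25691 > 192.0.2.10.22: Flags [S], seq 1, win 64240, length 0
2017-04-07 13:10:24.500001 ARP, Request who-has 192.0.2.10 tell 192.0.2.77, length 46
2017-04-07 13:10:24.500120 ARP, Request who-has 192.0.2.11 tell 192.0.2.77, length 46
2017-04-07 13:10:24.500233 ARP, Request who-has 192.0.2.12 tell 192.0.2.77, length 46
2017-04-07 13:10:24.500341 ARP, Request who-has 192.0.2.13 tell 192.0.2.77, length 46
2017-04-07 13:10:24.500450 ARP, Request who-has 192.0.2.14 tell 192.0.2.77, length 46
2017-04-07 13:10:24.500562 ARP, Request who-has 192.0.2.15 tell 192.0.2.77, length 46
2017-04-07 13:10:31.002211 ARP, Request who-has 192.0.2.21 tell 192.0.2.1, length 46
2017-04-07 13:10:40.770909 ARP, Request who-has 192.0.2.22 tell 192.0.2.1, length 46
"""


def parse_arp_requests(text):
    """Return (timestamp, sender, target) for every ARP request line; other lines are ignored."""
    requests = []
    for line in text.splitlines():
        m = ARP_REQUEST.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            requests.append((ts, m.group("sender"), m.group("target")))
    return requests


def find_arp_sweeps(text, window_seconds=2.0, min_targets=5):
    """Map sender -> largest number of distinct targets it asked for inside any
    window_seconds span, keeping only senders that reach min_targets.
    Both thresholds are assumptions; tune them to the size and churn of your segment."""
    by_sender = defaultdict(list)
    for ts, sender, target in parse_arp_requests(text):
        by_sender[sender].append((ts, target))
    sweeps = {}
    for sender, events in by_sender.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until events[start..end] fit in window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({target for _, target in events[start:end + 1]}))
        if best >= min_targets:
            sweeps[sender] = best
    return sweeps


if __name__ == "__main__":
    # Typical use: tcpdump -l -n -tttt -i eth0 arp | python3 arp_sweeps.py
    # (-l makes tcpdump line-buffer its output). Without a pipe, the sample above is used.
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for sender, count in sorted(find_arp_sweeps(text).items()):
        print("possible ARP sweep from %s: %d distinct targets" % (sender, count))
```

The sliding window counts distinct targets rather than raw requests, so a host retrying the same unanswered address is not mistaken for a sweep. Because the script consumes tcpdump's text output, it works just as well on a saved file via tcpdump -n -tttt -r file.pcap arp.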

11. Capturing packets smaller than n bytes

You can capture only packets smaller than n bytes using the "less" filter with the tcpdump command:

$ tcpdump -w l_1024.pcap less 1024

12. Capturing packets on a specific port using the tcpdump port filter

If you want to know all packets received on a specific port on a computer, you can use the tcpdump command as shown below.

$ tcpdump -i eth0 port 22
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

In this case, port 22 is disabled, so no packets were captured.

13. Capturing packets for a specific destination IP address and port

Every packet carries a source and destination IP address and port number, and tcpdump can filter on any of them. The following command captures packets on eth0 sent to a specific destination IP address and port 22, and writes them to xpackets.pcap.

$ tcpdump -w xpackets.pcap -i eth0 dst 10.181.140.216 and port 22

14. Capturing TCP packets between two hosts

If two processes on two different machines are talking over TCP, you can capture their packets with tcpdump as shown below.

$ tcpdump -w comm.pcap -i eth0 dst 16.181.170.246 and port 22

This filter selects by destination address only; to limit the capture to one particular pair of hosts, combine it with a matching src host clause. You can open the comm.pcap file in any network protocol analyzer to debug potential problems.

15. tcpdump packet filter – capture everything except arp and rarp packets

tcpdump filter expressions can be combined with and, or and not to select exactly the packets you want.

$ tcpdump -i eth0 not arp and not rarp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:13:42.454613 IP 213.132.93.178.25885 > andreyex.ru.vlsi-lm: Flags [.], ack 1557656178, win 253, length 0
13:13:42.455558 IP 213.132.93.178.25885 > andreyex.ru.vlsi-lm: Flags [.], ack 427, win 257, length 0
13:13:42.458275 IP andreyex.ru.https > crawl-66-249-64-254.googlebot.com.39708: Flags [.], ack 1382390548, win 252, options [nop,nop,TS val 32239888 ecr 3682685903], length 0
