
Tcpdump Tutorial

Tcpdump is a powerful utility for analyzing network traffic. It listens on the interface(s) you specify and captures information about the packets entering or leaving them: the IP addresses involved in the transmission, where the packet is going, where it came from, and which port it was sent on. First, let's start with some basic command-line arguments to tcpdump.

Argument          Function
-i any            Listen for traffic on all interfaces. Can also take an interface name such as eth0
-n                Don't resolve hostnames
-nn               Don't resolve host or port names
-X                Show packet contents in hex and ASCII
-XX               Like -X, but also shows the Ethernet header
-v, -vv, -vvv     Increase the amount of packet information you get back; each extra v adds more detail
-c #              Stop after # packets
-S                Print absolute (rather than relative) TCP sequence numbers
-e                Display the Ethernet header
-q                Suppress some protocol information (quieter output)
-E                Decrypt IPsec traffic with a provided encryption key
-s                Set the amount of data to be captured per packet, in bytes (the snapshot length)
host              Look for traffic to or from the given host address
src               Look for traffic from the given source
dst               Look for traffic going to the given destination
net               Look for traffic to or from the given network, e.g. net 192.168.0.0/24
<protocol name>   Search for traffic by protocol (icmp, arp, tcp, udp, etc.)
port              See traffic on the specified port; can be narrowed with src and dst
portrange         Look for traffic to any port in the given range
less/greater      See traffic below or above a certain byte size (the < and > symbols can be used as well)
-w                Write the raw packets to a file

Almost all of these filter primitives can be chained using the logical operators and, or and not. Tcpdump can even look at the flags set by the TCP stack to see whether the packets coming in are SYN, ACK, RST, etc.

Using TCPdump

Now that the command-line arguments are out of the way, let's look at actually starting to capture traffic. Tcpdump has to be run as root, so elevate yourself to root privileges either by invoking tcpdump with sudo or by actually logging in to the root account. Once that's done, you need to craft an expression telling tcpdump what you're looking for. For starters, we're going to send a few ICMP (ping) packets for tcpdump to watch for.

The expression to do that is:

# tcpdump -nnvvXSs 1514 icmp

This command will show the entire ICMP packet in hexadecimal and ASCII, with a decent amount of detail about it, without resolving any port or host names (-s 1514 sets the snapshot length to 1514 bytes, enough for a full Ethernet frame, so nothing is truncated). It will do this for every ICMP packet seen on any interface attached to the system you issue the command on. Now, in another terminal, issue this command.

$ ping -c4 <some address>

Where <some address> is replaced by the destination you want your system to ping. After you hit enter on that command, you should notice that the terminal where you left tcpdump running comes to life. Tcpdump should have grabbed the entire packet for each of the four pings and responses exchanged with whatever address you pinged.
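To tie together the chaining of filter primitives with and/or/not and the TCP-flag test mentioned earlier, plus the -c/-w/-nn capture options used above, here is an added example that is not part of the original tutorial. The function names and the 192.0.2.10 / 192.168.0.0/16 addresses are this example's own; the tcp[tcpflags] expressions are tcpdump's documented filter syntax.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: compose tcpdump filter
# expressions from the primitives in the table, chain them with and/or/not,
# and spell out the TCP-flag test the text alludes to. Function names and
# the addresses are this example's own; tcp[tcpflags] is tcpdump's syntax.

# _join OP EXPR... -> "(e1) OP (e2) OP ..." (parentheses keep precedence explicit)
_join() {
    op="$1"; shift
    out=""
    for e in "$@"; do
        [ -n "$out" ] && out="${out} ${op} "
        out="${out}(${e})"
    done
    printf '%s' "$out"
}
f_and() { _join and "$@"; }
f_or()  { _join or "$@"; }
f_not() { printf 'not (%s)' "$1"; }

# tcp_flag FLAG -> packets with that flag bit set (byte 13 of the TCP header);
# 'syn-only' is SYN set and ACK clear, i.e. a new connection attempt.
tcp_flag() {
    case "$1" in
        syn|ack|rst|fin|psh|urg) printf 'tcp[tcpflags] & tcp-%s != 0' "$1" ;;
        syn-only) printf 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' ;;
        *) printf 'unknown flag: %s\n' "$1" >&2; return 1 ;;
    esac
}

# capture_cmd IFACE COUNT FILE EXPR -> the command line to run as root.
# -c bounds an unattended capture, -w keeps the raw packets for later
# analysis (tcpdump -r FILE), -nn avoids DNS lookups that add traffic of their
# own, and the expression is single-quoted so the shell leaves it alone.
capture_cmd() {
    printf "tcpdump -i %s -nn -c %s -w %s '%s'" "$1" "$2" "$3" "$4"
}

# The tutorial's ICMP scenario, narrowed to one peer (constructed address):
icmp_peer=$(f_and icmp 'host 192.0.2.10')
# Connection attempts to SSH or HTTPS from outside the (constructed) LAN range:
syn_in=$(f_and "$(tcp_flag syn-only)" \
               "$(f_or 'dst port 22' 'dst port 443')" \
               "$(f_not 'src net 192.168.0.0/16')")

capture_cmd any 8 pings.pcap "$icmp_peer"; echo
capture_cmd eth0 100 syns.pcap "$syn_in"; echo
```

The printed command lines are meant to be pasted into a root shell; read the saved file back later with tcpdump -nn -r pings.pcap.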

user/mtaft4/portfolio/howto/tcpdump.txt · Last modified: 2011/05/03 10:05 by mtaft4