@selfboot
Last active May 29, 2017 09:09
Quick doc about how to use tcpdump.

Tcpdump is a network packet analyzer that runs on the command line. It is used to create "dumps" or "traces" of network traffic. It lets you look at what is happening on the network and can be really useful for troubleshooting many types of issues, including issues that aren't caused by network communication. Outside of network issues I use tcpdump to troubleshoot application issues all the time; if you ever have two applications that don't seem to be working well together, tcpdump is a great way to see what is happening. This is especially true if the traffic is not encrypted, as tcpdump can then be used to capture and read the packet payloads as well.

Install

Since tcpdump is not included with most base systems, you will need to install it. However, nearly all Linux distributions have tcpdump in their core repositories. For Debian based distributions, the command to install tcpdump is:

apt-get install tcpdump

For CentOS/RedHat, use the following command:

yum install tcpdump

Arguments

If you run tcpdump without any arguments, you'll be battered with results; when you stop the capture with ^C it prints a summary like this:

2661 packets captured
2663 packets received by filter
0 packets dropped by kernel

Before going into more details on how to filter input, you should take a look at some parameters that can be passed to tcpdump:

  • -i - Specifies the interface you want to listen on, for example: tcpdump -i eth0.
  • -n - Do not try to do reverse lookups on IP addresses, for example: tcpdump -n (if you add another n, i.e. -nn, tcpdump will also show port numbers instead of service names).
  • -X - Show the content of the collected packets in hex and ASCII: tcpdump -X.
  • -c - Only capture x packets, x being an arbitrary number, for example tcpdump -c 10 captures exactly 10 packets and then exits.
  • -v - Increase the amount of packet information you are shown; more v's (-vv, -vvv) add more verbosity.

There are dozens (if not hundreds) of options in addition to those few, but they are the most common ones. Feel free to read tcpdump's manpage on your system.

Packet Filters

Now that you have a basic understanding of tcpdump, it's time to look at one of tcpdump's most awesome features: expressions. Expressions will make your life a lot easier. They are also known as BPF or Berkeley Packet Filters. Using expressions allows you to selectively display (or ignore) packets based on certain characteristics - such as origin, destination, size, or even TCP sequence number.

So far you've managed to limit your capture to a certain number of packets on a certain interface, but let's be honest here: that still leaves too much background noise to effectively work with the collected data. That's where expressions come into play. The concept is pretty straightforward, so we'll leave out the dry theory here and support the understanding with some practical examples.

The expressions that you'll probably be using the most are:

  • host - Look for traffic based on hostnames or IP addresses.
  • src or dst - Look for traffic from or to a specific host.
  • proto - Look for traffic of a certain protocol. Works for tcp, udp, icmp, and others. The proto keyword itself can be omitted (e.g. just tcp).
  • net - Look for traffic to / from a certain range of IP addresses.
  • port - Look for traffic to / from a certain port.
  • greater or less - Look for packets bigger or smaller than a certain number of bytes.

While the manpage for tcpdump contains just a few examples, the manpage for pcap-filter has very detailed explanations of how each filter works and can be applied:

tcpdump -i eth0 host vultr.com     # how your communication with a certain server is going
tcpdump -i eth0 -nn greater 128    # only packets bigger than 128 bytes
tcpdump -i eth0 -nn less 32        # only packets smaller than 32 bytes
tcpdump -i eth0 -X port 21         # a certain port
tcpdump -i eth0 -X portrange 22-25 # a port range
tcpdump tcp and dst port 80        # TCP traffic to port 80
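As an added example (not part of the original gist), here is a small Python script that parses the one-line-per-packet text that `tcpdump -nn` prints for TCP traffic and flags sources sending bare SYNs to many different ports, the kind of pattern you would want to notice while troubleshooting. The sample lines and the addresses in them are constructed, not a real capture.

```python
import re
from collections import defaultdict

# One line of `tcpdump -nn` output for a TCP packet: timestamp, "IP", src.port > dst.port,
# then the TCP flags in brackets. The sample lines below are constructed, not a real capture.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

SAMPLE_LINES = """\
12:00:01.000100 IP 192.0.2.10.40001 > 198.51.100.5.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000300 IP 198.51.100.5.22 > 192.0.2.10.40001: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:01.000500 IP 192.0.2.10.40002 > 198.51.100.5.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000700 IP 192.0.2.10.40003 > 198.51.100.5.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000900 IP 192.0.2.10.40004 > 198.51.100.5.8080: Flags [S], seq 1, win 64240, length 0
12:00:02.000100 IP 203.0.113.7.51000 > 198.51.100.5.443: Flags [S], seq 10, win 65535, length 0
12:00:02.000300 IP 198.51.100.5.443 > 203.0.113.7.51000: Flags [S.], seq 20, ack 11, win 65160, length 0
12:00:02.000500 IP 203.0.113.7.51000 > 198.51.100.5.443: Flags [.], ack 21, win 65535, length 0
12:00:02.000700 IP 203.0.113.7.51000 > 198.51.100.5.443: Flags [P.], seq 11:300, ack 21, win 65535, length 289
""".splitlines()

def parse_line(line):
    """Return a dict of the fields above, or None for non-TCP or unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields

def syn_probe_sources(lines, min_ports=3):
    """Map each source IP to the sorted destination ports it sent a bare SYN to
    (Flags [S] only), keeping sources that touched at least min_ports ports.
    A normal client completes a handshake on a port or two; a scanner walks many."""
    ports_by_src = defaultdict(set)
    for line in lines:
        pkt = parse_line(line)
        if pkt and pkt["flags"] == "S":
            ports_by_src[pkt["src"]].add(pkt["dport"])
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}

if __name__ == "__main__":
    for src, ports in syn_probe_sources(SAMPLE_LINES).items():
        print(f"{src} sent bare SYNs to {len(ports)} ports: {ports}")
```

To run it on a live capture, pipe `tcpdump -nn -i eth0 tcp` into the script instead of using the embedded sample lines.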

Writing to a file

It's often more useful to capture packets using tcpdump rather than Wireshark. For example, you might want to do a remote capture and either don't have GUI access or don't have Wireshark installed on the remote machine.

Older versions of tcpdump truncate packets to 68 or 96 bytes. If this is the case, use -s to capture full-sized packets and -w to write them to a file that Wireshark can open later:

$ tcpdump -i <interface> -s 65535 -w <some-file>

You will have to specify the correct interface and the name of a file to save into. In addition, you will have to terminate the capture with ^C when you believe you have captured enough packets.

Ref

Introduction to Tcpdump
