tcpdump

tcpdump is a useful packet analyzer distributed under the BSD license. It is included with most Linux and Unix distributions, and it is available for Windows using the WinPcap library.

As you might imagine, tcpdump is excellent at troubleshooting problematic connections to remote systems where the cause is otherwise unclear. This is particularly useful for getting around, say, database administrators who won’t admit that their database even exists, much less that you can connect to it.

As always, man tcpdump gives you all options, as well as a good overview of network packets. An overview of network and transport layer protocols may also be of value here.

Useful Command Line Switches

Usage is tcpdump -switch

Switch Purpose
-A Print every packet in ASCII
-c x Only get x number of packets and then stop
-D Show the list of available capture interfaces; synonymous with --list-interfaces
-e Get the ethernet header as well
-E Decrypt IPsec traffic by providing an encryption key
-i any Listen on all interfaces just to see if you're seeing any traffic; synonymous with --interface=any
-i eth0 Listen on the eth0 interface
-n Don’t resolve host names
-nn Don’t resolve host names or port numbers
-q Print less protocol information with your output; usually easier reading
-r file Read capture data from file into tcpdump
-s Define the snaplength (size) of the capture in bytes. Use -s 1514 to get everything, unless you are intentionally capturing less
-S Print absolute sequence numbers
-t Omit the timestamp from each dump line
-v, -vv, -vvv Increase the amount of packet information you get back
-w file Write the raw packets to file rather than printing them out
-X Show the packet’s contents in both hex and ASCII
-XX Same as -X, but also shows the ethernet header

Arguments

Usage is tcpdump -switch argument

Argument Purpose
dst Only capture packets with the specified destination
greater Set minimum packet size
host Specify a host, as an IP address or hostname (if not using -n); to restrict to the origin or destination host, use src or dst instead. For example, host 192.0.0.1 captures all traffic to and from 192.0.0.1, while src 192.0.0.1 captures only traffic departing from that address.
icmp/udp/tcp Only capture ICMP, UDP or TCP packets, respectively
less Set maximum packet size
net Capture an entire network
port Capture traffic to or from the specified port; use src port or dst port to specify origin port or destination port
portrange Capture traffic to or from the specified port range; use src portrange or dst portrange to specify origin or destination
src Only capture packets originating from the specified source

Examples

Note: 'and' and 'not' can also be written as '&&' and '!'. Filter expressions containing parentheses, brackets or these operators must be quoted so the shell does not interpret them.

Capture all packets arriving at or departing from thiscomp:

$ tcpdump host thiscomp

Capture packets departing from 10.0.0.2 destined for port 5432 (i.e., PostgreSQL):

$ tcpdump src 10.0.0.2 and dst port 5432

Capture TCP packets departing from thiscomp destined for port 1433 on database (i.e., MSSQL):

$ tcpdump tcp and src thiscomp and dst port 1433 and dst database

Capture traffic between thiscomp and either google or microsoft:

$ tcpdump 'host thiscomp and (google or microsoft)'

Capture traffic departing from the 216.58.0.0/16 network to the SSH port, and write it to a file:

$ tcpdump -w capture_file src net 216.58.0.0/16 and dst port 22

Capture traffic departing from the 216.58.0.0/16 network and not to the SSH or MySQL ports:

$ tcpdump 'src net 216.58.0.0/16 and not (dst port 22 or 3306)'

Capture SYN and FIN packets (connection start/end packets) departing from the 216.58.0.0/16 network, not to the SSH or MySQL ports:

$ tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and src net 216.58.0.0/16 and not (dst port 22 or 3306)'
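To show what the last filter actually matches, the following is an added example (not part of the original page) that evaluates the same predicate in Python on IPv4/TCP packets constructed inline from header layout alone, without checksums. It goes one step beyond the page by also showing the stricter `tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn` form, which matches only the first packet of a handshake, whereas the `!= 0` form above also matches SYN-ACKs and FIN-ACKs.

```python
import ipaddress
import struct

# Bits of the TCP flags byte (byte 13 of the TCP header); tcpdump names them
# tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack and tcp-urg.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

SRC_NET = ipaddress.ip_network("216.58.0.0/16")   # 'src net 216.58.0.0/16'
EXCLUDED_DST_PORTS = {22, 3306}                   # 'not (dst port 22 or 3306)'


def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Constructed IPv4+TCP packet with no payload and zero checksums (test input, not a capture)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + tcp


def parse_ipv4_tcp(packet):
    """Return (src_address, dst_port, flags) for an IPv4/TCP packet, or None for anything else."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:   # version 4, protocol TCP
        return None
    ihl = (packet[0] & 0x0F) * 4          # IP header length, so options do not shift the TCP offsets
    tcp = packet[ihl:]
    if len(tcp) < 20:
        return None
    dport = struct.unpack("!H", tcp[2:4])[0]
    return ipaddress.ip_address(packet[12:16]), dport, tcp[13]   # tcp[13] is tcp[tcpflags]


def matches_syn_fin_filter(packet):
    """'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and src net 216.58.0.0/16
    and not (dst port 22 or 3306)', evaluated on one raw packet."""
    parsed = parse_ipv4_tcp(packet)
    if parsed is None:
        return False
    src, dport, flags = parsed
    # '!= 0' is true whenever SYN or FIN is set, so SYN-ACK and FIN-ACK packets match too.
    return (flags & (TCP_SYN | TCP_FIN)) != 0 and src in SRC_NET and dport not in EXCLUDED_DST_PORTS


def is_pure_syn(packet):
    """'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn': SYN set and ACK clear, i.e. the
    first packet of a handshake only; the SYN-ACK reply does not match this form."""
    parsed = parse_ipv4_tcp(packet)
    return parsed is not None and (parsed[2] & (TCP_SYN | TCP_ACK)) == TCP_SYN
```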