
A tcpdump Tutorial with Examples


rev.dennis


Just about any appliance you receive from the enterprise world comes with tcpdump, especially if the host operating system is Linux based. Here are some commands that I run that have proven helpful, and they may prove helpful to you as well. My main use is on our F5 appliances or our Linux application servers.

Below you will find different uses of tcpdump.

NO DNS RESOLUTION

To disable name resolution, use the -n flag as in the following examples:

tcpdump -n
tcpdump -ni 0.0

 

CAPTURE TO FILE

To save the tcpdump output to a binary file, type the following command:

tcpdump -w dump1.pcap

Note: The tcpdump utility does not print data to the screen while it is capturing to a file. To stop the capture, press CTRL-C.

 

READ CAPTURED FILE

To read data from a binary tcpdump file (that you saved by using the tcpdump -w command), type the following command:

tcpdump -r dump1.pcap

In this mode, the tcpdump utility reads stored packets from the file, but otherwise operates just as it would if it were reading from the network interface. As a result, you can use formatting commands and filters.

 

FILTER ON HOST ADDRESS

To view all packets that are traveling to or from a specific IP address, type the following command:

tcpdump host 10.40.89.188

To view all packets that are traveling from a specific IP address, type the following command:

tcpdump src host 10.40.89.188

To view all packets that are traveling to a particular IP address, type the following command:

tcpdump dst host 10.40.89.188

***NOTE: To get accurate IP addresses on the F5, I like to check existing connections on the F5 device first, so you aren't just waiting for something that isn't ever going to happen.

Looking for connections to a member IP address:

# tmsh show sys connection | grep 10.40.89.188

10.40.89.188:48520   10.40.212.23:2075    10.40.89.188:48520   10.40.212.23:2075    tcp  37     (slot/tmm: 1/9)  none

Explanation of columns (client side first, then server side):

cs-client-addr:cs-client-port | cs-server-addr:cs-server-port | ss-client-addr:ss-client-port | ss-server-addr:ss-server-port
Computer IP & port            | Virtual server IP & port      | SNAT IP & port                | Server IP & port

 

FILTER ON PORT

To view all packets that are traveling through the BIG-IP system and are either sourced from or destined to a specific port, type the following command, where <port number> is the port of interest:

tcpdump port <port number>

For example:

tcpdump port 80

To view all packets that are traveling through the BIG-IP system and sourced from a specific port, type the following command:

tcpdump src port <port number>

For example:

tcpdump src port 80

To view all packets that are traveling through the BIG-IP system and destined to a specific port, type the following command:

tcpdump dst port <port number>

For example:

tcpdump dst port 80

 

FILTER ON TCP FLAGS

To view all packets that are traveling through the BIG-IP system that contain the SYN flag, type the following command:

tcpdump 'tcp[tcpflags] & (tcp-syn) != 0'

To view all packets that are traveling through the BIG-IP system that contain the RST flag, type the following command:

tcpdump 'tcp[tcpflags] & (tcp-rst) != 0'

 

Isolate TCP RST flags

tcpdump 'tcp[13] & 4!=0'
tcpdump 'tcp[tcpflags] == tcp-rst'

Note that the two forms in each pair below are not equivalent: the "& mask != 0" form matches any packet that has the flag set (a RST/ACK matches), while the "== tcp-rst" form matches only packets where that flag is the only one set. tcp[13] is the flags byte of the TCP header (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32), and tcp[tcpflags] is just the readable name for the same byte.

 

Isolate TCP SYN flags

tcpdump 'tcp[13] & 2!=0'
tcpdump 'tcp[tcpflags] == tcp-syn'

 

Isolate packets that have both the SYN and ACK flags set

tcpdump 'tcp[13]=18'

 

Isolate TCP URG flags

tcpdump 'tcp[13] & 32!=0'
tcpdump 'tcp[tcpflags] == tcp-urg'

 

Isolate TCP ACK flags

tcpdump 'tcp[13] & 16!=0'
tcpdump 'tcp[tcpflags] == tcp-ack'

 

Isolate TCP PSH flags

tcpdump 'tcp[13] & 8!=0'
tcpdump 'tcp[tcpflags] == tcp-psh'

 

Isolate TCP FIN flags

tcpdump 'tcp[13] & 1!=0'
tcpdump 'tcp[tcpflags] == tcp-fin'

 

COMBINING FILTERS

You can use the and operator to combine primitives and filter for a mixture of output. Note that and binds tighter than or, so parenthesise (and quote) the expression when an or clause must be grouped.

Following are some examples of useful combinations:

tcpdump host 10.40.89.188 and port 80
tcpdump src host 172.67.134.121 and dst port 80
tcpdump src host 172.67.134.121 and dst host 10.40.89.188

 

The three logical operators, each with its alternative spelling:

AND:     and   (or &&)
OR:      or    (or ||)
EXCEPT:  not   (or !)

 

Let’s find all traffic from 10.40.89.188 going to any host on port 3389.

tcpdump -nnvvS src 10.40.89.188 and dst port 3389

 

Let’s look for all traffic coming from 192.168.x.x and going to the 10.x or 172.67.x.x networks, and we’re showing hex output with no hostname resolution and one level of extra verbosity. The or clause is parenthesised so that both networks are tested as destinations; without the parentheses, and would bind first and 172.67.0.0/16 would match in either direction.

tcpdump -nvX 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or 172.67.0.0/16)'

 

Traffic from one host to either of two destination ports (the second port inherits the dst port qualifier):

tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'

 

Find HTTP Host Headers

tcpdump -vvAls0 | grep 'Host:'

 

Find HTTP Cookies

tcpdump -vvAls0 | grep -E 'Set-Cookie|Host:|Cookie:'

 

Cleartext GET Requests

tcpdump -vvAls0 | grep 'GET'

As an example of cleartext GET requests captured on the F5 (interface 0.0):

tcpdump -vvAls0 -i 0.0 | grep 'GET'
tcpdump: listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
(}.x.......4..ZP...Ye.."Splunk Logging"|"usfnt1slbdz02.thezah.com"|"1591809773553"|"1591809773553621"|"2.21.5.15"|"33289"|"/Production/vs.secure-prodd.thezah.com"|"192.168.8.64"|"443"|"/Production/pool.secure-prodd.thezah.com"|"10.43.197.68"|"33289"|"10.40.64.89"|"443"|"GET"|"/resources/apps/mobile/ipad/content/PersistentSectionVersions.json"|"HTTP/1.1"|""|"Mobile/1 CFNetwork/1125.2 Darwin/19.4.0"|"200"|"9"|257|"9693"
(}......$...r.gP...Y..."Splunk"

Find HTTP User Agents

tcpdump -vvAls0 | grep 'User-Agent:'

As an example of capturing User-Agent headers:

tcpdump -vvAls0 -i 0.0 | grep 'User-Agent:'
tcpdump: listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
        User-Agent: Go-http-client/1.1
User-Agent: Go-http-client/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36

Both SYN and RST Set

tcpdump 'tcp[13] = 6'

 

Find SSH Connections

This one works regardless of what port the connection comes in on, because it matches on the "SSH-" version banner that both sides send at the start of the connection rather than on the port number.

tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'

 

Find DNS Traffic

tcpdump -vvAs0 port 53

 

Find FTP Traffic

tcpdump -vvAs0 port ftp or ftp-data

 

Find NTP Traffic

tcpdump -vvAs0 port 123

 

Find Cleartext Passwords

tcpdump -lA port http or port ftp or port smtp or port imap or port pop3 or port telnet | grep -Ei -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '

 

Find traffic with the evil bit

There’s a reserved bit in the IP header flags that never gets set by legitimate applications, which RFC 3514 jokingly named the “Evil Bit”. Here’s a fun filter to find packets where it’s been toggled (ip[6] is the first byte of the flags/fragment-offset field, and 128 is its high bit).

tcpdump 'ip[6] & 128 != 0'

 

Snarf/Snaplen

The tcpdump utility provides the -s (snarf/snaplen) option to specify how many bytes of each packet to capture. To capture the entire packet, use a value of 0 (zero).

For example:

tcpdump -s0 src host 172.67.134.121 and dst port 80

Alternatively, you can specify a length large enough to capture the packet data you need to examine.

For example:

tcpdump -s200 src host 172.67.134.121 and dst port 80

If you are using the tcpdump utility to examine the output on the console during capture, or by reading from an input file with the -r option, you should also use the -X flag, which prints each packet's contents in hex alongside the ASCII decoding.

For example:

tcpdump -r dump1.pcap -X src host 172.67.134.121 and dst port 80

 

Disable DNS resolution with -n; adding a second n (-nn) also disables port-name lookups, so you see port numbers instead of service names.

For example:

tcpdump -nn src host 172.67.134.121 and dst port 80

 

STOPPING tcpdump

You can stop the tcpdump utility using the following methods:

If you run the tcpdump utility interactively from the command line, you can stop it by pressing the Ctrl + C key combination.

If you run the tcpdump utility in the background, you can return the tcpdump session to the foreground by typing the following command:

fg

To stop the session, press Ctrl + C.

If you run multiple instances of the tcpdump utility in the background, you can terminate all instances at the same time by typing the following command:

killall tcpdump
