Tcpdump

TCPdump is a very powerful command line packet sniffer.
It must be launched as root or with superuser rights, because it puts the network device into promiscuous mode
and needs sufficient privileges to open a network device or a socket.
Wireshark (formerly Ethereal) can be used as an alternative to TCPdump, with a GUI.
Wireshark can also be used to read the capture files written by TCPdump.
1. TCPDUMP DOWNLOAD
2. TCPDUMP SYNTAX
3. TCPDUMP EXAMPLES
1. TCPDUMP DOWNLOAD:
To download and install TCPdump:
#apt-get install tcpdump
To see the TCPdump dependencies:
#apt-cache depends tcpdump
tcpdump
Depends: libc6
Depends: libpcap0.8
Depends: libssl0.9.8
To see the installed TCPdump version:
#apt-cache policy tcpdump
tcpdump:
Installed: 3.9.4-2ubuntu0.1
Candidate: 3.9.4-2ubuntu0.1
Version table:
*** 3.9.4-2ubuntu0.1 0
500 http://security.ubuntu.com dapper-security/main Packages
100 /var/lib/dpkg/status
3.9.4-2 0
500 http://ch.archive.ubuntu.com dapper/main Packages
2. TCPDUMP SYNTAX
Syntax:
Protocol   Direction   Host(s)    Value   Logical Operations   Other expression
Example:
tcp        dst         10.1.1.1   80      and                  tcp dst 10.2.2.2 3128
Protocol:
Values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.
If no protocol is specified, all the protocols are used.
Direction:
Values: src, dst, src and dst, src or dst
If no source or destination is specified, the "src or dst" keywords are applied.
For example, "host 10.2.2.2" is equivalent to "src or dst host 10.2.2.2".
Host(s):
Values: net, port, host, portrange.
If no host(s) is specified, the "host" keyword is used.
For example, "src 10.1.1.1" is equivalent to "src host 10.1.1.1".
Logical Operations:
Values: not, and, or.
Negation ("not") has the highest precedence. Alternation ("or") and concatenation ("and") have equal
precedence and associate left to right.
For example,
"not tcp port 3128 and tcp port 23" is equivalent to "(not tcp port 3128) and tcp port 23".
"not tcp port 3128 and tcp port 23" is NOT equivalent to "not (tcp port 3128 and tcp port 23)".
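An added example (not part of the original page) that applies these syntax rules in Python: a small parser for the subset of the filter language described above, which rewrites a filter with the default qualifiers ("src or dst", "host") and the implicit parentheses made explicit. The keyword sets are taken from the syntax section; the parenthesised output form is an assumption of this example.

```python
import re
PROTOS = {"ether", "fddi", "ip", "arp", "rarp", "decnet", "lat", "sca",
          "moprc", "mopdl", "tcp", "udp"}
DIRS = {"src", "dst"}
TYPES = {"net", "port", "host", "portrange"}

def parse_primitive(tokens, i):
    """[protocol] [direction] [type] value; defaults: 'src or dst' and 'host'."""
    proto = direction = kind = None
    if tokens[i] in PROTOS:
        proto, i = tokens[i], i + 1
    if i < len(tokens) and tokens[i] in DIRS:
        # 'src or dst' / 'src and dst' are three-word direction qualifiers
        if len(tokens) > i + 2 and tokens[i + 1] in ("or", "and") and tokens[i + 2] in DIRS:
            direction, i = " ".join(tokens[i:i + 3]), i + 3
        else:
            direction, i = tokens[i], i + 1
    if i < len(tokens) and tokens[i] in TYPES:
        kind, i = tokens[i], i + 1
    if i >= len(tokens) or tokens[i] in ("and", "or", "not", ")"):
        if proto and not (direction or kind):
            return proto, i                  # bare protocol such as 'udp'
        raise ValueError("qualifier without a value near token %d" % i)
    value, i = tokens[i], i + 1
    words = [proto, direction or "src or dst", kind or "host", value]
    return " ".join(w for w in words if w), i

def parse_unary(tokens, i):
    if tokens[i] == "not":                   # 'not' binds tightest
        inner, i = parse_unary(tokens, i + 1)
        return "(not %s)" % inner, i
    if tokens[i] == "(":
        inner, i = parse_expr(tokens, i + 1)
        return inner, i + 1                  # skip the closing ')'
    return parse_primitive(tokens, i)

def parse_expr(tokens, i=0):
    """'and' and 'or' share one precedence level and associate left to right."""
    left, i = parse_unary(tokens, i)
    while i < len(tokens) and tokens[i] in ("and", "or"):
        right, j = parse_unary(tokens, i + 1)
        left, i = "(%s %s %s)" % (left, tokens[i], right), j
    return left, i

def normalize(expr):
    # Return the filter with defaults and implicit parentheses made explicit.
    tokens = re.findall(r"\(|\)|[^\s()]+", expr)
    tree, i = parse_expr(tokens)
    assert i == len(tokens), "unparsed input: " + " ".join(tokens[i:])
    return tree
```

For instance, normalize("not tcp port 3128 and tcp port 23") and normalize("not (tcp port 3128 and tcp port 23)") produce different trees, which is the point made above.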


3. TCPDUMP USE
To display the standard TCPdump output:
#tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
(packet output omitted)
To display the verbose output:
#tcpdump -v
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
(packet output omitted)
To display the quick output:
#tcpdump -q
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
(packet output omitted)
Network interfaces available for the capture:
#tcpdump -D
1.eth0
2.any (Pseudo-device that captures on all interfaces)
3.lo
To display numerical addresses rather than symbolic (DNS) addresses:
#tcpdump -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
(packet output omitted)
To capture the traffic of a particular interface:
#tcpdump -i eth0
To capture the UDP traffic:
#tcpdump udp
To capture the TCP port 80 traffic:
#tcpdump port http
To capture the traffic with a filter stored in a file:
#tcpdump -F file_name
To create the file where the filter is configured (here the TCP port 80):
#vim file_name
port 80
To stop the capture after 20 packets:
#tcpdump -c 20
To write the capture to a file instead of displaying it on the screen:
#tcpdump -w capture.log
The captured data is not stored as plain text, so you cannot read it with a text editor;
you have to use a tool such as TCPdump (see above) or Wireshark (formerly Ethereal), which provides a graphical interface.
The capture.log file is opened with Wireshark.
To read a capture file:
#tcpdump -r capture.log
reading from file capture.log, link-type EN10MB (Ethernet)
(packet output omitted)
To display the packets having "www.openmaniak.com" as their source or destination address:
#tcpdump host www.openmaniak.com
To display the FTP packets going from 192.168.1.100 to 192.168.1.2:
#tcpdump src 192.168.1.100 and dst 192.168.1.2 and port ftp
To display the packets' content:
#tcpdump -A
Packets captured during an FTP connection:
(packet output omitted; the payload shows the FTP commands USER teddybear, PASS wakeup, SYST and QUIT)
We see in this capture the FTP username (teddybear) and password (wakeup).
The FTP password can easily be intercepted because it is sent in clear text to the server.
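An added example (not part of the original page) of turning the observation above into a check: a small Python scanner over tcpdump -A output that reports every client-to-server flow on the FTP control port carrying a USER or PASS command, without recording the password itself. The sample lines are constructed in the shape of a "tcpdump -A -n port ftp" capture (numeric ports), not the page's own capture; the regular expressions assume the classic tcpdump header line format shown on this page.

```python
import re

# One tcpdump -A header line: timestamp, IP, src.sport > dst.dport:
HEADER = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP (\S+)\.(\w+) > (\S+)\.(\w+):")
CRED = re.compile(r"\b(USER|PASS) (\S+)")
FTP_PORTS = {"21", "ftp"}

def find_ftp_logins(lines):
    """Return {(client, server): {"user": ..., "password_seen": bool}} for
    every client->server flow to the FTP control port that carried USER/PASS."""
    flows, current = {}, None
    for line in lines:
        m = HEADER.match(line)
        if m:
            src, _sport, dst, dport = m.groups()
            # Only client-to-server packets can carry the login commands.
            current = (src, dst) if dport in FTP_PORTS else None
            continue
        if current is None:
            continue
        # Payload lines follow the header; header bytes print as junk before it.
        for cmd, arg in CRED.findall(line):
            rec = flows.setdefault(current, {"user": None, "password_seen": False})
            if cmd == "USER":
                rec["user"] = arg
            else:
                rec["password_seen"] = True   # record the fact, never the secret
    return flows

def report(flows):
    """One human-readable line per flow, password redacted."""
    return ["cleartext FTP login %s -> %s user=%s password=%s" %
            (c, s, r["user"], "yes" if r["password_seen"] else "no")
            for (c, s), r in sorted(flows.items())]

# Constructed sample in the shape of 'tcpdump -A -n port ftp' output
# (not the page's capture; the junk before each command stands in for header bytes).
SAMPLE = """\
20:53:24.881654 IP 192.168.1.100.40205 > 192.168.1.2.21: S 4155598838:4155598838(0) win 5840
E..<..@.@.....
20:53:26.169036 IP 192.168.1.100.40205 > 192.168.1.2.21: P 1:16(15) ack 43 win 183
E..C..@.@...USER teddybear
20:53:29.034414 IP 192.168.1.100.40205 > 192.168.1.2.21: P 16:28(12) ack 76 win 183
E..@..@.@...PASS wakeup
20:53:29.171649 IP 192.168.1.2.21 > 192.168.1.100.40205: P 76:97(21) ack 28 win 86
E..=..@.@...230 Login successful.
""".splitlines()

if __name__ == "__main__":
    print("\n".join(report(find_ftp_logins(SAMPLE))))
```

The same scanner can be fed a real capture with "tcpdump -A -n -r capture.log port ftp" piped to it line by line.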