Thursday, August 13, 2009


The following will record all raw traffic to a dump file for later analysis. The -s 0 option specifies that the full packet should be saved without truncation; the -v option makes tcpdump report every 10 seconds the number of packets captured so far.
tcpdump -i eth0 -s 0 -v -w traffic.pcap
The following tcpdump example will dump raw binary Yahoo IM traffic to stdout. Note the '-w -' option to write binary to stdout.
tcpdump -i eth0 -n -l -w - "port mmcc"
This will dump Yahoo IM traffic with unreadable binary characters filtered out. The -A option prints each packet's payload as ASCII, -q keeps the per-packet header line short, and -s 0 captures the full packet so no payload is truncated. The -l option sets line-buffered output. Remove the -t option if you would like to see a timestamp on each packet.
tcpdump -i eth0 -l -t -A -q -s 0 "port mmcc"
You may sometimes get a Permission denied error when working with tcpdump. This is probably caused by AppArmor. You can check by running this command:
grep tcpdump /sys/kernel/security/apparmor/profiles
If you see tcpdump listed in that file, you can set AppArmor to just complain instead of blocking by running the following:
aa-complain /usr/sbin/tcpdump
The following will dump mail traffic.
tcpdump -i eth0 -l -t -A -q -s 0 "port 25 or port 587 or port 110 or port 143"

To display the Standard TCPdump output:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

21:57:29.004426 IP > UDP, length 53
21:57:31.228013 arp who-has tell
21:57:31.228020 arp reply is-at 00:04:75:22:22:22 (oui Unknown)
21:57:38.035382 IP > UDP, length 53
21:57:38.613206 IP > UDP, length 36

To display the verbose output:

#tcpdump -v
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

22:00:11.625995 IP (tos 0x0, ttl 128, id 30917, offset 0, flags [none], proto: UDP (17), length: 81) > UDP, length 53
22:00:20.691903 IP (tos 0x0, ttl 128, id 31026, offset 0, flags [none], proto: UDP (17), length: 81) > UDP, length 53
22:00:21.230970 IP (tos 0x0, ttl 114, id 4373, offset 0, flags [none], proto: UDP (17), length: 64) > UDP, length 36
22:00:26.201715 arp who-has tell
22:00:26.201726 arp reply is-at 00:04:11:11:11:11 (oui Unknown)
22:00:29.706020 IP (tos 0x0, ttl 128, id 31133, offset 0, flags [none], proto: UDP (17), length: 81) > UDP, length 53
22:00:38.751355 IP (tos 0x0, ttl 128, id 31256, offset 0, flags [none], proto: UDP (17), length: 81) > UDP, length 53

Network interfaces available for the capture:

#tcpdump -D
2.any (Pseudo-device that captures on all interfaces)

To display numerical addresses rather than symbolic (DNS) addresses:

#tcpdump -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

22:02:36.111595 IP > UDP, length 53
22:02:36.669853 IP > UDP, length 36
22:02:41.702977 arp who-has tell
22:02:41.702984 arp reply is-at 00:04:11:11:11:11
22:02:45.106515 IP > UDP, length 53
22:02:50.392139 IP > NBT UDP PACKET(138)
22:02:54.139658 IP > UDP, length 53
22:02:57.866958 IP > S 3275472679:3275472679(0) win 65535

To display the quick output:

#tcpdump -q
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

22:03:55.594839 IP > tcp 0
22:03:55.698827 IP > tcp 0
22:03:56.068088 IP > tcp 0
22:03:56.068096 IP > tcp 0
22:03:57.362863 IP > UDP, length 53
22:03:57.964397 IP > UDP, length 36
22:04:06.406521 IP > UDP, length 53
22:04:15.393757 IP > UDP, length 53

Capture the traffic of a particular interface:

tcpdump -i eth0
To capture the UDP traffic:

#tcpdump udp
To capture the TCP port 80 traffic:

#tcpdump port http
To capture the traffic from a filter stored in a file:

#tcpdump -F file_name
To create a file where the filter is configured (here TCP port 80):

#vim file_name
port 80
To stop the capture after 20 packets:

#tcpdump -c 20
To send the capture output in a file instead of directly on the screen:

#tcpdump -w capture.log
To read a capture file:

#tcpdump -r capture.log
reading from file capture.log, link-type EN10MB (Ethernet)

09:33:51.977522 IP > P 1548302662:1548303275(613) ack 148796145 win 16527
09:33:52.031729 IP > . ack 613 win 86
09:33:52.034414 IP > P 1:511(510) ack 613 win86
09:33:52.034786 IP > . ack 511 win 16527

The captured data isn't stored in plain text, so you cannot read it with a text editor; you have to use a tool that understands the capture format, such as tcpdump (see above) or Wireshark (formerly Ethereal), which provides a graphical interface.

The capture.log file is opened with Wireshark.

To display the packets having "" as their source or destination address:

#tcpdump host
To display the FTP packets coming from to

#tcpdump src and dst and port ftp
To display the packets' content:

#tcpdump -A
Packets captured during an FTP connection. The FTP password can be easily intercepted because it is sent in clear text to the server.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ath0, link-type EN10MB (Ethernet), capture size 96 bytes
20:53:24.872785 IP ubuntu.local.40205 > S 4155598838:4155598838(0) win 5840
20:53:24.879473 IP ubuntu.local.40205 > . ack 1228937421 win 183
20:53:24.881654 IP ubuntu.local.40205 > . ack 43 win 183
20:53:26.402046 IP ubuntu.local.40205 > P 0:10(10) ack 43 win 183
...=..ENUSER teddybear

20:53:26.403802 IP ubuntu.local.40205 > . ack 76 win 183
20:53:29.169036 IP ubuntu.local.40205 > P 10:25(15) ack 76 win 183
......E^PASS wakeup

20:53:29.171553 IP ubuntu.local.40205 > . ack 96 win 183
20:53:29.171649 IP ubuntu.local.40205 > P 25:31(6) ack 96 win 183

20:53:29.211607 IP ubuntu.local.40205 > . ack 115 win 183
20:53:31.367619 IP ubuntu.local.40205 > P 31:37(6) ack 115 win 183

20:53:31.369316 IP ubuntu.local.40205 > . ack 155 win 183
20:53:31.369759 IP ubuntu.local.40205 > F 37:37(0) ack 156 win 183

We see in this capture the FTP username (teddybear) and password (wakeup).


Tcpdump is the premier network analysis tool for information security and networking enthusiasts and/or professionals. In my own primer I cover tcpdump basics; if you're interested in becoming familiar with the application via an introduction, I suggest you check it out first.

Here I'm simply going to give a number of recipes that you're likely to find useful during your day to day activities. They will range from common, general captures to complex filters designed to look for a number of unique traffic types.


Below are a few options you can use when invoking tcpdump in order to control the output. The examples given will be in the basic form of tcpdump $recipe, so remember to add your own options as needed.

Basic Communication // See the basics without many options

# tcpdump -nS
Basic Communication (very verbose) // see a good amount of traffic, with verbosity and no name help

# tcpdump -nnvvS
A deeper look at the traffic // adds -X for payload but doesn't grab any more of the packet

# tcpdump -nnvvXS
Heavy packet viewing // the final "s" increases the snaplength, grabbing the whole packet

# tcpdump -nnvvXSs 1514


1. host // look for traffic based on IP address (also works with hostname if you're not using -n)
# tcpdump host

2. src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)
# tcpdump src
# tcpdump dst

3. net // capture an entire network using CIDR notation
# tcpdump net

4. proto // works for tcp, udp, and icmp. Note that you don't have to type proto
# tcpdump icmp

5. port // see only traffic to or from a certain port
# tcpdump port 3389

6. src, dst port // filter based on the source or destination port
# tcpdump src port 1025
# tcpdump dst port 3389


TCP traffic from destined for port 3389:
# tcpdump tcp and src and dst port 3389

Traffic originating from the 192.168 network headed for the 10 or 172.16 networks:
# tcpdump src net and dst net or

Non-ICMP traffic destined for from the 172.16 network:
# tcpdump dst and src net and not icmp

Traffic originating from Mars or Pluto that isn't to the SSH port:
# tcpdump -vv src mars or pluto and not dst port 22

Traffic that's from AND destined for ports 3389 or 22:
# tcpdump 'src and (dst port 3389 or 22)'

Advanced filters can help with troubleshooting and can reveal anomalous traffic on a network that would normally go unnoticed.

Finding Flags

Hint: Use the following acronym to remember your flags: Unskilled Attackers Pester Real Security Folk

Show me all URG packets:
# tcpdump 'tcp[13] & 32 != 0'

Show me all ACK packets:
# tcpdump 'tcp[13] & 16 != 0'

Show me all PSH packets:
# tcpdump 'tcp[13] & 8 != 0'

Show me all RST packets:
# tcpdump 'tcp[13] & 4 != 0'

Show me all SYN packets:
# tcpdump 'tcp[13] & 2 != 0'

Show me all FIN packets:
# tcpdump 'tcp[13] & 1 != 0'

Show me all SYN-ACK packets:
# tcpdump 'tcp[13] = 18'
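As an added example (not from the original post), this Python script reads a capture written with -w, which the text above notes is binary rather than plain text, and evaluates four of the tcp[13] flag filters from the Finding Flags list on every frame, showing why 'tcp[13] & 2 != 0' also matches SYN-ACKs while 'tcp[13] = 18' matches only them. The pcap bytes, MAC addresses and IP addresses are constructed here; the parser assumes EN10MB (Ethernet) captures carrying IPv4.

```python
import struct
URG, ACK, PSH, RST, SYN, FIN = 32, 16, 8, 4, 2, 1  # bit values of the tcp[13] flags byte
FILTERS = {  # four of the page's filters, evaluated on tcp[13] exactly as BPF does
    "tcp[13] & 2 != 0": lambda f: f & SYN != 0,  # any SYN, SYN-ACK included
    "tcp[13] & 4 != 0": lambda f: f & RST != 0,
    "tcp[13] & 1 != 0": lambda f: f & FIN != 0,
    "tcp[13] = 18": lambda f: f == SYN | ACK,  # exactly SYN+ACK and nothing else
}

def tcp_flags(frame):  # tcp[13] of an Ethernet/IPv4/TCP frame, None if it is not TCP
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4  # tcp[13] counts from the TCP header, so honour IP options
    return frame[14 + ihl + 13]

def read_pcap(data):  # yield frames from a libpcap file (what tcpdump -w writes)
    magic, = struct.unpack("<I", data[:4])
    e = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"  # file endianness from the magic
    assert struct.unpack(e + "I", data[20:24])[0] == 1, "EN10MB (Ethernet) captures only"
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack(e + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def count_matches(pcap_bytes):  # per filter expression, how many frames match it
    hits = {expr: 0 for expr in FILTERS}
    for frame in read_pcap(pcap_bytes):
        flags = tcp_flags(frame)
        if flags is not None:
            for expr, test in FILTERS.items():
                hits[expr] += int(test(flags))
    return hits

def build_frame(flags, ip_options=b""):  # constructed frame, hypothetical private addresses
    ihl = 5 + len(ip_options) // 4
    tcp = struct.pack("!HHIIBBHHH", 40205, 21, 1, 1, 5 << 4, flags, 5840, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(ip_options) + len(tcp), 1, 0,
                     64, 6, 0, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    return b"\x00\x04\x75\x22\x22\x22\x00\x04\x11\x11\x11\x11\x08\x00" + ip + ip_options + tcp

def build_pcap(frames):  # constructed little-endian pcap, link-type 1 (EN10MB), like tcpdump -w
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1250000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

# Constructed sample: a handshake, a FIN, and a RST whose IPv4 header carries 4 bytes of options.
SAMPLE = build_pcap([build_frame(SYN), build_frame(SYN | ACK), build_frame(ACK),
                     build_frame(FIN | ACK), build_frame(RST | ACK, ip_options=b"\x01" * 4)])
```

Pointing read_pcap at the bytes of a real capture.log lets you verify a filter expression offline against packets you already hold before running it live.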
