
Wednesday, December 7, 2011

tcpdump packet analyser: some interesting commands

tcpdump is a command-line packet analyser: it captures the frames passing through a network interface and prints a one-line decode of each.


tcpdump runs on most Unix-like operating systems. It can save the captured packets to a file for later analysis; the saved file can be read back with tcpdump itself, or with open source tools such as Wireshark that understand the same pcap format.
In this tutorial, let us go through some practical examples of how to use the tcpdump command.

1. Capture packets from a particular ethernet interface using tcpdump -i :

When you run tcpdump without -i, it listens on the first configured non-loopback interface it finds (on Linux, -i any captures on all interfaces at once). The -i option selects the interface to capture on.

[root@server199 ~]# tcpdump -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
13:54:40.373435 IP server199.ssh > openfiler.cst-port: P 2206499536:2206499732(196) ack 474299364 win 17152
13:54:40.373602 IP server199.ssh > openfiler.cst-port: P 196:344(148) ack 1 win 17152
13:54:40.373664 IP openfiler.cst-port > server199.ssh: . ack 196 win 65183
13:54:40.383680 IP server199.ssh > openfiler.cst-port: P 344:556(212) ack 1 win 17152
13:54:40.383766 IP server199.ssh > openfiler.cst-port: P 556:688(132) ack 1 win 17152
13:54:40.383796 IP server199.ssh > openfiler.cst-port: P 688:820(132) ack 1 win 17152
13:54:40.384319 IP openfiler.cst-port > server199.ssh: . ack 556 win 64823 
Note: the editcap utility (part of the Wireshark distribution) selects or removes specific packets from a capture file and converts between capture file formats.

2. Capture only N number of packets using tcpdump -c :

[root@server199 ~]# tcpdump -c 2 -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
13:55:52.542557 IP server199.ssh > openfiler.cst-port: P 2206531760:2206531876(116) ack 474300768 win 17152
13:55:52.542761 IP server199.ssh > openfiler.cst-port: P 116:232(116) ack 1 win 17152
2 packets captured
2 packets received by filter
0 packets dropped by kernel
Note: mergecap combines several capture files into a single one; tshark is the command-line capture and analysis tool that ships with the Wireshark distribution.

3. Display Captured Packets in ASCII using tcpdump -A :

[root@server199 ~]# tcpdump -c 2 -A -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
13:57:46.459720 IP server199.ssh > openfiler.cst-port: P 2206533564:2206533760(196) ack 474301600 win 17152
E....M@.@....................ED.P.C.....MJ.Pje. .c...-...(.....f...n.._..p.E%.b/=p
13:57:46.460333 IP openfiler.cst-port > server199.ssh: . ack 196 win 64355
E..(h.@..................ED.....P..c2.........
2 packets captured
2 packets received by filter
0 packets dropped by kernel

Note: Ifconfig command is used to configure network interfaces.

4. Display Captured Packets in HEX and ASCII using tcpdump -XX :

[root@server199 ~]# tcpdump -c 2 -XX -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
13:59:49.457052 IP server199.ssh > openfiler.cst-port: P 2206535128:2206535244(116) ack 474302276 win 17152
        0x0000:  001c c0f8 3f33 001c c0f8 3ea9 0800 4510  ....?3....>...E.
        0x0010:  009c f660 4000 4006 bdcf c0a8 02c7 c0a8  ...`@.@.........
        0x0020:  0204 0016 0e9e 8385 0dd8 1c45 4744 5018  ...........EGDP.
        0x0030:  4300 2a59 0000 c1de 4234 01e9 091c aea1  C.*Y....B4......
        0x0040:  7b6e 8ce8 a715 2061 ff71 d2ca 5c8e 0a16  {n.....a.q..\...
        0x0050:  43c5 fd43 4f92 2828 5bb5 548e e274 679d  C..CO.(([.T..tg.
13:59:49.457362 IP server199.ssh > openfiler.cst-port: P 116:232(116) ack 1 win 17152
        0x0000:  001c c0f8 3f33 001c c0f8 3ea9 0800 4510  ....?3....>...E.
        0x0010:  009c f661 4000 4006 bdce c0a8 02c7 c0a8  ...a@.@.........
        0x0020:  0204 0016 0e9e 8385 0e4c 1c45 4744 5018  .........L.EGDP.
        0x0030:  4300 f842 0000 95c8 c2ab 1ee9 e99d b7a6  C..B............
        0x0040:  87ba fa85 23c7 fb4e 9c70 dc98 0b29 0968  ....#..N.p...).h
        0x0050:  ae08 afcc 49e7 2c8b a13e f294 2d34 2f22  ....I.,..>..-4/"
2 packets captured
2 packets received by filter
0 packets dropped by kernel
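As an added example (not part of the original post), the following Python decodes the first packet of the -XX output above by hand: it transcribes the 96 captured bytes, walks the Ethernet, IPv4 and TCP headers, verifies the IPv4 header checksum, and rebuilds both the one-line summary in the older `P seq:seq+len(len) ack N win W` format this post shows (with numeric ports, as -n would print them) and the -XX hex/ASCII dump. The function names and the returned field names are my own, not tcpdump's.

```python
import struct

# The 96 bytes of the first packet in the -XX output above, transcribed
# from the blog post (capture size 96 bytes = snaplen, so the SSH payload
# is cut short).
PACKET = bytes.fromhex(
    "001cc0f83f33001cc0f83ea908004510"
    "009cf66040004006bdcfc0a802c7c0a8"
    "020400160e9e83850dd81c4547445018"
    "43002a590000c1de423401e9091caea1"
    "7b6e8ce8a7152061ff71d2ca5c8e0a16"
    "43c5fd434f9228285bb5548ee274679d"
)

TCP_FLAG_LETTERS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"))
TCP_ACK = 0x10


def hexdump(data):
    """Render bytes like `tcpdump -XX`: offset, 16 bytes as 8 hex words,
    then ASCII with non-graphic bytes (space included) shown as '.'."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        words = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 0x21 <= b <= 0x7E else "." for b in chunk)
        lines.append(f"0x{off:04x}:  {words:<39}  {text}")
    return lines


def ip_checksum(header):
    """RFC 1071 one's-complement sum over an IPv4 header. Run over the header
    with its checksum field included, the result is 0 if the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(data):
    """Decode Ethernet II / IPv4 / TCP headers from a captured frame and return
    the fields tcpdump prints in its summary line. Raises on anything else."""
    if len(data) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", data[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = data[14:]
    ihl = (ip[0] & 0x0F) * 4 if ip else 0
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("truncated IPv4 header")
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    if proto != 6:
        raise ValueError(f"not TCP: IP protocol {proto}")
    tcp = ip[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    doff = (off_flags >> 12) * 4
    return {
        "src_mac": ":".join(f"{b:02x}" for b in src_mac),
        "dst_mac": ":".join(f"{b:02x}" for b in dst_mac),
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "win": win,
        # Payload length comes from the IP total length, not from the bytes on
        # hand: with a 96-byte snaplen most of the segment was never captured.
        "payload_len": total_len - ihl - doff,
        "captured_payload": max(len(tcp) - doff, 0),
    }


def summarize(pkt):
    """Rebuild the summary line in the (pre-4.x) tcpdump format seen above:
    'IP src.sport > dst.dport: P seq:seq+len(len) ack N win W'."""
    letters = "".join(l for bit, l in TCP_FLAG_LETTERS if pkt["flags"] & bit) or "."
    end = pkt["seq"] + pkt["payload_len"]
    line = (f"IP {pkt['src']}.{pkt['sport']} > {pkt['dst']}.{pkt['dport']}: "
            f"{letters} {pkt['seq']}:{end}({pkt['payload_len']})")
    if pkt["flags"] & TCP_ACK:
        line += f" ack {pkt['ack']}"
    return line + f" win {pkt['win']}"


if __name__ == "__main__":
    pkt = parse_frame(PACKET)
    print(summarize(pkt))
    print(f"  captured {pkt['captured_payload']} of {pkt['payload_len']} payload bytes")
    for line in hexdump(PACKET):
        print("\t" + line)
```

Running it reproduces the summary line of the first packet above (sequence 2206535128:2206535244, 116 payload bytes, ack 474302276, window 17152) and the first -XX line byte for byte; only 42 of the 116 payload bytes are actually present in the 96-byte capture, which is why a pcap saved with this default snaplen is of little use for payload analysis.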

5. Capture the packets and write into a file using tcpdump -w :

With -w tcpdump writes the raw packets to a file instead of decoding them, so -XX has no visible effect here. Each packet is saved only up to the capture size (96 bytes in this tcpdump version), which truncates most payloads; for a capture meant for later analysis, use -s 0 (or a large enough -s value) so whole packets are saved.

[root@server199 ~]# tcpdump -w test.pcap -c 2 -XX -i eth1
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
2 packets captured
2 packets received by filter
0 packets dropped by kernel

6. Reading the packets from a saved file using tcpdump -r :

[root@server199 ~]# tcpdump -tttt -r test.pcap
reading from file test.pcap, link-type EN10MB (Ethernet)
2011-12-07 14:00:55.509268 IP server199.ssh > openfiler.cst-port: P 2206541352:2206541484(132) ack 474305448 win 17152
2011-12-07 14:00:55.509869 IP openfiler.cst-port > server199.ssh: . ack 132 win 65351

The -tttt option prints a full date and time before each packet instead of the bare time of day (see example 8).
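As an added example (not from the original post), here is a Python model of what -w and -r do with the file: it writes a pcap file in the format tcpdump uses (a 24-byte global header, then a 16-byte record header per packet), truncating each frame to the snaplen the way the kernel does at capture time, and reads it back, formatting timestamps the way -tttt prints them and flagging records that were truncated. The frames are constructed for the example; the two timestamps reuse the values printed above, taken as UTC so the output is reproducible. Only the classic microsecond pcap format is handled, not pcapng.

```python
import struct
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4   # microsecond-resolution pcap, written in host byte order
LINKTYPE_ETHERNET = 1     # what tcpdump reports as "link-type EN10MB"

# A constructed 60-byte frame standing in for one captured SSH segment; the
# content is not from the post, only its length matters here.
SAMPLE_FRAME = bytes(range(60))
# The first timestamp tcpdump -tttt printed above, interpreted as UTC so the
# round trip is deterministic (tcpdump itself prints local time).
SAMPLE_TS = datetime(2011, 12, 7, 14, 0, 55, 509268, tzinfo=timezone.utc).timestamp()


def build_pcap(packets, snaplen=96, linktype=LINKTYPE_ETHERNET):
    """Serialize (timestamp, frame) pairs as tcpdump -w would, truncating each
    frame to snaplen. Record header: ts_sec, ts_usec, incl_len, orig_len."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts, frame in packets:
        sec, usec = divmod(round(ts * 1_000_000), 1_000_000)
        data = frame[:snaplen]
        out.append(struct.pack("<IIII", sec, usec, len(data), len(frame)) + data)
    return b"".join(out)


def parse_pcap(blob):
    """Parse a pcap blob the way tcpdump -r reads it: detect the byte order
    from the magic, then walk the fixed-size record headers, refusing records
    that claim more bytes than the snaplen or than the file actually holds."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError(f"not a pcap file: magic 0x{magic:08x}")
    _, major, minor, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", blob[:24])
    records, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        sec, usec, incl_len, orig_len = struct.unpack(endian + "IIII", blob[off:off + 16])
        if incl_len > snaplen or incl_len > orig_len or off + 16 + incl_len > len(blob):
            raise ValueError(f"corrupt record at offset {off}")
        stamp = datetime.fromtimestamp(sec, timezone.utc).replace(microsecond=usec)
        records.append({
            "time": stamp.strftime("%Y-%m-%d %H:%M:%S.%f"),  # the -tttt layout
            "caplen": incl_len,
            "len": orig_len,
            "truncated": incl_len < orig_len,   # payload lost to the snaplen
            "data": blob[off + 16: off + 16 + incl_len],
        })
        off += 16 + incl_len
    return {"version": (major, minor), "snaplen": snaplen,
            "linktype": linktype, "records": records}


if __name__ == "__main__":
    import os
    import tempfile
    blob = build_pcap([(SAMPLE_TS, SAMPLE_FRAME),
                       (SAMPLE_TS + 0.000601, SAMPLE_FRAME * 3)])
    path = os.path.join(tempfile.mkdtemp(), "test.pcap")
    with open(path, "wb") as fh:
        fh.write(blob)
    with open(path, "rb") as fh:
        cap = parse_pcap(fh.read())
    print(f"reading from file {path}, link-type {cap['linktype']}, snaplen {cap['snaplen']}")
    for rec in cap["records"]:
        note = " [truncated]" if rec["truncated"] else ""
        print(f"{rec['time']} caplen {rec['caplen']} len {rec['len']}{note}")
```

The second frame is 180 bytes long but only 96 are stored, and the record header keeps both numbers; that `caplen < len` condition is what a reader has to check before trusting any payload pulled out of a capture made with the default capture size.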

7. Print addresses numerically using tcpdump -n :

The -n option disables reverse DNS lookups, so hosts appear as IP addresses instead of names such as server199 and openfiler. Port numbers are still resolved through /etc/services (ssh, cst-port); use -nn to print those numerically as well.

[root@server199 ~]# tcpdump -c 2 -n  -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
14:03:52.239579 IP 192.168.2.199.ssh > 192.168.2.4.cst-port: P 2206560936:2206561052(116) ack 474312884 win 17152
14:03:52.239638 IP 192.168.2.199.ssh > 192.168.2.4.cst-port: P 116:232(116) ack 1 win 17152
2 packets captured
2 packets received by filter
0 packets dropped by kernel


8. Capture packets with proper readable timestamp using tcpdump -tttt :

[root@server199 ~]# tcpdump -c 2 -tttt  -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
2011-12-07 14:05:11.288023 IP server199.ssh > openfiler.cst-port: P 2206563600:2206563716(116) ack 474314496 win 17152
2011-12-07 14:05:11.288165 IP server199.ssh > openfiler.cst-port: P 116:232(116) ack 1 win 17152
2 packets captured
2 packets received by filter
0 packets dropped by kernel

9. Capture packets longer or shorter than N bytes :

The length qualifiers are inclusive: greater 100 matches packets whose length is at least 100 bytes, and less 50 matches packets of at most 50 bytes (the ARP replies below). The length tested is the packet's real length on the wire, not the 96 bytes that were captured.

[root@server199 ~]# tcpdump -c 2 -tttt  -i eth1 greater 100
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
2011-12-07 14:06:18.691421 IP server199.ssh > openfiler.cst-port: P 2206569996:2206570112(116) ack 474317356 win 17152
2011-12-07 14:06:18.691579 IP server199.ssh > openfiler.cst-port: P 116:232(116) ack 1 win 17152
2 packets captured
2 packets received by filter
0 packets dropped by kernel
[root@server199 ~]# tcpdump -c 2 -tttt  -i eth1 less 50
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
2011-12-07 14:09:48.091340 arp reply server199 is-at 00:1c:c0:f8:3e:a9 (oui Unknown)
2011-12-07 14:10:16.094128 arp reply server199 is-at 00:1c:c0:f8:3e:a9 (oui Unknown)
2 packets captured
5 packets received by filter
0 packets dropped by kernel

10. Receive only the packets of a specific protocol type :

You can filter packets by protocol type. The protocol qualifiers tcpdump accepts are ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp. The following example captures only UDP packets flowing through the eth1 interface, which here turn out to be DNS queries.

[root@server199 ~]# tcpdump -c 2 -tttt  -i eth1 udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
2011-12-07 14:08:03.755831 IP server199.43143 > 202.138.97.193.domain:  9720+ AAAA? www.desimusic.com. (35)
2011-12-07 14:08:03.776733 IP server199.35734 > 202.138.97.193.domain:  20852+ PTR? 193.97.138.202.in-addr.arpa. (45)
2 packets captured
5 packets received by filter
0 packets dropped by kernel

11. Capture packets on a particular port using tcpdump port :

To see all traffic to or from a given port on a machine, use the port qualifier. On its own it matches the port as either source or destination, which is why the SSH packets below appear in both directions; use src port or dst port to restrict it to one side.

[root@server199 ~]# tcpdump -c 2 -tttt  -i eth1 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
2011-12-07 14:11:04.494260 IP server199.ssh > openfiler.cst-port: P 2206581484:2206581680(196) ack 474322660 win 17152
2011-12-07 14:11:04.494604 IP openfiler.cst-port > server199.ssh: . ack 196 win 65535
2 packets captured
6 packets received by filter
0 packets dropped by kernel 

12. Capture packets for particular destination IP and Port

Every packet carries a source and a destination IP address and port number, and tcpdump can filter on any of them. The following command captures packets on eth1 with destination IP 192.168.2.4 and port 22. Note that dst on its own means dst host, while port 22 still matches either side: the packets shown have port 22 as their source and cst-port as their destination. To require port 22 on the destination side too, use dst port 22.

[root@server199 ~]# tcpdump -c 2 -n -tttt  -i eth1 dst 192.168.2.4 and port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
2011-12-07 14:12:15.542430 IP 192.168.2.199.ssh > 192.168.2.4.cst-port: P 2206587440:2206587556(116) ack 474326612 win 17152
2011-12-07 14:12:15.542499 IP 192.168.2.199.ssh > 192.168.2.4.cst-port: P 116:232(116) ack 1 win 17152
2 packets captured
2 packets received by filter
0 packets dropped by kernel

13. Capture TCP communication packets between two hosts:

If two processes on two different machines are talking over TCP, their packets can be captured to a file as shown below. The filter used here only pins the destination host and port 22; to restrict the capture to TCP between two specific peers, add the tcp qualifier and a host primitive for each peer.

[root@server199 ~]# tcpdump -c 2 -w comm.pcap -i eth1 dst 192.168.2.4 and port 22
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
2 packets captured
4 packets received by filter
0 packets dropped by kernel 

14. tcpdump Filter Packets – Capture all the packets other than arp and rarp:

Filter primitives can be combined with and, or and not to build the expression you need; parentheses are allowed as well but must be quoted so the shell does not interpret them.
[root@server199 ~]# tcpdump -i eth1 not arp and not rarp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
14:18:45.414205 IP server199.ssh > openfiler.cst-port: P 2206634628:2206634824(196) ack 474348588 win 17152
14:18:45.414821 IP openfiler.cst-port > server199.ssh: . ack 196 win 64195
14:18:45.567644 IP server199.ssh > openfiler.cst-port: P 196:344(148) ack 1 win 17152
14:18:45.567712 IP server199.ssh > openfiler.cst-port: P 344:460(116) ack 1 win 17152
14:18:45.567781 IP server199.ssh > openfiler.cst-port: P 460:592(132) ack 1 win 17152
14:18:45.568467 IP openfiler.cst-port > server199.ssh: . ack 460 win 65535

Enjoy working with the tcpdump packet analyser!
A Special Thanks to The Geek Stuff Admin.
Kuldeep Sharma