Dump traffic on a network with tcpdump
- Last updated: Feb 15, 2021
tcpdump is a command-line packet analyzer. It captures through libpcap and selects packets with the pcap-filter (BPF) expression syntax used in the examples below.
Configuration
- tcpdump : 4.9.3
Main options
- -n : don't convert addresses to names (disables DNS resolution; the examples below use -nn, which on older releases was needed to leave port numbers unresolved as well)
- -X : in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII.
- -S : print absolute, rather than relative, TCP sequence numbers.
- -i : listen on interface, -i any can be used to capture packets from all interfaces (on Linux the any pseudo-interface captures in cooked mode: no promiscuous mode, and a Linux cooked header instead of an Ethernet header)
- -XX : same as -X including its link level header
- -v, -vv or -vvv : increase verbose output
- -c count : exit after receiving count packets
- -e : print the link level header on each dump line
- -q : print less protocol information so output lines are shorter.
- -E : use spi@ipaddr algo:secret for decrypting IPsec ESP packets (the secret given on the command line is visible in the process list; the man page also documents reading the list from a file).
- -w : write the raw packets to file
- -r : read packets from file
- -s : snarf snaplen bytes of data from each packet rather than the default of 65535 bytes. You should limit snaplen to the smallest number that will capture the protocol information you're interested in. Setting snaplen to 0 sets it to the default of 65535, for backwards compatibility with recent older versions of tcpdump.
Operators
- and or && :
root@host:~# tcpdump -nnvvS src 10.5.2.3 and dst port 3389
- or or || :
root@host:~# tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16
- not or ! :
root@host:~# tcpdump -vv src mars and not dst port 22
- group :
root@host:~# tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'
Notes on the expression syntax (pcap-filter(7)): not binds tightest; and and or have equal precedence and associate left to right, so the or example means (src net 192.168.0.0/16 and dst net 10.0.0.0/8) or dst net 172.16.0.0/16. A value without its own qualifier inherits the previous one, so dst port 3389 or 22 is dst port 3389 or dst port 22. Parentheses and ! are shell metacharacters, so quote the whole expression as in the group example. tcpdump -d 'expression' prints the compiled filter program instead of capturing, a quick way to check that an expression parsed the way you meant.
Examples
Main examples
- Only listen to a specific host (1.2.3.4), as source or destination
root@host:~# tcpdump host 1.2.3.4
- src 1.2.3.4 : source address filter
- dst 1.2.3.4 : destination address filter
root@host:~# tcpdump src 1.2.3.4
- protocol filter
root@host:~# tcpdump icmp
- port filter
root@host:~# tcpdump port 443
- port range filter
root@host:~# tcpdump portrange 443-445
- source port filter
root@host:~# tcpdump src port 443
- source port filter combined with a protocol filter
root@host:~# tcpdump src port 443 and tcp
- MAC address, as source or destination :
root@host:~# tcpdump -i eth0 -A -n -vv ether host 0f:08:6d:6f:bb:0d
- Broadcast messages :
root@host:~# tcpdump -i eth0 -A -n -vv ether broadcast
- Quit after 50 frames :
root@host:~# tcpdump -i eno2.113 -A -vvv -n -c 50 'icmp and host 192.168.1.254'
Pcap File
- Create a capture file and rotate it automatically every 3600 seconds. The -w name must contain strftime(3) conversions, otherwise each rotation overwrites the same file; add -W n to stop after n files
root@host:~# tcpdump -i eth1 -w %F_%H%M -G 3600
- Cut a time window out of a pcap file with editcap (part of Wireshark; on Debian/Ubuntu the tshark package pulls it in). -A keeps packets at or after the start time, -B packets before the end time, both as "YYYY-MM-DD HH:MM:SS"
root@host:~# apt-get install tshark
root@host:~# editcap -F libpcap -A "2015-06-02 17:10:00" -B "2015-06-02 17:20:00" 2015-06-02_1631 2015-06-02_1710_1720.NEW
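An added example, not from the original page or from the tcpdump/Wireshark projects: a minimal Python reader for the libpcap files that -w writes. It reproduces the editcap time-window cut from the previous item and flags records shortened by the -s snaplen from the options list (captured length smaller than original length). The capture bytes are constructed inline, and the example treats the start/end strings as UTC (an assumption of this example; check how your editcap interprets them before comparing results).

```python
"""Read and cut the libpcap files that tcpdump -w writes.

Added example, not part of the original page or of tcpdump/Wireshark.
Pure-Python equivalents of the editcap -A/-B time-window cut and a check
for records truncated by the -s snaplen. Sample capture is constructed
inline; timestamps are treated as UTC (assumption of this example).
"""
import struct
from datetime import datetime, timezone

MAGIC_US = 0xA1B2C3D4  # microsecond timestamps (tcpdump default)
MAGIC_NS = 0xA1B23C4D  # nanosecond timestamps (--time-stamp-precision=nano)
HDR = 24               # global header size
REC = 16               # per-record header size


def _byte_order(data: bytes):
    """Return (struct byte-order prefix, timestamp divisor) from the magic number."""
    if len(data) < HDR:
        raise ValueError("short pcap header")
    for order in ("<", ">"):
        magic, = struct.unpack(order + "I", data[:4])
        if magic in (MAGIC_US, MAGIC_NS):
            return order, 1e9 if magic == MAGIC_NS else 1e6
    raise ValueError("not a libpcap file (pcapng is not handled here)")


def _records(data: bytes):
    """Yield (timestamp, caplen, origlen, raw record bytes) for every record."""
    order, div = _byte_order(data)
    off = HDR
    while off + REC <= len(data):
        ts_sec, ts_frac, caplen, origlen = struct.unpack(order + "IIII", data[off:off + REC])
        end = off + REC + caplen
        if end > len(data):
            raise ValueError("record at offset %d runs past end of file" % off)
        yield ts_sec + ts_frac / div, caplen, origlen, data[off:end]
        off = end


def packets(data: bytes):
    """Return [(timestamp, truncated_by_snaplen, packet_bytes), ...]."""
    return [(ts, caplen < origlen, rec[REC:]) for ts, caplen, origlen, rec in _records(data)]


def truncated_count(data: bytes) -> int:
    """Records cut short by snaplen: a sign the capture needs a larger -s."""
    return sum(1 for _, caplen, origlen, _ in _records(data) if caplen < origlen)


def _utc(stamp: str) -> float:
    """Parse 'YYYY-MM-DD HH:MM:SS' as UTC epoch seconds (assumption: UTC)."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()


def cut_pcap(data: bytes, start: str, end: str) -> bytes:
    """Keep records with start <= timestamp < end, like editcap -A start -B end.

    The global header (snaplen, link type, byte order) is copied unchanged.
    """
    lo, hi = _utc(start), _utc(end)
    body = b"".join(rec for ts, _, _, rec in _records(data) if lo <= ts < hi)
    return data[:HDR] + body


def build_sample(order: str = "<") -> bytes:
    """Constructed capture: three 60-byte frames at 17:05, 17:15 and 17:25 UTC
    on 2015-06-02, written with snaplen 40 so the last record is truncated."""
    header = struct.pack(order + "IHHiIII", MAGIC_US, 2, 4, 0, 0, 40, 1)  # linktype 1 = Ethernet
    base = int(_utc("2015-06-02 17:05:00"))
    recs = []
    for i, (delta, caplen) in enumerate([(0, 60), (600, 60), (1200, 40)]):
        payload = bytes([i]) * caplen  # dummy frame contents, not a real Ethernet frame
        recs.append(struct.pack(order + "IIII", base + delta, 0, caplen, 60) + payload)
    return header + b"".join(recs)


SAMPLE_PCAP = build_sample()

if __name__ == "__main__":
    window = cut_pcap(SAMPLE_PCAP, "2015-06-02 17:10:00", "2015-06-02 17:20:00")
    print("records:", len(packets(SAMPLE_PCAP)), "truncated:", truncated_count(SAMPLE_PCAP))
    print("records in 17:10-17:20 window:", len(packets(window)))
```

Only the magic number is used to decide byte order and timestamp precision; the rest of the global header is copied verbatim into the cut file so the snaplen and link type still describe the records. A file written by tcpdump -w on a 4.9.x host is libpcap format; if a tool hands you pcapng instead, the reader refuses it rather than misparsing the block structure.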
IPsec traffic
If you tcpdump on the machine that terminates a policy-based IPsec tunnel (kernel XFRM with no virtual tunnel interface), the physical interface only shows ESP packets: inbound traffic is captured before the kernel decrypts it and outbound traffic after it is encrypted. With an xfrm or VTI interface you can capture on that interface directly. Otherwise, to get decapsulated traffic, use netfilter/iptables with NFLOG, which sees inbound packets after decryption and outbound packets before encryption.
- iptables rules (group 5 is arbitrary; it only has to match the nflog:5 interface below) :
root@host:~# iptables -t mangle -I PREROUTING -m policy --pol ipsec --dir in -j NFLOG --nflog-group 5
root@host:~# iptables -t mangle -I POSTROUTING -m policy --pol ipsec --dir out -j NFLOG --nflog-group 5
- Getting traffic :
root@host:~# tcpdump -s 0 -n -i nflog:5
Remove the two rules when you are done: NFLOG copies every matching packet to user space for as long as they are in place. For a capture of the ESP packets that already exists, the alternative is tcpdump -E with the SA keys, which ip xfrm state shows when run as root.