Dump traffic on a network with tcpdump

• Last updated: Feb 15, 2021

tcpdump is a command line packet analyzer.

Configuration

• tcpdump : 4.9.3

Main options

• -n : don't convert addresses (disable DNS resolution)
• -X : in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII.
• -S : print absolute, rather than relative, TCP sequence numbers.
• -i : listen on interface, -i any can be used to capture packets from all interfaces
• -XX : same as -X including its link level header
• -v -vv or -vvv : increase verbose output
• -c count : exit after receiving count packets
• -e : print the link level header on each dump line
• -q : Print less protocol information so out‐ put lines are shorter.
• -E : Use spi@ipaddr algo:secret for decrypting IPsec ESP packets.
• -w : write the raw packets to file
• -r : read packets from file
• -s : Snarf snaplen bytes of data from each packet rather than the default of 65535 bytes. You should limit snaplen to the smallest number that will capture the protocol information you're interested in. Setting snaplen to 0 sets it to the default of 65535, for back-wards compatibility with recent older versions of tcpdump.

Operators

• and or && :

root@host:~# tcpdump -nnvvS and src 10.5.2.3 and dst port 3389

• or or || :

root@host:~# tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16

• not or ! :

root@host:~# tcpdump -vv src mars and not dst port 22

• group :

root@host:~# tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'

Examples

Main examples

• Only listen a specific host (1.2.3.4)

root@host:~# tcpdump host 1.2.3.4

• src 1.2.3.4 : source address filter
• dst 1.2.3.4 : destination address filter

root@host:~# tcpdump src 1.2.3.4

• protocol filter

root@host:~# tcpdump icmp

• port filter

root@host:~# tcpdump port 443

• ports range filter

root@host:~# tcpdump portrange 443-445

• source port filter

root@host:~# tcpdump src port 443

• source port filter and port filter

root@host:~# tcpdump src port 443 and tcp

• MAC address :

root@host:~# tcpdump -i eth0 -A -n -vv ether host 0f:08:6d:6f:bb:0d

• Broadcast messages :

root@host:~# tcpdump -i eth0 -A -n -vv ether broadcast

• Quit after 50 frames :

root@host:~# tcpdump -i eno2.113 -A -vvv -n -c 50 'icmp and host 192.168.1.254'

Pcap File

• Create a capture file and rotate automatically each 3600 seconds

root@host:~# tcpdump -i eth1 -w %F_%H%M -G 3600

• Cut a sequence from a pcap file

root@host:~# apt-get install tshark

root@host:~# editcap -F libpcap -A "2015-06-02 17:10:00" -B "2015-06-02 17:20" 2015-06-02_1631 2015-06-02_1710_1720.NEW

IPsec traffic

If you tcpdump from the machine which established the ipsec tunnel you won't be able to see decapsulated traffic. You will only see ESP packets. To be able to get decapsulated traffic we will have to use netfilter/iptables with nflog.

• iptables rules :

root@host:~# iptables -t mangle -I PREROUTING -m policy --pol ipsec --dir in -j NFLOG --nflog-group 5

root@host:~# iptables -t mangle -I POSTROUTING -m policy --pol ipsec --dir out -j NFLOG --nflog-group 5

• Getting traffic :

root@host:~# tcpdump -s 0 -n -i nflog:5

References

• http://www.danielmiessler.com/study/tcpdump/
• https://wiki.strongswan.org