TCP Dump

Tcpdump
TCPdump is a very powerful command line interface packet sniffer.

It must be launched as root or with superuser rights because of the its use of the promiscuous mode or
to be sure to have sufficent privilileges on a network device or a socket.
Wireshark (formerly ethereal) can be used as an alternative to TCPdump but with a GUI interface.
Wireshark can be used to read the logs captured by TCPdump too.
1. TCPDUMP DOWNLOAD
2. TCPDUMP SYNTAX
3. TCPDUMP EXAMPLES
1. TCPDUMP DOWNLOAD:
To download TCPdump:
#apt-get install tcpdump
To see the TCPdump dependencies:
#apt-cache depends tcpdump
tcpdump
Depends: libc6
Depends: libpcap0.8
Depends: libssl0.9.8
To see the installed TCPdump version:
#apt-cache policy tcpdump
tcpdump:
Installed: 3.9.4-2ubuntu0.1
Candidate: 3.9.4-2ubuntu0.1
Version table:
*** 3.9.4-2ubuntu0.1 0
500 http://security.ubuntu.com dapper-security/main Packages
100 /var/lib/dpkg/status
3.9.4-2 0
500 http://ch.archive.ubuntu.com dapper/main Packages
2. TCPDUMP SYNTAX
Syntax:
Protocol
Direction
Host(s)
Value
Logical Operations
Other expression
Example:
tcp
dst
10.1.1.1
80
and
tcp dst 10.2.2.2 3128
Protocol:
Values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.
If no protocol is specified, all the protocols are used.
Direction:
Values: src, dst, src and dst, src or dst
If no source or destination is specified, the "src or dst" keywords are applied.
For example, "host 10.2.2.2" is equivalent to "src or dst host 10.2.2.2".
Host(s):
Values: net, port, host, portrange.
If no host(s) is specified, the "host" keyword is used.
For example, "src 10.1.1.1" is equivalent to "src host 10.1.1.1".
Logical Operations:
Values: not, and, or.
Negation ("not") has highest precedence. Alternation ("or") and concatenation ("and") have
precedence and associate left to right.
For example,
"not tcp port 3128 and tcp port 23" is equivalent to "(not tcp port 3128) and tcp port 23".
"not tcp port 3128 and tcp port 23" is NOT equivalent to "not (tcp port 3128 and tcp port 23)".
equal
3. TCPDUMP USE
To display the Standard TCPdump output:
#tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type
EN10MB (Ethernet), capture size 96 bytes
21:57:29.004426
21:57:31.228013
21:57:31.228020
21:57:38.035382
21:57:38.613206
IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53

arp who-has 192.168.1.2 tell 192.168.1.1
arp reply 192.168.1.2 is-at 00:04:75:22:22:22 (oui Unknown)
IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
IP valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36
To display the verbose output:

#tcpdump -v
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:00:11.625995 IP (tos 0x0, ttl 128, id 30917, offset 0, flags [none], proto:
192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36
22:00:26.201715 arp who-has 192.168.1.2 tell 192.168.1.1
22:00:26.201726 arp reply 192.168.1.2 is-at 00:04:11:11:11:11 (oui Unknown)
UDP (17), length: 81)


Network interfaces available for the capture:

#tcpdump -D
1.eth0
2.any (Pseudo-device that captures on all interfaces)
3.lo
To display numerical addresses rather than symbolic (DNS) addresses:
#tcpdump -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:02:36.111595
22:02:36.669853
22:02:41.702977
22:02:41.702984
22:02:45.106515
22:02:50.392139
22:02:54.139658
22:02:57.866958
IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53

IP 68.142.64.164.27014 > 192.168.1.2.1034: UDP, length 36
arp who-has 192.168.1.2 tell 192.168.1.1
arp reply 192.168.1.2 is-at 00:04:11:11:11:11
IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53
IP 192.168.1.2.138 > 192.168.1.255.138: NBT UDP PACKET(138)
IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53
IP 125.175.131.58.3608 > 192.168.1.2.9501: S 3275472679:3275472679(0) win 65535
To display the quick output:

#tcpdump -q
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:03:55.594839
22:03:55.698827
22:03:56.068088
22:03:56.068096
22:03:57.362863
22:03:57.964397
22:04:06.406521
22:04:15.393757
IP
IP
IP
IP
IP
IP
IP
IP
a213-22-130-46.cpe.netcabo.pt.3546 > 192.168.1.2.9501: tcp 0

192.168.1.2.9501 > a213-22-130-46.cpe.netcabo.pt.3546: tcp 0
a213-22-130-46.cpe.netcabo.pt.3546 > 192.168.1.2.9501: tcp 0
192.168.1.2.9501 > a213-22-130-46.cpe.netcabo.pt.3546: tcp 0
192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP,
valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP,
Capture the traffic of a particular interface:

tcpdump -i eth0
To capture the UDP traffic:
#tcpdump udp
To capture the TCP port 80 traffic:
#tcpdump port http
length
length
length
length
53
36
53
53
To capture the traffic from a filter stored in a file:

#tcpdump -F file_name
To create a file where the filter is configured (here the TCP 80 port)
#vim file_name
port 80
To stop the capture after 20 packets:
#tcpdump -c 20
To send the capture output in a file instead of directly on the screen:
#tcpdump -w capture.log
To read a capture file:
#tcpdump -r capture.log
reading from file capture.log, link-type EN10MB (Ethernet)
09:33:51.977522 IP 192.168.1.36.40332 > rr.knams.wikimedia.org.www:
148796145 win 16527
09:33:52.031729 IP rr.knams.wikimedia.org.www > 192.168.1.36.40332: .
09:33:52.034414 IP rr.knams.wikimedia.org.www > 192.168.1.36.40332: P
09:33:52.034786 IP 192.168.1.36.40332 > rr.knams.wikimedia.org.www: .
P 1548302662:1548303275(613) ack
ack 613 win 86
1:511(510) ack 613 win86
ack 511 win 16527
The captured data isn't stored in plain text so you cannot read it with a text editor, you have to use
a special tool like TCPdump (see above) or Wireshark (Formerly Ethereal) which provides a graphical
interface.
The capture.log file is opened with Wireshark.
To display the packets having "www.openmaniak.com" as their source or destination address:
#tcpdump host www.openmaniak.com
To display the FTP packets coming from 192.168.1.100 to 192.168.1.2:
#tcpdump src 192.168.1.100 and dst 192.168.1.2 and port ftp
To display the packets content:
#tcpdump -A
Packets capture during a FTP connection. The FTP password can be easily intercepted because it is sent
in clear text to the server.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type
EN10MB (Ethernet), capture size 96 bytes 20:53:24.872785 IP ubuntu.local.40205 > 192.168.1.2.ftp: S
4155598838:4155598838(0) win 5840 ....g....................
............
20:53:24.879473 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 1228937421 win 183 ....g.I@..........
20:53:24.881654 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 43 win 183...g.I@...........8......EN
20:53:26.402046 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 0:10(10) ack 43 win 183.g.I@...`$.
.=..ENUSER teddybear
20:53:26.403802 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 76 win 183
....h.I@.............
...>..E^
20:53:29.169036 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 10:25(15) ack 76 win 183
....h.I@......#c.....
......E^PASS wakeup
....h.I@.,...........
......Ez
....h.I@.,...........
......EzSYST
....h.I@.?.....j.....
......Ez
....h.I@.?...........
......EzQUIT
....h.I@.g...........
......E.
20:53:31.369759 IP ubuntu.local.40205 > 192.168.1.2.ftp: F 37:37(0) ack 156 win 183
....h.I@.h.....e.....
......E.
We see in this capture the FTP username (teddybear) and password (wakeup).

TCP Dump

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

TCP Dump

Uploaded by

Copyright:

Available Formats

Tcpdump

TCPdump is a very powerful command line interface packet sniffer.

IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53

To display the verbose output:

UDP (17), length: 81)

UDP (17), length: 81)

Network interfaces available for the capture:

IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53

To display the quick output:

a213-22-130-46.cpe.netcabo.pt.3546 > 192.168.1.2.9501: tcp 0

Capture the traffic of a particular interface:

To capture the traffic from a filter stored in a file:

You might also like