Monday 30 January 2012

tcpdump command help

Tcpdump a packet analyzer. It allows us analyze the packets that are moving through our network and also to save the packets that are captured. We can use tcpdump command to read the saved packets. 

In network data travels as packets each data packets contains the
information that it needs to travell across the network. This information is contained in a TCP Header. A TCP Header will contain the destination and source address, state information, and protocol identifiers. The rest of the packet contains the data that is being sent. Devices that are responsible for routing reads the informations in these packets and send them to there correct destinations.

Execute tcpdump command without any option, it will capture all the packets flowing through all the interfaces.Let's check some of the option in tcpdump to analyze the packets in a network. 

* Packets from a particular interface using tcpdump -i 

# tcpdump -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
14:18:49.519284 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.50959: P 228763333:228763445(112) ack 419799025 win 95 <nop,nop,timestamp 105976169 2745262019>
14:18:59.535351 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.50959: P 112:224(112) ack 1 win 95 <nop,nop,timestamp 105976169 2745262019>
14:18:49.519359 IP 192.168.1.22.50959 > cloudcc.ctechz.blogspot.com.ssh: . ack 112 win 10 <nop,nop,timestamp 2745262160 105976169>
14:18:49.519375 IP 192.168.1.22.50959 > cloudcc.ctechz.blogspot.com.ssh: . ack 224 win 10 <nop,nop,timestamp 2745262160 105976169>
14:18:49.537559 IP cloudcc.ctechz.blogspot.com.47433 > 10.0.0.2.domain:  49926+ PTR? 22.1.168.192.in-addr.arpa. (43)
14:18:49.713921 802.1d unknown version

In this, tcpdump captured all the packets flows in the interface eth0 and displays in the standard output. 

* N number of packets using tcpdump -c 

# tcpdump -c 2 -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
14:55:00.837666 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.50959: P 228769381:228769493(112) ack 419800865 win 95 <nop,nop,timestamp 108147932 2747433275>
14:55:10.836110 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.50959: P 112:224(112) ack 1 win 95 <nop,nop,timestamp 108147932 2747433275>

* Captured Packets in ASCII using tcpdump -A 

# tcpdump -A -i eth0

14:59:15.281604 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.50959: P 228771221:228771413(192) ack 419801777 win 95 <nop,nop,timestamp 108402428 2747687702>
.........._.............
.v....c.XAQ...?..vJ...o...1zx-........
14:59:15.281735 IP 192.168.1.22.50959 > cloudcc.ctechz.blogspot.com.ssh: . ack 192 win 26 <nop,nop,timestamp 2747687721 108402428>
..U....o...........C........
..c).v..
14:59:15.282197 IP cloudcc.ctechz.blogspot.com.50913 > 10.0.0.2.domain:  9309+ PTR? 22.1.168.192.in-addr.arpa. (43)
E..G..@.@.W....C
......5.3.1$]...........22.1.168.192.in-addr.arpa.....
14:59:15.821332 IP 192.168.100.50.23354 > 234.134.191.31.23354: UDP, length 53
......@. .....d2....[:[:.=.c..."....d2#......UDP.8....rac1pfx-cluster..PING.

* Captured Packets in HEX and ASCII using tcpdump -XX

# tcpdump -XX -i eth0

15:04:34.561281 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.50959: P 228773525:228773717(192) ack 419802737 win 95 <nop,nop,timestamp 108721773 2748006955>
        0x0000:  c89c dc50 abd3 0080 4853 84c4 0800 4510  ...P....HS....E.
        0x0010:  00f4 b0c4 4000 4006 0586 c0a8 0143 c0a8  ....@.@......C..
        0x0020:  0116 0016 c70f 0da2 ce95 1905 ae71 8018  .............q..
        0x0030:  005f 8490 0000 0101 080a 067a f66d a3cb  ._.........z.m..
        0x0040:  422b 7997 8997 cac1 2559 79ad c095 4dbd  B+y.....%Yy...M.
        0x0050:  ae1c 1481 e5e6 0010 7651 d691 21f9 d955  ........vQ..!..U
15:04:34.561424 IP 192.168.1.22.50959 > cloudcc.ctechz.blogspot.com.ssh: . ack 192 win 33 <nop,nop,timestamp 2748006974 108721773>
        0x0000:  0080 4853 84c4 c89c dc50 abd3 0800 4510  ..HS.....P....E.
        0x0010:  0034 e425 4000 4006 d2e4 c0a8 0116 c0a8  .4.%@.@.........
        0x0020:  0143 c70f 0016 1905 ae71 0da2 cf55 8010  .C.......q...U..
        0x0030:  0021 a46c 0000 0101 080a a3cb 423e 067a  .!.l........B>.z
        0x0040:  f66d                                     .m
15:04:34.561880 IP cloudcc.ctechz.blogspot.com.53544 > 10.0.0.2.domain:  15625+ PTR? 22.1.168.192.in-addr.arpa. (43)
        0x0000:  c89c dc50 abd3 0080 4853 84c4 0800 4500  ...P....HS....E.
        0x0010:  0047 f66e 4000 4011 784a c0a8 0143 0a00  .G.n@.@.xJ...C..
        0x0020:  0002 d128 0035 0033 cc31 3d09 0100 0001  ...(.5.3.1=.....
        0x0030:  0000 0000 0000 0232 3201 3103 3136 3803  .......22.1.168.
        0x0040:  3139 3207 696e 2d61 6464 7204 6172 7061  192.in-addr.arpa
        0x0050:  0000 0c00 01                             .....

* Capture the packets and write into a file using tcpdump -w

-w option writes the packets into a given file. The file extension should be .pcap, which can be read by any network protocol analyzer.

# tcpdump -w dump.pcap -i eth0  
you can get a file called dump.pcap which stores the packet details... 

* Read the packets from a saved file using tcpdump -r 

# tcpdump -r dump.pcap 
You can read the captured .pcap file and view the packets for analysis.  

* Getting packets with IP address using tcpdump -n 

# tcpdump -n -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:20:10.725855 IP 192.168.1.67.ssh > 192.168.1.22.46596: P 4047509964:4047510156(192) ack 1239501135 win 95 <nop,nop,timestamp 109658129 2748943040>
15:20:10.725959 IP 192.168.1.22.46596 > 192.168.1.67.ssh: . ack 192 win 19 <nop,nop,timestamp 2748943062 109658129>
15:20:10.726021 IP 192.168.1.67.ssh > 192.168.1.22.46596: P 192:384(192) ack 1 win 95 <nop,nop,timestamp 109658129 2748943062>
15:20:10.726076 IP 192.168.1.67.ssh > 192.168.1.22.46596: P 384:544(160) ack 1 win 95 <nop,nop,timestamp 109658129 2748943062>
15:20:10.726133 IP 192.168.1.67.ssh > 192.168.1.22.46596: P 544:720(176) ack 1 win 95 <nop,nop,timestamp 109658130 2748943062>
15:20:10.726152 IP 192.168.1.22.46596 > 192.168.1.67.ssh: . ack 384 win 21 <nop,nop,timestamp 2748943062 109658129>
15:20:10.726161 IP 192.168.1.22.46596 > 192.168.1.67.ssh: . ack 544 win 23 <nop,nop,timestamp 2748943062 109658129>
15:20:10.726215 IP 192.168.1.67.ssh > 192.168.1.22.46596: P 720:896(176) ack 1 win 95 <nop,nop,timestamp 109658130 2748943062>
15:20:10.726262 IP 192.168.1.22.46596 > 192.168.1.67.ssh: . ack 720 win 24 <nop,nop,timestamp 2748943062 109658130> 

* Capture packets with readable timestamp using tcpdump -tttt 

# tcpdump -n -tttt -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
2012-01-29 15:24:47.784713 IP 192.168.1.67.ssh > 192.168.1.22.46596: P 4047514140:4047514332(192) ack 1239503055 win 95 <nop,nop,timestamp 109935245 2749220078>
2012-01-29 15:24:47.784854 IP 192.168.1.67.ssh > 192.168.1.22.46596: P 192:400(208) ack 1 win 95 <nop,nop,timestamp 109935245 2749220078>
2012-01-29 15:24:47.784872 IP 192.168.1.22.46596 > 192.168.1.67.ssh: . ack 192 win 33 <nop,nop,timestamp 2749220098 109935245>
2012-01-29 15:24:47.784944 IP 192.168.1.67.ssh > 192.168.1.22.46596: P 400:704(304) ack 1 win 95 <nop,nop,timestamp 109935245 2749220098>
2012-01-29 15:24:47.785001 IP 192.168.1.22.46596 > 192.168.1.67.ssh: . ack 400 win 34 <nop,nop,timestamp 2749220098 109935245>
2012-01-29 15:24:47.785043 IP 192.168.1.67.ssh > 192.168.1.22.46596: P 704:880(176) ack 1 win 95 <nop,nop,timestamp 109935245 2749220098>
2012-01-29 15:24:47.785071 IP 192.168.1.22.46596 > 192.168.1.67.ssh: . ack 704 win 36 <nop,nop,timestamp 2749220098 109935245>

* Reading packets longer than N bytes
You can receive only the packets greater than n number of bytes using a filter ‘greater’ through tcpdump command.

$ tcpdump greater 1024 -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:32:23.030169 IP 192.168.1.22.squid > cloudcc.ctechz.blogspot.com.56294: P 3533551345:3533552790(1445) ack 1677096811 win 3839 <nop,nop,timestamp 2749675305 110389966>
15:32:25.028568 IP 192.168.1.22.squid > cloudcc.ctechz.blogspot.com.56294: P 1445:2890(1445) ack 866 win 3839 <nop,nop,timestamp 2749677304 110391966>
15:32:27.042511 IP 192.168.1.22.squid > cloudcc.ctechz.blogspot.com.56294: P 2890:4335(1445) ack 1731 win 3839 <nop,nop,timestamp 2749679318 110393966>
15:32:29.035028 IP 192.168.1.22.squid > cloudcc.ctechz.blogspot.com.43819: P 189138042:189139487(1445) ack 3060416647 win 3839 <nop,nop,timestamp 2749681310 110395968>
15:32:31.009490 IP 192.168.1.22.squid > cloudcc.ctechz.blogspot.com.56294: P 4866:6311(1445) ack 3515 win 3839 <nop,nop,timestamp 2749683284 110397968>
15:32:33.003763 IP 192.168.1.22.squid > cloudcc.ctechz.blogspot.com.56294: P 6311:7756(1445) ack 4380 win 3839 <nop,nop,timestamp 2749685278 110399967> 

* Capturing the packets of a specific protocol type
You can receive the packets based on the protocol type. You can specify one of these protocols — fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp. 

# tcpdump -i eth0 arp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:38:34.274572 arp who-has 192.168.0.54 tell 192.168.0.22
15:38:36.252219 arp who-has 192.168.1.201 tell 192.168.1.200
15:38:39.313602 arp who-has 192.168.1.201 tell 192.168.1.200
15:38:40.455837 arp who-has 192.168.0.109 tell 192.168.0.45
15:38:43.032395 arp who-has 192.168.1.201 tell 192.168.1.200
15:38:46.924282 arp who-has 192.168.0.109 tell 192.168.0.45 

* Reading packets lesser than N bytes
You can receive only the packets lesser than n number of bytes using a filter ‘less’ through tcpdump command 

# tcpdump less 1024 -i eth0
# tcpdump -w l_1024.pcap  less 1024 

* Capturing packets flows on a particular port using tcpdump port
all the packets received by a particular port on a machine. 

# tcpdump -i eth0 port 22

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:43:14.428293 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.46596: P 4050640844:4050641036(192) ack 1239514031 win 95 <nop,nop,timestamp 111042115 2750326627>
15:43:14.428486 IP 192.168.1.22.46596 > cloudcc.ctechz.blogspot.com.ssh: . ack 192 win 3811 <nop,nop,timestamp 2750326650 111042115>
15:43:24.427008 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.46596: P 192:400(208) ack 1 win 95 <nop,nop,timestamp 111052116 2750326650>
15:43:24.427064 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.46596: P 400:576(176) ack 1 win 95 <nop,nop,timestamp 111052116 2750326650>
15:43:24.427123 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.46596: P 576:768(192) ack 1 win 95 <nop,nop,timestamp 111052116 2750326650>
15:43:24.427144 IP 192.168.1.22.46596 > cloudcc.ctechz.blogspot.com.ssh: . ack 400 win 3811 <nop,nop,timestamp 2750336648 111052116> 

* Capturing packets for particular destination IP and Port
 The packets will have source and destination IP and port numbers. Using tcpdump we can apply filters on source or destination IP and port number.
The following command captures packets flows in eth0, with a particular destination ip and port number 22.
 

# tcpdump -w xpackets.pcap -i eth0 dst 192.168.1.183 and port 22
# tcpdump -i eth0 dst 192.168.1.175 and port 22

15:56:09.554572 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.183.46596: P 2643264:2643456(192) ack 1345 win 95 <nop,nop,timestamp 111817400 2751101713>
15:56:09.554611 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.183.46596: P 2643456:2643648(192) ack 1345 win 95 <nop,nop,timestamp 111817400 2751101713>
15:56:09.554663 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.183.46596: P 2643648:2643840(192) ack 1345 win 95 <nop,nop,timestamp 111817400 2751101713>
15:56:09.554710 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.183.46596: P 2643840:2644032(192) ack 1345 win 95 <nop,nop,timestamp 111817400 2751101713>
15:56:09.554749 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.183.46596: P 2644032:2644224(192) ack 1345 win 95 <nop,nop,timestamp 111817400 2751101713>
15:56:09.554787 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.183.46596: P 2644224:2644416(192) ack 1345 win 95 <nop,nop,timestamp 111817400 2751101713>


 * TCP communication packets between two hosts  
If two different process from two different machines are communicating through tcp protocol, we can capture those packets using tcpdump as shown below. 

# tcpdump -w comm.pcap -i eth0 dst 192.168.1.183 and port 22 

You can open the file comm.pcap using any network protocol analyzer tool to debug any potential issues. 

* Filtering Packets using tcpdump – Capture all the packets other than arp and rarp
In tcpdump command, you can give “and”, “or” and “not” condition to filter the packets accordingly. 

# tcpdump -i eth0 not arp and not rarp
# tcpdump -i eth0 not tcp and not arp


16:02:53.965566 CDPv2, ttl: 180s, Device-ID 'CochinGate'[|cdp]
16:02:54.380054 IP 192.168.100.51.23354 > 234.134.191.31.23354: UDP, length 151
16:02:54.380746 IP cloudcc.ctechz.blogspot.com.32894 > 10.0.0.2.domain:  47635+ PTR? 31.191.134.234.in-addr.arpa. (45)
16:02:54.402986 IP 192.168.100.51.23354 > 234.134.191.31.23354: UDP, length 151
16:02:54.649980 802.1d unknown version
16:02:54.954942 IP cloudcc.ctechz.blogspot.com.50001 > 10.0.0.2.domain:  21429+ A? centos.vr-zone.com. (36)
16:02:55.246120 IP 192.168.100.50.23354 > 234.134.191.31.23354: UDP, length 53
16:02:56.665126 802.1d unknown version
16:02:56.748222 IP 192.168.100.50.23354 > 234.134.191.31.23354: UDP, length 53 

* Make stdout line buffered. Useful if you want to see the data while capturing, use -l 

# tcpdump -l > dat & tail -f dat 

* Don't print domain name qualification of host names 

# tcpdump -N -i eth0

if you give this flag then tcpdump will print "ctechz'' instead of "ctechz.blogspot.com''

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
18:16:17.053108 IP cloudcc.ssh > 192.168.1.22.39495: P 2722677379:2722677491(112) ack 967375163 win 95 <nop,nop,timestamp 120226620 2759508498>
18:16:27.051222 IP cloudcc.ssh > 192.168.1.22.39495: P 112:224(112) ack 1 win 95 <nop,nop,timestamp 120226621 2759508498>
18:16:17.053136 IP 192.168.1.22.39495 > cloudcc.ssh: . ack 112 win 23 <nop,nop,timestamp 2759508521 120226620>
18:16:17.053221 IP 192.168.1.22.39495 > cloudcc.ssh: . ack 224 win 23 <nop,nop,timestamp 2759508521 120226621>
18:16:17.053752 IP cloudcc.46957 > 10.0.0.2.domain:  25029+ PTR? 22.1.168.192.in-addr.arpa. (43)
18:16:17.097848 IP cloudcc.52899 > 10.0.0.2.domain:  56675+ A? centos.communilink.net. (40) 

* When parsing and printing, in addition to printing the headers of each packet, print the data of each packet, including its link level header, in hex and ASCII.

# tcpdump -XX -i eth0
# tcpdump -X -i eth0

18:21:56.413767 IP cloudcc.ctechz.blogspot.com.56294 > 192.168.1.22.squid: P 1681546479:1681547345(866) ack 3540467048 win 501 <nop,nop,timestamp 120566051 2759847333>
        0x0000:  c89c dc50 abd3 0080 4853 84c4 0800 4500  ...P....HS....E.
        0x0010:  0396 985f 4000 4006 1b59 c0a8 0143 c0a8  ..._@.@..Y...C..
        0x0020:  0116 dbe6 0c38 643a 5cef d307 3d68 8018  .....8d:\...=h..
        0x0030:  01f5 8732 0000 0101 080a 072f b123 a47f  ...2......./.#..
        0x0040:  eda5 504f 5354 2068 7474 703a 2f2f 7065  ..POST.http://pe
        0x0050:  7472 6f73 6f63 6961 6c2e 6e65 742f 6477  trosocial.net/dw


 * When parsing and printing, in addition to printing the headers of each packet, print the data of each packet, including its link level header, in hex. 

# tcpdump -xx -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
18:27:26.350615 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.39495: P 2722709875:2722709987(112) ack 967381147 win 95 <nop,nop,timestamp 120896055 2760177744>
        0x0000:  c89c dc50 abd3 0080 4853 84c4 0800 4510
        0x0010:  00a4 e3a3 4000 4006 d2f6 c0a8 0143 c0a8
        0x0020:  0116 0016 9a47 a249 4173 39a9 109b 8018
        0x0030:  005f 8440 0000 0101 080a 0734 ba37 a484
        0x0040:  f850 c004 7673 c572 acb5 3f36 4aa9 5ab2
        0x0050:  dc3a 34b1 5abc 22d7 afde 5f51 d785 f394 

* Display the link-level header for each packet. 

# tcpdump -e -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
18:40:20.378413 00:80:48:53:84:c4 (oui Unknown) > c8:9c:dc:50:ab:d3 (oui Unknown), ethertype IPv4 (0x0800), length 258: cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.44043: P 4211844806:4211844998(192) ack 1868284851 win 95 <nop,nop,timestamp 121670241 2760951707>
18:40:20.378560 c8:9c:dc:50:ab:d3 (oui Unknown) > 00:80:48:53:84:c4 (oui Unknown), ethertype IPv4 (0x0800), length 66: 192.168.1.22.44043 > cloudcc.ctechz.blogspot.com.ssh: . ack 192 win 13 <nop,nop,timestamp 2760951727 121670241>
18:40:20.379052 00:80:48:53:84:c4 (oui Unknown) > c8:9c:dc:50:ab:d3 (oui Unknown), ethertype IPv4 (0x0800), length 85: cloudcc.ctechz.blogspot.com.54043 > 10.0.0.2.domain:  7182+ PTR? 22.1.168.192.in-addr.arpa. (43)
18:40:20.413456 00:80:48:53:84:c4 (oui Unknown) > c8:9c:dc:50:ab:d3 (oui Unknown), ethertype IPv4 (0x0800), length 932: cloudcc.ctechz.blogspot.com.56294 > 192.168.1.22.squid: P 1682031477:1682032343(866) ack 3541247187 win 501 <nop,nop,timestamp 121670277 2760950219>
18:40:20.413715 c8:9c:dc:50:ab:d3 (oui Unknown) > 00:80:48:53:84:c4 (oui Unknown), ethertype IPv4 (0x0800), length 66: 192.168.1.22.squid > cloudcc.ctechz.blogspot.com.56294: . ack 866 win 3839 <nop,nop,timestamp 2760951763 121670277>


It's also important to note that tcpdump only takes the first 96 bytes of data from a packet by default. If you would like to look at more, add the -s number option to the mix, where number is the number of bytes you want to capture. using 0 (zero) for a snaplength, which gets everything.


Useful list of the options in tcpdump

-i any : Listen on all interfaces just to see if you're seeing any traffic.
-n : Don't resolve hostnames.
-nn : Don't resolve hostnames or port names. 
-X : Show the packet's contents in both hex and ASCII.
-XX : Same as -X, but also shows the ethernet header.
-v, -vv, -vvv : Increase the amount of packet information you get back.
-c : Only get x number of packets and then stop. 
-s : Define the size of the capture (use -s0 unless you are intentionally capturing less.)
-S : Print absolute sequence numbers.
-e : Get the ethernet header as well.
-q : Show less protocol information.
-E : Decrypt IPSEC traffic by providing an encryption key.
-s : Set the snaplength, i.e. the amount of data that is being captured in bytes
-c : Only capture x number of packets, e.g. 'tcpdump -c 3'









No comments:

Post a Comment