Saturday, March 12, 2016

Network Analysis with tcpdump


Tcpdump is a network analysis tool using which one can analyze inbound and outbound network traffic in a system. Tcpdump is quite a powerful tool. Using various command line options and expressions one can filter network traffic and analyze the network packets.





Tcpdump gives output in rather a raw way compared to other network analyzer tools. And, it is always better to do the analysis by humans than by some other tools. So, if someone can utilize tcpdump properly, it would prove to be much more powerful.


In this short article, I would explain how to use tcpdump in network analysis.


Installing tcpdump

tcpdump can be easily installed in a system.

For example, in Ubuntu, one can install tcpdump using :

# sudo apt-get install tcpdump



Note : Please note that one should have root privileges to run tcpdump. So, in Linux one should run tcpdump commands with 'sudo'.


Some basic tcpdump commands

tcpdump outputs contents of selected network packets. The output is typically preceded by a timestamp which is printed by default as :

<hours> : <minutes> : <seconds> . <fractions of a second>

By default, tcpdump keeps printing outputs until a SIGINT signal is received. On terminating, it prints :

  • Number of packets captured
  • Number of packets received by filter used in tcpdump command
  • Number of packets dropped by the kernel, i.e. number of packets dropped mainly because of lack of bufferspace.



1. Basic command

# sudo tcpdump -i eth0
This would output the packets captured by the interface specified (here eth0). This output is typically preceded by timestamp, source hostname, destination hostname and the port.



2. Increase verbosity of output

Verbosity of outputs of tcpdump can be increased using the command line option -v, -vv or -vvv. Typically, output is more verbose with -vv than with -v and more verbose with -vvv than with -vv. i.e. verbosity increases with number of v's.
# sudo tcpdump -v -i eth0

# sudo tcpdump -vv -i eth0

# sudo tcpdump -vvv -i eth0


3. Do not resolve hostnames

By default, tcpdump output resolves hostnames. But, it may not be convenient always. To tell tcpdump not to resolve hostnames you can use the command line option -n.

# sudo tcpdump -n -i eth0

4. Print absolute TCP sequence number of network packets

By default, tcpdump prints relative TCP sequence numbers of packets captured. To print the absolute TCP sequence number, one should use the command line option -S.
# sudo tcpdump -nS -i eth0

In the output, TCP sequence number is typically printed like “seq <numbers>” , after the source and destination hosts of the packet.

5. Do not convert port numbers

By default, tcpdump converts hostnames and port numbers wherever possible. As it is not convenient always, one can tell tcpdump not to convert these host addresses as well as port numbers.

To not to convert port numbers, one can use the option -nn.
# sudo tcpdump -nn -i eth0


6. Receive only certain number of packets
By default, tcpdump keeps printing outputs until it receives a SIGINT. But, one can limit the number of packets captured in the output of tcpdump. Command line option -c<number> or -c <number> can be used for that purpose.
# sudo tcpdump -c 5 -i eth0

# sudo tcpdump -c5 -i eth0



7. Print packet data in hex and ASCII

One can use -X command line option to print data of each packets along with the headers. -X option prints the packet data in hex as well as in ASCII.

# sudo tcpdump -X -i eth0

8. Change snapshot length of data

One can change the snapshot length of data using the command line option -s.
# sudo tcpdump -nnSXs 6000 -c5 -i eth0
The above command would output headers and data contents of 5 packets captured through interface eth0. -nnSXs indicates host names and port numbers will not be resolved, absolute TCP sequence numbers will be printed and snapshot-length will be snarfed to 6000.

Using expressions with tcpdump

One can filter the packets captured using tcpdump further using filter expressions. Filter expressions typically consists of one or more of the following qualifiers :


type :

type may indicate a host, net , port or portrange.


direction :

This qualifier may indicate a source, destination or address from which or to which the packets are received.

protocol :

This qualifier specifies packets that match a particular protocol. Possible protocols are :
ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp.

9. Capture packets to or from a certain host

# sudo tcpdump -nnSX -i eth0 host 192.123.1.10
This command would capture packets that come from host 192.123.1.10 or goes to host 192.123.1.10.

# sudo tcpdump -nnSX -i eth0 src host 192.123.1.11
The above command would capture packets coming from only the host 192.123.1.11

# sudo tcpdump -nnSX -i eth0 dst host 192.123.1.12
The above command would capture packets that goes only to host 192.123.1.12



10. Capture packets to or from a network
# sudo tcpdump -i eth0 net 192.123.1.0/24
The above command would capture only the packets that involve the network 192.123.1.0/24


# sudo tcpdump -i eth0 src net 192.123.1.0/24

The above command would capture only the packets that come from the network 192.123.1.0/24


# sudo tcpdump -i eth0 dst net 192.123.1.0/24
The above command would capture only the packets that goes to the network 192.123.1.0/24

11. Capture packets to or from a certain port

# sudo tcpdump -n -i eth0 port 36709
The above command would capture only the packets that involve port 36709.


# sudo tcpdump -n -i eth0 src port 36709
The above command would capture only the packets that come from port 36709.

# sudo tcpdump -n -i eth0 dst port 36709


The above command would capture only the packets are destined to port 36709.

12. Capture packets to or from a port range

# sudo tcpdump -n -i eth0 portrange 30000-60000
The above command would capture only the packets that involve ports ranging from port numbers 30000 to 60000.


# sudo tcpdump -n -i eth0 src portrange 30000-60000
The above command would capture only the packets that come from ports ranging from port numbers 30000 to 60000.
# sudo tcpdump -n -i eth0 dst portrange 30000-60000
The above command would capture only the packets that are destined to ports ranging from port numbers 30000 to 60000.

13. Capture packets of certain protocol type
# sudo tcpdump -n -i eth0 tcp
The above command would capture only the tcp packets.

# sudo tcpdump -n -i eth0 udp
The above command would capture only the udp packets.

# sudo tcpdump -n -i eth0 icmp


The above command would capture only the icmp packets.

Possible protocols that can be specified are:
ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp.

14. Capture packets below or above a certain size
# sudo tcpdump -n -i eth0 greater 100
The above commands would capture only the packets that have length greater than or equal to 100 bytes.

# sudo tcpdump -n -i eth0 less 1000
The above commands would capture only the packets that have length less than or equal to 100 bytes.

15. Capture output to a file

# sudo tcpdump -n -c10 -i eth0 -w tcpdump-output
The above command would capture the output of the tcpdump command in the output file tcpdump-output.

16. Capture input from a file
By default, tcpdump output file is not human readable. So, we need to use option -r to read the output already captured in a specific output file.

# sudo tcpdump -n -c10 -i eth0 less 1000 -r tcpdump-output

The above command would read tcpdump output that is already captured in the output file tcpdump-output.

More complex filter expressions

One can combine two or more of the above filter expressions with and, or, not. This enables the filtering capabilities of the packets even further.



17. TCP traffic from a network and to a certain portrange
# sudo tcpdump -n -i eth0 src net 192.123.0.0/16 and dst portrange 30000-60000

The above command would capture only the packets that are coming from the network 192.123.0.0/16 and destined to port ranging from port numbers 30000 to 60000.

18. TCP traffic destined to either of two certain ports
# sudo tcpdump -n -i eth0 dst port 443 or dst port 36709

The above command would capture only the packets that are destined to port 443 or port 36709 of the system.

19. Capturing non-TCP traffic
# sudo tcpdump -n -i eth0 not tcp
The above command would capture only the non-tcp packets from the interface eth0.

20. Capturing TCP or UDP traffic from a certain network
# sudo tcpdump -n -i eth0 tcp or udp and src net 192.123.1.0/24

The above command would capture tcp or udp packets that come from the network 192.123.1.0/24.

21. Capturing packets from a network that are not destined to a certain port

# sudo tcpdump -n -i eth0 src net 192.123.1.0/24 and not port 443

The above commands would capture the packets that are coming from the network 192.123.1.0/24 and are not destined to port number 443.

22. Capturing packets from a certain network or to a certain port

# sudo tcpdump -n -i eth0 src net 192.123.1.0/24 or not dst port 443

The above command would capture the packets that are coming from the network 192.123.1.0/24 or coming to the port number 443 of the system.



Grouping filter expressions

One can even further group the filter expressions to filter the captured packets in a better way. Typically, single quote (') and brackets are used to group the filter expressions.

23. Capturing packets from a network and to port 443 or 36709

# sudo tcpdump -n -i eth0 'src net 192.123.1.0/24 and (dst port 443 or 36709)'

The above command would capture the packets that are coming from the network 192.123.1.0/24 and are destined to either port 443 or port 36709.

24. Capturing tcp or udp traffic coming from a source and not destined to certain portrange

# sudo tcpdump -n -i eth0 'tcp or udp and (src 192.123.1.10 and not dst portrange 1000-4000)'

The above command would capture the tcp or udp packets that are coming from the host 192.123.1.10, but not destined to any port ranging from 1000 to 4000.

25. To print the TCP packets that does not involve a certain network

# sudo tcpdump -n -i eth0 'tcp and not src and dst net 192.123.1.0/24'
The above command would capture the TCP packets that do not involve the network 192.123.1.0/24.


No comments:

Post a Comment