Saturday, December 29, 2007

Fun with Tcpdump

Tcpdump is a really useful program for capturing packets that are on the wire. It can be used to view packets going through your own interface, on a network with a hub, or on a switched network (arp-cache poisoning or mirrored switch ports).

The output from tcpdump can either be sent to the screen, written to a raw file using -w and viewed with tcpdump (using -r) or the capture files can be read with a tool such as Wireshark.

Tcpdump is a tool that anyone who is interested in networks should be familiar with. It will help you understand what normal traffic looks like on your network at a packet level so you can quickly identify abnormal traffic.

The purpose of this blog post is to get a few of the commands documented to familierize myself with tool so i can quickly apply filters when needed.

For the Windows users there is a very good port of tcpdump called Windump, the syntax is very similar if not identical.


Using Tcpdump

When first running tcpdump without any filters the output can be overwhelming. Don't worry about this, as you begin to get familiar with the filters you can quickly get to the information you want.

If you have multiple interfaces that are up you may need to use the -i {interface} switch.

tcpdump -i eth1

The command can be terminated with ctrl+c.

I recommend using the -n switch to prevent name resolution whilst you are performing the capture. The name resolution can always be performed later.

tcpdump -i eth1 -n

You can also cut down the amount of data you capture by using the quiet option (-q)

tcpdump -q

Or to really cut down on what i can see I could use the following which would just display the from and to, the protocol and the packet size:

tcpdump -qt

As previously mentioned the output of tcpdump can be sent to a file using the -w switch or straight to a text file using the redirect >

I recommend writing the output to libpcap format using a command such as:

tcpdump -i eth1 -n -w capture.lpc

However, you may want to view the output on the screen as you write it to a file, this can be done by using the -l switch and piping through tee into the file:

tcpdump -l | tee mydump


You can also limit the capture to a certain amount of packets using the -c switch. To only collect 100 packets:

tcpdump -c 100


The -c switch can also be used when reading from a packet capture file:

tcpdump -n -s 1514 -r capture.lpc -c 5 tcp

The command above will read the first 5 tcp packets from the capture.lpc file.




Collecting Packets Based on Size

Usually tcpdump does not collect the entire packet. Use the snaplen option -s 0 to force it to do so:

tcpdump -s 0

Or to only collect the first 1514 bytes of a packet:

tcpdump -s 1514

1514 bytes will capture the ethernet portion without VLAN tagging. To capture the VLAN tagging information an additional 4 bytes will need to be added.


To only collect packets from a particular host:

tcpdump -i eth 1 -n -w capture.lpc host 208.68.234.113


Name Resolution

As mentioned earlier, by default tcpump will resolve network addresses into names. To disable this use the -n switch. And to disable port resolution use -nn:

tcpdump -nn

Use -f to prevent remote name resolution.


If you are on a local LAN and want to capture only traffic based on a MAC address use:

tcpdump ether host 11:22:33:44:55:66:77:00

Or if you want the Ethernet header in the output use the -e option:

tcpdump -i eth1 -e -n -s 1514-w capture.lpc

To restrict the capture to a network use:

tcpdump -i eth1 -n -w capture.lpc -s 1514 net 192.168.1

or

tcpdump -i eth1 -n -w capture.lpc -s 1514 net 192.168.1.0 mask 255.255.255.0


Using Keywords

Keywords alow you to easily filter traffic. The Keywords that can be used are ip, tcp, udp, icmp and igmp.

As an example of using keywords, to capture all IP traffic use keywords:

tcpdump -i eth1 -n -w capture.lpc -s 1514 ip

or to capture just TCP traffic:

tcpdump -i eth1 -n -w capture.lpc -s 1514 tcp

Other traffic types without keywords can be captured using the "ip proto" option:

tcpdump -i eth1 -n -w capture.lpc -s 1514 ip proto l2tp

or by its protocalnumber as found in the /etc/protocols file:

tcpdump -i eth1 -n -w capture.lpc -s 1514 ip proto 115


To capture traffic based on it's application from further up the stack such as ftp traffic specify the port:

tcpdump -i eth1 -n -w capture.lpc -s 1514 port 21

And to capture the data portion of the FTP traffic as well you could add port 20:

tcpdump -i eth1 -n -w capture.lpc -s 1514 port 21 && port 20

This could have been specified by name as detailed in the /etc/services file.

tcpdump -i eth1 -n -w capture.lpc -s 1514 port ftp && port ftp-data

In the examples above I have used && to add 2 filters together. I could have used the word 'and' instead. You can also use 'or' to idicate that i want one filter to apply or another filter to apply. || means the same as 'or' also.

tcpdump -i eth1 -n -w capture.lpc -s 1514 port http or https
tcpdump -i eth1 -n -w capture.lpc -s 1514 port 80 || 443

The above filters will capture the same data.


Filtering by Packet Size

You could create a filter to capture packets that are larger than a certain size (in bytes):

tcpdump -i eth1 -n -w capture.lpc -s 1514 greater 250

This type of filter can be useful if you are trying to locate certain types of packet based on attributes from further up the stack.




We can also tell tcpdump to leave out certain types of traffic, in this example we don't want http or https traffic but we want everything else:

tcpdump -i eth1 -n -w capture.lpc -s 1514 " (not tcp port http and not tcp port https)"



To view the output in output in ascii use -X (the verbose -v is optional):

tcpdump -i eth1 -n -w capture.lpc -s 1514 -X -v

To dump the whole packet in hex use:

tcpdump -i eth1 -n -w capture.lpc -s 1514 -x -v


Further Examples

To display a list of visited sites:

tcpdump -w dumpfile
tcpdump -r dumpfile > textfile
cat textfile /usr/bin/cut -f 8 -d ' ' /bin/grep -i www*


Looking at ICMP

Although you can capture all ICMP traffic, you could actually capture only particular types of ICMP based on attributes of the protocol. For example, if i wanted to capture just ICMP echo requests knowing that an ICMP echo request is a Type 8 i might use:

tcpdump -e -x "icmp[0]=8"

To capture just ICMP repies (Type 0) i might use:

tcpdump -e -x "icmp[0]=0"


Wireless Stuff

If i was curious about what networks wireless clients are probing for I could set my card into promiscuous mode (ifconfig -i eth1 promisc), configure my wireless settings to monitor (iwconfig eth1 mode monitor) and issue the following command:

tcpdump -i eth1 -s0 -nn -vv -t | grep -i request

This would reduce the output to just display probe requets from nearby wireless clients.




Note: I will update this blog entry with new and interesting uses for Tcpdump as I learn them.


Links

For a great book on network monitoring using Tcpdump as well as many other opensource tools try "The Tao of Network Security Monitoring" from Richard Bejtlich.

Another great book on this topic is "Practical Packet Analysis"

3 comments:

dadada said...

very helpfull, thanx.

Anonymous said...

Handy stuff here...

SynJunkie said...

Thanks


Lee