[Know your tools] Packet Capture with tcpdump
So you've got your big unknown network, you can see the blinking lights on your switch or router flashing away, indicating huge amounts of traffic zipping its way from host to host, and you want to know what that traffic is...
Then tcpdump is the tool for you!
Tip
On a switched network, to view all traffic on a link you may have to redirect traffic to your collection box using Cisco SPAN (or by using ARP poisoning).
In its simplest incarnation, you can run tcpdump as follows:
tcpdump -i eth0
This will list each packet transmitted alongside some of the more useful information, like window size and packet length.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:04:19.777614 IP freck.home.63603 > prod.home.50000: Flags [.], ack 1238793245, win 868, length 0
19:04:19.777619 IP freck.home.63603 > prod.home.50000: Flags [.], ack 1, win 16425, length 0
19:04:19.779888 IP bt.home.48929 > prod.home.domain: 20430+ PTR? 21.0.1.10.in-addr.arpa. (40)
19:04:19.780325 IP prod.home.50000 > freck.home.63603: Flags [.], seq 1:1461, ack 0, win 245, length 1460
19:04:19.780329 IP prod.home.50000 > freck.home.63603: Flags [.], seq 1461:2921, ack 0, win 245, length 1460
19:04:19.780330 IP prod.home.50000 > freck.home.63603: Flags [.], seq 2921:4381, ack 0, win 245, length 1460
The amount of information shown can be increased using -v, -vv or -vvv. -v will show flags, TTL and IP options. -vv prints even more, for example SMB and NFS responses in full. -vvv goes one step further and prints with the most verbosity.
So far, we're only seeing metadata: IPs, ports and IP/TCP headers.
To see the full packet contents, use the -X flag:
tcpdump -X -i eth0
19:22:06.932069 IP freck.home.56050 > prod.home.50000: Flags [.], ack 1311081, win 730, length 0
0x0000: 4500 0028 3a6f 4000 8006 ab91 0a01 00b9 E..(:o@.........
0x0010: 0a01 0015 daf2 c350 0337 c335 1533 db8f .......P.7.5.3..
0x0020: 5010 02da 42b8 0000 0000 0000 0000 P...B.........
19:22:06.932070 IP prod.home.50000 > freck.home.56050: Flags [.], seq 1311081:1312541, ack 0, win 245, length 1460
0x0000: 4500 05dc 74e3 4000 4006 ab69 0a01 0015 E...t.@.@..i....
0x0010: 0a01 00b9 c350 daf2 1533 db8f 0337 c335 .....P...3...7.5
0x0020: 5010 00f5 b50d 0000 d9bb 4d8c 0d4e 23a5 P.........M..N#.
0x0030: b55d 7753 8a88 3256 c0d9 2b4a ba8c 0dbb .]wS..2V..+J....
0x0040: ca6b 141a d9df a187 4180 fa7d 728c 0f3e .k......A..}r..>
0x0050: ae51 11fc 59e2 23ce aeda 946d 1324 7a4a .Q..Y.#....m.$zJ
0x0060: 954d 2b68 6ba2 088f b125 2546 fa9c 3218 .M+hk....%%F..2.
Tip
Not a fan of reading output in hex? -A prints just the ASCII data.
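To show what those -X hex columns actually carry, here is an added Python example (not from the original post) that rebuilds the raw bytes of the first packet dumped above and decodes its IPv4 and TCP headers; the sample dump is that packet re-typed as a constructed string, and the field names in the returned dict are this example's own.

```python
import re
import struct

# Constructed sample: the first -X packet shown above, an ACK from
# freck.home.56050 to prod.home.50000 with win 730 and length 0.
SAMPLE_HEXDUMP = """\
0x0000: 4500 0028 3a6f 4000 8006 ab91 0a01 00b9 E..(:o@.........
0x0010: 0a01 0015 daf2 c350 0337 c335 1533 db8f .......P.7.5.3..
0x0020: 5010 02da 42b8 0000 0000 0000 0000 P...B.........
"""

HEX_LINE = re.compile(r"^\s*0x[0-9a-f]{4}:\s+(.*)$", re.I)
TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST",
                  0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw packet bytes from tcpdump -X output.
    Each line has up to eight 4-hex-digit groups, then an ASCII column.
    We take at most eight groups and stop at the first token that is not
    four hex digits, so the ASCII column is never mistaken for data."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        for tok in m.group(1).split()[:8]:
            if not re.fullmatch(r"[0-9a-f]{4}", tok, re.I):
                break
            out += bytes.fromhex(tok)
    return bytes(out)

def decode_ipv4_tcp(pkt: bytes) -> dict:
    """Decode the IPv4 and TCP headers (-X output starts at the IP header)."""
    vihl, _tos, total_len, _ident, _frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if vihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (vihl & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    data_off = (off_flags >> 12) * 4
    flags = [name for bit, name in TCP_FLAG_NAMES.items() if off_flags & bit]
    # Short frames are padded on the wire (the trailing 0000 groups above), so the
    # payload length comes from the IP total length, not from the bytes in the dump.
    payload_len = total_len - ihl - data_off
    return {"src": src, "dst": dst, "ttl": ttl, "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "flags": flags, "win": win, "length": payload_len}

if __name__ == "__main__":
    print(decode_ipv4_tcp(hexdump_to_bytes(SAMPLE_HEXDUMP)))
```

The decoded source/destination ports, ACK flag and window match the summary line tcpdump printed for that packet, and the six trailing 0000 groups turn out to be Ethernet padding rather than TCP data.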
Now, you've probably noticed that your terminal is scrolling past at near the speed of light. To make later analysis easier, packets can be saved to a file using the -w flag. When this flag is used, the verbosity flags are ignored and the entire contents of each packet are written to the specified file.
tcpdump -i eth0 -w output.pcap
The output file can be read in later using the -r flag or with an analysis tool of your choice (Wireshark, etc.).
Another alternative to writing to a file for later analysis is pre-filtering right in tcpdump. Tcpdump uses BPF (Berkeley Packet Filter) syntax for filtering packets; the full details can be found in man pcap-filter. Filters allow very fine-grained control over which packets are captured, from source and destination hosts/ports to specifics such as TCP flags.
tcpdump -i eth0 -X 'host 10.1.0.1'
This will list all traffic to or from a specific host. To view the start of all TCP handshakes (packets with the TCP SYN flag set), a filter like the following could be used:
tcpdump -i eth0 -X 'tcp[tcpflags] & tcp-syn !=0'
There is a lot more to tcpdump, and as always the definitive source is man tcpdump. Next up in Know Your Tools will be pcap analysis in Wireshark.
Until next time,
feabell
Comments
DNS lookups
I find I always use the -n option as well, which avoids DNS lookups and can speed things up a bit.