Tcpdump – analyze your packets

packet sniffing and analysis with tcpdump

tcpdump is a powerful tool that helps capture and analyze network traffic. The command line usage is very simple and lets you pipe its output into grep and other terminal utilities to match and discover packets and flows.
In this tutorial we'll show some basic examples that let you discover the various options the tool offers.

installation

installation is very simple. Just use yum (or your distro's package manager):

# yum install tcpdump

first we have to discover the interfaces we can sniff on: just run tcpdump with the -D option

root@raspberrypi:~# tcpdump -D

1.eth0 [Up, Running]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
4.nflog (Linux netfilter log (NFLOG) interface)
5.nfqueue (Linux netfilter queue (NFQUEUE) interface)
6.usbmon1 (USB bus number 1) 

let’s sniff the first 10 packets from our eth0 interface:

# tcpdump -i eth0 -c 10

write our sniff to a pcap file (readable from wireshark too)

# tcpdump -i eth0 -w /home/pi/sniffing.pcap

we can read data from the captured file and look for arp traffic only with

# tcpdump -nn -r sniffing.pcap arp

extract from the capture the traffic from and directed to one specific host (-nn means "don't resolve hostnames and port numbers")

# tcpdump -n -r sniffing.pcap host 192.168.1.200 

extract traffic from a specific network, from a specific source ip, or to a specific destination

# tcpdump -n net 10.0.0.0/8 
# tcpdump src 192.168.1.15
# tcpdump dst 8.8.8.8

it is possible to filter on source and destination port (port ranges too)

# tcpdump src port 4444
# tcpdump dst port 80
# tcpdump port 53
# tcpdump portrange 1000-1100

boolean operators

with the use of boolean operators it is possible to obtain interesting combinations of search options

# tcpdump host 192.168.1.100 and port not 22
# tcpdump src 8.8.8.8 and dst 192.168.1.50
# tcpdump not tcp

it is possible to make even more complex searches by combining the various options

# tcpdump 'src 192.168.1.100 and (dst port 21 or 25)'

TCP Flags filtering

it is possible to decide which flags to consider in our sniff. In order to apply this correctly it's important to have a basic knowledge of the TCP header. Here's the header format taken from RFC 793

TCP Header Format

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Acknowledgment Number                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |       |C|E|U|A|P|R|S|F|                               |
   | Offset| Res.  |W|C|R|C|S|S|Y|I|            Window             |
   |       |       |R|E|G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |         Urgent Pointer        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

the tcp flags start at byte 13 of the TCP header (offset 13 counting from 0, as the figure shows), beginning with the CWR (Congestion Window Reduced) and ECE (ECN, Explicit Congestion Notification) flags.

if we want to filter only SYN-ACK packets we have to do this simple operation: put a '1' in the position of every flag we want to consider and convert the value to decimal:

CEUAPRSF
00010010 = 18 (decimal)

so to accomplish this filter we use this expression:

# tcpdump 'tcp[13]=18'

what if we want to check for RST packets? both of these requests are equivalent:

# tcpdump 'tcp[13] & 4!=0'
# tcpdump 'tcp[tcpflags] == tcp-rst'

4 is the value of the 'R' flag inside CEUAPRSF, so in the previous search we asked for packets with at least the R flag set
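To make the flag arithmetic above concrete, here is an added Python example (not part of the original tutorial) that computes the tcp[13] value from flag names, emits the matching tcpdump filter expression, and parses a constructed 20-byte TCP header to show that the flags really sit at byte offset 13:

```python
import struct

# Flag bits in TCP header byte 13, MSB to LSB, matching the CEUAPRSF mnemonic.
TCP_FLAG_BITS = {
    "CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
    "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01,
}

def flags_value(*names):
    """Decimal value tcpdump compares tcp[13] against, e.g. SYN+ACK -> 18."""
    value = 0
    for name in names:
        value |= TCP_FLAG_BITS[name.upper()]
    return value

def exact_filter(*names):
    """Filter that matches only packets with exactly these flags set."""
    return "tcp[13]=%d" % flags_value(*names)

def any_of_filter(*names):
    """Filter that matches packets with at least one of these flags set."""
    return "tcp[13] & %d != 0" % flags_value(*names)

def parse_tcp_header(segment):
    """Unpack the fixed 20-byte header from RFC 793 (network byte order)."""
    (sport, dport, seq, ack, off_res, flags,
     window, csum, urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "data_offset": (off_res >> 4) * 4,   # header length in bytes
        "flags": flags,
        "flag_names": [n for n, b in TCP_FLAG_BITS.items() if flags & b],
        "window": window, "checksum": csum, "urgent": urg,
    }

def matches(segment, mask, exact=False):
    """Evaluate a tcp[13] test the way the BPF filter does, on raw bytes."""
    flags = segment[13]                      # byte 13 is the flags byte
    return flags == mask if exact else (flags & mask) != 0

# Constructed sample: SYN-ACK from port 80 to port 40000, seq 1000, ack 2001,
# data offset 5 (20 bytes), flags 0x12, window 65535, checksum/urgent 0.
SYN_ACK = struct.pack("!HHIIBBHHH", 80, 40000, 1000, 2001, 5 << 4, 0x12, 65535, 0, 0)

if __name__ == "__main__":
    print(exact_filter("SYN", "ACK"), any_of_filter("RST"))
    print(parse_tcp_header(SYN_ACK))
```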

it is possible to use linux terminal tools like grep, cut, awk etc. to make more specific searches.

# tcpdump -vvtt | grep 'raspberry' 

the last option is related to packet size. here's an example (the length comparison must be quoted so the shell doesn't treat "<" as a redirect):

# tcpdump -i eth0 'len <= 64 and dst 192.168.1.100'
# tcpdump dst 10.0.0.1 or less 32
# tcpdump greater 128 and port not 22 

conclusion

tcpdump can provide useful information for IT troubleshooting. The syntax is quite human-readable and after some tests you will easily remember the right options to support you in your daily activities.