Tcpdump Recipes


Tcpdump is the premier network analysis tool for information security and networking enthusiasts and/or professionals. In my own primer I cover tcpdump basics; if you're interested in becoming familiar with the application via an introduction, I suggest you check it out first.

Here I'm simply going to give a number of recipes that you're likely to find useful during your day-to-day activities. They will range from common, general captures to complex filters designed to look for a number of unique traffic types.


Basics

Below are a few options you can use when invoking tcpdump in order to control the output. The examples given will be in the basic form of tcpdump $recipe, so remember to add your own options as needed.

Basic Communication // See the basics without many options

# tcpdump -nS

Basic Communication (very verbose) // see a good amount of traffic, with verbosity and no name help

# tcpdump -nnvvS

A deeper look at the traffic // adds -X for payload but doesn't grab any more of the packet

# tcpdump -nnvvXS

Heavy packet viewing // the final "s" increases the snaplength, grabbing the whole packet

# tcpdump -nnvvXSs 1514


Recipes

  1. host // look for traffic based on IP address (also works with hostname if you're not using -n)
    # tcpdump host 1.2.3.4

  2. src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)
    # tcpdump src 2.3.4.5
    # tcpdump dst 3.4.5.6

  3. net // capture an entire network using CIDR notation
    # tcpdump net 1.2.3.0/24

  4. proto // works for tcp, udp, and icmp. Note that you don't have to type proto
    # tcpdump icmp

  5. port // see only traffic to or from a certain port
    # tcpdump port 3389

  6. src, dst port // filter based on the source or destination port
    # tcpdump src port 1025
    # tcpdump dst port 3389

Combinations

TCP traffic from 10.5.2.3 destined for port 3389:
# tcpdump tcp and src 10.5.2.3 and dst port 3389

Traffic originating from the 192.168 network headed for the 10 or 172.16 networks:
# tcpdump 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or 172.16.0.0/16)'

Non-ICMP traffic destined for 192.168.0.2 from the 172.16 network:
# tcpdump dst 192.168.0.2 and src net 172.16.0.0/16 and not icmp

Traffic originating from Mars or Pluto that isn't to the SSH port:
# tcpdump -vv src mars or pluto and not dst port 22

Traffic that's from 10.0.2.4 AND destined for ports 3389 or 22:
# tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'

Advanced filters can help with troubleshooting and can reveal anomalous traffic on a network that would normally go unnoticed.

Finding Flags

Hint: Use the following acronym to remember your flags: Unskilled Attackers Pester Real Security Folk

Show me all URG packets:
# tcpdump 'tcp[13] & 32 != 0'

Show me all ACK packets:
# tcpdump 'tcp[13] & 16 != 0'

Show me all PSH packets:
# tcpdump 'tcp[13] & 8 != 0'

Show me all RST packets:
# tcpdump 'tcp[13] & 4 != 0'

Show me all SYN packets:
# tcpdump 'tcp[13] & 2 != 0'

Show me all FIN packets:
# tcpdump 'tcp[13] & 1 != 0'

Show me all SYN-ACK packets:
# tcpdump 'tcp[13] = 18'
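The filters above all inspect byte 13 of the TCP header. As an added example (not code from the original page), the script below builds a few constructed TCP headers, decodes that byte the way tcpdump's `tcp[13]` expression reads it, and evaluates the mask-style filters (`tcp[13] & MASK != 0`) beside the exact-match SYN-ACK filter (`tcp[13] = 18`). The header bytes and sample names are constructed for the example and do not come from a real capture.

```python
# Added example (not from the original page): decode the TCP flags byte that the
# tcpdump filters above inspect ("tcp[13]") and evaluate those filters against a
# few constructed TCP headers. All sample headers below are constructed for the
# example, not taken from a real capture.
import struct

# Bit masks for byte 13 of the TCP header, in the order of the mnemonic
# Unskilled Attackers Pester Real Security Folk.
TCP_FLAGS = {"URG": 32, "ACK": 16, "PSH": 8, "RST": 4, "SYN": 2, "FIN": 1}
# The two high bits of the same byte carry ECN (CWR = 128, ECE = 64) on hosts
# that negotiate it, so they can be set alongside the six classic flags.
ECN_FLAGS = {"CWR": 128, "ECE": 64}


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535):
    """Construct a minimal 20-byte TCP header (no options) with the given flags byte.
    The checksum is left as zero: this is sample input, not a sendable segment."""
    data_offset = 5 << 4  # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, window, 0, 0)


def tcp13(header):
    """Return byte 13 of the TCP header, the value tcpdump's 'tcp[13]' refers to."""
    if len(header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    return header[13]


def decode_flags(header):
    """Return the set of flag names set in the header, ECN bits included."""
    value = tcp13(header)
    return {n for n, m in {**TCP_FLAGS, **ECN_FLAGS}.items() if value & m}


def flag_set(header, name):
    """Equivalent of tcpdump 'tcp[13] & MASK != 0' for a single flag."""
    return tcp13(header) & TCP_FLAGS[name] != 0


def exact_flags(header, value):
    """Equivalent of tcpdump 'tcp[13] = VALUE' (exact match on the whole byte)."""
    return tcp13(header) == value


def syn_ack_masked(header):
    """SYN-ACK test that ignores the other bits: tcpdump 'tcp[13] & 18 = 18'."""
    return tcp13(header) & 18 == 18


# Constructed sample segments (names are labels for this example only).
SAMPLES = {
    "syn": build_tcp_header(40000, 3389, TCP_FLAGS["SYN"]),
    "syn_ack": build_tcp_header(3389, 40000, TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"]),
    # A SYN-ACK from a host that set ECE during ECN negotiation.
    "syn_ack_ece": build_tcp_header(3389, 40000,
                                    TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"] | ECN_FLAGS["ECE"]),
    "rst_ack": build_tcp_header(3389, 40000, TCP_FLAGS["RST"] | TCP_FLAGS["ACK"]),
    "psh_ack": build_tcp_header(40000, 3389, TCP_FLAGS["PSH"] | TCP_FLAGS["ACK"]),
}


def matches(filter_fn):
    """Return the sorted names of the samples a filter function accepts."""
    return sorted(name for name, hdr in SAMPLES.items() if filter_fn(hdr))


if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:12s} tcp[13]={tcp13(hdr):3d} flags={sorted(decode_flags(hdr))}")
    print("tcp[13] & 2 != 0 :", matches(lambda h: flag_set(h, "SYN")))
    print("tcp[13] = 18     :", matches(lambda h: exact_flags(h, 18)))
    print("tcp[13] & 18 = 18:", matches(syn_ack_masked))
```

The point to take from the output is the difference between the two SYN-ACK filters: `tcp[13] = 18` only matches when SYN and ACK are the sole bits set, so a SYN-ACK carrying ECE (byte value 82) slips past it, whereas `tcp[13] & 18 = 18` matches both. When the goal is to see every SYN-ACK on a link, the masked form is the safer choice.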


Specialized Traffic

Related

A Tcpdump Primer / Tutorial

How to Remember Your TCP Flags

Not All SYN Packets Are Created Equal

References

The Tcpdump Manual Page
