how to use tcpdump

2021-03-21 18:31:07 浏览数 (1)

how-to-use-tcpdump

Tcpdump command is a famous network packet analyzing tool that is used to display TCP IP & other network packets being transmitted over the network attached to the system on which tcpdump has been installed. Tcpdump uses libpcap library to capture the network packets & is available on almost all Linux/Unix flavors.

Linux Tcpdump: Filter ipv6 ntp ping packets

Tcpdump: capture DHCP & DHCPv6 packets

20 Advanced Tcpdump Examples On Linux

10 Useful tcpdump command examples

TCPDUMP

README

Tcpdump is one of the best network analysis-tools ever for information security professionals.

Tcpdump is for everyone for hackers and people who have less of TCP/IP understanding.

OPTIONS

Below are some tcpdump options (with useful examples) that will help you working with the tool. They’re very easy to forget and/or confuse with other types of filters, i.e. ethereal, so hopefully this article can serve as a reference for you, as it does me:)
  • The first of these is -n, which requests that names are not resolved, resulting in the IPs themselves.
  • The second is -X, which displays both hex and ascii content within the packet.
  • The final one is -S, which changes the display of sequence numbers to absolute rather than relative.

Show the packet’s contents in both hex and ascii.

代码语言:txt复制
tcpdump -X ....         

Same as -X, but also shows the ethernet header.

代码语言:txt复制
tcpdump -XX

Show the list of available interfaces

代码语言:txt复制
tcpdump -D

Line-readable output (for viewing as you save, or sending to other commands)

代码语言:txt复制
tcpdump -l

Be less verbose (more quiet) with your output.

代码语言:txt复制
tcpdump -q

Give human-readable timestamp output.

代码语言:txt复制
tcpdump -t :

Give maximally human-readable timestamp output.

代码语言:txt复制
tcpdump -tttt : 

Listen on the eth0 interface.

代码语言:txt复制
tcpdump -i eth0

Verbose output (more v’s gives more output).

代码语言:txt复制
tcpdump -vv 

Only get x number of packets and then stop.

代码语言:txt复制
tcpdump -c 

Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.

代码语言:txt复制
tcpdump -s 

Print absolute sequence numbers.

代码语言:txt复制
tcpdump -S 

Get the ethernet header as well.

代码语言:txt复制
tcpdump -e 

Decrypt IPSEC traffic by providing an encryption key.

代码语言:txt复制
tcpdump -E

For more options, read manual:

  • Find all options here
  • Linux Tcpdump: Filter ipv6 ntp ping packets
  • Tcpdump: capture DHCP & DHCPv6 packets
  • 20 Advanced Tcpdump Examples On Linux
  • 10 Useful tcpdump command examples

BASIC USAGE

Display Available Interfaces

代码语言:txt复制
tcpdump -D
代码语言:txt复制
tcpdump --list-interfaces

Let’s start with a basic command that will get us HTTPS traffic:

代码语言:txt复制
tcpdump -nnSX port 443

Find Traffic by IP

代码语言:txt复制
tcpdump host 1.1.1.1

Filtering by Source and/or Destination

代码语言:txt复制
tcpdump src 1.1.1.1 
代码语言:txt复制
tcpdump dst 1.0.0.1

Finding Packets by Network

代码语言:txt复制
tcpdump net 1.2.3.0/24
Low Output:
代码语言:txt复制
tcpdump -nnvvS
Medium Output:
代码语言:txt复制
tcpdump -nnvvXS
Heavy Output:
代码语言:txt复制
tcpdump -nnvvXSs 1514

Getting Creative

  • Expressions are very nice, but the real magic of tcpdump comes from the ability to combine them in creative ways in order to isolate exactly what you’re looking for.

There are three ways to do combination:

AND

代码语言:txt复制
and or &&

OR

代码语言:txt复制
or or ||

EXCEPT

代码语言:txt复制
not or !

Usage Example:

Traffic that’s from 192.168.1.1 AND destined for ports 3389 or 22

代码语言:txt复制
tcpdump 'src 192.168.1.1 and (dst port 3389 or 22)'

Advanced

Show me all URG packets:

代码语言:txt复制
tcpdump 'tcp[13] & 32 != 0'

Show me all ACK packets:

代码语言:txt复制
tcpdump 'tcp[13] & 16 != 0'

Show me all PSH packets:

代码语言:txt复制
tcpdump 'tcp[13] & 8 != 0'

Show me all RST packets:

代码语言:txt复制
tcpdump 'tcp[13] & 4 != 0'

Show me all SYN packets:

代码语言:txt复制
tcpdump 'tcp[13] & 2 != 0'

Show me all FIN packets:

代码语言:txt复制
tcpdump 'tcp[13] & 1 != 0'

Show me all SYN-ACK packets:

代码语言:txt复制
tcpdump 'tcp[13] = 18'

Show all traffic with both SYN and RST flags set: (that should never happen)

代码语言:txt复制
tcpdump 'tcp[13] = 6'

Show all traffic with the “evil bit” set:

代码语言:txt复制
tcpdump 'ip[6] & 128 != 0'

Display all IPv6 Traffic:

代码语言:txt复制
tcpdump ip6

Print Captured Packets in ASCII

代码语言:txt复制
tcpdump -A -i eth0

Display Captured Packets in HEX and ASCII

代码语言:txt复制
tcpdump -XX -i eth0

Capture and Save Packets in a File

代码语言:txt复制
tcpdump -w 0001.pcap -i eth0

Read Captured Packets File

代码语言:txt复制
tcpdump -r 0001.pcap

Capture IP address Packets

代码语言:txt复制
tcpdump -n -i eth0

Capture only TCP Packets.

代码语言:txt复制
tcpdump -i eth0 tcp

Capture Packet from Specific Port

代码语言:txt复制
tcpdump -i eth0 port 22

Capture Packets from source IP

代码语言:txt复制
tcpdump -i eth0 src 192.168.0.2

Capture Packets from destination IP

代码语言:txt复制
tcpdump -i eth0 dst 50.116.66.139

Capture any packed coming from x.x.x.x

代码语言:txt复制
tcpdump -n src host x.x.x.x

Capture any packet coming from or going to x.x.x.x

代码语言:txt复制
tcpdump -n host x.x.x.x

Capture any packet going to x.x.x.x

代码语言:txt复制
tcpdump -n dst host x.x.x.x

Capture any packed coming from x.x.x.x

代码语言:txt复制
tcpdump -n src host x.x.x.x

Capture any packet going to network x.x.x.0/24

代码语言:txt复制
tcpdump -n dst net x.x.x.0/24

Capture any packet coming from network x.x.x.0/24

代码语言:txt复制
tcpdump -n src net x.x.x.0/24

Capture any packet with destination port x

代码语言:txt复制
tcpdump -n dst port x

Capture any packet coming from port x

代码语言:txt复制
tcpdump -n src port x

Capture any packets from or to port range x to y

代码语言:txt复制
tcpdump -n dst(or src) portrange x-y

Capture any tcp or udp port range x to y

代码语言:txt复制
tcpdump -n tcp(or udp) dst(or src) portrange x-y

Capture any packets with dst ip x.x.x.x and port y

代码语言:txt复制
tcpdump -n "dst host x.x.x.x and dst port y"

Capture any packets with dst ip x.x.x.x and dst ports x, z

代码语言:txt复制
tcpdump -n "dst host x.x.x.x and (dst port x or dst port z)"

Capture ICMP , ARP

代码语言:txt复制
tcpdump -v icmp(or arp)

Capture packets on interface eth0 and dump to cap.txt file

代码语言:txt复制
tcpdump -i eth0 -w cap.txt

Get Packet Contents with Hex Output

代码语言:txt复制
tcpdump -c 1 -X icmp

Show Traffic Related to a Specific Port

代码语言:txt复制
tcpdump port 3389 
代码语言:txt复制
tcpdump src port 1025

Show Traffic of One Protocol

代码语言:txt复制
tcpdump icmp

Find Traffic by IP

代码语言:txt复制
tcpdump host 1.1.1.1

Filtering by Source and/or Destination

代码语言:txt复制
tcpdump src 1.1.1.1 
代码语言:txt复制
tcpdump dst 1.0.0.1

Finding Packets by Network

代码语言:txt复制
tcpdump net 1.2.3.0/24

Get Packet Contents with Hex Output

代码语言:txt复制
tcpdump -c 1 -X icmp

Show Traffic Related to a Specific Port

代码语言:txt复制
tcpdump port 3389 
代码语言:txt复制
tcpdump src port 1025

Show Traffic of One Protocol

代码语言:txt复制
tcpdump icmp

Show only IP6 Traffic

代码语言:txt复制
tcpdump ip6

Find Traffic Using Port Ranges

代码语言:txt复制
tcpdump portrange 21-23

Find Traffic Based on Packet Size

代码语言:txt复制
 tcpdump less 32 
代码语言:txt复制
 tcpdump greater 64 
代码语言:txt复制
 tcpdump <= 128
代码语言:txt复制
 tcpdump => 128

Reading / Writing Captures to a File (pcap)

代码语言:txt复制
tcpdump port 80 -w capture_file
代码语言:txt复制
tcpdump -r capture_file

It’s All About the Combinations

Raw Output View

代码语言:txt复制
tcpdump -ttnnvvS

Here are some examples of combined commands.

From specific IP and destined for a specific Port

代码语言:txt复制
tcpdump -nnvvS src 10.5.2.3 and dst port 3389

From One Network to Another

代码语言:txt复制
tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16

Non ICMP Traffic Going to a Specific IP

代码语言:txt复制
tcpdump dst 192.168.0.2 and src net and not icmp

Traffic From a Host That Isn’t on a Specific Port

代码语言:txt复制
tcpdump -vv src mars and not dst port 22

Isolate TCP RST flags.

代码语言:txt复制
tcpdump 'tcp[13] & 4!=0'
代码语言:txt复制
tcpdump 'tcp[tcpflags] == tcp-rst'

Isolate TCP SYN flags.

代码语言:txt复制
tcpdump 'tcp[13] & 2!=0'
代码语言:txt复制
tcpdump 'tcp[tcpflags] == tcp-syn'

Isolate packets that have both the SYN and ACK flags set.

代码语言:txt复制
tcpdump 'tcp[13]=18'

Isolate TCP URG flags.

代码语言:txt复制
tcpdump 'tcp[13] & 32!=0'
代码语言:txt复制
tcpdump 'tcp[tcpflags] == tcp-urg'

Isolate TCP ACK flags.

代码语言:txt复制
tcpdump 'tcp[13] & 16!=0'
代码语言:txt复制
tcpdump 'tcp[tcpflags] == tcp-ack'

Isolate TCP PSH flags.

代码语言:txt复制
tcpdump 'tcp[13] & 8!=0'
代码语言:txt复制
tcpdump 'tcp[tcpflags] == tcp-psh'

Isolate TCP FIN flags.

代码语言:txt复制
tcpdump 'tcp[13] & 1!=0'
代码语言:txt复制
tcpdump 'tcp[tcpflags] == tcp-fin'

Commands that I using almost daily

Both SYN and RST Set

代码语言:txt复制
tcpdump 'tcp[13] = 6'

Find HTTP User Agents

代码语言:txt复制
tcpdump -vvAls0 | grep 'User-Agent:'
代码语言:txt复制
tcpdump -nn -A -s1500 -l | grep "User-Agent:"

By using egrep and multiple matches we can get the User Agent and the Host (or any other header) from the request.

代码语言:txt复制
tcpdump -nn -A -s1500 -l | egrep -i 'User-Agent:|Host:'

Capture only HTTP GET and POST packets only packets that match GET.

代码语言:txt复制
tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
代码语言:txt复制
tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'

Extract HTTP Request URL's

代码语言:txt复制
tcpdump -s 0 -v -n -l | egrep -i "POST /|GET /|Host:"

Extract HTTP Passwords in POST Requests

代码语言:txt复制
tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"

Capture Cookies from Server and from Client

代码语言:txt复制
tcpdump -nn -A -s0 -l | egrep -i 'Set-Cookie|Host:|Cookie:'

Capture all ICMP packets

代码语言:txt复制
tcpdump -n icmp

Show ICMP Packets that are not ECHO/REPLY (standard ping)

代码语言:txt复制
tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

Capture SMTP / POP3 Email

代码语言:txt复制
tcpdump -nn -l port 25 | grep -i 'MAIL FROM|RCPT TO'

Troubleshooting NTP Query and Response

代码语言:txt复制
tcpdump dst port 123

Capture FTP Credentials and Commands

代码语言:txt复制
tcpdump -nn -v port ftp or ftp-data

Rotate Capture Files

代码语言:txt复制
tcpdump  -w /tmp/capture-%H.pcap -G 3600 -C 200

Capture IPv6 Traffic

代码语言:txt复制
tcpdump -nn ip6 proto 6

IPv6 with UDP and reading from a previously saved capture file.

代码语言:txt复制
tcpdump -nr ipv6-test.pcap ip6 proto 17

Detect Port Scan in Network Traffic

代码语言:txt复制
tcpdump -nn

USAGE EXAMPLE

Example Filter Showing Nmap NSE Script Testing

  • On Target:
代码语言:txt复制
  nmap -p 80 --script=http-enum.nse targetip
  • On Server:
代码语言:txt复制
  tcpdump -nn port 80 | grep "GET /"
代码语言:txt复制
       GET /w3perl/ HTTP/1.1
代码语言:txt复制
       GET /w-agora/ HTTP/1.1
代码语言:txt复制
       GET /way-board/ HTTP/1.1
代码语言:txt复制
       GET /web800fo/ HTTP/1.1
代码语言:txt复制
       GET /webaccess/ HTTP/1.1
代码语言:txt复制
       GET /webadmin/ HTTP/1.1
代码语言:txt复制
       GET /webAdmin/ HTTP/1.1

Capture Start and End Packets of every non-local host

代码语言:txt复制
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

Capture DNS Request and Response

Filtering DNS with Tcpdump

代码语言:txt复制
tcpdump -i wlp58s0 -s0 port 53

Capture HTTP data packets

代码语言:txt复制
tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

Top Hosts by Packets

代码语言:txt复制
tcpdump -nnn -t -c 200 | cut -f 1,2,3,4 -d '.' | sort | uniq -c | sort -nr | head -n 20

Capture all the plaintext passwords

代码语言:txt复制
tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -l -A | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '
代码语言:txt复制
tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -lA | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd= |password=|pass:|user:|username:|password:|login:|pass |user '

DHCP Example

代码语言:txt复制
tcpdump -v -n port 67 or 68

Cleartext GET Requests

代码语言:txt复制
tcpdump -vvAls0 | grep 'GET'

Find HTTP Host Headers

代码语言:txt复制
tcpdump -vvAls0 | grep 'Host:'

Find HTTP Cookies

代码语言:txt复制
tcpdump -vvAls0 | grep 'Set-Cookie|Host:|Cookie:'

Find SSH Connections

代码语言:txt复制
tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'

Find DNS Traffic

代码语言:txt复制
tcpdump -vvAs0 port 53

Find FTP Traffic

代码语言:txt复制
tcpdump -vvAs0 port ftp or ftp-data

Find NTP Traffic

代码语言:txt复制
tcpdump -vvAs0 port 123

Capture SMTP / POP3 Email

代码语言:txt复制
tcpdump -nn -l port 25 | grep -i 'MAIL FROM|RCPT TO'

Line Buffered Mode

代码语言:txt复制
tcpdump -i eth0 -s0 -l port 80 | grep 'Server:'

Find traffic with evil bit

代码语言:txt复制
tcpdump 'ip[6] & 128 != 0'

Filter on protocol (ICMP) and protocol-specific fields (ICMP type)

Tcpdump: Filter Packets with Tcp Flags

tcpdump -n icmp and 'icmp0 != 8 and icmp0 != 0'

Same command can be used with predefined header field offset (icmptype) and ICMP type field values (icmp-echo and icmp-echoreply):

代码语言:txt复制
tcpdump -n icmp and icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply

Filter on TOS field

代码语言:txt复制
tcpdump -v -n ip and ip[1]!=0

Filter on TTL field

代码语言:txt复制
tcpdump -v ip and 'ip[8]<2'

Filter on TCP flags (SYN/ACK)

代码语言:txt复制
tcpdump -n tcp and port 80 and 'tcp[tcpflags] & tcp-syn == tcp-syn'

In the example above, all packets with TCP SYN flag set are captured. Other flags (ACK, for example) might be set also. Packets which have only TCP SYN flags set, can be captured

代码语言:txt复制
tcpdump tcp and port 80 and 'tcp[tcpflags] == tcp-syn'

Catch TCP SYN/ACK packets (typically, responses from servers):

代码语言:txt复制
tcpdump -n tcp and 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'
代码语言:txt复制
tcpdump -n tcp and 'tcp[tcpflags] & tcp-syn == tcp-syn' and 'tcp[tcpflags] & tcp-ack == tcp-ack'

Catch ARP packets

代码语言:txt复制
tcpdump -vv -e -nn ether proto 0x0806

Filter on IP packet length

代码语言:txt复制
tcpdump -l icmp and '(ip[2:2]>50)' -w - |tcpdump -r - -v ip and '(ip[2:2]<60)'

Remark: due to some bug in tcpdump, the following command doesn't catch packets as expected:

代码语言:txt复制
tcpdump -v -n icmp and '(ip[2:2]>50)' and '(ip[2:2]<60)'

Filter on encapsulated content (ICMP within PPPoE)

代码语言:txt复制
tcpdump -v -n icmp

Queiter

代码语言:txt复制
tcpdump -q -i eth0
代码语言:txt复制
tcpdump -t -i eth0
代码语言:txt复制
tcpdump -A -n -q -i eth0 'port 80'
代码语言:txt复制
tcpdump -A -n -q -t -i eth0 'port 80'

Print only useful packets from the HTTP traffic

代码语言:txt复制
tcpdump -A -s 0 -q -t -i eth0 'port 80 and ( ((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12:2]&0xf0)>>2)) != 0)'

Dump SIP Traffic

代码语言:txt复制
tcpdump -nq -s 0 -A -vvv port 5060 and host 1.2.3.4

Checking packet content

代码语言:txt复制
tcpdump -i any -c10 -nn -A port 80

Checking packet content

代码语言:txt复制
sudo tcpdump -i any -c10 -nn -A port 80

References & Awesome wikis

Capture ICMP Packets With Tcpdump

Debugging SSH Packets with Tcpdump

Using Tcpdump to Filter DNS Packets

Learn tcpdump Quick Guide

Filtering DNS with Tcpdump

Filtering CDP LLDP packets with Tcpdump

Tcpdump Cheat Sheet (Basic Advanced Examples)

END!

0 人点赞