how-to-use-tcpdump
Tcpdump command is a famous network packet analyzing tool that is used to display TCP IP & other network packets being transmitted over the network attached to the system on which tcpdump has been installed. Tcpdump uses libpcap library to capture the network packets & is available on almost all Linux/Unix flavors.
Linux Tcpdump: Filter ipv6 ntp ping packets
Tcpdump: capture DHCP & DHCPv6 packets
20 Advanced Tcpdump Examples On Linux
10 Useful tcpdump command examples
TCPDUMP
README
Tcpdump is one of the best network analysis-tools ever for information security professionals.
Tcpdump is for everyone for hackers and people who have less of TCP/IP understanding.
OPTIONS
Below are some tcpdump options (with useful examples) that will help you working with the tool. They’re very easy to forget and/or confuse with other types of filters, i.e. ethereal, so hopefully this article can serve as a reference for you, as it does me:)
- The first of these is -n, which requests that names are not resolved, resulting in the IPs themselves.
- The second is -X, which displays both hex and ascii content within the packet.
- The final one is -S, which changes the display of sequence numbers to absolute rather than relative.
Show the packet’s contents in both hex and ascii.
代码语言:txt复制tcpdump -X ....
Same as -X, but also shows the ethernet header.
代码语言:txt复制tcpdump -XX
Show the list of available interfaces
代码语言:txt复制tcpdump -D
Line-readable output (for viewing as you save, or sending to other commands)
代码语言:txt复制tcpdump -l
Be less verbose (more quiet) with your output.
代码语言:txt复制tcpdump -q
Give human-readable timestamp output.
代码语言:txt复制tcpdump -t :
Give maximally human-readable timestamp output.
代码语言:txt复制tcpdump -tttt :
Listen on the eth0 interface.
代码语言:txt复制tcpdump -i eth0
Verbose output (more v’s gives more output).
代码语言:txt复制tcpdump -vv
Only get x number of packets and then stop.
代码语言:txt复制tcpdump -c
Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
代码语言:txt复制tcpdump -s
Print absolute sequence numbers.
代码语言:txt复制tcpdump -S
Get the ethernet header as well.
代码语言:txt复制tcpdump -e
Decrypt IPSEC traffic by providing an encryption key.
代码语言:txt复制tcpdump -E
For more options, read manual:
- Find all options here
- Linux Tcpdump: Filter ipv6 ntp ping packets
- Tcpdump: capture DHCP & DHCPv6 packets
- 20 Advanced Tcpdump Examples On Linux
- 10 Useful tcpdump command examples
BASIC USAGE
Display Available Interfaces
代码语言:txt复制tcpdump -D
代码语言:txt复制tcpdump --list-interfaces
Let’s start with a basic command that will get us HTTPS traffic:
代码语言:txt复制tcpdump -nnSX port 443
Find Traffic by IP
Tcpdump: Filter UDP Packets
代码语言:txt复制tcpdump host 1.1.1.1
Filtering by Source and/or Destination
代码语言:txt复制tcpdump src 1.1.1.1
代码语言:txt复制tcpdump dst 1.0.0.1
Finding Packets by Network
代码语言:txt复制tcpdump net 1.2.3.0/24
Low Output:
代码语言:txt复制tcpdump -nnvvS
Medium Output:
代码语言:txt复制tcpdump -nnvvXS
Heavy Output:
代码语言:txt复制tcpdump -nnvvXSs 1514
Getting Creative
- Expressions are very nice, but the real magic of tcpdump comes from the ability to combine them in creative ways in order to isolate exactly what you’re looking for.
There are three ways to do combination:
AND
代码语言:txt复制and or &&
OR
代码语言:txt复制or or ||
EXCEPT
代码语言:txt复制not or !
Usage Example:
Traffic that’s from 192.168.1.1 AND destined for ports 3389 or 22
代码语言:txt复制tcpdump 'src 192.168.1.1 and (dst port 3389 or 22)'
Exploring Tcpdump Filters with Examples
Advanced
Show me all URG packets:
代码语言:txt复制tcpdump 'tcp[13] & 32 != 0'
Show me all ACK packets:
代码语言:txt复制tcpdump 'tcp[13] & 16 != 0'
Show me all PSH packets:
代码语言:txt复制tcpdump 'tcp[13] & 8 != 0'
Show me all RST packets:
代码语言:txt复制tcpdump 'tcp[13] & 4 != 0'
Show me all SYN packets:
代码语言:txt复制tcpdump 'tcp[13] & 2 != 0'
Show me all FIN packets:
代码语言:txt复制tcpdump 'tcp[13] & 1 != 0'
Show me all SYN-ACK packets:
代码语言:txt复制tcpdump 'tcp[13] = 18'
Show all traffic with both SYN and RST flags set: (that should never happen)
代码语言:txt复制tcpdump 'tcp[13] = 6'
Show all traffic with the “evil bit” set:
代码语言:txt复制tcpdump 'ip[6] & 128 != 0'
Display all IPv6 Traffic:
代码语言:txt复制tcpdump ip6
Print Captured Packets in ASCII
代码语言:txt复制tcpdump -A -i eth0
Display Captured Packets in HEX and ASCII
代码语言:txt复制tcpdump -XX -i eth0
Capture and Save Packets in a File
代码语言:txt复制tcpdump -w 0001.pcap -i eth0
Read Captured Packets File
代码语言:txt复制tcpdump -r 0001.pcap
Capture IP address Packets
代码语言:txt复制tcpdump -n -i eth0
Capture only TCP Packets.
代码语言:txt复制tcpdump -i eth0 tcp
Capture Packet from Specific Port
代码语言:txt复制tcpdump -i eth0 port 22
Capture Packets from source IP
代码语言:txt复制tcpdump -i eth0 src 192.168.0.2
Capture Packets from destination IP
代码语言:txt复制tcpdump -i eth0 dst 50.116.66.139
Capture any packed coming from x.x.x.x
代码语言:txt复制tcpdump -n src host x.x.x.x
Capture any packet coming from or going to x.x.x.x
代码语言:txt复制tcpdump -n host x.x.x.x
Capture any packet going to x.x.x.x
代码语言:txt复制tcpdump -n dst host x.x.x.x
Capture any packed coming from x.x.x.x
代码语言:txt复制tcpdump -n src host x.x.x.x
Capture any packet going to network x.x.x.0/24
代码语言:txt复制tcpdump -n dst net x.x.x.0/24
Capture any packet coming from network x.x.x.0/24
代码语言:txt复制tcpdump -n src net x.x.x.0/24
Capture any packet with destination port x
代码语言:txt复制tcpdump -n dst port x
Capture any packet coming from port x
代码语言:txt复制tcpdump -n src port x
Capture any packets from or to port range x to y
代码语言:txt复制tcpdump -n dst(or src) portrange x-y
Capture any tcp or udp port range x to y
代码语言:txt复制tcpdump -n tcp(or udp) dst(or src) portrange x-y
Capture any packets with dst ip x.x.x.x and port y
代码语言:txt复制tcpdump -n "dst host x.x.x.x and dst port y"
Capture any packets with dst ip x.x.x.x and dst ports x, z
代码语言:txt复制tcpdump -n "dst host x.x.x.x and (dst port x or dst port z)"
Capture ICMP , ARP
代码语言:txt复制tcpdump -v icmp(or arp)
Capture packets on interface eth0 and dump to cap.txt file
代码语言:txt复制tcpdump -i eth0 -w cap.txt
Get Packet Contents with Hex Output
代码语言:txt复制tcpdump -c 1 -X icmp
Show Traffic Related to a Specific Port
代码语言:txt复制tcpdump port 3389
代码语言:txt复制tcpdump src port 1025
Show Traffic of One Protocol
代码语言:txt复制tcpdump icmp
Find Traffic by IP
代码语言:txt复制tcpdump host 1.1.1.1
Filtering by Source and/or Destination
代码语言:txt复制tcpdump src 1.1.1.1
代码语言:txt复制tcpdump dst 1.0.0.1
Finding Packets by Network
代码语言:txt复制tcpdump net 1.2.3.0/24
Get Packet Contents with Hex Output
代码语言:txt复制tcpdump -c 1 -X icmp
Show Traffic Related to a Specific Port
代码语言:txt复制tcpdump port 3389
代码语言:txt复制tcpdump src port 1025
Show Traffic of One Protocol
代码语言:txt复制tcpdump icmp
Show only IP6 Traffic
代码语言:txt复制tcpdump ip6
Find Traffic Using Port Ranges
代码语言:txt复制tcpdump portrange 21-23
Find Traffic Based on Packet Size
代码语言:txt复制 tcpdump less 32
代码语言:txt复制 tcpdump greater 64
代码语言:txt复制 tcpdump <= 128
代码语言:txt复制 tcpdump => 128
Reading / Writing Captures to a File (pcap)
代码语言:txt复制tcpdump port 80 -w capture_file
代码语言:txt复制tcpdump -r capture_file
Capture ICMP Packets With Tcpdump
It’s All About the Combinations
Raw Output View
代码语言:txt复制tcpdump -ttnnvvS
Here are some examples of combined commands.
From specific IP and destined for a specific Port
代码语言:txt复制tcpdump -nnvvS src 10.5.2.3 and dst port 3389
Linux Tcpdump: Filter ipv6 ntp ping packets
From One Network to Another
代码语言:txt复制tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16
Non ICMP Traffic Going to a Specific IP
代码语言:txt复制tcpdump dst 192.168.0.2 and src net and not icmp
Traffic From a Host That Isn’t on a Specific Port
代码语言:txt复制tcpdump -vv src mars and not dst port 22
Isolate TCP RST flags.
代码语言:txt复制tcpdump 'tcp[13] & 4!=0'
代码语言:txt复制tcpdump 'tcp[tcpflags] == tcp-rst'
Isolate TCP SYN flags.
代码语言:txt复制tcpdump 'tcp[13] & 2!=0'
代码语言:txt复制tcpdump 'tcp[tcpflags] == tcp-syn'
Isolate packets that have both the SYN and ACK flags set.
代码语言:txt复制tcpdump 'tcp[13]=18'
Isolate TCP URG flags.
代码语言:txt复制tcpdump 'tcp[13] & 32!=0'
代码语言:txt复制tcpdump 'tcp[tcpflags] == tcp-urg'
Isolate TCP ACK flags.
代码语言:txt复制tcpdump 'tcp[13] & 16!=0'
代码语言:txt复制tcpdump 'tcp[tcpflags] == tcp-ack'
Isolate TCP PSH flags.
代码语言:txt复制tcpdump 'tcp[13] & 8!=0'
代码语言:txt复制tcpdump 'tcp[tcpflags] == tcp-psh'
Isolate TCP FIN flags.
代码语言:txt复制tcpdump 'tcp[13] & 1!=0'
代码语言:txt复制tcpdump 'tcp[tcpflags] == tcp-fin'
Commands that I using almost daily
Both SYN and RST Set
代码语言:txt复制tcpdump 'tcp[13] = 6'
Find HTTP User Agents
代码语言:txt复制tcpdump -vvAls0 | grep 'User-Agent:'
代码语言:txt复制tcpdump -nn -A -s1500 -l | grep "User-Agent:"
Filtering CDP LLDP packets with Tcpdump
By using egrep and multiple matches we can get the User Agent and the Host (or any other header) from the request.
代码语言:txt复制tcpdump -nn -A -s1500 -l | egrep -i 'User-Agent:|Host:'
Capture only HTTP GET and POST packets only packets that match GET.
代码语言:txt复制tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
代码语言:txt复制tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'
Extract HTTP Request URL's
代码语言:txt复制tcpdump -s 0 -v -n -l | egrep -i "POST /|GET /|Host:"
Extract HTTP Passwords in POST Requests
代码语言:txt复制tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"
Capture Cookies from Server and from Client
代码语言:txt复制tcpdump -nn -A -s0 -l | egrep -i 'Set-Cookie|Host:|Cookie:'
Capture all ICMP packets
代码语言:txt复制tcpdump -n icmp
Show ICMP Packets that are not ECHO/REPLY (standard ping)
代码语言:txt复制tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
Capture SMTP / POP3 Email
代码语言:txt复制tcpdump -nn -l port 25 | grep -i 'MAIL FROM|RCPT TO'
Troubleshooting NTP Query and Response
代码语言:txt复制tcpdump dst port 123
Capture FTP Credentials and Commands
代码语言:txt复制tcpdump -nn -v port ftp or ftp-data
Rotate Capture Files
代码语言:txt复制tcpdump -w /tmp/capture-%H.pcap -G 3600 -C 200
Capture IPv6 Traffic
代码语言:txt复制tcpdump -nn ip6 proto 6
IPv6 with UDP and reading from a previously saved capture file.
代码语言:txt复制tcpdump -nr ipv6-test.pcap ip6 proto 17
Detect Port Scan in Network Traffic
代码语言:txt复制tcpdump -nn
USAGE EXAMPLE
Example Filter Showing Nmap NSE Script Testing
- On Target:
nmap -p 80 --script=http-enum.nse targetip
- On Server:
tcpdump -nn port 80 | grep "GET /"
代码语言:txt复制 GET /w3perl/ HTTP/1.1
代码语言:txt复制 GET /w-agora/ HTTP/1.1
代码语言:txt复制 GET /way-board/ HTTP/1.1
代码语言:txt复制 GET /web800fo/ HTTP/1.1
代码语言:txt复制 GET /webaccess/ HTTP/1.1
代码语言:txt复制 GET /webadmin/ HTTP/1.1
代码语言:txt复制 GET /webAdmin/ HTTP/1.1
Capture Start and End Packets of every non-local host
代码语言:txt复制tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'
Capture DNS Request and Response
Filtering DNS with Tcpdump
代码语言:txt复制tcpdump -i wlp58s0 -s0 port 53
Capture HTTP data packets
代码语言:txt复制tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
Top Hosts by Packets
代码语言:txt复制tcpdump -nnn -t -c 200 | cut -f 1,2,3,4 -d '.' | sort | uniq -c | sort -nr | head -n 20
Capture all the plaintext passwords
代码语言:txt复制tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -l -A | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '
代码语言:txt复制tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -lA | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd= |password=|pass:|user:|username:|password:|login:|pass |user '
DHCP Example
代码语言:txt复制tcpdump -v -n port 67 or 68
Cleartext GET Requests
代码语言:txt复制tcpdump -vvAls0 | grep 'GET'
Find HTTP Host Headers
代码语言:txt复制tcpdump -vvAls0 | grep 'Host:'
Find HTTP Cookies
代码语言:txt复制tcpdump -vvAls0 | grep 'Set-Cookie|Host:|Cookie:'
Find SSH Connections
代码语言:txt复制tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'
Find DNS Traffic
代码语言:txt复制tcpdump -vvAs0 port 53
Find FTP Traffic
代码语言:txt复制tcpdump -vvAs0 port ftp or ftp-data
Find NTP Traffic
代码语言:txt复制tcpdump -vvAs0 port 123
Capture SMTP / POP3 Email
代码语言:txt复制tcpdump -nn -l port 25 | grep -i 'MAIL FROM|RCPT TO'
Line Buffered Mode
代码语言:txt复制tcpdump -i eth0 -s0 -l port 80 | grep 'Server:'
Find traffic with evil bit
代码语言:txt复制tcpdump 'ip[6] & 128 != 0'
Filter on protocol (ICMP) and protocol-specific fields (ICMP type)
Tcpdump: Filter Packets with Tcp Flags
tcpdump -n icmp and 'icmp0 != 8 and icmp0 != 0'
Same command can be used with predefined header field offset (icmptype) and ICMP type field values (icmp-echo and icmp-echoreply):
代码语言:txt复制tcpdump -n icmp and icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply
Filter on TOS field
代码语言:txt复制tcpdump -v -n ip and ip[1]!=0
Filter on TTL field
代码语言:txt复制tcpdump -v ip and 'ip[8]<2'
Filter on TCP flags (SYN/ACK)
代码语言:txt复制tcpdump -n tcp and port 80 and 'tcp[tcpflags] & tcp-syn == tcp-syn'
In the example above, all packets with TCP SYN flag set are captured. Other flags (ACK, for example) might be set also. Packets which have only TCP SYN flags set, can be captured
代码语言:txt复制tcpdump tcp and port 80 and 'tcp[tcpflags] == tcp-syn'
Catch TCP SYN/ACK packets (typically, responses from servers):
代码语言:txt复制tcpdump -n tcp and 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'
代码语言:txt复制tcpdump -n tcp and 'tcp[tcpflags] & tcp-syn == tcp-syn' and 'tcp[tcpflags] & tcp-ack == tcp-ack'
Catch ARP packets
代码语言:txt复制tcpdump -vv -e -nn ether proto 0x0806
Filter on IP packet length
代码语言:txt复制tcpdump -l icmp and '(ip[2:2]>50)' -w - |tcpdump -r - -v ip and '(ip[2:2]<60)'
Remark: due to some bug in tcpdump, the following command doesn't catch packets as expected:
代码语言:txt复制tcpdump -v -n icmp and '(ip[2:2]>50)' and '(ip[2:2]<60)'
Filter on encapsulated content (ICMP within PPPoE)
代码语言:txt复制tcpdump -v -n icmp
filter
代码语言:txt复制tcpdump -q -i eth0
代码语言:txt复制tcpdump -t -i eth0
代码语言:txt复制tcpdump -A -n -q -i eth0 'port 80'
代码语言:txt复制tcpdump -A -n -q -t -i eth0 'port 80'
Print only useful packets from the HTTP traffic
代码语言:txt复制tcpdump -A -s 0 -q -t -i eth0 'port 80 and ( ((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12:2]&0xf0)>>2)) != 0)'
Dump SIP Traffic
代码语言:txt复制tcpdump -nq -s 0 -A -vvv port 5060 and host 1.2.3.4
Checking packet content
代码语言:txt复制tcpdump -i any -c10 -nn -A port 80
Checking packet content
代码语言:txt复制sudo tcpdump -i any -c10 -nn -A port 80
References & Awesome wikis
Capture ICMP Packets With Tcpdump
Debugging SSH Packets with Tcpdump
Using Tcpdump to Filter DNS Packets
Learn tcpdump Quick Guide
Filtering DNS with Tcpdump
Filtering CDP LLDP packets with Tcpdump
Tcpdump Cheat Sheet (Basic Advanced Examples)