Tcpdump

tcpdump – captures and prints network traffic on Linux platforms (capturing from a live interface needs root or the CAP_NET_RAW capability).

Format: “tcpdump <options> <expressions>”

· By default, ‘tcpdump’ captures on the lowest-numbered configured (up) interface from the list, excluding loopback, and keeps dumping packets until it receives a stop signal (Ctrl+C).

· Display all available interfaces using “tcpdump -D”

Most used options are:

-c <num> : Count option. To limit the number of packets captured by the filter

-i <iface> : to specify the Interface

-n : do not convert addresses to names (no DNS lookups for hosts; -nn also leaves port and protocol numbers unresolved).

-q : Quiet output, with less protocol information per line.

-v / -vv : to display in Verbose

-t : do not print a timestamp on each line

-r : to Read from a file

-w : to Write to a file

-e: to display link-layer (L2) Ethernet header in each line.

-A : to display full packet content in ASCII.

Expression Format:

[protocol] [direction] [type] <value>, with such primitives combined by logical operators

· Protocol: can be ether, ip, ip6, arp, tcp, udp etc

o If none specified, all protocols are included.

· Direction: src, dst, src or dst, and src and dst

o If none specified, src or dst is assumed.

· Type: can be host, net , port and portrange

o If none specified, host is assumed

· Logical expressions: not, and, or

o not has the highest precedence. and and or have the same precedence and are evaluated from left to right, so “a or b and c” means “(a or b) and c”; use parentheses to group otherwise, and quote the whole expression so the shell does not interpret them.

 Options available are:

o [src | dst] host <host> : To match src or destination with IP address matched ‘host’

o ether src [dst] <ehost> : To match src[destination] with mac-address same as ‘ehost’

o ether host <ehost> : to match either src or destination same as ‘ehost’.

o portrange port1-port2 : to match any (tcp or udp) ports in range port1 to port2

o less <length> : to match packets whose length is <= ‘length’ bytes (same as len <= length)

o greater <length> : to match packets whose length is >= ‘length’ bytes (same as len >= length); both are measured on the whole captured frame

o ip proto <protocol> : to match specific protocols/numbers. Some options are icmp,igmp,pim,vrrp,tcp,udp etc.

o ether proto <protocol> : to match a specific ethertype. Some options are ip, ip6, arp, rarp, iso, stp, ipx

o [ether |ip ] multicast: to match L2/L3 multicast packets.

o [ether |ip] broadcast: to match L2/L3 broadcast packets.

o iso proto isis: to match ISIS PDUs

o vlan <vlan-id>: to match 802.1q packets. All vlans included if ‘vlan-id’ is not specified.

o mpls <label>: to match mpls packets.
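The precedence rule above is the part of the expression syntax that most often produces a filter that silently matches more or less than intended (example 3 below depends on it). The following is an added example, not code from tcpdump or libpcap: a small Python evaluator that parses an expression with the same grouping rules (not first, then and/or at one level from left to right, parentheses overriding), prints the grouping explicitly, and evaluates it against constructed packets modelled on the page's examples. It supports only a handful of primitives (host/port with optional src/dst, tcp/udp/icmp, ip proto, greater/less); the packet dicts are constructed, not captured.

```python
"""Toy evaluator for pcap-filter grouping: `not` binds tightest, `and`/`or`
share one precedence level and associate left to right, parentheses override.
Added example, not tcpdump/libpcap code; primitives are a small subset
(host/port with optional src/dst, protocol names, greater/less) checked
against a dict that describes one constructed packet."""
import re


class Parser:
    def __init__(self, expr):
        # parentheses become their own tokens even when glued to a word: "(tcp" -> "(", "tcp"
        self.toks = re.findall(r"\(|\)|[^\s()]+", expr)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        self.pos += 1
        return self.toks[self.pos - 1]

    def expr(self):
        # and / or: equal precedence, left associative, as pcap-filter(7) states
        left = self.unary()
        while self.peek() in ("and", "&&", "or", "||"):
            op = "and" if self.take() in ("and", "&&") else "or"
            left = (op, left, self.unary())
        return left

    def unary(self):
        if self.peek() in ("not", "!"):      # highest precedence: applies to the next operand only
            self.take()
            return ("not", self.unary())
        if self.peek() == "(":
            self.take()
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        return self.primitive()

    def primitive(self):
        tok = self.take()
        if tok in ("tcp", "udp", "icmp"):    # "tcp", or "tcp dst port 22" -> proto and port
            if self.peek() in ("src", "dst", "host", "port"):
                return ("and", ("proto", tok), self.primitive())
            return ("proto", tok)
        if tok == "ip":                      # "ip proto X", or a qualifier as in "ip src host X"
            if self.peek() == "proto":
                self.take()
                return ("proto", self.take())
            tok = self.take()
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok in ("host", "port"):
            return (tok, direction, self.take())
        if tok in ("greater", "less"):
            return (tok, int(self.take()))
        raise ValueError(f"unsupported primitive near {tok!r}")


def grouping(expr):
    """Render the parse tree with explicit parentheses so the grouping is visible."""
    def render(n):
        if n[0] in ("and", "or"):
            return f"({render(n[1])} {n[0]} {render(n[2])})"
        if n[0] == "not":
            return f"(not {render(n[1])})"
        if n[0] in ("host", "port"):
            return f"{n[1] + ' ' if n[1] else ''}{n[0]} {n[2]}"
        return f"{n[0]} {n[1]}"
    return render(Parser(expr).expr())


def matches(expr, pkt):
    """Evaluate expr against a packet dict: src, dst, proto, len, optional sport/dport."""
    def ev(n):
        kind = n[0]
        if kind == "and":
            return ev(n[1]) and ev(n[2])
        if kind == "or":
            return ev(n[1]) or ev(n[2])
        if kind == "not":
            return not ev(n[1])
        if kind == "proto":
            return pkt["proto"] == n[1]
        if kind in ("host", "port"):
            src_f, dst_f = ("src", "dst") if kind == "host" else ("sport", "dport")
            fields = {"src": [src_f], "dst": [dst_f], None: [src_f, dst_f]}[n[1]]
            want = n[2] if kind == "host" else int(n[2])
            return any(pkt.get(f) == want for f in fields)
        return pkt["len"] >= n[1] if kind == "greater" else pkt["len"] <= n[1]
    return ev(Parser(expr).expr())


if __name__ == "__main__":
    # Constructed packets (not captured data), modelled on example 3 below.
    big_ping = {"src": "10.16.151.206", "dst": "10.16.151.254", "proto": "icmp", "len": 2543}
    small_ssh = {"src": "10.16.151.206", "dst": "10.14.123.208", "proto": "tcp",
                 "sport": 22, "dport": 44248, "len": 170}
    for f in ("ip src host 10.16.151.206 or ip proto icmp and greater 2540",
              "ip src host 10.16.151.206 or (ip proto icmp and greater 2540)"):
        print(grouping(f), "| big ping:", matches(f, big_ping), "| small ssh:", matches(f, small_ssh))
```

Run it and the first filter, the unparenthesised one from example 3, prints as ((src host 10.16.151.206 or proto icmp) and greater 2540): the 170-byte SSH segment from 10.16.151.206 does not match, although the wording “either from that host, or ICMP of at least 2540 bytes” suggests it should; the parenthesised form matches it. With tcpdump itself, “tcpdump -d <expression>” prints the compiled BPF program without capturing, which is the authoritative way to check how an expression was grouped.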

Examples:

1. “tcpdump -t 'src host 10.16.151.206 and tcp port 22'” : To capture all SSH packets generated by the host 10.16.151.206, without timestamps (-t). The port keyword is required; a bare “22” after tcp is not read as a port. tcpdump accepts && as an alias for and, but an unquoted && is taken by the shell as a command separator, so quote the expression or spell it and.

IP 10.16.151.206.ssh > 10.14.123.208.44248: P 940:1056(116) ack 1 win 14976
IP 10.16.151.206.ssh > 10.14.123.208.44248: P 1056:1172(116) ack 1 win 14976

2. “tcpdump -ttt -c 3 'ip proto ospf'” : To capture three OSPF packets, with each line's timestamp printed as the delta from the previous packet (-ttt option). This is useful to check whether OSPF Hellos arrive every 10 seconds (the default Hello interval on broadcast networks).

000000 IP 10.16.151.254 > ospf-all.mcast.net: OSPFv2, Hello, length: 44
10.000340 IP 10.16.151.254 > ospf-all.mcast.net: OSPFv2, Hello, length: 44
9.999444 IP 10.16.151.254 > ospf-all.mcast.net: OSPFv2, Hello, length: 44

3. “tcpdump -evt -i eth0 'ip src host 10.16.151.206 or ip proto icmp and greater 2540'”: To capture packets on interface “eth0” with the L2 header (-e), verbose decoding (-v) and no timestamp (-t). The filter matches packets that either have SRC IP = 10.16.151.206 or are ICMP, and in either case are at least 2540 bytes long (greater means >=, measured on the whole frame). Because or and and have the same precedence and are evaluated left to right, the expression groups as (src host 10.16.151.206 or icmp) and greater 2540; to size-limit only the ICMP packets, write src host 10.16.151.206 or (ip proto icmp and greater 2540), quoted so the shell does not see the parentheses.

00:19:bb:2e:b7:1a (oui Unknown) > 00:01:e8:d5:9e:e2 (oui Unknown), ethertype IPv4 (0x0800), length 2543: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: ICMP (1), length: 2529) 
10.16.151.206 > 10.16.151.254: ICMP echo request, id 2642, seq 1, length 2509

4. “tcpdump -w capture_file 'dst host 10.16.151.206 and tcp dst port not 22'”: To write the filtered capture to a file named “capture_file”. The filter matches packets destined to 10.16.151.206 that are not TCP packets to port 22, i.e. not SSH (the same thing is usually written as and not tcp dst port 22). -w stores the raw packets in pcap format rather than the decoded text, nothing is printed to the terminal while capturing, and the file is read back with -r (example 5) or opened in Wireshark.

5. “tcpdump -qr capture_file”: To read the packet capture file “capture_file” with quiet output (-q). A filter expression can be given when reading as well, so a saved capture can be narrowed down without capturing again.

[root@linux-1 ~]# tcpdump -qr capture_file
reading from file capture_file, link-type EN10MB (Ethernet)
10:31:24.562468 IP 10.16.25.52.dzdaemon > 10.16.151.206.http: tcp 0
10:31:24.562651 IP 10.16.25.52.dzdaemon > 10.16.151.206.http: tcp 0
10:31:24.563159 IP 10.16.25.52.dzdaemon > 10.16.151.206.http: tcp 590
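Example 2 suggests checking the Hello cadence from -ttt deltas. The following is an added example, not part of the original post: a Python parser for tcpdump -ttt text that rebuilds a running clock from the per-line deltas and reports, per source router, Hello intervals that deviate from the expected 10 s. Measuring per source matters because a -ttt delta is relative to the previous printed packet of any kind, so with two routers on the segment the raw deltas alternate between roughly 2 and 8 s and say nothing by themselves. The input lines are constructed for the example (the LS-Update line and the second router 10.16.151.253 do not appear in the output above), and the bare six-digit first field (000000) is assumed to be microseconds, consistent with the output shown in example 2.

```python
"""Check OSPF Hello cadence in `tcpdump -ttt` output.

Added example, not part of the original post. -ttt prints each line's
timestamp as the delta from the previous printed packet; a running clock is
rebuilt from those deltas so that intervals can be measured per source.
"""
import re

# "<delta> IP <src> > <dst>: <rest>"; banners such as "reading from file ..." do not match
LINE_RE = re.compile(
    r"^\s*(?P<delta>[\d:.]+)\s+IP\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<rest>.*)$"
)


def parse_delta(field):
    """Convert the -ttt delta field to seconds.

    Shapes handled: "HH:MM:SS.ffffff" (current tcpdump), "S.ffffff", and a bare
    digit run as on the first line of example 2, assumed here to be microseconds.
    """
    if ":" in field:
        h, m, s = field.split(":")
        return int(h) * 3600 + int(m) * 60 + float(s)
    if "." in field:
        return float(field)
    return int(field) / 1_000_000


def parse_lines(text):
    """Yield (delta_seconds, src, dst, rest) for every packet line in text."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield parse_delta(m["delta"]), m["src"], m["dst"], m["rest"]


def check_hello_cadence(text, expected=10.0, tolerance=0.5):
    """Return the Hello count and per-source intervals that deviate from `expected`.

    Deltas are relative to the previous packet of any kind, so the clock is
    accumulated over every line and the interval is taken per source address;
    otherwise two routers' interleaved Hellos would look like 2-8 s gaps.
    """
    clock = 0.0
    last_hello = {}
    hellos = 0
    anomalies = []
    for delta, src, _dst, rest in parse_lines(text):
        clock += delta
        if "OSPFv2, Hello" not in rest:      # LS-Update, DBD etc. only advance the clock
            continue
        hellos += 1
        if src in last_hello:
            interval = clock - last_hello[src]
            if abs(interval - expected) > tolerance:
                anomalies.append((src, round(interval, 3)))
        last_hello[src] = clock
    return {"hellos": hellos, "anomalies": anomalies}


# Constructed sample in the old -ttt format shown in example 2: two routers on
# one segment, one LS-Update, and 10.16.151.253 missing one Hello at the end.
SAMPLE = """\
000000 IP 10.16.151.254 > ospf-all.mcast.net: OSPFv2, Hello, length: 44
2.500000 IP 10.16.151.253 > ospf-all.mcast.net: OSPFv2, Hello, length: 44
7.500340 IP 10.16.151.254 > ospf-all.mcast.net: OSPFv2, Hello, length: 44
2.499660 IP 10.16.151.253 > ospf-all.mcast.net: OSPFv2, Hello, length: 44
7.500000 IP 10.16.151.254 > ospf-all.mcast.net: OSPFv2, Hello, length: 44
0.300000 IP 10.16.151.254 > 10.16.151.253: OSPFv2, LS-Update, length: 64
12.200000 IP 10.16.151.253 > ospf-all.mcast.net: OSPFv2, Hello, length: 44
"""

if __name__ == "__main__":
    report = check_hello_cadence(SAMPLE)
    print(f"{report['hellos']} Hellos seen")
    for src, interval in report["anomalies"]:
        print(f"{src}: {interval:.3f} s between Hellos (expected ~10 s)")
```

On the constructed sample the script sees six Hellos and reports one anomaly, a 20 s gap for 10.16.151.253 (one missed Hello), while every raw -ttt delta in the input is far from 10 s. To feed it real data, run tcpdump -ttt -n 'ip proto ospf' and save the text; -n keeps the multicast destination as 224.0.0.5 instead of ospf-all.mcast.net, which the regex handles either way.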

HTH

This entry was posted in Linux.