Tcpdump how-to – the Linux network troubleshooter

Cool Intro

Some people say that “wireshark” is good, and bla bla bla, and bla bla bla…
Yes, Wireshark is a great project, but when it comes to firewalls, or to real work, nothing beats tcpdump.

When you log in to a remote firewall and want to check out what the heck is going on, tcpdump is your buddy.
It is old and wise, it is the Adam of sniffers, so let's see what we can do with it.

Warming Up

In this example we use eth0 as the interface we are interested in.

First, we want to see which interfaces we can use for capturing packets:

tcpdump -D

This will print something like:

1.wlan0
2.any (Pseudo-device that captures on all interfaces)
3.lo

Hey, wait a minute, you don't have an Ethernet card?
Yes, I have one, but we need to bring it up first:

ip link set eth0 up

Now see the following output:

tcpdump -D
1.eth0
2.wlan0
3.any (Pseudo-device that captures on all interfaces)
4.lo

Ok, let's continue our tcpdump trip.

More info about your card and what it supports:

tcpdump -L -i wlan0
Data link types for wlan0 when not in monitor mode (use option -y to set):
DOCSIS (DOCSIS) (printing not supported)
EN10MB (Ethernet)

Ok, let's begin:

tcpdump -nvi eth0

In this case, -n tells tcpdump not to convert port numbers and host addresses to names, but to print them numerically. -v is for “verbose” output, so it prints more stuff out.

And -i is for specifying the desired interface.
Let's make a more difficult example.

We have a firewall with 4 physical interfaces, eth0, eth1, eth2 and eth3, plus bridged interfaces like br0, br1, etc.

If we want to monitor the traffic between the DMZ and the Blue zone, we have to capture on the right interface: here eth1 is the DMZ interface and eth2 is the wireless/hotspot (Blue zone) interface, so we need to name the interface we want to monitor explicitly.

A common good command to use is:

tcpdump -nnvvi eth0

Doubling the options makes them stronger: -nn also leaves protocol and port numbers unresolved, and -vv prints even more detail than -v.

Protocol Specification

I want only ICMP traffic:

tcpdump -nvi eth0 icmp

I want only tcp traffic:

tcpdump -nnvvi eth0 tcp

and the same goes for udp; we only need to specify it.

What about monitoring only ping requests?

tcpdump -nnvvi br0 'icmp[0] = 8 or icmp[0] = 30'

icmp[0] is the ICMP type byte, and type 8 is an echo request; the expression is quoted so the shell does not try to interpret the brackets.

Tcpdump Recipes

host, src, dst, net, proto, port

These are the most commonly used tcpdump recipes:

host – specify the host address; e.g. host www.google.com will monitor only packets coming from or going to www.google.com.

src – specify the source IP that you are monitoring, i.e. tcpdump -nnvvi eth0 tcp and src host 192.168.0.15 (local green IP). Note the and: a protocol qualifier like tcp cannot be applied directly to a host primitive, so the two are combined with a Boolean operator.

dst – specify the destination IP address that you want to monitor.

net – capture the entire traffic of a network using CIDR notation; e.g. tcpdump -nnvvi eth0 net 192.168.0.0/24 will capture any packet sent from or to IPs in the /24 range, in this case from 192.168.0.1 to 192.168.0.254. The network address must have its host bits cleared (192.168.0.0, not 192.168.0.1), otherwise tcpdump refuses the filter.

proto – is what the examples above use to specify the protocol (icmp, tcp or udp), but you don't type the word proto; you just type tcpdump -nnvvi eth0 udp.

port – with this we can specify the port we want to monitor, and the port option has two sub-qualifiers, src and dst.

If we use:

tcpdump -nvi eth0 tcp port 80

this will capture packets with port 80 as either the source or the destination port.

Destination port 80

tcpdump -nvi eth0 tcp dst port 80

This will capture only packets that have destination port 80; this is handy when we want to see which web sites our clients are visiting.

Source port 80

tcpdump -nvi eth0 tcp src port 80

In this case, I have told tcpdump that I want to monitor traffic passing through eth0 using the TCP protocol with source port 80.

Using tcpdump

I want to specify the IP and the port, and at the same time I want to see the packets in ASCII:

tcpdump -nvAi lo host www.host.com and port 9999

(-A goes with the other options, before the filter expression.)

Wait buddy, we are going too far, what is that “and”?

Tcpdump supports Boolean operations like:

and

or

not

So it's cool to use them, especially when we are interested only in some portion of the traffic.
Let's see how we can combine these options:

tcpdump -nnvvXi wlan0 udp src port 50 and host www.google.com

-X prints the payload in hex and ASCII, like -A; I prefer -A.

tcpdump -nnvvAi wlan0 'src net 1.127.64.0/24 and (dst host www.google.com or dst host www.yahoo.com)'

The parentheses matter: and binds tighter than or, so without them tcpdump would read the filter as (src net ... and dst host www.google.com) or dst host www.yahoo.com and show all traffic to yahoo regardless of the source net. Parentheses are special to the shell, so the whole expression is quoted.

This is a sample packet captured while running this command:

00:24:29.842726 IP (tos 0x0, ttl 64, id 8851, offset 0, flags [DF], proto TCP (6), length 1053)
1.127.64.205.57482 > 72.14.234.104.80: Flags [P.], cksum 0xe693 (correct), seq 0:1001, ack 1, win 92, options [nop,nop,TS val 39390568 ecr 2016401695], length 1001
E…”.@.@…..@.H..h…P../../#B…\…….
hx/..GET /csi?v=3&s=webhp&action=&e=23051,25657&ei=dYBgTOjtO8qv_QbC0MD4AQ&expi=23051,25657&imc=1&imn=1&imp=0&rt= HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.8) Gecko/20100724 Firefox/3.6.8
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.google.com/
Cookie: PREF=ID=840ee66f4930292e:U=4b582d1d35710b91:LD=en:CR=2:TM=12802341176:LM=12803427747:GM=1:S=zj2wIxxG3Lg_Y8gw; NID=37=WjwrG6yFHasdpeOQMhPD40IOhJlVny7KUqlmoHyVx3R54B-Gv50bzklMcAeTmrq-67U-I5xtmjpJCQWcVNfxJ5aHJTnmf3M-a9haKuS8HdEclDqAe0cKhehME6vlZqChf; rememberme=false; TZ=-120; SID=DQAAAIIAAAA8-XYkoxlfhdksFPtnDHB6XymasdBnl2dDDfJeHx8pC0uup-AbijDoYU2WzrJJVDiFJ2bg6te6EKyOj-g5eAwUYpomEq1hmE-1BgjjbAkISr2vt4f5eKcR2asdJp8-kLfct8Qh58T_f1csmPeW02DEN5bHCHzXhGFxqTC-d9OWl7099WrvUmzgUUtFyiWE3fHHu0; HSID=A-IoVh0m5t-Ijrt-8

Let's go further.

Show all URG packets:

# tcpdump 'tcp[13] & 32 != 0'

Show all ACK packets:

# tcpdump 'tcp[13] & 16 != 0'

Show all PSH packets:

# tcpdump 'tcp[13] & 8 != 0'

Show all RST packets:

# tcpdump 'tcp[13] & 4 != 0'

Show all SYN packets:

# tcpdump 'tcp[13] & 2 != 0'

Show all FIN packets:

# tcpdump 'tcp[13] & 1 != 0'

Show all SYN-ACK packets:

# tcpdump 'tcp[13] = 18'

So in this case, if we want to see only the SYN-ACK packets of a connection, we can just type:

tcpdump -nnvvi wlan0 'tcp[13] = 18' and host www.google.com
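The tcp[13] values above are just sums of flag bits. As an added example (not from the original post), here is a small POSIX sh helper that turns flag names into that value and back, and builds either an exact-match filter (like 'tcp[13] = 18') or an "at least these flags" filter, so you can check what a value means before typing it on a firewall. The flag names and bit values are the ones listed above.

```shell
#!/bin/sh
# Added example: helpers around the tcp[13] flag byte used in the filters above.

# Bit value of one flag inside the 13th byte of the TCP header.
tcp_flag_bit() {
    case "$1" in
        FIN) echo 1 ;;
        SYN) echo 2 ;;
        RST) echo 4 ;;
        PSH) echo 8 ;;
        ACK) echo 16 ;;
        URG) echo 32 ;;
        *) echo "unknown flag: $1" >&2; return 1 ;;
    esac
}

# Sum the bits for a list of flag names: tcp_flags_value SYN ACK -> 18
tcp_flags_value() {
    total=0
    for f in "$@"; do
        bit=$(tcp_flag_bit "$f") || return 1
        total=$((total + bit))
    done
    echo "$total"
}

# Decode a tcp[13] value back into flag names: tcp_flags_names 18 -> "SYN ACK"
tcp_flags_names() {
    v=$1; names=""
    for f in FIN SYN RST PSH ACK URG; do
        bit=$(tcp_flag_bit "$f")
        if [ $((v & bit)) -ne 0 ]; then
            names="${names:+$names }$f"
        fi
    done
    echo "$names"
}

# Build the filter string. "exact": only these flags are set, like 'tcp[13] = 18'.
# "all": these flags are set, whatever else is set, like 'tcp[13] & 2 != 0'.
tcp_flags_filter() {
    mode=$1; shift
    v=$(tcp_flags_value "$@") || return 1
    case "$mode" in
        exact) echo "tcp[13] = $v" ;;
        all)   echo "tcp[13] & $v = $v" ;;
        *) echo "mode must be exact or all" >&2; return 1 ;;
    esac
}

# Usage on a firewall:  tcpdump -nnvvi eth0 "$(tcp_flags_filter all SYN ACK)"
```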

For more advanced use we can pipe the output to grep, use > and < redirects to write data to files and read it back, or use tcpdump's own built-in options for that.

If the output is swamped by noise from one or more ports, e.g. ssh or http or any other port, we can easily clean it up with:

tcpdump -nnvvi wlan0 not port 22 and not port 80
