tcpdump: un guide

Posted on by maxime

tcpdump is a network tool to dump traffic on the network. This post servers as a guide to some frequently used commands. For a complete guide, please refer to the man page, or man tcpdump on a linux machine.

1 Basic Usage

A help summary:

tcpdump [ -AbdDefhHIJKlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ]
        [ -C file_size ] [ -G rotate_seconds ] [ -F file ]
        [ -i interface ] [ -j tstamp_type ] [ -m module ] [ -M secret ]
        [ -P in|out|inout ]
        [ -r file ] [ -V file ] [ -s snaplen ] [ -T type ] [ -w file ]
        [ -W filecount ]
        [ -E spi@ipaddr algo:secret,...  ]
        [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
        [ expression ]

Running tcpdump needs root privilege, so prefix sudo for all commands in this post if you are not root user.

1.1 Capture Device

The simplest way to capture traffic on a host is to specify a device with -i option, the output may look like this:

$ sudo tcpdump -i eth0 # use CTL-C to terminate it
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:10:14.578057 IP 192.168.1.3.ssh > 192.168.1.124.53519: Flags [P.], seq 2350:2350, ack 166, win 198, length 240
18:10:14.578775 IP 192.168.1.124.53519 > 192.168.1.3.ssh: Flags [.], ack 240, win 252, length 0
18:10:14.634826 ARP, Request who-has 192.168.1.68 tell 192.168.1.81, length 46
18:10:14.670785 ARP, Request who-has 192.168.1.146 tell 192.168.1.81, length 46
^C
4 packets captured
39 packets received by filter
0 packets dropped by kernel

One tcpdump process could only capture one device, to capture multiple devices, e.g. both eth0 and eth1, you have to launch two processes:

$ tcpdump -i eth0 [OPTIONS]

$ tcpdump -i eth1 [OPTIONS]

1.2 Output Options

This section describes the options for displaying packets info on standard output.

Verbosity

  • -v verbose
  • -vv more verbose
  • -vvv even more verbose

IP, Protocol, Port

  • -n print IP instead of host name. This can be used to avoid DNS lookups
  • -nn print integer protocol/port numbers instead of protocl/port names, e.g. 22 vs ssh80 vs http

Examples:

$ tcpdump -i eth0
14:54:35.161548 IP ctn-1.example.com > ctn-2.example.com: ICMP echo request, id 29455, seq 0, length 64
14:54:35.161599 IP ctn-2.example.com > ctn-1.example.com: ICMP echo reply, id 29455, seq 0, length 64

$ tcpdump -n -i eth0
14:55:34.296206 IP 192.168.1.3 > 192.168.1.4: ICMP echo request, id 29711, seq 0, length 64
14:55:34.296259 IP 192.168.1.4 > 192.168.1.3: ICMP echo reply, id 29711, seq 0, length 64

MAC Address

  • -e also print MAC address
$ tcpdump -n -e -i eth0
15:05:12.225901 fa:16:3e:39:8c:fd > 00:22:0d:27:c2:45, ethertype IPv4 (0x0800), length 294: 192.168.1.3 > 192.168.1.124: Flags [P.], seq ...
15:05:12.226585 00:22:0d:27:c2:45 > fa:16:3e:39:8c:fd, ethertype IPv4 (0x0800), length 60: 192.168.1.124 > 192.168.1.3: Flags [.], ack ...

Packet Content

  • -x print the data of each packet (minus its link level header) in hex
  • -xx print the data of each packet, including its link level header, in hex.
  • -X print the data of each packet (minus its link level header) in hex and ASCII.
  • -XX print the data of each packet, including its link level header, in hex and ASCII.
$ tcpdump -i eth0 -x
19:33:33.724674 IP 192.168.1.3 > 192.168.1.4: ICMP echo request, id 10258, seq 0, length 64
        0x0000:  4500 0054 6e2b 4000 4001 4926 c0a8 0103
        0x0010:  c0a8 0104 0800 a20e 2812 0000 0f1c 1ec3
        0x0020:  0000 0000 0000 0000 0000 0000 0000 0000
        0x0030:  0000 0000 0000 0000 0000 0000 0000 0000
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000
        0x0050:  0000 0000

1.3 Save to File & Read from file

  • -w outfile.pcap save packets to file
  • -G rotate the dump file, should be used with -w option
  • -r outfile.pcap read a captured file

Captured files usually suffixed with cap or .pcap, which means packet capture file. The captured files are totally different from those generated with > outfile, which only redirects the messages on standard output (text) to a file.

# save raw packets to file
$ tcpdump -i eth0 -w test.pcap

# redirect logs to text file
$ tcpdump -i eth0 > test.txt

Captured files could be open again later:

$ tcpdump -e -nn -r test.pcap # read captured file content, print ether header, and be more numeric
15:10:40.111214 fa:16:30:a1:33:27 (oui Unknown) > fa:16:3f:e2:16:17 (oui Unknown), ethertype 802.1Q (0x8100), length 78: [|vlan]
15:10:40.111275 fa:16:30:a1:33:27 (oui Unknown) > fa:16:3f:e2:16:17 (oui Unknown), ethertype 802.1Q (0x8100), length 78: [|vlan]

Or, those files could also be opened with more professional traffic analyzing tools, e.g. Wireshark.

Split captured file

  • -C <N> write pcap file every N MB.
# read the entire file, split into 10MB chunks
$ tcpdump -r a.pcap -C 10 b.pcap
$ ls
b.pcap0 b.pcap1 b.pcap2 ...

1.4 Stop Capturing

CTL-C will stop capturing.

Besides, -c <count> will auto exit after receiving <count> packets.

$ tcpdump -i eth0 -c 2
15:00:18.129859 IP 192.168.1.3.ssh > 192.168.1.4.53519: Flags [P.], seq ...
15:00:18.130500 IP 192.168.1.4.53519 > 192.168.1.3.ssh: Flags [.], ack ...
2 packets captured

2 Match Expression

tcpdump supports filter expressions, this is where the real power comes to place. A complete guide of pcap-filter could be get from it’s man page, or through:

$ man 7 pcap-filter

If no filter expressions specified, tcpdump will capture all the packets on the device, which may be huge in mount. With filter expressions, it will only capture those that match the expressions.

$ tcpdump [OPTIONS] [expression]

2.1 Match Host

  • host <hostname or IP> – capture packets sent from and to host
  • src host <hostname or IP> – capture packets sent from host
  • dst host <hostname or IP> – capture packets sent to host

Examples:

$ tcpdump -i eth0 host baidu.com   # traffic from or to baidu.com
$ tcpdump -i eth0 host 192.168.1.3 # traffic from or to 192.168.1.3

$ tcpdump -i eth0 src host 192.168.1.3
$ tcpdump -i eth0 dst host 192.168.1.3

2.2 Match MAC Address & VLAN

  • ether host <MAC> – capture packets sent from and to <MAC>
  • ether src <MAC> – capture packets sent from <MAC>
  • ether dst <MAC> – capture packets sent to <MAC>
  • vlan <VLAN ID> – match VLAN ID

2.3 Match Network

  • net <NET> mask <MASK> – IPv4 only
  • net <NET>/<LEN> – IPv4/IPv6

May be qualified with src and dst.

Examples:

$ tcpdump -i eth0 net 192.168.1.0 mask 255.255.255.0
$ tcpdump -i eth0 net 192.168.1.0/24

2.4 Match Port

  • port <port> – packets from and to <port>
  • src port <port> – packets from <port>
  • dst port <port> – packets to <port>
  • portrange <port1>-<port2> – packets from and to <port1>-<port2>
  • src portrange <port1>-<port2> – packets from <port1>-<port2>
  • dst portrange <port1>-<port2> – packets to <port1>-<port2>

Examples:

$ tcpdump -i eth0 port 80
$ tcpdump -i eth0 dst port 80
$ tcpdump -i eth0 src portrange 8000-8080

2.5 Match Protocol

Match protocols in L3 header:

  • ip proto <PROTO> – PROTO: icmp, icmp6, igmp, igrp, pim, ah, esp, vrrp, udp, or tcp

Follow are abbreviations:

  • icmp = proto icmp
  • tcp = proto tcp
  • udp = proto udp

Match protocols in L2 header:

  • ether proto <PROTO> – PROTO: ip, ip6, arp, rarp, atalk, aarp, decnet, sca, lat, mopdl, moprc, iso, stp, ipx, or netbeui

Follow are abbreviations:

  • ip = ether proto ip
  • ip6 = ether proto ip6
  • arp = ether proto arp
  • rarp = ether proto rarp
$ tcpdump -i eth0 arp
$ tcpdump -i eth0 icmp

2.6 Match Traffic Direction (ingress/egress)

  • --direction=[in|out|inout] – note that not all platform supports this

2.7 Logical Operators

With logical operators, we could combine simple expressions into a complex one.

  • and
  • or

Examples:

# capture traffic: 192.168.1.3<->192.168.1.4:80
$ tcpdump -i eth0 'host 192.168.1.3 and (host 192.168.1.4 and port 80)'

# capture traffic: 192.168.1.3->192.168.1.4:80
$ tcpdump -i eth0 'src host 192.168.1.3 and (dst host 192.168.1.4 and port 80)'

# capture traffic: 192.168.1.0/24->10.1.1.4
$ tcpdump -i eth0 'src net 192.168.1.0/24 and dst host 10.1.1.4 -w test.pcap'

3 Misc

3.1 Truncate Packet Length

-s <LEN> truncate each packet to length LEN bytes. This could substantially reduce the resulted pcap file size.

For example, if want to capture only L2 and L3 headers, you could truncate each packet to 14 (ether header) + 2 (potential VLAN) + 20 (IP header basic part) = 36 bytes, thus:

$ tcpdump -i eth0 -s 36 -w test.pcap

 

4 Autres sources

List interfaces that tcpdump can listen on

 # tcpdump -D
1.eth0
2.eth1
3.eth1.780
4.eth1.781
5.eth1.790
6.eth2
7.eth2.10
8.eth3
9.eth4
10.any (Pseudo-device that captures on all interfaces)
11.lo

Note: “any” interface is an option only on Linux systems running kernel 2.4 onwards. Not available on *BSD, Solaris or any other Unix system.

Turn on “verbose” key in TCPDUMP to see IP and TCP header information

# tcpdump -vi eth0

Turn off hostname and port lookup in TCPDUMP

# tcpdump -vnni eth0

Tcpdump filter only icmp traffic

tcpdump -nni eth0 icmp

Tcpdump command to filter on ICMP type – capture only ICMP echo request

As shows on ICMP wiki page http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol, ICMP echo requests are ICMP type 8 ( ICMP code is not important as there is only one code for ICMP type 8 [ and 0 actually ] )

# tcpdump -nni vlan111 -e icmp[icmptype] == 8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan111, link-type EN10MB (Ethernet), capture size 65535 bytes
12:39:05.471531 00:07:e9:a5:9b:fa > 00:10:db:ff:10:02, ethertype IPv4 (0x0800), length 98: 10.1.111.10 > 10.0.0.4: ICMP echo request, id 24907, seq 307, length 64
12:39:06.472431 00:07:e9:a5:9b:fa > 00:10:db:ff:10:02, ethertype IPv4 (0x0800), length 98: 10.1.111.10 > 10.0.0.4: ICMP echo request, id 24907, seq 308, length 64

Above tcpdump filter “icmp[icmptype] == 8” will only display ip packets that have icmp payload and icmptype 8 – ICMP Echo Request.

Tcpdump command to filter on ICMP type – capture only ICMP echo reply

# tcpdump -nni vlan111 -e icmp[icmptype] == 0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan111, link-type EN10MB (Ethernet), capture size 65535 bytes
12:40:52.569668 00:10:db:ff:10:02 > 00:07:e9:a5:9b:fa, ethertype IPv4 (0x0800), length 98: 10.0.0.4 > 10.1.111.10: ICMP echo reply, id 24907, seq 414, length 64
12:40:53.570530 00:10:db:ff:10:02 > 00:07:e9:a5:9b:fa, ethertype IPv4 (0x0800), length 98: 10.0.0.4 > 10.1.111.10: ICMP echo reply, id 24907, seq 415, length 64

Notice from ICMP types and codes table that icmptype 0 is the echo reply.

Tcpdump filter packets with specified ip identification in ip header

(See https://forum.ivorde.com/tcpdump-filter-packets-with-specified-ip-identification-in-ip-header-t19601.html for more details)

# tcpdump -nr /tmp/tcpdump.pcap -v 'ip[4:2] == 24332'
reading from file /tmp/tcpdump.pcap, link-type EN10MB (Ethernet)
capability mode sandbox enabled
23:58:50.090759 IP (tos 0x10, ttl 128, id 24332, offset 0, flags [DF], proto TCP (6), length 204)
10.1.1.1.22 > 192.168.0.109.53989: Flags [P.], seq 3661036793:3661036957, ack 2364476704, win 4106, length 164

Tcpdump filtering based on DSCP field in IP header

(See https://forum.ivorde.com/tcpdump-how-to-to-capture-only-ip-packets-with-specific-dscp-class-in-ip-header-t14041.html for more details)

# tcpdump -nni eth1 -v 'ip[1] & 0xfc == 184'
12:56:49.690239 IP (tos 0xb8, ttl 63, id 44823, offset 0, flags [DF], proto TCP (6), length 40)
28.32.179.11.80 > 61.219.73.106.61244: Flags [F.], cksum 0xdac1 (correct), seq 2799324281, ack 4189664666, win 108, length 0

Tcpdump: How to to capture only ICMP Fragmentation needed notifications

(See https://forum.ivorde.com/tcpdump-how-to-to-capture-only-icmp-fragmentation-needed-notifications-t15211.html)

# tcpdump -nni vlan111 -e icmp[icmptype] == 3 && icmp[icmpcode] == 4
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan111, link-type EN10MB (Ethernet), capture size 65535 bytes
12:46:41.500646 00:10:db:ff:10:02 > 00:07:e9:a5:9b:fa, ethertype IPv4 (0x0800), length 70: 10.1.111.1 > 10.1.111.10: ICMP 10.0.0.3 unreachable - need to frag (mtu 1382), length 36

How to capture frames with specific source or destination mac address

(See https://forum.ivorde.com/tcpdump-how-to-capture-frames-with-specific-source-destination-mac-address-t19471.html)

#tcpdump -nni eth0 ether src 2c:21:72:c6:c1:88
#tcpdump -nni eth0 ether dst 2c:21:72:c6:c1:88

Capture only packets from a specific IP host or to a specific IP destination

# tcpdump -nni en0 src host 8.8.8.8.8
# tcpdump -nni en0 dst host 8.8.8.8.8

Tcpdump – capture only ARP packets

# tcpdump -nni en0 arp

Capture only IPv4 or only IPv6 traffic

# tcpdump -nni en0 ip
# tcpdump -nni en0 ip6

Capture ethernet multicast traffic based on ethernet field and on IPv4 destination

# tcpdump -nni en0 "ether[0] & 1 != 0"

(Make sure the tcpdump expression above is enclosed in double quotes otherwise the &amp; will be interpreted by the shell not by tcpdump).

# tcpdump -nni en0 dst net 224.0.0.0/4

Show ethernet / layer 2 headers

# tcpdump -nni en0 -e
21:54:03.017194 80:71:1f:39:61:c8 > 80:e6:50:07:2d:d6, ethertype IPv4 (0x0800), length 126: 64.233.166.189.443 > 192.168.3.100.57904: Flags [P.], seq 2082387620:2082387680, ack 1352514330, win 1373, options [nop,nop,TS val 1373308623 ecr 829302794], length 60

Capture only specific vlan traffic (for interfaces that terminate vlan trunks)

# tcpdump -nni em2 -e vlan 5
20:55:32.265019 f8:c0:01:d2:35:c1 > 00:26:0b:28:5e:40, ethertype 802.1Q (0x8100), length 370: vlan 5, p 0, ethertype IPv4, 12.16.11.149 > 12.250.3.6: ESP(spi=0x0f3e6725,seq=0x72f), length 332

Capture specific IPv4 protocols related traffic

# grep -E "esp|ah|gre|ospf|icmp|tcp|udp" /etc/protocols
icmp   1   ICMP      # internet control message protocol
tcp   6   TCP      # transmission control protocol
udp   17   UDP      # user datagram protocol
gre   47   GRE      # General Routing Encapsulation
esp   50   IPSEC-ESP   # Encap Security Payload [RFC2406]
ah   51   IPSEC-AH   # Authentication Header [RFC2402]
ipv6-icmp 58   IPv6-ICMP   # ICMP for IPv6
ospf   89   OSPFIGP      # Open Shortest Path First IGP
udplite   136   UDPLite      # UDP-Lite [RFC3828]
wesp   141   WESP      # Wrapped Encapsulating Security Payload

Showing below how to capture GRE traffic.

# tcpdump -nni em2 ip proto 47
tcpdump: WARNING: em2: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em2, link-type EN10MB (Ethernet), capture size 65535 bytes
21:17:32.870695 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto GRE (47), length 100)
12.16.81.123 > 82.210.283.106: GREv0, Flags [none], length 80
IP6 (class 0xc0, hlim 1, next-header OSPF (89) payload length: 36) fe80::fac0:100:d2:3580 > ff02::5: OSPFv3, Hello, length 36
Router-ID 172.16.2.2, Backbone Area
Options [V6, External, Router]
Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.2, Priority 128
Neighbor List:

Dump HTTP data as ASCII or ASCII and HEX

(See https://forum.ivorde.com/tcpdump-dump-http-headers-as-ascii-and-hex-t19591.html for more details)

# tcpdump -nni eth0 -s0 -A -l port 80
# tcpdump -nni eth0 -s0 -AX -l port 80

The output can be filtered with grep to only dump specific attribute in HTTP header or specific html tag inside the payload.

Capture only traffic related to a CIDR subnet

# tcpdump -nni eth0 net 192.168.3.96/28
02:48:33.958798 IP 10.1.22.2.22 > 192.168.3.100.61644: Flags [P.], seq 2001101694:2001101886, ack 4183269133, win 49, options [nop,nop,TS val 1422334877 ecr 843342387], length 192
02:48:33.962744 IP 10.1.22.2.22 > 192.168.3.100.61644: Flags [P.], seq 192:416, ack 1, win 49, options [nop,nop,TS val 1422334878 ecr 843342387], length 224

 

 

Source

Source