TCPdump - Sniffing, Capturing and Analysing Network Traffic


If one truly wants to discover how a specific network application works, to know where and what kind of data it sends, or where the data is coming from, then "sniffing" network packets is an absolute necessity. It is a standard method
used by a large number of information security professionals and IT enthusiasts. One such network "sniffing" and analysis tool is tcpdump.

It is a simple yet very useful command-line utility that can be used while learning, and for a better understanding of, the TCP/IP protocol suite. It is free software, originally distributed on Unix-like operating systems, but ports and similar GUI programs are also distributed for Windows. One such very popular GUI network analyzer is Wireshark.

On some Unix-like operating systems, to be able to use all features of tcpdump, a user must have superuser privileges. 



Sniffing network traffic
To get the list of interfaces that are available for tcpdump capture we can use this command:

linux# tcpdump -D
1.eth0
2.any (Pseudo-device that captures on all interfaces)
3.lo

Once we know the interfaces, capturing traffic on a specific one is easy:

linux# tcpdump -i eth0
...
17:17:24.672194 IP 192.168.10.102.50676 > 192.168.10.200.ssh: Flags [P.], seq 545:597, ack 92552, win 4030, length 52
17:17:24.672325 IP 192.168.10.200.ssh > 192.168.10.102.50676: Flags [P.], seq 92552:92940, ack 597, win 403, length 388
^C
640 packets captured
640 packets received by filter
0 packets dropped by kernel
(If we want more information from tcpdump, we can use the -vv, "very verbose", option.)

To sniff traffic to or from a specific host we can use the host primitive:

linux# tcpdump -n host 192.168.10.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:25:19.438850 ARP, Request who-has 192.168.10.100 tell 192.168.10.1, length 46
17:25:20.438912 ARP, Request who-has 192.168.10.100 tell 192.168.10.1, length 46
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
(We can also give an FQDN instead of an IP address. In that case we would leave out the -n option.)

To sniff everything except traffic to or from a specific host we can use the not keyword:

linux# tcpdump -n host not 192.168.10.1
...
17:34:00.381012 IP 192.168.10.200.22 > 192.168.10.102.50676: Flags [P.], seq 64604:64880, ack 409, win 620, length 276
17:34:00.382733 IP 192.168.10.102.50676 > 192.168.10.200.22: Flags [P.], seq 409:461, ack 64880, win 4311, length 52
17:34:00.382829 IP 192.168.10.200.22 > 192.168.10.102.50676: Flags [P.], seq 64880:65044, ack 461, win 620, length 164
^C
448 packets captured
449 packets received by filter
0 packets dropped by kernel

To sniff traffic from a specific source to a specific destination we can use the src and dst qualifiers. We can also specify the protocol or port we want to listen to. For example, to listen to ssh:

linux# tcpdump src 192.168.10.102 and dst 192.168.10.200 and port ssh
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:47:41.598663 IP 192.168.10.102.50676 > 192.168.10.200.ssh: Flags [.], ack 1104967642, win 4071, length 0
17:47:41.906519 IP 192.168.10.102.50676 > 192.168.10.200.ssh: Flags [.], ack 149, win 4034, length 0
...
^C
11 packets captured
12 packets received by filter
0 packets dropped by kernel
(Since ssh traffic is encrypted there is not much to see, but if we had listened to ftp traffic, for example, we could easily read the user's login name and password, because FTP sends them in cleartext.)

We can also write the captured data to a file that can later be loaded into other network analyzers:

linux# tcpdump -s0 -i eth0 dst host 192.168.10.102 -w /dump.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
42 packets captured
42 packets received by filter
0 packets dropped by kernel
(This way we save the captured data in a ".pcap" file that can later be analysed by GUI network analyzers such as Wireshark. The -s0 option sets an unlimited snapshot length, so whole packets are saved rather than truncated ones.)

To read data from a previously captured file we can use the -r option:

linux# tcpdump -r /dump.pcap
reading from file /dump.pcap, link-type EN10MB (Ethernet)
18:19:40.129134 IP 192.168.10.200.ssh > 192.168.10.102.50676: Flags [P.], seq 1104998218:1104998350, ack 3215534015, win 1009, length 132
18:19:42.093016 IP 192.168.10.200.ssh > 192.168.10.102.50676: Flags [P.], seq 132:184, ack 53, win 1009, length 52
18:19:43.077015 IP 192.168.10.200.ssh > 192.168.10.102.50676: Flags [P.], seq 184:236, ack 105, win 1009, length 52
18:19:44.397016 IP 192.168.10.200.ssh > 192.168.10.102.50676: Flags [P.], seq 236:288, ack 157, win 1009, length 52
18:19:44.885002 IP 192.168.10.200.ssh > 192.168.10.102.50676: Flags [P.], seq 288:340, ack 209, win 1009, length 52
...
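As an added example (not part of the original post or of tcpdump itself), here is a minimal Python reader for the libpcap file format that tcpdump -w writes and -r reads back; it decodes Ethernet/IPv4/TCP headers into one-line summaries of the kind tcpdump -n -S prints. The sample capture is constructed inside the script and mirrors the two ssh segments from the -i eth0 output above; the MAC addresses, checksums and timestamps in it are zeroed or made-up placeholders.

```python
import socket
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # little-endian pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1          # shown as "link-type EN10MB" in tcpdump's banner
# Flag letters in the order tcpdump prints them: FIN SYN RST PSH ACK URG
TCP_FLAGS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "."), (0x20, "U")]

def decode_frame(frame):
    """Summarise an Ethernet/IPv4/TCP frame like 'tcpdump -n -S'; None for anything else."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                          # not IPv4 (e.g. the ARP requests above) or not TCP
    ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", frame[14 + ihl:30 + ihl])
    payload_len = total_len - ihl - (off_flags >> 12) * 4   # IP total minus IP and TCP headers
    flags = "".join(ch for bit, ch in TCP_FLAGS if off_flags & bit)
    seq_part = f"seq {seq}:{seq + payload_len}, " if payload_len else ""
    return (f"IP {src}.{sport} > {dst}.{dport}: Flags [{flags}], "
            f"{seq_part}ack {ack}, win {win}, length {payload_len}")

def read_pcap(data):
    """Parse the bytes of a pcap file into (timestamp, frame) tuples."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC_USEC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected little-endian microsecond pcap with Ethernet frames")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        records.append((ts_sec + ts_usec / 1e6, data[off:off + incl_len]))
        off += incl_len                      # incl_len < orig_len when -s truncated the frame
    return records

def build_tcp_frame(src, sport, dst, dport, seq, ack, flags, payload):
    """Constructed test frame: zeroed MACs and checksums (tcpdump does not verify them without -v)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 4030, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap():
    """Constructed pcap mirroring the two ssh segments shown in the 'tcpdump -i eth0' output."""
    frames = [build_tcp_frame("192.168.10.102", 50676, "192.168.10.200", 22, 545, 92552, 0x18, b"x" * 52),
              build_tcp_frame("192.168.10.200", 22, "192.168.10.102", 50676, 92552, 597, 0x18, b"y" * 388)]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out
```

Pass read_pcap() the contents of a file written with -w (or sample_pcap() for the constructed data) and print decode_frame() for each frame to get the same summary lines that tcpdump -r shows.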
