This document describes a variety of tcpdump commands to make life easier and more transparent. tcpdump ships on Ubiquiti firewalls, Unix boxes and a variety of other Linux- or Unix-based networking equipment. The following primer covers the basics of tcpdump and the options I have found most useful.
Turn off Name Resolution:
By default, tcpdump resolves names for every layer-3 and layer-4 source and destination: it looks up the hostname for each IP address and translates well-known port numbers into service names for the viewer. Since most people running a packet analyzer want the raw IP addresses and ports, the first thing we do is turn name resolution off with -n (older versions needed -nn to cover port names as well; current versions accept -nn, so it is a safe habit). Beyond readability, this matters in practice: with resolution on, the capturing host fires a reverse DNS query for every new address it sees, which slows the capture, makes your analysis visible on the network, and stalls the output completely when DNS is the thing that is broken.
TCPDump for Layer-2:
Ever need to grab the MAC address of a device or troubleshoot an ARP problem? The -e switch, which prints the link-level header on every line, is the key to your wildest layer-2 dreams:
By default you can see ARP requests, but the layer-2 addresses are nowhere on the line. Add -e and, in addition to the basic layer-3 information, you also get:
- Source and destination MAC
- Frame type (ethertype) and layer-3 protocol info
- Frame length in bytes (on Ethernet the layer-2 header itself accounts for 14 of them)
What if you want to look at the TTL, IP ID, options or checksums in an IP packet? By default you get the basic TCP flags, but much of the rest is hidden from view. tcpdump has three levels of verbosity, all controlled by stacking the -v switch:
|-v||Basic verbose output: TTL, IP ID, total length and IP options, plus checksum verification. When writing a capture with -w (and not reading with -r) it also reports the running count of captured packets on stderr.|
|-vv||Even more verbose: additional fields for a variety of protocols (NFS replies, for example) and SMB packets fully decoded.|
|-vvv||The most verbose output, such as Telnet option negotiation printed in full.|
One caveat on checksum verification: when you capture on the sending host itself, outgoing packets are often handed to the NIC with checksum offload enabled, so tcpdump sees them before the hardware fills the checksum in and reports them as incorrect. That is an artifact of where you captured, not corruption on the wire.
Say you care less about the headers than about the payloads of packets. To view those, use the -x option to print each packet (headers and data, minus the link-layer header) in hex, and the -X option for hex alongside an ASCII translation. -xx and -XX do the same but include the link-layer header as well.
Capturing Specific Interfaces:
Here are the options for capturing on a specific interface or on all interfaces of a device (tcpdump -D lists the interfaces it can see):
|-i any||Simultaneously capture all interfaces. On Linux this pseudo-device captures in cooked mode with no Ethernet header, so -e will not show real MAC addresses here.|
|-i $int_name||Capture network traffic from $int_name only|
Capturing Conversations to or from a specific host:
If you want to capture only conversations to or from 10.222.2.201, use the filter host 10.222.2.201.
If you want to capture only traffic going to 10.222.2.201, use dst host 10.222.2.201.
If you want to capture only traffic originating from 10.222.2.201, use src host 10.222.2.201.
Capturing Only ICMP Packets or specific protocols
For specific protocols you can just put the protocol keyword at the beginning of your filter. For instance, icmp captures only ICMP packets, udp only UDP packets, tcp only TCP, arp only ARP, and so on. Keep in mind that a filter of just tcp also drops the ICMP errors (port or host unreachable, fragmentation needed) that often explain why a TCP conversation is failing; when troubleshooting, tcp or icmp is usually the better choice.
Capturing TCP Source and Destination Ports:
Just like host, you can use src port 22 for source ports, dst port 22 for destination ports, or port 22 for either direction; portrange 8000-8100 matches a range. On its own, port matches both TCP and UDP, so prefix it with the transport protocol (tcp dst port 22) when you only want one.
Capturing certain TCP flags
Capturing just packets with certain flags set in your filters can be very handy. Here we just look for connection resets:
|tcp[tcpflags] == tcp-rst||Just connection resets|
|tcp[tcpflags] == tcp-syn||Just SYNS|
|tcp[tcpflags] == tcp-ack||Just acknowledgements|
|tcp[tcpflags] == tcp-fin||Just FINs|
Use these just like any other filter, at the end of any options. If you are adding to a host or any of the other filters above, put the whole thing in quotes. One caveat: == means "exactly these bits and no others". tcp[tcpflags] == tcp-syn matches only the initial SYN of a handshake (the SYN-ACK reply has ACK set too), tcp[tcpflags] == tcp-ack matches only bare ACKs (data segments normally carry PSH+ACK), and tcp[tcpflags] == tcp-rst misses the very common reset that carries ACK, shown by tcpdump as [R.]. To match a flag regardless of what else is set, use the form from the pcap-filter man page: tcp[tcpflags] & tcp-rst != 0. These byte-index expressions only look inside IPv4 packets.
Combining Different Filters:
Many instances exist where you want to filter for just traffic to a certain host going to a particular port, using just specific flags, or maybe all traffic except from a specific port. Lucky for us, tcpdump supports and and or operators as well as grouping parens and not statements.
tcpdump joins all of its non-option arguments into one filter expression, so spaces by themselves are not the problem; parentheses, !, && and || are, because the shell interprets them before tcpdump ever sees them. The simple rule: as soon as your filter has more than one primitive, wrap the whole expression in single quotes.
For instance, to look for any traffic coming from 10.222.2.201 except over port 22: src host 10.222.2.201 and not port 22
Or maybe you want to filter out port 80 traffic as well; to do this, use grouping parens and an or operator: src host 10.222.2.201 and not (port 22 or port 80)
Or perhaps you just want to look for RST packets not over these two ports: tcp[tcpflags] == tcp-rst and not (port 22 or port 80)
There are many combinations, just remember: *if there is any question about the order your statements will be applied, use grouping parens.* tcpdump's own rule is that not binds tightest while and and or have equal precedence and associate left to right, so a or b and c is read as (a or b) and c, which is not what most programming languages would do with it. And as soon as you have multiple filters, use quotes around the whole thing.
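The following is an added example, not code from the original post or from tcpdump itself, that models offline what the layer-2, TCP-flag and filter-combination sections above describe. It builds a handful of constructed Ethernet/IPv4/TCP frames as raw bytes (MAC addresses, the 10.222.2.1 peer and the port numbers are assumptions for the demo), decodes the fields that tcpdump -e -n prints, and evaluates the page's filters as predicates, including tcp[tcpflags], which is simply byte 13 of the TCP header. Running it shows why == tcp-syn misses the SYN-ACK and == tcp-rst misses an [R.] reset, while the & form catches both.

```python
import struct
from ipaddress import IPv4Address

# The values behind tcpdump's named flag bits (tcp-fin, tcp-syn, ...).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
L2_HEADER_LEN = 14            # Ethernet header: dst MAC, src MAC, ethertype
HOST = "10.222.2.201"         # the host used throughout the page
PEER = "10.222.2.1"           # assumed peer for the constructed traffic


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for the demo. Checksums are left at
    zero, which is exactly what tcpdump -v would report as incorrect."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def decode(frame: bytes) -> dict:
    """Recover what tcpdump -e -n shows: MACs and ethertype from the 14-byte
    Ethernet header, then addresses, ports and the TCP flags byte."""
    p = {
        "dst_mac": ":".join(f"{b:02x}" for b in frame[0:6]),
        "src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
        "l2_len": L2_HEADER_LEN,
    }
    if p["ethertype"] != ETHERTYPE_IPV4:
        return p                                   # ARP and friends: layer-2 info only
    ip = frame[L2_HEADER_LEN:]
    ihl = (ip[0] & 0x0F) * 4                       # IP header length from the IHL nibble
    p.update(proto=ip[9], src=str(IPv4Address(ip[12:16])), dst=str(IPv4Address(ip[16:20])))
    if p["proto"] != 6:
        return p
    tcp = ip[ihl:]
    p["sport"], p["dport"] = struct.unpack("!HH", tcp[0:4])
    p["flags"] = tcp[13]                           # tcp[tcpflags] is shorthand for tcp[13]
    return p


# The page's filter primitives as predicates over a decoded packet.
def host(p, addr):      return addr in (p.get("src"), p.get("dst"))
def src_host(p, addr):  return p.get("src") == addr
def port(p, n):         return n in (p.get("sport"), p.get("dport"))
def flags_eq(p, mask):  return p.get("flags") == mask           # tcp[tcpflags] == mask
def flags_set(p, mask): return p.get("flags", 0) & mask != 0    # tcp[tcpflags] & mask != 0


# The three combined filters from the section above, parenthesised as written.
def from_201_not_ssh(p):          # src host 10.222.2.201 and not port 22
    return src_host(p, HOST) and not port(p, 22)

def from_201_not_ssh_or_http(p):  # src host 10.222.2.201 and not (port 22 or port 80)
    return src_host(p, HOST) and not (port(p, 22) or port(p, 80))

def rst_not_ssh_or_http(p):       # tcp[tcpflags] == tcp-rst and not (port 22 or port 80)
    return flags_eq(p, TCP_RST) and not (port(p, 22) or port(p, 80))


CLIENT_MAC, GATEWAY_MAC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # assumed
# Constructed capture: an SSH handshake, a data segment to 443, and two resets.
SAMPLE = [decode(f) for f in (
    build_frame(CLIENT_MAC, GATEWAY_MAC, HOST, PEER, 51234, 22, TCP_SYN),             # 0 [S]
    build_frame(GATEWAY_MAC, CLIENT_MAC, PEER, HOST, 22, 51234, TCP_SYN | TCP_ACK),   # 1 [S.]
    build_frame(CLIENT_MAC, GATEWAY_MAC, HOST, PEER, 51234, 22, TCP_ACK),             # 2 [.]
    build_frame(CLIENT_MAC, GATEWAY_MAC, HOST, PEER, 51235, 443, TCP_PSH | TCP_ACK, b"GET"),  # 3 [P.]
    build_frame(GATEWAY_MAC, CLIENT_MAC, PEER, HOST, 8080, 51236, TCP_RST | TCP_ACK), # 4 [R.]
    build_frame(CLIENT_MAC, GATEWAY_MAC, HOST, PEER, 51237, 8080, TCP_RST),           # 5 [R]
)]
# A constructed ARP frame (body zero-padded): decode() stops at layer 2 for it.
ARP_FRAME = (mac_to_bytes("ff:ff:ff:ff:ff:ff") + mac_to_bytes(CLIENT_MAC)
             + struct.pack("!H", ETHERTYPE_ARP) + bytes(28))


def matching(pred, *args):
    """Indices of SAMPLE packets a filter would pass, in capture order."""
    return [i for i, p in enumerate(SAMPLE) if pred(p, *args)]


if __name__ == "__main__":
    print("ARP frame, layer-2 only:", decode(ARP_FRAME))
    print("== tcp-syn :", matching(flags_eq, TCP_SYN), " & tcp-syn:", matching(flags_set, TCP_SYN))
    print("== tcp-rst :", matching(flags_eq, TCP_RST), " & tcp-rst:", matching(flags_set, TCP_RST))
    print("from 201 not ssh/http:", matching(from_201_not_ssh_or_http))
```

The flag comparisons are the part worth internalising: == tcp-syn returns only packet 0 and == tcp-rst only packet 5, while the & form also picks up the SYN-ACK (1) and the [R.] reset (4). The combined predicates are written with explicit parentheses on purpose; Python's own operator precedence differs from tcpdump's, which is one more reason to parenthesise the real filter rather than rely on either language's defaults.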