Tcpdump

From Notes_Wiki

Home > CentOS > CentOS 6.x > Network related tools > Tcpdump


About tcpdump

tcpdump is a command-line packet capture tool. It can print a decoded summary of each captured packet on the terminal, or write the raw packets to a file in pcap format for later analysis with tcpdump itself or any other pcap-aware tool. Because it has no graphical front end its footprint is small, so it can keep up on links carrying heavy network I/O. Capture filters are written in the libpcap (BPF) filter syntax and compiled into a kernel-level packet filter, so packets that do not match are discarded cheaply before they are ever copied to tcpdump.


Useful command line options

Some very useful command line options supported by tcpdump are:

Option          Description
-c <count>      Stop after <count> packets have been captured.
-C <size>       Do not let a single capture file grow beyond <size> units of 1,000,000 bytes. When the limit is reached tcpdump closes the file and opens a new one, appending a number to the name given with -w (myfile, myfile1, myfile2, ...). Combine with -W to cap how many such files are kept.
-D              List the interfaces available for capturing, with a number and a description for each.
-i <interface>  Capture on the given interface name or number (as shown by -D). By default tcpdump picks the lowest-numbered configured interface that is up, excluding loopback.
-n              Do not convert IP addresses to host names via reverse DNS. This matters on busy links: every lookup costs time during which packets can be dropped, and the lookups generate DNS traffic of their own (which may itself show up in the capture).
-nn             Also do not convert port numbers to service names (22 to ssh, 80 to http). This causes no extra traffic, since the mapping comes from /etc/services, but it costs some processing, and numeric ports are easier to grep and compare. In current tcpdump releases -n alone already suppresses port names; -nn remains the conventional spelling and is harmless.
-p              Do not put the interface into promiscuous mode. Note that the interface may already be promiscuous (set by another tool), in which case tcpdump still sees frames addressed to other hosts on hub-like networks or mirror ports.
-r <file>       Read packets from the given file instead of a live interface.
-s <size>       Capture only the first <size> bytes (the snaplen) of each packet. Useful when only the protocol headers (Ethernet/IP/TCP/UDP) matter and the application payload does not. A snaplen of 0 selects the maximum (262144 bytes in tcpdump 4.0 and later); older releases defaulted to 68 bytes, which truncates most payload, so pass -s 0 explicitly when the whole packet is needed.
-v              Verbose output; -vv and -vvv increase the verbosity further.
-q              Quieter (shorter) output.
-w <file>       Write the raw packets to <file> in pcap format instead of printing them.
-A              Print the contents of each packet in ASCII (handy for plain-text protocols such as HTTP).
-x              Print the contents of each packet in hexadecimal; -X prints hex and ASCII side by side, and -xx/-XX also include the link-level header.

Note:

  • A pseudo-interface named any is listed among the real interfaces. Capturing on any has a limitation: it works only in non-promiscuous mode. We cannot capture on the any interface in promiscuous mode.
  • To capture only packets meant for the current host, even on an interface that is already in promiscuous mode, use the filter 'ether host <host_mac_address> or ether broadcast' (add 'or ether multicast' if multicast traffic to the host matters).
  • The file name '-' can be given to -r or -w so that input is read from stdin or output is written to stdout, which allows piping the raw capture into another tcpdump or a compressor.
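The following Python is an added example, not code from tcpdump or from this wiki: it writes the classic pcap file layout that -w produces and -r consumes, reproduces in memory what -s (snaplen) and -C (size-based rotation) do to the stored data, and reads the files back, including the truncated-record case left behind when a capture is killed mid-write. The frames, file names and the byte-based size limit are constructed for the illustration.

```python
# Added example, not tcpdump's code: the libpcap file layout behind -w/-r, with -s and -C reproduced in memory.
import struct

PCAP_MAGIC = 0xA1B2C3D4              # classic pcap, microsecond timestamps, written in host (here little-endian) order
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = "<IHHiIII"              # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "<IIII"                 # ts_sec, ts_usec, incl_len (bytes stored), orig_len (bytes on the wire)


def pcap_header(snaplen):
    return struct.pack(GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)


def pcap_record(ts_sec, ts_usec, frame, snaplen):
    """One record: only the first `snaplen` bytes are stored (what -s does); orig_len keeps the true size."""
    data = frame[:snaplen]
    return struct.pack(RECORD_HDR, ts_sec, ts_usec, len(data), len(frame)) + data


def write_rotating(packets, snaplen, max_bytes, basename):
    """Mimic `tcpdump -s snaplen -C size -w basename`, but in memory and with the limit in plain bytes
    (tcpdump's -C counts units of 1,000,000 bytes). Before each packet is written, a file already larger
    than max_bytes is closed and the next one, named basename1, basename2, ..., is started."""
    files, name, buf = {}, basename, pcap_header(snaplen)
    for ts_sec, ts_usec, frame in packets:
        if len(buf) > max_bytes:
            files[name] = buf
            name, buf = f"{basename}{len(files)}", pcap_header(snaplen)
        buf += pcap_record(ts_sec, ts_usec, frame, snaplen)
    files[name] = buf
    return files


def read_pcap(blob):
    """Parse what `tcpdump -r file` consumes. Returns (snaplen, [(timestamp, incl_len, orig_len, data), ...]).
    A record whose data runs past the end of the file (capture process killed mid-write) raises ValueError."""
    magic, _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(GLOBAL_HDR, blob[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported pcap: magic {magic:#x}, linktype {linktype}")
    records, pos = [], 24
    while pos + 16 <= len(blob):
        sec, usec, incl, orig = struct.unpack(RECORD_HDR, blob[pos:pos + 16])
        pos += 16
        if pos + incl > len(blob):
            raise ValueError(f"record at offset {pos - 16} is truncated")
        records.append((sec + usec / 1e6, incl, orig, blob[pos:pos + incl]))
        pos += incl
    return snaplen, records


# Constructed input (not a real capture): three frames of 60, 1514 and 300 bytes with filler contents.
SAMPLE_PACKETS = [(1_700_000_000, i * 1000, bytes([0x41 + i]) * size)
                  for i, size in enumerate((60, 1514, 300))]


def demo(snaplen=96, max_bytes=200):
    """Write the sample with a 96-byte snaplen into ~200-byte files and read every file back."""
    files = write_rotating(SAMPLE_PACKETS, snaplen, max_bytes, "cap")
    return {name: read_pcap(blob) for name, blob in files.items()}
```

Running demo() yields two files, cap and cap1: the 1514-byte frame is stored with incl_len 96 but orig_len 1514, which is exactly what a reader sees after a capture taken with a small -s, and why a later tcpdump -r cannot show the payload that was never stored. With snaplen 262144 and a large size limit the same input lands in one file with every frame intact.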


To limit a tcpdump capture by time instead of by number of packets (-c) use:

tcpdump -G 15 -W 1 -w myfile -i eth0 'port 8080'

where:

-G <seconds>
Rotate the dump file every <seconds> seconds. The name given with -w is passed through strftime(3), so a name such as 'myfile-%Y%m%d-%H%M%S.pcap' yields one time-stamped file per interval; a plain name (as above) is overwritten on each rotation.
-W <count>
Together with -G, stop after <count> files have been written, exiting with status 0 (together with -C it instead caps the number of files and overwrites them in a ring).
-w <file>
Location of the dump file.

With -G 15 -W 1 tcpdump writes a single file for 15 seconds and then terminates by itself, which is what a cron job or a script wrapper usually needs.



tcpdump filter format

We can specify filters (conditions which must be satisfied) for the packets to be captured. Various filter expressions are:

expression                        Meaning
host <ip_address>                 Only packets to or from the specified IP address are captured.
src host <ip_address>             Only packets with the given source IP address.
dst host <ip_address>             Only packets with the given destination IP address.
port <number>                     Only packets whose TCP/UDP source or destination port equals <number>.
src port <number>                 Only packets with the given TCP/UDP source port.
dst port <number>                 Only packets with the given TCP/UDP destination port.
<protocol>                        Only packets of the named protocol. Accepted names include ether, ip, ip6, arp, rarp, tcp, udp, icmp, icmp6, sctp and wlan.
and, or, not                      Combine expressions with and (&&), or (||) and not (!); parentheses group sub-expressions but must be quoted or escaped for the shell.
ether host <mac_address>          Only frames whose source or destination MAC address matches.
ether src <mac_address>           Only frames with the given source MAC address.
ether dst <mac_address>           Only frames with the given destination MAC address.
gateway <host>                    Packets that used <host> as a gateway, i.e. the Ethernet source or destination is <host> but neither the IP source nor the IP destination is. <host> must be a name that appears in /etc/ethers (for its MAC address) and is resolvable via /etc/hosts or DNS (for its IP address).
net <network_number>              Only packets whose source or destination IP lies in the given network.
net <net> mask <netmask>          As above, with the netmask given in dotted-decimal form.
net <net>/<len>                   As above, with the mask given as a prefix length (CIDR notation).
portrange <port1>-<port2>         Source or destination port lies within the range (inclusive).
src portrange <port1>-<port2>     Source port lies within the range.
dst portrange <port1>-<port2>     Destination port lies within the range.
less <length>                     Packet length is less than or equal to <length> (same as len <= <length>).
greater <length>                  Packet length is greater than or equal to <length> (same as len >= <length>).
ether broadcast                   Ethernet broadcast frames.
ip broadcast                      IPv4 broadcast packets. This needs the netmask of the capture interface, so it does not work correctly on the any pseudo-interface.
ether multicast                   Ethernet multicast frames.
ip multicast                      IPv4 multicast packets.
vlan [<vlan_id>]                  The packet carries an IEEE 802.1Q VLAN tag; with <vlan_id> given, only if the tag has that id. The first vlan keyword in an expression shifts the decoding offsets of everything after it by 4 bytes, on the assumption that the packet is VLAN-tagged; the keyword may be repeated to match VLAN hierarchies (QinQ), each use shifting the offsets by a further 4 bytes. Consequently 'ip and vlan' and 'vlan and ip' are not equivalent: only the second matches IP packets inside a tagged frame. Read the man page before relying on this option.


Note:

  • Protocol (ip, tcp, etc.), direction (src, dst) and type (host, port, net) qualifiers combine in a single expression, e.g. 'tcp dst port 80' or 'ip src net 10.0.0.0/8'.
  • There is also a powerful byte-indexing operation, proto[offset:size], which reads 1, 2 or 4 bytes at the given offset from the start of that protocol's header; the value can be combined using C-style operators (<, >, >=, <=, =, !=, &, |, +, -, *, /) and compared with another such value or a constant. For example 'tcp[13] & 2 != 0' matches TCP segments with the SYN flag set (byte 13 of the TCP header holds the flags), and 'ip[0] & 0x0f > 5' matches IPv4 packets carrying options. libpcap also accepts symbolic names for the common cases, e.g. 'tcp[tcpflags] & tcp-syn != 0'. Complete information on this can be found in the man page.
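The following Python is an added example, not tcpdump's or libpcap's own code: a small interpreter for a subset of the filter syntax above (host, net and port with src/dst, the ip/tcp/udp keywords, and/or/not, vlan, and the proto[offset] & mask op value form), run over hand-built Ethernet/IPv4/TCP frames. tcpdump compiles the same text to BPF bytecode executed in the kernel; this interpreter mirrors the semantics that the notes above describe, in particular that each vlan keyword shifts the offsets used by every later primitive by 4 bytes, so 'tcp' alone never matches a tagged frame while 'vlan and tcp' does. The frames, addresses, ports and VLAN id are constructed; name resolution, parentheses and the remaining primitives are deliberately not implemented.

```python
# Added example, not tcpdump's code: a subset-of-BPF filter interpreter run over hand-built frames.
import ipaddress
import re
import struct

PROTO_NAME = {6: "tcp", 17: "udp"}                                  # IP protocol number -> keyword
OPS = {"!=": lambda a, b: a != b, ">": lambda a, b: a > b, "<": lambda a, b: a < b}   # '=' / '==' is equality
TOKEN = re.compile(r"\[|\]|!=|==|[=<>&]|[\w.:/-]+")


def build_frame(src_ip, dst_ip, sport, dport, tcp_flags, vlan_id=None):
    """Constructed Ethernet II (+ optional 802.1Q tag) / IPv4 / TCP frame, fixed MACs, no payload."""
    tag = struct.pack("!HH", 0x8100, vlan_id) if vlan_id is not None else b""   # TPID, TCI (VID only)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    return bytes.fromhex("ffffffffffff001122334455") + tag + struct.pack("!H", 0x0800) + ip + tcp


def decode(frame, depth):
    """Fields read at the offsets BPF uses after `depth` 'vlan' keywords (at depth 0 a tagged frame is not 'ip')."""
    off = 12 + 4 * depth
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    f, l3 = {"names": {"ip"} if ethertype == 0x0800 else set(), "ip": off + 2}, off + 2
    if ethertype == 0x8100:
        f["vlan_id"] = struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF
    if "ip" in f["names"]:                                             # f["ip"]: base offset for ip[N]
        f["src"], f["dst"] = (ipaddress.IPv4Address(frame[l3 + i:l3 + i + 4]) for i in (12, 16))
        f["tcp"] = f["udp"] = l4 = l3 + (frame[l3] & 0x0F) * 4         # base offset for tcp[N] / udp[N]
        if frame[l3 + 9] in PROTO_NAME:
            f["names"].add(PROTO_NAME[frame[l3 + 9]])
            f["sport"], f["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return f


class Filter:
    """Recursive descent: expr := term ('or' term)*; term := factor ('and' factor)*; factor := ['not'] primitive."""
    def __init__(self, text):
        self.toks, self.pos, self.depth = TOKEN.findall(text) + [None], 0, 0
        self.matches = self.expr()                                     # Filter(text).matches(frame) -> bool
        if self.peek is not None:
            raise SyntaxError("unexpected token " + self.peek)

    peek = property(lambda self: self.toks[self.pos])                  # None at end of input

    def take(self, *want):
        tok, self.pos = self.peek, self.pos + 1
        if tok is None or (want and tok not in want):
            raise SyntaxError(f"expected {want or 'a token'}, got {tok!r}")
        return tok

    def expr(self, level=0):                                           # 0: 'or' chain, 1: 'and' chain
        sub = (lambda: self.expr(1)) if level == 0 else self.factor
        fn = sub()
        while self.peek == ("or", "and")[level]:
            self.take()
            fn = (lambda l, r: lambda fr: (l(fr) and r(fr)) if level else (l(fr) or r(fr)))(fn, sub())
        return fn

    def factor(self):
        if self.peek != "not":
            return self.primitive()
        self.take()
        return (lambda inner: lambda fr: not inner(fr))(self.factor())

    def primitive(self):
        d, tok = self.depth, self.take()                               # d: VLAN depth for this primitive
        if tok == "vlan":
            vid = int(self.take()) if (self.peek or "").isdigit() else None
            self.depth += 1                                            # shifts every later primitive by 4
            return lambda fr: "vlan_id" in decode(fr, d) and vid in (None, decode(fr, d)["vlan_id"])
        proto = tok if tok in ("ip", "tcp", "udp") else None
        if proto and self.peek == "[":
            return self.index_expr(d, proto)
        if proto and self.peek not in ("src", "dst", "host", "port", "net"):
            return lambda fr: proto in decode(fr, d)["names"]
        tok = self.take() if proto else tok
        side = tok if tok in ("src", "dst") else None
        kind, arg = (self.take() if side else tok), self.take()        # numeric addresses only
        keys = [k for k in ("src", "dst") if side in (None, k)]
        if kind == "net":
            want, test = ipaddress.ip_network(arg, strict=False), lambda f, k: k in f and f[k] in want
        elif kind in ("host", "port"):
            keys = keys if kind == "host" else [k[0] + "port" for k in keys]
            want, test = (ipaddress.ip_address(arg) if kind == "host" else int(arg)), lambda f, k: f.get(k) == want
        else:
            raise SyntaxError("unknown primitive " + kind)
        return lambda fr: (not proto or proto in decode(fr, d)["names"]) and any(test(decode(fr, d), k) for k in keys)

    def index_expr(self, d, proto):                  # proto[offset] [& mask] op value, e.g. tcp[13] & 2 != 0
        self.take("[")
        off, _ = int(self.take()), self.take("]")
        mask = int(self.take() and self.take(), 0) if self.peek == "&" else 0xFF   # '& mask' is optional
        op, value = OPS.get(self.take("=", "==", *OPS), lambda a, b: a == b), int(self.take(), 0)
        return lambda fr: proto in decode(fr, d)["names"] and op(fr[decode(fr, d)[proto] + off] & mask, value)

# Constructed sample frames (not a real capture): a SYN to port 80 and a VLAN-100 SYN to port 443.
SYN = build_frame("10.0.0.5", "192.168.1.10", 40000, 80, 0x02)
TAGGED_SYN = build_frame("10.0.0.5", "192.168.1.10", 40001, 443, 0x02, vlan_id=100)
```

Filter("tcp dst port 80").matches(SYN) is true and Filter("tcp[13] & 2 != 0").matches(SYN) is true (byte 13 of the TCP header is the flags byte, SYN is bit 1). For the tagged frame, Filter("tcp").matches(TAGGED_SYN) is false because at offset 12 the frame carries the ethertype 0x8100 of the tag rather than 0x0800, while Filter("vlan and tcp dst port 443") is true: the vlan keyword raises the depth, so the tcp primitive reads its ethertype, IP header and ports 4 bytes further on. A filter with a missing argument or a trailing token raises SyntaxError at construction time, mirroring tcpdump rejecting the expression before the capture starts.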

Additional information (including everything mentioned above) can be found in the tcpdump(8) man page; newer releases document the filter syntax separately in pcap-filter(7).

