Tcpdump

Michael Tchuindjang (credits to Hacking Articles)

Table of Contents

Abstract
Introduction
Basic Functionalities
  Available Options
  List of interfaces
  Default Capture
  Capturing traffic of a particular interface
  Packet count
  Verbose mode
  Printing each packet in ASCII
  Don't convert addresses
  Port filter
  Host filter
  The header of each packet
  TCP sequence number
  Packet filter
  Packet directions
  Live number count
  Read and write in a file
  Snapshot length
  Dump mode
Advanced Options and Data Types
  Link Level Header
  Parsing and Printing
  User scan
  Timestamp Precision
  Force Packets
  Promiscuous Mode
  No Promiscuous Mode
Advanced Features
  Version Information
  Quick Mode
  Verbose Mode
  HTTP Requests
  User Agent
  Port Range
  Destination
  Source
  Network
  TCP Packets
  Tcpdump to Wireshark
Conclusion
References


Abstract
Tcpdump is a powerful command-line tool for network packet capture and analysis. It helps us
troubleshoot network issues and check whether our security tools (firewalls, IDS sensors, proxies)
see the traffic we expect them to see.

In this report, we'll learn the basic functionalities of this tool. Additionally, we will cover some
advanced options and data types that help us analyze our traffic more efficiently.

Disclaimer: This report is provided for educational and informational purposes only
(penetration testing). Penetration testing refers to legal, authorized intrusion tests that aim to
identify vulnerabilities and improve cybersecurity, not to malicious activity.


Introduction

Tcpdump was originally developed in 1988 by Van Jacobson, Sally Floyd, Vern Paxson, and
Steven McCanne of the Lawrence Berkeley Laboratory Network Research Group.

It allows its users to display the TCP/IP and other packets being received and transmitted over
the network. It runs on Linux and on most other Unix-like operating systems (the BSDs, macOS,
Solaris). It uses the libpcap library, written in C, to capture packets. Because capturing needs
raw access to the network interface, tcpdump is normally run as root (or, on Linux, with the
CAP_NET_RAW and CAP_NET_ADMIN capabilities). Tcpdump has a Windows equivalent as
well, named WinDump, which uses the WinPcap library (now superseded by Npcap).

Basic Functionalities

Available Options

We can use the following parameters to print the tcpdump and libpcap version strings, followed
by a usage message that lists all the available options.

tcpdump -h
tcpdump --help

List of interfaces

An interface is the point of interconnection between a computer and a network. We can use the
following parameter to print the list of the network interfaces available on the system on which
tcpdump can capture packets. Each interface is listed with a number, its name and, where
available, a short description. The number can be given to the '-i' parameter instead of the name
to capture packets on that particular interface.

This is handy when the machine we are working on cannot list its interfaces the usual way, for
example because 'ifconfig -a' or 'ip link' is unavailable or fails.

tcpdump --list-interfaces
tcpdump -D

Default Capture

Before moving on to the advanced options and parameters of this network traffic capture tool,
let's first do a capture with the default configuration. With no interface given, tcpdump picks the
lowest-numbered configured interface that is up (excluding loopback) and keeps capturing until
we stop it with Ctrl-C. Each output line shows the timestamp, the protocol, the source and
destination (with ports) and a protocol-specific summary.

tcpdump

Capturing traffic of a particular interface

We will be capturing traffic on the Ethernet interface, which is known here as "eth0". This type
of interface is usually connected to the network by a Category 5 (or better) twisted-pair cable.

To select this interface, we need to use the -i parameter. On Linux, -i any captures on all
interfaces at once (without promiscuous mode).

tcpdump -i eth0

Packet count

Tcpdump has several features which we can use to make our traffic analysis more efficient, and
we access them through parameters. The -c parameter tells tcpdump to exit after receiving the
given number of packets, so instead of running until interrupted the capture is bounded to exactly
the amount of data we need. The count may be written attached (-c10) or separated (-c 10).

tcpdump -i eth0 -c10

Verbose mode

Verbose mode provides more information about each captured packet. For IP packets, for
example, it prints the time to live (TTL), the identification field, the total length and any options.
It also enables additional packet integrity checks, such as verifying the IP and ICMP header
checksums.

To get this extra information from our capture, we need to use the -v parameter.

tcpdump -i eth0 -c 5 -v

Printing each packet in ASCII

ASCII is the abbreviation of the American Standard Code for Information Interchange, a
character encoding standard for electronic communication on which most modern character
encodings are based. To print the content of each packet (minus its link-level header) in ASCII,
we need to use the -A parameter. This is the quickest way to read clear-text protocols such as
HTTP, SMTP or FTP in a capture; bytes that are not printable are shown as dots.

tcpdump -i eth0 -c 5 -A

Don't convert addresses

By default, tcpdump converts IP addresses to host names (through reverse DNS) and port
numbers to service names. The -n parameter disables the host name lookups, and -nn also
disables the port and protocol name conversion, so we see the raw addresses and port numbers.
Besides being unambiguous, this avoids a DNS query for every new address, which would slow
the capture down and tell the DNS server which addresses we are looking at. Compare the two
outputs:

tcpdump -i eth0 -c 5
tcpdump -i eth0 -c 5 -nn

Port filter

A port filter helps us analyze the data traffic of a particular port. The expression port 80
matches packets whose source or destination port is 80, for TCP, UDP and other port-based
protocols; use dst port or src port to match only one side.

tcpdump -i eth0 -c 5 -v port 80

Host filter

This filter helps us analyze the data traffic to or from a particular host, so we can stick to a
single conversation partner and ignore everything else. Other parameters such as -v, -c, -A and
-n can be combined with it. Note that the filter expression comes last: tcpdump's options go
before it.

tcpdump -n -c10 -A host 104.28.6.89

The header of each packet

The headers of a packet carry the control information for the data it transports: lengths,
addresses, ports, sequence numbers and flags. The -X parameter prints each packet (minus its
link-level header) in hex and ASCII side by side, so we can see the header and payload bytes at
their actual offsets.

tcpdump -i eth0 -c 3 -X

TCP sequence number

Every byte in a TCP connection has a sequence number, counted from a randomly chosen initial
sequence number (ISN) for each direction. The SYN itself consumes one sequence number, so
the first data byte is ISN+1. By default tcpdump prints sequence and acknowledgment numbers
relative to the ISN (so the first data byte shows as 1), which is easier to read. The -S parameter
prints the absolute 32-bit values instead, which we need when correlating with another capture
or with kernel logs.

tcpdump -i eth0 -nnXS

Packet filter

Another feature provided by tcpdump is packet filtering. A filter expression selects which
packets are captured, so we only see the protocol we are interested in. To apply it, we add the
expression after the options; here icmp keeps only ICMP packets.

tcpdump -i eth0 -c 10 icmp

Packet directions

To restrict the capture to one direction of data flow, we can use the -Q parameter with in, out
or inout (not every platform supports it; Linux does). To see only the packets arriving at our
interface:

tcpdump -i eth0 -c 5 -Q in icmp

To see only the requests which we are sending out, the -Q out parameter can be used:

tcpdump -i eth0 -c 5 -Q out icmp

Live number count

We can use the --number parameter to print a packet number at the beginning of each line, so
we can see how many packets have been captured so far in a live capture and refer to a specific
packet later. Comparing the last number with the count given to -c shows that they agree.

Read and write in a file

Tcpdump can write packets to, and read them from, a file in the standard pcap format (usually
with a .pcap extension). The write option (-w) saves the raw packets rather than the decoded
text, so the file can be opened later with tcpdump or Wireshark; while writing, nothing is printed
(add -v to get a running packet count on stderr). The read option (-r) decodes such a file instead
of capturing, and accepts the same display options and filter expressions as a live capture. To
write the output to a .pcap file:

tcpdump -i eth0 -c 10 -w file.pcap icmp

To read this .pcap file:

tcpdump -r file.pcap

Snapshot length

The snapshot length, or snaplen, is the number of bytes tcpdump keeps from each packet. By
default it is 262144 bytes, which is more than any normal frame, so packets are stored whole.
With the -s parameter we can lower this limit, which saves disk space and time when we only
need headers, but packets longer than the snaplen are truncated, and tcpdump marks a decode it
could not finish with [|proto]. The values below show this step by step on ICMP: 10 bytes do not
even cover the 14-byte Ethernet header, 25 bytes reach into the IP header, 40 bytes complete the
IP header (34 bytes in total) but not the 8-byte ICMP header, and 45 bytes are enough to decode
the ICMP header. -s 0 selects the default maximum.

tcpdump -i eth0 -s10 -c2 icmp
tcpdump -i eth0 -s25 -c2 icmp
tcpdump -i eth0 -s40 -c2 icmp
tcpdump -i eth0 -s45 -c2 icmp
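
To make the snaplen effect concrete, here is an added example that is not part of the original
guide: a small Python script (tcpdump is not required) that writes a constructed ICMP echo
request into the pcap format -w produces, truncating it at the snaplen exactly as -s does, reads it
back the way -r does, and decodes what survived. The MAC and IP addresses and the payload are
made up for the example; the [|proto] markers mimic how tcpdump flags a header it could not
finish decoding.

```python
import socket
import struct

# Added example (not from the original guide or the tcpdump project): a minimal writer and
# reader for the pcap file format used by tcpdump -w / -r, used to show what -s does to a
# stored packet. All addresses and payload bytes below are constructed for the example.

PCAP_MAGIC = 0xa1b2c3d4      # microsecond-resolution pcap, written little-endian here
LINKTYPE_ETHERNET = 1
DEFAULT_SNAPLEN = 262144     # tcpdump's default -s value


def checksum(data):
    """RFC 1071 ones-complement checksum used by the IP and ICMP headers."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return (~total) & 0xffff


def build_icmp_echo_frame(src_ip, dst_ip, ident, seq, payload):
    """Constructed Ethernet/IPv4/ICMP echo request (made-up MAC addresses)."""
    eth = bytes.fromhex('001122334455') + bytes.fromhex('66778899aabb') + b'\x08\x00'
    icmp = struct.pack('!BBHHH', 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack('!H', checksum(icmp)) + icmp[4:]
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(icmp), 0x1234, 0x4000, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack('!H', checksum(ip)) + ip[12:]
    return eth + ip + icmp


def write_pcap(frames, snaplen=DEFAULT_SNAPLEN, ts_base=1700000000):
    """Serialize frames as tcpdump -w does: global header, then record header + bytes.
    Like -s, only the first `snaplen` bytes of each frame are stored; the record header
    keeps both the stored length (caplen) and the original length."""
    out = struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack('<IIII', ts_base + i, 0, len(captured), len(frame)) + captured
    return out


def read_pcap(data):
    """Parse a pcap byte string; returns (snaplen, [(caplen, origlen, packet_bytes), ...])."""
    magic, _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack('<IHHiIII', data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError('not a little-endian Ethernet pcap file')
    records, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, caplen, origlen = struct.unpack('<IIII', data[off:off + 16])
        off += 16
        records.append((caplen, origlen, data[off:off + caplen]))
        off += caplen
    return snaplen, records


def describe(pkt):
    """One-line decode in the spirit of tcpdump's output, with [|proto] where the stored
    bytes end before a header is complete (how tcpdump reports a truncated packet)."""
    if len(pkt) < 14:
        return '[|ether]'
    if struct.unpack('!H', pkt[12:14])[0] != 0x0800:
        return 'non-IPv4 frame'
    ip = pkt[14:]
    if len(ip) < 20:
        return 'IP [|ip]'
    ihl, total_len, proto = (ip[0] & 0x0f) * 4, struct.unpack('!H', ip[2:4])[0], ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    if proto != 1:
        return 'IP %s > %s: proto %d' % (src, dst, proto)
    icmp = ip[ihl:]
    if len(icmp) < 8:
        return 'IP %s > %s: [|icmp]' % (src, dst)
    itype, _code, _cs, ident, seq = struct.unpack('!BBHHH', icmp[:8])
    kind = {8: 'echo request', 0: 'echo reply'}.get(itype, 'type %d' % itype)
    return 'IP %s > %s: ICMP %s, id %d, seq %d, length %d' % (
        src, dst, kind, ident, seq, total_len - ihl)


def snaplen_demo(snaplens=(10, 25, 40, 45, DEFAULT_SNAPLEN)):
    """Store one 74-byte echo request under each snaplen and decode what survived."""
    frame = build_icmp_echo_frame('192.168.1.10', '192.168.1.1', 0x1234, 1, b'A' * 32)
    results = {}
    for s in snaplens:
        _, records = read_pcap(write_pcap([frame], s))
        caplen, _origlen, pkt = records[0]
        results[s] = (caplen, describe(pkt))
    return results
```

Running snaplen_demo() reproduces the progression described above: -s10 yields [|ether],
-s25 yields IP [|ip], -s40 names the hosts but ends in [|icmp], and from -s45 on the ICMP
header decodes completely, while the record header still records the original 74-byte length.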

Dump mode

Dump mode has three variants: -d, -dd and -ddd. They dump the compiled packet-matching
code, that is the BPF program libpcap builds from the filter expression, and then exit without
capturing anything, so -c has no effect here and without a filter expression the program is just
"accept every packet". -d dumps the code in a readable assembler-like form, -dd dumps it as a
C program fragment (an array of struct bpf_insn), and -ddd dumps it as decimal numbers
preceded by a count, one instruction (code, jt, jf, k) per line. To see a non-trivial program, add a
filter expression such as icmp to the commands:

tcpdump -i eth0 -c 5 -d
tcpdump -i eth0 -c 5 -dd
tcpdump -i eth0 -c 5 -ddd
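
To see what a -ddd listing actually describes, here is an added example (not from the original
guide or from libpcap) in Python: it parses a -ddd listing back into instructions, prints them in
-d style and runs them on constructed Ethernet frames the same way the kernel's filter would.
The embedded listing is the program libpcap compiles for the filter icmp on an Ethernet
interface; regenerate it with tcpdump -ddd icmp to compare with your own version. Only the
handful of opcodes that such simple filters use are implemented.

```python
import struct

# Added example, not from the original guide or the tcpdump/libpcap project: decode the
# classic BPF program that `tcpdump -ddd` prints and run it on constructed frames, so the
# numbers can be read as -d style mnemonics and their effect checked. Only the opcodes
# libpcap emits for simple filters (absolute loads, conditional jumps, ret) are handled.

# Opcode bit fields from bpf.h: low 3 bits = class; loads add size/mode, jumps add the test.
LOAD_SIZES = {0x00: ('ld', 4, '!I'), 0x08: ('ldh', 2, '!H'), 0x10: ('ldb', 1, '!B')}
JUMP_OPS = {0x00: 'ja', 0x10: 'jeq', 0x20: 'jgt', 0x30: 'jge', 0x40: 'jset'}

# Sample input (embedded here): the program libpcap compiles for the filter "icmp" on an
# Ethernet interface, as -ddd prints it: the instruction count, then "code jt jf k" per line.
# Regenerate it with `tcpdump -ddd icmp` to compare with your own tcpdump/libpcap version.
DDD_ICMP = """6
40 0 0 12
21 0 3 2048
48 0 0 23
21 0 1 1
6 0 0 262144
6 0 0 0
"""


def parse_ddd(text):
    """Turn a -ddd listing into a list of (code, jt, jf, k) tuples."""
    rows = [ln.split() for ln in text.strip().splitlines() if ln.strip()]
    insns = [tuple(int(x) for x in row) for row in rows[1:]]
    if len(insns) != int(rows[0][0]) or any(len(i) != 4 for i in insns):
        raise ValueError('malformed -ddd listing')
    return insns


def disassemble(insns):
    """Render the program the way tcpdump -d does, with absolute jump targets."""
    out = []
    for pc, (code, jt, jf, k) in enumerate(insns):
        cls = code & 0x07
        if cls == 0x00 and (code & 0xe0) == 0x20:                 # ld/ldh/ldb [k]
            out.append('(%03d) %-8s [%d]' % (pc, LOAD_SIZES[code & 0x18][0], k))
        elif cls == 0x05 and (code & 0xf0) == 0x00:               # ja
            out.append('(%03d) %-8s %d' % (pc, 'ja', pc + 1 + k))
        elif cls == 0x05:                                          # jeq/jgt/jge/jset #k
            out.append('(%03d) %-8s #0x%x  jt %d  jf %d' % (
                pc, JUMP_OPS[code & 0xf0], k, pc + 1 + jt, pc + 1 + jf))
        elif cls == 0x06:                                          # ret #k / ret a
            out.append('(%03d) %-8s %s' % (pc, 'ret', 'a' if (code & 0x18) == 0x10 else '#%d' % k))
        else:
            out.append('(%03d) <unsupported opcode 0x%02x>' % (pc, code))
    return out


def run_filter(insns, pkt):
    """Execute the program on one frame and return the byte count to keep (0 = drop), as the
    kernel does. A load beyond the end of the frame drops it, which is why a snaplen smaller
    than the offsets a filter reads makes the filter silently stop matching."""
    acc, pc = 0, 0
    while pc < len(insns):
        code, jt, jf, k = insns[pc]
        pc += 1
        cls = code & 0x07
        if cls == 0x00 and (code & 0xe0) == 0x20:
            _, width, fmt = LOAD_SIZES[code & 0x18]
            if k + width > len(pkt):
                return 0
            acc = struct.unpack(fmt, pkt[k:k + width])[0]
        elif cls == 0x05:
            op = JUMP_OPS[code & 0xf0]
            if op == 'ja':
                pc += k
            else:
                taken = {'jeq': acc == k, 'jgt': acc > k, 'jge': acc >= k, 'jset': (acc & k) != 0}[op]
                pc += jt if taken else jf
        elif cls == 0x06:
            return acc if (code & 0x18) == 0x10 else k
        else:
            raise NotImplementedError('opcode 0x%02x is outside this toy interpreter' % code)
    return 0


def eth_ipv4(proto, payload):
    """Constructed Ethernet + IPv4 frame carrying the given protocol (checksums left zero)."""
    eth = bytes.fromhex('001122334455') + bytes.fromhex('66778899aabb') + b'\x08\x00'
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    return eth + ip + payload


def demo():
    insns = parse_ddd(DDD_ICMP)
    icmp_frame = eth_ipv4(1, bytes(8))
    arp_frame = b'\xff' * 6 + bytes.fromhex('66778899aabb') + b'\x08\x06' + bytes(28)
    return {
        'listing': disassemble(insns),
        'icmp': run_filter(insns, icmp_frame),              # accepted: returns 262144
        'tcp': run_filter(insns, eth_ipv4(6, bytes(20))),   # rejected at the protocol test: 0
        'arp': run_filter(insns, arp_frame),                # rejected at the EtherType test: 0
        'truncated': run_filter(insns, icmp_frame[:20]),    # ldb [23] runs off the end: 0
    }
```

The listing reads as: load the EtherType at offset 12, jump past the end unless it is 0x800 (IPv4),
load the protocol byte at offset 23, accept with the snaplen as return value if it is 1 (ICMP),
otherwise return 0. The truncated case shows the practical consequence: the filter needs byte 23,
so a capture taken with a snaplen below 24 would never match any ICMP packet.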

Advanced Options and Data Types

Link Level Header

Tcpdump provides the option to show the link-level header of each packet. We use the -e
parameter to get this information in our output. On Ethernet this adds the source and destination
MAC addresses and the EtherType to each line; on IEEE 802.11 it adds the MAC-layer addresses
of the 802.11 header. Compare:

tcpdump -i eth0 -c5

tcpdump -i eth0 -c5 -e

Parsing and Printing

Tcpdump decodes (parses) the headers of each packet and prints a one-line summary. Besides
that summary, we can ask for the raw bytes. The -x parameter prints the data of each packet,
minus its link-level header, in hex; -xx also includes the link-level header. In both cases the output
covers the whole captured packet, which is the smaller of the packet and the snaplen.

tcpdump -i eth0 -c 2 -x
tcpdump -i eth0 -c 2 -xx

If we want the hex provided by -x alongside its ASCII representation, we use the -X parameter,
and if we want the output of -xx together with ASCII, we use -XX:

tcpdump -i eth0 -c 2 -X
tcpdump -i eth0 -c 2 -XX

User scan

If we are running tcpdump as root, it does not stay root for the whole run: once the capture
device (or input savefile) is opened, and before any output savefile is opened, it drops privileges
by changing its user ID to an unprivileged user and its group ID to that user's primary group.
Many distributions build tcpdump so that it does this by default with a dedicated "tcpdump"
account, which is why writing with -w into a directory that account cannot write fails with
"Permission denied".

Tcpdump provides the -Z parameter to choose the user it drops to (or to keep root), and we
need to provide the user's name, like the following:

tcpdump -i eth0 -c 2 -Z root

tcpdump -i eth0 -c 2 -Z kali

There is one more way to do this, i.e. the long form --relinquish-privileges=user.

Timestamp Precision

A timestamp is the time recorded for an event, here the moment each packet was captured. By
default, tcpdump prints it as the time of day (hh:mm:ss.fraction) at the start of each line. Several
parameters change this format: -t, -tt, -ttt, -tttt and -ttttt, each with its own meaning. The
precision of the timestamp itself is chosen with --time-stamp-precision=micro (the default) or
nano.

• -t: don't print a timestamp on each dump line.
• -tt: print the timestamp as seconds since the Unix epoch (1 January 1970, 00:00:00 UTC),
with fractions of a second.
• -ttt: print the delta (microsecond or, with nanosecond precision, nanosecond resolution)
between the current and the previous line on each dump line.
• -tttt: print the timestamp as the date followed by hours, minutes, seconds and fractions of a
second.
• -ttttt: like -ttt, but print the delta between the current line and the first line.

To apply these in our capture we need to follow these commands:

tcpdump -i eth0 -c 2
tcpdump -i eth0 -c 2 -t
tcpdump -i eth0 -c 2 -tt
tcpdump -i eth0 -c 2 -ttt
tcpdump -i eth0 -c 2 -tttt
tcpdump -i eth0 -c 2 -ttttt

Force Packets

In tcpdump, we can force the packets selected by the filter expression to be interpreted as a
particular protocol. This is what the -T parameter does: "-T type" tells the decoder how to parse
packets it would otherwise not recognize, which is typically needed for protocols that run on
dynamic or non-standard ports (RTP, VXLAN on a custom port, RADIUS on its legacy ports). It
should be combined with a filter expression that selects the right packets, for instance a UDP
port; otherwise every captured packet is decoded as that type and the output is garbage.

The basic syntax is the same for all types: -T followed by the desired protocol name. Following
are some of the supported types:

RADIUS

RADIUS stands for Remote Authentication Dial-In User Service. It is a network protocol that
provides centralized authentication, authorization and accounting for users who connect to and
use network services; authentication uses UDP port 1812 and accounting UDP port 1813 (the
legacy ports 1645/1646 are still seen). We can force this decoding in our capture with:

tcpdump -i eth0 -c5 -T radius

AODV

Ad hoc On-demand Distance Vector is a routing protocol for mobile ad hoc networks and other
wireless networks, designed for low-power, low-data-rate wireless nodes. To decode these
packets in our capture:

tcpdump -i eth0 -c5 -T aodv

RPC

Remote Procedure Call (here Sun/ONC RPC, as used by NFS) is a protocol that one program can
use to request a service from a program located on another computer on the network without
having to understand the network details; to the caller, a remote procedure call looks like an
ordinary function call. To decode this protocol in our capture, use the following command:

tcpdump -i eth0 -c5 -T rpc

CNFP

Cisco NetFlow Protocol is a network protocol developed by Cisco for the collection and
monitoring of network traffic: NetFlow-enabled routers and switches record per-flow statistics
and export them to a collector. To decode these exports in our capture:

tcpdump -i eth0 -c5 -T cnfp

LMP

Link Management Protocol is designed to ease the configuration and management of optical
network devices. To decode LMP in our capture, we apply this type:

tcpdump -i eth0 -c5 -T lmp

PGM

Pragmatic General Multicast is a reliable multicast transport protocol. It delivers an ordered
sequence of packets to multiple recipients simultaneously, which makes it suitable for
multi-receiver file transfer. To decode it in our traffic:

tcpdump -i eth0 -c5 -T pgm

RTP

The Real-time Transport Protocol carries media streams such as audio or video, split into
timestamped packets and sent over UDP, usually on dynamically negotiated ports, which is why
tcpdump cannot recognize it by port alone. To decode it in our traffic we use:

tcpdump -i eth0 -c5 -T rtp

RTCP

The RTP Control Protocol accompanies an RTP session (normally on the next odd port number)
and carries statistics such as packet loss and jitter that the endpoints use to monitor and adapt the
stream. To decode it in our traffic:

tcpdump -i eth0 -c5 -T rtcp

SNMP

Simple Network Management Protocol is an Internet standard protocol for collecting and
organizing information about managed devices on IP networks, and for modifying that
information to change device behavior. To decode it in our traffic:

tcpdump -i eth0 -c5 -T snmp

TFTP

Trivial File Transfer Protocol is a simple lockstep file transfer protocol over UDP (port 69) that
allows a client to get a file from, or put a file on, a remote host. It is used in the early stages of
network booting (PXE) and for transferring device configurations and firmware. To decode it:

tcpdump -i eth0 -c5 -T tftp

VAT

Visual Audio Tool was developed by Van Jacobson and Steven McCanne at LBL. It is an audio
conferencing tool for the multicast backbone (MBone) with its own packet format. To decode its
packets in our traffic:

tcpdump -i eth0 -c5 -T vat

WB

The distributed whiteboard (wb, also from LBL) lets its users draw and type messages onto a
canvas that is synchronized with every other user in the same multicast session. New users also
receive everything already on the whiteboard when they connect. To decode its packets:

tcpdump -i eth0 -c5 -T wb

VXLAN

Virtual Extensible LAN is a network virtualization technology that addresses the scalability
problems of large cloud environments. It encapsulates Layer 2 Ethernet frames inside UDP
(standard port 4789) so that a virtual network can span Layer 3 boundaries, which makes it
easier for network engineers to scale out cloud computing. To decode it in our traffic:

tcpdump -i eth0 -c5 -T vxlan

These are some of the protocols which can be used with the force packets parameter to obtain
the desired decoding from a capture.

Promiscuous Mode

In computer networks, promiscuous mode is a setting of the network interface controller that
makes it pass every frame it receives up to the operating system, instead of only the frames
addressed to its own MAC address or to a broadcast or multicast address. It is normally used for
packet sniffing on a LAN segment, and tcpdump enables it automatically on the capture interface
unless told otherwise. Note that on a switched network a promiscuous interface still only sees
what the switch forwards to its port: broadcasts, multicasts, flooded frames and its own traffic.
To see other hosts' unicast traffic we need a mirror (SPAN) port, a network tap or a hub.

To configure promiscuous mode manually, we use these commands (on modern systems,
"ip link set eth0 promisc on" does the same):

ifconfig eth0 promisc

ifconfig eth0

After enabling promiscuous mode on our interface, let us capture some packets with the help of
this by applying this command:

tcpdump -i eth0 -c 10

No Promiscuous Mode

In the previous section, we learned about promiscuous mode, which means the network
interface card will pass all frames it receives to the OS for processing, versus the traditional
operation where only frames destined for the NIC's MAC address or a broadcast address are
passed up to the OS. Generally, promiscuous mode is used to "sniff" all traffic on the wire. If
we want tcpdump to leave the interface alone instead, we use the -p or --no-promiscuous-mode
parameter, which captures without changing the interface's mode. Be aware that the interface
may already be in promiscuous mode for some other reason, so -p is not a reliable shorthand
for "only traffic to or from this host"; for that, use a filter on the host's own address.

tcpdump -i eth0 -c 5 --no-promiscuous-mode

Advanced Features

Version Information

Let's begin with one of the simplest commands, so that we can relate everything we see to a
specific build while following the rest of the article. This parameter prints the tcpdump and
libpcap version strings and, when tcpdump was built with it, the OpenSSL version (used for
decrypting IPsec ESP with -E).

tcpdump --version

Quick Mode

Sometimes we only need a terse overview of the traffic, for example when watching a busy link
where full decodes scroll by too fast to read. For this, tcpdump gives us the "-q" parameter: it
prints less protocol information, so each output line is shorter.

tcpdump -i eth0 -c 5
tcpdump -i eth0 -c 5 -q

Verbose Mode

Verbose mode is the usual name for an option that provides extra information about what a
program is doing, and in tcpdump it works the same way. For instance, it prints the time to live,
identification and total length fields of IP packets, and it enables additional packet integrity
checks such as verifying the IP and ICMP header checksums.

Tcpdump provides three levels of this mode, -v, -vv and -vvv, each printing more than the
previous one:

• -v is the traditional verbose mode.
• -vv is even more verbose: additional fields are printed from NFS reply packets, and SMB
packets are fully decoded.
• -vvv adds still more, for example telnet SB ... SE options are printed in full (and in hex as
well when combined with -X).

tcpdump -i eth0 -c 2
tcpdump -i eth0 -c 2 -v
tcpdump -i eth0 -c 2 -vv
tcpdump -i eth0 -c 2 -vvv

HTTP Requests

As we all know, an HTTP request is a message from a client to a server over the Hypertext
Transfer Protocol (HTTP). It starts with a method that says what the client wants done. These
methods are case-sensitive and always written in UPPERCASE. Through tcpdump we can
capture these requests to analyze the traffic sent over HTTP (in clear text only; HTTPS payloads
are encrypted and these filters will not match them).

The filters below work on raw bytes, because tcpdump has no HTTP keyword: tcp[12:1] is the
byte holding the TCP data offset in its upper nibble; masking with 0xf0 and shifting right by 2
turns it into the header length in bytes, so tcp[<that>:4] are the first four bytes of the payload,
which are then compared with the method written as a 32-bit constant. -s 0 keeps the full
payload.

The methods which we can capture through tcpdump include the following:

• GET: this method is used to retrieve information from the given server using a given URL.
Requests using GET should only retrieve data and have no other effect. "GET " in ASCII is
0x47455420, so:

tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'

• POST: this request is used to send data to the server, like customer information or a file
upload, typically from HTML forms. "POST" in ASCII is 0x504f5354, so:

tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'

• Request-URI: the uniform resource identifier that identifies the resource the request applies
to. The most common form identifies a resource on an origin server: a client that wants to
retrieve the data directly from the server where it originated opens a connection to port 80 of
the host and sends the request, with the URI on the request line and the server name in the Host
header. Rather than filtering in BPF, we can print the payload with -A and pick out the request
lines and Host headers with grep; -l makes tcpdump line-buffer its output so the pipe shows
results immediately:

tcpdump -n -l -A | grep -E -i "POST /|GET /|Host:"
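
As an added example that is not part of the original guide, the following Python code performs
the same arithmetic as the method filters above on constructed TCP segments (tcpdump is not
needed to run it). It also derives the 32-bit constant and filter string for any method, and
contrasts the correct data-offset computation with the shortcut of assuming a 20-byte TCP
header, which fails as soon as the segment carries TCP options. The segments, ports and request
lines are made up for the example.

```python
import struct

# Added example (not from the original guide): the arithmetic behind the HTTP method filter
# 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420', applied in Python to constructed TCP
# segments, plus a helper that builds the same filter string for any method.


def method_constant(method):
    """32-bit big-endian value of the method's first four bytes on the wire; methods shorter
    than four letters are followed by the space before the URI ('GET ' -> 0x47455420)."""
    return struct.unpack('!I', method.ljust(4)[:4].encode('ascii'))[0]


def http_method_filter(method):
    """tcpdump/BPF filter expression that matches requests starting with `method`."""
    return 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x%08x' % method_constant(method)


def tcp_header_length(tcp):
    """tcp[12] holds the data offset (header length in 32-bit words) in its upper nibble;
    (x & 0xf0) >> 2 equals (x >> 4) * 4, i.e. the header length in bytes."""
    return (tcp[12] & 0xf0) >> 2


def matches_method(tcp, method):
    """Evaluate the filter the way BPF does: read 4 bytes at the computed payload offset.
    If the segment is too short (no payload, or cut by the snaplen) there is no match."""
    off = tcp_header_length(tcp)
    if len(tcp) < off + 4:
        return False
    return struct.unpack('!I', tcp[off:off + 4])[0] == method_constant(method)


def naive_matches_method(tcp, method):
    """The tempting shortcut tcp[20:4], which assumes a 20-byte header without options."""
    return len(tcp) >= 24 and struct.unpack('!I', tcp[20:24])[0] == method_constant(method)


def build_tcp_segment(payload, options=b'', sport=40000, dport=80):
    """Constructed TCP header (PSH|ACK) with optional options, padded to a 4-byte multiple."""
    options += b'\x00' * (-len(options) % 4)
    data_offset_words = (20 + len(options)) // 4
    header = struct.pack('!HHIIBBHHH', sport, dport, 1, 1,
                         data_offset_words << 4, 0x18, 65535, 0, 0)
    return header + options + payload


# Constructed samples. The second carries NOP, NOP and a 10-byte TCP timestamp option, which
# Linux adds to nearly every segment, so its payload starts at offset 32, not 20.
SAMPLES = {
    'get_no_options': build_tcp_segment(
        b'GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n'),
    'post_with_options': build_tcp_segment(
        b'POST /login HTTP/1.1\r\nHost: example.test\r\n\r\n',
        options=b'\x01\x01\x08\x0a' + bytes(8)),
    'tls_client_hello': build_tcp_segment(b'\x16\x03\x01\x00\xa5\x01\x00\x00\xa1', dport=443),
    'get_not_at_start': build_tcp_segment(b'XGET / HTTP/1.1\r\n'),
    'empty_ack': build_tcp_segment(b''),
}


def demo(samples=SAMPLES):
    """For each sample: (matches GET, matches POST, naive tcp[20:4] matches POST)."""
    return {name: (matches_method(seg, 'GET'), matches_method(seg, 'POST'),
                   naive_matches_method(seg, 'POST')) for name, seg in samples.items()}
```

The post_with_options sample is the instructive one: the correct expression finds "POST" at
offset 32, while the naive tcp[20:4] reads the option bytes and misses it. Note also that the
filter only tests the first four payload bytes, so it matches the segment that starts a request but
not continuation segments of a large body, and it would equally match any other protocol whose
payload happens to start with "GET ".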

User Agent

With tcpdump we can also see which application generates which traffic, because HTTP clients
identify themselves in the User-Agent header. We can find the user agents in our traffic with the
following command (-s150 keeps the first 150 bytes of each packet, enough for the start of the
headers; raise it if the header is cut off):

tcpdump -nn -A -s150 -l | grep "User-Agent:"

Port Range

An ordinary port filter helps us analyze the traffic on a single port. With portrange, tcpdump
lets us give a range of ports instead, matching any TCP/UDP (or other port-based) packet whose
source or destination port falls within it.

tcpdump -i eth0 portrange 21-80

Destination

To check the flow of data towards a particular destination, we use dst with a host name or
address. Note that a name is resolved once, when the filter is compiled, and the filter then
matches all the addresses it resolved to at that moment:

tcpdump -i eth0 dst google.com

Source

To check the traffic coming from a particular source, we can follow the command given below:

tcpdump -i eth0 src google.com

Network

To find the packets going to or from a particular network, we use net with a network address
and prefix length (or a dotted prefix such as 192.168.0, which means 192.168.0.0/24):

tcpdump -c5 net 192.168.0.0/24

TCP Packets

A TCP segment starts with a header whose fields include the source port and destination port,
which together with the IP addresses identify the endpoints of the connection, and a flags byte.
With tcpdump we can capture segments by their flags, i.e. SYN, RST and ACK. The expression
tcp[tcpflags] reads that flags byte (the same as tcp[13]), and tcp-syn, tcp-rst, tcp-ack and so on
are its symbolic bit values. Note that == compares the whole byte, so it only matches segments
with exactly that flag set and nothing else; to match a flag regardless of the others, use a bitmask
test such as 'tcp[tcpflags] & tcp-syn != 0'.

• SYN: the SYN flag synchronizes sequence numbers to initiate a TCP connection. The
expression below matches segments whose only flag is SYN, that is the first packet of a
handshake (a SYN-ACK is not matched). We can capture these from traffic with tcpdump:

tcpdump 'tcp[tcpflags] == tcp-syn'

• RST: the RST flag is the reset flag. A host sends it to abort a connection immediately, for
instance when a segment arrives for a port with no listener or for a connection it does not know
about; it is what makes a port scan report a port as closed. Since a reset is usually sent together
with ACK, the exact comparison below matches only bare RST segments; use the bitmask form
to see RST-ACK as well. We can capture this flag from our traffic with tcpdump:

tcpdump 'tcp[tcpflags] == tcp-rst'

• ACK: the ACK flag is the acknowledgement flag, used to acknowledge that data has been
received successfully. Almost every segment after the handshake carries it, so the exact match
below only shows pure ACKs with no other flag set. We can capture these with tcpdump to study
our traffic:

tcpdump -c5 'tcp[tcpflags] == tcp-ack'
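
The difference between the exact comparison and a bitmask test is easy to get wrong, so here is
an added example (not part of the original guide) that evaluates the same expressions in Python
over a constructed list of segments; tcpdump is not needed to run it. The sample includes an
ECN-setup SYN and an RST-ACK, which the exact forms miss, and ends with a small detection
routine counting connection attempts per source, the kind of query a SYN-scan hunt starts with.
The addresses are made up.

```python
# Added example (not from the original guide): how tcpdump's flag filters evaluate, checked
# against a constructed list of segments. tcp[tcpflags] is the flags byte (tcp[13]); the
# tcp-* names are its bit values as defined in pcap-filter(7).

FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80

# The same expression strings a user would pass to tcpdump, next to the equivalent test.
FILTERS = {
    "tcp[tcpflags] == tcp-syn":                     lambda f: f == SYN,
    "tcp[tcpflags] & tcp-syn != 0":                 lambda f: (f & SYN) != 0,
    "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn": lambda f: (f & (SYN | ACK)) == SYN,
    "tcp[tcpflags] == tcp-rst":                     lambda f: f == RST,
    "tcp[tcpflags] & tcp-rst != 0":                 lambda f: (f & RST) != 0,
    "tcp[tcpflags] == tcp-ack":                     lambda f: f == ACK,
}

# Constructed capture: (source, destination, flags byte). The fifth entry is an ECN-setup SYN
# (SYN+ECE+CWR), which Linux sends when ECN is enabled; the sixth is the usual RST-ACK a host
# returns for a closed port. Neither is matched by an exact '==' comparison.
SAMPLE = [
    ('10.0.0.5', '10.0.0.80', SYN),
    ('10.0.0.80', '10.0.0.5', SYN | ACK),
    ('10.0.0.5', '10.0.0.80', ACK),
    ('10.0.0.5', '10.0.0.80', PSH | ACK),
    ('10.0.0.9', '10.0.0.80', SYN | ECE | CWR),
    ('10.0.0.80', '10.0.0.9', RST | ACK),
    ('10.0.0.9', '10.0.0.80', SYN),
    ('10.0.0.9', '10.0.0.80', SYN),
]


def flags_to_str(flags):
    """Render the flags the way tcpdump prints them in 'Flags [S.]' ('.' is ACK)."""
    letters = [(FIN, 'F'), (SYN, 'S'), (RST, 'R'), (PSH, 'P'), (ACK, '.'),
               (URG, 'U'), (ECE, 'E'), (CWR, 'W')]
    return ''.join(ch for bit, ch in letters if flags & bit) or 'none'


def count_matches(packets=SAMPLE):
    """Number of segments each filter expression would let through."""
    return {expr: sum(1 for _, _, f in packets if test(f)) for expr, test in FILTERS.items()}


def syn_sources(packets=SAMPLE):
    """Connection attempts per source: SYN set and ACK clear (bitmask form, so ECN SYNs
    count too). A source with many attempts and few completed handshakes is a scanner."""
    counts = {}
    for src, _, f in packets:
        if (f & (SYN | ACK)) == SYN:
            counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == '__main__':
    for src, dst, f in SAMPLE:
        print('%-10s > %-10s Flags [%s]' % (src, dst, flags_to_str(f)))
    for expr, n in count_matches().items():
        print('%-48s %d' % (expr, n))
    print(syn_sources())
```

On this sample, 'tcp[tcpflags] == tcp-syn' counts 3 connection attempts but the bitmask form
'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' counts 4, because it also sees the ECN-setup
SYN; likewise '== tcp-rst' matches nothing while '& tcp-rst != 0' catches the RST-ACK. When
hunting for scans, use the bitmask forms.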

Tcpdump to Wireshark

The main difference between Wireshark and tcpdump is that Wireshark is a GUI with deep
protocol dissection while tcpdump is a command-line tool; both understand the pcap format.
With a little plumbing we can run tcpdump on a remote system and view its traffic live in a local
Wireshark, which is a convenient way to analyze traffic from a machine that has no GUI. This
can be done using the following command:

ssh root@remotesystem 'tcpdump -c20 -nn -w - not port 22' | wireshark -k -i -

Here -w - makes the remote tcpdump write the raw pcap stream to standard output, which ssh
carries to our machine, and wireshark -k -i - starts capturing immediately from its standard
input. The filter not port 22 is important: without it the SSH session carrying the capture would
itself be captured, and each captured packet would generate more SSH traffic to capture. Logging
in as root is not required if the remote user is allowed to run tcpdump (for example through sudo,
or with the CAP_NET_RAW capability granted to the binary).

After running this command, Wireshark opens and the decoded packets appear in its live capture
screen as they arrive from the remote system. If Wireshark instead asks which network interface
to capture on, the final argument was not recognized as "-" (standard input); choosing eth0 there
would capture locally rather than from the remote host.

By following these steps, we can run tcpdump remotely and analyze its results in Wireshark.

Conclusion
That wraps up our guide to tcpdump. We've covered the basics as well as some of the more
advanced features of this tool.
With these commands, a cybersecurity professional can see exactly what is crossing the wire,
verify that filters and detection rules behave as intended, and capture the evidence needed to
investigate suspicious traffic.

References
• https://www.hackingarticles.in/comprehensive-guide-to-tcpdump-part-1/
• https://www.hackingarticles.in/comprehensive-guide-to-tcpdump-part-2/
• https://www.hackingarticles.in/comprehensive-guide-to-tcpdump-part-3/
