tcpdump-for-dummies
"tcp" dump explained...
Uploaded by
Oluwaseyi Agbomabiwon
tcpdump for Dummies
Posted on May 18, 2008, 4:29 pm, by Alexander Sandler, under System Administrator Articles.

Table of contents
Introduction
tcpdump uses
Invocation
Simple filtering
Reading tcpdump's output
Invocation continued
Choosing an interface
Turning off name resolution
Limiting number of packets to intercept
Saving captured data
Changing packet size in the capture file
Reading from capture file
Looking into packets
Seeing Ethernet header for e
Controlling time stamp
Controlling verbosity
Printing content of the p
Packet filtering
Packet matching
More qualifiers
Specifying addresses
Other qualifiers

Introduction

In this article I would like to talk about one of the most useful tools in my networking toolbox, and that is tcpdump. Unfortunately, mastering this tool completely is not an easy task. Yet the stuff you do most often is relatively simple and may become a good springboard for diving into more complex topics.

tcpdump uses

tcpdump is a packet sniffer. It is able to capture traffic that passes through a machine. It operates on the packet level, meaning that it captures the actual packets that fly in and out of your computer. It can save the packets into a file. You can save whole packets or only the headers. Later you can "play" the recorded file and apply different filters to the packets, telling tcpdump to ignore packets that you are not interested in seeing. Under the hood, tcpdump understands protocols and host names. It will do all in its power to find out which host sent each packet and will tell you its name instead of the IP address. It is an exceptionally useful tool for debugging what might have caused a certain networking related problem. It is an excellent tool for learning new things.

Invocation

Invoking tcpdump is easy. The first thing that you have to remember is that you should either be logged in as root or be a sudoer on the computer (a sudoer is someone who is entitled to gain administrator rights on the computer for a short period of time using the sudo command). Running tcpdump without any arguments makes it capture packets on the first network interface (excluding lo) and print a short description of each packet to the output. This may be a bit of a headache in case you are using the network to connect to the machine. If you are connected with SSH or telnet (rlogin?), running tcpdump will produce a line of text for each incoming or outgoing packet. This line of text will cause the SSH daemon to send a packet carrying this line, thus causing tcpdump to produce another line of text, and this will not stop until you do something about it.

Simple filtering

So the first thing that we will learn about tcpdump is how to filter out SSH and telnet packets. We will study the basics of tcpdump filtering later in this guide, but for now just remember this syntax.

# tcpdump not port 22

"not port 22" is a filter specification that tells tcpdump to filter out packets with IP source or destination port 22. As you know, port 22 is the SSH port. Basically, when you tell tcpdump something like this, it will make tcpdump ignore all SSH packets, which is exactly what we needed. Telnet, on the other hand, uses port 23. So if you are connecting via telnet, you can filter that out with:

# tcpdump not port 23

Clear and simple!

Reading tcpdump's output

By default tcpdump produces one line of text for every packet it intercepts. Each line starts with a time stamp. It tells you the very precise time when the packet arrived. Next comes the protocol name. Unfortunately, tcpdump understands a very limited number of protocols. It won't tell you the difference between packets belonging to an HTTP and, for instance, an FTP stream. Instead, it will mark such packets as IP packets. It does have some limited understanding of TCP. For instance, it identifies TCP synchronization packets such as SYN, ACK, FIN and others. This information is printed after the source and destination IP addresses (if it is an IP packet). Source and destination addresses follow the protocol name. For IP packets, these are IP addresses. For other protocols, tcpdump does not print any identifiers unless explicitly asked to do so (see the -e command line switch below). Finally, tcpdump prints some information about the packet. For instance, it prints TCP sequence numbers, flags, ARP/ICMP commands, etc. Here's an example of typical tcpdump output.

17:50:03.089893 IP 69.61.72.101.www > 212.150.66.73.48777: P 1366488174:1366488582(408) ack 2337505545 win 7240

This packet is part of an HTTP data stream. You can see the meaning of each and every field in the packet description in tcpdump's manual page. Here's another example:

17:58: arp who-has 69.61.72.185 tell 69.61.72.1

This is an ARP packet. It's slightly more self explanatory than TCP packets. Again, to see the exact meaning of each field in the packet description, see tcpdump's manual page.

Invocation continued

Now, when we know how to invoke tcpdump even when connecting to the computer over some network, let's see what command line switches are available for us.

Choosing an interface

We'll start with a simple one: how to dump packets that arrived and were sent through a certain network interface,
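As an added example (not code from the original article or its author): a parser for the one-line TCP summary format explained above, which also groups packets into directional 5-tuple flows and reports per-packet payload sizes and inter-arrival times, the question a reader raises in the comments below. The sample lines are constructed; the www=80 and ssh=22 mapping follows the article's note that tcpdump substitutes names from /etc/services.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input. The first line is the article's own example (spacing
# normalised); the rest are made-up lines in the same 2008-era tcpdump format.
SAMPLE = """\
17:50:03.089893 IP 69.61.72.101.www > 212.150.66.73.48777: P 1366488174:1366488582(408) ack 2337505545 win 7240
17:50:03.090120 IP 212.150.66.73.48777 > 69.61.72.101.www: . ack 1366488582 win 65535
17:50:03.091004 IP 69.61.72.101.www > 212.150.66.73.48777: P 1366488582:1366489034(452) ack 2337505545 win 7240
17:50:04.100500 IP 10.0.0.5.54321 > 192.0.2.10.ssh: S 1000:1000(0) win 5840
17:50:04.100700 arp who-has 69.61.72.185 tell 69.61.72.1
"""

# tcpdump prints service names from /etc/services instead of port numbers; the
# article mentions www (80) and ssh (22), so only those two are mapped here.
SERVICE_PORTS = {"www": 80, "ssh": 22}

# One old-style TCP line: timestamp, "IP", src.port > dst.port:, flag letters
# ("." = none), optional seq_lo:seq_hi(payload), optional ack, optional win.
LINE_RE = re.compile(r"""
    ^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6})\s+IP\s+
    (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>[\w-]+)\s+>\s+
    (?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>[\w-]+):\s+
    (?P<flags>[SFPRWE.]+)
    (?:\s+(?P<seq_lo>\d+):(?P<seq_hi>\d+)\((?P<length>\d+)\))?
    (?:\s+ack\s+(?P<ack>\d+))?
    (?:\s+win\s+(?P<win>\d+))?
""", re.VERBOSE)


def port_number(field: str) -> int:
    """tcpdump's port field: a plain number, or a service name from /etc/services."""
    return int(field) if field.isdigit() else SERVICE_PORTS[field]  # KeyError if unknown


def parse_line(line: str):
    """Parse one TCP summary line into a dict; returns None for other shapes (e.g. ARP)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    g = m.groupdict()
    t = datetime.strptime(g["ts"], "%H:%M:%S.%f")
    return {
        "time": t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6,
        "src": g["src"], "sport": port_number(g["sport"]),
        "dst": g["dst"], "dport": port_number(g["dport"]),
        "flags": g["flags"],
        "payload": int(g["length"]) if g["length"] else 0,  # the "(408)" byte count
        "ack": int(g["ack"]) if g["ack"] else None,
        "win": int(g["win"]) if g["win"] else None,
    }


def group_flows(text: str) -> dict:
    """Group packets by directional 5-tuple (proto, src, sport, dst, dport); each
    direction of a connection is its own flow (sort the endpoints to merge them)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is not None:
            flows[("tcp", pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])].append(pkt)
    return dict(flows)


def inter_arrival(packets: list) -> list:
    """Seconds between consecutive packets of one flow (empty for a single packet)."""
    times = [p["time"] for p in packets]
    return [round(b - a, 6) for a, b in zip(times, times[1:])]
```

Run `group_flows(SAMPLE)` and pass each flow's packet list to `inter_arrival` to get the size and timing profile per flow; lines tcpdump prints in another shape (ARP here) are skipped rather than mis-parsed.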
Comments

212.150.66.73.48777: P 1366488174:1366488582(408) ack 2337505545 win 7240
also can you break down exactly what this output is saying?

5. tcpdump intro « actionspeaksloudly says:
August 26, 2011 at 1:04 am

6. Khan says:
August 30, 2011 at 5:33 am
Can you tell me where exactly is the tcpdump manual page? I don't find it in here??

Very useful article. I use a textmode sniffer for pure http traffic monitoring, justnif. Bye

Alexander Sandler says:
September 18, 2011 at 10:08 am
@Eddie J As I've written, you can see what each field means in tcpdump's manual page. Moreover, I suggest that you do it because tcpdump's output changes from version to version. This article is over two years old now and the format has changed. Information that you get from tcpdump's manual page is the most up-to-date information you can get and best matches the tcpdump that is installed on your machine. In this particular case, the first field 17:50:03.089893 stands for the time when the packet was received. Next comes the layer 3 (network) protocol - IP. Next, there's the source IP address and destination IP address. In both source and destination addresses, the fifth number stands for the port number. tcpdump tries to give a name to the port number where it can. So www means port 80. It probably takes names from /etc/services on your machine. The destination address is followed by packet flags. P stands for TCP's push flag. Finally you have TCP's sequence numbers.

Alexander Sandler says:
September 18, 2011 at 10:09 am
@Khan Oh, you just enter 'man tcpdump' on your Linux machine. Alternatively you can google for 'man tcpdump' and enter the first result.

10. Alexander Sandler says:
September 18, 2011 at 10:09 am
@Kondrat Thanks. Please visit again.

November 23, 2011 at 9:48 pm
Thank you so much, very very useful article for me.
How do you read the central portion of a captured file? Please, someone tell me the first 20 bytes of the following captured IP packet:
0x0000: 45c0 00c0 Mc 0000 4011 4746 e800 090a ....
0x0010: e800 O91 0208 0208 O0ac {94e 0202 0000 N,
0x0020: 0002 0000 800 0500 fff 700 0000 0000 ...
0x0030: 0000 0001 0002 0000 e800 0700 ftir fr00
0x0040: 0000 0000 0000 0001 0002 0000 800 0300
0x0050: fF

13. Edward says:
December 21, 2011 at 1:30 pm
Hello, I just wanna ask how I can get traffic on port 80 only, like received and transmitted data in bytes. Thank you, Ed

14. Rishikesh says:
December 22, 2011 at 12:31 pm
Hello, I have downloaded a tcpdump data set from the MIT Lincoln lab. I have analysed most of the packets, but some packets look as given below. I have searched a lot but I have got no information about how to analyse these data. I think it includes ethernet addresses. Thanks in advance
17:34:49.055471 08:00:09:61:aa:e9 (oui Hewlett-Packard) NetBeui > 08:00:09:61:aa:c9 (oui Hewlett-Packard) Null Unnumbered, test, Flags [Command, Poll], length 40
17:34:50.055662 08:00:09:61:aa:e9 (oui Hewlett-Packard) NetBeui > 08:00:09:61:aa:c9 (oui Hewlett-Packard) Null Unnumbered, test, Flags [Command, Poll], length 40
17:34:51.054990 08:00:09:61:aa:e9 (oui Hewlett-Packard) NetBeui > 08:00:09:61:aa:c9 (oui Hewlett-Packard) Null Unnumbered, test, Flags [Command, Poll], length 40
17:34:52.055437 08:00:09:61:aa:e9 (oui Hewlett-Packard) NetBeui > 08:00:09:61:aa:c9 (oui Hewlett-Packard) Null Unnumbered, test, Flags [Command, Poll], length 40

13, 2012 at 10:14 pm
want to generate a random-number generating program using only the traffic patterns captured by tcpdump.

16. Alexander Sandler says:
February 5, 2012 at 10:55 pm
@Ye Myo Thu Thank you. Please visit again.

17. Alexander Sandler says:
February 5, 2012 at 10:58 pm
@Edward You do tcpdump tcp port 80

18. Alexander Sandler says:
February 5, 2012 at 11:01 pm
@Rishikesh It's NetBeui. I am not sure about the details, but this protocol is used in Windows to communicate between various Windows network components. tcpdump won't show you the contents of these packets. Use wireshark to analyze them.

19. Jesse M says:
April 10, 2012 at 12:36 pm
I am trying to analyze a file containing packets captured by tcpdump. I first want to categorize the packets into flows using the 5-tuple property. Then I need to get the size of each packet in the flow and the inter-arrival time between two consecutive packets within the flow. Can you suggest any tool or script? Thank you in advance

20. dave says:
April 12, 2012 at 8:02 pm
Hi, very nice article! thanks. I have a question: if you capture a packet with tcpdump, are you able to play it back on the net, maybe changing some of its pieces? (i.e. changing the sender IP address with a different one) Thanks,

21. odoggz says:
August 15, 2012 at 9:18 pm
Excellent writeup!!

22. Rakesh says:
August 17, 2012 at 11:27 am
Good article & very helpful. I was looking for an option in tcpdump to capture any packets if it contains a specific word or string; how can that be given? For e.g. if a packet contains some word like "love / hate / badword, so on" then only it should capture.

23. jamuna says:
August 31, 2012 at 3:11 pm
Is there a way to get the size of a packet on the network with tcpdump (or other program)? thanks in advance..

24. HTTP Troubleshooting with tcpdump/tcptrace « Chris's Blog says:
September 20, 2012 at 12:43 am
[...] limit to ports or protocols More info on filtering [...]

25. Elliot Laggan says:
October 16, 2012 at 9:43 am
Did you know your IP address is exposed every time you visit a website?

26.
October 24, 2012 at 5:34 pm
Thank you for taking the time to present useful material in a succinct but accessible manner. Your lucidity and clarity are rare and much appreciated. Again, thank you. Dan Sichel
27. Rahul Panwar says:
November 29, 2012 at 2:25 pm
Hi Alex, I also have some small tutorials on tcpdump, I hope it will be useful for others. Remote packet capture using WireShark & tcpdump

28. venki says:
February 11, 2013 at 7:53 pm
brilliant

29. DB Optimizer » TCP Trace Analysis for NFS says:
February 26, 2013 at 7:36 pm
[...] http://www.alexonlinux.com/tcpdump-for-dummies [...]

30. TCP Dump commands and basic tutorial | ishaansutaria says:
March 22, 2013 at 2:43 am
[...] http://www.alexonlinux.com/tcpdump-for-dummies [...]

31.
April 5, 2013 at 6:40 pm
Really interesting article, Thank you!

32.
May 9, 2013 at 7:48 am
Is there any way to capture only the timestamp, excluding other information, using Tcpdump?????

33. TCPDUMP IN LINUX | Linux/Vmware Solutions says:
July 2, 2013 at 1:32 pm
[...] tcpdump uses. [...]

34.
August 15, 2013 at 2:40 pm
[...] "tcpdump is a packet sniffer. It is able to capture traffic that passes through a machine. It operates on a packet level, meaning that it captures the actual packets that fly in and out of your computer. It can save the packets into a file. You can save whole packets or only the headers. Later you can "play" recorded file and apply different filters on the packets, telling tcpdump to ignore packets that you are not interested to see." Source: http://www.alexonlinux.com/tcpdump-for-dummies [...]

35. Kyle Hailey » TCP Trace Analysis for NFS says:
August 23, 2013 at 11:12 pm
[...] http://www.alexonlinux.com/tcpdump-for-dummies [...]

36. HTTP request pause for one minute - Just just easy answers says:
September 6, 2013 at 10:40 am
[...] recommend checking that SO question and becoming familiar with Wireshark or TCPDump, as these tools will help you figure out what's happening in the server <—> client [...]
37.
April 16, 2014 at 5:4? pm
When I originally commented I clicked the "Notify me when new comments are added" checkbox and now each time a comment is added I get three emails with the same comment. Is there any way you can remove people from that service? Many thanks!

Alexander Sandler says:
April 27, 2014 at 9:3
Hi. I disabled this feature. Sorry for the inconvenience, Alex.

38. Jann says:
2014 at 4:44 pm
hi, is it possible to use tcpdump in a wireless network? I wanted to measure bandwidth, RRT, jitter, delay measures. Is it possible to calculate that information using TCPDUMP?

Alexander Sandler says:
I don't think it is possible to measure these parameters of the network with tcpdump. Tcpdump captures packets. So it assumes to work at the data link layer and above. What you are trying to do is on top of the physical layer. Tcpdump might tell you a little about delays though — you can have an accurate time-stamp of every packet's arrival so you can measure things.

39. halloween unrated full movie says:
September 15, 2014 at 7:09 pm
What a stuff of un-ambiguity and preserveness of precious knowledge regarding unpredicted feelings.

40. Shah says:
May 25, 2017 at 10:25 am
Really interesting article, Thank you! if you capture a packet with tcpdump, are you able to play it back on the net, maybe changing some of its pieces? (i.e. changing the sender IP address with a different one) martial arts classes California

41. New installation and rewires gloucester says:
October 16, 2018 at 11:17 pm
Gloucester Electrician blog topic

42. Dan says:
December 5, 2018 at 2:32 pm
1. Regarding the brackets. They need single quotes to work:
/home/admin# tcpdump -penni any (port 8161 or port 161 or port 162)
bash: syntax error near unexpected token `('
/home/admin# tcpdump -penni any '(port 8161 or port 161 or port 162)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
2. Regarding the repeating instances. I didn't succeed to make them work:
/home/admin# tcpdump -penni any '(port 8161 or 161 or 162)'
tcpdump: illegal token:
/home/admin# tcpdump -penni any '(\port 8161 or 161 or 162)'
tcpdump: syntax error
/home/admin# tcpdump -penni any '(port 8161 or port 161 or port 162)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

43. Security Guide: How to Protect Your Infrastructure Against the Basic Attacker | Mailgun says:
January 10, 2019 at 10:19 pm
[...] dig in deeper. This guide can not give you all the ins-and-outs of tcpdump, but there are a variety of resources on the internet to help you understand [...]

44. How do i trouble shoot SIP trunks on Mitel Border Gateway (MBG)? | Phonesystemhelp.info says:
June 8, 2021 at 11:46 am
[...] web pages 1 2 [...]

© 2007-2012 Alex on Linux. All rights reserved.