Tcpdump Basics

Inspecting network traffic

tcpdump is the command-line network analysis tool for information security and networking professionals. A solid grasp of it is essential if you want to understand TCP/IP in practice: it lets you capture, inspect and troubleshoot network traffic on any machine you have a shell on.

Below are the options you will use most often. They are easy to confuse, especially with the similar-looking options of other tools such as tshark.

Options

  • -i any : Listen on all interfaces; handy to confirm that you are seeing any traffic at all. On Linux this uses the "cooked" pseudo link-layer, so Ethernet headers are not available.
  • -i eth0 : Listen on the eth0 interface only.
  • -D : List the interfaces tcpdump can capture on.
  • -n : Don't resolve addresses to hostnames.
  • -nn : Don't resolve hostnames, and don't resolve port numbers to service names.
  • -q : Quick (quiet) output: print less protocol information, so lines are shorter.
  • -t : Don't print a timestamp on each line.
  • -tttt : Print the timestamp as a human-readable date and time (e.g. 2018-04-23 09:00:01.123456).
  • -X : Print the packet's contents in both hex and ASCII.
  • -XX : Same as -X, but also include the link-level (Ethernet) header.
  • -v, -vv, -vvv : Increase the verbosity of the protocol information printed.
  • -c N : Capture only N packets and then stop.
  • -s N : Set the snaplength, the number of bytes captured from each packet. Use -s 0 (the full default of 262144 bytes) unless you deliberately want headers only.
  • -S : Print absolute rather than relative TCP sequence numbers.
  • -e : Print the link-level (Ethernet) header on each line.
  • -E spi@ipaddr algo:secret : Decrypt IPsec ESP traffic, given the SPI, destination address, algorithm and key. A key passed on the command line is visible to other users in the process list.

Older versions of tcpdump defaulted to a snaplength of 68 bytes (96 on some builds). That captures the IP and TCP headers but little or none of the payload: enough to see who is talking to whom, not what they said. Current versions default to 262144 bytes, which -s 0 also selects. I prefer -s 0 (or -s 65535 on old builds) for full coverage, and only lower it when I specifically want headers alone, e.g. for a long-running capture where disk space matters.

Filter Expressions

In tcpdump, ‘Expressions’ allow you to filter various types of traffic and find what you are looking for more easily. Mastering expressions and learning how to combine them efficiently is key to using tcpdump.

A filter is built from primitives, each an identifier (an address, network or port number) preceded by one or more qualifiers. There are three kinds of qualifier: type, dir and proto.

  • type : what kind of thing the identifier is: host, net, port (and portrange).
  • dir : the direction of transfer: src, dst, src or dst, src and dst. If omitted, src or dst is assumed.
  • proto : the protocol: ether, ip, ip6, arp, tcp, udp, icmp and others.

Primitives are combined with and, or and not, and grouped with parentheses; quote the whole expression so the shell does not interpret those characters.

Basic usage Examples

tcpdump needs the privilege to open a raw capture socket: root, or on Linux the CAP_NET_RAW and CAP_NET_ADMIN capabilities. Depending on your operating system, you might need to add your user to a group such as pcap or wireshark, or run it with sudo.

sudo tcpdump [options] [filter expression]

Try out the following command to get going:

sudo tcpdump -i any

tcpdump will fill your terminal with a constant stream of text as new packets are read. To stop, press: ctrl+c

Command Examples

Basic Communication

View all traffic on all interfaces (including loopback).

# tcpdump -i any

Specific Interface

Basic view of what's happening on a particular interface.

# tcpdump -i eth0

One-liner

This prints the payload of every packet (-A) to the common HTTP, FTP and mail ports, line-buffered (-l) so it can be piped, and passes it through grep for keywords that commonly surround credentials, printing eight lines of context before each match. It only works on plaintext protocols: port 443 is in the filter, but TLS traffic will not yield readable credentials, and credentials sent as a base64-encoded Authorization header slip past these keywords. Options go before the filter expression; on BSD-derived systems (including macOS) tcpdump stops option parsing at the first non-option word, so putting -l -A after the filter breaks the command.

tcpdump -l -A port http or port https or port ftp or port smtp or port imap or port pop3 | grep -E -i -B8 --color=auto --line-buffered 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '
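To see exactly what that keyword pattern catches and misses, here is the same regular expression applied in Python to a constructed snippet of tcpdump -A output, with the grep -B8 context reproduced. This is an added example, not code from the page or from tcpdump; the sample lines are made up for illustration.

```python
import re

# Added example, not part of the page or of tcpdump: the keyword pattern from
# the grep one-liner, applied to a constructed snippet of `tcpdump -l -A`
# output so you can see what it flags, what -B8 context you get, and what it
# misses (TLS on port 443, and base64 Basic-auth headers).

PATTERN = re.compile(
    r"pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|"
    r"pass:|user:|username:|password:|login:|pass |user ",
    re.IGNORECASE,
)

# Constructed sample of what `tcpdump -l -A` prints (not a real capture).
SAMPLE_OUTPUT = """\
12:00:01.000001 IP 10.0.0.1.40000 > 10.0.0.2.80: Flags [P.], seq 1:80, ack 1, length 79
E..w..@.@.
POST /login HTTP/1.1
Host: 10.0.0.2
Content-Type: application/x-www-form-urlencoded

username=alice&password=hunter2
12:00:02.000001 IP 10.0.0.1.40001 > 10.0.0.3.21: Flags [P.], seq 1:10, ack 1, length 9
USER bob
12:00:03.000001 IP 10.0.0.1.40002 > 10.0.0.4.443: Flags [P.], seq 1:200, ack 1, length 199
....E.q...8...b....
""".splitlines()


def find_credentials(lines, before=8):
    """Return one (line_no, matched_line, context) tuple per matching line,
    where context is up to `before` preceding lines, like grep -B8."""
    hits = []
    for i, line in enumerate(lines):
        if PATTERN.search(line):
            hits.append((i, line, lines[max(0, i - before):i]))
    return hits


if __name__ == "__main__":
    for line_no, line, context in find_credentials(SAMPLE_OUTPUT):
        print("\n".join(context))
        print(f">>> line {line_no}: {line}\n")
```

The HTTP form post and the FTP USER command are flagged; the TLS record on port 443 is not, and neither is an `Authorization: Basic dXNlcjpwYXNz` header, because the keywords are base64-encoded. Extend the pattern (or decode Basic auth) if that matters for your engagement.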

Raw but readable output with slightly higher verbosity

Verbose output, with no resolution of hostnames or port numbers, absolute sequence numbers, and human-readable timestamps.

# tcpdump -ttttnnvvS

Find Traffic by IP

One of the most common queries: show all traffic involving 1.2.3.4, whether it is the source or the destination address.

# tcpdump host 1.2.3.4

Packet in Hex Output

Hex output is useful when you need the exact bytes of a packet, e.g. to check a protocol field or payload you do not trust the decoder for. The command below captures a single ICMP packet (-c1) at full snaplength (-s 0) and prints it in hex and ASCII with verbose decoding, absolute sequence numbers and no name resolution.

# tcpdump -nnvXSs 0 -c1 icmp

Dump to a file for later analysis (e.g. in Wireshark)

With -w tcpdump writes the raw captured packets to a pcap file instead of decoding them, so capture at full snaplength or the file will hold truncated packets. Read it back with tcpdump -r or open it in Wireshark.

# tcpdump -i <interface> -s 0 -w capture.pcap
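What a -w file actually contains, and why the snaplength matters for it, is easiest to see by reading one. The following is an added example, not code from the page or from tcpdump: a minimal parser for the classic pcap format that tcpdump -w writes, with a toy version of the host, port and proto filter qualifiers described earlier applied to the decoded packets. The packets are constructed in memory (assumed Ethernet/IPv4/TCP frames with zero checksums), so it runs offline without root; the same packets are "captured" at the old 68-byte default and at the current 262144-byte default to show the truncation.

```python
import struct
from collections import namedtuple

# Added example (not from the page): a reader for the classic pcap format that
# `tcpdump -w` writes (24-byte global header, then a 16-byte record header in
# front of every captured frame) plus a toy host/port/proto filter. Packets are
# constructed in memory so the script runs offline and without root.

PCAP_MAGIC = 0xA1B2C3D4          # little-endian file, microsecond timestamps
LINKTYPE_ETHERNET = 1

Packet = namedtuple(
    "Packet", "caplen wirelen src dst proto sport dport payload truncated")

def build_tcp_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame. Assumption: checksums are left zero, which the
    decoder below does not verify."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp + payload

def build_pcap(frames, snaplen):
    """Serialise frames as `tcpdump -s <snaplen> -w` would: each frame is cut
    at snaplen, but the record header keeps the original length (wirelen)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out.append(struct.pack("<IIII", 1_500_000_000 + i, 0, len(captured), len(frame)))
        out.append(captured)
    return b"".join(out)

def decode_frame(frame, wirelen):
    """Decode Ethernet -> IPv4 -> TCP as far as the captured bytes allow."""
    src = dst = proto = sport = dport = None
    payload = b""
    if len(frame) >= 34 and frame[12:14] == b"\x08\x00":       # EtherType IPv4
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        l4 = 14 + ihl
        if proto == 6 and len(frame) >= l4 + 20:               # whole TCP header present
            sport, dport = struct.unpack_from("!HH", frame, l4)
            data_offset = (frame[l4 + 12] >> 4) * 4
            payload = frame[l4 + data_offset:]
    return Packet(len(frame), wirelen, src, dst, proto, sport, dport, payload,
                  len(frame) < wirelen)

def read_pcap(data):
    """Parse a classic pcap byte string; returns (snaplen, [Packet, ...])."""
    magic, = struct.unpack_from("<I", data)
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng needs another reader)")
    *_, snaplen, linktype = struct.unpack_from(endian + "IHHiIII", data)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this toy decoder only handles the Ethernet link type")
    packets, off = [], 24
    while off + 16 <= len(data):
        _, _, caplen, wirelen = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        packets.append(decode_frame(data[off:off + caplen], wirelen))
        off += caplen
    return snaplen, packets

def matches(pkt, host=None, port=None, proto=None):
    """ANDed subset of the filter primitives: host X (src or dst), port N
    (src or dst) and a protocol name. Assumption: no net, not or or."""
    proto_num = {"tcp": 6, "udp": 17, "icmp": 1}.get(proto)
    return ((host is None or host in (pkt.src, pkt.dst))
            and (port is None or port in (pkt.sport, pkt.dport))
            and (proto is None or pkt.proto == proto_num))

def demo(snaplen):
    """Capture two constructed packets at the given snaplen and apply the
    equivalent of 'tcp and host 10.0.0.2 and port 80'."""
    request = b"GET /login?user=alice&pass=secret HTTP/1.1\r\nHost: 10.0.0.2\r\n\r\n"
    frames = [
        build_tcp_frame("10.0.0.1", "10.0.0.2", 40000, 80, request),
        build_tcp_frame("10.0.0.1", "10.0.0.3", 40001, 22, b"SSH-2.0-OpenSSH\r\n"),
    ]
    _, packets = read_pcap(build_pcap(frames, snaplen))
    return [p for p in packets if matches(p, host="10.0.0.2", port=80, proto="tcp")]

if __name__ == "__main__":
    for snap in (68, 262144):                # old default vs. current default
        for p in demo(snap):
            print(f"snaplen={snap}: caplen={p.caplen} len={p.wirelen} "
                  f"truncated={p.truncated} payload={p.payload[:24]!r}")
```

At a 68-byte snaplength the HTTP request survives only as its headers plus the first 14 bytes of payload, and the record header's original-length field is the only evidence that anything was cut; at the current default the full request, credentials included, is in the file. tcpdump itself reports truncated packets as "[|tcp]" or similar in its decoded output, which is the cue to re-capture with a larger -s.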
Author: Angelique Dawnbringer
Published: 2010-01-04 14:23:59
Keywords:
  • Security
  • Network
  • tcpdump
  • cli
Modified: 2018-04-23 09:00:01