Tcpdump

tcpdump is a common packet analyzer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.

Example usage

Note: In most of the following examples, I have replaced actual IP addresses with 192.x.x.x (or something similar) and domain names with example.com (or something similar). Otherwise, my example local hostname is "stine" and my example local IPv4 address is "192.168.0.14". Also, some of the output has been removed or modified for illustration purposes.

• Capture packets from a particular Ethernet interface

$ tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:40:54.940904 IP stine.local.15342 > example.com.domain: 46527+ PTR? 14.0.168.192.in-addr.arpa. (42)
13:40:54.940918 IP stine.local.15342 > example.com.domain: 46527+ PTR? 14.0.168.192.in-addr.arpa. (42)
13:40:54.963406 IP example.com.domain > stine.local.15342: 46527 NXDomain* 0/1/0 (119)
13:40:54.964613 IP example.com.domain > stine.local.15342: 46527 NXDomain* 0/1/0 (119)
13:40:54.964656 IP stine.local > example.com: ICMP stine.local udp port 15342 unreachable, length 15
...
9 packets captured
32 packets received by filter
0 packets dropped by kernel

Note: When you execute `tcpdump` without any option, it will capture all the packets flowing through all the interfaces. The "-i" option, allows one to filter on a given Ethernet interface.

• Capture only N number of packets on the eth0 interface:

$ tcpdump -c 2 -i eth0
14:05:49.749471 IP6 fe80::21a:d6ff:fe2b:4641 > ip6-allnodes: ICMP6, router advertisement, length 56
14:05:49.711275 IP stine.local.62198 > example.com.domain: 38572+ PTR? 1.4.6.4.2.6.e....0.8.e.f.ip6.arpa. (90)

• Display captured packets in ASCII:

$ tcpdump -A -i eth0

• Display captured packets in HEX and ASCII:

$ tcpdump -XX -i eth0

• Capture the packets and write output to a binary file (useful for later analysis in, for example, wireshark):

$ tcpdump -w tcpdump-20140103.pcap -i eth0

• Read the packets from a previously saved file (e.g., from the previous command):

$ tcpdump -tttt -r tcpdump-20140103.pcap

• Capture packets with their actual IP addresses (instead of the default rDNS lookup):

$ tcpdump -n -i eth0

• Capture packets with a full timestamp:

$ tcpdump -tttt -n -i eth0
2014-01-03 14:19:16.882379 IP6 fe80::21a:d6ff:fe2b:4641 > ff02::1: ICMP6, router advertisement, length 56
2014-01-03 14:19:19.882169 IP6 fe80::21a:d6ff:fe2b:4641 > ff02::1: ICMP6, router advertisement, length 56

• Capture packets with greater than N bytes:

$ tcpdump -i eth0 greater 1024

• Capture packets with less than N bytes:

$ tcpdump -i eth0 less 1024

• Capture only the packets of a specific protocol type (e.g., ip, ip6, arp, rarp, decnet, tcp, udp, fddi, tr, wlan, etc.):

$ tcpdump -i eth0 arp

• Capture packet flows on a particular port:

$ tcpdump -i eth0 port 22

• Capture packets for particular destination IP and port

$ tcpdump -i eth0 dst 192.x.x.x and port 22

• Capture all packets, but filter out given protocals (e.g, "arp" and "rarp"):

$ tcpdump -i eth0 not arp and not rarp

Note: You can pass combinations of "and", "or", and "not" conditions.

Examples derived from the tcpdump man page

• Print all packets arriving at or departing from sundown:

$ tcpdump host sundown

• Print traffic between helios and either hot or ace:

$ tcpdump host helios and \( hot or ace \)

• Print all IP packets between ace and any host except helios:

$ tcpdump ip host ace and not helios

• Print all traffic between local hosts and hosts at Berkeley:

$ tcpdump net ucb-ether

• Print all FTP traffic through Internet gateway snup (note that the expression is quoted to prevent the shell from (mis-)interpreting the parentheses):

$ tcpdump 'gateway snup and (port ftp or ftp-data)'

• Print traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this stuff should never make it onto your local net):

$ tcpdump ip and not net localnet

• Print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host:

$ tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

• Print all IPv4 HTTP packets to and from port 80 (i.e., print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets; IPv6 is left as an exercise for the reader):

$ tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

• Print IP packets longer than 576 bytes sent through gateway snup:

$ tcpdump 'gateway snup and ip[2:2] > 576'

• Print IP broadcast or multicast packets that were not sent via Ethernet broadcast or multicast:

$ tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

• Print all ICMP packets that are not echo requests/replies (i.e., not `ping` packets):

$ tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

Filters

• TCP Header Format (TCP v4) (note: one tick mark represents one bit position)
  • Source Port (i.e, the source port number): 16 bits
  • Destination Port (i.e., the destination port number): 16 bits

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgment Number                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |         Urgent Pointer        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             data                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

• Control Bits: 6 bits (from left to right):
  • URG: Urgent Pointer field significant
  • ACK: Acknowledgment field significant
  • PSH: Push Function
  • RST: Reset the connection
  • SYN: Synchronize sequence numbers
  • FIN: No more data from sender

Note the following mnemonics:

• The OSI Model: All People Seem To Need Data Processing
  • Layers: 7. Application => 6. Presentation => 5. Session => 4. Transport => 3. Network => 2. Data link => 1. Physical
• TCP flags: Unskilled Attackers Pester Real Security Folks
  • Flags:
    • Unskilled = URG (Urgent pointer valid flag)
    • Attackers = ACK (Acknowledgment number valid flag)
    • Pester = PSH (Push flag)
    • Real = RST (Reset connection flag)
    • Security = SYN (Synchronize sequence numbers flag)
    • Folks = FIN (End of data flag)

U  A  P R S F
32 16 8 4 2 1

• Find all SYN packets

$ tcpdump 'tcp[13] & 2 != 0'

Read the SYN capture `tcpdump 'tcp[13] & 2 != 0'` as: Find the 13th byte in the TCP header and only grab packets where the flag in the 2nd bit is not zero. The "2" is found by reading from right to left in the "UAPRSF" string above (i.e., SYN = S = 2). So that command only captures SYN packets.

• Filter/capture by various "U A P R S F" packets (i.e., TCP packets with the XXX flag set):

$ tcpdump 'tcp[13] & 32!=0' # OR: 'tcp[13] & 32 == 32' # Capture all URG (URGENT) packets
$ tcpdump 'tcp[13] & 16!=0' # OR: 'tcp[13] & 16 == 16' # Capture all ACK (ACKNOWLEDGE) packets
$ tcpdump 'tcp[13] & 8!=0'  # OR: 'tcp[13] & 8 == 8'   # Capture all PSH (PUSH) packets
$ tcpdump 'tcp[13] & 4!=0'  # OR: 'tcp[13] & 4 == 4'   # Capture all RST (RESET) packets
$ tcpdump 'tcp[13] & 2!=0'  # OR: 'tcp[13] & 2 == 2'   # Capture all SYN (SYNCHRONIZE) packets
$ tcpdump 'tcp[13] & 1!=0'  # OR: 'tcp[13] & 1 == 1'   # Capture all FIN (FINISH) packets
$ tcpdump 'tcp[13]=18'      # OR: 'tcp[13] == 18'      # Capture all SYNACK (SYNCHRONIZE/ACKNOWLEDGE) packets

• Other common filters:

'ether host 00:00:00:00:00:00'  # (replace with your MAC) Traffic to or from your MAC address
'!ether host 00:00:00:00:00:00' # (replace with your MAC) Traffic not to or from your MAC address
'broadcast'                     # Broadcast traffic only
icmp                            # ICMP traffic
'icmp[0:2] == 0x0301'           #  ICMP destination unreachable, host unreachable
ip                              # IPv4 traffic only
ip6                             # IPv6 traffic only
udp                             # UDP traffic only

• Find all packets with both the RST and SYN flags set (R+S = 4+2 = 6):

$ tcpdump 'tcp[13] = 6'

• Capture TCP Flags:

$ tcpdump 'tcp[tcpflags] & tcp-syn != 0'

Note: Instead of using bits/bytes, one could also filter by name, as follows.

• Show all packets that have tcp flags, where the tcp-rst bit is set (i.e., all TCP RST packets):

$ tcpdump 'tcp[tcpflags] & (tcp-rst) != 0'

• Filter expressions (note: not complete):
  • host A.B.C.D — any IP packet with either a source or destination address of A.B.C.D
  • net A.B.C/n — any IP packet with either a source or destination address from the network A.B.C with "n" network bits
  • port X — any TCP or UDP packet with either a source or destination port X
  • ether broadcast — any packet with an Ethernet broadcast as its destination
  • tcp — any TCP packet
  • udp — any UDP packet
  • icmp — any ICMP packet
  • arp — any ARP packet

See also

• ethtool
• ngrep
• wireshark / tshark

External links

• Official website
• A good intro/primer to tcpdump
• How to Remember Your TCP Flags
• TCP, Transmission Control Protocol