Description:
This document describes a variety of tcpdump commands to make life easier and more transparent. TCPDUMP is used on ubiquity firewalls, unix boxes and a variety of other linux- or unix-based networking equipment. The following primer covers the basics of tcpdump and most commonly used options that I have found useful.
Turn off Name Resolution:
By default, tcpdump turns on name resolution. For all layer-3 and layer-4 sources and destinations. tcpdump automatically looks up the hostname as well as commonly used ports and translates them for the viewer. Being that most folks are looking for IP addresses and ports when running a network analyzer, first thing we do is turn off name resolution.
tcpdump -n
Without:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:13:42.141905 IP nms.pei.com.ssh > 10.222.4.72.58556: Flags [P.], seq 1283693935:1283694143, ack 810551499, win 303, length 208
14:13:42.183105 IP 10.222.4.72.58556 > nms.pei.com.ssh: Flags [.], ack 208, win 2050, length 0
With:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:12:28.661455 IP 10.222.2.201.22 > 10.222.4.72.58556: Flags [P.], seq 1283685695:1283685903, ack 810550795, win 303, length 208
14:12:28.702988 IP 10.222.4.72.58556 > 10.222.2.201.22: Flags [.], ack 208, win 2050, length 0
TCPDump for Layer-2:
Ever need to grab the mac address of a device or troubleshoot an ARP problem? The -e switch is the key to your wildest layer-2 dreams:
Without:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes13:57:17.401135 ARP, Request who-has 10.222.2.13 tell 10.222.2.19, length 46
13:57:17.541179 ARP, Request who-has 10.222.2.10 tell 10.222.2.1, length 46
13:57:18.097167 IP 10.222.2.201.22 > 10.222.4.72.58556: Flags [P.], seq 1600368:1600880, ack 2561, win 303, length 512
13:57:18.139280 IP 10.222.4.72.58556 > 10.222.2.201.22: Flags [.], ack 1600880, win 2051, length 0
13:57:18.372246 ARP, Request who-has 10.222.2.13 tell 10.222.2.19, length 46
13:57:18.697240 ARP, Request who-has 10.222.2.13 tell 10.222.2.11, length 46
13:57:19.097212 IP 10.222.2.201.22 > 10.222.4.72.58556: Flags [P.], seq 1600880:1601312, ack 2561, win 303, length 432
13:57:19.138245 IP 10.222.4.72.58556 > 10.222.2.201.22: Flags [.], ack 1601312, win 2049, length 0
13:57:19.214025 ARP, Request who-has 10.222.2.21 tell 10.222.2.1, length 46
13:57:19.232230 ARP, Request who-has 10.222.2.13 tell 10.222.2.11, length 46
13:57:19.295322 ARP, Request who-has 10.222.2.212 tell 10.222.2.128, length 46
13:57:19.377992 ARP, Request who-has 10.222.2.13 tell 10.222.2.19, length 46
13:57:19.873497 ARP, Request who-has 10.222.2.212 tell 10.222.2.128, length 46
13:57:19.998512 ARP, Request who-has 10.222.2.212 tell 10.222.2.213, length 46
13:57:20.097294 IP 10.222.2.201.22 > 10.222.4.72.58556: Flags [P.], seq 1601312:1602064, ack 2561, win 303, length 752
With:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:59:36.390962 00:50:56:aa:70:51 > 00:1d:e6:62:4c:43, ethertype IPv4 (0x0800), length 262: 10.222.2.201.22 > 10.222.4.72.58556: Flags [P.], seq 1283292703:1283292911, ack 810544395, win 303, length 208
13:59:36.433730 00:1d:e6:62:4c:43 > 00:50:56:aa:70:51, ethertype IPv4 (0x0800), length 60: 10.222.4.72.58556 > 10.222.2.201.22: Flags [.], ack 208, win 2049, length 0
13:59:36.806872 00:50:56:aa:20:2d > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.222.2.13 tell 10.222.2.213, length 46
13:59:37.385207 00:50:56:aa:70:51 > 00:1d:e6:62:4c:43, ethertype IPv4 (0x0800), length 630: 10.222.2.201.22 > 10.222.4.72.58556: Flags [P.], seq 208:784, ack 1, win 303, length 576
13:59:37.426981 00:1d:e6:62:4c:43 > 00:50:56:aa:70:51, ethertype IPv4 (0x0800), length 60: 10.222.4.72.58556 > 10.222.2.201.22: Flags [.], ack 784, win 2053, length 0
13:59:37.686468 00:1d:e6:62:4c:43 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.222.2.21 tell 10.222.2.1, length 46
13:59:37.744468 00:50:56:aa:20:2d > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.222.2.212 tell 10.222.2.213, length 46
13:59:37.760079 00:50:56:aa:a4:2c > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.222.2.212 tell 10.222.2.128, length 46
13:59:37.806887 00:50:56:aa:20:2d > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.222.2.13 tell 10.222.2.213, length 46
13:59:38.306952 00:50:56:aa:20:2d > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.222.2.212 tell 10.222.2.213, length 46
13:59:38.385033 00:50:56:aa:a4:2c > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.222.2.212 tell 10.222.2.128, length 46
So by default you can see ARP requests, but where is the layer-2 address?
As you can see, in addition to basic layer-3 information you also get
- Source and Destination MAC
- Frame type and layer-3 protocol info
- Layer-2 header size (in bytes)
Setting Verbosity:
What if you want to look at flags or checksums in an IP packet. By default you get basic TCP flags, but much of the rest is just hidden from view. TCPDump has 3 levels of verbosity all controlled with the -v setting:
| Flag | Description |
| -v | Basic verbose information, also usually turns on checksum validation and number of packets captured when using the -w (write) flag. |
| -vv | Additional fields for a variety of protocols such as SMB and NFS. |
| -vvv | The most verbose output. |
Say you don’t care about the headers but the payloads of packets; to view those use the -x option to show the payload in hex and the -X option for hex with an ascii translation:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:37:33.657282 IP 10.222.2.201.22 > 10.222.4.72.58556: Flags [P.], seq 1287503711:1287503919, ack 810561643, win 303, length 208
0x0000: 4510 00f8 9e44 4000 4006 7edf 0ade 02c9 E….D@.@.~…..
Capturing Specific Interfaces:
Here are options for capturing specific or all interfaces on a device:
| Option | Description |
| -i any | Simultaneously capture all interfaces |
| -i $int_name | Capture network traffic from $int_name only |
Simple stuff.
Capturing Conversations to or from a specific host:
If you want to capture only conversations to or from 10.222.2.201, use the following
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:21:20.453495 IP 10.222.2.201.22 > 10.222.4.72.60121: Flags [P.], seq 591082067:591082275, ack 409633518, win 269, length 208
15:21:20.453553 IP 10.222.2.201.22 > 10.222.4.72.60121: Flags [P.], seq 208:272, ack 1, win 269, length 64
15:21:20.454108 IP 10.222.4.72.60121 > 10.222.2.201.22: Flags [.], ack 272, win 2053, length 0
If you want to capture only conversations going to 201, use dest host $IP.
If you want to capture only conversations originating from 201, use src host $IP
Capturing Only ICMP Packets or specific protocols
For specific protocols you can just type certain keywords for the protocol at the begining of your filter. For instance tcpdump icmp would only capture ICMP packets tcpdump udp only udp packets etc…
Capturing TCP Source and Destination Ports:
Just like host, you can use tcpdump src port $port for source ports, tcpdump dest port $port for destination ports or tcpdump port $port for either.
Capturing certain TCP flags
Capturing just packets with certain flags set in your filters can be very handy. Here we just look for connection resets:
| Filter | Description |
| tcp[tcpflags] == tcp-rst | Just connection resets |
| tcp[tcpflags] == tcp-syn | Just SYNS |
| tcp[tcpflags] == tcp-ack | Just acknowledgements |
| tcp[tcpflags] == tcp-fin | Just F |
Use these just like any other filter, at the end of any options. If you are adding to a host or any of the other filters above, put the whole thing in quotes.
Combining Different Filters:
Many instances exist where you just want to filter for just traffic to a certain host going to a particular port, using just specific flags, or maybe all traffic except from a specific port. Lucky for us, tcpdump supports ‘and’ and ‘or’ operators as well as grouping parens and not statements.
As soon as you have a space of any kind in your filter you want to encapsulate the whole thing in quotes.
For instance to look for any traffic coming from 10.222.2.201 except over port 22: tcpdump “host 10.222.2.201 and not port 22”
Or maybe you want to filter out port 80 traffic as well, to do this, use grouping parents and an ‘or’ operator: tcpdump “host 10.222.2.201 and not (port 22 or port 80)”
Or perhaps you just want to look for RST packets not over these two ports: tcpdump “host 10.222.2.201 and not (port 22 or port 80) and tcp[tcpflags] == tcp-rst”
There are many combinations, just remember *If there is any question on the order your statements will be applied, use grouping parens.* As soon as you have multiple filters, use quotes around the whole thing.
mfuller, PEI
Looking for more content like this? Check out the Networking Section of our blog or subscribe below!
