tcpdump is the premier network analysis tool for information securityprofessionals. Having a solid grasp of this über-powerful application is mandatory for anyone desiring a thorough understanding of TCP/IP. Many prefer to use higher level analysis tools such as EtherealWireshark, but I believe this to usually be a mistake.
In a discipline so dependent on a true understanding of concepts vs.rote learning, it's important to stay fluent in the underlying mechanics of the TCP/IP suite. A thorough grasp of these protocols allows one to troubleshoot at a level far beyond the average analyst, but mastery of the protocols is only possible through continued exposure to them.
It's also important to note that tcpdump only takes the first 68 96 bytes of data from a packet by default. If you would like to look at more, add the -s number option to the mix, where number is the number of bytes you want to capture. I recommend using 0 (zero) for a snaplength, which gets everything. Here's a short list of the options I use most:
- -i any : Listen on all interfaces just to see if you're seeing any traffic.
- -n : Don't resolve hostnames.
- -nn : Don't resolve hostnames or port names.
- -X : Show the packet's contents in both hex and ASCII.
- -XX : Same as -X, but also shows the ethernet header.
- -v, -vv, -vvv : Increase the amount of packet information you get back.
- -c : Only get x number of packets and then stop.
- -s : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
- -S : Print absolute sequence numbers.
- -e : Get the ethernet header as well.
- -q : Show less protocol information.
- -E : Decrypt IPSEC traffic by providing an encryption key.
Basic Usage
So, based on the kind of traffic I'm looking for, I use a different combination of options to tcpdump, as can be seen below:
Basic communication // see the basics without many options
# tcpdump -nS
Basic communication (very verbose) // see a good amount of traffic, with verbosity and no name help
# tcpdump -nnvvS
A deeper look at the traffic // adds -X for payload but doesn't grab any more of the packet
# tcpdump -nnvvXS
Heavy packet viewing // the final "s" increases the snaplength, grabbing the whole packet
# tcpdump -nnvvXSs 1514
Useful Examples
- host look for traffic based on IP address (also works with hostname if you're not using -n)# tcpdump host 1.2.3.4
- src, dst find traffic from only a source or destination (eliminates one side of a host conversation)# tcpdump src 2.3.4.5# tcpdump dst 3.4.5.6
- net capture an entire network using CIDR notation# tcpdump net 1.2.3.0/24
- proto : works for tcp, udp, and icmp. Note that you don't have to type proto# tcpdump icmp
- port : see only traffic to or from a certain port # tcpdump port 3389
- src, dst port : filter based on the source or destination port# tcpdump src port 1025# tcpdump dst port 389
- src/dst, port, protocol : combine all three# tcpdump src port 1025 and tcp# tcpdump udp and src port 53
- You also have the option to filter by a range of ports instead of declaring them individually, and to only see packets that are above or below a certain size.Port Ranges : see traffic to any port in a range#tcpdump portrange 100-250
- Packet Size Filter : only see packets below or above a certain size (in bytes)#tcpdump less 32#tcpdump greater 128[ You can use the symbols for less than, greater than, and less than or equal / greater than or equal signs as well. ]
Writing to a File
Capture all Port 80 Traffic to a File# tcpdump -s 1514 port 80 -w capture_file
Read Captured Traffic back into tcpdump
# tcpdump -r capture_file
We can use expressions as well.
- AND
- and or &&
- OR
- or or ||
- EXCEPT
- not or !
# TCP traffic from 10.5.2.3 destined for port 3389
tcpdump -nnvvS and src 10.5.2.3 and dst port 3389
# Traffic originating from the 192.168 network headed for the 10 or 172.16 networks
tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or172.16.0.0/16
# Non-ICMP traffic destined for 192.168.0.2 from the 172.16 network
tcpdump -nvvXSs 1514 dst 192.168.0.2 and src net and not icmp
# Traffic originating from Mars or Pluto that isn't to the SSH port
tcpdump -vv src mars and not dst port 22
# Traffic that's from 10.0.2.4 AND destined for ports 3389 or 22(incorrect)
tcpdump src 10.0.2.4 and (dst port 3389 or 22)
tcpdump src 10.0.2.4 and (dst port 3389 or 22)
# Traffic that's from 10.0.2.4 AND destined for ports 3389 or 22(correct)
tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'
tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'
Extra Ordinary
You can also filter based on specific portions of a packet, as well as combine multiple conditions into groups. The former is useful when looking for only SYNs or RSTs, for example, and the latter for even more advanced traffic isolation.
[ Hint: An anagram for the TCP flags: Unskilled Attackers Pester RealSecurity Folk ]
All URGENT (URG) packets
# tcpdump 'tcp[13] & 32!=0'
All ACKNOWLEDGE (ACK) packets
# tcpdump 'tcp[13] & 16!=0'
All PUSH (PSH) packets
You can also filter based on specific portions of a packet, as well as combine multiple conditions into groups. The former is useful when looking for only SYNs or RSTs, for example, and the latter for even more advanced traffic isolation.
[ Hint: An anagram for the TCP flags: Unskilled Attackers Pester RealSecurity Folk ]
All URGENT (URG) packets
# tcpdump 'tcp[13] & 32!=0'
All ACKNOWLEDGE (ACK) packets
# tcpdump 'tcp[13] & 16!=0'
All PUSH (PSH) packets
# tcpdump 'tcp[13] & 8!=0'
All RESET (RST) packets
All RESET (RST) packets
# tcpdump 'tcp[13] & 4!=0'
All SYNCHRONIZE (SYN) packets
# tcpdump 'tcp[13] & 2!=0'
All FINISH (FIN) packets
# tcpdump 'tcp[13] & 1!=0'
All SYNCHRONIZE/ACKNOWLEDGE (SYNACK) packets
# tcpdump 'tcp[13]=18'
All SYNCHRONIZE (SYN) packets
# tcpdump 'tcp[13] & 2!=0'
All FINISH (FIN) packets
# tcpdump 'tcp[13] & 1!=0'
All SYNCHRONIZE/ACKNOWLEDGE (SYNACK) packets
# tcpdump 'tcp[13]=18'
No comments:
Post a Comment