My quick usage notes on tcpdump utility for capturing network traffic.

tcpdump (man-pages)
  • Uses the libpcap library to capture packets; libpcap is also used by nmap among others.
  • WinDump, the tcpdump port for Windows, uses WinPcap, which is a port of libpcap to Windows.

Heavy packet viewing // the final “s” increases the snaplength, grabbing the whole packet

tcpdump -nnvvXSs 1514

tcpdump basic options
-i eth0 Listen on interface eth0 just to see if you're seeing any traffic. Interfaces: lo, eth0, venet0 (virtual machine)
-n Don't resolve hostnames.
-nn Don't resolve hostnames or port names.
-v, -vv, -vvv Increase the amount of packet information you get back.
-c Only get x number of packets and then stop.
-s Set the amount of data that is being captured, in bytes (the snaplength).
-A, -X Print packet contents in ASCII (-X also prints hex).
-q Show less protocol information.
-w / -r Write the raw packets to a file rather than parsing and printing them out. They can later be read back and printed with the -r option. Standard output is used if the file is "-".
dst Watch only traffic destined to a net, host or port.
src Watch only traffic whose source is a net, host or port.
host Specifies a host IP or domain name.
port / portrange Specifies a port or a port range, e.g. portrange 22-80.
proto Protocol, i.e. tcp, udp, icmp.

Filter expressions can be combined with:
    1. AND: and or &&
    2. OR: or or ||
    3. EXCEPT: not or !

tcpdump -q src 192.168.1.13 and not dst net 192.168.1.0/24 and not ( dst port 443 or dst port 80 )

Note that the parentheses are special to the shell, so either escape them or put the whole filter expression in single quotes.


Capture packet in OSX

sudo tcpdump -i en4 -s 0 -B 524288 -w ~/Desktop/DumpFile01.pcap dst 10.1.26.48

Press ctrl-c to stop the capture and save the file, then exit the terminal. Use the following command to view the file, or use a UI like Cocoa Packet Analyzer.

tcpdump -s 0 -n -e -x -vvv -r ~/Desktop/DumpFile01.pcap


TCPDUMP format: time-stamp src > dst: flags data-seqno ack window urgent options
  • Src, dst and flags are always present. The other fields depend on the contents of the packet's TCP protocol header.
  • Flags are some combination of
    • S (SYN): This bit is used at the start of the TCP handshake to establish the connection.
    • A (ACK): Acknowledgement, used to indicate that data has been successfully received. Also used when establishing and tearing down TCP connections. In many cases, every packet in a TCP connection has this flag set after the initial SYN.
    • F (FIN): Used to gracefully tear connections down. Each side of the connection sends a FIN, followed by an ACK, then the connection is finished.
    • P (PUSH): Often set at the end of a block of data, signaling the receiver to process the block of data. This bit can be used to monitor the application blocks on the sending application.
    • R (RST): This bit is used to inform the receiver that the sender has shut this connection down. A reset is an abrupt way to do this, but may be legitimately seen at the end of some TCP connections. Watch for these when experiencing application disconnects.
    • W (ECN CWR) or E (ECN-Echo): Only used in TCP connections where Explicit Congestion Notification is used. Rarely seen in most TCP conversations.
    • or a single '.' (no flags)
  • Data-seqno describes the portion of sequence space covered by the data in this packet (see example below).
  • Ack is the sequence number of the next data expected in the other direction on this connection.
  • Window is the number of bytes of receive buffer space available in the other direction on this connection.
  • Urg indicates there is 'urgent' data in the packet.
  • Options are TCP options enclosed in angle brackets (e.g., <mss 1024>).
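Since this field layout is what you end up reading in a -r dump, here is an added example (my own code, not from tcpdump or from this page) that parses the current tcpdump -n line style, where flags appear as Flags [S.] and a "." inside the brackets means ACK, and then reports SYNs that never got a SYN-ACK or RST back, which is what you look for when diagnosing a filtered port or a half-open scan. The sample capture, its addresses and ports are constructed; it assumes non-verbose -n output (with -v the IP header goes on its own line).

```python
import re
from collections import defaultdict

# Current tcpdump -n prints TCP as "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], seq .., ack .., win .., length N"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$"
)
FIELD_RE = re.compile(r"\b(seq|ack|win|length) ([^,\s]+)")  # fields that follow the flags

def parse_line(line):
    """Return the fields of one TCP line as a dict, or None for non-TCP / unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec.update(FIELD_RE.findall(rec.pop("rest")))  # seq, ack, win, length kept as strings
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def summarize(lines):
    """Per (client, server, port): SYNs sent and whether a SYN-ACK or RST ever came back."""
    flows = defaultdict(lambda: {"syn": 0, "answered": False, "rst": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = rec["flags"]                        # inside the brackets "." means ACK
        if "S" in f and "." not in f:           # bare SYN: client -> server opens a flow
            flows[(rec["src"], rec["dst"], rec["dport"])]["syn"] += 1
            continue
        key = (rec["dst"], rec["src"], rec["sport"])   # reply direction, keyed like the SYN
        if key in flows and ("S" in f or "R" in f):    # SYN-ACK or RST answers the SYN
            flows[key]["answered"] = True
            flows[key]["rst"] += 1 if "R" in f else 0
    unanswered = sorted(k for k, v in flows.items() if not v["answered"])
    return {"unanswered": unanswered, "rst_total": sum(v["rst"] for v in flows.values())}

# Constructed sample: a completed handshake to port 80, a SYN to port 22 answered with
# RST, a SYN to port 23 that never gets a reply, and one non-TCP line that is skipped.
SAMPLE = """\
12:34:56.789012 IP 192.168.1.13.51514 > 192.168.1.20.80: Flags [S], seq 1000, win 65535, options [mss 1460,wscale 6], length 0
12:34:56.789512 IP 192.168.1.20.80 > 192.168.1.13.51514: Flags [S.], seq 5000, ack 1001, win 29200, options [mss 1460], length 0
12:34:56.795012 IP 192.168.1.13.51514 > 192.168.1.20.80: Flags [P.], seq 1:78, ack 1, win 1026, length 77
12:34:57.100000 IP 192.168.1.13.51515 > 192.168.1.20.22: Flags [S], seq 2000, win 65535, length 0
12:34:57.100300 IP 192.168.1.20.22 > 192.168.1.13.51515: Flags [R.], seq 0, ack 2001, win 0, length 0
12:34:57.200000 IP 192.168.1.13.51516 > 192.168.1.20.23: Flags [S], seq 3000, win 65535, length 0
12:34:58.000000 IP 192.168.1.13 > 192.168.1.20: ICMP echo request, id 1, seq 1, length 64
""".splitlines()
```

Feed it real output with `tcpdump -n -r file.pcap tcp | python3 -c '...'` or pass `sys.stdin` to summarize(); the port-23 flow shows up as unanswered while the port-22 RST is counted.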
Promiscuous mode (promisc mode) is used for packet sniffing: a mode for a wired network interface controller (NIC) or wireless network interface controller (WNIC) that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames the controller is intended to receive. It is useful on a computer connected to a hub (instead of a switch) or on a WLAN.

sudo tcpdump -A -s0 -In -i en0 host 192.168.1.101


-A Print each packet in ASCII. -s<n> with n=0 makes it capture entire packets, not just the headers (the first 96 bytes).

-I Put the interface in "monitor mode"; this is supported only on IEEE 802.11 Wi-Fi interfaces, and supported only on some operating systems.

-n Don't convert addresses (i.e., host addresses, port numbers, etc.) to names. (The name an address resolves to may differ from one interface to another.)

-i Capture on interface en0