Tcpdump

From Embedded Lab Vienna for IoT & Security

Summary

Tcpdump is a command-line packet capturing utility: it sniffs, captures and monitors traffic on a network interface and can decode protocols from almost all OSI layers. Since it is command-line based, it is important to understand its syntax. The captured packets can either be decoded and displayed on the screen or saved to a file for later analysis with tcpdump or another tool. Tcpdump uses the libpcap library for packet capturing. It is useful for troubleshooting and for investigating network conditions.

Requirements

  • Tcpdump runs on Linux and other UNIX-like systems (BSD, macOS, Solaris); it is not a native Windows tool (a separate port, WinDump, exists for Windows). It is already installed by default on a large number of Linux/UNIX systems and is otherwise available from the package manager.

Functionality

Check Version

Start: After opening the terminal (see figure 'Check Version'), check the installed version with tcpdump -h, which prints the tcpdump and libpcap versions followed by a usage summary. This shows which features this version supports and gives a first overview of the syntax. Capturing packets requires raw access to the network interface, which means root privileges (or, on Linux, the CAP_NET_RAW and CAP_NET_ADMIN capabilities), therefore all capture commands are prefixed with sudo.


Capture and Analysis

Show available interfaces

Before running tcpdump, determine which interfaces are available for packet capture. If they are not already known, list them with tcpdump -D. On the VM 'bitsf' used here the interfaces ens33, the loopback interface, any, bluetooth-monitor, nflog and nfqueue are available, as shown in figure 'Show available interfaces'.

Capture without packet limit
Capture limit 5 packets

Capturing on all interfaces at once is done with -i any. As figure 'Capture without packet limit' shows, the packets scroll past far too fast to read. Tcpdump does not stop on its own; to end the capture, send an interrupt signal with Ctrl+C, after which tcpdump prints how many packets were captured, received by the filter and dropped by the kernel.

Instead of letting tcpdump run until interrupted, use the -c option, which instructs the utility to stop after the specified number of packets has been captured; figure 'Capture limit 5 packets' shows a capture limited to five packets. In the output, host names are used instead of IP addresses (e.g. 'bitsf'), and well-known ports are replaced by service names (e.g. 'ssh' instead of 22). Usually it is easier to work with the raw IP addresses and port numbers instead of these names.

Show IP addresses instead host names

With the -n option the output shows IP addresses instead of host names, as shown in figure 'Show IP addresses instead host names'; -nn additionally suppresses the translation of port and protocol numbers into names. Without -n, tcpdump performs reverse (PTR) DNS lookups for every address it sees while capturing. This means tcpdump is itself generating DNS traffic during the capture if -n is not used: the lookups end up in the capture, slow the output down, and on a network under investigation they reveal to the DNS server which addresses the analyst is looking at. For these reasons -n (or -nn) should be used by default.

Altered capture size 96 bytes

Capture packet size: The second line of tcpdump's output states the capture size (the snapshot length, or snaplen), here 262144 bytes. This means that tcpdump keeps at most 262144 bytes of every packet for analysis. Since this is much larger than a typical packet (an Ethernet MTU is 1500 bytes), tcpdump is effectively capturing full packets. It is important to note the default capture size, because it varies between versions: older versions of tcpdump default to much smaller sizes, for example 68 or 96 bytes. With 96 bytes only the first 96 bytes of every packet (roughly the link, IP and transport headers) are kept and the rest is thrown away; packets cut short like this are marked with '[|proto]' (e.g. '[|dns]') in the decoded output. The capture size can be changed with the -s option; in figure 'Altered capture size 96 bytes' just 96 bytes per packet are requested instead of the default of 262144 bytes, and -s 0 selects the default maximum. A smaller snaplen reduces disk and CPU usage, but the discarded bytes cannot be recovered later, so for payload analysis the full size should be kept.
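The procedure above (list the interfaces, capture a bounded number of packets with numeric output and the full snaplen, save them to a file for later analysis) as one script, added here as an example and not part of the original page. It also inspects the saved pcap file for packets that were cut short by the snaplen, the failure mode described in the last paragraph. Assumptions: tcpdump writes a classic pcap file in host byte order (libpcap's default), the interface, packet count and output file are given as arguments, and the capture runs under sudo as in the page. The sample pcap bytes used in the check are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Embedded Lab Vienna page.
# usage: sh tcpdump_bounded.sh IFACE COUNT OUTFILE   (e.g. any 5 capture.pcap)
set -u

# Capture COUNT packets on IFACE into OUTFILE with the options discussed above:
#   -i IFACE  interface from "tcpdump -D" ("any" = all interfaces)
#   -c COUNT  stop after COUNT packets instead of waiting for Ctrl+C
#   -nn       no host, port or protocol name resolution, so tcpdump itself
#             generates no DNS traffic while capturing
#   -s 0      full packets (libpcap default snaplen of 262144 bytes)
#   -w FILE   write raw packets instead of decoding them to the screen
# Raw capture needs root or CAP_NET_RAW, hence sudo as in the page.
capture_to_file() {
    iface=$1; count=$2; out=$3
    sudo tcpdump -i "$iface" -c "$count" -nn -s 0 -w "$out"
}

# Read the unsigned 32-bit integer at byte offset $2 of file $1.
# od uses host byte order, which matches a pcap file tcpdump wrote on this host.
u32_at() {
    od -An -t u4 -j "$2" -N 4 "$1" | tr -d ' '
}

# Print the snaplen stored in the pcap global header (bytes 16..19).
# Accepts the classic magic 0xa1b2c3d4 (microsecond timestamps) and
# 0xa1b23c4d (nanosecond timestamps); anything else is not a native pcap.
pcap_snaplen() {
    magic=$(u32_at "$1" 0)
    case "$magic" in
        2712847316|2712812621) u32_at "$1" 16 ;;
        *) echo "not a native-endian classic pcap (magic $magic)" >&2; return 1 ;;
    esac
}

# Walk the packet records after the 24-byte global header. Each record header
# is ts_sec, ts_usec, incl_len (bytes captured), orig_len (bytes on the wire).
# A packet was truncated by the snaplen when incl_len < orig_len.
# Prints "<truncated> <total>".
pcap_truncated_count() {
    file=$1
    size=$(wc -c < "$file" | tr -d ' ')
    off=24
    total=0; truncated=0
    while [ $((off + 16)) -le "$size" ]; do
        incl=$(u32_at "$file" $((off + 8)))
        orig=$(u32_at "$file" $((off + 12)))
        total=$((total + 1))
        if [ "$incl" -lt "$orig" ]; then
            truncated=$((truncated + 1))
        fi
        off=$((off + 16 + incl))
    done
    echo "$truncated $total"
}

if [ $# -eq 3 ]; then
    sudo tcpdump -D                      # available interfaces, as in the page
    capture_to_file "$1" "$2" "$3"
    echo "snaplen in $3: $(pcap_snaplen "$3")"
    echo "truncated/total packets: $(pcap_truncated_count "$3")"
    sudo tcpdump -nn -r "$3"             # decode the saved capture later, numerically
fi
```

Run with a small count first (for example any 5 capture.pcap); if the truncated count is not "0 N", the capture was taken with a snaplen that is too small and the payloads of those packets are gone.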
