Tcpdump

Summary

Tcpdump is commandline based packet capturing utility, it allows to sniff, capture and monitor any type of traffic on a network. Tcpdump allows you from almost all OSI layers Since it is a commandline based utility it is important to understand the syntax. Tcpdump allows to store the captured packets in order to be able to analyze them later. Tcpdump is a utility used to capture and analyze packets on network interfaces. Details about these packets can either be displayed to the screen or they can be saved to a file for later analysis. Tcpdump utilizes the libpcap library for packet capturing. For troubleshooting or investigation network condition tcpdump is usable.

Requirements

• Tcpdump is native to Linux/UNIX systems and does not run on other OS. By default, the installation is already performed on a large number of Linux/UNIX systems.

Functionality

Start screen

After opening the terminal, you can check the actual version of tcpdump via tcpdump -h. This way you can find out the list of features supported by this version. Additionaly you can make a first view about the syntax. Running tcpdump requires super user privileges, therefor all commands are prefaced with sudo keyword. To run tcpdump the available interfaces for packet captures needs to be determined. If these are not already known, they can be checked with tcpdump -d. On my VM ens33, loopback, any, bluetooth-monitor, nflog and nfqueue interfaces are available.

By clicking on 'Aufzeichnen' or 'Capture' above the interface list, the interface menu opens. The first tab shows the interfaces including their MAC Addresses, which helps identifying the right one. Also Pipes and remote interfaces can be configured. The second tab shows the output options. Here you can save the captures automatically in files, according to different rules. The third tab offers additional options for display and name resolution.

Capture and Display Filter

The capture process starts by double clicking a interface or select one and click on the blue fin icon in the menu bar.

[[|thumb|Capture Filter]] The Capture Filter is set before starting a packet capture and cannot be modified during the capture. It is more limited than the display filter and used to reduce the size of raw capture data. The filter can be entered in the text-field above the interfaces before the capturing is started. The Capture Filter has an own syntax described below. It only supports combinations of the listed primitives. An example is shown in figure 'Capture Filter'. The filter captures only packets which source IP address is 192.168.0.1 and the TCP port 23

Protocol selection  [tcp|udp] 
IP address          [src|dst] [host] 
Port number         [port]
Operations          [and|or] [less|greater] [not]

[[|thumb|Display Filter]] [[|thumb|Packet List]] [[|thumb|Packet Details]] [[|thumb|Full Screen]] The Display Filter only filters the output on the screen. But can be modified during the capture process and also when analysing a saved capturing. So it's more flexible and can be adjusted to current needs. It's entered during a capturing in the above text field as shown in figure 'Display Filter'.

The Display Filter has a different syntax than the Capture Filter. Probably, because Wireshark is developed by many different developers, who add single features. The filter displays only packets which source IP address is 192.168.8.109 and the TCP port 443. As shown below, the Display Filter offers more possibilities to filter packets.

MAC address         [eth]
L3 Protocol         [ip|ipv6]
L4 Protocol         [tcp|udp] 
IP address          [src|dst] [host] 
Port number         [port]
Operations          [and|or|xor] []not|in]
Comparison Operator [==|!=|<|<=|>=|>]
Slices              [x:y]
Function            [upper|lower|len|count|string]

A more detailed list with possible filter expressions can be found in the Wireshark User Guide.

Analyze

During the capture, a list of all incoming packets is displayed and you can start investigating traffic while it is in the process of capturing. In Figure 'Packet List', you see Wireshark in the middle of a capture. Three panes are worth looking at in the Wireshark window, thus are shown in figures 'Packet List' and 'Packet Details'. The top is for operation, such as starting/stoping capture process. The middle is the list of headers and the bottom pane shows the raw data, this includes a hexadecimal dump of each byte as well as an ASCII decode of those bytes on the right-hand side. Not all of the bytes can be decoded to a printable ASCII value, which is why you may see a lot of dots (.), that just indicates that there is a byte there but it can't be printed, see in Figure 'Packet Details'. The columns are described as follows:

• No. stands for the packet number, which Wireshark starts at zero, to make it more readable.
• Time shows the seconds since the capture started.
• Source is the packet source IP- or MAC-address.
• Destination is the packet destination IP- or MAC-address.
• Protocol stands for the used transport protocol.
• Length is the packet length in Bytes.
• Info shows the packet information, which Wireshark extracts automatically.

In the packet details, shown in figure 'Packet Details', you can see all headers from the different OSI Layers. In this example the TLS Application Data is encrypted and unreadable. From the TCP header you can read the source and destination port, sequence and ACK numbers, set flags, the size and the checksum. From the IP header you can read the version, length, flags, the TTL, the encapsulated protocol (TCP), checksum and source and destination IP address. From the Ethernet Header you can read the source and destination MAC address, the frame number and lengtha and the encapsualted protocols.

Below the packet details, is the packet shown in Bytes. Mostly not very human friendly to read. To change that, the configuration and other tips are shown in the next paragraph.

Not so well known Features

Here are some configurations listed to make Wireshark easier and clearer to read.

• Wide Screen - The default view of Wireshark is not adjusted for wide screen. To make a better use of the whole screen change the following. In the menu Edit/Preferences/Appearance/Layout use the fourth Pane order. For the third pane choose Packet Diagram, instead of Packet Bytes. The result is shown in figure 'Full Screen'. In the Packet Diagram, you can click on any field and the corresponding value is shown in the Packet Details.
• Time - By default the Time in the Packet List is set to seconds since the capture started. To make it easier to find specific packages, under View/Display Time Format, you can change it to Time of Day.
• Name Resolution - Also by default, DNS is not activated. Under View/Name Resoultion you can activate name resolution for phyiscal, network and transport addresses. The name resolution is the only active action, which is performed by Wireshark in an observed network.
• Open Connections - In the Statistics menu, under Conversations, you can see all open connections at once. Separated in the different Layers: Data Link (Ethernet), Network (IP) and Transport (TCP/UDP).
• ACL Rule Creation - In the Tools menu, under Firewall ACL Rules, you can create different ACL Rules. Dependent of the selected packet in the Packet List, it shows a combination of outbound/inbound allow/deny rules. And also for different systems like Cisco IOS, IP Filter, IP Tables and Windows Firewall.
• Credentials - Also in the Tools menu, under Credentials, Wireshark shows all credentials, which could be read automatically, and in which packet they were sent. This only works with unencrypted traffic, like Open Authentication.
• Follow traffic stream - The traffic you are interested in will often be spread across a number of incoming and outgoing packets. This can be quite frustrating when trying to view sensitive HTTP Request/Response pairs and most application level data in general. Fortunately Wireshark allows you to select a packet and view the entire TCP stream it belongs to. Inbound and outbound traffic will be highlighted in red and blue to show the application layer communication without packet headers.
• Statistics - This menu contains items to display various statistics windows, including a summary of recorded packets, a display of protocol hierarchy statistics and more. For example, the tab Protocol hierarchy displays descriptive statistics per log. This is useful for determining the types, amounts, and relative proportions of protocols within a trace. The tab Conversations generates descriptive statistics about each conversation for each protocol in the trace. And most importanly the tab Flow Graph. The Flow Graph Generates a sequence graph for the selected traffic. This is useful for understanding seq. and ack. calculations.

Description

Step 1

Enter these commands in the shell

echo foo
echo bar

Step 2

Make sure to read

• War and Peace
• Lord of the Rings
• The Baroque Cycle

Used Hardware

Device to be used with this documentation Maybe another device to be used with this documentation

Courses

• A course where this documentation was used (2017, 2018)
• Another one (2018)

References

• https://tcpdump.org
• https://google.com