Tcpdump
Summary
Tcpdump is commandline based packet capturing utility, it allows to sniff, capture and monitor any type of traffic on a network. Tcpdump allows you from almost all OSI layers Since it is a commandline based utility it is important to understand the syntax. Tcpdump allows to store the captured packets in order to be able to analyze them later. Tcpdump is a utility used to capture and analyze packets on network interfaces. Details about these packets can either be displayed to the screen or they can be saved to a file for later analysis. Tcpdump utilizes the libpcap library for packet capturing. For troubleshooting or investigation network condition tcpdump is usable.
Requirements
- Tcpdump is native to Linux/UNIX systems and does not run on other OS. By default, the installation is already performed on a large number of Linux/UNIX systems.
Functionality
Start: After opening the terminal, see figure 'Check Version', you can check the actual version of tcpdump via
tcpdump -h
This way you can find out the list of features supported by this version. Additionaly you can make a first view about the syntax. Running tcpdump requires super user privileges, therefor all commands are prefaced with sudo keyword.
Capture
To run tcpdump the available interfaces for packet captures needs to be determined. If these are not already known, they can be checked with
tcpdump -D
see figure 'Show available interfaces'. On my VM 'bitsf' ens33, loopback, any, bluetooth-monitor, nflog and nfqueue interfaces are available.
Capturing packets on all interfaces by using the 'any' option. Now we see in figure 'Capture without packet limit' packets are moving by way too fast to read. Tcpdump will not stop without an interrupt signal, so to stop the capture you can use ctrl + c. Instead of letting tcpdump run until interrupted, you can use the '-c' option, this option instructs the utility to stop after the specified number of packets are captured, for example see figure 'Capture limit 5 packets'. In the output we can see host names are being used instead of IP addresses (e.g. 'bitsf'), also commonly known ports are replaced with application names. Usually however it is easier to work with IP addresses and port numbers instead of these names.
With the '-n' option output shows IP addresses and port numbers, as shown in figure 'Show IP addresses instead host names'. When tcpdump is run without the '-n' option the utility will trigger reverse or PTR DNS lookups to find host names for IP addresses as it captures them. This means that tcpdump is itself triggering DNS traffic as it captures if the '-n' option is not used.
Capture packet size: In the second line you can see it says the capture size is 262144 bytes, this means that for every packet tcpdump will keep 262144 bytes for analysis. This is much larger than the typical packet size, so essentially this is saying tcpdump is capturing full packets. It's important to note the default capture size. Some versions of tcpdump default to much smaller capture sizes, for example 96 bytes. This would mean just the first 96 bytes of every packet is captured and the rest is thrown away. The capture size can be altered with the '-s' option, in figure 'Altered capture size 96 bytes' it is requested just 96 bytes for each packet instead of the default of 262144 bytes. Specifying '0' with the '-s' option means maximum size. When performing captures it's importnant to think about the goal when deciding the packet size to set for, for example if you are just looking for evidence of lost or out of order packets on a large file transfer, you probably don't need much more than 64 or 96 bytes of each packet. Alternatively if you are troubleshooting problems at the application layer you may require having full packets with nothing thrown out, in that case the maximum size of 262144 bytes should be plenty.
Tcpdump output: Here is at the fields displayed in the tcpdump output for some TCP packets. First there is a timestamp for in lid libpcap picked up the packet. On my VM you can see values down to milliseconds and even to microseconds. Next, the protocol is specified, after this is the source IP of the packet a dot and then source port of the packet. After the souce IP and port is the destination IP important. These addresses are followed by TCP flags, which could be SYN, ACK, RESET, FIN, URGENT and PUSH. All the flags are represented by the first letter with the exception of ACK which is represented by simply a dot. For an example a second VM (aitsf) is started to generate some traffic over ens33 interface to another VM. First to a closed port on the other VM and then to an open port. When connecting to the closed port we can see a SYn packet from my VM an immediately we see a reset from the other VM. Then, when connecting to port 22 through SSH which is open we see the normal three-way handshake. First the SYN and then the SYN ACK and return and finally the ACK.
Analyze
During the capture, a list of all incoming packets is displayed and you can start investigating traffic while it is in the process of capturing. In Figure 'Packet List', you see Wireshark in the middle of a capture. Three panes are worth looking at in the Wireshark window, thus are shown in figures 'Packet List' and 'Packet Details'. The top is for operation, such as starting/stoping capture process. The middle is the list of headers and the bottom pane shows the raw data, this includes a hexadecimal dump of each byte as well as an ASCII decode of those bytes on the right-hand side. Not all of the bytes can be decoded to a printable ASCII value, which is why you may see a lot of dots (.), that just indicates that there is a byte there but it can't be printed, see in Figure 'Packet Details'. The columns are described as follows:
- No. stands for the packet number, which Wireshark starts at zero, to make it more readable.
- Time shows the seconds since the capture started.
- Source is the packet source IP- or MAC-address.
- Destination is the packet destination IP- or MAC-address.
- Protocol stands for the used transport protocol.
- Length is the packet length in Bytes.
- Info shows the packet information, which Wireshark extracts automatically.
In the packet details, shown in figure 'Packet Details', you can see all headers from the different OSI Layers. In this example the TLS Application Data is encrypted and unreadable. From the TCP header you can read the source and destination port, sequence and ACK numbers, set flags, the size and the checksum. From the IP header you can read the version, length, flags, the TTL, the encapsulated protocol (TCP), checksum and source and destination IP address. From the Ethernet Header you can read the source and destination MAC address, the frame number and lengtha and the encapsualted protocols.
Below the packet details, is the packet shown in Bytes. Mostly not very human friendly to read. To change that, the configuration and other tips are shown in the next paragraph.
Not so well known Features
Here are some configurations listed to make Wireshark easier and clearer to read.
- Wide Screen - The default view of Wireshark is not adjusted for wide screen. To make a better use of the whole screen change the following. In the menu Edit/Preferences/Appearance/Layout use the fourth Pane order. For the third pane choose Packet Diagram, instead of Packet Bytes. The result is shown in figure 'Full Screen'. In the Packet Diagram, you can click on any field and the corresponding value is shown in the Packet Details.
- Time - By default the Time in the Packet List is set to seconds since the capture started. To make it easier to find specific packages, under View/Display Time Format, you can change it to Time of Day.
- Name Resolution - Also by default, DNS is not activated. Under View/Name Resoultion you can activate name resolution for phyiscal, network and transport addresses. The name resolution is the only active action, which is performed by Wireshark in an observed network.
- Open Connections - In the Statistics menu, under Conversations, you can see all open connections at once. Separated in the different Layers: Data Link (Ethernet), Network (IP) and Transport (TCP/UDP).
- ACL Rule Creation - In the Tools menu, under Firewall ACL Rules, you can create different ACL Rules. Dependent of the selected packet in the Packet List, it shows a combination of outbound/inbound allow/deny rules. And also for different systems like Cisco IOS, IP Filter, IP Tables and Windows Firewall.
- Credentials - Also in the Tools menu, under Credentials, Wireshark shows all credentials, which could be read automatically, and in which packet they were sent. This only works with unencrypted traffic, like Open Authentication.
- Follow traffic stream - The traffic you are interested in will often be spread across a number of incoming and outgoing packets. This can be quite frustrating when trying to view sensitive HTTP Request/Response pairs and most application level data in general. Fortunately Wireshark allows you to select a packet and view the entire TCP stream it belongs to. Inbound and outbound traffic will be highlighted in red and blue to show the application layer communication without packet headers.
- Statistics - This menu contains items to display various statistics windows, including a summary of recorded packets, a display of protocol hierarchy statistics and more. For example, the tab Protocol hierarchy displays descriptive statistics per log. This is useful for determining the types, amounts, and relative proportions of protocols within a trace. The tab Conversations generates descriptive statistics about each conversation for each protocol in the trace. And most importanly the tab Flow Graph. The Flow Graph Generates a sequence graph for the selected traffic. This is useful for understanding seq. and ack. calculations.
Description
Step 1
Enter these commands in the shell
echo foo echo bar
Step 2
Make sure to read
- War and Peace
- Lord of the Rings
- The Baroque Cycle
Used Hardware
Device to be used with this documentation Maybe another device to be used with this documentation
Courses
- A course where this documentation was used (2017, 2018)
- Another one (2018)