Some people say that Wireshark is good, and bla bla bla, and bla bla bla...
Yes, Wireshark is a great project, but when it comes to firewalls, or to real work, nothing beats tcpdump.
When you log in to a remote firewall and want to check out what the heck is going on, tcpdump is your buddy.
It is old and wise, the Adam of sniffers, so let's see what we can do with it.
- # tcpdump -D (list the interfaces you can capture on; here the NIC em0, the pf log pseudo-interface pflog0, and loopback lo0)
- 1.em0
- 2.pflog0
- 3.lo0
OK, let's continue our tcpdump trip!
- -i any : Listen on all interfaces, handy to check whether you are seeing any traffic at all. (Linux only; the any device delivers "cooked" packets without a real link-layer header, so -e and ether filters won't work on it.)
- -n : Don't resolve hostnames.
- -nn : Don't resolve hostnames or port names.
- -X : Show the packet's contents in both hex and ASCII.
- -XX : Same as -X, but also shows the ethernet header.
- -v, -vv, -vvv : Increase the amount of packet information you get back.
- -c : Only get x number of packets and then stop, e.g. 'tcpdump -c 3'
- -s : The snaplen, i.e. how many bytes of each packet to capture.
- (Use -s 1514 to get a full Ethernet frame. Old releases captured only the first 68 or 96 bytes by default, which chops off most payloads; since tcpdump 4.0 the default is the whole packet.
- PS: Use -s 0 to be explicit: it means "everything", whatever the version.)
- -S : Print absolute sequence numbers.
- -e : Get the ethernet header as well.
- -q : Show less protocol information.
- -E : Decrypt IPSEC traffic by providing an encryption key.
Basic Usage
- # tcpdump -nS
- # tcpdump -nnvvS
- # tcpdump -nnvvXS
- # tcpdump -nnvvXSs 1514
- # tcpdump -nnvvXSs 0 -c2 icmp (Use -s 0 for a snaplength, which gets everything!)
- HOST SRC DST NET ETHER
- # tcpdump host 1.2.3.4
- # tcpdump src 2.3.4.5
- # tcpdump dst 3.4.5.6
- # tcpdump net 1.2.3.0/24
- # tcpdump ether src host 0:a0:3b:3:e1:1d
- PROTO PORT
- # tcpdump icmp
- # tcpdump port 80
- # tcpdump src port 1024
- # tcpdump dst port 1024
- # tcpdump tcp and src port 80
- # tcpdump proto 1
- or:
- # tcpdump icmp
- or:
- SYNTAX ==> tcpdump '{protocol}[offset in bytes, counted from zero]={value}'
- The protocols you can index into include: ip, ip6, tcp, udp, icmp, ether, arp, rarp, fddi and a few others.
- # tcpdump 'ip[9]=1' (byte 10 of the IP header, ip[9] counting from zero, is the protocol number; ICMP is protocol 1, see grep icmp /etc/protocols)
- PORT RANGES
- # tcpdump portrange 21-23
- PACKET SIZE FILTER
- # tcpdump less 32 (same as 'len <= 32')
- # tcpdump greater 128 (same as 'len >= 128')
- # tcpdump 'len > 32'
- # tcpdump 'len <= 128'
- (Mind the quotes: an unquoted > or < is a shell redirection, so tcpdump > 32 would just write tcpdump's output to a file named 32.)
- WRITING TO A FILE / READ
- # tcpdump -s 1514 port 80 -w capture_file.pcap
- # tcpdump -r capture_file.pcap
- GETTING CREATIVE
- AND : and or &&
- OR : or or ||
- EXCEPT : not or !
- MORE EXAMPLES
- # tcpdump -nnvvS src 10.5.2.3 and dst port 80 (a filter cannot start with "and")
- # tcpdump -nvX 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or 172.16.0.0/16)' (the parentheses matter: and binds tighter than or, so without them the 172.16 half would match regardless of source)
- # tcpdump -nvvXSs 1514 dst 192.168.0.2 and src net 192.168.1.0/24 and not icmp
- # tcpdump -vv src mars and not dst port 22
- # tcpdump -ttttnvX not '(port 22 and host spider and host ant)'
- GROUPING
- # tcpdump 'src 192.168.1.11 and (dst port 80 or 22)'
- SPECIALIZED TRAFFIC
- # tcpdump ip6 (IPV6 Traffic)
- # tcpdump 'tcp[13] = 6' (packets with exactly the RST and SYN flags set and nothing else, a combination no normal TCP stack sends, so it is worth asking WHY it shows up: crafted packets or a scanner)
- # tcpdump 'ip[6] & 128 != 0' (Traffic with the 'Evil Bit' Set!)
- # tcpdump 'icmp[0] == 8 or icmp[0] == 0'
- or:
- # tcpdump 'icmp[icmptype] == icmp-echo or icmp[icmptype] == icmp-echoreply'
- Keyword Value
- icmp-echoreply 0
- icmp-unreach 3
- icmp-sourcequench 4
- icmp-redirect 5
- icmp-echo 8
- icmp-routeradvert 9
- icmp-routersolicit 10
- icmp-timxceed 11
- icmp-paramprob 12
- icmp-tstamp 13
- icmp-tstampreply 14
- icmp-ireq 15
- icmp-ireqreply 16
- icmp-maskreq 17
- icmp-maskreply 18
- Who is bombarding my firewall with junk? (216.209.50.188 is the firewall's own address here)
- # tcpdump -i em0 -nq \
-     not '(port 22 and host spider)' \
-     and not '(port 53 or 80 or 110 or 119 or 443)' \
-     and dst host 216.209.50.188
- (the first clause hides our own SSH session from the admin host spider; the second excludes the ports we deliberately expose to the outside)
- What is my firewall actually sending out onto the internet?
- # tcpdump -i em0 -nq \
-     not port '(20 or 21 or 25 or 53 or 80 or 110 or 119 or 123 or 443)' \
-     and not icmp \
-     and src host 216.209.50.188
- (again excluding the ports we serve on purpose; note that the filter must not start with "and", tcpdump will reject it)
- So when you read the SYN capture tcpdump 'tcp[13] & 2 != 0', you're saying: take byte 13 of the TCP header (counting from zero, so the 14th byte, which holds the flags), mask it with 2 (the SYN bit, the second-lowest bit), and keep the packets where the result is not zero.
- That matches SYN-ACKs as well, since only the SYN bit is tested; 'tcp[13] = 2' matches bare SYNs only.
- Capture TCP flags using the tcpflags and tcp-syn names instead of magic numbers...
- # tcpdump 'tcp[tcpflags] & tcp-syn != 0' (single &: it is a bitwise mask; && is the logical "and" between two expressions and will not do what you want here)
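The byte-offset filters above, as an added example that is not part of the original page: the same tests re-implemented in Python over packets constructed inline (hypothetical addresses, no real capture), so you can see which byte each expression reads and which packets survive it. The function and packet names are mine, not tcpdump's.

```python
"""Added example, not from the original page: what the byte-offset filters test.

tcpdump's 'tcp[13] & 2 != 0', 'tcp[13] = 2', 'tcp[13] = 6', 'ip[9] = 1',
'icmp[0] = 8' and 'ip[6] & 128 != 0' are re-implemented over packets that
are constructed inline (no capture; addresses are hypothetical).
"""
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
IPPROTO_ICMP, IPPROTO_TCP = 1, 6


def ipv4_packet(proto, payload, flags_frag=0x4000, src="10.0.0.1", dst="10.0.0.2"):
    """Minimal 20-byte IPv4 header (no options) followed by payload.
    flags_frag is the 16-bit flags+fragment-offset field; its top bit is the
    reserved 'evil' bit, the next one DF (0x4000, what most stacks send)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0, src_b, dst_b)
    return hdr + payload


def tcp_segment(sport, dport, flags):
    """20-byte TCP header, no options; byte 13 of it holds the flags."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)


def icmp_message(icmp_type):
    """8-byte ICMP header: type, code, checksum, id, sequence."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)


# 'ip[n]' indexes the IP header. 'tcp[n]' and 'icmp[n]' index the transport
# header, which tcpdump locates via the IP header length (IHL), so these
# filters keep working when IP options are present.
def ip_byte(pkt, n):
    return pkt[n]


def l4_byte(pkt, n):
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl + n]


def syn_set(pkt):            # 'tcp[13] & 2 != 0'  /  'tcp[tcpflags] & tcp-syn != 0'
    return ip_byte(pkt, 9) == IPPROTO_TCP and (l4_byte(pkt, 13) & TCP_SYN) != 0


def bare_syn(pkt):           # 'tcp[13] = 2': SYN with every other flag clear
    return ip_byte(pkt, 9) == IPPROTO_TCP and l4_byte(pkt, 13) == TCP_SYN


def handshake_start(pkt):    # 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
    return ip_byte(pkt, 9) == IPPROTO_TCP and (l4_byte(pkt, 13) & (TCP_SYN | TCP_ACK)) == TCP_SYN


def syn_rst(pkt):            # 'tcp[13] = 6': exactly SYN+RST, never sent by a normal stack
    return ip_byte(pkt, 9) == IPPROTO_TCP and l4_byte(pkt, 13) == (TCP_SYN | TCP_RST)


def is_icmp(pkt):            # 'ip[9] = 1'  (same as plain 'icmp')
    return ip_byte(pkt, 9) == IPPROTO_ICMP


def icmp_echo(pkt):          # 'icmp[0] = 8'  (same as 'icmp[icmptype] = icmp-echo')
    return is_icmp(pkt) and l4_byte(pkt, 0) == 8


def evil_bit(pkt):           # 'ip[6] & 128 != 0'  (the RFC 3514 reserved bit)
    return (ip_byte(pkt, 6) & 0x80) != 0


# Constructed sample packets, one per interesting case.
SAMPLES = {
    "syn":     ipv4_packet(IPPROTO_TCP, tcp_segment(40000, 80, TCP_SYN)),
    "syn-ack": ipv4_packet(IPPROTO_TCP, tcp_segment(80, 40000, TCP_SYN | TCP_ACK)),
    "ack":     ipv4_packet(IPPROTO_TCP, tcp_segment(40000, 80, TCP_ACK)),
    "syn-rst": ipv4_packet(IPPROTO_TCP, tcp_segment(40000, 80, TCP_SYN | TCP_RST)),
    "echo":    ipv4_packet(IPPROTO_ICMP, icmp_message(8)),
    "evil":    ipv4_packet(IPPROTO_ICMP, icmp_message(0), flags_frag=0xC000),
}


def matching(filter_fn):
    """Names of the sample packets a filter keeps, sorted."""
    return sorted(name for name, pkt in SAMPLES.items() if filter_fn(pkt))


if __name__ == "__main__":
    for f in (syn_set, bare_syn, handshake_start, syn_rst, is_icmp, icmp_echo, evil_bit):
        print(f"{f.__name__:16} -> {matching(f)}")
```

Run it and compare syn_set with bare_syn: the masked form keeps the SYN-ACK too, which is exactly the difference between '& 2 != 0' and '= 2' that trips people up when they count connection attempts.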
Timestamps
By default, every output line starts with a timestamp taken from the system clock, in hh:mm:ss.fraction form, e.g.
11:16:02.911079
where the fraction is a fraction of a second (microseconds here).
Don't confuse this with the ISO 8601 habit of writing "14:30.5", "14:30,5", "1430.5" or "1430,5" for "14 hours, 30 and one half minutes": there the seconds figure is omitted and the fraction after the minutes is a fraction of a minute (0.5 = half a minute).
The -t flags change the format: -t drops the timestamp, -tt prints seconds since the epoch, -ttt prints the delta from the previous line, -tttt prints date plus time, and -ttttt prints the delta from the first packet.
Protocol Specification
I want only ICMP traffic:
- # tcpdump -tttt -nvi em0 icmp (-n:numeric -v:verbose -tttt:readable timestamp)
I want only tcp traffic:
- # tcpdump -nnvvi em0 tcp (-nn : Don't resolve hostnames or port names.)
Tcpdump Recipes
Host names and addresses
  Primitives:  host | net | port
  Direction:   src | dst | dst or src (the default when no direction is given) | dst and src
  Examples:    host 192.168.1.1          src net 192.168.100.0/24    udp dst port 53
               src 192.168.1.1           dst host 192.168.255.255    tcp src port http
Hardware addresses
  ether dst host ff:ff:ff:ff:ff:ff        ether src host 00:f9:06:aa:01:03
Protocols
  ip ip6 igmp icmp arp rarp tcp udp
Logical operations
  not (same as !)    and (same as &&)    or (same as ||)
Other keywords
  gateway broadcast less greater
Using tcpdump:
- # tcpdump -Annvvi em0 src net 192.168.1.0/24 and dst host or dst host (to watch logins to a website; -A prints the payload as ASCII, so cleartext credentials show up in the output)
Display Captured Packets in HEX and ASCII using tcpdump -XX
- # tcpdump -i em0 -XX
Capture only N number of packets using tcpdump -c
- # tcpdump -i em0 -c 2
Capture the packets and write into a file using tcpdump -w
- # tcpdump -i em0 -w 20110101.pcap
Reading the packets from a saved file using tcpdump -r
- # tcpdump -tttt -r 20110101.pcap
Capture packets shorter or longer than N bytes (less is len <= N, greater is len >= N)
- # tcpdump -w l_1024.pcap less 1024
- # tcpdump -w g_1024.pcap greater 1024
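As an added example (not from the original page, and not tcpdump's own code): the file format behind the -w and -r commands above, written and read back in Python with the -s snaplen applied the way tcpdump applies it. It also shows why the snaplen discussion in the options list matters: a frame longer than the snaplen is stored with its original length, but only its first N bytes are kept. The frames are constructed dummy bytes, and the function names are mine.

```python
"""Added example, not from the original page: the file that -w writes and -r reads.

Builds a libpcap file in memory in the format 'tcpdump -w capture_file.pcap'
produces, applying a snaplen the way '-s N' does (each frame is cut to its
first N bytes, but the record keeps the original length), then parses it
back. The frames are constructed dummy bytes, not a real capture.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # little-endian, microsecond timestamps (on disk: d4 c3 b2 a1)
LINKTYPE_ETHERNET = 1
MAXIMUM_SNAPLEN = 262144     # what tcpdump substitutes for '-s 0'


def write_pcap(frames, snaplen):
    """frames: iterable of (ts_sec, ts_usec, frame_bytes). Returns the file bytes."""
    if snaplen <= 0:
        snaplen = MAXIMUM_SNAPLEN
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, link type.
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, frame in frames:
        captured = frame[:snaplen]                       # the -s truncation
        # Per-record header: ts_sec, ts_usec, bytes saved, bytes on the wire.
        out += struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame))
        out += captured
    return bytes(out)


def read_pcap(data):
    """Parse a little-endian pcap; returns (snaplen, list of record dicts)."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported magic %#x (big-endian or pcapng?)" % magic)
    _major, _minor, _zone, _sigfigs, snaplen, linktype = struct.unpack_from("<HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type, got %d" % linktype)
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, wirelen = struct.unpack_from("<IIII", data, off)
        off += 16
        if off + caplen > len(data):
            raise ValueError("truncated record at offset %d" % off)   # file cut short mid-write
        records.append({
            "ts": ts_sec + ts_usec / 1_000_000,
            "caplen": caplen,          # bytes actually stored in the file
            "len": wirelen,            # bytes that were on the wire
            "truncated": caplen < wirelen,
            "data": data[off:off + caplen],
        })
        off += caplen
    return snaplen, records


# Constructed frames: a short one, a mid-sized one and a full-size Ethernet frame.
SAMPLE_FRAMES = [
    (1293840000, 100, bytes(range(60))),
    (1293840000, 250, bytes(200)),
    (1293840001, 500, bytes(1514)),
]


def capture_summary(snaplen):
    """(caplen, len, truncated) per frame after a '-s snaplen' round trip."""
    _, records = read_pcap(write_pcap(SAMPLE_FRAMES, snaplen))
    return [(r["caplen"], r["len"], r["truncated"]) for r in records]


if __name__ == "__main__":
    for s in (96, 1514, 0):
        print("-s", s, "->", capture_summary(s))
```

With -s 96 the two larger frames come back truncated; with -s 1514 or -s 0 nothing is lost. When tcpdump -r hits a record whose caplen is smaller than the header it is decoding, it prints a [|proto] marker such as [|tcp]: that is the symptom of a capture taken with too small a snaplen, and no amount of -X will bring the missing bytes back.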
Feel free to contact me if you have a question, a comment, or if you just want to say hello. Until then, I hope you find something here worth your time.