tcpdump Notes

These are notes I made while surfing the web looking into tcpdump. You will most likely need to use sudo to run most of the commands, but I'm leaving it off to keep them shorter.

About tcpdump

  • It can filter at capture time, so only the packets you care about are recorded, but it doesn't have the analytical tools that something like Wireshark has[1].

Some Examples

Listing interfaces

You can ask tcpdump which interfaces it is able to listen on[2].

tcpdump -D

Capture packets on an interface

To capture packets on an interface, pass its name to the -i flag[2] (here the interface I'll use is eno1).

tcpdump -i eno1

Save the packet capture to a file

By default tcpdump decodes each packet and prints a one-line summary to standard output. To save the raw packets to a file instead, use the -w flag[2] (you can call the file anything; I'll call it dump.pcap). While writing to a file the per-packet lines are not printed, so the capture looks idle until you stop it with Ctrl-C.

tcpdump -i eno1 -w dump.pcap

Increase the verbosity of the capture

To increase the amount of detail tcpdump prints about each packet, pass multiple v arguments[2] (in this case I'll use -vvv). Note that -v changes the decoded output, not what is captured: -w always stores the raw packets (up to the snapshot length set with -s). When -v is combined with -w, tcpdump periodically reports the number of packets captured on standard error, which is the main reason to use it here.

tcpdump -i eno1 -vvv -w dump.pcap

Filtering

By IP address

You can get all the packets sent to or received from a host using the host argument[3].

tcpdump host 192.168.1.12

By Sender IP Address

You can filter out all the packets except those sent by a host using the src host argument[2].

tcpdump -i eno1 src host 192.168.1.12

You can leave off the host keyword and just use src[3]; host is the qualifier tcpdump assumes when none is given.

By Target IP Address

To filter out all the packets except those going to a specific target, use the dst host argument[2].

tcpdump -i eno1 dst host 192.168.1.1

Sender and Target IP Addresses

You can combine primitives using the logical operators and, or, and not[3] (also written &&, ||, and !).

tcpdump 'src 192.168.1.1 and dst 192.168.1.12'

The single quotes are optional here; their job is to hand the whole expression to tcpdump without the shell interpreting it. They become necessary as soon as the filter contains characters the shell treats specially, such as parentheses or !.

By Subnet

You can grab all the packets to or from a network or subnet using the net argument and CIDR notation[3]. This example grabs all the packets on the 192.168.1.0/24 subnet (192.168.1.0 through 192.168.1.255).

tcpdump net 192.168.1.0/24

By port and/or protocol

If you want to only catch activity on a certain port and by a certain protocol, use the port argument together with the name of the protocol (e.g. udp)[3]. This would catch all TCP traffic to or from port 22, the default SSH port.

tcpdump tcp port 22

You can use tcp, udp, or icmp for the protocol qualifier[4] (icmp has no ports, so it only makes sense on its own or with host/net). Multiple ports have to be joined with or; the pcap filter grammar has no comma-separated list, so tcp port 22,80 is a syntax error. A contiguous range can be written with portrange instead.

tcpdump 'tcp and (port 22 or port 80)'

Turn off hostname and port translation

By default tcpdump resolves IP addresses to hostnames, and port and protocol numbers to service names, whenever it can. -n turns off address-to-hostname resolution[3]; -nn also leaves ports and protocols numeric. Skipping the lookups reduces tcpdump's overhead and output delays, and it also stops the capturing host from sending a reverse DNS query for every address it sees, which is usually unwanted noise (and a tell) on a host you are investigating.

tcpdump -nn -i eno1 port 22
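The following is an added example (my own shell, not from the notes or the books cited below) that ties the filtering and -n sections together: helper functions compose filter expressions the way the pcap grammar actually expects, including several ports joined with or, and a wrapper runs tcpdump with -nn and -w while passing the filter as a single argument so the shell cannot split it. The interface eno1, the addresses, ports and file name are placeholders, and DRY_RUN=1 is my own switch that prints the command instead of running it (so the script can be tried without root).

```shell
#!/bin/sh
# Added example, not part of the original notes.
# Assumptions: eno1, the addresses, ports and dump.pcap are placeholders;
# DRY_RUN=1 (my own convention) prints the tcpdump command instead of running it.

# port_filter PROTO PORT... -> "PROTO and (port P1 or port P2 ...)"
# The pcap grammar has no comma list: "tcp port 22,80" is a syntax error,
# so each port gets its own "port" primitive joined with "or".
port_filter() {
    proto=$1; shift
    case "$proto" in
        tcp|udp) ;;
        icmp) echo "icmp has no ports; filter it with host or net instead" >&2; return 1 ;;
        *) echo "unknown protocol qualifier: $proto" >&2; return 1 ;;
    esac
    [ $# -gt 0 ] || { echo "need at least one port" >&2; return 1; }
    ports=""
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        ports="${ports:+$ports or }port $p"
    done
    echo "$proto and ($ports)"
}

# flow_filter SRC DST -> one direction of a conversation.
flow_filter() {
    echo "src host $1 and dst host $2"
}

# and_filters F1 F2 ... -> "(F1) and (F2) ...", parenthesised so that an
# "or" inside one sub-filter cannot leak into the others.
and_filters() {
    out=""
    for f in "$@"; do
        out="${out:+$out and }($f)"
    done
    echo "$out"
}

# capture IFACE OUTFILE FILTER: -nn skips DNS and service-name lookups,
# -w stores the raw packets. The filter is passed as ONE argument so the
# shell never word-splits or globs it (parentheses included).
capture() {
    iface=$1; out=$2; filter=$3
    set -- tcpdump -nn -i "$iface" -w "$out" "$filter"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
        return 0
    fi
    "$@"
}

# Demonstration: SSH or HTTP traffic within the 192.168.1.0/24 subnet.
DRY_RUN=1 capture eno1 dump.pcap \
    "$(and_filters "$(port_filter tcp 22 80)" 'net 192.168.1.0/24')"
```

Run with DRY_RUN unset (and sudo) to start the real capture; the printed dry-run line is exactly the command that would execute, which is a handy way to review a filter before pointing it at a busy interface.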

Sources

Footnotes:

[1] Diogenes, Y. & Ozkaya, E. (2018). Cybersecurity, Attack and Defense Strategies: infrastructure security with Red Team and Blue Team tactics. Birmingham, UK: Packt Publishing.

[2] Johansen, G. (2017). Digital forensics and incident response: an intelligent way to respond to attacks. Birmingham, UK: Packt Publishing.

[3] Beltrame, J. (2017). Penetration testing bootcamp: quickly get up and running with pentesting techniques. Birmingham, UK: Packt Publishing.

[4] McPhee, M. & Beltrame, J. (2016). Penetration testing with Raspberry Pi: learn the art of building a low-cost, portable hacking arsenal using Raspberry Pi 3 and Kali Linux 2. Birmingham, UK: Packt Publishing.

[5] Baxter, J., Orzach, Y. & Mishra, C. (2017). Wireshark revealed: essential skills for IT professionals: get up and running with Wireshark to analyze your network effectively. Birmingham, UK: Packt Publishing.