In this blog post, I assume that tcpdump is already installed since the installation method can vary from system to system, and basic Linux and CLI skills already exist. I'll try to keep it as short as possible while providing all the necessary information.
tcpdump is a CLI tool to capture network traffic to help you troubleshoot specific issues. I'll use a Linux system as a reference system.
To start a packet capture, simply type sudo tcpdump in your terminal. This will show you all packets from and to all interfaces, but it won't be saved anywhere. You can end the capture by pressing CTRL + C.
You can get more help with the -h / --help or get the current version of tcpdump with --version.
The following sections show you how to filter the traffic and save your packet captures to disk. For more advanced filters, you can use logical operators to combine filters.
There are many ways to filter the packets you want to capture, and we are going to start with the host and network filters. Here are some examples:
sudo tcpdump host 10.10.20.1Results for a simple ping:
kuser@pleasejustwork:~/9_temp/tcpdump$ sudo tcpdump host 10.10.20.1
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlp9s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
17:51:24.396399 IP pleasejustwork > _gateway: ICMP echo request, id 15, seq 4, length 64
17:51:24.402897 IP _gateway > pleasejustwork: ICMP echo reply, id 15, seq 4, length 64
17:51:25.398088 IP pleasejustwork > _gateway: ICMP echo request, id 15, seq 5, length 64
17:51:25.404880 IP _gateway > pleasejustwork: ICMP echo reply, id 15, seq 5, length 64
17:51:26.400067 IP pleasejustwork > _gateway: ICMP echo request, id 15, seq 6, length 64
17:51:26.404658 IP _gateway > pleasejustwork: ICMP echo reply, id 15, seq 6, length 64
17:51:27.401819 IP pleasejustwork > _gateway: ICMP echo request, id 15, seq 7, length 64
17:51:27.408093 IP _gateway > pleasejustwork: ICMP echo reply, id 15, seq 7, length 64
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel
Side note: In this example, I've pinked my gateway. If you don't want to resolve hostnames, simply use the -n flag.
src or dst:sudo tcpdump src 10.10.10.10sudo tcpdump dst 10.10.10.10Use logical operators to filter for more than one host.
If you want to traffic for a specific network, you can use the net option together with the network address and CIDR notation.
sudo tcpdump net 10.10.10.0/24src or dst to see only the incoming or outgoing traffic:sudo tcpdump src net 10.10.10.0/24sudo tcpdump dst net 10.10.10.0/24If you need to filter captures for a specific MAC address, you simply could use the previous filters with ether.
sudo tcpdump ether host aa:aa:aa:bb:bb:bb # bi-directionalsudo tcpdump ether src aa:aa:aa:bb:bb:bb # sourcesudo tcpdump ether dst aa:aa:aa:bb:bb:bb # destinationtcpdump supports the most common formats and maybe even more:aaaaaabbbbbbaa-aa-aa-bb-bb-bbaa:aa:aa:bb:bb:bbaaaa.aabb.bbbb-Q / --direction options:sudo tcpdump -Q in / sudo tcpdump --direction=in # all incoming trafficsudo tcpdump -Q out / sudo tcpdump --direction=out # all outgoing trafficsudo tcpdump port 53 # source or destination portsudo tcpdump src port 53 # source portsudo tcpdump dst port 53 # destination portsudo tcpdump port 80 or port 443portrange instead if you want to filter a range of ports:sudo tcpdump portrange 53 # source or destination portsrc and dst can be used too!tcpudpicmpipip6arpChoosing the proper interface is one of my most used options to keep the pcap file as small as possible. Most servers have multiple NICs, and many troubleshooting sessions require me to be connected to multiple networks. Choosing a single interface keeps things sorted.
Since most servers have multiple network interfaces and my troubleshooting sessions with my laptop usually required me to select a specific interface, this might be one of the most used filters for me.
You can list the available interfaces with the -D / --list-interfaces options.
Example of tcpdump -D:
kuser@pleasejustwork:~/9_temp/tcpdump$ tcpdump -D
1.eth0 [Up, Running, Connected]
2.wg-mullvad [Up, Running]
3.any (Pseudo-device that captures on all interfaces) [Up, Running]
4.lo [Up, Running, Loopback]
[...]
To choose an interface, you could use the name of the interface or the number in front of it in the list.
-i / --interface like this:sudo tcpdump -i 1 orsudo tcpdump --interface=eth0You could use any as an interface for all interfaces, which is the current default anyway.
These are just some filters that are important to know.
tcpdump not to resolve hostnames:-ntcpdump not to resolve host or port names:-nn-c NUMBER-S / --absolute-tcp-sequence-numbers-F FILENAMEsudo tcpdump -i 2 -F filterfile # examplekuser@pleasejustwork:~/9_temp/tcpdump$ cat filterfile
net 10.10.20.0/24 and port 53
Important: Some options - like the choice of the interface - can not be put into this file, and the tcpdump user must be an owner or in the owner group of the file with the filters to get it working. Additional filters provided in the CLI will be ignored!
As mentioned before, filters can be combined, and logical operators can be used for more advanced filter combinations.
and / &&or / ||not / !<>tcpdump with more options could look like this:sudo tcpdump -n -i 2 "host 10.10.21.1 and (port 80 or port 443)"Side note: You need to place the filters in quotes if you want to use parentheses.
You've got various options to adjust the display of the captured packets in the terminal. This won't affect the raw packet capture that you would write to disk.
-v / -vv / -vvv-q-# / --number20:03:46.735488-t # no timestamp-tt # as seconds since Jan 1, 1970, 00:00:00, UTC > 1686506678.821116-ttt # print the delta to the previous packet in microseconds per default > 00:00:00.006491-tttt # human readable with date and time > 2023-06-11 20:11:56.431621-ttttt # delta between current and the first packet of this capture in microseconds per default > 00:00:04.013707Before we start, tcpdump overwrites files and does not append existing files. There is no option to change that, to my knowledge.
-w flag to write the raw packets to disk:-w traffic.pcap # saves file to the current directory-w - # sends output to stdoutSide note: The file will contain the raw binary packet data and won't be human-readable. To change that, you can import the data with the -r option that I will explain later in this post.
The default owner and group of the file will be tcpdump but can be changed with the -Z USERNAME option. This drops the ownership, and the provided user will be the new owner of this file.
When you write the raw information to a file, tcpdump won't show any packets in the terminal. This can be changed with the --print option. That said, in the older version, --print is not available, and the same can be achieved with the following oneliner.
--print replacement for older versions:sudo tcpdump -w - -U | tee traffic.pcap | tcpdump -r --w - # sends binary data to stdout-U # no buffering between packetstee traffic.pcap # write binary data to file and its own stdout-r - # reads binary data from stdin and presents it in a human-readable formSometimes it is necessary to capture a lot of packets. There are some options on how to handle large pcap files.
-C NUMBER # default unit is 1.000.000 bytes or 1 MB. According to the docs, it can be changed to kilo- and gigabyte by adding k/K and g/G, respectively, after the number, but it did not work in my tests.tcpdump will just add a number behind the filename and count up.Side note: If you encounter the Permission denied error, make sure that the user tcpdump is the owner or part of the owner group of the directory or use the -Z USERNAME option to choose another user for the file!
Example:
kuser@pleasejustwork:~/9_temp/tcpdump$ sudo tcpdump -n -w traffic.pcap -C 1 -Z kuser
tcpdump: listening on wlp9s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C3040 packets captured
3040 packets received by filter
0 packets dropped by kernel
kuser@pleasejustwork:~/9_temp/tcpdump$ ls -l
total 3096
-rw-r--r-- 1 kuser kuser 1000460 Jun 11 21:18 traffic.pcap
-rw-r--r-- 1 kuser kuser 1000708 Jun 11 21:18 traffic.pcap1
-rw-r--r-- 1 kuser kuser 1000574 Jun 11 21:18 traffic.pcap2
-rw-r--r-- 1 kuser kuser 157610 Jun 11 21:18 traffic.pcap3
If you want to limit the number of files, you can create a rotating buffer with -W NUMBER. If the chosen number of files is reached, tcpdump starts to overwrite the first file again. It must be combined with the -C option.
As mentioned before, tcpdump saves everything raw in binary in a file that is not human readable. You can read this file again, make it human readable again, and apply new filters again.
-r flag to read the pcap file:-r traffic.pcap # saves file to the current directory-r - # sends output to stdinAlmost all filters that are mentioned in this post can be applied to already existing pcap files.
I'll keep this blog post up to date. Feedback and tips are welcome.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。