Working with TCPDump | SpaceCore WIKI

This utility is a useful tool for interception and collection of packets coming to and from the server.

TCPDump installation

For Ubuntu/Debian:

apt install tcpdump

For Red Hat / CentOS:

sudo yum install tcpdump

Argument for the command

-c — completes packet collection after the set amount is reached.

-C —allows you to set the maximum size of the dump file after which a new file will be created.

-e — displays connection level information for each packet processed.

-F — package output from the specified file, not the interface.

-f — displays the domain name for each IP address.

-G — creates a new dump file after the specified time.

-H —creates a constraint that only 802.11s headers will be processed by TCPDump.

-i —the name of the interface from which the packages will be collected. To use all interfaces of the server, specify any value.

-I — Enables the monitoring mode for the specified interface (to detect all passing packets).

-E — is used to decrypt IPSEC traffic (you must specify a key for decryption).

-K — disables check of packet checksums.

-L — displays supported connection protocols for the specified interface.

-n — dump pass.

-nn — output of addresses together with their ports.

-q — minimization of output information about packages.

-tttt — displays the time stamps for each package in the standard format.

-v, -vv, -vvv — more detailed display of package information.

-Z — более подробное отображение информации о пакете.

-w — the name of the file in which the dump will be saved (by default without this argument the dump is displayed in real time without writing to the file).

Using

In order not to clog our dump with extra packages, you should choose a specific interface from which we want to collect information, not all. You can view a list of all interfaces by using this command:

tcpdump -D

On our virtual servers (VDS), the main network interface is ens3.

To display the logs of our network interface in real time, use the command:

tcpdump -i ens3

Don’t forget that TCPDump requires root rights, so you should run these commands as root or by using sudo.

After using the command we will see many running lines, to stop the dump use the key combination Ctrl + C

The collected data packets are about this type:

22:31:56.330185 IP fsn.spacecore.network.65383 > fsn.spacecore.network.ssh: Flags [P.], seq 7841:7905, ack 10730080, win 6145, length 64

But when using different protocols, the package may have different inside features.

Try to see more information about packages using the argument -v

tcpdump -i ens3 -v

Now our packages have a more massive structure of type:

22:36:42.254306 IP (tos 0x0, ttl 122, id 61139, offset 0, flags [DF], proto TCP (6), length 104) fsn.spacecore.network.65383 > fsn.spacecore.network.ssh: Flags [P.], cksum 0x2699 (correct), seq 321:385, ack 1027616, win 6141, length 64

In this case, you can see more information about the IP address protocol

P (tos 0x0, ttl 122, id 61139, offset 0, flags [DF], proto TCP (6)

Filtering argument

An equally powerful feature is the additional argument that allows us to filter out different types of packages according to the following parameters:

host — host name.

ip — IP-address.

port — port.

proto — protocol.

net — network or subnet address.

src — source.

dst — the recipient.

Available protocols: tcp, udp, icmp, arp, rarp, decnet etc

These arguments can also be combined.

For example, we can view all packets that go from our server to the final address:

tcpdump dst 192.168.1.1

Conversely, all packets that are sent to our server from the source subnet (you can also use a specific IP address, as in the example above):

tcpdump src net 192.168.1.1/24

You can use arguments to find packages of the required size

tcpdump less 48 // пакеты меньше 48 бит
tcpdump greater 128 // пакеты больше 128 бит

Let’s say you have several Garry’s Mod servers on different ports and you want to check if they are currently running a DDoS attack. For this we will fit a team:

tcpdump -nnv udp src portrange 27015-27025 -w garrysmod.dump

Note the specified port range.

The -w dump will be compiled into the garrysmod.dump file

Extended operators

In addition, TCPDump has operators for creating different combinations of arguments.

AND whether && (operator «AND»)

OR whether || (operator «OR»)

EXCEPT whether ! (operator «EXCEPT»)

Suppose we want to print out all the traffic of MySQL queries, which sends 192.168.1.1 to port 3306 (to any addresses).

tcpdump -nnv src 192.168.1.1 and tcp dst port 3306

Completion

Thanks for reading it! We have familiarized ourselves in detail with TCPDump, which is a very useful tool that is an integral part of the work of network engineers, as well as necessarily useful for ordinary users.

You can use the program to read packages on Windows WireShark.

PreviousNo interaction with private networks NextChange MTU Value

Last updated 10 months ago

This utility is a useful tool for interception and collection of packets coming to and from the server.

TCPDump installation

For Ubuntu/Debian:

apt install tcpdump

For Red Hat / CentOS:

sudo yum install tcpdump

Argument for the command

-c — completes packet collection after the set amount is reached.

-C —allows you to set the maximum size of the dump file after which a new file will be created.

-e — displays connection level information for each packet processed.

-F — package output from the specified file, not the interface.

-f — displays the domain name for each IP address.

-G — creates a new dump file after the specified time.

-H —creates a constraint that only 802.11s headers will be processed by TCPDump.

-i —the name of the interface from which the packages will be collected. To use all interfaces of the server, specify any value.

-I — Enables the monitoring mode for the specified interface (to detect all passing packets).

-E — is used to decrypt IPSEC traffic (you must specify a key for decryption).

-K — disables check of packet checksums.

-L — displays supported connection protocols for the specified interface.

-n — dump pass.

-nn — output of addresses together with their ports.

-q — minimization of output information about packages.

-tttt — displays the time stamps for each package in the standard format.

-v, -vv, -vvv — more detailed display of package information.

-Z — более подробное отображение информации о пакете.

-w — the name of the file in which the dump will be saved (by default without this argument the dump is displayed in real time without writing to the file).

Using

tcpdump -D

On our virtual servers (VDS), the main network interface is ens3.

To display the logs of our network interface in real time, use the command:

tcpdump -i ens3

Don’t forget that TCPDump requires root rights, so you should run these commands as root or by using sudo.

After using the command we will see many running lines, to stop the dump use the key combination Ctrl + C

The collected data packets are about this type:

22:31:56.330185 IP fsn.spacecore.network.65383 > fsn.spacecore.network.ssh: Flags [P.], seq 7841:7905, ack 10730080, win 6145, length 64

But when using different protocols, the package may have different inside features.

Try to see more information about packages using the argument -v

tcpdump -i ens3 -v

Now our packages have a more massive structure of type:

In this case, you can see more information about the IP address protocol

P (tos 0x0, ttl 122, id 61139, offset 0, flags [DF], proto TCP (6)

Filtering argument

An equally powerful feature is the additional argument that allows us to filter out different types of packages according to the following parameters:

host — host name.

ip — IP-address.

port — port.

proto — protocol.

net — network or subnet address.

src — source.

dst — the recipient.

Available protocols: tcp, udp, icmp, arp, rarp, decnet etc

These arguments can also be combined.

For example, we can view all packets that go from our server to the final address:

tcpdump dst 192.168.1.1

Conversely, all packets that are sent to our server from the source subnet (you can also use a specific IP address, as in the example above):

tcpdump src net 192.168.1.1/24

You can use arguments to find packages of the required size

tcpdump less 48 // пакеты меньше 48 бит
tcpdump greater 128 // пакеты больше 128 бит

Let’s say you have several Garry’s Mod servers on different ports and you want to check if they are currently running a DDoS attack. For this we will fit a team:

tcpdump -nnv udp src portrange 27015-27025 -w garrysmod.dump

Note the specified port range.

The -w dump will be compiled into the garrysmod.dump file

Extended operators

In addition, TCPDump has operators for creating different combinations of arguments.

AND whether && (operator «AND»)

OR whether || (operator «OR»)

EXCEPT whether ! (operator «EXCEPT»)

Suppose we want to print out all the traffic of MySQL queries, which sends 192.168.1.1 to port 3306 (to any addresses).

tcpdump -nnv src 192.168.1.1 and tcp dst port 3306

Completion

You can use the program to read packages on Windows WireShark.

PreviousNo interaction with private networks NextChange MTU Value

Last updated 10 months ago