Saturday, April 5, 2014

Tcpdump - Packet Analysis

Tcpdump

tcpdump is a command-line packet analyzer (packet sniffer).

tcpdump works on most Unix-like operating systems. It can save the captured packets to a file for later analysis; the saved file can be read back with tcpdump itself, or with open-source tools such as Wireshark that understand the pcap format. Capturing on a live interface requires elevated privileges (root, or CAP_NET_RAW/CAP_NET_ADMIN on Linux), which is why every example below runs as root. A capture file holds everything that crossed the wire, including cleartext credentials, session cookies or private conversations, so treat pcap files as sensitive data and restrict who can read them.

 

Display Available Interfaces

tcpdump -D

root@server [~]# tcpdump -D
1.venet0
2.any (Pseudo-device that captures on all interfaces)
3.lo
root@server [~]#

Capture Packets from a Specific Interface (-i)

Note that without -n, tcpdump performs a reverse-DNS (PTR) lookup for every address it prints. The queries to google-public-dns-a.google.com in the output below are generated by tcpdump itself while resolving the SSH peer's address, not by the traffic being monitored. These lookups slow the display down, add noise to the capture, and tell your resolver which hosts you are observing, so use -n (or -nn) unless you specifically want names. "capture size 65535 bytes" is the snapshot length: the maximum number of bytes kept per packet.

root@server [~]# tcpdump -i venet0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:00:42.331707 IP server.ambazhathinkal.in.ssh > 117.229.105.142.52134: Flags [P.], seq 3735409106:3735409314, ack 2338129367, win 245, options [nop,nop,TS val 585670560 ecr 6439886], length 208
17:00:42.332608 IP server.ambazhathinkal.in.51256 > google-public-dns-a.google.com.domain: 9961+ PTR? 142.105.229.117.in-addr.arpa. (46)
17:00:42.366150 IP google-public-dns-a.google.com.domain > server.ambazhathinkal.in.51256: 9961 NXDomain 0/1/0 (135)
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
root@server [~]#

Capture Only N Packets (-c N)
root@server [~]# tcpdump -c 2 -i venet0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:03:14.203134 IP server.ambazhathinkal.in.ssh > 117.229.105.142.52134: Flags [P.], seq 3735412498:3735412706, ack 2338129623, win 245, options [nop,nop,TS val 585822432 ecr 6591730], length 208
17:03:14.203745 IP server.ambazhathinkal.in.54248 > google-public-dns-a.google.com.domain: 58709+ PTR? 142.105.229.117.in-addr.arpa. (46)
2 packets captured
6 packets received by filter
0 packets dropped by kernel
root@server [~]#

Print Captured Packets in ASCII (-A)
-A prints the packet payload as ASCII, which is useful for cleartext protocols. Encrypted payloads such as the SSH packet below show up as unreadable bytes, whereas the DNS query's name is visible in clear.
root@server [~]# tcpdump -c 2 -A -i venet0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:04:06.388115 IP server.ambazhathinkal.in.ssh > 117.229.105.142.52134: Flags [P.], seq 3735414290:3735414498, ack 2338130631, win 245, options [nop,nop,TS val 585874617 ecr 6643936], length 208
E.....@.@......Ju.i..........]
.....N3.....
"....e`.......{.jx.o....._../.......!#.[L.y..A.8.S.......P..c.....M.u^.......m.....i...: .........".Z/7.)M.@..s.
crU.#......c..u.xr2.5..R..-..Ge....d$~$.nHSQ^..4.5.9H.B%2N1..u..+......Kd...nUe...v.bF.C|V...\6.:..
17:04:06.391171 IP server.ambazhathinkal.in.40493 > google-public-dns-a.google.com.domain: 21091+ PTR? 142.105.229.117.in-addr.arpa. (46)
E..J..@.@......J.....-.5.6j.Rc...........142.105.229.117.in-addr.arpa.....
2 packets captured
6 packets received by filter
0 packets dropped by kernel
root@server [~]#

Display Captured Packets in HEX and ASCII (-XX)
-XX dumps each packet in hex and ASCII including the link-layer header (the 16-byte Linux cooked header at offset 0x0000 below; the IP header starts at 0x0010). Use -X to start the dump at the IP header instead.

root@server [~]# tcpdump -c 2 -XX -i venet0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:05:08.618109 IP server.ambazhathinkal.in.ssh > 117.229.105.142.52134: Flags [P.], seq 3735416610:3735416818, ack 2338132071, win 264, options [nop,nop,TS val 585936847 ecr 6706171], length 208
0x0000: 0004 ffff 0000 0000 0000 0000 0000 0800 ................
0x0010: 4510 0104 a8ce 4000 4006 066c 17ec 934a E.....@.@..l...J
0x0020: 75e5 698e 0016 cba6 dea5 ef22 8b5d 1067 u.i........".].g
0x0030: 8018 0108 dbb6 0000 0101 080a 22ec afcf ............"...
0x0040: 0066 53fb 78bd e9bd 17f8 ff6d f6e4 3fa9 .fS.x......m..?.
0x0050: e9a0 25b1 67f1 7440 ccc8 7e9c 30e4 dd9d ..%.g.t@..~.0...
0x0060: e5b0 c36a 615c 3c8f 9c37 e2a4 d023 5ddb ...ja\<..7...#].
0x0070: fa1c 4e11 8718 823e ca5e 0c8d 02f6 14c4 ..N....>.^......
0x0080: 1c5d 3d13 6dfa a241 4108 0eed 4aae 4ba2 .]=.m..AA...J.K.
0x0090: 3f87 78c6 0d0d d5fc dccb aed2 164e b06f ?.x..........N.o
0x00a0: 3f64 023d 5ad2 3782 578e 677d 53d5 2282 ?d.=Z.7.W.g}S.".
0x00b0: 7691 6e26 8766 1712 dd94 bac6 5f32 8127 v.n&.f......_2.'
0x00c0: c25e 39fa 1ae8 8590 8b2c 5c66 a72e ae6f .^9......,\f...o
0x00d0: e565 1885 b34a 8fb6 7831 7f53 03cb a124 .e...J..x1.S...$
0x00e0: ac09 cfe6 79fb 32b1 47f4 fc1e 815b d658 ....y.2.G....[.X
0x00f0: fb1d eaa4 193a 0aea c91a 0979 e60e 8f81 .....:.....y....
0x0100: b1f5 75e5 9ce9 0098 4b78 88e3 5c9f 6548 ..u.....Kx..\.eH
0x0110: 2400 f7d2 $...
17:05:08.618451 IP server.ambazhathinkal.in.41925 > google-public-dns-a.google.com.domain: 40716+ PTR? 142.105.229.117.in-addr.arpa. (46)
0x0000: 0004 ffff 0000 0000 0000 0000 0000 0800 ................
0x0010: 4500 004a afcf 4000 4011 cf8d 17ec 934a E..J..@.@......J
0x0020: 0808 0808 a3c5 0035 0036 184b 9f0c 0100 .......5.6.K....
0x0030: 0001 0000 0000 0000 0331 3432 0331 3035 .........142.105
0x0040: 0332 3239 0331 3137 0769 6e2d 6164 6472 .229.117.in-addr
0x0050: 0461 7270 6100 000c 0001 .arpa.....
2 packets captured
7 packets received by filter
0 packets dropped by kernel
root@server [~]#
Capture and Save Packets to a File (-w)
tcpdump can write the raw captured packets to a file in pcap format with the -w option; nothing is decoded to the terminal. Check the ownership and permissions of the resulting file afterwards: it contains the full packet contents, including any cleartext credentials or tokens that were on the wire, so it should only be readable by the people who need to analyse it.

root@server [~]# tcpdump -w capture.pcap -i venet0 -c 2
tcpdump: listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
2 packets captured
2 packets received by filter
0 packets dropped by kernel
root@server [~]#

Read a Captured Packets File (-r)
Reading a saved file does not need raw-socket privileges, so captures, especially ones received from third parties, are best parsed as an unprivileged user: protocol dissectors are complex parsers and a malformed capture can crash or otherwise abuse them.

root@server [~]# tcpdump -r capture.pcap
reading from file capture.pcap, link-type LINUX_SLL (Linux cooked)
17:08:38.806091 IP server.ambazhathinkal.in.ssh > 117.229.105.142.52134: Flags [P.], seq 3735422754:3735422882, ack 2338135191, win 301, options [nop,nop,TS val 586147035 ecr 6916384], length 128
17:08:39.017626 IP 117.229.105.142.52134 > server.ambazhathinkal.in.ssh: Flags [.], ack 4294967248, win 350, options [nop,nop,TS val 6916625 ecr 586146889], length 0
root@server [~]#

Print Addresses Numerically (-n)
-n disables reverse-DNS lookups for hosts, so addresses are printed as numbers and no PTR queries are generated by tcpdump. Port numbers are still converted to service names (note ".ssh" in the output below); use -nn to print port numbers as well.
root@server [~]# tcpdump -n -i venet0 -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:10:08.004118 IP 23.236.147.74.ssh > 117.229.105.142.52134: Flags [P.], seq 3735427426:3735427634, ack 2338139127, win 320, options [nop,nop,TS val 586236233 ecr 7005529], length 208
17:10:08.005101 IP 23.236.147.74.ssh > 117.229.105.142.52134: Flags [P.], seq 208:432, ack 1, win 320, options [nop,nop,TS val 586236234 ecr 7005529], length 224
2 packets captured
2 packets received by filter
0 packets dropped by kernel
root@server [~]#

Capture Only Packets of a Specific Protocol
The filter expression can select packets by protocol. Protocol qualifiers include ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp (see the pcap-filter manual page for the full list). On Linux the filter may be given before the options, as in the example below, but for portability put the filter expression last, after all options, since non-GNU option parsers stop at the first non-option argument.
Capture only TCP packets.
root@server [~]# tcpdump tcp -n -i venet0 -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:11:07.476977 IP 23.236.147.74.ssh > 117.229.105.142.52134: Flags [P.], seq 3735429474:3735429682, ack 2338140615, win 339, options [nop,nop,TS val 586295706 ecr 7065032], length 208
17:11:07.478077 IP 23.236.147.74.ssh > 117.229.105.142.52134: Flags [P.], seq 208:432, ack 1, win 339, options [nop,nop,TS val 586295707 ecr 7065032], length 224
2 packets captured
2 packets received by filter
0 packets dropped by kernel
root@server [~]#
Capture Packet from Specific Port
root@server [~]# tcpdump -i venet0 -c 2 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:13:27.897094 IP server.ambazhathinkal.in.ssh > 117.229.105.142.52134: Flags [P.], seq 3735436786:3735436994, ack 2338145415, win 376, options [nop,nop,TS val 586436126 ecr 7205457], length 208
17:13:27.931104 IP 117.229.105.142.52134 > server.ambazhathinkal.in.ssh: Flags [.], ack 4294967200, win 350, options [nop,nop,TS val 7205530 ecr 586435792], length 0
2 packets captured
2 packets received by filter
0 packets dropped by kernel
root@server [~]#

Capture Packets from source IP
root@server [~]# tcpdump -i venet0 -c 2 src 117.229.105.142
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:14:30.811557 IP 117.229.105.142.52134 > server.ambazhathinkal.in.ssh: Flags [.], ack 3735438258, win 350, options [nop,nop,TS val 7268377 ecr 586498643], length 0
17:14:30.821445 IP 117.229.105.142.52134 > server.ambazhathinkal.in.ssh: Flags [.], ack 209, win 349, options [nop,nop,TS val 7268418 ecr 586498679], length 0
2 packets captured
2 packets received by filter
0 packets dropped by kernel
root@server [~]#

Capture Packets from destination IP
root@server [~]# tcpdump -i venet0 -c 2 dst 117.229.105.142
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:15:21.742231 IP server.ambazhathinkal.in.ssh > 117.229.105.142.52134: Flags [P.], seq 3735440594:3735440802, ack 2338147527, win 376, options [nop,nop,TS val 586549971 ecr 7319311], length 208
17:15:21.780917 IP server.ambazhathinkal.in.ssh > 117.229.105.142.52134: Flags [P.], seq 208:448, ack 1, win 376, options [nop,nop,TS val 586550009 ecr 7319311], length 240
2 packets captured
2 packets received by filter
0 packets dropped by kernel
root@server [~]#
Capture packets with a full, human-readable timestamp (-tttt)
By default tcpdump prints only the time of day; -tttt prints the date as well, which matters when a capture spans midnight or is correlated with logs from other systems.

root@server [~]# tcpdump -i venet0 -c 2 -tttt
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
2014-04-05 17:16:45.037856 IP server.ambazhathinkal.in.ssh > 117.229.105.142.52134: Flags [P.], seq 3735441874:3735442082, ack 2338147959, win 376, options [nop,nop,TS val 586633266 ecr 7402589], length 208
2014-04-05 17:16:45.038158 IP server.ambazhathinkal.in.46789 > google-public-dns-a.google.com.domain: 39807+ PTR? 142.105.229.117.in-addr.arpa. (46)
2 packets captured
6 packets received by filter
0 packets dropped by kernel
root@server [~]#

Capture packets of at least N bytes (greater N)
Note that "greater N" is equivalent to "len >= N": it matches packets whose length is N or more, not strictly greater than N. Likewise "less N" is "len <= N".
root@server [~]# tcpdump -i venet0 greater 10 -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:19:20.122230 IP server.ambazhathinkal.in.ssh > 117.229.105.142.52134: Flags [P.], seq 3735948930:3735949138, ack 2338151511, win 376, options [nop,nop,TS val 586788351 ecr 7557672], length 208
17:19:20.122730 IP server.ambazhathinkal.in.59146 > google-public-dns-a.google.com.domain: 31990+ PTR? 142.105.229.117.in-addr.arpa. (46)
2 packets captured
6 packets received by filter
0 packets dropped by kernel
root@server [~]#

tcpdump Filter Packets – Capture all the packets other than arp and rarp

root@server [~]# tcpdump -i venet0 not arp and not rarp -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:30:41.794859 IP server.ambazhathinkal.in.ssh > 117.229.105.142.52134: Flags [P.], seq 3736055922:3736056130, ack 2338154311, win 395, options [nop,nop,TS val 587470023 ecr 8239360], length 208
17:30:41.795163 IP server.ambazhathinkal.in.56375 > google-public-dns-a.google.com.domain: 62843+ PTR? 142.105.229.117.in-addr.arpa. (46)
2 packets captured
6 packets received by filter
0 packets dropped by kernel
root@server [~]#

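# tcpdump quick reference: the commands used in the walkthrough above.
#
# Capturing on a live interface needs root or CAP_NET_RAW; reading a saved
# file with -r does not, so parse captures you did not produce yourself as
# an unprivileged user.  Capture files hold full packet payloads (including
# any cleartext credentials on the wire); restrict their permissions.
#
# Filter expressions are written after all options.  GNU getopt accepts
# them first as well (the session above does that), but non-GNU option
# parsers such as BSD's stop at the first non-option argument, so
# "tcpdump tcp -n -i venet0" would treat "-n -i venet0" as filter text.

tcpdump -D                                    # list interfaces that can be captured on
tcpdump -i venet0                             # capture on venet0 until ^C (resolves names: emits PTR queries)
tcpdump -i venet0 -c 2                        # stop after 2 packets
tcpdump -i venet0 -c 5 -vv                    # verbose protocol decode
tcpdump -c 2 -A -i venet0                     # print payload as ASCII
tcpdump -c 2 -XX -i venet0                    # hex + ASCII including the link-layer header (-X omits it)
tcpdump -w capture.pcap -i venet0 -c 2        # write raw packets to a pcap file (nothing decoded to the terminal)
tcpdump -r capture.pcap                       # read a saved capture back
tcpdump -n -i venet0 -c 2                     # no host-name resolution (-nn also skips port/service names)
tcpdump -n -i venet0 -c 2 tcp                 # only TCP (filter placed after the options)
tcpdump -i venet0 -c 2 port 22                # source or destination port 22
tcpdump -i venet0 -c 2 src 117.229.105.142    # packets from a given source address
tcpdump -i venet0 -c 2 dst 117.229.105.142    # packets to a given destination address
tcpdump -i venet0 -c 2 -tttt                  # full date + time timestamps
tcpdump -i venet0 -c 2 greater 10             # length >= 10 bytes ("greater" means len >= N, not strictly greater)
tcpdump -i venet0 -c 2 not arp and not rarp   # everything except ARP and RARP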
