EXAMPLES OF TCPDUMP

If you are new to tcpdump, start with its manual page by typing the following command in your shell.


root@debian:/home/anupam#man tcpdump


It lists the options tcpdump accepts for capturing network traffic.


Let us look at some simple examples.





Examples:


root@debian:/home/anupam#tcpdump -i eth0


tcpdump: verbose output suppressed, use -v or -vv for full protocol decode


listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes


14:21:11.209796 IP 10.10.127.3.3128 > debian-5.local.46572: Flags [.], seq 468:1916, ack 1, win 446, options [nop,nop,TS val 45540201 ecr 3263108], length 1448


14:21:11.209803 IP 10.10.127.3.3128 > debian-5.local.46572: Flags [P.], seq 1916:1924, ack 1, win 446, options [nop,nop,TS val 45540201 ecr 3263108], length 8


This prints the packet header information seen on the interface named eth0. The -i option selects the interface on which tcpdump listens. If it is not specified, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback). Ties are broken by choosing the earliest match.


root@debian:/home/anupam#tcpdump -vv -i eth0


listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes


4:34:30.989603 IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF], proto UDP (17), length 188)


debian.local.mdns > 224.0.0.251.mdns: [udp sum ok] 0*- [0q] 5/0/0 _workstation._tcp.local. PTR debian [00:24:81:1e:ac:d2]._workstation._tcp.local., debian [00:24:81:1e:ac:d2]._workstation._tcp.local. (Cache flush) TXT "", debian [00:24:81:1e:ac:d2]._workstation._tcp.local. (Cache flush) SRV debian.local.:9 0 0, debian.local. (Cache flush) AAAA fe80::224:81ff:fe1e:acd2, debian.local. (Cache flush) A 10.10.127.77 (160)


14:34:30.998522 IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF], proto UDP (17), length 190)


istlab3.local.mdns > 224.0.0.251.mdns: [udp sum ok] 0*- [0q] 5/0/0 _workstation._tcp.local. PTR istlab3 [00:26:18:08:af:69]._workstation._tcp.local., istlab3 [00:26:18:08:af:69]._workstation._tcp.local. (Cache flush) TXT "", istlab3 [00:26:18:08:af:69]._workstation._tcp.local. (Cache flush) SRV istlab3.local.:9 0 0, istlab3.local. (Cache flush) AAAA fe80::226:18ff:fe08:af69, istlab3.local. (Cache flush) A 10.10.154.104 (162)


14:34:30.999021 IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF], proto UDP (17), length 192)


debian-3.local.mdns > 224.0.0.251.mdns: [udp sum ok] 0*- [0q] 5/0/0 _workstation._tcp.local. PTR debian-3 [00:24:8c:fb:46:da]._workstation._tcp.local., debian-3 [00:24:8c:fb:46:da]._workstation._tcp.local. (Cache flush) TXT "", debian-3 [00:24:8c:fb:46:da]._workstation._tcp.local. (Cache flush) SRV debian-3.local.:9 0 0, debian-3.local. (Cache flush) AAAA fe80::224:8cff:fefb:46da, debian-3.local. (Cache flush) A 192.168.0.71 (164)


14:34:40.350743 IPX 00000000.00:26:18:08:b0:c8.0453 > 00000000.ff:ff:ff:ff:ff:ff.0453: ipx-rip-resp 1142348611/1.2


14:34:40.384519 IP6 (hlim 255, n





The above output contains additional fields because the -vv option is used. The -vv option prints even more verbose output than -v. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.





root@debian:/home/anupam#tcpdump -tttt -vv -i eth0


listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes


2011-02-07 14:42:00.078577 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.0.249 tell 192.168.0.91, length 46


2011-02-07 14:42:00.158131 IP6 (hlim 255, next-header UDP (17) payload length: 52) fe80::a800:4ff:fe00:a04.mdns > ff02::fb.mdns: [udp sum ok] 0 PTR (QM)? 255.127.10.10.in-addr.arpa. (44)


2011-02-07 14:42:00.158175 IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF], proto UDP (17), length 72)


debian-5.local.mdns > 224.0.0.251.mdns: [bad udp cksum ed1b!] 0 PTR (QM)? 255.127.10.10.in-addr.arpa. (44)


2011-02-07 14:42:00.274237 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.10.154.11 tell 10.10.154.10, length 46


2011-02-07 14:42:00.375244 IP (tos 0x0, ttl 128, id 6988, offset 0, flags [none], proto UDP (17), length 78)


192.168.0.55.netbios-ns > 192.168.0.255.netbios-ns: [udp sum ok]





The above command prints the packet header information together with the date. The -tttt option prints a timestamp in the default format, preceded by the date, on each dump line, as shown above at the start of each line.





root@debian:/home/anupam#tcpdump -tttt -vv -x -i eth0


listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes


2011-02-07 16:26:30.741460 IP6 (hlim 255, next-header UDP (17) payload length: 51) fe80::a800:4ff:fe00:a04.mdns > ff02::fb.mdns: [udp sum ok] 0 PTR (QM)? 43.127.10.10.in-addr.arpa. (43)


0x0000: 6000 0000 0033 11ff fe80 0000 0000 0000


0x0010: a800 04ff fe00 0a04 ff02 0000 0000 0000


0x0020: 0000 0000 0000 00fb 14e9 14e9 0033 d551


0x0030: 0000 0000 0001 0000 0000 0000 0234 3303


0x0040: 3132 3702 3130 0231 3007 696e 2d61 6464


0x0050: 7204 6172 7061 0000 0c00 01


2011-02-07 16:26:34.700849 STP 802.1d, Config, Flags [none], bridge-id 807f.00:26:98:62:5f:80.8007, length 43


message-age 1.00s, max-age 20.00s, hello-time 2.00s, forwarding-delay 15.00s


root-id 807f.00:26:98:48:07:80, root-pathcost 4


0x0000: 4242 0300 0000 0000 807f 0026 9848 0780


0x0010: 0000 0004 807f 0026 9862 5f80 8007 0100


0x0020: 1400 0200 0f00 0000 0000 0000 0000


2011-02-07 16:26:34.743606 IP6 (hlim 255, next-header UDP (17) payload length: 52) fe80::a800:4ff:fe00:a04.mdns > ff02::fb.mdns: [udp sum ok] 0 PTR (QM)? 109.127.10.10.in-addr.arpa. (44)


0x0000: 6000 0000 0034 11ff fe80 0000 0000 0000


0x0010: a800 04ff fe00 0a04 ff02 0000 0000 0000


0x0020: 0000 0000 0000 00fb 14e9 14e9 0034 42ae


0x0030: 0000 0000 0001 0000 0000 0000 0331 3039


0x0040: 0331





The above prints the same information as before, plus the hex lines (0x0000, 0x0010, ...). The -x option prints the data of each packet (minus its link-level header) in hex, in addition to parsing and printing the headers of each packet. To capture a different number of bytes per packet than the default, use the -s option.
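To see where the fields in the decoded summary line come from, here is an added example (not from the original post) that parses the first hex dump above by hand. It assumes the dump was produced with -x, so it begins at the IPv6 header rather than the Ethernet header.

```python
import ipaddress
import struct

# Hex dump copied from the tcpdump -x output above (the 16:26:30 mDNS packet).
# With -x the link-level header is omitted, so byte 0 is the IPv6 header.
HEXDUMP = """
0x0000: 6000 0000 0033 11ff fe80 0000 0000 0000
0x0010: a800 04ff fe00 0a04 ff02 0000 0000 0000
0x0020: 0000 0000 0000 00fb 14e9 14e9 0033 d551
0x0030: 0000 0000 0001 0000 0000 0000 0234 3303
0x0040: 3132 3702 3130 0231 3007 696e 2d61 6464
0x0050: 7204 6172 7061 0000 0c00 01
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Drop the 0xNNNN: offsets and join the hex groups into raw bytes."""
    groups = []
    for line in dump.strip().splitlines():
        _offset, _, data = line.partition(":")
        groups.extend(data.split())
    return bytes.fromhex("".join(groups))


def decode_ipv6_udp_dns(pkt: bytes) -> dict:
    """Parse the IPv6 and UDP headers and the first DNS question (no name compression)."""
    # IPv6 fixed header: version/class/flow (4), payload length (2),
    # next header (1), hop limit (1), then 16-byte source and destination.
    ver_tc_fl, plen, nxt, hlim = struct.unpack("!IHBB", pkt[:8])
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    # UDP header: source port, destination port, length, checksum.
    sport, dport, ulen, _cksum = struct.unpack("!HHHH", pkt[40:48])
    dns = pkt[48:48 + ulen - 8]
    # The DNS header is 12 bytes; the question name follows as length-prefixed labels.
    labels, pos = [], 12
    while dns[pos] != 0:
        n = dns[pos]
        labels.append(dns[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", dns[pos + 1:pos + 5])
    return {
        "version": ver_tc_fl >> 28, "payload_len": plen, "next_header": nxt,
        "hlim": hlim, "src": str(src), "dst": str(dst), "sport": sport,
        "dport": dport, "udp_len": ulen, "dns_len": len(dns),
        "qname": ".".join(labels) + ".", "qtype": qtype, "qclass": qclass,
    }


def decode_page_packet() -> dict:
    """Decode the embedded dump; qtype 12 is PTR, matching the summary line."""
    return decode_ipv6_udp_dns(hexdump_to_bytes(HEXDUMP))
```

The returned dictionary reproduces the summary line: hlim 255, next-header 17 (UDP), payload length 51, ports 5353 (mdns) on both sides, and the 43-byte PTR query for 43.127.10.10.in-addr.arpa.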





All the examples above simply print the header information to the shell. If you would rather save the raw packets to a file instead of parsing and printing them, tcpdump can write them with the -w option, and the file can be read back later with the -r option. By convention such a file is named with a .pcap extension. Let us see the next example.





root@debian:/home/anupam#tcpdump -tttt -w /tmp/traffic.pcap -vv -i eth0


tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes


Got 179





The above command saves the raw packets to the file traffic.pcap in the /tmp directory. The displayed line Got 179 gives the total number of packets captured into the file. To print the contents of the file in the terminal, use the -r option as shown below.





root@debian:/home/anupam#tcpdump -r /tmp/traffic.pcap


reading from file /tmp/traffic.pcap, link-type EN10MB (Ethernet)


13:54:16.875669 IP 10.10.127.125.netbios-ns > 10.10.127.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST


13:54:17.272831 STP 802.1d, Config, Flags [none], bridge-id 807f.00:26:98:62:5f:80.8007, length 43


13:54:17.640135 IP 10.10.127.125.netbios-ns > 10.10.127.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST


13:54:18.406881 IP6 fe80::e8f6:fb68:8dc8:ab1d.53442 > ff02::1:3.hostmon: UDP, length 24


13:54:18.407328 IP 10.10.127.125.59017 > 224.0.0.252.hostmon: UDP, length 24


13:54:18.513823 IP6 fe80::e8f6:fb68:8dc8:ab1d.53442 > ff02::1:3.hostmon: UDP, length 24


13:54:18.513896 IP 10.10.127.125.59017 > 224.0.0.252.hostmon: UDP, length 24


13:54:18.716979 IP 10.10.127.125.netbios-ns > 10.10.127.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST


The above example captures traffic into a single file. If you would like to capture network traffic header information continuously, tcpdump provides the -W option, to be used in conjunction with the -C option. This limits the number of files created to the specified number and begins overwriting files from the beginning, thus creating a 'rotating' buffer. In addition, it names the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly.
