Tcpdump
From Leo's Notes
Last edited on 14 June 2020, at 23:41.
Some quick notes on tcpdump.
Quick Usage
When using tcpdump, common flags you want to use are:
- -i interface: specify the interface (use any to use any interface)
- -n: to not resolve hostnames
- -nn: to not resolve hostnames and port names
- -t: human readable timestamp
- -v: verbosity 1 for a bit more information
Expressions
I think of expressions as filters which limit what tcpdump outputs.
Type
- host x.x.x.x to limit traffic to/from the given IP
- port xxx to limit by port
- net xxx to limit by network
- portrange xxx-yyy to limit by ports xxx to yyy
Direction
- dst - destined for. eg. dst host X is traffic destined to X
- src - sourced from.
Protocol
- tcp - TCP traffic
- udp - UDP traffic
- icmp - ICMP traffic (eg. pings. But filter ECHO using TCP flags)
Combining
To use more than one of these expressions, use:
- and, &&
- or, ||
- not, !
Examples
tcpdump host 1.2.3.4 and net 10.0.0.0/8 and (port 53 or port 80)
Monitor DNS Traffic
To monitor DNS traffic, useful flags are:
- -s 0 so request outputs aren't truncated.
- -l enables line buffering which is useful when piping to something like grep.
# tcpdump -v -s 0 -i bond0 -nn port 53
52.30.117.55.46664 > 136.159.2.4.53: 34037% [1au] A? fsa.cpsc.ucalgary.ca. (49)
52.30.117.55.53231 > 136.159.2.4.53: 29149% [1au] AAAA? ns1.cpsc.ucalgary.ca. (49)
52.30.117.55.17318 > 136.159.2.1.53: 31363% [1au] A? itnet.ucalgary.ca. (46)
64.59.128.112.27377 > 136.159.2.1.53: 36014 [1au] A? www.ucalgary.ca. (44)
64.59.128.120.20922 > 136.159.2.1.53: 49303 [1au] A? cumming.ucalgary.ca. (48)
105.187.251.76.45369 > 136.159.2.4.53: 50235% [1au] AAAA? Ns1.cPsc.UCaLgarY.Ca. (49)
105.187.251.76.45372 > 136.159.2.1.53: 44724% [1au] AAAA? FSa.CPSc.ucaLGAry.CA. (49)
# tcpdump -vv -s 0 -i bond0 -nn port 53
136.159.2.13.17377 > 136.159.1.21.53: [udp sum ok] 35357 [1au] SOA? commons.ucalgary.ca. ar: . OPT UDPsize=2048 (48)
136.159.1.21.53 > 136.159.2.13.17377: [udp sum ok] 35357* q: SOA? commons.ucalgary.ca. 1/2/3 commons.ucalgary.ca. SOA ucnet.ucalgary.ca. dns-g.ucalgary.ca. 2014122701 3600 900 604800 86400 ns: commons.ucalgary.ca. NS itnet.ucalgary.ca., commons.ucalgary.ca. NS ucnet.ucalgary.ca. ar: itnet.ucalgary.ca. A 136.159.34.201, ucnet.ucalgary.ca. A 136.159.1.21, . OPT UDPsize=4096 (162)
188.135.0.26.54094 > 136.159.2.4.53: [udp sum ok] 20057% [1au] AAAA? fSA.cpSc.ucAlGARy.cA. ar: . OPT UDPsize=4096 OK (49)
136.159.2.4.53 > 188.135.0.26.54094: [udp sum ok] 20057*- q: AAAA? fSA.cpSc.ucAlGARy.cA. 0/1/1 ns: cpSc.ucAlGARy.cA. SOA ns1.cpSc.ucAlGARy.cA. cpschelp.ucAlGARy.cA. 2015062350 3600 600 86400 86400 ar: . OPT UDPsize=4096 OK (98)
188.135.0.26.61263 > 136.159.2.1.53: [udp sum ok] 4720% [1au] AAAA? Ns2.CPsC.uCALGArY.Ca. ar: . OPT UDPsize=4096 OK (49)
136.159.2.1.53 > 188.135.0.26.61263: [udp sum ok] 4720*- q: AAAA? Ns2.CPsC.uCALGArY.Ca. 0/1/1 ns: CPsC.uCALGArY.Ca. SOA ns1.CPsC.uCALGArY.Ca. cpschelp.uCALGArY.Ca. 2015062350 3600 600 86400 86400 ar: . OPT UDPsize=4096 OK (98)
# tcpdump -vvv -s 0 -i bond0 -nn port 53
136.159.34.201.53 > 136.159.2.13.58508: [udp sum ok] 50513* q: SOA? stratnet.ucalgary.ca. 1/2/3 stratnet.ucalgary.ca. [1d] SOA ucnet.ucalgary.ca. nsmaint.ucalgary.ca. 2014122701 900 720 604800 86400 ns: stratnet.ucalgary.ca. [1d] NS ucnet.ucalgary.ca., stratnet.ucalgary.ca. [1d] NS itnet.ucalgary.ca. ar: itnet.ucalgary.ca. [1d] A 136.159.34.201, ucnet.ucalgary.ca. [1d] A 136.159.1.21, . OPT UDPsize=4096 (165)
194.228.92.58.59206 > 136.159.2.1.53: [udp sum ok] 11603 [1au] A? Subitaneous.CPsC.ucALGary.cA. ar: . OPT UDPsize=4000 OK (57)
136.159.2.1.53 > 194.228.92.58.59206: [udp sum ok] 11603*- q: A? Subitaneous.CPsC.ucALGary.cA. 1/0/1 Subitaneous.CPsC.ucALGary.cA. [4h] CNAME pool.ntp.org. ar: . OPT UDPsize=4096 OK (83)
200.185.97.69.18264 > 136.159.2.1.53: [udp sum ok] 19045% [1au] AAAA? mirror.cpsc.ucalgary.ca. ar: . OPT UDPsize=4096 OK (52)
136.159.2.1.53 > 200.185.97.69.18264: [udp sum ok] 19045*- q: AAAA? mirror.cpsc.ucalgary.ca. 0/1/1 ns: cpsc.ucalgary.ca. [1d] SOA ns1.cpsc.ucalgary.ca. cpschelp.ucalgary.ca. 2015062350 3600 600 86400 86400 ar: . OPT UDPsize=4096 OK (101)
Monitor HTTP Requests
To monitor HTTP traffic, useful flags are:
- -A for ASCII output, and
- -s 0 so request outputs aren't truncated.
- A (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0) filter, which restricts output to packets that carry data.
The filter basically is (IP total length - IP header length - TCP header length) != 0, i.e. the TCP payload length is non-zero. See this page for more information on advanced filters.
To see all requests and responses:
# tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
To see all requests and responses for a particular host:
tcpdump -A -s 0 'src example.com and tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
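The payload-length filter above does byte arithmetic on the raw IPv4 and TCP headers. The following added example (not from the original notes) reproduces that arithmetic in Python on constructed packets, so you can see which header fields ip[2:2], ip[0]&0xf and tcp[12]&0xf0 refer to and check that the result stays correct when IP or TCP options change the header lengths. The builder, addresses and payloads are constructed sample data, not captured traffic.

```python
import struct

def tcp_payload_len(pkt: bytes) -> int:
    """(IP total length - IP header length - TCP header length), exactly as
    the tcpdump filter computes it:
      ip[2:2]           -> 16-bit total length at IPv4 offset 2
      (ip[0]&0xf)<<2    -> IHL in 32-bit words, times 4 = header bytes
      (tcp[12]&0xf0)>>2 -> data offset (high nibble) in words, times 4
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    total_len = struct.unpack_from("!H", pkt, 2)[0]   # ip[2:2]
    ip_hdr_len = (pkt[0] & 0x0F) << 2                  # (ip[0]&0xf)<<2
    if pkt[9] != 6:
        raise ValueError("not TCP")                     # filter also needs 'tcp'
    tcp = pkt[ip_hdr_len:]
    tcp_hdr_len = (tcp[12] & 0xF0) >> 2                # (tcp[12]&0xf0)>>2
    return total_len - ip_hdr_len - tcp_hdr_len

def has_data(pkt: bytes) -> bool:
    """True when the packet would pass the '!= 0' filter in the notes."""
    return tcp_payload_len(pkt) != 0

def build_ipv4_tcp(payload: bytes, ip_options: bytes = b"", tcp_options: bytes = b"") -> bytes:
    """Constructed IPv4+TCP packet (checksums left zero; not valid on the wire).
    IHL and data offset count 32-bit words, so options are padded to 4 bytes."""
    if len(ip_options) % 4 or len(tcp_options) % 4:
        raise ValueError("options must be a multiple of 4 bytes")
    ihl_words = 5 + len(ip_options) // 4
    doff_words = 5 + len(tcp_options) // 4
    total_len = ihl_words * 4 + doff_words * 4 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl_words, 0, total_len, 0x1234, 0, 64, 6, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + ip_options
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          40000, 80, 1, 1, doff_words << 4, 0x18, 65535, 0, 0) + tcp_options
    return ip_hdr + tcp_hdr + payload

# Constructed sample traffic: a bare ACK (no data) and an HTTP request.
GET_REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
NOP4 = b"\x01" * 4   # four TCP/IP NOP option bytes, used only to lengthen headers

if __name__ == "__main__":
    for name, pkt in [("pure ACK", build_ipv4_tcp(b"")),
                      ("GET", build_ipv4_tcp(GET_REQUEST)),
                      ("GET with options", build_ipv4_tcp(GET_REQUEST, NOP4, NOP4 * 3))]:
        print(f"{name}: payload={tcp_payload_len(pkt)} passes_filter={has_data(pkt)}")
```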
See Also
- https://danielmiessler.com/study/tcpdump/
- https://www.wains.be/pub/networking/tcpdump_advanced_filters.txt
- https://sites.google.com/site/jimmyxu101/testing/use-tcpdump-to-monitor-http-traffic