This Masterclass article series aims to provide in-depth technical information on the installation, usage and operation of the classic and supremely popular tcpdump network traffic analysis program, including alternatives, running tcpdump as a process, building expressions, understanding output and more. I’ve covered the Basics previously; this article covers Parameters, to be followed by filter Expressions and finally Interpreting Output.
Writing To a File
-w file: tcpdump will write the raw captured packets to the named file rather than displaying them.
Warning: when writing to a file you may exhaust the host’s disk space if a great deal of traffic is being captured. To avoid this, do one of the following;
- Test your capture first, without saving to a file, and ensure your expression(s) are specific enough that an excessive amount of traffic is not being captured
- Monitor the size of the specified file
- Use the -c parameter to restrict the capture to a specific number of packets, as detailed in the next section
Also note;
- The file format used is libpcap
- If you specify the name of an existing file it will be overwritten without warning!
- If two or more instances of tcpdump specify the same output file, only the output of the last instance started will be recorded to the file
- You can suffix your file name with `date +%Y_%m_%d` (note ` is found just under the [Esc] key) to ensure it’s appended with the current date in the format YYYY_MM_DD
Restricting The Number Of Packets Captured
-c nn: tcpdump will restrict the capture to the number of packets specified by nn, exiting once that many have been captured. Using this option is particularly sensible to avoid issues when;
- You expect a great deal of output (and may be unable to stop the capture)
- You are writing the capture to a file and want to be sure you do not exhaust the host’s disk space
- You are running an unattended capture
Reading From a File
-r file: tcpdump will read packets from the named capture file rather than from a live interface. It will display the entire contents of the file without pause, so you may want to pipe the output through the more or less commands to control and ‘browse’ it in an orderly way.
Quick Mode Output
-q: in quick mode tcpdump will display only the time, source address and port, destination address and port, protocol (tcp/udp), data (not packet) length and whether the DF bit is set or not. This parameter is very good at ensuring all the data for a packet displays on a single line of output, as shown below;
14:04:10.381763 10.68.5.122.10050 > 10.68.5.9.49702: tcp 0 (DF)
Here’s what you would get without quick mode;
14:04:17.370776 10.68.5.122.10050 > 10.68.5.9.49761: S 3293224573:3293224573(0) ack 1427800123 win 16384 <mss 1460,nop,
wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
Verbose Output
-v: tcpdump will display additional fields including flags (such as DF), TTL and packet length, as this example output shows;
14:05:04.395870 10.68.5.122.10050 > 10.68.5.9.50187: P 1449:1700(251) ack 23 win 65513 <nop,nop,timestamp 5953631 522357663>
(DF) (ttl 128, id 7979, len 303)
-vv will display additional protocol and application specific fields.
-vvv will display even more protocol and application specific fields.
Capturing Link Level (Layer 2 – Data Link) Headers
-e: tcpdump will display link level information not shown by default, such as the source and destination MAC addresses, the layer 3 protocol and the frame size. Below are two example captures, the first without this option specified, the second with;
- tcpdump -i vlan2 host 10.68.5.9 and icmp;
12:39:08.589829 10.68.5.9 > 10.68.5.121: icmp: echo request (DF)
12:39:08.590352 10.68.5.121 > 10.68.5.9: icmp: echo reply (DF)
- tcpdump -i vlan2 -e host 10.68.5.9 and icmp;
12:38:53.660102 0:1:d7:57:3:c8 0:21:5a:45:57:42 ip 54: 10.68.5.9 > 10.68.5.121: icmp: echo request (DF)
12:38:53.660629 0:21:5a:45:57:42 0:1:d7:57:3:c8 ip 60: 10.68.5.121 > 10.68.5.9: icmp: echo reply (DF)
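Added example (not from the article): a small Python parser for the one-line summary format shown in the quick mode and -e examples above, using constructed sample lines in the same style. It assumes numeric (-nn style) IPv4 output and counts packets per source, destination and protocol, the kind of triage a quick mode capture is used for.

```python
import re
from collections import Counter

# Constructed sample lines in the older tcpdump output style used throughout this article:
# two quick-mode (-q) tcp lines, a default icmp line and one -e link-level line.
SAMPLE_LINES = """\
14:04:10.381763 10.68.5.122.10050 > 10.68.5.9.49702: tcp 0 (DF)
14:04:10.382001 10.68.5.9.49702 > 10.68.5.122.10050: tcp 251 (DF)
12:39:08.589829 10.68.5.9 > 10.68.5.121: icmp: echo request (DF)
12:38:53.660102 0:1:d7:57:3:c8 0:21:5a:45:57:42 ip 54: 10.68.5.9 > 10.68.5.121: icmp: echo request (DF)
""".splitlines()

TIME_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d\.\d+) (?P<rest>.*)$")
LINK_RE = re.compile(r"^(?P<smac>[0-9a-f:]{11,17}) (?P<dmac>[0-9a-f:]{11,17}) (?P<etype>\w+) (?P<flen>\d+): (?P<rest>.*)$")
L3_RE = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+): (?P<proto>\w+):? ?(?P<detail>.*)$")

def split_endpoint(endpoint):
    """'10.68.5.9.49702' -> ('10.68.5.9', 49702); a bare address gets port None.
    Assumes numeric (-nn) IPv4 output, where a port is the fifth dotted field."""
    parts = endpoint.split(".")
    if len(parts) == 5 and parts[4].isdigit():
        return ".".join(parts[:4]), int(parts[4])
    return endpoint, None

def parse_line(line):
    """Turn one summary line into a dict, or None if the line is in some other format."""
    m = TIME_RE.match(line)
    if not m:
        return None
    rec = {"time": m["time"], "smac": None, "dmac": None, "etype": None, "frame_len": None}
    rest = m["rest"]
    lm = LINK_RE.match(rest)
    if lm:  # -e was given: source MAC, destination MAC, ethertype and frame size come first
        rec.update(smac=lm["smac"], dmac=lm["dmac"], etype=lm["etype"], frame_len=int(lm["flen"]))
        rest = lm["rest"]
    pm = L3_RE.match(rest)
    if not pm:
        return None
    rec["src"], rec["sport"] = split_endpoint(pm["src"])
    rec["dst"], rec["dport"] = split_endpoint(pm["dst"])
    rec["proto"] = pm["proto"]
    rec["df"] = "(DF)" in pm["detail"]          # the trailing (DF) marks the Don't Fragment bit
    rec["detail"] = pm["detail"].replace("(DF)", "").strip()
    return rec

def conversations(lines):
    """Packets per (src, dst, proto): the kind of quick triage a -q capture is meant for."""
    records = (r for r in map(parse_line, lines) if r)
    return Counter((r["src"], r["dst"], r["proto"]) for r in records)
```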
Capturing Packet Contents – Format
-x will display packet contents in Hex.
-X will display packet contents in both Hex and ASCII.
Below are two example captures, the first with -x specified, the second with -X;
- tcpdump -i vlan28 -x host 10.68.5.9 and icmp;
12:52:03.577960 10.68.5.9 > 10.68.5: icmp: echo request (DF)
4500 0028 0000 4000 4001 4902 c0a8 3809
c0a8 3879 0800 7f87 effd ed06 4001 c71f
c0a8 3828 7078 2b09
12:52:03.578493 10.68.5.121 > 10.68.5.9: icmp: echo reply (DF)
4500 0028 42db 4000 8001 c626 c0a8 3879
c0a8 3809 0000 8787 effd ed06 4001 c71f
c0a8 3828 7078 2b09 0000 0000 0000
- tcpdump -i vlan28 -X host 10.68.5.9 and icmp;
12:52:13.577833 10.68.5.9 > 10.68.5.121: icmp: echo request (DF)
0x0000 4500 0028 0000 4000 4001 4902 c0a8 3809 E..(..@.@.I...8.
0x0010 c0a8 3879 0800 3683 3904 ed06 4001 c71d ..8y..6.9...@...
0x0020 c0a8 3828 7078 2b09 ..8(px+.
12:52:13.578348 10.68.5.121 > 10.68.5.9: icmp: echo reply (DF)
0x0000 4500 0028 44bb 4000 8001 c446 c0a8 3879 E..(D.@....F..8y
0x0010 c0a8 3809 0000 3e83 3904 ed06 4001 c71d ..8...>.9...@...
0x0020 c0a8 3828 7078 2b09 0000 0000 0000 ..8(px+.......
Both these options display only the first 68 bytes of each packet by default unless the -s option is used; see below.
Note: neither option is needed when you are writing the capture to a file; -x and -X only apply when tcpdump is displaying packets, either in real time or from a capture file.
Capturing Packet Contents – How Much?
-s nn: tcpdump will capture the specified number of bytes of each packet (the default is 96 from v4 and was previously 68).
Note: Use -s 0 to capture the entirety of every packet, regardless of size.
Disabling DNS Lookups
-n: tcpdump will not translate host addresses to host names, thus disabling DNS lookups. Not using this option could result in a huge number of DNS requests and create unnecessary load on DNS servers.
Also Disabling Service Name Lookups
-nn: tcpdump will not translate ports and protocols to service names (port 80 to http, for example), as well as not translating host addresses to host names.
Disabling Checksum Verification
-K: tcpdump will not attempt to verify IP, TCP or UDP checksums. This is very useful when NIC hardware offload features are enabled and tcpdump incorrectly reports bad checksum errors for outbound packets, because it sees the packets before the NIC has calculated the checksum.
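Added example, not part of the article: this Python decodes the -x/-X hex dump format shown above into bytes, extracts the IPv4 header fields that -v prints (id, ttl, len and the DF flag) and recomputes the header checksum, which is the check that checksum offload makes fail for outbound packets. The sample dump is the article's echo request, copied here as a constructed string.

```python
import re
import struct

# Constructed sample: the -X dump of the echo request shown in this article (summary line,
# then offset, hex and ASCII columns). A -x dump is the same minus the offset and ASCII columns.
SAMPLE_DUMP = """\
12:52:13.577833 10.68.5.9 > 10.68.5.121: icmp: echo request (DF)
0x0000 4500 0028 0000 4000 4001 4902 c0a8 3809 E..(..@.@.I...8.
0x0010 c0a8 3879 0800 3683 3904 ed06 4001 c71d ..8y..6.9...@...
0x0020 c0a8 3828 7078 2b09 ..8(px+.
"""

HEX_WORD = re.compile(r"^(?:[0-9a-f]{4}|[0-9a-f]{2})$")  # one 16-bit word, or a trailing odd byte

def dump_to_bytes(dump):
    """Collect the hex words of one packet's -x/-X dump into bytes. Assumes hex words come
    first on each line and that the ASCII column (tcpdump prints '.' for anything not
    printable, spaces included) is one token that is not itself 2 or 4 hex digits."""
    data = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if tokens and tokens[0].startswith("0x"):
            tokens = tokens[1:]                    # drop the -X offset column
        for tok in tokens:
            if not HEX_WORD.match(tok):
                break                              # summary text or ASCII column: stop
            data += bytes.fromhex(tok)
    return bytes(data)

def ones_complement_checksum(data):
    """RFC 1071: 16-bit one's-complement sum, folded, then complemented (odd byte zero-padded)."""
    total = sum(int.from_bytes(data[i:i + 2].ljust(2, b"\0"), "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(pkt):
    """Decode the IPv4 header fields tcpdump -v prints (id, ttl, len and the DF flag) and
    verify the header checksum the way tcpdump does before it reports a bad checksum."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    vihl, _tos, length, ident, frag, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    header = bytearray(pkt[:(vihl & 0x0F) * 4])
    header[10:12] = b"\0\0"                        # the checksum field counts as zero when computing
    return {
        "len": length, "id": ident, "df": bool(frag & 0x4000), "ttl": ttl, "proto": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "cksum": csum, "cksum_ok": ones_complement_checksum(header) == csum,
    }
```

Decoding the article's own dump gives 192.168.56.9 > 192.168.56.121, so the hex bytes shown evidently came from a different capture than their 10.68.5.x summary line.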
The Strings Trick
When troubleshooting text-based protocols such as HTTP, a pipeline like this strips out binary data (packet headers and the like) using the Linux strings command, allowing you to focus your attention on the protocol data only. -l makes tcpdump line-buffer its output, -s 0 captures whole packets and -w - writes the raw capture to standard output for strings to read;
tcpdump -l -s 0 -w - 'expression' | strings
For more information, see this article by James Nelson; thanks James.