TCPDUMP

Tcpdump is a packet sniffer or packet analyzer tool, which is used to intercept and display packets transmitted or received on a network. Sniffing is a process that passively monitors and captures network packets. Tcpdump uses the libpcap library, which is the core library used for packet sniffing.
Authors: Van Jacobson, Sally Floyd, Vern Paxson and Steven McCanne
Year: 1988
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ]
        [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
        [ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
        [ -Q in|out|inout ]
        [ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
        [ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
        [ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ]
        [ -Z user ] [ expression ]
Statistics reported by tcpdump when it stops:
Packets captured: This is the number of packets that tcpdump has received and processed.
Packets received by filter: A filter can be specified on the command line and only those packets that match the defined filter are processed by tcpdump and counted.
Packets dropped by kernel: This is the number of packets that were dropped due to a lack of buffer space. Use the -B option to set the buffer size (in KiB).
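As an added example, not part of the original notes: a small POSIX shell script that parses these three statistics lines (tcpdump prints them to stderr when it stops, so they are captured with 2>stats.txt) and reports whether the kernel drop rate exceeds a threshold. The sample statistics block, the function names and the thresholds are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original tcpdump notes): check the statistics
# block tcpdump writes to stderr when it stops. Function names and the sample
# numbers are the example's own.

# Constructed sample of the exit summary, as it would appear after stopping
# `tcpdump -i eno16777736 -w /root/capture.pcap 2>stats.txt` with Ctrl-C.
SAMPLE_STATS='1523 packets captured
1800 packets received by filter
277 packets dropped by kernel'

# Read a statistics block on stdin, print "<captured> <received> <dropped>".
parse_tcpdump_stats() {
    awk '
        / packets captured$/           { c = $1 }
        / packets received by filter$/ { r = $1 }
        / packets dropped by kernel$/  { d = $1 }
        END { printf "%d %d %d\n", c, r, d }
    '
}

# Integer percentage of filter-matched packets the kernel dropped.
drop_percent() {
    # $1 = packets received by filter, $2 = packets dropped by kernel
    [ "$1" -gt 0 ] || { echo 0; return; }
    echo $(( $2 * 100 / $1 ))
}

# Verdict on a statistics block; returns 1 when drops exceed the threshold.
check_drops() {
    # $1 = statistics block text, $2 = maximum acceptable drop percentage
    stats=$(printf '%s\n' "$1" | parse_tcpdump_stats)
    received=$(echo "$stats" | cut -d' ' -f2)
    dropped=$(echo "$stats" | cut -d' ' -f3)
    pct=$(drop_percent "$received" "$dropped")
    if [ "$pct" -gt "$2" ]; then
        echo "WARNING: kernel dropped ${pct}% of matched packets (${dropped}/${received});" \
             "raise -B, narrow the filter expression, or lower -s so the capture keeps up"
        return 1
    fi
    echo "OK: kernel dropped ${pct}% of matched packets"
}

# Usage: run the capture with stderr redirected, then check the summary:
#   tcpdump -i eno16777736 -w /root/capture.pcap 2>stats.txt
#   check_drops "$(cat stats.txt)" 5
check_drops "$SAMPLE_STATS" 20          # OK: 15% is within 20%
check_drops "$SAMPLE_STATS" 5 || :      # WARNING: 15% exceeds 5% (exit status 1)
```

A non-zero drop count means the capture file is incomplete, which matters when it is later used as evidence or for detection: a connection may appear to have no SYN simply because the kernel dropped it.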

Experiments:
tcpdump -h --> help
tcpdump -D --> list interface
tcpdump -i eno16777736 -c 2 -n → capture on interface eno16777736, stop after 2 packets (-c 2), and print addresses and ports numerically (-n: no name lookups)
tcpdump -i eno16777736 -c 2 -n -s 38 → Adding snap length
-s: snapshot length, the maximum number of bytes of each frame that is actually captured
tcpdump -i eno16777736 -c 2 -n -s 68 -S tcp → Absolute sequence number with timestamp
-S: print absolute TCP sequence number

tcpdump -i eno16777736 -c 2 -n -s 68 -S tcp -t → Absolute sequence number without timestamp

-t : don't print timestamp on each dump line
tcpdump -i eno16777736 -c 2 -n -s 68 -w /root/capture.pcap

-w: write raw packets to file rather than parsing and printing them out

tcpdump -r /root/capture.pcap

-r: read packets from file
tcpdump -i eno16777736 -w /root/capture.pcap -v

-v: when writing to a file with the -w option, report, once per second, the number of packets captured

tcpdump -r /root/capture.pcap | less

| less: page through the decoded packets with less

tcpdump -i eno16777736 -c 2 icmp
icmp: filtering packets with protocol icmp
tcpdump -i eno16777736 -c 2 udp
udp: filtering packets with protocol udp

tcpdump -i eno16777736 -c 2 tcp

tcp: filtering packets with protocol tcp

cat /root/capture.pcap | tcpdump -n -r - -c 2
Another way of reading a file: -r - reads the capture from standard input

tcpdump -i eno16777736 -n -w /root/rotate.%H:%M:%S.pcap -G 2

-G 2: rotate the output file every 2 seconds; the -w file name is expanded with strftime(3), so %H:%M:%S becomes the time at which each file was started
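As an added example, not part of the original notes: a POSIX shell wrapper that combines -G with a strftime -w name, -z (the post-rotate command listed in the usage above) and -Z (drop privileges after the capture device is opened). The interface eno16777736 is the one used in these notes; the output directory /var/tmp/caps, the user name tcpdump, the script path /usr/local/bin/rotate.sh and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of the original tcpdump notes): rotated capture with
# -G/-w, a post-rotate handler run through -z, and privilege drop with -Z.
# The directory, user name and script path are assumptions for the example.

# Assemble the capture command. tcpdump (started as root) opens the interface,
# then switches to user $4 (-Z) before creating any output file, so $2 must be
# writable by that user; each finished file is passed to $5 (-z) as its only
# argument, and that handler also runs as $4.
capture_cmd() {
    # $1 interface, $2 output dir, $3 rotate seconds, $4 unprivileged user, $5 handler
    printf 'tcpdump -i %s -n -Z %s -G %s -w %s/rotate.%%Y%%m%%d-%%H%%M%%S.pcap -z %s\n' \
        "$1" "$4" "$3" "$2" "$5"
}

# Post-rotate handler: a capture can hold credentials and payloads, so restrict
# the finished file to its owner and move it out of the live capture directory.
postrotate() {
    # $1 = completed capture file passed by tcpdump -z
    dir=$(dirname "$1")
    mkdir -p "$dir/archive" || return 1
    chmod 600 "$1" || return 1
    mv "$1" "$dir/archive/" || return 1
}

# When tcpdump invokes this script with a finished .pcap file, handle it;
# otherwise print the command that starts the capture.
case "${1-}" in
    *.pcap) postrotate "$1" ;;
    *)      capture_cmd eno16777736 /var/tmp/caps 2 tcpdump /usr/local/bin/rotate.sh ;;
esac
```

Install the script at the path given to -z, make it executable, and create the output directory owned by the capture user before starting; tcpdump fails to open the first rotated file otherwise.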

tcpdump -i eno16777736 -c 2 -A
-A: print each packet in ASCII

tcpdump -i eno16777736 -c 2 -e

-e: print the link-layer header (MAC addresses) on each dump line
tcpdump --version

--version: tell the version of tcpdump and libpcap

tcpdump -L (or) --list-data-link-types

-L: List the known data link types

tcpdump -i eno16777736 -c 2 -Q in

-Q in (or --direction=in): capture only incoming packets

tcpdump -i eno16777736 -c 2 --direction=out

-Q out (or --direction=out): capture only outgoing packets

tcpdump -i eno16777736 -c 2 -q

-q: quick (quiet) output. Print less protocol information, so each line is shorter

tcpdump -i eno16777736 -c 2 -x

-x: print the data of each packet in hex minus its link level header

tcpdump -i eno16777736 -c 2 -xx

-xx: print the data of each packet in hex including its link level header

tcpdump -i eno16777736 -c 2 -X

-X: print the data of each packet in hex and ASCII minus link level header

tcpdump -i eno16777736 -c 2 -XX

-XX: print the data of each packet in hex and ASCII including link level header

tcpdump -i eno16777736 host 192.168.93.129 -c 2

host: filtering by IP address, matched as either source or destination

tcpdump -i eno16777736 src 192.168.93.129 -c 2

src: filtering by source IP address

tcpdump -i eno16777736 dst 192.168.93.129 -c 2

dst: filtering by destination IP address

tcpdump -i eno16777736 port 22 -c 2

port: filtering by port 22, matched as either source or destination port

tcpdump -i eno16777736 portrange 22-25

portrange: filtering by the port range 22 to 25
tcpdump -i eno16777736 src port 22 -c 2

src port: filtering by source port 22

tcpdump -i eno16777736 dst port 22 -c 2

dst port: filtering by destination port 22

tcpdump -i eno16777736 -c 2 src 192.168.93.129 and port 22

Filtering by source IP address combined with port 22 (matched as source or destination port)

tcpdump -i eno16777736 -c 2 src 192.168.93.1 and dst port 22

Filtering by source ipaddress with destination port 22

tcpdump -i eno16777736 -c 2 dst 192.168.93.129 and port 22 or 25

Filtering by destination IP address with port 22, or any packet on port 25: 'and' and 'or' have equal precedence and associate left to right, so this reads as (dst 192.168.93.129 and port 22) or port 25; group with parentheses when another reading is intended

tcpdump -i eno16777736 -c 2 dst 192.168.93.129 or 192.168.93.1 and port 22

Filtering by destination IP address 192.168.93.129 or 192.168.93.1 with port 22: the bare second address takes the most recent keyword (dst), and left-to-right grouping gives (dst 192.168.93.129 or dst 192.168.93.1) and port 22

tcpdump -i eno16777736 -c 2 net 192.168.93.0/24

net: filtering by network 192.168.93.0/24 and it can be used with src net and dst net as well

tcpdump -i eno16777736 less 68 -c 2

less: prints each packet whose length is at most 68 bytes (len <= 68)

tcpdump -i eno16777736 greater 68 -c 2

greater: prints each packet whose length is at least 68 bytes (len >= 68)

tcpdump -i eno16777736 -c 2 'src 192.168.93.129 and (dst port 60800 or 22)'

Filtering by source host and destination port 60800 or 22: the parentheses group the two ports, and the expression is quoted so the shell does not interpret them

tcpdump -i eno16777736 -c 2 'tcp[tcpflags] == tcp-ack'

Filtering on the TCP flags byte: tcp[tcpflags] is the whole flags byte, so == tcp-ack matches only packets with ACK set and no other flag (a SYN-ACK, for example, does not match)
Likewise we can use:

tcpdump 'tcp[tcpflags] == tcp-rst'

tcpdump 'tcp[tcpflags] == tcp-fin'

tcpdump -i eno16777736 -c 2 'tcp[13] & 8!=0'

Another way to filter on a TCP flag: byte 13 of the TCP header holds the flags, and & 8 != 0 tests whether the PSH bit (value 8) is set, whatever the other flags are
Likewise we can use:

tcpdump -i eno16777736 -c 2 'tcp[13] & 32!=0' → URG

tcpdump -i eno16777736 -c 2 'tcp[13] & 16!=0' → ACK
tcpdump -i eno16777736 -c 2 'tcp[13] & 8!=0' → PSH
tcpdump -i eno16777736 -c 2 'tcp[13] & 4!=0' → RST
tcpdump -i eno16777736 -c 2 'tcp[13] & 2!=0' → SYN
tcpdump -i eno16777736 -c 2 'tcp[13] & 1!=0' → FIN
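As an added example, not part of the original notes: POSIX shell functions that build these tcp[13] filters from flag names, covering both the "bit is set" form used in the list above and the exact-match form of the tcp[tcpflags] == tcp-ack example, plus a "set and clear" form (SYN without ACK, i.e. new connection attempts only) and a decoder that turns a flag byte back into names. The function names are the example's own; the interface in the usage comment is the one used in these notes.

```shell
#!/bin/sh
# Added example (not part of the original tcpdump notes): build and decode
# TCP flag filters that operate on byte 13 of the TCP header.
# Function names are the example's own.

# Bit value of one TCP flag in tcp[13]: FIN=1 SYN=2 RST=4 PSH=8 ACK=16 URG=32.
flag_bit() {
    case "$1" in
        fin) echo 1 ;;
        syn) echo 2 ;;
        rst) echo 4 ;;
        psh) echo 8 ;;
        ack) echo 16 ;;
        urg) echo 32 ;;
        *)   echo "unknown flag: $1" >&2; return 1 ;;
    esac
}

# Mask covering every flag named in the arguments, e.g. `flag_mask syn ack` -> 18.
flag_mask() {
    mask=0
    for f in "$@"; do
        b=$(flag_bit "$f") || return 1
        mask=$(( mask | b ))
    done
    echo "$mask"
}

# Filter: all named flags are set, other flags do not matter.
# With a single flag this is the `tcp[13] & 8 != 0` form from the notes.
filter_has_flags() {
    m=$(flag_mask "$@") || return 1
    echo "tcp[13] & $m == $m"
}

# Filter: the flags byte equals exactly the named flags.
# This is what `tcp[tcpflags] == tcp-ack` tests: a SYN-ACK (18) does not match ACK (16).
filter_exact_flags() {
    m=$(flag_mask "$@") || return 1
    echo "tcp[13] == $m"
}

# Filter: flags in $1 must be set and flags in $2 must be clear (both space separated).
# `filter_set_clear syn ack` gives the usual "new connection attempt" filter.
filter_set_clear() {
    s=$(flag_mask $1) || return 1
    c=$(flag_mask $2) || return 1
    echo "tcp[13] & $(( s | c )) == $s"
}

# Turn a flag byte value (byte 13 of the TCP header as shown by `tcpdump -x`)
# back into flag names, e.g. 18 -> "syn ack".
decode_flags() {
    out=""
    for f in fin syn rst psh ack urg; do
        if [ $(( $1 & $(flag_bit "$f") )) -ne 0 ]; then
            out="$out$f "
        fi
    done
    echo "${out% }"
}

# Usage (needs the capture interface from the notes and capture privileges):
#   tcpdump -i eno16777736 -c 2 -n "$(filter_set_clear syn ack)"
#   tcpdump -i eno16777736 -c 2 -n "$(filter_exact_flags syn ack)"
```

The generated expressions are quoted in the usage lines for the same reason as the bracketed filters above: the brackets and the != or == operators must reach tcpdump untouched by the shell.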