Tcpdump: Difference between revisions
From charlesreid1
| (22 intermediate revisions by the same user not shown) | |||
| Line 29: | Line 29: | ||
Pick out which ones you want to listen to. | Pick out which ones you want to listen to. | ||
== | =Basic Usage= | ||
You may need to run tcpdump as sudo to access certain information from the hardware. | |||
Tcpdump options can vary from platform to platform (e.g. mac vs linux) but this guide will cover some universal usage. | |||
The simplest way to use tcpdump is to do an unfiltered packet capture - no filters on packets, so everything is captured. | The simplest way to use tcpdump is to do an unfiltered packet capture - no filters on packets, so everything is captured. | ||
To | The bare minimum you'll have to specify is a network interface. You may want to specify a file, too. | ||
==The -i and -w flags== | |||
To specify a network device you want to listen to, use the <code>-i</code> flag (for interface). Also specify an output file with the <code>-w</code> flag: | |||
<pre> | <pre> | ||
| Line 45: | Line 51: | ||
<code>-w</code> prevents your computer from having a meltdown trying to print every single packet in a busy place. | <code>-w</code> prevents your computer from having a meltdown trying to print every single packet in a busy place. | ||
You can | You can monitor multiple interfaces by specifying a list: <code>-i en0,en1</code> | ||
If you are using wireless, you'll need to use additional commands to control the channel your wireless card is listening to. | |||
==Controlling Output== | |||
To control output, you can have tcpdump create a new pcap file every N seconds, or every N megabytes. | |||
===G flag=== | |||
Use the G flag to create a new pcap file every N seconds: | |||
<pre> | |||
-G [seconds] | |||
</pre> | |||
If you | If you use the G flag without the C flag (see below), you specify new filenames with strftime date/time format when you pass the filename to the -w flag. | ||
This command makes a new pcap file every 100 seconds: | |||
<pre> | |||
tcpdump -G 100 -w filename_%H-%M-%S.pcap | |||
</pre> | |||
===C flag=== | |||
The | The C flag sets the maximum pcap file size, in millions of bytes. New files will have a common name with an incrementing number at the end. From the man page: | ||
<pre> | |||
-C | |||
Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward. The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes). | |||
</pre> | |||
=== | ===W flag=== | ||
The W flag will limit the number of output files, so that tcpdump will begin to overwrite the first file once it has finished writing to the Nth file: | |||
<pre> | <pre> | ||
-W Used in conjunction with the -C option, this will limit the | |||
number of files created to the specified number, and begin | |||
overwriting files from the beginning, thus creating a 'rotat- | |||
ing' buffer. In addition, it will name the files with enough | |||
leading 0s to support the maximum number of files, allowing | |||
them to sort correctly. | |||
Used in conjunction with the -G option, this will limit the | |||
number of rotated dump files that get created, exiting with | |||
status 0 when reaching the limit. If used with -C as well, the | |||
behavior will result in cyclical files per timeslice. | |||
</pre> | </pre> | ||
=Wireless Tcpdump= | |||
More instructions on capturing wireless packets with Tcpdump: [[Tcpdump/Wireless]] | |||
[[Tcpdump/Wireless/Linux]] | |||
[[Tcpdump/Wireless/Mac]] | |||
=More Flags= | |||
==Faster Packet Capture== | |||
To minimize overhead processing packets and maximize the number of packets captured, you can turn off host name resolution with the <code>-n</code> flag. This also makes things slightly more readable. | |||
<pre> | <pre> | ||
tcpdump -I -n -i wlan1 -w output_pcap_file.pcap | |||
</pre> | </pre> | ||
==Writing Packets To File== | |||
If you want to force tcpdump to write every packet to the output file as it is received, rather than waiting until its input buffer is full, you can use the U flag. Note that this will be slower and should only be done when traffic is light - otherwise excessive disk writes will bog things down. | |||
From the man page: | |||
<pre> | <pre> | ||
-U If the -w option is not specified, make the printed packet output ` | |||
`packet-buffered''; i.e., as the description of the contents of each packet is | |||
printed, it will be written to the standard output, rather than, when not writing | |||
to a terminal, being written only when the output buffer fills. | |||
If the -w option is specified, make the saved raw packet output | |||
``packet-buffered''; i.e., as each packet is saved, it will be written | |||
to the output file, rather than being written only when the output | |||
buffer fills. | |||
The -U flag will not be supported if tcpdump was built with an | |||
older version of libpcap that lacks the pcap_dump_flush() function. | |||
</pre> | </pre> | ||
=== | =Analysis= | ||
You can also use tcpdump to analyze a pcap file. | |||
==Reading Packets== | |||
To read packet data, run tcpdump with the <code>-r</code> flag (for read): | |||
<pre> | <pre> | ||
$ tcpdump -r output.pcap | |||
</pre> | </pre> | ||
==Counting Packets== | |||
Not sure if this will work: | |||
<pre> | <pre> | ||
$ tcpdump -n -r output.pcap | wc -l | |||
</pre> | </pre> | ||
== | This will give you a count of the total number of packets in the pcap file. | ||
==Parsing Information== | |||
You can parse information by column using the cut utility. | |||
<pre> | |||
$ tcpdump -n -r output.pcap | |||
</pre> | |||
The output has the fields: | |||
<pre> | <pre> | ||
[timestamp] [network protocol] [source IP] . [source port] > [destination IP] . [destination port] | |||
</pre> | </pre> | ||
[https://www.sans.org/reading-room/whitepapers/protocols/analyzing-network-traffic-basic-linux-tools-34037] | |||
{{NetworkingFlag}} | |||
Latest revision as of 22:31, 30 June 2016
Installing
Linux
tcpdump should come with your distro, but if it doesn't, use aptitude or your package manager to install:
apt-get install tcpdump
Once you've done that, you can list your network devices:
iwconfig
Pick out which ones you want to listen to.
Mac
tcpdump comes with Mac. Man page for tcpdump: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/tcpdump.1.html
List your network devices:
ifconfig
Pick out which ones you want to listen to.
Basic Usage
You may need to run tcpdump as sudo to access certain information from the hardware.
Tcpdump options can vary from platform to platform (e.g. mac vs linux) but this guide will cover some universal usage.
The simplest way to use tcpdump is to do an unfiltered packet capture - no filters on packets, so everything is captured.
The bare minimum you'll have to specify is a network interface. You may want to specify a file, too.
The -i and -w flags
To specify a network device you want to listen to, use the -i flag (for interface). Also specify an output file with the -w flag:
tcpdump -i en0 -w output_file.pcap
-w prevents your computer from having a meltdown trying to print every single packet in a busy place.
You can monitor multiple interfaces by specifying a list: -i en0,en1
If you are using wireless, you'll need to use additional commands to control the channel your wireless card is listening to.
Controlling Output
To control output, you can have tcpdump create a new pcap file every N seconds, or every N megabytes.
G flag
Use the G flag to create a new pcap file every N seconds:
-G [seconds]
If you use the G flag without the C flag (see below), you specify new filenames with strftime date/time format when you pass the filename to the -w flag.
This command makes a new pcap file every 100 seconds:
tcpdump -G 100 -w filename_%H-%M-%S.pcap
C flag
The C flag sets the maximum pcap file size, in millions of bytes. New files will have a common name with an incrementing number at the end. From the man page:
-C Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward. The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).
W flag
The W flag will limit the number of output files, so that tcpdump will begin to overwrite the first file once it has finished writing to the Nth file:
-W Used in conjunction with the -C option, this will limit the
number of files created to the specified number, and begin
overwriting files from the beginning, thus creating a 'rotat-
ing' buffer. In addition, it will name the files with enough
leading 0s to support the maximum number of files, allowing
them to sort correctly.
Used in conjunction with the -G option, this will limit the
number of rotated dump files that get created, exiting with
status 0 when reaching the limit. If used with -C as well, the
behavior will result in cyclical files per timeslice.
Wireless Tcpdump
More instructions on capturing wireless packets with Tcpdump: Tcpdump/Wireless
More Flags
Faster Packet Capture
To minimize overhead processing packets and maximize the number of packets captured, you can turn off host name resolution with the -n flag. This also makes things slightly more readable.
tcpdump -I -n -i wlan1 -w output_pcap_file.pcap
Writing Packets To File
If you want to force tcpdump to write every packet to the output file as it is received, rather than waiting until its input buffer is full, you can use the U flag. Note that this will be slower and should only be done when traffic is light - otherwise excessive disk writes will bog things down.
From the man page:
-U If the -w option is not specified, make the printed packet output `
`packet-buffered''; i.e., as the description of the contents of each packet is
printed, it will be written to the standard output, rather than, when not writing
to a terminal, being written only when the output buffer fills.
If the -w option is specified, make the saved raw packet output
``packet-buffered''; i.e., as each packet is saved, it will be written
to the output file, rather than being written only when the output
buffer fills.
The -U flag will not be supported if tcpdump was built with an
older version of libpcap that lacks the pcap_dump_flush() function.
Analysis
You can also use tcpdump to analyze a pcap file.
Reading Packets
To read packet data, run tcpdump with the -r flag (for read):
$ tcpdump -r output.pcap
Counting Packets
Not sure if this will work:
$ tcpdump -n -r output.pcap | wc -l
This will give you a count of the total number of packets in the pcap file.
Parsing Information
You can parse information by column using the cut utility.
$ tcpdump -n -r output.pcap
The output has the fields:
[timestamp] [network protocol] [source IP] . [source port] > [destination IP] . [destination port]
 |
Networking pages and notes about computer networks.
Man in the Middle attack vectors on wired networks: Man in the Middle/Wired Packet analysis with Wireshark: Wireshark Packet Analysis Linux networking: Linux/Networking
Using Aircrack: Aircrack Many Ways to Crack a Wifi: Cracking Wifi
Linux/Networking · Linux/SSH · Linux/File Server
Notes on OpenVPN: OpenVPN Setting Up a Static Key VPN: OpenVPN/Static Key
Domain Name Servers: DNS · Linux/DNS IP Version 6: IPv6
Wireshark · SSH · Stunnel · Tor · Ettercap · Aircrack · Tcpdump
Tunnels · HTTP and HTTPS · SSH Tunnels · Linux/SSH
|