Tcpdump

From charlesreid1

Revision as of 01:55, 24 January 2016 by Admin (talk | contribs) (→‎W flag)

Installing

Linux

tcpdump should come with your distro, but if it doesn't, use aptitude or your package manager to install: 

apt-get install tcpdump

Once you've done that, you can list your network devices: 

iwconfig

Pick out which ones you want to listen to.

Mac

tcpdump comes with Mac. Man page for tcpdump: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/tcpdump.1.html

List your network devices: 

ifconfig

Pick out which ones you want to listen to.


Basic Usage

You may need to run tcpdump as sudo to access certain information from the hardware.

Tcpdump options can vary from platform to platform (e.g. mac vs linux) but this guide will cover some universal usage.

The simplest way to use tcpdump is to do an unfiltered packet capture - no filters on packets, so everything is captured.

The bare minimum you'll have to specify is a network interface. You may want to specify a file, too.

The -i and -w flags

To specify a network device you want to listen to, use the -i flag (for interface). Also specify an output file with the -w flag: 

tcpdump -i en0 -w output_file.pcap

-w prevents your computer from having a meltdown trying to print every single packet in a busy place.

You can monitor multiple interfaces by specifying a list: -i en0,en1

If you are using wireless, you'll need to use additional commands to control the channel your wireless card is listening to.


Controlling Output

To control output, you can have tcpdump create a new pcap file every N seconds, or every N megabytes.

G flag

Use the G flag to create a new pcap file every N seconds: 

-G [seconds]

If you use the G flag without the C flag (see below), you specify new filenames with strftime date/time format when you pass the filename to the -w flag. Like this: 

tcpdump -G 100 -w filename_%H-%M-%S.pcap

C flag

The C flag sets the maximum pcap file size, in millions of bytes. New files will have a common name with an incrementing number at the end. From the man page: 

-C

Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward. The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).

W flag

The W flag will limit the number of output files, so that tcpdump will begin to overwrite the first file once it has finished writing to the Nth file: 

-W     Used  in  conjunction  with the -C option, this will limit the
          number of files created to the  specified  number,  and  begin
          overwriting  files from the beginning, thus creating a 'rotat-
          ing' buffer.  In addition, it will name the files with  enough
          leading  0s  to  support the maximum number of files, allowing
          them to sort correctly.

          Used in conjunction with the -G option, this  will  limit  the
          number  of  rotated  dump files that get created, exiting with
          status 0 when reaching the limit. If used with -C as well, the
          behavior will result in cyclical files per timeslice.

Wireless Tcpdump

If you want to capture wireless packets, you need to know a bit more about a few things.

First is channels.

The 802.11 protocol allocates 12 channels for wireless (in the US), and your wireless card can only listen to one channel at a time. To listen to twelve channels, you need twelve wireless cards - or you need to hop from channel to channel with your single wireless card.

If it is critical to capture all traffic, you will want to use multiple wireless cards - if you're hopping from channel 5 to channel 6, and traffic shows up on channel 4, you won't see it.

Second is monitor mode. If your wireless card is not in monitor mode, your wireless card will be throwing away any packets that are not intended for itself, meaning you'll only be creating a pcap file of your own traffic.

Faster Packet Capture

To minimize overhead processing packets and maximize the number of packets captured, you can turn off host name resolution with the -n flag. This also makes things slightly more readable. 

tcpdump -I -n -i wlan1 -w output_pcap_file.pcap

Further, if you're running tcpdump for a long period of time, you can use the -G flag to create a new .pcap file every N seconds (e.g., 3600 seconds or 1 file hourly) 

tcpdump -G 3600 -I -n -i wlan1 -w output_pcap_file_%H.pcap

Link with more info:

http://stackoverflow.com/questions/16084699/scapy-how-to-get-the-statistics

Analysis

You can also use tcpdump to analyze a pcap file.

Counting Packets

$ tcpdump -nn -r output.pcap | wc -l

This will give you a count of the total number of packets in the pcap file.

Parsing Information

You can parse information by column using the cut utility. 

$ tcpdump -n -r output.pcap

The output has the fields: 

[timestamp] [network protocol] [source IP] . [source port] > [destination IP] . [destination port]


[1]



Defcon.png
Networking
pages and notes about computer networks.


Category:Networking


Wired Networks:

Man in the Middle attack vectors on wired networks: Man in the Middle/Wired

Packet analysis with Wireshark: Wireshark Packet Analysis

Linux networking: Linux/Networking


Wireless Networks:

Using Aircrack: Aircrack

Many Ways to Crack a Wifi: Cracking Wifi


Linux Networking

Linux/Networking  · Linux/SSH  · Linux/File Server


Virtual Networks:

Notes on OpenVPN: OpenVPN

Setting Up a Static Key VPN: OpenVPN/Static Key


Settings, Services, and Protocols:

Domain Name Servers: DNS  · Linux/DNS

IP Version 6: IPv6


Tools:

Wireshark  · SSH  · Stunnel  · Tor  · Ettercap  · Aircrack  · Tcpdump


Tunnels:

Tunnels  · HTTP and HTTPS  · SSH Tunnels  · Linux/SSH


Flags  · Template:NetworkingFlag  · e



Retrieved from "https://charlesreid1.com/w/index.php?title=Tcpdump&oldid=9066"