02/12/12

(2009-09-10, SimonLeinen)

TcpdumpExamples < PERTKB < TWiki

TWiki > PERTKB Web > PacketTraceTools > TcpDump > TcpdumpExamples

t c p d u m p( e x a m p l e s )
Here are some more
t c p d u m pexamples

for some more advanced use cases. For simple usage examples, see the main

t c p d u m ptopic.

Filter on protocol (ICMP) and protocol-specific fields (ICMP type)

Capture all ICMP with some exceptions. For example, if a host runs lots of pings (SmokePing for example), it is useful to suppress ICMP echo requests and replies from dumped packets:
:r o o t @ m y h o s t : ~ #t c p d u m pni c m pa n d' i c m p [ 0 ]! =8a n di c m p [ 0 ]! =0 ' t c p d u m p :v e r b o s eo u t p u ts u p p r e s s e d ,u s evo rv vf o rf u l lp r o t o c o ld e c o d e l i s t e n i n go ne t h 0 ,l i n k t y p eE N 1 0 M B( E t h e r n e t ) ,c a p t u r es i z e9 6b y t e s 1 0 : 0 5 : 0 2 . 3 3 8 8 2 6I P1 0 . 1 0 . 3 3 . 3 4>1 0 . 1 0 . 1 2 1 . 2 :i c m p3 6 :t i m ee x c e e d e di n t r a n s i t 1 0 : 0 5 : 0 2 . 5 8 7 4 9 4I P1 0 . 1 0 . 1 4 4 . 6 6>1 0 . 1 0 . 1 2 1 . 2 :i c m p3 6 :h o s t1 0 . 1 0 . 1 4 4 . 6 9u n r e a c h a b l e-a d m i np r o h i b i t e df i l t e r 1 0 : 0 5 : 0 2 . 6 9 9 1 1 0I P1 0 . 1 0 . 1 5 3 . 1 1 8>1 0 . 1 0 . 1 2 1 . 2 :i c m p3 6 :h o s t1 0 . 1 0 . 1 5 3 . 1 2 2u n r e a c h a b l e-a d m i np r o h i b i t e df i l t e r 1 0 : 0 5 : 0 4 . 3 1 9 4 5 1I P1 0 . 1 0 . 3 3 . 3 4>1 0 . 1 0 . 1 2 1 . 2 :i c m p3 6 :t i m ee x c e e d e di n t r a n s i t 1 0 : 0 5 : 0 7 . 3 6 3 2 7 8I P1 0 . 1 0 . 1 4 8 . 1 3 8>1 0 . 1 0 . 1 2 1 . 2 :i c m p3 6 :h o s t1 0 . 1 0 . 1 4 8 . 1 3 8u n r e a c h a b l e-a d m i np r o h i b i t e df i l t e r 1 0 : 0 5 : 1 0 . 2 2 0 4 9 1I P1 0 . 1 0 . 3 3 . 3 4>1 0 . 1 0 . 1 2 1 . 2 :i c m p3 6 :t i m ee x c e e d e di n t r a n s i t 1 0 : 0 5 : 1 0 . 4 7 6 0 8 2I P1 0 . 1 0 . 1 4 4 . 6 6>1 0 . 1 0 . 1 2 1 . 2 :i c m p3 6 :h o s t1 0 . 1 0 . 1 4 4 . 6 9u n r e a c h a b l e-a d m i np r o h i b i t e df i l t e r 1 0 : 0 5 : 1 0 . 6 3 8 6 1 1I P1 0 . 1 0 . 1 5 3 . 1 1 8>1 0 . 1 0 . 1 2 1 . 2 :i c m p3 6 :h o s t1 0 . 1 0 . 1 5 3 . 1 2 2u n r e a c h a b l e-a d m i np r o h i b i t e df i l t e r

8p a c k e t sc a p t u r e d 8p a c k e t sr e c e i v e db yf i l t e r 0p a c k e t sd r o p p e db yk e r n e l

Same command can be used with predefined header field offset (i c m p t y p e ) and ICMP type field values (i c m p e c h oand
:r o o t @ m y h o s t : ~ #t c p d u m pni c m pa n di c m p [ i c m p t y p e ]! =i c m p e c h oa n di c m p [ i c m p t y p e ]! =i c m p e c h o r e p l y

i c m p e c h o r e p l y ):

Filter on TOS field

Capture all IP packets with a non-zero TOS field (one byte TOS field is at offset 1 in IP header):
:r o o t @ m y h o s t : ~ #t c p d u m pvni pa n di p [ 1 ] ! = 0 t c p d u m p :l i s t e n i n go ne t h 0 ,l i n k t y p eE N 1 0 M B( E t h e r n e t ) ,c a p t u r es i z e9 6b y t e s 1 0 : 4 0 : 0 3 . 4 2 2 0 5 2I P( t o s0 x 1 0 ,t t l 6 4 ,i d5 8 5 3 4 ,o f f s e t0 ,f l a g s[ D F ] ,p r o t o6 ,l e n g t h :1 0 0 )1 0 . 1 0 . 1 2 1 . 2 . s s h>1 0 . 1 0 . 1 . 2 4 0 . 3 3 0 0 6 :P1 6 6 7 4 5 0 1 4 : 1 6 6 7 4 5 0 6 1 0 : 4 0 : 0 3 . 4 2 2 1 8 9I P( t o s0 x 1 0 ,t t l 6 4 ,i d5 8 5 3 6 ,o f f s e t0 ,f l a g s[ D F ] ,p r o t o6 ,l e n g t h :1 6 4 )1 0 . 1 0 . 1 2 1 . 2 . s s h>1 0 . 1 0 . 1 . 2 4 0 . 3 3 0 0 6 :P4 8 : 1 6 0 ( 1 1 2 )a c k1 1 0 : 4 0 : 0 3 . 4 2 2 3 2 5I P( t o s0 x 1 0 ,t t l 6 4 ,i d5 8 5 3 8 ,o f f s e t0 ,f l a g s[ D F ] ,p r o t o6 ,l e n g t h :3 0 8 )1 0 . 1 0 . 1 2 1 . 2 . s s h>1 0 . 1 0 . 1 . 2 4 0 . 3 3 0 0 6 :P1 6 0 : 4 1 6 ( 2 5 6 )a c k1 1 0 : 4 0 : 0 3 . 4 2 2 9 0 6I P( t o s0 x 1 0 ,t t l 6 2 ,i d2 9 1 6 7 ,o f f s e t0 ,f l a g s[ D F ] ,p r o t o6 ,l e n g t h :5 2 )1 0 . 1 0 . 1 . 2 4 0 . 3 3 0 0 6>1 0 . 1 0 . 1 2 1 . 2 . s s h :.[ t c ps u mo k ]a c k4 8 . . .

Filter on TTL field

Capture all IP packets with TTL less than some value (on byte TTL field is at offset 8 in IP header):
:r o o t @ m y h o s t : ~ #t c p d u m pvi pa n d' i p [ 8 ] < 2 ' t c p d u m p :l i s t e n i n go ne t h 0 ,l i n k t y p eE N 1 0 M B( E t h e r n e t ) ,c a p t u r es i z e9 6b y t e s 1 0 : 3 0 : 5 1 . 0 1 3 6 2 0I P( t o s0 x c 0 ,t t l 1 0 : 3 0 : 5 4 . 0 3 5 1 2 4I P( t o s0 x c 0 ,t t l 1 0 : 3 0 : 5 6 . 0 4 9 0 4 6I P( t o s0 x c 0 ,t t l 1 0 : 3 0 : 5 6 . 0 5 1 2 4 2I P( t o s0 x c 0 ,t t l 1 ,i d4 4 1 1 9 ,o f f s e t0 ,f l a g s[ n o n e ] ,p r o t o2 ,l e n g t h :2 8 )l t e s t 1 . a r n e s . s i>2 3 9 . 2 5 5 . 2 5 5 . 2 5 5 :i g m pv 2r e p o r t2 3 9 . 2 5 1 ,i d4 4 1 2 0 ,o f f s e t0 ,f l a g s[ n o n e ] ,p r o t o2 ,l e n g t h :2 8 )l t e s t 1 . a r n e s . s i>C I S C O R P D I S C O V E R Y . M C A S T . N E T :i g m pv 2 1 ,i d4 4 1 2 1 ,o f f s e t0 ,f l a g s[ n o n e ] ,p r o t o2 ,l e n g t h :2 8 )l t e s t 1 . a r n e s . s i>S A P . M C A S T . N E T :i g m pv 2r e p o r tS A P . M C A S 1 ,i d4 4 1 2 2 ,o f f s e t0 ,f l a g s[ n o n e ] ,p r o t o1 0 3 ,l e n g t h :7 2 6 )l t e s t 1 . a r n e s . s i>P I M R O U T E R S . M C A S T . N E T :P I M v 2 ,l e n g t

J o i n/P r u n e( 3 ) ,u p s t r e a m n e i g h b o r :r a r n e s 1 3 F 2 0 x 2 0 0 . a r n e s . s i 1g r o u p ( s ) ,h o l d t i m e :3 m 3 0 s g r o u p# 1 :S A P . M C A S T . N E T ,j o i n e ds o u r c e s :8 5 ,p r u n e ds o u r c e s :0 j o i n e ds o u r c e# 1 :h a y a k a w a . l a v a . n e t ( S ) j o i n e ds o u r c e# 2 :6 4 . 2 5 1 . 6 2 . 3 4 ( S ) j o i n e ds o u r c e# 3 :6 4 . 2 5 1 . 6 2 . 3 5 ( S ) j o i n e ds o u r c e# 4 :6 4 . 2 5 1 . 6 2 . 3 6 ( S ) j o i n e ds o u r c e# 5 :. . . )

4p a c k e t sc a p t u r e d 4p a c k e t sr e c e i v e db yf i l t e r 0p a c k e t sd r o p p e db yk e r n e l

Filter on TCP flags (SYN/ACK)

Catch TCP SYN packets:
:r o o t @ m y h o s t : ~ #t c p d u m pnt c pa n dp o r t8 0a n d' t c p [ t c p f l a g s ]&t c p s y n= =t c p s y n ' t c p d u m p :v e r b o s eo u t p u ts u p p r e s s e d ,u s evo rv vf o rf u l lp r o t o c o ld e c o d e l i s t e n i n go ne t h 0 ,l i n k t y p eE N 1 0 M B( E t h e r n e t ) ,c a p t u r es i z e9 6b y t e s 1 3 : 1 5 : 0 0 . 3 0 2 2 1 9I P1 0 . 1 0 . 1 . 2 4 0 . 3 3 1 1 1>1 0 . 1 0 . 1 2 1 . 2 . h t t p :S3 2 8 4 5 5 6 4 5 2 : 3 2 8 4 5 5 6 4 5 2 ( 0 )w i n5 8 4 0< m s s1 4 6 0 , s a c k O K , t i m e s t a m p1 6 2 6 1 2 7 90 , n o p , w s c a l e1 0 > 1 3 : 1 5 : 0 0 . 3 0 2 2 7 2I P1 0 . 1 0 . 1 2 1 . 2 . h t t p>1 0 . 1 0 . 1 . 2 4 0 . 3 3 1 1 1 :S9 7 5 1 0 7 3 4 1 : 9 7 5 1 0 7 3 4 1 ( 0 )a c k3 2 8 4 5 5 6 4 5 3w i n3 2 7 6 7< m s s1 4 6 0 , s a c k O K , t i m e s t a m p2 4 3 2 5 5 0 8 2 51 6 2 6 1

In the example above, all packets with TCP SYN flag set are captured. Other flags (ACK, for example) might be set also. Packets which have only TCP SYN flags set, can be captured like this:

kb.pert.geant.net/PERTKB/TcpdumpExamples

1/3

02/12/12

TcpdumpExamples < PERTKB < TWiki

:r o o t @ m y h o s t : ~ #t c p d u m pt c pa n dp o r t8 0a n d' t c p [ t c p f l a g s ]= =t c p s y n '

Catch TCP SYN/ACK packets (typically, responses from servers):

:r o o t @ m y h o s t : ~ #t c p d u m pnt c pa n d' t c p [ t c p f l a g s ]&( t c p s y n | t c p a c k )= =( t c p s y n | t c p a c k ) ' t c p d u m p :v e r b o s eo u t p u ts u p p r e s s e d ,u s evo rv vf o rf u l lp r o t o c o ld e c o d e l i s t e n i n go ne t h 0 ,l i n k t y p eE N 1 0 M B( E t h e r n e t ) ,c a p t u r es i z e9 6b y t e s 1 3 : 3 0 : 1 9 . 5 0 1 8 1 6I P1 0 . 1 0 . 1 2 1 . 2 . s s h>1 0 . 1 0 . 1 . 2 4 0 . 3 3 1 1 4 :S1 9 4 0 7 6 3 7 7 2 : 1 9 4 0 7 6 3 7 7 2 ( 0 )a c k4 2 5 0 4 8 5 5 7 2w i n3 2 7 6 7< m s s1 4 6 0 , s a c k O K , t i m e s t a m p2 4 3 3 4 7 0 2 5 71 7 1 8

Same thing:
:r o o t @ m y h o s t : ~ #t c p d u m pnt c pa n d' t c p [ t c p f l a g s ]&t c p s y n= =t c p s y n 'a n d' t c p [ t c p f l a g s ]&t c p a c k= =t c p a c k '

Catch ARP packets

:r o o t @ m y h o s t : ~ #t c p d u m pv ven ne t h e rp r o t o0 x 0 8 0 6 t c p d u m p :l i s t e n i n go ne t h 0 ,l i n k t y p eE N 1 0 M B( E t h e r n e t ) ,c a p t u r es i z e9 6b y t e s 0 8 : 5 0 : 3 5 . 8 4 2 9 9 90 0 : 3 0 : 4 8 : 2 7 : x x : f f>f f : f f : f f : f f : f f : f f ,e t h e r t y p eA R P( 0 x 0 8 0 6 ) ,l e n g t h6 0 :a r pw h o h a s1 9 3 . 2 . x . yt e l l1 9 3 . 2 . x . w 0 8 : 5 0 : 3 6 . 8 4 1 8 1 40 0 : 3 0 : 4 8 : 2 7 : x x : f f>f f : f f : f f : f f : f f : f f ,e t h e r t y p eA R P( 0 x 0 8 0 6 ) ,l e n g t h6 0 :a r pw h o h a s1 9 3 . 2 . x . yt e l l1 9 3 . 2 . x . w 0 8 : 5 0 : 3 7 . 8 4 1 3 9 60 0 : 3 0 : 4 8 : 2 7 : x x : f f>f f : f f : f f : f f : f f : f f ,e t h e r t y p eA R P( 0 x 0 8 0 6 ) ,l e n g t h6 0 :a r pw h o h a s1 9 3 . 2 . x . yt e l l1 9 3 . 2 . x . w . . . 0 8 : 5 3 : 1 8 . 9 1 3 9 6 80 0 : 1 4 : 3 8 : 0 0 : e 7 : d 7>0 0 : 3 0 : 4 8 : 2 7 : 6 a : f f ,e t h e r t y p eA R P( 0 x 0 8 0 6 ) ,l e n g t h4 2 :a r pr e p l y1 9 3 . 2 . x . zi s a t0 0 : 1 4 : 3 8 : 0 0 : x x : y y

Filter on IP packet length

Catch packets of a specified length (IP packet length (16 bits) is located at offset 2 in IP header):
:r o o t @ m y h o s t : ~ #t c p d u m pli c m pa n d' ( i p [ 2 : 2 ] > 5 0 ) 'w-| t c p d u m pr-vi pa n d' ( i p [ 2 : 2 ] < 6 0 ) ' t c p d u m p :l i s t e n i n go ne t h 0 ,l i n k t y p eE N 1 0 M B( E t h e r n e t ) ,c a p t u r es i z e9 6b y t e s r e a d i n gf r o mf i l e,l i n k t y p eE N 1 0 M B( E t h e r n e t ) 1 1 : 0 3 : 5 9 . 4 2 0 8 5 6I P( t o s0 x 0 ,t t l2 4 9 ,i d0 ,o f f s e t0 ,f l a g s[ n o n e ] ,p r o t o1 ,l e n g t h :5 6 )l p t t l j 3 t k . a r n e s . s i>m y h o s t . a r n e s . s i :i c m p3 6 :t i m ee x c e e d e d 1 1 : 0 4 : 0 2 . 2 7 4 1 3 5I P( t o s0 x 0 ,t t l2 5 1 ,i d1 7 0 9 5 ,o f f s e t0 ,f l a g s[ n o n e ] ,p r o t o1 ,l e n g t h :5 6 )r s i k o r m . a r n e s . s i>m y h o s t . a r n e s . s i :i c m p3 6 :h o s tr s i k o 1 1 : 0 4 : 0 5 . 4 5 2 8 0 2I P( t o s0 x 0 ,t t l2 4 9 ,i d3 4 0 2 1 ,o f f s e t0 ,f l a g s[ n o n e ] ,p r o t o1 ,l e n g t h :5 6 )1 0 . 1 0 . 1 4 4 . 6 6>m y h o s t . a r n e s . s i :i c m p3 6 :h o s tr o m i s l i n j a 1 1 : 0 4 : 0 5 . 4 9 6 3 8 4I P( t o s0 x 0 ,t t l2 5 1 ,i d4 0 7 1 ,o f f s e t0 ,f l a g s[ n o n e ] ,p r o t o1 ,l e n g t h :5 6 )r s s b m b . a r n e s . s i>m y h o s t . a r n e s . s i :i c m p3 6 :h o s ts s s b m < ^ C > 8 1 4p a c k e t sc a p t u r e d 8 1 4p a c k e t sr e c e i v e db yf i l t e r 0p a c k e t sd r o p p e db yk e r n e l t c p d u m p :p c a p _ l o o p :e r r o rr e a d i n gd u m pf i l e :I n t e r r u p t e ds y s t e mc a l l

Remark: due to some bug in tcpdump, the following command doesn't catch packets as expected:
:r o o t @ m y h o s t : ~ #t c p d u m pvni c m pa n d' ( i p [ 2 : 2 ] > 5 0 ) 'a n d' ( i p [ 2 : 2 ] < 6 0 ) ' t c p d u m p :l i s t e n i n go ne t h 0 ,l i n k t y p eE N 1 0 M B( E t h e r n e t ) ,c a p t u r es i z e9 6b y t e s [ n oo u t p u t ]

Because of this, two

t c p d u m p swere

used in the example above (t c p d u m pl. . .w-| t c p d u m pr. . . ). Option

lis

needed to force first t c p d u m pprogram to output

captured data imeadiately to the second program.

Filter on encapsulated content (ICMP within PPPoE)

Capturing packets from PPPoE session. For example: we mirror a link that connects xDSL modem and home PC or router. Mirrored packets are ethernet frames with PPPoE/IP packets encapsulated. In the following example, we are looking for ICMP packets in PPPoE frames. A simple command like
:r o o t @ m y h o s t : ~ #t c p d u m pvni c m p

will not produce expected results, because packets that we monitor are being encapsulated into a PPPoE frames. Of course, tcpdump can't locate IP protocol == ICMP at normal offset in an ethernet frame. We must therefore take into account the additional headers: 14 bytes for ethernet and 8 bytes for PPPoE. IP protocol is located at offset 9 in the IP header, which gives us offset 31 in the mirrored ethernet frame. Therefore, ICMP packets (protokol 1) are captured with
:r o o t @ m y h o s t : ~ #t c p d u m pvne t h e r [ 3 1 ]=1

Simultaneous output to dump file and (decoded) standard output

You may want to dump packets to a file, but still see the decoded headers "live" on your terminal. While this is not supported directly by t c p d u m pyou can use the powerful pipe mechanism to obtain this effect:

kb.pert.geant.net/PERTKB/TcpdumpExamples

2/3

02/12/12

TcpdumpExamples < PERTKB < TWiki

:l e i n e n @ b o n a d e a [ l e i n e n ] ;s u d ot c p d u m ps0it u n 0c1 0w-U|t e ef o o . p c a p|t c p d u m pnrt c p d u m p :W A R N I N G :a r p t y p e6 5 5 3 4n o ts u p p o r t e db yl i b p c a p-f a l l i n gb a c kt oc o o k e ds o c k e t t c p d u m p :l i s t e n i n go nt u n 0 ,l i n k t y p eL I N U X _ S L L( L i n u xc o o k e d ) ,c a p t u r es i z e6 5 5 3 5b y t e s r e a d i n gf r o mf i l e,l i n k t y p eL I N U X _ S L L( L i n u xc o o k e d ) 1 1 : 0 4 : 1 9 . 9 8 0 1 6 0I P1 3 0 . 5 9 . 2 8 . 1 8>1 3 0 . 5 9 . 1 0 . 3 6 :I C M Pe c h or e q u e s t ,i d3 2 8 7 2 ,s e q6 5 ,l e n g t h6 4 1 1 : 0 4 : 1 9 . 9 8 4 5 3 6I P1 3 0 . 5 9 . 1 0 . 3 6>1 3 0 . 5 9 . 2 8 . 1 8 :I C M Pe c h or e p l y ,i d3 2 8 7 2 ,s e q6 5 ,l e n g t h6 4 1 1 : 0 4 : 2 0 . 9 8 4 1 0 4I P1 3 0 . 5 9 . 2 8 . 1 8>1 3 0 . 5 9 . 1 0 . 3 6 :I C M Pe c h or e q u e s t ,i d3 2 8 7 2 ,s e q6 6 ,l e n g t h6 4 1 1 : 0 4 : 2 0 . 9 8 7 5 7 1I P1 3 0 . 5 9 . 1 0 . 3 6>1 3 0 . 5 9 . 2 8 . 1 8 :I C M Pe c h or e p l y ,i d3 2 8 7 2 ,s e q6 6 ,l e n g t h6 4 1 1 : 0 4 : 2 1 . 9 9 2 1 0 2I P1 3 0 . 5 9 . 2 8 . 1 8>1 3 0 . 5 9 . 1 0 . 3 6 :I C M Pe c h or e q u e s t ,i d3 2 8 7 2 ,s e q6 7 ,l e n g t h6 4 1 1 : 0 4 : 2 1 . 9 9 5 6 7 6I P1 3 0 . 5 9 . 1 0 . 3 6>1 3 0 . 5 9 . 2 8 . 1 8 :I C M Pe c h or e p l y ,i d3 2 8 7 2 ,s e q6 7 ,l e n g t h6 4 1 1 : 0 4 : 2 2 . 9 9 6 1 0 9I P1 3 0 . 5 9 . 2 8 . 1 8>1 3 0 . 5 9 . 1 0 . 3 6 :I C M Pe c h or e q u e s t ,i d3 2 8 7 2 ,s e q6 8 ,l e n g t h6 4 1 1 : 0 4 : 2 2 . 9 9 9 7 1 4I P1 3 0 . 5 9 . 1 0 . 3 6>1 3 0 . 5 9 . 2 8 . 1 8 :I C M Pe c h or e p l y ,i d3 2 8 7 2 ,s e q6 8 ,l e n g t h6 4 1 1 : 0 4 : 2 4 . 0 0 4 1 7 6I P1 3 0 . 5 9 . 2 8 . 1 8>1 3 0 . 5 9 . 1 0 . 3 6 :I C M Pe c h or e q u e s t ,i d3 2 8 7 2 ,s e q6 9 ,l e n g t h6 4 1 0p a c k e t sc a p t u r e d 1 0p a c k e t sr e c e i v e db yf i l t e r 0p a c k e t sd r o p p e db yk e r n e l 1 1 : 0 4 : 2 4 . 0 0 7 0 8 3I P1 3 0 . 5 9 . 1 0 . 3 6>1 3 0 . 5 9 . 2 8 . 1 8 :I C M Pe c h or e p l y ,i d3 2 8 7 2 ,s e q6 9 ,l e n g t h6 4 :l e i n e n @ b o n a d e a [ l e i n e n ] ;l slf o o . p c a p r w r r -1l e i n e nl e i n e n1 1 8 42 0 0 8 1 1 2 81 1 : 0 4f o o . p c a p

Explanation: The first t c p d u m pcall captures the packets, and dumps the (binary) data to standard output ( w). The U(unbuffered) flag causes each packet to be written out immediately, circumventing the normal output buffering. This preserves the real-time characteristics better. The binary packets are piped to the t e e command, which writes them to a file (f o o . p c a p ) and at the same time outputs them again on standard output. From there, they are decoded using -- MatjazStraus - 01 Oct 2007 -- SimonLeinen - 28 Nov 2008
t c p d u m pr.

Topic revision: r6 - 2009-09-10 - SimonLeinen

Copyright 2004-2009 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.

kb.pert.geant.net/PERTKB/TcpdumpExamples

3/3