A Quick and Practical Reference For Tcpdump

A Quick and Practical Reference for tcpdump
1 of 27
http://bencane.com/2014/10/13/quick-and-practical-reference-for-tcpdump/
tcpdump
tcpdump
tcpdump
5/25/2015 12:17 PM
2 of 27
tcpdump
tcpdump
tcpdump
tcpdump
tcpdump
tcpdump
tcpdump
# tcpdump -n
5/25/2015 12:17 PM
3 of 27
tcpdump
# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:15:05.051896 IP blog.ssh > 10.0.3.1.32855: Flags [P.], seq 2546456553:2546456749, ack 1824683693, win 3
55, options [nop,nop,TS val 620879437 ecr 620879348], length 196
-n
tcpdump
# tcpdump -n
16:23:47.934665 IP 10.0.3.246.22 > 10.0.3.1.32855: Flags [P.], seq 2546457621:2546457817, ack 1824684201,
win 355, options [nop,nop,TS val 621010158 ecr 621010055], length 196
# tcpdump -v
-v
5/25/2015 12:17 PM
4 of 27
# tcpdump
tcpdump
v
tcpdump
# tcpdump -vvv -c 1
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:36:13.873456 IP (tos 0x10, ttl 64, id 121, offset 0, flags [DF], proto TCP (6), length 184)
blog.ssh > 10.0.3.1.32855: Flags [P.], cksum 0x1ba1 (incorrect -> 0x0dfd), seq 2546458841:2546458973,
ack 1824684869, win 355, options [nop,nop,TS val 621196643 ecr 621196379], length 132
# tcpdump -i eth0
tcpdump
eth0
5/25/2015 12:17 PM
5 of 27
# tcpdump
-i
any
tcpdump
# tcpdump -i any
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
# tcpdump -w /path/to/file
tcpdump
5/25/2015 12:17 PM
6 of 27
# tcpdump
tcpdump
-w
# tcpdump -w /var/tmp/tcpdata.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
1 packet captured
2 packets received by filter
0 packets dropped by kernel
CTRL+C
tcpdump
# tcpdump -r /path/to/file
5/25/2015 12:17 PM
7 of 27
-r
# tcpdump -r /var/tmp/tcpdata.pcap
reading from file /var/tmp/tcpdata.pcap, link-type EN10MB (Ethernet)
tcpdump
# tcpdump -s 100
tcpdump
-s
tcpdump
# tcpdump -c 10
tcpdump
CTRL+C
5/25/2015 12:17 PM
8 of 27
# tcpdump host google.com

^C
0 packets captured
tcpdump
-c
tcpdump
# tcpdump -nvvv -i any -c 100 -s 100
5/25/2015 12:17 PM
9 of 27
# tcpdump -w /var/tmp/tcpdata.pcap -i any -c 10 -vvv

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
10 packets captured
# tcpdump -r /var/tmp/tcpdata.pcap -nvvv -c 5
reading from file /var/tmp/tcpdata.pcap, link-type LINUX_SLL (Linux cooked)
10.0.3.246.22 > 10.0.3.1.32855: Flags [P.], cksum 0x1b51 (incorrect -> 0x72bc), seq 2547781277:2547781
329, ack 1824703573, win 355, options [nop,nop,TS val 622081791 ecr 622081775], length 52
10.0.3.1.32855 > 10.0.3.246.22: Flags [.], cksum 0x1b1d (incorrect -> 0x4950), seq 1, ack 52, win 541,
options [nop,nop,TS val 622081791 ecr 622081791], length 0
10.0.3.246.22 > 10.0.3.1.32855: Flags [P.], cksum 0x1b91 (incorrect -> 0x98c3), seq 52:168, ack 1, win
10.0.3.1.32855 > 10.0.3.246.22: Flags [.], cksum 0x1b1d (incorrect -> 0x48da), seq 1, ack 168, win 541
, options [nop,nop,TS val 622081792 ecr 622081792], length 0
10.0.3.246.22 > 10.0.3.1.32855: Flags [P.], cksum 0x1b51 (incorrect -> 0xc3ba), seq 168:220, ack 1, wi
n 355, options [nop,nop,TS val 622082040 ecr 622081792], length 52
tcpdump
tcpdump
5/25/2015 12:17 PM
10 of 27
# tcpdump -nvvv -i any -c 3 host 10.0.3.1
tcpdump
source
10.0.3.1
destination
host 10.0.3.1
10.0.3.1
# tcpdump -nvvv -i any -c 3 host 10.0.3.1

10.0.3.246.22 > 10.0.3.1.32855: Flags [P.], cksum 0x1ba1 (incorrect -> 0x9f75), seq 2547785621:2547785
10.0.3.1.32855 > 10.0.3.246.22: Flags [.], cksum 0x1b1d (incorrect -> 0x7c34), seq 1, ack 132, win 540
10.0.3.246.22 > 10.0.3.1.32855: Flags [P.], cksum 0x1d71 (incorrect -> 0x3443), seq 132:728, ack 1, wi
# tcpdump -nvvv -i any -c 3 src host 10.0.3.1
10.0.3.1
10.0.3.1
src
host
5/25/2015 12:17 PM
11 of 27
tcpdump
dst
# tcpdump -nvvv -i any -c 3 src host 10.0.3.1

10.0.3.1.32855 > 10.0.3.246.22: Flags [.], cksum 0x1b1d (incorrect -> 0x1707), seq 1824706545, ack 254
7787717, win 540, options [nop,nop,TS val 622411223 ecr 622411223], length 0
10.0.3.1.32855 > 10.0.3.246.22: Flags [.], cksum 0x1b1d (incorrect -> 0x15c5), seq 0, ack 325, win 538
10.0.3.1.32855 > 10.0.3.246.22: Flags [.], cksum 0x1b1d (incorrect -> 0x1491), seq 0, ack 633, win 536
# tcpdump -nvvv -i any -c 3 dst host 10.0.3.1
10.0.3.246.22 > 10.0.3.1.32855: Flags [P.], cksum 0x1ba1 (incorrect -> 0x586d), seq 2547789725:2547789
10.0.3.246.22 > 10.0.3.1.32855: Flags [P.], cksum 0x1c71 (incorrect -> 0x462e), seq 132:472, ack 1, wi
10.0.3.246.22 > 10.0.3.1.32855: Flags [P.], cksum 0x1c51 (incorrect -> 0xf469), seq 472:780, ack 1, wi
# tcpdump -nvvv -i any -c 3 port 22 and port 60738
tcpdump
5/25/2015 12:17 PM
12 of 27
and
and
22
tcpdump
60738
# tcpdump -nvvv -i any -c 3 port 22 and port 60738

10.0.3.1.60738 > 10.0.3.246.22: Flags [P.], cksum 0x1b51 (incorrect -> 0x5b3c), seq 917414532:91741458
10.0.3.246.22 > 10.0.3.1.60738: Flags [P.], cksum 0x1ba1 (incorrect -> 0xb0b1), seq 1:133, ack 52, win
10.0.3.1.60738 > 10.0.3.246.22: Flags [.], cksum 0x1b1d (incorrect -> 0x1e3b), seq 52, ack 133, win 35
and
and
&&
&&
&&
5/25/2015 12:17 PM
13 of 27
# tcpdump -nvvv -i any -c 3 'port 22 && port 60738'

10.0.3.1.60738 > 10.0.3.246.22: Flags [P.], cksum 0x1b41 (incorrect -> 0x776c), seq 917414636:91741467
10.0.3.246.22 > 10.0.3.1.60738: Flags [P.], cksum 0x1b61 (incorrect -> 0xaf2d), seq 1:69, ack 36, win
10.0.3.1.60738 > 10.0.3.246.22: Flags [.], cksum 0x1b1d (incorrect -> 0xf264), seq 36, ack 69, win 353
# tcpdump -nvvv -i any -c 20 'port 80 or port 443'
or
||
or
tcpdump
80
443
80
http
443
https
5/25/2015 12:17 PM
14 of 27
# tcpdump -nvvv -i any -c 20 'port 80 or port 443'

10.0.3.1.50524 > 10.0.3.246.443: Flags [S], cksum 0x1b25 (incorrect -> 0x8611), seq 3836995553, win 29
200, options [mss 1460,sackOK,TS val 622820379 ecr 0,nop,wscale 7], length 0
10.0.3.246.443 > 10.0.3.1.50524: Flags [R.], cksum 0x012c (correct), seq 0, ack 3836995554, win 0, len
gth 0
10.0.3.1.60374 > 10.0.3.246.80: Flags [P.], cksum 0x1cc4 (incorrect -> 0x3a4e), seq 580573019:58057344
10.0.3.246.80 > 10.0.3.1.60374: Flags [.], cksum 0x1b1d (incorrect -> 0x45d7), seq 1, ack 423, win 243
10.0.3.246.80 > 10.0.3.1.60374: Flags [P.], cksum 0x1bda (incorrect -> 0x855c), seq 1:190, ack 423, wi
10.0.3.1.60374 > 10.0.3.246.80: Flags [.], cksum 0x1b1d (incorrect -> 0x4517), seq 423, ack 190, win 2
# tcpdump -nvvv -i any -c 20 '(port 80 or port 443) and host 10.0.3.169'
tcpdump
host
or
or
5/25/2015 12:17 PM
15 of 27
# tcpdump -nvvv -i any -c 20 '(port 80 or port 443) and host 10.0.3.169'

10.0.3.169.33786 > 10.0.3.246.443: Flags [S], cksum 0x1bcd (incorrect -> 0x0d96), seq 4173164403, win
10.0.3.246.443 > 10.0.3.169.33786: Flags [R.], cksum 0xa64a (correct), seq 0, ack 4173164404, win 0, l
ength 0
10.0.3.169.35629 > 10.0.3.246.80: Flags [S], cksum 0x1bcd (incorrect -> 0xdf7c), seq 1068257453, win 2
10.0.3.246.80 > 10.0.3.169.35629: Flags [S.], cksum 0x1bcd (incorrect -> 0xed80), seq 2992472447, ack
1068257454, win 28960, options [mss 1460,sackOK,TS val 623024603 ecr 623024603,nop,wscale 7], length 0
10.0.3.169.35629 > 10.0.3.246.80: Flags [.], cksum 0x1bc5 (incorrect -> 0x8c87), seq 1, ack 1, win 229
80
443
10.0.3.169
10.0.3.1
10.0.3.246
5/25/2015 12:17 PM
16 of 27
# tcpdump -nvvv -i any -c 20 '((port 80 or port 443) and (host 10.0.3.169 or host 10.0.3.1)) and dst host
10.0.3.246'
10.0.3.1.35407 > 10.0.3.246.80: Flags [S], cksum 0x1b25 (incorrect -> 0x4890), seq 3026316656, win 292
10.0.3.1.35407 > 10.0.3.246.80: Flags [.], cksum 0x1b1d (incorrect -> 0x3454), seq 3026316657, ack 365
7995297, win 229, options [nop,nop,TS val 623255762 ecr 623255762], length 0
10.0.3.1.35407 > 10.0.3.246.80: Flags [P.], cksum 0x1cc4 (incorrect -> 0x10c2), seq 0:423, ack 1, win
10.0.3.1.35407 > 10.0.3.246.80: Flags [.], cksum 0x1b1d (incorrect -> 0x31e6), seq 423, ack 190, win 2
tcpdump
tcpdump
tcpdump
5/25/2015 12:17 PM
17 of 27
10.0.3.246.56894 > 192.168.0.92.22: Flags [S], cksum 0xcf28 (incorrect -> 0x0388), seq 682725222, win 2920
10.0.3.246
56894
192.168.0.92
22
tcpdump
src-ip.src-port >
dest-ip.dest-port: Flags[S]
>
>
10.0.3.246.56894 > 192.168.0.92.22: Flags [S], cksum 0xcf28 (incorrect -> 0x0388), seq 682725222, win 2920
SYN
Flags [S]
tcpdump
[S]
5/25/2015 12:17 PM
18 of 27
[.]
[P]
[F]
[R]
[S.]
SYN-ACK
15:15:43.323412 IP (tos 0x0, ttl 64, id 51051, offset 0, flags [DF], proto TCP (6), length
10.0.3.246.56894 > 192.168.0.92.22: Flags [S], cksum 0xcf28 (incorrect -> 0x0388), seq
10.0.3.246.56894 > 192.168.0.92.22: Flags [S], cksum 0xcf28 (incorrect -> 0x028e), seq
10.0.3.246.56894 > 192.168.0.92.22: Flags [S], cksum 0xcf28 (incorrect -> 0x009a), seq
10.0.3.246
SYN
60)
682725222, win
60)
682725222, win
60)
682725222, win
192.168.0.92
192.168.0.92
5/25/2015 12:17 PM
19 of 27
10.0.3.246.34908 > 192.168.0.110.22: Flags [S], cksum 0xcf3a (incorrect -> 0xc838), seq 1943877315, wi
n 29200, options [mss 1460,sackOK,TS val 620029603 ecr 0,nop,wscale 7], length 0
192.168.0.110.22 > 10.0.3.246.34908: Flags [S.], cksum 0x594a (correct), seq 4001145915, ack 194387731
6, win 5792, options [mss 1460,sackOK,TS val 18495104 ecr 620029603,nop,wscale 2], length 0
10.0.3.246.34908 > 192.168.0.110.22: Flags [.], cksum 0xcf32 (incorrect -> 0x9dcc), ack 1, win 229, op
tions [nop,nop,TS val 620029603 ecr 18495104], length 0
SYN
192.168.0.110
10.0.3.246
SYN-ACK
SYN
ACK
10.0.3.246
192.168.0.110
SYN-ACK-ACK
SYN-ACK
# tcpdump -nvvv -i any -c 1 -XX 'port 80 and host 10.0.3.1'
tcpdump
-XX
5/25/2015 12:17 PM
20 of 27
5/25/2015 12:17 PM
21 of 27
# tcpdump -nvvv -i any -c 1 -XX 'port 80 and host 10.0.3.1'

10.0.3.1.45732 > 10.0.3.246.80: Flags [P.], cksum 0x1ccc (incorrect -> 0x2ce8), seq 3920159713:3920160
0x0000: 0000 0001 0006 fe0a e2d1 8785 0000 0800 ................
0x0010: 4500 01e3 d429 4000 4006 49f5 0a00 0301 E....)@.@.I.....
0x0020: 0a00 03f6 b2a4 0050 e9a8 e3e1 39ce d0a4 .......P....9...
0x0030: 8018 00f5 1ccc 0000 0101 080a 2533 58f3 ............%3X.
0x0040: 2533 4656 4745 5420 2f73 6f6d 6570 6167 %3FVGET./somepag
0x0050: 6520 4854 5450 2f31 2e31 0d0a 486f 7374 e.HTTP/1.1..Host
0x0060: 3a20 3130 2e30 2e33 2e32 3436 0d0a 436f :.10.0.3.246..Co
0x0070: 6e6e 6563 7469 6f6e 3a20 6b65 6570 2d61 nnection:.keep-a
0x0080: 6c69 7665 0d0a 4361 6368 652d 436f 6e74 live..Cache-Cont
0x0090: 726f 6c3a 206d 6178 2d61 6765 3d30 0d0a rol:.max-age=0..
0x00a0: 4163 6365 7074 3a20 7465 7874 2f68 746d Accept:.text/htm
0x00b0: 6c2c 6170 706c 6963 6174 696f 6e2f 7868 l,application/xh
0x00c0: 746d 6c2b 786d 6c2c 6170 706c 6963 6174 tml+xml,applicat
0x00d0: 696f 6e2f 786d 6c3b 713d 302e 392c 696d ion/xml;q=0.9,im
0x00e0: 6167 652f 7765 6270 2c2a 2f2a 3b71 3d30 age/webp,*/*;q=0
0x00f0: 2e38 0d0a 5573 6572 2d41 6765 6e74 3a20 .8..User-Agent:.
0x0100: 4d6f 7a69 6c6c 612f 352e 3020 284d 6163 Mozilla/5.0.(Mac
0x0110: 696e 746f 7368 3b20 496e 7465 6c20 4d61 intosh;.Intel.Ma
0x0120: 6320 4f53 2058 2031 305f 395f 3529 2041 c.OS.X.10_9_5).A
0x0130: 7070 6c65 5765 624b 6974 2f35 3337 2e33 ppleWebKit/537.3
0x0140: 3620 284b 4854 4d4c 2c20 6c69 6b65 2047 6.(KHTML,.like.G
0x0150: 6563 6b6f 2920 4368 726f 6d65 2f33 382e ecko).Chrome/38.
0x0160: 302e 3231 3235 2e31 3031 2053 6166 6172 0.2125.101.Safar
0x0170: 692f 3533 372e 3336 0d0a 4163 6365 7074 i/537.36..Accept
0x0180: 2d45 6e63 6f64 696e 673a 2067 7a69 702c -Encoding:.gzip,
0x0190: 6465 666c 6174 652c 7364 6368 0d0a 4163 deflate,sdch..Ac
0x01a0: 6365 7074 2d4c 616e 6775 6167 653a 2065 cept-Language:.e
0x01b0: 6e2d 5553 2c65 6e3b 713d 302e 380d 0a49 n-US,en;q=0.8..I
0x01c0: 662d 4d6f 6469 6669 6564 2d53 696e 6365 f-Modified-Since
0x01d0: 3a20 5375 6e2c 2031 3220 4f63 7420 3230 :.Sun,.12.Oct.20
0x01e0: 3134 2031 393a 3430 3a32 3020 474d 540d 14.19:40:20.GMT.
5/25/2015 12:17 PM
22 of 27
0x01f0:
0a0d 0a
...
# tcpdump -nvvv -i any -c 1 -A 'port 80 and host 10.0.3.1'
-A
# tcpdump -nvvv -i any -c 1 -A 'port 80 and host 10.0.3.1'

10.0.3.1.46172 > 10.0.3.246.80: Flags [P.], cksum 0x1c7f (incorrect -> 0xead1), seq 1552520173:1552520
E.....@.@.Ln
...
....\.P\.....I'...........
%5Q)%5C.GET /newpage HTTP/1.1
Host: 10.0.3.246
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/3
8.0.2125.101 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
GET
5/25/2015 12:17 PM
23 of 27
ssldump
wireshark
tcpdump
tcpdump
# tcpdump -nvvv -i any -c 2 icmp

20:11:24.627824 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
10.0.3.169 > 10.0.3.246: ICMP echo request, id 15683, seq 1, length 64
20:11:24.627926 IP (tos 0x0, ttl 64, id 31312, offset 0, flags [none], proto ICMP (1), length 84)
10.0.3.246 > 10.0.3.169: ICMP echo reply, id 15683, seq 1, length 64
5/25/2015 12:17 PM
24 of 27
# tcpdump -nvvv -i any -c 2 udp

20:12:41.726355 IP (tos 0xc0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 76)
10.0.3.246.123 > 198.55.111.50.123: [bad udp cksum 0x43a9 -> 0x7043!] NTPv4, length 48
Client, Leap indicator: clock unsynchronized (192), Stratum 2 (secondary reference), poll 6 (64s),
precision -22
Root Delay: 0.085678, Root dispersion: 57.141830, Reference-ID: 199.102.46.75
Reference Timestamp: 3622133515.811991035 (2014/10/12 20:11:55)
Originator Timestamp: 3622133553.828614115 (2014/10/12 20:12:33)
Receive Timestamp:
3622133496.748308420 (2014/10/12 20:11:36)
Transmit Timestamp:
3622133561.726278364 (2014/10/12 20:12:41)
Originator - Receive Timestamp: -57.080305658
Originator - Transmit Timestamp: +7.897664248
20:12:41.748948 IP (tos 0x0, ttl 54, id 9285, offset 0, flags [none], proto UDP (17), length 76)
198.55.111.50.123 > 10.0.3.246.123: [udp sum ok] NTPv4, length 48
Server, Leap indicator: (0), Stratum 3 (secondary reference), poll 6 (64s), precision -20
Root Delay: 0.054077, Root dispersion: 0.058944, Reference-ID: 216.229.0.50
Reference Timestamp: 3622132887.136984840 (2014/10/12 20:01:27)
Originator Timestamp: 3622133561.726278364 (2014/10/12 20:12:41)
Receive Timestamp:
3622133618.830113530 (2014/10/12 20:13:38)
Transmit Timestamp:
3622133618.830129086 (2014/10/12 20:13:38)
Originator - Receive Timestamp: +57.103835195
Originator - Transmit Timestamp: +57.103850722
tcpdump
5/25/2015 12:17 PM
25 of 27
1 Comment
anon.coder
thanks, this is also pretty good - http://danielmiessler.com/stud...
[BENJAMIN CANE]
Remote Command Execution with SaltStack
Awesome article!
Getting around the Linux directory structure with

the cd command
Doh! I totally meant to throw `cd -` in there.

I'll add it later. :)
Understanding the kill command, and how to

terminate processes in Linux
A couple of nitpicky Unixbeard

comments: I realize that this article is for Linux, but you
can greatly improve the portability of the commands you
Understanding a little more about /etc/profile and

/etc/bashrc
This is an important point and should be fixed.

Also RedHat is sourcing /etc/profile.d/*.sh in /etc/bashrc
explicitly ONLY for interactive,non-login shells as for
5/25/2015 12:17 PM
26 of 27
5/25/2015 12:17 PM
27 of 27
5/25/2015 12:17 PM

A Quick and Practical Reference For Tcpdump

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

A Quick and Practical Reference For Tcpdump

Încărcat de

Drepturi de autor:

Formate disponibile

A Quick and Practical Reference for tcpdump