Tcpdump Zero to Hero, Part1 Commands & Options

Defensive

Tcpdump Zero to Hero, Part1 Commands & Options

June 27, 2024
Tags: linux, Networks, soc, tcpdump

In this article, I will delve into one of the most indispensable tools in my networking arsenal: tcpdump. While mastering this tool entirely is a complex endeavor, understanding the basic functionalities is straightforward and can serve as a solid foundation for exploring more intricate aspects of network analysis.

This article will be divided into two parts. In this first part, I will cover the most used commands and options. The second part will focus on advanced tcpdump filtering.

Please don’t hesitate to reach out with comments, suggestions, or to report any mistakes. If something isn’t clear, let me know! I aim to regularly update this document with helpful new rules.

Unveiling the Secrets of Your Network: A Guide to tcpdump

For network administrators and security professionals, understanding the intricacies of network traffic is paramount. tcpdump emerges as a powerful tool in this realm, offering unparalleled visibility into the data packets that traverse your network.

tcpdump functions as a packet sniffer, meticulously capturing and analyzing the individual packets that constitute network communication. Imagine it as a microscopic lens, magnifying the flow of information to and from your computer. This captured data can be saved for later examination, allowing for in-depth analysis and troubleshooting.

Beyond mere capture, tcpdump possesses the remarkable ability to decipher the languages (protocols) employed by these packets. Cryptic IP addresses are transformed into readily identifiable hostnames, akin to translating a foreign text into your native tongue. This level of detail paints a clear picture of the network conversations taking place, empowering informed decision-making.

The practical applications of tcpdump are extensive:

Network Troubleshooting: When network performance suffers, tcpdump acts as a diagnostic champion. By meticulously scrutinizing traffic flow, bottlenecks or anomalous activity that impede performance can be identified and rectified.
Network Security Analysis: In the realm of network security, tcpdump plays a vital role. It allows for the detection of suspicious communication patterns, potentially revealing unauthorized access attempts or malware activity.
Network Protocol Education: For those seeking to delve into the inner workings of network communication, tcpdump serves as an invaluable educational tool. By capturing real-world traffic, users can gain firsthand insights into the protocols and processes that govern data transmission.

Unlocking the power of tcpdump is a straightforward process. Most operating systems, particularly Linux, provide readily accessible help documentation. This documentation acts as a comprehensive guide, detailing the syntax, options, and functionalities of tcpdump. To access this information, simply execute the command tcpdump --help or tcpdump -h within your terminal window.

The following sections will delve deeper into the specific commands that unleash the full potential of tcpdump, empowering you to become a network traffic master.

tcpdump --help

tcpdump -h

Running either of these commands will display a usage statement similar to the following:

Usage: tcpdump [options] [expression]
Options:
  -a              : Attempt to convert network and broadcast addresses to names
  -A              : Print each packet (minus its link level header) in ASCII
  -b              : Print the AS number in BGP packets in ASDOT notation
  -B buffer_size  : Set the operating system capture buffer size to buffer_size, in units of 1,024 bytes
  -c count        : Exit after receiving count packets
  -C file_size    : Before writing a raw packet to a savefile, check whether the file is larger than file_size and, if so, close the current savefile and open a new one
  -d              : Dump the compiled packet-matching code in a human-readable form to standard output and stop
  -dd             : Dump packet-matching code as a C program fragment
  -ddd            : Dump packet-matching code as decimal numbers (preceded with a count)
  -D              : Print the list of the network interfaces available on the system and on which tcpdump 
  can capture packets
  -e              : Print the link-level header on each dump line
  -E spi@ipaddr algo:secret
                  : Use the specified algorithm and secret for decrypting IPsec ESP packets
  -f              : Print `foreign' IPv4 addresses numerically

Understanding tcpdump’s Output

When you run tcpdump without any options to write to a file, it outputs captured packet information directly to the terminal. The default output of tcpdump provides a summary of each packet it captures as following:

16:32:41.508855 IP 192.168.1.100.57891 > 93.184.216.34.http: Flags [S], seq 3787255693, win 64240, options [mss 1460,sackOK,TS val 1924858400 ecr 0,nop,wscale 7], length 0
16:32:41.509045 IP 93.184.216.34.http > 192.168.1.100.57891: Flags [S.], seq 1978293252, ack 3787255694, win 28960, options [mss 1460,sackOK,TS val 240953111 ecr 1924858400,nop,wscale 6], length 0
16:32:41.509081 IP 192.168.1.100.57891 > 93.184.216.34.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 1924858401 ecr 240953111], length 0
16:32:41.510995 IP 192.168.1.100.57891 > 93.184.216.34.http: Flags [P.], seq 1:51, ack 1, win 502, options [nop,nop,TS val 1924858403 ecr 240953111], length 50
16:32:41.511181 IP 93.184.216.34.http > 192.168.1.100.57891: Flags [.], ack 51, win 453, options [nop,nop,TS val 240953114 ecr 1924858403], length 0
16:32:41.512340 IP 93.184.216.34.http > 192.168.1.100.57891: Flags [P.], seq 1:1461, ack 51, win 453, options [nop,nop,TS val 240953115 ecr 1924858403], length 1460
16:32:41.512370 IP 192.168.1.100.57891 > 93.184.216.34.http: Flags [.], ack 1461, win 489, options [nop,nop,TS val 1924858405 ecr 240953115], length 0

Each line of tcpdump output represents a captured network packet, providing detailed information such as:

Timestamp: When the packet was captured.
Protocol: Type of network protocol used (e.g., IP, ARP).
Source and destination addresses: IP addresses and port numbers of the sending and receiving endpoints.
TCP flags: Indicate the status of a TCP connection (e.g., SYN, ACK, FIN).
Sequence and acknowledgment numbers: Track the order of packets and acknowledgements.
Window size: The amount of data a recipient can handle.
TCP options: Additional data about the TCP connection (e.g., maximum segment size, selective acknowledgment, timestamps).
Payload length: Size of the data carried within the packet.

By examining these elements, network administrators can analyze traffic patterns, troubleshoot connection issues, and gain insights into network behavior. For example, a line with the SYN flag indicates the start of a TCP connection setup, while sequence and acknowledgment numbers help ensure correct packet delivery.

This table provides a clear and concise overview of the different fields in tcpdump’s output and their respective descriptions and example values.

Field	Description	Example Value
Timestamp	The time when the packet was captured.	16:32:41.508855
Protocol	The protocol used for the packet (e.g., IP, ARP).	IP
Source Address	The IP address and port number of the packet’s sender.	192.168.1.100.57891
Destination Address	The IP address and port number of the packet’s recipient.	93.184.216.34.http
Flags	TCP flags indicating the state of the connection (e.g., SYN, ACK, FIN, RST, PUSH).	Flags [S]
Sequence Number	The sequence number for tracking the order of packets.	seq 3787255693
Acknowledgment Number	The acknowledgment number for tracking the order of packets.	ack 3787255694
Window Size	The size of the sender’s receive window.	win 64240
Options	Various TCP options, such as Maximum Segment Size (MSS), Selective Acknowledgment (SACK), and Timestamps.	options [mss 1460,sackOK,TS val 1924858400 ecr 0]
Payload Length	The length of the packet’s payload.	length 0

Most Commonly Used tcpdump Command Parameters

Tcpdump is a versatile command-line utility employed for capturing and analyzing network packets. While offering a comprehensive set of options, a subset of parameters is particularly useful for routine network troubleshooting and analysis. This article will explore these essential parameters, providing clear explanations and practical examples to aid in their effective application:

Command Line Parameter	Explanation
-n	Don’t resolve hostnames or well-known port numbers to their service.
-r file	Specify an existing pcap file to read from instead of a network interface.
-i interface	Specify from which network interface you would like tcpdump to sniff. This generally requires administrative permissions.
-D	Display interfaces.
-w file	Specify a new pcap file to place filtered packets in.
-s snaplen	Snapshot length, or the number of bytes to capture per packet. Default is 262,144 bytes but this may vary across platforms.
-c count	Number of packets to capture before tcpdump automatically exits.
-X	Show packet contents in hexadecimal and ASCII.
-A	Prints each packet (minus its link-level header) in ASCII format.
-e	Display Ethernet header data.
-v	Display verbose output (Levels: -v, -vv. -vvv).
-G	Rotating the Output File.
-W	Limit the number of rotated files.
-B	Set the operating system capture buffer size.
-E	Encrypt the packets using ESP.
-p	Do not put the network interface into promiscuous mode.
-I	Make stdout line buffered.
-U	Print a packet immediately after it is received.
-K	Disable checksums validation.
-q	Be less verbose in the output.
-#	Display line/packet number.
expressions	Specify a Berkeley Packet Filter ( BPF ) statement to filter traffic (Soon, Part 2).

Note: Some commands needs sudo privileges to be preformed

Using tcpdump for Packet Capture and Analysis -i, -r, -w

Tcpdump’s primary function is to capture live network traffic from specified network interfaces. This captured data is invaluable for diagnosing network issues, monitoring traffic for security purposes, and investigating potential breaches. Additionally, tcpdump can save captured data into a pcap file for later analysis or share with other analysts.

For instance, to capture packets from a specific interface and save them to a file, the following command is used:

tcpdump -i eth0 -w capture.pcap

This command instructs tcpdump to capture packets from the eth0 interface and write them to a file named capture.pcap.

also, we can read a pre-capture pcap file using the following command:

tcpdump -r capture.pcap

Limiting the Number of Packets to Capture with tcpdump -c

tcpdump is a powerful tool for capturing network traffic, but sometimes you might not need everything it throws at you.The -c option comes to the rescue!

Imagine a filter for your network capture, with -c you can tell tcpdump to stop capturing packets after it reaches a specific number. This is handy for:

Keeping things manageable: Avoid generating huge files when you only need to see a short burst of activity.
Focusing on a specific event: Capture traffic related to a particular action without extra noise.

By setting a limit, you get the data you need without the information overload.

tcpdump -i eth0 -c 25

Preventing Address Name Resolution with the -n Option in tcpdump

The -n option in tcpdump is used to prevent the conversion of IP addresses and port numbers into hostnames and service names. By default, tcpdump attempts to resolve these addresses to make the output more readable, but this can introduce delays and may not always be necessary or desired.

tcpdump -i eth0 -n

Here is an output example:

Without the -n option, tcpdump might display output like this

16:32:41.508855 IP mypc.local.57891 > example.com.http: Flags [S], seq 3787255693, win 64240, options [mss 1460,sackOK,TS val 1924858400 ecr 0,nop,wscale 7], length 0

With the -n option, the same packet would be displayed without resolving the addresses:

16:32:41.508855 IP 192.168.1.100.57891 > 93.184.216.34.80: Flags [S], seq 3787255693, win 64240, options [mss 1460,sackOK,TS val 1924858400 ecr 0,nop,wscale 7], length 0

Another common option is -nn, this option prevents tcpdump from converting protocol and port numbers to names:

tcpdump -i eth0 -nn

Verbose Output With The -v Option In Tcpdump

Tcpdump is a great tool for capturing network traffic, but sometimes the basic view might not be enough. This is where the -v option, short for “verbose,” comes on stage. Adding -v to your tcpdump command unlocks a treasure trove of additional details about each packet it captures.

Imagine you’re watching a movie, and the -v option is like adding a director’s commentary. You get insights into what’s happening behind the scenes, like timestamps, flags, and protocols involved in each network exchange.

Need even more detail? tcpdump lets you crank up the verbosity by adding more vs (like -vv or -vvv). Each additional "v“adds another layer of information, useful for network experts who need to dissect every aspect of a packet.

Levels of Verbosity

Tcpdump provides different levels of verbosity to control the amount of detail in the output. Here are the levels:

Default (No -v Option)

Basic output with minimal details.
Shows source and destination IP addresses and ports, protocol, and a summary of the packet.

Single -v

Provides basic verbose output, showing additional details such as the IP header, TTL (Time to Live), and total packet length.

tcpdump -i eth0 -v

16:32:41.508855 IP (tos 0x0, ttl 64, id 45012, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.100.57891 > 93.184.216.34.http: Flags [S], seq 3787255693, win 64240, options [mss 1460,sackOK,TS val 1924858400 ecr 0,nop,wscale 7], length 0

This includes:

Type of Service (tos)
Time to Live (ttl)
Packet ID (id)
Fragment offset (offset)
Flags (DF – Don’t Fragment)
Protocol (proto)
Total length of the packet

Double -vv

Further increases verbosity, including additional details like the TCP options (MSS, SACK, etc.) and more.

tcpdump -i eth0 -vv

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:32:41.508855 IP (tos 0x0, ttl 64, id 45012, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.100.57891 > 93.184.216.34.http: Flags [S], seq 3787255693, win 64240, options [mss 1460,sackOK,TS val 1924858400 ecr 0,nop,wscale 7], length 0
        0x0000:  4500 003c afcc 4000 4006 b1e6 c0a8 0164  E..<..@.@......d
        0x0010:  5db8 d822 e1a3 0050 e1a3 96ad 0000 0000  ].."...P........
        0x0020:  a002 fff0 fe30 0000 0204 05b4 0402 080a  .....0..........
        0x0030:  72f4 12a0 0000 0000 0103 0307            r...........
16:32:41.509045 IP (tos 0x0, ttl 64, id 45013, offset 0, flags [DF], proto TCP (6), length 60)
	93.184.216.34.http > 192.168.1.100.57891: Flags [S.], seq 1978293252, ack 3787255694, win 28960, options [mss 		1460,sackOK,TS val 240953111 ecr 1924858400,nop,wscale 6], length 0
        0x0000:  4500 003c afcd 4000 4006 b1e5 5db8 d822  E..<..@.@...].."
        0x0010:  c0a8 0164 0050 e1a3 761a 30e4 e1a3 96ae  ...d.P..v.0.....
        0x0020:  a012 7120 fe30 0000 0204 05b4 0402 080a  ..q..0..........
        0x0030:  e634 3bb7 72f4 12a0 0103 0306            .4;.r.......

This output includes:

Hexadecimal and ASCII representations of the packet’s data
Detailed breakdown of the TCP header and options

Triple -vvv

Maximum verbosity, including comprehensive details about each packet, such as full decoding of various protocols, additional header information, and detailed flag settings.

tcpdump -i eth0 -vvv

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:32:41.508855 IP (tos 0x0, ttl 64, id 45012, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.100.57891 > 93.184.216.34.http: Flags [S], seq 3787255693, win 64240, options [mss 1460,sackOK,TS val 1924858400 ecr 0,nop,wscale 7], length 0
        0x0000:  4500 003c afcc 4000 4006 b1e6 c0a8 0164  E..<..@.@......d
        0x0010:  5db8 d822 e1a3 0050 e1a3 96ad 0000 0000  ].."...P........
        0x0020:  a002 fff0 fe30 0000 0204 05b4 0402 080a  .....0..........
        0x0030:  72f4 12a0 0000 0000 0103 0307            r...........
16:32:41.509045 IP (tos 0x0, ttl 64, id 45013, offset 0, flags [DF], proto TCP (6), length 60)
    93.184.216.34.http > 192.168.1.100.57891: Flags [S.], seq 1978293252, ack 3787255694, win 28960, options [mss 1460,sackOK,TS val 240953111 ecr 1924858400,nop,wscale 6], length 0
        0x0000:  4500 003c afcd 4000 4006 b1e5 5db8 d822  E..<..@.@...].."
        0x0010:  c0a8 0164 0050 e1a3 761a 30e4 e1a3 96ae  ...d.P..v.0.....
        0x0020:  a012 7120 fe30 0000 0204 05b4 0402 080a  ..q..0..........
        0x0030:  e634 3bb7 72f4 12a0 0103 0306            .4;.r.......
16:32:41.509081 IP (tos 0x0, ttl 64, id 45014, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.100.57891 > 93.184.216.34.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 1924858401 ecr 240953111], length 0
        0x0000:  4500 0034 afce 4000 4006 b1ec c0a8 0164  E..4..@.@......d
        0x0010:  5db8 d822 e1a3 0050 e1a3 96ae 761a 30e5  ].."...P....v.0.
        0x0020:  8010 01f6 fe28 0000 0101 080a 72f4 12a1  .....(......r...
        0x0030:  e634 3bb7                                .4;.

This output includes:

IP Header Information:
- Type of Service (tos): Default service (0x0).
- Time to Live (ttl): Maximum hops (64).
- Packet ID (id): Identification number (45012).
- Fragment offset: Indicates no fragmentation (0).
- Flags: Don’t Fragment ([DF]).
- Protocol (proto): TCP (protocol number 6).
- Total length: Packet length (60 bytes).
Packet Route and Flags:
- Source IP and port: 192.168.1.100.57891.
- Destination IP and port: 93.184.216.34.http (http indicating port 80).
- Flags: TCP SYN flag ([S]), indicating the start of a handshake.
- Sequence number (seq): 3787255693.
- Window size (win): Flow control size (64240).
- TCP options: MSS, SACK, Timestamps, etc.
- Payload length: Length of packet payload (0 bytes).
Hex and ASCII Representation of Packet Data:
- Hexadecimal and ASCII representation of the packet’s IP header, TCP header, and data payload.
TCP Options Details:
- MSS option: Maximum Segment Size (1460 bytes).
- SACK option: Selective Acknowledgment permitted.
- Timestamps: Value (1924858400) and Echo Reply (0).
- Window scale: Scale factor (7).

Displaying Available Interfaces with the -D Option in tcpdump

Using -D tells tcpdump to list all the available network interfaces on your system. These interfaces will have names like “eth0”, “wlan0”, etc. Think of them as different doorways to the network world.

By seeing this list, you can easily identify the specific interface you want to capture traffic from. No more guessing or searching through cryptic names! Once you have the interface name, you can use it with your tcpdump command to start capturing data from the right network connection.

tcpdump -D

1.eth0 [Up, Running]
2.lo [Up, Running, Loopback]
3.bluetooth-monitor [Bluetooth Linux Monitor]

Before starting a packet capture, you can use the -D option to determine the available interfaces and their names, this option can be usfeul to ensures that you select the correct interface for packet capturing, especially in environments with multiple network interfaces. This option simplifies the process of setting up a packet capture session, making it an essential feature for effective network analysis and troubleshooting.

Specifying Snapshot Length with the -s Option in tcpdump

The -s option in tcpdump allows you to specify the snapshot length, which is the number of bytes to capture from each packet. By default, tcpdump captures up to 262144 bytes of each packet, but you can adjust this length based on your needs. The snapshot length determines how much of the packet’s data is captured and stored.

tcpdump -i eth0 -s 128

Explanation and Practical Uses of -s option

Default Behavior:

By default, tcpdump captures up to 262144 bytes of each packet. This is usually sufficient to capture entire packets, including their payloads.

Reducing Snapshot Length:

Reducing the snapshot length can be useful when you are only interested in capturing the packet headers and not the payload. This can save storage space and reduce the amount of data you need to process.

Increasing Snapshot Length:

In some cases, you might need to capture more than the default length, especially if you are dealing with large packets. Increasing the snapshot length ensures that you capture the entire packet.

tcpdump -i eth0 -s 1024

Ofcourse we can compile -s with other options to capture with Increased Snapshot Length and get more detailed analysis

tcpdump -i eth0 -s 2048 -c 1000

Printing Packets in ASCII Format with the -A Option in tcpdump

The -A option in tcpdump is used to print each packet’s contents in ASCII format, excluding the link-level header. This is particularly useful for analyzing the payload of packets, especially when dealing with text-based protocols such as HTTP, SMTP, or DNS.

tcpdump -A -i eth0

Note: superuser privileges are required.

The output of this command will display the packet data in ASCII format, which can include HTTP headers, data, and other human-readable content transmitted over the network, and ofcourse we can filter the output.

tcpdump -A -i eth0

14:01:13.123456 IP (tos 0x0, ttl 64, id 54321, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.2.12345 > 192.168.1.1.http: Flags [S], cksum 0x1234 (correct), seq 123456789, win 65535, options [mss 1460,sackOK,TS val 123456789 ecr 0,nop,wscale 7], length 0
    ...
    GET / HTTP/1.1
    Host: www.example.com
    User-Agent: curl/7.68.0
    Accept: */*
    ...

tcpdump -A -i eth0 'tcp port 80'

Using -A option is very helpful for debugging HTTP traffic, it allows you to see the HTTP requests and responses being sent and received, providing visibility into the HTTP headers and content. This is crucial for web application debugging.

Additionally, for inspecting unencrypted traffic, tcpdump -A can directly display the data for protocols that transmit data in plain text, such as HTTP and FTP. This feature is useful for examining the actual content of these transmissions.

Lastly, for network troubleshooting, understanding the data being sent over the network helps diagnose issues related to application behavior, network performance, and security incidents. The ability to read packet contents in ASCII format aids in identifying and resolving these problems efficiently.

Analyzing Network Packets with -e option

The tcpdump command is a powerful tool for network packet analysis, and the -e option is one of its many useful features. The -e option instructs tcpdump to include the link-layer header in the output. This can provide additional information about the packet that can be crucial for certain types of network troubleshooting and analysis.

Usage of tcpdump -e

When you use tcpdump -e, it captures packets on a network interface and includes the link-layer header in the output. The link-layer header contains information specific to the data link layer, which is the layer in the OSI model that handles communication between devices on the same network segment.

tcpdump -e -i eth0

14:01:13.123456 00:1a:2b:3c:4d:5e > 00:1a:2b:3c:4d:5f, ethertype IPv4 (0x0800), length 66: 192.168.1.2.12345 > 192.168.1.1.http: Flags [S], seq 123456789, win 65535, options [mss 1460,sackOK,TS val 123456789 ecr 0,nop,wscale 7], length 0

Note: superuser privileges are required.

Use Cases

MAC Address Analysis: Including the link-layer header allows you to see the MAC addresses of the source and destination devices. This is useful for identifying devices on the same network segment and understanding the traffic flow.
Protocol Identification: The link-layer header can indicate the protocol type encapsulated in the Ethernet frame (e.g., IPv4, IPv6, ARP). This helps in analyzing different types of network traffic.
Network Troubleshooting: The additional link-layer information can be essential for diagnosing issues at the data link layer, such as problems with MAC address resolution, Ethernet frame issues, or VLAN tagging.

Capturing ARP Packets with Link-Layer Information

You can combine -e with other tcpdump options to filter the traffic more precisely. For example, to capture only ARP traffic and include the link-layer header, you can use:

Using the command sudo tcpdump -e -i eth0 arp, you can capture ARP packets on the eth0 interface and include the link-layer header information in the output. This command is useful for analyzing MAC address resolution issues and understanding ARP traffic on your network.

tcpdump -e -i eth0 arp

14:01:13.123456 00:1a:2b:3c:4d:5e > 00:1a:2b:3c:4d:5f, ethertype ARP (0x0806), length 42: arp who-has 192.168.1.1 tell 192.168.1.2

In this output:

00:1a:2b:3c:4d:5e > 00:1a:2b:3c:4d:5f shows the MAC addresses of the source and destination devices.
ethertype ARP (0x0806) indicates that the packet is an ARP packet.
length 42 specifies the length of the Ethernet frame.
The rest of the line provides details of the ARP request, showing the IP addresses involved in the ARP query.

This information can help in diagnosing issues at the data link layer, such as problems with MAC address resolution and understanding the flow of ARP traffic within your network.

Rotating Output Files with `tcpdump -G`

The -G option is used by tcpdump for the rotation of the output file based on time internals. This feature comes in very handy when doing continuous packet capture for long periods, for it usually results in huge files of output. Combine it with -G and the number of seconds; at each interval, tcpdump will create a new file.

For instance, this command: sudo tcpdump -G 3600 -w capture-%Y-%m-%d_%H:%M:%S.pcap -i eth0 creates a new capture file every hour —that is, 3600 seconds— and each file is time-stamped.

tcpdump -i eth0 -G 3600 -w capture_%Y%m%d%H%M%S.pcap

Note: superuser privileges are required.

-G 3600 will rotate the output files every 3600 seconds.
-w capture_%Y-%m-%d_%H:%M:%S.pcap—informs about the pattern of the file name with timestamping so that files are easily identifiable.
-i eth0` specifies the network interface one is listening on.

The final output file name will be like: capture_20240717143045.pcap

This helps in managing huge capture files and the analysis of network traffic is easier for long periods since the data gets divided into smaller time-stamped files, and reduce the risk of data loss.

Limiting the Number of Rotated Files with the -w Option

The -W option is used to limit the number of rotated output files. When combined with the -G option, which specifies the time interval for file rotation, the -W option helps manage disk space by ensuring that only a specified number of files are kept. Once the limit is reached, the oldest file is overwritten with new data.

tcpdump -i eth0 -G 3600 -W 10 -w capture_%Y%m%d%H%M%S.pcap

Note: superuser privileges are required.

What Happens During Execution

Initial Capture: When the command starts, tcpdump creates a file named based on the current time (e.g., capture_20240717143045.pcap).
First Rotation: After 1 hour, tcpdump closes the current file and opens a new one with the next timestamp (e.g., capture_20240717153045.pcap).
Subsequent Rotations: This process repeats every 1 hour, producing new files until 10 files have been created.
File Limit Reached: Once the limit of 10 files is reached, the oldest file is overwritten by new data.

Benefits of Using the -w Option

Disk Space Management:

Prevents disk space from being consumed indefinitely by limiting the number of capture files.
Ensures that old data is periodically purged and replaced with new data.

Automated File Management:

Automates the process of managing capture files, eliminating the need for manual deletion of old files.
Simplifies the process of long-term monitoring by keeping a rolling window of the most recent capture data.

Efficient Data Analysis:

By keeping a fixed number of recent files, you can focus on analyzing the most current data without worrying about older data consuming resources.

Practical Use Cases

Continuous Monitoring:

Ideal for scenarios where continuous network monitoring is required, but with a limit on the amount of stored data.
Example: Monitoring a web server’s network traffic to identify and respond to potential security incidents in real-time.

Resource-Constrained Environments:

Useful in environments with limited storage capacity, ensuring that capture files do not exceed available space.
Example: Capturing network traffic on a small embedded device with limited storage.

Controlling Packet Capture and Buffer with the -B Option in tcpdump

Capturing network traffic with tcpdump can be a valuable tool for network analysis. However, during periods of high network activity, the default capture buffer size might not be sufficient, leading to dropped packets and incomplete data. The -B option in tcpdump empowers you to take control of this buffer size, ensuring you capture the critical network information you need.

Imagine the capture buffer as a temporary holding area where tcpdump stores captured packets before writing them to a file or displaying them on your screen. When the buffer fills up, new packets arriving from the network can be dropped,resulting in incomplete data capture.

The -B option allows you to specify the size of this capture buffer in kilobytes (KB). By including -B followed by your desired buffer size (in KB) in your tcpdump command, you can adjust the amount of data tcpdump can hold before needing to write it out.

tcpdump -i eth0 -B 4096

Explanation and Practical Uses

Default Buffer Size:
By default, tcpdump sets a buffer size that normally is sufficient in regular capture situations. For larger and busy networks, this might prove too small, and packets may be lost.
Increasing Buffer Size:
Note that raising the buffer size can avoid packet drops in case of high traffic. This comes in very handy to avoid losing packets while capturing data from busy networks or during peak-use hours.
Reducing Buffer Size:
Sometimes, you might want to reduce the buffer size to consume less system memory; this especially holds for systems that do not have so many resources available.

Example: Keeping the buffer size at 8192 KB, or 8 MB, to keep up with heavy traffic:

tcpdump -i eth0 -B 8192

Example: To set a 1024 KB buffer size in resource-constrained settings, use the following:

tcpdump -i eth0 -B 1024

Practical Scenario

Suppose you are capturing traffic on a highly used web server. You should want to be sure there are no packets missed because of buffer overflows. You can increase the buffer size in your high volume of traffic for assurance. This example will capture packets on the eth0 interface with an increased buffer of 8192 KB, avoiding the miss of packets in heavy traffic times.

tcpdump -i eth0 -B 8192 -w high_traffic_capture.pcap

Combining with Other Options

The -B option is really useful when combined with other tcpdump options since it allows personalization of your packet capture.

Capture specific traffic with increased buffer size:

tcpdump -i eth0 -B 8192 'tcp port 80' -w http_traffic_capture.pcap

Demystifying the -E Option in tcpdump: Decrypting Secure Network Traffic

Network analysis often involves delving into the encrypted world of secure communication protocols like IPsec. While tools like tcpdump are invaluable for capturing network traffic, their ability to unveil the contents of those packets can be limited. This section explores the -E option in tcpdump and its role in decrypting IPsec traffic for deeper network analysis.

To use the -E option, include it in your tcpdump command followed by the decryption key. The key is typically provided in the format <spi>@<key>, where <spi> is the Security Parameters Index and <key> is the decryption key.

tcpdump -i eth0 -E 0x200@0xdeadbeef12345678

13:45:23.456789 IP 192.168.1.100 > 93.184.216.34: ESP(spi=0x200,seq=0x1), length 92
    IP 192.168.1.100.12345 > 93.184.216.34.80: Flags [S], seq 123456789, win 65535, options [mss 1460], length 0
13:45:23.789012 IP 192.168.1.100 > 93.184.216.34: ESP(spi=0x200,seq=0x2), length 124
    IP 192.168.1.100.12345 > 93.184.216.34.80: Flags [P.], seq 123456790, ack 123456789, win 65535, length 50
    0x0000:  4500 0034 1c46 4000 4006 b1e6 c0a8 0164  E..4.F@.@......d
    0x0010:  5db8 d822 3039 0050 1b1b a6d5 0000 0000  ]..".09.P........
    0x0020:  5018 ffff aaaa 0000 4854 5450 2f31 2e31  P.......HTTP/1.1
    0x0030:  0d0a 0d0a                                ....

ESP(spi=0x200,seq=0x1): Indicates an ESP packet with SPI 0x200 and sequence number 0x1.
length 92: Length of the encrypted packet.
IP 192.168.1.100.12345 > 93.184.216.34.80: Source and destination IP addresses and ports.
Flags [S]: TCP SYN flag, indicating the start of a TCP handshake.
seq 123456789: Sequence number.
win 65535: Window size.
options [mss 1460]: TCP options.
length 0: Payload length (0 bytes).
Decrypted HTTP Request: The decrypted payload includes an HTTP request, shown in ASCII and hexadecimal format.

-p Option and Promiscuous Mode

By default, tcpdump operates in promiscuous mode when capturing network traffic. This means the network interface captures all packets traversing the network segment, regardless of their destination. This can be useful for comprehensive traffic analysis, but it also raises privacy concerns.

The -p option allows you to disable promiscuous mode. When used with tcpdump, it instructs the network interface to only capture packets specifically addressed to the host where tcpdump is running.

Benefits of Disabling Promiscuous Mode

Reduced network overhead, promiscuous mode can increase network traffic on your machine as it processes all packets, not just those intended for it. Disabling it reduces this overhead.
Enhanced privacy, capturing all traffic on the network segment can be a privacy concern. Disabling promiscuous mode ensures tcpdump only captures traffic relevant to your host.

Drawbacks of Disabling Promiscuous Mode

Disabling promiscuous mode with the -p option means that tcpdump will only capture packets addressed to the host machine.
This can reduce the amount of captured data and focus the capture on traffic relevant to the host.
It is also useful in environments where promiscuous mode is restricted or could cause security concerns.

tcpdump -i eth0 -p 'tcp port 80' -w http_host_traffic.pcap

listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

Since the command writes the captured packets to a file (http_host_traffic.pcap), no detailed packet information is displayed in the terminal. The output indicates that tcpdump is capturing packets on the eth0 interface, listening for TCP traffic on port 80, with promiscuous mode disabled, and writing the packets to the specified file.

Using the -U Option in tcpdump: Ensuring Real-Time Packet Capture

tcpdump is a powerful tool for capturing and analyzing network traffic. By default, it employs a buffering mechanism for its output file. This means captured packets are temporarily stored in memory before being written to disk. While efficient, this buffering can introduce a slight delay in the capture process.

The -U option in tcpdump allows you to bypass this buffering strategy, offering several advantages for specific network analysis scenarios.

tcpdump -i eth0 -vv -w verbose_capture.pcap -U

Demystifying Buffering in tcpdump

Imagine a temporary holding area within tcpdump‘s memory. Captured packets are placed in this buffer until it reaches a certain size or a set time interval elapses. Once the buffer is full or the timer triggers, the accumulated packets are written to the output file. This buffering approach improves efficiency by minimizing frequent disk writes.

The Power of `-U`: Real-Time Capture and Guaranteed Writes

The -U option instructs tcpdump to write each captured packet directly to the output file after processing, effectively disabling the buffering mechanism. This offers distinct benefits:

Real-Time Analysis: With -U, captured packets are written to the output file immediately. This allows for near real-time analysis of network traffic. You can see packets appear in the output file or monitoring tool almost instantaneously, making it ideal for troubleshooting network issues or monitoring live network activity.
Guaranteed Capture: Using -U ensures that every captured packet is written to the output file without delay. This eliminates the risk of losing packets due to a full buffer or other factors that might interrupt the buffering process.This is crucial for scenarios where data integrity is paramount, such as for logging or forensic analysis.

When to Leverage -U

Consider incorporating the -U option in the following situations:

Real-Time Network Monitoring: If you need to analyze network traffic as it occurs, -U allows for near real-time visibility into packet flow. This is valuable for identifying and resolving network problems as they arise.
Critical Data Capture: When capturing sensitive information or for forensic analysis, -U ensures all packets are written immediately, minimizing the risk of data loss. This guarantees a complete record of captured network activity.

Diving into -K: Disabling Checksum Validation in tcpdump

One of its default functionalities involves checksum validation for captured packets. These checksums, often used in protocols like IP, TCP, UDP, and ICMP, act as a quick verification tool to ensure data integrity during transmission. tcpdump verifies these checksums to identify potential data corruption during capture.

The -K option in tcpdump allows you to disable this checksum validation process. While it might seem counterintuitive to bypass this check, there are specific situations where -K becomes a valuable tool.

tcpdump -i eth0 -K

13:45:23.456789 IP 192.168.1.100.12345 > 93.184.216.34.http: Flags [S], seq 123456789, win 65535, options [mss 1460], length 0
13:45:23.789012 IP 93.184.216.34.http > 192.168.1.100.12345: Flags [S.], seq 987654321, ack 123456790, win 65535, options [mss 1460], length 0

Breakdown of tcpdump Output:

This is an excellent breakdown of a captured packet using tcpdump. Here’s a deeper dive into each section:

Timestamp:

13:45:23.456789 – This represents the exact time (down to nanoseconds) when tcpdump captured the packet. This timestamp is crucial for ordering and analyzing the sequence of events within captured network traffic.

IP Header:

IP 192.168.1.100.12345 > 93.184.216.34.http – This line decodes the source and destination information from the packet’s IP header. Let’s break it down further:
- 192.168.1.100: This is the IP address of the sender (source) of the packet. In this case, it’s a device on a private network (likely a home network).
- 12345: This is the source port number on the sender’s machine. Port numbers are used to identify different applications or services running on a device. The specific meaning of port 12345 depends on the context, but it’s not commonly used.
- > (separator): This symbol indicates the direction of the packet flow.
- 93.184.216.34: This is the IP address of the receiver (destination) of the packet. It appears to be a public IP address.
- http: This likely indicates the destination port number (port 80), which is the default port for HTTP traffic.However, tcpdump might not perform full port number resolution in all cases, and “http” could be a symbolic name for port 80 configured on your system.

TCP Flags and Sequence:

Flags [S], seq 123456789, win 65535, options [mss 1460], length 0 – This line decodes important information from the packet’s TCP header:
- Flags [S]: This indicates that the SYN flag is set. The SYN flag is used during the initial handshake process to establish a TCP connection between two devices. This packet likely represents the beginning of a new TCP connection.
- seq 123456789: This is the sequence number of the packet. TCP uses sequence numbers to ensure all data segments arrive in the correct order at the receiver. This is the initial sequence number chosen by the sender for this connection.
- win 65535: This represents the window size advertised by the sender. The window size specifies the amount of data (in bytes) that the sender is prepared to receive from the other party without needing an acknowledgement. Here, 65535 signifies the maximum theoretical window size.
- options [mss 1460]: This indicates that a TCP option is present, specifying the Maximum Segment Size (MSS) of 1460 bytes. MSS is the largest amount of data that the sender is willing to include in a single TCP segment.
- length 0: This signifies that the packet has no data payload. This is because it’s only the SYN flag being sent during the initial handshake to initiate the connection.

Why Validate Checksums?

Checksums are calculated based on the packet’s header information. During transmission, the sender calculates a checksum and includes it in the packet header. The receiver performs the same calculation on the received data and compares it to the received checksum. If they match, it’s likely the data arrived intact.

tcpdump validates these checksums to catch potential errors introduced during the capture process. A mismatch might indicate corrupted data, alerting you to potential issues.

When to Use -K

While checksum validation offers a safety net, there are scenarios where -K can be beneficial:

Offloaded Network Traffic: Modern network interface cards (NICs) can offload tasks like checksum calculation from the CPU. This improves performance, but the reported checksums in captured packets might not match the original values due to offloading mechanisms. Disabling validation with -K ensures you capture the packets as they are received by the NIC, even if the checksums differ from the original calculations.
Custom Encapsulation: If you’re working with custom protocols or encapsulation methods that modify packet headers after the checksum calculation, the original checksum might become invalid. Disabling validation with -Kallows you to capture and analyze these packets without checksum mismatch errors.
Performance Optimization: In scenarios where capturing a very high volume of traffic is paramount, and checksum validation becomes a bottleneck, -K can potentially improve capture performance by eliminating the validation step. However, use this approach cautiously as it might mask actual data corruption.

Cautions and Considerations

Disabling checksum validation with -K comes with some caveats:

Missed Errors: Bypassing validation can lead you to miss genuine data corruption that might have been flagged by checksum mismatch. Use -K judiciously and only when you understand the potential implications.
Debugging Complexity: When troubleshooting network issues, checksum validation can provide valuable clues.Disabling it might make it more challenging to pinpoint the source of errors.

-q Option: Embracing Conciseness in tcpdump Output

By default, tcpdump provides a detailed breakdown of captured packets, including timestamps, IP headers, TCP headers,and potentially even data payloads. While informative, this level of detail can be overwhelming when dealing with high-volume traffic capture.

tcpdump -i eth0 -q

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:45:23.456789 IP 192.168.1.100.12345 > 93.184.216.34.80: tcp 0
13:45:23.789012 IP 93.184.216.34.80 > 192.168.1.100.12345: tcp 52

The -q option, also known as “quick” mode, addresses this by offering a more concise output format. Here’s what you can expect with -q:

Minimal Information: tcpdump will only display essential information about each captured packet. This typically includes the timestamp, source and destination IP addresses (and ports if available), and possibly a brief indication of the protocol used (e.g., TCP, UDP).
Reduced Verbosity: Gone are the detailed breakdowns of TCP flags, sequence numbers, window sizes, and other header specifics. -q focuses on the core information needed to identify the origin, destination, and nature of the network traffic.

Benefits of Using `-q`:

Improved Readability: With less detail, -q output is easier to scan through, especially when capturing a large amount of traffic.
Faster Processing: Displaying less information can improve processing speed, especially on slower machines.
Targeted Analysis: When you’re primarily interested in high-level traffic flow and don’t need intricate packet details, -q allows you to focus on the bigger picture.

When to Consider -q:

High-Volume Traffic Capture: If you’re capturing a large amount of network traffic, -q can significantly reduce the output size, making it easier to manage and analyze.
Initial Traffic Overview: When you need a quick grasp of the overall network activity, -q can provide a concise snapshot of traffic flow without getting bogged down in specifics.
Filtering in Combination: You can combine -q with filtering expressions in tcpdump to focus on specific types of traffic while maintaining a concise output format.

Make it easer to read with -#

The tcpdump -# command instructs tcpdump to capture network traffic and display an optional packet number at the beginning of each line in the output.

tcpdump -i eth0 -#

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
1  13:45:23.456789 IP 192.168.1.100.12345 > 93.184.216.34.80: Flags [S], seq 123456789, win 65535, options [mss 1460], length 0
2  13:45:23.789012 IP 93.184.216.34.80 > 192.168.1.100.12345: Flags [S.], seq 987654321, ack 123456790, win 65535, options [mss 1460], length 0
3  13:45:24.123456 IP 192.168.1.100.12345 > 93.184.216.34.80: Flags [P.], seq 123456790, ack 987654322, win 65535, length 52

References

SANS Institute. (2023). SANS SEC401: Security Essentials, Workbook 1. SANS Institute.
tcpdump offical website
- https://www.tcpdump.org/index.html#documentation
A tcpdump Tutorial with Examples, Unsupervised Learning
- https://danielmiessler.com/p/tcpdump/
tcpdump advanced filters, Sebastien Wains
- https://blog.wains.be/2007/2007-10-01-tcpdump-advanced-filters/
Wireshark, Wireshark-users: Re: [Wireshark-users) Hex Offset Needed
- https://www.wireshark.org/lists/wireshark-users/201003/msg00024.html

Share This Article