Tcpdump was originally written in 1988 by four members of the Network Research Group at Lawrence Berkeley Laboratory in California. Eleven years later, in 1999, Michael Richardson and Bill Fenner took over its organization and created the tcpdump site. Tcpdump works on all Unix-like operating systems. The Windows version of tcpdump is called WinDump and uses WinPcap, the Windows alternative to libpcap.
Install tcpdump from snap, or use your package manager:
$ sudo yum install tcpdump (CentOS/RHEL 6&7)
$ sudo dnf install tcpdump (Fedora/CentOS/RHEL 8)
Let’s see different usages and outputs as we explore tcpdump!
UDP
Tcpdump can dump UDP packets as well. We will use the netcat (nc) tool to send a UDP packet and then dump it.
In the command above, we send a UDP packet containing the string “tcpdumper” to UDP port 1337 on localhost. Tcpdump captures the packet as it is sent over UDP port 1337 and displays it.
We will now dump this packet using tcpdump.
This command will capture and show the captured data from the packets in ASCII as well as hex form.
04:39:39.072802 IP (tos 0x0, ttl 64, id 32650, offset 0, flags [DF], proto UDP (17), length 37)
localhost.54574 > localhost.1337: [bad udp cksum 0xfe24 -> 0xeac6!] UDP, length 9
0x0000: 4500 0025 7f8a 4000 4011 bd3b 7f00 0001 E..%..@.@..;....
0x0010: 7f00 0001 d52e 0539 0011 fe24 7463 7064 .......9...$tcpd
0x0020: 756d 7065 72 umper
As we can see, the packet was sent to port 1337 with a UDP payload length of 9, since the string tcpdumper is 9 bytes. The packet contents are shown in hex alongside their ASCII rendering.
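The hex dump above contains everything needed to check tcpdump's "bad udp cksum" verdict by hand. As an added example (not code from the original page), this Python script rebuilds the raw bytes from the -X lines, decodes the IPv4 and UDP headers, and recomputes the RFC 768 checksum; it assumes the whitespace-collapsed -X layout shown above, and the embedded dump is the page's own packet.

```python
import socket
import struct

# Constructed from the tcpdump -X output above: the 37-byte IPv4/UDP datagram
# carrying "tcpdumper" from localhost to UDP port 1337.
HEXDUMP = """\
0x0000: 4500 0025 7f8a 4000 4011 bd3b 7f00 0001 E..%..@.@..;....
0x0010: 7f00 0001 d52e 0539 0011 fe24 7463 7064 .......9...$tcpd
0x0020: 756d 7065 72 umper
"""
HEX = set("0123456789abcdefABCDEF")

def hexdump_to_bytes(text):
    """Rebuild raw bytes from tcpdump -X lines; the first non-hex field is the ASCII column."""
    out = bytearray()
    for line in text.splitlines():
        taken = 0                                     # a line carries at most 16 bytes
        for field in line.partition(":")[2].split():
            if taken >= 16 or len(field) not in (2, 4) or not set(field) <= HEX:
                break
            out += bytes.fromhex(field)
            taken += len(field) // 2
    return bytes(out)

def ones_complement_sum(data):
    """RFC 1071 sum of 16-bit words folded to 16 bits (odd trailing byte padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def decode_ipv4_udp(pkt):
    """Parse the IPv4 and UDP headers and recompute the UDP checksum (RFC 768)."""
    ihl, total_len = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    proto, src, dst = pkt[9], pkt[12:16], pkt[16:20]
    if proto != 17:
        raise ValueError("not a UDP datagram")
    udp = pkt[ihl:total_len]
    sport, dport, ulen, stored = struct.unpack("!HHHH", udp[:8])
    pseudo = src + dst + struct.pack("!BBH", 0, proto, ulen)
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]          # checksum field cleared
    expected = (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF or 0xFFFF
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "udp_len": ulen, "payload": udp[8:],
            "stored_cksum": stored, "expected_cksum": expected,
            # stored == pseudo-header sum alone: checksum offload left it partial
            "offload_partial": stored == ones_complement_sum(pseudo)}
```

The stored 0xfe24 equals the one's-complement sum of the pseudo-header alone, which is what the kernel leaves in the field when the checksum is offloaded; on a loopback capture a "bad udp cksum" is therefore usually this artifact rather than corruption on the wire.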
DHCP
Tcpdump can also inspect DHCP packets on the network. DHCP uses UDP ports 67 and 68, so we filter tcpdump to show only DHCP packets. Assume we are capturing on a Wi-Fi interface (wlan0).
The command used here will be:
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
03:52:04.004356 00:11:22:33:44:55 > 00:11:22:33:44:66, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl 64, id 39781, offset 0, flags [DF], proto UDP (17), length 328)
192.168.10.21.68 > 192.168.10.1.67: [udp sum ok] BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300, xid 0xfeab2d67, Flags [none] (0x0000)
Client-IP 192.168.10.16
Client-Ethernet-Address 00:11:22:33:44:55
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message (53), length 1: Release
Server-ID (54), length 4: 192.168.10.1
Hostname (12), length 6: "parrot"
END (255), length 0
PAD (0), length 0, occurs 42
DNS
DNS (Domain Name System) resolves the domain name you are looking for into its address. To inspect your device’s DNS communication over the internet, use tcpdump as follows; DNS uses UDP port 53 for communication.
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
04:23:48.516616 IP (tos 0x0, ttl 64, id 31445, offset 0, flags [DF], proto UDP (17), length 72)
192.168.10.16.45899 > one.one.one.one.domain: [udp sum ok] 20852+ A? mozilla.cloudflare-dns.com. (44)
04:23:48.551556 IP (tos 0x0, ttl 60, id 56385, offset 0, flags [DF], proto UDP (17), length 104)
one.one.one.one.domain > 192.168.10.16.45899: [udp sum ok] 20852 q: A? mozilla.cloudflare-dns.com. 2/0/0 mozilla.cloudflare-dns.com. [24s] A 104.16.249.249, mozilla.cloudflare-dns.com. [24s] A 104.16.248.249 (76)
04:23:48.648477 IP (tos 0x0, ttl 64, id 31446, offset 0, flags [DF], proto UDP (17), length 66)
192.168.10.16.34043 > one.one.one.one.domain: [udp sum ok] 40757+ PTR? 1.1.1.1.in-addr.arpa. (38)
04:23:48.688731 IP (tos 0x0, ttl 60, id 56387, offset 0, flags [DF], proto UDP (17), length 95)
one.one.one.one.domain > 192.168.10.16.34043: [udp sum ok] 40757 q: PTR? 1.1.1.1.in-addr.arpa. 1/0/0 1.1.1.1.in-addr.arpa. [26m53s] PTR one.one.one.one. (67)
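The -v output above gives one line per query and one per response, keyed by the transaction id. As an added example (not from the original page), this Python parser pairs each query with its response, extracts the answer records and TTLs, and flags a reply that answers no observed query or arrives from a server other than the one asked; it assumes the -v line layout shown above, and the last sample line (from 10.0.0.9) is a constructed reply added to exercise that check.

```python
import re

# Constructed sample: the DNS lines from the tcpdump -v output above, plus one
# constructed reply (from 10.0.0.9, not on the original page) that answers a
# transaction id nobody asked about.
SAMPLE = """\
192.168.10.16.45899 > one.one.one.one.domain: [udp sum ok] 20852+ A? mozilla.cloudflare-dns.com. (44)
one.one.one.one.domain > 192.168.10.16.45899: [udp sum ok] 20852 q: A? mozilla.cloudflare-dns.com. 2/0/0 mozilla.cloudflare-dns.com. [24s] A 104.16.249.249, mozilla.cloudflare-dns.com. [24s] A 104.16.248.249 (76)
192.168.10.16.34043 > one.one.one.one.domain: [udp sum ok] 40757+ PTR? 1.1.1.1.in-addr.arpa. (38)
one.one.one.one.domain > 192.168.10.16.34043: [udp sum ok] 40757 q: PTR? 1.1.1.1.in-addr.arpa. 1/0/0 1.1.1.1.in-addr.arpa. [26m53s] PTR one.one.one.one. (67)
10.0.0.9.domain > 192.168.10.16.45899: [udp sum ok] 20852 q: A? mozilla.cloudflare-dns.com. 1/0/0 mozilla.cloudflare-dns.com. [60s] A 203.0.113.5 (60)
"""

# Shared prefix: optional leading tokens, endpoints, optional checksum note, txid and flags.
HEAD = (r"^(?:.*? )?(?P<src>\S+) > (?P<dst>\S+): (?:\[[^\]]*\] )?"
        r"(?P<id>\d+)(?P<flags>[^\s\d]*) ")
QUERY = re.compile(HEAD + r"(?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$")
RESPONSE = re.compile(HEAD + r"q: (?P<qtype>[A-Z]+)\? (?P<qname>\S+) "
                      r"(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+) ?(?P<rrs>.*?) ?\(\d+\)$")
RR = re.compile(r"(?P<name>\S+) \[(?P<ttl>[^\]]+)\] (?P<type>[A-Z]+) (?P<rdata>[^\s,]+)")

def parse_dns(text):
    """Pair queries with responses by (txid, name); flag replies that match no
    outstanding query or come from a server other than the one that was asked."""
    pending, records = {}, []
    for line in text.splitlines():
        q = QUERY.match(line)
        if q:
            pending[(q["id"], q["qname"])] = q.groupdict()
            continue
        r = RESPONSE.match(line)
        if not r:
            continue
        q = pending.pop((r["id"], r["qname"]), None)
        records.append({
            "id": int(r["id"]), "qname": r["qname"], "qtype": r["qtype"],
            "answers": [(m["type"], m["rdata"], m["ttl"]) for m in RR.finditer(r["rrs"])],
            "server": r["src"],
            "suspicious": q is None or q["dst"] != r["src"] or q["src"] != r["dst"],
        })
    unanswered = sorted(v["qname"] for v in pending.values())
    return records, unanswered
```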
ARP
Address Resolution Protocol (ARP) discovers the link-layer address (such as a MAC address) associated with a given internet-layer address, typically an IPv4 address.
We use tcpdump to capture and read the data carried in ARP packets. The command is as simple as:
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
03:44:12.023668 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.10.1 tell 192.168.10.2, length 28
03:44:17.140259 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.10.21 tell 192.168.10.1, length 28
03:44:17.140276 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.10.21 is-at 00:11:22:33:44:55 (oui Unknown), length 28
03:44:42.026393 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.10.1 tell 192.168.10.2, length 28
ICMP
ICMP (Internet Control Message Protocol) is a supporting protocol in the Internet protocol suite, used for informational and error messages.
To view all the ICMP packets on an interface, we can use this command:
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
04:26:42.123902 IP (tos 0x0, ttl 64, id 14831, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.10.16 > 192.168.10.1: ICMP echo request, id 47363, seq 1, length 64
04:26:42.128429 IP (tos 0x0, ttl 64, id 32915, offset 0, flags [none], proto ICMP (1), length 84)
192.168.10.1 > 192.168.10.16: ICMP echo reply, id 47363, seq 1, length 64
04:26:43.125599 IP (tos 0x0, ttl 64, id 14888, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.10.16 > 192.168.10.1: ICMP echo request, id 47363, seq 2, length 64
04:26:43.128055 IP (tos 0x0, ttl 64, id 32916, offset 0, flags [none], proto ICMP (1), length 84)
192.168.10.1 > 192.168.10.16: ICMP echo reply, id 47363, seq 2, length 64
NTP
NTP is a networking protocol designed specifically to synchronize the clocks of machines across a network. To capture NTP traffic:
04:31:05.547856 IP (tos 0x0, ttl 64, id 34474, offset 0, flags [DF], proto UDP (17), length 76)
192.168.10.16.ntp > time-b-wwv.nist.gov.ntp: [udp sum ok] NTPv4, Client, length 48
Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 3 (8s), precision -6
Root Delay: 1.000000, Root dispersion: 1.000000, Reference-ID: (unspec)
Reference Timestamp: 0.000000000
Originator Timestamp: 0.000000000
Receive Timestamp: 0.000000000
Transmit Timestamp: 3825358265.547764155 (2021-03-21T23:31:05Z)
Originator - Receive Timestamp: 0.000000000
Originator - Transmit Timestamp: 3825358265.547764155 (2021-03-21T23:31:05Z)
04:31:05.841696 IP (tos 0x0, ttl 56, id 234, offset 0, flags [none], proto UDP (17), length 76)
time-b-wwv.nist.gov.ntp > 192.168.10.16.ntp: [udp sum ok] NTPv3, Server, length 48
Leap indicator: (0), Stratum 1 (primary reference), poll 13 (8192s), precision -29
Root Delay: 0.000244, Root dispersion: 0.000488, Reference-ID: NIST
Reference Timestamp: 3825358208.000000000 (2021-03-21T23:30:08Z)
Originator Timestamp: 3825358265.547764155 (2021-03-21T23:31:05Z)
Receive Timestamp: 3825358275.028660181 (2021-03-21T23:31:15Z)
Transmit Timestamp: 3825358275.028661296 (2021-03-21T23:31:15Z)
Originator - Receive Timestamp: +9.480896026
Originator - Transmit Timestamp: +9.480897141
SMTP
SMTP (Simple Mail Transfer Protocol) is the protocol used to send email. Tcpdump can capture it to extract useful email information, for example the recipient and sender addresses:
IPv6
IPv6 is the “next generation” of IP, providing a vastly larger range of IP addresses and helping secure the long-term health of the Internet.
To capture IPv6 traffic, use the ip6 filter; TCP and UDP can be selected with proto 6 and proto 17 respectively.
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
04:34:31.847359 lo In IP6 (flowlabel 0xc7cb6, hlim 64, next-header UDP (17) payload length: 40) ::1.49395 > ::1.49395: [bad udp cksum 0x003b -> 0x3587!] UDP, length 32
04:34:31.859082 lo In IP6 (flowlabel 0xc7cb6, hlim 64, next-header UDP (17) payload length: 32) ::1.49395 > ::1.49395: [bad udp cksum 0x0033 -> 0xeaef!] UDP, length 24
04:34:31.860361 lo In IP6 (flowlabel 0xc7cb6, hlim 64, next-header UDP (17) payload length: 40) ::1.49395 > ::1.49395: [bad udp cksum 0x003b -> 0x7267!] UDP, length 32
04:34:31.871100 lo In IP6 (flowlabel 0xc7cb6, hlim 64, next-header UDP (17) payload length: 944) ::1.49395 > ::1.49395: [bad udp cksum 0x03c3 -> 0xf890!] UDP, length 936
4 packets captured
12 packets received by filter
0 packets dropped by kernel
The ‘-c 4’ option limits the capture to 4 packets. In general, ‘-c n’ captures n packets and then exits.
HTTP
Hypertext Transfer Protocol (HTTP) is used to transfer data from a web server to a browser to display web pages. HTTP communicates over TCP, by default on port 80.
To print all IPv4 HTTP packets to and from port 80:
03:36:00.602104 IP (tos 0x0, ttl 64, id 722, offset 0, flags [DF], proto TCP (6), length 60)
192.168.10.21.33586 > 192.168.10.1.http: Flags [S], cksum 0xa22b (correct), seq 2736960993, win 64240, options [mss 1460,sackOK,TS val 389882294 ecr 0,nop,wscale 10], length 0
03:36:00.604830 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.10.1.http > 192.168.10.21.33586: Flags [S.], cksum 0x2dcc (correct), seq 4089727666, ack 2736960994, win 14480, options [mss 1460,sackOK,TS val 30996070 ecr 389882294,nop,wscale 3], length 0
03:36:00.604893 IP (tos 0x0, ttl 64, id 723, offset 0, flags [DF], proto TCP (6), length 52)
192.168.10.21.33586 > 192.168.10.1.http: Flags [.], cksum 0x94e2 (correct), seq 1, ack 1, win 63, options [nop,nop,TS val 389882297 ecr 30996070], length 0
03:36:00.605054 IP (tos 0x0, ttl 64, id 724, offset 0, flags [DF], proto TCP (6), length 481)
HTTP Requests…
GET / HTTP/1.1
Host: 192.168.10.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Cookie: _TESTCOOKIESUPPORT=1; SID=c7ccfa31cfe06065717d24fb544a5cd588760f0cdc5ae2739e746f84c469b5fd
Upgrade-Insecure-Requests: 1
Responses are captured too:
HTTP/1.1 200 OK
Server: ZTE web server 1.0 ZTE corp 2015.
Accept-Ranges: bytes
Connection: close
X-Frame-Options: SAMEORIGIN
Cache-Control: no-cache,no-store
Content-Length: 138098
Set-Cookie: _TESTCOOKIESUPPORT=1; PATH=/; HttpOnly
Content-Type: text/html; charset=utf-8
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self' 'unsafe-inline' 'unsafe-eval';img-src 'self' data:;
X-XSS-Protection: 1; mode=block
Set-Cookie: SID=;expires=Thu, 01-Jan-1970 00:00:00 GMT;path=/; HttpOnly
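A capture like the one above is also a quick way to audit how a web application handles its session over plaintext HTTP. As an added example (not code from the original page), this Python audit parses the captured request and response header blocks and reports the session cookie crossing the wire in cleartext, Set-Cookie lines without the Secure flag, and 'unsafe-*' keywords in the Content-Security-Policy; the header blocks are constructed from the capture above, trimmed to the headers the audit examines.

```python
import re

# Constructed from the request and response headers captured above
# (trimmed to the headers the audit looks at; bodies omitted).
REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: 192.168.10.1\r\n"
    "Cookie: _TESTCOOKIESUPPORT=1; SID=c7ccfa31cfe06065717d24fb544a5cd588760f0cdc5ae2739e746f84c469b5fd\r\n"
    "Upgrade-Insecure-Requests: 1\r\n\r\n"
)
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: _TESTCOOKIESUPPORT=1; PATH=/; HttpOnly\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: frame-ancestors 'self' 'unsafe-inline' 'unsafe-eval';img-src 'self' data:;\r\n"
    "Set-Cookie: SID=;expires=Thu, 01-Jan-1970 00:00:00 GMT;path=/; HttpOnly\r\n\r\n"
)

def parse_headers(block):
    """Split an HTTP header block into (start line, [(lowercase name, value), ...])."""
    lines = block.split("\r\n\r\n", 1)[0].split("\r\n")
    pairs = [line.split(":", 1) for line in lines[1:] if ":" in line]
    return lines[0], [(n.strip().lower(), v.strip()) for n, v in pairs]

def audit_plaintext_http(request, response, min_token_len=16):
    """Report session-handling weaknesses visible in a captured port-80 exchange."""
    findings = []
    _, req = parse_headers(request)
    for name, value in req:
        if name != "cookie":
            continue
        for cookie in value.split(";"):
            k, _, v = cookie.strip().partition("=")
            if len(v) >= min_token_len:               # long opaque value: likely a session token
                findings.append(f"cookie {k} ({len(v)} chars) sent in cleartext")
    _, resp = parse_headers(response)
    for name, value in resp:
        if name == "set-cookie":
            attrs = [a.strip().lower() for a in value.split(";")]
            k = value.split(";", 1)[0].split("=", 1)[0].strip()
            for flag in ("Secure", "HttpOnly"):
                if flag.lower() not in attrs:
                    findings.append(f"Set-Cookie {k} lacks {flag}")
        elif name == "content-security-policy":
            weak = sorted(set(re.findall(r"'unsafe-(?:inline|eval)'", value)))
            if weak:
                findings.append("CSP contains " + ", ".join(weak))
    return findings
```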
TCP
To capture only TCP packets, use:
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
04:35:48.892037 IP (tos 0x0, ttl 60, id 23987, offset 0, flags [none], proto TCP (6), length 104)
tl-in-f189.1e100.net.https > 192.168.10.16.50272: Flags [P.], cksum 0xc924 (correct), seq 1377740065:1377740117, ack 1546363399, win 300, options [nop,nop,TS val 13149401 ecr 3051434098], length 52
04:35:48.892080 IP (tos 0x0, ttl 64, id 20577, offset 0, flags [DF], proto TCP (6), length 52)
192.168.10.16.50272 > tl-in-f189.1e100.net.https: Flags [.], cksum 0xf898 (correct), seq 1, ack 52, win 63, options [nop,nop,TS val 3051461952 ecr 13149401], length 0
04:35:50.199754 IP (tos 0x0, ttl 64, id 20578, offset 0, flags [DF], proto TCP (6), length 88)
192.168.10.16.50272 > tl-in-f189.1e100.net.https: Flags [P.], cksum 0x2531 (correct), seq 1:37, ack 52, win 63, options [nop,nop,TS val 3051463260 ecr 13149401], length 36
04:35:50.199809 IP (tos 0x0, ttl 64, id 7014, offset 0, flags [DF], proto TCP (6), length 88)
192.168.10.16.50434 > hkg12s18-in-f14.1e100.net.https: Flags [P.], cksum 0xb21e (correct), seq 328391782:328391818, ack 3599854191, win 63, options [nop,nop,TS val 3656137742 ecr 2564108387], length 36
4 packets captured
4 packets received by filter
0 packets dropped by kernel
Normally a TCP capture produces a lot of traffic; you can narrow it by adding filters to the capture, such as:
- Port: specifies the port to monitor.
- Source IP: shows only packets from a specified source.
- Destination IP: shows only packets to a specified destination.
Saving packet capture into files
To save a packet capture for later analysis, use tcpdump’s -w option, which takes a filename. The file is written in pcap (packet capture) format, which can be stored, shared, and read by other tools.
For example:
Filters can be added so that only TCP, UDP, or ICMP packets, for example, are saved.
Reading packet capture from files
The saved file is binary, so reading it with common commands like cat produces gibberish and tells you little about its contents. The ‘-r’ option reads packets saved in a .pcap file, written earlier with ‘-w’ or by other software that stores pcaps:
This prints the data collected from captured packets on the terminal screen in a readable format.
Tcpdump cheatsheet
Tcpdump can be combined with other Linux commands such as grep and sed to extract useful information. Here are some useful combinations and keywords for use with tcpdump to get valuable information.
Extract HTTP User Agents:
The URLs requested over HTTP can be monitored using tcpdump such as:
HTTP passwords in POST requests can also be extracted:
Server- or client-side cookies can be extracted using:
Capture DNS requests and responses by using:
Print all plain text passwords:
Common Tcpdump filters
- -A Print each packet in ASCII.
- -c <count> Number of packets to capture before exiting.
- --count Print only the packet count when reading a capture file.
- -e Print MAC addresses and link-level headers.
- -h or --help Print version and usage information.
- --version Print the version information only.
- -i <interface> Specify the network interface to capture on.
- -K Don’t attempt to verify IP, TCP, and UDP checksums; faster.
- -m <module> Load SMI MIB module definitions from the given file.
- -n Don’t convert addresses (host addresses, port numbers, etc.) to names.
- --number Print a packet number at the beginning of each line.
- -p Don’t put the interface into promiscuous mode.
- -Q <direction> Choose the direction of packets to capture: in, out, or inout.
- -q Quiet/quick output: print less protocol information, so lines are shorter.
- -r <file> Read packets from a pcap file.
- -t Don’t print a timestamp on each dump line.
- -v Print more verbose output.
- -w <file> Write the raw packets to a file.
- -x Print each packet in hex.
- -X Print each packet in hex and ASCII.
- --list-interfaces List all the network interfaces tcpdump can capture on.
Cessation
Tcpdump has been a very widely used tool in security and networking research and applications. Its only drawback is that it has no GUI, but it is too good to be kept out of the top charts. As Daniel Miessler writes, “Protocol Analyzers like Wireshark is great, but if you want to truly master packet-fu, you must become one with tcpdump first.”