TCPDUMP Beginner Guide

Tcpdump is a free and open-source wireless data-network packet analyzer that works on the command-line interface. It is the most commonly used CLI tool to analyze network traffic. Tcpdump allows users to see, read, or capture network traffic transmitted over a network attached to the computer. It is useful in System Administration, Monitoring Network Traffic (for issues or otherwise).

Originally, it was written in 1988 by four Network Research Group workers at Lawrence Berkeley Laboratory in California. It was organized eleven years later by Micheal Richardson and Bill Fenner in 1999, who created the tcpdump site. Tcpdump works on all Unix-like operating systems. The windows version of Tcpdump is called WinDump and uses WinPcap, the windows alternative for libpcap.

Use the snap to install tcpdump:

$ sudo snap install tcpdump

Use your package manager to install tcpdump:

$ sudo apt-get install tcpdump (Debian/Ubuntu)
$ sudo dnf install tcpdump (CentOS/RHEL 6&7)
$ sudo yum install tcpdump (Fedora/CentOS/RHEL 8)

Let's see different usages and outputs as we explore tcpdump!

UDP

Tcpdump can dump UDP packets as well. We will use a netcat (nc) tool to send a UDP packet and then dump it.

$ echo -n "tcpdumper" | nc -w 1 -u localhost 1337

In the above-given command, we send a UDP packet consisting of the string “tcpdumper” to the UDP port 1337 via localhost. Tcpdump captures the packet being sent over UDP port 1337 and will display it.

We will now dump this packet using tcpdump.

$ sudo tcpdump -i lo udp port 1337 -vvv -X

This command will capture and show the captured data from the packets in ASCII as well as hex form.

tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
04:39:39.072802 IP (tos 0x0, ttl 64, id 32650, offset 0, flags [DF], proto UDP (17), length 37)
localhost.54574 > localhost.1337: [bad udp cksum 0xfe24 -> 0xeac6!] UDP, length 9
0x0000: 4500 0025 7f8a 4000 4011 bd3b 7f00 0001 E… %… @.@… ;…
0x0010: 7f00 0001 d52e 0539 0011 fe24 7463 7064… 9… $tcpd
0x0020: 756d 7065 72 umper

As we can see, the packet was sent to port 1337, and the length was 9 as the string tcpdumper is 9 bytes. We can also see that the packet has been displayed in hex format.

DHCP

Tcpdump can also carry out investigations on DHCP packets over the network. DHCP uses UDP port no 67 or 68, so we will define and limit tcpdump for only DHCP packets. Assume we are using a wifi network interface.
The command used here will be:

$ sudo tcpdump -i wlan0 port 67 or port 68 -e -n -vvv
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
03:52:04.004356 00:11:22:33:44:55 > 00:11:22:33:44:66, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl 64, id 39781, offset 0, flags [DF], proto UDP (17), length 328)
192.168.10.21.68 > 192.168.10.1.67: [udp sum ok] BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300, xid 0xfeab2d67, Flags [none] (0x0000)
Client-IP 192.168.10.16
Client-Ethernet-Address 00:11:22:33:44:55
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message (53), length 1: Release
Server-ID (54), length 4: 192.168.10.1
Hostname (12), length 6: "parrot"
END (255), length 0
PAD (0), length 0, occurs 42

DNS

DNS, also known as Domain Name System, confirms to provide you with what you are looking for by matching the Domain name with the domain address. To inspect your device's DNS level communication over the internet, you can use tcpdump in the following way. DNS uses UDP port 53 for communication.

$ sudo tcpdump -i wlan0 udp port 53
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
04:23:48.516616 IP (tos 0x0, ttl 64, id 31445, offset 0, flags [DF], proto UDP (17), length 72)
192.168.10.16.45899 > one.one.one.one.domain: [udp sum ok] 20852+ A? mozilla.cloudflare-dns.com. (44)
04:23:48.551556 IP (tos 0x0, ttl 60, id 56385, offset 0, flags [DF], proto UDP (17), length 104)
one.one.one.one.domain > 192.168.10.16.45899: [udp sum ok] 20852 q: A? mozilla.cloudflare-dns.com. 2/0/0 mozilla.cloudflare-dns.com. [24s] A 104.16.249.249, mozilla.cloudflare-dns.com. [24s] A 104.16.248.249 (76)
04:23:48.648477 IP (tos 0x0, ttl 64, id 31446, offset 0, flags [DF], proto UDP (17), length 66)
192.168.10.16.34043 > one.one.one.one.domain: [udp sum ok] 40757+ PTR? 1.1.1.1.in-addr.arpa. (38)
04:23:48.688731 IP (tos 0x0, ttl 60, id 56387, offset 0, flags [DF], proto UDP (17), length 95)
one.one.one.one.domain > 192.168.10.16.34043: [udp sum ok] 40757 q: PTR? 1.1.1.1.in-addr.arpa. 1/0/0 1.1.1.1.in-addr.arpa. [26m53s] PTR one.one.one.one. (67)

ARP

Address Resolution Protocol is used for discovering the link-layer address, such as a MAC address. It is associated with a given internet layer address, typically an IPv4 address.

We are using tcpdump to capture and read the data carried in the arp packets. The command is as simple as:

$ sudo tcpdump -i wlan0 arp -vvv
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
03:44:12.023668 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.10.1 tell 192.168.10.2, length 28
03:44:17.140259 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.10.21 tell 192.168.10.1, length 28
03:44:17.140276 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.10.21 is-at 00:11:22:33:44:55 (oui Unknown), length 28
03:44:42.026393 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.10.1 tell 192.168.10.2, length 28

ICMP

ICMP, also known as the Internet Control Message Protocol, is a supporting protocol in the Internet protocol suite. ICMP is used as an informational protocol.

To view all the ICMP packets on an interface, we can use this command:

$ sudo tcpdump icmp -vvv
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
04:26:42.123902 IP (tos 0x0, ttl 64, id 14831, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.10.16 > 192.168.10.1: ICMP echo request, id 47363, seq 1, length 64
04:26:42.128429 IP (tos 0x0, ttl 64, id 32915, offset 0, flags [none], proto ICMP (1), length 84)
192.168.10.1 > 192.168.10.16: ICMP echo reply, id 47363, seq 1, length 64
04:26:43.125599 IP (tos 0x0, ttl 64, id 14888, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.10.16 > 192.168.10.1: ICMP echo request, id 47363, seq 2, length 64
04:26:43.128055 IP (tos 0x0, ttl 64, id 32916, offset 0, flags [none], proto ICMP (1), length 84)
192.168.10.1 > 192.168.10.16: ICMP echo reply, id 47363, seq 2, length 64

NTP

NTP is a networking protocol designed specifically to synchronize the time on a network of machines. To capture traffic on ntp:

$ sudo tcpdump dst port 123
04:31:05.547856 IP (tos 0x0, ttl 64, id 34474, offset 0, flags [DF], proto UDP (17), length 76)
192.168.10.16.ntp > time-b-wwv.nist.gov.ntp: [udp sum ok] NTPv4, Client, length 48
Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 3 (8s), precision -6
Root Delay: 1.000000, Root dispersion: 1.000000, Reference-ID: (unspec)
Reference Timestamp: 0.000000000
Originator Timestamp: 0.000000000
Receive Timestamp: 0.000000000
Transmit Timestamp: 3825358265.547764155 (2021-03-21T23:31:05Z)
Originator - Receive Timestamp: 0.000000000
Originator - Transmit Timestamp: 3825358265.547764155 (2021-03-21T23:31:05Z)
04:31:05.841696 IP (tos 0x0, ttl 56, id 234, offset 0, flags [none], proto UDP (17), length 76)
time-b-wwv.nist.gov.ntp > 192.168.10.16.ntp: [udp sum ok] NTPv3, Server, length 48
Leap indicator: (0), Stratum 1 (primary reference), poll 13 (8192s), precision -29
Root Delay: 0.000244, Root dispersion: 0.000488, Reference-ID: NIST
Reference Timestamp: 3825358208.000000000 (2021-03-21T23:30:08Z)
Originator Timestamp: 3825358265.547764155 (2021-03-21T23:31:05Z)
Receive Timestamp: 3825358275.028660181 (2021-03-21T23:31:15Z)
Transmit Timestamp: 3825358275.028661296 (2021-03-21T23:31:15Z)
Originator - Receive Timestamp: +9.480896026
Originator - Transmit Timestamp: +9.480897141

SMTP

SMTP or Simple Mail Transfer Protocol is mainly used for emails. Tcpdump can use this to extract useful email information. For example, to extract email recipients/senders:

$ sudo tcpdump -n -l port 25 | grep -i 'MAIL FROM\|RCPT TO'

IPv6

IPv6 is the “next generation” of IP, providing a wide range of IP addresses. IPv6 helps achieve the long-term health of the Internet.

To capture IPv6 traffic, use the ip6 filter specifying the TCP and UDP protocols using proto 6 and proto-17.

$ sudo tcpdump -n -i any ip6 -vvv
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
04:34:31.847359 lo In IP6 (flowlabel 0xc7cb6, hlim 64, next-header UDP (17) payload length: 40) ::1.49395 > ::1.49395: [bad udp cksum 0x003b -> 0x3587!] UDP, length 32
04:34:31.859082 lo In IP6 (flowlabel 0xc7cb6, hlim 64, next-header UDP (17) payload length: 32) ::1.49395 > ::1.49395: [bad udp cksum 0x0033 -> 0xeaef!] UDP, length 24
04:34:31.860361 lo In IP6 (flowlabel 0xc7cb6, hlim 64, next-header UDP (17) payload length: 40) ::1.49395 > ::1.49395: [bad udp cksum 0x003b -> 0x7267!] UDP, length 32
04:34:31.871100 lo In IP6 (flowlabel 0xc7cb6, hlim 64, next-header UDP (17) payload length: 944) ::1.49395 > ::1.49395: [bad udp cksum 0x03c3 -> 0xf890!] UDP, length 936
4 packets captured
12 packets received by filter
0 packets dropped by kernel

The '-c 4' provides a packet count of up to 4 packets only. We can specify the number of packets to n and capture n packets.

HTTP

Hypertext Transfer Protocol is used for transferring data from a web server to a browser to view web pages. HTTP uses TCP form communication. Specifically, TCP port 80 is used.

To print all IPv4 HTTP packets to and from port 80:

tcpdump: listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
03:36:00.602104 IP (tos 0x0, ttl 64, id 722, offset 0, flags [DF], proto TCP (6), length 60)
192.168.10.21.33586 > 192.168.10.1.http: Flags [S], cksum 0xa22b (correct), seq 2736960993, win 64240, options [mss 1460,sackOK,TS val 389882294 ecr 0,nop,wscale 10], length 0
03:36:00.604830 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.10.1.http > 192.168.10.21.33586: Flags [S.], cksum 0x2dcc (correct), seq 4089727666, ack 2736960994, win 14480, options [mss 1460,sackOK,TS val 30996070 ecr 389882294,nop,wscale 3], length 0
03:36:00.604893 IP (tos 0x0, ttl 64, id 723, offset 0, flags [DF], proto TCP (6), length 52)
192.168.10.21.33586 > 192.168.10.1.http: Flags [.], cksum 0x94e2 (correct), seq 1, ack 1, win 63, options [nop,nop,TS val 389882297 ecr 30996070], length 0
03:36:00.605054 IP (tos 0x0, ttl 64, id 724, offset 0, flags [DF], proto TCP (6), length 481)

HTTP Requests…

192.168.10.21.33586 > 192.168.10.1.http: Flags [P.], cksum 0x9e5d (correct), seq 1:430, ack 1, win 63, options [nop,nop,TS val 389882297 ecr 30996070], length 429: HTTP, length: 429
GET / HTTP/1.1
Host: 192.168.10.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Cookie: _TESTCOOKIESUPPORT=1; SID=c7ccfa31cfe06065717d24fb544a5cd588760f0cdc5ae2739e746f84c469b5fd
Upgrade-Insecure-Requests: 1

And responses are captured too

192.168.10.1.http > 192.168.10.21.33586: Flags [P.], cksum 0x84f8 (correct), seq 1:523, ack 430, win 1944, options [nop,nop,TS val 30996179 ecr 389882297], length 522: HTTP, length: 522
HTTP/1.1 200 OK
Server: ZTE web server 1.0 ZTE corp 2015.
Accept-Ranges: bytes
Connection: close
X-Frame-Options: SAMEORIGIN
Cache-Control: no-cache,no-store
Content-Length: 138098
Set-Cookie: _TESTCOOKIESUPPORT=1; PATH=/; HttpOnly
Content-Type: text/html; charset=utf-8
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self' 'unsafe-inline' 'unsafe-eval';img-src 'self' data:;
X-XSS-Protection: 1; mode=block
Set-Cookie: SID=;expires=Thu, 01-Jan-1970 00:00:00 GMT;path=/; HttpOnly

TCP

To capture TCP-only packets, this command will do all the good:

$ sudo tcpdump -i wlan0 tcp
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
04:35:48.892037 IP (tos 0x0, ttl 60, id 23987, offset 0, flags [none], proto TCP (6), length 104)
tl-in-f189.1e100.net.https > 192.168.10.16.50272: Flags [P.], cksum 0xc924 (correct), seq 1377740065:1377740117, ack 1546363399, win 300, options [nop,nop,TS val 13149401 ecr 3051434098], length 52
04:35:48.892080 IP (tos 0x0, ttl 64, id 20577, offset 0, flags [DF], proto TCP (6), length 52)
192.168.10.16.50272 > tl-in-f189.1e100.net.https: Flags [.], cksum 0xf898 (correct), seq 1, ack 52, win 63, options [nop,nop,TS val 3051461952 ecr 13149401], length 0
04:35:50.199754 IP (tos 0x0, ttl 64, id 20578, offset 0, flags [DF], proto TCP (6), length 88)
192.168.10.16.50272 > tl-in-f189.1e100.net.https: Flags [P.], cksum 0x2531 (correct), seq 1:37, ack 52, win 63, options [nop,nop,TS val 3051463260 ecr 13149401], length 36
04:35:50.199809 IP (tos 0x0, ttl 64, id 7014, offset 0, flags [DF], proto TCP (6), length 88)
192.168.10.16.50434 > hkg12s18-in-f14.1e100.net.https: Flags [P.], cksum 0xb21e (correct), seq 328391782:328391818, ack 3599854191, win 63, options [nop,nop,TS val 3656137742 ecr 2564108387], length 36
4 packets captured
4 packets received by filter
0 packets dropped by kernel

Normally TCP packet capture results in a lot of traffic; you can specify in detail your requirements by adding filters to the capture, such as:

Port
Specifies the port to monitor

$ sudo tcpdump -i wlan0 tcp port 2222

Source IP
To view packets from a specified source

$ sudo tcpdump -i wlan0 tcp src 192.168.10.2

Destination IP
To view packets to a specified destination

$ sudo tcpdump -i wlan0 tcp dst 192.168.10.2

Saving packet capture into files

To save the packet capture for doing analysis later, we can use the -w option of tcpdump that requires a filename parameter. These files are saved in a pcap (packet capture) file format, which can be used to save or send packet captures.

For example:

$ sudo tcpdump -w /captured.pcap

We can add filters as to if we want to capture TCP, UDP, or ICMP packets, etc.

Reading packet capture from files

Unfortunately, you cannot read the saved file via common 'read file' commands like cat, etc. The output is all but gibberish, and it is hard to tell what is in the file. '-r' is used to read the packets saved in the .pcap file, stored earlier by '-w' or other software storing pcaps:

$ sudo tcpdump -r /outputs.pcap

This prints the data collected from captured packets on the terminal screen in a readable format.

Tcpdump cheatsheet

Tcpdump can be used with other Linux commands such as grep, sed, etc., to extract useful information. Here are some useful combinations and keywords amalgamated in use with tcpdump to get valuable information.

Extract HTTP User Agents:

$ sudo tcpdump -n | grep "User-Agent:"

The URLs requested over HTTP can be monitored using tcpdump such as:

$ sudo tcpdump -v -n | egrep -i "POST / |GET / |Host:"

You can also Extract HTTP Passwords in POST Requests

$ sudo tcpdump -nn -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"

Server or Client-side cookies can be extracted using:

$ sudo tcpdump -n | egrep -i 'Set-Cookie|Host:|Cookie:'

Capture DNS requests and responses by using:

$ sudo tcpdump -i wlp58s0 -s0 port 53

Print all plain text passwords:

$ sudo tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -l -A | egrep -i -B5 'pass=|pwd=|log=|login=|user=|user |username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass '

Common Tcpdump filters

• -A Shows packets in ASCII Format.
• -c Number of packets to capture.
• -count Print packet count only when reading a captured file.
• -e Print MAC addresses and link-level headers.
• -h or -help Prints version and usage information.
• -version Show the version information only.
• -i Specify the network interface to capture on.
• -K Prevent attempts to verify checksums of any packet. Adds speed.
• -m Specify Module to use.
• -n Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
• -number Print an optional packet number at the beginning of each line.
• -p Prohibit the interface from going into promiscuous mode.
• -Q Choose direction for the packets to be captured. Send or receive.
• -q Quiet/Quick Output. Prints Less information. Outputs are shorter.
• -r Used to read packets from a pcap .
• -t Don't print a timestamp on each dump line.
• -v Prints out more information regarding output.
• -w Write the raw packets to file.
• -x Prints ASCII output.
• -X Prints ASCII with hex.
• -list-interfaces Shows all the network interfaces available where packets can be captured by tcpdump.

Cessation

Tcpdump has been a very widely used tool used in the research and applications of Security/Networking. The only drawback tcpdump has 'No GUI,' but it is too good to be kept out of the top charts. As Daniel Miessler writes, “Protocol Analyzers like Wireshark is great, but if you want to truly master packet-fu, you must become one with tcpdump first.”