How to monitor packet flow using the TCPDUMP

How to monitor packet flow using the TCPDUMP

Overview
The packet capture tool tcpdump allows the interception and capture of packets passing through a network interface. This makes it useful for understanding and troubleshooting network layer problems. It helps in monitoring packet flow coming from the interface, the response for each packet, packet drop, and ARP information. tcpdump prints out the headers of packets on a network interface that match the boolean expression

Can see the packet in TCPDUMP

  • problem exists with service (check service status and log files for that service)
  • problem exists with iptables firewall (check connectivity with firewall disabled or with different/custom firewall rules)

Can NOT see the packet in TCPDUMP

  • Check status of NIC (ethtool, ifconfig config and errors)
  • Check driver of NIC (dmesg or kernel messages in logs)
  • Check hops between NIC and source (troubleshoot by eliminating switches and connecting directly with crossover cable)

We’ve identified that tcpdump can be quite useful, so let’s give some examples.

tcpdump Filters

This section is for informative value and nothing will be done in the lab environment.

When running tcpdump capture from the F5 you should always use a filter to limit the volume of traffic you will gather.

  1. Host Filters
  2. tcpdump host 192.168.2.5 This will filter the packet capture to only gather packets going to or coming from the host 192.168.2.5.
  3. tcpdump src host 192.168.2.5 This will filter the packet capture to only gather packets coming from 192.168.2.5.
  4. tcpdump dst host 192.168.2.5 This will filter the packet capture to only gather packets going to 192.168.2.5.
  5. Port Filters
  6. tcpdump port 443 This will filter the packet capture to only gather packets with a source or destination of port 443.
  7. tcpdump src port 1055 This will capture traffic being sourced from port 1055.
  8. tcpdump dst port 443 This will capture traffic destined for port 443.

Basics

Below are a few options you can use when configuring tcpdump. They’re easy to forget and/or confuse with other types of filters, e.g., Wireshark, so hopefully this page can serve as a reference for you, as it does me. here are the main ones I like to keep in mind depending on what I’m looking at.

Options

  • **-i any** : Listen on all interfaces just to see if you’re seeing any traffic.
  • **-i eth0** : Listen on the eth0 interface.
  • **-D** : Show the list of available interfaces
  • **-n** : Don’t resolve hostnames.
  • **-nn** : Don’t resolve hostnames or port names.
  • **-q** : Be less verbose (more quiet) with your output.
  • **-t** : Give human-readable timestamp output.
  • **-tttt** : Give maximally human-readable timestamp output.
  • **-X** : Show the packet’s contents in both hex and ASCII.
  • **-XX** : Same as **-X**, but also shows the ethernet header.
  • **-v, -vv, -vvv** : Increase the amount of packet information you get back.
  • **-c** : Only get x number of packets and then stop.
  • **-s** : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
  • **-S** : Print absolute sequence numbers.
  • **-e** : Get the ethernet header as well.
  • **-q** : Show less protocol information.
  • **-E** : Decrypt IPSEC traffic by providing an encryption key.

The default snaplength as of tcpdump 4.0 has changed from 68 bytes to 96 bytes. While this will give you more of a packet to see, it still won’t get everything. Use -s 1514 or -s 0 to get full coverage.

Expressions

In tcpdump, Expressions allow you to trim out various types of traffic and find exactly what you’re looking for. Mastering the expressions and learning to combine them creatively is what makes one truly powerful with tcpdump.

There are three main types of expression: type, dir, and proto.

  • Type options are: host, net, and port.
  • Direction lets you do src, dst, and combinations thereof.
  • Proto(col) lets you designate: tcp, udp, icmp, ah, and many more.

Basics

1.1 BASIC COMMUNICATION

Just see what’s going on, by looking at all interfaces.

tcpdump -i any

1.2 SPECIFIC INTERFACE

Basic view of what’s happening on a particular interface.

tcpdump -i eth0

1.3 RAW OUTPUT VIEW

Verbose output (-vv), with no resolution of hostnames or port numbers (-nn), absolute sequence numbers (-S), and human-readable timestamps (-tttt).

tcpdump -ttttnnvvS

1.4 FIND TRAFFIC BY IP

One of the most common queries, this will show you traffic from 1.2.3.4, whether it’s the source or the destination.

tcpdump host 1.2.3.4

1.5 SEEING MORE OF THE PACKET WITH HEX OUTPUT

Hex output is useful when you want to see the content of the packets in question, and it’s often best used when you’re isolating a few candiates for closer scrutiny.

tcpdump -nnvXSs0 icmp

1.6 FILTERING BY SOURCE AND DESTINATION

It’s quite easy to isolate traffic based on either source or destination using src and dst.

tcpdump src 2.3.4.5  
tcpdump dst 3.4.5.6

1.7 FINDING PACKETS BY NETWORK

To find packets going to or from a particular network, use the net option. You can combine this with the src or dst options as well.

tcpdump net 1.2.3.0/24

You can find specific port traffic by using the port option followed by the port number.

tcpdump port 3389  
tcpdump src port 3389

1.9 SHOW TRAFFIC OF ONE PROTOCOL

If you’re looking one particular kind of traffic, you can use tcp (or proto 6), udp (or proto 17) and many others as well.

tcpdump tcp *# same as tcpdump proto 6*

1.10 SHOW ONLY IP6 TRAFFIC

You can also find all IPv6 traffic using the protocol option.

tcpdump ip6

1.11 FIND TRAFFIC USING PORT RANGES

You can also use a range of ports to find traffic.

tcpdump portrange 21-23

1.12 FIND TRAFFIC BASED ON PACKET SIZE

If you’re looking for packets of a particular size you can use these options. You can use less, greater, or their associated symbols that you would expect from mathmatics.

tcpdump less 32  
tcpdump greater 64  
tcpdump <=128

1.13 READING / WRITING CAPTURES TO A FILE

It’s often useful to save packet captures into a file for analysis in the future. These files are known as PACAP (PEE-cap) files, and they can be processed by hundreds of different applications (e.g. Wireshark), including network analyzers, intrusion detection systems, and of course by tcpdump itself.

tcpdump port 80 -w capture_file.pcap

You can read PACAP files by using the -r switch. Note that you can use all the regular commands within tcpdump while reading in a file; you’re only limited by the fact that you can’t capture and process what doesn’t exist in the file already.

tcpdump -r capture_file.pcap

Advanced

2.1 FROM SPECIFIC IP AND DESTINED FOR A SPECIFIC PORT

Let’s find all traffic form 10.5.2.3 going to any host on port 3389.

tcpdump -nnvvS src 10.5.2.3 and dst port 3389

2.2 FIND ONE NETWORK TO ANOTHER

Let’s look for all traffic comming from 192.168.x.x and goning to the 10.x or 172.16.x.x networks, and we’re showing hex output with no hostname resolution and one level of extra verbosity.

tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16

2.3 NON ICMP TRAFFIC GOING TO A SPECIFIC IP

This will show us all traffic goning to 192.168.0.2 that is not ICMP.

tcpdump dst 192.168.0.2 and not icmp

2.4 TRAFFIC FROM A HOST THAT ISN’T ON A SPECIFIC PORT

This will show us all traffic from a host and isn’t SSH traffic (assuming default port usage).

tcpdump -vv src mars and not dst port 22

Keep in mind that when you’re building complex queries you minght have to group your options using single quotes. Single quotes are used in order to tell tcpdump to ignore certain special characters—in this case below the “()” brackets. The same technique can be used to group using other expressions such as host, port, net, etc.

tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'

2.5 ISOLATE TCP FLAGS

You can also use filters to isolate packets with specific TCP flags set.

2.5.1 Isolate TCP RST flags.

tcpdump 'tcp[13] & 4 != 0'  
tcpdump 'tcp[tcpflags] == tcp-rst'

2.5.2 Isolate TCP SYNC flags.

tcpdump 'tcp[13] & 2 != 0'  
tcpdump 'tcp[tcpflags] == tcp-syn'

2.5.3 Isolate packets that have both SYN and ACK flags set.

tcpdump 'tcp[13] = 18'

2.5.4 Isolate TCP URG flags.

tcpdump 'tcp[13] & 32 != 0'  
tcpdump 'tcp[tcpflags] == tcp-urg'

2.5.5 Isolate TCP ACK flags.

tcpdump 'tcp[13] & 16!=0'  
tcpdump 'tcp[tcpflags] == tcp-ack'

2.5.6 Isolate TCP PSH flags.

tcpdump 'tcp[13] & 8!=0'  
tcpdump 'tcp[tcpflags] == tcp-psh'

2.5.7 Isolate TCP FIN flags.

tcpdump 'tcp[13] & 1!=0'  
tcpdump 'tcp[tcpflags] == tcp-fin'

2.5.8 Isolate packets that have both SYN and RST flags set.

tcpdump 'tcp[13] = 6'

2.6 FIND HTTP USER AGENTS

tcpdump -vvAls0 | grep 'User-Agent:'

2.7 CLEARTEXT GET REQUESTS

tcpdump -vvAls0 | grep 'GET'

2.8 FIND HTTP HOST HEADERS

tcpdump -vvAls0 | grep 'Host:'

2.9 FIND HTTP COOKIES

tcpdump -vvAls0 | egrep 'Set-Cookie:|Cookie:'

2.10 FIND DNS TRAFFIC

tcpdump -vvAs0 port 53

2.11 FIND FTP TRAFFIC

tcpdump -vvAs0 port ftp or ftp-data

2.12 FIND NTP TRAFFIC

tcpdump -vvAs0 port 123

2.13 FIND CLEARTEXT PASSWORDS

tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -lA | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '

Did you find this article valuable?

Support Cyber Security by becoming a sponsor. Any amount is appreciated!