Packet capturing tools are used legitimately in networks today for network troubleshooting and traffic analysis. One such tool is tcpdump, a free, powerful, CLI-based tool for capturing and analyzing packet information. As a text-based utility, tcpdump can be run directly from the command line of a machine. It can read live traffic from interfaces and prerecorded traffic from PCAP files, and it allows you to display TCP, IP, and other packets being transmitted or received over the network to which the machine is connected.
Packet capturing tool: tcpdump
Packet capturing tools are valuable tools for security analysts. However, analysts should be aware of the fact that packet capturing tools are also invaluable tools for attackers. Network management protocols (such as Telnet, FTP, HTTP, SNMPv1, and SNMPv2) transmit information in cleartext. If an attacker can capture such management traffic, sensitive information such as usernames and passwords can be easily revealed.
Tcpdump is extremely popular on Linux and UNIX hosts and on network security devices that are based on these operating systems. On the rare occasion that tcpdump does not come preinstalled, it is usually easy to download and install.
Windump, a Microsoft Windows version of tcpdump, is also available. Tcpdump and windump can capture and display live network traffic from any directly connected interfaces, including traffic that is not addressed to the local system. To capture traffic that is not destined for the local system, the network adapter must be set into a special mode, referred to as "promiscuous mode," which causes the network adapter to read all traffic that it sees. Administrative or superuser permissions within the operating system are required to enable promiscuous mode. For this reason, tcpdump (and windump) must be run as the root user (or administrator user).
Tcpdump has machine-dependent limitations, which are based on the number of packets that it can process per second. If traffic arrives too quickly and cannot be processed in time, it is dropped by the kernel. Also, as with most packet capture software, tcpdump does not show data link layer information before the destination MAC.
In the following tcpdump live capture example, two tcpdump command options were used. The -i option defines the interface, which is eth0 in this case. The -n option specifies that addresses are displayed as IP addresses rather than as host names. Using the -n option is common for live captures. Without the -n option, the system attempts to look up the name of the host through DNS.
Press Ctrl+C to stop the traffic capture.
```
root@Kali:~# tcpdump -i eth0 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:06:57.246670 IP 192.168.28.1.137 > 192.168.28.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
10:06:57.665021 ARP, Request who-has 192.168.28.128 (00:0c:29:66:4d:29) tell 192.168.28.1, length 46
10:06:57.665041 ARP, Reply 192.168.28.128 is-at 00:0c:29:66:4d:29, length 28
10:06:57.996116 IP 192.168.28.1.137 > 192.168.28.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
10:06:58.746225 IP 192.168.28.1.137 > 192.168.28.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
5 packets captured
5 packets received by filter
0 packets dropped by kernel
root@Kali:~#
```
(Information source: Cisco)
The figure below shows the different parts of the tcpdump output.
tcpdump command options:
The -w option specifies that tcpdump will write the network traffic to a PCAP file, specified here as "sample.pcap". No output is displayed while tcpdump is capturing to a file.
```
root@Kali:~# tcpdump -i eth0 -w sample.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
7 packets captured
7 packets received by filter
0 packets dropped by kernel
root@Kali:~#
```
The -r option tells tcpdump to read from the PCAP file that was created in the previous example. In addition, the -x option is used to output the hexadecimal representation of each packet.
```
root@Kali:~# tcpdump -x -r sample.pcap
reading from file sample.pcap, link-type EN10MB (Ethernet)
06:52:39.152387 IP 192.168.28.1.137 > 192.168.28.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    0x0000:  4500 004e 7195 0000 8011 0eb9 c0a8 1c01
    0x0010:  c0a8 1cff 0089 0089 003a d504 e499 0110
    0x0020:  0001 0000 0000 0000 2046 4445 4c46 4a45
    0x0030:  4f45 4646 4543 4e45 4345 4d43 4143 4143
    0x0040:  4143 4143 4143 4142 4d00 0020 0001
root@Kali:~#
```
The -XX option outputs both the hexadecimal and ASCII representations, including the link-layer (Ethernet) header. The ASCII representation is extremely useful when working with plaintext or human-readable data.
```
root@Kali:~# tcpdump -i eth0 -XX
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:00:34.494200 IP 192.168.28.1 > 192.168.28.129: ICMP echo request, id 1, seq 5, length 40
    0x0000:  000c 2966 4d29 0050 56c0 0008 0800 4500  ..)fM).PV.....E.
    0x0010:  003c 691d 0000 8001 17d1 c0a8 1c01 c0a8  .<i.............
    0x0020:  1c81 0800 4d56 0001 0005 6162 6364 6566  ....MV....abcdef
    0x0030:  6768 696a 6b6c 6d6e 6f70 7172 7374 7576  ghijklmnopqrstuv
    0x0040:  7761 6263 6465 6667 6869                 wabcdefghi
1 packets captured
1 packets received by filter
0 packets dropped by kernel
root@Kali:~#
```
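As an added example (not from the page or from tcpdump itself), the following Python script rebuilds the raw bytes from the -x and -XX dumps shown above, decodes the Ethernet and IPv4 headers, and verifies the IP header checksum, so the hex can be checked by hand against the summary lines. The two dumps are copied from the page; everything else is assumed.

```python
import re
from ipaddress import IPv4Address
# Constructed samples copied from the -XX dump (Ethernet + IPv4 + ICMP) and the -x dump above.
DUMP_XX = """\
0x0000:  000c 2966 4d29 0050 56c0 0008 0800 4500  ..)fM).PV.....E.
0x0010:  003c 691d 0000 8001 17d1 c0a8 1c01 c0a8  .<i.............
0x0020:  1c81 0800 4d56 0001 0005 6162 6364 6566  ....MV....abcdef
"""
DUMP_X = """\
0x0000:  4500 004e 7195 0000 8011 0eb9 c0a8 1c01
0x0010:  c0a8 1cff 0089 0089 003a d504 e499 0110
"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from tcpdump -x/-xx/-X/-XX lines; the ASCII column is skipped."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("0x"):
            continue
        for tok in tokens[1:9]:                    # at most eight 16-bit groups per line
            if not re.fullmatch(r"(?:[0-9a-fA-F]{2}){1,2}", tok):
                break                              # reached the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 when run over a header whose checksum is valid."""
    total = sum(int.from_bytes(header[i:i + 2], "big") for i in range(0, len(header), 2))
    while total >> 16:                             # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_ipv4(frame: bytes, has_ethernet: bool) -> dict:
    """Decode the Ethernet header (present in -xx/-XX output) and the IPv4 header; UDP ports are added for protocol 17."""
    info, off = {}, 0
    if has_ethernet:
        info = {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
                "ethertype": int.from_bytes(frame[12:14], "big")}
        off = 14
    ip = frame[off:]
    ihl = (ip[0] & 0x0F) * 4                       # header length in bytes (20 without options)
    info.update(version=ip[0] >> 4, total_length=int.from_bytes(ip[2:4], "big"),
                ttl=ip[8], protocol=ip[9], src=str(IPv4Address(ip[12:16])),
                dst=str(IPv4Address(ip[16:20])), checksum_ok=ip_checksum(ip[:ihl]) == 0)
    if ip[9] == 17:                                # UDP header follows the IP header
        info["src_port"] = int.from_bytes(ip[ihl:ihl + 2], "big")
        info["dst_port"] = int.from_bytes(ip[ihl + 2:ihl + 4], "big")
    return info
```

The dump parser stops at the first non-hex token, which is only ambiguous on a short line whose ASCII column happens to consist of hex digits.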
Tcpdump uses the PCAP library, or libpcap, to capture and filter network traffic. Similarly, windump requires the WinPcap libraries to capture and filter network traffic. Libpcap (and its Windows counterpart) uses a unique language to describe protocols and fields within the packets that it sees. This language is referred to as BPF syntax and has become the de facto standard in many network utilities.
BPF syntax allows you to combine criteria to form a capture filter to be used within the
- host: Defines a specific host
- net: Defines a network, classful or classless, and can be combined with a mask (for example `net <network> mask 255.255.255.0`, where `<network>` is a placeholder for the network address)
- port: Specifies a specific port
- src: Source, can be combined with any type
- dst: Destination, can be combined with any type
- and: Combines two filters; both must be true
- or: Combines two filters; either must be true
- not: Negates a filter (useful for ignoring designated traffic)
- ip: Filters based on IPv4 packets
- ip6: Filters based on IPv6 packets
- arp: Filters based on ARP traffic
- icmp: Filters based on ICMP messages
- tcp: Filters based on TCP segments
- udp: Filters based on UDP datagrams
In the following example, the tcpdump command captures traffic on the eth0 interface that matches both IP address 10.1.1.2 and port 80. Examining the first three packets, you can see the TCP three-way handshake, where the first packet has the SYN flag, the second packet has the SYN and ACK flags, and the third packet has the ACK flag.
```
root@Kali:~# tcpdump -i eth0 port 80 and host 10.1.1.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:42:18.923345 IP 172.16.1.2.54769 > 10.1.1.2.80: Flags [S], seq 2471859586, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:42:19.022097 IP 10.1.1.2.80 > 172.16.1.2.54769: Flags [S.], seq 2637141512, ack 2471859587, win 8190, options [mss 1460], length 0
18:42:19.022326 IP 172.16.1.2.54769 > 10.1.1.2.80: Flags [.], ack 1, win 64240, length 0
18:42:19.425546 IP 172.16.1.2.54769 > 10.1.1.2.80: Flags [P.], ack 1, win 64240, length 461
18:42:19.510902 IP 10.1.1.2.80 > 172.16.1.2.54769: Flags [.], ack 462, win 10649, length 0
<output omitted>
```
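As an added example (not part of the original page), this Python script reads tcpdump summary lines like those above and confirms the three-way handshake per flow by matching the SYN, SYN-ACK and ACK sequence numbers; SYNs that never complete are reported separately, which is how half-open connections show up in a capture. The first four sample lines are copied from the page; the fifth line and all names are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the first four lines of the capture above, plus one extra SYN
# (port 54770) that never gets answered, to show how an incomplete handshake is reported.
SAMPLE = """\
18:42:18.923345 IP 172.16.1.2.54769 > 10.1.1.2.80: Flags [S], seq 2471859586, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:42:19.022097 IP 10.1.1.2.80 > 172.16.1.2.54769: Flags [S.], seq 2637141512, ack 2471859587, win 8190, options [mss 1460], length 0
18:42:19.022326 IP 172.16.1.2.54769 > 10.1.1.2.80: Flags [.], ack 1, win 64240, length 0
18:42:19.425546 IP 172.16.1.2.54769 > 10.1.1.2.80: Flags [P.], ack 1, win 64240, length 461
18:42:20.000000 IP 172.16.1.2.54770 > 10.1.1.2.80: Flags [S], seq 1000, win 8192, length 0
"""

# One tcpdump summary line: timestamp, addresses with trailing port, flags, optional seq/ack.
LINE = re.compile(
    r"^\S+ IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+))?(?:, ack (?P<ack>\d+))?"
)

Flow = Tuple[str, int, str, int]   # (client, client_port, server, server_port)

def track_handshakes(text: str) -> Dict[str, List[Flow]]:
    """Walk tcpdump output and classify flows as established (SYN, SYN-ACK, ACK all seen
    with matching sequence numbers) or incomplete (SYN seen, handshake never finished)."""
    pending: Dict[Flow, dict] = {}
    established: List[Flow] = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, sport, dst, dport = m["src"], int(m["sport"]), m["dst"], int(m["dport"])
        seq = int(m["seq"]) if m["seq"] else None
        ack = int(m["ack"]) if m["ack"] else None
        if m["flags"] == "S":                      # step 1: SYN, remember the client ISN
            pending[(src, sport, dst, dport)] = {"client_isn": seq}
        elif m["flags"] == "S.":                   # step 2: SYN-ACK must ack client ISN + 1
            flow = (dst, dport, src, sport)
            state = pending.get(flow)
            if state and ack == state["client_isn"] + 1:
                state["server_isn"] = seq
        elif m["flags"] == ".":                    # step 3: ACK from the client
            flow = (src, sport, dst, dport)
            state = pending.get(flow)
            # without -S, tcpdump switches to relative numbers here, so "ack 1" is the norm
            if state and "server_isn" in state and ack in (1, state["server_isn"] + 1):
                established.append(flow)
                del pending[flow]
    return {"established": established, "incomplete": list(pending)}
```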
| Filter | Description |
|---|---|
| | Captures packets from or to host mail server |
| | Captures packets between mail server and web server |
| `tcp port 80` | Captures TCP packets to or from port 80 |
| `tcp port http` | Captures TCP packets to or from port 80, or the http port number as defined in the /etc/services file |
| `icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply` | Captures all ICMP packets that are not echo requests or replies (that is, not ping packets) |
| `host 192.168.0.1 and \( 192.168.0.2 or 192.168.0.3 \)` | Captures traffic between 192.168.0.1 and either 192.168.0.2 or 192.168.0.3 |

Note: The parentheses are escaped (using a backslash) to prevent misinterpretation by the shell.
Tcpdump is a powerful utility with a great deal of potential. Many resources are available that provide more detailed examples and a more thorough explanation of its numerous command-line options.