Packet capturing tool : tcpdump

You are most welcome to this post on packet capturing using tcpdump. Thank you for your interest in this topic. :)

Packet capturing tools are used legitimately in networks today for network troubleshooting and traffic analysis. One such tool is tcpdump, a free, powerful, CLI-based tool for capturing and analyzing packet data. As a text-based utility, tcpdump can be run directly from the command line of a machine. It can read live traffic from interfaces and prerecorded traffic from PCAP files, and it allows you to display TCP, IP, and other packets being transmitted or received over the network to which the machine is attached.


Packet capturing tools are valuable tools for security analysts. However, analysts should be aware that packet capturing tools are also invaluable tools for attackers. Network management protocols such as Telnet, FTP, HTTP, SNMPv1 and SNMPv2 transmit data in cleartext. If an attacker can capture such management traffic, sensitive data such as usernames, passwords and SNMP community strings can be read straight off the wire.
Tcpdump is extremely common on Linux and UNIX hosts and on network infrastructure devices that are based on these operating systems. On the rare occasion that tcpdump does not come preinstalled, it is usually easy to download and install.
Windump, a Microsoft Windows version of tcpdump, is also available. Tcpdump and windump can capture and display live network traffic from any directly connected interface, including traffic that is not addressed to the local machine. To capture traffic that is not destined for the local machine, the network adapter must be put into a special mode, referred to as "promiscuous mode," which causes the adapter to pass up every frame it sees rather than only frames addressed to its own MAC. Tcpdump enables promiscuous mode by default; the -p option turns it off. Administrative or superuser permissions within the operating system are required to open a raw capture socket and enable promiscuous mode, so tcpdump (and windump) is normally run as root (or an administrator). On Linux the capture can instead be run by an unprivileged user if the tcpdump binary is granted the CAP_NET_RAW and CAP_NET_ADMIN capabilities (for example: setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump), and when it is run as root, the -Z user option drops to the named user after the capture is opened, which limits what a bug in the protocol decoders can do. Keep in mind that on a switched network promiscuous mode only shows you the frames the switch forwards to your port (broadcasts, and traffic to and from your own host); to see other hosts' conversations you need a SPAN/mirror port, a tap, or a position on the path.
Tcpdump has machine-dependent limitations, based on the number of packets it can process per second. If traffic arrives too quickly and cannot be processed in time, it is dropped by the kernel. The "packets dropped by kernel" counter printed when a capture ends reports this; a non-zero value means the capture is incomplete and should not be treated as a full record. Writing to a file with -w instead of decoding to the terminal, narrowing the capture with a filter, and enlarging the capture buffer with -B reduce drops. Also, as with most packet capture software, tcpdump does not show the data link layer fields that precede the destination MAC address (the preamble and start-frame delimiter), because the network adapter strips them before the frame reaches the kernel.
In the following tcpdump live capture example, two tcpdump command options are used. The -i option defines the interface, which is eth0 in this case. The -n option specifies that addresses are displayed as IP addresses rather than as host names (-nn also leaves port numbers untranslated). Using the -n option is advisable for live captures. Without the -n option, the system attempts to look up the name of every host through DNS, which slows the capture down and sends a reverse lookup for each address observed; on a monitored network those lookups reveal both that a capture is running and which hosts it has seen.

Use Ctrl+C to stop the traffic capture; tcpdump then prints the captured/received/dropped counters shown at the end of the listing.

root@Kali:~# tcpdump -i eth0 -n

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:06:57.246670 IP 192.168.28.1.137 > 192.168.28.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
10:06:57.665021 ARP, Request who-has 192.168.28.128 (00:0c:29:66:4d:29) tell 192.168.28.1, length 46
10:06:57.665041 ARP, Reply 192.168.28.128 is-at 00:0c:29:66:4d:29, length 28
10:06:57.996116 IP 192.168.28.1.137 > 192.168.28.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
10:06:58.746225 IP 192.168.28.1.137 > 192.168.28.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
5 packets captured
5 packets received by filter
0 packets dropped by kernel

root@Kali:~#

(Information source: Cisco)

The figure in the original post (not reproduced here) breaks a line of tcpdump output into its parts. Taking the first line of the capture above: 10:06:57.246670 is the timestamp (local time, with microseconds); IP is the layer 3 protocol; 192.168.28.1.137 is the source address and port (137, the NetBIOS name service); > separates source from destination; 192.168.28.255.137 is the destination address and port (here the subnet broadcast address); and NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST is tcpdump's decoded summary of the payload. The ARP lines carry no IP header, so tcpdump prints the protocol name ARP followed by the request (who-has ... tell ...) or the reply (is-at ...) and the frame length.

Other tcpdump command options:

The -w option tells tcpdump to write the captured packets, in raw binary form, to a PCAP file, specified here as "sample.pcap." No per-packet output is printed while tcpdump is capturing to a file; only the packet counters appear when the capture is stopped. The file can be reopened later with tcpdump -r or in Wireshark. Because it holds the full packets (up to the capture size shown in the banner), it must be protected like the traffic it contains: any credentials that crossed the wire in cleartext are now on disk.

root@Kali:~# tcpdump -i eth0 -w sample.pcap 

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
7 packets captured
7 packets received by filter
0 packets dropped by kernel

root@Kali:~#

The -r option tells tcpdump to read from the PCAP file created in the previous example rather than from an interface, so no root privileges or network access are needed. In addition, the -x option prints the hexadecimal representation of each packet. With lower-case -x the dump starts at the IP header (the first bytes below, 4500, are the IPv4 version/IHL and type-of-service fields); -xx includes the link-layer header as well.

root@Kali:~# tcpdump -x -r sample.pcap

reading from file sample.pcap, link-type EN10MB (Ethernet)
06:52:39.152387 IP 192.168.28.1.137 > 192.168.28.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
        0x0000:  4500 004e 7195 0000 8011 0eb9 c0a8 1c01
        0x0010:  c0a8 1cff 0089 0089 003a d504 e499 0110
        0x0020:  0001 0000 0000 0000 2046 4445 4c46 4a45
        0x0030:  4f45 4646 4543 4e45 4345 4d43 4143 4143
        0x0040:  4143 4143 4143 4142 4d00 0020 0001

root@Kali:~#

The -XX option outputs both the hexadecimal and ASCII representations and, unlike -x, includes the link-layer header: the first six bytes below, 00 0c 29 66 4d 29, are the destination MAC address seen earlier in the ARP reply, followed by the source MAC and the EtherType 0800 (IPv4). The ASCII representation is extremely useful when working with plaintext or human-readable data; here it shows the standard Windows ping payload abcdefghijklmnopqrstuvwabcdefghi, and for a Telnet, FTP or HTTP session it would show the credentials directly.

root@Kali:~# tcpdump -i eth0 -XX 

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:00:34.494200 IP 192.168.28.1 > 192.168.28.129: ICMP echo request, id 1, seq 5, length 40
        0x0000:  000c 2966 4d29 0050 56c0 0008 0800 4500  ..)fM).PV.....E.
        0x0010:  003c 691d 0000 8001 17d1 c0a8 1c01 c0a8  .<i.............
        0x0020:  1c81 0800 4d56 0001 0005 6162 6364 6566  ....MV....abcdef
        0x0030:  6768 696a 6b6c 6d6e 6f70 7172 7374 7576  ghijklmnopqrstuv
        0x0040:  7761 6263 6465 6667 6869                 wabcdefghi
1 packets captured
1 packets received by filter
0 packets dropped by kernel

root@Kali:~#
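To show what the two hex dumps above actually contain, here is an added example (not part of the original post and not code from tcpdump itself) that parses tcpdump -x and -XX output back into bytes and decodes the IPv4, UDP, ICMP and NetBIOS name-service fields, verifying the IP and ICMP checksums on the way. The two dumps embedded in the script are copied from the listings above; the function and variable names are this example's own.

```python
import re
import struct

# Hex dump copied from the page's "tcpdump -x -r sample.pcap" listing (starts at the IP header).
NBNS_DUMP = """
        0x0000:  4500 004e 7195 0000 8011 0eb9 c0a8 1c01
        0x0010:  c0a8 1cff 0089 0089 003a d504 e499 0110
        0x0020:  0001 0000 0000 0000 2046 4445 4c46 4a45
        0x0030:  4f45 4646 4543 4e45 4345 4d43 4143 4143
        0x0040:  4143 4143 4143 4142 4d00 0020 0001
"""

# Hex dump copied from the page's "tcpdump -i eth0 -XX" listing (Ethernet header first, ASCII column on the right).
ICMP_DUMP = """
        0x0000:  000c 2966 4d29 0050 56c0 0008 0800 4500  ..)fM).PV.....E.
        0x0010:  003c 691d 0000 8001 17d1 c0a8 1c01 c0a8  .<i.............
        0x0020:  1c81 0800 4d56 0001 0005 6162 6364 6566  ....MV....abcdef
        0x0030:  6768 696a 6b6c 6d6e 6f70 7172 7374 7576  ghijklmnopqrstuv
        0x0040:  7761 6263 6465 6667 6869                 wabcdefghi
"""

HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+:\s+(.*)$")


def hexdump_to_bytes(dump: str) -> bytes:
    """Reassemble the raw packet from tcpdump -x / -xx / -X / -XX output lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        # Hex groups are separated by one space; the ASCII column, if present, follows two spaces.
        for group in m.group(1).split("  ")[0].split():
            out += bytes.fromhex(group)
    return bytes(out)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum. Over a header that already carries a valid checksum it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def strip_link_header(pkt: bytes) -> bytes:
    """-x/-X dumps begin at the IP header; -xx/-XX dumps begin with the 14-byte Ethernet header."""
    if pkt[0] >> 4 == 4:
        return pkt
    if pkt[12:14] == b"\x08\x00":  # EtherType IPv4
        return pkt[14:]
    raise ValueError("not an IPv4 packet")


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header and the UDP or ICMP header behind it, checking checksums."""
    ip = strip_link_header(pkt)
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "ttl": ttl,
        "proto": proto,
        "total_len": total_len,
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
    }
    payload = ip[ihl:total_len]
    if proto == 17:  # UDP
        sport, dport, ulen, _ = struct.unpack("!HHHH", payload[:8])
        info.update(sport=sport, dport=dport, data=payload[8:ulen])
    elif proto == 1:  # ICMP: the checksum covers the whole ICMP message
        itype, code, _, ident, seq = struct.unpack("!BBHHH", payload[:8])
        info.update(icmp_type=itype, icmp_code=code, icmp_id=ident, icmp_seq=seq,
                    icmp_checksum_ok=inet_checksum(payload) == 0, data=payload[8:])
    return info


def decode_netbios_name(question: bytes) -> tuple:
    """First-level decode of the 32-character NetBIOS name in an NBNS question (RFC 1001 section 14.1):
    each pair of letters A..P encodes one byte; the 16th byte is the name suffix."""
    length = question[0]
    encoded = question[1:1 + length].decode("ascii")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41) for i in range(0, length, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def nbns_query_name(pkt: bytes) -> tuple:
    """Return (name, suffix) queried by a NetBIOS name-service packet on UDP/137."""
    info = parse_ipv4(pkt)
    if info["proto"] != 17 or info["dport"] != 137:
        raise ValueError("not an NBNS packet")
    return decode_netbios_name(info["data"][12:])  # skip the 12-byte NBNS header


if __name__ == "__main__":
    nbns = hexdump_to_bytes(NBNS_DUMP)
    print(parse_ipv4(nbns))
    print("NBNS query for name %r, suffix 0x%02x" % nbns_query_name(nbns))
    print(parse_ipv4(hexdump_to_bytes(ICMP_DUMP)))
```

Both IP headers and the ICMP message check out (the checksums in the dumps are valid), and the broadcast on UDP/137 turns out to be a query for the NetBIOS name SKYNET-BL with suffix 0x1C, the group name Windows hosts use to find domain controllers. Nothing in the capture was addressed to the Kali host; a single cleartext broadcast handed the Windows domain name to anyone listening on the segment, which is exactly the exposure described at the top of this post.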

Tcpdump uses the PCAP library, libpcap, to capture and filter network traffic. Similarly, windump requires the WinPcap libraries (Npcap on current Windows versions). Libpcap (and its Windows counterpart) uses its own language to describe protocols and fields within the packets that it sees. This language is referred to as BPF syntax and has become the de facto standard in many network utilities (Wireshark and tshark capture filters use the same expressions). Libpcap compiles the filter expression into a small BPF program that the kernel runs against every packet, so packets that do not match are discarded before they are copied to user space; this is why a tight capture filter is the first remedy for a non-zero "dropped by kernel" counter. The "packets received by filter" line in tcpdump's summary counts the packets that passed this filter. Running tcpdump -d 'expression' prints the compiled program and is a quick way to confirm that a filter parses the way you intended.

BPF syntax allows you to combine criteria to form a capture filter to be used within the tcpdump command:

  • host: Defines a specific host
  • net: Defines a network, classful or classless, and can be combined with mask
    1. net 192.168.1.0
    2. net 192.168.1.0 mask 255.255.255.0
    3. net 192.168.1.0/24
  • port: Specifies a specific port
  • src: Source, can be combined with any type
  • dst: Destination, can be combined with any type
  • and: Combines two filters; both must be true
  • or: Combines two filters; either must be true
  • not: Negates a filter (useful for ignoring designated traffic)
  • ip: Filters, based on IPv4 packets
  • ip6: Filters, based on IPv6 packets
  • arp: Filters, based on ARP traffic
  • icmp: Filters, based on ICMP messages
  • tcp: Filters, based on TCP segments
  • udp: Filters, based on UDP datagrams

In the following example, the tcpdump command captures traffic on the eth0 interface that involves IP address 10.1.1.2 and port 80. Examining the first three packets, you can see the TCP three-way handshake, where the first packet has the SYN flag ([S]), the second packet has the SYN and ACK flags ([S.]; tcpdump prints ACK as a dot), and the third packet has only the ACK flag ([.]). Note the sequence numbers: in the SYN and SYN-ACK they are absolute (the server acknowledges 2471859587, the client's initial sequence number plus one), but from the third packet on tcpdump prints them relative to the initial sequence numbers, which is why the final handshake packet reads ack 1 and the server's acknowledgement of the client's 461-byte request reads ack 462. Use -S to keep absolute numbers throughout. [P.] marks a segment that carries data with PSH and ACK set.

root@Kali:~# tcpdump -i eth0 port 80 and host 10.1.1.2

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:42:18.923345 IP 172.16.1.2.54769 > 10.1.1.2.80: Flags [S], seq 2471859586, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:42:19.022097 IP 10.1.1.2.80 > 172.16.1.2.54769: Flags [S.], seq 2637141512, ack 2471859587, win 8190, options [mss 1460], length 0
18:42:19.022326 IP 172.16.1.2.54769 > 10.1.1.2.80: Flags [.], ack 1, win 64240, length 0
18:42:19.425546 IP 172.16.1.2.54769 > 10.1.1.2.80: Flags [P.], ack 1, win 64240, length 461
18:42:19.510902 IP 10.1.1.2.80 > 172.16.1.2.54769: Flags [.], ack 462, win 10649, length 0
 
<output omitted>
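The handshake check walked through above can be automated. The following added example (not from the original post) parses tcpdump's one-line TCP summaries, groups them into flows, verifies the SYN / SYN-ACK / ACK sequence including the switch from absolute to relative acknowledgement numbers, and reports flows that never completed the handshake. The first five sample lines are copied from the output above; the sixth, a SYN from 172.16.1.9 that gets no reply, is constructed to show what a half-open connection (a SYN-scan probe or a filtered port) looks like. Function names and the flow-state labels are this example's own.

```python
import re

# Lines copied from the page's "tcpdump -i eth0 port 80 and host 10.1.1.2" output, plus one
# constructed line (not in the original capture): a SYN from 172.16.1.9 that never gets a reply.
SAMPLE = """\
18:42:18.923345 IP 172.16.1.2.54769 > 10.1.1.2.80: Flags [S], seq 2471859586, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:42:19.022097 IP 10.1.1.2.80 > 172.16.1.2.54769: Flags [S.], seq 2637141512, ack 2471859587, win 8190, options [mss 1460], length 0
18:42:19.022326 IP 172.16.1.2.54769 > 10.1.1.2.80: Flags [.], ack 1, win 64240, length 0
18:42:19.425546 IP 172.16.1.2.54769 > 10.1.1.2.80: Flags [P.], ack 1, win 64240, length 461
18:42:19.510902 IP 10.1.1.2.80 > 172.16.1.2.54769: Flags [.], ack 462, win 10649, length 0
18:42:20.101234 IP 172.16.1.9.40001 > 10.1.1.2.80: Flags [S], seq 1000, win 8192, options [mss 1460], length 0
"""

# One tcpdump TCP summary line. "seq" may be "seq N" (SYN) or "seq N:M" (data) and may be absent.
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<shost>\S+)\.(?P<sport>\d+) > (?P<dhost>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r", win (?P<win>\d+)"
    r"(?:, options \[[^\]]*\])?"
    r", length (?P<length>\d+)$"
)


def parse_line(line: str) -> dict:
    """Turn one tcpdump TCP line into a dict of fields; unknown line formats raise."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError("unparsed line: " + line)
    d = m.groupdict()
    for key in ("sport", "dport", "seq", "ack", "win", "length"):
        d[key] = int(d[key]) if d[key] is not None else None
    return d


def analyze(text: str) -> dict:
    """Group packets into flows keyed by (client, cport, server, sport) and walk the handshake.

    tcpdump prints absolute sequence numbers in the SYN and SYN-ACK and relative ones afterwards,
    so the SYN-ACK is checked against isn + 1 while the final ACK is checked against 1."""
    flows = {}
    for line in text.splitlines():
        p = parse_line(line)
        key = (p["shost"], p["sport"], p["dhost"], p["dport"])
        rkey = (p["dhost"], p["dport"], p["shost"], p["sport"])
        if p["flags"] == "S" and key not in flows:
            flows[key] = {"state": "syn_sent", "isn": p["seq"], "client_bytes_acked": 0}
        elif rkey in flows:  # server -> client
            f = flows[rkey]
            if p["flags"] == "S." and f["state"] == "syn_sent" and p["ack"] == f["isn"] + 1:
                f["state"] = "syn_received"
            elif "." in p["flags"] and f["state"] == "established" and p["ack"] is not None:
                f["client_bytes_acked"] = max(f["client_bytes_acked"], p["ack"] - 1)
        elif key in flows:  # client -> server after the SYN
            f = flows[key]
            if p["flags"] == "." and f["state"] == "syn_received" and p["ack"] == 1:
                f["state"] = "established"
    return flows


def half_open(text: str) -> list:
    """Flows where a SYN was seen but no handshake completed: a SYN-scan probe or a filtered port."""
    return [key for key, f in analyze(text).items() if f["state"] != "established"]


if __name__ == "__main__":
    for key, f in analyze(SAMPLE).items():
        print("%s:%d -> %s:%d  %s, %d client bytes acked" % (key + (f["state"], f["client_bytes_acked"])))
    print("half-open:", half_open(SAMPLE))
```

The same structure scales to a whole capture: feed it tcpdump -n output (the -n matters, since the regex expects numeric addresses) and the half-open list becomes a crude SYN-scan detector, while the per-flow byte count tells you how much of a request the server actually accepted.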
BPF Syntax Examples

Parameter | Description
host mailserver | Captures packets from or to the host mailserver
host mailserver and webserver | Captures packets between mailserver and webserver (the host keyword carries over to the second name)
tcp port 80 | Captures TCP packets to or from port 80
tcp port http | Captures TCP packets to or from port 80, or whatever port http maps to in the /etc/services file
icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply | Captures all ICMP packets that are not echo requests or replies (that is, not ping packets)
host 192.168.0.1 and \(192.168.0.2 or 192.168.0.3\) | Captures traffic between 192.168.0.1 and either 192.168.0.2 or 192.168.0.3

Note: The parentheses are escaped (using a backslash) to prevent misinterpretation by the shell. The simpler habit is to put the whole filter in single quotes, for example tcpdump -i eth0 'host 192.168.0.1 and (192.168.0.2 or 192.168.0.3)', which also protects the != and [] characters used in the ICMP example. Inside the parentheses the two bare addresses inherit the most recent keyword, so they are read as host 192.168.0.2 or host 192.168.0.3.

Tcpdump is a powerful utility with a great deal of potential. The tcpdump(1) and pcap-filter(7) manual pages are the authoritative references for the command-line options and the filter language, and many other resources provide more detailed examples.

Apr 17, 2018, by Himadri