Monday, June 20, 2011

Quick tcpdump tutorial

tcpdump is undoubtedly a Swiss army knife when debugging a complicated network issue.
This command line application includes dozens of features and allows you to monitor network traffic at a very detailed level.
Also, it may be your only option in situations where you don't have access to GUI based tools such as "wireshark" (formerly ethereal). Another plus is the huge popularity the tool has gained: almost every modern Linux distro supports it and comes with the tool installed.

In this short tutorial I will show some basic usage of this tool. Let's get busy:

The utility is "kind-of intuitive" in terms of usage; the general filter syntax goes like this:
  |protocol|  |direction|  |address|  |port|  |logical expression| 
Example #1:
#tcpdump 'tcp and dst host 10.1.1.1 and dst port 443 or tcp and dst host 10.1.1.20 and dst port 23'

In this command we are "sniffing" for traffic destined for host 10.1.1.1 with destination port 443 (https) or for host 10.1.1.20 with destination port 23 (telnet). Each primitive carries its own keyword (dst host, dst port), the two host/port pairs are joined with "or" because a single packet cannot be destined to both hosts at once, and the whole expression is quoted so the shell leaves it alone.

Example #2:
#tcpdump src 192.168.0.100 and port 80


Here we are "sniffing" for traffic coming from 192.168.0.100 and destined to port 80 (http).
Easy? However, these are just the basics... let's see some more advanced usage of this tool:
Example #3:
#tcpdump -i eth1 -A src 192.168.0.100 and port 80

In this example we are running the command on a machine with more than one NIC; the interface eth1 is selected for sniffing with -i eth1.
The -A flag prints the payload of each captured packet as ASCII text, which is useful for capturing web pages or text in general.


Example #4:
#tcpdump -e not port 22

In this example we are listening to all traffic except port 22 (ssh); the -e flag makes tcpdump print the link-level header (for Ethernet, the source and destination MAC addresses) on each dump line.
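As an added example (not code from the original post), the following POSIX shell script applies the syntax pattern from the start of the tutorial to rebuild the filters from examples #1, #2 and #4 with explicit host/port keywords, then compiles each one with tcpdump -d against an empty savefile so an expression can be checked for syntax errors without root and without a live interface. The capture_to_file function shows the -nn, -s 0 and -w flags used when saving traffic for later analysis; the interface name eth1, the temporary file names and the addresses are assumed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds tcpdump filter
# expressions from the pattern
#   |protocol| |direction| |address| |port| |logical expression|
# so every primitive carries its keyword, then checks the syntax by
# compiling the expression (tcpdump -d) against an empty pcap savefile.
# Interface name, file names and addresses are constructed for the example.

# prim DIR TYPE VALUE -> one primitive, e.g. "dst host 10.1.1.1".
# DIR may be empty: prim "" port 80 -> "port 80".
prim() {
    _dir=$1; _type=$2; _val=$3
    printf '%s' "${_dir:+$_dir }$_type $_val"
}

# join KEYWORD TERM... -> TERMs combined with KEYWORD (and/or). A term that
# is itself a compound expression is parenthesised so precedence is explicit.
join() {
    _kw=$1; shift
    _out=""
    for _t in "$@"; do
        case $_t in
            *" and "*|*" or "*) _t="($_t)" ;;
        esac
        [ -n "$_out" ] && _out="$_out $_kw "
        _out="$_out$_t"
    done
    printf '%s' "$_out"
}

# Write a 24-byte pcap global header (little-endian magic, version 2.4,
# snaplen 65535, link type 1 = Ethernet) with no packets: enough for
# "tcpdump -r FILE -d" to learn the link type and compile a filter.
write_empty_pcap() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1"
}

# check_filter EXPR -> 0 if tcpdump compiles EXPR, 1 on a syntax error,
# 2 if tcpdump is not installed. Needs no root: nothing is captured.
check_filter() {
    command -v tcpdump >/dev/null 2>&1 || return 2
    _pcap=${TMPDIR:-/tmp}/empty-$$.pcap
    write_empty_pcap "$_pcap"
    _rc=0
    tcpdump -r "$_pcap" -d "$1" >/dev/null 2>&1 || _rc=1
    rm -f "$_pcap"
    return "$_rc"
}

# capture_to_file IFACE FILE EXPR: save matching packets for offline analysis.
# -nn keeps addresses and ports numeric (no DNS or service lookups while
# capturing), -s 0 keeps whole packets, -w writes raw pcap instead of text.
# Needs root and a real NIC, so it is defined here but not run.
capture_to_file() {
    tcpdump -i "$1" -nn -s 0 -w "$2" "$3"
}

# The post's filters rebuilt with the helpers. Example #1 needs "or":
# no single packet is destined to two different hosts.
FILTER1=$(join or \
    "$(join and tcp "$(prim dst host 10.1.1.1)" "$(prim dst port 443)")" \
    "$(join and tcp "$(prim dst host 10.1.1.20)" "$(prim dst port 23)")")
FILTER2=$(join and "$(prim src host 192.168.0.100)" "$(prim "" port 80)")
FILTER4="not port 22"

for f in "$FILTER1" "$FILTER2" "$FILTER4"; do
    rc=0
    check_filter "$f" || rc=$?
    case $rc in
        0) echo "ok      : $f" ;;
        1) echo "invalid : $f" ;;
        *) echo "skipped (tcpdump not installed): $f" ;;
    esac
done
# Read a saved capture back with the same filter language, e.g.
#   tcpdump -nn -r capture.pcap "$FILTER2"
```

Running the script prints one line per filter; when tcpdump is installed each filter is reported as ok or invalid, otherwise as skipped. The same check_filter function can be pointed at any expression before it is used in a long-running capture, which is cheaper than discovering a typo after the capture window has passed.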


Well these were just some of the basics to get you "on-track"...
Happy sniffing ;)
