Tcpdump

Posted: 19 Jul 2011 — Security

Notable flags:

-i eth1       : Specify the interface
-c 10         : Limit capture to 10 packets
-s            : Snap length, how many bytes of the frame to capture
-v, -vv, -vvv : Level of verbosity
-n            : Don't resolve host names
-nn           : Don't resolve host names or port names
-S            : Display absolute sequence numbers
-e            : Display the Ethernet header
-q            : Display less protocol information
-E            : Decrypt IPSEC traffic using the supplied key
-X            : Display the packet payload in both hex and ASCII
-XX           : Same as -X, but includes the ethernet header

Basic decoded information: root@localhost:~# tcpdump -nnvvS

Full Ethernet frame using a full snaplen -s 1514: root@localhost:~# tcpdump -ennvvSXqs 1514 port 53

Capture to a file with -w: root@localhost:~# tcpdump -s 1514 port 53 -w capture_file

Grouping requires parenthesis: root@localhost:~# tcpdump ’dst 8.8.8.8 and (dst port 80 or 53)’

Dump each packet in ASCII using -A, or in HEX and ASCII using -XX tcpdump -nqtA -s 1514 port 5060

Capture using -n to print packet IP addresses, and not resolve the hostnames tcpdump -n -i eth0

One of the most important lessons I’ve learnt using tcpdump is that the interface ‘lo’ is virtual. Packets sent to the localhost interface are not treated in the same way as packets sent to non-localhost interfaces such as eth0 by the kernel. That said, tcpdump will helpfully display such packets as if they were normal.

The lesson is that packet injection to localhost will fail, but tcpdump will make it look as if it is not failing. Instead, injecting packets onto the localhost interface is best achieved using raw sockets.

See seclists.org for more information.

comments powered by Disqus