D0cEvil

tcpdump - howto

Sep 19th, 2022
#Basic communication
#Just see what's going on by looking at what is hitting your interface.
#Or capture on all interfaces with -i any (on Linux "any" uses the cooked capture format, so you won't get real
#Ethernet headers from it).

tcpdump -i eth0

#Filter expression building blocks:
#Types: host, net, and port (what kind of thing the identifier that follows refers to).
#Directions: src and dst (a bare host/net/port matches either direction).
#Protocols: tcp, udp, icmp, ip6, and many more.

#find traffic by ip
#One of the most common queries: using host, you can see traffic that's going to or from 1.1.1.1.

tcpdump host 1.1.1.1

#filtering by source and/or destination
#If you only want to see traffic in one direction or the other, use src and dst.

tcpdump src 1.1.1.1
tcpdump dst 1.0.0.1

#finding packets by network
#To find packets going to or from a particular network or subnet, use the net option with CIDR notation.
#You can combine this with src and dst as well (src net ..., dst net ...).

tcpdump net 1.2.3.0/24
#get packet contents with hex output
#Hex output is useful when you want to see the content of the packets in question, and it's best used once you
#have isolated a few candidates for closer scrutiny. -c 1 stops after the first matching packet.

tcpdump -c 1 -X icmp

#show traffic related to a specific port
#You can find specific port traffic by using the port option followed by the port number (or a service name
#from /etc/services).

tcpdump port 3389
tcpdump src port 1025

#show traffic of one protocol
#If you're looking for one particular kind of traffic, you can use tcp, udp, icmp, and many others as well.

tcpdump icmp

#show only ipv6 traffic
#You can also match all IPv6 traffic with the ip6 protocol qualifier (ip matches IPv4 only).

tcpdump ip6

#find traffic using port ranges
#You can also use a range of ports to find traffic.

tcpdump portrange 21-23

#find traffic based on packet size
#If you're looking for packets of a particular size you can filter on length. "less N" is shorthand for
#"len <= N" and "greater N" for "len >= N"; for any other comparison write len with a relational operator.
#Quote such expressions so the shell does not treat < or > as a redirection.

tcpdump less 32
tcpdump greater 64
tcpdump 'len <= 128'

#reading / writing captures to a file
#It's often useful to save packet captures into a file for later analysis. These files are known as PCAP
#("PEE-cap") files, and they can be processed by hundreds of different applications, including network
#analyzers, intrusion detection systems, and of course tcpdump itself. Here we're writing to a file called
#capture_file using the -w switch. Put options before the filter expression: everything after the options is
#parsed as the filter.

tcpdump -w capture_file port 80

#You can read PCAP files with the -r switch. All the regular filter expressions work while reading from a
#file; you're only limited by the fact that the file contains what was captured, and only up to the snaplen
#used at capture time. Add -n when reading a capture so tcpdump doesn't do a DNS lookup for every address.

tcpdump -r capture_file
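The PCAP container that -w writes and -r reads is simple enough to handle by hand. The following is an added example (Python, so it runs without root or a live interface); it is not part of the original paste. It writes constructed frames into the classic pcap format, truncating them to the snaplen the way tcpdump -s does, and parses the file back, detecting byte order from the magic number. The sample frame is constructed, not captured, and the timestamp is arbitrary.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4        # classic pcap, microsecond timestamps (nanosecond variant not handled)
LINKTYPE_ETHERNET = 1          # DLT_EN10MB: what 'tcpdump -i eth0 -w file' records
DEFAULT_SNAPLEN = 262144       # tcpdump's default snaplen on current versions

# Constructed sample frame (not a real capture): Ethernet / IPv4 / UDP, 42 bytes.
SAMPLE_FRAME = bytes.fromhex(
    "ffffffffffff" "001122334455" "0800"             # Ethernet: dst, src, type=IPv4
    "4500001c00010000401100000a0000010a000002"       # IPv4 header, 20 bytes, proto=UDP
    "0035003500080000"                               # UDP header, 53 -> 53, length 8
)

def write_pcap(packets, snaplen=DEFAULT_SNAPLEN, linktype=LINKTYPE_ETHERNET):
    """Serialize (timestamp, frame) pairs as a pcap file. Frames longer than
    snaplen are cut the way 'tcpdump -s' cuts them: incl_len < orig_len."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts, frame in packets:
        ts_sec = int(ts)
        ts_usec = int(round((ts - ts_sec) * 1_000_000))
        captured = frame[:snaplen]
        out += struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame))
        out += captured
    return bytes(out)

def read_pcap(data):
    """Parse a pcap blob into (linktype, snaplen, [(ts, captured_bytes, original_len), ...]).
    Byte order comes from the magic, so files written on big-endian hosts parse too."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):
        (magic,) = struct.unpack(endian + "I", data[:4])
        if magic == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a classic pcap file (magic %r)" % data[:4])
    _, major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if (major, minor) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (major, minor))
    records, pos = [], 24
    while pos < len(data):
        if pos + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % pos)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        if incl_len > snaplen or incl_len > orig_len or pos + incl_len > len(data):
            raise ValueError("corrupt record at offset %d" % (pos - 16))
        records.append((ts_sec + ts_usec / 1_000_000, data[pos:pos + incl_len], orig_len))
        pos += incl_len
    return linktype, snaplen, records

def roundtrip_demo():
    """Write the sample frame once whole and once under a 32-byte snaplen,
    then read both files back. Returns the two parsed results."""
    ts = 1663574400.5                                  # arbitrary constructed timestamp
    full = read_pcap(write_pcap([(ts, SAMPLE_FRAME)]))
    cut = read_pcap(write_pcap([(ts, SAMPLE_FRAME)], snaplen=32))
    return full, cut

if __name__ == "__main__":
    full, cut = roundtrip_demo()
    print("full capture:", len(full[2][0][1]), "of", full[2][0][2], "bytes")
    print("snaplen 32  :", len(cut[2][0][1]), "of", cut[2][0][2], "bytes")
```

The second file shows the capture-time limitation mentioned above: the record still reports the original length (42), but only 32 bytes are in the file, and no filter applied at -r time can recover the rest.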

#Advanced
#Now that we've seen what we can do with the basics through some examples, let's look at some more advanced stuff.

#More options
#Here are some additional ways to tweak how you call tcpdump.

#-X : Show the packet's contents in both hex and ASCII.
#-XX : Same as -X, but also shows the Ethernet header.
#-D : Show the list of available interfaces.
#-l : Line-buffered output (for viewing as you save, or piping to other commands).
#-q : Quick/quiet output: print less protocol information so lines are shorter.
#-t : Don't print a timestamp on each line.
#-tt : Print an unformatted timestamp (seconds since the Unix epoch).
#-tttt : Print the timestamp as a date and time (the most human-readable form).
#-i eth0 : Listen on the eth0 interface.
#-n : Don't resolve hostnames; -nn also leaves port numbers and protocol names unresolved.
#-vv : Verbose output (more v's gives more output).
#-c : Only get x number of packets and then stop.
#-s : Define the snaplength (size) of the capture in bytes. -s0 means capture whole packets; current tcpdump
#     already defaults to 262144 bytes, so -s0 only matters on old versions or after you set a smaller snaplen.
#-S : Print absolute rather than relative TCP sequence numbers.
#-e : Print the link-level (Ethernet) header as well.
#-E : Decrypt IPsec ESP traffic by providing the SPI, peer address, algorithm and key (spi@ipaddr algo:secret).

#Logical operators for combining primitives:
#AND: and or &&
#OR: or or ||
#NOT: not or !
#and binds tighter than or, so group with parentheses whenever you mix them.

#raw output view
#Use this combination to see verbose output with no resolution of hostnames or port numbers, absolute sequence
#numbers, and unformatted (epoch-seconds) timestamps.

tcpdump -ttnnvvS

#from specific ip and destined for a specific port
#Let's find all traffic from 10.5.2.3 going to any host on port 3389.

tcpdump -nnvvS src 10.5.2.3 and dst port 3389

#from one network to another
#Let's look for all traffic coming from 192.168.x.x and going to the 10.x or 172.16.x.x networks, showing hex
#output with no hostname resolution and one level of extra verbosity. Because and binds tighter than or, the two
#destination networks must be parenthesized (and the expression quoted so the shell leaves the parentheses
#alone); without the parentheses the filter reads as "src 192.168/16 and dst 10/8" OR "any packet to 172.16/16".

tcpdump -nvX 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or dst net 172.16.0.0/16)'

#non icmp traffic going to a specific ip
#This will show us all traffic going to 192.168.0.2 that is not ICMP.

tcpdump dst 192.168.0.2 and not icmp

#traffic from a host that isn't on a specific port
#This will show us all traffic from a host that isn't SSH traffic (assuming default port usage). A hostname in a
#filter is resolved once, when the filter is compiled, not per packet.

tcpdump -vv src mars and not dst port 22

#As you can see, you can build queries to find just about anything you need. The key is to first figure out
#precisely what you're looking for and then to build the syntax to isolate that specific type of traffic.

#Keep in mind that when you're building complex queries you will have to quote the expression. The single quotes
#stop the shell from interpreting special characters, in this case the "( )" parentheses, so tcpdump receives
#them as part of the filter. A qualifier carries over to the next identifier, so "dst port 3389 or 22" means
#"dst port 3389 or dst port 22"; the same grouping works with host, net, port, etc.

tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'
#isolate tcp flags
#You can also use filters to isolate packets with specific TCP flags set.

#tcp[13] is the byte at offset 13 in the TCP header, which holds the flags. Each flag is one bit of that byte:
#FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32. "tcp[13] & 4 != 0" masks out the RST bit and matches whenever it is
#set, whatever else is set. Newer tcpdump also accepts tcp[tcpflags] for the offset and tcp-rst, tcp-syn, ...
#for the bit values. Note that "==" compares the whole byte: "tcp[tcpflags] == tcp-rst" matches only packets
#with RST and nothing else set, while "tcp[tcpflags] & tcp-rst != 0" matches RST combined with any other flags.

#Isolate TCP RST flags.
tcpdump 'tcp[13] & 4 != 0'
tcpdump 'tcp[tcpflags] & tcp-rst != 0'

#Isolate TCP SYN flags (the exact comparison is useful here: it finds only the initial SYN of each connection).
tcpdump 'tcp[13] & 2 != 0'
tcpdump 'tcp[tcpflags] == tcp-syn'

#Isolate packets that have both the SYN and ACK flags set (18 = 16 + 2). This exact comparison matches SYN/ACK
#with no other flag; use "tcp[13] & 18 = 18" if you also want SYN/ACK segments carrying ECE or CWR.
tcpdump 'tcp[13] = 18'

#In the Flags field of tcpdump's output, SYN, FIN, RST, PSH and URG are printed as S, F, R, P and U, and ACK is
#printed as a dot, so "[S.]" is a SYN/ACK and "[P.]" is PSH/ACK.

#Isolate TCP URG flags.
tcpdump 'tcp[13] & 32 != 0'
tcpdump 'tcp[tcpflags] & tcp-urg != 0'

#Isolate TCP ACK flags.
tcpdump 'tcp[13] & 16 != 0'
tcpdump 'tcp[tcpflags] & tcp-ack != 0'

#Isolate TCP PSH flags.
tcpdump 'tcp[13] & 8 != 0'
tcpdump 'tcp[tcpflags] & tcp-psh != 0'

#Isolate TCP FIN flags.
tcpdump 'tcp[13] & 1 != 0'
tcpdump 'tcp[tcpflags] & tcp-fin != 0'
#Everyday Recipe Examples
#Because tcpdump can print packet content as ASCII (-A), you can use it to search for cleartext content with
#other command-line tools like grep. Now that we have the theory out of the way, here are a number of quick
#recipes you can use for catching various kinds of traffic.

#both syn and rst set (6 = 2 + 4; no normal TCP stack sends this combination, so it usually means a scanner)
tcpdump 'tcp[13] = 6'

#find http user agents
#The -l switch line-buffers the output so you see traffic as it's captured, which matters when piping to grep.
tcpdump -vvAls0 | grep 'User-Agent:'

#cleartext get requests
tcpdump -vvAls0 | grep 'GET'

#find http host headers
tcpdump -vvAls0 | grep 'Host:'

#find http cookies (grep -E is needed for the | alternation; plain grep treats | as a literal character)
tcpdump -vvAls0 | grep -E 'Set-Cookie|Host:|Cookie:'

#find ssh connections
#This one works regardless of the port, because it matches the "SSH-" version banner at the start of the TCP
#payload. tcp[12]>>2 is the TCP data offset in bytes (the header length), so tcp[(tcp[12]>>2):4] reads the first
#four payload bytes, and 0x5353482D is "SSH-" in ASCII.

tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'

#find dns traffic
tcpdump -vvAs0 port 53

#find ftp traffic (service names are looked up in /etc/services: ftp = 21, ftp-data = 20)
tcpdump -vvAs0 port ftp or ftp-data

#find ntp traffic
tcpdump -vvAs0 port 123

#find cleartext passwords
#Options go before the filter; grep -E -i -B5 prints the five lines before each match for context.
tcpdump -lA port http or port ftp or port smtp or port imap or port pop3 or port telnet | grep -E -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '

#find traffic with evil bit
#RFC 3514 (an April Fools' RFC) defines the high-order bit of the IPv4 flags field as the "evil bit", to be set
#by packets with malicious intent. It is the reserved bit that legitimate stacks leave at zero, so here's a fun
#filter to find packets where it has been set: ip[6] is the first byte of the flags/fragment-offset field and
#128 is its top bit.

tcpdump 'ip[6] & 128 != 0'
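The byte-offset filters above (the tcp[13] flag tests, the SSH banner match at tcp[(tcp[12]>>2):4], and the ip[6] evil bit) are easiest to understand when you can evaluate them against packets whose bytes you control. The following is an added example, not part of the original paste and not tcpdump's own code: it builds raw IPv4/TCP packets in Python (constructed, with checksums left at zero) and re-implements those filters as predicates, reproducing how libpcap resolves tcp[n] through the IP header length. It also shows the difference between the exact (==) and masked (&) flag comparisons discussed in the flags section. The packet names and the constructed SSH banner payload are illustrative.

```python
import struct

# TCP flag bit values, the numbers used by 'tcp[13] & N' (tcp-fin, tcp-syn, ... in newer tcpdump)
TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK, TH_URG = 1, 2, 4, 8, 16, 32

def build_ipv4_tcp(flags, payload=b"", ip_options=b"", tcp_options=b"", evil=False):
    """Construct a raw IPv4 packet carrying TCP (no link-layer header). Options
    are supported so that the header-length arithmetic in the filters is exercised.
    Checksums stay zero: none of the filters on the page look at them."""
    ip_options += b"\x00" * (-len(ip_options) % 4)       # headers are measured in 32-bit words
    tcp_options += b"\x00" * (-len(tcp_options) % 4)
    ihl = 5 + len(ip_options) // 4                         # IP header length in words (ip[0] & 0xf)
    doff = 5 + len(tcp_options) // 4                       # TCP data offset in words (tcp[12] >> 4)
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, doff << 4, flags, 65535, 0, 0) + tcp_options
    total = ihl * 4 + len(tcp_hdr) + len(payload)
    frag = 0x8000 if evil else 0                           # RFC 3514 evil bit = top bit of ip[6]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 1, frag, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    return ip_hdr + tcp_hdr + payload

def ip_byte(pkt, n):
    """ip[n]: byte n of the IPv4 header."""
    return pkt[n]

def tcp_base(pkt):
    """Where the TCP header starts. libpcap derives this from the IHL field,
    (ip[0] & 0xf) * 4, so tcp[n] stays correct when IP options are present."""
    return (pkt[0] & 0x0F) * 4

def tcp_byte(pkt, n):
    """tcp[n]: byte n of the TCP header."""
    return pkt[tcp_base(pkt) + n]

def tcp_bytes(pkt, offset, size):
    """tcp[offset:size]: 'size' bytes from TCP offset 'offset' as a big-endian integer.
    Reading past the end of the packet yields 0, so the comparison fails as in BPF."""
    start = tcp_base(pkt) + offset
    return int.from_bytes(pkt[start:start + size], "big")

# The page's filters, expressed as predicates over a packet.
def rst_set(pkt):        return tcp_byte(pkt, 13) & TH_RST != 0     # tcp[13] & 4 != 0
def only_syn(pkt):       return tcp_byte(pkt, 13) == TH_SYN          # tcp[tcpflags] == tcp-syn
def syn_ack_exact(pkt):  return tcp_byte(pkt, 13) == 18              # tcp[13] = 18
def syn_ack_masked(pkt): return tcp_byte(pkt, 13) & 18 == 18         # tcp[13] & 18 = 18
def syn_and_rst(pkt):    return tcp_byte(pkt, 13) == 6               # tcp[13] = 6
def ssh_banner(pkt):     # tcp[(tcp[12]>>2):4] = 0x5353482D  ("SSH-" as the first payload bytes)
    return tcp_bytes(pkt, tcp_byte(pkt, 12) >> 2, 4) == 0x5353482D
def evil_bit(pkt):       return ip_byte(pkt, 6) & 128 != 0           # ip[6] & 128 != 0

def demo():
    """Run every filter over a set of constructed packets; return the names of
    the packets each filter matches, so exact-vs-masked differences are visible."""
    pkts = {
        "syn":            build_ipv4_tcp(TH_SYN),
        "syn_ack":        build_ipv4_tcp(TH_SYN | TH_ACK),
        "syn_ack_ecn":    build_ipv4_tcp(TH_SYN | TH_ACK | 0x40),     # ECE also set (ECN negotiation)
        "rst_ack":        build_ipv4_tcp(TH_RST | TH_ACK),
        "syn_rst":        build_ipv4_tcp(TH_SYN | TH_RST),
        "ssh_banner_opt": build_ipv4_tcp(TH_PSH | TH_ACK, b"SSH-2.0-OpenSSH_9.3\r\n",   # constructed banner
                                         ip_options=b"\x01\x01",                         # two NOPs: IHL = 6
                                         tcp_options=b"\x01\x01\x08\x0a" + b"\x00" * 8), # NOP,NOP,timestamps
        "evil":           build_ipv4_tcp(TH_ACK, evil=True),
    }
    filters = {"rst_set": rst_set, "only_syn": only_syn, "syn_ack_exact": syn_ack_exact,
               "syn_ack_masked": syn_ack_masked, "syn_and_rst": syn_and_rst,
               "ssh_banner": ssh_banner, "evil_bit": evil_bit}
    return {name: sorted(p for p, pkt in pkts.items() if f(pkt)) for name, f in filters.items()}

if __name__ == "__main__":
    for name, matched in demo().items():
        print("%-15s %s" % (name, ", ".join(matched)))
```

Two things worth noticing in the output: syn_ack_exact misses the SYN/ACK that also carries ECE, which the masked form catches; and the SSH banner is found even though both the IP and TCP headers carry options, because tcp_base() and tcp[12]>>2 are computed from the headers rather than assumed to be 20 bytes.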
Tags: howto tcpdump