TCPDump Quick Intro Guide
By: magikh0e
http://www.IHTB.org

################
# 0x1 Contents #
################

  I    WTF is tcpdump & why would I use it
  II   TCPDump Explained
         Usage
         Basic Usage Examples
  III  Expressions
         Expression Usage
         Advanced Expressions
         Advanced Expression Usage
  IIII TCP flags & expressions oh my

------------------------------------------------.
 0xI WTF is tcpdump & why would I use it.      /
-----------------------------------------------'

Tcpdump is a command-line network debugging tool. It lets the user capture
and display TCP/IP and other packets being transmitted or received on a
network the computer is attached to. It was originally written by Van
Jacobson, Craig Leres and Steven McCanne, who were at the time working in
the Lawrence Berkeley Laboratory Network Research Group.

Tcpdump works on most Unix-like platforms: Linux, Solaris, BSD, Mac OS X,
HP-UX and AIX among others. On those systems tcpdump is built on the
libpcap packet capture library. On Windows the tcpdump equivalent is
called WinDump; it needs WinPcap (or Npcap, WinPcap's maintained
successor).

- Ok cool, so why would you use it:

  * to debug applications you are writing that use the network for
    communication
  * to debug the network setup itself, by determining whether all
    necessary routing is or is not occurring properly, allowing you to
    further isolate the source of a problem
  * to intercept and display the communications of another user or
    computer. Some protocols, such as telnet and HTTP, transmit
    information unencrypted over the network. Anyone who controls a
    router or gateway through which other computers' unencrypted traffic
    passes can use tcpdump to view login IDs, passwords, the URLs and
    content of websites being viewed, or any other information. (Opening
    a capture interface needs root or equivalent privilege, which is the
    only thing standing between a local user and everyone else's
    plaintext.)
  * to stream packets from any machine with tcpdump and SSH to a machine
    running OmniPeek or EtherPeek with the TCPDump Remote Adapter.
    The TCPDump Remote Adapter is freely available at
    http://www.omnipeek.com

------------------------------.
 0xII TCPDump Explained      /
-----------------------------'

Usage: tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [ -C file_size ]
               [ -E algo:secret ] [ -F file ] [ -i interface ]
               [ -M secret ] [ -r file ] [ -s snaplen ] [ -T type ]
               [ -w file ] [ -W filecount ] [ -y datalinktype ]
               [ -Z user ] [ 'expression' ]

  -c count       Exit after capturing count packets
  -e             Display the data-link (Ethernet) header
  -F file        Read the filter expression from file
  -i interface   Listen on the specified interface only
  -n             Don't resolve IP addresses to DNS names
  -nn            Don't resolve DNS names or port names
  -r file        Read packets from file instead of the wire
  -s snaplen     Capture snaplen bytes of each packet
  -S             Print absolute TCP sequence numbers
  -t             No timestamp
  -v, -vv, -vvv  Verbosity (can be used multiple times for more detail)
  -w file        Write captured packets to file (raw pcap, not text)
  -x             Display packets in hex
  -X             Display packets in hex & ASCII
  -Z user        Drop root privileges to user once the capture device
                 is open

Running tcpdump by itself will begin recording traffic seen on the wire
and printing it to the screen. Old versions of tcpdump only capture the
first 68 bytes of each packet by default (later 96 bytes, which is what
the "capture size 96 bytes" in the example below is); since tcpdump 4.0
the default is the whole packet. If you want more than the default, use
the -s SIZE option. SIZE is a number of bytes; -s0 captures the ENTIRE
packet. A size of 1514 covers a full untagged Ethernet frame (1500 bytes
of payload plus the 14-byte header); add 4 for 802.1Q VLAN tags. If you
are writing a capture to disk with -w to look at payloads later, use -s0,
a truncated packet cannot be un-truncated afterwards. See example below:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:42:49.861865 IP t0peka.ssh > 192.168.2.20.34069: P 1681019935:1681020051(116) ack 541908079 win 12236
12:42:50.211371 IP t0peka.ssh > 192.168.2.20.34069: P 116:232(116) ack 1 win 12236
12:42:49.862004 IP 192.168.2.20.34069 > t0peka.ssh: . ack 232 win 64819
12:42:49.907619 IP t0peka.22931 > cumin.apnic.net.domain: 17249 A? blackhole-2.iana.org. (38)
12:42:50.177954 IP cumin.apnic.net.domain > t0peka.22931: 17249*- 1/0/0 A blackhole-2.iana.org (54)
12:42:50.178055 IP t0peka.11585 > blackhole-1.iana.org.domain: 32216 PTR? 20.2.168.192.in-addr.arpa. (43)
12:42:50.210992 IP blackhole-1.iana.org.domain > t0peka.11585: 32216 NXDomain*- 0/1/0 (98)
12:42:50.211649 IP t0peka.ssh > 192.168.2.20.34069: P 232:540(308) ack 1 win 12236
12:42:50.211916 IP t0peka.8280 > g.gtld-servers.net.domain: 20004 A? NS3.APNIC.NET. (31)

Each line is: timestamp, protocol, source.port > destination.port: and
the protocol-specific details (here TCP flags, sequence numbers and
window, or the DNS query and answer). Look at the PTR? query for
20.2.168.192.in-addr.arpa. in that capture: it is not traffic you were
looking for, it is tcpdump itself doing reverse DNS lookups to print
names, and the lookup for a private address ended up at the IANA
blackhole servers. Name resolution slows the capture down and tells the
outside world which addresses you are watching, so run with -n (or -nn)
unless you really want names.

Basic Usage Examples:

  View basic network communication
    tcpdump -nS
    (Don't resolve DNS names, print absolute sequence numbers)

  View basic network communication, with added verbosity
    tcpdump -nnvvS
    (Don't resolve DNS or port names, be more verbose when printing info,
    print absolute sequence numbers)

  View network communication payloads in hex
    tcpdump -nnvvXS
    (Same as above, but also print each packet's payload in hex and ASCII)

  View detailed packet information
    tcpdump -nnvvXSs 1514
    (Same as above, this time capturing 1514 bytes of each packet with
    -s 1514)

As you can see, running the above on a busy network produces loads of
output, which can be close to impossible to interpret as-is. Tcpdump has
a wonderful thing called 'expressions'. Using expressions we can drop all
of the traffic we do not wish to see and view exactly what we are looking
for.

--------------------------------------.
 0xIII TCPDump Expressions:          /
------------------------------------'

The true network ninja will have mastered these expressions to unleash
the true power of tcpdump. A tcpdump filter expression is built from
primitives. Each primitive is an identifier (an address, a name, a
network or a port number) preceded by up to three kinds of qualifier:
type, dir and proto.

  type   says what the identifier is: host, net or port
  dir    says the direction: src, dst, src or dst (assumed when no dir
         is given) or src and dst
  proto  restricts the match to one protocol: tcp, udp, icmp, ip, ip6,
         arp, ether and so on (with no proto, every protocol that makes
         sense for the type is matched)

Below are some examples of using each of these.

host - Matches traffic to or from the given IP address. This can also be
       a DNS name; the name is resolved once, when the filter is
       compiled, regardless of -n (which only affects how output is
       printed).

       tcpdump host 192.168.1.1

src, dst - Match traffic from a specific source or to a specific
       destination.
       tcpdump src 192.168.1.2
       tcpdump dst 192.168.1.3

net - Matches traffic to or from an entire CIDR range.

       tcpdump net 192.168.1.0/24

proto - Matches only the protocol specified. You do not type the word
       "proto"; the protocol name is the primitive by itself.

       tcpdump tcp
       tcpdump udp
       tcpdump icmp

port - Matches traffic to or from the specified port. Ports can be given
       by name (looked up in /etc/services) or by number.

       tcpdump port 22
       tcpdump port ssh

src port, dst port - Match on the source or destination port only.

       tcpdump src port 1025
       tcpdump dst port 22

As you can see, tcpdump expressions are fairly powerful for breaking down
the types of traffic we would like to see. Now we will look into the
real fun that lies within tcpdump. Tcpdump lets you combine these
expressions to get even more detailed and specific information about the
traffic on the wire. Three logical operators are available; if you are a
c0de m0nkey these will be nothing new, move along...

###
## Tcpdump Advanced Expressions:
###

  1. AND           - and, &&
  2. OR            - or,  ||
  3. NOT (negate)  - not, !

Two things to know before combining them. 'not' binds tightest; 'and' and
'or' have equal precedence and are evaluated left to right, so use
parentheses to group, and quote the whole expression so the shell does
not eat the parentheses. And an identifier given without a keyword
inherits the most recent keyword: "host a or b" means "host a or host
b", and "src net x and dst net y or z" means "... or dst net z".

Kick ass!, lets capture some network traffic!
###
## Advanced Expression Usage:
###

Capture TCP traffic to SSH (port 22) from the host 192.168.2.20, stopping
after 2 packets:

  tcpdump -nnvvSc 2 tcp and src 192.168.2.20 and dst port ssh

  tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
  16:17:33.917187 IP (tos 0x0, ttl 128, id 55757, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.2.20.34069 > 192.168.2.51.22: ., cksum 0x9c8f (correct), 541916307:541916307(0) ack 1681034071 win 64535

Capture TCP traffic from the host 192.168.2.20 that is not to SSH
(port 22):

  tcpdump -vv tcp and src 192.168.2.20 and not dst port 22

Capture TCP traffic coming from 192.168.2.0/24 going to 192.168.1.0/24:

  tcpdump -nvX tcp and src net 192.168.2.0/24 and dst net 192.168.1.0/24

Capture TCP traffic coming from 192.168.2.0/24 going to 192.168.1.0/24 or
192.168.3.0/24. The 'or' has to be grouped: written without parentheses,
"src net 192.168.2.0/24 and dst net 192.168.1.0/24 or 192.168.3.0/24" is
read as "(src net 192.168.2.0/24 and dst net 192.168.1.0/24) or dst net
192.168.3.0/24", which also matches traffic to 192.168.3.0/24 from
anywhere. Quote the expression so the shell leaves the parentheses alone:

  tcpdump -nvX 'tcp and src net 192.168.2.0/24 and (dst net 192.168.1.0/24 or dst net 192.168.3.0/24)'

-----------------------------------------.
 0xIIII TCP flags & expressions oh my..  /
-----------------------------------------'

Using tcpdump to capture packets with specific TCP flags set.

The flags live in byte 13 of the TCP header (counting from 0), so
'tcp[13]' reads that byte and a bitwise & picks out one flag.
Remembering all of the TCP flags is quite simple. Here is an easy
mnemonic I found online for the six classic flags, high bit first:

############################################################
###    Unskilled Attackers Pester Real Security Folks    ###
###      URG      ACK      PSH    RST  SYN      FIN      ###
###       32       16       8      4    2        1       ###
############################################################

(The two bits above URG, CWR = 128 and ECE = 64, are used by ECN.)

  URG:          tcpdump 'tcp[13] & 32 != 0'
  ACK:          tcpdump 'tcp[13] & 16 != 0'
  PSH:          tcpdump 'tcp[13] & 8 != 0'
  RST:          tcpdump 'tcp[13] & 4 != 0'
  SYN:          tcpdump 'tcp[13] & 2 != 0'
  FIN:          tcpdump 'tcp[13] & 1 != 0'
  IPv6:         tcpdump ip6
  SYN-ACK:      tcpdump 'tcp[13] = 18'
  SYN and RST:  tcpdump 'tcp[13] = 6'
  Evil Bit:     tcpdump 'ip[6] & 128 != 0'

Mind the difference between '& X != 0' (the flag is set, whatever else
is set too) and '= X' (exactly those flags and nothing else).
'tcp[13] = 18' misses the SYN-ACK of an ECN-capable host, which also has
ECE set (byte value 82); 'tcp[13] & 18 = 18' catches both. Newer tcpdump
also accepts the names tcp-urg, tcp-ack, tcp-push, tcp-rst, tcp-syn and
tcp-fin and the offset tcpflags, e.g.
'tcp[tcpflags] & (tcp-syn|tcp-ack) = (tcp-syn|tcp-ack)'. The pcap-filter
man page notes that tcp[...] index expressions apply to IPv4 only. The
"evil bit" is the reserved high bit of the IP flags byte (RFC 3514, an
April Fools RFC), so that last filter really does match packets with a
reserved bit set; nothing legitimate should send one.
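The table above hard-codes the bit values. As an added example (mine, not from the original guide), here is a small POSIX shell helper that builds these filters from flag names and makes the three different questions explicit: is a flag set at all, are all of these flags set, or are exactly these flags set. The only assumption is the standard layout of the TCP flags byte given above; the null-scan and Xmas-scan filters at the end go beyond the table, they are the nmap-style flag combinations no normal stack sends.

```shell
#!/bin/sh
# Added example (not from the original guide): build tcpdump TCP-flag
# filters from flag names instead of remembering the bit values.
# Only assumption is the layout of the TCP flags byte, tcp[13]:
#   CWR=128 ECE=64 URG=32 ACK=16 PSH=8 RST=4 SYN=2 FIN=1

# Bit value of a single flag name; fails on anything unknown.
tcp_flag_bit() {
    case "$1" in
        FIN|fin) echo 1 ;;
        SYN|syn) echo 2 ;;
        RST|rst) echo 4 ;;
        PSH|psh) echo 8 ;;
        ACK|ack) echo 16 ;;
        URG|urg) echo 32 ;;
        ECE|ece) echo 64 ;;
        CWR|cwr) echo 128 ;;
        *) echo "unknown TCP flag: $1" >&2; return 1 ;;
    esac
}

# OR together the bits of every flag given: "SYN ACK" -> 18.
tcp_flag_mask() {
    mask=0
    for flag in "$@"; do
        bit=$(tcp_flag_bit "$flag") || return 1
        mask=$((mask | bit))
    done
    echo "$mask"
}

# "any": at least one of the flags is set, e.g. every packet carrying RST.
tcp_filter_any() {
    mask=$(tcp_flag_mask "$@") || return 1
    echo "tcp[13] & $mask != 0"
}

# "all": every listed flag is set, other bits don't matter. This is the
# right way to ask for SYN-ACK: it still matches when ECE is set.
tcp_filter_all() {
    mask=$(tcp_flag_mask "$@") || return 1
    echo "tcp[13] & $mask = $mask"
}

# "only": exactly these among the six classic flags and no others, with
# the ECN bits (CWR, ECE) masked off so a bare SYN from an ECN-capable
# host (flags byte 0xc2) still counts as "only SYN".
tcp_filter_only() {
    mask=$(tcp_flag_mask "$@") || return 1
    echo "tcp[13] & 0x3f = $mask"
}

# nmap-style probes: a null scan has no flags at all, an Xmas scan has
# FIN+PSH+URG lit up together. Neither is produced by a normal TCP stack.
tcp_filter_null_scan() { echo "tcp[13] & 0x3f = 0"; }
tcp_filter_xmas_scan() { tcp_filter_all FIN PSH URG; }

# Usage on a live box (needs root). Quote the result: the filter contains
# spaces and '[', which the shell would otherwise split and glob.
#   tcpdump -nn -i eth0 "$(tcp_filter_all SYN ACK)"
#   tcpdump -nn -i eth0 "$(tcp_filter_xmas_scan)"
```

The integer constants the helper emits are accepted verbatim by tcpdump's filter parser (decimal and 0x hex, same as the '32', '18' and '6' used in the table), so the output can be pasted straight into a command line or a -F file.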
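One more added example, this one for the one-line output format shown back in section 0xII (timestamp, protocol, src.port > dst.port: details). It is mine, not from the original guide: a POSIX shell/awk script that boils a capture down to conversations and counts distinct destination ports per source host, the quickest way to spot a scanner in a pile of -nn output. The sample capture inside it is constructed in tcpdump 4.x "Flags [S]" format with RFC 1918 and RFC 5737 documentation addresses, not a real capture, and the script assumes the default line layout (no -e, which would put link-layer fields first, and no -t, which would drop the timestamp field it skips over).

```shell
#!/bin/sh
# Added example (not from the original guide): post-process tcpdump's
# one-line output. Assumes the default line layout without -e or -t:
#   <time> IP <src>.<sport> > <dst>.<dport>: <rest>
# The port is glued onto the address with a dot, so split on the LAST
# dot; that works for dotted quads, hostnames (without -nn) and IPv6 (IP6).

# Constructed sample of "tcpdump -nn" output, not a real capture.
sample_capture() {
    cat <<'EOF'
12:42:49.861865 IP 192.168.2.51.22 > 192.168.2.20.34069: Flags [P.], seq 1:117, ack 1, win 12236, length 116
12:42:49.862004 IP 192.168.2.20.34069 > 192.168.2.51.22: Flags [.], ack 117, win 64819, length 0
12:42:49.907619 IP 192.168.2.51.22931 > 198.51.100.53.53: 17249 A? blackhole-2.iana.org. (38)
12:42:50.177954 IP 198.51.100.53.53 > 192.168.2.51.22931: 17249 1/0/0 A 192.0.2.10 (54)
12:42:50.211371 IP 192.168.2.51.22 > 192.168.2.20.34069: Flags [P.], seq 117:233, ack 1, win 12236, length 116
12:42:51.000100 IP 192.168.2.77.51000 > 192.168.2.51.23: Flags [S], seq 1000, win 1024, length 0
12:42:51.000200 IP 192.168.2.77.51001 > 192.168.2.51.25: Flags [S], seq 1001, win 1024, length 0
12:42:51.000300 IP 192.168.2.77.51002 > 192.168.2.51.80: Flags [S], seq 1002, win 1024, length 0
12:42:51.100000 ARP, Request who-has 192.168.2.51 tell 192.168.2.77, length 28
EOF
}

# Packets per (source host -> destination host:port), busiest first.
# The source port is dropped on purpose: it is ephemeral and would split
# one conversation into many lines. Non-IP lines (ARP etc.) are skipped.
summarize_flows() {
    awk '$2 == "IP" || $2 == "IP6" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        dport = dst; sub(/.*\./, "", dport)      # text after the last dot
        sub(/\.[^.]*$/, "", src)                 # strip ".port" from src
        sub(/\.[^.]*$/, "", dst)                 # and from dst
        count[src " -> " dst ":" dport]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2
}

# Distinct destination ports per source host. One source fanning out
# across many ports is the signature of a port scan.
ports_per_source() {
    awk '$2 == "IP" || $2 == "IP6" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        dport = dst; sub(/.*\./, "", dport)
        sub(/\.[^.]*$/, "", src)
        seen[src, dport] = 1
    }
    END {
        for (k in seen) { split(k, p, SUBSEP); ports[p[1]]++ }
        for (s in ports) print ports[s], s
    }' | sort -k1,1nr -k2
}

# Offline demo:   sample_capture | summarize_flows
#                 sample_capture | ports_per_source
# Live (as root): tcpdump -nn -i eth0 -c 1000 tcp | ports_per_source
# From a file:    tcpdump -nn -r capture.pcap | summarize_flows
```

Reading from a -w file with -r and piping into these functions is the usual workflow: capture with -s0 once, then ask as many questions of the file as you like without touching the wire again.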