`Tcpdump` Recipes

Tcpdump is the premier network analysis tool for information security and networking enthusiasts and/or professionals. In my own primer I cover tcpdump basics; if you're interested in becoming familiar with the application via an introduction, I suggest you check it out first.

Here I'm simply going to give a number of recipes that you're likely to find useful during your day to day activities. They will range from common, general captures to complex filters designed to look for a number of unique traffic types.

Basics

Below are a few options you can use when invoking tcpdump in order to control the output. The examples given will be in the basic form of tcpdump $recipe, so remember to add your own options as needed.

Basic communication // see the basics without many options
# tcpdump -nS
Basic communication (very verbose) // see a good amount of traffic, with verbosity and no name help
# tcpdump -nnvvS
A deeper look at the traffic // adds -X for payload but doesn't grab any more of the packet
# tcpdump -nnvvXS
Heavy packet viewing // the final "s" increases the snaplength, grabbing the whole packet
# tcpdump -nnvvXSs 1514

Recipes

host // look for traffic based on IP address (also works with hostname if you're not using -n)
# tcpdump host 1.2.3.4
src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)
# tcpdump src 2.3.4.5
# tcpdump dst 3.4.5.6
net // capture an entire network using CIDR notation
# tcpdump net 1.2.3.0/24
proto // works for tcp, udp, and icmp. Note that you don't have to type proto
# tcpdump icmp
port // see only traffic to or from a certain port
# tcpdump port 3389
src, dst port // filter based on the source or destination port
# tcpdump src port 1025
# tcpdump dst port 3389

Combinations

TCP traffic from 10.5.2.3 destined for port 3389:
# tcpdump tcp and src 10.5.2.3 and dst port 3389

Traffic originating from the 192.168 network headed for the 10 or 172.16 networks:
# tcpdump src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16

Non-ICMP traffic destined for 192.168.0.2 from the 172.16 network:
# tcpdump dst 192.168.0.2 and src net 172.16.0.0/16 and not icmp

Traffic originating from Mars or Pluto that isn't to the SSH port:
# tcpdump -vv src mars or pluto and not dst port 22

Traffic that's from 10.0.2.4 AND destined for ports 3389 or 22:
# tcpdump 'src 10.0.2.4 and $dst port 3389 or 22$'

Advanced filters can help with troubleshooting and can reveal anomalous traffic on a network that would normally go unnoticed.

Finding Flags

*Hint: Unskilled Attackers Pester Real Security Folk

Show me all URG packets:
# tcpdump 'tcp[13] & 32 != 0'

Show me all ACK packets:
# tcpdump 'tcp[13] & 16 != 0'

Show me all PSH packets:
# tcpdump 'tcp[13] & 8 != 0'

Show me all RST packets:
# tcpdump 'tcp[13] & 4 != 0'

Show me all SYN packets:
# tcpdump 'tcp[13] & 2 != 0'

Show me all FIN packets:
# tcpdump 'tcp[13] & 1 != 0'

Show me all SYN-ACK packets:
# tcpdump 'tcp[13] = 18'

Specialized Traffic

Display all IPv6 Traffic:

# tcpdump ip6
Show all traffic with both SYN and RST flags set: (should never happen)

# tcpdump 'tcp[13] = 6'
Show all traffic with the "evil bit" set:

# tcpdump 'ip[6] & 128 != 0'

My Tcpdump Primer
http://dmiessler.com/study/tcpdump/

How To Remember Your TCP Flags
http://dmiessler.com/study/tcpflags/

Not All SYN Packets Are Created Equal
http://dmiessler.com/study/synpackets/

References

Tcpdump Manual Page
http://www.tcpdump.org/tcpdump_man.html