TechRepublic : A ZDNet Tech Community

IT Security

Host: Chad Perrin

The tcpdump tool is powerful and flexible, but compared with graphical tools like Wireshark its effective use may appear to be a dark art. It really isn’t that difficult to use once you pick up the basics, though.


The tcpdump tool is an old mainstay of network debugging and security monitoring, and security experts all over the world swear by its usefulness. It is a command line tool that eschews all the makeup and jewelry of other traffic analysis tools such as Ettercap and Wireshark, both of which provide packet sniffing functionality with a convenient captive interface. In contrast to such tools, tcpdump takes a command at the shell, with options specified at that time, and dumps the results to standard output. This may seem primitive to some users, but it provides power and flexibility that isn’t available with the common captive interface alternatives.

Options

The tcpdump utility provides dozens of options, but I’ll just cover a few of them here:

  • -A: Print each packet in ASCII.
  • -c N: Where the letter N is a number, this option tells tcpdump to exit after N packets.
  • -i interface: Capture packets on the specified network interface.
  • -n: Don’t resolve addresses to names.
  • -q: Provide less verbose (“quiet”) output so output lines are shorter.
  • -r filename: Read packets from the specified file rather than a network interface. This is usually used after raw packets have been logged to a file with the -w option.
  • -t: Don’t print a timestamp on each line of output.
  • -v: Provide more verbose output. Verbosity can be increased more with -vv, and even more than that with -vvv.
  • -w filename: Write raw packets to the specified file.

Expressions

The tcpdump utility also supports command-line expressions, used to define filtering rules so that you get exactly the traffic you want to see, ignoring “uninteresting” packets. Expressions consist of a number of primitives and, optionally, modifier terms. The following primitives and modifiers do not constitute a comprehensive list, but they are among the most commonly useful.

Primitives

  • dst foo: Specify an address or hostname to limit captured packets to traffic sent to a particular host.
  • host foo: Specify an address or hostname to limit captured packets to traffic to and from a particular host.
  • net foo: Specify a network or network segment using CIDR notation to limit packet capture.
  • proto foo: Specify a protocol to limit captured packets to network traffic using that protocol.
  • src foo: Specify an address or hostname to limit captured packets to traffic sent by a particular host.

Modifiers

  • and: Use this to chain together primitives when you want to limit captured packets to those that meet the requirements of the expressions on both sides of the and.
  • not: Use this modifier just before a primitive when you want to limit captured packets to those that do not meet the requirements of the following expression.
  • or: Use this to chain together primitives when you want to limit captured packets to those that meet the requirements of one or more of the expressions on either side of the or.

Examples

All of these options and expression primitives and modifiers, along with others listed in the tcpdump manpage, can be used to construct very specific commands that produce very precise output.

  • tcpdump -c 50 dst foo can give you information that may help identify the source of heavy incoming traffic targeting an overloaded server with hostname “foo”, dumping the first 50 packets as output.
  • tcpdump -c 500 -w `date +"%Y%j%T"`.log dumps 500 packets to a file named with a current time/date stamp (e.g. 200820715:16:31.log) so that they can later be filtered according to the information you want to see. I have the command date +"%Y%j%T" aliased to stamp in my shell’s rc file, so I can shorten a command like this to tcpdump -c 500 -w `stamp`.log, saving me from having to remember all the formatting options for the date command off the top of my head.
  • tcpdump port 22 src or dst foo and src and dst not bar produces ongoing output that shows all port 22 (presumably SSH protocol) activity originating from or targeting host “foo” unless it is originating from or targeting host “bar”. If foo is only supposed to be accessed via SSH by bar, this command will allow ongoing monitoring of unauthorized SSH traffic to and from foo. You could even start a number of persistent monitoring processes with tcpdump like this within a tmux session on a dedicated monitoring server.
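The first and third examples above both end with a screen full of tcpdump lines that still have to be read. The following Python script is an added example, not part of the original post: it parses the text tcpdump prints with -n -t, counts which sources are sending the most packets to a destination (the overloaded-server case), and reports any host other than the one authorized client exchanging port 22 traffic with a monitored server (the foo/bar case). The sample lines and addresses are constructed (documentation ranges), and only the "IP src.port > dst.port:" prefix of each line is relied on, so -q output and the older flag syntax parse the same way.

```python
import re
from collections import Counter

# Only the "IP src.port > dst.port:" prefix printed with -n -t is matched, so
# the rest of the line (TCP flags, seq numbers, or the short -q form) is ignored.
LINE_RE = re.compile(r"^IP6? (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+):")

# Constructed sample output on documentation address ranges: 198.51.100.10 is the
# monitored server and 203.0.113.7 its only authorized SSH client.
SAMPLE = """\
IP 203.0.113.7.51514 > 198.51.100.10.22: Flags [S], seq 1, win 64240, length 0
IP 198.51.100.10.22 > 203.0.113.7.51514: Flags [S.], seq 0, ack 2, win 65160, length 0
IP 203.0.113.7.51514 > 198.51.100.10.22: Flags [.], ack 1, win 502, length 0
IP 192.0.2.44.40022 > 198.51.100.10.22: Flags [S], seq 1, win 64240, length 0
IP 198.51.100.10.22 > 192.0.2.44.40022: Flags [R.], seq 0, ack 2, win 0, length 0
IP 192.0.2.44.40023 > 198.51.100.10.22: tcp 0
IP 203.0.113.9.33001 > 198.51.100.10.80: tcp 0
IP 192.0.2.44.40024 > 198.51.100.10.80: tcp 0
listening on eth0, link-type EN10MB (Ethernet)
"""

def parse_line(line):
    """Endpoints of one packet line, or None for banners and other non-packet text."""
    m = LINE_RE.match(line)
    return m and {"src": m["src"], "sport": int(m["sport"]),
                  "dst": m["dst"], "dport": int(m["dport"])}

def top_sources(lines, dst, n=5):
    """Packets per source address sent to dst: the follow-up to 'tcpdump -c 50 dst foo'
    when looking for who is hammering an overloaded server."""
    counts = Counter(p["src"] for p in filter(None, map(parse_line, lines))
                     if p["dst"] == dst)
    return counts.most_common(n)

def unauthorized_ssh_peers(lines, monitored, allowed, port=22):
    """Packets on `port` between `monitored` and any host other than `allowed`, in
    either direction: the 'foo may only be reached over SSH from bar' check."""
    peers = Counter()
    for p in filter(None, map(parse_line, lines)):
        if p["dst"] == monitored and p["dport"] == port:
            peer = p["src"]          # inbound: the sender is the peer
        elif p["src"] == monitored and p["sport"] == port:
            peer = p["dst"]          # outbound reply: the receiver is the peer
        else:
            continue                 # not port 22 traffic of the monitored host
        if peer != allowed:
            peers[peer] += 1
    return peers
```

Feed it real data by capturing with -w and replaying with tcpdump -n -t -r, then passing the output's splitlines() to either function.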

As you can no doubt see, tcpdump’s expressions capabilities are roughly equivalent to a simple domain specific programming language that is extremely easy to understand. With that kind of power and flexibility at my fingertips, there’s little need to use anything else for general traffic analysis tasks.

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.
