TCPdump is a very powerful command line interface packet sniffer
| url: | http://openmaniak.com/tcpdump.php |
|---|---|
It must be launched as root or with superuser rights, because it puts the network device into promiscuous mode and needs sufficient privileges on that device or on a raw socket.
Wireshark (formerly Ethereal) can be used as an alternative to TCPdump, with a graphical interface. Wireshark can also read the capture files written by TCPdump.
1. TCPDUMP DOWNLOAD
2. TCPDUMP USE
- TCPDUMP DOWNLOAD
To download TCPdump:
```
#apt-get install tcpdump
```
To see the TCPdump dependencies:
```
#apt-cache depends tcpdump
tcpdump
  Depends: libc6
  Depends: libpcap0.8
  Depends: libssl0.9.8
```
To see the installed TCPdump version:
```
#apt-cache policy tcpdump
tcpdump:
  Installed: 3.9.4-2ubuntu0.1
  Candidate: 3.9.4-2ubuntu0.1
  Version table:
 *** 3.9.4-2ubuntu0.1 0
        500 http://security.ubuntu.com dapper-security/main Packages
        100 /var/lib/dpkg/status
     3.9.4-2 0
        500 http://ch.archive.ubuntu.com dapper/main Packages
```
- TCPDUMP USE
To display the standard TCPdump output:
```
#tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
21:57:29.004426 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
21:57:31.228013 arp who-has 192.168.1.2 tell 192.168.1.1
21:57:31.228020 arp reply 192.168.1.2 is-at 00:04:75:22:22:22 (oui Unknown)
21:57:38.035382 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
21:57:38.613206 IP valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36
```
To display the verbose output:
```
#tcpdump -v
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:00:11.625995 IP (tos 0x0, ttl 128, id 30917, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:00:20.691903 IP (tos 0x0, ttl 128, id 31026, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:00:21.230970 IP (tos 0x0, ttl 114, id 4373, offset 0, flags [none], proto: UDP (17), length: 64) valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36
22:00:26.201715 arp who-has 192.168.1.2 tell 192.168.1.1
22:00:26.201726 arp reply 192.168.1.2 is-at 00:04:11:11:11:11 (oui Unknown)
22:00:29.706020 IP (tos 0x0, ttl 128, id 31133, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:00:38.751355 IP (tos 0x0, ttl 128, id 31256, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
```
Network interfaces available for the capture:
```
#tcpdump -D
1.eth0
2.any (Pseudo-device that captures on all interfaces)
3.lo
```
To display numerical addresses rather than symbolic (DNS) addresses:
```
#tcpdump -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:02:36.111595 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53
22:02:36.669853 IP 68.142.64.164.27014 > 192.168.1.2.1034: UDP, length 36
22:02:41.702977 arp who-has 192.168.1.2 tell 192.168.1.1
22:02:41.702984 arp reply 192.168.1.2 is-at 00:04:11:11:11:11
22:02:45.106515 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53
22:02:50.392139 IP 192.168.1.2.138 > 192.168.1.255.138: NBT UDP PACKET(138)
22:02:54.139658 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53
22:02:57.866958 IP 125.175.131.58.3608 > 192.168.1.2.9501: S 3275472679:3275472679(0) win 65535
```
To display the quick output:
```
#tcpdump -q
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:03:55.594839 IP a213-22-130-46.cpe.netcabo.pt.3546 > 192.168.1.2.9501: tcp 0
22:03:55.698827 IP 192.168.1.2.9501 > a213-22-130-46.cpe.netcabo.pt.3546: tcp 0
22:03:56.068088 IP a213-22-130-46.cpe.netcabo.pt.3546 > 192.168.1.2.9501: tcp 0
22:03:56.068096 IP 192.168.1.2.9501 > a213-22-130-46.cpe.netcabo.pt.3546: tcp 0
22:03:57.362863 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:03:57.964397 IP valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36
22:04:06.406521 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:04:15.393757 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
```
To capture the traffic of a particular interface:
```
#tcpdump -i eth0
```
To capture the UDP traffic:
```
#tcpdump udp
```
To capture the TCP port 80 traffic:
```
#tcpdump port http
```
To capture the traffic from a filter stored in a file:
```
#tcpdump -F file_name
```
To create the file where the filter is configured (here the TCP port 80):
```
#vim file_name
port 80
```
To stop the capture after 20 packets:
```
#tcpdump -c 20
```
To write the capture to a file instead of displaying it on the screen:
```
#tcpdump -w capture.log
```
To read a capture file:
```
#tcpdump -r capture.log
reading from file capture.log, link-type EN10MB (Ethernet)
09:33:51.977522 IP 192.168.1.36.40332 > rr.knams.wikimedia.org.www: P 1548302662:1548303275(613) ack 148796145 win 16527
09:33:52.031729 IP rr.knams.wikimedia.org.www > 192.168.1.36.40332: . ack 613 win 86
09:33:52.034414 IP rr.knams.wikimedia.org.www > 192.168.1.36.40332: P 1:511(510) ack 613 win 86
09:33:52.034786 IP 192.168.1.36.40332 > rr.knams.wikimedia.org.www: . ack 511 win 16527
```
The captured data isn't stored as plain text, so you cannot read it with a text editor; you have to use a dedicated tool such as TCPdump (see above) or Wireshark (formerly Ethereal), which provides a graphical interface.
The capture.log file is opened with Wireshark.
To display the packets having "www.openmaniak.com" as their source or destination address:
```
#tcpdump host www.openmaniak.com
```
To display the FTP packets going from 192.168.1.100 to 192.168.1.2:
```
#tcpdump src 192.168.1.100 and dst 192.168.1.2 and port ftp
```
To display the packets' content:
```
#tcpdump -A
```
Packets captured during an FTP connection. The FTP password is easy to intercept because it is sent in clear text to the server.
```
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ath0, link-type EN10MB (Ethernet), capture size 96 bytes
20:53:24.872785 IP ubuntu.local.40205 > 192.168.1.2.ftp: S 4155598838:4155598838(0) win 5840
....g.................... ............
20:53:24.879473 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 1228937421 win 183
....g.I@............. ........
20:53:24.881654 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 43 win 183
....g.I@.......8..... ......EN
20:53:26.402046 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 0:10(10) ack 43 win 183
....g.I@......`$..... ...=..ENUSER teddybear
20:53:26.403802 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 76 win 183
....h.I@............. ...>..E^
20:53:29.169036 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 10:25(15) ack 76 win 183
....h.I@......#c..... ......E^PASS wakeup
20:53:29.171553 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 96 win 183
....h.I@.,........... ......Ez
20:53:29.171649 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 25:31(6) ack 96 win 183
....h.I@.,........... ......EzSYST
20:53:29.211607 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 115 win 183
....h.I@.?.....j..... ......Ez
20:53:31.367619 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 31:37(6) ack 115 win 183
....h.I@.?........... ......EzQUIT
20:53:31.369316 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 155 win 183
....h.I@.g........... ......E.
20:53:31.369759 IP ubuntu.local.40205 > 192.168.1.2.ftp: F 37:37(0) ack 156 win 183
....h.I@.h.....e..... ......E.
```
We see in this capture the FTP username (teddybear) and password (wakeup).
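The two points above, that a `-w` capture file is a binary format a plain editor cannot show (so something has to parse it, the way `tcpdump -r` does), and that an FTP login is visible as cleartext `USER`/`PASS` commands, can be shown together with a small reader for that file format. The script below is an added example, not code from the openmaniak page or from tcpdump itself: it parses the classic libpcap file layout that `tcpdump -w` writes, decodes Ethernet/IPv4/TCP, prints `-q`-style summary lines with numeric addresses (as `-n` would), applies the Python equivalent of a `src A and dst B and port N` filter, and flags any cleartext FTP credentials so a defender can audit a capture for them. The capture it reads is constructed in the code; the addresses, MAC addresses and timestamps are made up, and the credentials deliberately mirror the page's `teddybear`/`wakeup` example.

```python
"""Added example (not code from the openmaniak page or from tcpdump): a minimal
reader for the libpcap format that `tcpdump -w` writes, used to audit a capture
for FTP logins sent in cleartext. The capture below is constructed inline so the
script runs offline; addresses, MACs and credentials are made up."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4   # magic of a classic little-endian pcap file
LINKTYPE_ETHERNET = 1     # shown by tcpdump as "link-type EN10MB (Ethernet)"

def build_pcap(packets):
    """Serialise (ts_sec, ts_usec, frame) tuples into a pcap file image."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in packets:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out

def ipv4_tcp_frame(src, dst, sport, dport, payload, flags=0x18):
    """Build an Ethernet/IPv4/TCP frame; checksums stay zero, which is enough for parsing."""
    eth = bytes.fromhex("000411111111") + bytes.fromhex("000475222222") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 183, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp

def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame) for every record of a pcap file image."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file (pcapng and other magics not handled)")
    if struct.unpack_from("<HHiIII", data, 4)[5] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len

def decode_tcp(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    ip = frame[14:14 + total_len]          # drop any Ethernet padding/trailer
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    return src, dst, sport, dport, tcp[(tcp[12] >> 4) * 4:]

def matches(pkt, src=None, dst=None, port=None):
    """Python equivalent of a capture filter such as `src A and dst B and port N`."""
    s, d, sp, dp, _ = pkt
    return ((src is None or s == src) and (dst is None or d == dst)
            and (port is None or port in (sp, dp)))

def summarize(data):
    """One tcpdump -q style line per TCP packet, as `tcpdump -r` would print."""
    lines = []
    for ts_sec, ts_usec, frame in read_pcap(data):
        pkt = decode_tcp(frame)
        if pkt:
            src, dst, sport, dport, payload = pkt
            lines.append(f"{ts_sec}.{ts_usec:06d} IP {src}.{sport} > {dst}.{dport}: tcp {len(payload)}")
    return lines

def find_cleartext_ftp_logins(data):
    """Flag USER/PASS commands on TCP port 21: each one is a credential exposed on the wire."""
    findings = []
    for _sec, _usec, frame in read_pcap(data):
        pkt = decode_tcp(frame)
        if pkt is None or not matches(pkt, port=21):
            continue
        src, dst, sport, dport, payload = pkt
        for line in payload.split(b"\r\n"):
            if line[:5] in (b"USER ", b"PASS "):
                findings.append((f"{src}.{sport} > {dst}.{dport}", line.decode("ascii", "replace")))
    return findings

# Constructed sample: an FTP login (credentials mirror the page's) plus one HTTP request.
SAMPLE_PCAP = build_pcap([
    (1000, 0, ipv4_tcp_frame("192.168.1.100", "192.168.1.2", 40205, 21, b"", flags=0x02)),
    (1002, 500000, ipv4_tcp_frame("192.168.1.100", "192.168.1.2", 40205, 21, b"USER teddybear\r\n")),
    (1003, 0, ipv4_tcp_frame("192.168.1.2", "192.168.1.100", 21, 40205, b"331 Password required\r\n")),
    (1005, 0, ipv4_tcp_frame("192.168.1.100", "192.168.1.2", 40205, 21, b"PASS wakeup\r\n")),
    (1006, 0, ipv4_tcp_frame("192.168.1.100", "192.168.1.2", 40205, 80, b"GET / HTTP/1.0\r\n\r\n")),
])

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_PCAP)))
    for flow, cmd in find_cleartext_ftp_logins(SAMPLE_PCAP):
        print("cleartext FTP credential:", flow, cmd)
```

To run it against a real file, replace `SAMPLE_PCAP` with `open("capture.log", "rb").read()`; the reader deliberately rejects anything that is not a classic little-endian Ethernet pcap, so a pcapng file or a capture taken on another link type raises `ValueError` instead of being mis-parsed. The same `find_cleartext_ftp_logins` check is a cheap way to confirm that a migration from FTP to SFTP or FTPS actually removed cleartext logins from the wire.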
