The best thing I like about tcpdump is the power of expressions you can benefit from.
what port, host, interface or network and protocol to capture. tcpdump is so powerful and handy that even IBM could not resist to deliver it in AIX systems and through oem_setup_env in VIO. Cisco have not been able to make a better alternative and is happily offering tcpdump in Nexus NX-OS Linux based environments and promoting this as a feature of their devices.
All and all because of a powerful library named:
[root@localhost local]# ldd /usr/sbin/tcpdump
linux-gate.so.1 => (0x00317000)
libcrypto.so.10 => /usr/lib/libcrypto.so.10 (0x00b27000)
libpcap.so.1 => /usr/lib/libpcap.so.1 (0x00dde000)
libc.so.6 => /lib/libc.so.6 (0x004ba000)
libdl.so.2 => /lib/libdl.so.2 (0x00414000)
libz.so.1 => /lib/libz.so.1 (0x008c9000)
/lib/ld-linux.so.2 (0x0074d000)
[root@localhost local]#
The libpcap project
libpcap is a system-independent interface for user-level packet capture. libpcap provides a portable framework for low-level network monitoring. Applications include network statistics collection, security monitoring, network debugging, etc.
Oh, Just have a look at the projects benefiting from libpcap and you'll be surprised:
http://en.wikipedia.org/wiki/Pcap
What are you doing in my blog ?! ... uhhh .. looking for a nice cheat-sheet ( In Unix manual terminology it's called examples ) on tcpdump ? How to use freely available libpcap in your projects and sell it to people and you work for Oracle ? Just found this blog by coincidence and you haven't seen any computers in you life ?
Easy ..
First, you need to be the root user to Listen on an interface or in other words, set the interface to promiscuous mode.
Jan 14 23:03:04 localhost kernel: device eth0 entered promiscuous mode
Jan 14 23:30:04 localhost kernel: device eth0 left promiscuous mode
I personally always use tcpdump with -n to stop it from reversing IP's to names, you can even do -nn to see real port numbers and I have the habit of mentioning exactly what interface to listen on as I used to work on servers with at least 5-6 Ethernet ports and maybe tens of ppp interfaces with -i <interface name>. If your interface is really a busy one, always mention -c <number> to limit the number of the packets you want to capture. So up to here your command may looks like this:
# tcpdump -n -c 100 -i eth0
Well, if you are running the tcpdump command on a remote system and you've logged in to that system via the interface you are listening on, you probably don't want to be overwhelmed buy your own SSH packets and overflow your screen by useless encrypted ssh packets.
# tcpdump -n -c 100 -i eth0 port not ssh
Woww, going so fast? A little description. We all know what the yellow part is. The second part says that I'm not interested in packets sourcing from or destined to port 22 and the not is the negating phrase.
So If I just want to see the web traffic, I would write:
# tcpdump -n -c 100 -i eth0 port not ssh and port http
hmm, can we have more logical expressions ? Sure. a little reminder from basic logic in school:
A and ( B or C ) = ( A and B ) or ( A and C )
A or ( B and C ) = ( A or B ) and ( A or C )
not ( A or C ) = not A and not C
The magic:
# tcpdump -n -i eth0 -c 100 port not ssh and not \( port nrpe or https \) and tcp
Means that I want to see all tcp traffics that are not about ssh, nrpe and https.
Remember that you can see the known port number in /etc/services and you are always able to add whatever you want to that file although you can use port numbers instead of mentioning its name like ssh, http or etc.
Well, another interesting option is to see what's inside your packets. if you are sniffing Web traffic or passwords out of telnet sessions, you can simply use following command:
# tcpdump -n -i eth0 -c 100 -A -s 0 port 80
-A option is to print the packets in ASCII so you can see the content of the packets and -s 0 means that you want to see as much as possible, no matter how big the packet is ( 0 means 65535 bytes ).
if you want to see the bytes in HEX just use -X instead of -A
I guess it's enough for now. You are always welcome to check the manual of tcpdump command.
Go and read your package's documents !
what port, host, interface or network and protocol to capture. tcpdump is so powerful and handy that even IBM could not resist to deliver it in AIX systems and through oem_setup_env in VIO. Cisco have not been able to make a better alternative and is happily offering tcpdump in Nexus NX-OS Linux based environments and promoting this as a feature of their devices.
All and all because of a powerful library named:
[root@localhost local]# ldd /usr/sbin/tcpdump
linux-gate.so.1 => (0x00317000)
libcrypto.so.10 => /usr/lib/libcrypto.so.10 (0x00b27000)
libpcap.so.1 => /usr/lib/libpcap.so.1 (0x00dde000)
libc.so.6 => /lib/libc.so.6 (0x004ba000)
libdl.so.2 => /lib/libdl.so.2 (0x00414000)
libz.so.1 => /lib/libz.so.1 (0x008c9000)
/lib/ld-linux.so.2 (0x0074d000)
[root@localhost local]#
The libpcap project
libpcap is a system-independent interface for user-level packet capture. libpcap provides a portable framework for low-level network monitoring. Applications include network statistics collection, security monitoring, network debugging, etc.
Oh, Just have a look at the projects benefiting from libpcap and you'll be surprised:
http://en.wikipedia.org/wiki/Pcap
Programs that use libpcap/WinPcap
- tcpdump, a tool for capturing and dumping packets for further analysis, and WinDump, the Windows port of tcpdump.
- ngrep, aka "network grep", isolate strings in packets, show packet data in human-friendly output.
- Wireshark (formerly Ethereal), a graphical packet-capture and protocol-analysis tool.
- Snort, a network-intrusion-detection system.
- Nmap, a port-scanning and fingerprinting network utility
- the Bro IDS and network-monitoring platform.
- URL Snooper, locate the URLs of audio and video files in order to allow recording them.
- Kismet, for 802.11 wireless LANs
- L0phtCrack, a password auditing and recovery application.
- iftop, a tool for displaying bandwidth usage (like top for network traffic)
- EtherApe, a graphical tool for monitoring network traffic and bandwidth usage in real time.
- Bit-Twist, a libpcap-based Ethernet packet generator and editor for BSD, Linux, and Windows.
- Pirni, a network security tool for jailbroken iOS devices.
- McAfee ePolicy Orchestrator, Rogue System Detection feature
- XLink Kai Software that allows various LAN console games to be played online
- Firesheep, an extension for the Firefox web browser, that intercepts unencrypted cookies from certain websites (such as Facebook and Twitter) as the cookies are transmitted over networks, exploiting session hijacking vulnerabilities.
- Suricata, a network intrusion prevention and analysis platform.
- WhatPulse, a statistical (input, network, uptime) measuring application.
- Xplico, a network forensics analysis tool (NFAT).
What are you doing in my blog ?! ... uhhh .. looking for a nice cheat-sheet ( In Unix manual terminology it's called examples ) on tcpdump ? How to use freely available libpcap in your projects and sell it to people and you work for Oracle ? Just found this blog by coincidence and you haven't seen any computers in you life ?
Easy ..
First, you need to be the root user to Listen on an interface or in other words, set the interface to promiscuous mode.
Jan 14 23:03:04 localhost kernel: device eth0 entered promiscuous mode
Jan 14 23:30:04 localhost kernel: device eth0 left promiscuous mode
I personally always use tcpdump with -n to stop it from reversing IP's to names, you can even do -nn to see real port numbers and I have the habit of mentioning exactly what interface to listen on as I used to work on servers with at least 5-6 Ethernet ports and maybe tens of ppp interfaces with -i <interface name>. If your interface is really a busy one, always mention -c <number> to limit the number of the packets you want to capture. So up to here your command may looks like this:
# tcpdump -n -c 100 -i eth0
Well, if you are running the tcpdump command on a remote system and you've logged in to that system via the interface you are listening on, you probably don't want to be overwhelmed buy your own SSH packets and overflow your screen by useless encrypted ssh packets.
# tcpdump -n -c 100 -i eth0 port not ssh
Woww, going so fast? A little description. We all know what the yellow part is. The second part says that I'm not interested in packets sourcing from or destined to port 22 and the not is the negating phrase.
So If I just want to see the web traffic, I would write:
# tcpdump -n -c 100 -i eth0 port not ssh and port http
hmm, can we have more logical expressions ? Sure. a little reminder from basic logic in school:
A and ( B or C ) = ( A and B ) or ( A and C )
A or ( B and C ) = ( A or B ) and ( A or C )
not ( A or C ) = not A and not C
The magic:
# tcpdump -n -i eth0 -c 100 port not ssh and not \( port nrpe or https \) and tcp
Means that I want to see all tcp traffics that are not about ssh, nrpe and https.
Remember that you can see the known port number in /etc/services and you are always able to add whatever you want to that file although you can use port numbers instead of mentioning its name like ssh, http or etc.
Well, another interesting option is to see what's inside your packets. if you are sniffing Web traffic or passwords out of telnet sessions, you can simply use following command:
# tcpdump -n -i eth0 -c 100 -A -s 0 port 80
-A option is to print the packets in ASCII so you can see the content of the packets and -s 0 means that you want to see as much as possible, no matter how big the packet is ( 0 means 65535 bytes ).
if you want to see the bytes in HEX just use -X instead of -A
I guess it's enough for now. You are always welcome to check the manual of tcpdump command.
Using libpcap in your applications
In every major language and some not popular programing languages you can find the library interface. the following is from the wikipedia page of pcap project:Wrapper libraries for libpcap/WinPcap
- Perl: Net::Pcap
- Python: python-libpcap, Pcapy
- Ruby: PacketFu
- Tcl: tclpcap, tcap, pktsrc
- Java: jpcap, jNetPcap, Jpcap, Pcap4j
- .NET: WinPcapNET, SharpPcap, Pcap.Net
- Haskell: pcap
- Objective Caml: mlpcap
- Chicken Scheme: pcap
- Common Lisp: PLOKAMI
- Go: pcap by Andreas Krennmair, pcap fork of the previous by Miek Gieben, pcap developed as part of the gopacket package
Go and read your package's documents !
