Ubuntu: Using tcpdump for analysis of network traffic and port usage

tcpdump comes standard on Ubuntu servers and is an invaluable tool in determining traffic coming in and out of a host.

As network infrastructures have become more complex and security conscious, validating network flow from client hosts through potentially multiple proxies and ultimately to a destination host and port has become more important than ever.

Let me list a few of the more common use cases.

Basic Invocation

We will always specify which network interface we want to capture traffic on, so the first command you usually want to run is a listing of all the available network interfaces:

# tcpdump -D

The most basic invocation would then be to capture all traffic coming from one of those interfaces (let’s say eth0), like:

# tcpdump -i eth0

Note that tcpdump only takes the first 96 bytes of each packet by default. If you want to capture the whole packet, use the '-s0' switch. And if you want to print the packet contents in ASCII or hex, you can use the '-A' or '-X' switch.

For example, just like the example above, this will capture all eth0 traffic, but this time in verbose mode with hex display of the full packet contents.

# tcpdump -i eth0 -vvXX -s0

Expressions

In addition to the various switches, tcpdump accepts an expression as the final parameter that provides rich flexibility to filter the packets being captured. This expression is passed directly to the underlying libpcap library, which does the actual packet capture.

# tcpdump [switches] [expression]

Using this expression, you can filter on various values including: source host, destination host, network CIDR, port, protocol type, TCP flags, and VLAN. Let's go through a few basic expressions below.

Packets to and from a remote host

If you are logged into a client host and want to validate both the incoming and outgoing packets from a remote host:

# tcpdump -i <interface> host <remoteHost>

Packets coming from a remote host

If you are logged into a host, and want to validate the packets coming in from a remote host:

# tcpdump -i <interface> src host <remoteHost>

Packets coming into port

If you need to see all the packets coming into a particular port:

# tcpdump -i <interface> port <port>

Using the BPF syntax, these filters can be combined with the operators and, or and not, for example to match on both remote host and port:

# tcpdump -i <interface> src host <remoteHost> and port <port>

Packets sent to remote host and port

If we have a specific client communication to a remote host that we are trying to troubleshoot, we can capture that as well:

# tcpdump -i <interface> host <remoteHost> and port <destPort>

Advanced Filters

The filter syntax even allows looking at individual flags within the TCP header for those who require it. Byte 13 of the TCP header holds the flags, and the ACK bit has the value 16, so the following shows only packets with the ACK flag set:

# tcpdump -i <interface> 'tcp[13] & 16 != 0'
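The flag filter above is one instance of a general pattern: mask tcp[13] with the bit values of the flags you care about. The following added shell example (not from the original post; the helper names tcp_flag_mask, tcp_flag_filter and capture_tcp_flags are my own) generalizes it to any combination of flags and three matching modes, and wraps the result in a full-size capture to a Wireshark-readable file.

```shell
#!/bin/sh
# Build a tcpdump/BPF filter on the TCP flags byte (tcp[13]) from flag names.
# tcp[13] bit values: FIN=1 SYN=2 RST=4 PSH=8 ACK=16 URG=32 (ECE=64, CWR=128 also live here).
# The post's example 'tcp[13] & 16 != 0' is what "tcp_flag_filter any ACK" produces.

# Print the numeric mask for one flag name (case-insensitive); fail on an unknown name.
tcp_flag_mask() {
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        FIN) echo 1 ;;
        SYN) echo 2 ;;
        RST) echo 4 ;;
        PSH) echo 8 ;;
        ACK) echo 16 ;;
        URG) echo 32 ;;
        *) echo "unknown TCP flag: $1" >&2; return 1 ;;
    esac
}

# tcp_flag_filter MODE FLAG [FLAG...]
#   any  -> at least one of the flags is set          (tcp[13] & M != 0)
#   all  -> every listed flag is set, others ignored   (tcp[13] & M == M)
#   only -> exactly these flags and nothing else       (tcp[13] == M)
# "only SYN" isolates new connection attempts; note that because ECE/CWR share
# the byte, "only" will not match an ECN-setup SYN (which also sets ECE and CWR).
tcp_flag_filter() {
    mode=$1; shift
    mask=0
    for f in "$@"; do
        bit=$(tcp_flag_mask "$f") || return 1
        mask=$((mask | bit))
    done
    case "$mode" in
        any)  echo "tcp[13] & $mask != 0" ;;
        all)  echo "tcp[13] & $mask == $mask" ;;
        only) echo "tcp[13] == $mask" ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Full-packet capture to a pcap file using the generated filter (needs root like any capture).
# Usage: capture_tcp_flags IFACE OUTFILE MODE FLAG...
capture_tcp_flags() {
    iface=$1; out=$2; shift 2
    filter=$(tcp_flag_filter "$@") || return 1
    tcpdump -i "$iface" -s0 -w "$out" "$filter"
}
```

For example, `capture_tcp_flags eth0 syn-only.cap only SYN` writes only connection-attempt packets, which a Wireshark conversation view can then summarize per source.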

Wireshark compatible

If you want to analyze the capture later with Wireshark, make sure to use the '-w' switch to write the raw packets to a file.

# tcpdump -i <interface> -s 65535 -w wireshark.cap

Problems capturing packets

If you do not see all the traffic you expect, read the tcpdump FAQ (linked in the references below).


REFERENCES

http://www.tcpdump.org/

http://www.tcpdump.org/faq.html

http://manpages.ubuntu.com/manpages/zesty/man8/tcpdump.8.html

http://linux-circles.blogspot.com/2012/11/how-to-capture-packets-with-tcpdump.html

http://www.tcpdump.org/manpages/pcap-filter.7.html

http://www.workrobot.com/sysadmin/security/tcpdump_expressions.html

https://support.rackspace.com/how-to/capturing-packets-with-tcpdump/

https://danielmiessler.com/study/tcpdump/#gs.1PiGzW4

VLAN filter issues: https://www.snellman.net/blog/archive/2015-05-18-whats-wrong-with-pcap-filters/

http://www.slashroot.in/packet-capturing-tcpdump-command-linux

http://www.tecmint.com/12-tcpdump-commands-a-network-sniffer-tool/

Wireshark compatible tcpdump capture

middlewareinventory.com, how to capture GET and POST from tcpdump