I want to collect tcpdump examples, as many as possible!
E.g.: how to filter FTP passwords on eth0; OR how to filter HTTP 404 errors, etc.
5 Answers
It doesn't do any filtering, but this example creates a handy continuous packet sniffer:
tcpdump -n -C 128 -W 100 -z /home/user/compress_logs.pl -i br0 -w /home/user/packetlogs/packetlog.pcap &
- -n: don't do reverse lookup on IPs, don't convert port numbers to text descriptions, don't convert MAC addresses to names, etc.
- -C 128: rotate capture files every 128,000,000 bytes
- -W 100: limit the number of capture files being rotated (see -C) to 100
- -z /home/user/compress_logs.pl: run script compress_logs.pl on each rotated capture file
- -i br0: capture on interface br0
- -w /home/user/packetlogs/packetlog.pcap: use file name /home/user/packetlogs/packetlog.pcap
- &: this is parsed by bash; indicates that the command should be run in the background (asynchronously)
Put it in /etc/rc.local to run on boot. It captures all packets on interface br0, which could be two interfaces in-line as a tap or two interfaces hooked to a passive tap, or one interface hooked to a mirrored switch port (I've used all three in practice).
It writes ~128MB files and will automatically rotate up to 100 of them. When it captures 128MB of data, it will close the file, open a new one, and fork the specified command with the old filename as an argument - in this case a little Perl script that compresses the previous capture file for quicker transfer off the IDS server.
I use this when I have to monitor a connection for a long time (like a day or two) and need to go back and find an event that occurred at a specific time. The small files are much easier to handle in Wireshark than one huge pcap file.
- this one's the best so far :) – LanceBaynes Jun 24 '11 at 13:40
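The answer mentions the -z hook only by its role (tcpdump forks the named command with the just-closed capture file as its single argument). The following is an added example of such a hook, written here and not the answer's compress_logs.pl. It assumes gzip is installed on the capture box and that the hook is installed as a script whose last line calls post_rotate "$1":

```sh
#!/bin/sh
# Added example, not the answer's compress_logs.pl: a post-rotate hook in the
# shape tcpdump -z expects. tcpdump runs it as "hook <file-just-closed>" each
# time -C rotates, so the script receives exactly one argument.
# Assumption (not from the page): gzip is installed on the capture box.

post_rotate() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "post_rotate: not a regular file: '$f'" >&2
        return 1
    fi
    # Only touch files that really are captures: check the 4-byte magic for
    # classic pcap (microsecond and nanosecond variants, either byte order)
    # and for pcapng, instead of trusting the file name.
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d|0a0d0d0a) ;;
        *) echo "post_rotate: '$f' is not a pcap/pcapng file (magic $magic)" >&2
           return 1 ;;
    esac
    # Compress in place: gzip replaces file with file.gz and carries the
    # original mtime over, which is what you want when hunting for an event
    # by time later. nice keeps the compressor from starving the capture.
    nice gzip -9 "$f" || return 1
    echo "$f.gz"
}

# When run as the -z hook, tcpdump supplies the closed file as $1:
#   tcpdump -n -C 128 -W 100 -z /path/to/post_rotate.sh -i br0 -w /path/packetlog.pcap
if [ "$#" -gt 0 ]; then
    post_rotate "$1"
fi
```

The magic-number check matters because -z runs the hook with whatever path tcpdump hands it; refusing anything that is not a capture keeps a misconfigured -w path from being compressed away silently.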
Capture only HTTP POST data:
tcpdump tcp[2:2] = 80 and \(tcp[20:4] = 1347375956
or tcp[24:4] = 1347375956
or tcp[28:4] = 1347375956
or tcp[32:4] = 1347375956
or tcp[36:4] = 1347375956
or tcp[40:4] = 1347375956
or tcp[44:4] = 1347375956
or tcp[48:4] = 1347375956
or tcp[52:4] = 1347375956
or tcp[56:4] = 1347375956
or tcp[60:4] = 1347375956\)
A bit unwieldy but certainly useful. tcp[2:2] captures, starting from position 2 of the TCP header, 2 bytes (which are the port, port 80 being for HTTP traffic).
Then we want to compare the first 4 bytes of TCP data to 'POST'. The TCP header is minimum 20 (decimal) bytes, but since the TCP options are variable length, from 0 to 40 bytes (padded to a 32-bit boundary and starting at ), we have to test every 4 bytes from 20 to 60 (decimal). Finally, 1347375956 is the base10 big-endian binary representation of the ASCII text 'POST'. Use the values below for other HTTP types:
- GET: 1195725856 (includes the space after 'GET' which is needed because we are comparing with 4 bytes)
- POST: 1347375956
- PUT: 1347769376 (includes space)
- DELETE: 1145392197 (just 'DELE', actually)
For other types, convert the 4 ASCII characters to hex (you must use 4 characters exactly), then treat the hex bytes as one number and convert it to decimal. For example, POST is 50 4f 53 54. 504f5354 converted to decimal is 1347375956.
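The conversion the answer describes by hand (four ASCII bytes read as one big-endian number, then every possible payload offset probed) is mechanical enough to script. The following is an added example, not code from the answer: a POSIX shell function that computes the decimal value for any 4-character token, a generator for the answer's eleven-way filter, and a tighter variant that reads the TCP data-offset field (tcp[12] high nibble, in 32-bit words) so one comparison lands on the first payload byte whatever the option length. The function and variable names are my own.

```sh
#!/bin/sh
# Added example (not code from the answer): build the tcpdump filter for any
# 4-character HTTP method token, computing the big-endian decimal value the
# answer compares against with tcp[off:4] = N.

# Convert exactly four ASCII characters to a 32-bit big-endian decimal value.
# Shorter tokens must be space-padded by the caller ("GET ", "PUT ").
ascii4_to_dec() {
    s=$1
    if [ "${#s}" -ne 4 ]; then
        echo "ascii4_to_dec: need exactly 4 characters, got '$s'" >&2
        return 1
    fi
    n=0
    rest=$s
    while [ -n "$rest" ]; do
        # printf '%d' "'X" prints the character code of X (POSIX printf).
        c=$(printf '%d' "'$rest")
        n=$(( (n << 8) | c ))
        rest=${rest#?}
    done
    echo "$n"
}

# The answer's form: the port check plus one comparison per possible payload
# start (TCP header of 20..60 bytes in 4-byte steps). Port defaults to 80.
http_method_filter_verbose() {
    val=$(ascii4_to_dec "$1") || return 1
    port=${2:-80}
    expr="tcp[2:2] = $port and ("
    sep=""
    for off in 20 24 28 32 36 40 44 48 52 56 60; do
        expr="$expr$sep tcp[$off:4] = $val"
        sep=" or"
    done
    echo "$expr )"
}

# Tighter form: the TCP data offset is the high nibble of byte 12, counted in
# 32-bit words; >>2 turns (nibble<<4) into a byte count, so tcp[that:4] is
# exactly the first four payload bytes. One comparison instead of eleven.
http_method_filter() {
    val=$(ascii4_to_dec "$1") || return 1
    echo "tcp[2:2] = ${2:-80} and tcp[((tcp[12]&0xf0)>>2):4] = $val"
}

# Stand-alone usage: print both filters for POST. Quote the result when
# handing it to tcpdump:  sudo tcpdump -i eth0 "$(http_method_filter POST)"
http_method_filter_verbose POST
http_method_filter POST
```

Both forms match only the first segment of a request (the one carrying the method), and neither can see a method inside TLS, so this is an HTTP-only, plaintext-only filter like the original.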
Capture everything to a file (so you can analyze it later with Wireshark or something):
sudo tcpdump -i en0 -s0 -w ~/capture.pcap
- -i en0: capture on interface en0
- -s0: use the whole packet (don't truncate -- snarf 0)
- -w ~/capture.pcap: write to packet capture file ~/capture.pcap
Filter-making cheat sheet:
http://staff.washington.edu/dittrich/talks/core02/tools/tcpdump-filters.txt
- Wireshark has provided a very useful tool for creating filters: https://www.wireshark.org/tools/string-cf.html – NathanChristie Sep 29 '15 at 13:57
If you want to monitor clients' DNS requests on an OpenWRT router:
tcpdump -n -i br-lan dst port 53
- -n: don't do reverse lookup on IPs, don't convert port numbers to text descriptions, don't convert MAC addresses to names, etc.
- -i br-lan: capture on interface br-lan
- dst port 53: filter destination port 53, the port for DNS service