DESCRIPTION
Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than to read packets from a network interface. In all cases, only packets that match expression will be processed by tcpdump.
- We connected two machines B2B and will use ICMP as a test protocol.
- We will ping from (malaa-NOOR.local) to (debian-test2-3.local) and will use Tcpdump on (debian-test2-3.local).
| root@malaa-NOOR:~# ping 192.168.0.227 -c 2 PING 192.168.0.227 (192.168.0.227) 56(84) bytes of data. 64 bytes from 192.168.0.227: icmp_req=1 ttl=64 time=0.421 ms 64 bytes from 192.168.0.227: icmp_req=2 ttl=64 time=0.385 ms--- 192.168.0.227 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 999ms rtt min/avg/max/mdev = 0.385/0.403/0.421/0.018 ms root@malaa-NOOR:~# |
-i Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback).
| root@debian-test2:~# tcpdump icmp tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 16:59:50.828717 IP malaa-NOOR.local > debian-test2-3.local: ICMP echo request, id 7558, seq 1, length 64 16:59:50.828749 IP debian-test2-3.local > malaa-NOOR.local: ICMP echo reply, id 7558, seq 1, length 64 16:59:51.828315 IP malaa-NOOR.local > debian-test2-3.local: ICMP echo request, id 7558, seq 2, length 64 16:59:51.828344 IP debian-test2-3.local > malaa-NOOR.local: ICMP echo reply, id 7558, seq 2, length 64 ^C 4 packets captured 6 packets received by filter 0 packets dropped by kernel root@debian-test2:~# root@debian-test2:~# tcpdump icmp -i eth0 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 16:24:58.714197 IP malaa-NOOR.local > debian-test2-3.local: ICMP echo request, id 7392, seq 1, length 64 16:24:58.714223 IP debian-test2-3.local > malaa-NOOR.local: ICMP echo reply, id 7392, seq 1, length 64 16:24:59.713493 IP malaa-NOOR.local > debian-test2-3.local: ICMP echo request, id 7392, seq 2, length 64 16:24:59.713517 IP debian-test2-3.local > malaa-NOOR.local: ICMP echo reply, id 7392, seq 2, length 64 ^C 4 packets captured 4 packets received by filter 0 packets dropped by kernel root@debian-test2:~# |
-n Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
| root@debian-test2:~# tcpdump -n icmp -i eth0 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 16:26:46.171804 IP 192.168.0.198 > 192.168.0.227: ICMP echo request, id 7404, seq 1, length 64 16:26:46.171846 IP 192.168.0.227 > 192.168.0.198: ICMP echo reply, id 7404, seq 1, length 64 16:26:47.171981 IP 192.168.0.198 > 192.168.0.227: ICMP echo request, id 7404, seq 2, length 64 16:26:47.172009 IP 192.168.0.227 > 192.168.0.198: ICMP echo reply, id 7404, seq 2, length 64 ^C 4 packets captured 4 packets received by filter 0 packets dropped by kernel root@debian-test2:~# |
-v When parsing and printing, produce (slightly more) verbose output. For example, the time to live, identification,total length and options in an IP packet are printed. Also enables additional packet integrity checks such as verifying the IP and ICMP header checksum.
| root@debian-test2:~# tcpdump -n -v icmp -i eth0 tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 16:31:50.043213 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.0.198 > 192.168.0.227: ICMP echo request, id 7430, seq 1, length 64 16:31:50.043242 IP (tos 0x0, ttl 64, id 60673, offset 0, flags [none], proto ICMP (1), length 84) 192.168.0.227 > 192.168.0.198: ICMP echo reply, id 7430, seq 1, length 64 16:31:51.043532 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.0.198 > 192.168.0.227: ICMP echo request, id 7430, seq 2, length 64 16:31:51.043561 IP (tos 0x0, ttl 64, id 60674, offset 0, flags [none], proto ICMP (1), length 84) 192.168.0.227 > 192.168.0.198: ICMP echo reply, id 7430, seq 2, length 64 ^C 4 packets captured 4 packets received by filter 0 packets dropped by kernel root@debian-test2:~# |
-vv Even more verbose output. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.
-vvv Even more verbose output. For example, telnet SB ... SE options are printed in full. With -X Telnet options are printed in hex as well.
| root@debian-test2:~# tcpdump -n -vv icmp -i eth0 tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 16:34:11.322908 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.0.198 > 192.168.0.227: ICMP echo request, id 7439, seq 1, length 64 16:34:11.322941 IP (tos 0x0, ttl 64, id 60677, offset 0, flags [none], proto ICMP (1), length 84) 192.168.0.227 > 192.168.0.198: ICMP echo reply, id 7439, seq 1, length 64 16:34:12.322131 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.0.198 > 192.168.0.227: ICMP echo request, id 7439, seq 2, length 64 16:34:12.322164 IP (tos 0x0, ttl 64, id 60678, offset 0, flags [none], proto ICMP (1), length 84) 192.168.0.227 > 192.168.0.198: ICMP echo reply, id 7439, seq 2, length 64 ^C 4 packets captured 4 packets received by filter 0 packets dropped by kernel root@debian-test2:~# |
-e Print the link-level header on each dump line.
| root@debian-test2:~# tcpdump -n -vv -e icmp -i eth0 tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 16:35:49.567369 44:37:e6:6d:0d:f0 > 08:00:27:66:75:b7, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.0.198 > 192.168.0.227: ICMP echo request, id 7455, seq 1, length 64 16:35:49.567404 08:00:27:66:75:b7 > 44:37:e6:6d:0d:f0, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 60679, offset 0, flags [none], proto ICMP (1), length 84) 192.168.0.227 > 192.168.0.198: ICMP echo reply, id 7455, seq 1, length 64 16:35:50.566665 44:37:e6:6d:0d:f0 > 08:00:27:66:75:b7, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.0.198 > 192.168.0.227: ICMP echo request, id 7455, seq 2, length 64 16:35:50.566696 08:00:27:66:75:b7 > 44:37:e6:6d:0d:f0, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 60680, offset 0, flags [none], proto ICMP (1), length 84) 192.168.0.227 > 192.168.0.198: ICMP echo reply, id 7455, seq 2, length 64 ^C 4 packets captured 4 packets received by filter 0 packets dropped by kernel root@debian-test2:~# |
-c Exit after receiving count packets.
| root@debian-test2:~# tcpdump -vv -n icmp -i eth0 -c 2 tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 16:23:12.175875 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.0.198 > 192.168.0.227: ICMP echo request, id 7387, seq 1, length 64 16:23:12.175920 IP (tos 0x0, ttl 64, id 60664, offset 0, flags [none], proto ICMP (1), length 84) 192.168.0.227 > 192.168.0.198: ICMP echo reply, id 7387, seq 1, length 64 2 packets captured 2 packets received by filter 0 packets dropped by kernel root@debian-test2:~# |
-w Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -roption. Standard output is used if file is ``-''.
| root@debian-test2:~# tcpdump -vv -n icmp -i eth0 -w malaa.cap tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes ^C8 packets captured 9 packets received by filter 0 packets dropped by kernel root@debian-test2:~# |
- You can find below the output file.
| root@debian-test2:~# ls -l | grep malaa -rw-r--r-- 1 root root 936 Aug 28 15:39 malaa.cap root@debian-test2:~# |
-C Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the-w flag, with a number after it, starting at 1 and continuing upward. The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).
| root@debian-test2:~# tcpdump -vv -n icmp -i eth0 -w malaa.cap -C 20 tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes ^C4 packets captured 4 packets received by filter 0 packets dropped by kernel root@debian-test2:~# |
-F Use file as input for the filter expression. An additional expression given on the command line is ignored.
- we created the below file using nano and added exact MACs addresses we need to sniff or monitoring.
| ------------------------------------------------------------------------------------------------------ GNU nano 2.2.4 File: MAC-Filter.txt Modified # you can add as many "or ether host MAC-ADDRESS" as needed ether host 44:37:e6:6d:0d:f0 or ether host 08:00:27:66:75:b7 root@debian-test2:~# cat MAC-Filter.txt ether host 44:37:e6:6d:0d:f0 or ether host 08:00:27:66:75:b7 root@debian-test2:~# tcpdump -vv -n icmp -i eth0 -w malaa.cap -F MAC-Filter.txt |
-r Read packets from file (which was created with the -w option). Standard input is used if file is ``-''.
| root@debian-test2:~# tcpdump -r malaa.cap reading from file malaa.cap, link-type EN10MB (Ethernet) 16:56:33.129501 IP malaa-NOOR.local > debian-test2-3.local: ICMP echo request, id 7545, seq 1, length 64 16:56:33.129547 IP debian-test2-3.local > malaa-NOOR.local: ICMP echo reply, id 7545, seq 1, length 64 16:56:34.128615 IP malaa-NOOR.local > debian-test2-3.local: ICMP echo request, id 7545, seq 2, length 64 16:56:34.128650 IP debian-test2-3.local > malaa-NOOR.local: ICMP echo reply, id 7545, seq 2, length 64 root@debian-test2:~#root@debian-test2:~# tcpdump -n -r malaa.cap reading from file malaa.cap, link-type EN10MB (Ethernet) 16:56:33.129501 IP 192.168.0.198 > 192.168.0.227: ICMP echo request, id 7545, seq 1, length 64 16:56:33.129547 IP 192.168.0.227 > 192.168.0.198: ICMP echo reply, id 7545, seq 1, length 64 16:56:34.128615 IP 192.168.0.198 > 192.168.0.227: ICMP echo request, id 7545, seq 2, length 64 16:56:34.128650 IP 192.168.0.227 > 192.168.0.198: ICMP echo reply, id 7545, seq 2, length 64 root@debian-test2:~# root@debian-test2:~# tcpdump -e -r malaa.cap reading from file malaa.cap, link-type EN10MB (Ethernet) 15:38:59.054832 44:37:e6:6d:0d:f0 (oui Unknown) > 08:00:27:66:75:b7 (oui Unknown), ethertype IPv4 (0x0800), length 98: malaa-NOOR.local > debian-test2-3.local: ICMP echo request, id 7174, seq 1, length 64 15:38:59.054872 08:00:27:66:75:b7 (oui Unknown) > 44:37:e6:6d:0d:f0 (oui Unknown), ethertype IPv4 (0x0800), length 98: debian-test2-3.local > malaa-NOOR.local: ICMP echo reply, id 7174, seq 1, length 64 15:39:00.053514 44:37:e6:6d:0d:f0 (oui Unknown) > 08:00:27:66:75:b7 (oui Unknown), ethertype IPv4 (0x0800), length 98: malaa-NOOR.local > debian-test2-3.local: ICMP echo request, id 7174, seq 2, length 64 15:39:00.053538 08:00:27:66:75:b7 (oui Unknown) > 44:37:e6:6d:0d:f0 (oui Unknown), ethertype IPv4 (0x0800), length 98: debian-test2-3.local > malaa-NOOR.local: ICMP echo reply, id 7174, seq 2, length 64 root@debian-test2:~# root@debian-test2:~# tcpdump -n -e -r malaa.cap root@debian-test2:~# tcpdump -e -n ether host 44:37:e6:6d:0d:f0 -r malaa.cap |
#############################################################################################
######## Sniffing PPPoE layer 2 packets like LCP frames ########
EtherType is a two-octet field in an Ethernet frame. It is used to indicate which protocol is encapsulated in the PayLoad of an Ethernet Frame. This field was first defined by the Ethernet II framing networking standard, and later adapted for the IEEE 802.3 Ethernet networking standard.
EtherType numbering generally starts from 0x0800. In modern implementations of Ethernet, the field within the Ethernet frame used to describe the EtherType also can be used to represent the size of the payload of the Ethernet Frame.
0x8863 PPPoE Discovery Stage
0x8864 PPPoE Session Stage
If you want to watch the PPPoE packets, use the following tcpdump commands:
> tcpdump -i eth0 -n ether proto 0x8863 '||' ether proto 0x8864
We will run tcpdump on eth0 to look at PADI,PADO,PADR,PADS and PADT and should see the below result.
| root@debian-test2:~# tcpdump -i eth0 -n ether proto 0x8863 '||' ether proto 0x8864 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 12:47:25.173507 PPPoE PADI [Service-Name] [Host-Uniq 0xCF0A0000] 12:47:25.173609 PPPoE PADO [AC-Name "nzhmlbld06l"] [Service-Name] [AC-Cookie 0x18F0FDB21859639108D61444C8A611F4D2080000] [Host-Uniq 0xCF0A0000] 12:47:25.173661 PPPoE PADO [AC-Name "isp"] [Service-Name] [AC-Cookie 0xF07AE7E13B3BDFACCCE03C14A0A60C7D49090000] [Host-Uniq 0xCF0A0000] 12:47:25.173777 PPPoE PADR [Service-Name] [Host-Uniq 0xCF0A0000] [AC-Cookie 0x18F0FDB21859639108D61444C8A611F4D2080000] 12:47:25.174239 PPPoE PADS [ses 0xa] [Service-Name] [Host-Uniq 0xCF0A0000] 12:47:25.174929 PPPoE [ses 0xa] LCP, Conf-Request (0x01), id 1, length 21 12:47:26.180431 PPPoE [ses 0xa] LCP, Conf-Request (0x01), id 1, length 16 12:47:26.180676 PPPoE [ses 0xa] LCP, Conf-Ack (0x02), id 1, length 16 12:47:28.177393 PPPoE [ses 0xa] LCP, Conf-Request (0x01), id 1, length 21 12:47:28.179020 PPPoE [ses 0xa] LCP, Conf-Reject (0x04), id 1, length 11 12:47:28.179295 PPPoE [ses 0xa] LCP, Conf-Request (0x01), id 2, length 16 12:47:28.181036 PPPoE [ses 0xa] LCP, Conf-Ack (0x02), id 2, length 16 12:47:28.181045 PPPoE [ses 0xa] LCP, Echo-Request (0x09), id 0, length 10 12:47:28.181464 PPPoE [ses 0xa] LCP, Echo-Request (0x09), id 0, length 10 12:47:28.181638 PPPoE [ses 0xa] LCP, Term-Request (0x05), id 3, length 34 12:47:28.182984 PPPoE [ses 0xa] LCP, Echo-Reply (0x0a), id 0, length 10 12:47:28.182992 PPPoE [ses 0xa] LCP, Term-Ack (0x06), id 3, length 6 12:47:31.217784 PPPoE PADT [ses 0xa] [Generic-Error "RP-PPPoE: Child pppd process terminated"]> tcpdump -i eth0 ether[0x0c:2] == 0x8863 or ether[0x0c:2] == 0x8864 |
Will show you PPPoE packets. 8863 is the ether type for Active Discovery and 8864 is the ether type for PPPoE sessions.
| root@malaa-NOOR:~# tcpdump -i eth0 ether[0x0c:2] == 0x8863 or ether[0x0c:2] == 0x8864 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes ^C 0 packets captured 0 packets received by filter 0 packets dropped by kernel root@malaa-NOOR:~#root@debian-test2:~# tcpdump pppoes -i eth0 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytesPPPoE [ses 0xd5f] LCP, Conf-Request (0x01), id 1, length 16 PPPoE [ses 0xd5f] LCP, Conf-Request (0x01), id 233, length 21 PPPoE [ses 0xd5f] LCP, Conf-Ack (0x02), id 1, length 16 PPPoE [ses 0xd5f] LCP, Conf-Ack (0x02), id 233, length 21 PPPoE [ses 0xd5f] LCP, Echo-Request (0x09), id 0, length 10 PPPoE [ses 0xd5f] CHAP, Challenge (0x01), id 1, Value 596b047f0ae432c659d3fa87664b9876, Name a919-arb01 PPPoE [ses 0xd5f] CHAP, Response (0x02), id 1, Value c9cf76a0089b655f54fd5433ad34420b, Name EXAMPLE@example PPPoE [ses 0xd5f] LCP, Echo-Reply (0x0a), id 0, length 10 PPPoE [ses 0xd5f] CHAP, Success (0x03), id 1, Msg CHAP authentication success, unit 8020 PPPoE [ses 0xd5f] IPCP, Conf-Request (0x01), id 29, length 12 PPPoE [ses 0xd5f] IPCP, Conf-Request (0x01), id 1, length 12 PPPoE [ses 0xd5f] IPCP, Conf-Ack (0x02), id 29, length 12 PPPoE [ses 0xd5f] IPCP, Conf-Nack (0x03), id 1, length 12 PPPoE [ses 0xd5f] IPCP, Conf-Request (0x01), id 2, length 12 PPPoE [ses 0xd5f] IPCP, Conf-Ack (0x02), id 2, length 12 PPPoE [ses 0xd5f] LCP, Echo-Request (0x09), id 0, length 10 PPPoE [ses 0xd5f] LCP, Echo-Reply (0x0a), id 0, length 10 root@malaa-NOOR:~# tcpdump -vv -n -e pppoes -i eth0 |
#############################################################################################
Filter on encapsulated content (ICMP within PPPoE)
Capturing packets from PPPoE session. For example: we mirror a link that connects xDSL modem and home PC or router. Mirrored packets are ethernet frames with PPPoE/IP packets encapsulated. In the following example, we are looking for ICMP packets in PPPoE frames. A simple command like
# tcpdump -v -n icmp
will not produce expected results, because packets that we monitor are being encapsulated into a PPPoE frames. Of course, tcpdump can't locate IP protocol == ICMP at normal offset in an ethernet frame. We must therefore take intoaccount the additional headers: 14 bytes for ethernet and 8 bytes for PPPoE. IP protocol is located at offset 9 in the IP header, which gives us offset 31 in the mirrored ethernet frame. Therefore, ICMP packets (protocol 1) are captured with
# tcpdump -v -n ether[31] = 1
| root@debian-test2:~# tcpdump -v -n ether[31] = 1 tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 12:42:33.751713 unknown STP version, length 67 12:42:36.884914 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.0.1 is-at 00:21:55d:29:e0, length 46 12:42:46.607865 unknown STP version, length 67 12:42:59.864181 unknown STP version, length 67 12:43:12.570469 unknown STP version, length 67 ^C 5 packets captured 6 packets received by filter 0 packets dropped by kernel root@debian-test2:~# root@malaa-NOOR:~# tcpdump -vv -e -n ether[31] = 1 tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 23:33:57.782950 00:21:55d:29:e0 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.0.69 tell 192.168.0.1, length 46 23:33:59.621120 00:21:55d:29:e0 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.0.174 tell 192.168.0.1, length 46 23:34:00.995243 00:21:55d:29:e0 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.0.210 tell 192.168.0.1, length 46 23:34:01.788132 2c:41:383:3d:14 > 01:80:c2:00:00:21, 802.3, length 84: LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: unknown STP version, length 67 23:34:02.782481 00:21:55d:29:e0 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.0.69 tell 192.168.0.1, length 46 ^C 5 packets captured 5 packets received by filter 0 packets dropped by kernel root@malaa-NOOR:~# |
