“tcpdump”: Installation and Options

tcpdump is the de facto packet capture tool for Linux, Unix and similar systems. Its usage is outlined below.

Installation is very often not required as it is bundled with most operating systems; if not, there are various ways to install it, such as apt-get install or yum install, or you can download the source and compile it accordingly.

To run tcpdump, you simply need to run the command “tcpdump” from the CLI, as such:

root@SRM-TAC-2010:~# tcpdump

There are many tcpdump flags which are useful options; a list of them can be found here [13].

Normal usage would be:

1. List all interfaces we are able to listen on, using the command:

root@SRM-TAC-2010:~# tcpdump -D

This will give you an output such as:

root@SRM-TAC-2010:~# tcpdump -D
1.eth0
2.any (Pseudo-device that captures on all interfaces)
3.lo

As above, the NIC we want to listen on is “eth0”, as the other two are “all NICs” (the any pseudo-device) and the loopback interface. As such, we note the integer on the far left, in this example “1”.

2. Now that we know we want to listen on interface “1”, we run the command:

root@SRM-TAC-2010:~# tcpdump -i 1

This will kick off the tcpdump capture on interface 1 (eth0), giving an output like so:

root@SRM-TAC-2010:~# tcpdump -i 1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

[traffic removed for blog]

10 packets captured
13 packets received by filter
0 packets dropped by kernel

3. Obviously, we don't want to output it to the terminal, as it's very hard to process in tools such as Wireshark and we don't want to be copying and pasting etc. So we run the command using the -w switch, which tells the program to write (-w) to the file specified directly after it (the parameter), as such:

root@SRM-TAC-2010:~# tcpdump -i 1 -w outputfile.txt

This will write the packets to the file “outputfile.txt” in the directory you are running the program FROM, i.e. in my example here I am in the directory /root running the command “tcpdump”, therefore my “outputfile.txt” is saved as /root/outputfile.txt. If I wanted to, I could create “/root/files/”, change directory there (“cd /root/files/”) and then run the command, and the capture would be saved there.

If you try to open “outputfile.txt” in vi, cat, etc. you will see something along the lines of:

Ôò¡???*?½?E :#&à–›#P?úð€`

However, if you rename it from “outputfile.txt” to “outputfile.cap”, you can then open it in Wireshark no problem at all for analysis.

4. However, in Wireshark, if you run the command above, you may see the following packet header errors:

No.	Time	Source	Destination	Protocol	Info
14	0.001629	10.1.1.102	10.1.3.42	SMB	NT Trans Response, <unknown>[Packet size limited during capture]

This is down to the “snarf” (-s) option of the program, i.e. the snaplen. If the capture size is left at the default (96) it should be OK for IP/TCP/ICMP/UDP, but may give errors on things such as SMB, etc. You may need to increase the snarf (snaplen) to avoid seeing this error message; using “-s 150” I haven't run into any errors so far. To use the -s flag, use the following:

root@SRM-TAC-2010:~# tcpdump -i 1 -s 150 -w outputfile.txt

This will result in packet captures that are actually usable in Wireshark, as below:

No.	Time	Source	Destination	Protocol	Info
14	0.001500	10.1.1.102	10.1.3.42	SMB	NT Trans Response, NT NOTIFY
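To see what the snaplen actually does to the saved file, here is an added Python example (not from the original post and not tcpdump's own code) that builds a small constructed pcap file in memory with a given snaplen, then parses the global header and each packet record. The magic number in the first four bytes is why cat shows garbage for “outputfile.txt”, and a record whose saved length (incl_len) is smaller than its on-wire length (orig_len) is exactly the condition Wireshark flags as “Packet size limited during capture”. The packet sizes used (60, 96 and 1514 bytes) and the filler contents are constructed sample values, not a real capture.

```python
import struct

# libpcap "classic" file format, as written by tcpdump -w
PCAP_MAGIC = 0xA1B2C3D4          # magic number; its byte order on disk reveals the endianness
GLOBAL_HEADER_FMT = "IHHiIII"    # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_FMT = "IIII"       # ts_sec, ts_usec, incl_len (caplen), orig_len
LINKTYPE_ETHERNET = 1            # EN10MB, as tcpdump reports for eth0


def build_sample_pcap(snaplen, packet_lengths, byte_order="<"):
    """Construct an in-memory pcap file (constructed test data, not a real capture).

    Each packet is filler bytes; incl_len is clamped to snaplen, exactly as
    tcpdump clamps it when -s is smaller than the frame seen on the wire.
    """
    out = bytearray(struct.pack(byte_order + GLOBAL_HEADER_FMT,
                                PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for i, orig_len in enumerate(packet_lengths):
        incl_len = min(orig_len, snaplen)
        out += struct.pack(byte_order + RECORD_HEADER_FMT, 1000 + i, 0, incl_len, orig_len)
        out += bytes([0xAB]) * incl_len  # constructed filler standing in for frame bytes
    return bytes(out)


def detect_byte_order(data):
    """Return '<' or '>' from the magic number, or None if this is not a pcap file."""
    if len(data) < 4:
        return None
    for order in ("<", ">"):
        if struct.unpack(order + "I", data[:4])[0] == PCAP_MAGIC:
            return order
    return None


def parse_pcap(data):
    """Parse a pcap byte string into (snaplen, linktype, records).

    Each record is a dict with caplen, origlen and a 'truncated' flag that is
    True when fewer bytes were saved than were on the wire.
    """
    order = detect_byte_order(data)
    if order is None:
        raise ValueError("not a pcap file (bad magic number)")
    gh_size = struct.calcsize(order + GLOBAL_HEADER_FMT)
    _, _, _, _, _, snaplen, linktype = struct.unpack(order + GLOBAL_HEADER_FMT, data[:gh_size])
    rh_size = struct.calcsize(order + RECORD_HEADER_FMT)
    records = []
    pos = gh_size
    while pos + rh_size <= len(data):
        _, _, caplen, origlen = struct.unpack(order + RECORD_HEADER_FMT, data[pos:pos + rh_size])
        pos += rh_size
        if pos + caplen > len(data):
            raise ValueError("damaged pcap: record %d runs past end of file" % (len(records) + 1))
        records.append({"caplen": caplen, "origlen": origlen, "truncated": caplen < origlen})
        pos += caplen
    return snaplen, linktype, records


def truncated_packet_numbers(data):
    """1-based numbers (matching Wireshark's No. column) of packets cut short by the snaplen."""
    _, _, records = parse_pcap(data)
    return [i + 1 for i, r in enumerate(records) if r["truncated"]]


if __name__ == "__main__":
    sample = build_sample_pcap(96, [60, 96, 1514])
    print("magic bytes on disk:", sample[:4].hex())   # why cat/vi show garbage
    snaplen, linktype, records = parse_pcap(sample)
    print("snaplen=%d linktype=%d" % (snaplen, linktype))
    for number, record in enumerate(records, 1):
        print(number, record)
    print("packets limited during capture:", truncated_packet_numbers(sample))
```

Running the block prints the magic bytes, the snaplen stored in the header and which packets were cut short; the same truncation check run over a real file (read it with open(path, "rb")) tells you whether a larger -s value is needed before you open it in Wireshark. Recent tcpdump versions default to a 262144-byte snaplen, which is also what -s 0 selects, so the 96-byte default described above applies to older versions.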

5. We may be inclined to use the option “-vvv” (“even more, even more verbose”) – this will give us more in-depth information on the packets, i.e. printing telnet options in hex etc. – the command syntax is as below:

root@SRM-TAC-2010:~# tcpdump -i 1 -s 150 -w outputfile.txt -vvv

This should give a very readable, useful packet capture. Finally, we may wish to limit the number of packets we capture; we can do this using the -c (lowercase c) flag, as such:

root@SRM-TAC-2010:~# tcpdump -i 1 -s 150 -w outputfile.txt -vvv -c 15000

This will limit the number of packets captured to 15000.

Hope this helps!

Sam