GSEC Labs - bconklin-champlain/Tech-Journal GitHub Wiki
Lab 1.1 TCPDUMP
Common Commands for Tcpdump
| Command Line Parameter | Explanation |
|---|---|
| -n | Don't resolve hostnames or well-known port numbers to their service. |
| -r file | Specify an existing pcap file to read from instead of a network interface. |
| -i interface | Specify from which network interface you would like tcpdump to sniff. This generally requires administrative permissions. |
| -D | Display interfaces |
| -w file | Specify a new pcap file to place filtered packets in. |
| -s snaplen | Snapshot length, or the number of bytes to capture per packet. Default is 262,144 bytes but this may vary across platforms. |
| -c count | Number of packets to capture before tcpdump automatically exits. |
| -X | Show packet contents in hexadecimal and ASCII. |
| -e | Display Ethernet header data. |
| -v | Display verbose output |
| -# | Display line/packet number |
| expression | Specify a Berkeley Packet Filter (BPF) statement to filter traffic. |
Example Output of Tcpdump
1 21:23:57.196268 IP 10.130.8.94.57810 > 10.130.8.2.53: 44934+ [1au] PTR? 94.8.130.10.in-addr.arpa. (53)
| Example Field Output | Description |
|---|---|
| 1 | Line/Packet number |
| 21:23:57.196268 | Timestamp |
| IP | Layer 3 protocol |
| 10.130.8.94 | Source IP address |
| 57810 | Source port |
| > | Directionality indicator |
| 10.130.8.2 | Destination IP address |
| 53 | Destination port |
| 44934+ [1au] PTR? 94.8.130.10.in-addr.arpa. (53) | Domain Name System (DNS) payload information |
Finding the first TCP/IP dump
The first time tcpdump sees a TCP conversation', it prints the sequence number from the packet. On subsequent packets of the conversation, the difference between the current packet's sequence number and this initial sequence number is printed. This means that sequence numbers after the first can be interpreted as relative byte positions in the conversation's data stream (with the first data byte each direction being 1'). -S' will override this feature, causing the original sequence numbers to be output.
Common BPF Privatives and Examples
| Protocol (O) | Direction (O) | Type (O) | Value (O) | Example | Description |
|---|---|---|---|---|---|
| src | dst | host | IP address | src host 10.130.8.94 | All packets with source address of 10.130.8.94 | |
| src | dst | net | IP subnet | net 10.130.8.0/24 | All packets with source or destination address in 10.130.8.0/24 subnet | |
| tcp | udp | src | dst | port | port number | udp port 53 | All packets that are protocol UDP with source or destination port 53 |
| arp | ip | ip6 tcp | udp | icmp | icmp | All packets that are protocol icmp |