TcpDump - hpaluch/hpaluch.github.io GitHub Wiki
TcpDump and friends
Here are random tips for using tcpdump.
To list capture devices:
tcpdump -D
Watch everything except SSH connections (required when you are running tcpdump from an SSH session, otherwise your own session traffic floods the output):
# CARD - monitored network card from "tcpdump -D"
# -n - disable name/service resolution
# -p - disable promiscuous mode
tcpdump -np -i CARD not tcp port 22
My favorite: monitor TCP SYN (connection attempt) requests:
tcpdump -np -i enp0s8 'tcp[13] & 31 == 2'
See https://en.wikipedia.org/wiki/Transmission_Control_Protocol for the header layout. Byte offset 13 of the TCP header holds the so-called "flags"; the value 2 is the SYN flag. Masking with 31 (0x1f) keeps only FIN, SYN, RST, PSH and ACK, so the expression matches packets that have SYN set and none of those other four (a SYN-ACK reply, which also has ACK set, does not match).
You can also use the nice utility called tcpick (install the package of the same name) that shows nicely coloured TCP packets. It uses the same filters as tcpdump.
Here vmbr2 is a NAT bridge under Proxmox VE; to see all TCP connection attempts from VMs running on the vmbr2 bridge:
tcpick -i vmbr2 -C -a '(tcp[13] & 31) == 2'
WARNING! -a will do a reverse DNS lookup to assign a name to each IP address. Use it only on a low-volume node to avoid a DoS.
Example output when booting up an Ubuntu 23 desktop:
Starting tcpick 0.2.1 at 2024-04-09 17:46 CEST
Timeout for connections is 600
tcpick: listening on vmbr2
setting filter: "(tcp[13] & 31) == 2"
2 SYN-SENT 10.10.10.130:56132 > ubuntu-content-cache-1.ps5.canonical.com:http
3 SYN-SENT 10.10.10.130:56644 > api.snapcraft.io:https
4 SYN-SENT 10.10.10.130:57926 > api.snapcraft.io:https
5 SYN-SENT 10.10.10.130:42902 > 162.213.33.48:https
The last unresolvable IP address (162.213.33.48) is metrics.ubuntu.com; you can find it with the tcpdump command below... Also, every 90 seconds there is a DNS request to connectivity-check.ubuntu.com.
Please be aware that other information leaks go through DNS (UDP or TCP port 53; both are allowed) or NTP (UDP port 123). Example showing packets that match any of:
- TCP connection attempt (SYN)
- DNS on port 53 (both UDP and TCP)
- NTP on UDP port 123
tcpdump -np -i vmbr2 '((tcp[13] & 31) == 2) or (port 53) or (udp port 123)'
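To make the two filters above concrete without needing root or a live interface, here is an added Python example (not part of this wiki page, and not tcpdump code) that re-implements the `tcp[13] & 31 == 2` test and the combined SYN/DNS/NTP filter over constructed IPv4 packets. The packet builders, the IP addresses and the port numbers are all made up for the demo; only IPv4 is handled, whereas tcpdump's `port 53` also matches IPv6.

```python
import struct

# TCP flag bits of the byte at TCP header offset 13 (RFC 793; ECE/CWR from RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
FLAG_MASK = 31  # 0x1f = FIN|SYN|RST|PSH|ACK; URG, ECE and CWR are deliberately ignored

IPPROTO_TCP, IPPROTO_UDP = 6, 17


def is_pure_syn(tcp_header: bytes) -> bool:
    """Python equivalent of the BPF expression 'tcp[13] & 31 == 2'.

    True only for a bare connection attempt: SYN set and none of FIN/RST/PSH/ACK set.
    A SYN-ACK (0x12) fails because ACK is inside the mask; an ECN-setup SYN
    (SYN|ECE|CWR = 0xC2) still matches because ECE and CWR are outside the mask,
    which is why the page's filter uses '& 31' rather than comparing the whole byte.
    """
    return (tcp_header[13] & FLAG_MASK) == SYN


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header (constructed test data; seq/ack/checksum are dummies)."""
    data_offset = 5 << 4  # 5 words = 20 bytes, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 65535, 0, 0)


def build_udp(sport: int, dport: int) -> bytes:
    """Minimal 8-byte UDP header with an empty payload (constructed test data)."""
    return struct.pack("!HHHH", sport, dport, 8, 0)


def build_ipv4(proto: int, src: str, dst: str, l4: bytes) -> bytes:
    """Minimal IPv4 header (no options, zero checksum) in front of a transport header."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    total_len = 20 + len(l4)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr + l4


def matched_clauses(packet: bytes) -> list[str]:
    """Which clauses of '((tcp[13] & 31) == 2) or (port 53) or (udp port 123)' a packet hits.

    In tcpdump syntax 'port 53' means either direction and either TCP or UDP, so it is
    checked against both ports for both protocols; 'udp port 123' is UDP only.
    An empty list means the packet would NOT be printed by the page's tcpdump command.
    """
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    l4 = packet[ihl:]
    if proto not in (IPPROTO_TCP, IPPROTO_UDP):
        return []
    sport, dport = struct.unpack("!HH", l4[:4])
    hits = []
    if proto == IPPROTO_TCP and is_pure_syn(l4):
        hits.append("tcp-syn")
    if 53 in (sport, dport):
        hits.append("dns")
    if proto == IPPROTO_UDP and 123 in (sport, dport):
        hits.append("ntp")
    return hits


# Constructed sample traffic from a hypothetical VM 10.10.10.130 (addresses are made up).
VM, PEER = "10.10.10.130", "192.0.2.10"
SAMPLES = {
    "syn to https": build_ipv4(IPPROTO_TCP, VM, PEER, build_tcp(56132, 443, SYN)),
    "syn-ack reply": build_ipv4(IPPROTO_TCP, PEER, VM, build_tcp(443, 56132, SYN | ACK)),
    "ecn syn": build_ipv4(IPPROTO_TCP, VM, PEER, build_tcp(56133, 443, SYN | ECE | CWR)),
    "established data": build_ipv4(IPPROTO_TCP, VM, PEER, build_tcp(56132, 443, PSH | ACK)),
    "dns over tcp syn": build_ipv4(IPPROTO_TCP, VM, PEER, build_tcp(40000, 53, SYN)),
    "dns over udp": build_ipv4(IPPROTO_UDP, VM, PEER, build_udp(40001, 53)),
    "ntp": build_ipv4(IPPROTO_UDP, VM, PEER, build_udp(123, 123)),
    "mdns (not covered)": build_ipv4(IPPROTO_UDP, VM, "224.0.0.251", build_udp(5353, 5353)),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:20s} -> {matched_clauses(pkt) or 'not shown'}")
```

Running it shows which constructed packets the page's combined filter would print and which it silently ignores (the mDNS sample is the kind of multicast traffic the note below refers to).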
Please note that there are still many other protocols and ways to evade this tcpdump filter, for example multicast (mDNS and others)...