18.12.2024

Tcpdump: how to use and examples

An infrastructure made up of many different devices has to be kept both working and secure. Network traffic, external and internal alike, is one of the main sources of threats, and without a way to analyse and monitor it, attacks and system faults can go unnoticed until they cause real damage.

In this article, we will look at how to collect and more effectively analyse network traffic on a machine using the tcpdump + wireshark toolkit on Linux and Windows.

How is traffic sniffing done?

tcpdump does not sit in the path of the connections it shows; it receives copies. Through the pcap library (libpcap) it opens a raw capture socket on the interface (AF_PACKET on Linux, BPF on the BSDs and macOS) and, by default, switches the adapter into promiscuous mode so that frames addressed to other hosts on the segment are delivered as well. The kernel hands a copy of every frame to that socket as it enters or leaves the driver, so what you see is the packet as it crossed the wire, not what the application layer made of it. One caveat: when checksum or segmentation offload is enabled on the NIC, outgoing packets are copied before the hardware finishes them, so a capture on the sending host may show "bad checksum" or segments larger than the MTU. That is an artefact of capturing on the sender, not a sign of tampering.

Screenshot №1 - Schema

Wireshark then dissects each captured packet protocol by protocol and presents the result in a searchable, filterable view of the conversations, which is far more convenient than raw tcpdump output for anything beyond a quick look.

Collecting and analysing network traffic

Let's determine the layout of our infrastructure and the machines from which we will intercept connections:

Beyond the standard packages of the distribution we need only tcpdump and Wireshark.

The usual split is tcpdump on the servers (it is small, headless and frequently already installed) and Wireshark on the workstation where the captures are analysed.

tcpdump is usually present already; Wireshark normally has to be installed. On deb-based systems:

apt update && apt install tcpdump wireshark -y

During installation the wireshark-common package asks whether non-superusers should be able to capture packets. Answer yes and add your account to the wireshark group (log out and in again afterwards); otherwise use Wireshark only to open files and do the capturing with tcpdump.

For rpm-based systems the command looks like this (the package with only the command-line tools, such as tshark, is called wireshark-cli there):

dnf install tcpdump wireshark -y

Let's go through the main features of tcpdump: options, filters and modes of operation. First, list the interfaces available for capture (tcpdump -D shows the same list from libpcap's point of view):

ip a

Screenshot №2 - List of ip

To capture on a single interface, name it with the -i option (tcpdump needs root or the CAP_NET_RAW capability):

sudo tcpdump -i enp0s5

Screenshot №3 - Raw traffic

The live output is as voluminous as the traffic itself, so nothing can be analysed in this form. Two things narrow it down: the -w option writes the raw packets to a file for later analysis instead of printing them, and a capture filter, a BPF expression, limits what is captured in the first place.

Filter primitives such as host, net, port, tcp and udp are linked by the operators and, or and not (also written &&, || and !) and may be grouped with parentheses; quote the expression so the shell does not interpret it. By default tcpdump also resolves addresses and ports to names, which slows the capture and generates DNS traffic of its own; -n (addresses) or -nn (addresses and ports) switches that off.

For example, I am interested in my SSH connection, so the filter is tcp port 22 (port matches either direction):

sudo tcpdump -i enp0s5 -nn 'tcp port 22'

If you run this over the very SSH session you are filtering for, every line printed travels over SSH and produces new port-22 packets, which produce new lines. Exclude your own client with and not host <your address>, or write to a file with -w instead of printing.

Screenshot №4 - Filtering

Instead of thousands of packets there are now only a few. When the whole picture is needed, record everything from all interfaces with -i any, a pseudo-interface that receives the traffic of every interface (on Linux it uses the "cooked" link type, so the frames carry a synthetic link-layer header rather than the real Ethernet one), and write it to a file with -w; -c N stops the capture after N packets:

sudo tcpdump -i any -nn -w /path-to-file

To view the recorded traffic on the same machine, read the file back with -r; the same filter syntax can be applied while reading:

tcpdump -nn -r /path-to-file

Screenshot №5 - Read traffic

Copy the file to the workstation (with scp, for example) and open it in Wireshark:

Screenshot №6 - Read traffic in Wireshark

Wireshark's display filters use a different syntax from tcpdump's capture filters, but the logic is the same. To hide everything involving three addresses, for example:

((!(ip.addr == 46.191.184.42)) && !(ip.addr == 172.23.0.2)) && !(ip.addr == 172.23.0.3)

Negate with !(ip.addr == x) rather than ip.addr != x: ip.addr tests both the source and the destination address, so ip.addr != x is true for nearly every packet (at least one of the two addresses differs), whereas !(ip.addr == x) drops every packet that involves x. The brackets around each expression are not required by the parser, but they make the precedence obvious. To inspect a payload in Wireshark, select the packet and expand its dissection in the details pane (or right-click it and choose Follow > TCP Stream); with tcpdump, add -A to print the payload as ASCII (or -X for hex and ASCII) when reading the file:

tcpdump -nn -A -r /path-to-file

Screenshot №7 - Read traffic information
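To make the file-based workflow above concrete, here is an added example (not code from the original article or from the tcpdump project): a minimal pcap writer and reader in pure Python. It shows what -w produces and -r consumes, implements the semantics of a capture filter such as tcp port 22 and not host 172.23.0.3, and prints the surviving payloads the way -A does. Every address, port and payload in it is constructed test data; the 172.23.0.x addresses are borrowed from the screenshots only for familiarity.

```python
# Added example, not code from the original article: a minimal pcap
# writer/reader in pure Python. It shows what `tcpdump -w` produces, what
# `tcpdump -r` consumes, and how a capture filter such as
# `tcp port 22 and not host 172.23.0.3` decides which packets survive.
# Every address, port and payload below is constructed test data.
import struct
import socket

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_frame(src_ip, dst_ip, sport, dport, payload, seq=1):
    """Construct an Ethernet/IPv4/TCP frame. Checksums are left zero:
    tcpdump and Wireshark still parse the frame, they just flag it."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      5 << 4, 0x18, 65535, 0, 0)         # 20-byte header, PSH|ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def encode_pcap(frames):
    """Serialise frames as a pcap file: 24-byte global header, then a
    16-byte record header in front of every packet (what `tcpdump -w` writes)."""
    out = [struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("=IIII", 1700000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_pcap(data):
    """Yield (timestamp, frame) from pcap bytes, the job `tcpdump -r` does."""
    (magic,) = struct.unpack("=I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("not a native-order, microsecond pcap file")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("=IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode(frame):
    """Parse Ethernet/IPv4/TCP headers; non-IPv4 frames return None."""
    if frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    pkt = {"src": socket.inet_ntoa(frame[26:30]),
           "dst": socket.inet_ntoa(frame[30:34]),
           "proto": frame[23]}
    if pkt["proto"] == 6:                                # TCP
        tcp = frame[14 + ihl:]
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", tcp[:4])
        pkt["payload"] = tcp[(tcp[12] >> 4) * 4:]        # skip header incl. options
    return pkt


def matches(pkt, port, exclude_host):
    """The BPF expression `tcp port PORT and not host EXCLUDE`: `port` matches
    either direction, `host` matches source or destination."""
    if pkt is None or pkt["proto"] != 6:
        return False
    if exclude_host in (pkt["src"], pkt["dst"]):
        return False
    return port in (pkt["sport"], pkt["dport"])


def filtered_payloads(data, port=22, exclude_host="172.23.0.3"):
    """Replay a capture through the filter; return the survivors as
    `src.port > dst.port: ascii payload`, roughly what `tcpdump -A -r` prints."""
    lines = []
    for _ts, frame in iter_pcap(data):
        pkt = decode(frame)
        if matches(pkt, port, exclude_host):
            text = pkt["payload"].decode("ascii", errors="replace")
            lines.append(f"{pkt['src']}.{pkt['sport']} > {pkt['dst']}.{pkt['dport']}: {text}")
    return lines


# Constructed sample: two SSH hosts, the operator's own workstation
# (172.23.0.3, excluded exactly as `not host` would) and one HTTP request.
SAMPLE_CAPTURE = encode_pcap([
    build_frame("172.23.0.2", "172.23.0.10", 51000, 22, b"SSH-2.0-client"),
    build_frame("172.23.0.10", "172.23.0.2", 22, 51000, b"SSH-2.0-server"),
    build_frame("172.23.0.3", "172.23.0.10", 51001, 22, b"SSH-2.0-operator"),
    build_frame("172.23.0.2", "172.23.0.10", 51002, 80, b"GET / HTTP/1.1\r\n"),
])

if __name__ == "__main__":
    with open("example.pcap", "wb") as f:       # open it with `tcpdump -nn -r example.pcap`
        f.write(SAMPLE_CAPTURE)
    for line in filtered_payloads(SAMPLE_CAPTURE):
        print(line)
```

Running the script writes example.pcap, which both `tcpdump -nn -r example.pcap` and Wireshark open; both will flag the zero checksums, the same warning you see on live captures of outgoing packets when checksum offload is enabled. The filter function is the part to study: host and port match either end of the packet, which is why excluding your own workstation needs not host rather than a source-only test.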

The same approach verifies which devices actually talk to each other and what they transmit: unexpected destinations, cleartext credentials, traffic on ports nothing should be using, or malformed packets are visible immediately in a capture, which is why packet capture is the first stop in both incident response and troubleshooting. In this article we looked at how to capture traffic with tcpdump and analyse it with Wireshark.

These commands give you a full capture and a filtered view of the connections you asked about. If your own hardware lacks the resources, you can run the analysis on a cloud server: Serverspace provides isolated VPS / VDS servers for general-purpose and virtualised workloads.

Screenshot №9 — Create Server