Download as PDF, PPTX
![What is tcpdump?
Capture
[Save]
Filter
Show and explain](https://image.slidesharecdn.com/echo-tcpdump-120814224838-phpapp02/85/Introduction-to-tcpdump-2-320.jpg)
![Timestamp L3 protocol
(-tt, -ttt, -tttt) Output (IP, GRE, etc)
Relative TCP
ack number
src host src port dst host & port
TCP Flags Relative TCP Advertised TCP
(S, F, R) sequence number
1343949078.196214 IP window size
216.218.215.245.61966 > 50.18.0.102.80:
Flags [P.], seq 1:473, ack 1, win 8265,
options [nop,nop,TS val 808617737 ecr
1091126708], length 472
List of TCP Payload length
options (e.g. wscale)](https://image.slidesharecdn.com/echo-tcpdump-120814224838-phpapp02/85/Introduction-to-tcpdump-11-320.jpg)
![What is tcpdump?
Capture
[Save]
Filter
Show and explain](https://image.slidesharecdn.com/echo-tcpdump-120814224838-phpapp02/75/Introduction-to-tcpdump-2-2048.jpg)
![Timestamp L3 protocol
(-tt, -ttt, -tttt) Output (IP, GRE, etc)
Relative TCP
ack number
src host src port dst host & port
TCP Flags Relative TCP Advertised TCP
(S, F, R) sequence number
1343949078.196214 IP window size
216.218.215.245.61966 > 50.18.0.102.80:
Flags [P.], seq 1:473, ack 1, win 8265,
options [nop,nop,TS val 808617737 ecr
1091126708], length 472
List of TCP Payload length
options (e.g. wscale)](https://image.slidesharecdn.com/echo-tcpdump-120814224838-phpapp02/75/Introduction-to-tcpdump-11-2048.jpg)
Uploaded byLev Walkin
Introduction to tcpdump
This document provides an overview of the tcpdump network traffic analysis tool. It discusses how tcpdump can be used to capture and filter network packets, highlights some common workflows and options, describes the underlying Berkeley Packet Filter (BPF) architecture, and addresses some common issues and questions. The key points are: - Tcpdump allows users to capture and filter live network traffic or read from saved packet capture (pcap) files. - Common options include -n to disable DNS resolution for faster display, -s1500 to set the snapshot length, -X to print packets in hex/ascii, and various filters like port 80. - Workflows include online analysis of live traffic or offline analysis of saved captures
More Related Content
Introduction to tcpdump
- 1. tcpdump capturing network traffic Lev Walkin @levwalkin
- 2. What is tcpdump? Capture [Save] Filter Showand explain
- 3. Why tcpdump? Universal fileformat (.pcap) Universal filter expression Can work on remote hosts
- 4. Quick start “No DNS” “Hex dump” faster display display payload tcpdump -n -s 1500 -X “Packet size” fuller capture
- 5. Header tcpdump -Xns0 HEX ASCII (-X) (-A) ...next
- 6. Workflow 1: Online analysis Fast (-n), full (-s0), with dump (-X), ...and filter: tcpdump -Xns0 port 80
- 7. Workflow 2: Offline analysis Full (-s0), write to a file (-w), then read: tcpdump -s0 -w abc.pcap port 80 tcpdump -nXr abc.pcap host nweb30
- 8. Architecture tcpdump tcpdump.exe libpcap.so BPF libpcap.a /dev/bpf0 ??? BPF BSD Kernel $OS Kernel
- 9. BPF: Berkeley PacketFilter The human readable filter is converted to a bytecode (-d), sent to kernel. Efficient. http://www.tcpdump.org/ papers/bpf-usenix93.pdf
- 10. Filter language and, or port80 host nweb30 ‘src host localhost and dst port 80’
- 11. Timestamp L3 protocol (-tt, -ttt, -tttt) Output (IP, GRE, etc) Relative TCP ack number src host src port dst host & port TCP Flags Relative TCP Advertised TCP (S, F, R) sequence number 1343949078.196214 IP window size 216.218.215.245.61966 > 50.18.0.102.80: Flags [P.], seq 1:473, ack 1, win 8265, options [nop,nop,TS val 808617737 ecr 1091126708], length 472 List of TCP Payload length options (e.g. wscale)
- 12. WTFs (0/3) tcpdump: nosuitable device found Use sudo or check /dev/bpf* permissions
- 13. WTFs (1/3) Output islaggy? Disable DNS resolution (-n) Or save to a file (-w)
- 14. WTFs (2/3) Nothing happens? Selecta proper interface (-i ppp0)
- 15. WTFs (3/3) Want tocut-n-paste HTML? Use ASCII output (-A), or save to .pcap (-r) and fire up vim.
- 16. RFCs IP: RFC791 TCP: RFC793,1122 DNS: RFC1034, 1035 Many short overviews exist!
- 17. See also WireShark (GUI) SSLdump(decrypt HTTPS) tcpflow (split by TCP flow) libpcap (C interface) lionet.info/ipcad
- 18. RTFM man pcap-filter man tcpdump manpcap man bpf
- 19.