tcpdump (examples)

More tcpdump examples

Capture all ICMP packets with some exceptions. For example, if a host sends lots of pings (SmokePing, for instance), it is useful to suppress ICMP echo requests (type 8) and echo replies (type 0) from the dumped packets; the ICMP type is the first byte of the ICMP header, icmp[0]:

: root@myhost:~# tcpdump -n icmp and 'icmp[0] != 8 and icmp[0] != 0'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:05:02.338826 IP 10.10.33.34 > 10.10.121.2: icmp 36: time exceeded in-transit
10:05:02.587494 IP 10.10.144.66 > 10.10.121.2: icmp 36: host 10.10.144.69 unreachable - admin prohibited filter
10:05:02.699110 IP 10.10.153.118 > 10.10.121.2: icmp 36: host 10.10.153.122 unreachable - admin prohibited filter
10:05:04.319451 IP 10.10.33.34 > 10.10.121.2: icmp 36: time exceeded in-transit
10:05:07.363278 IP 10.10.148.138 > 10.10.121.2: icmp 36: host 10.10.148.138 unreachable - admin prohibited filter
10:05:10.220491 IP 10.10.33.34 > 10.10.121.2: icmp 36: time exceeded in-transit
10:05:10.476082 IP 10.10.144.66 > 10.10.121.2: icmp 36: host 10.10.144.69 unreachable - admin prohibited filter
10:05:10.638611 IP 10.10.153.118 > 10.10.121.2: icmp 36: host 10.10.153.122 unreachable - admin prohibited filter

8 packets captured
8 packets received by filter
0 packets dropped by kernel

The same filter can be written with tcpdump's predefined header field offset (icmptype) and ICMP type values (icmp-echo and icmp-echoreply):

: root@myhost:~# tcpdump -n icmp and icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply

Capture all IP packets with a non-zero TOS field (the one-byte TOS field is at offset 1 in the IP header):

: root@myhost:~# tcpdump -v -n ip and ip[1]!=0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:40:03.422052 IP (tos 0x10, ttl  64, id 58534, offset 0, flags [DF], proto 6, length: 100) 10.10.121.2.ssh > 10.10.1.240.33006: P 166745014:16674506
10:40:03.422189 IP (tos 0x10, ttl  64, id 58536, offset 0, flags [DF], proto 6, length: 164) 10.10.121.2.ssh > 10.10.1.240.33006: P 48:160(112) ack 1
10:40:03.422325 IP (tos 0x10, ttl  64, id 58538, offset 0, flags [DF], proto 6, length: 308) 10.10.121.2.ssh > 10.10.1.240.33006: P 160:416(256) ack 1
10:40:03.422906 IP (tos 0x10, ttl  62, id 29167, offset 0, flags [DF], proto 6, length: 52) 10.10.1.240.33006 > 10.10.121.2.ssh: . [tcp sum ok] ack 48
...

Capture all IP packets with a TTL below some value (the one-byte TTL field is at offset 8 in the IP header):

: root@myhost:~# tcpdump -v ip and 'ip[8]<2'
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:30:51.013620 IP (tos 0xc0, ttl   1, id 44119, offset 0, flags [none], proto 2, length: 28) ltest1.arnes.si > 239.255.255.255: igmp v2 report 239.25
10:30:54.035124 IP (tos 0xc0, ttl   1, id 44120, offset 0, flags [none], proto 2, length: 28) ltest1.arnes.si > CISCO-RP-DISCOVERY.MCAST.NET: igmp v2
10:30:56.049046 IP (tos 0xc0, ttl   1, id 44121, offset 0, flags [none], proto 2, length: 28) ltest1.arnes.si > SAP.MCAST.NET: igmp v2 report SAP.MCAS
10:30:56.051242 IP (tos 0xc0, ttl   1, id 44122, offset 0, flags [none], proto 103, length: 726) ltest1.arnes.si > PIM-ROUTERS.MCAST.NET: PIMv2, lengt
        Join / Prune (3), upstream-neighbor: rarnes13-F2-0x200.arnes.si
          1 group(s), holdtime: 3m30s
            group #1: SAP.MCAST.NET, joined sources: 85, pruned sources: 0
              joined source #1: hayakawa.lava.net(S)
              joined source #2: 64.251.62.34(S)
              joined source #3: 64.251.62.35(S)
              joined source #4: 64.251.62.36(S)
              joined source #5: ...)

4 packets captured
4 packets received by filter
0 packets dropped by kernel

Catch TCP SYN packets:

: root@myhost:~# tcpdump -n tcp and port 80 and 'tcp[tcpflags] & tcp-syn == tcp-syn'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:15:00.302219 IP 10.10.1.240.33111 > 10.10.121.2.http: S 3284556452:3284556452(0) win 5840 <mss 1460,sackOK,timestamp 16261279 0,nop,wscale 10>
13:15:00.302272 IP 10.10.121.2.http > 10.10.1.240.33111: S 975107341:975107341(0) ack 3284556453 win 32767 <mss 1460,sackOK,timestamp 2432550825 16261

In the example above, all packets with the TCP SYN flag set are captured; other flags (ACK, for example) may be set as well. Packets with only the SYN flag set can be captured like this:

: root@myhost:~# tcpdump tcp and port 80 and 'tcp[tcpflags] == tcp-syn'

Catch TCP SYN/ACK packets (typically, responses from servers):

: root@myhost:~# tcpdump -n tcp and 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode 
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:30:19.501816 IP 10.10.121.2.ssh > 10.10.1.240.33114: S 1940763772:1940763772(0) ack 4250485572 win 32767 <mss 1460,sackOK,timestamp 2433470257 1718

The same thing:

: root@myhost:~# tcpdump -n tcp and 'tcp[tcpflags] & tcp-syn == tcp-syn' and 'tcp[tcpflags] & tcp-ack == tcp-ack'

Catch packets of a specified length (the 16-bit IP packet length field is at offset 2 in the IP header):

: root@myhost:~# tcpdump -l icmp and '(ip[2:2]>50)' -w - |tcpdump -r - -v ip and '(ip[2:2]<60)'
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
reading from file -, link-type EN10MB (Ethernet)
11:03:59.420856 IP (tos 0x0, ttl 249, id 0, offset 0, flags [none], proto 1, length: 56) lpttlj3-tk.arnes.si > myhost.arnes.si: icmp 36: time exceeded
11:04:02.274135 IP (tos 0x0, ttl 251, id 17095, offset 0, flags [none], proto 1, length: 56) rsik-orm.arnes.si > myhost.arnes.si: icmp 36: host rsik-o
11:04:05.452802 IP (tos 0x0, ttl 249, id 34021, offset 0, flags [none], proto 1, length: 56) 10.10.144.66 > myhost.arnes.si: icmp 36: host ro-mislinja
11:04:05.496384 IP (tos 0x0, ttl 251, id 4071, offset 0, flags [none], proto 1, length: 56) rs-sb-mb.arnes.si > myhost.arnes.si: icmp 36: host ss-sb-m
<^C>
814 packets captured
814 packets received by filter
0 packets dropped by kernel
tcpdump: pcap_loop: error reading dump file: Interrupted system call

Remark: due to a bug in tcpdump, the following command does not catch packets as expected:

: root@myhost:~# tcpdump -v -n icmp and '(ip[2:2]>50)' and '(ip[2:2]<60)'
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
[no output]
Because of this, two tcpdumps were used in the example above (tcpdump -l ... -w - | tcpdump -r - ...). Option -l is needed to make the first tcpdump pass captured data to the second one immediately instead of buffering it.

Capturing packets from a PPPoE session. For example, we mirror the link between an xDSL modem and a home PC or router. The mirrored packets are Ethernet frames carrying PPPoE-encapsulated IP packets. In the following example we are looking for ICMP packets inside PPPoE frames. A simple command like

: root@myhost:~# tcpdump -v -n icmp

will not produce the expected results, because the packets we monitor are encapsulated in PPPoE frames, so tcpdump cannot find IP protocol == ICMP at its normal offset in an Ethernet frame. We must therefore take the additional headers into account: 14 bytes for Ethernet and 8 bytes for PPPoE. The IP protocol field is at offset 9 in the IP header, which gives offset 31 in the mirrored Ethernet frame. ICMP packets (protocol 1) are therefore captured with

: root@myhost:~# tcpdump -v -n ether[31] = 1
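Every filter on this page works the same way: compare one or two bytes at a fixed offset into the frame. The following Python is an added illustration, not part of the original page: it evaluates the page's expressions (ICMP type exclusion, SYN-set versus SYN-only, the ip[2:2] length range, and the offset-31 PPPoE rule) over constructed Ethernet, TCP, ICMP and PPPoE frames, so the arithmetic can be checked without a live capture. All packets and helper names here are my own constructions; addresses are the page's 10.10.121.2 and 10.10.1.240.

```python
import struct

# Header sizes and field offsets the page relies on (IPv4 offsets are relative to the IP header).
ETH_LEN, PPPOE_LEN = 14, 8            # 14 Ethernet; 6 PPPoE session header + 2 PPP protocol id
IP_LEN, IP_PROTO = 2, 9               # ip[2:2] total length, ip[9] protocol
ICMP_ECHOREPLY, ICMP_ECHO = 0, 8      # tcpdump's icmp-echoreply / icmp-echo
TCP_SYN, TCP_ACK = 0x02, 0x10         # tcpdump's tcp-syn / tcp-ack bits of tcp[13]

# --- constructed sample packets (none of these are captures from the page) ---
def ipv4(proto, payload, ttl=64, tos=0):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0x4000,
                      ttl, proto, 0, bytes([10, 10, 121, 2]), bytes([10, 10, 1, 240]))
    return hdr + payload

def icmp(icmp_type, extra=b""):       # 8-byte ICMP header plus optional quoted data
    return struct.pack("!BBHI", icmp_type, 0, 0, 0) + extra

def tcp(flags):                       # 20-byte TCP header, flags byte at offset 13
    return struct.pack("!HHIIBBHHH", 33111, 80, 1, 0, 5 << 4, flags, 5840, 0, 0)

def eth(payload, ethertype=0x0800):   # 14-byte Ethernet header with zeroed MACs
    return bytes(12) + struct.pack("!H", ethertype) + payload

def pppoe(ip_packet):                 # PPPoE session frame: ethertype 0x8864, then PPP proto 0x0021 (IPv4)
    hdr = struct.pack("!BBHH", 0x11, 0x00, 1, len(ip_packet) + 2) + b"\x00\x21"
    return eth(hdr + ip_packet, 0x8864)

# --- the page's filters, evaluated as BPF does: by byte offset into the frame ---
def is_ip(frame):                     # tcpdump's 'ip' keyword checks Ethernet type 0x0800 first
    return frame[12:14] == b"\x08\x00"

def l4(frame):                        # start of the transport header (IHL-aware, like icmp[0] / tcp[13])
    return ETH_LEN + (frame[ETH_LEN] & 0x0F) * 4

def icmp_not_echo(frame):             # icmp and 'icmp[0] != 8 and icmp[0] != 0'
    return is_ip(frame) and frame[ETH_LEN + IP_PROTO] == 1 \
        and frame[l4(frame)] not in (ICMP_ECHO, ICMP_ECHOREPLY)

def tcp_syn_set(frame):               # 'tcp[tcpflags] & tcp-syn == tcp-syn': SYN and SYN/ACK both match
    return is_ip(frame) and frame[ETH_LEN + IP_PROTO] == 6 and (frame[l4(frame) + 13] & TCP_SYN) == TCP_SYN

def tcp_syn_only(frame):              # 'tcp[tcpflags] == tcp-syn': pure SYN only
    return is_ip(frame) and frame[ETH_LEN + IP_PROTO] == 6 and frame[l4(frame) + 13] == TCP_SYN

def ip_len_between(frame, lo, hi):    # ip and '(ip[2:2]>lo)' and '(ip[2:2]<hi)'
    return is_ip(frame) and lo < int.from_bytes(frame[ETH_LEN + IP_LEN:ETH_LEN + IP_LEN + 2], "big") < hi

def pppoe_icmp(frame):                # ether[31] = 1: IP protocol byte at 14 + 8 + 9 in a PPPoE session frame
    return frame[ETH_LEN + PPPOE_LEN + IP_PROTO] == 1
```

Note that the plain `icmp` filter (is_ip plus ip[9]) never matches the PPPoE frame, because the Ethernet type is 0x8864 rather than 0x0800, which is exactly why the page falls back to a raw ether[] offset.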

-- MatjazStraus - 01 Oct 2007

Topic revision: r3 - 2007-10-01 - MatjazStraus
Copyright © 2004-2009 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.