Practical Tcpdump examples?

It doesn't do any filtering, but this example creates a handy continuous packet sniffer:

tcpdump -n -C 128 -W 100 -z /home/user/compress_logs.pl -i br0 -w /home/user/packetlogs/packetlog.pcap &
  • -n don't do reverse lookup on IPs, don't convert port numbers to text descriptions, don't convert MAC addresses to names, etc.
  • -C 128 rotate capture files every 128,000,000 bytes
  • -W 100 limit the number of capture files being rotated (see -C) to 100
  • -z /home/user/compress_logs.pl run script compress_logs.pl on each rotated capture file
  • -i br0 capture on interface br0
  • -w /home/user/packetlogs/packetlog.pcap use file name /home/user/packetlogs/packetlog.pcap
  • & this is parsed by bash; indicates that the command should be run in the background (asynchronously)

Put it in /etc/rc.local to run on boot. It captures all packets on interface br0, which could be two interfaces in-line as a tap or two interfaces hooked to a passive tap, or one interface hooked to a mirrored switch port (I've used all three in practice).

It writes ~128MB files and will automatically rotate up to 100 of them. When it captures 128MB of data, it will close the file, open a new one, and fork the specified command with the old filename as an argument - in this case a little Perl script that compresses the previous capture file for quicker transfer off the IDS server.

I use this when I have to monitor a connection for a long time (like a day or two) and need to go back and find an event that occurred at a specific time. The small files are much easier to handle in Wireshark than one huge pcap file.
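The answer's compress_logs.pl is not shown on the page. What follows is an added example of a post-rotate handler written in POSIX sh, not the answer's script: tcpdump runs the command given to -z once per rotation with the just-closed savefile as its only argument (the file name packetlog.pcap01 and the manifest path below are example assumptions). Besides gzipping the file it appends one line per rotation to a manifest, so the file covering a given time window can be found later without opening every capture. If all you want is compression, tcpdump also accepts -z gzip directly.

```shell
#!/bin/sh
# Added example: post-rotate handler for "tcpdump -C ... -W ... -z handler.sh".
# tcpdump invokes it as
#     handler.sh /home/user/packetlogs/packetlog.pcap01
# with the just-closed savefile as the single argument (example name).

# MANIFEST is an assumed location; override it in the environment.
MANIFEST=${MANIFEST:-/home/user/packetlogs/manifest.txt}

# compress_rotated FILE
#   gzip FILE in place (FILE.gz remains) and record it in the manifest.
#   Returns 0 on success, 1 if FILE is missing or gzip fails.
compress_rotated() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "postrotate: no such file: $f" >&2
        return 1
    fi
    # The -W ring reuses file names, so -f overwrites a stale .gz left
    # from the previous pass around the ring instead of failing.
    gzip -9 -f "$f" || return 1
    # One manifest line per rotation: close time (UTC), compressed size,
    # path. Enough to pick the right file for a given time window later.
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(wc -c < "$f.gz" | tr -d ' ')" "$f.gz" >> "$MANIFEST"
}

# Run the handler only when invoked with an argument (tcpdump always passes one).
if [ $# -gt 0 ]; then
    compress_rotated "$1"
fi
```

Make the handler executable and owned by root; if tcpdump is started with -Z to drop privileges, the handler runs as that user, so the capture directory and the manifest must be writable by it.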


Capture only HTTP POST data:

tcpdump 'tcp[2:2] = 80 and (tcp[20:4] = 1347375956
    or tcp[24:4] = 1347375956
    or tcp[28:4] = 1347375956
    or tcp[32:4] = 1347375956
    or tcp[36:4] = 1347375956
    or tcp[40:4] = 1347375956
    or tcp[44:4] = 1347375956
    or tcp[48:4] = 1347375956
    or tcp[52:4] = 1347375956
    or tcp[56:4] = 1347375956
    or tcp[60:4] = 1347375956)'

A bit unwieldy but certainly useful. tcp[2:2] captures, starting from position 2 of the TCP header, 2 bytes (which are the port, port 80 being for HTTP traffic).

Then we want to compare the first 4 bytes of TCP data to 'POST'. The TCP header is minimum 20 (decimal) bytes, but since the TCP options are variable length, from 0 to 40 bytes (padded to a 32-bit boundary and starting at ), we have to test every 4 bytes from 20 to 60 (decimal). Finally, 1347375956 is the base10 big-endian binary representation of the ASCII text 'POST'. Use the values below for other HTTP types:

  • GET 1195725856 (includes the space after 'GET' which is needed because we are comparing with 4 bytes)
  • POST 1347375956
  • PUT 1347769376 (includes space)
  • DELETE 1145392197 (just 'DELE', actually)

For other types, convert the 4 ASCII characters to hex (you must use 4 characters exactly), then treat the hex bytes as one number and convert it to decimal. For example, POST is 50 4f 53 54. 504f5354 converted to decimal is 1347375956.
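The conversion above, as an added example that is not part of the original answer: a few POSIX sh functions that turn any HTTP method into the 4-byte constant (space-padded or truncated to exactly 4 characters, as the answer describes), print it in hex and decimal, and generate the filter string. method_filter_unrolled reproduces the answer's approach of testing every 4-byte offset from 20 to 60. method_filter_dataoffset is an alternative not taken from the answer: it reads the TCP data offset (top 4 bits of header byte 12, in 32-bit words, so "& 0xf0 >> 2" gives the header length in bytes) and indexes the payload directly, which needs one comparison and does not match 'POST' appearing inside the options or a few bytes into the payload.

```shell
#!/bin/sh
# Added example (not from the original answer): build the 4-byte method
# constant and a matching tcpdump filter for any HTTP method.

# method_word METHOD
#   Exactly the first 4 bytes of "METHOD " (space-padded):
#   GET -> "GET ", POST -> "POST", DELETE -> "DELE".
method_word() {
    printf '%-4.4s' "$1"
}

# method_hex METHOD  -> the 4 bytes as hex, e.g. 504f5354 for POST
method_hex() {
    method_word "$1" | od -An -tx1 | tr -d ' \n'
}

# method_dec METHOD  -> the 4 bytes read as one big-endian 32-bit number
#   in decimal, e.g. 1347375956 for POST
method_dec() {
    echo $((0x$(method_hex "$1")))
}

# method_filter_unrolled METHOD [PORT]
#   The answer's approach: compare the 4 bytes at every possible payload
#   start (header offsets 20..60, step 4) against the decimal constant.
method_filter_unrolled() {
    dec=$(method_dec "$1")
    port=${2:-80}
    filt="tcp[2:2] = $port and ("
    off=20
    while [ "$off" -le 60 ]; do
        if [ "$off" -gt 20 ]; then
            filt="$filt or "
        fi
        filt="${filt}tcp[${off}:4] = $dec"
        off=$((off + 4))
    done
    echo "$filt)"
}

# method_filter_dataoffset METHOD [PORT]
#   Alternative (assumption, not from the original answer): compute the
#   header length from the data offset field and compare the first 4
#   payload bytes once. tcpdump accepts the hex form of the constant.
method_filter_dataoffset() {
    port=${2:-80}
    echo "tcp[2:2] = $port and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x$(method_hex "$1")"
}

# Usage as a script:  ./httpfilter.sh POST 8080
if [ $# -gt 0 ]; then
    method_filter_dataoffset "$@"
fi
```

Either generated string can be passed to tcpdump in single quotes, e.g. tcpdump -nn -i br0 "$(method_filter_dataoffset PUT)". Note that both filters only look at the first 4 bytes of the first segment of a connection's payload, so a method that arrives later in the stream (HTTP keep-alive) is not matched.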

Tags:

Tcpdump