Thursday 2 October 2014

Tcpdump for troubleshooting

Tcpdump has helped me a lot in tracking down unwanted traffic on a server. It is a basic tool that every sysadmin should know in detail.

Understanding the various options of tcpdump, and keeping a reference of them, is very useful in critical troubleshooting. Live capture needs root (or the CAP_NET_RAW capability) to open the interface; reading a saved capture file does not.


List 1:  CAPTURE ALL PACKETS ON A PARTICULAR INTERFACE
====
tcpdump -i eth1

The above command captures every packet seen on interface eth1, in both directions, and prints one summary line per packet until you stop it with Ctrl-C. Without -i, tcpdump picks a default interface (the first usable non-loopback one it finds), which is not always the one you want.
====

List 2: CAPTURE CERTAIN NUMBER OF PACKETS
=====
tcpdump -c 10 -i eth1

The above command captures 10 packets on interface eth1 and then exits. -c is the safe way to take a quick sample on a busy server without flooding the terminal.
======

List 3: Display interfaces
=====
 tcpdump -D

The above command displays all interfaces tcpdump can capture on, including the "any" pseudo-device that captures on all of them at once (at the cost of a cooked link-layer header instead of the real Ethernet one, so -e output looks different there).

Sample Output:
--------------------
root@newserver [~]# tcpdump -D
1.eth0
2.nflog (Linux netfilter log (NFLOG) interface)
3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
4.eth1
5.usbmon1 (USB bus number 1)
6.usbmon2 (USB bus number 2)
7.usbmon3 (USB bus number 3)
8.usbmon4 (USB bus number 4)
9.usbmon5 (USB bus number 5)
10.usbmon6 (USB bus number 6)
11.any (Pseudo-device that captures on all interfaces)
12.lo
-----------------------


List 4:  DISABLE NAME LOOKUP
====
-n option in tcpdump

If you do not run tcpdump with the -n option, every source and destination address is shown in "name" format: tcpdump does a reverse DNS lookup for each IP and prints the hostname.

Using -n disables the host lookups, so addresses are printed as plain IPs. -n alone still translates port numbers to service names (you will see "ssh" or "domain" instead of 22 or 53, as in the sample outputs below); use -nn to print ports numerically as well. Prefer -n when troubleshooting: the lookups slow tcpdump down (and can make it drop packets), and during an attack each lookup sends a DNS query that is visible to whoever controls the reverse zone for the attacker's addresses.
====

LIST 5: TO CAPTURE WHOLE PACKET
=====
By default tcpdump only captures the first bytes of each packet (68 bytes on very old releases, 96 bytes on the releases common at the time of writing; current releases default to 262144 bytes, which is effectively the whole packet). When you need the full payload, for example to see a complete DNS message or HTTP request, pass the snapshot-length option -s. -s0 means "the whole packet"; tcpdump turns it into its maximum snaplen, 65535 bytes in this version. Note that the snaplen counts from the start of the link-layer header, not from the IP header.

Command: tcpdump -s0 -i eth1 'port 53'

Sample o/p:
====
root@newserver [~]# tcpdump -s0 -i eth1 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
02:16:43.493603 IP 121.236.64.59.21446 > newserver.r24.s8.domain: Flags [S], seq 3833935265, win 29200, options [mss 1400,sackOK,TS val 1726349 ecr 0,nop,wscale 7], length 0
====

As you can see from the sample output, the capture size is "65535 bytes". (The destination appears as a hostname and port 53 as "domain" because -n was not given.)

LIST 6: TO GET THE MAC ADDRESS OF SOURCE AND DESTINATION
=====
-e option in tcpdump

Command: tcpdump -s0 -e -n -c 2 -i eth1

Sample o/p:
=====
root@newserver [~]# tcpdump -s0 -e -n -c 2 -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
02:23:32.338785 00:30:48:d3:82:bb > 00:1b:0c:0c:97:7f, ethertype IPv4 (0x0800), length 258: 67.222.109.115.ssh > 72.34.37.72.35443: Flags [P.], seq 312540242:312540434, ack 2077914406, win 233, options [nop,nop,TS val 2863443784 ecr 3109361732], length 192
02:23:32.339545 00:1b:0c:0c:97:7f > 00:30:48:d3:82:bb, ethertype IPv4 (0x0800), length 66: 72.34.37.72.35443 > 67.222.109.115.ssh: Flags [.], ack 192, win 500, options [nop,nop,TS val 3109361754 ecr 2863443784], length 0
2 packets captured
2 packets received by filter
0 packets dropped by kernel
=====

The above command prints the source and destination MAC addresses (the Ethernet header) in front of each packet. This is useful when two hosts claim the same IP, or when you need to know which router or switch actually delivered a packet. Note that even with -n the port is still shown as "ssh"; -nn would print 22.

LIST 7: -vvv OPTION TO GET MORE VERBOSE OUTPUT
=====
-v, -vv and -vvv print progressively more protocol detail (TTL, IP id, IP checksum verification and so on). -S prints absolute TCP sequence numbers instead of the relative numbers tcpdump shows by default, which is what you want when correlating with a capture from another host or with firewall logs.

Command:  tcpdump -S -s0 -vvv -e -n -c 2 -i eth0

Sample Output:
=========
root@newserver [~]# tcpdump -S -s0 -vvv -e -n -c 2 -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
02:29:13.476507 00:19:b9:a3:02:92 > 01:80:c2:00:00:00, 802.3, length 60: LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:19:b9:a3:02:90.8018, length 43
message-age 0.00s, max-age 20.00s, hello-time 2.00s, forwarding-delay 15.00s
root-id 8000.00:19:b9:a3:02:90, root-pathcost 0, port-role Designated
02:29:15.476483 00:19:b9:a3:02:92 > 01:80:c2:00:00:00, 802.3, length 60: LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:19:b9:a3:02:90.8018, length 43
message-age 0.00s, max-age 20.00s, hello-time 2.00s, forwarding-delay 15.00s
root-id 8000.00:19:b9:a3:02:90, root-pathcost 0, port-role Designated
2 packets captured
=========

LIST 8: WRITE THE OUTPUT TO A FILE:
========
-w option

Command : tcpdump -w tcpdump.pcap -s0 -vvv -e -n -c 2 -i eth1
========

The above command writes the raw packets to the file "tcpdump.pcap" in pcap format instead of printing them. Because the file holds packets rather than text, display options like -e and -n make no difference to its contents; -vvv together with -w only makes tcpdump report the count of packets captured so far. Always combine -w with -s0 (or rely on a modern default snaplen), since whatever the snaplen cut off is lost for good. The file can be opened in Wireshark or read back with tcpdump as in the next list.
=========

LIST 9: TO READ THE OUTPUT USING TCPDUMP
====
-r option

Command: tcpdump -r tcpdump.pcap

Reading from a file does not need root. The same display options (-n, -e, -vvv) and the same filter expressions work with -r, so a capture saved with -s0 and no filter can be sliced in different ways afterwards.
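
What -s, -w and -r actually do to the bytes on disk is easiest to see by writing and reading the pcap format yourself. The Python below is an added example, not code from this post or from the tcpdump project: it builds two constructed Ethernet/IPv4 frames (sample data, not a real capture), writes them the way tcpdump -w would with a 96-byte snaplen and again with -s0 (65535, matching the capture size printed above), reads the file back and decodes the fields that tcpdump -e -n prints, flagging packets the snaplen cut short. Only classic pcap with the Ethernet link type is handled; the newer pcapng format is out of scope.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps (0xD4C3B2A1 when byte-swapped)
LINKTYPE_ETHERNET = 1


def ipv4_checksum(header):
    """One's-complement sum of the IPv4 header, so tcpdump -v would not flag the sample as bad."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Construct an Ethernet/IPv4/{TCP,UDP} frame; transport checksums are left at zero (sample data)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    if proto == 6:       # TCP SYN with a bare 20-byte header
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 29200, 0, 0) + payload
    elif proto == 17:    # UDP
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        raise ValueError("only TCP (6) and UDP (17) are built here")
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0,
                       ip(src_ip), ip(dst_ip))
    ipv4 = ipv4[:10] + struct.pack("!H", ipv4_checksum(ipv4)) + ipv4[12:]
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ipv4 + l4


def write_pcap(frames, snaplen):
    """What 'tcpdump -w file -s snaplen' stores: the global header records the snaplen, and every
    record keeps min(len, snaplen) bytes (incl_len) while remembering the on-wire length (orig_len)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):           # timestamps below are made up for the sample
        kept = frame[:snaplen]
        out += struct.pack("<IIII", 1412215003 + i, 493603, len(kept), len(frame)) + kept
    return out


def read_pcap(data):
    """Parse a classic pcap file (what 'tcpdump -r' reads); yields (timestamp, frame, orig_len)."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == PCAP_MAGIC else ">" if magic == 0xD4C3B2A1 else None
    if endian is None:
        raise ValueError("not a classic pcap file (magic 0x%08x); pcapng is not handled here" % magic)
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET is decoded here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len], orig_len
        off += incl_len


def decode(frame, orig_len):
    """Pull out what 'tcpdump -e -n' prints (MACs, IPs, ports) and flag packets the snaplen cut short."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    fmt_mac = lambda b: ":".join("%02x" % x for x in b)
    info = {"dst_mac": fmt_mac(frame[:6]), "src_mac": fmt_mac(frame[6:12]),
            "ethertype": struct.unpack("!H", frame[12:14])[0],
            "caplen": len(frame), "orig_len": orig_len, "truncated": len(frame) < orig_len}
    if info["ethertype"] != 0x0800 or len(frame) < 34:
        return info
    info.update(src_ip=".".join(map(str, frame[26:30])), dst_ip=".".join(map(str, frame[30:34])),
                proto=frame[23])
    l4 = 14 + (frame[14] & 0x0F) * 4          # IHL gives the IPv4 header length
    if info["proto"] in (6, 17) and len(frame) >= l4 + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return info


def summarize(info):
    """One tcpdump-style line per packet, with a note when the capture was truncated."""
    line = "%s > %s, ethertype 0x%04x, length %d" % (
        info["src_mac"], info["dst_mac"], info["ethertype"], info["orig_len"])
    if "src_ip" in info:
        line += ": %s.%s > %s.%s" % (info["src_ip"], info.get("sport", "?"),
                                     info["dst_ip"], info.get("dport", "?"))
    if info["truncated"]:
        line += "  [truncated: %d of %d bytes captured]" % (info["caplen"], info["orig_len"])
    return line


SAMPLE_FRAMES = [  # constructed sample traffic, not taken from a real capture
    build_frame("00:30:48:d3:82:bb", "00:1b:0c:0c:97:7f", "10.0.0.5", "10.0.0.53", 17, 40000, 53,
                b"\x12\x34\x01\x00" + b"\x00" * 300),     # an oversized DNS query
    build_frame("00:1b:0c:0c:97:7f", "00:30:48:d3:82:bb", "10.0.0.9", "10.0.0.5", 6, 51234, 22),
]


def capture(snaplen):
    """Round-trip the sample frames through a pcap written with the given snaplen, as -w then -r would."""
    return [decode(frame, orig) for _ts, frame, orig in read_pcap(write_pcap(SAMPLE_FRAMES, snaplen))]
```

Calling summarize() on each entry of capture(96) shows the 346-byte DNS frame cut to 96 bytes while the 54-byte SSH SYN survives intact; capture(65535) keeps both whole. That is exactly the difference between the old default snaplen and -s0, and once the truncated file is on disk no amount of -vvv on the -r side brings the missing bytes back.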

List 10: CAPTURE ALL PACKETS TO A PARTICULAR PORT
======
tcpdump -i eth1 port 53

The above command displays packets on interface eth1 whose source OR destination port is 53, so it shows both directions of DNS traffic; use 'dst port 53' or 'src port 53' for one direction only.

======

LIST 11: TO IGNORE THE PACKETS TO A PARTICULAR PORT 
=====
Command : tcpdump -i eth0 -n -c 5 'port !80'

The above command shows 5 packets on eth0 that are neither to nor from port 80. 'not port 80' is the more common spelling; tcpdump accepts both forms. Quoting the expression keeps the shell from interpreting the ! (history expansion in bash) and any parentheses.
=====

LIST 12: Capture any packets where the destination host is 192.168.1.1. Display IP addresses and port numbers
======
Command: tcpdump -n dst host 192.168.1.1 
=======

LIST 13: Capture any packets where the source host is 192.168.1.1. Display IP addresses and port numbers:
=====
Command: tcpdump -n src host 192.168.1.1
=====

LIST 14: Capture any packets where the source or destination host is 192.168.1.1. Display IP addresses and port number
======
Command: tcpdump -n host 192.168.1.1
======


ALL OTHER COMMON COMMANDS:
=====

LIST 1: Capture any packets where the destination network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n dst net 192.168.1.0/24

LIST 2: Capture any packets where the source network is 192.168.1.0/24. Display IP addresses and port numbers:

 tcpdump -n src net 192.168.1.0/24

LIST 3: Capture any packets where the source or destination network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n net 192.168.1.0/24

LIST 4: Capture any packets where the destination port is 23. Display IP addresses and port numbers:

tcpdump -n dst port 23

LIST 5: Capture any packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n dst portrange 1-1023

LIST 6: Capture only TCP packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n tcp dst portrange 1-1023

LIST 7: Capture only UDP packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n udp dst portrange 1-1023

LIST 8: Capture any packets with destination IP 192.168.1.1 and destination port 23. Display IP addresses and port numbers:

tcpdump -n "dst host 192.168.1.1 and dst port 23"

LIST 9: Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443. Display IP addresses and port numbers:

tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)"

LIST 10: Capture any ICMP packets:

tcpdump -v icmp

LIST 11: Capture any ARP packets:

tcpdump -v arp

LIST 12: Capture either ICMP or ARP packets:

tcpdump -v "icmp or arp"

LIST 13: Capture any packets that are broadcast or multicast:

tcpdump -n "broadcast or multicast"

LIST 14: Capture 500 bytes of data for each packet rather than the version's default snaplen (68 bytes on very old releases, 96 on the one used above):

tcpdump -s 500

LIST 15: Capture all bytes of data within the packet (tcpdump maps 0 to its maximum snaplen):

tcpdump -s 0

LIST 16: tcpdump filter packets: capture all the packets other than ARP and RARP

tcpdump -i eth0 not arp and not rarp

LIST 17: You can skip additional ports too

tcpdump -i eth1  -s 1500 port not 22 and port not 53

LIST 18: To avoid port 22

 tcpdump -i eth1  -s 1500 port not 22

Excluding port 22 is the usual trick when you are capturing over the same SSH session you are logged in on; otherwise your own session's packets drown out everything else. One caveat on -s 1500: the snaplen includes the 14-byte Ethernet header, so a full-size 1500-byte IP packet is 1514 bytes on the wire and gets its last 14 bytes cut off. Use -s 1514 or -s0 if you need complete packets.
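
Most of the filter expressions on this page differ only in how a handful of BPF primitives combine: an optional protocol (tcp, udp, icmp, arp), an optional direction (src, dst), a qualifier (host, net, port, portrange) and the and/or/not operators, with 'and' binding tighter than 'or' and parentheses grouping. As an added example that is not code from this post or from tcpdump (a simplified model, not the real BPF compiler, which turns the expression into a bytecode program the kernel runs per packet), the Python below parses the subset of pcap-filter syntax used above and evaluates it against constructed sample packets, so you can check which packets 'port 53', 'dst host ...', 'tcp dst portrange 1-1023', 'port !80' or 'not arp and not rarp' would let through before running them on a production box. Deliberate simplifications: here 'host' only looks at the IP layer (real tcpdump also matches ARP/RARP addresses), 'net' needs CIDR notation, and ports are modelled for TCP/UDP only.

```python
import ipaddress
import re
from collections import namedtuple

TOKEN_RE = re.compile(r"\(|\)|!|[^\s()!]+")
PROTOS = {"tcp", "udp", "icmp", "arp", "rarp"}
DIRS = {"src", "dst"}
TYPES = {"host", "net", "port", "portrange"}
# Decoded packet: ports only for tcp/udp; src/dst stay None when there is no IP layer (arp).
Packet = namedtuple("Packet", "src dst proto sport dport", defaults=(None, None))


class FilterParser:
    def __init__(self, expr):
        self.toks = ["not" if t == "!" else t for t in TOKEN_RE.findall(expr)]
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        self.pos += 1
        return self.toks[self.pos - 1]

    def parse_expr(self, ops=("or", "and")):   # 'or' chains 'and' chains: 'and' binds tighter
        below = (lambda: self.parse_expr(ops[1:])) if len(ops) > 1 else self.parse_not
        terms = [below()]
        while self.peek() == ops[0]:
            self.take()
            terms.append(below())
        combine = any if ops[0] == "or" else all
        return lambda p: combine(t(p) for t in terms)

    def parse_not(self):                       # 'not x', '( x )' or a primitive
        if self.peek() == "not":
            self.take()
            inner = self.parse_not()
            return lambda p: not inner(p)
        if self.peek() == "(":
            self.take()
            inner = self.parse_expr()
            if self.take() != ")":
                raise SyntaxError("missing ')'")
            return inner
        return self.parse_primitive()

    def parse_primitive(self):                 # [proto] [src|dst] host|net|port|portrange [not] value
        proto = self.take() if self.peek() in PROTOS else None
        direction = self.take() if self.peek() in DIRS else None
        if self.peek() not in TYPES:           # bare protocol name such as 'icmp' or 'arp'
            if proto is None or direction:
                raise SyntaxError("unexpected token %r" % self.peek())
            return lambda p: p.proto == proto
        kind = self.take()
        negate = self.peek() == "not"          # 'port not 22' / 'port !22' negate this primitive only
        if negate:
            self.take()
        test = self.make_test(proto, direction, kind, self.take())
        return (lambda p: not test(p)) if negate else test

    @staticmethod
    def make_test(proto, direction, kind, value):
        if kind == "net":
            net = ipaddress.ip_network(value, strict=False)
            match = lambda v: ipaddress.ip_address(v) in net
        elif kind == "portrange":
            lo, hi = map(int, value.split("-"))
            match = lambda v: lo <= v <= hi
        else:                                  # host or port: exact value
            match = lambda v: v == (value if kind == "host" else int(value))
        ends = ("src", "dst") if kind in ("host", "net") else ("sport", "dport")
        fields = ends if direction is None else (ends[direction == "dst"],)  # no direction: either end

        def test(p):   # icmp/arp carry no ports (arp no addresses), so those fields are None and never match
            return (proto is None or p.proto == proto) and any(
                v is not None and match(v) for v in (getattr(p, f) for f in fields))
        return test


def compile_filter(expr):
    parser = FilterParser(expr)
    fn = parser.parse_expr()
    if parser.peek() is not None:
        raise SyntaxError("unexpected token %r" % parser.peek())
    return fn


SAMPLE = [  # constructed sample traffic, not a real capture
    Packet("192.168.1.1", "192.168.1.50", "tcp", 22, 51000),
    Packet("10.0.0.7", "192.168.1.1", "udp", 40000, 53),
    Packet("10.0.0.7", "192.168.1.1", "icmp"),
    Packet("192.168.1.1", "8.8.8.8", "udp", 53000, 53),
    Packet("10.0.0.7", "192.168.1.1", "tcp", 44000, 443),
    Packet(None, None, "arp"),
]


def matching(expr, packets=SAMPLE):
    test = compile_filter(expr)
    return [i for i, p in enumerate(packets) if test(p)]
```

matching("port 53") returns the indexes of both UDP packets because an undirected 'port' matches either end, matching("dst host 192.168.1.1") drops the reply that leaves 192.168.1.1, and matching("port not 22") keeps the ICMP and ARP entries: negating a port primitive matches everything that is not TCP/UDP port 22, including packets that have no ports at all. The trailing-token check is what makes a mistyped expression fail loudly instead of silently matching too much.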




