packet sniffing

There is a multitude of packet sniffing tools for Linux, but we will only look at tcpdump, as it is the only one that comes by default with RHEL/CentOS/SL version 7.

tcpdump prints a description of the contents of the packets that match one or more conditions. Capturing from an interface needs raw-socket privileges (CAP_NET_RAW and CAP_NET_ADMIN), which is why the examples below are run as root. To get a sense of how it works let's see a few examples.

The first example prints a description of all the packets sent or received on interface wlo1 (the capture runs until interrupted with Ctrl-C):

root:/home/marc> tcpdump -i wlo1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlo1, link-type EN10MB (Ethernet), capture size 262144 bytes
15:19:11.649781 IP lhr14s27-in-f14.1e100.net.https > 24-240-25-220.dhcp.gwnt.ga.charter.com.18460: Flags [.], ack 2712700207, win 2068, length 0
15:19:11.649823 IP 24-240-25-220.dhcp.gwnt.ga.charter.com.18460 > lhr14s27-in-f14.1e100.net.https: Flags [.], ack 1, win 361, options [nop,nop,TS val 58749403 ecr 2324054008], length 0
15:19:11.650403 IP 24-240-25-220.dhcp.gwnt.ga.charter.com.53128 > 141.228.16.34.domain: 32166+ PTR? 220.25.240.24.in-addr.arpa. (44)
15:19:11.673150 IP 141.228.16.34.domain > 24-240-25-220.dhcp.gwnt.ga.charter.com.53128: 32166 1/0/0 PTR 24-240-25-220.dhcp.gwnt.ga.charter.com. (96)
15:19:11.673552 IP 24-240-25-220.dhcp.gwnt.ga.charter.com.31868 > 141.228.16.34.domain: 10897+ PTR? 78.208.58.216.in-addr.arpa. (44)
15:19:11.697917 IP 141.228.16.34.domain > 24-240-25-220.dhcp.gwnt.ga.charter.com.31868: 10897 4/0/0 PTR lhr14s27-in-f14.1e100.net., PTR lhr14s27-in-f14.1e100.net., PTR lhr14s27-in-f78.1e100.net., PTR lhr14s27-in-f78.1e100.net. (141)
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel

The -t flag suppresses the timestamp at the start of each line:

root:/home/marc> tcpdump -i wlo1 -t
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlo1, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 24-240-25-220.dhcp.gwnt.ga.charter.com.12930 > wj-in-f189.1e100.net.https: UDP, length 24
IP 24-240-25-220.dhcp.gwnt.ga.charter.com.25070 > 141.228.16.34.domain: 40562+ PTR? 189.195.125.74.in-addr.arpa. (45)
IP 141.228.16.34.domain > 24-240-25-220.dhcp.gwnt.ga.charter.com.25070: 40562 1/0/0 PTR wj-in-f189.1e100.net. (79)
IP 24-240-25-220.dhcp.gwnt.ga.charter.com.32546 > 141.228.16.34.domain: 39024+ PTR? 220.25.240.24.in-addr.arpa. (44)

For slightly terser output we add -q, and -n to stop tcpdump from resolving IP addresses into host names (as the output shows, well-known ports are still printed by name; -nn prints them numerically too). The PTR queries in the two captures above are tcpdump's own reverse lookups, so -n also keeps that noise out of the capture:

root:/home/marc> tcpdump -i wlo1 -t -q -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlo1, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 52.10.88.168.http > 24.240.181.255.41532: tcp 0
IP 74.125.195.189.https > 24.240.25.220.12930: UDP, length 41
IP 24.240.25.220.12930 > 74.125.195.189.https: UDP, length 41
IP 24.240.25.220.64266 > 216.58.210.69.https: tcp 0
IP 216.58.210.69.https > 24.240.25.220.64266: tcp 0
IP 52.68.185.105.http > 24.240.41.10.42819: tcp 0

If we want more verbosity we can use -v, -vv or -vvv; each level adds more protocol detail (TTL, IP ID, IP flags, checksums and their validity, TCP options):

root:/home/marc> tcpdump -i wlo1 -t -vvv -n
tcpdump: listening on wlo1, link-type EN10MB (Ethernet), capture size 262144 bytes
IP (tos 0x0, ttl 61, id 54393, offset 0, flags [DF], proto TCP (6), length 40)
    194.132.162.37.http > 24.240.181.255.32884: Flags [.], cksum 0x05f5 (correct), seq 2253186430, ack 453011106, win 2068, length 0
IP (tos 0x0, ttl 61, id 19590, offset 0, flags [DF], proto TCP (6), length 115)
    216.58.208.78.https > 24.240.25.220.18460: Flags [P.], cksum 0xdd0e (correct), seq 2626820879:2626820942, ack 2712706993, win 2068, options [nop,nop,TS val 2324133294 ecr 59379469], length 63
IP (tos 0x0, ttl 64, id 63388, offset 0, flags [DF], proto TCP (6), length 52)
    24.240.25.220.18460 > 216.58.208.78.https: Flags [F.], cksum 0xc05c (correct), seq 1, ack 63, win 466, options [nop,nop,TS val 59413086 ecr 2324133294], length 0
IP (tos 0x0, ttl 61, id 19592, offset 0, flags [DF], proto TCP (6), length 52)
    216.58.208.78.https > 24.240.25.220.18460: Flags [F.], cksum 0x3d6c (correct), seq 63, ack 1, win 2068, options [nop,nop,TS val 2324133294 ecr 59379469], length 0
IP (tos 0x0, ttl 64, id 63389, offset 0, flags [DF], proto TCP (6), length 52)
    24.240.25.220.18460 > 216.58.208.78.https: Flags [.], cksum 0xc05b (correct), seq 2, ack 64, win 466, options [nop,nop,TS val 59413086 ecr 2324133294], length 0

From here on the output is omitted to save space. To capture the traffic on interface wlo1 that goes from or to port 80:

root:/home/marc> tcpdump -i wlo1 'port 80'

Now we want only traffic where the source port is 80:

root:/home/marc> tcpdump -i wlo1 'src port 80'

Now we want only traffic where the destination port is within the specified range:

root:/home/marc> tcpdump -i wlo1 'dst portrange 50000-65000'

Now we want only traffic from a certain host:

root:/home/marc> tcpdump -i wlo1 'src host 183.65.65.78'

And now we want only traffic from a certain network (a dotted pair such as 183.65 is shorthand for 183.65.0.0/16; CIDR notation like 183.65.0.0/16 is accepted as well):

root:/home/marc> tcpdump -i wlo1 'src net 183.65'

Now we want only tcp/udp traffic from a certain network:

root:/home/marc> tcpdump -i wlo1 '(tcp or udp) and src net 183.65'

And finally we want the ICMP traffic from a certain network that is not an echo request or echo reply, i.e. ICMP other than pings (this is the pcap-filter man page's own example). Note that icmp[icmptype] can only be evaluated on ICMP packets, so the expression matches ICMP only: the network's TCP and UDP packets are not shown even though they are not pings either. To get everything except pings, the two comparisons have to be combined with "not icmp" in an or-clause.

root:/home/marc> tcpdump -i wlo1 '(src net 183.65) and (icmp[icmptype] != icmp-echo) and (icmp[icmptype] != icmp-echoreply)'

There are many more primitives and expressions that can be used to filter packets. Furthermore, packets can be written to a file with -w and read back from it with -r, which is the usual way to capture on a server and analyse the traffic elsewhere. Check the tcpdump(8) and pcap-filter(7) man pages for a more thorough explanation.
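As an added example (written for this page, not part of the original tutorial and not using tcpdump itself), the Python script below builds a small pcap file the way "tcpdump -w" does, reads it back the way "tcpdump -r" does, prints one line per packet in the style of "tcpdump -n -t -q", and applies three of the filters above with the same semantics as pcap-filter. All packets, addresses and ports are constructed for the example. It also demonstrates the caveat about the last expression: the filter from the page yields only the ICMP packet that is not a ping, while the equivalent of 'src net 183.65 and (not icmp or (icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply))' also yields the network's TCP traffic.

```python
# Added example, not from the tutorial: write a pcap file, read it back and apply
# tcpdump-style filters with the standard library only. Every packet below is
# constructed inline; hosts, ports and MAC addresses are made up.
import socket
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4           # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1             # "link-type EN10MB (Ethernet)"
ICMP_ECHOREPLY, ICMP_ECHO = 0, 8  # the icmp-echoreply / icmp-echo filter names
PROTO_NAME = {1: "icmp", 6: "tcp", 17: "udp"}


def frame(proto, src, dst, payload):
    """Ethernet + IPv4 header around a layer-4 payload (IP checksum left 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                     64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x02" * 12 + b"\x08\x00" + ip + payload  # dst MAC, src MAC, EtherType


def tcp(src, sport, dst, dport, flags):
    return frame(6, src, dst, struct.pack("!HHIIBBHHH", sport, dport, 1, 0,
                                          5 << 4, flags, 2068, 0, 0))


def udp(src, sport, dst, dport, data):
    return frame(17, src, dst, struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data)


def icmp(src, dst, icmptype):
    return frame(1, src, dst, struct.pack("!BBHHH", icmptype, 0, 0, 1, 1))


# Constructed capture: a web handshake, a DNS query and traffic from 183.65.0.0/16.
PACKETS = [
    tcp("24.240.25.220", 41532, "52.10.88.168", 80, 0x02),    # SYN to port 80
    tcp("52.10.88.168", 80, "24.240.25.220", 41532, 0x12),    # SYN/ACK from port 80
    udp("24.240.25.220", 53128, "141.228.16.34", 53, b"\x7d\xa6\x01\x00" + b"\x00" * 8),
    icmp("183.65.65.78", "24.240.25.220", ICMP_ECHO),         # ping request
    icmp("183.65.65.78", "24.240.25.220", ICMP_ECHOREPLY),    # ping reply
    icmp("183.65.1.1", "24.240.25.220", 3),                   # destination unreachable
    tcp("183.65.7.7", 443, "24.240.25.220", 60000, 0x10),     # plain ACK from the same net
]


def write_pcap(path, packets):
    """Like 'tcpdump -w path': global header, then one record header per packet."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET))
        for n, pkt in enumerate(packets):
            f.write(struct.pack("<IIII", 1500000000 + n, 0, len(pkt), len(pkt)) + pkt)


def read_pcap(path):
    """Like 'tcpdump -r path': yield each IPv4 packet decoded to a dict."""
    with open(path, "rb") as f:
        magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", f.read(24))
        if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
            raise ValueError("not a little-endian Ethernet pcap file")
        while rec := f.read(16):
            _sec, _usec, caplen, _origlen = struct.unpack("<IIII", rec)
            data = f.read(caplen)
            if data[12:14] != b"\x08\x00":        # skip non-IPv4 frames
                continue
            l4 = data[14 + (data[14] & 0x0F) * 4:]  # IHL gives the IP header length
            pkt = {"proto": PROTO_NAME.get(data[23], str(data[23])),
                   "src": socket.inet_ntoa(data[26:30]), "dst": socket.inet_ntoa(data[30:34])}
            if pkt["proto"] in ("tcp", "udp"):
                pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
            elif pkt["proto"] == "icmp":
                pkt["icmptype"] = l4[0]
            yield pkt


def summary(p):
    """One line per packet in the style of 'tcpdump -n -t -q'."""
    if p["proto"] == "icmp":
        return f'IP {p["src"]} > {p["dst"]}: ICMP type {p["icmptype"]}'
    return f'IP {p["src"]}.{p["sport"]} > {p["dst"]}.{p["dport"]}: {p["proto"]}'


# Predicates with the same semantics as the pcap-filter primitives they mimic.
def port(n):            # 'port 80'
    return lambda p: n in (p.get("sport"), p.get("dport"))


def src_net(prefix):    # 'src net 183.65' (a dotted pair means 183.65.0.0/16)
    return lambda p: p["src"].startswith(prefix + ".")


def icmptype_ne(t):     # 'icmp[icmptype] != t': BPF only evaluates it on ICMP packets
    return lambda p: p["proto"] == "icmp" and p["icmptype"] != t


def not_ping(p):        # 'not icmp or (icmp[icmptype] != icmp-echo and ... != icmp-echoreply)'
    return p["proto"] != "icmp" or p["icmptype"] not in (ICMP_ECHO, ICMP_ECHOREPLY)


def apply_filter(path, *predicates):
    return [summary(p) for p in read_pcap(path) if all(f(p) for f in predicates)]


def demo():
    """Write the constructed capture to a temp file and run three filters over it."""
    with tempfile.NamedTemporaryFile(suffix=".pcap", delete=False) as tmp:
        path = tmp.name
    write_pcap(path, PACKETS)
    return {
        "port 80": apply_filter(path, port(80)),
        "tutorial filter": apply_filter(path, src_net("183.65"),
                                        icmptype_ne(ICMP_ECHO), icmptype_ne(ICMP_ECHOREPLY)),
        "all but ping": apply_filter(path, src_net("183.65"), not_ping),
    }


if __name__ == "__main__":
    for name, lines in demo().items():
        print(f"== {name} ==\n" + "\n".join(lines))
```

The file written by write_pcap is a valid libpcap capture, so it can also be opened with "tcpdump -r" or Wireshark to compare the real decoder's output with the simplified one here. The "tutorial filter" result contains only the destination-unreachable packet, while "all but ping" additionally contains the TCP segment from 183.65.7.7, which is the difference the caveat above describes.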
