Friday, February 11, 2011

TCPDUMP

To display the Standard TCPdump output: 

#tcpdump 

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode 
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

21:57:29.004426 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53 
21:57:31.228013 arp who-has 192.168.1.2 tell 192.168.1.1 
21:57:31.228020 arp reply 192.168.1.2 is-at 00:04:75:22:22:22 (oui Unknown) 
21:57:38.035382 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53 
21:57:38.613206 IP valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36

To display the verbose output: 

#tcpdump -v 

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 

22:00:11.625995 IP (tos 0x0, ttl 128, id 30917, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53 
22:00:20.691903 IP (tos 0x0, ttl 128, id 31026, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53 
22:00:21.230970 IP (tos 0x0, ttl 114, id 4373, offset 0, flags [none], proto: UDP (17), length: 64) valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36 
22:00:26.201715 arp who-has 192.168.1.2 tell 192.168.1.1 
22:00:26.201726 arp reply 192.168.1.2 is-at 00:04:11:11:11:11 (oui Unknown) 
22:00:29.706020 IP (tos 0x0, ttl 128, id 31133, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53 
22:00:38.751355 IP (tos 0x0, ttl 128, id 31256, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53

To list the network interfaces available for capture: 

#tcpdump -D

1.eth0 
2.any (Pseudo-device that captures on all interfaces) 
3.lo 

To display numerical addresses rather than symbolic (DNS) addresses: 

#tcpdump -n 

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode 
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 

22:02:36.111595 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53 
22:02:36.669853 IP 68.142.64.164.27014 > 192.168.1.2.1034: UDP, length 36 
22:02:41.702977 arp who-has 192.168.1.2 tell 192.168.1.1 
22:02:41.702984 arp reply 192.168.1.2 is-at 00:04:11:11:11:11 
22:02:45.106515 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53 
22:02:50.392139 IP 192.168.1.2.138 > 192.168.1.255.138: NBT UDP PACKET(138) 
22:02:54.139658 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53 
22:02:57.866958 IP 125.175.131.58.3608 > 192.168.1.2.9501: S 3275472679:3275472679(0) win 65535 

To display the quick output: 

#tcpdump -q 

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode 
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 

22:03:55.594839 IP a213-22-130-46.cpe.netcabo.pt.3546 > 192.168.1.2.9501: tcp 0 
22:03:55.698827 IP 192.168.1.2.9501 > a213-22-130-46.cpe.netcabo.pt.3546: tcp 0 
22:03:56.068088 IP a213-22-130-46.cpe.netcabo.pt.3546 > 192.168.1.2.9501: tcp 0 
22:03:56.068096 IP 192.168.1.2.9501 > a213-22-130-46.cpe.netcabo.pt.3546: tcp 0 
22:03:57.362863 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53 
22:03:57.964397 IP valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36 
22:04:06.406521 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53 
22:04:15.393757 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53 

To capture the traffic on a particular interface: 

#tcpdump -i eth0

To capture the UDP traffic: 

#tcpdump udp 

To capture the TCP port 80 traffic (note that "port http" matches TCP and UDP port 80 alike; use "tcp port 80" to restrict the filter to TCP): 

#tcpdump port http 

To capture the traffic from a filter stored in a file: 

#tcpdump -F file_name

To create the file holding the filter expression (here, TCP port 80): 

#vim file_name 
port 80 

To stop the capture after 20 packets: 

#tcpdump -c 20

To write the captured packets to a file instead of displaying them on the screen: 

#tcpdump -w capture.log 

To read a capture file: 

#tcpdump -r capture.log

Reading from file capture.log, link-type EN10MB (Ethernet) 

09:33:51.977522 IP 192.168.1.36.40332 > rr.knams.wikimedia.org.www: P 1548302662:1548303275(613) ack 148796145 win 16527 
09:33:52.031729 IP rr.knams.wikimedia.org.www > 192.168.1.36.40332: . ack 613 win 86 
09:33:52.034414 IP rr.knams.wikimedia.org.www > 192.168.1.36.40332: P 1:511(510) ack 613 win86 
09:33:52.034786 IP 192.168.1.36.40332 > rr.knams.wikimedia.org.www: . ack 511 win 16527 

The captured data is not stored as plain text, so you cannot read it with a text editor; you need a dedicated tool such as TCPdump (see above) or Wireshark (formerly Ethereal), which provides a graphical interface.

(Screenshot: the capture.log file opened with Wireshark.) 

To display the packets having "www.openmaniak.com" as their source or destination address: 

#tcpdump host www.openmaniak.com

To display the FTP control-channel packets (port 21) going from 192.168.1.100 to 192.168.1.2: 

#tcpdump src 192.168.1.100 and dst 192.168.1.2 and port ftp

To display the packet contents in ASCII: 

#tcpdump -A 

Packets captured during an FTP session. The FTP password is easy to intercept because it is sent to the server in clear text.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode 
listening on ath0, link-type EN10MB (Ethernet), capture size 96 bytes 
20:53:24.872785 IP ubuntu.local.40205 > 192.168.1.2.ftp: S 4155598838:4155598838(0) win 5840 
....g.................... 
............ 
20:53:24.879473 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 1228937421 win 183 
....g.I@............. 
........ 
20:53:24.881654 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 43 win 183 
....g.I@.......8..... 
......EN 
20:53:26.402046 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 0:10(10) ack 43 win 183 
....g.I@......`$..... 
...=..ENUSER teddybear 

20:53:26.403802 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 76 win 183 
....h.I@............. 
...>..E^ 
20:53:29.169036 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 10:25(15) ack 76 win 183 
....h.I@......#c..... 
......E^PASS wakeup 

20:53:29.171553 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 96 win 183 
....h.I@.,........... 
......Ez 
20:53:29.171649 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 25:31(6) ack 96 win 183 
....h.I@.,........... 
......EzSYST 

20:53:29.211607 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 115 win 183 
....h.I@.?.....j..... 
......Ez 
20:53:31.367619 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 31:37(6) ack 115 win 183 
....h.I@.?........... 
......EzQUIT 

20:53:31.369316 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 155 win 183 
....h.I@.g........... 
......E. 
20:53:31.369759 IP ubuntu.local.40205 > 192.168.1.2.ftp: F 37:37(0) ack 156 win 183 
....h.I@.h.....e..... 
......E. 

We see in this capture the FTP username (teddybear) and password (wakeup).
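As an added example that is not part of the original post, the following Python script parses the one-line tcpdump output format shown above (with or without -n) into flow records and flags two things a defender would look for in such a capture: inbound SYNs arriving from outside the local network and sessions to services such as FTP that carry credentials in clear text. The sample lines are constructed to match the page's output format, and the 192.168.1. local-network prefix is an assumption.

```python
import re
from collections import Counter

# tcpdump's default one-line format (with or without -n):
# "<time> IP <src>.<sport> > <dst>.<dport>: <rest>"; ARP lines do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+)\.(?P<sport>\w+) > "
    r"(?P<dst>\S+)\.(?P<dport>\w+): (?P<rest>.*)$"
)
# Ports (numeric or symbolic, as tcpdump prints them) of services that send credentials in clear text.
CLEARTEXT_PORTS = {"21": "FTP", "ftp": "FTP", "23": "Telnet", "telnet": "Telnet"}
# Constructed sample lines in the page's output format (not a real capture).
SAMPLE = """\
22:02:36.111595 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53
22:02:41.702977 arp who-has 192.168.1.2 tell 192.168.1.1
22:02:57.866958 IP 125.175.131.58.3608 > 192.168.1.2.9501: S 3275472679:3275472679(0) win 65535
20:53:24.872785 IP 192.168.1.36.40205 > 192.168.1.2.ftp: S 4155598838:4155598838(0) win 5840
20:53:26.402046 IP 192.168.1.36.40205 > 192.168.1.2.ftp: P 0:10(10) ack 43 win 183
""".splitlines()

def parse_line(line):
    """Return a dict for an IP line, or None for ARP and other non-IP lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec, rest = m.groupdict(), m.group("rest")
    if rest.startswith("UDP") or " UDP " in rest:           # "UDP, length 53", "NBT UDP PACKET"
        rec["proto"] = "udp"
    elif rest.startswith(("S ", "P ", ". ", "F ", "tcp")):  # TCP flag column, or -q "tcp N"
        rec["proto"] = "tcp"
    else:
        rec["proto"] = "other"
    # A bare "S" segment without "ack" is the first packet of a new connection.
    rec["syn"] = rec["proto"] == "tcp" and rest.startswith("S ") and " ack " not in rest
    return rec

def summarize(lines, local_net="192.168.1."):
    """Count flows and flag inbound SYNs and cleartext logins; local_net is an assumed prefix."""
    flows, findings = Counter(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        flows[(rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"])] += 1
        if rec["syn"] and not rec["src"].startswith(local_net):
            findings.add(f"inbound SYN from {rec['src']} to port {rec['dport']}")
        svc = CLEARTEXT_PORTS.get(rec["dport"])
        if svc and rec["proto"] == "tcp":
            findings.add(f"cleartext {svc} from {rec['src']} to {rec['dst']}")
    return flows, sorted(findings)
```

Feed it the text output of "tcpdump -n" or "tcpdump -r capture.log" (for example, via sys.stdin) to get a flow count and the list of findings for a real capture.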
