Top 10 Things you may not know about tcpdump

Published: 2010-06-03
Last Updated: 2010-06-03 14:57:45 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

"tcpdump" is one of those utilities we take for granted. Ask in any networking class, and more or less everybody has used it before and knows how to use it. tcpdump was first written in 1987 as a research project. Since then, the library behind it (libpcap) and the tool itself have been ported to more or less any operating system out there and have been incorporated into too many tools to count (Bill Stearns tried [1]).

What is often overlooked: tcpdump is still actively developed. Right now, the latest version is 4.1.1 with libpcap version 1.1.1 [2]. Many operating systems use version 4.0 now by default.

So what changed? What are the things you may not know about tcpdump? Here are some of the favorite items I ran into; please feel free to submit more.

  1. snaplength: it is no longer 68 bytes! New versions of tcpdump (>= 4.0) default to a snaplength of 65535 bytes, so there is no more need to use -s 0 (but it doesn't hurt). If you still run an older version, 68 bytes will truncate most packets after the transport header.
  2. IPv6 support: the 'ip' qualifier and the ip[] offsets match IPv4 only; on Ethernet they key on the link-layer protocol type (EtherType 0x0800), not on the version nibble. Also, tcpdump will happily treat a packet as IPv4 as long as its first 4 bits are anything but '6'. If you want to filter for IPv6, use 'ip6' (and ip6[] for offsets).
  3. The -E option (-E spi@ipaddr algo:secret) will decrypt IPsec ESP traffic. You need to know the SPI and the secret key of course, tcpdump must have been built with crypto support, and not all algorithms are supported. Keep in mind that a key given on the command line ends up in your shell history and in the process list.
  4. -Z username will drop root privileges and run tcpdump as "username" once the capture device has been opened (many versions now do this by default using a "pcap" user). If you also write a file with -w, that user needs write access to the output directory, or the capture will fail after the privilege drop.
  5. portrange: a qualifier that can be used to filter a range of ports (e.g. 'tcp portrange 0-1023' for all traffic touching a privileged port).
  6. less/greater: filter packets by length. 'less n' is equivalent to 'len <= n' and 'greater n' to 'len >= n', which is a cheap way to spot unusually large DNS replies or tiny scan packets.
  7. New versions of tcpdump print more than one line per packet if the '-v' switch is used. This breaks a lot of old shell scripts that pipe the output through grep and similar tools, because the addresses and the payload summary no longer sit on the same line.
  8. There are now a number of macros for common offsets and values. For example tcp[tcpflags] is equivalent to tcp[13], and constants such as tcp-syn and tcp-ack, or icmp[icmptype] == icmp-echo, replace the magic numbers. Note that the tcp[], udp[] and icmp[] index operations apply to IPv4 packets only.
  9. For IPv6, 'ip6 proto' will only match the Next Header field of the fixed IPv6 header, which may be an extension header (hop-by-hop, routing, destination options) rather than the transport-layer protocol you expect from IPv4. Use 'ip6 protochain' to walk the extension headers down to the transport protocol.
  10. The -C option can be used to rotate the output file after it reaches a number of millions of bytes; combine it with -W to limit how many files are kept. Don't confuse it with lower case -c, which stops the capture after a number of packets.
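To see what several of these filters actually look at, here is an added example that is not part of the diary: it hand-builds three Ethernet frames (an IPv4 SYN, an IPv6 SYN, and an IPv6 SYN hidden behind a Hop-by-Hop extension header), writes them to a classic pcap file, and models in plain Python the tests that 'ip', 'ip6', 'ip6 proto', 'ip6 protochain', 'tcp[tcpflags]', 'tcp portrange' and 'less'/'greater' perform (items 2, 5, 6, 8 and 9). The MAC and IP addresses, the helper names and the output file name demo.pcap are all assumptions made for the example; the filter semantics follow the pcap-filter manual page, and the generated file can be fed to tcpdump -nn -r demo.pcap '<filter>' to compare.

```python
"""Added example (not from the ISC diary): hand-build a few Ethernet frames,
write them to a pcap file, and model in plain Python what the tcpdump filters
from items 2, 5, 6, 8 and 9 actually test. Checksums are left at zero, so
'tcpdump -v' will report them as bad; the filters do not care."""
import struct

TCP_SYN, TCP_ACK = 0x02, 0x10          # same values as tcpdump's tcp-syn / tcp-ack
ETH_IP, ETH_IP6 = 0x0800, 0x86DD       # what 'ip' and 'ip6' test on an Ethernet link

def eth(ethertype, payload):
    """14-byte Ethernet header with constructed (locally administered) MAC addresses."""
    return bytes.fromhex("020000000001" "020000000002") + struct.pack(">H", ethertype) + payload

def ipv4(proto, payload):
    """Minimal IPv4 header (IHL=5, no options), constructed 10.0.0.1 -> 10.0.0.2."""
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

def ipv6(next_header, payload):
    """Fixed 40-byte IPv6 header, constructed 2001:db8::1 -> 2001:db8::2."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack(">IHBB16s16s", 6 << 28, len(payload), next_header, 64, src, dst) + payload

def hop_by_hop(next_header):
    """8-byte Hop-by-Hop extension header (protocol number 0) carrying one PadN option."""
    return struct.pack(">BB", next_header, 0) + bytes([1, 4, 0, 0, 0, 0])

def tcp(sport, dport, flags):
    """20-byte TCP header without options; byte 13 is the flags byte, i.e. tcp[tcpflags]."""
    return struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

# Constructed sample traffic: IPv4 SYN, IPv6 SYN, IPv6 SYN behind a Hop-by-Hop header.
SYN4 = eth(ETH_IP, ipv4(6, tcp(40000, 443, TCP_SYN)))
SYN6 = eth(ETH_IP6, ipv6(6, tcp(40000, 22, TCP_SYN)))
SYN6_HBH = eth(ETH_IP6, ipv6(0, hop_by_hop(6) + tcp(40000, 22, TCP_SYN)))
FRAMES = [SYN4, SYN6, SYN6_HBH]

def ethertype(frame): return struct.unpack(">H", frame[12:14])[0]
def l3(frame): return frame[14:]

def filter_ip(frame):  return ethertype(frame) == ETH_IP    # 'ip'  : IPv4 only (item 2)
def filter_ip6(frame): return ethertype(frame) == ETH_IP6   # 'ip6' : what IPv6 needs

def filter_ip6_proto(frame, proto):
    """'ip6 proto N' reads only the Next Header field of the fixed header (item 9)."""
    return filter_ip6(frame) and l3(frame)[6] == proto

def filter_ip6_protochain(frame, proto):
    """'ip6 protochain N' walks Hop-by-Hop (0), Routing (43) and Destination Options (60)
    headers until a transport protocol is reached. (Real BPF also handles AH and fragments.)"""
    if not filter_ip6(frame): return False
    pkt, nh, off = l3(frame), l3(frame)[6], 40
    while nh in (0, 43, 60):
        nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8   # length field: 8-octet units, first 8 excluded
    return nh == proto

def tcp_header_ipv4(frame):
    """Start of the TCP header, or None. tcpdump's tcp[] index applies to IPv4 only."""
    if not filter_ip(frame) or l3(frame)[9] != 6: return None
    return l3(frame)[(l3(frame)[0] & 0x0F) * 4:]

def filter_syn_only(frame):
    """'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn', i.e. a test on tcp[13] (item 8)."""
    hdr = tcp_header_ipv4(frame)
    return hdr is not None and hdr[13] & (TCP_SYN | TCP_ACK) == TCP_SYN

def filter_tcp_portrange(frame, lo, hi):
    """'tcp portrange lo-hi' (item 5), modelled for IPv4 frames: either port in the range."""
    hdr = tcp_header_ipv4(frame)
    if hdr is None: return False
    sport, dport = struct.unpack(">HH", hdr[:4])
    return lo <= sport <= hi or lo <= dport <= hi

def filter_less(frame, n):    return len(frame) <= n   # 'less n'    == 'len <= n' (item 6)
def filter_greater(frame, n): return len(frame) >= n   # 'greater n' == 'len >= n'

def build_pcap(frames, snaplen=65535):
    """Classic pcap: magic 0xa1b2c3d4, v2.4, LINKTYPE_ETHERNET (1), item 1's default snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1275580800 + i, 0, len(f), len(f)) + f   # ts_sec, ts_usec, caplen, len
    return out

if __name__ == "__main__":
    with open("demo.pcap", "wb") as fh:          # then: tcpdump -nn -r demo.pcap 'ip6 protochain 6'
        fh.write(build_pcap(FRAMES))
    for name, f in zip(("SYN4", "SYN6", "SYN6_HBH"), FRAMES):
        print(name, len(f), "bytes  ip6 proto 6:", filter_ip6_proto(f, 6),
              " ip6 protochain 6:", filter_ip6_protochain(f, 6), " syn-only:", filter_syn_only(f))
```

The third frame is the interesting one: 'ip6 proto 6' misses it because the fixed header's Next Header field says 0 (Hop-by-Hop), while 'ip6 protochain 6' follows the chain and finds the TCP header. Running the two tcpdump filters against demo.pcap shows the same split, which is exactly the IPv4-to-IPv6 surprise item 9 warns about.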

Know any more "hidden and forgotten features"?  Let us know....


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: tcpdump