
SANS ISC: Top 10 Things you may not know about tcpdump - SANS Internet Storm Center


Top 10 Things you may not know about tcpdump

"tcpdump" is one of those utilities we take for granted. Ask in any networking class, and more or less everybody has used it before and knows how to use it. tcpdump was first written in 1987 as a research project. Since then, the library behind it (libpcap) and the tool itself have been ported to more or less every operating system out there and have been incorporated into too many tools to count (Bill Stearns tried [1]).

What is often overlooked: tcpdump is still actively developed. Right now, the latest version is 4.1.1 with libpcap version 1.1.1 [2]. Many operating systems use version 4.0 now by default.

So what changed? What are the things you may not know about tcpdump? Here are some of the favorite items I ran into; please feel free to submit more.

  1. snaplength: it is no longer 68 bytes! New versions of tcpdump (>= 4.0) default to a snaplength of 64k, so there is no more need to use -s 0 (but it doesn't hurt).
  2. IPv6 support: the ip[] filter works for all versions of IP BUT IPv6. Also, tcpdump will happily treat a packet as IPv4 if its first 4 bits (the version nibble) are anything but '6'. If you want to filter for IPv6, use 'ip6'.
  3. The -E option will decrypt IPsec traffic. You need to know the shared secret or secret key, of course, and not all algorithms are supported.
  4. -Z username will drop root privileges and run tcpdump as "username" after it has started (many versions now do this by default using a "pcap" user).
  5. portrange: a macro that can be used to filter a range of ports (e.g. portrange 0-1023).
  6. less/greater: filter packets by length.
  7. new versions of tcpdump will print more than one line per packet if the '-v' switch is used (this breaks a lot of old shell scripts that use grep and such to filter the output).
  8. there are now a number of macros for common offsets. For example, tcp[tcpflags] is equivalent to tcp[13].
  9. the "proto" macro will only match the next header field in the IPv6 header, which may not be the transport layer protocol that you expect from IPv4.
  10. the -C option can be used to rotate files after they reach a given number of megabytes (don't confuse it with lower case -c).

Know any more "hidden and forgotten features"?  Let us know....


[1] http://www.stearns.org/doc/pcap-apps.html
[2] http://www.tcpdump.org

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute


Johannes

3628 Posts
ISC Handler
Hi Johannes, it seems that my copy of tcpdump (4.0 on Ubuntu Server) gives a default capture size of 96 bytes.
Daniel M.

4 Posts
Here's a good one:

tcpdump 'tcp[13] = 6'

...to find all packets with both the SYN and RST flags set.
Daniel M.

4 Posts
And all the traffic with the evil bit set:

tcpdump 'ip[6] & 128 != 0'
Daniel M.

4 Posts
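The byte-offset filters from items 2, 8 and 9 of the list and the two filters Daniel posted (tcp[13] = 6 and ip[6] & 128 != 0), worked through as an added example that is not code from the diary or from tcpdump itself: it resolves ip[n], tcp[n] and the IPv6 next-header byte against constructed IPv4/IPv6 packets the way libpcap does (the packet builders and function names are my own).

```python
# Added example (not the diary's or tcpdump's code): how the byte-offset filters
# discussed on this page resolve on constructed packets. ip[n] is byte n of the
# IPv4 header; tcp[n] is byte n past the IP header, whose length comes from IHL.
import struct
TCPFLAGS, TCP_SYN, TCP_RST, TCP_ACK = 13, 2, 4, 16  # item 8: tcp[tcpflags] is tcp[13]

def build_ipv4_tcp(flags, evil=False):
    """Constructed 20-byte IPv4 header + 20-byte TCP header, no payload."""
    frag = 0x8000 if evil else 0    # high bit of ip[6] is the reserved ("evil") bit
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, frag, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp

def build_ipv6(next_header):
    """Constructed 40-byte IPv6 header; next_header may be an extension header."""
    return struct.pack("!IHBB16s16s", 0x60000000, 0, next_header, 64,
                       bytes(15) + b"\x01", bytes(15) + b"\x02")

def ip_byte(pkt, n):
    """ip[n]: item 2, 'ip' is decided by the version nibble; use 'ip6' otherwise."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4: use ip6[n]")
    return pkt[n]

def tcp_byte(pkt, n):
    """tcp[n], offset from the end of the variable-length IPv4 header."""
    if ip_byte(pkt, 9) != 6:
        raise ValueError("ip proto is not TCP")
    return pkt[(pkt[0] & 0x0F) * 4 + n]

def syn_and_rst_only(pkt):
    """'tcp[13] = 6': flags byte is exactly SYN|RST and nothing else."""
    return tcp_byte(pkt, TCPFLAGS) == (TCP_SYN | TCP_RST)

def syn_and_rst_any(pkt):
    """'tcp[tcpflags] & (tcp-syn|tcp-rst) = (tcp-syn|tcp-rst)': both set, rest ignored."""
    want = TCP_SYN | TCP_RST
    return (tcp_byte(pkt, TCPFLAGS) & want) == want

def evil_bit_set(pkt):
    """'ip[6] & 128 != 0': the reserved bit of the flags/fragment-offset field."""
    return (ip_byte(pkt, 6) & 128) != 0

def ip6_next_header(pkt):
    """Item 9: 'ip6 proto N' tests only this byte, which is the first extension
    header type (e.g. 44 = Fragment) when extension headers are present."""
    if pkt[0] >> 4 != 6:
        raise ValueError("not IPv6")
    return pkt[6]
```

Note that the '= 6' form only matches when SYN and RST are the only flags set; a packet with SYN, RST and ACK slips past it, which the masked form catches.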
Interesting about the 96 bytes. I just checked the Ubuntu man page for tcpdump, and it actually states it is 64 bytes but "with SunOS's NIT, the minimum is actually 96". Will research this a bit more.

For everybody else: a nice tcpdump intro from Daniel: danielmiessler.com/study/tcpdump/
Johannes

3628 Posts
ISC Handler
