TCPDump. If you want to capture traffic, this is the tool you should be using. TCPDump is small, lightweight and easy to understand once you learn the basic syntax, and it is ideal for gathering information off a wired or wireless network. If you run it on a computer with dsniff installed, you can use dsniff to redirect traffic through your computer and see everything your target is doing, even on a switched network (see the article on how to spy on other users on the local network from back in August).
The first thing we need to do is tell TCPDump exactly what we want out of the capture. There are four basic levels of verbosity. Running tcpdump with no verbosity flag shows just the basics; adding one to three ‘v’ characters (-v, -vv, -vvv) increases the amount of detail printed for each packet.
-X prints the contents of each packet (minus its link-level header) in hex and ASCII, alongside the decoded header line.
tcpdump -vXs 1500
-s sets the snaplen, the number of bytes captured from each packet. The default of 68 bytes is adequate for the IP, ICMP, TCP and UDP headers, but it truncates some other protocols and cuts off any payload you wanted to see with -X, which is why the example above raises it to 1500 (a full Ethernet frame). Note that tcpdump 4.0 and later no longer default to 68 bytes (the current default is 262144 bytes, and -s 0 selects that default), so the truncation only bites on older versions or when you lower the snaplen deliberately.
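To make the snaplen point concrete, here is an added example that is not part of the original article and is not tcpdump's own code: it writes constructed frames in the same pcap layout that tcpdump -w produces, cutting each record at a chosen snaplen the way -s does, then reads the file back and reports what survived. The addresses, ports and payloads are made up, and the helper names (make_frame, build_pcap, read_pcap, decode, capture_summary) are this example's own.

```python
# Added example, not tcpdump's own code: build a small pcap file laid out the way
# `tcpdump -s N -w` writes one, read it back, and show what a 68-byte snaplen
# keeps (headers) and drops (payload). All frames here are constructed.
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps, little-endian here
LINKTYPE_ETHERNET = 1
ETH_IPV4 = 0x0800


def make_frame(src, dst, sport, dport, payload=b""):
    """Constructed Ethernet + IPv4 + TCP frame: 14 + 20 + 20 header bytes plus payload."""
    eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETH_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + tcp + payload


def build_pcap(snaplen, frames):
    """Write records the way -s works: incl_len is capped at snaplen, orig_len is the wire size."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts, frame in enumerate(frames, start=1):
        kept = frame[:snaplen]
        out += struct.pack("<IIII", ts, 0, len(kept), len(frame)) + kept
    return out


def decode(data, caplen, origlen):
    """What a reader can still recover from a (possibly truncated) record."""
    pkt = {"truncated": caplen < origlen, "caplen": caplen, "len": origlen}
    if len(data) < 34 or struct.unpack_from("!H", data, 12)[0] != ETH_IPV4:
        return pkt
    ihl = (data[14] & 0x0F) * 4
    pkt["src"], pkt["dst"] = (str(ipaddress.IPv4Address(data[i:i + 4])) for i in (26, 30))
    l4 = 14 + ihl
    if data[23] == 6 and len(data) >= l4 + 20:  # protocol 6 = TCP, full TCP header present
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", data, l4)
        pkt["payload"] = data[l4 + (data[l4 + 12] >> 4) * 4:]  # whatever survived the cut
    return pkt


def read_pcap(blob):
    """Return (snaplen recorded in the file header, list of decoded records)."""
    magic, _, _, _, _, snaplen, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian Ethernet pcap")
    off, pkts = 24, []
    while off < len(blob):
        _, _, caplen, origlen = struct.unpack_from("<IIII", blob, off)
        pkts.append(decode(blob[off + 16:off + 16 + caplen], caplen, origlen))
        off += 16 + caplen
    return snaplen, pkts


FRAMES = [  # constructed traffic, not a real capture
    make_frame("10.0.0.254", "192.168.1.10", 40000, 25, b"EHLO example.test\r\n"),
    make_frame("192.168.1.10", "10.0.0.254", 25, 40000, b"250 OK\r\n"),
    make_frame("192.168.1.20", "10.0.0.5", 51000, 80, b"GET / HTTP/1.1\r\n" * 4),
]


def capture_summary(snaplen=68, frames=FRAMES):
    """Per record: (src:sport -> dst:dport, bytes kept, bytes on the wire, payload bytes kept)."""
    file_snaplen, pkts = read_pcap(build_pcap(snaplen, frames))
    return file_snaplen, [(f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}",
                           p["caplen"], p["len"], len(p["payload"])) for p in pkts]
```

With the 68-byte default, the SMTP and HTTP records keep their Ethernet, IP and TCP headers, so addresses and ports still decode, but only 14 bytes of payload survive; capture_summary(snaplen=1500) keeps every byte, which is what -s 1500 above buys you. Wireshark flags the truncated records as “Packet size limited during capture”.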
The real power of TCPDump comes from the ways you can filter the traffic you are capturing. For example, if you only want traffic to or from a specific IP, use the “host” primitive. To capture all traffic to or from 192.168.1.1 we would use
tcpdump host 192.168.1.1
But we may not need all of that. If we only want traffic going to that host, or only traffic coming from it, we can be more specific with the “src” and “dst” qualifiers, like so
Capture all traffic going to 192.168.1.1
tcpdump dst 192.168.1.1
Capture all traffic coming from 192.168.1.1
tcpdump src 192.168.1.1
This is all well and good, but it still captures a lot of traffic I’m not interested in, such as HTTP (port 80) and FTP (port 21). If I only want SMTP (port 25) traffic, I can filter on the port as well.
tcpdump port 25
This captures all traffic with port 25 as either the source or the destination port; “src port” and “dst port” narrow it to one side, just as they do for “host”.
If you need to capture traffic to or from an entire subnet rather than a single host, the “net” primitive works just like “host”, but takes a network in CIDR notation (e.g. 192.168.1.0/24) instead of a single IP address.
So the following captures all traffic to or from the 192.168.1.0 network (netmask 255.255.255.0)
tcpdump net 192.168.1.0/24
All of the primitives above can be combined with the operators “and”, “or” and “not”, and grouped with parentheses. Because the shell treats parentheses specially, escape them as \( and \) as below, or put the whole expression in single quotes.
Some examples
Capture all traffic from the host at 10.0.0.254 and destined for the network 192.168.1.0/24 on port 25
tcpdump src host 10.0.0.254 and dst net 192.168.1.0/24 and dst port 25
Capture all traffic destined for 192.168.1.0/24 or 10.0.0.0/24 and not on port 80 (a value given without a keyword reuses the most recent qualifiers, so the bare 10.0.0.0/24 is short for “dst net 10.0.0.0/24”)
tcpdump \(dst net 192.168.1.0/24 or 10.0.0.0/24\) and not port 80
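The way these primitives combine, including the shorthand in the last example where 10.0.0.0/24 stands for “dst net 10.0.0.0/24”, is easier to see with a small evaluator. The following is an added example, not part of the original article and not tcpdump’s own code: tcpdump compiles the expression to BPF and the kernel applies it to raw packets, whereas this Python re-states the same semantics over constructed packet summaries so the filters can be tried offline. The packet list and the names matches and select are this example’s own.

```python
# Added example, not tcpdump's own code: a Python re-statement of how tcpdump
# filter expressions combine (host/net/port, src/dst, and/or/not, parentheses),
# run against constructed packet summaries. tcpdump itself compiles the
# expression to BPF; this only mirrors the semantics for illustration.
import ipaddress

# Constructed traffic: roughly what tcpdump would decode from each packet.
PACKETS = [
    {"src": "10.0.0.254", "dst": "192.168.1.10", "sport": 40000, "dport": 25},
    {"src": "192.168.1.10", "dst": "10.0.0.254", "sport": 25, "dport": 40000},
    {"src": "192.168.1.20", "dst": "10.0.0.5", "sport": 51000, "dport": 80},
    {"src": "10.0.0.5", "dst": "192.168.1.1", "sport": 5353, "dport": 53},
    {"src": "172.16.0.9", "dst": "192.168.1.1", "sport": 44444, "dport": 25},
    {"src": "10.0.0.7", "dst": "172.16.0.9", "sport": 33000, "dport": 443},
]


def matches(expr, pkt):
    """Evaluate a tcpdump-style filter on one packet. A value given without a
    keyword reuses the most recent qualifiers, which is why "dst net A or B"
    reads as "dst net A or dst net B" and "not host X and Y" as "... and host Y"."""
    toks = expr.replace("(", " ( ").replace(")", " ) ").split()
    last = ["", "host"]  # most recent (direction, type); "" means either direction

    def peek():
        return toks[0] if toks else None

    def primitive():
        d = toks.pop(0) if peek() in ("src", "dst") else None
        t = toks.pop(0) if peek() in ("host", "net", "port") else None
        if d is None and t is None:  # bare value: inherit both qualifiers
            d, t = last
        elif t is None:              # "dst 192.168.1.1" is short for "dst host 192.168.1.1"
            t = "net" if "/" in peek() else "host"
        last[:] = d or "", t
        value = toks.pop(0)
        sides = {"": ("src", "dst"), "src": ("src",), "dst": ("dst",)}[last[0]]
        if t == "port":
            return any(pkt[s[0] + "port"] == int(value) for s in sides)  # sport / dport
        if t == "net":
            net = ipaddress.ip_network(value, strict=False)
            return any(ipaddress.ip_address(pkt[s]) in net for s in sides)
        return any(ipaddress.ip_address(pkt[s]) == ipaddress.ip_address(value) for s in sides)

    def factor():  # precedence, tightest first: "not", parentheses, "and", "or"
        if peek() == "not":
            toks.pop(0)
            return not factor()
        if peek() == "(":
            toks.pop(0)
            inner = expr_()
            toks.pop(0)  # the matching ")"
            return inner
        return primitive()

    def term():
        v = factor()
        while peek() == "and":
            toks.pop(0)
            v = factor() and v  # evaluate the operand first so its tokens are consumed
        return v

    def expr_():
        v = term()
        while peek() == "or":
            toks.pop(0)
            v = term() or v
        return v

    result = expr_()
    if toks:
        raise ValueError(f"unparsed filter text: {' '.join(toks)}")
    return result


def select(expr, packets=PACKETS):
    """Indexes of the packets the filter would let through."""
    return [i for i, p in enumerate(packets) if matches(expr, p)]
```

Compare select("dst net 192.168.1.0/24 or 10.0.0.0/24") with select("dst net 192.168.1.0/24 or net 10.0.0.0/24"): the first inherits “dst” for the second network and excludes the last packet (source 10.0.0.7, destination outside both networks), the second matches either direction and includes it. Getting that distinction wrong is a common reason a filter captures more or less than intended.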
One of the most useful features is writing the capture to a file so you can analyze it later with something like Wireshark, TcpReplay or any other security tool that reads pcap files. The “-w” argument takes the name of the file to save the capture to.
tcpdump -w mycapfile.pcap
The resulting file can be read by any tool that accepts the pcap format, including tcpdump itself via the “-r” option, and the filter expressions above work the same way against a saved file. Because -w records only what the snaplen lets through, make sure -s is large enough before you start writing if you will want payloads later.
As always if you have any questions, comments or suggestions please post them in the comment section below.
More info on TCPDump filters can be found at the following links.