There is absolutely no doubt that TCPDump is the easiest way to identify traffic on any Unix or Linux host. It’s lightweight, easy to use and does not require a GUI. TCPDump combines power with simplicity when analyzing network traffic. I have been implementing SIEM and other log collection mechanisms, and TCPDump is the first-hand tool that gives me visibility into whether I am receiving data on my collection servers. Tcpdump is one of the best network analysis tools for information security professionals.
What is TCPDump?
For those who are new to it, TCPDump is a handy tool for inspecting network packets on a Linux box. You can view information about the traffic coming into and going out of a given network interface. This diagnostic tool shows you packet information, that is, where incoming packets come from and where outgoing packets are heading on an interface, along with some extra details. You can even save the output to a file to inspect later on.
Here is how you can get TCPDump on your Linux box.
Debian / Ubuntu
apt install tcpdump
CentOS / RedHat
yum install tcpdump
TCPDump – Dump everything on the network
Let us start with some examples that you are likely to need in networking, security, or any other type of infrastructure role. Remember to replace the interface name in the commands below with the one set on your Linux host. You can fetch the names of your network interfaces by just running:
TCPDump – See all the Traffic on an Interface
If you want to look at everything that is happening on a network interface, use the interface option (-i). This will print all the traffic passing over that interface.
tcpdump -i <interface-name>
TCPDump – Find Traffic by host / IP
To see traffic that’s going to or from a particular host, use the host option.
tcpdump host 192.168.1.1
Filtering by Source
To see traffic generated by only one source address, use the src option.
tcpdump src 192.168.1.1
Filtering by Destination
Similarly, use dst to see all the traffic going towards a destination IP.
tcpdump dst 192.168.1.1
Filtering Packets by Network
To find packets going to or from a particular network or subnet, use the net option.
tcpdump net 192.168.1.0/24
Filter Traffic to a Specific Port
To find traffic travelling to a specific port, use the port option. This is helpful for monitoring traffic to services that use custom ports.
tcpdump port 8089
Filter Traffic to a Port Range
If a service uses a range of ports to send or receive its traffic, use the portrange option to monitor the traffic to that range.
tcpdump portrange 8000-8100
Filter Traffic by Protocol
If you need to monitor traffic for only one protocol, you can write the name of the protocol directly as the filter expression.
TCPDump – Print Each Packet
To understand the contents of each packet, print each packet’s payload in ASCII using the -A option.
TCPDump – Writing Captures to a pcap file
It is always useful to write the output of the capture to a PCAP file for later use. This is especially handy when you don’t have a GUI on your Linux box but still want to visualize the traffic: write a pcap file now and read it later with any packet analyzer, such as Wireshark. Note that tcpdump’s options (such as -w) must come before the filter expression, so the capture of syslog traffic on port 514 looks like this:
tcpdump -w capture_file.pcap port 514
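Since the reason for capturing port 514 is usually to confirm that log sources are actually reaching a collector, here is an added shell example (not from the original post) that tallies the sending hosts from tcpdump’s text output and checks whether an expected source is present; the collector address 10.0.0.5, the interface eth0 and the sample capture lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: verify that expected log sources
# actually reach a syslog collector by tallying tcpdump's text output.
# Live use:   tcpdump -n -l -i eth0 "$(build_filter 10.0.0.5 514)" | syslog_sources 514
# 10.0.0.5 (collector), eth0 and the SAMPLE lines below are constructed placeholders.

# Compose the capture filter for traffic headed to a collector host and port.
build_filter() {
    printf 'dst host %s and dst port %s' "$1" "$2"
}

# Read tcpdump -n output on stdin and print "<source host> <packet count>" per
# host for packets whose destination port is $1. tcpdump prints
# "IP <src>.<sport> > <dst>.<dport>: ..." so the source port is the trailing
# dot-separated number; lines without a destination port (e.g. ICMP) are skipped.
syslog_sources() {
    awk -v port="$1" '
        $2 == "IP" && $4 == ">" && $5 ~ ("\\." port ":$") {
            src = $3; sub(/\.[0-9]+$/, "", src); n[src]++
        }
        END { for (h in n) printf "%s %d\n", h, n[h] }' | sort
}

# Exit 0 if host $1 appears in a syslog_sources tally read on stdin, else 1.
# Useful for alerting when a device that should be sending logs has gone silent.
source_seen() {
    awk -v want="$1" '$1 == want { found = 1 } END { exit(found ? 0 : 1) }'
}

# Constructed sample of what tcpdump -n shows for syslog traffic to 10.0.0.5,
# including one ICMP reply that must not be counted as a log source.
SAMPLE='12:00:01.000001 IP 192.168.1.10.51234 > 10.0.0.5.514: SYSLOG local0.info, length: 45
12:00:01.000002 IP 192.168.1.11.40001 > 10.0.0.5.514: SYSLOG auth.info, length: 60
12:00:02.000003 IP 192.168.1.10.51234 > 10.0.0.5.514: SYSLOG local0.info, length: 47
12:00:02.000004 IP 10.0.0.5 > 192.168.1.12: ICMP 10.0.0.5 udp port 514 unreachable, length 81'

# Demo on the sample: prints each sender and its packet count.
printf '%s\n' "$SAMPLE" | syslog_sources 514
```

Against a live capture, pipe the same tally into source_seen for each host on your inventory to spot senders that have stopped reporting.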
These were some basic examples that can be helpful for a first-pass analysis of network traffic. There are many more advanced options and tweaks available in TCPDump, and the TCPDump man page is the best reference for them.
TCPDump is very lightweight yet a very powerful tool, and working only with the basic options doesn’t do it justice. Soon I will be writing a post on how you can use TCPDump with advanced options, the Real Hacker way.