advanced tcpdump & Berkeley packet filters
Today, I would like to introduce you to some of tcpdump's advanced options. If you've ever used tcpdump, you've probably captured traffic off a network interface or examined the contents of an existing pcap file. In its most basic use (sudo tcpdump), all visible network traffic is dumped off the primary interface to stdout. While this is the making of a great screen saver, it's not very useful. This is the moment at which you began reading the man page and discovered Berkeley Packet Filters (BPF). BPF statements can range from something as broad as # tcpdump 'port 80' or # tcpdump 'host and/or host'. There are times where a very specific level of detail is needed. This is where Berkeley Packet Filters become your best friend.
First off, tcpdump and BPF can be used for much more than just simple host statements: you can look for specific types of network traffic. Let's say you've been asked to identify all network packets with a specific TCP flag such as SYN, SYN-ACK, ACK or FIN.
The flags live in byte 13 of the TCP header (tcp[13]), one bit per flag, so each filter masks that byte with the bit value of the flag you care about:
SYN-ACK packets: tcpdump 'tcp[13] & 18 = 18' (18 is SYN|ACK; the looser test 'tcp[13] & 18 != 0' would also match plain SYN and plain ACK packets, so require both bits)
URG packets: tcpdump 'tcp[13] & 32 != 0'
ACK packets: tcpdump 'tcp[13] & 16 != 0'
PSH packets: tcpdump 'tcp[13] & 8 != 0'
RST packets: tcpdump 'tcp[13] & 4 != 0'
SYN packets: tcpdump 'tcp[13] & 2 != 0'
FIN packets: tcpdump 'tcp[13] & 1 != 0'
What if you wanted to look for ICMP echo requests or replies? The ICMP type is the first byte of the ICMP header (icmp[0]):
ICMP echo requests: tcpdump 'icmp[0] = 8'
ICMP echo replies: tcpdump 'icmp[0] = 0'
ICMP Time Exceeded (in transit): tcpdump 'icmp[0] = 11'
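To show what the tcp[13] and icmp[0] filters above actually test, here is an added example (my own code, not from the original post or from tcpdump) that locates the transport header the way BPF does and evaluates the same byte-and-mask predicates on constructed IPv4 packets. It also demonstrates why the SYN-ACK filter must require both bits. All packet bytes, addresses and ports are constructed sample values.

```python
import struct

# Flag bits in TCP header byte 13, the masks used by the tcp[13] filters above.
TCP_FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}


def build_ipv4(proto, payload):
    """Constructed 20-byte IPv4 header (no options, zero checksum) + payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload


def build_tcp(flags):
    """Constructed 20-byte TCP header; the flag byte lands at offset 13."""
    return struct.pack("!HHIIBBHHH", 12345, 80, 0, 0, 5 << 4, flags, 65535, 0, 0)


def build_icmp(icmp_type):
    """Constructed 8-byte ICMP header; the type is byte 0 (icmp[icmptype])."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, 0, 0)


def transport(pkt):
    """Skip the IPv4 header (IHL * 4 bytes) and return (protocol, transport bytes),
    which is how tcp[n] / icmp[n] offsets are resolved."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], pkt[ihl:]


def tcp13_and(pkt, mask):
    """Value of 'tcp[13] & mask' for an IPv4/TCP packet; None if not TCP (proto 6)."""
    proto, tr = transport(pkt)
    return tr[13] & mask if proto == 6 else None


def icmp_type(pkt):
    """Value of 'icmp[0]' for an IPv4/ICMP packet; None if not ICMP (proto 1)."""
    proto, tr = transport(pkt)
    return tr[0] if proto == 1 else None


def syn_ack_loose(pkt):
    """'tcp[13] & 18 != 0': true for SYN-ACK, but also for plain SYN or plain ACK."""
    v = tcp13_and(pkt, 18)
    return v is not None and v != 0


def syn_ack_strict(pkt):
    """'tcp[13] & 18 = 18': true only when both SYN and ACK are set."""
    return tcp13_and(pkt, 18) == 18


def is_ping(pkt):
    """Complement of 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'."""
    return icmp_type(pkt) in (8, 0)
```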
As you can see, BPF lets you look for way more than just hosts and ports. Although, looking at all traffic with certain TCP flags, or of a specific ICMP type, is really no more useful than tcpdump 'port 80'. You really must combine everything to begin getting useful traffic captures. So how about a few 'real world' examples ...
Try looking for the beginning and end packets (SYN and FIN) of all TCP conversations that involve a non-local host:
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet' (replace localnet with the correct value.)
Now take that even further and look for a specific non-local host and port:
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 && not src && dst host x.x.x.x and port xx'
Now let’s use tcpdump and bpf to look at all network traffic, except a specific type. In this example we are going to look at all ICMP traffic except for pings (echo/reply):
tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
Taking in everything covered in this post, you should have a decent overview of the breadth of things you can do with tcpdump and BPF. As always, I hope you learned something; experiment and have fun nerding it up.