Network sniffer with tcpdump – example commands
The other day, while I was inspecting my network traffic usage, I noticed a slight increase in incoming traffic. At first I thought someone was just uploading something to the server using PHP or FTP, and I didn't put much thought into it since the increase was only 1 Mbps. However, after a few hours of the same amount of traffic being used continuously, just to be sure, I checked the logs for any FTP activity and the web server logs for any uploads, and to my surprise I didn't find anything. My only remaining option was to scan the entire network traffic. That is what I'm going to write about here: I'll show you some simple commands for using a network sniffer like tcpdump.
So yeah, a network tool used for sniffing traffic will not really interpret the traffic for you, but there are tools that can help you do that more easily. In my case, I wrote the output of tcpdump to a file and imported the file into Wireshark.
What I noticed was that there were a lot of incoming SMTP connections from one single IP address. I then looked that IP address up in my mail server log and saw that a lot of incoming emails from it were being dropped for having a large attachment, hence the increase in traffic. So yeah, it helped me find out what caused the increase; I really didn't think at the time that the increase could have come from the mail server, since it was constant usage for over 4 hours...
How to install tcpdump
Well anyway, back to our main topic. First we should install tcpdump if it's not already installed; the commands used are:
- CentOS, Redhat, Fedora
yum install tcpdump
- Debian, Ubuntu
apt-get install tcpdump
I just noticed that on my laptop where I have Ubuntu installed, tcpdump is already there by default.
Find network interface
Then you would normally know which interface you plan to sniff packets on, but you also have the option to list all the interfaces you are able to capture packets from:
tcpdump -D
The output would be similar to:
tcpdump -D
1.eth0
2.eth2
3.any (Pseudo-device that captures on all interfaces)
4.lo
Capture packets from your network
So in my case I know I'm using eth2 as my network connection, so my command would be:
tcpdump -i eth2
Then, for example, I do not wish to capture port 22 since I use it for SSH:
tcpdump -i eth2 not port 22
You can also have this output written to a file for later inspection:
tcpdump -i eth2 not port 22 -w tcpdump.txt
If you wish to capture traffic only from one source IP, then you use:
tcpdump -i eth2 src 192.168.1.23
The output would be similar to the one below; I'm only going to show you the output from the first command:
tcpdump -i eth2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
04:46:36.123543 IP sv2.domain.com.imaps > Studio-XPS-1645.local.35984: Flags [P.], seq 2726694117:2726694170, ack 2042144999, win 62, options [nop,nop,TS val 2545387018 ecr 2539891], length 53
04:46:36.124244 IP Studio-XPS-1645.local.35984 > sv2.domain.com.imaps: Flags [P.], seq 1:75, ack 53, win 331, options [nop,nop,TS val 2539897 ecr 2545387018], length 74
04:46:36.132209 IP Studio-XPS-1645.local.17067 > G.ROOT-SERVERS.NET.domain: 42015% [1au] PTR? 103.1.168.192.in-addr.arpa. (55)
04:46:36.132266 IP Studio-XPS-1645.local.63287 > G.ROOT-SERVERS.NET.domain: 42% [1au] NS? . (28)
The command I personally used in my little test was the one that writes to a file for later inspection in Wireshark.
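If you would rather check the text output directly instead of importing it into Wireshark, here is an added example (not from the original post) that parses lines in tcpdump's default text format, as shown above, and summarizes per source host the packets, new-connection SYNs and payload bytes sent towards one port, which is the kind of count that pointed at the single SMTP sender in this case. It assumes the text output was saved with a shell redirect (e.g. `tcpdump -i eth2 -n > capture.log`; a file written with `-w` is binary pcap and has to be read back with `tcpdump -r` to get this form), and the sample lines and addresses are constructed.

```python
import re

# One IPv4 line of tcpdump's text output: "<time> IP <src-host>.<src-port> > <dst-host>.<dst-port>: <rest>"
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
LEN_RE = re.compile(r"length (\d+)")

def split_endpoint(endpoint):
    """Host names contain dots, so the port is the last dotted component: 'sv2.domain.com.imaps' -> ('sv2.domain.com', 'imaps')."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def parse_line(line):
    """Return a dict for an IP packet line, or None for banner/other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m.group("src"))
    dst, dport = split_endpoint(m.group("dst"))
    return {"ts": m.group("ts"), "src": src, "sport": sport,
            "dst": dst, "dport": dport, "rest": m.group("rest")}

def summarize(lines, dport):
    """Per source host: packets, pure SYNs (new connection attempts) and TCP payload bytes towards dport."""
    stats = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != dport:
            continue
        s = stats.setdefault(rec["src"], {"packets": 0, "syns": 0, "bytes": 0})
        s["packets"] += 1
        if "Flags [S]" in rec["rest"]:        # "Flags [S.]" would be a SYN-ACK, not counted here
            s["syns"] += 1
        m = LEN_RE.search(rec["rest"])
        if m:
            s["bytes"] += int(m.group(1))
    return stats

# Constructed sample lines; 203.0.113.7 and 198.51.100.9 are documentation addresses, not real hosts.
SAMPLE = """\
04:46:36.123543 IP sv2.domain.com.imaps > Studio-XPS-1645.local.35984: Flags [P.], seq 1:54, ack 1, win 62, length 53
04:46:37.001000 IP 203.0.113.7.51234 > sv2.domain.com.smtp: Flags [S], seq 100, win 29200, length 0
04:46:37.002000 IP 203.0.113.7.51235 > sv2.domain.com.smtp: Flags [S], seq 200, win 29200, length 0
04:46:37.003000 IP 198.51.100.9.44000 > sv2.domain.com.smtp: Flags [S], seq 300, win 29200, length 0
04:46:37.004000 IP 203.0.113.7.51234 > sv2.domain.com.smtp: Flags [P.], seq 1:1461, ack 1, win 229, length 1460
"""

if __name__ == "__main__":
    for src, s in sorted(summarize(SAMPLE.splitlines(), "smtp").items(),
                         key=lambda kv: -kv[1]["bytes"]):
        print(f"{src:16} packets={s['packets']} syns={s['syns']} bytes={s['bytes']}")
```

Sorting by bytes puts the heaviest sender first; with `-n` in the capture the host fields are plain IP addresses, otherwise they are whatever names tcpdump resolved.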