Tcpdump

From ISI Support Wiki
Revision as of 17:20, 14 January 2020 by Isiadmin (Monitoring Remote Traffic over SSH with Wireshark)


About

From the tcpdump man page:

Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression; the description is preceded by a time stamp, printed, by default, as hours, minutes, seconds, and fractions of a second since midnight. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than to read packets from a network interface. It can also be run with the -V flag, which causes it to read a list of saved packet files. In all cases, only packets that match expression will be processed by tcpdump.

The information on this page covers only a small portion of what tcpdump can do; reading the man page (or other documentation) is recommended.

Required Client Software

Linux/Unix/macOS

tcpdump is typically available as a package on most Unix and Linux variants, including macOS. You can determine whether or not tcpdump is installed by opening a terminal and running the following command:

   $ tcpdump --version

If it is not installed, please consult your distribution's package manager for instructions.

Using tcpdump

More here soon!

Cookbook

Here are some useful ways to use tcpdump.

Monitoring Remote Traffic over SSH with Wireshark

You can use tcpdump to forward captured packets over SSH to a local Wireshark instance for live monitoring.

Let's say we want to connect to example.host and monitor eth0 using Wireshark on our local system. To do that, we would run:

   $ ssh root@example.host tcpdump -U -i eth0 -w - not tcp port 22 | wireshark -k -i -

Note the not tcp port 22 expression. It excludes the SSH session that is carrying the capture itself; without it, every captured packet would generate more SSH traffic, which would in turn be captured. If you want to monitor port 22, you will have to write a more specific expression. The -U flag makes tcpdump flush each packet to the pipe as soon as it is captured, and -k tells Wireshark to start capturing from stdin immediately.

Capture CDP

The Cisco Discovery Protocol (CDP) is a proprietary Data Link Layer protocol developed by Cisco Systems. It is used to share information about directly connected Cisco equipment, such as the operating system version and IP address. CDP can also be used for On-Demand Routing, which is a method of including routing information in CDP announcements so that dynamic routing protocols do not need to be used in simple networks.

This information is extremely useful, for example, to determine which device and port number a system is connected to.

To capture this information on eth0, we would use the following command:

   $ tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'

This will listen on the interface until it sees a CDP packet (-c 1), print the packet data, and exit.

Credit goes to Steve Kehlet for this.
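As an added illustration (not part of the original page), the following Python walks the 802.3/LLC/SNAP header of a constructed CDP frame to show why frame offset 20 holds the CDP protocol ID that the filter above tests, and why the two-byte check on its own can also match the first fragment of an IPv4 datagram, whose flags/fragment-offset field (IP bytes 6-7, frame bytes 20-21 behind a 14-byte Ethernet II header) is likewise 0x2000. The frames, MAC addresses and IP addresses are constructed for the example, not captured traffic.

```python
import struct

CDP_MULTICAST = bytes.fromhex("01000ccccccc")  # CDP destination MAC
CISCO_OUI = bytes.fromhex("00000c")
CDP_PID = 0x2000

def ether(frame: bytes, offset: int, size: int) -> int:
    """Python equivalent of tcpdump's ether[offset:size] accessor (big-endian)."""
    return int.from_bytes(frame[offset:offset + size], "big")

def build_cdp_frame(src_mac: bytes, payload: bytes) -> bytes:
    """802.3 header + LLC (AA AA 03) + SNAP (Cisco OUI, PID 0x2000) + CDP payload.
    Offsets: 0-5 dst, 6-11 src, 12-13 length, 14-16 LLC, 17-19 OUI, 20-21 PID."""
    llc_snap = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", CDP_PID)
    length = struct.pack("!H", len(llc_snap) + len(payload))
    return CDP_MULTICAST + src_mac + length + llc_snap + payload

def build_ipv4_first_fragment(src_mac: bytes, dst_mac: bytes) -> bytes:
    """Ethernet II + IPv4 header with MF set and fragment offset 0, so the
    flags/fragment field (IP bytes 6-7 == frame bytes 20-21) is exactly 0x2000."""
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0x2000, 64, 17, 0,
                            bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip_header + b"\x00" * 8

def matches_page_filter(frame: bytes) -> bool:
    """The page's filter 'ether[20:2] == 0x2000': looks only at frame bytes 20-21."""
    return len(frame) >= 22 and ether(frame, 20, 2) == CDP_PID

def is_cdp(frame: bytes) -> bool:
    """Stricter check, equivalent to the tcpdump filter
    'ether[12:2] <= 1500 and ether[14:2] == 0xaaaa and ether[16:4] == 0x0300000c
     and ether[20:2] == 0x2000'."""
    return (len(frame) >= 22
            and ether(frame, 12, 2) <= 1500        # 802.3 length field, not an EtherType
            and ether(frame, 14, 2) == 0xAAAA      # LLC DSAP/SSAP = SNAP
            and ether(frame, 16, 4) == 0x0300000C  # LLC control 0x03 + Cisco OUI 00:00:0c
            and ether(frame, 20, 2) == CDP_PID)

def cdp_summary(frame: bytes) -> dict:
    """Decode the fixed CDP header that follows SNAP: version, TTL, checksum."""
    if not is_cdp(frame):
        raise ValueError("not a CDP frame")
    version, ttl, checksum = struct.unpack("!BBH", frame[22:26])
    return {"version": version, "ttl": ttl, "checksum": checksum}

# Constructed samples: CDP v2 header with TTL 180 and a zero checksum, no TLVs.
CDP_FRAME = build_cdp_frame(bytes.fromhex("001122334455"), b"\x02\xb4\x00\x00")
FRAGMENT = build_ipv4_first_fragment(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"))

if __name__ == "__main__":
    for name, frame in (("cdp", CDP_FRAME), ("ipv4-fragment", FRAGMENT)):
        print(name, "page filter:", matches_page_filter(frame), "strict:", is_cdp(frame))
```

Because the command above uses -c 1, a stray first fragment arriving before the next CDP announcement would make tcpdump print that packet and exit; the stricter filter in the is_cdp docstring avoids this.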

Additional Resources