tcpdump Tutorial

Find network problems, virus-infested computers and bandwidth hogs with tcpdump.

tcpdump is a command-line utility for viewing the packets passing through a network interface. It comes preinstalled on IPCop. You can run tcpdump on the IPCop machine over SSH (for example with PuTTY) and watch all the traffic on a particular interface go by. It can filter the traffic by IP address, port number and many other criteria, and you can dump the output to a file if it scrolls by too fast to read.

You can read the long and ugly manual page here:
http://www.tcpdump.org/tcpdump_man.html

A fairly thorough tutorial is here:
http://danielmiessler.com/study/tcpdump/

Here's an example of how you could use it to troubleshoot a firewall issue. Suppose no traffic seems to be flowing through the firewall. You can get a running summary of every packet going in and out of IPCop's green (LAN) interface, eth0, by logging in at the console or with PuTTY as root and typing:

tcpdump

Note: press Ctrl-C to quit.

If you're using PuTTY, there'll be a continuous stream of traffic, because you'll be watching the traffic between your PuTTY session and IPCop: every line tcpdump prints travels back over SSH and so generates another packet, like a dog chasing its tail. So if you're using PuTTY, try the same thing but exclude port 222, the port IPCop's SSH server listens on. Like so:

tcpdump port ! 222

(tcpdump not port 222 is the same filter written the more common way; use that form if your shell complains about the "!".)

At this point you should be seeing Internet traffic going to and from your IPCop box. Maybe there's no traffic. Maybe there's traffic going to IPCop but nothing returning. Maybe it's going by so fast you can't read it. Dump 400 packets to a file like so:

tcpdump -n -c 400 port ! 222 > testdump

The -n tells tcpdump to print addresses as numbers instead of looking up a hostname for every packet; the lookups are slow and generate DNS traffic of their own, which would show up in your dump.

View the file like so:

less testdump

Sort the file by source address. Which field that is depends on your tcpdump version: older versions print "time source > destination", so the source is field 2, while newer versions print a protocol tag (IP, IP6, ARP) first, making the source field 3. Look at one line of the file and pick -k accordingly:

sort -k 2 testdump | less

If you've got a worm or virus saturating your link and making the Internet unusable, it should be obvious which machine is causing the trouble: one source address will account for far more lines than any other. You can also see whether traffic is going to unexpected port numbers, for example lots of connection attempts to the same port on many different destination addresses, which is what a scanning worm looks like.
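Below is an added example, not part of the original tutorial, of how to pull the two answers you usually want out of a text dump saved this way: which machine is sending the most packets, and which destination ports are being hit. It is plain sh plus awk, so it runs on the IPCop box itself or on your workstation. The sample lines embedded in it are constructed for illustration (made-up addresses, not a real capture). It assumes the dump was taken with -n so addresses are numeric, and it finds the source and destination fields by locating the ">" token rather than by column number, so the same functions work with both the old and the new tcpdump output formats described above.

```shell
#!/bin/sh
# Added example (not from the original tutorial): summarise a text dump saved with
#   tcpdump -n -c 400 port ! 222 > testdump
# to find the host sending the most packets and the destination ports being hit.
# Assumes -n (numeric addresses); -nn also keeps port numbers numeric.
# Fields are located via the ">" token, so both output styles work:
#   old:  10:15:01.001000 192.168.1.77.1034 > 10.0.0.5.445: S ...
#   new:  10:15:01.001000 IP 192.168.1.77.1034 > 10.0.0.5.445: Flags [S], ...

# Constructed sample in the newer format (made-up packets, not a real capture).
SAMPLE_NEW="${TMPDIR:-/tmp}/tcpdump_sample_new.$$"
cat > "$SAMPLE_NEW" <<'EOF'
10:15:01.000001 IP 192.168.1.20.49152 > 93.184.216.34.80: Flags [S], seq 1, win 64240, length 0
10:15:01.000150 IP 93.184.216.34.80 > 192.168.1.20.49152: Flags [S.], seq 0, ack 2, win 65535, length 0
10:15:01.001000 IP 192.168.1.77.1034 > 10.0.0.5.445: Flags [S], seq 1, win 8192, length 0
10:15:01.001100 IP 192.168.1.77.1035 > 10.0.0.6.445: Flags [S], seq 1, win 8192, length 0
10:15:01.001200 IP 192.168.1.77.1036 > 10.0.0.7.445: Flags [S], seq 1, win 8192, length 0
10:15:01.001300 IP 192.168.1.77.1037 > 10.0.0.8.445: Flags [S], seq 1, win 8192, length 0
10:15:01.002000 IP 192.168.1.20 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
10:15:01.003000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
10:15:01.004000 IP 192.168.1.55.5353 > 224.0.0.251.5353: UDP, length 90
EOF

# The same idea in the older format (no "IP" tag), also constructed.
SAMPLE_OLD="${TMPDIR:-/tmp}/tcpdump_sample_old.$$"
cat > "$SAMPLE_OLD" <<'EOF'
10:15:01.001000 192.168.1.77.1034 > 10.0.0.5.445: S 1:1(0) win 8192
10:15:01.001100 192.168.1.77.1035 > 10.0.0.6.445: S 1:1(0) win 8192
10:15:01.001200 192.168.1.20.49152 > 93.184.216.34.80: S 1:1(0) win 64240
EOF
trap 'rm -f "$SAMPLE_NEW" "$SAMPLE_OLD"' EXIT

# top_talkers FILE [N]: packets per source host, busiest first (default: top 10).
top_talkers() {
    awk '
        # "a.b.c.d.port" -> "a.b.c.d"; an IPv4 host with no port (ICMP) has only 3 dots.
        function host_of(tok,   dots) {
            if (tok ~ /:/) { sub(/\.[^.]*$/, "", tok); return tok }   # IPv6: addr.port or bare addr
            dots = gsub(/\./, ".", tok)                               # gsub returns the dot count
            if (dots == 4) sub(/\.[^.]*$/, "", tok)
            return tok
        }
        {
            for (i = 2; i <= NF; i++)
                if ($i == ">") { count[host_of($(i - 1))]++; break }  # no ">" (ARP): skipped
        }
        END { for (h in count) printf "%d %s\n", count[h], h }
    ' "$1" | sort -rn | head -n "${2:-10}"
}

# dst_ports FILE [N]: packets per destination port, most-hit first; ICMP and ARP have none.
dst_ports() {
    awk '
        function port_of(tok,   dots) {
            sub(/:$/, "", tok)                                    # "dst.port:" -> "dst.port"
            if (tok ~ /:/) { if (tok ~ /\./) { sub(/.*\./, "", tok); return tok } return "" }
            dots = gsub(/\./, ".", tok)
            if (dots == 4) { sub(/.*\./, "", tok); return tok }
            return ""                                             # bare IPv4 address, no port
        }
        {
            for (i = 2; i < NF; i++)
                if ($i == ">") { p = port_of($(i + 1)); if (p != "") count[p]++; break }
        }
        END { for (p in count) printf "%d %s\n", count[p], p }
    ' "$1" | sort -rn | head -n "${2:-10}"
}

echo "Busiest sources:";            top_talkers "$SAMPLE_NEW" 5
echo "Most-hit destination ports:"; dst_ports   "$SAMPLE_NEW" 5
```

Run it as sh topdump.sh to see the sample analysed; on your own dump call top_talkers testdump 10 and dst_ports testdump 10. In the constructed sample 192.168.1.77 sends four SYNs to port 445 on four different hosts, so it tops the first list and 445 tops the second, which is exactly the shape a worm scanning the LAN for Windows file sharing produces.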

For example, if you want to see all the SMTP (email) traffic on port 25 you can do this:

tcpdump -i eth0 port 25

You can also look at traffic on your red (Internet-facing) interface. It's either eth1 for a NIC or ppp0 for a serial or USB modem. Try:

tcpdump -i eth1

Up to this point we've been looking at tcpdump's one-line summary of each packet, not the actual raw data. Sometimes you want a copy of the raw packets for later analysis. You can write a large capture to a file on IPCop, copy it to your Windows PC and open it in Wireshark (formerly called Ethereal), which can decode and follow the conversations in far more detail than tcpdump's summary lines.

To do a raw capture of all traffic to a file for later playback or analysis with Wireshark, do this:

tcpdump -i eth0 -s 0 -w capture01

The -s 0 (that's a zero) tells tcpdump not to truncate the packets like older versions normally would (they keep only the first 68 bytes, enough for the headers but not the payload; recent versions capture whole packets by default, so -s 0 is then harmless but unnecessary), and the -w capture01 tells it to write the raw data to a file named "capture01". You won't see any output on your screen as it copies all the network traffic to the file. After letting it run a while you can hit Ctrl-C to quit. Two things to keep in mind: the file grows as fast as your network is busy, so on a saturated link it can fill the disk in minutes (tcpdump's -C and -W options rotate between files of a fixed size if you need to capture for longer), and it contains every byte that went by, including any passwords or email sent in the clear, so treat it as sensitive and delete it when you're done.

Use WinSCP (connecting to port 222, like PuTTY) to copy the file capture01 (or whatever name you used) to your workstation. There you can open it with Wireshark and analyze it to your heart's content.

You can also use tcpdump itself to analyze the capture file. You just tell tcpdump to read from the file instead of from a network interface with the -r switch; the same filter expressions work on a file as on a live interface. If you want to pull all the HTTP traffic on port 80 out of the capture, do this:

tcpdump -r capture01 port 80

This should get you going. See the sites linked at the top for more information.