Tcpdump is a free, open source, very common and fast packet analyzer that runs under the command line. It prints out a description of the contents of packets on a network interface that match the Boolean expression given as a parameter.

Tcpdump has a lot of filtering options. We'll discuss some of them in the next slide.

It can be preferred to other packet analyzers such as Wireshark because it's so fast.

It also supports the most common network traffic capturing format, pcap. You can save the results as raw ASCII text in a document as well.

So have a look at this. These are some of the parameters you can use with the tcpdump command.

-D or --list-interfaces prints the list of the network interfaces available on the system and on which tcpdump can capture packets.

-i or --interface listens on the given interface. If unspecified, tcpdump searches the system interface list for the lowest numbered configured interface, excluding loopback, which may turn out to be, for example, eth0.

-n means do not convert addresses, that is, host addresses, port numbers, etcetera, to names.

-v produces verbose output when parsing and printing; the more v's, the more details.

-w writes the raw packets to the specified file rather than parsing and printing them out.
-r reads packets from a file which was created with the -w option or by other tools that write pcap or pcapng files.

-A prints each packet in ASCII. Handy for capturing web pages.

-X, when parsing and printing, in addition to printing the headers of each packet, prints the data of each packet in hex and ASCII. This is very handy for analyzing new protocols. So if you use the lowercase -x option, the data of each packet is printed in hex.

In addition to these options, you can filter the results in several ways. If you would like to monitor a specific protocol such as TCP, you can use its name as the filter. You can capture packets to or from an endpoint residing in a network using the net filter, or use the host filter to see the packets of a host as a source, a destination, or either one.

Use port to filter TCP or UDP packets sent to or from a specified port. Use portrange to listen to ports in any given range.

Now, if you use the src option, you can see only the packets where the target system is the source of the packets. Similarly, dst is used to specify the destination system.

So of course you can use more than one filter in a command and set up the relation using and and or as logical operators. For example, host 1.1.1.1 and port 80.
Now, before running several tcpdump commands, let's examine the fields of a typical tcpdump output row. The row shown in the slide is a TCP packet.

The first field is the time when the packet arrived, with the timestamp as hours, minutes, seconds and, well, the fractions of a second.

So the second field is the protocol running atop the link layer, in this case IPv4.

Now for IP packets, the third field is the IP address or hostname of the host sending the packet, along with, for TCP and UDP packets, the source port. The packet on the slide came from port 80 of the system 172.16.99.139.

Now the fourth field is the IP address or hostname of the host receiving the packet, along with, for TCP and UDP packets, the destination port.

Flags is the TCP segment flags. The packet on the slide doesn't have any flags set other than ack. ack is the acknowledgement number in the packet. Tcpdump shows sequence and acknowledgement numbers relative to the initial sequence number by default.

win is the source host's TCP window, and then you see the options field. length is the length of the data in the TCP segment. Length here is zero, so that means that no data is exchanged yet.

So that's enough for now. Let's see tcpdump in action. Time for hands on.