TCP Dump

What is tcpdump?

Tcpdump is considered a great security tool to depend on whenever connecting a computer or a device to a particular network that permits packets of type Transmission Control Protocol/Internet Protocol (TCP/IP). Besides being a free software due to the Berkeley Software Distribution (BSD) licenses it follows, Network packets can be captured and analyzed through Tcpdump along with its command line interface.

A great deal of Unix-like operating systems is supported to get tcpdump installed and run on them. For instance, it could run on the following operating systems perfectly. However, in order for such operating systems to recognize tcpdump and its functions, it depends on the library of packet capture (pcap).

  • Android
  • Linux
  • Mac OS
  • Sun Solaris
  • IBM Advanced Interactive eXecutive (AIX)
  • BSD
  • Hewlett Packard Unix (HP-UX)

On the other hand, Microsoft Windows operating system can run what is referred to as Windump, the Windows version of tcpdump, by utilizing the library of WinPcap on Windows port.


It is really vital now to get a historical background about tcpdump and its evolution over time. Well, it is really an old tool which is aged back to 1987. Who developed it then? Actually, they were three: Van Jacobson, Craig Leres, and Steven McCanne. The development of tcpdump is actually attributed to their Network Research Group at Lawrence Berkeley Laboratory where they all worked back then.

In 1990, several versions of tcpdump got released and became supported to run on a plenty of operating systems. Moreover, a lot of patches got distributed at that time although no perfect coordination occurred to such patches.

In 1999, the official website got published to work. It was both Michael Richardson and Bill Fenner who were responsible for such important deed in the product’s history.

What can tcpdump be used for?


A great popped question up on one’s mind now is the natural question of the importance of using such security tool. Let’s pull out some of the main and common aspects where tcpdump can be utilized!

  • Network packets’ compositions can be displayed using tcpdump
  • Packet files which are readable by tcpdump are both those residing in a current Network Interface Card (NIC) or another saved file which was created previously.
  • Networks packets can be also written to a file or even a standard output.
  • The interactions or connections of another user or a computer device can be displayed or even intercepted by tcpdump 🙂
  • As soon as a user manages to gain all the required privileges to start operating to the network as if the device is the router or the gateway of the network, tcpdump can intervene very effectively at this point. Any unencrypted network traffic passing through such router or gateway could easily be read and captured. Such packets come in a format of HTTP or Telnet and they could be something like users’ credentials: IDs and passwords, users’ browsing information: URLs they use and even the content of such websites used, and all other important information passing without any means of encryption.
  • The number of captured or read network packets by tcpdump is up to any limitations imposed on their numbers. A maximum number could be set to such packets. Following this methodology, the output becomes much more useful and readable especially if there is so much of traffic passing through the network.
Does tcpdump have to be granted specific privileges?tcpdump

A good point now is to discuss the security policies that have to be imposed upon tcpdump. Well in fact and by default there are specific privileges that have to be given specifically to a user in order to be able to utilize tcpdump.

Only superusers, according to some Unix like operating systems, are allowed to use it hence thereafter they could simply do the critically important capturing data process. Nonetheless, this could be overcome using the -Z option; this could help granting some ordinary users privileges that they never had before capturing has been performed.

The reason for such required privileges is attributed to the critical packet capturing mechanism forbidden by some Unix like operating systems and only allowed for superusers. Still, this is not the real case because this mechanism could be manually allowed or in other words configured to some specific users according to other Unix like operating systems.

Examples on how to use tcpdump in real life


Throughout the rest of this article, I will go through several basic commands that could be used in tcpdump for accomplishing certain tasks.

  • All the interfaces could be looked at using the following command line
  • Or maybe we need to look at a particular interface through this command
  • It can view the raw output with a verbose output. It is important to see that there is no need for any port numbers or even hostname’s resolution. This applies also to absolute sequence numbers and human-readable timestamps. The following command does that.
  • We are usually in need of getting to know the passing traffic through a specific IP whether such traffic is going to or from the device of such IP. In other words, this device could be the source or the destination. Following is an example considering the IP is
  • Moreover, Transmitted and received data inside network packets are displayed in a hexadecimal format via the following command. This feature allows for isolating a few candidates for the sake of reaching a closer scrutiny at the end of the day.
  • One of the good features allowed through tcpdump is to filter traffic and isolate it. A particular IP, again whether it is a source or a destination in the network. For sources, “src” is used while “dst” is for destination IPs. The following screenshot illustrates the idea.
  • In the same regard, a traffic going through a specific network can be spotted and found through the “net” option. Furthermore, “src” and “dst” can simply be combined with this option as well. The usage of “net” is shown in the following image
  • If we need to know a particular port number and need to display its traffic, then the solution for this is to use “port” which can also be combined with the “src” option. These two points are displayed in the following commands as well.
  • We can also specify a range of values to the port number. Then, “port range” is used at this time for finding the passing traffic through these ports residing within a given range.
  • On the other hand, if we are interested in the type of passing network following a particular network protocol, then we are left with a plenty of options for this sake. For instance, we can use “tcp” or “udp”. The following command uses “icmp” which is also supported.
  • Also, the traffic of IP4 or IP6 could be found alone. The following command specifies IP6 regardless of the others.
  • For the sake of simplicity and more of functionality, the size of targeted packets could be specified. This could be performed through “less”, “greater”, “<=”, “>=”, and their similar symbols.
  • Captured data could be exported to a file created as a pcap file. This could be done using “capture_file” along with -w switch.
  • Finally, pcap files could be imported a pcap file to be processed. This could be handled with the same “capture_file” command but with -r option now. Note that capturing new data and processing the already captured files cannot be performed simultaneously.



 What is Snort?

One of the most important open source projects in the field of network security is Snort. It has proved itself as one of the best network security tools for years now. It specializes as a Network Intrusion Detection System (NIDS) and Network Intrusion Prevention System (NIPS). Additionally, it has proved itself as the de facto standard for intrusion detection and prevention systems for years. In the meanwhile, Snort is a free software which is perfect for many.

In case you didn’t know and in order to get a little bit of more insight about the subject, I will elaborate what NIDS is in a nutshell. Fundamentally, monitoring of all network happens by use of such a software. This is just to make sure that everything is on track and under great control.

As long as there are any abnormal or malicious activities or if there is a violation of security policies for some reason, NIDS monitors these cases accordingly and reports to the security administrator.

Practically, there is what we call a Security Information and Event Management (SIEM) system. It acquires data –often known as logs—from diverse sources like Snort for instance. Depending on some predefined filters, this SIEM has the capability to trigger an alarm/alert message if any violations occur. Among such violations are definitely those malicious activities that Snort records and sends to SIEM.

Let’s know Snort’s History


It is often a great idea to know the history of successful figures in any field of interest. I perceived discussing the history of a highly proven successful security software tool as a must. This is because this really enriches our knowledge about the beginnings of such amazing projects.

In fact, Snort has witnessed several turning points in its history since its creation. Snort was initially developed back in 1998 by Martin Roesch. He later founded a technology company by the name Sourcefire in 2001. He became the Chief Technology Officer at this corporation he established.

In 2005, Check Point Software Technologies acquired Sourcefire for a deal worth $225 million. To be noted, the information technology media business InfoWorld named Snort as one of the “greatest [pieces of] open source software of all time,” reaching its famousness peak to be remembered at all the times since then.

A European organization specialized in testing network security called NSS Group compared Snort in practice with other IDS products created by other vendors such as Computer Associates, and Symantec. Snort outstandingly out-performed all of the other products in 2005.

When 2013 came, it was the start of a new era of Snort and Sourcefire in general, since the large company of Cisco systems owned it. Several versions of Snort got released, and a self-tuning engine was injected inside the versions starting in 2005. Such self-tuning engine aimed to achieve the maximum efficiency whilst keeping a minimum error.

What is the benefit of Snort?

Roesch divides the stages which Threat-centric Security should go through into three main chronological events:

  • Before the attack: a defender ought to hard the assets, build the biggest and thickest castle, such that an attacker or a hacker never even attempt to get in.
  • During the attack: The last point never works, so this stage is of a great importance. On the launch of an attack, detecting the attack and further blocking it should be the greatest aim at this critical time. Utilization of some technologies and techniques occurs in order to stop such attack as much as possible.
  • After the attack: However, sometimes these technologies may fail to detect and block the attack. Then, the attack managed to get through the system. Several stages represent a great threat from the perspective of a defender who may lose control over their own network.

Therefore, scoping and containing the attack has to occur first so that the attack cannot spread any further through the network. Once this is achieved, a defender has to get rid of the attack which has to get remediated at this point. That is mainly the core of Snort.


The idea beyond Snort is to monitor a network traffic in real time, in order to scrutinize each packet of the network traffic closely. Analyzing such packets in this manner detects any payloads or anomalies.

Accordingly, there are three main fields where its role shines the best

  • An ordinary packet sniffer such as tcpdump
  • A packet logger, which debugs network traffic
  • A full methodology and platform for the sake of network intrusion prevention system.

Get into more details


A library packet capture called libpcap is what Snort fundamentally relies on to sniff network traffic and analyze it thereafter. Most similar sniffers that work with Transmission Control Protocol/Internet Protocol (TCP/IP) use such library and harness it for their packet monitoring and detection purposes.

The role of Snort does not merely stop at the detection phase. Besides that, Snort has the ability to analyze such packets and search for some patterns to spot any suspiciously malicious packet. Whenever this happens, an alert is sent automatically to a pop-up window indicating the alert to Windows clients. This happens by utilizing Samba’s smbclient, a UNIX socket or just send it to syslog, where alerts of several other sources are fetched as well.

If we are into defining some types of attacks that are identifiable by Snort, mentioning of a list of attacks has to occur in this regard:

  • Denial of service attack where legitimate users are prevented their basic privilege of accessing their computers, devices, or any other resources of the network.
  • Attacks which target Common Gateway Interface (CGI), where data requested by a user from a web application could be captured and collected before sending it back to the user
  • Stealth port scans which basically search for open ports to exploit and add any malware and apply their payloads through them.
  • Attacks that depend on buffer overflow, where an attacker attempts to send a largely sized network packet when the network will not be able to withstand such big size.
  • Server Message Block (SMB) probes attacks
Should I use Snort for my business?


One of the questions that a business owner has to be thinking of right now is a question of the uniqueness of Snort. What would drive him/her to utilize this Snort over all other NIDS or NIPS products? Throughout the few lines remaining for this article, I will propose three main reasons from my main point of view:

  1. Rapid response: Snort can protect the system from any new threats or malware through its real-time protection techniques. One of the best points about Snort is that Cisco Talos Security Intelligence and Research Group (Talos); they are able to spot any brand-new threats by updating Snort with any new threats every hour.
  2. Greater accuracy: Since Snort is an open source project, there is always a continual work on improving it and changing some of its features for the better. Several security teams improve the program through the Snort Community which is spread world wide.
  3. High adaptability: adding more functions to Snort through accessing its own source code is grants Snort a great privilege against its counterparts. This way could allow Snort to deal with any network security solutions.



Finally, take a look at my next post on Netcat and let me know your thoughts.