What is tcpdump?
Tcpdump is considered a great security tool to depend on whenever connecting a computer or a device to a particular network that permits packets of type Transmission Control Protocol/Internet Protocol (TCP/IP). Besides being a free software due to the Berkeley Software Distribution (BSD) licenses it follows, Network packets can be captured and analyzed through Tcpdump along with its command line interface.
A great deal of Unix-like operating systems is supported to get tcpdump installed and run on them. For instance, it could run on the following operating systems perfectly. However, in order for such operating systems to recognize tcpdump and its functions, it depends on the library of packet capture (pcap).
- Mac OS
- Sun Solaris
- IBM Advanced Interactive eXecutive (AIX)
- Hewlett Packard Unix (HP-UX)
On the other hand, Microsoft Windows operating system can run what is referred to as Windump, the Windows version of tcpdump, by utilizing the library of WinPcap on Windows port.
It is really vital now to get a historical background about tcpdump and its evolution over time. Well, it is really an old tool which is aged back to 1987. Who developed it then? Actually, they were three: Van Jacobson, Craig Leres, and Steven McCanne. The development of tcpdump is actually attributed to their Network Research Group at Lawrence Berkeley Laboratory where they all worked back then.
In 1990, several versions of tcpdump got released and became supported to run on a plenty of operating systems. Moreover, a lot of patches got distributed at that time although no perfect coordination occurred to such patches.
In 1999, the official website www.tcpdump.org got published to work. It was both Michael Richardson and Bill Fenner who were responsible for such important deed in the product’s history.
What can tcpdump be used for?
A great popped question up on one’s mind now is the natural question of the importance of using such security tool. Let’s pull out some of the main and common aspects where tcpdump can be utilized!
- Network packets’ compositions can be displayed using tcpdump
- Packet files which are readable by tcpdump are both those residing in a current Network Interface Card (NIC) or another saved file which was created previously.
- Networks packets can be also written to a file or even a standard output.
- The interactions or connections of another user or a computer device can be displayed or even intercepted by tcpdump 🙂
- As soon as a user manages to gain all the required privileges to start operating to the network as if the device is the router or the gateway of the network, tcpdump can intervene very effectively at this point. Any unencrypted network traffic passing through such router or gateway could easily be read and captured. Such packets come in a format of HTTP or Telnet and they could be something like users’ credentials: IDs and passwords, users’ browsing information: URLs they use and even the content of such websites used, and all other important information passing without any means of encryption.
- The number of captured or read network packets by tcpdump is up to any limitations imposed on their numbers. A maximum number could be set to such packets. Following this methodology, the output becomes much more useful and readable especially if there is so much of traffic passing through the network.
Does tcpdump have to be granted specific privileges?
A good point now is to discuss the security policies that have to be imposed upon tcpdump. Well in fact and by default there are specific privileges that have to be given specifically to a user in order to be able to utilize tcpdump.
Only superusers, according to some Unix like operating systems, are allowed to use it hence thereafter they could simply do the critically important capturing data process. Nonetheless, this could be overcome using the -Z option; this could help granting some ordinary users privileges that they never had before capturing has been performed.
The reason for such required privileges is attributed to the critical packet capturing mechanism forbidden by some Unix like operating systems and only allowed for superusers. Still, this is not the real case because this mechanism could be manually allowed or in other words configured to some specific users according to other Unix like operating systems.
Examples on how to use tcpdump in real life
Throughout the rest of this article, I will go through several basic commands that could be used in tcpdump for accomplishing certain tasks.
- All the interfaces could be looked at using the following command line
- Or maybe we need to look at a particular interface through this command
- It can view the raw output with a verbose output. It is important to see that there is no need for any port numbers or even hostname’s resolution. This applies also to absolute sequence numbers and human-readable timestamps. The following command does that.
- We are usually in need of getting to know the passing traffic through a specific IP whether such traffic is going to or from the device of such IP. In other words, this device could be the source or the destination. Following is an example considering the IP is 22.214.171.124
- Moreover, Transmitted and received data inside network packets are displayed in a hexadecimal format via the following command. This feature allows for isolating a few candidates for the sake of reaching a closer scrutiny at the end of the day.
- One of the good features allowed through tcpdump is to filter traffic and isolate it. A particular IP, again whether it is a source or a destination in the network. For sources, “src” is used while “dst” is for destination IPs. The following screenshot illustrates the idea.
- In the same regard, a traffic going through a specific network can be spotted and found through the “net” option. Furthermore, “src” and “dst” can simply be combined with this option as well. The usage of “net” is shown in the following image
- If we need to know a particular port number and need to display its traffic, then the solution for this is to use “port” which can also be combined with the “src” option. These two points are displayed in the following commands as well.
- We can also specify a range of values to the port number. Then, “port range” is used at this time for finding the passing traffic through these ports residing within a given range.
- On the other hand, if we are interested in the type of passing network following a particular network protocol, then we are left with a plenty of options for this sake. For instance, we can use “tcp” or “udp”. The following command uses “icmp” which is also supported.
- Also, the traffic of IP4 or IP6 could be found alone. The following command specifies IP6 regardless of the others.
- For the sake of simplicity and more of functionality, the size of targeted packets could be specified. This could be performed through “less”, “greater”, “<=”, “>=”, and their similar symbols.
- Captured data could be exported to a file created as a pcap file. This could be done using “capture_file” along with -w switch.
- Finally, pcap files could be imported a pcap file to be processed. This could be handled with the same “capture_file” command but with -r option now. Note that capturing new data and processing the already captured files cannot be performed simultaneously.