6

I want to collect tcpdump examples, as many as possible!

E.g.: how to filter FTP passwords on eth0; OR how to filter HTTP 404 errors, etc.

5 Answers

4

It doesn't do any filtering, but this example creates a handy continuous packet sniffer:

tcpdump -n -C 128 -W 100 -z /home/user/compress_logs.pl -i br0 -w /home/user/packetlogs/packetlog.pcap &
  • -n don't do reverse lookup on IPs, don't convert port numbers to text descriptions, don't convert MAC addresses to names, etc.
  • -C 128 rotate capture files every 128,000,000 bytes
  • -W 100 limit the number of capture files being rotated (see -C) to 100
  • -z /home/user/compress_logs.pl run script compress_logs.pl on each rotated capture file
  • -i br0 capture on interface br0
  • -w /home/user/packetlogs/packetlog.pcap use file name /home/user/packetlogs/packetlog.pcap
  • & this is parsed by bash; indicates that the command should be run in the background (asynchronously)

Put it in /etc/rc.local to run on boot. It captures all packets on interface br0, which could be two interfaces in-line as a tap or two interfaces hooked to a passive tap, or one interface hooked to a mirrored switch port (I've used all three in practice)

It writes ~128MB files and will automatically rotate up to 100 of them. When it captures 128MB of data, it will close the file, open a new one, and fork the specified command with the old filename as an argument - in this case a little Perl script that compresses the previous capture file for quicker transfer off the IDS server.

I use this when I have to monitor a connection for a long time (like a day or two) and need to go back and find an event that occurred at a specific time. The small files are much easier to handle in Wireshark than one huge pcap file.

1
  • this one's the best so far :) Commented Jun 24, 2011 at 13:40
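The -z hook and the capture line above, as an added shell example that is not the answer's own compress_logs.pl script: tcpdump invokes the hook once per closed capture file with that file's path as the only argument, and the hook here gzips it in place (assumptions: gzip is installed and the capture directory is writable by the user tcpdump runs as; compress_capture and capture_cmd are names chosen for this example).

```shell
#!/bin/sh
# Added example (not from the original answer): a POSIX shell post-rotate
# hook for "tcpdump -z", plus a helper that prints the capture command line
# from the answer with the interface, output directory and hook parameterised.
# Assumes gzip is installed and the capture directory is writable.

# Compress one closed capture file in place. tcpdump calls this as
#   /path/to/hook.sh <closed-capture-file>
# On success gzip removes the original and we print the archive path;
# on failure the original is left untouched so no capture data is lost.
compress_capture() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "hook: $f is not a regular file" >&2
        return 1
    fi
    if gzip -9 "$f"; then
        printf '%s\n' "$f.gz"
        return 0
    fi
    echo "hook: gzip failed for $f, left uncompressed" >&2
    return 1
}

# Print the long-running capture command from the answer:
#   -n  no name resolution   -C 128  rotate every ~128 MB
#   -W 100  keep at most 100 files   -z HOOK  run HOOK on each rotated file
capture_cmd() {
    iface=$1
    outdir=$2
    hook=$3
    printf 'tcpdump -n -C 128 -W 100 -z %s -i %s -w %s/packetlog.pcap\n' \
        "$hook" "$iface" "$outdir"
}

# When run by tcpdump the first argument is the rotated file; with no
# argument (e.g. sourced for testing) do nothing.
if [ $# -gt 0 ]; then
    compress_capture "$1"
fi
```

Install the script as the -z argument (for example /usr/local/bin/hook.sh) and start the capture with the line capture_cmd prints; because the hook only ever receives a path that tcpdump has already closed, it never touches the file still being written.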
4

Capture only HTTP POST data:

tcpdump tcp[2:2] = 80 and \(tcp[20:4] = 1347375956 \
    or tcp[24:4] = 1347375956 \
    or tcp[28:4] = 1347375956 \
    or tcp[32:4] = 1347375956 \
    or tcp[36:4] = 1347375956 \
    or tcp[40:4] = 1347375956 \
    or tcp[44:4] = 1347375956 \
    or tcp[48:4] = 1347375956 \
    or tcp[52:4] = 1347375956 \
    or tcp[56:4] = 1347375956 \
    or tcp[60:4] = 1347375956\)

A bit unwieldy but certainly useful. tcp[2:2] captures, starting from position 2 of the TCP header, 2 bytes (which are the port, port 80 being for HTTP traffic).

Then we want to compare the first 4 bytes of TCP data to 'POST'. The TCP header is minimum 20 (decimal) bytes, but since the TCP options are variable length, from 0 to 40 bytes (padded to a 32-bit boundary and starting at ), we have to test every 4 bytes from 20 to 60 (decimal). Finally, 1347375956 is the base10 big-endian binary representation of the ASCII text 'POST'. Use the values below for other HTTP types:

  • GET 1195725856 (includes the space after 'GET' which is needed because we are comparing with 4 bytes)
  • POST 1347375956
  • PUT 1347769376 (includes space)
  • DELETE 1145392197 (just 'DELE', actually)

For other types, convert the 4 ASCII characters to hex (you must use 4 characters exactly), then treat the hex bytes as one number and convert it to decimal. For example, POST is 50 4f 53 54. 504f5354 converted to decimal is 1347375956.
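The ASCII-to-decimal conversion in the last paragraph and the eleven-offset filter above, as an added shell example that is not part of the original answer: ascii4_to_dec turns any exactly-four-byte token into the big-endian 32-bit value the filter compares against, and http_method_filter generates the full expression for data offsets 20 to 60 (both function names are chosen here; passing the result to tcpdump as one quoted argument removes the need to backslash-escape the parentheses).

```shell
#!/bin/sh
# Added example (not from the original answer). Computes the decimal value
# of four ASCII bytes read as one big-endian 32-bit integer and builds the
# tcpdump filter from the answer for any HTTP method.

# Print the decimal value of exactly four bytes, e.g. "POST" -> 1347375956,
# "GET " -> 1195725856 (the trailing space keeps the token at 4 bytes).
ascii4_to_dec() {
    # od gives the bytes as hex pairs; strip the spacing so "50 4f 53 54"
    # becomes "504f5354", then let printf parse it as a hex constant.
    hex=$(printf '%s' "$1" | od -An -tx1 | tr -d ' \n')
    if [ ${#hex} -ne 8 ]; then
        echo "token must be exactly 4 bytes (pad with a space)" >&2
        return 1
    fi
    printf '%d\n' "0x$hex"
}

# Build: tcp[2:2] = 80 and ( tcp[20:4] = V or tcp[24:4] = V ... or tcp[60:4] = V )
# The TCP header is 20 bytes plus up to 40 bytes of options, padded to a
# 32-bit boundary, so the payload can start at any 4-byte step from 20 to 60.
http_method_filter() {
    val=$(ascii4_to_dec "$1") || return 1
    expr="tcp[2:2] = 80 and ("
    off=20
    while [ "$off" -le 60 ]; do
        expr="$expr tcp[$off:4] = $val"
        if [ "$off" -lt 60 ]; then
            expr="$expr or"
        fi
        off=$((off + 4))
    done
    printf '%s )\n' "$expr"
}

# Usage, e.g. to capture HTTP POST requests on eth0 (quoting the whole
# expression as one argument, so no backslashes before the parentheses):
#   sudo tcpdump -i eth0 "$(http_method_filter POST)"
```

Because the comparison is on raw payload bytes, it only matches requests whose method lands on one of the tested offsets; a request split across segments, or one sent over anything other than plain port 80, is not seen, which is the same limitation the hand-written filter above has.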

1

Capture everything to a file (so you can analyze it later with Wireshark or something):

sudo tcpdump -i en0 -s0 -w ~/capture.pcap
  • -i en0 capture on interface en0
  • -s0 use the whole packet (don't truncate -- snarf 0)
  • -w ~/capture.pcap write to packet capture file ~/capture.pcap
1

Filter-making cheat sheet:

http://staff.washington.edu/dittrich/talks/core02/tools/tcpdump-filters.txt

1
0

If you want to monitor clients DNS requests on an OpenWRT router:

tcpdump -n -i br-lan dst port 53
  • -n don't do reverse lookup on IPs, don't convert port numbers to text descriptions, don't convert MAC addresses to names, etc.
  • -i br-lan capture on interface br-lan
  • dst port 53 filter destination port 53, the port for DNS service
