Willard C. Smith
University of Alaska Anchorage
CS-413 Computer & Hardware Security
Semester Project Report - TCPDUMP
5
CS-413 Computer & Hardware Security
Semester Project Report - Tcpdump
Introduction
The tcpdump utility is a network “packet sniffer” that captures packets from a network interface using the packet capture (pcap.h) C library. By default the captured packets are displayed in the terminal or can optionally be saved to a file for later processing.
A network sniffer captures packets within a network collision domain by placing the local network interface in promiscuous mode. A network interface normally only accepts packets that contain it's hardware address or the broadcast address in the destination address header field. A network interface in promiscuous mode accepts all packets on the local network.
A system administrator can use this utility to: analyze network connection problems; monitor the network for a noisy network interface; or to catch an intruder trying to access a networked host. A developer can use the utility to debug an application that uses a network connection. A malicious user can capture packets containing any sensitive information transmitted over a network, such as a user name and the related password sent in plain text.
This document will cover the installation of tcpdump on a UNIX/Linux platform. It will also cover the default behavior of tcpdump, and the options available to override the defaults. Then it will go over some of the basic expressions for filtering packets captured by tcpdump. Finally, it will include some complex expressions for additional filtering of packets captured.
Installation
To install the tcpdump utility you must have the following required software.
1. A platform based on UNIX or Linux.
2. The GNU Unzip utility gunzip, to uncompress the source code files.
3. A C-compiler to compile the source code into executable code.
4. The latest tcpdump source code from the tcpdump web site.
5. The latest libpcap source code from the tcpdump web site.
Build Software Distributions
To build the libpcap and tcpdump software you need to change your present working directory to the location where you downloaded the compressed source code.
Change present working director to /tmp:
# /bin/su -
# cd /tmp
Before you can build the software, you need to uncompress the libpcap and tcpdump distribution under the same parent directory.
Uncompress the software with gunzip:
# /usr/local/sbin/gunzip -c libpcap-0.9.0.tar.gz | /usr/sbin/tar xf –
# /usr/local/sbin/gunzip -c tcpdump-3.9.0.tar.gz | /usr/sbin/tar xf -
This creates directories named libpcap-version and tcpdump-version, libpcap-0.9.0 and tcpdump-3.9.0 respectively.Now we are ready to build the software distribution. Begin building the distribution for the libpcap library, by changing your present working directory to the newly created libpcap-version directory. Then run the configure script in the libpcap distribution directory. After the configuration script is finished, compile the source code with the make utility.
Enter the libpcap directory and build the distribution:
# cd libpcap-version
# ./configure
# /usr/ccs/bin/make
Next build the distribution for the tcpdump software by changing your present working directory to the newly created tcpdump-version directory. Then run the configure script in the tcpdump distribution directory. After the configuration script is finished, compile the source code with the make utility.
Enter the tcpdump directory and build the distribution:
# cd ../tcpdump-version
# ./configure
# /usr/ccs/bin/make
Install Software Distribution
To install the tcpdump distribution in the default location /usr/local/sbin, execute the make utility with the install argument as the root user.
Enter the tcpdump directory and build the distribution:
# cd ../tcpdump-version
# /usr/ccs/bin/make install
Default Behavior
To execute the tcpdump utility you must have root user level privilege. To begin capturing packets enter the tcpdump command at the shell prompt.
A system with multiple network interfaces available may require you to specify the interface to use when capturing packets. Use tcpdump with the -i option to select the network interface used to capture packets.
Specify the network interface to capture packets from:
# tcpdump –i eth0
# tcpdump –i 1
To list the network interfaces available on the system, the tcpdump utility provides the -D option. If the network interface is not specified, tcpdump will search the system interface list for the lowest numbered interface configured with status 'up'.
List the network interfaces available to capture packets from:
# tcpdump -D
The default output for tcpdump lists host names resolved by DNS lookup, instead of IP addresses. If you want to see IP addresses listed instead of host names, you can use the -n option.
List IP Addresses in output, instead of host names:
# tcpdump -n
The tcpdump utility will continuously print out packet headers as the default. To stop the packet capture press the keyboard chord Ctrl+C. If you would like to specify the number of packets to capture, use the -c option followed by the number of packets to capture.
Specify the number of packets to capture:
# tcpdump –c 100
The tcpdump utility will capture 68 bytes of data from each packet, which is adequate for IP, ICMP, TCP and UDP header information but may truncate protocol information from domain name server and NFS packets. Packets truncated because of a limited snapshot are indicated in the output with “[|proto]”, where proto is the name of the protocol level at which the truncation has occurred. To increase the numbers of bytes of data to capture use the –s option followed by the number of bytes to capture.
Note that capturing larger packets increases both the amount of time it takes to process packets and, decreases the amount of packet buffering. This may cause packets to be lost. You should limit packet captures to the smallest number that will capture the protocol information you're interested in.
Basic Packet Capture Expressions
To begin capturing packets with the tcpdump utility, enter the tcpdump command at the shell prompt with root user level privileges. This will set the network interface in promiscuous mode and capture all packets entering or leaving the network interface.
Although, occasionally it may be necessary to capture all packets on the network, normally you will want to limit the packets captured to the source or destination of a specific network host. With the tcpdump utility you can limit the packets captured to those containing a specific host name or IP Address by using the host argument followed by the host name or IP Address of a network host.
Limit the type of packets captured to a specific host or IP Address:
# tcpdump host hostfoo
# tcpdump host 10.1.100.50
The packets captured by tcpdump can be additionally filtered for the source and destination IP Address header fields using the src or dst arguments respectively.
Limit the type of packets captured to a specific destination host or IP Address:
# tcpdump dst host hostfoo
# tcpdump dst host 10.1.100.50
Limit the type of packets captured to a specific source host or IP Address:
# tcpdump src host hostfoo
# tcpdump src host 10.1.100.50
The protocol port may additionally be specified to filter packets captured by tcpdump, using the port argument followed by the port number.
Limit the type of packets captured to a specific network protocol port:
# tcpdump port 80
Complex Packet Capture Expressions
The ability of tcpdump to accept combinations of expressions using and/or conjunctions provides the user almost limitless power to view the exact packets desired from the thousands of packets available every minute.
Using complex expression filters with tcpdump it is possible to capture packets containing telnet sessions between two hosts.
Limit the type of packets captured to a telnet session between two hosts:
# tcpdump -n "tcp port telnet and host linux1 and host linux2"
Using complex expression filters to capture setup or teardown packets for a TCP connection requires a mask to select specific bits. The bit mask is specified using the syntax & followed by a hexadecimal bit mask. The filter needs to extract the flag byte by excluding the first 13 bytes in the TCP header. The mask 0x03 selects the first and second bits, which are the FIN and SYN bits respectively.
Limit the type of packets captured to a TCP connection setup and teardown:
# tcpdump -n "tcp[13] & 0x03 != 0"
To filter packets destined for a web server the complex expression will need to contain the host name or IP Address of the web server and TCP port 80.
Limit the type of packets captured to a host running a web server:
# tcpdump dst host 192.168.0.1 and tcp port 80
Conclusion
This document covered the installation of tcpdump on a UNIX/Linux platform. It also covered the default behavior of tcpdump, and the options available to override the defaults. Then it included some of the basic expressions for filtering packets captured by tcpdump. Finally, it included some complex expressions for additional filtering of packets captured.
Using a packet sniffer for network security provides a system administrator the ability to monitor messages as they traverse the network. This provides the important capability to identify intrusive activity at the time it is occurring. By catching suspicious activity as early as possible, you can immediately begin to investigate the activity and possibly minimize or contain damage to systems.
A packet sniffer should be a well-used tool for a security conscious system administrator. This document provided an overview of the capabilities for the tcpdump packet sniffer utility. To get a better understanding of the available features in tcpdump consult the manual pages. However, the best way to really understand the tools capabilities is to practice using it on a regular basis.
References
The tcpdump main home page:
http://www.tcpdump.org
The tcpdump online manual page:
http://www.tcpdump.org/tcpdump_man.html
The packet capture C library online manual page:
http://www.tcpdump.org/pcap3_man.html
5