tcpdump commands and parameters

Today we will cover the tcpdump tool. tcpdump is a packet analyzer, much like Wireshark, but it runs from the command line.
It lets you capture data packets at a low level so you can understand what is going on inside each packet.
tcpdump runs on Linux/Unix-based operating systems.

Syntax for tcpdump
tcpdump <parameters>

e.g. tcpdump -i eth0

Basic parameters of tcpdump
-i: Specify the network interface to listen on
-c: Number of packets to capture before exiting
-w: Write the captured packets to a file for later analysis
-r: Read packets from a file instead of capturing from a network interface
-n: Do not resolve hostnames; display IP addresses only
-X: Display both hexadecimal and ASCII representations of the packet data
-v: Increase the verbosity level
-e: Print the link-level header on each dump line
-q: Quiet output; print less information

Operators in tcpdump:
- and, &&    Combines two conditions; a packet must match both
- or, ||     Matches a packet if any one of the conditions matches
- not, !     Negates the condition that follows
- <, >       Less than, greater than (numeric comparisons)

Let's take some examples.
Let's capture 4 packets on the eth0 interface in default mode, without any other parameters.
1. tcpdump -i eth0

You can see we don't have any header details here, so let's add the -e parameter to display the link-layer header.

Now you can see the header details: the MAC addresses and the EtherType. Let's add the -n parameter, which shows hosts as IP addresses in our packet capture.

Now we see the source and destination as IP addresses instead of hostnames. To get more details about the header we can add the -v parameter.

If you want still more detail about the header, keep adding verbosity with more -v parameters (-vv, -vvv).

Now I want to write these packets to a file so that I can read them later or open them in Wireshark. Let's use the -w parameter to write the tcpdump packets to a file. I will save the file as test.pcap.

Read the file test.pcap using the -r parameter.

By default, reading with -r does not show all the packet header details. Use the verbose parameter and the other parameters to see the details.

A few examples of different combinations

1. Capture using a MAC address filter.

2. Capture all packets with IP address 192.168.110.70

3. Capture packets with IP addresses 192.168.110.70 & 192.168.110.70. Here either one can be the source or the destination.

4. Capture packets by source IP address

5. Capture packets by destination IP address

6. Capture packets by source and destination IP address

7. Capture packets by port

8. Capture packets by IP address and port

9. Capture using the or operator, or a combination of the or and and operators

10. Capture using a protocol filter

11. Using the not operator to filter traffic

12. Capture packets for a range of ports

13. Capture packets of specific networks
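To show how the filter primitives and the and/or/not operators in the examples above combine, here is an added toy evaluator for a small subset of tcpdump's filter syntax (host, src/dst, net, port, portrange and protocol names) run over constructed packet records. This is not tcpdump's own code (tcpdump compiles filters to BPF); parentheses and MAC filters are not handled.

```python
"""Toy evaluator for a subset of tcpdump filter syntax over constructed packet
records. Added example, not part of the original post or of tcpdump itself."""
import ipaddress
import re

# Constructed sample packet records (not from a real capture)
PACKETS = [
    {"src": "192.168.110.70", "dst": "192.168.110.1", "proto": "udp", "sport": 51000, "dport": 53},
    {"src": "10.0.0.5", "dst": "192.168.110.70", "proto": "tcp", "sport": 443, "dport": 40000},
    {"src": "192.168.110.20", "dst": "8.8.8.8", "proto": "icmp", "sport": None, "dport": None},
]


def primitive(words, pkt):
    """Evaluate one primitive: 'host X', 'src port N', 'dst net A/B', 'tcp', ..."""
    direction = None
    if words[0] in ("src", "dst"):
        direction, words = words[0], words[1:]
    kind = words[0]
    if kind in ("tcp", "udp", "icmp"):
        return pkt["proto"] == kind
    if kind == "host":
        hit = {d: pkt[d] == words[1] for d in ("src", "dst")}
    elif kind == "net":
        net = ipaddress.ip_network(words[1], strict=False)
        hit = {d: ipaddress.ip_address(pkt[d]) in net for d in ("src", "dst")}
    elif kind in ("port", "portrange"):
        lo, hi = map(int, words[1].split("-")) if kind == "portrange" else (int(words[1]),) * 2
        hit = {d: pkt[p] is not None and lo <= pkt[p] <= hi
               for d, p in (("src", "sport"), ("dst", "dport"))}
    else:
        raise ValueError(f"unsupported primitive: {kind}")
    # Without src/dst, 'host X' matches when X is either the source or the destination
    return hit[direction] if direction else any(hit.values())


def matches(expr, pkt):
    """not binds tightest, then and, then or (as in tcpdump; no parentheses here)."""
    expr = expr.replace("&&", " and ").replace("||", " or ").replace("!", "not ")
    clauses = [re.split(r"\s+and\s+", c.strip()) for c in re.split(r"\s+or\s+", expr.strip())]

    def term(t):
        words = t.split()
        negate = words[0] == "not"
        return primitive(words[1:] if negate else words, pkt) != negate

    return any(all(term(t) for t in clause) for clause in clauses)


def capture(expr):
    """Return the indexes of PACKETS that the filter expression would keep."""
    return [i for i, p in enumerate(PACKETS) if matches(expr, p)]
```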

IPv4 Header Format

IPv4 Packet

The header fields are discussed below:

  • Version (always set to the value 4 in the current version of IP)
  • IP Header Length (IHL) (number of 32-bit words forming the header, usually five)
  • Type of Service (ToS), now known as Differentiated Services Code Point (DSCP) (usually set to 0, but it may indicate particular Quality of Service needs from the network; the DSCP defines the way routers should queue packets while they are waiting to be forwarded)
  • Total Length (length of the entire IP packet, including the IP header and the IP payload)
  • Identification (16-bit number which, together with the source address, uniquely identifies this packet; used during reassembly of fragmented datagrams)
  • Flags (a sequence of three flags (one of the 4 bits is unused) used to control whether routers are allowed to fragment a packet (i.e. the Don't Fragment, DF, flag) and to indicate the parts of a packet to the receiver)
  • Fragmentation Offset (a byte count from the start of the original sent packet, set by any router which performs IP router fragmentation)
  • Time To Live (number of hops/links over which the packet may be routed, decremented by most routers; used to prevent accidental routing loops)
  • Protocol (Service Access Point (SAP) which indicates the type of transport packet being carried, e.g. 1 = ICMP; 2 = IGMP; 6 = TCP; 17 = UDP)
  • Header Checksum (a 1's complement checksum inserted by the sender and updated whenever the packet header is modified by a router; used to detect processing errors introduced into the packet inside a router or bridge where the packet is not protected by a link-layer cyclic redundancy check. Packets with an invalid checksum are discarded by all nodes in an IP network)
  • Source Address (the IP address of the original sender of the packet)
  • Destination Address (the IP address of the final destination of the packet)
  • Options (an optional field, present only if the value of IHL is greater than 5; it may carry options such as Security, Record Route, Time Stamp, etc.)
  • Padding (used to make sure the IP header has a length that is a multiple of 32 bits; it is needed because of the varying length of the Options field)

The IPv4 header is flexible in size and can vary from 20 bytes to 60 bytes. Usually it is 20 bytes long.

The Internet Protocol (IP) is defined in RFC 791. The RFC specifies the format of the IP header. In the header there is the IHL (Internet Header Length) field, which is 4 bits long and specifies the header length in 32-bit words. The IHL field can hold values from 0 (binary 0000) to 15 (binary 1111).

So the longest Internet Header (IP header) can be 15 * 32 bits = 480 bits = 60 bytes. This is why the header has a maximum size of 60 bytes.

The shortest header is 20 bytes, where the IHL field has the value 5 (0101). This is because all the required fields in the header need 20 bytes of space. So while in theory you could set the IHL to a value < 5, this would always be an incorrect value and thus an invalid packet header.

There are 13 fields in total in the IPv4 header, and you can remember them with the phrase below.

VIT TIF FTP HSDO

V I T T I F F T P H S D O
Version, IHL, TOS, Total Length, Identifier, Flags, Fragment Offset, TTL, Protocol, Header Checksum, Source IP, Destination IP, Options
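As an added example (not from the original post), the following Python decodes a constructed Ethernet frame carrying an IPv4 header and reports the fields discussed above, enforcing the IHL range (5 to 15 words, i.e. 20 to 60 bytes) and verifying the 1's complement header checksum. The MAC addresses and the 192.168.110.1 destination are made up for the sample.

```python
"""Decode an Ethernet frame carrying an IPv4 header and report the fields that
tcpdump -e -n -v prints. Sample bytes are constructed; not from the original post."""
import struct

IPV4_FMT = "!BBHHHBBH4s4s"                   # the 20 required header bytes
PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}


def ip_checksum(header: bytes) -> int:
    """RFC 791: one's complement of the one's complement sum of the 16-bit words.
    Over a header whose checksum field is already filled in, a valid header gives 0."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0, df=True):
    """Build a minimal header (IHL=5, no options) with its checksum filled in."""
    flags_frag = 0x4000 if df else 0          # DF flag set; fragment offset 0
    fields = [0x45, 0, 20 + payload_len, ident, flags_frag, ttl, proto, 0,
              bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))]
    fields[7] = ip_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields)


def parse_frame(frame: bytes) -> dict:
    """Ethernet header (what -e shows), then the IPv4 header fields in order."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype {ethertype:#06x}")
    ip = frame[14:]
    ver_ihl, tos, total_len, ident, ff, ttl, proto, _, src, dst = struct.unpack(IPV4_FMT, ip[:20])
    ihl = ver_ihl & 0x0F
    if ver_ihl >> 4 != 4 or ihl < 5:          # IHL < 5 cannot hold the 20 required bytes
        raise ValueError(f"bad version/IHL byte {ver_ihl:#04x}")
    hlen = ihl * 4                            # 20..60 bytes; options occupy bytes 20..hlen
    if len(ip) < hlen or ip_checksum(ip[:hlen]) != 0:
        raise ValueError("truncated header or checksum mismatch")
    return {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
            "header_len": hlen, "options": ip[20:hlen], "tos": tos,
            "total_len": total_len, "id": ident, "ttl": ttl,
            "df": bool(ff & 0x4000), "mf": bool(ff & 0x2000),
            "frag_offset": (ff & 0x1FFF) * 8,  # the field counts 8-byte units
            "proto": PROTOCOLS.get(proto, str(proto)),
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}


# Constructed sample: 192.168.110.70 sends a 40-byte TCP segment to 192.168.110.1 (payload omitted)
SAMPLE_FRAME = (bytes.fromhex("001122334455" "66778899aabb" "0800")
                + build_ipv4_header("192.168.110.70", "192.168.110.1", 6, 40, ident=0x1C46))
```

Flipping any header bit in SAMPLE_FRAME makes ip_checksum() non-zero and parse_frame() reject the packet, which is the check every IP node performs before forwarding.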