---
title: Introduction to TCPdump
image: https://i.imgur.com/CprwbVr.png
---

:::warning
# <center><i class="fa fa-book"></i> Introduction to TCPdump </center>
:::

###### tags: `study` `TCPdump`

![](https://i.imgur.com/CprwbVr.png)

:::success
**🎯 Goals:**
- [x] - <a href="">A brief introduction to TCPdump</a>
- [x] - <a href="#Moudle-2-Compare-with-tshark">Compare with tshark</a>
- [ ] - <a href="">Summary</a>
:::

:::info
:bookmark: **Reference:**
- [Analyze operation process reference](https://www.796t.com/content/1542998772.html)
:::

[toc]

# Module 1: Introduction

&emsp;&emsp;&emsp;![](https://i.imgur.com/L27g8f3.png =300x)

- **Tcpdump** is a command line utility that allows you to capture and **analyze network** traffic going through your system. It is often used to help troubleshoot network issues, as well as a security tool.
- A powerful and versatile tool that includes **many options and filters**, tcpdump can be used in a variety of cases. Since it is a command line tool, it is ideal to run on remote servers or devices for which a GUI is not available, to collect data that can be analyzed later.
## 1.1 Install

```cmd=
sudo dnf install -y tcpdump
```

## 1.2 List interfaces

- See which interfaces are available for capture:

```cmd=
sudo tcpdump --list-interfaces
# or
sudo tcpdump -D
```

## 1.3 Capture

```cmd=
tcpdump -i ens3 -c 20
```

- `-i` : select the interface to capture on
- `-c` : limit the number of packets captured, then stop tcpdump
- `-n` : disable host name resolution
- `-nn` : disable host name and port/service name resolution
- `-v` : output **slightly** more detailed information
- `-vv` : output **detailed** packet information

- To capture packets related to a **specific IP** address (as source or destination):

```cmd=
sudo tcpdump -i any -c5 -nn host <IP_Address>
```

- To capture packets whose **source IP** address is the given host:

```cmd=
sudo tcpdump -i any -c5 -nn src <IP_Address>
```

- To capture packets whose **destination IP** address is the given host:

```cmd=
sudo tcpdump -i any -c5 -nn dst <IP_Address>
```

## 1.4 Understanding the output format

- Tcpdump is capable of capturing and decoding many different protocols, such as `TCP`, `UDP`, `ICMP`, and many more.
- **Output demo:**

```cmd=
08:41:13.729687 IP 192.168.64.28.22 > 192.168.64.1.41916: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 117964079 ecr 816509256], length 372
```

- ==08:41:13.729687== : the timestamp of the received packet, according to the local clock.
- ==IP== marks an IPv4 packet; ==IP6== marks an IPv6 packet.
- **src > dst**:
  - ==192.168.64.28.22== is the **source** IP address and port (host `192.168.64.28`, port `22`).
  - ==192.168.64.1.41916== is the **destination** IP address and port.
- Flags ==[P.]== : the TCP flags set on this segment. Typical values for this field include:

| Value | Flag Type | Description       |
| ----- | --------- | ----------------- |
| S     | SYN       | Connection start  |
| F     | FIN       | Connection finish |
| P     | PUSH      | Data push         |
| R     | RST       | Connection reset  |
| .     | ACK       | Acknowledgment    |

## 1.5 Saving captures to a file

```cmd=
sudo tcpdump -i any -c10 -nn -w getData.pcap
```

- `-w` : write the captured packets to a file, here named `getData.pcap`, instead of printing them
- `-r` : read packets back from a file (filter expressions can be applied here as well)

## 1.6 Use Wireshark

- Open the saved capture in Wireshark, whose graphical interface allows further **analysis of the data**.

![](https://i.imgur.com/cEHst9p.png)

# Moudle 2: Compare with tshark

![](https://i.imgur.com/UQYMxrT.png =450x)

- **`Wireshark`** is a graphical application.
- **`tshark`** is that application without the GUI (i.e. command line). `dumpcap`, per Wireshark's documentation, is "a small program whose only purpose is to capture network traffic".
- **`tcpdump`** is a different, older traffic capture application. It never had a GUI, and it has a very different filter syntax and capture packet format.
  (Recommended by someone on the web: he used `tcpdump` on the command line to **capture files**, then used `Wireshark` to **see the traffic in detail**.)

# Module End: Summary

----

<!-- >**Name**: `名稱` -->

<style>
/* Only the image with the specified link gets a transparent background and is shifted right to simulate centering */
img[src^="https://i.imgur.com/CprwbVr.png"]{
  position: relative;
  left: 28%;
  background-color: #fff0;
}
.title { color: #009933; font-weight:bold; }
.highlight { color: #ff4d4d; font-weight:bold; border-bottom:2px red solid; padding-bottom:2px; }
</style>
<!-- <font class="highlight"> -->
<!-- <font class="title"> -->
<!-- Abbreviation hints -->
<!-- *[O-RAN]:Open Radio Access Network -->
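The output format explained in section 1.4 is regular enough to parse automatically, which is how a capture collected with `tcpdump` on a remote host is usually turned into something a script can count or alert on. The following Python is an added example, not part of the original note: it parses tcpdump's default TCP output lines into structured records, splits each `host.port` endpoint (the port always follows the last dot, which also holds for IPv6), and decodes the `Flags` letters using the table above. The letters `U`, `E` and `W` (URG, ECE, CWR) are the remaining flags tcpdump prints and go beyond the note's table. All sample lines are constructed; only the first one is the demo line from 1.4.

```python
"""Parse tcpdump's default TCP text output into structured records.

Added example (not part of the original note). Only the first SAMPLE
line is the note's demo line; the others are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Letters as tcpdump prints them inside Flags [...]. S, F, P, R and "."
# are the ones in the note's table; U, E and W are the remaining letters.
FLAG_NAMES = {
    "S": "SYN", "F": "FIN", "P": "PUSH", "R": "RST", ".": "ACK",
    "U": "URG", "E": "ECE", "W": "CWR",
}

# timestamp, IP or IP6, "src > dst:", "Flags [...]", anything, ", length N"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<proto>IP6?) "
    r"(?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?P<rest>.*), length (?P<length>\d+)$"
)


@dataclass
class Packet:
    timestamp: str
    ip_version: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: List[str]      # decoded names, e.g. ["PUSH", "ACK"]
    seq: Optional[str]    # "196:568" (relative range) or "1000" (on a SYN)
    ack: Optional[int]
    win: Optional[int]
    length: int           # payload bytes


def split_endpoint(endpoint: str):
    """tcpdump writes host.port; the port follows the last dot, which also
    works for IPv6 (e.g. fe80::1.22) because v6 addresses use colons."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def decode_flags(letters: str) -> List[str]:
    """Map the letters inside Flags [...] to TCP flag names, in order."""
    return [FLAG_NAMES.get(ch, ch) for ch in letters]


def _field(pattern: str, text: str) -> Optional[str]:
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_line(line: str) -> Optional[Packet]:
    """Return a Packet for one TCP line, or None if the line is not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = split_endpoint(m["src"])
    dst_ip, dst_port = split_endpoint(m["dst"])
    rest = m["rest"]
    ack = _field(r"\back (\d+)", rest)
    win = _field(r"\bwin (\d+)", rest)
    return Packet(
        timestamp=m["ts"],
        ip_version=6 if m["proto"] == "IP6" else 4,
        src_ip=src_ip, src_port=src_port,
        dst_ip=dst_ip, dst_port=dst_port,
        flags=decode_flags(m["flags"]),
        seq=_field(r"\bseq (\d+(?::\d+)?)", rest),
        ack=int(ack) if ack is not None else None,
        win=int(win) if win is not None else None,
        length=int(m["length"]),
    )


def parse_capture(text: str) -> List[Packet]:
    """Parse every recognised line; lines in other formats (UDP, ICMP, ...) are skipped."""
    return [p for p in (parse_line(ln) for ln in text.splitlines()) if p]


def flag_summary(packets: List[Packet]) -> Counter:
    """How often each TCP flag appears across the capture."""
    return Counter(name for p in packets for name in p.flags)


# Constructed sample: the note's demo line, then a fabricated handshake and a reset.
SAMPLE = """\
08:41:13.729687 IP 192.168.64.28.22 > 192.168.64.1.41916: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 117964079 ecr 816509256], length 372
08:41:14.001002 IP 192.168.64.1.51234 > 192.168.64.28.80: Flags [S], seq 1000, win 64240, options [mss 1460], length 0
08:41:14.001450 IP 192.168.64.28.80 > 192.168.64.1.51234: Flags [S.], seq 2000, ack 1001, win 65160, options [mss 1460], length 0
08:41:14.002000 IP 192.168.64.1.51234 > 192.168.64.28.80: Flags [.], ack 1, win 502, length 0
08:41:15.100000 IP 192.168.64.28.80 > 192.168.64.1.51234: Flags [R], seq 2001, win 0, length 0
"""

if __name__ == "__main__":
    pkts = parse_capture(SAMPLE)
    for p in pkts:
        print(f"{p.timestamp} {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port} "
              f"{'+'.join(p.flags)} len={p.length}")
    print(dict(flag_summary(pkts)))
```

Feed it real data with `sudo tcpdump -i any -nn tcp | python3 parse_tcpdump.py` after replacing `SAMPLE` with `sys.stdin.read()`; `-nn` matters, because with name resolution enabled the endpoints would be printed as `hostname.ssh` and the port split would no longer yield an integer.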