Introduction
In this lab, you will discover how to use the versatile tcpdump command for network traffic capture and analysis on a Linux system. The tcpdump command is a widely recognized network packet analyzer, allowing you to monitor and examine network packets in real-time. This makes it a valuable asset for network troubleshooting, security assessments, and gaining insights into network behavior. This lab will cover the fundamentals of using tcpdump, including capturing network traffic and refining the output to concentrate on particular network activities.
Introduction to tcpdump Command
This section will introduce you to the tcpdump command, a robust network packet analyzer employed to capture and analyze network traffic on Linux systems. Mastering tcpdump is an essential skill for any system administrator.
With the tcpdump command, you can monitor and analyze network packets in real-time. This makes it an invaluable tool for diagnosing network issues, conducting security evaluations, and gaining a deeper understanding of network behavior. System administrators and security professionals frequently rely on tcpdump.
Let's begin by installing the tcpdump package on our Ubuntu 22.04 Docker container:
sudo apt-get update
sudo apt-get install -y tcpdump
Example output:
Hit:1 http://archive.ubuntu.com/ubuntu jammy InRelease
Get:2 http://security.ubuntu.com/ubuntu jammy-security InRelease [110 kB]
Get:3 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [114 kB]
Get:4 http://archive.ubuntu.com/ubuntu jammy-backports InRelease [99.8 kB]
Get:5 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages [2,276 kB]
Get:6 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [2,644 kB]
Get:7 http://archive.ubuntu.com/ubuntu jammy-backports/main amd64 Packages [11.3 kB]
Fetched 5,255 kB in 2s (2,627 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
libpcap-dev libpcap0.8 tcpdump
Suggested packages:
tcpdump-dbg
The following NEW packages will be installed:
libpcap-dev libpcap0.8 tcpdump
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 521 kB of archives.
After this operation, 1,455 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://archive.ubuntu.com/ubuntu jammy/main amd64 libpcap0.8 amd64 1.10.1-5ubuntu1 [146 kB]
Get:2 http://archive.ubuntu.com/ubuntu jammy/main amd64 libpcap-dev amd64 1.10.1-5ubuntu1 [185 kB]
Get:3 http://archive.ubuntu.com/ubuntu jammy/main amd64 tcpdump amd64 4.99.1-3ubuntu1 [190 kB]
Fetched 521 kB in 0s (3,837 kB/s)
Selecting previously unselected package libpcap0.8:amd64.
(Reading database ... 14289 files and directories currently installed.)
Preparing to unpack .../libpcap0.8_1.10.1-5ubuntu1_amd64.deb ...
Unpacking libpcap0.8:amd64 (1.10.1-5ubuntu1) ...
Selecting previously unselected package libpcap-dev:amd64.
Preparing to unpack .../libpcap-dev_1.10.1-5ubuntu1_amd64.deb ...
Unpacking libpcap-dev:amd64 (1.10.1-5ubuntu1) ...
Selecting previously unselected package tcpdump.
Preparing to unpack .../tcpdump_4.99.1-3ubuntu1_amd64.deb ...
Unpacking tcpdump (4.99.1-3ubuntu1) ...
Setting up libpcap0.8:amd64 (1.10.1-5ubuntu1) ...
Setting up libpcap-dev:amd64 (1.10.1-5ubuntu1) ...
Setting up tcpdump (4.99.1-3ubuntu1) ...
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for libc-bin (2.35-0ubuntu3.1) ...
With tcpdump now installed, let's examine some fundamental usage examples:
sudo tcpdump -i any -n
Example output:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:25:32.792941 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 1, seq 1, length 64
16:25:32.793005 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 1, seq 1, length 64
16:25:33.792998 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 1, seq 2, length 64
16:25:33.793058 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 1, seq 2, length 64
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
The -i any option instructs tcpdump to capture traffic across all available network interfaces. The -n option disables DNS resolution of IP addresses and port names, which speeds up the capture and keeps tcpdump from generating DNS lookups of its own while it runs.
Executing this command will initiate the capture of network traffic, displaying the captured packets in real-time. To halt the capture, press Ctrl+C.
Capturing Network Traffic with tcpdump
In this section, you'll learn how to employ the tcpdump command to capture network traffic and subsequently analyze the acquired packets. Effective network analysis begins with capturing the right data.
We'll start by capturing a fixed number of packets across all interfaces:
sudo tcpdump -i any -c 10
Example output:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:29:56.832591 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 1, seq 3, length 64
16:29:56.832648 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 1, seq 3, length 64
16:29:57.832607 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 1, seq 4, length 64
16:29:57.832663 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 1, seq 4, length 64
16:29:58.832617 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 1, seq 5, length 64
16:29:58.832673 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 1, seq 5, length 64
16:29:59.832628 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 1, seq 6, length 64
16:29:59.832684 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 1, seq 6, length 64
17:00:00.832638 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 1, seq 7, length 64
17:00:00.832694 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 1, seq 7, length 64
10 packets captured
10 packets received by filter
0 packets dropped by kernel
The -c 10 option limits tcpdump to capturing a maximum of 10 packets before exiting.
You also have the option to capture packets and save them to a file for subsequent analysis:
sudo tcpdump -i any -w network_capture.pcap
This command will initiate the capture of network traffic, saving it to a file named network_capture.pcap. Press Ctrl+C to terminate the capture.
To examine the captured packets, you can employ a network protocol analyzer such as Wireshark. Alternatively, you can utilize the tcpdump command to analyze the captured file:
sudo tcpdump -r network_capture.pcap
This will display the content of the network_capture.pcap file.
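To see what the file written by -w actually contains (and what -r parses), here is an added example that is not part of the lab: a minimal writer and reader for the pcap format libpcap uses, including the snaplen truncation flag and the nanosecond magic variant. The frames it writes are constructed dummy bytes rather than real packets, and demo_roundtrip and its temporary file path are assumptions of this example.

```python
import os
import struct
import tempfile
# Layout of the file "tcpdump -w" writes (libpcap pcap format): a 24-byte global header,
# then a 16-byte record header plus the captured bytes for every packet.
MAGICS = (0xA1B2C3D4, 0xA1B23C4D)   # microsecond and nanosecond timestamp variants
LINKTYPE_LINUX_SLL = 113             # "Linux cooked", the link type -i any produces

def write_pcap(path, packets, snaplen=262144, linktype=LINKTYPE_LINUX_SLL):
    """packets: (ts_sec, ts_usec, frame_bytes) tuples; frames longer than snaplen are cut."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", MAGICS[0], 2, 4, 0, 0, snaplen, linktype))
        for sec, usec, frame in packets:
            captured = frame[:snaplen]
            f.write(struct.pack("<IIII", sec, usec, len(captured), len(frame)))
            f.write(captured)

def read_pcap(path):
    """Return (snaplen, linktype, records). Byte order comes from the magic number;
    a record with incl_len < orig_len was cut by the snaplen and is flagged."""
    with open(path, "rb") as f:
        hdr = f.read(24)
        if len(hdr) < 24 or not any(struct.unpack(o + "I", hdr[:4])[0] in MAGICS for o in "<>"):
            raise ValueError("not a pcap file (first bytes %s)" % hdr[:4].hex())
        order = "<" if struct.unpack("<I", hdr[:4])[0] in MAGICS else ">"
        _m, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(order + "IHHiIII", hdr)
        records = []
        while True:
            rh = f.read(16)
            if len(rh) < 16:
                break                                   # clean end of file
            sec, sub, incl, orig = struct.unpack(order + "IIII", rh)
            data = f.read(incl)
            if len(data) < incl:
                raise ValueError("file ends inside record %d" % (len(records) + 1))
            records.append({"ts": (sec, sub), "incl_len": incl, "orig_len": orig,
                            "truncated": incl < orig, "data": data})
    return snaplen, linktype, records

def demo_roundtrip(snaplen=96):
    """Write three constructed frames (dummy bytes, not real packets) and read them back."""
    frames = [(1700000000, 792941, b"A" * 64), (1700000000, 793005, b"B" * 64),
              (1700000001, 0, b"C" * 1500)]           # the third is longer than snaplen
    path = os.path.join(tempfile.gettempdir(), "tcpdump_lab_demo.pcap")
    try:
        write_pcap(path, frames, snaplen=snaplen)
        return read_pcap(path)
    finally:
        os.remove(path)
```

A file produced by write_pcap opens with tcpdump -r like any other capture, which is a convenient way to check that a parser or IDS rule behaves on packets you constructed yourself.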
Filtering Network Traffic with tcpdump
In this section, you'll learn to use tcpdump to selectively capture network traffic based on criteria such as IP addresses, port numbers, and protocols. Filtering is critical for isolating relevant data and reducing noise.
Let's begin by capturing only HTTP traffic:
sudo tcpdump -i any -c 10 tcp port 80
Example output:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
17:04:01.832648 IP 172.17.0.2.49154 > 172.17.0.1.80: Flags [S], seq 3569349168, win 64240, options [mss 1460,sackOK,TS val 1000 ecr 0,nop,wscale 7], length 0
17:04:01.832702 IP 172.17.0.1.80 > 172.17.0.2.49154: Flags [S.], seq 2662318800, ack 3569349169, win 65160, options [mss 1460,sackOK,TS val 1000 ecr 1000,nop,wscale 7], length 0
17:04:01.832736 IP 172.17.0.2.49154 > 172.17.0.1.80: Flags [.], ack 1, win 502, length 0
17:04:01.832747 IP 172.17.0.2.49154 > 172.17.0.1.80: Flags [P.], seq 1:74, ack 1, win 502, length 73
17:04:01.832766 IP 172.17.0.1.80 > 172.17.0.2.49154: Flags [.], ack 74, win 512, length 0
17:04:01.832774 IP 172.17.0.1.80 > 172.17.0.2.49154: Flags [P.], seq 1:1449, ack 74, win 512, length 1448
17:04:01.832785 IP 172.17.0.2.49154 > 172.17.0.1.80: Flags [.], ack 1449, win 502, length 0
17:04:01.832793 IP 172.17.0.2.49154 > 172.17.0.1.80: Flags [F.], seq 74, ack 1449, win 502, length 0
17:04:01.832807 IP 172.17.0.1.80 > 172.17.0.2.49154: Flags [F.], seq 1449, ack 75, win 512, length 0
17:04:01.832815 IP 172.17.0.2.49154 > 172.17.0.1.80: Flags [.], ack 1450, win 502, length 0
10 packets captured
10 packets received by filter
0 packets dropped by kernel
The tcp port 80 filter instructs tcpdump to capture only packets on TCP port 80, the standard port for HTTP traffic. This is a fundamental filtering technique.
You can also filter by IP addresses:
sudo tcpdump -i any -c 10 host 172.17.0.2
This captures the initial 10 packets originating from or destined for the IP address 172.17.0.2. This is helpful for monitoring communication with a specific host.
Furthermore, you can combine multiple filters to refine your capture:
sudo tcpdump -i any -c 10 tcp port 80 and host 172.17.0.2
This captures the first 10 packets that are HTTP traffic originating from or destined for the IP address 172.17.0.2. Combining filters this way keeps a capture focused on the traffic of interest, which matters when investigating a network security issue.
Summary
This lab provides a comprehensive guide to using the tcpdump command, a powerful network packet analyzer, to capture and analyze network traffic on Linux systems. You'll begin by installing the tcpdump package on an Ubuntu 22.04 Docker container. Next, you'll learn how to capture network traffic using tcpdump, including filtering the captured data according to criteria such as source and destination IP addresses, port numbers, and protocols. By the conclusion of this lab, you'll possess a firm grasp of how to leverage tcpdump for network troubleshooting, security analysis, and general network understanding. This is a crucial skill for any aspiring Linux system administrator.