A Guide to Network Traffic Analysis Utility: TCPDUMP

Tcpdump is a network packet sniffing command-line utility. It is most commonly used for troubleshooting networks and testing security issues. Despite the absence of a graphical user interface, it’s the most popular, powerful, and versatile command-line utility.

It is native to Linux such that most of the Linux distributions install it as a part of the standard OS. Tcpdump is a libpcap interfaced program, which is a library for network datagram capture.

This article will demystify tcpdump by showing how to capture, read, and analyze captured network traffic in this utility. We will later use our understanding to inspect data packets with the advanced TCP flag filters.

Tcpdump Installation

Tcpdump default installation in your distro depends on the options selected during the installation process. In the case of custom installation, it’s possible that the package is not available. You can check tcpdump installation by using the dpkg command with the “-s” option.

Or use the command “sudo apt-get install tcpdump” to install tcpdump in the Ubuntu Linux.

Capturing Packets in Tcpdump:

To begin the capture process, we first need to find our working interface using the “ifconfig” command. Or we can list all the available interfaces using the tcpdump command with the “-D” option.

To begin the capture process, you can use the syntax;

For instance, in the command below, we use the “-i” option to capture traffic on the “enp0s3” interface, with a “-c” flag to limit the captured packets and write “-w” it to a test_capture.pcap file.

Similarly, you can use various filter combinations to isolate traffic as per your requirement. One such example includes capturing network data leaving and arriving at the host using the host command for a specific port. Moreover, I have used the “-n” flag to prevent tcpdump from capturing DNS lookups. This flag is very helpful in saturating traffic while troubleshooting the network.

We use the “and” command to only capture packets containing host 10.0.2.15 and destination port 80. Similarly, various other filters can be applied to ease troubleshooting tasks.

If you do not want to use the “-c” flag to limit capture traffic, you can use an interrupt signal, i.e., Ctrl C, to stop the isolation process.

Reading Tcpdump Files

Reading tcpdump captured files can be a lot overwhelming. By default, tcp assigns names to IP addresses and ports. We will use the “-r” flag to read our already captured file test_capture.pcap saved in the /tmp folder. We will pipe the output to awk command to only output the source IP address and ports and pipe it to the command head to only display the first 5 entries.

However, it is recommended to use IP addresses and ports in numbers to resolve networking issues. We will disable IP name resolution with the “-n” flag and port names with “-nn“.

Understanding Captured Output

Tcpdump captures many protocols, including UDP, TCP, ICMP, etc. It isn’t easy to cover all of them here. However, it’s important to understand how the information is displayed and what parameters it includes.

Tcpdump displays each packet in a line, with a timestamp and information with respect to the protocol. Generally, the format of a TCP protocol is as follows:

Let’s explain one of the captured packet fields by field:

• 20:08:22.146354: Timestamp of the captured packet
• IP: Network layer protocol.
• 10.0.2.15.54080: This field contains the source IP address and source port.
• 172.67.39.148.443: This field represents the destination IP address and port number.
• Flags[P.]/: The flags represent the connection state. In this case, [P.] indicates the PUSH acknowledgment packet. The flag field also includes some other values like:
  1. S: SYN
  2. P: PUSH
  3. [.]: ACK
  4. F: FIN
  5. [S.]: SYN_ACK
  6. R: RST
• seq 1276027591:1276027630: The sequence number in the first: the last format denotes the number of data in the packet. Excluding the first packet where the numbers are in absolute, the subsequent packets have relative numbers. In this case, the numbers here mean that the packet contains data bytes from  1276027591 to 1276027630.
• ack 544039114: The acknowledgment number depicts the next expected data sequence number.
• win 63900: The window size depicts the number of available bytes in the received buffer.
• length 39: Length of payload data, in bytes.

Advanced Filters

Now we can use some advanced heading filter options to display and analyze only data packets. In any TCP packet, the TCP flags begin from the 14th byte such that  PSH and ACK are represented by 4th and 5th bits.

We can use this information by turning on these bits 00011000 or 24 to display data packets with only PSH and ACK flags. We pass this number to tcpdump with the filter “tcp[13]=24“, note that the array index in TCP begins at zero.

We will filter out this packet from our text_capture.pcap file and use the -A option to display all the packet details for you.

Similarly, you can filter out some other flag packets using “tcp[13]=8” and “tcp[13]=2” for only PSH and SYN flags, etc.

Conclusion

In this article, we have introduced you to some of the most important topics of tcpdump. Tcpdump, combined with the power of CLI, can be of great help in network troubleshooting, automation, and security management. Once studied and combined, its filters and command line options can contribute a lot to your day-to-day troubleshooting and automation tasks and overall understanding of the network.