WEBVTT

0
00:01.380 --> 00:08.910
When it comes to sniffing traffic using a command-line tool, tcpdump is the tool of choice for both

1
00:09.000 --> 00:17.360
its power and simplicity. It's compatible with Wireshark, and that means that you can save the captured

2
00:17.370 --> 00:20.350
packets to a file and later open 

3
00:20.370 --> 00:26.070
that file in wireshark on the same or another machine for a visual inspection.

4
00:26.110 --> 00:35.760
Let’s see how it works! Tcpdump is installed by default on any Linux distribution. The following commands

5
00:35.820 --> 00:38.500
will be executed as root.

6
00:38.520 --> 00:44.500
If you want to see what's hitting your interface, you execute: tcpdump -i

7
00:44.520 --> 00:47.370
and the name of the interface

8
00:47.370 --> 00:53.460
In this case, eth0. Let's generate some traffic!

9
01:00.490 --> 01:08.450
These are the captured packets. I'm stopping the capture by pressing Control

10
01:08.470 --> 01:20.590
+C. If you want to see only the packets to or from an IP address, you add the host option: tcpdump

11
01:20.650 --> 01:26.560
-i and the interface, host and an IP address,

12
01:26.590 --> 01:34.060
let's say 8.8.8.8, and in another terminal I'm going to ping that IP address.

13
01:39.060 --> 01:48.470
It's capturing only the packets to or from the IP address.

14
01:48.660 --> 01:57.640
And if you only want to see traffic in one direction or the other, you can use src or dst, like this:

15
02:00.680 --> 02:11.860
dst medium.com -n. The -n option is used not to convert addresses to names; you can use an IP

16
02:11.860 --> 02:17.710
address or a domain name that will be translated to an IP address by your DNS server.

17
02:23.450 --> 02:32.400
And these are the packets to medium.com; to capture packets going to or from a particular network

18
02:32.520 --> 02:33.870
or subnet

19
02:33.900 --> 02:35.220
use the net option:

20
02:39.160 --> 02:42.040
net and the subnet address,

21
02:48.630 --> 02:54.090
and if you want to see packets of a specific application, use the port option.

22
02:54.090 --> 02:58.110
For example, I want to see only HTTPS packets:

23
03:01.620 --> 03:14.340
port 443 -vv -n
To produce more verbose output and print additional

24
03:14.340 --> 03:15.240
files

25
03:15.240 --> 03:26.520
I've used -vv. This is HTTPS traffic. If you want to see traffic going to or coming from

26
03:26.520 --> 03:28.000
a specific port

27
03:28.030 --> 03:34.650
use the src port or dst port options. For example,

28
03:34.680 --> 03:41.130
I'll sniff only DNS queries, and that means UDP packets going to port 53:

29
03:45.960 --> 03:50.450
dst port 53 -vv -n

30
03:54.360 --> 03:57.120
You see, these are DNS queries!

31
03:58.780 --> 04:05.860
Adding the -A option will have the output include ASCII strings from the capture.

32
04:05.860 --> 04:13.630
This allows easy reading and the ability to parse the output using grep or other commands.

33
04:13.720 --> 04:23.080
Let's try this filter: dst port 80 -A -n (-n is optional)

34
04:25.850 --> 04:30.630
and I'll visit an HTTP site, for example

35
04:30.710 --> 04:34.100
info.cern.ch

36
04:38.950 --> 04:39.670
By the way,

37
04:39.670 --> 04:42.250
this is the home of the first website!

38
04:48.050 --> 05:00.790
See the capture! If you use -X instead of -A, you'll see both ASCII and hexadecimal data. I'm

39
05:00.800 --> 05:02.840
reloading the page.

40
05:03.410 --> 05:12.100
This is the captured packet: its contents as a string, and here on the left side as hexadecimal data.

41
05:15.260 --> 05:23.390
Let's go ahead and see how to save the captured data to a file. It's often useful to save packet

42
05:23.390 --> 05:33.040
captures to a file for analysis in the future. These files are known as PCAP (PEE-cap) files and can be opened in

43
05:33.160 --> 05:41.680
Wireshark or other packet analysis tools, including tcpdump itself. To write to a file, use

44
05:41.710 --> 05:51.920
the -w option, like this! In the next example I want to save all HTTP packets to a file, so tcpdump -

45
05:51.920 --> 05:52.200
i

46
05:52.210 --> 06:04.710
the name of the interface - eth0 port 80 cern.ch -w and the name of the file

47
06:05.760 --> 06:19.640
cern.ch.pcap. It will save the packets to this file, and I'm generating some traffic, some

48
06:19.700 --> 06:31.530
HTTP traffic. When you want to stop the capture, you simply press Control+C. 27 packets

49
06:31.650 --> 06:41.680
have been captured and saved to that file. To read the file at a later time with tcpdump, use -r

50
06:41.770 --> 06:42.430
like this:

51
06:49.700 --> 06:59.520
I've read the file! Note that when reading the file, all options we have seen are still available, for

52
06:59.520 --> 07:05.640
example -n, -w and -X (an uppercase X).

53
07:12.810 --> 07:19.660
At the end of this lecture I want to show you some more advanced features of tcpdump, which are

54
07:19.680 --> 07:25.340
the logical and/or operators. Let's

55
07:25.350 --> 07:34.450
suppose you want to capture only ICMP packets going to a specific IP address, for example tcpdump -

56
07:34.450 --> 07:47.490
eth0 icmp - the protocol - and host and the IP address; it will capture only ICMP packets to or

57
07:47.490 --> 07:49.040
from this IP address.

58
07:51.750 --> 07:52.430
Okay!

59
07:52.570 --> 07:55.340
A ping was running in the background.

60
07:55.540 --> 08:04.890
These are the packets; but if I ping another IP address, let's say stackoverflow.com,

61
08:05.210 --> 08:11.660
you'll notice that the packets are not captured. And a last example,

62
08:11.790 --> 08:16.710
I'll capture HTTP or HTTPS traffic. For that

63
08:16.740 --> 08:26.640
I have to use the logical or operator, like this: port 80 or port 443.