Monitoring Traffic with tcpdump

The first utility that we'll look at for monitoring network traffic is tcpdump. tcpdump outputs the headers of all packets seen by your network interface. It features a sophisticated filter language for limiting the output to a specific host, source, destination, subnet, or any combination thereof.

The simplest use of tcpdump is to start it (as root or with sudo) from the command line with no arguments:

    # tcpdump
    1: tcpdump: listening on en1
    2: 15:42:28.853450 > 51668+ CNAME? (29)
    3: 15:42:28.869908 > 51668* 1/4/4 CNAME (217)
    4: 15:42:28.870331 > 30577+ A? (29)
    5: 15:42:28.913477 > 30577 9/4/4 CNAME[domain]
    6: 15:42:28.914158 > 48116+ AAAA? (29)
    7: 15:42:28.940969 > 48116 1/1/0 CNAME (124)
    ...
    8: 15:42:33.440973 > S 4139514020:4139514020(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 34160 0> (DF) [tos 0x10]
    9: 15:42:33.494618 > S 1497469520:1497469520(0) ack 4139514021 win 5840 <mss 1460>
    10: 15:42:33.494767 > . ack 1 win 33580 (DF) [tos 0x10]
    11: 15:42:33.525710 > P 1:8(7) ack 1 win 33580 (DF) [tos 0x10]
    12: 15:42:34.497076 > 56757+ PTR? (39)
    13: 15:42:34.499827 > 56757* 1/1/1 PTR[domain]
    14: 15:42:34.687262 > P 1:13(12) ack 1 win 33580 (DF) [tos 0x10]
    15: 15:42:34.734041 > . ack 13 win 5840
    16: 15:42:36.568825 > FP 1:148(147) ack 13 win 5

For TCP packets (most of what you'll see), each line of tcpdump output can be read as

    Time Source-IP.Port > Destination-IP.Port TCP-Flags Segment-Number ack window(receive buffer) <tcp options>

UDP traffic, including name server resolution, is slightly different, as are other transport layer protocols. The tcpdump man page defines the output format for several different protocols and is required reading if you want to fully exploit the software.

In the example output, tcpdump shows a connection between and , where client0 is requesting a DNS lookup on the domain (lines 2-7). After receiving a response, client0 proceeds to open a connection with and begins communicating (lines 8-16). Note that the port is shown as the name of the service being used, such as http instead of 80; tcpdump makes this substitution automatically when it can.

A more useful example of how tcpdump can be used is with a filter to limit the traffic to a specific type. For example, rather than viewing everything on the network, how about simply watching all HTTP communications coming from a given host (in this case )? You do this by adding the filter expression src host and dst port 80 to the command. This example also introduces the -q flag to hide extraneous protocol information:

    # tcpdump -q src host and dst port 80
    tcpdump: listening on en1
    18:29:54.063689 > tcp 0 (DF)
    18:29:54.114376 > tcp 0 (DF)
    18:29:54.120766 > tcp 518 (DF)
    18:32:54.259702 > tcp 0 (DF)
    18:29:54.459999 > tcp 0 (DF)
    18:29:54.660246 > tcp 0 (DF)
    18:29:54.860469 > tcp 0 (DF)
    ...
    18:30:41.777607 > tcp 0 (DF)
    18:30:41.783227 > tcp 267 (DF)
    18:30:41.919682 > tcp 0 (DF)
    18:30:42.088209 > tcp 0 (DF)
    18:30:42.097456 > tcp 0 (DF)
    18:30:44.857696 > tcp 0 (DF)
    18:30:44.987351 > tcp 0 (DF)
    ...
    18:30:50.089552 > a209-249-123-244.deploy. tcp 0 (DF)
    18:30:50.141997 > a209-249-123-244.deploy. tcp 0 (DF)
    18:30:50.204663 > a209-249-123-244.deploy. tcp 445 (DF)
    18:30:50.415602 > a209-249-123-244.deploy. tcp 0 (DF)

Here, tcpdump reports that HTTP requests originating from have been made to the hosts , , and .
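Reading a long -q listing by eye does not scale, so the usual next step is to summarize it per destination. The following POSIX shell function is an added example, not code from the book: it reads lines in the -q layout shown above (time, source, ">", destination followed by a colon, the protocol, then the segment length) and prints packets and bytes per destination host, busiest first. The sample lines are constructed with placeholder hosts in the example.test domain; the hosts, ports and byte counts are not taken from the book's capture.

```shell
#!/bin/sh
# Added example: summarize "tcpdump -q" output per destination host.
# Assumed line layout (as printed by tcpdump -q for TCP):
#   HH:MM:SS.usec SRC.PORT > DST.PORT: tcp LEN (DF)

summarize_http() {
    # Reads tcpdump -q lines on stdin and prints "dst-host packets bytes"
    # for each destination, sorted by bytes descending, then by name.
    awk '$5 == "tcp" {
            dst = $4
            sub(/:$/, "", dst)          # drop the colon after the destination
            sub(/\.[^.]*$/, "", dst)    # drop the trailing .port (e.g. ".http")
            pkts[dst]++
            bytes[dst] += $6            # LEN printed after "tcp"
        }
        END { for (d in pkts) printf "%s %d %d\n", d, pkts[d], bytes[d] }' \
    | sort -k3,3nr -k1,1
}

# Constructed sample capture; hosts are placeholders, not from the book.
SAMPLE='18:29:54.063689 client.example.test.49152 > www1.example.test.http: tcp 0 (DF)
18:29:54.114376 client.example.test.49152 > www1.example.test.http: tcp 0 (DF)
18:29:54.120766 client.example.test.49152 > www1.example.test.http: tcp 518 (DF)
18:30:41.777607 client.example.test.49153 > www2.example.test.http: tcp 0 (DF)
18:30:41.783227 client.example.test.49153 > www2.example.test.http: tcp 267 (DF)
18:30:50.204663 client.example.test.49154 > cdn.example.test.http: tcp 445 (DF)
18:30:50.415602 client.example.test.49154 > cdn.example.test.http: tcp 0 (DF)'

http_summary() {
    # Runs the summary over the constructed sample.
    printf '%s\n' "$SAMPLE" | summarize_http
}

# Live use would be:  tcpdump -q -r capture.pcap 'src host CLIENT and dst port 80' | summarize_http
http_summary
```

Feeding the function from a file written earlier with -w and replayed with -r (rather than from a live capture) keeps the parsing from competing with capture for CPU. The length after "tcp" in -q output is the TCP segment's data length, so the byte column counts payload only; if you leave name resolution on, two names for the same address are counted as separate destinations.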

The Boolean expression used to filter traffic is built from the primitives given in the tcpdump man page, combined with and (&&), or (||), and not (!). The most useful of these expression primitives are reproduced for your reference in Table 7.1.

Table 7.1. tcpdump Expression Primitives

    Primitive                        Meaning
    dst host <host/ip>               Match packets headed to a hostname or IP.
    src host <host/ip>               Match packets from a hostname or IP.
    host <host/ip>                   Match packets to or from a given hostname or IP.
    ether dst <ethernet address>     Match packets to a given ethernet address.
    ether src <ethernet address>     Match packets from an ethernet address.
    ether host <ethernet address>    Match packets to or from an ethernet address.
    gateway <host/ip>                Match packets that use the given host or IP as a gateway.
    dst net <network>                Match packets headed to a given network.
    src net <network>                Match packets from a specified network.
    net <network>                    Match packets to or from a specified network.
    net <network> mask <netmask>     Specifies a network by using an address and a 4-octet netmask.
    net <network/mask>               Specifies a network by using an address followed by a / and the number of bits in the netmask.
    dst port <port>                  Match packets to a specific port.
    src port <port>                  Match packets from a specific port.
    port <port>                      Match packets to or from a specific port.
    less <length>                    Match packets smaller than the given size.
    greater <length>                 Match packets larger than the given size.
    ip proto <name/number>           Match packets of the named or numbered IP protocol (as in /etc/protocols), such as tcp, udp, icmp, and so on.
    ether broadcast                  Match ethernet broadcast packets.
    ip broadcast                     Match IP broadcast packets.
    ether multicast                  Match ethernet multicast packets.

The capability to create custom filter expressions is one of the most powerful features of tcpdump and other utilities that use libpcap . You may find a number of additional flags and switches useful, all accessed via the tcpdump syntax: tcpdump [options] [expression] . The common switches are provided in Table 7.2.

Table 7.2. Common tcpdump Switches

    Switch                 Meaning
                           Convert network numbers to names.
    -c <packet count>      Exit after receiving the specified number of packets.
                           Don't convert numbers to names.
    -F <filter file>       Use the contents of the named file as the filter expression.
    -i <interface>         Listen on the named network interface.
                           Buffer standard out.
    -q                     Quick/Quiet output. Leave out most extra information beyond source, destination, and ports.
    -r <filename>          Read packets from a file (see -w).
                           Don't print a timestamp on each line.
    -v, -vv, -vvv          Increasingly verbose output.
    -w <filename>          Write packets to a file for later analysis (see -r). This is better than trying to analyze a high-bandwidth/high-activity network in real time, which is likely to result in packet loss.

As you've seen, tcpdump can provide extremely targeted or very general information about your network traffic. It fits the definition of a sniffer but does not provide tools for attacking a network; its purpose is to help you uncover activity that may violate your network policy or diagnose unusual network communication problems. A Mac OS X GUI for tcpdump (MacSniffer) can be downloaded from


If you'd like to try a somewhat fun use for tcpdump, download TrafGraf from . This is a simple network traffic graphing tool that will present a visual snapshot of the communications on your network and help identify high-volume hosts. I wrote it almost four years ago, but, as long as you install the Perl modules mentioned in the readme, it will work fine on Mac OS X 10.2.


Sadly, it is next to impossible to detect sniffers on a modern network because they are designed to be completely passive. Errors existed in earlier versions of Linux and Windows that allowed administrators to probe for interfaces in promiscuous mode. Unfortunately, these are long gone. (See http://www.securiteam.com/tools/AntiSniff_-_find_sniffers_on_your_local_network.html for details.)

To test whether your machine may be running a sniffer (and is thus compromised), use ifconfig to display the information for your active network interface. For example:

    % /sbin/ifconfig en1
    en1: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
            inet6 fe80::230:65ff:fe12:f215%en1 prefixlen 64 scopeid 0x5
            inet netmask 0xffffff00 broadcast
            ether 00:30:65:12:f2:15
            media: autoselect status: active
            supported media: autoselect

Here you can see the PROMISC flag for en1 , indicating that this interface is in promiscuous mode.
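Checking one interface by eye is fine on a laptop; on a server with several interfaces it is easier to script. The following POSIX shell function is an added example, not code from the book: it reads ifconfig output on stdin and prints the name of every interface whose flags field lists PROMISC, so you can run it from cron or a login script and act only when it prints something. The sample ifconfig output is constructed (documentation addresses from 192.0.2.0/24 and 00:00:5e:00:53:xx), not the book's en1 listing, and the function assumes the BSD/Mac OS X layout in which the interface name and the flags=...<...> field share the first line of each block.

```shell
#!/bin/sh
# Added example: list interfaces that ifconfig reports in promiscuous mode.
# Assumes BSD-style output: "NAME: flags=NNNN<FLAG,FLAG,...> mtu NNNN" on one line.

promisc_interfaces() {
    # Reads "ifconfig -a" output on stdin; prints one interface name per line
    # for each interface whose flag list contains PROMISC.
    awk '/^[A-Za-z0-9]+: flags=[0-9]+</ {
            name = $1;  sub(/:$/, "", name)
            flags = $2; sub(/^flags=[0-9]+</, "", flags); sub(/>$/, "", flags)
            n = split(flags, f, ",")
            for (i = 1; i <= n; i++)
                if (f[i] == "PROMISC") print name
        }'
}

# Constructed sample: en1 is promiscuous, lo0 and en0 are not.
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        ether 00:00:5e:00:53:01
en1: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.20 netmask 0xffffff00 broadcast 192.0.2.255
        ether 00:00:5e:00:53:02'

check_sample() {
    # Runs the check over the constructed sample; prints "en1".
    printf '%s\n' "$SAMPLE_IFCONFIG" | promisc_interfaces
}

# Live use would be:  /sbin/ifconfig -a | promisc_interfaces
check_sample
```

The check only sees what the local kernel reports, so it tells you about a sniffer on the machine you run it on, not elsewhere on the segment; a sniffer that has already exited leaves no PROMISC flag behind, which is why the text above recommends secure protocols rather than relying on detection.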

Although sniffers are tough to find and remove, the use of secure protocols (SSL, IPsec, etc.) can foil most sniffers easily.


Maximum Mac OS X Security
ISBN: 0672323818
Year: 2003