All of our digital activity like messaging friends via FB, watching Netflix, sending emails, or uploading our precious cat photos to Instagram is just the tip of what’s happening. Beneath these surface-level interactions is an entire world of activity where machines are talking constantly, ensuring we humans can easily do what humans do… watch Netflix…
This underworld of machine interaction revolves around the sending and receiving of “packets”, which are basically little packages of information going from one machine to the next. We humans luckily have a way of peering into this world of packets through a “packet analyzer” (or sniffer).
A packet sniffer is a modern-day version of the wiretap, you know the thing used in the Watergate Scandal. Like any tool, this packet sniffer is neutral and can be used for good or evil, depending on who’s using it.
The main goal of any packet sniffer is to “sniff” or “capture” the packets of information flowing between our machines in the underground world of machine communication. Packet sniffers come in two flavors of interface: command-line and graphical.
The more well-known packet sniffers are Wireshark (GUI), TShark (the CLI version of Wireshark), and tcpdump (CLI). Today we’re going to focus on tcpdump, but I’m sure we’ll run into the other two packet sniffers down the road.
Using the “right” lens
Remember, we’re looking into the underground world of machines, not humans, so we’ll need a special way to access this world. For simplicity, I’m only mentioning two here, but feel free to Google to your heart’s content for the others. 😉
Promiscuous Mode – Every machine has something called a NIC, otherwise known as a “Network Interface Card”, which is basically our machine’s portal to the outside world. Every packet that’s sent across our network can be seen by this NIC, but it’s usually ignored by the NIC if it’s not specifically intended for our machine (i.e. addressed to our MAC address). But… we can configure our NIC to “promiscuous mode”, convincing our machine to play the field, not being so strict about which packets are worthy of interacting with our machine, and allowing all packets within our network into our machine. By doing this we’re able to peer into this underground with just our computer and the network we’re using.
Network Taps – Taps are today’s version of wiretapping, but for networks. When these taps are placed in just the right spot, we’re able to observe all the traffic going in and out of our network. A tap simply mirrors all the traffic on your network into a packet analyzer, allowing you to dig through all this traffic without interfering with the packets while they’re in transit. In the wild, you’re most likely going to run across a tap instead of a NIC in promiscuous mode, but without a tap, promiscuous mode is our only option.
Note: The placement of your tap is crucial to actually see the packets in all their glory. I won’t dive into the details, but the trick with taps is to ensure you’re avoiding any obfuscation via network address translation (NAT), port address translation (PAT), or proxies.
The “why” behind packet sniffers
Every tutorial I’ve come across on tcpdump focused solely on the technology, with very little explanation as to why this is useful. This is a common occurrence in most tech-centric industries because the people that are attracted to these industries love tech for the sake of tech. This technology obsession is good, but it’s not always the best when teaching or learning the importance of a certain technology.
As many have said before me, technology is not an end in itself, but a means to an end.
To understand the purpose of tcpdump we’ll first need to understand a little history behind tcpdump. In 1988 tcpdump was created by a few developers at the Lawrence Berkeley National Laboratory. These developers wanted this whole packet sniffing thing to become widely adopted, so they created an open-source library, libpcap, available via an API. Libpcap sits at the center of most packet sniffers being used today, such as Wireshark, Snort, Bro IDS, McAfee, Firesheep, and many more.
So the origins of packet sniffing come back to tcpdump. Over time packet sniffers have become more advanced in their ability to filter, display, and correlate different types of packet traffic, leaving our tcpdump ancestor with very little utility for the everyday cyber geek.
I’m not saying tcpdump is useless, but its utility has decreased over time as other packet sniffers have taken tcpdump’s core tech (i.e. libpcap) and piled additional features on top of it.
Even though the uses for tcpdump are minimal, they’re still important, so let’s look at the common use cases I’ve discovered.
- Learning – First and foremost tcpdump is a great learning tool. When learning how to use and interpret the packets within tcpdump you’re getting a better understanding of two important skills, which are filtering and reading packets. The beautiful thing about learning via tcpdump is that you’re looking at the heart of what every other packet sniffing tool is using, so transitioning from one to the next is much easier.
- Automation – As mentioned above, many newer packet sniffers leverage libpcap, but some directly integrate tcpdump. Specifically, when working with a remote or headless (i.e. no GUI) machine, creating a script that periodically sniffs traffic from this device and writes it into a file that can later be analyzed is a huge time saver.
- Detailed Investigation – Whenever a network is attacked there are multiple steps taken by a security analyst to drill down into exactly what happened, who was involved, and what the overall impact is on the organization. During this investigation process, you’ll find yourself drilling down into specific types of packet traffic uncovering the details of an attack and tcpdump is perfect for this (along with other packet sniffers).
What are we “sniffing”
We understand the why, but now let’s look at the “what”. What exactly are we sniffing?
Packet sniffers capture all kinds of traffic, and tcpdump’s name is a little deceiving because it sniffs much more than TCP traffic. There is no single format to rule them all, due to the different types of traffic being captured, but most of the time you’ll see TCP-related traffic.
Here’s an example of what you might see and the general format…
08:41:13.729687 IP 192.168.64.28.22 > 192.168.64.1.41916: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 117964079 ecr 816509256], length 372
Timestamp – The time the packet was sent or received: hour (08), minute (41), second (13), followed by the fraction of a second (729687)
Network Layer Protocol – The network layer protocol being used (internet protocol – IP)
Src IP/Port > Dst IP/port – Source IP address (192.168.64.28) and port number (22) + Destination IP address (192.168.64.1) and port number (41916)
TCP Flags – Flags describing what’s happening between the two machines (P. – Push & Acknowledgement). There are many different flags; below are the ones you’ll see for TCP traffic.
Sequence Number – This number is used to track the sequence of packets. The first sequence number will be absolute, but all the following sequence numbers will be relative, so you’re able to see where one packet ends and the other begins. For this example, we start at 196 and end at 568.
Acknowledgment (sending) or next expected byte (receiving) – When sending a packet your “Acknowledgment number” (ack number – ack 1) will always be one, but when receiving a packet it shows the expected starting byte. The receiving machine of this packet will have an “ack number” of 568.
Window size – This is an advertisement of how much data (in bytes) the receiving machine is willing to take. The window size (309) is used to control the flow of data.
Other TCP Options – This section is optional and is used for additional TCP options like window scaling or maximum segment size (MSS)
Packet Length – Last we have the length of our packet (372) in bytes, which is the difference between our sequence numbers (568 – 196 = 372).
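To make the field breakdown above concrete, here is a small Python parser, added as an example and not part of the original post, for the one-line TCP summary tcpdump prints in its default (non -v) format when run with -nn so addresses and ports stay numeric. It pulls out each field described above, decodes the flag letters, checks the relationship between the sequence range and the length that the post points out (568 – 196 = 372), and computes the ack number the other side should send back. EXAMPLE_LINE is the post’s own line; SYN_LINE is a constructed line in the same format standing in for the opening packet of such a session.

```python
"""Parse tcpdump's one-line TCP summaries (default format, run with -nn)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Letters tcpdump uses inside "Flags [...]" and the TCP flag each one stands for.
FLAG_NAMES = {"S": "SYN", ".": "ACK", "P": "PSH", "F": "FIN",
              "R": "RST", "U": "URG", "E": "ECE", "W": "CWR"}

# The line from the post.
EXAMPLE_LINE = ("08:41:13.729687 IP 192.168.64.28.22 > 192.168.64.1.41916: Flags [P.], "
                "seq 196:568, ack 1, win 309, "
                "options [nop,nop,TS val 117964079 ecr 816509256], length 372")
# Constructed sample: what the first SYN of such a session looks like (absolute seq, no ack).
SYN_LINE = ("08:41:10.123456 IP 192.168.64.1.41916 > 192.168.64.28.22: Flags [S], "
            "seq 3890118473, win 64240, "
            "options [mss 1460,sackOK,TS val 816509000 ecr 0,nop,wscale 7], length 0")

HEAD_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$")
SEQ_RE = re.compile(r"\bseq (\d+)(?::(\d+))?")   # "seq 196:568" or "seq 3890118473"
ACK_RE = re.compile(r"\back (\d+)")             # \b keeps "sackOK" from matching
WIN_RE = re.compile(r"\bwin (\d+)")
OPT_RE = re.compile(r"\boptions \[([^\]]*)\]")
LEN_RE = re.compile(r"\blength (\d+)")


@dataclass
class TcpSummary:
    timestamp: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: List[str]            # decoded names, e.g. ["PSH", "ACK"]
    seq_start: Optional[int]
    seq_end: Optional[int]      # only present when the segment carries payload
    ack: Optional[int]
    window: Optional[int]
    options: List[str]
    length: int


def decode_flags(letters: str) -> List[str]:
    unknown = [c for c in letters if c not in FLAG_NAMES]
    if unknown:
        raise ValueError(f"unknown flag letter(s) {unknown!r} in {letters!r}")
    return [FLAG_NAMES[c] for c in letters]


def _first_int(rx: "re.Pattern", text: str) -> Optional[int]:
    m = rx.search(text)
    return int(m.group(1)) if m else None


def parse_tcp_line(line: str) -> TcpSummary:
    m = HEAD_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a tcpdump TCP summary line: {line!r}")
    rest = m.group("rest")
    seq = SEQ_RE.search(rest)
    opt = OPT_RE.search(rest)
    length = _first_int(LEN_RE, rest)
    if seq is None or length is None:
        raise ValueError(f"missing seq or length in: {line!r}")
    return TcpSummary(
        timestamp=m.group("ts"),
        src_ip=m.group("src"), src_port=int(m.group("sport")),
        dst_ip=m.group("dst"), dst_port=int(m.group("dport")),
        flags=decode_flags(m.group("flags")),
        seq_start=int(seq.group(1)),
        seq_end=int(seq.group(2)) if seq.group(2) else None,
        ack=_first_int(ACK_RE, rest), window=_first_int(WIN_RE, rest),
        options=opt.group(1).split(",") if opt else [],
        length=length)


def payload_consistent(p: TcpSummary) -> bool:
    """tcpdump prints 'seq a:b' only for segments with payload; b - a must equal 'length'."""
    if p.seq_end is None:
        return p.length == 0
    return p.seq_end - p.seq_start == p.length


def next_expected_ack(p: TcpSummary) -> int:
    """Ack number the other side should send back: the byte after this segment.
    SYN and FIN each consume one sequence number even though they carry no data."""
    base = p.seq_end if p.seq_end is not None else p.seq_start
    return base + (1 if ("SYN" in p.flags or "FIN" in p.flags) else 0)


if __name__ == "__main__":
    for line in (SYN_LINE, EXAMPLE_LINE):
        p = parse_tcp_line(line)
        print(f"{p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port} {'+'.join(p.flags)} "
              f"len={p.length} consistent={payload_consistent(p)} next_ack={next_expected_ack(p)}")
```

The consistency check is a cheap way to catch lines that were mangled in transit (for example, wrapped or truncated when pasted into a ticket) before you base a conclusion on them; with -v, tcpdump switches to a two-line format that this parser deliberately does not accept.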
As you can see, this format can be overwhelming in the beginning, but once you’ve seen it a few times and worked through some tutorials it’s not too intimidating.
How do we “sniff”?
We have the “what” and “why” out of the way, so let’s now jump into the “how”.
Like many other command-line tools tcpdump is made up of commands, “switches” (e.g. options), and filters. Also, like any other command-line tool tcpdump can be endlessly complicated, so we’ll stick with simplicity.
First off, before writing any commands we’ll need to make sure we’re root (i.e. admin) to get anything done. Also, we’ll want traffic to watch, so if you only have access to your home network like me, you’ll want to create some traffic once tcpdump is sniffing (e.g. open a browser and go to some random sites).
Let’s start with a basic command.
sudo tcpdump -i eth0 -nn -s0 -v port 80
tcpdump: this is our trusty command we’ll type every single time.
-i: Remember the promiscuous NIC we talked about earlier? Well, here it is… “-i” means “interface” and the interface we’re looking through is “eth0”, which is what most Linux users will use.
-nn: Whenever you’re sniffing traffic it sometimes takes a while for the sniffer to map every IP address to a hostname or every port to a service name and many cyber geeks use this “n” switch to prevent that from happening. A single “-n” prevents the hostname mapping and a double “-nn” prevents port name mapping.
-s0: “-s” represents the “snap length”, which sets the size of the packet we want to capture. “-s0” sets the size to unlimited, capturing all the traffic.
-v: “-v” represents “verbose”. This switch is used when we want extra info about the packets we’re sniffing and by using double “-vv” we increase the amount of detail.
port 80: “port” is one of the many filters we can add to our command, narrowing down our search, especially when there are large amounts of traffic.
Solutions > Tools
As you can see tcpdump is useful and powerful, but when you’re out there in the wild you’ll see more modern packet sniffers like Wireshark. But remember… it all stems from mother tcpdump.
When continuing on your learning journey never settle for just the “how” and “what” of technology, but always seek out the “why”… Even when everyone else seems to be avoiding it. The fundamental “why” is what helps future you make better decisions when faced with an actual issue and thinking critically, instead of just following the crowd.