name=Openbsd.Tcpdump rev=18 author=jrmu ctime=1597225574 time=1608282725 title=tcpdump

(:title tcpdump:)

[[https://man.openbsd.org/tcpdump|tcpdump]] is a tool you will often use to troubleshoot networking problems. It is much more convenient than Wireshark because you can use it on a server without a GUI. It can process enormous capture files very quickly, and its input and output can be processed with standard UNIX utilities.

!! Basics

The simplest way to log network traffic is to run:

[@
$ doas tcpdump -w YYYYMMDDSS.pcap
@]

This will log all network packets into the file @@YYYYMMDDSS.pcap@@. Replace YYYY with the year, MM with the month, DD with the day, and SS with a serial number.

'''NOTE''': tcpdump requires you to run as root (use doas) when you are logging network traffic, because normal users should not have permission to view this sensitive data.

You can choose which network interface to log by including the option -i:

[@
$ doas tcpdump -i vio0 -w YYYYMMDDSS.pcap
@]

This logs only packets from vio0.

To stop collection, type [ctrl]+c, @@^C@@.

To read a pcap file, use tcpdump with the -r option. I recommend also using -n to avoid hostname lookups (this dramatically speeds up tcpdump):

[@
$ doas tcpdump -n -r YYYYMMDDSS.pcap
@]

To get more verbose output, use -v. This will include the time to live (TTL) and type of service (ToS) of each packet:

[@
$ doas tcpdump -n -v -r YYYYMMDDSS.pcap
@]

To see the first 1500 bytes of each packet in ASCII, add -s 1500 -A:

[@
$ doas tcpdump -n -v -s 1500 -A -r YYYYMMDDSS.pcap
@]

!! Filtering

The power of tcpdump lies in its ability to filter packets easily using English-like syntax.

To show only packets coming from or going to IP 10.0.0.1:

[@
$ doas tcpdump 'host 10.0.0.1'
@]

To show only packets with source IP 192.168.0.1, and then only packets with destination IP 172.16.0.1:

[@
$ doas tcpdump 'src 192.168.0.1'
$ doas tcpdump 'dst 172.16.0.1'
@]

You can combine these with @@and &&@@, @@or ||@@, and @@not !@@.

To show only packets with source IP 192.168.0.1 '''and''' destination IP 172.16.0.1:

[@
$ doas tcpdump 'src 192.168.0.1 && dst 172.16.0.1'
@]

To show only packets from network 192.168.0.0/24 headed for destination network 172.16.0.0/16, but no packets going to or from port 22 (note that @@net@@ expects the network address itself, with the host bits cleared, or the filter is rejected):

[@
$ doas tcpdump '(src net 192.168.0.0/24 and dst net 172.16.0.0/16) and !port 22'
@]

The keyword @@net@@ is used for specifying subnets, and parentheses @@()@@ are used for grouping.

To show only traffic from certain protocols, use keywords like icmp, ip6, udp or tcp. For example:

[@
$ doas tcpdump '(udp || tcp) && portrange 6667-7000'
@]

This shows UDP and TCP packets involving ports 6667 to 7000 (the port range used for IRC).

Here are two different ways of finding RST (reset) packets (see [[openbsd/RSTFlood|TCP RST flood]]):

[@
$ doas tcpdump 'tcp[13]&4 != 0'
$ doas tcpdump 'tcp[tcpflags] == tcp-rst'
@]

Here are two different ways of finding SYN packets (see [[openbsd/SYNFlood|SYN flood]]):

[@
$ doas tcpdump 'tcp[13]&2 != 0'
$ doas tcpdump 'tcp[tcpflags] == tcp-syn'
@]

Here's how to find SYN-ACK packets (see [[openbsd/SYNACKFlood|SYN-ACK flood]]):

[@
$ doas tcpdump 'tcp[13] = 18'
@]

Here's how to find ACK packets:

[@
$ doas tcpdump 'tcp[13]&16 != 0'
$ doas tcpdump 'tcp[tcpflags] == tcp-ack'
@]

And FIN packets:

[@
$ doas tcpdump 'tcp[13]&1 != 0'
$ doas tcpdump 'tcp[tcpflags] == tcp-fin'
@]

Find the evil bit (RFC 3514), which is always malicious:

[@
$ doas tcpdump 'ip[6]&128 != 0'
@]

!! External Links

Much of this content was adapted from [[https://danielmiessler.com/study/tcpdump/|Daniel Miessler's TCPDump Guide]].

!! See Also

[[https://man.openbsd.org/tcpdump|tcpdump(8)]]
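As an added example (not code from the original page or from tcpdump), the Python script below builds constructed IPv4/TCP headers and evaluates each byte-offset filter from the Filtering section above as a predicate on the raw bytes, using the flag values FIN=1, SYN=2, RST=4, ACK=16 that tcpdump's tcp-* names stand for. It shows that the mask form @@tcp[13]&2 != 0@@ also matches SYN-ACK packets, while @@tcp[tcpflags] == tcp-syn@@ matches only packets whose flag byte is exactly SYN, which matters when you are counting SYNs to judge a SYN flood.

```python
import struct

# Constructed packets: a minimal IPv4 header (20 bytes) + TCP header (20 bytes), no payload.
# The high byte of the IP flags/fragment field is ip[6]; 0x80 there is the RFC 3514 evil bit
# and 0x40 is DF. tcp[13] is the TCP flags byte.
def build_packet(src, dst, tcp_flags, evil=False):
    ip_flags_frag = 0x8000 if evil else 0x4000
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, ip_flags_frag, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr

def tcp_byte(pkt, off):
    # tcpdump resolves tcp[n] relative to the start of the TCP header, so skip the IP header (IHL)
    return pkt[(pkt[0] & 0x0F) * 4 + off]

FIN, SYN, RST, ACK = 1, 2, 4, 16

# The page's filter expressions, re-expressed as predicates over the raw bytes.
FILTERS = {
    "tcp[13]&4 != 0":            lambda p: tcp_byte(p, 13) & RST != 0,
    "tcp[tcpflags] == tcp-rst":  lambda p: tcp_byte(p, 13) == RST,
    "tcp[13]&2 != 0":            lambda p: tcp_byte(p, 13) & SYN != 0,
    "tcp[tcpflags] == tcp-syn":  lambda p: tcp_byte(p, 13) == SYN,
    "tcp[13] = 18":              lambda p: tcp_byte(p, 13) == SYN | ACK,
    "tcp[13]&16 != 0":           lambda p: tcp_byte(p, 13) & ACK != 0,
    "tcp[tcpflags] == tcp-ack":  lambda p: tcp_byte(p, 13) == ACK,
    "tcp[13]&1 != 0":            lambda p: tcp_byte(p, 13) & FIN != 0,
    "tcp[tcpflags] == tcp-fin":  lambda p: tcp_byte(p, 13) == FIN,
    "ip[6]&128 != 0":            lambda p: p[6] & 0x80 != 0,
}

def matching_filters(pkt):
    return [name for name, pred in FILTERS.items() if pred(pkt)]

# Constructed sample packets covering each case the page's filters target.
SAMPLES = {
    "SYN":      build_packet("192.168.0.1", "172.16.0.1", SYN),
    "SYN-ACK":  build_packet("172.16.0.1", "192.168.0.1", SYN | ACK),
    "ACK":      build_packet("192.168.0.1", "172.16.0.1", ACK),
    "FIN-ACK":  build_packet("192.168.0.1", "172.16.0.1", FIN | ACK),
    "RST":      build_packet("172.16.0.1", "192.168.0.1", RST),
    "evil SYN": build_packet("10.0.0.1", "172.16.0.1", SYN, evil=True),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:9} tcp[13]=0x{tcp_byte(pkt, 13):02x} ip[6]=0x{pkt[6]:02x} -> {matching_filters(pkt)}")
```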