Here, we shall explore a few different ways of capturing traffic

Let's check interface eth0's details
cumulus@server01:~$ ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 44:38:39:00:08:00 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.31/16 brd 192.168.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::4638:39ff:fe00:800/64 scope link
valid_lft forever preferred_lft forever

There are alternative ways of capturing traffic, such as filtering on the network or host IP address instead of naming the interface

Let's capture traffic associated with a network (for example 192.168.0.0/16)
cumulus@server01:~$ sudo tcpdump net 192.168.0.0/16 -w eth0-network.cap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C2 packets captured
4 packets received by filter
0 packets dropped by kernel

Another way is to specify the host IP, which is the IP address assigned to eth0
cumulus@server01:~$ sudo tcpdump host 192.168.0.31 -w eth0-host.cap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C6 packets captured
8 packets received by filter
0 packets dropped by kernel

Let's check the contents of both files
cumulus@server01:~$ sudo tcpdump -r eth0-network.cap
reading from file eth0-network.cap, link-type EN10MB (Ethernet)
13:42:34.063714 IP 192.168.0.31.ssh > 192.168.0.254.50286: Flags [P.], seq 967908862:967908986, ack 1490256537, win 303, options [nop,nop,TS val 29968 ecr 100514], length 124
13:42:34.064503 IP 192.168.0.254.50286 > 192.168.0.31.ssh: Flags [.], ack 124, win 692, options [nop,nop,TS val 100838 ecr 29968], length 0

cumulus@server01:~$ sudo tcpdump -r eth0-host.cap
reading from file eth0-host.cap, link-type EN10MB (Ethernet)
13:52:38.300836 IP 192.168.0.31.ssh > 192.168.0.254.50286: Flags [P.], seq 967924842:967924886, ack 1490267165, win 303, options [nop,nop,TS val 181027 ecr 704755], length 44
13:52:38.300954 IP 192.168.0.31.ssh > 192.168.0.254.50286: Flags [P.], seq 44:152, ack 1, win 303, options [nop,nop,TS val 181027 ecr 704755], length 108
13:52:38.300973 IP 192.168.0.31.ssh > 192.168.0.254.50286: Flags [P.], seq 152:180, ack 1, win 303, options [nop,nop,TS val 181027 ecr 704755], length 28
13:52:38.301925 IP 192.168.0.254.50286 > 192.168.0.31.ssh: Flags [.], ack 44, win 692, options [nop,nop,TS val 705042 ecr 181027], length 0
13:52:38.302314 IP 192.168.0.254.50286 > 192.168.0.31.ssh: Flags [.], ack 152, win 692, options [nop,nop,TS val 705042 ecr 181027], length 0
13:52:38.302446 IP 192.168.0.254.50286 > 192.168.0.31.ssh: Flags [.], ack 180, win 692, options [nop,nop,TS val 705042 ecr 181027], length 0

The contents of both captures are similar; it's evident that these are just different ways of capturing the same traffic

Let's capture and read only the outgoing traffic
cumulus@server01:~$ sudo tcpdump src 192.168.0.31 -w eth0-out.cap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C1 packet captured
2 packets received by filter
0 packets dropped by kernel
cumulus@server01:~$ sudo tcpdump -r eth0-out.cap
reading from file eth0-out.cap, link-type EN10MB (Ethernet)
13:58:30.909768 IP 192.168.0.31.ssh > 192.168.0.254.50286: Flags [P.], seq 967929190:967929314, ack 1490269517, win 303, options [nop,nop,TS val 269179 ecr 1057385], length 124

Similarly, to capture and read only the incoming traffic
cumulus@server01:~$ sudo tcpdump dst 192.168.0.31 -w eth0-in.cap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^X^C5 packets captured
6 packets received by filter
0 packets dropped by kernel
cumulus@server01:~$ sudo tcpdump -r eth0-in.cap
reading from file eth0-in.cap, link-type EN10MB (Ethernet)
14:01:06.318138 IP 192.168.0.254.50286 > 192.168.0.31.ssh: Flags [.], ack 967937126, win 692, options [nop,nop,TS val 1213121 ecr 308031], length 0
14:01:06.318345 IP 192.168.0.254.50286 > 192.168.0.31.ssh: Flags [.], ack 109, win 692, options [nop,nop,TS val 1213121 ecr 308031], length 0
14:01:06.318667 IP 192.168.0.254.50286 > 192.168.0.31.ssh: Flags [.], ack 137, win 692, options [nop,nop,TS val 1213122 ecr 308031], length 0
14:01:07.199087 IP 192.168.0.254.50286 > 192.168.0.31.ssh: Flags [P.], seq 0:28, ack 137, win 692, options [nop,nop,TS val 1214002 ecr 308031], length 28
14:01:07.200126 IP 192.168.0.254.50286 > 192.168.0.31.ssh: Flags [.], ack 165, win 692, options [nop,nop,TS val 1214003 ecr 308252], length 0

We have seen so far that the only traffic we are capturing is SSH; this is because I have logged into server01 through the management server, and there is no other traffic on eth0

To capture traffic based on a port (for example 22 for SSH) and then read it
cumulus@server01:~$ sudo tcpdump port 22 -w ssh.cap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C6 packets captured
8 packets received by filter
0 packets dropped by kernel
cumulus@server01:~$ sudo tcpdump -r ssh.cap
reading from file ssh.cap, link-type EN10MB (Ethernet)
14:03:11.600825 IP 192.168.0.31.ssh > 192.168.0.254.50286: Flags [P.], seq 967943402:967943446, ack 1490278705, win 303, options [nop,nop,TS val 339352 ecr 1338131], length 44
14:03:11.600938 IP 192.168.0.31.ssh > 192.168.0.254.50286: Flags [P.], seq 44:152, ack 1, win 303, options [nop,nop,TS val 339352 ecr 1338131], length 108
14:03:11.600956 IP 192.168.0.31.ssh > 192.168.0.254.50286: Flags [P.], seq 152:180, ack 1, win 303, options [nop,nop,TS val 339352 ecr 1338131], length 28
14:03:11.601698 IP 192.168.0.254.50286 > 192.168.0.31.ssh: Flags [.], ack 44, win 692, options [nop,nop,TS val 1338411 ecr 339352], length 0
14:03:11.601897 IP 192.168.0.254.50286 > 192.168.0.31.ssh: Flags [.], ack 152, win 692, options [nop,nop,TS val 1338411 ecr 339352], length 0
14:03:11.602183 IP 192.168.0.254.50286 > 192.168.0.31.ssh: Flags [.], ack 180, win 692, options [nop,nop,TS val 1338411 ecr 339352], length 0
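The five filter primitives used above (net, host, src, dst, port) are easy to confuse when reviewing a capture, so the following added example (mine, not from the post) models each one as a predicate over parsed tcpdump text lines. The sample lines and the SERVICES name table are constructed for the example; they mirror the format of the output shown earlier but are not a real capture.

```python
import ipaddress
import re

# Service names tcpdump prints instead of numbers (only those used here).
SERVICES = {"ssh": 22, "http": 80}

# Constructed sample lines modelled on the post's output; not a real capture.
SAMPLE = """\
13:52:38.300836 IP 192.168.0.31.ssh > 192.168.0.254.50286: Flags [P.], seq 1:45, ack 1, win 303, length 44
13:52:38.301925 IP 192.168.0.254.50286 > 192.168.0.31.ssh: Flags [.], ack 44, win 692, length 0
14:10:00.000000 IP 10.0.0.5.40000 > 192.168.0.31.ssh: Flags [S], seq 1, win 64240, length 0
14:10:00.100000 IP 192.168.0.254.51000 > 192.168.0.1.http: Flags [S], seq 7, win 64240, length 0
"""

# timestamp, "IP", src.port > dst.port: ... (IPv4 TCP/UDP summary lines only)
LINE_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\w+) > (\d+\.\d+\.\d+\.\d+)\.(\w+):")

def parse(text):
    """Return (src, sport, dst, dport) tuples; lines that do not match are skipped."""
    pkts = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        sport, dport = (int(t) if t.isdigit() else SERVICES[t] for t in (m[2], m[4]))
        pkts.append((ipaddress.ip_address(m[1]), sport, ipaddress.ip_address(m[3]), dport))
    return pkts

# Each function returns a predicate mirroring the tcpdump primitive of the same name.
def src(addr):
    a = ipaddress.ip_address(addr)
    return lambda p: p[0] == a

def dst(addr):
    a = ipaddress.ip_address(addr)
    return lambda p: p[2] == a

def host(addr):  # 'host X' is shorthand for 'src X or dst X'
    s, d = src(addr), dst(addr)
    return lambda p: s(p) or d(p)

def net(cidr):  # prefix match against either address
    n = ipaddress.ip_network(cidr, strict=False)
    return lambda p: p[0] in n or p[2] in n

def port(num):  # matches either endpoint's port
    return lambda p: num in (p[1], p[3])

def count(flt, text=SAMPLE):
    """How many packets in the text the filter would have captured."""
    return sum(1 for p in parse(text) if flt(p))
```

Running it over real output is simplest with `tcpdump -nr file.cap`, since `-n` prints port numbers instead of service names and avoids the lookup table.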
