Henryk Paluch edited this page Apr 11, 2024 · 1 revision

TcpDump and friends

Here are assorted tips for using tcpdump.

To list capture devices:

tcpdump -D

Watch everything except the SSH connection (required when you are running tcpdump from an SSH session, otherwise your own session traffic floods the output):

# CARD - monitored network card from "tcpdump -D"
# -n - disable name/service resolution
# -p - disable promiscuous mode
tcpdump -np -i CARD not tcp port 22

My favorite - monitor TCP SYN (connection attempt) requests. Byte 13 of the TCP header holds the flag bits; masking with 31 keeps FIN/SYN/RST/PSH/ACK, and comparing to 2 matches a bare SYN only (a SYN-ACK reply does not match):

tcpdump -np -i enp0s8 'tcp[13] & 31 == 2'

You can also use a nice utility called tcpick (install the package of the same name) that shows TCP packets in colour. It uses the same filter syntax as tcpdump. Here vmbr2 is the NAT bridge under Proxmox VE - to see all TCP connection attempts from VMs running on the vmbr2 bridge:

tcpick -i vmbr2 -C -a '(tcp[13] & 31) == 2'

WARNING! -a will do a reverse DNS lookup to assign a name to every IP address. Use it only on a low-volume node, otherwise the flood of lookups amounts to a self-inflicted DoS attack on your resolver.

Example output when booting up an Ubuntu 23 desktop:

Starting tcpick 0.2.1 at 2024-04-09 17:46 CEST
Timeout for connections is 600
tcpick: listening on vmbr2
setting filter: "(tcp[13] & 31) == 2"
2      SYN-SENT       10.10.10.130:56132 > ubuntu-content-cache-1.ps5.canonical.com:http
3      SYN-SENT       10.10.10.130:56644 > api.snapcraft.io:https
4      SYN-SENT       10.10.10.130:57926 > api.snapcraft.io:https
5      SYN-SENT       10.10.10.130:42902 > 162.213.33.48:https

The last unresolvable IP address (162.213.33.48) is metrics.ubuntu.com - you can find it with the tcpdump command below... Also, every 90 seconds there is a DNS request to connectivity-check.ubuntu.com.

Be aware that there are other information leaks besides TCP connections: DNS (UDP or TCP port 53 - both are allowed) and NTP (UDP port 123). Example that shows packets matching any of:

  • TCP connection attempt (SYN)
  • DNS on port 53 (both udp and tcp)
  • NTP on udp port 123

tcpdump -np -i vmbr2 '((tcp[13] & 31) == 2) or (port 53) or (udp port 123)'
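As an added illustration (not part of the original page, and not using libpcap), the following Python models what the SYN filter above and this combined filter actually test, by building a few constructed IPv4/TCP/UDP packets in memory and applying the same byte checks: `tcp[13]` is the flags byte of the TCP header, `& 31` keeps only FIN/SYN/RST/PSH/ACK, and `== 2` therefore matches a bare SYN but not the SYN-ACK reply; `port 53` matches either direction on TCP or UDP. The addresses and ports are constructed sample values; nothing is captured from a real interface.

```python
import struct

# Constructed packets only: no capture, so the whole thing runs offline.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_MASK = 31  # 0b11111 = FIN|SYN|RST|PSH|ACK, the mask used in 'tcp[13] & 31'
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def ipv4_header(proto, src="10.10.10.130", dst="162.213.33.48"):
    """Minimal 20-byte IPv4 header (IHL=5, no options); checksum left as zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0, _ip(src), _ip(dst))


def tcp_segment(sport, dport, flags, dst="162.213.33.48"):
    """IPv4 + minimal 20-byte TCP header; byte 13 of the TCP header is the flags byte."""
    data_offset = 5 << 4  # 5 32-bit words, no options
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 65535, 0, 0)
    return ipv4_header(IPPROTO_TCP, dst=dst) + tcp


def udp_datagram(sport, dport, payload=b"", dst="162.213.33.48"):
    """IPv4 + 8-byte UDP header."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ipv4_header(IPPROTO_UDP, dst=dst) + udp + payload


def parse(pkt):
    """Return (proto, sport, dport, tcp_flags) using the IPv4 IHL to locate the L4 header.

    tcp_flags is None for non-TCP packets. tcpdump's tcp[13] is indexed
    relative to the start of the TCP header, exactly as done here.
    """
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    l4 = pkt[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    flags = l4[13] if proto == IPPROTO_TCP else None
    return proto, sport, dport, flags


def syn_only(pkt):
    """Equivalent of 'tcp[13] & 31 == 2': SYN set and FIN/RST/PSH/ACK all clear."""
    proto, _, _, flags = parse(pkt)
    return proto == IPPROTO_TCP and (flags & FLAG_MASK) == SYN


def leak_filter(pkt):
    """Equivalent of '((tcp[13] & 31) == 2) or (port 53) or (udp port 123)'."""
    proto, sport, dport, _ = parse(pkt)
    dns = 53 in (sport, dport)                       # 'port 53': either direction, TCP or UDP
    ntp = proto == IPPROTO_UDP and 123 in (sport, dport)
    return syn_only(pkt) or dns or ntp


if __name__ == "__main__":
    # Constructed traffic resembling the tcpick session above, plus replies and evaders.
    samples = [
        ("SYN to metrics host :443", tcp_segment(42902, 443, SYN)),
        ("SYN-ACK reply from :443", tcp_segment(443, 42902, SYN | ACK)),
        ("data PSH|ACK to :443", tcp_segment(42902, 443, PSH | ACK)),
        ("UDP DNS query to :53", udp_datagram(40000, 53)),
        ("UDP NTP to :123", udp_datagram(123, 123)),
        ("mDNS to 224.0.0.251:5353", udp_datagram(5353, 5353, dst="224.0.0.251")),
    ]
    for label, pkt in samples:
        print(f"{label:28} syn_only={syn_only(pkt)!s:5} leak_filter={leak_filter(pkt)!s:5}")
```

The last constructed sample is the point of the closing remark on this page: an mDNS datagram to 224.0.0.251:5353 passes both filters unseen, because neither port 53 nor UDP 123 nor a TCP SYN is involved.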

Please note that there are still many other protocols and ways to evade this tcpdump filter - for example multicast (mDNS and others)...
