


What Tcpdump Command Can Be Used To Filter Out All Traffic Except Ssh Traffic?


An IP Header

tcpdump is the world's premier network analysis tool, combining both power and simplicity into a single command-line interface.

This guide will show you how to isolate traffic in multiple ways, including by IP, port, protocol, or application, to help you find what you're looking for.

Traffic isolation examples

  1. Basic Communication
  2. Find Traffic by IP
  3. Filter by Source and/or Destination
  4. Show Traffic by Network
  5. Show Traffic by Port
  6. Show Traffic by Protocol
  7. Show IPv6 Traffic
  8. Find Traffic Using Port Ranges
  9. Find Traffic Based on Packet Size
  10. Writing to a File
  11. Isolate TCP Flags
  12. Find HTTP User Agents
  13. Find Cleartext HTTP GETs
  14. Find HTTP Hosts
  15. Find HTTP Cookies
  16. Find SSH Connections
  17. Find DNS Traffic
  18. Find FTP Traffic
  19. Find Cleartext Passwords
  20. Find Packets With Evil Bit

Install:

apt install tcpdump (Ubuntu)

yum install tcpdump (Redhat/Centos)

Let's start with a basic command that will get us HTTPS traffic:

tcpdump -nnSX port 443

04:45:40.573686 IP 78.149.209.110.27782 > 172.30.0.144.443: Flags [.], ack 278239097, win 28, options [nop,nop,TS val 939752277 ecr 1208058112], length 0
        0x0000:  4500 0034 0014 0000 2e06 c005 4e8e d16e  E..4........N..n
        0x0010:  ac1e 0090 6c86 01bb 8e0a b73e 1095 9779  ....l......>...y
        0x0020:  8010 001c d202 0000 0101 080a 3803 7b55  ............8.{U
        0x0030:  4801 8100

You can get a single packet with -c 1, or n packets with -c n.

This showed some HTTPS traffic, with a hex display visible on the right portion of the output (alas, it's encrypted). Just remember: when in doubt, run the command above with the port you're interested in, and you should be on your way.

Examples

PacketWizard™ isn't really trademarked, but it should be.

Now that you are able to get basic traffic, let's step through numerous examples that you are likely to need during your work in networking, security, or as any type of PacketWizard™.

Everything on an interface

Just see what's going on, by looking at what's hitting your interface.

Or get all interfaces with -i any.

tcpdump -i eth0

Find Traffic by IP

One of the most common queries: using host, you can see traffic that's going to or from 1.1.1.1.

Expression Types:

host, net, and port.

Directions:

src and dst.

Types:

host, net, and port.

Protocols:

tcp, udp, icmp, and many more.

tcpdump host 1.1.1.1

06:20:25.593207 IP 172.30.0.144.39270 > 1.1.1.1.domain: 12790+ A? google.com. (28)
06:20:25.594510 IP 1.1.1.1.domain > 172.30.0.144.39270: 12790 1/0/0 A 172.217.15.78 (44)

Filtering by Source and/or Destination

If you only want to see traffic in one direction or the other, you can use src and dst.

tcpdump src 1.1.1.1
tcpdump dst 1.0.0.1

Finding Packets by Network

To find packets going to or from a particular network or subnet, use the net option.

You can combine this with the src and dst options as well.

tcpdump net 1.2.3.0/24

Get Packet Contents with Hex Output

Hex output is useful when you want to see the content of the packets in question, and it's often best used when you're isolating a few candidates for closer scrutiny.

tcpdump -c 1 -X icmp

A single ICMP packet captured by tcpdump

tcpdump is the tool everyone should learn as their base for packet analysis.

Show Traffic Related to a Specific Port

You can find specific port traffic by using the port option followed by the port number.

tcpdump port 3389
tcpdump src port 1025

Common Options:

-nn : Don't resolve hostnames or port names.

-S : Get the entire packet.

-X : Get hex output.

Show Traffic of One Protocol

If you're looking for one particular kind of traffic, you can use tcp, udp, icmp, and many others as well.

tcpdump icmp

Show only IP6 Traffic

You can also find all IP6 traffic using the protocol option.

tcpdump ip6

Find Traffic Using Port Ranges

You can also use a range of ports to find traffic.

tcpdump portrange 21-23

Find Traffic Based on Packet Size

If you're looking for packets of a particular size you can use these options. You can use less, greater, or their associated symbols that you would expect from mathematics.

tcpdump less 32
tcpdump greater 64
tcpdump <= 128

Reading / Writing Captures to a File (pcap)

It's often useful to save packet captures into a file for analysis in the future. These files are known as PCAP (PEE-cap) files, and they can be processed by hundreds of different applications, including network analyzers, intrusion detection systems, and of course by tcpdump itself. Here we're writing to a file called capture_file using the -w switch.

tcpdump port 80 -w capture_file

You can read PCAP files by using the -r switch. Note that you can use all the regular commands within tcpdump while reading in a file; you're only limited by the fact that you can't capture and process what doesn't exist in the file already.

tcpdump -r capture_file

Advanced

Now that we've seen what we can do with the basics through some examples, let's look at some more advanced stuff.

More options

Here are some additional ways to tweak how you call tcpdump.

  • -X : Show the packet's contents in both hex and ASCII.
  • -XX : Same as -X, but also shows the ethernet header.
  • -D : Show the list of available interfaces.
  • -l : Line-readable output (for viewing as you save, or sending to other commands).
  • -q : Be less verbose (more quiet) with your output.
  • -t : Give human-readable timestamp output.
  • -tttt : Give maximally human-readable timestamp output.
  • -i eth0 : Listen on the eth0 interface.
  • -vv : Verbose output (more v's gives more output).
  • -c : Only get x number of packets and then stop.
  • -s : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
  • -S : Print absolute sequence numbers.
  • -e : Get the ethernet header as well.
  • -q : Show less protocol information.
  • -E : Decrypt IPSEC traffic by providing an encryption key.

It's All About the Combinations

Being able to do these various things individually is powerful, but the real magic of tcpdump comes from the ability to combine options in creative ways in order to isolate exactly what you're looking for. There are three ways to do combinations, and if you've studied programming at all they'll be pretty familiar to you.

  1. AND: and or &&
  2. OR: or or ||
  3. EXCEPT: not or !

Raw Output View

Use this combination to see verbose output, with no resolution of hostnames or port numbers, using absolute sequence numbers, and showing human-readable timestamps.

tcpdump -ttnnvvS

Here are some examples of combined commands.

From specific IP and destined for a specific Port

Let's find all traffic from 10.5.2.3 going to any host on port 3389.

tcpdump -nnvvS src 10.5.2.3 and dst port 3389

From One Network to Another

Let's look for all traffic coming from 192.168.x.x and going to the 10.x or 172.16.x.x networks, and we're showing hex output with no hostname resolution and one level of extra verbosity. The destination networks are grouped in parentheses so that the or applies only to them, and the expression is single-quoted so the shell leaves the parentheses alone.

tcpdump -nvX 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or dst net 172.16.0.0/16)'

Not ICMP Traffic Going to a Specific IP

This will show us all traffic going to 192.168.0.2 that is not ICMP.

tcpdump dst 192.168.0.2 and not icmp

Traffic From a Host That Isn't on a Specific Port

This will show us all traffic from a host that isn't SSH traffic (assuming default port usage).

tcpdump -vv src mars and not dst port 22

As you can see, you can build queries to find just about anything you need. The key is to first figure out precisely what you're looking for and then to build the syntax to isolate that specific type of traffic.

Keep in mind that when you're building complex queries you might have to group your options using single quotes. Single quotes are used so that certain special characters, in this case the "( )" brackets below, are passed through to tcpdump instead of being interpreted by the shell. This same technique can be used to group using other expressions such as host, port, net, etc.

tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'

Isolate TCP Flags

You can also use filters to isolate packets with specific TCP flags set.

Isolate TCP RST flags.

The filters below find these various packets because tcp[13] looks at offset 13 in the TCP header, the number represents the location within the byte, and the !=0 means that the flag in question is set to 1, i.e. it's on.

tcpdump 'tcp[13] & 4!=0'
tcpdump 'tcp[tcpflags] == tcp-rst'

Isolate TCP SYN flags.

tcpdump 'tcp[13] & 2!=0'
tcpdump 'tcp[tcpflags] == tcp-syn'

Isolate packets that have both the SYN and ACK flags prepare.

tcpdump 'tcp[13] = 18'

Only the PSH, RST, SYN, and FIN flags are displayed in tcpdump's flag field output. URGs and ACKs are displayed, but they are shown elsewhere in the output rather than in the flags field.

Isolate TCP URG flags.

tcpdump 'tcp[13] & 32!=0'
tcpdump 'tcp[tcpflags] == tcp-urg'

Isolate TCP ACK flags.

tcpdump 'tcp[13] & 16!=0'
tcpdump 'tcp[tcpflags] == tcp-ack'

Isolate TCP PSH flags.

tcpdump 'tcp[13] & 8!=0'
tcpdump 'tcp[tcpflags] == tcp-push'

Isolate TCP FIN flags.

tcpdump 'tcp[13] & 1!=0'
tcpdump 'tcp[tcpflags] == tcp-fin'

Everyday Recipe Examples

Because tcpdump can output content in ASCII, you can use it to search for cleartext content using other command-line tools like grep.

Finally, now that we have the theory out of the way, here are a number of quick recipes you can use for catching various kinds of traffic.

Both SYN and RST Set

tcpdump 'tcp[13] = 6'

Find HTTP User Agents

The -l switch lets you see the traffic as you're capturing it, and helps when sending to commands like grep.

tcpdump -vvAls0 | grep 'User-Agent:'

Cleartext GET Requests

tcpdump -vvAls0 | grep 'GET'

Find HTTP Host Headers

tcpdump -vvAls0 | grep 'Host:'

Find HTTP Cookies

tcpdump -vvAls0 | grep -E 'Set-Cookie|Host:|Cookie:'

Find SSH Connections

This one works regardless of what port the connection comes in on, because it's matching the "SSH-" banner at the start of the TCP payload rather than a port number.

tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'

Find DNS Traffic

tcpdump -vvAs0 port 53

Find FTP Traffic

tcpdump -vvAs0 port ftp or ftp-data

Find NTP Traffic

tcpdump -vvAs0 port 123

Find Cleartext Passwords

tcpdump -lA port http or port ftp or port smtp or port imap or port pop3 or port telnet | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd= |password=|pass:|user:|username:|password:|login:|pass |user '

Find Traffic With Evil Bit

There's a bit in the IP header that never gets set by legitimate applications, which we call the "Evil Bit". Here's a fun filter to find packets where it's been toggled.

tcpdump 'ip[6] & 128 != 0'
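The tcp[13] flag filters in Isolate TCP Flags, the banner check under Find SSH Connections, and the evil-bit filter above all read fixed byte offsets, which is what tcpdump's filter engine does. As an added example (not from the original article), the Python below evaluates those same offset expressions against constructed IPv4/TCP packets, including the short-packet case where the banner check cannot match; the packet builder, addresses and ports are assumptions made for this example.

```python
import struct

# Flag bit values inside tcp[13], matching the tcp[13] & N filters above.
TCP_FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}

def build_packet(flags, payload=b"", evil=False, options=b""):
    """Construct a minimal IPv4+TCP packet (sample data made up for this example)."""
    ihl = 5                                  # IP header length in 32-bit words
    tcp_len = 20 + len(options)              # TCP header length in bytes
    total = ihl * 4 + tcp_len + len(payload)
    frag = 0x8000 if evil else 0             # top bit of ip[6] is the RFC 3514 "evil bit"
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0x1234, frag,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    data_off = (tcp_len // 4) << 4           # data offset sits in the top nibble of tcp[12]
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, data_off, flags, 65535, 0, 0)
    return ip + tcp + options + payload

def tcp_byte(pkt, i):
    """tcp[i]: byte i of the TCP header, found by skipping the IP header."""
    return pkt[(pkt[0] & 0x0F) * 4 + i]

def tcp_word(pkt, off):
    """tcp[off:4] as a big-endian integer, or None if the packet is too short."""
    start = (pkt[0] & 0x0F) * 4 + off
    chunk = pkt[start:start + 4]
    return struct.unpack("!I", chunk)[0] if len(chunk) == 4 else None

def flag_filter(pkt, mask, exact=False):
    """'tcp[13] & mask != 0', or 'tcp[13] = mask' when exact is True."""
    flags = tcp_byte(pkt, 13)
    return flags == mask if exact else (flags & mask) != 0

def is_ssh_banner(pkt):
    """'tcp[(tcp[12]>>2):4] = 0x5353482D': the first four payload bytes are "SSH-"."""
    return tcp_word(pkt, tcp_byte(pkt, 12) >> 2) == 0x5353482D

def has_evil_bit(pkt):
    """'ip[6] & 128 != 0'."""
    return pkt[6] & 128 != 0

if __name__ == "__main__":
    syn_ack = build_packet(TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"])
    print(flag_filter(syn_ack, 18, exact=True))                         # True
    print(is_ssh_banner(build_packet(24, b"SSH-2.0-OpenSSH_9.6\r\n")))  # True
```

The options argument lets you confirm that the tcp[12]>>2 indirection still finds the payload when the TCP header carries options, which is why the banner filter works on any port.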


Summary

Here are the takeaways.

  1. tcpdump is a valuable tool for anyone looking to go into networking or information security.
  2. The raw way it interfaces with traffic, combined with the precision it offers in inspecting packets, make it the best possible tool for learning TCP/IP.
  3. Protocol analyzers like Wireshark are great, but if you want to truly master packet-fu, you must become one with tcpdump first.

Well, this primer should get you going strong, but the man page should always be handy for the most advanced and one-off usage scenarios. I truly hope this has been useful to you, and feel free to contact me if you have any questions.

Notes

  1. I'm currently (sort of) writing a book on tcpdump for No Starch Press.
  2. The leading image is from SecurityWizardry.com.
  3. Some of the isolation filters borrowed from Sébastien Wains.
  4. Thanks to Peter at hackertarget.com for inspiration on the new table of contents (simplified), and also for some additional higher-level protocol filters added in July 2018.
  5. An anagram for the TCP flags is: Unskilled Attackers Pester Real Security Folk.


Source: https://danielmiessler.com/study/tcpdump/

Posted by: cottowhinsed.blogspot.com
