Scanning all incoming traffic. Proper use of tcpdump

I had to do some strange listening work with an even stranger Chinese GPS locator, which was odd enough to use the UDP protocol only. Since there was absolutely no technical guide for these devices (at least not when I was looking for one), I had to listen on every port of my local server to see what this damn box was actually sending.

Since I'm kind of a Linux newbie, I asked this Unix & Linux question and got answers worth enough to me that I decided to put a summary of them on my own blog.

Since I'm using a very limited version of Linux on my NAS, there was no tcpdump there. But a simple call to ipkg install tcpdump solved the problem (luckily I had installed Optware before, as it was also missing).

For this particular problem (listening for UDP packets on port 3333 or 7777), the command to execute is:

tcpdump -i eth0 -n 'udp port (3333 or 7777)'

(the filter expression is quoted because otherwise the shell, not tcpdump, would try to interpret the parentheses and fail with a syntax error)

where:

  • -i tells tcpdump to listen on the eth0 interface only (run tcpdump -D to list all interfaces tcpdump can use on a particular machine) and
  • -n tells tcpdump not to resolve addresses and port numbers to names, so they are shown as plain IPs and numbers (this also avoids the DNS lookups that would slow the capture down and add their own packets to it).

To check whether my locator ever changes ports, I could call:

tcpdump -i eth0 -n udp

which causes tcpdump to listen for any UDP traffic, on any port.

An alternative:

tcpdump -i eth0 -n 'port (3333 or 7777)'

will make tcpdump capture any traffic on port 3333 or 7777, regardless of the transport protocol (TCP or UDP) used.

Running tcpdump with only the interface parameter:

tcpdump -i eth0

or even calling it without any parameters will capture all traffic on that interface, in both directions (without -i, tcpdump picks the first configured, non-loopback interface it finds).

However, this is only useful if you have physical (console) access to the machine and can run the program interactively. If you have remote access only and must run tcpdump over SSH, you might not be that lucky. The SSH session itself generates so many packets (every line tcpdump prints is sent back to you over SSH, which produces more packets for tcpdump to print) that even with all other services down you will probably not be able to see anything in this "noise".

This can be partially solved if you know the source IP address (i.e. the remote address of the machine that will be sending the traffic you want to capture).

With this, you can limit tcpdump like this:

tcpdump -i eth0 -n src 83.220.106.3

This is a one-way listener: it captures all traffic whose source address is that particular IP, i.e. everything that host sends to your machine.

An alternative version:

tcpdump -i eth0 -n dst 83.220.106.3

lets you check all the "answers" that your machine sends to the specified IP address.

Finally, executing this command:

tcpdump -i eth0 -n host 83.220.106.3

will show you all the traffic exchanged between the computer running tcpdump and the given IP, which is matched as either source or destination in this case, so you see both "questions" and "answers".
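The filters from this post applied offline, as an added example that is not part of the original post: tcpdump's -w option writes the raw packets to a pcap file instead of printing them, and the script below builds such a file from constructed sample traffic, reads it back with a minimal pcap/Ethernet/IPv4 parser, and applies predicates with the same meaning as udp port (3333 or 7777), port (3333 or 7777), src/dst/host 83.220.106.3 and not port 22 (the term that removes the SSH noise described above). The locator address is the one used in the post; the NAS at 192.168.1.10, the admin workstation at 192.168.1.50, the ports and the payloads are assumptions. Python, standard library only.

```python
import io
import socket
import struct

ETH_P_IP = 0x0800            # EtherType for IPv4
PROTO_TCP, PROTO_UDP = 6, 17

# Constructed addresses: 83.220.106.3 is the locator address used in the post;
# the NAS and the admin workstation are assumed values.
LOCATOR, NAS, ADMIN = "83.220.106.3", "192.168.1.10", "192.168.1.50"

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(src_ip, dst_ip, proto, sport, dport, payload: bytes) -> bytes:
    """Ethernet II + IPv4 + UDP or TCP + payload. L4 checksums stay zero; the
    reader below does not verify them (tcpdump -vv would report them as bad)."""
    if proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:  # minimal 20-byte TCP header: seq=1, ack=1, data offset 5, PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP)
    return eth + ip + l4

def write_pcap(frames) -> bytes:
    """Classic pcap (what `tcpdump -w` produces): 24-byte global header with
    linktype 1 (Ethernet), then a 16-byte record header before every frame."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate(frames):
        out.write(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
        out.write(frame)
    return out.getvalue()

def read_pcap(data: bytes):
    """Yield one dict per IPv4 TCP/UDP frame; other frames are skipped."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
            continue
        ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length
        total_len = struct.unpack("!H", frame[16:18])[0]  # ignores Ethernet padding
        proto = frame[23]
        if proto not in (PROTO_TCP, PROTO_UDP):
            continue
        l4 = frame[14 + ihl:14 + total_len]
        sport, dport = struct.unpack("!HH", l4[:4])
        hdr_len = 8 if proto == PROTO_UDP else (l4[12] >> 4) * 4
        yield {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
               "proto": proto, "sport": sport, "dport": dport, "payload": l4[hdr_len:]}

def make_filter(proto=None, ports=(), not_ports=(), src=None, dst=None, host=None):
    """Predicate with the meaning of a tcpdump expression: `proto` is the `udp`
    qualifier, `ports` is `port (a or b)`, `not_ports` is `not port x`, and
    src/dst/host are `src host`, `dst host` and `host`."""
    def match(p):
        seen = {p["sport"], p["dport"]}
        return ((proto is None or p["proto"] == proto)
                and (not ports or bool(seen & set(ports)))
                and not (seen & set(not_ports))
                and (src is None or p["src"] == src)
                and (dst is None or p["dst"] == dst)
                and (host is None or host in (p["src"], p["dst"])))
    return match

# Constructed capture: two locator reports on 3333/7777, one reply, one TCP probe
# on 7777 and two SSH frames standing in for the noise of the admin session.
SAMPLE_PCAP = write_pcap([
    build_frame(LOCATOR, NAS, PROTO_UDP, 40001, 3333, b"GPS,1,lat=52.2297,lon=21.0122"),
    build_frame(NAS, LOCATOR, PROTO_UDP, 3333, 40001, b"ACK"),
    build_frame(LOCATOR, NAS, PROTO_UDP, 40002, 7777, b"GPS,2,lat=52.2300,lon=21.0130"),
    build_frame(LOCATOR, NAS, PROTO_TCP, 40003, 7777, b"tcp-probe"),
    build_frame(ADMIN, NAS, PROTO_TCP, 51000, 22, b"ssh-noise"),
    build_frame(NAS, ADMIN, PROTO_TCP, 22, 51000, b"ssh-noise"),
])

def count_matches(data: bytes, predicate) -> int:
    """How many frames of the capture the filter would have let through."""
    return sum(1 for p in read_pcap(data) if predicate(p))

def udp_payloads(data: bytes, ports) -> list:
    """The raw datagrams a `udp port (...)` capture shows: what the box actually sends."""
    return [p["payload"] for p in read_pcap(data)
            if p["proto"] == PROTO_UDP and ({p["sport"], p["dport"]} & set(ports))]
```

On the NAS the equivalent of the sample above is tcpdump -i eth0 -n -w locator.pcap 'udp port (3333 or 7777)', copied off and opened with read_pcap(open("locator.pcap", "rb").read()); the capture file also sidesteps the SSH feedback problem, since nothing is printed while capturing. The predicate in make_filter is only a readable model of the expressions; tcpdump compiles them to BPF in the kernel, which is why filtering there is cheaper than filtering in user space.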

You can also use tcpdump on your machine to listen to traffic exchanged between two other machines connected to the same network. Since this is too off-topic and uses the program as a real sniffer, maybe to do some bad things, I won't give you the exact command to execute. Refer to the sources I used or search the Internet.
