Friday, April 13, 2012

tcpdump - when no other tools are available to filter a packet

I am fairly used to using tcpdump to capture network data.  However, I really gained the ability to review and understand the captures via Ethereal, later renamed Wireshark (when it was spun off and the original trademark owner kept the trademark).  As a systems admin I have to be comfortable reading a capture file from the network, but the tools are not always available.  As an example, I recently had to filter a packet capture for a partner while we did some troubleshooting, because policy requires not exposing internal network structures, layouts, or organization.

So one day I found myself sitting at my Linux box (without Wireshark installed) with the results of four tcpdumps from separate hosts in separate files.  I needed to combine the captures and then filter them down to just the partner-specific traffic.  It took me a while to remember the filtering options, so I thought I'd post the process here in the form of a journal - I can't even remember how old I am sometimes.

First, you have to combine the packet capture files.  You cannot simply cat the files together, as you might have an incomplete packet from when the capture started.  Later versions of tcpdump actually come with a tool to facilitate this:
mergecap -w silverhawk.cap host1.cap host2.cap host3.cap

After merging the captures, you will want to remove everything not related to your current problem (to keep prying eyes from seeing inside your network).  To do this, read the combined packet capture and write out another one, feeding it through a filter.  Filters can be complex or simple; I prefer the simple ones:

tcpdump -r silverhawk.cap -w silverhawk-filtered.cap -n "port 443"

The above would grab all of the TCP port 443 traffic, i.e. the SSL-encrypted traffic (HTTPS connections).  For most concerns that alone would be enough (decrypting the SSL traffic would require the SSL certificate keys for the traffic streams you need to see).  However, if you have multiple port 443 connections to different hosts and you would prefer the partner not see whom else you are connecting to, you can filter by IP address instead:

tcpdump -r silverhawk.cap -w silverhawk-filtered.cap -n "host 200.20.200.20"

Those are fairly simple filters, and should definitely help restrict who sees what.  I'd strongly suggest starting with those and then adjusting as necessary (e.g. combining them with other, fancier filters).
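As an added example (not from the post, and not the mergecap or tcpdump code itself), here is a small pure-Python stand-in for the two steps above: merge captures in timestamp order (what mergecap does) and write out only the packets matching a "host" or "port" filter (what tcpdump -r ... -w ... does).  It assumes classic little-endian pcap files containing Ethernet/IPv4 frames and constructs its own sample packets; the hostnames, addresses and file names are made up.

```python
import socket
import struct

PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LE, v2.4, Ethernet

def read_pcap(path):
    """Yield (ts_sec, ts_usec, frame) records; assumes little-endian pcap (magic 0xa1b2c3d4)."""
    with open(path, "rb") as f:
        data = f.read()
    off = 24                                  # skip the 24-byte global header
    while off + 16 <= len(data):              # 16-byte record header per packet
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec, usec, data[off:off + incl]
        off += incl

def write_pcap(path, recs):
    """Write records as a pcap file (used for the sample input and the filtered output)."""
    with open(path, "wb") as f:
        f.write(PCAP_HDR)
        for sec, usec, frame in recs:
            f.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)

def merge(paths):
    """Like mergecap: one capture ordered by timestamp, whole packets only."""
    return sorted((r for p in paths for r in read_pcap(p)), key=lambda r: r[:2])

def matches(frame, host=None, port=None):
    """Subset of tcpdump's filter language: 'host A' and/or 'port N' (IPv4; port is TCP or UDP)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":           # not IPv4
        return False
    ihl = (frame[14] & 0x0F) * 4
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    if host is not None and host not in (src, dst):
        return False
    if port is not None:
        if frame[23] not in (6, 17) or len(frame) < 14 + ihl + 4:  # TCP/UDP only
            return False
        if port not in struct.unpack_from("!HH", frame, 14 + ihl):
            return False
    return True

def filter_recs(recs, **flt):  # like: tcpdump -r in.cap -w out.cap "<filter>"
    return [r for r in recs if matches(r[2], **flt)]

def make_frame(src, dst, sport, dport, proto=6):
    """Constructed sample Ethernet/IPv4/TCP(6)-or-UDP(17) frame, not real traffic."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport) + b"\x00" * 16
```

Before handing a filtered file to a partner, re-read it and list the addresses that remain, so you can confirm that only the intended hosts survived the filter.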
