Posted: . At: 8:10 AM. This was 2 years ago. Post ID: 16237
Get information about network connections with tcpdump on Linux.


Getting information about network connections with tcpdump is very easy. In the example below I am looking for traffic to or from 192.168.1.5 (the host primitive matches either direction), limited to five packets with -c5 and with name and port resolution turned off by -nn. The result is information about the current SSH session on port 22.

jason@jason-Lenovo-H50-55:~$ sudo tcpdump -i any -c5 -nn host 192.168.1.5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
05:55:14.592053 IP 192.168.1.2.22 > 192.168.1.5.49360: Flags [P.], seq 3579182045:3579182241, ack 1274452714, win 501, options [nop,nop,TS val 3756719200 ecr 2269762149], length 196
05:55:14.592189 IP 192.168.1.2.22 > 192.168.1.5.49360: Flags [P.], seq 196:416, ack 1, win 501, options [nop,nop,TS val 3756719200 ecr 2269762149], length 220
05:55:14.592259 IP 192.168.1.2.22 > 192.168.1.5.49360: Flags [P.], seq 416:612, ack 1, win 501, options [nop,nop,TS val 3756719200 ecr 2269762149], length 196
05:55:14.592315 IP 192.168.1.2.22 > 192.168.1.5.49360: Flags [P.], seq 612:808, ack 1, win 501, options [nop,nop,TS val 3756719200 ecr 2269762149], length 196
05:55:14.592361 IP 192.168.1.5.49360 > 192.168.1.2.22: Flags [.], ack 196, win 9150, options [nop,nop,TS val 2269762181 ecr 3756719200], length 0
5 packets captured
5 packets received by filter
0 packets dropped by kernel

Here is another example that lists only packets carrying a TCP payload: the expression subtracts the IP header length and the TCP header length from the IP total length and keeps packets where the remainder is not zero. It is usually shown for HTTP traffic, but it works just as well for SSH packets on port 22.

jason@jason-Lenovo-H50-55:~$ sudo tcpdump -c5 'tcp port 22 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s25, link-type EN10MB (Ethernet), capture size 262144 bytes
06:24:48.513622 IP jason-Lenovo-H50-55.ssh > 192.168.1.5.49360: Flags [P.], seq 3584238861:3584239049, ack 1274477390, win 501, options [nop,nop,TS val 3758493121 ecr 2271536054], length 188
06:24:48.518531 IP jason-Lenovo-H50-55.ssh > 192.168.1.5.49360: Flags [P.], seq 188:416, ack 1, win 501, options [nop,nop,TS val 3758493126 ecr 2271536132], length 228
06:24:48.518651 IP jason-Lenovo-H50-55.ssh > 192.168.1.5.49360: Flags [P.], seq 416:620, ack 1, win 501, options [nop,nop,TS val 3758493126 ecr 2271536132], length 204
06:24:48.518878 IP jason-Lenovo-H50-55.ssh > 192.168.1.5.49360: Flags [P.], seq 620:824, ack 1, win 501, options [nop,nop,TS val 3758493126 ecr 2271536137], length 204
06:24:48.518972 IP jason-Lenovo-H50-55.ssh > 192.168.1.5.49360: Flags [P.], seq 824:1028, ack 1, win 501, options [nop,nop,TS val 3758493126 ecr 2271536137], length 204
5 packets captured
6 packets received by filter
0 packets dropped by kernel

The example below looks for all packets on port 22 whose IP total length (ip[2:2]) is over 200 bytes.

jason@jason-Lenovo-H50-55:~$ sudo tcpdump -c20 'tcp port 22 and ip[2:2] > 200'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s25, link-type EN10MB (Ethernet), capture size 262144 bytes
06:51:16.313363 IP jason-Lenovo-H50-55.ssh > 192.168.1.5.49360: Flags [P.], seq 3584589481:3584589669, ack 1274520426, win 501, options [nop,nop,TS val 3760080921 ecr 2273123892], length 188
06:51:16.318296 IP jason-Lenovo-H50-55.ssh > 192.168.1.5.49360: Flags [P.], seq 188:416, ack 1, win 501, options [nop,nop,TS val 3760080926 ecr 2273123960], length 228
06:51:16.318412 IP jason-Lenovo-H50-55.ssh > 192.168.1.5.49360: Flags [P.], seq 416:620, ack 1, win 501, options [nop,nop,TS val 3760080926 ecr 2273123960], length 204
06:51:16.318494 IP jason-Lenovo-H50-55.ssh > 192.168.1.5.49360: Flags [P.], seq 620:824, ack 1, win 501, options [nop,nop,TS val 3760080926 ecr 2273123960], length 204
06:51:16.318594 IP jason-Lenovo-H50-55.ssh > 192.168.1.5.49360: Flags [P.], seq 824:1028, ack 1, win 501, options [nop,nop,TS val 3760080926 ecr 2273123960], length 204
06:51:16.318673 IP jason-Lenovo-H50-55.ssh > 192.168.1.5.49360: Flags [P.], seq 1028:1232, ack 1, win 501, options [nop,nop,TS val 3760080926 ecr 2273123965], length 204
06:51:16.318745 IP jason-Lenovo-H50-55.ssh > 192.168.1.5.49360: Flags [P.], seq 1232:1444, ack 1, win 501, options [nop,nop,TS val 3760080926 ecr 2273123965], length 212
06:51:16.318794 IP jason-Lenovo-H50-55.ssh > 192.168.1.5.49360: Flags [P.], seq 1444:1656, ack 1, win 501, options [nop,nop,TS val 3760080926 ecr 2273123965], length 212
06:51:16.318850 IP jason-Lenovo-H50-55.ssh > 192.168.1.5.49360: Flags [P.], seq 1656:1868, ack 1, win 501, options [nop,nop,TS val 3760080926 ecr 2273123965], length 212
06:51:16.318905 IP jason-Lenovo-H50-55.ssh > 192.168.1.5.49360: Flags [P.], seq 1868:2080, ack 1, win 501, options [nop,nop,TS val 3760080926 ecr 2273123965], length 212
06:51:16.318983 IP jason-Lenovo-H50-55.ssh > 192.168.1.5.49360: Flags [P.], seq 1028:1232, ack 1, win 501, options [nop,nop,TS val 3760080926 ecr 2273123965], length 204
06:51:16.319037 IP jason-Lenovo-H50-55.ssh > 192.168.1.5.49360: Flags [P.], seq 1444:1656, ack 1, win 501, options [nop,nop,TS val 3760080927 ecr 2273123965], length 212
06:51:16.319169 IP jason-Lenovo-H50-55.ssh > 192.168.1.5.49360: Flags [P.], seq 2080:2716, ack 1, win 501, options [nop,nop,TS val 3760080927 ecr 2273123965], length 636
06:51:16.319230 IP jason-Lenovo-H50-55.ssh > 192.168.1.5.49360: Flags [P.], seq 2716:2928, ack 1, win 501, options [nop,nop,TS val 3760080927 ecr 2273123965], length 212
06:51:16.319283 IP jason-Lenovo-H50-55.ssh > 192.168.1.5.49360: Flags [P.], seq 2928:3140, ack 1, win 501, options [nop,nop,TS val 3760080927 ecr 2273123965], length 212
06:51:16.319336 IP jason-Lenovo-H50-55.ssh > 192.168.1.5.49360: Flags [P.], seq 3140:3352, ack 1, win 501, options [nop,nop,TS val 3760080927 ecr 2273123965], length 212
06:51:16.319392 IP jason-Lenovo-H50-55.ssh > 192.168.1.5.49360: Flags [P.], seq 3352:3564, ack 1, win 501, options [nop,nop,TS val 3760080927 ecr 2273123965], length 212
06:51:16.319501 IP jason-Lenovo-H50-55.ssh > 192.168.1.5.49360: Flags [P.], seq 3564:3776, ack 1, win 501, options [nop,nop,TS val 3760080927 ecr 2273123965], length 212
06:51:16.319612 IP jason-Lenovo-H50-55.ssh > 192.168.1.5.49360: Flags [P.], seq 2928:3140, ack 1, win 501, options [nop,nop,TS val 3760080927 ecr 2273123965], length 212
06:51:16.319670 IP jason-Lenovo-H50-55.ssh > 192.168.1.5.49360: Flags [P.], seq 3352:3564, ack 1, win 501, options [nop,nop,TS val 3760080927 ecr 2273123966], length 212
20 packets captured
20 packets received by filter
0 packets dropped by kernel

The maximum real size of a packet on Ethernet is 1500 bytes, but a starting size of 200 bytes is a fairly reliable threshold. You can see the SSH packets, but not their contents, because the payload is encrypted. Still, this is a very useful tip for finding such traffic.

This command captures only packets with the SYN or FIN flag set and may help in analyzing the lifecycle of a TCP connection.

jason@jason-Lenovo-H50-55:~$ sudo tcpdump -c20 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s25, link-type EN10MB (Ethernet), capture size 262144 bytes
07:37:27.122670 IP jason-Lenovo-H50-55.34332 > 84.170.224.35.bc.googleusercontent.com.http: Flags [S], seq 1306506024, win 64240, options [mss 1460,sackOK,TS val 3662538487 ecr 0,nop,wscale 7], length 0
07:37:27.314251 IP 84.170.224.35.bc.googleusercontent.com.http > jason-Lenovo-H50-55.34332: Flags [S.], seq 3370168263, ack 1306506025, win 64768, options [mss 1412,sackOK,TS val 1153744138 ecr 3662538487,nop,wscale 7], length 0
07:37:27.506632 IP jason-Lenovo-H50-55.34332 > 84.170.224.35.bc.googleusercontent.com.http: Flags [F.], seq 88, ack 149, win 501, options [nop,nop,TS val 3662538871 ecr 1153744363], length 0
07:37:27.507019 IP 84.170.224.35.bc.googleusercontent.com.http > jason-Lenovo-H50-55.34332: Flags [F.], seq 149, ack 88, win 508, options [nop,nop,TS val 1153744363 ecr 3662538679], length 0
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
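As an added example (not code from the post), here is the arithmetic behind the three tcpdump filters above, reimplemented in Python over constructed IPv4/TCP packets: the payload-length expression from the second capture, the ip[2:2] > 200 test from the third, and the SYN/FIN flag test from the fourth. The addresses and ports are the ones in the post's captures; the packets themselves are built inside the script, not captured.

```python
import struct

# Constructed packets, not captures from the post: the 192.168.1.2:22 -> 192.168.1.5:49360
# flow from the post's first capture, with zeroed checksums and synthetic payloads.
SRC, DST = bytes([192, 168, 1, 2]), bytes([192, 168, 1, 5])
TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10
TS_OPTS = b"\x01\x01\x08\x0a" + (3756719200).to_bytes(4, "big") + (2269762149).to_bytes(4, "big")


def build_ipv4_tcp(payload: bytes, flags: int, tcp_opts: bytes = b"") -> bytes:
    """Raw IPv4 header + TCP header (+options, a multiple of 4 bytes) + payload."""
    ihl, doff = 5, 5 + len(tcp_opts) // 4          # header lengths in 32-bit words
    total_len = ihl * 4 + doff * 4 + len(payload)   # the value tcpdump reads as ip[2:2]
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0, SRC, DST)
    tcp = struct.pack("!HHIIBBHHH", 22, 49360, 1, 1, doff << 4, flags, 501, 0, 0) + tcp_opts
    return ip + tcp + payload


# One helper per term of the post's expressions. tcpdump indexes tcp[N] from the start of
# the TCP header, i.e. after the variable-length IP header, so these do the same.
def ip_total_len(pkt: bytes) -> int:
    return struct.unpack_from("!H", pkt, 2)[0]                  # ip[2:2]
def ip_hdr_len(pkt: bytes) -> int:
    return (pkt[0] & 0xF) << 2                                  # (ip[0]&0xf)<<2
def tcp_hdr_len(pkt: bytes) -> int:
    return (pkt[ip_hdr_len(pkt) + 12] & 0xF0) >> 2              # (tcp[12]&0xf0)>>2
def tcp_payload_len(pkt: bytes) -> int:
    return ip_total_len(pkt) - ip_hdr_len(pkt) - tcp_hdr_len(pkt)
def tcp_flags(pkt: bytes) -> int:
    return pkt[ip_hdr_len(pkt) + 13]                            # tcp[tcpflags]

# The post's three filters as predicates over one raw packet.
def has_payload(pkt: bytes) -> bool:                     # (ip[2:2] - iphdr - tcphdr) != 0
    return tcp_payload_len(pkt) != 0
def ip_len_over(pkt: bytes, limit: int = 200) -> bool:   # ip[2:2] > 200
    return ip_total_len(pkt) > limit
def syn_or_fin(pkt: bytes) -> bool:                      # tcp[tcpflags] & (tcp-syn|tcp-fin) != 0
    return tcp_flags(pkt) & (TCP_SYN | TCP_FIN) != 0

SAMPLES = {  # shaped like lines in the post's captures; payload bytes are made up
    "psh_ack_196": build_ipv4_tcp(b"A" * 196, TCP_PSH | TCP_ACK, TS_OPTS),  # "length 196"
    "pure_ack": build_ipv4_tcp(b"", TCP_ACK, TS_OPTS),                     # "length 0"
    "syn": build_ipv4_tcp(b"", TCP_SYN),
    "fin_ack": build_ipv4_tcp(b"", TCP_FIN | TCP_ACK, TS_OPTS),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:12} iplen={ip_total_len(pkt):3} payload={tcp_payload_len(pkt):3} "
              f"data={has_payload(pkt)} >200={ip_len_over(pkt)} syn|fin={syn_or_fin(pkt)}")
```

Note that ip[2:2] is the IP total length, so the 14-byte Ethernet header is not counted: the 200-byte comparison is against the IP packet, not the frame on the wire.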

Another way to see an SSH connection on a Linux machine is netstat.

jason@jason-Lenovo-H50-55:~$ netstat | grep ssh
tcp        0      0 jason-Lenovo-H50-55:ssh 192.168.1.5:49360       ESTABLISHED

Furthermore, I can use this pgrep command to see that my user is logged in over an SSH connection.

jason@jason-Lenovo-H50-55:~$ pgrep -af "sshd: $LOGNAME"
918 sshd: jason [priv]  
1072 sshd: jason@pts/0

Or this version, which matches only the per-session process (the user@pts/N entry) and so works better.

jason@jason-Lenovo-H50-55:~$ pgrep -af "sshd: $LOGNAME@"
1072 sshd: jason@pts/0
