Capturing the Right Packets with tcpdump: Filters

Imagine this scenario:

You’re an analyst for a large organization, and you suspect there’s an infected box.

You decide to analyze the outbound network traffic. You SSH to the firewall and do a packet capture with tcpdump.

This is a 10.0.0.0/8 network split into 200 /24 subnets, all of which route through the firewall. With a 24-bit subnet mask, there are 254 assignable IPs in just one subnet.

Remember: 200 subnets are routing through that firewall. That means you could potentially capture traffic from over 50,000 IPs (200 × 254 = 50,800).

Wireshark is a great tool, but capture files over about 1 GB often make it crawl or crash. It’s just too much data.

The solution? Use capture filters to produce smaller pcap files. You’ll get to the relevant packets faster, and there will be less unnecessary data to sort through during analysis.

First, let’s see what happens when we run tcpdump with only the interface as an argument (tcpdump -i <interface>):

[Screenshot: default tcpdump output, one line per packet]

It’s not much. IPs, ports, and some protocol information.

You can use the “very verbose” switch (-vv) to get more detail on each packet:

[Screenshot: tcpdump -vv output]

This shows much of the same information Wireshark would, but in the terminal and without Wireshark’s dissectors and analysis tools. If there is a lot of traffic, it will be too much to decipher. That’s why we’ll use filters to capture only the right packets.

Check out the image below. By adding the expression “ip host 192.168.254.67” (my Kali box’s local IP), we’re capturing only traffic to or from that box. (Adding -nn alongside it keeps tcpdump from resolving addresses and ports to names while it prints.)

[Screenshot: tcpdump with the “ip host 192.168.254.67” filter]

When you want to capture packets involving a single IP, whether it appears as the source or the destination, that’s the filter to use. Note that “ip host” matches IPv4 only; for an IPv6 address you need “ip6 host”.

If you want to write the results to a file, add “-w filename.pcap”. Put it with the other options, before the filter expression, since tcpdump’s syntax is options first and then the expression. Like this:

[Screenshot: tcpdump with -w writing the filtered capture to a pcap file]

How about capturing packets involving more than one IP? You have two methods:

Method 1: ip src and ip dst filters.

Imagine that we know the IPs of the C2 server and the infected machine. You can combine the filters like this:

“ip src <infected ip> and dst <c2 ip>”

This captures only one direction: packets sent from the first IP to the second. The C2 server’s replies are not included.

[Screenshot: tcpdump with “ip src <ip> and dst <ip> and tcp port 80”]

Notice the third clause: “and tcp port 80.” This tells tcpdump to capture traffic from the source IP to the destination IP AND only when 80 is the TCP source or destination port.

Method 2: ip host

Imagine that we know the IPs of the C2 server and the infected machine, but we want a bidirectional pcap. That means collecting everything between the C2 and the infected box, regardless of who’s sending and who’s receiving.

Rather than using ip src and ip dst, you can just replace both with ip host: “ip host <infected ip> and ip host <c2 ip>”. Like this:

[Screenshot: tcpdump with “ip host <ip> and ip host <ip>”]
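To make the difference between Method 1 and Method 2 concrete, here is an added Python example (not code from the original post) that models the three filter expressions used above and runs them over a handful of constructed packets. The infected host, the C2 server, the other addresses and the ports are all made up for illustration; the point is to see that “ip src A and dst B” keeps one direction only, that “and tcp port 80” drops the C2 session on any other port, and that “ip host A and ip host B” keeps both directions.

```python
# Added example, not code from the original post: a small model of the three
# tcpdump capture filters above, run over constructed packets so you can see
# exactly which packets each expression keeps. All addresses and ports are
# made up for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    sport: int
    dport: int


# Hypothetical infected host and C2 server.
INFECTED = "10.0.17.42"
C2 = "203.0.113.9"

# Constructed sample traffic as the firewall might see it.
SAMPLE = [
    Packet(INFECTED, C2, "tcp", 51234, 80),                 # beacon to C2 over HTTP
    Packet(C2, INFECTED, "tcp", 80, 51234),                 # C2 reply (reverse direction)
    Packet(INFECTED, C2, "tcp", 51235, 443),                # to C2, but on 443 not 80
    Packet(INFECTED, "10.0.3.10", "tcp", 51236, 445),       # lateral SMB, not the C2
    Packet("10.0.3.10", INFECTED, "udp", 53, 51237),        # DNS answer back to the host
    Packet("10.0.99.5", "198.51.100.7", "tcp", 40000, 80),  # unrelated host browsing
]


def ip_host(pkt, ip):
    """'ip host A': A is the source OR the destination (either direction)."""
    return pkt.src == ip or pkt.dst == ip


def ip_src_and_dst(pkt, src, dst):
    """'ip src A and dst B': packets from A to B only, not the replies."""
    return pkt.src == src and pkt.dst == dst


def tcp_port(pkt, port):
    """'tcp port N': TCP with N as source OR destination port."""
    return pkt.proto == "tcp" and port in (pkt.sport, pkt.dport)


def host_and_host(pkt, a, b):
    """'ip host A and ip host B': both endpoints present, either direction."""
    return ip_host(pkt, a) and ip_host(pkt, b)


# The three expressions from the post, with the predicate each one denotes.
FILTERS = {
    "host": (f"ip host {INFECTED}",
             lambda p: ip_host(p, INFECTED)),
    "src_dst_port80": (f"ip src {INFECTED} and dst {C2} and tcp port 80",
                       lambda p: ip_src_and_dst(p, INFECTED, C2) and tcp_port(p, 80)),
    "bidirectional": (f"ip host {INFECTED} and ip host {C2}",
                      lambda p: host_and_host(p, INFECTED, C2)),
}


def apply_filter(name, packets=SAMPLE):
    """Return the packets the named filter would keep."""
    _, predicate = FILTERS[name]
    return [p for p in packets if predicate(p)]


def match_counts(packets=SAMPLE):
    """How many of the sample packets each filter keeps."""
    return {name: len(apply_filter(name, packets)) for name in FILTERS}


def tcpdump_argv(iface, name, outfile=None):
    """Build the tcpdump command line: options first, then the expression.
    -nn stops tcpdump from resolving addresses and ports to names."""
    argv = ["tcpdump", "-nn", "-i", iface]
    if outfile:
        argv += ["-w", outfile]
    expression, _ = FILTERS[name]
    return argv + [expression]


if __name__ == "__main__":
    for name, (expression, _) in FILTERS.items():
        kept = apply_filter(name)
        print(expression)
        print(f"  keeps {len(kept)} of {len(SAMPLE)} packets")
        for p in kept:
            print(f"    {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.proto}")
        print("  command:", " ".join(tcpdump_argv("eth0", name, "capture.pcap")))
```

Running it shows the one-way filter keeping a single packet (the beacon), while the “ip host ... and ip host ...” form keeps the beacon, the reply and the port-443 session as well. When the C2 port isn’t known, the bidirectional host-and-host filter is the safer starting point; narrow by port afterwards in Wireshark once the capture is small.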

That’s it! Thanks for reading this short (but sweet) post on increasing efficiency with filters!