Using tcpdump to capture packets with a wireless connected computer.

Posted: April 29, 2014. At: 12:32 PM. Post ID: 7208
Page permalink: http://securitronlinux.com/bejiitaswrath/using-tcpdump-to-capture-packets-with-a-wireless-connected-computer/


Use this command to capture packets with tcpdump. It writes to STDOUT, but you may use redirection to divert the output to a text file.

[root@deusexmachina homer]# tcpdump -i wlp2s0

This is the output that you get when you are capturing packets. This is on my home network, so there are not many other computers on the same network. At a more populated location, this would capture a LOT of data.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp2s0, link-type EN10MB (Ethernet), capture size 65535 bytes
06:31:08.889345 IP6 deusexmachina.localdomain > ff02::2: ICMP6, router solicitation, length 8
06:31:09.427050 IP deusexmachina.localdomain.60287 > 192.168.1.1.domain: 64077+ PTR? 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa. (90)
06:31:09.497527 IP 192.168.1.1.domain > deusexmachina.localdomain.60287: 64077 NXDomain 0/1/0 (160)
06:31:09.499456 IP deusexmachina.localdomain.37873 > 192.168.1.1.domain: 34380+ PTR? 5.2.1.e.d.5.e.f.f.f.e.6.f.0.e.4.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
06:31:09.573778 IP 192.168.1.1.domain > deusexmachina.localdomain.37873: 34380 NXDomain* 0/1/0 (125)
06:31:10.575373 IP deusexmachina.localdomain.58963 > 192.168.1.1.domain: 23729+ PTR? 1.1.168.192.in-addr.arpa. (42)
06:31:10.658433 IP 192.168.1.1.domain > deusexmachina.localdomain.58963: 23729 NXDomain* 0/1/0 (92)
06:31:10.658732 IP deusexmachina.localdomain.52069 > 192.168.1.1.domain: 43760+ PTR? 5.1.168.192.in-addr.arpa. (42)
06:31:10.736590 IP 192.168.1.1.domain > deusexmachina.localdomain.52069: 43760 NXDomain* 0/1/0 (92)
06:31:14.496885 ARP, Request who-has deusexmachina.localdomain tell 192.168.1.1, length 28
06:31:14.496913 ARP, Reply deusexmachina.localdomain is-at 4c:0f:6e:5d:e1:25 (oui Unknown), length 28
06:31:18.892497 IP6 deusexmachina.localdomain > ff02::2: ICMP6, router solicitation, length 8
06:31:28.891639 IP6 deusexmachina.localdomain > ff02::2: ICMP6, router solicitation, length 8
06:31:38.889904 IP6 deusexmachina.localdomain > ff02::2: ICMP6, router solicitation, length 8
06:31:39.190064 IP deusexmachina.localdomain.ntp > ns2.unico.com.au.ntp: NTPv3, Client, length 48
06:31:39.265043 IP ns2.unico.com.au.ntp > deusexmachina.localdomain.ntp: NTPv3, Server, length 48
06:31:39.332124 IP deusexmachina.localdomain.ntp > ns30.alltraders.com.ntp: NTPv3, Client, length 48
06:31:39.414742 IP ns30.alltraders.com.ntp > deusexmachina.localdomain.ntp: NTPv3, Server, length 48
06:31:39.524972 IP deusexmachina.localdomain.54937 > 192.168.1.1.domain: 60515+ PTR? 37.210.127.202.in-addr.arpa. (45)
06:31:39.532514 IP deusexmachina.localdomain.ntp > y.ns.gin.ntt.net.ntp: NTPv3, Client, length 48
06:31:39.651244 IP 192.168.1.1.domain > deusexmachina.localdomain.54937: 60515 1/2/2 PTR ns2.unico.com.au. (139)
06:31:39.651509 IP deusexmachina.localdomain.35904 > 192.168.1.1.domain: 23254+ PTR? 240.128.16.103.in-addr.arpa. (45)
06:31:39.734574 IP deusexmachina.localdomain.ntp > node01.au.verbnetworks.net.ntp: NTPv3, Client, length 48
06:31:39.739958 IP y.ns.gin.ntt.net.ntp > deusexmachina.localdomain.ntp: NTPv3, Server, length 48
06:31:39.784433 IP 192.168.1.1.domain > deusexmachina.localdomain.35904: 23254 1/3/2 PTR ns30.alltraders.com. (194)
06:31:39.794888 IP node01.au.verbnetworks.net.ntp > deusexmachina.localdomain.ntp: NTPv3, Server, length 48
06:31:40.785931 IP deusexmachina.localdomain.40890 > 192.168.1.1.domain: 9817+ PTR? 251.35.250.129.in-addr.arpa. (45)
06:31:41.027748 IP 192.168.1.1.domain > deusexmachina.localdomain.40890: 9817 1/5/0 PTR y.ns.gin.ntt.net. (180)
06:31:41.028003 IP deusexmachina.localdomain.45882 > 192.168.1.1.domain: 10491+ PTR? 186.129.252.54.in-addr.arpa. (45)
06:31:41.100866 IP 192.168.1.1.domain > deusexmachina.localdomain.45882: 10491 1/6/11 PTR node01.au.verbnetworks.net. (489)
06:31:44.199907 ARP, Request who-has 192.168.1.1 tell deusexmachina.localdomain, length 28
06:31:44.200980 ARP, Reply 192.168.1.1 is-at 84:c9:b2:bd:c2:e7 (oui Unknown), length 28
06:31:48.893605 IP6 deusexmachina.localdomain > ff02::2: ICMP6, router solicitation, length 8
06:31:58.891079 IP6 deusexmachina.localdomain > ff02::2: ICMP6, router solicitation, length 8
06:32:08.889305 IP6 deusexmachina.localdomain > ff02::2: ICMP6, router solicitation, length 8
06:32:18.893922 IP6 deusexmachina.localdomain > ff02::2: ICMP6, router solicitation, length 8
06:32:26.847033 IP 192.168.1.1 > all-systems.mcast.net: igmp query v3
06:32:27.848514 IP deusexmachina.localdomain.56886 > 192.168.1.1.domain: 20559+ PTR? 1.0.0.224.in-addr.arpa. (40)
06:32:27.948456 IP 192.168.1.1.domain > deusexmachina.localdomain.56886: 20559 1/4/3 PTR all-systems.mcast.net. (210)
06:32:28.891123 IP6 deusexmachina.localdomain > ff02::2: ICMP6, router solicitation, length 8
06:32:29.501413 IP 192.168.1.2 > igmp.mcast.net: igmp v3 report, 1 group record(s)
06:32:29.892569 IP deusexmachina.localdomain.51849 > 192.168.1.1.domain: 26273+ PTR? 22.0.0.224.in-addr.arpa. (41)
06:32:29.970603 IP 192.168.1.1.domain > deusexmachina.localdomain.51849: 26273 1/4/4 PTR igmp.mcast.net. (220)
06:32:29.970954 IP deusexmachina.localdomain.39871 > 192.168.1.1.domain: 37618+ PTR? 2.1.168.192.in-addr.arpa. (42)
06:32:30.049533 IP 192.168.1.1.domain > deusexmachina.localdomain.39871: 37618 NXDomain* 0/1/0 (92)
06:32:32.855903 ARP, Request who-has 192.168.1.1 tell deusexmachina.localdomain, length 28
06:32:32.868403 ARP, Reply 192.168.1.1 is-at 84:c9:b2:bd:c2:e7 (oui Unknown), length 28
06:32:33.500459 IP 192.168.1.2 > igmp.mcast.net: igmp v3 report, 1 group record(s)
06:32:38.889236 IP6 deusexmachina.localdomain > ff02::2: ICMP6, router solicitation, length 8
06:32:44.354538 IP deusexmachina.localdomain.ntp > ns2.unico.com.au.ntp: NTPv3, Client, length 48
06:32:44.423527 IP ns2.unico.com.au.ntp > deusexmachina.localdomain.ntp: NTPv3, Server, length 48
06:32:44.492615 IP deusexmachina.localdomain.ntp > ns30.alltraders.com.ntp: NTPv3, Client, length 48
06:32:44.566973 IP ns30.alltraders.com.ntp > deusexmachina.localdomain.ntp: NTPv3, Server, length 48
06:32:44.694187 IP deusexmachina.localdomain.ntp > node01.au.verbnetworks.net.ntp: NTPv3, Client, length 48
06:32:44.765280 IP node01.au.verbnetworks.net.ntp > deusexmachina.localdomain.ntp: NTPv3, Server, length 48
06:32:44.896585 IP deusexmachina.localdomain.ntp > y.ns.gin.ntt.net.ntp: NTPv3, Client, length 48
06:32:45.106108 IP y.ns.gin.ntt.net.ntp > deusexmachina.localdomain.ntp: NTPv3, Server, length 48
06:32:48.893175 IP6 deusexmachina.localdomain > ff02::2: ICMP6, router solicitation, length 8
06:32:49.423055 ARP, Request who-has deusexmachina.localdomain tell 192.168.1.1, length 28
06:32:49.423075 ARP, Reply deusexmachina.localdomain is-at 4c:0f:6e:5d:e1:25 (oui Unknown), length 28
06:32:58.891247 IP6 deusexmachina.localdomain > ff02::2: ICMP6, router solicitation, length 8
^C
61 packets captured
62 packets received by filter
0 packets dropped by kernel

You may also listen on the Ethernet device; this is another good way to monitor web traffic.

homer@deusexmachina ~ $ sudo tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:26:14.991992 IP 192.168.1.2.netbios-dgm > 192.168.1.255.netbios-dgm: NBT UDP PACKET(138)
12:26:14.992043 IP 192.168.1.2.netbios-dgm > 192.168.1.255.netbios-dgm: NBT UDP PACKET(138)
12:26:14.993119 IP 192.168.1.2.30729 > 192.168.1.1.domain: 6476+ PTR? 255.1.168.192.in-addr.arpa. (44)
12:26:15.038836 IP 192.168.1.1.domain > 192.168.1.2.30729: 6476 NXDomain* 0/1/0 (94)
12:26:15.054252 IP 192.168.1.2.54819 > 192.168.1.1.domain: 45679+ PTR? 2.1.168.192.in-addr.arpa. (42)
12:26:15.095084 IP 192.168.1.1.domain > 192.168.1.2.54819: 45679 NXDomain* 0/1/0 (92)
12:26:15.095771 IP 192.168.1.2.63376 > 192.168.1.1.domain: 55165+ PTR? 1.1.168.192.in-addr.arpa. (42)
12:26:15.138827 IP 192.168.1.1.domain > 192.168.1.2.63376: 55165 NXDomain* 0/1/0 (92)
12:26:20.038689 ARP, Request who-has 192.168.1.2 tell 192.168.1.1, length 46
12:26:20.038719 ARP, Reply 192.168.1.2 is-at 00:13:46:3a:02:83 (oui Unknown), length 28
12:26:24.270335 IP 192.168.1.2.39333 > 190.93.244.26.http: Flags [S], seq 2202183540, win 29200, options [mss 1460,sackOK,TS val 353142 ecr 0,nop,wscale 7], length 0
12:26:24.270699 IP 192.168.1.2.40975 > 192.168.1.1.domain: 45075+ PTR? 26.244.93.190.in-addr.arpa. (44)
12:26:24.300344 IP 190.93.244.26.http > 192.168.1.2.39333: Flags [S.], seq 3377563395, ack 2202183541, win 14480, options [mss 1452,sackOK,TS val 46025457 ecr 353142,nop,wscale 10], length 0
12:26:24.300472 IP 192.168.1.2.39333 > 190.93.244.26.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 353150 ecr 46025457], length 0
12:26:24.647092 IP 192.168.1.1.domain > 192.168.1.2.40975: 45075 NXDomain 0/1/0 (104)
12:26:29.300623 IP 192.168.1.2.39333 > 190.93.244.26.http: Flags [F.], seq 1, ack 1, win 229, options [nop,nop,TS val 354400 ecr 46025457], length 0
12:26:29.330133 IP 190.93.244.26.http > 192.168.1.2.39333: Flags [F.], seq 1, ack 2, win 15, options [nop,nop,TS val 46025960 ecr 354400], length 0
12:26:29.330204 IP 192.168.1.2.39333 > 190.93.244.26.http: Flags [.], ack 2, win 229, options [nop,nop,TS val 354407 ecr 46025960], length 0
12:26:34.606031 IP 192.168.1.2.50950 > 162.159.250.151.http: Flags [S], seq 3057776350, win 29200, options [mss 1460,sackOK,TS val 355726 ecr 0,nop,wscale 7], length 0
12:26:34.606304 IP 192.168.1.2.16494 > 192.168.1.1.domain: 40835+ PTR? 151.250.159.162.in-addr.arpa. (46)
12:26:34.636348 IP 162.159.250.151.http > 192.168.1.2.50950: Flags [S.], seq 3222561782, ack 3057776351, win 14480, options [mss 1452,sackOK,TS val 46045306 ecr 355726,nop,wscale 10], length 0
12:26:34.636412 IP 192.168.1.2.50950 > 162.159.250.151.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 355734 ecr 46045306], length 0
12:26:34.664086 IP 192.168.1.1.domain > 192.168.1.2.16494: 40835 NXDomain 0/1/0 (100)
^C
23 packets captured
23 packets received by filter
0 packets dropped by kernel
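A capture like the two above is easier to triage with a small parser. The following Python is an added example, not code from the original post: it reads tcpdump's default text output, counts packets per traffic class, and lists the addresses behind the PTR? queries, which are tcpdump's own reverse lookups of every new address it prints (pass -n to tcpdump to stop them). The sample lines are a constructed subset copied from the captures above.

```python
import re
from collections import Counter

# Constructed sample: a subset of the tcpdump lines shown in the captures above.
SAMPLE = """\
06:31:08.889345 IP6 deusexmachina.localdomain > ff02::2: ICMP6, router solicitation, length 8
06:31:09.427050 IP deusexmachina.localdomain.60287 > 192.168.1.1.domain: 64077+ PTR? 1.1.168.192.in-addr.arpa. (42)
06:31:09.497527 IP 192.168.1.1.domain > deusexmachina.localdomain.60287: 64077 NXDomain 0/1/0 (160)
06:31:14.496885 ARP, Request who-has deusexmachina.localdomain tell 192.168.1.1, length 28
06:31:39.190064 IP deusexmachina.localdomain.ntp > ns2.unico.com.au.ntp: NTPv3, Client, length 48
12:26:24.270335 IP 192.168.1.2.39333 > 190.93.244.26.http: Flags [S], seq 2202183540, win 29200, length 0
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (IP6|IP|ARP)[, ]\s*(.*)$")
FLOW_RE = re.compile(r"^(\S+) > (\S+?): (.*)$")   # "src > dst: payload"; non-greedy dst copes with IPv6 colons
PTR_RE = re.compile(r"PTR\? ((?:\d+\.){4})in-addr\.arpa\.")

# Ordered (marker, class) rules applied to the payload after "dst: ".
RULES = [("PTR?", "dns-ptr-query"), ("NTPv", "ntp"), ("ICMP6", "icmp6"),
         ("Flags [", "tcp"), ("igmp", "igmp"), ("NXDomain", "dns-nxdomain")]

def parse_line(line):
    """Split one tcpdump text line into time, family, src, dst and a coarse class."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, family, rest = m.groups()
    rec = {"time": ts, "family": family, "src": None, "dst": None, "class": "other"}
    if family == "ARP":
        rec["class"] = "arp"
        return rec
    f = FLOW_RE.match(rest)
    if f:
        rec["src"], rec["dst"], payload = f.groups()
        rec["class"] = next((c for k, c in RULES if k in payload), "other")
    return rec

def summarize(text):
    """Count packets per traffic class, as a quick triage of a capture."""
    return Counter(r["class"] for r in map(parse_line, text.splitlines()) if r)

def ptr_targets(text):
    """Addresses tcpdump itself reverse-resolved (the PTR? lines); tcpdump -n suppresses these."""
    hits = (PTR_RE.search(l) for l in text.splitlines())
    return [".".join(reversed(m.group(1).rstrip(".").split("."))) for m in hits if m]
```

Feed it a redirected capture file instead of SAMPLE to see how much of a noisy capture is resolver chatter rather than traffic from the network itself.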

So try this command out for yourself; it is a good way to learn about the traffic that is sent over your network.
