Tcpdump can be used to capture network packets for many protocols like UDP, TCP, ICMP, etc. We are going to review how to filter UDP packets with tcpdump.
UDP is a connectionless protocol. This means that there is no three-way handshake carried out before data is transmitted. The sending device literally sends the data out on the wire and hopes it is received by the destination device. It is often referred to as a best-effort protocol; it doesn't matter if the data gets there or not.
Sending UDP packets with Python Code
We don't need to create a connection before we send data to the other end for UDP. The following example will send 'hello I am client' to port 1013 on localhost. After we run this command, we can see that the packet is sent out successfully.
python -c "import socket ; s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM); s.sendto('hello I am client',('127.0.0.1', 1013));
Capturing UDP packets with Tcpdump
We can use this command to filter this UDP packet with tcpdump.
# tcpdump -i lo0 udp port 1013 -XAvvv
To briefly explain the options we passed to it:
-i lo only captures packets on the local loopback i.e. packets sent to localhost
udp means that only UDP packets will be captured. Other types of packets we might capture could be tcp or icmp for example.
-vvv just gives us more verbose output
-X prints out the data in the UDP packets in ASCII as well as hex. If we just wanted the latter we could use the -x option
We can get more details about this packet from the output. The local port is 63128. The remote port is 1013.
tcpdump: listening on lo0, link-type NULL (BSD loopback), capture size 262144 bytes 17:17:55.687703 IP (tos 0x0, ttl 64, id 43620, offset 0, flags [none], proto UDP (17), length 45, bad cksum 0 (->d259)!) localhost.63128 > localhost.1013: [bad udp cksum 0xfe2c -> 0xb270!] UDP, length 17 0x0000: 4500 002d aa64 0000 4011 0000 7f00 0001 E..-.d..@....... 0x0010: 7f00 0001 f698 03f5 0019 fe2c 6865 6c6c ...........,hell 0x0020: 6f20 4920 616d 2063 6c69 656e 74 o.I.am.client
Capturing UDP packets and other filters with Tcpdump
One of the best features of tcpdump is that we can filter out exactly the traffic we want to see.
tcpdump -i interface udp and host 10.1.1.1
tcpdump -i interface udp and port 53
tcpdump -i interface udp or dst host 10.1.1.1
tcpdump -i interface udp or src port 53
tcpdump -n 'dst host 10.10.150.20 and (tcp port 80 or tcp port 443)'
Tcpdump command options summary
Tcpdump provides several options that enhance or modify its output. The following are the commonly used options for tcpdump command.
-i <interface>: Listen on the specified interface.
-n: Don’t resolve hostnames. You can use -nn to don’t resolve hostnames or port names.
-t: Print human-readable timestamp on each dump line, -tttt: Give maximally human-readable timestamp output.
-X: Show the packet’s contents in both hex and ascii.
-v, -vv, -vvv: Increase the amount of packet information you get back.
-c N: Only get N number of packets and then stop.
-s: Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
-S: Print absolute sequence numbers.
-q: Show less protocol information.
-w <file name>: Write the raw packets to file rather