Click here to close now.


Microsoft Cloud Authors: Jayaram Krishnaswamy, Elizabeth White, Andreas Grabner, Jim Kaskade, Pat Romanski

Related Topics: IoT User Interface, Microsoft Cloud, Cloud Security

IoT User Interface: Tutorial

Intruder Detection with tcpdump

tcpdump tool

To capture, parse, and analyze traffic tcpdump is a very powerful tool. To begin a basic capture uses the following syntax.

tcpdump -n –i <interface> -s <snaplen>

-n      tells tcpdump to not resolve IP addresses to domain names and port numbers to service names.
-I       <interface> tells tcpdump which interface to use.
-s      <snaplen> tells tcpdump how much of the packet to record. I used 1515 but 1514 is sufficient for most cases. If you don’t specify a size then it will only capture the first 68 bytes of each packet. A snaplen value of 0 which will use the required length to catch whole packets can be used except for older versions of tcpdump.

Below is an example output of a dump, although it only contains a few lines it holds much information.

12:24:51.517451  IP >  54517 A?  (34)

12:24:51:517451                              represent the time                          Source address and port
>                                                          Traffic direction                                 Destination address and port
54517                                                 ID number that is shared by both the DNS server and
A?                                               asks a question regarding the A record for
(34)                                                     The entire packet is 34 bytes long.

More tcpdump capture options

Here are some examples of options to use when capturing data and why to use them:

-I        specify an interface; this will ensure that you are sniffing where you expect to sniff.
-n       tells tcpdump not to resolve IP addresses to domain names and port numbers to service names
-nn    don’t resolve hostnames or port names
-X      Show packet’s contents in both hex and ASCII
-XX    Include Ethernet header
-v       Increase verbose –vv –vvv more info back
-c       Only get x number of packets and stop
-s       tell tcpdump how much of the packet to record
-S       print absolute sequence numbers
-e       get Ethernet header
-q       show less protocol info
-E       Decrypt IPSEC traffic by providing an encryption key

Packet, Segment, and Datagram
TCP accepts data from a data stream, segments it into chucks, and adds a TCP header creating a TCP segment. UDP sends messages referred to as a datagram to other hosts on an Internet Protocol (IP) network without requiring prior communications to set up special transmission channels or data paths. Internet Protocol then creates its own datagram out of what it receives from TCP or UDP. If the TCP segment or UDP datagram plus IP’s headers are small enough to send in a single package on the wire then IP creates a packet. If they are too large and exceed the maximum transmission unit (MTU) of the media, IP will fragment the datagram into smaller packets suitable to the MTU. The fragmented packets are then reassembled by the destination.

Tcpdump read and write to/from a file
Tcpdump allows you to write data to a file using the –w option and to read from a file with the –r option.

$ sudo tcpdump -i wlan0 -w dumpfile001

$ sudo tcpdump -r dumpfile.pcap

Some people like to see the files as they are captured and have them saved to a file. Use the following options: tcpdump –n –I eth1 –s 1515 –l | tee output.txt
This option tells tcpdump to make its output line-buffered, while piping the output to the tee utility sends output to the screen and the output.txt simultaneously. This command will display packets on the screen while writing data to an output file output.txt it will not be in binary libpcap format. The best way to do this is run a second instance of tcpdump.

When tcpdump captures packets in libpcap format, it adds a timestamp entry to the record in each packet in the capture file. We can augment that data with the –tttt flag, which adds a date to the timestamp (See Figure #1).

Figure 1

You can use the –tt flag to report the number of seconds and microseconds since the UNIX epoch of 00:00:00 UTC on January 1, 1970. If you are not sure you understand the time difference and need to be absolutely sure of time use the –tt option to show seconds and microseconds since the UNIX epoch (See Figure #2).

Figure 2

Useful syntax
Being able to cut the amount of traffic down to just what you are looking for is useful. Here are some useful expressions that can be helpful in tcpdump.

Net – This will capture the traffic on a block of IPs ex
# tcpdump net
Src, dst – This will only capture packets form a source or destination.
# tcpdump src
# tcpdump dst

Host – Capture only traffic based on the IP address
# tcpdump host
Proto – Capture works for tcp, udp, and icmp
# tcpdump tcp
Port – Capture packets coming from or going to a port.
# tcpdump port 21
Port ranges – capture packets
# tcpdump port 20-25
Using expressions such as AND [&&], OR [||], & EXCEPT [!]
# tcpdump –n –I eth1 host and host
# tcpdump –n –I eht1 src net and dst net or
# tcpdump –n –I eth1 src net and not icmp

Searching for info on packets with tcpdump
If you want to search for information in the packet you have to know where to look. Tcpdump starts counting bytes of header information at byte 0 and the 13th byte contains the TCP flags shown in Table #1


Talbe #1

Now looking at byte 13 and if the SYN and ACK are set then your binary value would be 00010010 which are the same as decimal 18. We can search for packets looking for this type of data inside byte 13 shown here.

# tcpdump –n –r dumpfile.lpc –c 10 ‘tcp[13] == 18’ and host

Here is a sample of what this command will return shown in Figure #3

Figure #3

When capturing data using tcpdump one way to ignore the arp traffic is to put in a filter like so.

# tcpdump –n –s 1515 –c 5 –I eth1 tcp or udp or icmp

This will catch only tcp, udp, or icmp.

If you want to find all the TCP packets with the SYN ACK flag set or other flags set take a look at Table #2 & tcpdump filter syntax shown below.

flag           Binary           Decimal
URG         00100000          32
ACK          00010000          16
PSH          00001000           8
RST          00000100           4
SYN          00000010           2
FIN            00000001           1
SYNACK  00010010         18

Table #2

Tcpdump filter syntax

Show all URGENT (URG) packets
# tcpdump ‘tcp[13] == 32’
Show all ACKNOWLEDGE (ACK) packets
# tcpdump ‘tcp[13] == 16’
Show all PUSH (PSH) packets
# tcpdump ‘tcp[13] == 8’
Show all RESET (RST) packets
# tcpdump ‘tcp[13] == 4’
Show all SYNCHRONIZE (SYN) packets
# tcpdump ‘tcp[13] ==2’
Show all FINISH (FIN) packets
# tcpdump ‘tcp[13] == 1’
# tcpdump ‘tcp[13] == 18’

Using tcpdump in Incident Response

When doing analysis on network traffic using a tool like tcpdump is critical. Below are some examples of using tcpdump to view a couple of different dump files to learn more about network problems or possible attack scenarios. The first is a binary dump file of a snort log and we are given the following information. The IP address of the Linux system is and an attacker got in using a WU-FTPD vulnerability and deployed a backdoor. What can we find out about how the attack happened and what he did?

First we will take a look at the file

# tcpdump –xX –r snort001.log
The log appears long at this point you may want to run the file in snort
# snort –r snort001.log –A full –c /etc/snort/snort.conf
This will give you some info like total packets processed, protocol breakdown, any alerts, etc. See Figure #4 & #5

Figure #4                                                                               Figure #5

Next extract the full snort log file for analysis

# tcpdump –nxX –s 1515 –r snort001.log > tcpdump-full.dat

This will give us a readable file to parse through. After looking through it we find ip-proto-11, which is Network Voice Protocol (NVP) traffic. Now we will search through the file looking for ip-proto-11.

# tcpdump –r snort001.log –w NVP-traffic.log proto 11
This command will read the snort001.log file and look for ‘log proto 11’ and writes the contents to the file NVP-traffic.log. Next we need to be able to view the file because it is a binary file.

# tcpdump –nxX –s 1515 –r NVP-traffic.log > nvp-traffic_log.dat
This will be a file of both hex and ASCII, which is nice but we just want the IP address. Try this.

# tcpdump –r NVP-traffic.log > nvp-traffic_log01.dat
This will give us a list of IP address that were communicating using the Network Voice Protocol (NVP) (See Figure #6).

Figure #6

Next we look at another snort dump file from a compromised windows box that was communicating with an IRC server. What IRC servers did the server at communicate with?

Look for TCP connections originating from the server toward the outside and we can use tcpdump with a filtering expression to capture SYN/ACK packets incoming from outside servers.

# tcpdump -n -nn -r snort_log 'tcp and dst host and tcp[13]==18'

This produces a long list of connections going from to outside connections. (see Figure #7).

Figure #7

Now we know that IRC communicate on port 6666 to 6669 so let’s add that and narrow down the search with the following command.
# tcpdump -n -nn -r snort_log 'tcp and dst host and tcp[13]==18' and portrange 6666-6669 (See output in Figure #8 below)

Figure #8

Now we have narrowed the list down to 3 IP’s that were communicating with the server using IRC.

Tcpdump is a wonderful, general-purpose packet sniffer and incident response tool that should be in your tool shed.

More Stories By David Dodd

David J. Dodd is currently in the United States and holds a current 'Top Secret' DoD Clearance and is available for consulting on various Information Assurance projects. A former U.S. Marine with Avionics background in Electronic Countermeasures Systems. David has given talks at the San Diego Regional Security Conference and SDISSA, is a member of InfraGard, and contributes to Secure our eCity He works for Xerox as Information Security Officer City of San Diego & pbnetworks Inc. a Service Disabled Veteran Owned Small Business (SDVOSB) located in San Diego, CA and can be contacted by emailing: dave at

@ThingsExpo Stories
Today air travel is a minefield of delays, hassles and customer disappointment. Airlines struggle to revitalize the experience. GE and M2Mi will demonstrate practical examples of how IoT solutions are helping airlines bring back personalization, reduce trip time and improve reliability. In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect with GE, and Dr. Sarah Cooper, M2Mi's VP Business Development and Engineering, will explore the IoT cloud-based platform technologies driving this change including privacy controls, data transparency and integration of real time context w...
There will be 20 billion IoT devices connected to the Internet soon. What if we could control these devices with our voice, mind, or gestures? What if we could teach these devices how to talk to each other? What if these devices could learn how to interact with us (and each other) to make our lives better? What if Jarvis was real? How can I gain these super powers? In his session at 17th Cloud Expo, Chris Matthieu, co-founder and CTO of Octoblu, will show you!
Developing software for the Internet of Things (IoT) comes with its own set of challenges. Security, privacy, and unified standards are a few key issues. In addition, each IoT product is comprised of at least three separate application components: the software embedded in the device, the backend big-data service, and the mobile application for the end user's controls. Each component is developed by a different team, using different technologies and practices, and deployed to a different stack/target - this makes the integration of these separate pipelines and the coordination of software upd...
As a company adopts a DevOps approach to software development, what are key things that both the Dev and Ops side of the business must keep in mind to ensure effective continuous delivery? In his session at DevOps Summit, Mark Hydar, Head of DevOps, Ericsson TV Platforms, will share best practices and provide helpful tips for Ops teams to adopt an open line of communication with the development side of the house to ensure success between the two sides.
Mobile messaging has been a popular communication channel for more than 20 years. Finnish engineer Matti Makkonen invented the idea for SMS (Short Message Service) in 1984, making his vision a reality on December 3, 1992 by sending the first message ("Happy Christmas") from a PC to a cell phone. Since then, the technology has evolved immensely, from both a technology standpoint, and in our everyday uses for it. Originally used for person-to-person (P2P) communication, i.e., Sally sends a text message to Betty – mobile messaging now offers tremendous value to businesses for customer and empl...
SYS-CON Events announced today that Sandy Carter, IBM General Manager Cloud Ecosystem and Developers, and a Social Business Evangelist, will keynote at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA.
The IoT market is on track to hit $7.1 trillion in 2020. The reality is that only a handful of companies are ready for this massive demand. There are a lot of barriers, paint points, traps, and hidden roadblocks. How can we deal with these issues and challenges? The paradigm has changed. Old-style ad-hoc trial-and-error ways will certainly lead you to the dead end. What is mandatory is an overarching and adaptive approach to effectively handle the rapid changes and exponential growth.
The IoT is upon us, but today’s databases, built on 30-year-old math, require multiple platforms to create a single solution. Data demands of the IoT require Big Data systems that can handle ingest, transactions and analytics concurrently adapting to varied situations as they occur, with speed at scale. In his session at @ThingsExpo, Chad Jones, chief strategy officer at Deep Information Sciences, will look differently at IoT data so enterprises can fully leverage their IoT potential. He’ll share tips on how to speed up business initiatives, harness Big Data and remain one step ahead by apply...
WebRTC converts the entire network into a ubiquitous communications cloud thereby connecting anytime, anywhere through any point. In his session at WebRTC Summit,, Mark Castleman, EIR at Bell Labs and Head of Future X Labs, will discuss how the transformational nature of communications is achieved through the democratizing force of WebRTC. WebRTC is doing for voice what HTML did for web content.
"Matrix is an ambitious open standard and implementation that's set up to break down the fragmentation problems that exist in IP messaging and VoIP communication," explained John Woolf, Technical Evangelist at Matrix, in this interview at @ThingsExpo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
WebRTC has had a real tough three or four years, and so have those working with it. Only a few short years ago, the development world were excited about WebRTC and proclaiming how awesome it was. You might have played with the technology a couple of years ago, only to find the extra infrastructure requirements were painful to implement and poorly documented. This probably left a bitter taste in your mouth, especially when things went wrong.
Nowadays, a large number of sensors and devices are connected to the network. Leading-edge IoT technologies integrate various types of sensor data to create a new value for several business decision scenarios. The transparent cloud is a model of a new IoT emergence service platform. Many service providers store and access various types of sensor data in order to create and find out new business values by integrating such data.
The broad selection of hardware, the rapid evolution of operating systems and the time-to-market for mobile apps has been so rapid that new challenges for developers and engineers arise every day. Security, testing, hosting, and other metrics have to be considered through the process. In his session at Big Data Expo, Walter Maguire, Chief Field Technologist, HP Big Data Group, at Hewlett-Packard, will discuss the challenges faced by developers and a composite Big Data applications builder, focusing on how to help solve the problems that developers are continuously battling.
There are so many tools and techniques for data analytics that even for a data scientist the choices, possible systems, and even the types of data can be daunting. In his session at @ThingsExpo, Chris Harrold, Global CTO for Big Data Solutions for EMC Corporation, will show how to perform a simple, but meaningful analysis of social sentiment data using freely available tools that take only minutes to download and install. Participants will get the download information, scripts, and complete end-to-end walkthrough of the analysis from start to finish. Participants will also be given the pract...
WebRTC: together these advances have created a perfect storm of technologies that are disrupting and transforming classic communications models and ecosystems. In his session at WebRTC Summit, Cary Bran, VP of Innovation and New Ventures at Plantronics and PLT Labs, will provide an overview of this technological shift, including associated business and consumer communications impacts, and opportunities it may enable, complement or entirely transform.
SYS-CON Events announced today that Dyn, the worldwide leader in Internet Performance, will exhibit at SYS-CON's 17th International Cloud Expo®, which will take place on November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Dyn is a cloud-based Internet Performance company. Dyn helps companies monitor, control, and optimize online infrastructure for an exceptional end-user experience. Through a world-class network and unrivaled, objective intelligence into Internet conditions, Dyn ensures traffic gets delivered faster, safer, and more reliably than ever.
WebRTC services have already permeated corporate communications in the form of videoconferencing solutions. However, WebRTC has the potential of going beyond and catalyzing a new class of services providing more than calls with capabilities such as mass-scale real-time media broadcasting, enriched and augmented video, person-to-machine and machine-to-machine communications. In his session at @ThingsExpo, Luis Lopez, CEO of Kurento, will introduce the technologies required for implementing these ideas and some early experiments performed in the Kurento open source software community in areas ...
Too often with compelling new technologies market participants become overly enamored with that attractiveness of the technology and neglect underlying business drivers. This tendency, what some call the “newest shiny object syndrome,” is understandable given that virtually all of us are heavily engaged in technology. But it is also mistaken. Without concrete business cases driving its deployment, IoT, like many other technologies before it, will fade into obscurity.
Who are you? How do you introduce yourself? Do you use a name, or do you greet a friend by the last four digits of his social security number? Assuming you don’t, why are we content to associate our identity with 10 random digits assigned by our phone company? Identity is an issue that affects everyone, but as individuals we don’t spend a lot of time thinking about it. In his session at @ThingsExpo, Ben Klang, Founder & President of Mojo Lingo, will discuss the impact of technology on identity. Should we federate, or not? How should identity be secured? Who owns the identity? How is identity ...
The buzz continues for cloud, data analytics and the Internet of Things (IoT) and their collective impact across all industries. But a new conversation is emerging - how do companies use industry disruption and technology enablers to lead in markets undergoing change, uncertainty and ambiguity? Organizations of all sizes need to evolve and transform, often under massive pressure, as industry lines blur and merge and traditional business models are assaulted and turned upside down. In this new data-driven world, marketplaces reign supreme while interoperability, APIs and applications deliver un...