tcpdump, a Stethoscope for Network Activity

Dec. 14, 2022 [technology] [privacy-security] [guides] [libre]

When I was devising my DNS solution (DNS as a standard is still so broken for privacy as of 2022, shame on root name server operators for brushing away cryptography efforts!) and some other traffic concealment solutions, I found myself relying on the traffic capture tool tcpdump. Prior to cutting my teeth with tcpdump, I had only experience with Wireshark. And I don’t think I’ll be using Wireshark very much anymore.

Here’s a decent cheat sheet.

Since network interfaces will be different across different machines, they can be checked with:

tcpdump -D

If we want to watch for traffic bound to a certain port:

tcpdump -n -i enp1s0 port 5061

Which reveals, on a test environment with a SIP client open, a check every few seconds over SIP service.

tcpdump: verbose output suppressed, use -v[v]… for full protocol decode listening on enp1s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 17:51:08.294212 IP > SIP 17:51:18.294091 IP > SIP 17:51:24.249671 IP > SIP 17:51:28.313744 IP > SIP 17:51:38.313755 IP > SIP

tcpdump -n -i interface port 9001

For example, can show us how talkative Tor is.

Or if you have daemons pointing to servers on the local host, specify loopback:

tcpdump -i lo port 443

It’s a good way to catch configurations which might be leaking requests, and stand as a call to revisit the .conf file. What it’s not so good at is looking holistically at an individual application’s network requests. For that, one might want to investigate mitmproxy with which many programs, after a bit of work, can be monitored for network requests.

tcpdump is sort of like oldschool non-application aware firewalls in this respect. It just looks at everything passing through a given port or protocol or otherwise, without any correlation made to the program from which it originates. Which can be desireable in scenarios where we simply want to find any unsolicited traffic among the wider system configuration.