Using tcpdump to capture packages on the server

I come to a request to capture all out-going network connections to be sure no sensitive data will be transferred outside by any current scripts. We do all know that there is a simple tcpdump tool that can do this requirement. So in this short entry, I will note necessary commands to do that.

  • To capture packages on the server while running your server-side scripts (such as PHP script on Apache/Nginx) and write it to a pcap file:
tcpdump -vv -s0 tcp port 80 -w /tmp/php_outgoing.pcap
  • Some other options regarding tcpdump commands
    • If we want to sniff only POST methods, we can easily sniff all and filter with Wireshark with http.request.method == POST
    • To capture only coming traffic from / going to A.B.C.D, we can simply use src host A.B.C.D and dst host A.B.C.D
tcpdump -vv -s0 tcp port 80 and src host A.B.C.D
tcpdump -vv -s0 tcp port 80 and dst host A.B.C.D
  • In order to view the pcap file directly on the server in a pretty format, we can use tcpick
tcpick -C -yP -r /tmp/php_outgoing.pcap
  • A sample tcpick output is as follows
Starting tcpick 0.2.1 at 2019-04-26 03:59 UTC
Timeout for connections is 600
tcpick: reading from /tmp/php_outgoing.pcap
1      SYN-SENT       MY.IP.ADD.RESS:37890 > DEST.IP.ADD.RES:http
1      SYN-RECEIVED   MY.IP.ADD.RESS:37890 > DEST.IP.ADD.RES:http
1      ESTABLISHED    MY.IP.ADD.RESS:37890 > DEST.IP.ADD.RES:http
GET /sub-path/my-domain.com/MY_LICENSE/MY.IP.ADD.RESS/https:|s||s|my-domain.com/4.0.2/2112245134/ HTTP/1.1
Host: A.B.C.D
Accept: */*

HTTP/1.1 200 OK
Date: Fri, 26 Apr 2019 09:19:03 GMT
Server: Apache/2.2.16 (Ubuntu)
X-Powered-By: PHP/7.0.0
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

1      FIN-WAIT-1     MY.IP.ADD.RESS:37890 > DEST.IP.ADD.RES:http
1      TIME-WAIT      MY.IP.ADD.RESS:37890 > DEST.IP.ADD.RES:http
1      CLOSED         MY.IP.ADD.RESS:37890 > DEST.IP.ADD.RES:http
2      SYN-SENT       MY.IP.ADD.RESS:37892 > DEST.IP.ADD.RES:http
2      SYN-RECEIVED   MY.IP.ADD.RESS:37892 > DEST.IP.ADD.RES:http
2      ESTABLISHED    MY.IP.ADD.RESS:37892 > DEST.IP.ADD.RES:http
GET /sub-path-2/MY_LICENSE HTTP/1.1
Host: E.F.G.H
Accept: */*

HTTP/1.1 200 OK
Date: Fri, 26 Apr 2019 09:19:03 GMT
Server: Apache/2.2.16 (Ubuntu)
X-Powered-By: PHP/7.0.0
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

1
2      FIN-WAIT-1     MY.IP.ADD.RESS:37892 > DEST.IP.ADD.RES:http
2      TIME-WAIT      MY.IP.ADD.RESS:37892 > DEST.IP.ADD.RES:http
2      CLOSED         MY.IP.ADD.RESS:37892 > DEST.IP.ADD.RES:http
tcpick: done reading from /tmp/php_outgoing.pcap

22 packets captured
2 tcp sessions detected

Leave a Reply