TCPdump
Filters
Filters are written in BPF (Berkley Packet Filter).
CDP, VTP, PAgP, DTP, RSTP
'ether dst 01:00:0c:cc:cc:cd'
EIGRP
'ether dst 01:00:5e:00:00:0a'
'host 224.0.0.10'
Spanning-Tree
'stp'
VLANs / 802.1q
'vlan'
Show Only TLS Handshake Type: Client Hello's
'(tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16) and (tcp[((tcp[12:1] & 0xf0) >> 2)+5:1] = 0x01)'
Show Only TLS Handshake Type: Server Hello's
'(tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16) and (tcp[((tcp[12:1] & 0xf0) >> 2)+5:1] = 0x02)'
Show Only TLS 1.2 Record Layer: Handshake
'tcp[((tcp[12:1] & 0xf0) >> 2):4] & 0xffffff00 = 0x16030300'
0x160303 can be buried. Using this filter only can result in missed packets.
Troubleshooting
Continuous capture failing to write to new file
sudo tcpdump -i ens160 -C 100 -w web_traffic.pcap
When tcpdump writes continuous files it appends a number to the file name.
If you wanted to continuously capture traffic and write it to disks in approximately 100MB files using the base filename full_capture.pcap. Once the first ~100MB is written, tcpdump will create a new file with the name: full_capture.pcap1. This will continue, increasing the numeric value appended to the end.
The conflict with the apparmor policy happens because apparmor will only allow tcpdump to write files with extensions: .pcap or .cap (in any combination of upper- and lowercase).
The problem is this section of the apparmor policy: /etc/apparmor.d/usr.bin.tcpdump
# for -r, -F and -w
/**.[pP][cC][aA][pP] rw,
/**.[cC][aA][pP] rw,
We can modify the policy to allow the continuous writing of files by adding the below lines or modifying the existing lines from the config section above:
# for -r, -F and -w
/**.[pP][cC][aA][pP][0-9]* rw,
/**.[cC][aA][pP][0-9]* rw,
Solution
My solution isn't to disable apparmor, but instead to modify the apparmor policy so tcpdump can do what it needs and apparmor can continue to do what it does.
Commands
- Check the apparmor status:
sudo aa-status - Check the logs:
cat /var/log/syslog | grep -i deniedApr 26 20:58:00 hostname-pcap kernel: [ 2169.229999] audit: type=1400 audit(1651006680.331:31): apparmor="DENIED" operation="mknod" profile="tcpdump" name="/mnt/pcap/web-traffic" pid=1905 comm="tcpdump" requested_mask="c" denied_mask="c" fsuid=109 ouid=109 Apr 26 20:58:54 hostname-pcap kernel: [ 2223.096608] audit: type=1400 audit(1651006734.198:32): apparmor="DENIED" operation="mknod" profile="tcpdump" name="/mnt/pcap/web-traffic" pid=1923 comm="tcpdump" requested_mask="c" denied_mask="c" fsuid=109 ouid=109 Apr 26 21:00:02 hostname-pcap kernel: [ 2291.315473] audit: type=1400 audit(1651006802.421:33): apparmor="DENIED" operation="mknod" profile="tcpdump" name="/mnt/pcap/web-traffic" pid=1933 comm="tcpdump" requested_mask="c" denied_mask="c" fsuid=109 ouid=109 Apr 26 21:01:55 hostname-pcap kernel: [ 2404.315427] audit: type=1400 audit(1651006915.426:34): apparmor="DENIED" operation="mknod" profile="tcpdump" name="/mnt/pcap/web-traffic" pid=1953 comm="tcpdump" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 Apr 26 21:02:29 hostname-pcap kernel: [ 2438.316675] audit: type=1400 audit(1651006949.432:35): apparmor="DENIED" operation="mknod" profile="tcpdump" name="/mnt/pcap/web_traffic" pid=1960 comm="tcpdump" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 Apr 26 21:02:40 hostname-pcap kernel: [ 2448.918463] audit: type=1400 audit(1651006960.032:36): apparmor="DENIED" operation="mknod" profile="tcpdump" name="/mnt/pcap/web_traffic" pid=1963 comm="tcpdump" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 Apr 26 21:04:15 hostname-pcap kernel: [ 2544.397543] audit: type=1400 audit(1651007055.516:37): apparmor="DENIED" operation="mknod" profile="tcpdump" name="/mnt/pcap/web_traffic" pid=1996 comm="tcpdump" requested_mask="c" denied_mask="c" fsuid=109 ouid=109 Apr 26 21:04:23 hostname-pcap kernel: [ 2552.557682] audit: type=1400 audit(1651007063.676:38): apparmor="DENIED" operation="mknod" profile="tcpdump" name="/mnt/pcap/web_traffic" pid=1999 comm="tcpdump" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 Apr 26 21:05:29 hostname-pcap kernel: [ 2618.028858] audit: type=1400 audit(1651007129.151:39): apparmor="DENIED" operation="mknod" profile="tcpdump" name="/mnt/pcap/web_traffic" pid=2018 comm="tcpdump" requested_mask="c" denied_mask="c" fsuid=109 ouid=109 Apr 26 21:05:35 hostname-pcap kernel: [ 2624.785708] audit: type=1400 audit(1651007135.907:40): apparmor="DENIED" operation="mknod" profile="tcpdump" name="/mnt/pcap/web_traffic" pid=2021 comm="tcpdump" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 Apr 26 21:06:04 hostname-pcap kernel: [ 2653.751938] audit: type=1400 audit(1651007164.877:41): apparmor="DENIED" operation="mknod" profile="tcpdump" name="/mnt/pcap/web_traffic" pid=2025 comm="tcpdump" requested_mask="c" denied_mask="c" fsuid=109 ouid=109 Apr 26 22:31:05 hostname-pcap kernel: [ 7753.978615] audit: type=1400 audit(1651012265.324:42): apparmor="DENIED" operation="mknod" profile="tcpdump" name="/mnt/pcap/web_traffic.pcap1" pid=2042 comm="tcpdump" requested_mask="c" denied_mask="c" fsuid=109 ouid=109 Apr 27 09:52:34 hostname-pcap kernel: [48641.533480] audit: type=1400 audit(1651053154.580:43): apparmor="DENIED" operation="mknod" profile="tcpdump" name="/mnt/pcap/web_traffic.pcap1" pid=3078 comm="tcpdump" requested_mask="c" denied_mask="c" fsuid=109 ouid=109 - Disable the tcpdump apparmor policy:
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.tcpdump - Modify the apparmor policy:
/etc/apparmor.d/usr.bin.tcpdump# for -r, -F and -w /**.[pP][cC][aA][pP][0-9]* rw, /**.[cC][aA][pP][0-9]* rw, - Test/Verify tcpdump can write/create new files. (NOTE: The policy is not activated yet. We just want to make sure it works while it's still off)
- Re-enable the tcpdump apparmor policy:
sudo apparmor_parser /etc/apparmor.d/usr.bin.tcpdump - Test/Verify tcpdump can write/create new files past the initial base filename given when the command was invoked.