Understanding tcpdump Across OSI Layers
This post explains how tcpdump operates across the different layers of the OSI model and how to interpret its output depending on the filter and protocol used.
✨ Overview
tcpdump is a powerful command-line packet capture tool used to observe network traffic. It captures packets from the network interface and displays headers and payloads depending on the specified options. It can operate across multiple OSI layers, depending on what data is being captured. tcpdump itself is not bound to one OSI layer — it captures and displays packets that contain information across multiple layers. The layer you’re observing depends entirely on:
- The protocol you’re filtering for
- The level of detail in the capture
- Whether the traffic is encrypted
| Layer | HTTPS (TLSv1.3 – Port 443) | HTTP (Plain – Port 80) |
|---|---|---|
| L7 (Application) | TLS Handshake (ClientHello) | HTTP Request / Response |
| L6 (Presentation) | TLS Encryption & Compression | None (Plain Text) |
| L5 (Session) | Encrypted TLS Session | Simple TCP Session |
| L4 (Transport) | TCP (43732 → 443) | TCP (36601 → 80) |
| L3 (Network) | IPv4 (52.27.131.192 → 172.22.30.221) | IPv4 (172.22.131.234 → 172.31.41.11) |
| L2 (Data Link) | Linux Cooked Capture v2 | Linux Cooked Capture v1 |
| L1 (Physical) | 506 bytes on wire | 2357 bytes on wire |
🌌 OSI Layer-Based Operation
| OSI Layer | Captured by tcpdump? | What It Sees |
|---|---|---|
| Layer 2 - Data Link | Yes | Ethernet headers: MAC addresses, EtherType, frame checks |
| Layer 3 - Network | Yes | IP headers: Source/destination IPs, TTL, protocol (TCP, UDP, ICMP) |
| Layer 4 - Transport | Yes | TCP/UDP headers: Ports, flags, sequence numbers |
| Layer 5–6 - Session/Presentation | Indirectly | TLS handshakes, session resumption, encryption metadata (not content) |
| Layer 7 - Application | Only if unencrypted | HTTP, DNS, FTP content if traffic is not encrypted (e.g., port 80, not 443) |
🔍 Layer-by-Layer Examples
Layer 2 (Data Link Layer)
`tcpdump -e -i eth0`: shows Ethernet headers (source/destination MAC addresses, EtherType).
Layer 3 (Network Layer)
`tcpdump ip` or `tcpdump host 192.168.1.10`: filters by IP packets or a specific IP address (IP headers: source/destination IP, TTL, protocol).
Layer 4 (Transport Layer)
`tcpdump tcp port 443`: captures TCP handshakes and encrypted TLS payloads (TCP/UDP headers: ports, flags, seq/ack numbers).
Layer 7 (Application Layer)
`tcpdump -A port 80`: displays readable HTTP request/response data (if not using HTTPS); application data such as HTTP headers is visible only if the traffic is unencrypted.
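As an added example (not code from the original post), the following Python decoder walks one raw frame through the same layers a tcpdump line is read in: L2 MACs, L3 IPs, L4 ports/flags, and finally whether the L7 payload is readable plain HTTP or an opaque TLS handshake record. The MAC addresses, the two frames and the ClientHello prefix are constructed sample data, not a real capture.

```python
import struct

ETH_P_IP, IPPROTO_TCP = 0x0800, 6   # EtherType for IPv4, IP protocol number for TCP

def build_frame(sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (not a real capture); checksums left zero."""
    eth = bytes.fromhex("66778899aabb001122334455") + struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes([172, 22, 131, 234]), bytes([172, 31, 41, 11]))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 2000, (5 << 12) | 0x018, 65535, 0, 0)
    return eth + ip + tcp + payload

def classify_payload(payload: bytes) -> dict:
    """L7 view: a TLS record starts with content type 0x16 (handshake) and major version
    0x03; byte 5 is the handshake type (1 = ClientHello). Plain HTTP is readable ASCII."""
    if not payload:
        return {"kind": "none", "readable": False}
    if payload[0] == 0x16 and payload[1] == 0x03:
        hs_type = payload[5] if len(payload) > 5 else None
        return {"kind": "tls", "handshake": "ClientHello" if hs_type == 1 else hs_type,
                "readable": False}
    first = payload.split(b"\r\n", 1)[0]
    if first.startswith(b"HTTP/") or first.split(b" ")[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return {"kind": "http", "first_line": first.decode("ascii"), "readable": True}
    return {"kind": "unknown", "readable": False}

def decode_frame(frame: bytes) -> dict:
    """Walk one frame the way a tcpdump line is read: L2 -> L3 -> L4 -> L7."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = {"L2": {"src_mac": src.hex(":"), "dst_mac": dst.hex(":"), "ethertype": hex(ethertype)}}
    if ethertype != ETH_P_IP:
        return layers                           # `tcpdump -e` still shows this much
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                    # IPv4 header length in bytes, options included
    layers["L3"] = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
                    "ttl": ip[8], "proto": ip[9]}
    if ip[9] != IPPROTO_TCP:
        return layers
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    layers["L4"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                    "flags": off_flags & 0x1FF}
    data_off = (off_flags >> 12) * 4            # TCP header length in bytes
    layers["L7"] = classify_payload(tcp[data_off:])  # what `tcpdump -A` would print as text
    return layers

# Constructed sample traffic mirroring the page's two cases: plain HTTP on 80, TLS on 443.
HTTP_FRAME = build_frame(36601, 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
TLS_FRAME = build_frame(43732, 443, bytes.fromhex("1603010040010000") + bytes(60))
```

Running `decode_frame` over both frames shows identical L2 to L4 detail, while only the port 80 frame yields a readable L7 first line; the port 443 frame stops at "ClientHello" metadata, which is exactly what tcpdump can and cannot show.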
🔒 Encrypted Traffic Consideration
If the traffic is encrypted (e.g., HTTPS on port 443), tcpdump will only show TLS handshake metadata. You cannot see HTTP headers or payloads unless you:
- Use a tool like Wireshark with decryption keys.
- Have access to a TLS termination proxy with decrypted logs.
🔐 Important Note:
tcpdump never decrypts encrypted traffic; it only shows raw packet bytes. To analyze Layer 7 for HTTPS, you need decryption tools or log sources such as:
- Wireshark + SSLKEYLOGFILE
- TLS termination proxy (MITM-like setup in dev)
- Reverse proxy logs (e.g., Apache or NGINX access logs)
🔎 How to Determine Which Layer You're Observing
| Command/Filter | Primary Layer Observed |
|---|---|
| `tcpdump -e` | Layer 2 (Ethernet addresses, frame type) |
| `tcpdump host <IP>` | Layer 3 (IP addresses, protocol (TCP/UDP)) |
| `tcpdump tcp port 443` | Layer 4 (TCP/UDP port numbers, flags) |
| `tcpdump -A port 80` | Layer 7 (HTTP, DNS, FTP (if unencrypted)) |
| `tcpdump port 443` with TLS handshake | Layer 6 (TLS handshake info (SNI, version)) |
✅ Summary
- tcpdump can observe Layer 2 to Layer 4 directly.
- Layer 7 content is only visible if unencrypted.
- TLS introduces encryption at Layer 6, hiding application content.
- Use appropriate flags and filters to target the layer and protocol you want to analyze.
For further inspection and visualization, consider exporting tcpdump captures using -w and opening them in Wireshark.