Chmod (change mode) is used to set the permissions (r read, w write, x execute, s setuid: set user ID upon execution) of files for the user classes (a all, u user, g group, o other) in OS X / Linux environments. Since tcpdump is a file that we want to run with the setuid attribute, we need to add the s permission for the user class u with the command chmod u+s.
Under OS X tcpdump is located in the directory /usr/sbin/. From our home directory in the terminal, we take a look at the current permissions of tcpdump with the ls -l command:

ls -l //usr/sbin/tcpdump
-rwxr-xr-x@ 1 root wheel 692720 2 Nov 00:01 //usr/sbin/tcpdump

The third letter from the left, x, indicates that the setuid bit is not set. We now type (as superuser via sudo):

sudo chmod u+s //usr/sbin/tcpdump

and, after entering our administrator password, we can validate the change with another ls -l command. The third letter from the left has changed from x to s:

ls -l //usr/sbin/tcpdump
-rwsr-xr-x@ 1 root wheel 692720 2 Nov 00:01 //usr/sbin/tcpdump
In general, setting the setuid bit on a binary can have a significant impact on the security of your system, because every user can then run that program with the privileges of its owner (here root). So always be very careful if you make changes like the above. On the Windows side there are no security settings active for WinDump and we can start the configuration for our monitoring script. The various functions of tcpdump and WinDump are identical and are invoked using options following the start command. Option -D displays a list of all available network interfaces:

tcpdump -D (or windump -D)
1.en0
2.fw0
3.vnic0
4.en1
5.vnic1
6.p2p0
7.lo0
With the -i option we specify the capture interface that we want to select, using the interface name or the number from the -D output, in our case the en1 interface or number 4:

tcpdump -i 4
We now add the appropriate options for tcpdump to filter on the DHCP requests of our target smartphone with the MAC address 68:a8:6d:84:7d:42:

tcpdump -i 4 -c 1 -n -v ether host 68:a8:6d:84:7d:42 and dst port 67 > dhcp_capture.txt

-c sets the number of packets to capture (in our case 1)
-n suppresses the name resolution which assigns names to IP addresses and ports. This
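As an added example (not code from the original article), the shell helpers below wrap the steps above: a check of the setuid bit in an ls -l mode string, a lookup of an interface name in tcpdump -D output, and a validated builder for the DHCP capture filter. The interface list and mode strings are constructed samples; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article. Sample data is constructed.

# Return 0 if the setuid bit is set in an ls -l mode string such as -rwsr-xr-x.
# The owner's execute slot is the 4th character; 's' or 'S' there means setuid.
setuid_set() {
    case "$(printf '%s' "$1" | cut -c4)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# Map an interface name to its number in `tcpdump -D` output ("4.en1" -> 4).
# $1 = interface name, $2 = the -D output. Prints nothing and returns 1 if absent.
iface_number() {
    printf '%s\n' "$2" | awk -F. -v name="$1" \
        '$2 == name { print $1; found = 1 } END { exit !found }'
}

# Build the capture filter for one client's DHCP requests: frames to or from the
# given MAC address with destination port 67 (DHCP server), as in the article.
# Rejects anything that is not a colon-separated MAC so junk never reaches tcpdump.
dhcp_filter() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' || return 1
    printf 'ether host %s and dst port 67' "$1"
}

# Constructed sample of `tcpdump -D` output, matching the list in the article.
SAMPLE_D='1.en0
2.fw0
3.vnic0
4.en1
5.vnic1
6.p2p0
7.lo0'

# Run with the argument "demo" to print the assembled capture command.
if [ "${1:-}" = "demo" ]; then
    n=$(iface_number en1 "$SAMPLE_D") && echo "en1 is interface number $n"
    setuid_set '-rwsr-xr-x@' && echo "setuid bit is set on the sample mode string"
    echo "tcpdump -i $n -c 1 -n -v $(dhcp_filter 68:a8:6d:84:7d:42) > dhcp_capture.txt"
fi
```

On a real system the mode string comes from ls -l /usr/sbin/tcpdump and the interface list from tcpdump -D; the demo only substitutes the constructed samples.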