Get­ting Started with Tcp­dump

This ar­ti­cle is an in­tro­duc­tion to a pop­u­lar UNIX tool called tcp­dump—a very ca­pa­ble com­mand-line util­ity that al­lows you to cap­ture net­work data.

OpenSource For You - - ADMIN -

Tcp­dump is based on libp­cap, an open source C/CHH lLErDry Ior nHt­worN trDIfic cDStXrH. libp­cap al­lows you to write por­ta­ble code by pro­vid­ing a com­mon high­level API for net­work packet cap­tur­ing, be­cause al­most ev­ery oper­at­ing sys­tem of­fers its own se­man­tics on how to ap­proach low-lHYHl nHt­worN cDStXrH IXnc­tLonDlLty.

Run­ning tcp­dump

You usu­ally have to run tcp­dump with root priv­i­leges—with the help of the sudo com­mand—as net­work cap­tur­ing is not al­lowed to HYHry­onH, Ior sHcXrLty rHD­sons. ,I yoX try to cDStXrH nHt­worN data us­ing tcp­dump with­out hav­ing root priv­i­leges, you will get the fol­low­ing er­ror mes­sage: tcp­dump: no suit­able de­vice found. If you use the sudo coPPDnd, thHn yoX wLll hDYH no SroElHP. You can view the man page with the com­mand man tcp­dump.

ThH first thLng to do Ls find oXt whLch nHt­worN Ln­tHrIDcHs are avail­able on your iinux sys­tem; run tcp­dump with the –D op­tion, as shown be­low:

$ sudo tcp­dump -D 1.eth0 2.wlan0 3.Qflog (LiQux Qet­fil­teU log (1FL2G) iQteUfDce) 4.eth1 5.DQy (3seudo-de­vice thDt cDp­tuUes oQ Dll iQteUfDces) 6.lo

On Py MDc sys­tHP rXn­nLng MDc OS ; 10.8.2, thH com­mand pro­duces the fol­low­ing out­put:

1.en0 2.fw0 3.en1 4.lo0

Tcp­dump out­put for­mat

The fol­low­ing is the out­put from a sin­gle packet that was cap­tured us­ing tcp­dump:

20:21:18.347280 I3 v-4-kp07-d2084-56.xyzHost.com.http ! 192.168.1.10.54706: FlDgs [.], seq 50400:51840, Dck 1, wiQ 33, op­tioQs [Qop,Qop,T6 vDl 1109618191 ecU 1386382236], leQgth 1440

Now, let's un­der­stand the dif­fer­ent parts of the cap­tured packet: 20:21:18.347280: ThLs Ls thH tLPH thH cDStXrH tooN SlDcH. As you can eas­ily un­der­stand, this is unique to ev­ery packet cap­tured by tcp­dump. IP: ThLs LndLcDtHs thH XsH oI thH ,P Sro­to­col. v-4-kp07-d2084-56.xyzHost.com.http: These are the source Dd­drHss Dnd thH XsHd Sort (+TTP) IoXnd Ln thH nHt­worN SDcNHt. >: This sym­bol sep­a­rates the source part from the dHstLnDtLon SDrt. 192.168.1.10.54706: This is the des­ti­na­tion IP ad­dress and thH Sort nXPEHr (54706) XsHd. Flags [.]: VDrLoXs flDgs. seq 50400:51840: This is the be­gin­ning TCP se­quence nXPEHr (50400) Dnd thH HndLng TCP sHTXHncH nXPEHr. TCP XsHs sHTXHncH nXPEHrs to or­dHr thH rHcHLYHd dDtD. ack 1: ThLs Ls thH ACK flDg thDt DcNnowl­HdgHs rHcHLYLng thH dDtD IroP thH sHndHr. win 33: This is the amount of data that will be sent be­fore rHTXLrLng Dn ACK SDcNHt EDcN IroP thH sHrYHr. op­tions [nop,nop,TS val 1109618191 ecr 1386382236]: ThHsH DrH sHYHrDl othHr oStLons. length 1440: ThLs Ls thH lHngth oI thH nHt­worN SDcNHt.

Tcp­dump ba­sics

Tcp­dump doHs not cDStXrH thH Hn­tLrH nHt­worN SDcNHt, Ey dHIDXlt. This is be­cause, usu­ally, the in­ter­est lies in the header parts of the SDcNHt thDt DrH norPDlly cDStXrHd wLth thH dHIDXlt SDcNHt lHngth. Here are some of the most use­ful pa­ram­e­ters of tcp­dump: The –v pa­ram­e­ter pro­duces slightly more out­put than the de­fault; –vv pro­duces even more ver­bose out­put; for truly ver­bose out­put, use –vvv. By de­fault, tcp­dump shows the cap­tured net­work data on scrHHn. :hLlH thLs Ls XsHIXl soPHtLPHs, XsXDlly yoX sDYH thH cap­tured data to process it later—us­ing the –w pa­ram­e­ter Iol­lowHd Ey thH dHsLrHd filHnDPH. To rHDd D dDtD filH sDYHd Ey tcp­dump, use the –r op­tion Iol­lowHd Ey thH filHnDPH. Tcp­dump XsHs '1S nDPH rH­solXtLon Ey dHIDXlt. ,I yoX wDnt to turn that off, use the –n SDrDPHtHr. UsH –nn to turn off both '1S nDPH rH­solXtLon Dnd Sort nXPEHr rH­solXtLon. To cap­ture a given num­ber of pack­ets, use the –c SDrDPHtHr. The –tttt pa­ram­e­ter pro­duces a more read­able time­stamp out­put, as you can see in the fol­low­ing ex­am­ple:

2011-12-26 20:02:12.465078 I3 google-pub­licdQs-D.google.com.domDiQ ! 192.168.1.10.53028: 24315 1/0/0 3TR google-pub­lic-dQs-D.google.com. (82)

The –A oStLon SrLnts thH SDcNHt Ln ASC,, IorPDt. To print out­put in both the ApCII and HEu for­mat, use the –XX SDrDPHtHr.

Tcp­dump sce­nar­ios

That’s enough of the the­ory—now for some prac­ti­cal HxDPSlHs. ThH Iol­lowLng HxDPSlH cDStXrHs two SDcNHts oI nHt­worN trDIfic IroP TCP Sort 110 Ln ASC,, IorPDt: $ sudo tcp­dump –c 2 –$ poUt 110 lis­teQiQg oQ eth0, liQk-type E1100B (EtheUQet), cDp­tuUe size 65535 bytes 21:01:58.750072 I3 192.168.1.10.56836 ! pop.someHost.gU.pop3: FlDgs [6], seq 563784957, wiQ 65535, op­tioQs [mss 1460,Qop,wscDle 1,Qop,Qop,T6 vDl 1430216395 ecU 0,sDck2.,eol], leQgth 0 [email protected]@[email protected] Q.h6...n!...........{.............. U?^......... 21:01:58.751523 I3 192.168.1.10.56837 ! pop.someHost.gU.pop3: FlDgs [6], seq 3877282998, wiQ 65535, op­tioQs [mss 1460,Qop,wscDle 1,Qop,Qop,T6 vDl 1430216396 ecU 0,sDck2.,eol], leQgth 0 [email protected]@[email protected] Q.h6...n............{.............. U?^......... 2 pDck­ets cDp­tuUed 498 pDck­ets Ue­ceived by fil­teU 0 pDck­ets dUopped by keUQel

To cap­ture two pack­ets us­ing both the ApCII and HEu for­mat, use sudo tcp­dump -i eth0 -c 2 -XX. To cDStXrH 100 SDcNHts to D filH nDPHd out (-w out) and then stop, use sudo tcp­dump –c 100 –w out. To cDStXrH thH nHt­worN trDIfic oI thH Hn­tLrH 10.10.10.0/24 net­work, use sudo tcp­dump net 10.10.10.0/24. To cDStXrH Ln­coPLng trDIfic to <some_host> that is also go­ing to port 80 (XsXDlly +TTP trDIfic, EXt yoX shoXld not Dl­wDys trXst thH Sort nXPEHr Ior chDrDc­tHrLsLng thH trDIfic), XsH sudo tcp­dump dst host <some_host> and port 80. YoX cDn gHt coPPon Sort nXPEHrs and ser­vice names from /etc/ser­vices. To cDStXrH Dll SDcNHt tySHs ex­cept ARP and ICMP net­work pack­ets with the more read­able time­stamp for­mat, use sudo tcp­dump -tttt not arp and not icmp.

To cDStXrH trDIfic wLth thH +TTP Sort IroP ,P Dd­drHss 192.168.1.1 goLng to 192.168.1.10, or IroP 192.168.1.10 to 192.168.1.1 (sDPSlH oXtSXt shown): $ sudo tcp­dump ?(sUc 192.168.1.1 DQd poUt 80 DQd dst 192.168.1.10?) oU ?(sUc 192.168.1.10 DQd poUt 80 DQd dst 192.168.1.1 DQd poUt 80?) 21:38:11.492218 I3 192.168.1.10.57018 ! 192.168.1.1.http: FlDgs [F.], seq 383, Dck 72468, wiQ 65535, leQgth 0 21:38:11.492271 I3 192.168.1.1.http ! 192.168.1.10.57017: FlDgs [.], Dck 385, wiQ 6000, leQgth 0

To cDStXrH trDIfic IroP thH 192.168.1.0/24 nHt­worN to thH 10.10.10.0/24 nHt­worN:

$ sudo tcp­dump sUc Qet 192.168.1.0/24 DQd dst Qet 10.10.10.0/24

To chHcN trDIfic oI host 10.10.10.1 XsLng U'P Sort 514 (usu­ally the syslog server): $ sudo tcp­dump host 10.10.10.1 DQd 'udp poUt 514' 16:49:52.681405 I3 10.10.10.1.51787 ! 10.10.10.2.syslog: 6Y6L2G locDl7.Qo­tice, leQgth: 156

To cap­ture pack­ets be­low a cer­tain size, use sudo tcp­dump less 1024. To cDStXrH EroDd­cDst or PXltLcDst trDIfic, XsH sudo tcp­dump ‘broad­cast or mul­ti­cast’. To cDStXrH Dnd show ,PY6 trDIfic only, XsH sudo tcp­dump ip6.

Tcp­dump tips

:hHn cDStXrLng nHt­worN dDtD XsLng tcp­dump, keep the fol­low­ing points in mind: If a pa­ram­e­ter you are try­ing to use is not work­ing as HxSHc­tHd, chHcN thH PDn SDgH. Al­wDys chHcN thH tcp­dump PDn SDgH whHn XsLng Lt on D nHw sys­tHP. :hHn Ln doXEt, cDStXrH HYHry­thLng! 5HPHPEHr—yoX cDn Dl­wDys filtHr lDtHr, EXt yoX cDn­not find D nHt­worN SDcNHt thDt yoX dLd not cDStXrH. You can an­a­lyse cap­tured data us­ing WireShark. The main ad­van­tage of tcp­dump is that as a com­mand-line util­ity, yoX cDn XsH Lt wLth Dn SS+ con­nHc­tLon. WireShark, Ds D GU, ap­pli­ca­tion, has an over­head and can lose net­work data on a busy net­work—tcp­dump needs less sys­tems re­sources than WireShark. You can run tcp­dump us­ing the cron util­ity to cap­ture data wLthoXt EHLng log­gHd Ln Dt thH PDchLnH. To cap­ture full Eth­er­net frames, you should run tcp­dump with the –s 1514 pa­ram­e­ters; 1R14 is the max­i­mum length of (thHrnHt nHt­worN SDcNHts. Most oI thH tLPH, yoX do not nHHd thH IXll SDcNHt.

Newspapers in English

Newspapers from India

© PressReader. All rights reserved.