Introduction to tcpdump
Transcript

  • 1. tcpdump: capturing network traffic
    Lev Walkin, @levwalkin
  • 2. What is tcpdump?
    Capture, [save], filter, show and explain
  • 3. Why tcpdump?
    Universal file format (.pcap)
    Universal filter expression
    Can work on remote hosts
  • 4. Quick start
    tcpdump -n -s 1500 -X
      -n       "No DNS": faster display
      -s 1500  "Packet size": fuller capture
      -X       "Hex dump": display payload
  • 5. Header
    tcpdump -Xns0
    Output shows the header line, then HEX (-X) and ASCII (-A) columns ... next
  • 6. Workflow 1: Online analysis
    Fast (-n), full (-s0), with dump (-X), ... and filter:
    tcpdump -Xns0 port 80
  • 7. Workflow 2: Offline analysis
    Full (-s0), write to a file (-w), then read:
    tcpdump -s0 -w abc.pcap port 80
    tcpdump -nXr abc.pcap host nweb30
  • 8. Architecture
    tcpdump      -> libpcap.so -> /dev/bpf0 -> BPF (BSD kernel)
    tcpdump.exe  -> libpcap.a  -> ???       -> BPF ($OS kernel)
  • 9. BPF: Berkeley Packet Filter
    The human-readable filter is converted to a bytecode (-d) and sent to the kernel. Efficient.
    http://www.tcpdump.org/papers/bpf-usenix93.pdf
  • 10. Filter language
    and, or
    port 80
    host nweb30
    'src host localhost and dst port 80'
  • 11. Output
    1343949078.196214 IP 216.218.215.245.61966 > 50.18.0.102.80: Flags [P.], seq 1:473, ack 1, win 8265, options [nop,nop,TS val 808617737 ecr 1091126708], length 472
      1343949078.196214      timestamp (-tt, -ttt, -tttt)
      IP                     L3 protocol (IP, GRE, etc)
      216.218.215.245.61966  src host, src port
      50.18.0.102.80         dst host & port
      Flags [P.]             TCP flags (S, F, R)
      seq 1:473              relative TCP sequence number
      ack 1                  relative TCP ack number
      win 8265               advertised TCP window size
      options [...]          list of TCP options (e.g. wscale)
      length 472             payload length
  • 12. WTFs (0/3)
    tcpdump: no suitable device found
    Use sudo or check /dev/bpf* permissions
  • 13. WTFs (1/3)
    Output is laggy?
    Disable DNS resolution (-n) or save to a file (-w)
  • 14. WTFs (2/3)
    Nothing happens?
    Select a proper interface (-i ppp0)
  • 15. WTFs (3/3)
    Want to cut-n-paste HTML?
    Use ASCII output (-A), or save to .pcap (-r) and fire up vim.
  • 16. RFCs
    IP: RFC 791
    TCP: RFC 793, 1122
    DNS: RFC 1034, 1035
    Many short overviews exist!
  • 17. See also
    WireShark (GUI)
    SSLdump (decrypt HTTPS)
    tcpflow (split by TCP flow)
    libpcap (C interface)
    lionet.info/ipcad
  • 18. RTFM
    man pcap-filter
    man tcpdump
    man pcap
    man bpf
  • 19. Questions?
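The .pcap file format from slide 3 (what -w writes and -r reads, slide 7) and the output line dissected on slide 11, as an added example that is not part of the original deck: a small Python reader for the classic libpcap file format that walks each record and prints a tcpdump -ttn style summary for Ethernet/IPv4/TCP frames. The one-packet capture is constructed inline (addresses, ports, window and timestamp reuse the values shown on slide 11; MACs and IP id are made up), and seq/ack are printed as absolute numbers rather than tcpdump's relative ones.

```python
import struct

# tcpdump's flag letters in TCP header bit order: FIN SYN RST PSH ACK URG ECE CWR
TCP_FLAGS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
             (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]

def build_sample_pcap() -> bytes:
    """Constructed one-packet capture in the classic pcap format (what tcpdump -w writes)."""
    payload = b"GET / HTTP/1.0\r\n\r\n"
    # TCP header: sport, dport, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 61966, 80, 1, 1, 5 << 4, 0x18, 8265, 0, 0)
    # IPv4 header (checksum left 0); addresses are the ones shown on slide 11
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000, 64, 6, 0,
                     bytes([216, 218, 215, 245]), bytes([50, 18, 0, 102]))
    eth = b"\x00" * 6 + b"\x00" * 5 + b"\x01" + b"\x08\x00"  # dst MAC, src MAC, ethertype IPv4
    frame = eth + ip + tcp + payload
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # magic, v2.4, tz, sig, snaplen, Ethernet
    rhdr = struct.pack("<IIII", 1343949078, 196214, len(frame), len(frame))  # ts_sec, ts_usec, incl, orig
    return ghdr + rhdr + frame

def parse_pcap(data: bytes):
    """Yield (ts_sec, ts_usec, frame) per record, honouring the file's byte order."""
    magic = struct.unpack_from("<I", data, 0)[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]  # KeyError: not a classic pcap file
    if struct.unpack_from(end + "HHiIII", data, 4)[5] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len

def summarize(ts_sec: int, ts_usec: int, frame: bytes) -> str:
    """Render a frame roughly as `tcpdump -ttn` would (absolute, not relative, seq/ack)."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return f"{ts_sec}.{ts_usec:06d} non-IPv4 frame, length {len(frame)}"
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0], ip[9]
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    if proto != 6:
        return f"{ts_sec}.{ts_usec:06d} IP {src} > {dst}: proto {proto}"
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, doff, flags, win = struct.unpack_from("!HHIIBBH", tcp)
    length = len(tcp) - (doff >> 4) * 4  # payload bytes after the TCP header (and options)
    fl = "".join(name for bit, name in TCP_FLAGS if flags & bit)
    seq_txt = f"{seq}:{seq + length}" if length else str(seq)  # first:last+1, as tcpdump prints
    return (f"{ts_sec}.{ts_usec:06d} IP {src}.{sport} > {dst}.{dport}: "
            f"Flags [{fl}], seq {seq_txt}, ack {ack}, win {win}, length {length}")
```

Feed it a real capture with `parse_pcap(open("abc.pcap", "rb").read())` and compare each line against `tcpdump -ttnr abc.pcap` to see which fields tcpdump derives (relative seq/ack, option decoding) rather than reads directly.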