4. INTRODUCTION
TCPdump is a utility used to capture and analyze packets on a
network interface.
It is a common command-line network debugging tool.
It gives insight into the traffic activity occurring on a network.
It allows the user to intercept and display TCP/IP and other packets
being transmitted or received over a network.
It is frequently used to debug applications that generate or receive
network traffic.
It is also used for debugging the network setup itself, by
determining whether all necessary routing is occurring
properly, allowing the user to further isolate the source of a
problem.
5. What is TCPdump?
TCPdump is a UNIX tool.
It is used to gather data from the network, decode the bits, and display the
output on the screen; the records can also be saved to a file for later analysis.
TCPdump uses the libpcap library to capture packets.
TCPdump is run by issuing the command tcpdump, which reads all the
traffic from the default network interface (use -i to choose another one).
It has a filter language (BPF filter expressions) that enables the user to
specify which records they are interested in collecting.
TCPdump displays records on the console, translated from the native
raw packet bytes into a human-readable one-line summary per packet.
6. TCPDUMP
• Syntax:
tcpdump [options] [filter expression]
• Basic command
Eg: tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:34:57.266865 IP 173.194.36.6 > 192.168.1.101: ICMP echo reply, id 19941, seq 1176, length 64
16:34:57.267226 IP 192.168.1.101.21271 > 218.248.255.163.53: 23380+ PTR? 6.36.194.173.in-addr.arpa. (43)
16:34:57.274549 IP 218.248.255.163.53 > 192.168.1.101.21271: 23380 1/4/2 PTR bom04s01-in-f6.1e100.net. (195)
16:34:57.297874 IP 192.168.1.101.56295 > 186.105.77.150.38213: UDP, length 105
Note the second and third records: the capturing host is reverse-resolving
173.194.36.6 (tcpdump itself does this for every address unless -n is given).
Name resolution generates traffic of its own and can slow or stall a capture,
so analysts normally run with -n or -nn.
7. TCPDUMP OUTPUT
• One of the hardest tasks for the novice analyst to master is
decoding TCPdump output.
• TCPdump output is fairly standard across the different
protocols (TCP, UDP, ICMP, for example), but does have
some nuances.
• The first step is to identify the protocol of the record you are examining.
• TCP output will be used to explain the general TCPdump
format. Here is a TCP record displayed by TCPdump:
8. A TCP record, field by field
01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
Timestamp: 01:46:28.808262
IP: this is an IP packet
Source host name: danjo.CS.Berkeley.EDU
Source port number: ssh (22)
Destination host name: adsl-69-228-230-7.dsl.pltn13.pacbell.net
Destination port number: 2481
TCP specific information: . 2513546054:2513547434(1380) ack 1268355216 win 12816
  (the flag field, here the "." placeholder; then the sequence numbers as
  first:last(bytes of data), the acknowledgement number and the advertised window)
The port is always the last dot-separated component of an address, and
well-known ports are shown by service name (ssh) unless -n is used.
• Different output formats for different packet types
What does a line convey?
9. TCPdump Flags
TCP Flag     Flag Rep   Flag Meaning
SYN          S          Session establishment request; the first part of any TCP connection.
ACK          ack        Acknowledges receipt of data from the sender; printed as "ack <number>"
                        after the sequence numbers rather than as a letter.
FIN          F          The sender intends to gracefully terminate its side of the connection.
RESET        R          The sender immediately aborts the existing connection.
PUSH         P          Data is "pushed" immediately from the sending host to the receiving
                        host's application software.
URGENT       urg        "Urgent" data that should take precedence over other data; printed as
                        "urg <pointer>". An example is pressing Ctrl+C to abort an FTP download.
Placeholder  .          If none of SYN, FIN, RESET or PUSH is set, a period is printed after
                        the destination port.
This is the layout of tcpdump 3.x. tcpdump 4.x and later prints the flags as a
bracketed field, e.g. Flags [S], Flags [S.], Flags [P.], Flags [F.], Flags [R],
where the period now stands for ACK (so "Flags [.]" is a pure acknowledgement),
E and W mark ECN-Echo and CWR, and seq, ack, win and urg follow as
comma-separated fields.
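A parser for the one-line TCP record format described on slides 7 to 9, as an added example that is not from the original slides. It understands both the tcpdump 3.x layout shown on slide 8 (flag letters or the "." placeholder, then first:last(bytes), ack and win) and the bracketed Flags [..] layout of tcpdump 4.x, normalises the flags into one set, and then applies the check an analyst most often wants from this output: which hosts are sending bare SYNs (S set, no ack) to many ports, the signature of a half-open scan. The sample lines are constructed: the first is the Berkeley record from slide 8 joined onto one line, the rest are invented 10.0.0.0/8 traffic.

```python
"""Parse tcpdump one-line TCP records and pick out hosts sending bare SYNs to many ports.

Added example, not from the original slides. Handles the tcpdump 3.x layout
("." or flag letters, then first:last(bytes) ack N win W) and the tcpdump 4.x
layout ("Flags [S.], seq ..., ack ..., win ...").
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Prefix shared by both layouts. The port is the LAST dot-separated token of each
# address, so the host is matched non-greedily and the port greedily.
_HEAD = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+?)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\S+?)\.(?P<dport>[\w-]+): (?P<rest>.*)$"
)
# tcpdump 3.x: "S 1:1(0) win 5840", ". 100:1480(1380) ack 1 win 12816"; "." = no S/F/R/P.
_OLD = re.compile(
    r"^(?P<flags>[SFRP.]+)(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?(?: win (?P<win>\d+))?"
)
# tcpdump 4.x: "Flags [S.], seq 900, ack 101, win 28960, length 0"; "." = ACK.
_NEW = re.compile(
    r"^Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+)(?::(?P<end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?(?:, win (?P<win>\d+))?"
)


@dataclass(frozen=True)
class TcpRecord:
    ts: str
    src: str
    sport: str              # service name (e.g. "ssh") unless tcpdump ran with -n
    dst: str
    dport: str
    flags: FrozenSet[str]   # subset of {"S","F","R","P","A","U","E","W"}; "A" = ACK
    seq: Optional[int]
    ack: Optional[int]
    win: Optional[int]


def parse_line(line: str) -> Optional[TcpRecord]:
    """Return a TcpRecord for a TCP summary line; None for UDP, ICMP, DNS or other records."""
    head = _HEAD.match(line.strip())
    if not head:
        return None
    rest = head.group("rest")
    body = _NEW.match(rest)
    if body:
        flags = {"A" if c == "." else c for c in body.group("flags")}
    else:
        body = _OLD.match(rest)
        if not body:                 # "UDP, length 105", "ICMP echo reply", "23380+ PTR?" ...
            return None
        flags = {c for c in body.group("flags") if c != "."}   # "." is only a placeholder
        if body.group("ack") is not None:                     # ACK appears as "ack N"
            flags.add("A")

    def num(group: str) -> Optional[int]:
        value = body.group(group)
        return int(value) if value else None

    return TcpRecord(head.group("ts"), head.group("src"), head.group("sport"),
                     head.group("dst"), head.group("dport"), frozenset(flags),
                     num("seq"), num("ack"), num("win"))


def syn_only_sources(lines: List[str], min_targets: int = 3) -> Dict[str, int]:
    """Map source host -> number of distinct dst:port pairs it sent a bare SYN to.

    A bare SYN (S set, A clear) aimed at many ports from one source is the signature
    of a half-open port scan; a normal client sends one SYN per connection it needs.
    """
    targets = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec.flags == frozenset({"S"}):
            targets[rec.src].add((rec.dst, rec.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


SAMPLE_LINES = [
    # slide 8 record (tcpdump 3.x layout), re-joined onto one line
    "01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: "
    ". 2513546054:2513547434(1380) ack 1268355216 win 12816",
    # constructed: one normal handshake to port 80 (tcpdump 4.x layout)
    "10:00:01.000100 IP 10.0.0.7.51000 > 10.0.0.9.80: Flags [S], seq 100, win 29200, length 0",
    "10:00:01.000200 IP 10.0.0.9.80 > 10.0.0.7.51000: Flags [S.], seq 900, ack 101, win 28960, length 0",
    "10:00:01.000300 IP 10.0.0.7.51000 > 10.0.0.9.80: Flags [.], ack 1, win 229, length 0",
    # constructed: bare SYNs from one host to four ports, none of them answered
    "10:00:02.000100 IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [S], seq 1, win 1024, length 0",
    "10:00:02.000200 IP 10.0.0.5.40002 > 10.0.0.9.443: Flags [S], seq 1, win 1024, length 0",
    "10:00:02.000300 IP 10.0.0.5.40003 > 10.0.0.9.3306: Flags [S], seq 1, win 1024, length 0",
    "10:00:02.000400 IP 10.0.0.5.40004 > 10.0.0.9.8080: Flags [S], seq 1, win 1024, length 0",
    # constructed: a non-TCP record, which parse_line skips
    "16:34:57.297874 IP 192.168.1.101.56295 > 186.105.77.150.38213: UDP, length 105",
]

if __name__ == "__main__":
    for rec in filter(None, map(parse_line, SAMPLE_LINES)):
        print(rec.src, rec.sport, "->", rec.dst, rec.dport, "".join(sorted(rec.flags)))
    print("bare-SYN sources:", syn_only_sources(SAMPLE_LINES))
```

Feed it real output with `tcpdump -n -r capture.pcap tcp | python3 this_script.py` style piping, or adapt SAMPLE_LINES; with -n the sport/dport fields are numeric, which is what you want when the threshold is "distinct ports".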
10. Commands
• tcpdump -D :- List network interfaces, with their index numbers
• tcpdump -i eth0
tcpdump -i 1 :- To use one of the listed interfaces, either the interface
name or its index can be given to -i
• tcpdump -i eth0 -c 10 :- Stop after capturing 10 packets
• tcpdump -i eth0 -c 10 -n :- Do not resolve host names (-nn also leaves port numbers numeric)
• tcpdump -i eth0 -c 10 -A :- Print each packet's payload in ASCII (useful for clear-text protocols)
• tcpdump -i eth0 -c 10 -XX :- Print each packet in hex and ASCII, including its link-layer header
• tcpdump -i eth0 -e :- Print the link-level header (MAC addresses) on each line
• tcpdump -i eth0 tcp :- Filter expression: only TCP packets
• tcpdump -i eth0 port 21 :- Only packets with source or destination port 21 (FTP control)
• tcpdump -i eth0 src 192.168.0.2 :- Only packets whose source host is 192.168.0.2 (short for src host)
• tcpdump -i eth0 dst 50.116.66.139 :- Only packets whose destination host is 50.116.66.139
Filter primitives combine with and, or and not, and are best quoted so the shell
leaves them alone, e.g. tcpdump -i eth0 -n 'tcp and port 21 and not src 192.168.0.2'
11. Continue…
To write the raw output to a file, use the command
tcpdump -w filename
where filename is the name of the file to which the records will
be written in binary (pcap) format, exactly as captured and without decoding.
To read this output file, another command line option is
necessary: tcpdump -r filename.
This option reads input to TCPdump from filename rather
than from the default network interface; all the usual filter expressions
and display options (-n, -A, -X, ...) apply to the saved packets as well.
A file written with -w is not text: view it with tcpdump -r (or with another
pcap-aware tool such as Wireshark), not with a text editor.
12. ALTERING THE AMOUNT OF DATA COLLECTED
TCPdump need not collect the entire datagram: to limit capture volume,
and because the analyst is usually interested in the header portion, it
can store only the first N bytes of each packet.
The snapshot length, sometimes known as snaplen and set with -s,
determines the exact number of bytes collected from each packet.
Older versions of tcpdump defaulted to a snaplen of 68 bytes, enough for the
IP and TCP headers plus a few options; current versions default to a much
larger value (the capture on slide 6 reports "capture size 65535 bytes"), so
whole packets are kept unless -s lowers the snaplen. Too small a snaplen cuts
off the payload, which -A and -X can then no longer show.
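What -w actually writes, and what the snaplen of slide 12 does to each record, can be seen by producing and parsing the pcap format by hand. This is an added example in Python, not from the slides or from tcpdump/libpcap; the Ethernet/IPv4/TCP frame it stores is constructed with checksums left at zero, and the 0xA1B2C3D4 magic, 24-byte global header and 16-byte per-record header are the classic libpcap layout. The snaplen is written into the file header, and each record keeps both the captured length (incl_len) and the original length (orig_len), which is how a reader such as tcpdump -r knows that a packet was truncated.

```python
"""Write and read the binary pcap format produced by tcpdump -w, honouring a snaplen.

Added example, not from the slides or from tcpdump/libpcap. The stored frame is a
constructed Ethernet/IPv4/TCP packet with zero checksums.
"""
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4          # microsecond timestamps, in the writer's byte order
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # the same magic read on a machine of the other endianness
LINKTYPE_ETHERNET = 1            # tcpdump's banner shows this as "link-type EN10MB (Ethernet)"
GLOBAL_HEADER = "IHHiIII"        # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER = "IIII"           # ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)


def build_frame(payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame 10.0.0.7:51000 -> 10.0.0.9:80 carrying payload."""
    eth = bytes.fromhex("00112233445566778899aabb") + b"\x08\x00"   # dst MAC, src MAC, IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 7]), bytes([10, 0, 0, 9]))
    tcp = struct.pack("!HHIIBBHHH", 51000, 80, 100, 0, 5 << 4, 0x18, 29200, 0, 0)  # PSH+ACK
    return eth + ip + tcp + payload


def write_pcap(packets: List[Tuple[int, int, bytes]], snaplen: int) -> bytes:
    """Serialise (ts_sec, ts_usec, frame) tuples as tcpdump -w -s <snaplen> would.

    Each frame is cut to snaplen bytes; the record header keeps both the captured
    length and the original length, so a reader can tell a truncated packet apart.
    """
    out = bytearray(struct.pack("<" + GLOBAL_HEADER, PCAP_MAGIC, 2, 4, 0, 0,
                                snaplen, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, frame in packets:
        captured = frame[:snaplen]
        out += struct.pack("<" + RECORD_HEADER, ts_sec, ts_usec, len(captured), len(frame))
        out += captured
    return bytes(out)


def is_pcap(data: bytes) -> bool:
    """True if data starts with the classic pcap magic in either byte order.

    tcpdump --time-stamp-precision=nano writes a different magic (0xA1B23C4D); not handled here.
    """
    return len(data) >= 4 and struct.unpack_from("<I", data)[0] in (PCAP_MAGIC, PCAP_MAGIC_SWAPPED)


def read_pcap(data: bytes):
    """Parse a pcap blob into (snaplen, linktype, records), where a record is
    (ts_sec, ts_usec, incl_len, orig_len, frame_bytes)."""
    if not is_pcap(data):
        raise ValueError("not a pcap file: tcpdump -w output is binary, read it with tcpdump -r")
    endian = "<" if struct.unpack_from("<I", data)[0] == PCAP_MAGIC else ">"
    _, _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack_from(endian + GLOBAL_HEADER, data, 0)
    off, records = struct.calcsize("<" + GLOBAL_HEADER), []
    while off < len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + RECORD_HEADER, data, off)
        off += struct.calcsize("<" + RECORD_HEADER)
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("file ends in the middle of a record")
        records.append((ts_sec, ts_usec, incl_len, orig_len, frame))
        off += incl_len
    return snaplen, linktype, records


def capture_summary(snaplen: int) -> dict:
    """Round-trip one constructed HTTP request through write_pcap/read_pcap at the given snaplen."""
    frame = build_frame(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")   # 92-byte frame
    snap, linktype, records = read_pcap(write_pcap([(1700000000, 123456, frame)], snaplen))
    _, _, incl_len, orig_len, captured = records[0]
    return {"file_snaplen": snap, "linktype": linktype, "incl_len": incl_len,
            "orig_len": orig_len, "payload_kept": captured[14 + 20 + 20:]}


if __name__ == "__main__":
    for s in (68, 262144):
        print(s, capture_summary(s))
```

With the old 68-byte default the record holds the full Ethernet, IP and TCP headers (54 bytes) and only the first 14 bytes of payload, while orig_len still records the real 92-byte size; with a large snaplen the whole request survives. The same write_pcap output is what tcpdump -r, Wireshark or any libpcap reader accepts, which is why a text viewer shows only binary noise.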
13. Running tcpdump
• Requires superuser/administrator privileges on Unix, because opening an
  interface for raw (promiscuous) capture needs raw packet access; on Linux
  this is the CAP_NET_RAW and CAP_NET_ADMIN capabilities, which can be granted
  to the tcpdump binary with setcap instead of running it as root
– http://www.tcpdump.org/
– You can do it on your own Unix machine
– You can install a Linux OS in VMware on your machine
• Tcpdump for Windows
– WinDump: http://www.winpcap.org/windump/
• Free software
• Refer to the tcpdump man page.
14. So What is WireShark?
• Packet sniffer/protocol analyzer
• GUI based tool
• Open source network tool
• The successor of the Ethereal tool, which was renamed Wireshark in 2006