This document summarizes an introduction to packet analysis presentation. It covers the basics of analyzing traffic at layers 2 through 4, including MAC addresses, IP addresses, TCP and UDP ports and protocols. Specific examples are provided of capturing TCP and UDP traffic in different states like established connections, rejected attempts and responses. ICMP traffic analysis is also introduced through ping examples. Methods for capturing traffic are demonstrated including tcpdump commands and filters. Potential uses of packet analysis like troubleshooting bandwidth usage, VPNs, port forwarding and routing are listed. The presentation ends with case studies on analyzing a DDoS bot and a TCP window size of 0 issue.

1. pfSense Hang Out
May 2014
Intro to Packet Analysis

2. Project News
● Training course coming soon

3. Intro to Packet Analysis
● Extremely effective means of
troubleshooting
● Doesn’t have to be overwhelmingly complex
● Much of today’s presentation oversimplified

4. Intro to Packet Analysis
● Layer 2
○ Source and destination MAC addresses
● Layer 3
○ Source and destination IP addresses
● Layer 4
○ TCP, UDP, ICMP covered today
source MAC destination MAC
source IP destination IP

5. Intro to Packet Analysis - TCP intro
● Connection-oriented protocol
● Source and destination ports
○ source port not same as destination port
● TCP handshake
○ SYN client to server
○ SYN ACK server to client
○ ACK client to server

6. TCP Basics - Capture Scenarios
● Established successfully
10:01:15.868921 IP 10.2.5.1.11582 > 10.2.5.103.22: Flags [S], seq
3908118056, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 341740
ecr 0], length 0
10:01:15.869237 IP 10.2.5.103.22 > 10.2.5.1.11582: Flags [S.], seq
2912721290, ack 3908118057, win 28960, options [mss 1460,sackOK,TS val
112268 ecr 341740,nop,wscale 7], length 0
10:01:15.869366 IP 10.2.5.1.11582 > 10.2.5.103.22: Flags [.], ack 1, win
520, options [nop,nop,TS val 341740 ecr 112268], length 0
10:01:15.904659 IP 10.2.5.103.22 > 10.2.5.1.11582: Flags [P.], ack 1, win
227, options [nop,nop,TS val 112277 ecr 341740], length 41
10:01:15.905334 IP 10.2.5.1.11582 > 10.2.5.103.22: Flags [.], ack 42, win
520, options [nop,nop,TS val 341744 ecr 112277], length 0
10:01:17.287797 IP 10.2.5.1.11582 > 10.2.5.103.22: Flags [P.], ack 42, win
520, options [nop,nop,TS val 341882 ecr 112277], length 2
10:01:17.288202 IP 10.2.5.103.22 > 10.2.5.1.11582: Flags [.], ack 3, win
227, options [nop,nop,TS val 112623 ecr 341882], length 0

7. TCP Basics - Capture Scenarios
● Rejected connection attempt
09:58:13.527103 IP 10.2.5.1.8897 > 10.2.5.103.22: Flags [S], seq
1054206648, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 323506
ecr 0], length 0
09:58:13.527366 IP 10.2.5.103.22 > 10.2.5.1.8897: Flags [R.], seq 0, ack
1054206649, win 0, length 0
● No reply
10:05:30.928371 IP 10.2.5.103.52798 > 10.2.5.1.24: Flags [S], seq
3783265721, win 29200, options [mss 1460,sackOK,TS val 176033 ecr 0,nop,
wscale 7], length 0
10:05:31.926314 IP 10.2.5.103.52798 > 10.2.5.1.24: Flags [S], seq
3783265721, win 29200, options [mss 1460,sackOK,TS val 176283 ecr 0,nop,
wscale 7], length 0
10:05:33.930244 IP 10.2.5.103.52798 > 10.2.5.1.24: Flags [S], seq
3783265721, win 29200, options [mss 1460,sackOK,TS val 176784 ecr 0,nop,
wscale 7], length 0

8. Intro to Packet Analysis - UDP intro
● Connectionless protocol
● Some require a response
○ DNS
○ NTP
● Some silently accepted
○ syslog

9. UDP basic packet capture scenarios
● Accepted, or filtered
PORT STATE SERVICE
10/udp open|filtered unknown
05:49:42.602935 IP 192.168.1.2.45540 > 10.0.6.2.10: UDP, length 0
05:49:43.737327 IP 192.168.1.2.45541 > 10.0.6.2.10: UDP, length 0
● Rejected
05:50:39.324990 IP 192.168.1.2.62534 > 192.168.1.254.17: UDP, length 0
05:50:39.326449 IP 192.168.1.254 > 192.168.1.2: ICMP 192.168.1.254 udp
port 17 unreachable, length 36
● Receives reply
05:54:21.644173 IP 192.168.1.2.52027 > 192.168.1.254.53: 51162+ A? google.
com. (28)
05:54:21.701862 IP 192.168.1.254.53 > 192.168.1.2.52027: 51162 11/0/0 A
74.125.227.169, A 74.125.227.165, A 74.125.227.164, A 74.125.227.166, A
74.125.227.160, A 74.125.227.174, A 74.125.227.168, A 74.125.227.167, A
74.125.227.162, A 74.125.227.161, A 74.125.227.163 (204)

10. Intro to Packet Analysis - ICMP intro
● Types
● No ports
● Ping
○ Echo request
○ Echo reply
05:57:52.459547 IP 192.168.1.2 > 74.125.227.97: ICMP echo request, id
48902, seq 0, length 64
05:57:52.489406 IP 74.125.227.97 > 192.168.1.2: ICMP echo reply, id 48902,
seq 0, length 64
05:57:53.460369 IP 192.168.1.2 > 74.125.227.97: ICMP echo request, id
48902, seq 1, length 64
05:57:53.492072 IP 74.125.227.97 > 192.168.1.2: ICMP echo reply, id 48902,
seq 1, length 64
05:57:54.461349 IP 192.168.1.2 > 74.125.227.97: ICMP echo request, id
48902, seq 2, length 64

11. Web Packet Capture Page
Demo

12. tcpdump at command line
● option 8 via SSH
● Common command line arguments
○ -i capture traffic on specified interface
○ -n disable reverse DNS lookups
○ -e show link-level header - MAC addresses,
VLAN tags
○ -s snap length (when capturing to file)
○ -w capture to file

13. tcpdump filtering basics
● tcpdump ... | grep 1.2.3.4 - no, use filters
● Common filters
○ host 1.2.3.4 include host 1.2.3.4
○ port 53 include port 53 TCP and UDP
○ udp port 53 include UDP port 53
○ tcp port 80 include TCP port 80
● Combining filters
○ and
○ or
● Negation
○ not

14. tcpdump examples
● Display traffic on interface em0 with no
reverse DNS resolution
○ tcpdump -ni em0
● Display traffic to or from IP 1.2.3.4 on em0
including link-layer
○ tcpdump -nei em0 host 1.2.3.4
● Display all DNS traffic on em1_vlan5
○ tcpdump -ni em1_vlan5 port 53
● Display all TCP port 80 traffic (HTTP) except
that to or from host 10.0.0.5
○ tcpdump -ni em0 tcp port 80 and not host 10.0.0.5

15. Web Packet Capture vs tcpdump
Web Packet Capture tcpdump
Ease of selecting interface
Ease of basic filtering
Ease of saving capture to
file and downloading
Real time output
Highly flexible filtering
Capable of multiple
simultaneous captures

16. Bandwidth Usage Analysis
● Who’s using what, right now

17. VPN Troubleshooting

18. Port Forward Troubleshooting

19. Routing Troubleshooting

20. Case Study - DDoS Bot

21. Case Study - TCP Window 0

22. Questions?
Thanks for attending!
Comments, suggestions, etc. welcome to
gold@pfsense.org