TCPDUMP – NETWORK ANALYSIS TOOL

INTRODUCTION

tcpdump is a tool for network monitoring, protocol debugging and data acquisition. It is a network packet sniffer that runs from the command line. This document gives an overview of the tcpdump tool.

HISTORY

tcpdump allows the user to intercept and display the TCP/IP and other network packets that are being transmitted or received over a network to which the computer is attached.

The tool was originally written by Van Jacobson, Craig Leres and Steven McCanne who were working in the Lawrence Berkeley Laboratory Network Research Group.

DESCRIPTION

tcpdump is a premier network analysis tool used by security professionals.

The tcpdump tool listens to and records traffic on a network segment. It is highly useful for troubleshooting and monitoring network activity, and it runs from the command line. The tool prints out the headers of packets on a network interface that match the expression given as part of the command; in all cases, only packets that match the expression are processed by tcpdump.

The simplest way to use the tool is to run it with the ‘-i’ option, specifying which network interface must be used. This dumps a summary of all the network packets transmitted and received on that interface.

It is always good to specify the correct network interface explicitly with the ‘-i’ option. If there are DNS problems, tcpdump might hang trying to look up DNS names for IP addresses; to disable name resolution use the -f or -n options.

The tool can also be run with the -w option, which saves the packet data into a file for later analysis. The file can be opened in Wireshark to interpret the requests and responses: the request headers, request body, response body and so on can be viewed there, which is a great help in analyzing network problems.

The tool, when not run with the -c flag, will continue capturing packets until interrupted by a SIGINT signal (typically control-C) or a SIGTERM signal (typically the kill command); if run with the -c option, the packets will be captured until interrupted by a SIGINT or SIGTERM signal or the specified number of packets have been processed.

When capturing finishes, the tool reports the number of packets received by the filter.


Here are different usages:

tcpdump -w test.pcap -i eth1 tcp port 6881

The TCP packets that flow over the network interface eth1 on port 6881 are captured and stored in the test.pcap file.

tcpdump -w test.pcap -i eth1 tcp port 6881 or udp port \( 33210 or 33220 \)

The TCP packets that flow over the network interface eth1 on port 6881, as well as UDP packets on port 33210 or 33220, are captured and stored in the test.pcap file. The parentheses are escaped so that the shell passes them through to tcpdump unchanged.

COMMON USES

When preliminary troubleshooting does not solve a network problem, tcpdump is the only utility that gives the details at the packet or frame level.

The ‘tcpdump’ tool is used to debug the applications which generate or receive network traffic. It can also be used for debugging the network setup itself, by determining whether all the necessary routing is occurring properly, allowing the user to further isolate the source of a problem.

There may also be scenarios that call for intercepting and displaying the communication of another computer on the same network segment; the tool can be used for such purposes as well.

tcpdump is also an excellent tool to help diagnose denial of service (DoS) attacks. These attacks are somewhat hard to identify, since they normally consist of allowable traffic, but in large quantity.
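As an added example (not part of the original article), the following Python script applies this idea to the one-line summaries tcpdump prints when run with -n and -tttt: it parses each line and flags sources that keep sending bare SYNs without ever completing a handshake, which is how a SYN flood shows up inside otherwise allowable traffic. The sample lines are constructed rather than captured, and the threshold of five SYNs is an assumption for illustration.

```python
import re
from collections import Counter

# One-line IPv4 summary as printed by tcpdump -n -tttt (numeric addresses, date and time), e.g.
# 2024-05-01 10:00:00.000101 IP 203.0.113.7.40001 > 198.51.100.10.80: Flags [S], seq 1, win 64240, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")


def parse_line(line):
    """Return the fields of one summary line, or None if it is not an IPv4 line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    f = FLAGS_RE.search(rec["rest"])
    rec["flags"] = f.group(1) if f else None  # None for non-TCP lines such as DNS over UDP
    return rec


def syn_flood_suspects(lines, min_syns=5):
    """(src, dst, dport) triples that sent >= min_syns bare SYNs and never an ACK.

    A real client sends one SYN and then ACKs ('.' in tcpdump's flag notation);
    a flood source only ever shows 'Flags [S]'. min_syns is an assumed threshold."""
    syns, acked = Counter(), set()
    for rec in filter(None, map(parse_line, lines)):
        key = (rec["src"], rec["dst"], rec["dport"])
        if rec["flags"] == "S":
            syns[key] += 1
        elif rec["flags"] and "." in rec["flags"]:
            acked.add(key)
    return sorted(k for k, n in syns.items() if n >= min_syns and k not in acked)


# Constructed sample (not real traffic): one host hammering port 80 with bare SYNs from
# six source ports, one host completing a normal handshake, and one DNS query over UDP.
SAMPLE = [
    "2024-05-01 10:00:00.%06d IP 203.0.113.7.%d > 198.51.100.10.80: Flags [S], seq 0, win 1024, length 0"
    % (i * 100, 40000 + i) for i in range(6)
] + [
    "2024-05-01 10:00:01.000001 IP 192.0.2.20.51000 > 198.51.100.10.80: Flags [S], seq 10, win 64240, length 0",
    "2024-05-01 10:00:01.000900 IP 192.0.2.20.51000 > 198.51.100.10.80: Flags [.], ack 1, win 502, length 0",
    "2024-05-01 10:00:01.001200 IP 192.0.2.20.51000 > 198.51.100.10.80: Flags [P.], seq 1:80, ack 1, win 502, length 79",
    "2024-05-01 10:00:02.000000 IP 192.0.2.21.53000 > 198.51.100.10.53: 12345+ A? example.com. (29)",
]
```

For a live check, feed the lines of `tcpdump -n -tttt -i eth1` through sys.stdin to syn_flood_suspects instead of SAMPLE.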

SUPPORTED OPERATING SYSTEMS

tcpdump works on most Unix-like operating systems: Linux, Solaris, BSD, Mac OS X, HP-UX and AIX among others. On these systems, the tool uses the libpcap library to capture packets.

There is also a flavor of tcpdump for Windows called WinDump; this Windows flavor uses WinPcap, the Windows equivalent of libpcap.

On most Unix-like operating systems, the user must have superuser (root) privileges to use tcpdump, because the packet capturing mechanism requires elevated privileges for security reasons. This can be overcome by configuring the packet capturing mechanism to allow non-privileged users to use it. A related precaution is the -U option documented in the appendix, which makes tcpdump drop root privileges once the capture has started.

CONCLUSION

Using a tool that displays network traffic in a raw form shifts the burden of analysis onto the human rather than onto another application. This approach cultivates a continued and deepening understanding of the TCP/IP suite. I strongly advocate using tcpdump instead of other tools whenever possible for this reason.


APPENDIX

The relevant parts of the tcpdump man page are reproduced here for reference.

Synopsis

tcpdump [ -adeflnNOpqRStuvxX ] [ -c count ]
         [ -C file_size ] [ -F file ]
         [ -i interface ] [ -m module ] [ -r file ]
         [ -s snaplen ] [ -T type ] [ -U user ] [ -w file ]
         [ -E algo:secret ] [ expression ]

Options

-a      Attempt to convert network and broadcast addresses to names.

-c      Exit after receiving count packets.

-C      Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 2 and continuing upward. The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).

-d      Dump the compiled packet-matching code in a human readable form to standard output and stop.

-dd     Dump packet-matching code as a C program fragment.

-ddd    Dump packet-matching code as decimal numbers (preceded with a count).

-e      Print the link-level header on each dump line.

-E      Use algo:secret for decrypting IPsec ESP packets. Algorithms may be des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc, or none. The default is des-cbc. The ability to decrypt packets is only present if tcpdump was compiled with cryptography enabled. secret is the ASCII text of the ESP secret key; an arbitrary binary value cannot be given at this moment. The option assumes RFC2406 ESP, not RFC1827 ESP. The option is only for debugging purposes, and the use of this option with a truly secret key is discouraged. By presenting the IPsec secret key on the command line you make it visible to others, via ps(1) and other means.

-f      Print "foreign" internet addresses numerically rather than symbolically (this option is intended to get around serious brain damage in Sun's yp server, which usually hangs forever translating non-local internet numbers).

-F      Use file as input for the filter expression. An additional expression given on the command line is ignored.

-i      Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback). Ties are broken by choosing the earliest match.

-m      Load SMI MIB module definitions from file module. This option can be used several times to load several MIB modules into tcpdump.

-n      Don't convert host addresses to names. This can be used to avoid DNS lookups.

-nn     Don't convert protocol and port numbers etc. to names either.

-N      Don't print domain name qualification of host names. E.g., if you give this flag then tcpdump will print "nic" instead of "nic.ddn.mil".

-O      Do not run the packet-matching code optimizer. This is useful only if you suspect a bug in the optimizer.

-p      Don't put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, -p cannot be used as an abbreviation for 'ether host {local-hw-addr} or ether broadcast'.

-q      Quick (quiet?) output. Print less protocol information so output lines are shorter.

-R      Assume ESP/AH packets to be based on the old specification (RFC1825 to RFC1829). If specified, tcpdump will not print the replay prevention field. Since there is no protocol version field in the ESP/AH specification, tcpdump cannot deduce the version of the ESP/AH protocol.

-r      Read packets from file (which was created with the -w option). Standard input is used if file is "-".

-S      Print absolute, rather than relative, TCP sequence numbers.

-s      Snarf snaplen bytes of data from each packet rather than the default of 68 (with SunOS's NIT, the minimum is actually 96). 68 bytes is adequate for IP, ICMP, TCP and UDP but may truncate protocol information from name server and NFS packets (see below). Packets truncated because of a limited snapshot are indicated in the output with "[|proto]", where proto is the name of the protocol level at which the truncation has occurred. Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number that will capture the protocol information you're interested in. Setting snaplen to 0 means use the required length to catch whole packets.

-T      Force packets selected by "expression" to be interpreted as the specified type. Currently known types are cnfp (Cisco NetFlow protocol), rpc (Remote Procedure Call), rtp (Real-Time Applications protocol), rtcp (Real-Time Applications control protocol), snmp (Simple Network Management Protocol), vat (Visual Audio Tool), and wb (distributed White Board).

-t      Don't print a timestamp on each dump line.

-tt     Print an unformatted timestamp on each dump line.

-ttt    Print a delta (in microseconds) between the current and previous line on each dump line.

-tttt   Print a timestamp in default format preceded by the date on each dump line.

-u      Print undecoded NFS handles.

-U      Drop root privileges and change the user ID to user and the group ID to the primary group of user.

-v      (Slightly more) verbose output. For example, the time to live, identification, total length and options in an IP packet are printed. Also enables additional packet integrity checks such as verifying the IP and ICMP header checksum.

-vv     Even more verbose output. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.

-vvv    Even more verbose output. For example, telnet SB ... SE options are printed in full. With -X telnet options are printed in hex as well.

-w      Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is "-".

-x      Print each packet (minus its link level header) in hex. The smaller of the entire packet or snaplen bytes will be printed. Note that this is the entire link-layer packet, so for link layers that pad (e.g. Ethernet), the padding bytes will also be printed when the higher layer packet is shorter than the required padding.

-X      When printing hex, print ASCII too. Thus if -x is also set, the packet is printed in hex/ASCII. This is very handy for analysing new protocols. Even if -x is not also set, some parts of some packets may be printed in hex/ASCII.

Expression

The expression selects which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which expression is `true' will be dumped.

The expression consists of one or more primitives. Primitives usually consist of an id (name or number) preceded by one or more qualifiers. There are three different kinds of qualifier:

type    qualifiers say what kind of thing the id name or number refers to. Possible types are host, net and port. E.g., `host foo', `net 128.3', `port 20'. If there is no type qualifier, host is assumed.

dir      qualifiers specify a particular transfer direction to and/or from id. Possible directions are src, dst, src or dst and src and dst. E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'. If there is no dir qualifier, src or dst is assumed. For `null' link layers (i.e. point to point protocols such as slip) the inbound and outbound qualifiers can be used to specify a desired direction.

proto   qualifiers restrict the match to a particular protocol. Possible protos are: ether, fddi, tr, ip, ip6, arp, rarp, decnet, tcp and udp. E.g., `ether src foo', `arp net 128.3', `tcp port 21'. If there is no proto qualifier, all protocols consistent with the type are assumed. E.g., `src foo' means `(ip or arp or rarp) src foo' (except the latter is not legal syntax), `net bar' means `(ip or arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'.

More complex filter expressions are built up by using the words and, or and not to combine primitives. E.g., `host foo and not port ftp and not port ftp-data'. To save typing, identical qualifier lists can be omitted. E.g., `tcp dst port ftp or ftp-data or domain' is exactly the same as `tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'.
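As an added example (not from the article or the tcpdump project), the following Python function implements the shorthand rule just described: a bare id after and/or inherits the qualifier list of the preceding primitive, so the abbreviated filter above is rewritten to its fully spelled-out form. It knows the qualifier keywords listed in this excerpt, treats a lone protocol name as a complete primitive, and rejects parenthesised groups, which are out of scope here.

```python
# Qualifier keywords as listed in the man page excerpt above.
PROTO = {"ether", "fddi", "tr", "ip", "ip6", "arp", "rarp", "decnet", "tcp", "udp"}
DIR = {"src", "dst"}
TYPE = {"host", "net", "port"}
QUALIFIERS = PROTO | DIR | TYPE
CONNECTIVES = {"and", "or", "not"}


def expand_filter(expr):
    """Rewrite a filter so every id carries its full qualifier list.

    'tcp dst port ftp or ftp-data' becomes 'tcp dst port ftp or tcp dst port ftp-data'.
    Parenthesised groups are out of scope for this helper and raise ValueError."""
    if "(" in expr or ")" in expr:
        raise ValueError("parenthesised groups are not handled")
    toks, out, last_quals, i = expr.split(), [], [], 0
    while i < len(toks):
        if toks[i] in CONNECTIVES:  # glue between primitives; copied through unchanged
            out.append(toks[i])
            i += 1
            continue
        quals = []
        while i < len(toks) and toks[i] in QUALIFIERS:
            quals.append(toks[i])
            i += 1
            # 'src or dst' / 'src and dst' is a single dir qualifier, not two primitives
            if quals[-1] in DIR and i + 1 < len(toks) and toks[i] in ("or", "and") and toks[i + 1] in DIR:
                quals += [toks[i], toks[i + 1]]
                i += 2
        if i == len(toks) or toks[i] in CONNECTIVES:
            if len(quals) == 1 and quals[0] in PROTO:  # a bare protocol ('arp', 'tcp') is complete
                out.append(quals[0])
                continue
            raise ValueError("qualifier without an id: " + " ".join(quals))
        ident = toks[i]
        i += 1
        if quals:
            last_quals = quals
        elif last_quals:
            quals = last_quals  # the man page's shorthand: inherit the previous qualifier list
        else:
            quals = ["host"]  # no type qualifier at all means host
        out.append(" ".join(quals + [ident]))
    return " ".join(out)
```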


