Thursday, December 14, 2006

Tcpdump (Part One)

Tcpdump is a tool for network monitoring, protocol debugging and data acquisition. It is a packet capture utility built on libpcap. Tcpdump runs on UNIX platforms such as Linux, Solaris, BSD and HP-UX. Tcpdump must be able to put the interface into promiscuous mode to read all the traffic on the network segment. Normally, engineers use Tcpdump to capture network traffic and analysts use it to parse and analyze that traffic. More information about Tcpdump:

Here, I will discuss the basic usage of Tcpdump. I'm using FreeBSD, and you can install it from the FreeBSD ports tree; a port of the newest version is available in /usr/ports/net/tcpdump.

tcpdump -n -i <interface> -s <snaplen>

The switches in this syntax:
-n : do not resolve IP addresses to domain names or port numbers to service names
-i <interface> : which interface to watch
-s <snaplen> : how much of each packet to record, in bytes

Treating the -n, -i and -s switches as mandatory will prevent many problems, such as packet loss. I read this in the book The Tao of Network Security Monitoring: Beyond Intrusion Detection. One of the author's first recommendations was disabling name resolution, because the user was sending Tcpdump output to a text file. You need to specify an interface with -i to ensure that you're sniffing where you expect to sniff. He said that if you don't tell Tcpdump a snaplen value, it defaults to collecting 68 bytes. With the average IP header being 20 bytes and the TCP header being 20 bytes without options, only 28 bytes are left for application data. If 20 or more bytes of TCP options are present, hardly any application data will be seen. Nothing is more frustrating than deploying a sensor to log full content data only to find that most of the content was lost.

How to store full content data?
It's simple. You can use this command:
tcpdump -n -i <interface> -s <snaplen> -w <file>
-w <file> : write the raw packets to the named file instead of printing them to the screen

Figure 1: Example of tcpdump to store full content data

How to read stored full content data?

You can use Tcpdump to read trace files and see what they contain: give the -r switch plus the name of the capture file.
E.g.: tcpdump -n -r zaha.lpc | more (reads the full content data from the zaha.lpc file, a page at a time)

Figure 2: Example of tcpdump to read full content data

E.g.: tcpdump -n -r zaha.lpc -c 5 (-c 5 shows only the first 5 packets)

Figure 3: Example of tcpdump reading only 5 packets.

tcpdump -n -r zaha.lpc -c 5 tcp (shows only the first 5 TCP packets)
tcpdump -n -r zaha.lpc -c 5 udp (shows only the first 5 UDP packets)
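The capture and read-back steps above can be seen at the byte level with the following added example, a small pure-Python pcap writer and reader that is not part of this post or of tcpdump itself. It writes constructed sample packets with a given snaplen the way -w does, then reads them back with a packet count (like -c) and a one-word protocol filter (like tcp or udp), flagging every packet whose captured length is shorter than its wire length. Because the frames include the 14-byte Ethernet header that tcpdump also records on an interface, the old 68-byte default leaves only 34 bytes after the IP header for each sample packet. The addresses, timestamps and payloads are constructed.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4            # pcap magic; we write every field in network byte order
LINKTYPE_ETHERNET = 1
ETH_HDR = 14
IP_HDR = 20
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def build_packet(proto, payload):
    """Constructed Ethernet + IPv4 (no options) frame carrying `payload`.
    The transport header is folded into `payload` to keep the sample small."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, IP_HDR + len(payload), 0, 0x4000, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + payload


def write_pcap(packets, snaplen):
    """Serialise (timestamp, frame) pairs as tcpdump -w would: a global header that
    records the snaplen, then per-packet headers carrying captured length (incl_len)
    and wire length (orig_len). Bytes beyond snaplen are dropped, exactly as -s does."""
    blob = struct.pack("!IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, frame in packets:
        captured = frame[:snaplen]
        blob += struct.pack("!IIII", ts_sec, 0, len(captured), len(frame)) + captured
    return blob


def read_pcap(blob, count=None, proto_filter=None):
    """Walk a pcap blob like tcpdump -r. `count` mirrors -c; `proto_filter` ('tcp',
    'udp', 'icmp') mirrors the one-word filters used on the page and is applied to
    the IP protocol byte. Returns the file snaplen and one record per matching packet."""
    magic, _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack_from("!IHHiIII", blob, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a big-endian Ethernet pcap")
    offset, records = 24, []
    while offset + 16 <= len(blob):
        ts_sec, _ts_usec, incl_len, orig_len = struct.unpack_from("!IIII", blob, offset)
        offset += 16
        data = blob[offset:offset + incl_len]
        offset += incl_len
        proto_byte = data[ETH_HDR + 9] if len(data) > ETH_HDR + 9 else None
        proto = PROTO_NAMES.get(proto_byte, "other")
        if proto_filter is not None and proto != proto_filter:
            continue
        records.append({"ts": ts_sec, "proto": proto, "caplen": incl_len, "len": orig_len,
                        "truncated": incl_len < orig_len,
                        "bytes_after_ip": max(0, incl_len - ETH_HDR - IP_HDR)})
        if count is not None and len(records) >= count:
            break
    return snaplen, records


# Constructed sample traffic: three TCP segments, one UDP datagram and one ICMP
# message, each with a 20-byte transport header followed by 100 bytes of application data.
SAMPLE = [
    (1166000000 + i, build_packet(proto, b"\x00" * 20 + b"A" * 100))
    for i, proto in enumerate([6, 6, 17, 6, 1])
]


def compare_snaplens():
    """Capture the same frame with the old 68-byte default and with a full snaplen;
    returns the two records for the first packet."""
    _, short = read_pcap(write_pcap(SAMPLE, 68))
    _, full = read_pcap(write_pcap(SAMPLE, 65535))
    return short[0], full[0]


if __name__ == "__main__":
    short, full = compare_snaplens()
    print("snaplen 68   :", short)
    print("snaplen 65535:", full)
    _, tcp_only = read_pcap(write_pcap(SAMPLE, 65535), count=2, proto_filter="tcp")
    print("-c 2 tcp     :", [r["ts"] for r in tcp_only])
```

The truncated flag is the first check to run on any capture you did not take yourself: if caplen is shorter than len on most packets, the sensor was recording with too small a snaplen and the application data is already gone.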

Tcpdump representation of ICMP
Because ICMP has no concept of ports, the output is very simple for this example:
19:47:27.18921 IP <source IP> > <destination IP>: ICMP echo request, id 41992

19:47:27.18921 - Timestamp
<source IP> - Source IP
> - Direction indicator
<destination IP> - Destination IP
ICMP echo request - ICMP message type

Tcpdump representation of UDP

Tcpdump's representation of UDP is also very simple. Tcpdump doesn't know how to interpret traffic to port 6348, so it presents only the information we see below.

19:15:01.022565 IP <source IP>.3743 > <destination IP>.6348: UDP, length 33

19:15:01.022565 - Timestamp
<source IP> - Source IP
3743 - Source port
> - Direction indicator
<destination IP> - Destination IP
6348 - Destination port
UDP, length 33 - Size of the UDP datagram in bytes

Tcpdump representation of TCP
TCP is more complicated than ICMP or UDP.

Packet 1:
20:25:29.153180 <source IP>.34800 > <destination IP>.4201: S 3254677536:3254677536(0) win 5630 <mss 1460,sackOK,timestamp 27027249 0,nop,wscale 0> (DF)

Packet 2:
20:25:29.153301 <destination IP>.4201 > <source IP>.34800: S 3206427300:3206427300(0) ack 3254677537 win 17520 (DF)

Packet 3:
20:25:29.153767 <source IP>.34800 > <destination IP>.4201: . ack 3206427301 win 5630 (DF)

Packet 1 analysis:
20:25:29.153180 - Timestamp
<source IP> - Source IP
34800 - Source port
> - Direction indicator
<destination IP> - Destination IP
4201 - Destination port
S - TCP SYN flag is set
3254677536 - TCP initial sequence number (ISN)
3254677536 - Sequence number of the next byte of application data expected by
0 - Count of application data bytes in this segment
win 5630 - Size of the TCP window in bytes
mss 1460 - TCP option for maximum segment size (MSS), set to 1460 bytes
sackOK - Selective acknowledgement, another TCP option, supported by the source host
timestamp 27027249 0 - Timestamp value (27027249) and timestamp echo reply setting (0)
nop - Means "no operation"; included to pad the TCP options section
wscale 0 - Sender supports TCP window scaling; current multiplier is
(DF) - Specifies "do not fragment" for this packet

These three packets represent the TCP three-way handshake. Packet 1 (the SYN) is the first step; the next two steps are packet 2 (the SYN/ACK) and packet 3 (the ACK).
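As an added example that is not the post's own code, here is a Python parser for the tcpdump 3.x TCP line format shown above, together with a checker that verifies the three lines form a consistent handshake by the same sequence-number arithmetic an analyst does by eye (each ack must equal the peer's ISN + 1). The sample lines reuse the page's ports, sequence numbers and options; the documentation-range addresses (192.0.2.x) and the exact line layout are assumptions standing in for the redacted hosts.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Matches the tcpdump 3.x TCP line format used on the page:
#   HH:MM:SS.usec [IP ]src.sport > dst.dport: FLAGS [seq:end(len)] [ack N] win W [<opts>] [(DF)]
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?:IP )?"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<dlen>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r" win (?P<win>\d+)"
    r"(?: <(?P<opts>[^>]*)>)?"
    r"(?P<df> \(DF\))?$"
)


@dataclass
class TcpSegment:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq: Optional[int]
    dlen: int
    ack: Optional[int]
    win: int
    options: dict = field(default_factory=dict)
    df: bool = False


def parse_options(text):
    """'mss 1460,sackOK,timestamp 27027249 0,nop,wscale 0' ->
    {'mss': 1460, 'sackOK': True, 'timestamp': (27027249, 0), 'nop': True, 'wscale': 0}"""
    opts = {}
    if not text:
        return opts
    for item in text.split(","):
        parts = item.strip().split()
        name, args = parts[0], [int(a) for a in parts[1:]]
        opts[name] = True if not args else (args[0] if len(args) == 1 else tuple(args))
    return opts


def parse_tcp_line(line):
    """Turn one tcpdump TCP output line into a TcpSegment; rejects anything else."""
    m = TCP_LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    g = m.groupdict()
    return TcpSegment(
        ts=g["ts"], src=g["src"], sport=int(g["sport"]), dst=g["dst"], dport=int(g["dport"]),
        flags=g["flags"], seq=int(g["seq"]) if g["seq"] else None,
        dlen=int(g["dlen"]) if g["dlen"] else 0,
        ack=int(g["ack"]) if g["ack"] else None, win=int(g["win"]),
        options=parse_options(g["opts"]), df=g["df"] is not None,
    )


def check_handshake(lines):
    """Return [] if the first three lines form a consistent SYN, SYN/ACK, ACK exchange,
    otherwise a list describing each inconsistency found."""
    syn, synack, ack = (parse_tcp_line(l) for l in lines[:3])
    problems = []
    if syn.flags != "S" or syn.ack is not None or syn.seq is None:
        problems.append("packet 1 is not a bare SYN")
    if synack.flags != "S" or synack.seq is None or syn.seq is None or synack.ack != syn.seq + 1:
        problems.append("packet 2 is not a SYN/ACK acknowledging client ISN + 1")
    if (synack.src, synack.sport, synack.dst, synack.dport) != (syn.dst, syn.dport, syn.src, syn.sport):
        problems.append("packet 2 does not flow from the server socket back to the client socket")
    if ack.flags != "." or ack.dlen != 0 or synack.seq is None or ack.ack != synack.seq + 1:
        problems.append("packet 3 is not a bare ACK acknowledging server ISN + 1")
    return problems


# Constructed sample lines: the page's ports, sequence numbers and options, with
# documentation-range addresses (192.0.2.x) in place of the redacted hosts.
HANDSHAKE = [
    "20:25:29.153180 IP 192.0.2.10.34800 > 192.0.2.20.4201: S 3254677536:3254677536(0) win 5630 <mss 1460,sackOK,timestamp 27027249 0,nop,wscale 0> (DF)",
    "20:25:29.153301 IP 192.0.2.20.4201 > 192.0.2.10.34800: S 3206427300:3206427300(0) ack 3254677537 win 17520 (DF)",
    "20:25:29.153767 IP 192.0.2.10.34800 > 192.0.2.20.4201: . ack 3206427301 win 5630 (DF)",
]

if __name__ == "__main__":
    print(parse_tcp_line(HANDSHAKE[0]))
    print("handshake problems:", check_handshake(HANDSHAKE) or "none")
```

Feeding the checker a capture where packet 3 acknowledges the wrong number (for instance a replayed or spoofed ACK) yields a problem entry instead of an empty list, which is the kind of consistency test worth automating once tcpdump output is being reviewed in bulk rather than by eye.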

This is part one on Tcpdump: an introduction and its basic usage. In part two, I will discuss the usage of the Tcpdump tool in more depth. If you want to learn more about Tcpdump, you must have an understanding of TCP/IP.


Anonymous said...

He said that if you don't tell Tcpdump a snaplen value, it defaults to collect 68 bytes

I think the default collect value for tcpdump is 96 bytes
