Previous Section  < Day Day Up >  Next Section

2.7 Running tcpdump

Knowing the basics behind the captured tcpdump data, we can start looking at how to use tcpdump within the network. tcpdump can be used to test lines and network connections or sniff packets. There may be instances when problems arise within the network and you cannot physically lay hands on any machines for testing. It is times such as these that tcpdump comes in handy. If you can secure shell or SSH into a machine on the network and configure your network card to run in promiscuous mode, you can sniff the packets flowing by and later analyze them for issues.

It's interesting to note that tcpdump captures packets before the kernel receives them and after they leave it. Even more importantly, the packets are captured before they are processed by Netfilter. tcpdump allows you to see if the packets are arriving; it can also check the local machine for faulty configurations in the event of network problems.

If you are not sniffing from a remote host through an SSH session, instead of the client itself, be careful! You can end up sniffing your own terminal session traffic. tcpdump generates line after line of output that gets sent to your client through the terminal session, which generates more traffic, which gets sniffed, which... well, you get the idea. You can exclude the traffic generated by your terminal session with careful filtering (discussed later in the chapter).


Because tcpdump is command-line based, it is easy to run on any machine. You need not worry about a GUI interface as you would with ethereal. Rather than viewing the packets in real-time via the console, it is often more useful to capture them to a logfile and then use secure FTP (SFTP) or Secure Copy (SCP) to transfer the logs to another location. Use ethereal to better analyze the content.

2.7.1 Syntax Options

There are a few ways to run tcpdump from the command line. Rather than viewing every packet as it scrolls across the screen, write the data to a temporary file. If your network is as busy as mine, it will be impossible to view everything. Even if you could, you may drop packets, since a standard display cannot keep up with normal network speed. The console uses a serial terminal connection emulation, which has a speed far less then 100 MBit/s.

This example shows tcpdump writing data to a temp file:

# tcpdump -w /tmp/tcpdump.out

After capturing the data in raw binary format, use tcpdump to read or print the data in human-readable form. tcpdump is a better interpreter than WinDump, the Windows equivalent. WinDump sometimes experiences errors when reinterpreting raw data. There have been some reports that the latest alpha release of winpcap broke the ability to capture dial-up and PPP traffic. In other words, all ndiswan traffic from modem devices is inaccessible. Use an older, more stable version of WinDump and the winpcap library if you need to view this type of traffic on a Windows system.

# tcpdump -r /tmp/tcpdump.out

tcpdump can also collect data through a filter. Not all packets must be viewed; only those of interest are presented for further study. tcpdump filters are explained in more detail in the next section.

# tcpdump -F /home/myname/tcp.filter

To disable name/port resolution, use the following option:

# tcpdump -nn

While the -n option is enough to prohibit the conversion of host addresses to names, the -nn option disables the conversion of protocol and port numbers to names as well.


You can further modify the data gathered and view only MAC addresses of the source and destination network interface cards. The following option disables name resolution and shows only MAC addresses:

# tcpdump -e

Inorder to specify a specific number of packets to capture (useful on very busy networks or as protection against sniffing your own terminal traffic) you can use this (here we're specifying 100 packets):

# tcpdump -c 100

To specify how much of the packet to capture, use the -s (snaplength) option. I have been burned by not capturing enough of the packet to capture what I'm looking for. Here we are going to capture the first 1,500 bytes of the packet:

# tcpdump -s 1500

For more tcpdump options, consult the tcpdump manpage. Some options include sniffing data through a specific interface and stipulating the number of bytes for collection. You can also assign tcpdump to listen only for a specific host or traffic on a particular network or subnet. Using tcpdump in real-life situations is the best way to become familiar with your network traffic.

2.7.2 tcpdump Filters

tcpdump's power lies in its ability to filter out any unimportant data. Filters are usually additional options affixed to the end of the tcpdump command that specify which packets should be captured or examined. The examples below outline ways to filter for specific hosts, networks, or protocols. tcpdump can perform much more complex filtering. Knowing the TCP/IP header layout (down to the specific bits!) and what fields define which protocol, flags, options, and so forth is crucial to being able to create these more complex tcpdump filters. Filtering this complex is more easily performed using one of the GUI sniffers, like ethereal. If you're capturing traffic on a remote system, it's a good idea to dump the traffic to a file (using the -w option) with tcpdump and analyze the file using ethereal on another machine.

The following examples filter packets by running tcpdump against saved binary data (a common technique). For example, if I use SSH to securely connect to another machine but want to capture all traffic without seeing the local SSH packets generated by my connection, I filter all SSH packets using this command:

# tcpdump -r /tmp/tcpdump.out not port ssh

In order to view only traffic from a certain IP address and no port 22 or SSH traffic, I would use:

# tcpdump -r /tmp/tcpdump.out host 192.168.10.5 and not port ssh

Also, say I want to restrict tcpdump to a single port and host:

# tcpdump -r /tmp/tcpdump.out -n host 192.168.10.5 and port 80

To watch traffic between two specific hosts, I would use:

# tcpdump -r /tmp/tcpdump.out host 192.168.10.5 and host 192.168.10.10

2.7.3 tcpdump Capture of the TCP Three-Way Handshake

Test your skills by looking at the tcpdump output below (my laptop checking slashdot.org for the latest news):

22:21:50.378070 192.168.1.104.4268 > slashdot.org.http: S 1626477748:1626477748(0) 

win 64512 <mss 1260,nop,nop,sackOK> (DF)



22:21:50.488810 slashdot.org.http > 192.168.1.104.4268: S 3322271704:3322271704(0) 

ack 1626477749 win 5840 <mss 1460,nop,nop,sackOK> (DF)



22:21:50.489146 192.168.1.104.4268 > slashdot.org.http: . ack 1 win 64512 (DF)

    Previous Section  < Day Day Up >  Next Section