2.7 Running tcpdump
Knowing the basics behind the captured tcpdump
data, we can start looking at how to use tcpdump within the network.
tcpdump can be used to test lines and network connections or sniff
packets. There may be instances when problems arise within the
network and you cannot physically lay hands on any machines for
testing. It is times such as these that tcpdump comes in handy. If
you can secure shell or SSH into a machine on the network and
configure your network card to run in promiscuous mode, you can sniff
the packets flowing by and later analyze them for issues.
It's interesting to note that tcpdump captures
packets before the kernel receives them and after they leave it. Even
more importantly, the packets are captured before they are processed
by Netfilter. tcpdump allows you to see if the packets are arriving;
it can also check the local machine for faulty configurations in the
event of network problems.
If you are sniffing on a remote host through an SSH session, rather
than on the client itself, be careful! You can end up sniffing your
own terminal session traffic. tcpdump generates line after line of
output that gets sent to your client through the terminal session,
which generates more traffic, which gets sniffed, which... well, you
get the idea. You can exclude the traffic generated by your terminal
session with careful filtering (discussed later in the chapter).
Because tcpdump is command-line based, it is easy to run on any
machine. You need not worry about a GUI interface as you would with
ethereal. Rather than viewing the packets in real-time via the
console, it is often more useful to capture them to a logfile and
then use secure FTP (SFTP) or Secure Copy (SCP) to transfer the logs
to another location. Use ethereal to better analyze the content.
2.7.1 Syntax Options
There are a few ways to run
tcpdump from the command line. Rather
than viewing every packet as it scrolls across the screen, write the
data to a temporary file. If your network is as busy as mine, it will
be impossible to view everything. Even if you could, you may drop
packets, since a standard display cannot keep up with normal network
speed. The console uses a serial terminal connection emulation, which
has a speed far less than 100 MBit/s.
This example shows
tcpdump writing data to a
temp file:
# tcpdump -w /tmp/tcpdump.out
After capturing the data in raw binary format, use tcpdump to read or
print the data in human-readable form:
# tcpdump -r /tmp/tcpdump.out
tcpdump is a better interpreter than WinDump, the Windows equivalent.
WinDump sometimes experiences errors when reinterpreting raw data.
There have been some reports that the latest alpha release of winpcap
broke the ability to capture dial-up and PPP traffic. In other words,
all ndiswan traffic from modem devices is inaccessible. Use an older,
more stable version of WinDump and the winpcap library if you need to
view this type of traffic on a Windows system.
tcpdump can also collect data through a filter. Not all packets must
be viewed; only those of interest are presented for further study.
tcpdump filters are explained in more detail in the next section. In
this example the -F option reads the filter expression from a file:
# tcpdump -F /home/myname/tcp.filter
To disable name/port resolution, use the following option:
# tcpdump -nn
While the -n option is enough to prohibit the conversion of host
addresses to names, the -nn option disables the conversion of protocol
and port numbers to names as well.
You can further modify the data gathered and view only MAC addresses
of the source and destination network interface cards. The following
option disables name resolution and shows only MAC addresses:
# tcpdump -e
In order to specify a specific number of packets to capture (useful on
very busy networks or as protection against sniffing your own
terminal traffic), you can use this (here we're specifying 100
packets):
# tcpdump -c 100
To specify how much of the packet to capture, use the
-s (snaplength) option. I have been
burned by not capturing enough of the packet to capture what
I'm looking for. Here we are going to capture the
first 1,500 bytes of the packet:
# tcpdump -s 1500
For more tcpdump options, consult the tcpdump manpage. Some options
include sniffing data through a specific interface and stipulating
the number of bytes for collection. You can also assign tcpdump to
listen only for a specific host or traffic on a particular network or
subnet. Using tcpdump in real-life situations is the best way to
become familiar with your network traffic.
2.7.2 tcpdump Filters
tcpdump's
power lies in its ability to filter out any unimportant data. Filters
are usually additional options affixed to the end of the tcpdump
command that specify which packets should be captured or examined.
The examples below outline ways to filter for specific hosts,
networks, or protocols. tcpdump can perform much more complex
filtering. Knowing the TCP/IP header layout (down to the specific
bits!) and what fields define which protocol, flags, options, and so
forth is crucial to being able to create these more complex tcpdump
filters. Filtering this complex is more easily performed using one of
the GUI sniffers, like ethereal. If you're capturing
traffic on a remote system, it's a good idea to dump
the traffic to a file (using the -w option) with
tcpdump and analyze the file using ethereal on another machine.
The following examples filter packets by running tcpdump against
saved binary data (a common technique). For example, if I use SSH to
securely connect to another machine but want to capture all traffic
without seeing the local SSH packets generated by my connection, I
filter all SSH packets using this command:
# tcpdump -r /tmp/tcpdump.out not port ssh
In order to view only traffic from a certain IP address and no port
22 or SSH traffic, I would use:
# tcpdump -r /tmp/tcpdump.out host 192.168.10.5 and not port ssh
Also, say I want to restrict tcpdump to a single port and host:
# tcpdump -r /tmp/tcpdump.out -n host 192.168.10.5 and port 80
To watch traffic between two specific hosts, I would use:
# tcpdump -r /tmp/tcpdump.out host 192.168.10.5 and host 192.168.10.10
2.7.3 tcpdump Capture of the TCP Three-Way Handshake
Test your skills by looking at the
tcpdump output below
(my laptop checking slashdot.org for the latest news):
22:21:50.378070 192.168.1.104.4268 > slashdot.org.http: S 1626477748:1626477748(0) win 64512 <mss 1260,nop,nop,sackOK> (DF)
22:21:50.488810 slashdot.org.http > 192.168.1.104.4268: S 3322271704:3322271704(0) ack 1626477749 win 5840 <mss 1460,nop,nop,sackOK> (DF)
22:21:50.489146 192.168.1.104.4268 > slashdot.org.http: . ack 1 win 64512 (DF)
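To check the exchange above mechanically rather than by eye, here is an added Python example (not from the book) that parses tcpdump's classic TCP output format and verifies the SYN, SYN-ACK, ACK relationship, including the relative-versus-absolute acknowledgment number caveat visible in the third line. It assumes the line layout shown here (hostnames printed without -n, no spaces inside an endpoint) and goes slightly beyond the page by also reporting what is wrong when the three packets do not fit together.

```python
import re

# Constructed sample: the three handshake lines from the section above, with
# tcpdump's wrapped continuation lines joined back onto one line each.
HANDSHAKE_CAPTURE = """\
22:21:50.378070 192.168.1.104.4268 > slashdot.org.http: S 1626477748:1626477748(0) win 64512 <mss 1260,nop,nop,sackOK> (DF)
22:21:50.488810 slashdot.org.http > 192.168.1.104.4268: S 3322271704:3322271704(0) ack 1626477749 win 5840 <mss 1460,nop,nop,sackOK> (DF)
22:21:50.489146 192.168.1.104.4268 > slashdot.org.http: . ack 1 win 64512 (DF)
"""

# One classic-format tcpdump TCP line: time, endpoints, flags, optional
# seq:end(len), optional ack, and the advertised window.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+)"
    r"(?: (?P<seq>\d+):\d+\(\d+\))?(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)

def parse_capture(text):
    """Parse each TCP line tcpdump printed; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            for k in ("seq", "ack", "win"):
                p[k] = int(p[k]) if p[k] is not None else None
            pkts.append(p)
    return pkts

def handshake_problems(pkts):
    """Return findings; an empty list means a clean SYN / SYN-ACK / ACK exchange."""
    if len(pkts) < 3:
        return ["need three packets for a handshake"]
    syn, synack, ack = pkts[:3]
    problems = []
    if "S" not in syn["flags"] or syn["ack"] is not None:
        problems.append("first packet is not a bare SYN")
    if "S" not in synack["flags"] or synack["ack"] is None:
        problems.append("second packet is not a SYN-ACK")
    elif (synack["src"], synack["dst"]) != (syn["dst"], syn["src"]):
        problems.append("SYN-ACK does not come from the SYN's destination")
    elif synack["ack"] != (syn["seq"] or 0) + 1:
        problems.append(f"SYN-ACK acks {synack['ack']}, expected {(syn['seq'] or 0) + 1}")
    # Without -S tcpdump switches to relative numbers from the third packet on,
    # so the final ACK reads 'ack 1' here; accept the absolute ISN+1 as well.
    if "S" in ack["flags"] or ack["ack"] not in (1, (synack["seq"] or 0) + 1):
        problems.append("third packet does not acknowledge the SYN-ACK")
    return problems
```

Run `handshake_problems(parse_capture(HANDSHAKE_CAPTURE))` on the sample and it returns an empty list; feed it a capture read back with `tcpdump -r` and the same check applies to any three-line handshake in that format.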