Sunday, March 31, 2013

tcpdump (Packet Sniffer)

Hello Everybody,
Today I want to talk about a very interesting tool called tcpdump. Tcpdump is a packet sniffer like Wireshark. It listens to network traffic and records or prints the packets that meet criteria of your choice.

Tcpdump is good for troubleshooting your network. For example, when you don't know what the issue in your network is, or you know the issue but want to discover its root cause, tcpdump can help you solve these kinds of problems. Tcpdump is also good for security purposes. For instance, you can find the source IP address of attackers on your network.

Tcpdump is installed on Linux by default. If not, you can install it with the following command:

yum install tcpdump

Tcpdump listens on the first network interface by default, for example eth0. However, you can change the interface with the -i flag:

tcpdump -i eth1

You can skip name lookups with the -n flag. For instance, when DNS is broken, you can use the following command:

tcpdump -n

The -v flag produces verbose output such as time to live, identification, total length and options in an IP packet. The -vv flag produces even more verbose output.

You can filter the packets by a specific machine or network. For example, the following command filters the packets by source IP address:

tcpdump host 192.168.2.12

Figure 1

Figure 2

You can dump the output to a file for later use or review with the -w flag. Note that tcpdump -w saves only packet headers by default. Use the -s option with a value of 1560 (the MTU size) to capture whole packets.

Figure 3

Figure 4

Note:
You can't use the cat command or other editors to look at the capture file written by the above command. Look at the following picture (Figure 5).

Figure 5

Instead, use the -r flag to see the output:

tcpdump -r name-of-file

Figure 6

If you look at the picture above, the first packet shows 192.168.2.12, with port number 49025, sending a DNS lookup request for mytestmachine.localhost to R1J. Since the server port number (53) is well known, tcpdump shows its symbolic name, domain.

17:42:07.993359 IP 192.168.2.12.49025 > R1J.domain: 2821+ A? mytestmachine.localhost. (41)
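As an added example (not part of the original post), here is a small POSIX shell script that reads lines in the same text format as the one above and tallies DNS queries per source address, the kind of check the "find the source IP address" use case calls for. The sample lines are constructed for the demonstration, not taken from a real capture, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -n` text output (not a real capture). Each line
# has the same shape as the DNS lookup shown in the post:
#   <time> IP <src-ip>.<src-port> > <dst-ip>.<dst-port>: <payload summary>
SAMPLE='17:42:07.993359 IP 192.168.2.12.49025 > 192.168.2.1.53: 2821+ A? mytestmachine.localhost. (41)
17:42:07.994102 IP 192.168.2.1.53 > 192.168.2.12.49025: 2821 NXDomain 0/1/0 (116)
17:42:08.120440 IP 192.168.2.77.40211 > 192.168.2.1.53: 1001+ A? example.test. (30)
17:42:08.130001 IP 192.168.2.77.40212 > 192.168.2.1.53: 1002+ A? example.test. (30)
17:42:08.140002 IP 192.168.2.77.40213 > 192.168.2.1.53: 1003+ A? example.test. (30)
17:42:09.000001 IP 192.168.2.12.49026 > 192.168.2.1.53: 2822+ A? mytestmachine.localhost. (41)'

# dns_query_sources: read tcpdump text output on stdin and print "count ip",
# one line per source address, sorted with the busiest source first.
# Only packets sent TO port 53 (or ".domain" when -n is not used) count as
# queries; the server's replies come FROM port 53 and are ignored.
dns_query_sources() {
  awk '$2 == "IP" && $4 == ">" && $5 ~ /\.(53|domain):$/ {
         src = $3
         sub(/\.[0-9]+$/, "", src)   # strip the ".port" suffix from "ip.port"
         count[src]++
       }
       END { for (s in count) print count[s], s }' | sort -rn
}

# top_dns_source: the single source address that issued the most DNS queries
# in the sample. Returns "192.168.2.77" for the constructed data above.
top_dns_source() {
  printf '%s\n' "$SAMPLE" | dns_query_sources | head -n 1 | awk '{ print $2 }'
}

# Run on the embedded sample when executed directly.
printf '%s\n' "$SAMPLE" | dns_query_sources
```

To run it over a real capture written with -w, feed it the reader's output instead: tcpdump -n -r name-of-file | dns_query_sources.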

In short, tcpdump is a tool known as a packet sniffer. It listens to network traffic and records or prints the packets that meet criteria of your choice in human-readable form.

Hope you enjoyed.
Khosro Tataghi
