Friday, 13 July 2018

Tcpdump



In this post, I'll try to explain in detail how to use tcpdump and how to read its output correctly. In my opinion, tcpdump should be known by every engineer, whichever department they work in. You can also call it a packet analyzer. A data engineer can use it to check IP connectivity between two devices that have a bad connection, and a voice engineer can use it to capture SIP packets for troubleshooting.
 
Before executing this command, you need to learn how to list all interfaces, like this:

GBSBC-1:~ # ip link show
1: lo:  mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0:  mtu 1500 qdisc mq state UP qlen 1000
    link/ether b8:ac:6f:65:31:e5 brd ff:ff:ff:ff:ff:ff
3: wlan0:  mtu 1500 qdisc mq state DOWN qlen 1000
    link/ether 00:21:6a:ca:9b:10 brd ff:ff:ff:ff:ff:ff
4: vboxnet0:  mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff
5: pan0:  mtu 1500 qdisc noop state DOWN
    link/ether c2:10:fa:55:8e:32 brd ff:ff:ff:ff:ff:ff
6: vmnet1:  mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:50:56:c0:00:01 brd ff:ff:ff:ff:ff:ff
11: ppp0:  mtu 1496 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp

lo: Loopback interface
eth0: Ethernet network interface
wlan0: Wireless Ethernet interface
ppp0: Point-to-point network interface
vboxnet0: Virtual machine interface working in bridge mode


Let's start to learn it:

When you execute the tcpdump command without any option, you'll capture all packets from all interfaces. If you want to capture on just one interface, the “-i” option lets you select it.
Example:


The “-c” option stops the capture after the number of packets you specify.

If you want to see the tcpdump output in ASCII (the packet payload printed as text), execute tcpdump with “-A”, as shown below:


Sometimes the output of tcpdump needs to be kept in a file. In this case, the “-w” option will help you.

root@anakin:~# tcpdump -c 5 -i eth0 -w egemen.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes


5 packets captured
13 packets received by filter
0 packets dropped by kernel
* You can use the “tcpick” command to read the .pcap file (tcpdump itself can also read it back with “-r”).

Filtering Host (src/dst) and Port

port
Match only packets coming from or going to a specific port
 port 69

host
Match only packets coming from or going to a specific host
 host B

src
Match only packets coming from (src = source) a specific host
 src host A

dst
Match only packets going to (dst = destination) a specific host
 dst host C


Throughout these examples you can use standard logic to combine different filters:

 and / &&
 or / ||
 not / !
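As an added example (not code from the original post), the following POSIX shell script ties together the “-c”/“-w” capture above and the host/port filters combined with and/or/not: it builds the capture command and checks the summary tcpdump prints on exit for kernel drops. The interface, hosts, the SIP port 5060 and the summary text are assumed sample values.

```shell
#!/bin/sh
# Added example, not part of the original post: composes a tcpdump command
# from the options covered above and checks the exit summary for drops.
# Hosts, ports and the summary text below are constructed sample values.

# bpf_between A B PORT: packets exchanged between two hosts on one port,
# built from the host/port primitives joined with "and".
bpf_between() {
    printf 'host %s and host %s and port %s' "$1" "$2" "$3"
}

# capture_cmd IFACE COUNT FILE FILTER: the full command line. -nn keeps
# addresses and ports numeric, -tttt date-stamps each line, -c stops
# after COUNT packets and -w writes raw packets for later analysis.
capture_cmd() {
    printf 'tcpdump -nn -tttt -i %s -c %s -w %s "%s"' "$1" "$2" "$3" "$4"
}

# kernel_drops: reads the summary tcpdump prints on exit from stdin and
# echoes the "packets dropped by kernel" count.
kernel_drops() {
    awk '/dropped by kernel/ { print $1 }'
}

# capture_complete SUMMARY: returns 0 when nothing was dropped. A non-zero
# drop count means the pcap is missing packets and cannot be treated as a
# complete record of what crossed the interface.
capture_complete() {
    drops=$(printf '%s\n' "$1" | kernel_drops)
    [ -n "$drops" ] && [ "$drops" -eq 0 ]
}

# Constructed summary in the same shape as the egemen.pcap run above.
SAMPLE_SUMMARY='5 packets captured
13 packets received by filter
0 packets dropped by kernel'

capture_cmd eth0 5 sip.pcap "$(bpf_between 192.0.2.10 192.0.2.20 5060)"
echo
capture_complete "$SAMPLE_SUMMARY" && echo "capture complete, no kernel drops"
```

If the drop count is ever non-zero, narrow the filter or capture fewer bytes per packet before trusting the file for troubleshooting.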
 


Change how you want to see output of tcpdump command:

“-t” changes the timestamp format of the output, and you can use it like below:
-t     >> Don't print a timestamp on each dump line.
-tt    >> Print an unformatted timestamp on each dump line.
-ttt   >> Print a delta between current and previous line on each dump line.
-tttt  >> Print a timestamp in default format preceded by date on each dump line.
-ttttt >> Print a delta between current and first line on each dump line.

With “-n”, tcpdump does not convert host addresses to names.
“-nn” also does not convert protocol and port numbers to names.



“-v”   >> Gives you more packet detail, such as the TTL and ID values.
“-vv”  >> Even more verbose output. For example, additional fields are printed from NFS reply packets, and SMB packets
“-vvv” >> Even more verbose output. For example, telnet SB ... SE options are printed in full.



All the explanations above cover the options commonly used by engineers in different departments. If you want more detailed information about tcpdump, you can visit the tcpdump main website:

https://www.tcpdump.org/tcpdump_man.html

Please do not hesitate to ask any question about tcpdump by e-mail.