TCPDump: Understanding the Network
• TCPDump is a tool that analyzes the traffic on a network
segment
• One of the most used/most useful tools
• Based on libpcap, which provides a platform-independent
library and API to perform traffic sniffing
• TCPDump and libpcap are both available at
http://www.tcpdump.org
• Allows the user to specify a filter expression that defines which packets
are to be printed
• Requires root privileges to put the interface into promiscuous mode
(no privileges are needed when reading from a file)
Command Line Options
• -e: print link-level addresses
• -n: do not translate IP addresses to FQDN names
• -x: print each packet in hex
• -i: use a particular network interface
• -r: read packets from a file
• -w: write packets to a file
• -s: specify the amount of data to be sniffed for each packet
(e.g., set to 65535 to get the entire IP packet)
• -f: specify a file containing the filter expression
Filter Expression
• A filter expression consists of one or more primitives
• Primitives are composed of a qualifier and an id
• Qualifiers
– type: defines the kind of entity
• host (e.g., “host longboard”, where “longboard” is the id)
• net (e.g., “net 128.111”)
• port (e.g., “port 23”)
– dir: specifies the direction of traffic
• src (e.g., “src host longboard”)
• dst
• src and dst
• Qualifiers (continued)
– proto: specifies a protocol of interest
• ether (e.g., “ether src host 00:65:FB:A6:11:15” )
• ip (e.g., “ip dst net 192.168.1”)
• arp (e.g., “arp”)
• rarp (e.g., “rarp src host”)
• Operators can be used to compose complex filter expressions
– and, or, not (e.g., “host shortboard and not port ftp”)
• Special keywords
– gateway: checks if a packet used a host as a gateway
– less and greater: used to check the size of a packet
– broadcast: used to check if a packet is a broadcast packet
Examples
# tcpdump -i eth0 -n -x
# tcpdump -s 65535 -w traffic.dump src host hitchcock
% tcpdump -r traffic.dump arp
# tcpdump arp[7] = 1
# tcpdump gateway csgw and \( port 21 or port 20 \)
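As an added example (not code from the slides or from tcpdump), the following Python evaluator implements the filter grammar described above, the host/net/port primitives with their dir qualifiers, the ip/arp/rarp protocol keywords and the and/or/not operators with parentheses, and applies expressions like the ones in the slides to constructed packet records; ether, gateway, less/greater and broadcast are left out. The packet records, host names and port numbers are constructed sample data, and the small service-name table is an assumption standing in for the system services database that tcpdump consults.

```python
# Added example (not the slides' code): evaluate the filter syntax above on constructed packets.
def parse(expr):
    toks = expr.replace("(", " ( ").replace(")", " ) ").split()
    def binop(op, below):                  # left-assoc chain of one operator
        node = below()
        while toks and toks[0] == op:
            toks.pop(0); node = (op, node, below())
        return node
    p_and = lambda: binop("and", p_prim)   # precedence: not > and > or
    def p_prim():
        tok = toks.pop(0)
        if tok == "not": return ("not", p_prim())        # binds tightest
        if tok == "(":
            node = binop("or", p_and)
            if toks.pop(0) != ")": raise ValueError("missing ')'")
            return node
        if tok in ("ip", "arp", "rarp"):   # proto qualifier, alone or prefixed
            node = ("proto", tok)
            if toks and toks[0] in ("src", "dst", "host", "net", "port"):
                node = ("and", node, p_prim())   # e.g. "ip dst net 192.168.1"
            return node
        direction = "any"                  # no dir qualifier: match src or dst
        if tok in ("src", "dst"): direction, tok = tok, toks.pop(0)
        if tok not in ("host", "net", "port"): raise ValueError("bad primitive " + tok)
        return (tok, direction, toks.pop(0))   # type qualifier + id
    tree = binop("or", p_and)
    if toks: raise ValueError("trailing tokens: " + " ".join(toks))
    return tree

def matches(node, pkt):
    op = node[0]
    if op == "or":    return matches(node[1], pkt) or matches(node[2], pkt)
    if op == "and":   return matches(node[1], pkt) and matches(node[2], pkt)
    if op == "not":   return not matches(node[1], pkt)
    if op == "proto": return pkt["proto"] == node[1]
    kind, direction, ident = node
    ident = str({"ftp-data": 20, "ftp": 21, "telnet": 23}.get(ident, ident))  # assumed names
    for side in ("src", "dst") if direction == "any" else (direction,):
        val = str(pkt.get(side + "_" + ("host" if kind == "net" else kind), ""))
        if val == ident or (kind == "net" and val.startswith(ident + ".")):
            return True                    # "net 128.111" matches 128.111.x.y
    return False

PACKETS = [  # constructed sample traffic using hosts/ports from the slides
    {"proto": "ip", "src_host": "longboard", "dst_host": "shortboard", "src_port": 40123, "dst_port": 21},
    {"proto": "ip", "src_host": "128.111.4.9", "dst_host": "longboard", "src_port": 23, "dst_port": 40124},
    {"proto": "arp", "src_host": "192.168.1.7", "dst_host": "192.168.1.1"}]

def select(expr, packets=PACKETS):         # indexes of packets the filter keeps
    tree = parse(expr); return [i for i, p in enumerate(packets) if matches(tree, p)]
```

`select("host shortboard and not port ftp")` returns `[]` for the sample packets, because the only packet involving shortboard is the FTP control connection the filter excludes.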