What is tcpdump?
tcpdump is a command-line packet analyzer available on Linux and most other Unix-like systems. It captures the packets that enter or leave your machine and lets you inspect them one by one: the IP addresses of the source and destination machines, the MAC addresses of the two, the protocol, the ports, the TCP flags and many more details.
The manual page of tcpdump describes it as follows:
Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression.
Getting Started:
To get started with tcpdump, the first thing you need to do is install the package. On Debian and Ubuntu systems this is done by typing the line below at a root prompt (the # denotes a root shell; capturing packets requires root or the CAP_NET_RAW capability):
#apt-get install tcpdump
Using tcpdump:
It is really simple; all you need to do is type the following at your command prompt:
#tcpdump
On typing the above command, tcpdump starts capturing on the first configured, non-loopback interface it finds (not on every interface; use -i any to capture on all of them) and prints one line per packet until you stop it with Ctrl-C. Go ahead and give it a try.
Output of tcpdump:
To understand the tcpdump output, we provide a simple key here. tcpdump generates the following kind of output if invoked as tcpdump -nne. The first -n tells tcpdump not to resolve IP addresses to hostnames and the second prevents it from resolving port numbers to service names (the two are usually written together as -nn). The parameter -e prints the link-level header, i.e. the MAC addresses of the traffic, in the output.
19:27:01.454488 00:00:0c:04:b2:33 > 00:03:e3:d9:26:c0, ethertype IPv4 (0x0800), length 1687: IP 138.97.18.88.63259 > 64.154.80.51.80: P 0:1633(1633) ack 1634 win
[1] 19:27:01.454488 : Timestamp (time of day, with microseconds)
[2] 00:00:0c:04:b2:33 : Source MAC
[3] 00:03:e3:d9:26:c0 : Destination MAC
[4] ethertype IPv4 (0x0800) : Network protocol
[5] length 1687 : Frame length in bytes (here 14 Ethernet + 20 IP + 20 TCP + 1633 payload)
[6] 138.97.18.88 : Source IP
[7] 63259 : Source port
[8] 64.154.80.51 : Destination IP
[9] 80 : Destination port
[10] P : TCP flags (P = PSH; S = SYN, F = FIN, R = RST; a lone . means none of these is set)
[11] 0 : TCP sequence number (relative to the start of the connection unless -S is given)
[12] 1633 : TCP last sequence number (the first byte not yet sent)
[13] (1633) : TCP payload length
[14] ack 1634 : ACK flag set, acknowledging sequence number 1634; the window size follows after "win"
Current tcpdump releases print the same TCP fields in a slightly different layout: Flags [P.], seq 0:1633, ack 1634, win ..., length 1633, where the . inside the brackets stands for the ACK flag.
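As an added example (not part of the original post), here is a small Python parser for lines in the format described by the key above. The sample lines are constructed: the window value 65535 is assumed, since the original output is cut off after "win", and the second line is an assumed pure-ACK reply written in the layout that current tcpdump releases print, so the parser goes beyond the single format shown on the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Fields [1]-[9] of the key, as printed by `tcpdump -nne` (no name resolution,
# link-level header included); the TCP part after the colon is handled separately.
_HEADER = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > (?P<dmac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), "
    r"ethertype (?P<ethertype>\w+) \((?P<ethertype_hex>0x[0-9a-f]{4})\), "
    r"length (?P<frame_len>\d+): "
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# Fields [10]-[14] in the older style shown on the page: "P 0:1633(1633) ack 1634 win 65535"
_OLD_TCP = re.compile(
    r"^(?P<flags>[SFPRUWE.]+)"
    r"(?: (?P<seq_start>\d+):(?P<seq_end>\d+)\((?P<payload>\d+)\))?"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)
# The same fields as current tcpdump prints them:
# "Flags [P.], seq 0:1633, ack 1634, win 65535, length 1633"
_NEW_TCP = re.compile(
    r"^Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq_start>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?, win (?P<win>\d+)"
    r"(?:, options \[[^\]]*\])?, length (?P<payload>\d+)"
)


@dataclass
class TcpRecord:
    timestamp: str
    src_mac: str
    dst_mac: str
    ethertype: str
    frame_len: int          # [5]: bytes on the wire, Ethernet header included
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str              # [10]: raw flag letters exactly as tcpdump printed them
    seq_start: Optional[int]
    seq_end: Optional[int]
    payload_len: Optional[int]
    ack: Optional[int]      # [14]: acknowledgement number; None means the ACK flag was clear
    window: int

    @property
    def header_bytes(self) -> int:
        """Frame length minus TCP payload: 54 for Ethernet + IPv4 + TCP without options."""
        return self.frame_len - (self.payload_len or 0)


def _opt_int(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_tcpdump_line(line: str) -> TcpRecord:
    """Parse one IPv4/TCP line of `tcpdump -nne` output; raises ValueError for anything else."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError(f"not a tcpdump -nne TCP line: {line!r}")
    rest = m.group("rest")
    t = _NEW_TCP.match(rest) or _OLD_TCP.match(rest)
    if not t:
        raise ValueError(f"unrecognised TCP summary: {rest!r}")
    g = t.groupdict()
    return TcpRecord(
        timestamp=m.group("ts"), src_mac=m.group("smac"), dst_mac=m.group("dmac"),
        ethertype=m.group("ethertype"), frame_len=int(m.group("frame_len")),
        src_ip=m.group("src"), src_port=int(m.group("sport")),
        dst_ip=m.group("dst"), dst_port=int(m.group("dport")),
        flags=g["flags"], seq_start=_opt_int(g.get("seq_start")),
        seq_end=_opt_int(g.get("seq_end")), payload_len=_opt_int(g.get("payload")),
        ack=_opt_int(g.get("ack")), window=int(g["win"]),
    )


def payload_bytes_by_flow(lines: Iterable[str]) -> Dict[Tuple[str, int, str, int], int]:
    """Sum TCP payload per (src ip, src port, dst ip, dst port); lines that do not parse are skipped."""
    totals: Dict[Tuple[str, int, str, int], int] = {}
    for line in lines:
        try:
            r = parse_tcpdump_line(line)
        except ValueError:
            continue
        key = (r.src_ip, r.src_port, r.dst_ip, r.dst_port)
        totals[key] = totals.get(key, 0) + (r.payload_len or 0)
    return totals


# Constructed sample: the line from the key (window value assumed, the original is cut off
# after "win") plus an assumed pure-ACK reply in the newer output layout.
SAMPLE_LINES = [
    "19:27:01.454488 00:00:0c:04:b2:33 > 00:03:e3:d9:26:c0, ethertype IPv4 (0x0800), length 1687: "
    "IP 138.97.18.88.63259 > 64.154.80.51.80: P 0:1633(1633) ack 1634 win 65535",
    "19:27:01.455102 00:03:e3:d9:26:c0 > 00:00:0c:04:b2:33, ethertype IPv4 (0x0800), length 66: "
    "IP 64.154.80.51.80 > 138.97.18.88.63259: Flags [.], ack 1633, win 501, "
    "options [nop,nop,TS val 1 ecr 2], length 0",
]

if __name__ == "__main__":
    for rec in map(parse_tcpdump_line, SAMPLE_LINES):
        print(rec)
    print(payload_bytes_by_flow(SAMPLE_LINES))
```

The header_bytes property is a quick sanity check on a capture: anything other than 54 on a plain Ethernet/IPv4/TCP line means IP or TCP options are present (as in the second sample line, where 12 bytes of TCP options give 66).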
Various options in tcpdump
1. #tcpdump -e : Prints the MAC addresses of the source and the destination machines
2. #tcpdump -i <interface name> : Listens on the specified interface only, i.e. if you write
#tcpdump -i eth0
then only the packets that pass through eth0 will be displayed
3. Suppose you want to capture only TCP packets that arrive on your interface:
#tcpdump tcp
It will print only the TCP packets on the default interface (or on the one chosen with -i)
4. To store the captured packets into a file:
#tcpdump -w <file name>
Note that -w writes the raw packets in pcap format, not the printed text, so the file is not readable with a text viewer but can be opened with tcpdump -r or with Wireshark
5. To read the captured packets from the file:
#tcpdump -r <file name>
6. To display only n packets and then exit:
#tcpdump -c <n>
7. To display packets coming from a specific source and going to a specific destination:
#tcpdump src 10.102.1.111 and dst 10.102.1.51
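To show what -w actually stores and what -r reads back, here is an added Python example (not tcpdump's own code) that parses the pcap file format written by tcpdump -w, decodes the Ethernet/IPv4/TCP headers, and applies the same src/dst selection as the capture filter in item 7, offline. The three-packet capture is constructed inside the script: the hosts are the ones from item 7, the MAC addresses are taken from the sample output earlier on the page, and the ports, sequence numbers and payload are assumed.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional

PCAP_MAGIC = 0xA1B2C3D4        # microsecond-resolution pcap, what `tcpdump -w` writes by default
LINKTYPE_ETHERNET = 1
# tcpdump's flag letters, in the order it prints them: FIN SYN RST PSH ACK URG ECE CWR
TCP_FLAG_CHARS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
                  (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]


@dataclass
class Packet:
    ts_sec: int
    ts_usec: int
    src_mac: str
    dst_mac: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str
    payload_len: int


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decode_frame(ts_sec: int, ts_usec: int, frame: bytes) -> Optional[Packet]:
    """Decode Ethernet -> IPv4 -> TCP; returns None for anything else (ARP, UDP, ...)."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # IPv4 header length in bytes
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != 6 or len(ip) < ihl + 20:           # protocol 6 = TCP, need a full TCP header
        return None
    tcp = ip[ihl:total_len]
    sport, dport, _seq, _ack, off_flags = struct.unpack_from("!HHIIH", tcp, 0)
    data_off = (off_flags >> 12) * 4               # TCP header length incl. options
    flags = "".join(c for bit, c in TCP_FLAG_CHARS if off_flags & bit) or "none"
    return Packet(ts_sec, ts_usec, _mac(frame[6:12]), _mac(frame[0:6]),
                  socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport,
                  flags, len(tcp) - data_off)


def iter_pcap(data: bytes) -> Iterator[Packet]:
    """Walk the 24-byte global header and the 16-byte per-record headers of a pcap file."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:                      # file written on a big-endian host
        end = ">"
    else:
        raise ValueError("not a pcap file with microsecond timestamps")
    linktype = struct.unpack_from(end + "HHiIII", data, 4)[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        pkt = decode_frame(ts_sec, ts_usec, data[off:off + incl_len])
        off += incl_len
        if pkt is not None:
            yield pkt


def select(pkts: Iterable[Packet], src: Optional[str] = None, dst: Optional[str] = None) -> List[Packet]:
    """Offline equivalent of the capture filter `src A and dst B` (either side may be omitted)."""
    return [p for p in pkts
            if (src is None or p.src_ip == src) and (dst is None or p.dst_ip == dst)]


# --- constructed sample capture (not a real recording) --------------------------------
def _csum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def build_frame(smac: bytes, dmac: bytes, sip: bytes, dip: bytes,
                sport: int, dport: int, flags: int, payload: bytes) -> bytes:
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags, 65535, 0, 0) + payload
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, sip, dip)
    iph = iph[:10] + struct.pack("!H", _csum(iph)) + iph[12:]
    return dmac + smac + b"\x08\x00" + iph + tcp


def build_pcap(frames: Iterable[bytes]) -> bytes:
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


# MACs from the sample output on the page; hosts from item 7; ports and payload are assumed.
A_MAC, B_MAC = bytes.fromhex("00000c04b233"), bytes.fromhex("0003e3d926c0")
A_IP, B_IP = socket.inet_aton("10.102.1.111"), socket.inet_aton("10.102.1.51")
SAMPLE_PCAP = build_pcap([
    build_frame(A_MAC, B_MAC, A_IP, B_IP, 40000, 80, 0x02, b""),                        # SYN
    build_frame(B_MAC, A_MAC, B_IP, A_IP, 80, 40000, 0x12, b""),                        # SYN-ACK
    build_frame(A_MAC, B_MAC, A_IP, B_IP, 40000, 80, 0x18, b"GET / HTTP/1.0\r\n\r\n"),  # PSH-ACK
])

if __name__ == "__main__":
    for p in select(iter_pcap(SAMPLE_PCAP), src="10.102.1.111", dst="10.102.1.51"):
        print(f"{p.ts_sec}.{p.ts_usec:06d} IP {p.src_ip}.{p.src_port} > {p.dst_ip}.{p.dst_port}: "
              f"Flags [{p.flags}], length {p.payload_len}")
```

Pass the bytes of a file written with tcpdump -w to iter_pcap to read a real capture; the reader deliberately handles only the classic microsecond pcap header with Ethernet link type (not the nanosecond variant or pcapng), and raises ValueError for anything else rather than guessing.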
With these basic tricks of the trade you can begin using tcpdump efficiently and put it to good use.
- Joohi Sinha
Stay tuned for more.
wow
Fantastic Post......waiting for more......