TCP Dump

TCPDump is a tool for network monitoring and data acquisition. It requires the libpcap library. Both can be found here.

Short Tutorial

After compiling and making the source files (with libpcap sharing the same root directory), there should be a tcpdump binary ready for execution in the tcpdump directory.

You have to be root to run the program, since it puts the interface into promiscuous mode and reads raw packets.

The basic syntax is:

tcpdump -i eth0

where eth0 is the interface on which you wish to monitor packets. This then prints a stream of packet summaries to the screen, like the following:

17:29:44.070670 802.1d config 8000.00:d0:79:95:98:03.8042 root 8000.00:50:80:f0:6a:03 pathcost 23 age 2 max 20 hello 2 fdelay 15
17:29:44.148451 0:30:b6:d1:9b:c5 > 1:0:c:cc:cc:cc snap ui/C len=81
17:29:44.644998 128.40.4.245 > IGRP-ROUTERS.MCAST.NET: ip-proto-88 40 [tos 0xc0]
17:29:44.645799 pc56.hep.ucl.ac.uk.32768 > link-1.ts.bcc.ac.uk.domain: 22373+[|domain] (DF)
17:29:44.648334 link-1.ts.bcc.ac.uk.domain > pc56.hep.ucl.ac.uk.32768: 22373[|domain]
17:29:44.648622 pc56.hep.ucl.ac.uk.32768 > link-1.ts.bcc.ac.uk.domain: 22374+[|domain] (DF)
17:29:44.650494 link-1.ts.bcc.ac.uk.domain > pc56.hep.ucl.ac.uk.32768: 22374 NXDomain*[|domain]
17:29:44.650736 pc56.hep.ucl.ac.uk.32768 > link-1.ts.bcc.ac.uk.domain: 22375+[|domain] (DF)
17:29:44.653101 link-1.ts.bcc.ac.uk.domain > pc56.hep.ucl.ac.uk.32768: 22375*[|domain]
17:29:45.628144 pc29.hep.ucl.ac.uk.631 > 128.40.4.255.631: udp 109
17:29:45.628391 pc56.hep.ucl.ac.uk.32768 > link-1.ts.bcc.ac.uk.domain: 22376+[|domain] (DF)
17:29:45.630839 link-1.ts.bcc.ac.uk.domain > pc56.hep.ucl.ac.uk.32768: 22376*[|domain]
17:29:46.069199 802.1d config 8000.00:d0:79:95:98:03.8042 root 8000.00:50:80:f0:6a:03 pathcost 23 age 2 max 20 hello 2 fdelay 15
17:29:46.769929 0.4.245.rtmp > 0.0.rtmp: at-rtmp 25
17:29:48.068060 802.1d config 8000.00:d0:79:95:98:03.8042 root 8000.00:50:80:f0:6a:03 pathcost 23 age 2 max 20 hello 2 fdelay 15
17:29:49.344812 128.40.4.245 > IGRP-ROUTERS.MCAST.NET: ip-proto-88 40 [tos 0xc0]
17:29:50.066283 802.1d config 8000.00:d0:79:95:98:03.8042 root 8000.00:50:80:f0:6a:03 pathcost 23 age 2 max 20 hello 2 fdelay 15
17:29:51.148361 0:30:b6:d1:9b:c5 > 1:0:c:cc:cc:cc snap ui/C len=81
17:29:51.627909 pc29.hep.ucl.ac.uk.631 > 128.40.4.255.631: udp 55
17:29:51.628003 pc29.hep.ucl.ac.uk.631 > 128.40.4.255.631: udp 88
17:29:51.628064 pc29.hep.ucl.ac.uk.631 > 128.40.4.255.631: udp 73
17:29:51.628145 pc29.hep.ucl.ac.uk.631 > 128.40.4.255.631: udp 72

As you can see there's loads of crap going on there, and that's only about 5 seconds' worth when nothing is happening! (for some reason it's connected to the BBC...??!?!).

Various options exist:

-c count : stop after count packets have been shown

-e : show the link-level header

-q : print less protocol information

-i iface : listen on interface iface, for example eth0

-n : print numeric addresses and port numbers instead of resolving names

-N : show only the hostname instead of the FQDN (Fully Qualified Domain Name)

-s X : capture X bytes from each packet (the "snaplen")

-S : show absolute TCP sequence numbers

-v and -vv : increase the amount of information printed; -vv gives more than -v

The default capture size of 68 bytes suffices for most purposes: it covers the link, IP and TCP/UDP headers, which is all the summary lines above need. If you want to look at application payload (for instance to see what a DNS query or an HTTP request actually contained) you have to raise it with -s, otherwise the payload is simply not captured. -e and -q are useful for peeking into the link header and for getting less, but easier to read, information on each packet, respectively.

You may not be interested in all the packets that flow through your network, so you can restrict the capture to selected hosts, ports and protocols. For this use tcpdump's filter expressions, in which you can combine primitives with "and", "or" and "not" to build up the filter you want.

Some of the common filtering expressions are:

type : the kind of thing an address refers to; it can be host, net or port, and the default is host

src hostip : match packets originating from the host with this IP address

dst hostip : match packets destined for the host with this IP address

host hostip : match all packets to and from the host with this IP address

src port : match on the source port of the packets

dst port : match on the destination port of the packets

port : match on the port, for packets in either direction

protocol : match on the protocol used by the packet, for example tcp, ip, udp, icmp, arp, rarp, etc.

Trying some examples

tcpdump host 128.40.4.44

will capture all packets to and from the machine with IP 128.40.4.44 - in this case my laptop.

tcpdump src 128.40.4.44 and dst pc56.hep.ucl.ac.uk

will capture all packets moving from 128.40.4.44 to pc56.hep.ucl.ac.uk. Note the use of "and" here.

You can also capture packets of specific protocols, as in:

tcpdump tcp

To capture all packets destined to a specific port, like ftp:

tcpdump host 192.168.1.22 and port ftp

or

tcpdump host 192.168.1.22 and port 21

If you use a port’s name like ftp, it must be defined in /etc/services. Alternatively, you can use the port number, 21 in this case.
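The two things this page shows, the one-line summary format that tcpdump prints and the meaning of its host/src/dst/port/protocol primitives, can be demonstrated together on the capture above. The following script is an added example and is not code from the original page or from the tcpdump project: it parses summary lines of the kind shown earlier (the SAMPLE text is those lines, embedded as a constructed sample so the script runs offline), then applies filters with the same semantics as tcpdump's own primitives to the parsed packets, so you can see why "host" matches both directions while "src" and "dst" match only one, and why "port ftp" and "port 21" are equivalent. SERVICE_PORTS is an assumed miniature of /etc/services. A small talkers() summary at the end shows the practical use: with a few lines of post-processing you can see which hosts are responsible for most of the chatter in a capture.

```python
"""Parse tcpdump's one-line summaries and filter them the way tcpdump's
host/src/dst/port/protocol primitives would.

Added example, not from the original page or the tcpdump project. SAMPLE is a
constructed copy of the capture lines shown above; SERVICE_PORTS is an assumed
stand-in for /etc/services, which is what tcpdump itself consults.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

SERVICE_PORTS = {"domain": 53, "ftp": 21, "ssh": 22, "http": 80}  # assumed subset

# timestamp, "src > dst", optional colon, then tcpdump's decode of the payload.
# Link-level lines such as the 802.1d spanning-tree ones have no "src > dst"
# and therefore do not match; parse_line() skips them.
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)\s+(\S+) > (\S+?):?\s+(.*)$")

SAMPLE = """\
17:29:44.070670 802.1d config 8000.00:d0:79:95:98:03.8042 root 8000.00:50:80:f0:6a:03 pathcost 23 age 2 max 20 hello 2 fdelay 15
17:29:44.148451 0:30:b6:d1:9b:c5 > 1:0:c:cc:cc:cc snap ui/C len=81
17:29:44.644998 128.40.4.245 > IGRP-ROUTERS.MCAST.NET: ip-proto-88 40 [tos 0xc0]
17:29:44.645799 pc56.hep.ucl.ac.uk.32768 > link-1.ts.bcc.ac.uk.domain: 22373+[|domain] (DF)
17:29:44.648334 link-1.ts.bcc.ac.uk.domain > pc56.hep.ucl.ac.uk.32768: 22373[|domain]
17:29:45.628144 pc29.hep.ucl.ac.uk.631 > 128.40.4.255.631: udp 109
17:29:46.769929 0.4.245.rtmp > 0.0.rtmp: at-rtmp 25
17:29:51.627909 pc29.hep.ucl.ac.uk.631 > 128.40.4.255.631: udp 55
"""


@dataclass
class Packet:
    ts: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str
    info: str


def split_endpoint(ep: str) -> Tuple[str, Optional[int]]:
    """Split tcpdump's 'host.port' notation into (host, port). The last label is a
    port when it is a fifth label on a dotted IP, a numeric label on a hostname, or
    a known service name; MAC addresses and bare IPs carry no port."""
    if ":" in ep:                                   # link-level (MAC) address
        return ep, None
    labels = ep.split(".")
    if all(l.isdigit() for l in labels):            # dotted IP, maybe with a port
        return (".".join(labels[:4]), int(labels[4])) if len(labels) == 5 else (ep, None)
    last = labels[-1]
    if last.isdigit():
        return ".".join(labels[:-1]), int(last)
    if last in SERVICE_PORTS:
        return ".".join(labels[:-1]), SERVICE_PORTS[last]
    return ep, None


def guess_proto(sport: Optional[int], dport: Optional[int], info: str) -> str:
    """Classify from tcpdump's decode: 'udp N', 'ip-proto-N', AppleTalk 'at-*', or
    a DNS decode (port 53, printed by tcpdump as 'domain', carried over UDP)."""
    first = info.split()[0] if info else ""
    if first == "udp" or 53 in (sport, dport):
        return "udp"
    if first.startswith("ip-proto-"):
        return first
    if first.startswith("at-"):
        return "appletalk"
    return "other"


def parse_line(line: str) -> Optional[Packet]:
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, s, d, info = m.groups()
    src, sport = split_endpoint(s)
    dst, dport = split_endpoint(d)
    return Packet(ts, src, sport, dst, dport, guess_proto(sport, dport, info), info)


def parse_capture(text: str) -> List[Packet]:
    return [p for p in map(parse_line, text.splitlines()) if p]


Pred = Callable[[Packet], bool]

# Filter primitives with tcpdump's meaning: host and port match either direction,
# src and dst only one; and_/or_/not_ play the role of "and", "or" and "not".
def host(h: str) -> Pred: return lambda p: h in (p.src, p.dst)
def src(h: str) -> Pred: return lambda p: p.src == h
def dst(h: str) -> Pred: return lambda p: p.dst == h
def proto(name: str) -> Pred: return lambda p: p.proto == name
def and_(*fs: Pred) -> Pred: return lambda p: all(f(p) for f in fs)
def or_(*fs: Pred) -> Pred: return lambda p: any(f(p) for f in fs)
def not_(f: Pred) -> Pred: return lambda p: not f(p)

def port(n) -> Pred:
    n = int(n) if str(n).isdigit() else SERVICE_PORTS[n]   # "ftp" and 21 are the same port
    return lambda p: n in (p.sport, p.dport)


def select(text: str, pred: Pred) -> List[Packet]:
    return [p for p in parse_capture(text) if pred(p)]


def talkers(packets: List[Packet]) -> Counter:
    """Count (src host, dst host) pairs: a quick way to see who is chatty."""
    return Counter((p.src, p.dst) for p in packets)


if __name__ == "__main__":
    # Equivalent of: tcpdump host pc29.hep.ucl.ac.uk and port 631, run over saved text
    for p in select(SAMPLE, and_(host("pc29.hep.ucl.ac.uk"), port(631))):
        print(p.ts, p.src, "->", p.dst, p.info)
    for (s, d), n in talkers(parse_capture(SAMPLE)).most_common(3):
        print(f"{n:3d}  {s} -> {d}")
```

Splitting a host from its port is the one genuinely ambiguous part of tcpdump's text format: a trailing label such as "domain" could in principle be part of a hostname, which is why the parser needs a service table and why running tcpdump with -n (numeric ports) makes saved output much easier to process reliably.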

 

Ethereal

Ethereal is a GTK front-end for packet sniffers like tcpdump: it classifies and decodes the captured packets and generally makes the output of TCPDump nicer to read. It can be found here.

Mon, 8 July, 2002 22:22
© 2001-2003, Yee-Ting Li, email: ytl@hep.ucl.ac.uk, Tel: +44 (0) 20 7679 1376, Fax: +44 (0) 20 7679 7145
Room D14, High Energy Particle Physics, Dept. of Physics & Astronomy, UCL, Gower St, London, WC1E 6BT