Options

Are u an expert in using TCPDUMP command?

binarysoulbinarysoul Member Posts: 993
in Off-Topic
If you use the tcpdump command on any Unix-based box, can you give me some specific examples of how you capture traffic to and from hosts?

I've gone through the 'man' page, but find it a big vauge. Any help is appreciated icon_lol.gif
· Share on FacebookShare on Twitter

Comments

  • Options
    sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    In it's most basic level I usuallly use something like this:

    tcpdump -i eth0 host 192.168.1.10

    This will listen on interface eth0 for any traffic to or from 192.168.1.10.

    =================================
    tcpdump -i eth0 host 192.168.1.10 and 192.168.1.20

    This will only listen for traffic that was between these hosts.

    ==================================
    tcpdump -i eth0 -v -w somefile host 192.168.1.10 and 192.168.1.20

    This does the same as above, but gives more verbose output and instead of the output being printed to the screen, it sends it to somefile, which can later be opened in tcpdump for reading by using the -r switch, or even pulled into a program like ethereal/wireshark for analysis.


    HTH. icon_cool.gif
    All things are possible, only believe.
    · Share on FacebookShare on Twitter
  • Options
    sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    Thought I would throw in another example for you. You can also specify ports, directions and protocols. If you had a couple of dns servers and you wanted to capture the zone transfers, you could do this:

    tcpdump -i eth0 -v -w somefile host 192.168.1.10 and host 192.168.1.20 and tcp port 53

    Assuming those 2 ip addresses were both dns servers.

    Oh, and just for the record, I'm not an expert (c'mon, you were just thinking to yourself "Wow, he's an expert!"). icon_lol.gif

    I just have to use it occasionally. It's a great tool.
    All things are possible, only believe.
    · Share on FacebookShare on Twitter
  • Options
    ladiesman217ladiesman217 Member Posts: 416
    sounds dangerous. is it possible to do that on external networks?
    No Sacrifice, No Victory.
    · Share on FacebookShare on Twitter
  • Options
    sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    ladiesman217 wrote:
    sounds dangerous. is it possible to do that on external networks?

    Your computer has to be able to capture the traffic. By default, when you run tcpdump, it puts your nic into promiscuous mode. The only really reliable way to capture traffic though is to be "inline" or on a span port with the traffic. Basically you would want to run it on a gateway, router or firewall.
    All things are possible, only believe.
    · Share on FacebookShare on Twitter
  • Options
    livenliven Member Posts: 918
    Be careful with this command.

    I have seen guys run this command. Forget to kill it and it can bring a box down after time.

    Also, learn the switches of this tool, you can actually read the entire packet, see the syn, syn-ack, ack etc.

    This is by far one of the most useful trouble shooting tools I have EVER used.

    And it works best by far on a gateway or router. Especially on the boundary of a network. Like I said combine this tool with good logs getting piped to syslog (pix, cisco routers etc) and you should be able to figure out just about any networking issues.

    TCPDUMP don't leave home without it!!!
    encrypt the encryption, never mind my brain hurts.
    · Share on FacebookShare on Twitter
  • Options
    dtlokeedtlokee Member Posts: 2,378 ■■■■□□□□□□
    I prefer Wireshark.
    The only easy day was yesterday!
    · Share on FacebookShare on Twitter
  • Options
    larkspurlarkspur Member Posts: 235
    windows servers have a similar tool it can be found in the resource kit. You can sav eto a cap file and vie win etherreal.


    very unmicrosft to use that extension but it is nice.
    just trying to keep it all in perspective!
    · Share on FacebookShare on Twitter
  • Options
    binarysoulbinarysoul Member Posts: 993
    Thanks guys for the responses; no I think you guys are expert compared to me :)

    Can someone explain the numbers after port 110, e.g. 18:34. I know win 32768 is window size. Also, why do I see repeated ack 1?


    22:47:31.960644 IP mytest.2250 > pop1.plus.mail.vip.re2.yahoo.com.110: . 18:34(16) ack 1 win 32768
    22:47:32.094386 IP mytest.2250 > pop1.plus.mail.vip.re2.yahoo.com.110: . 34:40(6) ack 1 win 32768
    22:47:32.342376 IP mytest.2250 > pop1.plus.mail.vip.re2.yahoo.com.110: . 40:46(6) ack 1 win 32768
    22:47:32.935431 IP mytest.2250 > pop1.plus.mail.vip.re2.yahoo.com.110: . 46:54( 8 ) ack 1 win 32768
    22:47:33.066697 IP mytest.2250 > pop1.plus.mail.vip.re2.yahoo.com.110: . 54:60(6) ack 1 win 32768
    22:47:33.489019 IP mytest.2250 > pop1.plus.mail.vip.re2.yahoo.com.110: . 60:66(6) ack 1 win 32768
    22:47:34.702862 IP mytest.2250 > pop1.plus.mail.vip.re2.yahoo.com.110: F 66:66(0) ack 1 win 32768
    22:47:34.702876 IP pop1.plus.mail.vip.re2.yahoo.com.110 > mytest.2250: F 1:1(0) ack 67 win 32768
    · Share on FacebookShare on Twitter
  • Options
    JDMurrayJDMurray Admin Posts: 13,034 Admin
    tcptrace is a utility specifically designed for analyzing tcpdump log files.

    Forum Admin at www.techexams.net
    --
    LinkedIn: www.linkedin.com/in/jamesdmurray
    Twitter: www.twitter.com/jdmurray
    · Share on FacebookShare on Twitter
  • Options
    sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    binarysoul wrote:
    Can someone explain the numbers after port 110, e.g. 18:34.

    Sequence number.
    I prefer Wireshark.
    It can be overkill for some things, also can be considered an invasion of privacy since you can see the data portion. But yeah, I like it too. icon_cool.gif
    All things are possible, only believe.
    · Share on FacebookShare on Twitter
Sign In or Register to comment.