LINUX-42 TCPDUMP - P1
WHAT IS TCPDUMP AND ITS SIGNIFICANCE
A packet sniffer, network analyzer or network traffic tracer; or, simply put, UNIX's answer to Wireshark. Different parameters can be passed to tcpdump to get different results.
It works at the network layer, and network traffic travels in packets. Each packet has a header carrying the information needed to move it across the network. The most valuable information in the TCP/IP headers is the source and destination address, state information and protocol identifiers. The rest of the packet is the actual data.
tcpdump is used to capture this network traffic, analyze it as required and save it for later analysis. Basically, it is a great tool for troubleshooting network issues.
tcpdump uses the libpcap library for packet capturing.
tcpdump can only be run by root or with root privileges.
Some versions of tcpdump capture only the first 96 bytes of each packet by default, i.e. only the headers.
How to check whether tcpdump is present or not,
[root@rhel7-server ~]# rpm -qa | grep tcpdump
tcpdump-4.5.1-2.el7.x86_64
If not present, install it via yum.
How to know the tcpdump version, (-h in tcpdump)
[root@rhel7-server ~]# tcpdump -h
tcpdump version 4.5.1
libpcap version 1.5.3
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
                [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
                [ -i interface ] [ -j tstamptype ] [ -M secret ]
                [ -P in|out|inout ]
                [ -r file ] [ -s snaplen ] [ -T type ] [ -V file ] [ -w file ]
                [ -W filecount ] [ -y datalinktype ] [ -z command ]
                [ -Z user ] [ expression ]
How to know the interfaces on which we can run tcpdump, (-D in tcpdump)
[root@rhel7-server ~]# tcpdump -D
1.eth0
2.bluetooth0 (Bluetooth adapter number 0)
3.nflog (Linux netfilter log (NFLOG) interface)
4.nfqueue (Linux netfilter queue (NFQUEUE) interface)
5.eth1
6.usbmon1 (USB bus number 1)
7.eth2
8.usbmon2 (USB bus number 2)
9.any (Pseudo-device that captures on all interfaces)
10.lo
How to capture packets on all available interfaces, (-i any in tcpdump)
[root@rhel7-server ~]# tcpdump -i any
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
13:54:16.985838 IP 192.168.135.133.ssh > 192.168.135.1.6828: Flags [P.], seq 3895090537:3895090745, ack 2940789948, win 146, length 208
13:54:16.986058 IP 192.168.135.1.6828 > 192.168.135.133.ssh: Flags [.], ack 208, win 252, length 0
13:54:17.821028 ARP, Request who-has 192.168.135.2 tell 192.168.135.1, length 46
13:54:17.821049 ARP, Request who-has 192.168.135.2 tell 192.168.135.1, length 46
13:54:17.821054 ARP, Request who-has 192.168.135.2 tell 192.168.135.1, length 46
^C
5 packets captured
36 packets received by filter
0 packets dropped by kernel
How to capture packets on a particular interface,
[root@rhel7-server ~]# tcpdump -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
15:58:32.679751 IP 192.168.135.1.6828 > 192.168.135.133.ssh: Flags [.], ack 3895183513, win 2050, length 0
15:58:32.679769 IP 192.168.135.133.ssh > 192.168.135.1.6828: Flags [P.], seq 4294967089:1, ack 0, win 192, length 208
15:58:33.682794 IP 192.168.135.133.ssh > 192.168.135.1.6828: Flags [P.], seq 1:289, ack 0, win 192, length 288
15:58:33.723071 IP 192.168.135.1.6828 > 192.168.135.133.ssh: Flags [.], ack 289, win 2049, length 0
^C
4 packets captured
8 packets received by filter
0 packets dropped by kernel
How to capture a particular number of packets via tcpdump, (-c in tcpdump)
[root@rhel7-server ~]# tcpdump -i any -c 10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
14:18:36.571180 IP 192.168.135.133.ssh > 192.168.135.1.6828: Flags [P.], seq 3895099817:3895100025, ack 2940791612, win 146, length 208
14:18:36.571350 IP 192.168.135.1.6828 > 192.168.135.133.ssh: Flags [.], ack 208, win 2052, length 0
14:18:36.821569 ARP, Request who-has 192.168.135.2 tell 192.168.135.1, length 46
14:18:36.821594 ARP, Request who-has 192.168.135.2 tell 192.168.135.1, length 46
14:18:36.821600 ARP, Request who-has 192.168.135.2 tell 192.168.135.1, length 46
14:18:37.574481 IP localhost.34844 > localhost.domain: 53004+ PTR? 1.135.168.192.in-addr.arpa. (44)
14:18:37.574496 IP localhost > localhost: ICMP localhost udp port domain unreachable, length 80
14:18:37.574573 IP localhost.47549 > localhost.domain: 53004+ PTR? 1.135.168.192.in-addr.arpa. (44)
14:18:37.574578 IP localhost > localhost: ICMP localhost udp port domain unreachable, length 80
14:18:37.574681 IP localhost.48767 > localhost.domain: 29567+ PTR? 133.135.168.192.in-addr.arpa. (46)
10 packets captured
34 packets received by filter
0 packets dropped by kernel
In the output above we can see hostnames instead of IP addresses, and well-known ports are shown by application (service) name. The PTR? queries for 1.135.168.192.in-addr.arpa are the reverse DNS lookups tcpdump itself makes to resolve those names.
How to display IP addresses and port numbers instead of domain and service names when capturing packets via tcpdump, (-n in tcpdump)
[root@rhel7-server ~]# tcpdump -i any -c 10 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
14:18:41.574746 IP 192.168.135.133.ssh > 192.168.135.1.7085: Flags [P.], seq 3066901102:3066901310, ack 4107391860, win 146, length 208
14:18:41.574922 IP 192.168.135.1.7085 > 192.168.135.133.ssh: Flags [.], ack 208, win 254, length 0
14:18:42.576750 IP 192.168.135.133.ssh > 192.168.135.1.7085: Flags [P.], seq 208:496, ack 1, win 146, length 288
14:18:42.618025 IP 192.168.135.1.7085 > 192.168.135.133.ssh: Flags [.], ack 496, win 252, length 0
14:18:43.578719 IP 192.168.135.133.ssh > 192.168.135.1.7085: Flags [P.], seq 496:768, ack 1, win 146, length 272
14:18:43.619890 IP 192.168.135.1.7085 > 192.168.135.133.ssh: Flags [.], ack 768, win 251, length 0
14:18:44.580560 IP 192.168.135.133.ssh > 192.168.135.1.7085: Flags [P.], seq 768:1040, ack 1, win 146, length 272
14:18:44.621073 IP 192.168.135.1.7085 > 192.168.135.133.ssh: Flags [.], ack 1040, win 256, length 0
14:18:44.864736 ARP, Request who-has 192.168.135.2 tell 192.168.135.1, length 46
14:18:44.864759 ARP, Request who-has 192.168.135.2 tell 192.168.135.1, length 46
10 packets captured
11 packets received by filter
0 packets dropped by kernel
In some cases -nn has to be specified to get port numbers as well,
[root@rhel7-server ~]# tcpdump -i any -c 10 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
14:18:49.135518 IP 192.168.135.133.22 > 192.168.135.1.7086: Flags [P.], seq 356556249:356556457, ack 1973402113, win 146, length 208
14:18:49.136007 IP 192.168.135.1.7086 > 192.168.135.133.22: Flags [.], ack 208, win 2048, length 0
14:18:49.821155 ARP, Request who-has 192.168.135.2 tell 192.168.135.1, length 46
14:18:49.821178 ARP, Request who-has 192.168.135.2 tell 192.168.135.1, length 46
14:18:49.821184 ARP, Request who-has 192.168.135.2 tell 192.168.135.1, length 46
14:18:50.137209 IP 192.168.135.133.22 > 192.168.135.1.7086: Flags [P.], seq 208:752, ack 1, win 146, length 544
14:18:50.177856 IP 192.168.135.1.7086 > 192.168.135.133.22: Flags [.], ack 752, win 2053, length 0
14:18:51.138906 IP 192.168.135.133.22 > 192.168.135.1.7086: Flags [P.], seq 752:1024, ack 1, win 146, length 272
14:18:51.179980 IP 192.168.135.1.7086 > 192.168.135.133.22: Flags [.], ack 1024, win 2052, length 0
14:18:52.140790 IP 192.168.135.133.22 > 192.168.135.1.7086: Flags [P.], seq 1024:1296, ack 1, win 146, length 272
10 packets captured
11 packets received by filter
0 packets dropped by kernel
In the outputs above tcpdump is capturing up to 65535 bytes per packet (see "capture size 65535 bytes"). Some versions of tcpdump, however, capture only the first 96 bytes of each packet by default, i.e. only the headers.
How to capture packets of a particular size, (-s in tcpdump)
[root@rhel7-server ~]# tcpdump -i any -c 4 -n -s100
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 100 bytes
14:40:09.150383 IP 192.168.135.133.ssh > 192.168.135.1.6828: Flags [P.], seq 3895108473:3895108681, ack 2940794796, win 169, length 208
14:40:09.150616 IP 192.168.135.1.6828 > 192.168.135.133.ssh: Flags [.], ack 208, win 2049, length 0
14:40:10.152826 IP 192.168.135.133.ssh > 192.168.135.1.6828: Flags [P.], seq 208:496, ack 1, win 169, length 288
14:40:10.193473 IP 192.168.135.1.6828 > 192.168.135.133.ssh: Flags [.], ack 496, win 2048, length 0
4 packets captured
4 packets received by filter
0 packets dropped by kernel
Only the first 100 bytes of each packet are kept; the "length 208" still reports the full payload length on the wire, so the rest of that payload is not in the capture.
How to analyze tcpdump output,
14:40:09.150383 IP 192.168.135.133.ssh > 192.168.135.1.6828: Flags [P.], seq 3895108473:3895108681, ack 2940794796, win 169, length 208
14:40:09.150383 - time when the packet was captured, HH:MM:SS followed by the fractional seconds (milliseconds and microseconds)
IP - protocol
192.168.135.133.ssh - source IP and port number/name
192.168.135.1.6828 - destination IP and port number/name
Flags [P.] - TCP flags:
SYN [S] - SYN packet, a session establishment request
NONE [.] - placeholder, no flag set
PUSH [P] - PSH, push, immediate push of data from the sender
FIN [F] - finish flag, indication of termination
RESET [R] - RST, reset, indication of immediate abort of the connection
ACK [A] - ACK packet, acknowledges the sender's data
URGENT [U] - urgent, takes precedence over other data
seq 3895108473:3895108681 - sequence numbers of this packet (here they start at 3895108473 and end at 3895108680; 3895108681 is the next packet's sequence number)
Sequence numbers are 32 bits long. They are used to identify the number of packets sent or received. Whenever a machine initiates a TCP connection it informs the other side of its sequence number during the three-way handshake. With the help of the sequence numbers the receiver and the sender know how much data has been transferred.
ack 2940794796 - acknowledgement number of the packet sequence
win 169 - window size (multiply the window size by 2 to the power 7, as the wscale value is 7; 2 to the power 7 is 128, so here the window is 169x128). The wscale value is announced in the handshake, as in this SYN/ACK:
[root@rhel7-server ~]# tcpdump -i any port 22 -c 4 -n -t
=============o/p removed============
IP 192.168.135.133.ssh > 192.168.135.143.58546: Flags [S.], seq 806970291, ack 34938470, win 14480, options [mss 1460,sackOK,TS val 53947015 ecr 29552199,nop,wscale 7], length 0
=============o/p removed============
length 208 - packet length, i.e. how many bytes are inside; the length always matches the sequence number range:
seq 3895108473:3895108681 and length is 208
3895108681 - 3895108473 = 208
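The field breakdown above, turned into a small parser as an added example (my own code, not part of the original post): it reads default-verbosity tcpdump TCP lines, applies the wscale learned from the SYN/ACK to the windows of later segments, and checks that length equals the sequence-number span modulo 2^32. The sample lines are copied from this post's captures; the -t, default and -tttt timestamp formats are all accepted.

```python
import re

# Constructed sample input copied from the post's captures: the SYN/ACK printed with -t
# (it carries wscale), a PSH/ACK data segment, and a segment whose seq number wraps past 2^32.
SAMPLE_LINES = [
    "IP 192.168.135.133.ssh > 192.168.135.143.58546: Flags [S.], seq 806970291, ack "
    "34938470, win 14480, options [mss 1460,sackOK,TS val 53947015 ecr 29552199,nop,"
    "wscale 7], length 0",
    "14:40:09.150383 IP 192.168.135.133.ssh > 192.168.135.1.6828: Flags [P.], seq "
    "3895108473:3895108681, ack 2940794796, win 169, length 208",
    "15:58:32.679769 IP 192.168.135.133.ssh > 192.168.135.1.6828: Flags [P.], seq "
    "4294967089:1, ack 0, win 192, length 208",
]
# Fields in the order the post walks through them; the timestamp is optional (-t drops it,
# -tttt prefixes a date) and seq, ack and options are absent on some lines.
LINE_RE = re.compile(
    r"^(?:(?P<ts>[\d:.-]+(?: [\d:.]+)?)\s+)?IP\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"Flags \[(?P<flags>[^\]]*)\],\s+(?:seq (?P<seq_start>\d+)(?::(?P<seq_end>\d+))?,\s+)?"
    r"(?:ack (?P<ack>\d+),\s+)?win (?P<win>\d+),\s+"
    r"(?:options \[(?P<options>[^\]]*)\],\s+)?length (?P<length>\d+)$")
# tcpdump's flag letters; per its man page '.' is printed when ACK is the only flag set.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST", "U": "URG", ".": "ACK"}


def parse_line(line, wscale=None):
    """Parse one default-verbosity tcpdump TCP line; wscale is the value from the handshake."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a tcpdump TCP summary line: %r" % line)
    d = m.groupdict()
    num = lambda key: int(d[key]) if d[key] is not None else None
    rec = {"time": d["ts"], "src": tuple(d["src"].rsplit(".", 1)),
           "dst": tuple(d["dst"].rsplit(".", 1)),
           "flags": [FLAG_NAMES.get(c, c) for c in d["flags"]],
           "seq_start": num("seq_start"), "seq_end": num("seq_end"), "ack": num("ack"),
           "win": num("win"), "length": num("length"), "options": d["options"]}
    opt = re.search(r"wscale (\d+)", d["options"] or "")
    rec["wscale"] = int(opt.group(1)) if opt else wscale
    # 'win 169' with wscale 7 means 169 x 128 bytes, as the post computes; the window in a
    # SYN segment itself is never scaled, so the shift is skipped there.
    scale = rec["wscale"] if rec["wscale"] is not None and "SYN" not in rec["flags"] else 0
    rec["effective_win"] = rec["win"] << scale
    # length must equal the seq span (3895108681 - 3895108473 = 208); seq numbers are 32 bits
    # wide, so subtract modulo 2^32 so that a range like 4294967089:1 still checks out.
    if rec["seq_end"] is None:
        rec["length_matches_seq"] = rec["length"] == 0
    else:
        rec["length_matches_seq"] = (rec["seq_end"] - rec["seq_start"]) % (1 << 32) == rec["length"]
    return rec
```

A real tool would remember the wscale per connection (source/destination pair) rather than carrying one value across the whole capture as the post does.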
How to capture traffic on a particular interface via tcpdump, (-i in tcpdump)
[root@rhel7-server ~]# tcpdump -i eth0 -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:26:45.763432 IP 192.168.135.133.ssh > 192.168.135.1.6828: Flags [P.], seq 3895121529:3895121737, ack 2940802348, win 169, length 208
15:26:45.763647 IP 192.168.135.1.6828 > 192.168.135.133.ssh: Flags [.], ack 208, win 2053, length 0
2 packets captured
3 packets received by filter
0 packets dropped by kernel
-A for ASCII and -XX for hexadecimal packet capture, (-A & -XX in tcpdump)
[root@rhel7-server ~]# tcpdump -A -i any -c 3
[root@rhel7-server ~]# tcpdump -XX -i any -c 3
How to run tcpdump for a particular time,
[root@rhel7-server ~]# timeout 10 tcpdump -i any
The above will run tcpdump for 10 seconds.
How to get the Ethernet/MAC address of source and destination in tcpdump, (-e in tcpdump)
[root@rhel7-server ~]# tcpdump -i any -c 4 -n -e
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
15:48:40.707624 Out 00:0c:29:09:e3:b8 ethertype IPv4 (0x0800), length 264: 192.168.135.133.ssh > 192.168.135.1.6828: Flags [P.], seq 3895173449:3895173657, ack 2940815612, win 192, length 208
15:48:40.707796 In 00:50:56:c0:00:08 ethertype IPv4 (0x0800), length 62: 192.168.135.1.6828 > 192.168.135.133.ssh: Flags [.], ack 208, win 2050, length 0
15:48:41.709491 Out 00:0c:29:09:e3:b8 ethertype IPv4 (0x0800), length 456: 192.168.135.133.ssh > 192.168.135.1.6828: Flags [P.], seq 208:608, ack 1, win 192, length 400
15:48:41.750333 In 00:50:56:c0:00:08 ethertype IPv4 (0x0800), length 62: 192.168.135.1.6828 > 192.168.135.133.ssh: Flags [.], ack 608, win 2048, length 0
4 packets captured
4 packets received by filter
0 packets dropped by kernel
Note that on the any pseudo-interface (Linux cooked capture) only one MAC address is shown per packet, together with the In/Out direction; capture on a real interface such as eth0 to see both the source and destination MAC.
How to get more verbose output in tcpdump, (-v, -vv & -vvv in tcpdump)
[root@rhel7-server ~]# tcpdump -i any -c 4 -n -vvv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
15:53:08.543207 IP (tos 0x10, ttl 64, id 55136, offset 0, flags [DF], proto TCP (6), length 184)
    192.168.135.133.ssh > 192.168.135.1.6828: Flags [P.], cksum 0x9082 (incorrect -> 0xefe1), seq 3895175625:3895175769, ack 2940816444, win 192, length 144
15:53:08.543395 IP (tos 0x0, ttl 128, id 25971, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.135.1.6828 > 192.168.135.133.ssh: Flags [.], cksum 0x6f2f (correct), seq 1, ack 144, win 2048, length 0
15:53:09.544732 IP (tos 0x10, ttl 64, id 55137, offset 0, flags [DF], proto TCP (6), length 568)
    192.168.135.133.ssh > 192.168.135.1.6828: Flags [P.], cksum 0x9202 (incorrect -> 0xe4f1), seq 144:672, ack 1, win 192, length 528
15:53:09.545304 IP (tos 0x0, ttl 128, id 25972, offset 0, flags [DF], proto TCP (6), length 136)
    192.168.135.1.6828 > 192.168.135.133.ssh: Flags [P.], cksum 0x24b2 (correct), seq 1:97, ack 672, win 2053, length 96
4 packets captured
8 packets received by filter
0 packets dropped by kernel
The "cksum ... (incorrect ...)" on the outgoing packets is normal when the NIC does checksum offloading: tcpdump sees the packet before the hardware fills in the TCP checksum, so it is not a sign of corruption.
How to capture tcpdump output in a file, (-w in tcpdump)
[root@rhel7-server ~]# tcpdump -i any -c 10 -n -w tcpdump-test-file
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
10 packets captured
13 packets received by filter
0 packets dropped by kernel
How to read tcpdump output from a saved file, (-r in tcpdump)
[root@rhel7-server ~]# tcpdump -r tcpdump-test-file
reading from file tcpdump-test-file, link-type LINUX_SLL (Linux cooked)
16:00:41.549502 IP 192.168.135.133.ssh > 192.168.135.1.6828: Flags [P.], seq 3895186121:3895186265, ack 2940820956, win 192, length 144
16:00:41.549656 IP 192.168.135.1.6828 > 192.168.135.133.ssh: Flags [.], ack 144, win 2051, length 0
16:00:47.856631 IP 192.168.135.143.58546 > 192.168.135.133.ssh: Flags [P.], seq 34941115:34941163, ack 806976033, win 455, options [nop,nop,TS val 32741167 ecr 55860032], length 48
16:00:47.857197 IP 192.168.135.133.ssh > 192.168.135.143.58546: Flags [P.], seq 1:97, ack 48, win 175, options [nop,nop,TS val 57135984 ecr 32741167], length 96
16:00:47.857456 IP 192.168.135.143.58546 > 192.168.135.133.ssh: Flags [.], ack 97, win 455, options [nop,nop,TS val 32741168 ecr 57135984], length 0
16:00:52.865188 ARP, Request who-has 192.168.135.143 tell 192.168.135.133, length 28
16:00:52.865538 ARP, Reply 192.168.135.143 is-at 00:0c:29:16:08:65 (oui Unknown), length 46
16:00:55.587702 IP 192.168.135.143.58546 > 192.168.135.133.ssh: Flags [P.], seq 48:96, ack 97, win 455, options [nop,nop,TS val 32748898 ecr 57135984], length 48
16:00:55.588364 IP 192.168.135.133.ssh > 192.168.135.143.58546: Flags [P.], seq 97:193, ack 96, win 175, options [nop,nop,TS val 57143715 ecr 32748898], length 96
16:00:55.588654 IP 192.168.135.143.58546 > 192.168.135.133.ssh: Flags [.], ack 193, win 455, options [nop,nop,TS val 32748899 ecr 57143715], length 0
The file holds the raw packets, so options such as -n, -nn and a filter expression can be applied when reading it with -r as well; the file above was written with -n but is shown here with service names because -r was run without it.
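To show what -w actually writes and -r reads back, here is an added example (my own code, not from the post or from tcpdump) that builds a small file in the libpcap format in memory and parses it, reporting the link type, the snaplen and which packets were cut short by -s. The link type (113 = LINUX_SLL), packet sizes and timestamp are constructed to match the post's captures; the link-type numbers are the standard libpcap values.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic microsecond-resolution pcap, as written by tcpdump -w
# libpcap link-type values for the two link types seen in the post
LINKTYPES = {1: "EN10MB (Ethernet)", 113: "LINUX_SLL (Linux cooked)"}


def build_sample_pcap(snaplen, packets, linktype=113):
    """Constructed stand-in for a 'tcpdump -w' file: a 24-byte global header, then a
    16-byte record header plus data per packet. Data beyond snaplen is dropped, as -s does."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for i, data in enumerate(packets):
        cap = data[:snaplen]
        # constructed timestamps: 1536422441 = 2018-09-08 16:00:41 UTC, as in the post
        out += struct.pack("<IIII", 1536422441 + i, 549502, len(cap), len(data)) + cap
    return out


def read_pcap(blob):
    """Parse a pcap blob: version, snaplen, link type and per-packet (caplen, origlen),
    flagging packets the snaplen cut short. Every length is checked before it is trusted."""
    if len(blob) < 24:
        raise ValueError("short pcap: no global header")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:          # same format written on a big-endian host
        end = ">"
    else:
        raise ValueError("not a pcap file (magic 0x%08x); pcapng is not handled" % magic)
    vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(end + "HHiIII", blob[4:24])
    info = {"version": (vmaj, vmin), "snaplen": snaplen,
            "linktype": LINKTYPES.get(linktype, "unknown (%d)" % linktype), "packets": []}
    off = 24
    while off < len(blob):
        if len(blob) - off < 16:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, caplen, origlen = struct.unpack(end + "IIII", blob[off:off + 16])
        if caplen > snaplen or caplen > origlen or caplen > len(blob) - off - 16:
            raise ValueError("corrupt record at offset %d" % off)
        info["packets"].append({"time": "%d.%06d" % (ts_sec, ts_usec), "caplen": caplen,
                                "origlen": origlen, "truncated": caplen < origlen})
        off += 16 + caplen
    return info
```

Running read_pcap over a real tcpdump-test-file works the same way; a caplen smaller than origlen on a record is the on-disk trace of the -s limit described earlier.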
How to get quick (brief) tcpdump output, (-q in tcpdump)
[root@rhel7-server ~]# tcpdump -i any -c 5 -n -q
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
16:06:12.472355 IP 192.168.135.133.ssh > 192.168.135.1.6828: tcp 208
16:06:12.472529 IP 192.168.135.1.6828 > 192.168.135.133.ssh: tcp 0
16:06:13.322234 ARP, Request who-has 192.168.135.133 (00:0c:29:09:e3:b8) tell 192.168.135.1, length 46
16:06:13.322256 ARP, Reply 192.168.135.133 is-at 00:0c:29:09:e3:b8, length 28
16:06:13.474215 IP 192.168.135.133.ssh > 192.168.135.1.6828: tcp 384
5 packets captured
10 packets received by filter
0 packets dropped by kernel
How to get a human-readable timestamp in tcpdump output, (-tttt in tcpdump)
[root@rhel7-server ~]# tcpdump -c 5 -i any -tttt
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
2018-09-08 17:09:23.879164 IP 192.168.135.133.ssh > 192.168.135.1.6828: Flags [P.], seq 3895238569:3895238777, ack 2940848700, win 215, length 208
2018-09-08 17:09:23.879374 IP 192.168.135.1.6828 > 192.168.135.133.ssh: Flags [.], ack 208, win 2053, length 0
2018-09-08 17:09:24.882512 IP localhost.54392 > localhost.domain: 5647+ PTR? 1.135.168.192.in-addr.arpa. (44)
2018-09-08 17:09:24.882527 IP localhost > localhost: ICMP localhost udp port domain unreachable, length 80
2018-09-08 17:09:24.882595 IP localhost.57134 > localhost.domain: 5647+ PTR? 1.135.168.192.in-addr.arpa. (44)
5 packets captured
20 packets received by filter
0 packets dropped by kernel