Tcpdump: Difference between revisions

From Hackepedia
Jump to navigationJump to search
No edit summary
 
m ethereal -> wireshark
 
(11 intermediate revisions by 3 users not shown)
Line 1: Line 1:
tcpdump is a [[OSI]] layer 2+ sniffer.  It'll sniff [[Ethernet]], [[PPP]], [[SLIP]].  The name is misleading since [[TCP]] is on [[OSI]] layer 4.  tcpdump uses a library called [[libpcap]] which is a library that implements datalink (layer 2) capturing facilities.  In [[BSD]] libpcap uses the [[bpf]] interface to access the data link.
tcpdump is a [[OSI]] layer 2+ [[sniffer]].  It'll sniff [[Ethernet]], [[PPP]], and [[SLIP]].  The name is misleading since [[TCP]] is on [[OSI]] layer 4.  tcpdump uses a library called [[libpcap]] which is a library that implements datalink (layer 2) capturing facilities.  In [[BSD]] libpcap uses the [[bpf]] interface to access the data link.


In [[OpenBSD]] one can only use tcpdump as [[root]].  This is a new implementation to ensure that privilege seperation works.
In [[UBO]]s, one can only use tcpdump as [[root]].  This is a new implementation to ensure that privilege seperation works. If you're looking for a [[GUI]] sniffer, you might want to try [[Wireshark]] instead.


Here is an example of seeing [[ICMP]] packets of type 8 (ECHO REQUEST):
This example shows all traffic from host 192.168.1.6 on the rl0 interface.
# tcpdump -i rl0 host 192.168.1.6
 
Here is an example of seeing [[ICMP]] packets of type 8 (ECHO REQUEST or [[ping]] packets):
  # tcpdump -v -n -i pppoe0 icmp[0] == 8  
  # tcpdump -v -n -i pppoe0 icmp[0] == 8  
  tcpdump: listening on pppoe0, link-type PPP_ETHER
  tcpdump: listening on pppoe0, link-type PPP_ETHER
  13:35:51.690236 85.75.39.172 > 206.248.137.44: icmp: echo request (id:8e2c seq:0) (ttl 255, id    45180, len 84)
  13:35:51.690236 85.75.39.172 > 206.248.137.44: icmp: echo request (id:8e2c seq:0) (ttl 255, id    45180, len 84)
If you have pflog0 enabled (BSD pf firewall) you can watch your logged packets with:
# tcpdump -vvv -e -ttt -i pflog0
which uses an even more verbose output, includes the link-level header for each line, as well as the delta (in micro-seconds) between current and previous lines.
If you're looking to display packet contents use the -X flag with tcpdump:
# tcpdump -v -n -i pppoe0 -X -s 1500
01:04:44.228678 206.248.137.44.80 > 85.75.108.156.29295: P [tcp sum ok] 4917:5584(667) ack 3102 win 32806 <nop,nop,timestamp 61552946 2629671755> (DF) (ttl 54, id 58262, len 719)
  0000: 0021 4500 02cf e396 4000 3606 4486 cef8  .!E..Ïã.@.6.D.Îø
  0010: 892c 554b 6c9c 0050 726f 6f2a 2530 f14f  .,UKl..Proo*%0ñO
  0020: 5d33 8018 8026 d64f 0000 0101 080a 03ab  ]3...&ÖO.......«
  0030: 3932 9cbd 9b4b 4854 5450 2f31 2e31 2032  92.½.KHTTP/1.1 2
  0040: 3030 204f 4b0d 0a44 6174 653a 2053 6174  00 OK..Date: Sat
  0050: 2c20 3130 2044 6563 2032 3030 3520 3030  , 10 Dec 2005 00
  0060: 3a30 353a 3237 2047 4d54 0d0a 5365 7276  :05:27 GMT..Serv
  0070: 6572 3a20 4170 6163 6865 2f31 2e33 2e33  er: Apache/1.3.3
  0080: 3420 2855 6e69 7829 2050 4850 2f34 2e34  4 (Unix) PHP/4.4
  ...
== Debugging with Tcpdump ==
One good use for tcpdump is checking whether a certain daemon has enabled encryption, such as a mail server.  Periodic checking the headers and payload with tcpdump should ensure that sendmail doesn't drop into a non-encrypted mode if ever.
== Sample tcpdump ==
Here of a [[DNS]] packet.
[[File:Nsd-answer-centroid-eu.jpg]]

Latest revision as of 01:21, 9 October 2012

tcpdump is a OSI layer 2+ sniffer. It'll sniff Ethernet, PPP, and SLIP. The name is misleading since TCP is on OSI layer 4. tcpdump uses a library called libpcap which is a library that implements datalink (layer 2) capturing facilities. In BSD libpcap uses the bpf interface to access the data link.

In UBOs, one can only use tcpdump as root. This is a new implementation to ensure that privilege seperation works. If you're looking for a GUI sniffer, you might want to try Wireshark instead.

This example shows all traffic from host 192.168.1.6 on the rl0 interface.

# tcpdump -i rl0 host 192.168.1.6

Here is an example of seeing ICMP packets of type 8 (ECHO REQUEST or ping packets):

# tcpdump -v -n -i pppoe0 icmp[0] == 8 
tcpdump: listening on pppoe0, link-type PPP_ETHER
13:35:51.690236 85.75.39.172 > 206.248.137.44: icmp: echo request (id:8e2c seq:0) (ttl 255, id    45180, len 84)

If you have pflog0 enabled (BSD pf firewall) you can watch your logged packets with:

# tcpdump -vvv -e -ttt -i pflog0

which uses an even more verbose output, includes the link-level header for each line, as well as the delta (in micro-seconds) between current and previous lines.

If you're looking to display packet contents use the -X flag with tcpdump:

# tcpdump -v -n -i pppoe0 -X -s 1500
01:04:44.228678 206.248.137.44.80 > 85.75.108.156.29295: P [tcp sum ok] 4917:5584(667) ack 3102 win 32806 <nop,nop,timestamp 61552946 2629671755> (DF) (ttl 54, id 58262, len 719)
 0000: 0021 4500 02cf e396 4000 3606 4486 cef8  .!E..Ïã.@.6.D.Îø
 0010: 892c 554b 6c9c 0050 726f 6f2a 2530 f14f  .,UKl..Proo*%0ñO
 0020: 5d33 8018 8026 d64f 0000 0101 080a 03ab  ]3...&ÖO.......«
 0030: 3932 9cbd 9b4b 4854 5450 2f31 2e31 2032  92.½.KHTTP/1.1 2
 0040: 3030 204f 4b0d 0a44 6174 653a 2053 6174  00 OK..Date: Sat
 0050: 2c20 3130 2044 6563 2032 3030 3520 3030  , 10 Dec 2005 00
 0060: 3a30 353a 3237 2047 4d54 0d0a 5365 7276  :05:27 GMT..Serv
 0070: 6572 3a20 4170 6163 6865 2f31 2e33 2e33  er: Apache/1.3.3
 0080: 3420 2855 6e69 7829 2050 4850 2f34 2e34  4 (Unix) PHP/4.4
 ...


Debugging with Tcpdump

One good use for tcpdump is checking whether a certain daemon has enabled encryption, such as a mail server. Periodic checking the headers and payload with tcpdump should ensure that sendmail doesn't drop into a non-encrypted mode if ever.


Sample tcpdump

Here of a DNS packet.