About TCPdump
Brett Lee
==========================================================================
TCPdump:
-------------
tcpdump
-n (no DNS lookup)
-s 0 (snarf the whole packet - 0 is unlimited)
-X (dump hex and ASCII of packet)
ip (capture IP)
and not port ssh (I'm connected via SSH, don't want to capture it... )
* Protocol names (ip, arp, tcp, udp, etc.) are filter primitives in their own
  right, so "ip" on its own is enough to select IP packets.
* "ssh" is a service name that resolves to a port number (via /etc/services),
  so it has to be prefaced with "port".
[root@opteron ~]# tcpdump -n -s 0 -X ip and not port ssh
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:10:05.037455 IP 192.168.10.1.2503 > 192.168.10.5.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
0x0000: 4500 004e 044d 0000 4011 e0fb c0a8 0a01 E..N.M..@.......
0x0010: c0a8 0a05 09c7 0089 003a 1fc3 01c7 0010 .........:......
0x0020: 0001 0000 0000 0000 2043 4b41 4141 4141 .........CKAAAAA
0x0030: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0040: 4141 4141 4141 4141 4100 0021 0001 AAAAAAAAA..!..
22:10:05.037827 IP 192.168.10.5.netbios-ns > 192.168.10.1.2503: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
0x0000: 4500 0137 0000 4000 4011 a45f c0a8 0a05 E..7..@.@.._....
0x0010: c0a8 0a01 0089 09c7 0123 cf41 01c7 8400 .........#.A....
0x0020: 0000 0001 0000 0000 2043 4b41 4141 4141 .........CKAAAAA
0x0030: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0040: 4141 4141 4141 4141 4100 0021 0001 0000 AAAAAAAAA..!....
0x0050: 0000 00e3 0a4f 5054 4552 4f4e 2020 2020 .....OPTERON....
0x0060: 2020 2020 0064 004f 5054 4552 4f4e 2020 .....d.OPTERON..
0x0070: 2020 2020 2020 0364 004f 5054 4552 4f4e .......d.OPTERON
0x0080: 2020 2020 2020 2020 2064 004f 5054 4552 .........d.OPTER
0x0090: 4f4e 2020 2020 2020 2020 0064 004f 5054 ON.........d.OPT
0x00a0: 4552 4f4e 2020 2020 2020 2020 0364 004f ERON.........d.O
0x00b0: 5054 4552 4f4e 2020 2020 2020 2020 2064 PTERON.........d
0x00c0: 0048 4f4d 4520 2020 2020 2020 2020 2020 .HOME...........
0x00d0: 00e4 0048 4f4d 4520 2020 2020 2020 2020 ...HOME.........
0x00e0: 2020 1ee4 0048 4f4d 4520 2020 2020 2020 .....HOME.......
0x00f0: 2020 2020 00e4 0048 4f4d 4520 2020 2020 .......HOME.....
0x0100: 2020 2020 2020 1ee4 0000 0000 0000 0000 ................
0x0110: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0120: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0130: 0000 0000 0000 00
Now for some explanation. As we were only collecting IP, the timestamped first
line should be easily understood as "IP: ..10.1 talking to ..10.5", with the
port after the last dot of each address (2503 on the source side, netbios-ns,
i.e. 137, on the destination side). The port still shows up as a name because
-n only suppresses host name lookups; use -nn if you want port numbers left
numeric as well.
22:10:05.037455 IP 192.168.10.1.2503 > 192.168.10.5.netbios-ns:
In looking at the HEX, each line contains sixteen bytes, so each grouping
(e.g. 4500, 0137, etc.) consists of two bytes.
In our capture we only wanted IP traffic, so we know that each packet must
begin with an IP header. The first four bits of the first byte are the version
field; a "4" (0x4) means this is an IPv4 header. Remember, the beginning of the
data contains a header describing the payload that follows it (refer to
TCP-Tuning.txt in this directory for a refresher). FWIW, the "5" in 4500 is
the header length in 32-bit words (5 words, i.e. 20 bytes, so the payload
starts at offset 0x14), while the "00" is the TOS this packet is requesting.
For more details on this see the IP section at http://www.networksorcery.com.
Just as this IP packet carries a payload (UDP in this case - more on that
later), the packet is itself the payload of an Ethernet frame. With a single
-X tcpdump prints the packet minus its link-level header, which is why the
dump above starts at the IP header. To look at the entire Ethernet frame and
see the Layer 2 header as well, add a second X:
[root@opteron ~]# tcpdump -n -s 0 -XX ip and not port ssh
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:25:59.006686 IP 192.168.10.13.netbios-dgm > 192.168.10.255.netbios-dgm: NBT UDP PACKET(138)
0x0000: ffff ffff ffff 0013 02a7 c1b7 0800 4500 ..............E.
0x0010: 00f3 fdcb 0000 8011 a5d1 c0a8 0a0d c0a8 ................
0x0020: 0aff 008a 008a 00df 60a2 110e 9cac c0a8 ........`.......
0x0030: 0a0d 008a 00c9 0000 2046 4345 5045 4445 .........FCEPEDE
0x0040: 4c46 4a43 4143 4143 4143 4143 4143 4143 LFJCACACACACACAC
0x0050: 4143 4143 4143 4143 4100 2045 4945 5045 ACACACACA..EIEPE
0x0060: 4e45 4643 4143 4143 4143 4143 4143 4143 NEFCACACACACACAC
0x0070: 4143 4143 4143 4143 4142 4e00 ff53 4d42 ACACACACABN..SMB
0x0080: 2500 0000 0000 0000 0000 0000 0000 0000 %...............
0x0090: 0000 0000 0000 0000 0000 0000 1100 002f .............../
0x00a0: 0000 0000 0000 0000 00e8 0300 0000 0000 ................
0x00b0: 0000 002f 0056 0003 0001 0000 0002 0040 .../.V.........@
0x00c0: 005c 4d41 494c 534c 4f54 5c42 524f 5753 .\MAILSLOT\BROWS
0x00d0: 4500 0100 80fc 0a00 524f 434b 5900 4400 E.......ROCKY.D.
0x00e0: 3400 3500 3300 3400 0501 0310 0000 0f01 4.5.3.4.........
0x00f0: 55aa 546f 7368 6962 6120 4c61 7074 6f70 U.Toshiba.Laptop
0x0100: 00 .
Looking at the HEX again we are no longer starting with the IP header but
instead at the Ethernet header. The first 6 bytes are the MAC address of the
"next hop" destination. In this case the IP destination was ...10.255, the
broadcast address of the subnet, so the frame went to ff:ff:ff:ff:ff:ff, the
Ethernet broadcast address. The source MAC address is the next 6 bytes,
00:13:02:a7:c1:b7.
The last two bytes of the Ethernet header, "0800", are the EtherType and say
what the payload is. As you guessed, 0x0800 represents IPv4. Another common
value seen here is 0x0806 (ARP), and IPv6 arrives as 0x86dd. A really
interesting one is 0x8100. It indicates an 802.1Q VLAN tag: the next two bytes
contain the 3-bit frame priority, the 1-bit canonical format indicator (CFI)
and the 12-bit VLAN ID, and the two bytes after those carry the real EtherType
of the payload, so the IP header then starts four bytes further in than it
does here.
Looking beyond the 0x0800 we see the start of the IP header and our old
friend "4500". As mentioned earlier, the 4 is the IP version field, not the
protocol of the IP payload.
It's nice to remember that a "4" means IPv4 and a "6" means IPv6 (an IPv6
header has a different layout, so the rest of this walk-through would not
apply to it).
A few more notes on this frame. The second line continues the IP header. A
few bytes over you will see the "8011" hex block. The 0x80 is the TTL (128),
and the 0x11 is the protocol field: decimal 17, indicating that this packet
contains UDP data. Other common values here are 0x06 (TCP), 0x01 (ICMP) and
0x02 (IGMP).
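To make the walk through the two headers concrete, here is an added example
(editor's code, not code from Brett's note or from tcpdump itself) that turns
the hex columns of the -XX dump above back into bytes and decodes the
Ethernet, IPv4 and UDP headers, checking the IP header checksum and the
length fields on the way. It goes one step beyond the note by handling the
0x8100 case: insert_vlan_tag() wraps the captured frame in a constructed
802.1Q tag so you can watch the parser skip the 4-byte tag to reach the real
EtherType. The frame bytes are copied from the capture above; the function
names and the VLAN values are assumptions of this example.

```python
# Added example, not code from Brett Lee's note: decode the hex columns of a
# `tcpdump -n -s 0 -XX` dump into the Ethernet, IPv4 and UDP fields the note
# walks through.  FRAME_DUMP is the NBT datagram captured in the note; the
# 802.1Q-tagged frame built by insert_vlan_tag() is constructed for this example.
import re
import struct

ETHERTYPE_IPV4, ETHERTYPE_VLAN = 0x0800, 0x8100
IP_PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}

# Hex columns of the -XX capture in the note, ASCII column omitted.
FRAME_DUMP = """
0x0000: ffff ffff ffff 0013 02a7 c1b7 0800 4500
0x0010: 00f3 fdcb 0000 8011 a5d1 c0a8 0a0d c0a8
0x0020: 0aff 008a 008a 00df 60a2 110e 9cac c0a8
0x0030: 0a0d 008a 00c9 0000 2046 4345 5045 4445
0x0040: 4c46 4a43 4143 4143 4143 4143 4143 4143
0x0050: 4143 4143 4143 4143 4100 2045 4945 5045
0x0060: 4e45 4643 4143 4143 4143 4143 4143 4143
0x0070: 4143 4143 4143 4143 4142 4e00 ff53 4d42
0x0080: 2500 0000 0000 0000 0000 0000 0000 0000
0x0090: 0000 0000 0000 0000 0000 0000 1100 002f
0x00a0: 0000 0000 0000 0000 00e8 0300 0000 0000
0x00b0: 0000 002f 0056 0003 0001 0000 0002 0040
0x00c0: 005c 4d41 494c 534c 4f54 5c42 524f 5753
0x00d0: 4500 0100 80fc 0a00 524f 434b 5900 4400
0x00e0: 3400 3500 3300 3400 0501 0310 0000 0f01
0x00f0: 55aa 546f 7368 6962 6120 4c61 7074 6f70
0x0100: 00
"""

def hexdump_to_bytes(dump):
    """Gather the hex groups of each 'OFFSET: hhhh hhhh ...' line.  tcpdump prints
    lowercase hex, four chars per group (two for a trailing odd byte), so an ASCII
    column, if a line still has one, is dropped at the first token failing that test."""
    out = bytearray()
    for line in dump.strip().splitlines():
        tokens = line.split()
        if tokens and tokens[0].endswith(":"):
            for tok in tokens[1:]:
                if not re.fullmatch(r"[0-9a-f]{4}|[0-9a-f]{2}", tok):
                    break  # start of the ASCII column
                out += bytes.fromhex(tok)
    return bytes(out)

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_ethernet(frame):
    """Ethernet II: dst MAC, src MAC, EtherType.  EtherType 0x8100 means a 4-byte
    802.1Q tag follows (3-bit priority, 1-bit CFI, 12-bit VID, then the payload's
    real EtherType), so the next header starts 4 bytes later."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = {"priority": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    return {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]),
            "ethertype": ethertype, "vlan": vlan, "payload": frame[offset:]}

def insert_vlan_tag(frame, vid, priority=0):
    """Constructed helper: wrap an untagged frame in an 802.1Q tag (CFI left 0)."""
    tci = (priority << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", ETHERTYPE_VLAN, tci) + frame[12:]

def internet_checksum(header):
    """RFC 1071 one's-complement sum; a header whose checksum is intact sums to 0xffff."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def parse_ipv4(packet):
    """IPv4: the '4' nibble is the version, the '5' nibble is the IHL in 32-bit words."""
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError(f"not a usable IPv4 header (version {version}, IHL {ihl})")
    total_len, _id, _frag, ttl, proto, _csum = struct.unpack("!HHHBBH", packet[2:12])
    if total_len > len(packet):  # snapped capture; the note's -s 0 avoids this
        raise ValueError(f"total length {total_len} > {len(packet)} bytes captured")
    return {"ihl": ihl, "tos": packet[1], "total_length": total_len, "ttl": ttl,
            "protocol": proto, "protocol_name": IP_PROTO_NAMES.get(proto, str(proto)),
            "checksum_ok": internet_checksum(packet[:ihl]) == 0xFFFF,
            "src": ".".join(map(str, packet[12:16])), "dst": ".".join(map(str, packet[16:20])),
            "payload": packet[ihl:total_len]}

def parse_udp(segment):
    sport, dport, length, _csum = struct.unpack("!HHHH", segment[:8])
    if length > len(segment):
        raise ValueError("UDP length exceeds the IP payload")
    return {"src_port": sport, "dst_port": dport, "length": length, "payload": segment[8:length]}

def decode_frame(dump):
    # Walk a -XX dump from layer 2 inward, stopping at the first layer not handled.
    result = {"eth": parse_ethernet(hexdump_to_bytes(dump))}
    if result["eth"]["ethertype"] == ETHERTYPE_IPV4:
        result["ip"] = parse_ipv4(result["eth"]["payload"])
        if result["ip"]["protocol"] == 17:
            result["udp"] = parse_udp(result["ip"]["payload"])
    return result
```

Call decode_frame(FRAME_DUMP) and inspect the returned dict: dst
ff:ff:ff:ff:ff:ff, src 00:13:02:a7:c1:b7, EtherType 0x0800, IHL 20, TTL 128,
protocol 17 (UDP), ports 138 to 138, and a UDP length of 223, which is the IP
total length of 243 minus the 20-byte IP header. A packet snapped short of its
IP total length raises ValueError, which is the situation the -s 0 in the
note's command line prevents.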
Now that you've seen a little bit from the ground up, go get Ethereal and use
it to analyze your tcpdump captures. Use the "-w file.cap" option (together
with -s 0, so nothing is truncated) to write the raw packets to a file, then
open the file with Ethereal and look at everything about the data quickly and
simply.
You may want to experiment with command line capturing with ethereal.
An overview can be found here:
http://www.etpenguin.com/docs/pub/Networking/ethereal.txt
Good luck,
-Brett
You think this stuff is old, check out this: ftp://ftp.ncsa.uiuc.edu/Mosaic/
In an effort to provide a service of value to the open source community, I've put together this website containing many of my notes and references.
This website is not authoritative and it is certainly not without errors; it is a work in progress.
In addition to my contributions you will also find the work of others. Where the work is not mine, I have tried to indicate that, and to reference the source of the work: by citing the original author, retaining the author's name and license wherever present, or by placing the work in a suitably named URL containing /external/ in the path. If you find any work here that should not be publicly available, please send me a note and it will be removed.
As for my contributions, you are free to use any of *MY* notes or code from this website unless specifically instructed otherwise.
Brett Lee, Ph.D., President & CEO
Everything Penguin, Inc.