Everything Penguin

Focusing on Linux-based Operating Systems

    About TCPdump
    Brett Lee
    ==========================================================================
    
    
    TCPdump:
    -------------
    tcpdump 
      -n  (no DNS lookup)
      -s 0 (snarf the whole packet - 0 is unlimited)
      -X (dump hex and ASCII of packet)
      ip (capture IP)
      and not port ssh (I'm connected via SSH, don't want to capture it... )
    
  *  Protocol names (ip, arp, tcp, udp, etc.) stand on their own in the filter, so just say "ip".
  *  SSH is a service tied to a port, so it needs to be prefixed with "port".
    
    [root@opteron ~]# tcpdump -n -s 0 -X ip and not port ssh
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    22:10:05.037455 IP 192.168.10.1.2503 > 192.168.10.5.netbios-ns: NBT UDP
    PACKET(137): QUERY; REQUEST; BROADCAST
            0x0000:  4500 004e 044d 0000 4011 e0fb c0a8 0a01  E..N.M..@.......
            0x0010:  c0a8 0a05 09c7 0089 003a 1fc3 01c7 0010  .........:......
            0x0020:  0001 0000 0000 0000 2043 4b41 4141 4141  .........CKAAAAA
            0x0030:  4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
            0x0040:  4141 4141 4141 4141 4100 0021 0001       AAAAAAAAA..!..
    22:10:05.037827 IP 192.168.10.5.netbios-ns > 192.168.10.1.2503: NBT UDP
    PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
            0x0000:  4500 0137 0000 4000 4011 a45f c0a8 0a05  E..7..@.@.._....
            0x0010:  c0a8 0a01 0089 09c7 0123 cf41 01c7 8400  .........#.A....
            0x0020:  0000 0001 0000 0000 2043 4b41 4141 4141  .........CKAAAAA
            0x0030:  4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
            0x0040:  4141 4141 4141 4141 4100 0021 0001 0000  AAAAAAAAA..!....
            0x0050:  0000 00e3 0a4f 5054 4552 4f4e 2020 2020  .....OPTERON....
            0x0060:  2020 2020 0064 004f 5054 4552 4f4e 2020  .....d.OPTERON..
            0x0070:  2020 2020 2020 0364 004f 5054 4552 4f4e  .......d.OPTERON
            0x0080:  2020 2020 2020 2020 2064 004f 5054 4552  .........d.OPTER
            0x0090:  4f4e 2020 2020 2020 2020 0064 004f 5054  ON.........d.OPT      
            0x00a0:  4552 4f4e 2020 2020 2020 2020 0364 004f  ERON.........d.O
            0x00b0:  5054 4552 4f4e 2020 2020 2020 2020 2064  PTERON.........d
            0x00c0:  0048 4f4d 4520 2020 2020 2020 2020 2020  .HOME...........
            0x00d0:  00e4 0048 4f4d 4520 2020 2020 2020 2020  ...HOME.........
            0x00e0:  2020 1ee4 0048 4f4d 4520 2020 2020 2020  .....HOME.......
            0x00f0:  2020 2020 00e4 0048 4f4d 4520 2020 2020  .......HOME.....
            0x0100:  2020 2020 2020 1ee4 0000 0000 0000 0000  ................
            0x0110:  0000 0000 0000 0000 0000 0000 0000 0000  ................
            0x0120:  0000 0000 0000 0000 0000 0000 0000 0000  ................
            0x0130:  0000 0000 0000 00
    
    Now for some explanation - as we were only collecting IP, the timestamped first
    line should be easily understood as "IP: ..10.1 talking to ..10.5".
    
    22:10:05.037455 IP 192.168.10.1.2503 > 192.168.10.5.netbios-ns:
    
    In looking at the HEX, each line contains sixteen bytes, so each grouping
    (e.g. 4500, 0137, etc.) consists of two bytes.
    
In our capture, we only wanted IP traffic, so we know that each packet must
be IP.  The first four bits of the first byte (the high nibble of 0x45) are
the IP version field, and the "4" tells us this is an IPv4 packet.  Remember,
the beginning of the data is a header describing the payload that follows
(refer to TCP-Tuning.txt in this directory for a refresher).  FWIW, the "5"
in 4500 is the header length in 32-bit words (5 words = 20 bytes), while the
"00" is the TOS (type of service) this packet is requesting.  For more
details on this see the IP section at http://www.networksorcery.com.
    
Just as this IP packet carries a payload (UDP in this case - more on that
later), the IP packet is itself the payload of an Ethernet frame.  With a
single -X, tcpdump strips the Ethernet header and dumps only the IP packet;
to see the header that was stripped we can ask tcpdump for the whole frame.
    
    
To look at the entire Ethernet frame and see the Layer 2 header, add a
second X:
    
    [root@opteron ~]# tcpdump -n -s 0 -XX ip and not port ssh
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    22:25:59.006686 IP 192.168.10.13.netbios-dgm > 192.168.10.255.netbios-dgm: NBT
    UDP PACKET(138)
            0x0000:  ffff ffff ffff 0013 02a7 c1b7 0800 4500  ..............E.
            0x0010:  00f3 fdcb 0000 8011 a5d1 c0a8 0a0d c0a8  ................
            0x0020:  0aff 008a 008a 00df 60a2 110e 9cac c0a8  ........`.......
            0x0030:  0a0d 008a 00c9 0000 2046 4345 5045 4445  .........FCEPEDE
            0x0040:  4c46 4a43 4143 4143 4143 4143 4143 4143  LFJCACACACACACAC
            0x0050:  4143 4143 4143 4143 4100 2045 4945 5045  ACACACACA..EIEPE
            0x0060:  4e45 4643 4143 4143 4143 4143 4143 4143  NEFCACACACACACAC
            0x0070:  4143 4143 4143 4143 4142 4e00 ff53 4d42  ACACACACABN..SMB
            0x0080:  2500 0000 0000 0000 0000 0000 0000 0000  %...............
            0x0090:  0000 0000 0000 0000 0000 0000 1100 002f  .............../
            0x00a0:  0000 0000 0000 0000 00e8 0300 0000 0000  ................
            0x00b0:  0000 002f 0056 0003 0001 0000 0002 0040  .../.V.........@
            0x00c0:  005c 4d41 494c 534c 4f54 5c42 524f 5753  .\MAILSLOT\BROWS
            0x00d0:  4500 0100 80fc 0a00 524f 434b 5900 4400  E.......ROCKY.D.
            0x00e0:  3400 3500 3300 3400 0501 0310 0000 0f01  4.5.3.4.........
            0x00f0:  55aa 546f 7368 6962 6120 4c61 7074 6f70  U.Toshiba.Laptop
            0x0100:  00                                       .
    
Looking at the HEX again, we are no longer starting with the IP header but
with the Ethernet header.  The first 6 bytes are the MAC address of the
"next hop" destination.  In this case the destination was ...10.255, sent to
ff:ff:ff:ff:ff:ff, the broadcast MAC address.  The source MAC address is the
next 6 bytes, or 00:13:02:a7:c1:b7.
    
The last two bytes of the Ethernet header, "0800", are the EtherType and
indicate what the payload will be.  As you guessed, 0x0800 represents IP.
Another common value seen here is 0x0806 (ARP).  A really interesting one is
0x8100, which indicates the frame carries an 802.1Q VLAN tag: the next two
bytes contain the tag data, and the real EtherType of the payload follows
after them.  Specifically, those 16 bits contain the 3-bit frame priority,
the canonical format indicator (CFI), and the 12-bit VLAN ID.
    
Looking beyond the 0x0800 we see the start of the IP header and our old
friend "4500".  As mentioned earlier, the 4 is the IP version field, so
this is IPv4.
It's nice to remember that a "4" means IPv4 and a "6" means IPv6.
    
A few more notes on this frame.  The second line continues the IP header.  A
few bytes over you will see the "8011" hex block (the 0x80 is the TTL).  The
0x11 portion is the protocol field: decimal "17", indicating that this packet
contains UDP data.  Other common values here are 0x06 (TCP) and 0x02 (IGMP).
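As an added worked example (not part of Brett's notes), the Python script below rebuilds the raw bytes from tcpdump -XX hex lines and walks the same offsets discussed above: the Ethernet header (including an 802.1Q tag, where the real EtherType follows the tag), the IPv4 fields behind "4500" and "8011", and the UDP port pair. The embedded sample is the first three hex lines of the broadcast frame shown above; everything else is constructed for illustration.

```python
import re

# Constructed sample: the first three hex lines of the "tcpdump -XX" frame
# shown above (NetBIOS datagram broadcast), in tcpdump's hex/ASCII layout.
SAMPLE = """\
        0x0000:  ffff ffff ffff 0013 02a7 c1b7 0800 4500  ..............E.
        0x0010:  00f3 fdcb 0000 8011 a5d1 c0a8 0a0d c0a8  ................
        0x0020:  0aff 008a 008a 00df 60a2 110e 9cac c0a8  ........`.......
"""
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86dd: "IPv6"}
IP_PROTOS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}

def hexdump_to_bytes(text):
    """Rebuild raw bytes from tcpdump -X/-XX lines; the ASCII column is ignored."""
    raw = bytearray()
    for line in text.splitlines():
        m = re.match(r"\s*0x[0-9a-f]+:\s+((?:[0-9a-f]{2,4}\s?)+)", line)
        if m:
            raw += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(raw)

def parse_frame(raw):
    """Decode Ethernet (with optional 802.1Q tag), IPv4 and UDP headers by offset."""
    ethertype = int.from_bytes(raw[12:14], "big")
    info = {"dst_mac": raw[0:6].hex(":"), "src_mac": raw[6:12].hex(":"), "vlan_id": None}
    off = 14
    if ethertype == 0x8100:                      # 802.1Q: next 2 bytes are PCP/CFI/VID,
        tci = int.from_bytes(raw[14:16], "big")  # then the real EtherType follows
        info["vlan_id"] = tci & 0x0FFF
        ethertype = int.from_bytes(raw[16:18], "big")
        off = 18
    info["ethertype"] = ETHERTYPES.get(ethertype, hex(ethertype))
    if ethertype != 0x0800:
        return info
    ip = raw[off:]
    ihl = (ip[0] & 0x0F) * 4                     # the "5" of 4500: 5 words = 20 bytes
    info.update(version=ip[0] >> 4, ihl=ihl, tos=ip[1],
                total_length=int.from_bytes(ip[2:4], "big"),
                ttl=ip[8], protocol=IP_PROTOS.get(ip[9], ip[9]),   # 0x11 = 17 = UDP
                src_ip=".".join(map(str, ip[12:16])),
                dst_ip=".".join(map(str, ip[16:20])))
    if ip[9] == 17:                              # UDP header: src port, dst port, length
        udp = ip[ihl:ihl + 8]
        info.update(src_port=int.from_bytes(udp[0:2], "big"),
                    dst_port=int.from_bytes(udp[2:4], "big"))
    return info

if __name__ == "__main__":
    for key, value in parse_frame(hexdump_to_bytes(SAMPLE)).items():
        print(f"{key:13} {value}")
```

The decoded ports (138/138) and addresses (192.168.10.13 to 192.168.10.255) match tcpdump's summary line for that frame, which is a handy way to confirm you are reading the offsets correctly.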
    
    Now that you've seen a little bit from the ground up, go get Ethereal and use
    it to analyze your TCP dumps.  Use the "-w file.cap" option and then open the
    file with Ethereal and look at everything about the data quickly and simply.
    
    You may want to experiment with command line capturing with ethereal.
    An overview can be found here:
      http://www.etpenguin.com/docs/pub/Networking/ethereal.txt
    
    
    Good luck,
    -Brett
    
You think this stuff is old?  Check out this: ftp://ftp.ncsa.uiuc.edu/Mosaic/
    

    This site contains many of my notes from research into different aspects of the Linux kernel as well as some of the software provided by GNU and others. Though these notes are not fully comprehensive or even completely accurate, they are part of my on-going attempt to better understand this complex field. And, they are yours to use.

    Should you wish to report any errors or suggestions, please let me know.

    Should you wish to make a donation for anything you may have learned here, please direct that donation to the ASPCA, with my sincere thanks.

    Brett Lee
    Everything Penguin

    The code for this site, which is just a few CGI scripts, may be found on GitHub (https://github.com/userbrett/cgindex).

    For both data encryption and password protection, try Personal Data Security (https://www.trustpds.com).


    "We left all that stuff out. If there's an error, we have this routine called 'panic', and when its called, the machine crashes, and you holler down the hall, 'Hey, reboot it.'"

        - Dennis Ritchie on Unix (vs Multics)

