tcpdump

All of the tools covered thus far in this chapter are most likely included in whichever Linux distribution you choose. tcpdump, although very popular, might not be included but should be the first thing installed after system installation. tcpdump is available at http://www.tcpdump.org/ and requires libpcap, also available at http://www.tcpdump.org, to operate. tcpdump is a small footprint protocol analyzer that should be placed on any Linux hosts acting as routers or performing other centralized services where troubleshooting should be infrequent but must be performed in a timely fashion when it is needed.

Sniffers on Routers

Some security professionals frown on the practice of placing sniffers on routers given that the sniffer will provide an easy means of additional hacking should the router be compromised. Of course, once a router is compromised, the sniffer can be installed by the hacker. In any case, consider your security needs and requirements before placing a sniffer on a router.


If tcpdump is started without any command-line parameters, it will place all connected interfaces into promiscuous mode and dump all packets the Linux node sees to stdout, which is typically the terminal. Besides a quick view to ensure the node is seeing network traffic, tcpdump without parameters usually creates too much output to be of much use; and because it is going to stdout, the output storage is limited to the terminal’s buffer. tcpdump, with the correct parameters, can turn screens of network traffic into useful chunks of data that can be analyzed and often lead to problem resolution.

-i Interface

To limit which packets tcpdump matches, the -i interface parameter can be used to tell tcpdump to examine packets from only a particular interface. For example, to examine only packets on eth1, use:

[root@lefty /root]# tcpdump -i eth1 
Kernel filter, protocol ALL, datagram packet socket 
tcpdump: listening on eth1 

Before examining tcpdump parameters and output, let’s dissect the basic line of a tcpdump output:

11:22:53.138977 < 192.168.1.101.1041 > 192.168.1.254.telnet: . 0:0(0) ack 288 win 
7479 (DF) 

The first field in the tcpdump output is the time stamp, with a sequence number appended after the seconds. Following the time stamp is a direction symbol that signifies the direction of the packet in relation to the Linux node where tcpdump is running: < signifies incoming and > outgoing. Next is the source address of the packet followed by its port number (1041). The > between the two addresses is the separator between source and destination. The destination address is followed by its port number (telnet here), then the TCP flags, sequence, and acknowledgment fields (. 0:0(0) ack 288 here), followed by the window size (win 7479). The (DF) signifies that the do not fragment bit is set, so routers between the source and destination should not fragment the IP datagram into smaller pieces during transmission.

-n

Like arp's -n parameter, tcpdump's -n tells it not to perform name resolution on the addresses it prints. Generally, -n should be used, because name resolution creates an additional load on the node and the network as tcpdump tries to resolve every IP address it is examining. Here is an example of using -i together with the -n parameter.

[root@lefty /root]# tcpdump -i eth0 -n 
Kernel filter, protocol ALL, datagram packet socket 
tcpdump: listening on eth0 
11:22:52.739123 < 192.168.1.101.1041 > 192.168.1.254.telnet: . 3768648:3768648(0) 
ack 2572562729 win 7766 (DF) 
11:22:52.739231 > 192.168.1.254.telnet > 192.168.1.101.1041: P 1:82(81) ack 0 win 
32120 (DF) 
11:22:52.939102 < 192.168.1.101.1041 > 192.168.1.254.telnet: . 0:0(0) ack 82 win 
7685 (DF) 
11:22:52.939142 > 192.168.1.254.telnet > 192.168.1.101.1041: P 82:288(206) ack 0 
win 32120 (DF) 
11:22:53.138977 < 192.168.1.101.1041 > 192.168.1.254.telnet: . 0:0(0) ack 288 win 
7479 (DF) 
11:22:53.139013 > 192.168.1.254.telnet > 192.168.1.101.1041: P 288:477(189) ack 0 
win 32120 (DF) 
6 packets received by filter 
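The line format dissected above, parsed in code: an added Python example, not from the book. It takes the six-packet telnet exchange just shown (constructed here with the wrapped lines rejoined) and sums payload bytes per direction; the regex and the function names are this example's own assumptions.

```python
import re

# Classic tcpdump TCP line: time, optional interface, direction arrow,
# src.port > dst.port: flags seq:seq(len) [ack N] [win W] [(DF)]
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?:(?P<iface>\w+)\s+)?"
    r"(?P<dir>[<>])\s+(?P<src>[\d.]+)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\w+):\s+(?P<flags>[.SFRPUW]+)\s+"
    r"(?P<seq_lo>\d+):(?P<seq_hi>\d+)\((?P<length>\d+)\)"
    r"(?:\s+ack\s*(?P<ack>\d+))?(?:\s+win\s*(?P<win>\d+))?"
    r"(?P<df>\s+\(DF\))?\s*$"
)

def parse_tcp_line(line):
    """Return the fields of one TCP summary line, or None if it is not one."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "time": d["ts"],
        "direction": "in" if d["dir"] == "<" else "out",  # < in, > out
        "src": d["src"], "sport": d["sport"],
        "dst": d["dst"], "dport": d["dport"],
        "flags": d["flags"],                 # "." means no flags set
        "length": int(d["length"]),          # payload bytes, the "(N)"
        "ack": int(d["ack"]) if d["ack"] else None,
        "win": int(d["win"]) if d["win"] else None,
        "df": d["df"] is not None,
    }

def payload_by_direction(lines):
    """Sum TCP payload bytes per direction; non-matching lines are skipped."""
    totals = {"in": 0, "out": 0}
    for line in lines:
        rec = parse_tcp_line(line)
        if rec:
            totals[rec["direction"]] += rec["length"]
    return totals

# Constructed sample: the six telnet packets from the -n output above.
SAMPLE = [
    "11:22:52.739123 < 192.168.1.101.1041 > 192.168.1.254.telnet: . 3768648:3768648(0) ack 2572562729 win 7766 (DF)",
    "11:22:52.739231 > 192.168.1.254.telnet > 192.168.1.101.1041: P 1:82(81) ack 0 win 32120 (DF)",
    "11:22:52.939102 < 192.168.1.101.1041 > 192.168.1.254.telnet: . 0:0(0) ack 82 win 7685 (DF)",
    "11:22:52.939142 > 192.168.1.254.telnet > 192.168.1.101.1041: P 82:288(206) ack 0 win 32120 (DF)",
    "11:22:53.138977 < 192.168.1.101.1041 > 192.168.1.254.telnet: . 0:0(0) ack 288 win 7479 (DF)",
    "11:22:53.139013 > 192.168.1.254.telnet > 192.168.1.101.1041: P 288:477(189) ack 0 win 32120 (DF)",
]

if __name__ == "__main__":
    print(payload_by_direction(SAMPLE))   # {'in': 0, 'out': 476}
```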

-q

-q, or quiet mode, tells tcpdump to print just the Layer 4 protocol (tcp, udp, or icmp) and the port number or name. Here is a tcp (telnet) example:

[root@lefty /root]# tcpdump -i eth0 -nq 
Kernel filter, protocol ALL, datagram packet socket 
tcpdump: listening on eth0 
11:26:39.114679 < 192.168.1.101.1041 > 192.168.1.254.telnet: tcp 0 (DF) 
11:26:39.114788 > 192.168.1.254.telnet > 192.168.1.101.1041: tcp 81 (DF) 
11:26:39.314634 < 192.168.1.101.1041 > 192.168.1.254.telnet: tcp 0 (DF) 
11:26:39.314674 > 192.168.1.254.telnet > 192.168.1.101.1041: tcp 147 (DF) 

4 packets received by filter 

And here is an ICMP (ping) example using the -q in addition to other parameters:

[root@lefty /root]# tcpdump -i eth0 -nq 
Kernel filter, protocol ALL, datagram packet socket 
tcpdump: listening on eth0 
11:27:59.459644 < 192.168.1.101 > 192.168.1.254: icmp: echo request 
11:27:59.459708 > 192.168.1.254 > 192.168.1.101: icmp: echo reply 

2 packets received by filter 

-t

The -t parameter instructs tcpdump to not print the timestamp on its output.

-x

The -x parameter will cause tcpdump to print the packets out in hexadecimal.

-w Filename

When tcpdump output needs to be saved, -w can be used to write it to a file in libpcap format, which saves space and puts the data in a format that many other network analyzers can read. The files created by tcpdump can grow quickly, so disk space should be monitored closely when saving to a file.

-r Filename

Files created with the -w option can be read back by tcpdump with -r, and further analysis can be performed on the saved packets. If the original capture was made with tcpdump -w and no filters, then tcpdump -r can apply filters to refine the output to exactly what is needed:

tcpdump -r savedfile -n host 192.168.1.101 
11:39:52.498409 eth0 < 192.168.1.101.1041 > 192.168.1.254.telnet: . 3768803:3768 
803(0) ack 2572567146 win 7781 (DF) 
11:39:52.498518 eth0 > 192.168.1.254.telnet > 192.168.1.101.1041: P 1:89(88) ack 0 
win 32120 (DF) 
11:39:52.698395 eth0 < 192.168.1.101.1041 > 192.168.1.254.telnet: . 0:0(0) ack 89 win 
7693 (DF) 

-v

The -v (for verbose) parameter tells tcpdump to print the time-to-live information as well as the type of service. Notice the difference between the output that follows, with the -v parameter, and the same command without -v in the -r example above:

[root@lefty /root]# tcpdump -r savedfile -n -v host 192.168.1.101 
11:39:52.498409 eth0 < 192.168.1.101.1041 > 192.168.1.254.telnet: . 3768803:3768 
803(0) ack 2572567146 win 7781 (DF) (ttl 128, id 37383) 
11:39:52.498518 eth0 > 192.168.1.254.telnet > 192.168.1.101.1041: P 1:89(88) ack 0 
win 32120 (DF) (ttl 64, id 21483) 
11:39:52.698395 eth0 < 192.168.1.101.1041 > 192.168.1.254.telnet: . 0:0(0) ack 89
win 7693 (DF) (ttl 128, id 37639) 

tcpdump Expressions

tcpdump uses the concept of expressions to define which packets to display. The expression follows any command-line parameters that are passed to tcpdump. An expression is made up of a qualifier followed by an ID.

The qualifier is either an IP type (host, network or port), the direction (source or destination), or protocol. This may seem very confusing, but a few examples will clarify tcpdump’s use tremendously. If you examine the last tcpdump output, you will notice that the tcpdump already made use of the expression host 192.168.1.101, which tells tcpdump to print all packets that have the address 192.168.1.101 in either the source or destination fields.

To tell tcpdump to only print packets from 192.168.1.254, the src qualifier is used:

tcpdump -n -v src 192.168.1.254 

Or to display only packets destined for 192.168.1.254:

tcpdump -n -v dst 192.168.1.254 

To limit the output not only to a destination of 192.168.1.101 but also to DNS traffic (UDP or TCP port 53), the following can be used:

tcpdump -n -v dst 192.168.1.101 and port 53 

tcpdump does not require the integer port number; it can also interpret the logical name for the service as assigned by the Internet Assigned Numbers Authority (http://www.isi.edu/in-notes/iana/assignments/port-numbers). Table 9.7 lists some common services. The file /etc/services on Linux (and UNIX) hosts also lists the ports and their logical names.

Table 9.7. Common Protocols, Ports, and Logical Names

Application         | Application Protocol                        | Layer 4 Protocol              | Port (Assigned Number)  | tcpdump Logical Port Name
Email               | Simple Mail Transport Protocol (SMTP)       | TCP                           | 25                      | smtp
Email               | Post Office Protocol version 3              | TCP                           | 110                     | pop-3
File Download       | File Transfer Protocol (ftp)                | UDP                           | 20 (data), 21 (command) | ftp-data (20), ftp (21)
Name Resolution     | Domain Name System                          | TCP/UDP                       | 53                      | domain
Name Resolution     | NetBIOS (Microsoft)                         | UDP, TCP                      | 137                     | netbios-ns
Network Management  | Simple Network Management Protocol (snmp)   | UDP                           | 161, 162 (traps)        | snmp, snmp-trap (162)
Network Time        | Network Time Protocol (ntp)                 | UDP, TCP (rarely implemented) | 123                     | ntp
Remote Access       | Telnet                                      | TCP                           | 23                      | telnet
Routing Protocol    | Border Gateway Protocol                     | UDP, TCP                      | 179                     | bgp
System Logging      | syslog                                      | UDP                           | 514                     | syslog
World Wide Web      | Hyper Text Transport Protocol (http)        | TCP, UDP (rarely implemented) | 80                      | www

This means the aforementioned:

tcpdump -n -v dst 192.168.1.101 and port 53 

can also be entered as

tcpdump -n -v dst 192.168.1.101 and port domain 

If this command is run while someone attempts to contact the web server at http://www.newriders.com/, the name resolution traffic for that site would be printed:

[root@lefty /root]# tcpdump -n -v dst 192.168.1.254 and port domain 
Kernel filter, protocol ALL, datagram packet socket 
tcpdump: listening on all devices 
10:36:31.504218 eth0 < 10.1.1.1.domain > 192.168.1.254.1026: 1552 2/12/12 
www.newriders.com. CNAME newriders.com., newriders.com. A 63.69.110.220 (465) (DF) 
(ttl 250, id 31400) 

In addition to the and modifier, tcpdump also supports the modifiers not and or. A very useful application of not is to suppress the packets generated by the remote access session to the Linux node itself. Assuming telnet, the following tcpdump will print all packets to and from the host except telnet:

tcpdump host 192.168.1.254 and not port 23 

Using and, or, and not and the common expressions shown in Table 9.8, it is possible to troubleshoot most network problems and to filter exactly what needs to be analyzed.

Table 9.8. tcpdump Expressions

dst host host
    tcpdump examines the destination address of the IP packet and determines if there is a match. host is the IP address or name of the node being monitored. If the name resolves to multiple IP addresses, tcpdump checks for each address.

src host host
    The source bits are examined to determine a match.

host host
    tcpdump examines both the source and destination bits.

ip | arp | rarp host host
    tcpdump determines if the packet is of type IP, ARP, or RARP and if the source or destination bits match host.

gateway host
    tcpdump examines the MAC address of the packets.

dst | src net net
    tcpdump examines the destination or source bits (depending on dst or src) and determines if the address is within the address range defined by net. net can be a network defined in /etc/networks, a network address such as 192.168.1.0, or a network with its mask in prefix notation: 192.168.1.0/24.

net net
    tcpdump determines if the source or destination falls within the address range defined by net.

[tcp | udp] dst port port
    Determines if the TCP or UDP destination port equals port. If tcp or udp is specified, the match also checks for that protocol. port can be an integer or a logical name (see Table 9.7).

[tcp | udp] src port port
    Determines if the TCP or UDP source port equals port. If tcp or udp is specified, the match also checks for that protocol.

[tcp | udp] port port
    Determines if either the TCP or UDP source or destination port equals port. If tcp or udp is included, the match also checks for that protocol.

ip broadcast
    Determines if the destination address is set to all 1s or zeroes. The netmask is used to determine the appropriate broadcast address.

tcpdump Example

As mentioned in the traceroute section, the traceroute command deserves closer examination, and tcpdump is the perfect tool to see the command in action. For this example assume three nodes: the source (192.168.1.254), the first router (10.1.1.254), and the final destination router (10.2.2.254).

For this example, we will use ICMP as opposed to UDP to send the traceroute to the destination router:

[root@lefty /root]# traceroute -In 10.2.2.254 

To capture the traffic, we turn off name resolution (to avoid creating further traffic) and turn on the verbose flag. Below is the tcpdump output captured while the traceroute ran, with the output lines numbered for easy reference.

[root@lefty /root]# tcpdump -nv 
1 11:56:57.885796 eth0 > 192.168.1.254 > 10.2.2.254: icmp: echo request [ttl 1] 
(id 34072) 
2 11:56:57.949353 eth0 < 10.1.1.254 > 192.168.1.254: icmp: time exceeded in-
transit (ttl 64, id 11798) 
3 11:56:57.949738 eth0 > 192.168.1.254 > 10.2.2.254: icmp: echo request [ttl 1] 
(id 34073) 
4 11:56:57.984039 eth0 < 10.1.1.254 > 192.168.1.254: icmp: time exceeded in-
transit (ttl 64, id 11804) 
5 11:56:57.984272 eth0 > 192.168.1.254 > 10.2.2.254: icmp: echo request [ttl 1] 
(id 34074) 
6 11:56:58.017169 eth0 < 10.1.1.254 > 192.168.1.254: icmp: time exceeded in-
transit (ttl 64, id 11810) 
7 11:56:58.017459 eth0 > 192.168.1.254 > 10.2.2.254: icmp: echo request (ttl 2, 
id 34075) 
8 11:56:58.043489 eth0 < 10.2.2.254 > 192.168.1.254: icmp: echo reply (ttl 254, 
id 34075) 
9 11:56:58.043740 eth0 > 192.168.1.254 > 10.2.2.254: icmp: echo request (ttl 2, 
id 34076) 
10 11:56:58.068649 eth0 < 10.2.2.254 > 192.168.1.254: icmp: echo reply (ttl 254, 
id 34076) 
11 11:56:58.068873 eth0 > 192.168.1.254 > 10.2.2.254: icmp: echo request (ttl 2, 
id 34077) 
12 11:56:58.094390 eth0 < 10.2.2.254 > 192.168.1.254: icmp: echo reply (ttl 254, 
id 34077) 
34 packets received by filter 

As can be seen in lines 1, 3, and 5, lefty (192.168.1.254) has sent out three echo requests with the ttl set to 1 to destination 10.2.2.254. The first router, 10.1.1.254, decrements the ttl to 0 and then sends back an ICMP time exceeded message for each of the echo requests, as seen in lines 2, 4, and 6. traceroute then increments the ttl to 2, which makes it to the destination, and the destination replies (lines 8, 10, and 12).
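The analysis just given, carried out in code: an added Python example, not from the book. It parses the twelve numbered lines above (constructed here with the wrapped lines rejoined and the line numbers dropped) and pairs each incoming ICMP message with the ttl of the echo request that preceded it, which is how the hop list is reconstructed from a capture; the regex and the function names are this example's own assumptions.

```python
import re

# Verbose ICMP line from the capture above: time, interface, direction,
# src > dst: icmp: message, then either "[ttl N]" or "(ttl N, id M)".
ICMP_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\w+\s+)?(?P<dir>[<>])\s+(?P<src>[\d.]+)\s+>\s+"
    r"(?P<dst>[\d.]+):\s+icmp:\s+(?P<msg>.+?)\s*(?:\[ttl\s+(?P<ttl_a>\d+)\])?"
    r"\s*\((?:ttl\s+(?P<ttl_b>\d+),\s+)?id\s+(?P<id>\d+)\)\s*$"
)

def trace_hops(lines):
    """Map each probe ttl to (responder, kind) by pairing every incoming
    ICMP message with the most recent outgoing echo request."""
    hops = {}
    current_ttl = None
    for line in lines:
        m = ICMP_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        if d["dir"] == ">" and d["msg"].startswith("echo request"):
            current_ttl = int(d["ttl_a"] or d["ttl_b"])   # ttl of this probe
        elif d["dir"] == "<" and current_ttl is not None:
            # time exceeded comes from an intermediate router; echo reply
            # means the probe reached the destination
            kind = "destination" if d["msg"].startswith("echo reply") else "router"
            hops.setdefault(current_ttl, (d["src"], kind))
    return hops

# Constructed sample: lines 1-12 of the capture above, wrapped lines rejoined.
CAPTURE = [
    "11:56:57.885796 eth0 > 192.168.1.254 > 10.2.2.254: icmp: echo request [ttl 1] (id 34072)",
    "11:56:57.949353 eth0 < 10.1.1.254 > 192.168.1.254: icmp: time exceeded in-transit (ttl 64, id 11798)",
    "11:56:57.949738 eth0 > 192.168.1.254 > 10.2.2.254: icmp: echo request [ttl 1] (id 34073)",
    "11:56:57.984039 eth0 < 10.1.1.254 > 192.168.1.254: icmp: time exceeded in-transit (ttl 64, id 11804)",
    "11:56:57.984272 eth0 > 192.168.1.254 > 10.2.2.254: icmp: echo request [ttl 1] (id 34074)",
    "11:56:58.017169 eth0 < 10.1.1.254 > 192.168.1.254: icmp: time exceeded in-transit (ttl 64, id 11810)",
    "11:56:58.017459 eth0 > 192.168.1.254 > 10.2.2.254: icmp: echo request (ttl 2, id 34075)",
    "11:56:58.043489 eth0 < 10.2.2.254 > 192.168.1.254: icmp: echo reply (ttl 254, id 34075)",
    "11:56:58.043740 eth0 > 192.168.1.254 > 10.2.2.254: icmp: echo request (ttl 2, id 34076)",
    "11:56:58.068649 eth0 < 10.2.2.254 > 192.168.1.254: icmp: echo reply (ttl 254, id 34076)",
    "11:56:58.068873 eth0 > 192.168.1.254 > 10.2.2.254: icmp: echo request (ttl 2, id 34077)",
    "11:56:58.094390 eth0 < 10.2.2.254 > 192.168.1.254: icmp: echo reply (ttl 254, id 34077)",
]

if __name__ == "__main__":
    for ttl, (node, kind) in sorted(trace_hops(CAPTURE).items()):
        print(ttl, node, kind)   # 1 10.1.1.254 router / 2 10.2.2.254 destination
```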
