Scribd Logo
Upload

Welcome to Scribd!

  • Dilip Antony Joseph, Vern Paxson, Sukun Kim: Tcpdump (Options) (Filter Expression)

    Uploaded by

    Farooq Shaikh
    40 views4 pages
    This document provides an introduction to tcpdump, a popular network debugging tool used to intercept and display packets transmitted and received on a network. It demonstrates how to run basic tcpdump commands to capture packets and how to use filters to restrict the analysis to packets of interest. It also discusses writing filters, other related packet analysis tools, and some privacy and assignment requirements for using tcpdump.

    Original Description:

    Original Title

    tcpdump-6up

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document provides an introduction to tcpdump, a popular network debugging tool used to intercept and display packets transmitted and received on a network. It demonstrates how to run basic tcpdump commands to capture packets and how to use filters to restrict the analysis to packets of interest. It also discusses writing filters, other related packet analysis tools, and some privacy and assignment requirements for using tcpdump.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    40 views4 pages

    Dilip Antony Joseph, Vern Paxson, Sukun Kim: Tcpdump (Options) (Filter Expression)

    Uploaded by

    Farooq Shaikh
    This document provides an introduction to tcpdump, a popular network debugging tool used to intercept and display packets transmitted and received on a network. It demonstrates how to run basic tcpdump commands to capture packets and how to use filters to restrict the analysis to packets of interest. It also discusses writing filters, other related packet analysis tools, and some privacy and assignment requirements for using tcpdump.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 4

    Introduction

    • Popular network debugging tool


    • Used to intercept and display packets
    tcpdump Tutorial transmitted/received on a network
    • Filters used to restrict analysis to packets
    EE122 Fall 2006 of interest

    Dilip Antony Joseph, Vern Paxson, Sukun Kim

    Example Dump What does a line convey?


    • Ran tcpdump on the machine
    danjo.cs.berkeley.edu Timestamp This Source
    is an IPhost
    packet
    name
    Source port number (22)

    • First few lines of the output:


    01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh >
    adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: .
    01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230- 2513546054:2513547434(1380) ack 1268355216 win 12816
    7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack
    1268355216 win 12816
    01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-
    7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816 Destination port number
    Destination host name
    01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-
    7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816 TCP specific information
    01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 >
    danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560
    • Different output formats for different packet
    types

    Demo 1 – Basic Run Filters


    • Syntax: • We are often not interested in all packets
    tcpdump [options] [filter expression] flowing through the network
    • Run the following command on the • Use filters to capture only packets of
    machine c199.eecs.berkeley.edu: interest to us
    tcpdump
    • Observe the output

    1
    Demo 2 Demo 2 (contd.)
    1. Capture only udp packets 1. Capture only UDP packets with destination
    port 53 (DNS requests)
    • tcpdump “udp”
    • tcpdump “udp dst port 53”
    2. Capture only tcp packets 2. Capture only UDP packets with source port 53
    • tcpdump “tcp” (DNS replies)
    • tcpdump “udp src port 53”
    3. Capture only UDP packets with source or
    destination port 53 (DNS requests and replies)
    • tcpdump “udp port 53”

    Demo 2 (contd.) How to write filters


    1. Capture only packets destined to • Refer cheat sheet slides at the end of this
    quasar.cs.berkeley.edu presentation
    • tcpdump “dst host quasar.cs.berkeley.edu” • Refer the tcpdump man page
    2. Capture both DNS packets and TCP
    packets to/from quasar.cs.berkeley.edu
    • tcpdump “(tcp and host
    quasar.cs.berkeley.edu) or udp port 53”

    Running tcpdump Other tools


    • Requires superuser/administrator privileges • Ethereal
    – Easy to use graphical interface
    • EECS instructional accounts – http://www.ethereal.com
    – You have pseudo superuser privileges – Will not currently work on EECS instructional
    – Simply run the command tcpdump accounts. Use on personal desktops/laptops
    – tcpdump will work only on the Solaris 10 machines listed at • IPsumdump
    http://inst.eecs.berkeley.edu/cgi-bin/clients.cgi?string=quasar
    – Summarize tcpdump output into human/machine
    readable form
    • Non EECS instructional accounts
    – http://www.cs.ucla.edu/~kohler/ipsumdump/
    – tcpdump works on many different operating systems
    – Download the version for your personal desktop/laptop from – For instructions to use IPsumdump on EECS
    • http://www.tcpdump.org instructional accounts, see slide “Appendix:
    • http://www.winpcap.org/windump/ IPsumdump on EECS instructional accounts”

    2
    Assignment Requirements Security/Privacy Issues
    • -w <dump_file_name> -s 0 options must • tcpdump allows you to monitor other people’s
    traffic
    be used for the traces submitted as part of • WARNING: Do NOT use tcpdump to violate
    the assignments privacy or security
    • Use filtering to restrict packet analysis to only
    the traffic associated with your echo_client and
    • Appropriately name each dump file you echo_server. The following is one way to ensure
    submit and briefly describe what each that you see only traffic associated with your
    dump file contains/illustrates in the client:
    – tcpdump –s 0 –w all_pkts.trace
    README file associated with the – tcpdump –s 0 –r all_pkts.trace “ –w my_pkts.trace
    assignment submission “port 12345”
    – where 12345 is the ephemeral port which your
    echo_client uses to talk to the echo_server.

    Cheat Sheet – Commonly Used Cheat Sheet – Commonly Used


    Options Options (contd.)
    • -n Don’t convert host addresses to names. • -s 0 tcpdump usually does not analyze and store
    Avoids DNS lookups. It can save you time. the entire packet. This option ensures that the
    • -w <filename> Write the raw packets to the entire packet is stored and analyzed. NOTE:
    specified file instead of parsing and printing You must use this option while generating the
    them out. Useful for saving a packet capture traces for your assignments.
    session and running multiple filters against it • -A (or –X in some versions) Print each packet
    later in ASCII. Useful when capturing web pages.
    • -r <filename> Read packets from the specified NOTE: The contents of the packet before the
    file instead of live capture. The file should have payload (for example, IP and TCP headers)
    been created with –w option often contain unprintable ASCII characters which
    • -q Quiet output. Prints less information per will cause the initial part of each packet to look
    output line like rubbish

    Cheat Sheet – Writing Filters (1) Cheat Sheet – Writing Filters (2)
    • Specifying the hosts we are interested in • Specifying ICMP packets
    – “dst host <name/IP>” – “icmp”
    – “src host <name/IP>”
    – “host <name/IP>” (either source or destination is
    • Specifying UDP packets
    name/IP) – “udp”
    • Specifying the ports we are interested in • Specifying TCP packets
    – “dst port <number>” – “tcp”
    – “src port <number>”
    – “port <number>”
    – Makes sense only for TCP and UDP packets

    3
    Appendix: IPsumdump on EECS
    Cheat Sheet – Writing Filters (2)
    instructional accounts
    • Download and untar the latest IPsumdump source distribution from
    • Combining filters http://www.cs.ucla.edu/~kohler/ipsumdump/
    – and (&&)
    • Set the following PATH and LD_LIBRARY_PATH environment
    – or (||) variables by using setenv or export (bash shell)
    – not (!) – setenv PATH /usr/ccs/bin:$PATH
    – setenv LD_LIBRARY_PATH /usr/sww/lib
    • Example:
    • Run ./configure followed by make. The executable is created in the
    – All tcp packets which are not from or to host src/ subdirectory
    quasar.cs.berkeley.edu
    • Use ipsumdump to analyze trace files generated by tcpdump (using
    tcpdump “tcp and ! host quasar.cs.berkeley.edu” –w option).
    – Lots of examples in the EXAMPLES section of the – For example: ipsumdump -r tracefile -s --payload prints the source and
    payload of the packets in tracefile in an easy-to-read format
    man page

    You might also like