Packet Capturing with TCPDUMP command in Linux

Transcription

1 Packet Capturing with TCPDUMP command in Linux In this tutorial we will be looking into a very well known tool in Linux system administrators tool box. Some times during troubleshooting this tool proves to be very helpful. With the help of this tool you can analyze the packet before it reaches the application stack. And some times detect why the server is not responding to a ping request, why an application is not responding to a certain machine etc etc. Its no tool other than TCPDUMP. Tcpdump is a very powerful tool because of its strength in capturing packets based on different parameters given. It operates on network layer, so will be able to capture all the packets in and out of the machine. You can use tcpdump to capture and save the packets to a file to analyse it later. TCPDUMP uses Libpcap(a c/c++ library that's used for packet capturing.) There are other tools out there which does the same job of packet capture/analyzing like wireshark, but tcpdump keeps all the captures raw. Which means its shows us the raw data it captures as it is. Things to understand before we go ahead.. tcpdump works in network layer. a network packet header consists of sender,destination,state information and other flag informations.. TCPDUMP only captures the first 96bytes of data from the packet by default. Most of the linux distributions these days comes preloaded with tcpdump tool. But you need to be root or sudo permissions to run the tool. Checking if TCPDUMP is already installed on the machine. [root@jboss ~]# rpm -qa grep tcpdump tcpdump gitdfcb..el6.x86_6 the above command searches the rpm database and greps for tcpdump package.

2 The advantage of using TCPDUMP over other packet analyzers is that you will need to understand a certain protocol in TCP in its detailed form. Otherwise deciphering the raw data captured by tcpdump is quite difficult without the understanding of TCP protocols. Hence using TCPDUMP in a way will keep yourself updated about how a certain protocol communicates over the wire. Lets have a look at some of the basic options available in TCPDUMP, and then will go into further options. -i option in tcpdump this option is used to specify the interface. Using this option we can tell tcpdump to capture packets that's coming towards a particular interface. For example [root@jboss ~]# tcpdump -i lo tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on lo, link-type EN0MB (Ethernet), capture size 6555 bytes Its clear from the above command that tcpdump is only listening on loopback interface for packets. And as mentioned before, the output clearly says that its capturing only 96bytes of the packet. [root@myvm ~]# tcpdump -i eth0 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN0MB (Ethernet), capture size 96 bytes the above command will dump all the packets thats destined towards eth0 interface. TCPDUMP output will be very fast, and will fill the screen if you got lot of connections. -n option in tcpdump

3 if you do not use tcpdump with -n option, all the sender and destination host address will be in "name" format, which means all ip's will be displayed with hostnames. Using -n option with tcpdump will disable name lookup. This will display all the output in sender and reciever's IP address format. -c option in tcpdump by using -c option you can specify the number of packets that needs to be captured. For example if you only want to capture packets you will do something as shown below. ~]# tcpdump -n -c -i eth0 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN0MB (Ethernet), capture size 6555 bytes :: IP ssh > : Flags [P.], seq 79:7958, ack , win 858, length 96 :: IP ssh > : Flags [P.], seq 96:76, ack, win 858, length 80 packets captured packets received by filter as shown in the above command and its result you can clearly see that we told tcpdump to only capture packets from eth0 interface using -c option. -s option in tcpdump ~]# tcpdump -s0 -n -c -i eth0 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN0MB (Ethernet), capture size 6555 bytes ::.97 IP ssh > :

4 Flags [P.], seq 80:800, ack , win 858, length 96 ::.5877 IP ssh > : Flags [P.], seq 96:76, ack, win 858, length 80 packets captured packets received by filter as mentioned earlier by default tcpdump only captures the firs 96bytes of a packet. But suppose you need to capture packets in its full size then you need to pass the size option -s with its argument. You can either use -s0 option to capture the whole packet or use number of bytes with -s argument. as you can see from the above output, its clearly mentioned that capture size is 6555 bytes instead of 96 bytes(the capture size is made bold in the output of the above command) -e option in tcpdump from all the above output we till now saw, the output only showed us information about the sender and receivers ip address. Suppose you want the mac address of the sender and reciever then you can include -e option. See our example output below. [root@jboss ~]# tcpdump -s0 -e -n -c -i eth0 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN0MB (Ethernet), capture size 6555 bytes :7: :0c:9:05:b:0a > 00:50:56:c0:00:08, ethertype IPv (0x0800), length 50: ssh > : Flags [P.], seq 806:858, ack , win 858, length 96 :7: :0c:9:05:b:0a > 00:50:56:c0:00:08, ethertype IPv (0x0800), length : ssh > : Flags [P.], seq 96:56, ack, win 858, length 60

5 packets captured packets received by filter from the above output shown you can see the MAC address in the output(mac addressess are made bold in the output) -vvv option for more verbose output in tcpdump If you want your tcpdumpt output to show you more verbose information like, show all the flags, and headers in tcp we can use verbose options. -v for little more packet information,-vv for further more, and -vvv option for even more information. An example output is shown below ~]# tcpdump -s0 -vvv -e -n -c -i eth0 tcpdump: listening on eth0, link-type EN0MB (Ethernet), capture size 6555 bytes :57: :0c:9:05:b:0a > 00:50:56:c0:00:08, ethertype IPv (0x0800), length 86: (tos 0x0, ttl 6, id 576, offset 0, flags [DF], proto TCP (6), length 7) ssh > : Flags [P.], cksum 0x8 (correct), seq 850:858, ack , win 858, length :57: :0c:9:05:b:0a > 00:50:56:c0:00:08, ethertype IPv (0x0800), length 0: (tos 0x0, ttl 6, id 577, offset 0, flags [DF], proto TCP (6), length 96) ssh > : Flags [P.], cksum 0x8f6a (correct), seq :88, ack, win 858, length 56 packets captured packets received by filter 5

6 -S option in tcpdump this option in tcpdump can be used for showing absolute sequence numbers. Now what is sequence number? Sequence number is used in TCP, to identify the number of packets send or recieved. Whenever a machine initiates a TCP connection it informs the other side about its sequence number during the three way handshake. With the help of the sequence number's the receiver and the sender comes to know how much data has been transferred. TCPDUMP even show these sequence numbers. Using -S option will shown the abosolute tcp sequence numbers rather than relative with previous packets. -w option used in tcpdump using this -w option we can capture the output and save all the output to a specified file. This file can be later analyzed with the help of tools like editcap. using.pcap extention to the filename is advisable as this makes it readable by other packet analyzers. 5 [root@myvm ~]# tcpdump -w sampletcpdump.pcap -s0 -vvv -e -n -c -i eth0 tcpdump: listening on eth0, link-type EN0MB (Ethernet), capture size 6555 bytes packets captured 5 packets received by filter Dont read the file by opening it thorugh cat or vim...because you will not be able to read it. -r option used in tcpdump in order to read the file we just captured we need to use -r option with tcpdump command and passing filename as the argument to the command. [root@myvm ~]# tcpdump -r sampletcpdump.pcap reading from file sampletcpdump.pcap, link-type EN0MB (Ethernet) 0:0: IP > m-sv-xbox.599: P 59606:5960(6) ack 6789 win 670 0:0:0.77 IP myvm.599 > :. ack 6 win 6 6

7 Display packets for a particular port using TCPDUMP Till now in all above shown example we got all the packets towards all ports and were from random protocols, whatever the tool got during the capture, it showed those things. Now in case if you want to capture the packets thats coming towards port of one server. [root@myvm ~]# tcpdump -s0 -vvv -e -n -c -i eth0 port tcpdump: listening on eth0, link-type EN0MB (Ethernet), capture size 6555 bytes 0:09: ::7:c:97:00 > 00:5:7:8:0c:9c, ethertype IPv (0x0800), length 8: (tos 0x0, ttl 59, id 586, offset 0, flags [DF], proto: TCP (6), length: ) ssh > : P, cksum 0xacee (correct), 07807:0789(7) ack win 8 <nop,nop,timestamp > 0:09: :5:7:8:0c:9c > 00::7:c:97:00, ethertype IPv (0x0800), length 66: (tos 0x0, ttl 6, id 666, offset 0, flags [DF], proto: TCP (6), length: 5) > ssh:., cksum 0x9c9 (correct), :(0) ack 7 win 50 <nop,nop,timestamp > packets captured packets received by filter you can clearly see from the above output that all the packets captured with the port option are for ssh. Ignoring Packets with TCPDUMP If you want to ignore the packets coming towards port 80 and show all rest of the packets then you can do that by using the same port option but in a different way. Lets look at an example to do that with tcpdump [root@myvm ~]# tcpdump -i eth0 -n -c 5 'port!80' tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN0MB (Ethernet), capture size 96 bytes 0::0.85 arp who-has (Broadcast) tell :: IP > :. 9768:98(580) ack win 7 0:: IP > :. ack 90 win 79 0:: IP > :. 580:8760(90) ack win 7 0:: IP > :. ack 580 win 7

8 packets captured 6 packets received by filter By doing the above thing your will screen will be dumped with all the traffic other than the traffic towards port 80. show packets towards a particular host Suppose you are trouble shooting something and only interested in knowing the traffic towards or from a particular host. In that case you can ask tcpdump to only show packets for that host, by the following command. [root@slashroot ~]# tcpdump -i eth0 -c 5 host host option can be used to do that. Always using -c option for specifying no of packets to capture is a good idea, other wise your screen will be dumped with all packets captured. Show packets from source with tcpdump Now you can even go further by only asking to show packets with a particular source address. This can be done by the following command. [root@slashroot ~]# tcpdump -i eth0 -c 5 src host So you just need to put "src" option along with the host option for doing that as shown above. Similarly you can do for destination as shown below. [root@slashroot ~]# tcpdump -i eth0 -c 5 dst host Filtering protocols using tcpdump command You can easily get information about packets of a certain protocol with the help of tcpdump. Without filtering tcpdump output with relevant options and arguments, the packets of interest can get lost in the huge amount of output dumped by tcpdump. 8

9 Lets see how can we look at the packets with certain protocols in it. Doing that is quite simple, you need to just pass the protocol name as argument after the command. ~]# tcpdump -i eth0 icmp OR ~]# tcpdump -i eth0 tcp OR ~]# tcpdump -i eth0 udp OR ~]# tcpdump -i eth0 arp 9