Download tcpdump Tutorial Introduction and more Slides Operating Systems in PDF only on Docsity!
tcpdump Tutorial
EE122 Fall 2006
Dilip Antony Joseph, Vern Paxson, Sukun Kim
Introduction
• Popular network debugging tool
• Used to intercept and display packets
transmitted/received on a network
• Filters used to restrict analysis to packets
of interest
Example Dump
01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230- 7.dsl.pltn13.pacbell.net.2481:. 2513546054:2513547434(1380) ack 1268355216 win 12816 01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230- 7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816 01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230- 7.dsl.pltn13.pacbell.net.2481:. 2128:3508(1380) ack 1 win 12816 01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560
• Ran tcpdump on the machine
danjo.cs.berkeley.edu
• First few lines of the output:
01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481:. 2513546054:2513547434(1380) ack 1268355216 win 12816 Timestamp This is an IP packetSource host nameSource port number (22) Destination host name Destination port number TCP specific information
• Different output formats for different packet
types
What does a line convey?
Demo 2
1. Capture only udp packets
2. Capture only tcp packets
Demo 2 (contd.)
1. Capture only UDP packets with destination
port 53 (DNS requests)
- tcpdump “udp dst port 53”
2. Capture only UDP packets with source port 53
(DNS replies)
- tcpdump “udp src port 53”
3. Capture only UDP packets with source or
destination port 53 (DNS requests and replies)
Demo 2 (contd.)
1. Capture only packets destined to
quasar.cs.berkeley.edu
- tcpdump “dst host quasar.cs.berkeley.edu”
2. Capture both DNS packets and TCP
packets to/from quasar.cs.berkeley.edu
quasar.cs.berkeley.edu) or udp port 53”
How to write filters
• Refer cheat sheet slides at the end of this
presentation
• Refer the tcpdump man page
Assignment Requirements
• -w <dump_file_name> -s 0 options must
be used for the traces submitted as part of
the assignments
• Appropriately name each dump file you
submit and briefly describe what each
dump file contains/illustrates in the
README file associated with the
assignment submission
Security/Privacy Issues
- tcpdump allows you to monitor other people’s
traffic
- WARNING: Do NOT use tcpdump to violate
privacy or security
- Use filtering to restrict packet analysis to only
the traffic associated with your echo_client and
echo_server. The following is one way to ensure
that you see only traffic associated with your
client:
- tcpdump – s 0 – w all_pkts.trace
- tcpdump – s 0 – r all_pkts.trace “ – w my_pkts.trace “port 12345”
- where 12345 is the ephemeral port which your echo_client uses to talk to the echo_server.
Cheat Sheet – Commonly Used Options
- -n Don’t convert host addresses to names.
Avoids DNS lookups. It can save you time.
- -w Write the raw packets to the
specified file instead of parsing and printing
them out. Useful for saving a packet capture
session and running multiple filters against it
later
- -r Read packets from the specified
file instead of live capture. The file should have
been created with – w option
- -q Quiet output. Prints less information per
output line
Cheat Sheet – Commonly Used Options (contd.)
- -s 0 tcpdump usually does not analyze and store
the entire packet. This option ensures that the
entire packet is stored and analyzed. NOTE:
You must use this option while generating the
traces for your assignments.
- -A (or – X in some versions) Print each packet
in ASCII. Useful when capturing web pages.
NOTE: The contents of the packet before the
payload (for example, IP and TCP headers)
often contain unprintable ASCII characters which
will cause the initial part of each packet to look
like rubbish
Cheat Sheet – Writing Filters (2)
- Combining filters
- Example:
- All tcp packets which are not from or to host quasar.cs.berkeley.edu tcpdump “tcp and! host quasar.cs.berkeley.edu”
- Lots of examples in the EXAMPLES section of the man page
Appendix: IPsumdump on EECS
instructional accounts
- Download and untar the latest IPsumdump source distribution from http://www.cs.ucla.edu/~kohler/ipsumdump/
- Set the following PATH and LD_LIBRARY_PATH environment variables by using setenv or export (bash shell) - setenv PATH /usr/ccs/bin:$PATH - setenv LD_LIBRARY_PATH /usr/sww/lib
- Run ./configure followed by make. The executable is created in the src/ subdirectory
- Use ipsumdump to analyze trace files generated by tcpdump (using
- w option).
- For example: ipsumdump -r tracefile -s --payload prints the source and payload of the packets in tracefile in an easy-to-read format