About TCPdump (English)
TCPdump is a powerful command-line packet sniffer built on the libpcap capture library. It needs root privileges to capture, and everything it shows below (including clear-text passwords) is visible to anyone else who can sniff the same network segment.
1. Installing TCPdump
- To install TCPdump :
#apt-get install tcpdump
- To see the TCPdump dependencies:
#apt-cache depends tcpdump
tcpdump
Depends: libc6
Depends: libpcap0.8
Depends: libssl0.9.8
- To see the installed TCPdump version:
# apt-cache policy tcpdump
tcpdump:
Installed: 3.9.5-2etch1
Candidate: 3.9.5-2etch1
Version Table:
*** 3.9.5-2etch1 0
500 http://kambing.vlsm.org stable/main Packages
500 http://security.debian.org stable/updates/main Packages
100 /var/lib/dpkg/status
2. Using TCPdump
- Standard TCPdump output (with no options it captures on the first non-loopback interface, here eth1, and prints one line per packet):
#tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
15:49:57.950569 IP 116.212.100.13.ssh > 202.159.3.222.1766: P 705743480:705743596(116) ack 1737657567 win 20368
15:49:57.953868 arp who-has ns1.wave.net.id tell 116.212.100.13
15:49:57.953960 arp reply ns1.wave.net.id is-at 00:1b:11:e8:98:ba (oui Unknown)
15:49:57.953977 IP 116.212.100.13.1035 > ns1.wave.net.id.domain: 24955+ PTR? 222.3.159.202.in-addr.arpa. (44)
15:49:58.027214 IP ns1.wave.net.id.domain > 116.212.100.13.1035: 24955 NXDomain 0/1/0 (107)
15:49:58.027798 IP 116.212.100.13.1035 > ns1.wave.net.id.domain: 37723+ PTR? 13.100.212.116.in-addr.arpa. (45)
15:49:58.028068 IP ns1.wave.net.id.domain > 116.212.100.13.1035: 37723 NXDomain* 0/1/0 (105)
15:49:58.028765 IP 116.212.100.13.1035 > ns1.wave.net.id.domain: 28052+ PTR? 10.100.212.116.in-addr.arpa. (45)
15:49:58.029058 IP ns1.wave.net.id.domain > 116.212.100.13.1035: 28052* 1/2/2 (138)
15:49:58.096475 IP 202.159.3.222.1766 > 116.212.100.13.ssh: . ack 0 win 64623
15:49:58.096558 IP 116.212.100.13.ssh > 202.159.3.222.1766: P 116:1548(1432) ack 1 win 20368
15:49:58.096806 IP 116.212.100.13.ssh > 202.159.3.222.1766: P 1548:1760(212) ack 1 win 20368
15:49:58.161419 IP 202.159.3.222.1766 > 116.212.100.13.ssh: P 1:53(52) ack 0 win 64623
- Network interfaces available for the capture:
#tcpdump -D
1.eth1
2.any (Pseudo-device that captures on all interfaces)
3.lo
- To display numerical addresses rather than symbolic (DNS) addresses. Without -n, TCPdump resolves every address it prints, which is why the capture above contains PTR queries sent by the capturing host itself (116.212.100.13) to ns1.wave.net.id. Those lookups slow the display, add noise to the capture and reveal to the DNS server which hosts you are watching, so -n is the usual choice:
#tcpdump -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
15:52:35.038923 IP 116.212.100.13.22 > 202.159.3.222.1766: P 705747000:705747116(116) ack 1737658607 win 20368
15:52:35.135921 IP 202.159.3.222.1766 > 116.212.100.13.22: . ack 0 win 65275
15:52:35.136008 IP 116.212.100.13.22 > 202.159.3.222.1766: P 116:396(280) ack 1 win 20368
15:52:35.136301 IP 116.212.100.13.22 > 202.159.3.222.1766: P 396:512(116) ack 1 win 20368
15:52:35.202463 IP 202.159.3.222.1766 > 116.212.100.13.22: P 1:53(52) ack 116 win 65159
15:52:35.202528 IP 116.212.100.13.22 > 202.159.3.222.1766: P 512:776(264) ack 53 win 20368
- To display quick output (less protocol detail per line, e.g. "tcp 116" instead of sequence numbers and flags):
#tcpdump -q
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
15:53:26.152224 IP 116.212.100.13.ssh > 202.159.3.222.1766: tcp 116
15:53:26.161792 IP 116.212.100.13.ssh > 202.159.3.222.1766: tcp 116
15:53:26.160278 arp who-has ns1.wave.net.id tell 116.212.100.13
15:53:26.160374 arp reply ns1.wave.net.id is-at 00:1b:11:e8:98:ba (oui Unknown)
15:53:26.160395 IP 116.212.100.13.1035 > ns1.wave.net.id.domain: UDP, length 44
15:53:26.160624 IP ns1.wave.net.id.domain > 116.212.100.13.1035: UDP, length 107
15:53:26.161187 IP 116.212.100.13.1035 > ns1.wave.net.id.domain: UDP, length 45
15:53:26.161413 IP ns1.wave.net.id.domain > 116.212.100.13.1035: UDP, length 105
15:53:26.162190 IP 116.212.100.13.1035 > ns1.wave.net.id.domain: UDP, length 45
15:53:26.162450 IP ns1.wave.net.id.domain > 116.212.100.13.1035: UDP, length 138
15:53:26.211335 IP 202.159.3.222.1766 > 116.212.100.13.ssh: tcp 0
15:53:26.211407 IP 116.212.100.13.ssh > 202.159.3.222.1766: tcp 1272
- To capture on a particular interface (the names are those listed by -D):
#tcpdump -i eth0
- To capture only UDP traffic:
#tcpdump udp
- To capture port 80 traffic. Note that "port http" matches TCP and UDP port 80 in either direction; to restrict the match to TCP, use "tcp port 80":
#tcpdump port http
- To use a filter expression stored in a file instead of giving it on the command line (useful for long filters):
#tcpdump -F file_name
The file simply contains the filter expression, here matching port 80:
#vim file_name
port 80
- To stop the capture after 20 packets:
#tcpdump -c 20
- To write the captured packets to a file instead of displaying them. The file is in binary pcap format (not readable text, despite the .log extension used here) and can be opened later with tcpdump -r or with other pcap tools:
#tcpdump -w capture.log
- To read a capture file, optionally applying a filter expression to the saved packets:
#tcpdump -r capture.log
reading from file capture.log, link-type EN10MB (Ethernet)
16:06:10.607444 IP 116.212.100.13.ssh > 202.159.3.222.1766: P 705756112:705756164(52) ack 1737661227 win 22512
16:06:10.607463 IP 116.212.100.13.ssh > 202.159.3.222.1766: P 52:168(116) ack 1 win 22512
16:06:10.704568 IP 202.159.3.222.1766 > 116.212.100.13.ssh: . ack 168 win 64431
16:06:12.450891 802.1d config 8000.00:1e:be:4f:93:08.8004 root 8000.00:1e:be:4f:93:08 pathcost 0 age 0 max 20 hello 2 fdelay 15
16:06:12.630703 IP 202.159.3.222.1766 > 116.212.100.13.ssh: P 1:53(52) ack 168 win 64431
- To display the packets having “www.zulfanruri.com” as their source or destination address:
#tcpdump host www.zulfanruri.com
- To display the FTP control-connection packets (port 21, which the filter keyword "ftp" resolves to) going from 192.168.1.100 to 192.168.1.2:
#tcpdump src 192.168.1.100 and dst 192.168.1.2 and port ftp
- To display the packet contents in ASCII (non-printable bytes are shown as dots). With the default capture size of 96 bytes seen in the banners above, only the first bytes of each packet are kept, so add -s 0 to capture whole packets when you need the full payload:
#tcpdump -A
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ath0, link-type EN10MB (Ethernet), capture size 96 bytes
20:53:24.872785 IP local.40205 > 192.168.1.2.ftp: S 4155598838:4155598838(0) win 5840
....g..................
............
20:53:24.879473 IP local.40205 > 192.168.1.2.ftp: . ack 1228937421 win 183
....g.I@.............
........
20:53:24.881654 IP local.40205 > 192.168.1.2.ftp: . ack 43 win 183
....g.I@.......8.....
......EN
20:53:26.402046 IP local.40205 > 192.168.1.2.ftp: P 0:10(10) ack 43 win 183
....g.I@......`$.....
...=..ENUSER teddybear
20:53:26.403802 IP local.40205 > 192.168.1.2.ftp: . ack 76 win 183
....h.I@.............
...>..E^
20:53:29.169036 IP local.40205 > 192.168.1.2.ftp: P 10:25(15) ack 76 win 183
....h.I@......#c.....
......E^PASS wakeup
20:53:29.171553 IP local.40205 > 192.168.1.2.ftp: . ack 96 win 183
....h.I@.,...........
......Ez
20:53:29.171649 IP local.40205 > 192.168.1.2.ftp: P 25:31(6) ack 96 win 183
....h.I@.,...........
......EzSYST
20:53:29.211607 IP local.40205 > 192.168.1.2.ftp: . ack 115 win 183
....h.I@.?.....j.....
......Ez
20:53:31.367619 IP local.40205 > 192.168.1.2.ftp: P 31:37(6) ack 115 win 183
....h.I@.?...........
......EzQUIT
20:53:31.369316 IP local.40205 > 192.168.1.2.ftp: . ack 155 win 183
....h.I@.g...........
......E.
20:53:31.369759 IP local.40205 > 192.168.1.2.ftp: F 37:37(0) ack 156 win 183
....h.I@.h.....e.....
......E.
Packets captured during an FTP session. FTP sends its credentials in clear text, so anyone able to sniff the path between client and server reads them as easily as this: the capture shows the username (teddybear) in the USER command and the password (wakeup) in the PASS command. The same applies to any unencrypted protocol (telnet, HTTP basic auth, POP3); the fix is to use an encrypted alternative such as SFTP or FTP over TLS, not to hope nobody is running tcpdump.
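As an added example (not part of the original page or of tcpdump itself), the following Python script reproduces in code what the steps above do with tcpdump: it writes a small capture in the pcap format that `tcpdump -w` produces, reads it back the way `tcpdump -r` does, applies the equivalent of the filter `src 192.168.1.100 and dst 192.168.1.2 and port ftp`, and pulls the clear-text USER/PASS out of the FTP control channel. The packets, MAC addresses and credentials are constructed to match the examples on this page; it assumes little-endian pcap as libpcap writes it on x86, uses only the standard library, and leaves IP/TCP checksums at zero because nothing here verifies them.

```python
import socket
import struct

# Constructed example, not tcpdump's code: pcap writer/reader, a filter equivalent
# to `src A and dst B and port ftp`, and clear-text FTP credential extraction.
FTP_PORT = 21
PCAP_MAGIC = 0xA1B2C3D4   # little-endian pcap magic as written by libpcap on x86
LINKTYPE_ETHERNET = 1     # "link-type EN10MB (Ethernet)" in tcpdump's banner


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet + IPv4 + TCP frame (constructed; checksums left zero, nothing here verifies them)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 183, 0, 0)  # PSH|ACK, win 183
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def write_pcap(frames):
    """Serialise frames as a pcap byte string (what `tcpdump -w` writes: global header + records)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (timestamp, frame) records, as `tcpdump -r` iterates over a capture file."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode(frame):
    """Decode Ethernet/IPv4/TCP headers; return None for anything that is not TCP over IPv4 over Ethernet."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp_off = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "payload": frame[tcp_off + data_off:]}


def matches(pkt, src=None, dst=None, port=None):
    """Equivalent of the tcpdump filter `src SRC and dst DST and port PORT` (omitted terms match anything)."""
    if src is not None and pkt["src"] != src:
        return False
    if dst is not None and pkt["dst"] != dst:
        return False
    if port is not None and port not in (pkt["sport"], pkt["dport"]):
        return False
    return True


def extract_ftp_credentials(pcap_bytes, client_ip, server_ip):
    """Return (user, password) pairs the client sent in clear text on the FTP control channel."""
    user, creds = None, []
    for _ts, frame in read_pcap(pcap_bytes):
        pkt = decode(frame)
        if pkt is None or not matches(pkt, src=client_ip, dst=server_ip, port=FTP_PORT):
            continue
        for line in pkt["payload"].decode("ascii", "replace").splitlines():
            verb, _, arg = line.partition(" ")
            if verb.upper() == "USER":
                user = arg
            elif verb.upper() == "PASS" and user is not None:
                creds.append((user, arg))
                user = None
    return creds


# Constructed session: client 192.168.1.100 logs in to FTP server 192.168.1.2; the
# HTTP packet to 10.0.0.5 is there to show the filter discarding unrelated traffic.
SAMPLE_PCAP = write_pcap([
    build_frame("192.168.1.100", "192.168.1.2", 40205, FTP_PORT, b"USER teddybear\r\n"),
    build_frame("192.168.1.2", "192.168.1.100", FTP_PORT, 40205, b"331 Password required\r\n"),
    build_frame("192.168.1.100", "192.168.1.2", 40205, FTP_PORT, b"PASS wakeup\r\n"),
    build_frame("192.168.1.100", "10.0.0.5", 40206, 80, b"GET / HTTP/1.0\r\n\r\n"),
    build_frame("192.168.1.100", "192.168.1.2", 40205, FTP_PORT, b"SYST\r\n"),
])

if __name__ == "__main__":
    for user, password in extract_ftp_credentials(SAMPLE_PCAP, "192.168.1.100", "192.168.1.2"):
        print(f"clear-text FTP login: user={user} password={password}")
```

The filter is applied after decoding, which is what `tcpdump -r file 'src ... and dst ... and port ftp'` effectively does on a saved capture; in a live capture tcpdump compiles the same expression to a BPF program that runs in the kernel before packets are copied to userspace. To run this against a real file written with `tcpdump -w`, replace SAMPLE_PCAP with the file's bytes (and use `-s 0` when capturing, or the payloads will be truncated at the 96-byte default seen above).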