C.5 Using tcpdump for Network Analysis

tcpdump is a high-performance tool for capturing and decoding the packet stream on a network interface. tcpdump -i interface logs every frame that reaches that interface. The traffic of an entire LAN can be captured only if the medium is shared (classic Ethernet over a hub, or token ring) and the network card supports promiscuous mode. In a switched LAN the switch forwards unicast frames only to the port of their destination, so tcpdump sees only frames addressed to the capturing host plus broadcast and multicast traffic, unless the switch mirrors a port to the capturing host or the host is placed in the traffic path.

Syntax

tcpdump [ -deflnNOpqStvx ] [ -c <counter> ] [ -F <file> ]
        [ -i <interface> ] [ -r <file> ] [ -s <length> ]
        [ -w <file> ] [ <expression> ]

If tcpdump is started without a filter, it outputs every packet received by the selected network device. This is normally a large number of packets, and the output quickly becomes unreadable. For this reason, a logical <expression> (a filter) can be given to restrict the logged packets to those of interest.

tcpdump is extremely useful for network analysis. On the other hand, an intruder can misuse it to eavesdrop on communication in a LAN: after logging the contents of connections, the intruder can easily filter out passwords transmitted in cleartext by Telnet or Rlogin sessions. For this reason, opening an interface for capture requires administrator privileges: on Linux, root or the CAP_NET_RAW capability. Current versions of tcpdump can drop to an unprivileged user after the capture device has been opened (option -Z user), which limits the damage a bug in the packet decoders can do.

Parameters

  • -c counter: tcpdump exits after counter packets have been received.

  • -d: The filter expression is compiled, the resulting packet-matching code is printed in human-readable form, and the program terminates. This is a convenient way to check what a filter actually matches before capturing.

  • -e: The MAC header is output explicitly for each packet (i.e., the MAC sender address, the MAC destination address, and the protocol type).

  • -f prints "foreign" (non-local) IPv4 addresses numerically rather than symbolically; only the addresses of local hosts are resolved.

  • -F file: The filter expression (see "Expressions" below) is read from file, and any expression on the command line is ignored.

  • -i interface specifies the network device on which packets are captured. Without this option, tcpdump selects the first configured, active interface from its internal list, excluding the loopback device. On Linux, -i any captures on all interfaces at once (this pseudo-device cannot be put into promiscuous mode).

  • -l makes standard output line-buffered, so that every line appears as soon as it is complete. Without this option, output to a pipe or file is block-buffered, so tcpdump ... | grep or | tee shows nothing until the buffer fills.

  • -n disables name resolution. IP addresses are not converted into DNS names, and port numbers are likewise not converted into service names.

  • -N omits the domain names in addresses (i.e., www instead of www.linuxnetzwerkarchitektur.de).

  • -O disables the internal optimization of the qualification expression.

  • -p means that tcpdump does not activate the promiscuous mode. However, a network device may be in this mode for other reasons, so there is no guarantee that the promiscuous mode is disabled.

  • -q outputs abbreviated messages and less protocol information.

  • -r file reads the packets to be analyzed from file instead of from an interface. The file must be in libpcap format, as written by tcpdump with the option -w (Wireshark writes the same format).

  • -s length sets the snapshot length: at most length bytes of each packet are captured and decoded. In the tcpdump versions this appendix describes, the default is 68 bytes, which covers the Ethernet, IP, ICMP, TCP, and UDP headers of packets without options; NFS and DNS packets are truncated, as is any header that lies deeper in the packet (for example the TCP header behind IP options or a tunnel header). -s 0 captures whole packets; current versions of tcpdump capture whole packets by default.

  • -S outputs absolute instead of relative TCP sequence numbers.

  • -t suppresses the timestamp output.

  • -tt outputs the timestamp unformatted, as seconds and microseconds since the Unix epoch. This is faster and easier for scripts to process, because the time does not have to be converted, but the readability of the output suffers.

  • -v enables more detailed outputs. For example, this option additionally outputs the TTL values and the TOS field values of IP packets.

  • -vv enables outputs that are even more detailed.

  • -w file writes the raw, undecoded packets to file (libpcap format) instead of printing them. They can later be analyzed with -r, with different filters if desired, or opened in Wireshark. This mode is recommended when the packet rate is high, since decoding and printing is what tcpdump has trouble keeping up with; it also preserves the original packets as evidence.

  • -x prints each packet (minus its link-layer header) in hexadecimal. The number of bytes printed is limited by the snapshot length (-s, default 68 in the versions described here). As always, a filter expression can be given to print only the packets that match it.

Expressions

Expressions consist of one or more primitives. A primitive, in turn, is built from one or more qualifiers and a value (a name or a number).

There are three kinds of qualifiers:

  • Type qualifiers say what kind of thing the value refers to. Three types are available: host, net, and port; host is assumed if no type is specified.

  • Direction qualifiers select the transfer direction of the packets to be analyzed: src, dst, src or dst, or src and dst. src refers to the source address (or port) of a packet and dst to its destination; the qualifiers do not mean "received by" or "sent by" the capturing host. src or dst is assumed if nothing is specified.

  • Protocol qualifiers restrict the match to a specific protocol. Some of the protocols that can be specified are ether, fddi, ip, arp, rarp, tcp, and udp (current versions also know ip6 and icmp, among others).

If several protocols should be analyzed, the corresponding primitives can be combined with or. If no protocol qualifier is given, all protocols consistent with the type are analyzed; port 80, for example, matches both TCP and UDP.

Examples

  • src tux: All packets from computer tux.

  • (src tux) and (ip or arp): All packets from tux, but only IP or ARP packets.

  • port 80: All TCP or UDP packets whose source or destination port is 80.

Note that keywords and arithmetic expressions can be used in addition to this syntax. Complex conditions are built by combining primitives with and, or, and not; the operators are lowercase (AND, OR, and NOT are not accepted), for example host tux and not port 80 and not port 21.

Other Conditions

  • less length: Only packets whose length is at most length bytes are considered (equivalent to len <= length).

  • greater length: Only packets whose length is at least length bytes are considered (equivalent to len >= length).

  • broadcast: The packet must be a broadcast message.

  • multicast: The packet must be a multicast message.

Arithmetic Conditions

  • expr relop expr: relop is one of >, <, >=, <=, =, and !=, and each expr is an arithmetic integer expression that may contain:

    • Integer constants and the binary operators known from the programming language C: +, -, *, /, &, and |.

    • The keyword len, which is replaced by the length of the packet.

    • The access operator, which reads data from within the packet.

Data in a packet is accessed as follows:

 proto [ offset : length ]

The [ and ] characters are part of the syntax here; they do not mark an optional part.

proto is one of the keywords ether, fddi, ip, arp, rarp, tcp, udp, or icmp and names the protocol whose header is addressed; offset counts from the start of that header, not from the start of the frame, so tcpdump adds the lengths of the enclosing headers itself. offset can be any valid arithmetic expression. length is optional and denotes the field size; possible values are 1 (byte), 2 (short integer), and 4 (long integer), with 1 as the default. The value is read in network byte order.

Examples

  • ether[0] & 1 != 0 matches all multicast (and broadcast) traffic: bit 0 of the first byte of the destination MAC address is the group bit.

  • ip[0] & 0xf != 5 matches all IP packets that carry options: the low nibble of the first IP header byte is the header length in 32-bit words, which is 5 for a header without options.
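The following is an added example (it is neither the book's code nor part of tcpdump) that makes the two filters above, and the snapshot-length caveat of the -s parameter, concrete in Python. It hand-builds four Ethernet/IPv4 frames (constructed sample data, not captured traffic), implements the proto[offset:length] access operator with the header-length arithmetic tcpdump performs for the ip and tcp keywords, evaluates ether[0] & 1 != 0, ip[0] & 0xf != 5 and the common SYN test tcp[13] & 2 != 0, and then writes the frames in the libpcap format that -w produces, once with the old 68-byte default and once with -s 0, to show a filter silently failing on a truncated packet. The MAC and IP addresses, the IP identification 0x1234, and the timestamps are arbitrary assumptions; the IP checksum is left at zero.

```python
"""Added example: constructed frames, the proto[offset:length] access
operator, and a libpcap writer/reader that honours a snaplen like -s."""
import os
import struct
import tempfile

# ---- constructed sample frames (hand-built, not captured traffic) ----
def ethernet(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload

def ipv4(src, dst, proto, payload, options=b""):
    """Minimal IPv4 header; IHL grows with options (4-byte units)."""
    assert len(options) % 4 == 0 and len(options) <= 40
    ihl = 5 + len(options) // 4
    total = 20 + len(options) + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total,
                      0x1234, 0, 64, proto, 0, src, dst)  # checksum left 0
    return hdr + options + payload

def tcp(sport, dport, flags, payload=b""):
    """20-byte TCP header; byte 13 carries the flags (0x02 = SYN)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                       5 << 4, flags, 8192, 0, 0) + payload

A, B = bytes([192, 168, 0, 1]), bytes([192, 168, 0, 2])        # assumed hosts
MAC_A, MAC_B = bytes.fromhex("0200c0a80001"), bytes.fromhex("0200c0a80002")
MAC_MCAST = bytes.fromhex("01005e000001")                      # group bit set

SYN = ethernet(MAC_B, MAC_A, 0x0800, ipv4(A, B, 6, tcp(40000, 80, 0x02)))
SYN_WITH_OPTIONS = ethernet(MAC_B, MAC_A, 0x0800,
                            ipv4(A, B, 6, tcp(40001, 80, 0x02), options=b"\x01" * 40))
MCAST_UDP = ethernet(MAC_MCAST, MAC_A, 0x0800,
                     ipv4(A, bytes([224, 0, 0, 1]), 17, b"\x00" * 8))
HTTP_DATA = ethernet(MAC_B, MAC_A, 0x0800,
                     ipv4(A, B, 6, tcp(40000, 80, 0x18, b"GET / HTTP/1.0\r\n\r\n")))

# ---- the proto[offset:length] access operator ----
def field(frame, proto, offset, length=1):
    """Return proto[offset:length] as an integer, or None when the frame is
    not of that protocol or the bytes lie beyond what was captured (BPF
    treats such a read as a non-match). Offsets count from the start of
    the named header: 14 bytes of Ethernet precede ip, IHL*4 more precede tcp."""
    if proto == "ether":
        base = 0
    else:
        if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
            return None                                   # not IPv4
        base = 14
        if proto == "tcp":
            if len(frame) < 24 or frame[23] != 6:         # IP protocol byte
                return None                               # not TCP
            base = 14 + (frame[14] & 0x0F) * 4
        elif proto != "ip":
            raise ValueError(f"unsupported protocol keyword {proto!r}")
    chunk = frame[base + offset: base + offset + length]
    return int.from_bytes(chunk, "big") if len(chunk) == length else None

def is_multicast(frame):        # ether[0] & 1 != 0
    v = field(frame, "ether", 0)
    return v is not None and v & 1 != 0

def has_ip_options(frame):      # ip[0] & 0xf != 5
    v = field(frame, "ip", 0)
    return v is not None and v & 0x0F != 5

def is_tcp_syn(frame):          # tcp[13] & 2 != 0
    v = field(frame, "tcp", 13)
    return v is not None and v & 0x02 != 0

# ---- libpcap file format, as written by tcpdump -w and read by -r ----
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1

def write_pcap(path, frames, snaplen=68):
    """snaplen 0 means 'whole packet' (tcpdump -s 0). Each record keeps the
    true length (orig_len) even when fewer bytes (incl_len) were stored."""
    limit = snaplen or 262144
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, limit, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            stored = frame[:limit]
            f.write(struct.pack("<IIII", 1_700_000_000 + i, 0, len(stored), len(frame)))
            f.write(stored)

def read_pcap(path):
    """Yield (orig_len, stored_bytes) per record; stored_bytes may be truncated."""
    with open(path, "rb") as f:
        assert struct.unpack("<I", f.read(4))[0] == PCAP_MAGIC, "not a little-endian pcap"
        f.read(20)                                        # rest of the global header
        while hdr := f.read(16):
            _, _, incl_len, orig_len = struct.unpack("<IIII", hdr)
            yield orig_len, f.read(incl_len)

def roundtrip(frames, snaplen):
    """Write frames with the given snaplen to a temporary file, read them back as
    tcpdump -r would, and report per record (orig_len, stored_len, syn?)."""
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        write_pcap(path, frames, snaplen)
        return [(orig, len(data), is_tcp_syn(data)) for orig, data in read_pcap(path)]
    finally:
        os.unlink(path)

if __name__ == "__main__":
    frames = [SYN, SYN_WITH_OPTIONS, MCAST_UDP, HTTP_DATA]
    print("snaplen 68:", roundtrip(frames, 68))
    print("snaplen 0: ", roundtrip(frames, 0))
```

A file produced by write_pcap can be checked against the real tool with tcpdump -nr file.pcap 'tcp[13] & 2 != 0' (tcpdump -v will report the zero IP checksum as bad). The SYN with 40 bytes of IP options is matched at -s 0 but not at -s 68: its flags byte sits at frame offset 87, beyond the 68 stored bytes, and a read past the captured data counts as a non-match rather than an error, which is exactly how a too-small snapshot length makes a capture silently incomplete.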

Primitives can be grouped with parentheses. Because parentheses, &, |, and ! are also shell metacharacters, the complete expression usually has to be enclosed in single quotes to prevent the shell from interpreting it. Grouped or single expressions can be negated and combined with logical AND or OR:

  • ! or not: Negation.

  • && or and: logical AND.

  • || or or: Logical OR.

If a value is given without a qualifier, the most recently specified qualifier is assumed. For example, not host A and B is the same as not host A and host B, which must not be confused with not ( host A or B ).

The output of tcpdump is very rich and can be understood only with detailed knowledge of the network protocols involved; a complete description of it would go far beyond this syntax summary.


       


    Linux Network Architecture
    ISBN: 131777203
    Year: 2004
    Pages: 187