Introduction

• Popular network debugging tool

• Used to intercept and display packets
tcpdump Tutorial transmitted/received on a network
• Filters used to restrict analysis to packets
EE122 Fall 2006 of interest

Dilip Antony Joseph, Vern Paxson, Sukun Kim

Example Dump What does a line convey?

• Ran tcpdump on the machine
danjo.cs.berkeley.edu Timestamp This Source
is an IPhost
packet
name
Source port number (22)

• First few lines of the output:

01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh >
adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: .
01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230- 2513546054:2513547434(1380) ack 1268355216 win 12816
7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack
1268355216 win 12816
01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-
7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816 Destination port number
Destination host name
01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-
7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816 TCP specific information
01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 >
danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560
• Different output formats for different packet
types

Demo 1 – Basic Run Filters

• Syntax: • We are often not interested in all packets
tcpdump [options] [filter expression] flowing through the network
• Run the following command on the • Use filters to capture only packets of
machine c199.eecs.berkeley.edu: interest to us
tcpdump
• Observe the output

1
 Demo 2 Demo 2 (contd.)
1. Capture only udp packets 1. Capture only UDP packets with destination
port 53 (DNS requests)
• tcpdump “udp”
• tcpdump “udp dst port 53”
2. Capture only tcp packets 2. Capture only UDP packets with source port 53
• tcpdump “tcp” (DNS replies)
• tcpdump “udp src port 53”
3. Capture only UDP packets with source or
destination port 53 (DNS requests and replies)
• tcpdump “udp port 53”

Demo 2 (contd.) How to write filters

1. Capture only packets destined to • Refer cheat sheet slides at the end of this
quasar.cs.berkeley.edu presentation
• tcpdump “dst host quasar.cs.berkeley.edu” • Refer the tcpdump man page
2. Capture both DNS packets and TCP
packets to/from quasar.cs.berkeley.edu
• tcpdump “(tcp and host
quasar.cs.berkeley.edu) or udp port 53”

Running tcpdump Other tools

• Requires superuser/administrator privileges • Ethereal
– Easy to use graphical interface
• EECS instructional accounts – http://www.ethereal.com
– You have pseudo superuser privileges – Will not currently work on EECS instructional
– Simply run the command tcpdump accounts. Use on personal desktops/laptops
– tcpdump will work only on the Solaris 10 machines listed at • IPsumdump
http://inst.eecs.berkeley.edu/cgi-bin/clients.cgi?string=quasar
– Summarize tcpdump output into human/machine
readable form
• Non EECS instructional accounts
– http://www.cs.ucla.edu/~kohler/ipsumdump/
– tcpdump works on many different operating systems
– Download the version for your personal desktop/laptop from – For instructions to use IPsumdump on EECS
• http://www.tcpdump.org instructional accounts, see slide “Appendix:
• http://www.winpcap.org/windump/ IPsumdump on EECS instructional accounts”

2
 Assignment Requirements Security/Privacy Issues
• -w <dump_file_name> -s 0 options must • tcpdump allows you to monitor other people’s
traffic
be used for the traces submitted as part of • WARNING: Do NOT use tcpdump to violate
the assignments privacy or security
• Use filtering to restrict packet analysis to only
the traffic associated with your echo_client and
• Appropriately name each dump file you echo_server. The following is one way to ensure
submit and briefly describe what each that you see only traffic associated with your
dump file contains/illustrates in the client:
– tcpdump –s 0 –w all_pkts.trace
README file associated with the – tcpdump –s 0 –r all_pkts.trace “ –w my_pkts.trace
assignment submission “port 12345”
– where 12345 is the ephemeral port which your
echo_client uses to talk to the echo_server.

Cheat Sheet – Commonly Used Cheat Sheet – Commonly Used

Options Options (contd.)
• -n Don’t convert host addresses to names. • -s 0 tcpdump usually does not analyze and store
Avoids DNS lookups. It can save you time. the entire packet. This option ensures that the
• -w <filename> Write the raw packets to the entire packet is stored and analyzed. NOTE:
specified file instead of parsing and printing You must use this option while generating the
them out. Useful for saving a packet capture traces for your assignments.
session and running multiple filters against it • -A (or –X in some versions) Print each packet
later in ASCII. Useful when capturing web pages.
• -r <filename> Read packets from the specified NOTE: The contents of the packet before the
file instead of live capture. The file should have payload (for example, IP and TCP headers)
been created with –w option often contain unprintable ASCII characters which
• -q Quiet output. Prints less information per will cause the initial part of each packet to look
output line like rubbish

Cheat Sheet – Writing Filters (1) Cheat Sheet – Writing Filters (2)
• Specifying the hosts we are interested in • Specifying ICMP packets
– “dst host <name/IP>” – “icmp”
– “src host <name/IP>”
– “host <name/IP>” (either source or destination is
• Specifying UDP packets
name/IP) – “udp”
• Specifying the ports we are interested in • Specifying TCP packets
– “dst port <number>” – “tcp”
– “src port <number>”
– “port <number>”
– Makes sense only for TCP and UDP packets

3
 Appendix: IPsumdump on EECS
Cheat Sheet – Writing Filters (2)
instructional accounts
• Download and untar the latest IPsumdump source distribution from
• Combining filters http://www.cs.ucla.edu/~kohler/ipsumdump/
– and (&&)
• Set the following PATH and LD_LIBRARY_PATH environment
– or (||) variables by using setenv or export (bash shell)
– not (!) – setenv PATH /usr/ccs/bin:$PATH
– setenv LD_LIBRARY_PATH /usr/sww/lib
• Example:
• Run ./configure followed by make. The executable is created in the
– All tcp packets which are not from or to host src/ subdirectory
quasar.cs.berkeley.edu
• Use ipsumdump to analyze trace files generated by tcpdump (using
tcpdump “tcp and ! host quasar.cs.berkeley.edu” –w option).
– Lots of examples in the EXAMPLES section of the – For example: ipsumdump -r tracefile -s --payload prints the source and
payload of the packets in tracefile in an easy-to-read format
man page