Scribd
Upload
286 views

Packet Capture: Sniffer, Tcpdump, Ethereal, Ntop

The document discusses packet capture, which is the real-time collection of network data as it travels over networks. It describes tools used for packet capture like packet sniffers and protocol analyzers. It provides guidance on when to use packet capture for troubleshooting or analyzing network traffic. It then focuses on using the tcpdump tool for packet capture, including how to use basic commands and filters to capture specific network data.

Uploaded by

passwordy
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
286 views

Packet Capture: Sniffer, Tcpdump, Ethereal, Ntop

The document discusses packet capture, which is the real-time collection of network data as it travels over networks. It describes tools used for packet capture like packet sniffers and protocol analyzers. It provides guidance on when to use packet capture for troubleshooting or analyzing network traffic. It then focuses on using the tcpdump tool for packet capture, including how to use basic commands and filters to capture specific network data.

Uploaded by

passwordy
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 32

Packet Capture

Sniffer, tcpdump, Ethereal,


ntop
What is Packet Capture?
 Real time collection of data as it
travels over networks
 Tools called:
 packet sniffers
 packet analysers
 protocol analysers, and sometimes
even
 traffic monitors
Systems and Network Management
Network Troubleshooting 2
When Packet Capture?
 Most powerful technique
 When need to see what client and
server are actually saying to each
other
 When need to analyse type of
traffic on network
 Requires understanding of network
protocols to use effectively
Systems and Network Management
Network Troubleshooting 3
Warning: Don’t Get
Sacked!
 Be sure that your boss agrees with you
capturing packets on your company’s
network
 People have been sacked for doing this
without permission!
 Do not invade the privacy of others
 Capturing passwords with insecure
protocols such as telnet, ftp, http (that
is not encrypted with TLS) is very easy
 DON’T DO IT!

Systems and Network Management


Network Troubleshooting 4
tcpdump
 Available everywhere
 Windows: http://windump.polito.it/
 Syntax also used by other programs (such as
Ethereal)
 Often it is the only tool available, so good to
know
 Works by putting network interface into
promiscuous mode
 normal Ethernet interface will ignore packets not
addressed to it
 in promiscuous mode, will examine all packets that
arrive, even those not addressed to it

Systems and Network Management


Network Troubleshooting 5
How to use tcpdump
 Can just type its name (as root):
$ sudo tcpdump
 ...but get a huge amount of data!

 Can restrict the data collected

using a filter
 A filter may select addresses,

protocols, port numbers,...

Systems and Network Management


Network Troubleshooting 6
tcpdump: some options
 -c n — capture a count of n packets then stop
 -w file — write raw data to file.
 Very useful — can filter and analyse this later with tcpdump,
ethereal or other tools
 but you cannot see what you are capturing till later!
 -i interface — collect from interface instead of lowest
numbered network interface
 -s bytes — collect no more than bytes of data from each
packet instead of default 68 bytes
 -e — show link level info, e.g., Ethernet addresses
 -x — gives a hexadecimal dump of packets
 excluding link level data
 -X — display ASCII as well as hexadecimal if have –x option
too
 Many more options: man tcpdump
Systems and Network Management
Network Troubleshooting 7
tcpdump Filters: host and
port
 Show all network traffic to and
from 192.168.0.1:
tcpdump host 192.168.0.1
 Show packets to 192.168.0.1:

tcpdump dst 192.168.0.1


 Show packets to port 68 on

192.168.0.1:
tcpdump dst 192.168.0.1 and port 68

Systems and Network Management


Network Troubleshooting 8
tcpdump filters: networks
 Capture traffic to or from
205.153.60/24:
tcpdump net 172.19.64/18
 can specify network as source or

destination:
tcpdump src net 205.153.60/24
tcpdump dst net 172.19.64/18

Systems and Network Management


Network Troubleshooting 9
tcpdump filters: protocol
 tcpdump ip
 tcpdump tcp
 tcpdump ip proto ospf
 This will catch DNS name lookups,
but not zone transfers (which use
tcp):
 tcpdump udp port 53

Systems and Network Management


Network Troubleshooting 10
tcpdump filters: combining
 This will not work as you might expect:
 tcpdump host ictlab and udp or
arp
 Instead, need group with parentheses,
and quote:
 tcpdump “host ictlab and (udp or arp)”
 many more ways of filtering: man
tcpdump

Systems and Network Management


Network Troubleshooting 11
IP Header
Bits

20

24

28
12

16

31
0

8
Version IHL Type of Service Total Length
1

Identification Fragmentation Offset

MF
DF
2

Time to Live Protocol Header Checksum


3
Words

Source Address
4

Destination Address
5

Options (0 to 40 bytes) Padding

5-16
Your data starts here
TCP Header
Bits

12

16

28

31
20

24
0

8
Source Port Destination Port
1

Sequence Number
2

Acknowledgement Number
3
Words

header
Reserved Window
URG
ACK

SYN
PSH
RST

FIN
4 length

Checksum Urgent Pointer


5

Options (0 to 40 bytes) Padding

5-15
Your data starts here
UDP Header

Bits

16

31
0

Source Port Destination Port

Length Checksum

Your data starts here

Systems and Network Management


Network Troubleshooting 14
Writing data to a file
sudo tcpdump -c 1000 -w ~/tmp/tcpdump.pcap
tcpdump: listening on eth0
1014 packets received by filter
0 packets dropped by kernel

Systems and Network Management


Network Troubleshooting 15
Reading a dumped file
$ tcpdump -nr ~/tmp/tcpdump.pcap arp
22:32:41.751452 arp who-has 172.19.127.254 tell 172.19.127.29
22:32:41.863173 arp who-has 172.19.64.52 tell 172.19.64.63
22:32:41.863198 arp reply 172.19.64.52 is-at 0:0:e2:35:af:ee
22:32:42.082584 arp who-has 172.19.65.16 tell 172.19.125.229
22:32:43.113655 arp who-has 172.19.123.211 tell 172.19.65.2
22:32:44.635149 arp who-has 172.19.65.16 tell 172.19.127.106
22:32:44.874117 arp who-has 172.19.65.6 tell 172.19.126.174
22:32:45.147178 arp who-has 172.19.65.16 tell 172.19.126.240
22:32:45.209507 arp who-has 172.19.127.254 tell 172.19.125.127
22:32:45.212484 arp who-has 172.19.127.175 tell 172.19.125.127
22:32:45.239445 arp who-has 172.19.127.254 tell 172.19.125.212
22:32:45.455863 arp who-has 172.19.65.16 tell 172.19.126.194
22:32:45.540507 arp who-has 172.19.126.50 (44:30:54:59:43:4d)
tell 172.19.65.10
22:32:45.562004 arp who-has 172.19.126.50 tell 172.19.65.2

Systems and Network Management


Network Troubleshooting 16
HTTP
tcpdump -nr ~/tmp/tcpdump.pcap port http
22:43:32.633636 192.168.25.9.14075 > 172.19.64.52.http: S
1015952778:1015952778(0) win 6144 <mss 1460> (DF)
22:43:32.633693 172.19.64.52.http > 192.168.25.9.14075: S
1929920485:1929920485(0) ack 1015952779 win 5840 <mss 1460>
(DF)
22:43:32.635828 192.168.25.9.14075 > 172.19.64.52.http: P
1:590(589) ack 1 win 6144 (DF)
22:43:32.635906 172.19.64.52.http > 192.168.25.9.14075: . ack
590 win 6479 (DF)
22:43:32.636758 172.19.64.52.http > 192.168.25.9.14075: P
1:217(216) ack 590 win 6479 (DF)
22:43:32.636982 172.19.64.52.http > 192.168.25.9.14075: F
217:217(0) ack 590 win 6479 (DF)
22:43:32.639080 192.168.25.9.14075 > 172.19.64.52.http: R
590:590(0) ack 217 win 0 (DF)

Systems and Network Management


Network Troubleshooting 17
tcpdump: When reading
TCP
 format:
 src > dst: flags data-seqno ack window
urgent options
 Flags are some combination of S (SYN), F (FIN),

P (PUSH) or R (RST) or a single '.' (no flags).


 The first time tcpdump sees a tcp

'conversation', it prints the sequence number


from the packet.
 On subsequent packets of the conversation,

the difference between the current packet's


sequence number and this initial sequence
number
Systems and Networkis printed.
Management
Network Troubleshooting 18
Window
 win nnn specifies data window the
sending host will accept in future
packets
 I.e., the maximum number of bytes
 TCP flow-control:
 host reduces this number if congested or
overloaded
 will sometimes set to 0 to temporarily halt
incoming traffic in this connection

Systems and Network Management


Network Troubleshooting 19
Ethereal

King of the Packet Analysers!


Available for Linux, Unix,
Windows
Ethereal
 Ethereal can read data captured by
tcpdump, e.g.,
$ ethereal –r tcpdump.pcap
 or File -> Open

 Can capture data itself

 Uses same filter language as

tcpdump

Systems and Network Management


Network Troubleshooting 21
Systems and Network Management
Network Troubleshooting 22
Systems and Network Management
Network Troubleshooting 23
You can expand any
protocol:
 If we click on the + next to
Bootstrap Protocol, we can see
the details of the DHCP Request:

Systems and Network Management


Network Troubleshooting 24
Systems and Network Management
Network Troubleshooting 25
Display Filters
 Note the box at the bottom of Ethereal for display
filters
 Select only some of the packets captured for display

 see man ethereal and search for DISPLAY FILTER

SYNTAX
 Different syntax than the syntax for capture filters

 Example:

ip.src==172.19.64.52 and ip.dest==172.19.64.57

Systems and Network Management


Network Troubleshooting 26
Tools -> Follow TCP
Stream
 Can view the contents of an entire
TCP stream conversation, in ASCII
or in hexadecimal.
 Be careful not to invade your
customers’ privacy.
 Can use to check if a
communications stream is really
encrypted
Systems and Network Management
Network Troubleshooting 27
Ntop: monitoring data at a
point
 The Ntop program
 listens on a network interface
 puts an Ethernet interface into promiscuous
mode and
 displays statistics through a web interface
 Shows:
 percentages of protocols,
 which machines generate most traffic
 which traffic is purely local, which traffic
comes from outside, which traffic goes from
inside to outside of network
Systems and Network Management
Network Troubleshooting 28
Ntop RPM
 I have made an RPM package of ntop
 it’s the best one available, or at least it was
when I made it :-)
 Can get from
/home/nfs/redhat/contrib/ntop-2.1.51-
20021031nu2.i386.rpm
 source rpm is there too
 Or search for it on http://rpmfind.net/
 Note that you will be prompted for a
password when you install it.
Systems and Network Management
Network Troubleshooting 29
Switched Networks
 Problem: a switched network is really a point-
to-point network
 You cannot normally capture the unicast traffic
from other hosts on a single switch port
 Solution: many switches support port
monitoring, where one port can monitor all
traffic on a specified VLAN
 Example: Cisco 3500XL switches provide the
port monitor command:
 port monitor vlan VLAN1

Systems and Network Management


Network Troubleshooting 30
How monitor one
machine?
 You are asked to check out a server on a switched network: what
to do?
 Use a small hub, and use a notebook running the capture
software
Ethernet
Switch

mini-hub

Device under test notebook


e.g., a server running capture software

Systems and Network Management


Network Troubleshooting 31
Are switched networks
secure?
 Is all unicast traffic on one port of
a switch private?
 No, there are tools (dsniff) freely
available to temporarily make a
switch behave like a hub, or that
provide other ways to compromise
switch security.

Systems and Network Management


Network Troubleshooting 32

You might also like