Packet Capture

Packet capture tools like tcpdump and Ethereal are used to collect and analyze network packet data in real-time. Tcpdump is a command line tool that puts interfaces in promiscuous mode to sniff all network traffic. It can write captured packets to a file for later analysis. Ethereal is a graphical packet analyzer that can open capture files from tcpdump. Both tools use filters to select specific packet types and allow troubleshooting network issues. When using packet capture tools, permissions and privacy issues must be considered.

Packet Capture

Sniffer, tcpdump, Ethereal, ntop

What is Packet Capture?

Real time collection of data as it travels over networks.
Tools called:
  packet sniffers
  packet analysers
  protocol analysers, and sometimes even
  traffic monitors

Systems and

Network Troubleshoo

When Packet Capture?

Most powerful technique:
  When need to see what client and server are actually saying to each other
  When need to analyse type of traffic on network
Requires understanding of network protocols to use effectively

Warning: Don't Get Sacked!

Be sure that your boss agrees with you capturing packets on your company's network.
People have been sacked for doing this without permission!
Do not invade the privacy of others.
Capturing passwords with insecure protocols such as telnet, ftp, http (that is not encrypted with TLS) is very easy.
DON'T DO IT!

tcpdump

Available everywhere
  Windows: http://windump.polito.it/
Syntax also used by other programs (such as Ethereal)
Often it is the only tool available, so good to know
Works by putting network interface into promiscuous mode
  normal Ethernet interface will ignore packets not addressed to it
  in promiscuous mode, will examine all packets that arrive, even those not addressed to it

How to use tcpdump

Can just type its name (as root):
  $ sudo tcpdump
...but get a huge amount of data!
Can restrict the data collected using a filter
A filter may select addresses, protocols, port numbers, ...

tcpdump: some options

-c n          capture a count of n packets then stop
-w file       write raw data to file. Very useful: can filter and analyse this later with tcpdump, ethereal or other tools, but you cannot see what you are capturing till later!
-i interface  collect from interface instead of lowest numbered network interface
-s bytes      collect no more than bytes of data from each packet instead of default 68 bytes (excluding link level data)
-e            show link level info, e.g., Ethernet addresses
-x            gives a hexadecimal dump of packets
-X            display ASCII as well as hexadecimal if have x option too

Many more options: man tcpdump

tcpdump Filters: host and port

Show all network traffic to and from 192.168.0.1:
  tcpdump host 192.168.0.1
Show packets to 192.168.0.1:
  tcpdump dst 192.168.0.1
Show packets to port 68 on 192.168.0.1:
  tcpdump dst 192.168.0.1 and port 68

tcpdump filters: networks

Capture traffic to or from 205.153.60/24:
  tcpdump net 172.19.64/18
Can specify network as source or destination:
  tcpdump src net 205.153.60/24
  tcpdump dst net 172.19.64/18

tcpdump filters: protocol

  tcpdump ip
  tcpdump tcp
  tcpdump ip proto ospf
This will catch DNS name lookups, but not zone transfers (which use tcp):
  tcpdump udp port 53

tcpdump filters: combining

This will not work as you might expect:
  tcpdump host ictlab and udp or arp
(and binds more tightly than or, so this reads as "(host ictlab and udp) or arp" and matches every ARP packet on the network.)
Instead, need to group with parentheses, and quote so the shell does not interpret them:
  tcpdump 'host ictlab and (udp or arp)'
Many more ways of filtering: man tcpdump

IP Header (bits 0-31 across, one 32-bit word per row)

Word 1:     Version (4 bits) | IHL (4 bits) | Type of Service (8 bits) | Total Length (16 bits)
Word 2:     Identification (16 bits) | flags: DF, MF (3 bits) | Fragmentation Offset (13 bits)
Word 3:     Time to Live (8 bits) | Protocol (8 bits) | Header Checksum (16 bits)
Word 4:     Source Address (32 bits)
Word 5:     Destination Address (32 bits)
Words 5-16: Options (0 to 40 bytes) + Padding
Your data starts here

TCP Header (bits 0-31 across, one 32-bit word per row)

Word 1:     Source Port (16 bits) | Destination Port (16 bits)
Word 2:     Sequence Number (32 bits)
Word 3:     Acknowledgement Number (32 bits)
Word 4:     header length (4 bits) | Reserved (6 bits) | URG ACK PSH RST SYN FIN (1 bit each) | Window (16 bits)
Word 5:     Checksum (16 bits) | Urgent Pointer (16 bits)
Words 5-15: Options (0 to 40 bytes) + Padding
Your data starts here

UDP Header (bits 0-31 across, one 32-bit word per row)

Word 1:     Source Port (16 bits) | Destination Port (16 bits)
Word 2:     Length (16 bits) | Checksum (16 bits)
Your data starts here
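As an added example (not code from the slides), the three header layouts above decoded from the kind of hex that `tcpdump -x` prints. The packet bytes are constructed here (an IPv4 header carrying a TCP SYN, checksums left as zero placeholders), and the function names are my own.

```python
import struct

# Constructed sample (not from the slide's capture): the hex a `tcpdump -x` style dump
# would show for an IPv4 header followed by a TCP SYN. Checksums are zero placeholders.
SAMPLE_HEX = ("4500 0028 1234 4000 4006 0000 c0a8 1909 ac13 4034 "   # IPv4 header, 5 words
              "36fb 0050 3c8e 358a 0000 0000 5002 1800 0000 0000")   # TCP header, 5 words

TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # bits 0..5 of the TCP flags byte

def parse_ipv4(buf):
    """Decode the IPv4 header word by word, as laid out in the diagram above."""
    vihl, tos, total_len, ident, frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", buf[:12])
    version, ihl = vihl >> 4, vihl & 0x0F
    if version != 4 or ihl < 5 or len(buf) < ihl * 4:
        raise ValueError("not a complete IPv4 header")
    return {
        "version": version, "ihl_words": ihl, "tos": tos, "total_length": total_len,
        "identification": ident, "DF": bool(frag & 0x4000), "MF": bool(frag & 0x2000),
        "frag_offset": frag & 0x1FFF, "ttl": ttl, "protocol": proto, "checksum": csum,
        "src": ".".join(str(b) for b in buf[12:16]), "dst": ".".join(str(b) for b in buf[16:20]),
        "options": buf[20:ihl * 4],           # 0 to 40 bytes, padded to a word boundary
        "payload": buf[ihl * 4:total_len],    # "your data starts here"
    }

def parse_tcp(buf):
    """Decode the TCP header: ports, seq/ack, header length, flag bits, window, urgent pointer."""
    sport, dport, seq, ack, off_res, flags, win, csum, urg = struct.unpack("!HHIIBBHHH", buf[:20])
    data_off = off_res >> 4                   # header length in 32-bit words (5 to 15)
    if data_off < 5 or len(buf) < data_off * 4:
        raise ValueError("not a complete TCP header")
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "header_words": data_off,
        "flags": [n for i, n in enumerate(TCP_FLAGS) if flags & (1 << i)],
        "window": win, "checksum": csum, "urgent": urg,
        "options": buf[20:data_off * 4], "payload": buf[data_off * 4:],
    }

def parse_udp(buf):
    """Decode the four-field UDP header."""
    sport, dport, length, csum = struct.unpack("!HHHH", buf[:8])
    return {"src_port": sport, "dst_port": dport, "length": length, "checksum": csum, "payload": buf[8:length]}

def decode_hex_dump(hex_text):
    """Decode an IPv4 packet from hex text; returns (ip_fields, transport_fields_or_None)."""
    raw = bytes.fromhex(hex_text.replace(" ", ""))
    ip = parse_ipv4(raw)
    l4 = {6: parse_tcp, 17: parse_udp}.get(ip["protocol"])
    return ip, (l4(ip["payload"]) if l4 else None)
```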

Writing data to a file

  $ sudo tcpdump -c 1000 -w ~/tmp/tcpdump.pcap
  tcpdump: listening on eth0
  1014 packets received by filter
  0 packets dropped by kernel

Reading a dumped file

$ tcpdump -nr ~/tmp/tcpdump.pcap arp
22:32:41.751452 arp who-has 172.19.127.254 tell 172.19.127.29
22:32:41.863173 arp who-has 172.19.64.52 tell 172.19.64.63
22:32:41.863198 arp reply 172.19.64.52 is-at 0:0:e2:35:af:ee
22:32:42.082584 arp who-has 172.19.65.16 tell 172.19.125.229
22:32:43.113655 arp who-has 172.19.123.211 tell 172.19.65.2
22:32:44.635149 arp who-has 172.19.65.16 tell 172.19.127.106
22:32:44.874117 arp who-has 172.19.65.6 tell 172.19.126.174
22:32:45.147178 arp who-has 172.19.65.16 tell 172.19.126.240
22:32:45.209507 arp who-has 172.19.127.254 tell 172.19.125.127
22:32:45.212484 arp who-has 172.19.127.175 tell 172.19.125.127
22:32:45.239445 arp who-has 172.19.127.254 tell 172.19.125.212
22:32:45.455863 arp who-has 172.19.65.16 tell 172.19.126.194
22:32:45.540507 arp who-has 172.19.126.50 (44:30:54:59:43:4d) tell 172.19.65.10
22:32:45.562004 arp who-has 172.19.126.50 tell 172.19.65.2

HTTP

$ tcpdump -nr ~/tmp/tcpdump.pcap port http
22:43:32.633636 192.168.25.9.14075 > 172.19.64.52.http: S 1015952778:1015952778(0) win 6144 <mss 1460> (DF)
22:43:32.633693 172.19.64.52.http > 192.168.25.9.14075: S 1929920485:1929920485(0) ack 1015952779 win 5840 <mss 1460> (DF)
22:43:32.635828 192.168.25.9.14075 > 172.19.64.52.http: P 1:590(589) ack 1 win 6144 (DF)
22:43:32.635906 172.19.64.52.http > 192.168.25.9.14075: . ack 590 win 6479 (DF)
22:43:32.636758 172.19.64.52.http > 192.168.25.9.14075: P 1:217(216) ack 590 win 6479 (DF)
22:43:32.636982 172.19.64.52.http > 192.168.25.9.14075: F 217:217(0) ack 590 win 6479 (DF)
22:43:32.639080 192.168.25.9.14075 > 172.19.64.52.http: R 590:590(0) ack 217 win 0 (DF)

tcpdump: when reading TCP

Format:
  src > dst: flags data-seqno ack window urgent options
Flags are some combination of S (SYN), F (FIN), P (PUSH) or R (RST) or a single '.' (no flags).
The first time tcpdump sees a tcp 'conversation', it prints the sequence number from the packet.
On subsequent packets of the conversation, the difference between the current packet's sequence number and this initial sequence number is printed.

Window

win nnn specifies the data window the sending host will accept in future packets, i.e., the maximum number of bytes.
TCP flow-control:
  host reduces this number if congested or overloaded
  will sometimes set to 0 to temporarily halt incoming traffic in this connection
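An added example, not part of the slides, covering both the TCP record format and the Window slide: a parser for the "src > dst: flags data-seqno ack window" lines, run over the HTTP exchange shown earlier (wrapped records joined back onto one line). It recovers each direction's absolute ISN from the SYN, counts bytes in the relative sequence space tcpdump prints afterwards, checks that no ack exceeds what the peer has sent, and counts the win 0 packets that halt traffic. Function names (parse_line, summarise) are my own.

```python
import re

# Constructed input: the HTTP exchange from the slide, each wrapped record joined onto one line.
SAMPLE_LINES = """\
22:43:32.633636 192.168.25.9.14075 > 172.19.64.52.http: S 1015952778:1015952778(0) win 6144 <mss 1460> (DF)
22:43:32.633693 172.19.64.52.http > 192.168.25.9.14075: S 1929920485:1929920485(0) ack 1015952779 win 5840 <mss 1460> (DF)
22:43:32.635828 192.168.25.9.14075 > 172.19.64.52.http: P 1:590(589) ack 1 win 6144 (DF)
22:43:32.635906 172.19.64.52.http > 192.168.25.9.14075: . ack 590 win 6479 (DF)
22:43:32.636758 172.19.64.52.http > 192.168.25.9.14075: P 1:217(216) ack 590 win 6479 (DF)
22:43:32.636982 172.19.64.52.http > 192.168.25.9.14075: F 217:217(0) ack 590 win 6479 (DF)
22:43:32.639080 192.168.25.9.14075 > 172.19.64.52.http: R 590:590(0) ack 217 win 0 (DF)
""".splitlines()

# src > dst: flags data-seqno ack window urgent options  (the format the slide quotes)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPR.]+)"
    r"(?: (?P<seq_lo>\d+):(?P<seq_hi>\d+)\((?P<nbytes>\d+)\))?"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)")

def parse_line(line):
    """Split one tcpdump TCP record into its fields; None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("seq_lo", "seq_hi", "nbytes", "ack", "win"):
        rec[k] = int(rec[k]) if rec[k] is not None else None
    rec["flags"] = set(rec["flags"]) - {"."}   # a lone '.' means no flags set
    return rec

def summarise(lines):
    """Per direction: ISN (absolute, from the SYN), bytes sent (relative seq space),
    flags seen, zero-window packets, and acks that exceed what the peer has sent."""
    dirs = {}
    for rec in filter(None, map(parse_line, lines)):
        d = dirs.setdefault((rec["src"], rec["dst"]),
                            {"isn": None, "sent": 0, "flags": set(), "zero_win": 0, "bad_ack": 0})
        if "S" in rec["flags"]:
            d["isn"], d["sent"] = rec["seq_lo"], 1      # SYN consumes one sequence number
        elif rec["seq_hi"] is not None:                 # later packets count from the ISN
            d["sent"] = max(d["sent"], rec["seq_hi"] + ("F" in rec["flags"]))
        d["flags"] |= rec["flags"]
        d["zero_win"] += rec["win"] == 0                 # win 0: sender asked to halt traffic
        peer = dirs.get((rec["dst"], rec["src"]))
        if rec["ack"] is not None and peer and peer["isn"] is not None:
            ok = rec["ack"] == peer["isn"] + 1 if "S" in rec["flags"] else rec["ack"] <= peer["sent"]
            d["bad_ack"] += not ok
    return dirs
```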

Ethereal

King of the Packet Analysers!
Available for Linux, Unix, Windows

Ethereal can read data captured by tcpdump, e.g.,
  $ ethereal -r tcpdump.pcap
or File -> Open
Can capture data itself
Uses same filter language as tcpdump

You can expand any protocol:
If we click on the + next to Bootstrap Protocol, we can see the details of the DHCP Request:

Display Filters

Note the box at the bottom of Ethereal for display filters
Select only some of the packets captured for display
See man ethereal and search for DISPLAY FILTER SYNTAX
Different syntax than the syntax for capture filters
Example:
  ip.src==172.19.64.52 and ip.dst==172.19.64.57

Tools -> Follow TCP Stream

Can view the contents of an entire TCP stream conversation, in ASCII or in hexadecimal.
Be careful not to invade your customers' privacy.
Can use to check if a communications stream is really encrypted.

Ntop: monitoring data at a point

The Ntop program
  listens on a network interface
  puts an Ethernet interface into promiscuous mode and displays statistics through a web interface
Shows:
  percentages of protocols,
  which machines generate most traffic
  which traffic is purely local, which traffic comes from outside, which traffic goes from inside to outside of network

Ntop RPM

I have made an RPM package of ntop
Can get from /home/nfs/redhat/contrib/ntop-2.1.5120021031nu2.i386.rpm
  it's the best one available, or at least it was when I made it :-)
  source rpm is there too
Or search for it on http://rpmfind.net/
Note that you will be prompted for a password when you install it.

Switched Networks

Problem: a switched network is really a point-to-point network
You cannot normally capture the unicast traffic from other hosts on a single switch port
Solution: many switches support port monitoring, where one port can monitor all traffic on a specified VLAN
Example: Cisco 3500XL switches provide the port monitor command:
  port monitor vlan VLAN1

How monitor one machine?

You are asked to check out a server on a switched network: what to do?
Use a small hub, and use a notebook running the capture software:

  Ethernet Switch --- mini-hub --- Device under test (e.g., a server)
                         |
                    notebook running capture software

Are switched networks secure?

Is all unicast traffic on one port of a switch private?
No, there are tools (dsniff) freely available to temporarily make a switch behave like a hub, or that provide other ways to compromise switch security.
