TCP Dump

Tcpdump was created in 1987 by Van Jacobson, Craig Leres, and Steven McCanne, and it wasn't until 1999 that the website came to be. During the late 90's there were several versions of tcpdump in circulation, and development was mostly uncoordinated until the website was established.

For those who don't know, tcpdump is a packet analyzer. It's a powerful tool that allows its user to view incoming and outgoing data. It is a commonly used tool when troubleshooting network connectivity issues. I, myself, use it all the time. It goes a long way in helping me understand where and when an issue may have occurred.


Let’s check to see if your system currently has tcpdump. Type the following into a terminal.

# whereis tcpdump

If you do not see a file path and location for the program, then it's a safe bet that your OS does not have it installed. That's ok. We'll go ahead and install the program ourselves…

$ sudo apt-get install tcpdump
-or-
$ sudo yum install tcpdump

Once the program is fully installed, run a quick upgrade to make sure the latest version is installed on your system. Then we'll give the options a quick look over, mainly just to see what we can do in a packet capture.

# tcpdump --help
-or-
# man tcpdump

Now it's time to look at a few packets, but first we need to specify an interface with the "-i" option. So the command will look like this: #tcpdump -i eth0. It isn't limited to just one interface; you can actually monitor multiple interfaces. Adding the -c option lets you set a count, and tcpdump will exit after receiving the specified number of packets. So it will look like this… #tcpdump -i eth0 -c 10

Here is an example from one of my test VMs.

[root@localhost ~]# tcpdump -i eno16777736 -c 5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777736, link-type EN10MB (Ethernet), capture size 65535 bytes
08:03:35.706916 IP 10.10.11.99.50123 > 224.0.0.252.hostmon: UDP, length 28
08:03:35.707706 IP localhost.localdomain.35740 > ns1.dc.cox.net.domain: 57543+ PTR? 252.0.0.224.in-addr.arpa. (42)
08:03:35.713901 IP ns1.dc.cox.net.domain > localhost.localdomain.35740: 57543 NXDomain 0/1/0 (99)
08:03:35.725514 IP localhost.localdomain.53059 > ns1.dc.cox.net.domain: 55834+ PTR? 99.11.10.10.in-addr.arpa. (42)
08:03:35.729252 IP ns1.dc.cox.net.domain > localhost.localdomain.53059: 55834 NXDomain* 0/1/0 (92)
5 packets captured
9 packets received by filter
0 packets dropped by kernel
[root@localhost ~]#


Of course, there are several other options that can be used, such as the time stamp options: -t will not show the time stamp, -tt will show an unformatted time stamp, -ttt will show you the time stamp in a delta format, and -tttt will show you a time stamp in a default format.

Another would be the verbose options, -v, -vv and -vvv. These give you more information relating to what is being printed on the screen. Each option will help you get what you need from a network dump. If you need more information, please head to Linux Command's, where you can view the man page.
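Once a capture like the one above has been saved to a file (or piped straight out of tcpdump), a few shell functions can pull the useful bits out of it: packets per source host, the delta between packets (what -ttt would print for you), and how many DNS replies came back NXDomain. This is an added example, not code from the original post; it assumes POSIX sh with awk, grep and sort, and uses the capture printed above as constructed sample input.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes POSIX sh, awk, grep, sort.
# Sample input: the capture shown above, embedded here as a constructed string.
SAMPLE_CAPTURE='tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777736, link-type EN10MB (Ethernet), capture size 65535 bytes
08:03:35.706916 IP 10.10.11.99.50123 > 224.0.0.252.hostmon: UDP, length 28
08:03:35.707706 IP localhost.localdomain.35740 > ns1.dc.cox.net.domain: 57543+ PTR? 252.0.0.224.in-addr.arpa. (42)
08:03:35.713901 IP ns1.dc.cox.net.domain > localhost.localdomain.35740: 57543 NXDomain 0/1/0 (99)
08:03:35.725514 IP localhost.localdomain.53059 > ns1.dc.cox.net.domain: 55834+ PTR? 99.11.10.10.in-addr.arpa. (42)
08:03:35.729252 IP ns1.dc.cox.net.domain > localhost.localdomain.53059: 55834 NXDomain* 0/1/0 (92)
5 packets captured
9 packets received by filter
0 packets dropped by kernel'

# Count packets per source host, reading tcpdump text output from stdin.
# Only lines whose second field is "IP" are packets; the banner lines and the
# "packets captured" trailer are skipped. The last dotted component of the
# source address is the port (or service name) and is stripped off.
summarize_sources() {
  awk '$2 == "IP" { src = $3; sub(/\.[^.]+$/, "", src); count[src]++ }
       END { for (s in count) print count[s], s }' | sort -rn
}

# Prefix each packet line with the seconds elapsed since the previous packet,
# computed from the HH:MM:SS.ffffff time stamp (0 for the first packet).
packet_deltas() {
  awk '$2 == "IP" {
         split($1, t, ":"); secs = t[1] * 3600 + t[2] * 60 + t[3]
         printf "%.6f %s\n", (prev == "" ? 0 : secs - prev), $0
         prev = secs
       }'
}

# Count DNS replies that came back NXDomain (the name does not exist).
count_nxdomain() {
  grep -c 'NXDomain'
}

printf '%s\n' "$SAMPLE_CAPTURE" | summarize_sources
printf '%s\n' "$SAMPLE_CAPTURE" | packet_deltas
echo "NXDomain replies: $(printf '%s\n' "$SAMPLE_CAPTURE" | count_nxdomain)"
```

On a live box the same functions work on a real capture, e.g. tcpdump -i eth0 -c 100 | summarize_sources.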
