How To Monitor packet flow using tcpdump

Transcription

1 How To Monitor packet flow using tcpdump tcpdump prints out the headers of packets on a network interface that match the Boolean expression. tcpdump is a packet capture tool that allows to intercept and capture packets passing through a network interface, making it useful for understanding and troubleshooting network layer problems. It will help to monitor packet flow coming on interface, response for each packet, packet drop, and ARP information. This utility will not be of much help to identify and troubleshoot problems related to Application, hence before using this tool try to understand the behavior of the problem. Usage Use from Cyberoam Telnet Console, option 4 Cyberoam Console How to view traffic of the tcpdump command Example specific host tcpdump host <ipaddress> tcpdump host specific source host tcpdump src host <ipaddress> tcpdump src host specific destination host tcpdump dst host <ipaddress> tcpdump dst host specific network tcpdump net <network address> tcpdump net specific source network tcpdump src net <network address> tcpdump src net specific destination network tcpdump dst net <network address> tcpdump dst net specific port tcpdump port <port-number> tcpdump port 21 specific source port tcpdump src port <port-number> tcpdump src port 21 specific destination port tcpdump dst port <port-number> tcpdump dst port 21 specific host for the particular port the specific host for all the ports except SSH specific protocol tcpdump host <ipaddress> and port <port-number> tcpdump host <ipaddress> and port not <port-number> tcpdump proto ICMP tcpdump proto UDP tcpdump proto TCP tcpdump arp tcpdump host and port 21 tcpdump host and port not 22 paritcular interface tcpdump interface <interface> tcpdump interface eth1 specific port of a particular interface tcpdump interface <interface> port <port-number> tcpdump interface eth1 port 21 Note: Expression can be combined using logical operators AND or OR and with NOT also. Make sure to use different combinations within single quotes.

2 Port Mapping Appliance 50i, 100i, 250i, 500i Port A B C D Physical Interface eth0 eth1 eth2 eth3 Appliance 1000i, 1500i Port A B C D E F G H Physical Interface eth6 eth7 eth8 eth9 eth0 eth1 eth2 eth3 Analyzing tcpdump output corporate> tcpdump 'port 21' Kernel filter, protocol ALL, datagram packet socket tcpdump: listening on all devices 12:29: eth0 < > ftp: S : (0) win <mss 1460,nop,nop,sackOK> (DF) 12:29: eth1 > > ftp: S : (0) win <mss 1460,nop,nop,sackOK> (DF) 12:29: eth1 < ftp > : S : (0) ack win 5840 <mss 1460> (DF) 12:29: eth0 > ftp > : S : (0) ack win 5840 <mss 1460> (DF) 12:29: eth0 < > ftp:. 1:1(0) ack 1 win (DF) 12:29: eth1 > > ftp:. 1:1(0) ack 1 win (DF) 12:29: eth1 < ftp > : P 1:65(64) ack 1 win 5840 (DF) 12:29: eth0 > ftp > : P 1:65(64) ack 1 win 5840 (DF) 12:29: eth0 < > ftp:. 1:1(0) ack 65 win (DF) 12:29: eth1 > > ftp:. 1:1(0) ack 65 win (DF) 12:29: eth0 < > ftp: P 1:17(16) ack 65 win (DF)

3 12:29: eth1 > > ftp: P 1:17(16) ack 65 win (DF) 12:29: eth1 < ftp > :. 65:65(0) ack 17 win 5840 (DF) 12:29: eth0 > ftp > :. 65:65(0) ack 17 win 5840 (DF) 12:29: eth1 < ftp > : P 65:133(68) ack 17 win 5840 (DF) 12:29: eth0 > ftp > : P 65:133(68) ack 17 win 5840 (DF) 12:29: eth0 < > ftp:. 17:17(0) ack 133 win (DF) 12:29: eth1 > > ftp:. 17:17(0) ack 133 win (DF) 12:29: eth0 < > ftp: P 17:31(14) ack 133 win (DF) 12:29: eth1 > > ftp: P 17:31(14) ack 133 win (DF) 12:29: eth1 < ftp > :. 133:133(0) ack 31 win 5840 (DF) 12:29: eth0 > ftp > :. 133:133(0) ack 31 win 5840 (DF) 12:30: eth1 < ftp > : P 133:181(48) ack 31 win 5840 (DF) 12:30: eth0 > ftp > : P 133:181(48) ack 31 win 5840 (DF) 12:30: eth0 < > ftp:. 31:31(0) ack 181 win (DF) 12:30: eth1 > > ftp:. 31:31(0) ack 181 win (DF) 12:30: eth0 < > ftp: P 31:37(6) ack 181 win (DF) 12:30: eth1 > > ftp: P 31:37(6) ack 181 win (DF) 12:30: eth1 < ftp > :. 181:181(0) ack 37 win 5840 (DF) 12:30: eth0 > ftp > :. 181:181(0) ack 37 win 5840 (DF) 12:30: eth1 < ftp > : P 181:227(46) ack 37 win 5840 (DF) 12:30: eth0 > ftp > : P 181:227(46) ack 37 win 5840 (DF) 12:30: eth0 < > ftp:. 37:37(0) ack 227 win (DF) 12:30: eth1 > > ftp:. 37:37(0) ack 227 win (DF) 12:30: eth1 < ftp > : P 227:293(66) ack 37 win 5840 (DF) 12:30: eth0 > ftp > : P 227:293(66) ack 37 win 5840 (DF) 12:30: eth1 < ftp > : FP 293:370(77) ack 37 win 5840 (DF) 12:30: eth0 > ftp > : FP 293:370(77) ack 37 win 5840 (DF) 12:30: eth0 < > ftp:. 37:37(0) ack 371 win (DF) 12:30: eth1 > > ftp:. 37:37(0) ack 371 win (DF) 12:30: eth0 < > ftp: F 37:37(0) ack 371 win (DF) 12:30: eth1 > > ftp: F 37:37(0) ack 371 win (DF) 1 st line: Brown color shows timestamp of the packet Green color shows the incoming interface Blue color shows source address who originates the request Red color shows destination IP address Orange color shows services which is being accessed Pink color shows flag of particular packet. This is new connection originated by IP address & destined for to access FTP services. This is first packet so flag is set to Sync S 3rd line: As three ways handshaking needs to be complete, second packet is the response coming back from server with Ack for Sync packet. This is nothing but Syn-Ack packet. 4th Line: Ack packet sent by source for Syn-Ack. For any tcp connection first three lines are like Source to Destination-- Sync Destination to Source-- Sync-Ack Source to Destination Ack

4 5 th to 40 th Line: Push packet (Data Packet) because of P &. Flag 41st and 42nd Line: Termination of FTP connection because F flag Flag Information: S Sync packet for new connection S Sync packet with ack P Push packet containing Data. -- No data information, only ack F FIN packet which provides information of termination of connection R Reset packet, Packet which dropped in between somewhere at firewall end Advanced Usage View packet contents in hexadecimal notations corporate> tcpdump hex Kernel filter, protocol ALL, datagram packet socket tcpdump: listening on all devices 13:49: eth0 > telnet > : P : (2) ack win 5840 (DF) a b c0a8 0d28 ac c e 24bf 1c d0 13a d0a 13:49: eth1 B arp who-has (Broadcast) tell ba29 8f63 c0a8 021f ffff ffff ffff c0a8 021e :49: eth0 < > telnet:. 1:1(0) ack 2 win (DF) c3b ac c0a8 0d28 077c bf 1c fff :49: eth0 > telnet > : P 2:538(536) ack 1 win 5840 (DF) c0a8 0d28 ac c bf 1c d0 058f b65 726e 656c c c f 746f 636f 6c20 414c 4c2c d b f63 6b65 740d 0a d70 3a20 6c e 696e f6e c6c d0a a34 393a e :49: eth1 B arp who-has tell c 29ca 2f1e c0a8 0d c0a8 0d

5 :49: eth1 B arp who-has tell a132 e4f0 c0a8 01ce c0a8 015d 5d a View packet contents with Ethernet or other layer 2 header information corporate> tcpdump llh Kernel filter, protocol ALL, datagram packet socket tcpdump: listening on all devices 13:49: eth1 B 0:3:ba:29:8f:63 Broadcast arp 60: arp who-has (Broadcast) tell :49: eth1 B 0:11:43:56:7d:7a Broadcast ip 92: netbios-ns > netbios-ns:NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST 13:49: eth0 < 0:11:11:93:47:9b 0:0:0:0:0:1 ip 60: > telnet: : (0) ack win (DF) 13:49: eth0 > 0:0:0:0:0:0 0:10:f3:9:cf:da ip 412: telnet > : P 1:359(358) ack 0 win 5840 (DF) 13:49: eth0 < 0:11:11:93:47:9b 0:0:0:0:0:1 ip 60: > telnet:. 0:0(0) ack 359 win (DF) 13:49: eth0 > 0:0:0:0:0:0 0:10:f3:9:cf:da ip 345: telnet > : P 359:650(291) ack 0 win 5840 (DF) 13:49: eth1 B 0:10:f3:a:a5:fd Broadcast arp 60: arp who-has tel l :49: eth1 B 0:13:20:dc:d0:63 Broadcast ip 110: netbios-n s > netbios-ns:NBT UDP PACKET(137): RELEASE; REQUEST; BROADCAST 13:49: eth1 B 0:13:20:dc:d0:63 Broadcast ip 110: netbios-n s > netbios-ns:NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADC AST 13:49: eth0 < 0:11:11:93:47:9b 0:0:0:0:0:1 ip 60: > telnet:. 0:0(0) ack 650 win (DF) 13:49: eth0 > 0:0:0:0:0:0 0:10:f3:9:cf:da ip 741: telnet > : P 650:1337(687) ack 0 win 5840 (DF) 13:49: eth1 B 0:7:e9:2e:6c:c1 Broadcast arp 60: arp who-has (Broadcast) tell Generate binary file of traffic log generated with custom parameters Cyberoam also supports to save and download the tcpdump output in a binary file from Telnet Console. File tcpdump contains the troubleshooting information useful to analyze the traffic with advanced tool like ethereal for Cyberoam Support team. To save the output in the downloadable file, log on to Telnet Console: Go to Option 4 Cyberoam Console At the command prompt, issue the command: tcpdump <criteria> filedump Cyberoam saves this file under the name tcpdump.out Download from and mail this file to Cyberoam Support team at support@cyberoam.com

6 Monitoring VPN traffic Cyberoam will automatically configure VPN IPSec interface for each WAN port configured. For example, if Port B and Port C are configured as WAN ports then Cyberoam will configure ipsec0 and ipsec1 for Port B and Port C respectively. Use these ipsec ports to monitor VPN traffic e.g. tcpdump -i ipsec0 Document Version: /09/2007