Internet Traffic Measurements. TCPdump. School of Electrical Engineering AALTO UNIVERSITY

Transcription

1 Internet Traffic Measurements TCPdump School of Electrical Engineering AALTO UNIVERSITY

2 Page 1 Contents What is TCPdump?... 2 Hardware and software components used for this tutorial... 2 Getting familiar with TCPdump... 2 Install the package... 3 Getting all available interfaces... 3 Selecting a specific interface... 4 Capturing all IP packets... 4 Getting verbose results... 5 Capturing all TCP/UDP/ICMP packets... 6 Disabling hostname and port translation... 7 Disabling time stamp display... 7 Displaying the content of the packets in ASCII and hexadecimal... 8 Capturing the link layer header with the packets... 9 Capturing specific amount of packets... 9 Saving the captured packets into a file Reading the captured packets from a file Capturing packets for specific port/s Capturing packets for specific IP address Capturing packets for specific range of address... 12

3 Page 2 What is TCPdump? TCPdump is one of the best and greatest command line tools on UNIX and Linux based operating systems to capture and analyze the data transmitted and received by the network interface card. TCPdump is extremely flexible and versatile tools which can be used in many cases for traffic monitoring, measurements, network troubleshooting and security analysis so it is really important that students have a good understanding about the capabilities of this powerful networking tool. Hardware and software components used for this tutorial The material available in this tutorial is created based network devices in a virtual Lab environment running CentOS Linux version bit (minimal version) where all concepts and commands are also applicable to other Linux distributions. Linux machine hardware properties are as follows: Machine Name Hard Disk Drive RAM CPU No. NICs GPLinux 10GB 512MB 1 socket, 1 core 1 Note: All these commands and concepts are applicable to other UNIX and Linux distributions but as all the examples used in this guide are taken from the CentOS based system so it is recommended to use the same Linux distribution if you are new to UNIX and Linux based systems. Getting familiar with TCPdump Note: Linux kernel by default is able to sniff and capture all broadcast messages and packets that are destined to that specific machine and not every single packet transmitted and received by other machines on the network! In order to capture all the traffic that is not destined for a specific machine: 1- That traffic must be redirected to the sniffing NIC (by using Hub, tap interfaces or port mirroring technics). 2-NIC must be configured in promiscuous mode.

4 Page 3 Install the package Install the package using following command. Command : yum install tcpdump -y Loaded plugins: fastestmirror... Resolving Dependencies --> Running transaction check ---> Package tcpdump.x86_64 14: el7 will be erased --> Finished Dependency Resolution Dependencies Resolved Resolving Dependencies --> Running transaction check ---> Package tcpdump.x86_64 14: el7 will be installed --> Finished Dependency Resolution Running transaction Installed: tcpdump.x86_64 14: el7 Complete! Getting all available interfaces First step for working with TCPdump is checking for the list of available interfaces for capturing the packets on the system by using following command. Command : tcpdump -D 1.bluetooth0 (Bluetooth adapter number 0) 2.nflog (Linux netfilter log (NFLOG) interface) 3.nfqueue (Linux netfilter queue (NFQUEUE) interface) 4.usbmon1 (USB bus number 1) 5.usbmon2 (USB bus number 2)

5 Page 4 6.eno any (Pseudo-device that captures on all interfaces) 8.lo Note: 1- any interface is a kernel special type of interface designed to sniff the packets from all available NICs. 2- lo stands for loopback interface. Selecting a specific interface If you need to capture packets only on a specific interface then you need to use -i option as follows: Command : tcpdump -i eno :18: IP gplinux.ssh > : Flags [P.], seq : , ack , win 314, length :18: IP gplinux > gateway.domain: PTR? in-addr.arpa. (44) 10:18: IP gateway.domain > gplinux.50829: NXDomain 0/1/0 (103) 10:18: IP gplinux > gateway.domain: PTR? in-addr.arpa. (46) Capturing all IP packets TCPdump will capture all IP packets on interface if nothing else is specified as follows: Command : tcpdump -i eno :06: IP gplinux > gateway.domain: A? (32) 11:06: IP gplinux > gateway.domain: AAAA? (32) 11:06: IP gplinux > gateway.domain: PTR? in-addr.arpa. (44) 11:06: IP gateway.domain > gplinux.58759: NXDomain 0/1/0 (103)

6 Page 5 11:06: IP gplinux > gateway.domain: PTR? in-addr.arpa. (46) Getting verbose results If you need more detail result from TCPdump then you can use -v, -vv or -vvv for more verbose result. Command: tcpdump -i eno vvv tcpdump: listening on eno , link-type EN10MB (Ethernet), capture size bytes 12:08: IP (tos 0x0, ttl 64, id 13406, offset 0, flags [DF], proto ICMP (1), length 84) gplinux > google-public-dns-a.google.com: ICMP echo request, id 2679, seq 1, 12:08: IP (tos 0x0, ttl 64, id 9873, offset 0, flags [DF], proto UDP (17), length 66) gplinux > gateway.domain: [bad udp cksum 0x121a -> 0x61e9!] PTR? in-addr.arpa. (38) 12:08: IP (tos 0x0, ttl 128, id 65506, offset 0, flags [none], proto UDP (17), length 110) gateway.domain > gplinux.42014: [udp sum ok] q: PTR? inaddr.arpa. 1/0/ in-addr.arpa. [5s] PTR google-public-dns-a.google.com. (82) 12:08: IP (tos 0x0, ttl 64, id 9874, offset 0, flags [DF], proto UDP (17), length 74) gplinux > gateway.domain: [bad udp cksum 0x1222 -> 0xbd53!] PTR? in-addr.arpa. (46) 12:08: IP (tos 0x0, ttl 128, id 65507, offset 0, flags [none], proto ICMP (1), length 84) google-public-dns-a.google.com > gplinux: ICMP echo reply, id 2679, seq 1, 12:08: IP (tos 0x0, ttl 128, id 65508, offset 0, flags [none], proto UDP (17), length 133) gateway.domain > gplinux.59846: [udp sum ok] NXDomain q: PTR? in-addr.arpa. 0/1/0 ns: in-addr.arpa. [5s] SOA localhost. nobody.invalid (105) 12:08: IP (tos 0x0, ttl 64, id 9875, offset 0, flags [DF], proto UDP (17), length 72)

7 Page 6 gplinux > gateway.domain: [bad udp cksum 0x1220 -> 0x1b44!] PTR? in-addr.arpa. (44) 12:08: IP (tos 0x0, ttl 128, id 65509, offset 0, flags [none], proto UDP (17), length 131) gateway.domain > gplinux.33984: [udp sum ok] NXDomain q: PTR? in-addr.arpa. 0/1/0 ns: in-addr.arpa. [5s] SOA localhost. nobody.invalid (103) Capturing all TCP/UDP/ICMP packets If you need to capture only TCP, UDP or ICMP packets then you need to use following options to capture only those protocols: Command : tcpdump -i eno tcp 11:10: IP > gplinux.ssh: Flags [.], ack , win 253, length 0 11:10: IP gplinux.ssh > : Flags [P.], seq 1:193, ack 0, win 484, length :10: IP gplinux.ssh > : Flags [P.], seq 193:433, ack 0, win 484, length 240 Command : tcpdump -i eno udp 11:12: IP gplinux > gateway.domain: A? (31) 11:12: IP gplinux > gateway.domain: PTR? inaddr.arpa. (44) 11:12: IP gateway.domain > gplinux.46586: 2645 NXDomain 0/1/0 (103) 11:12: IP gplinux > gateway.domain: PTR? in-addr.arpa. (46) 11:12: IP gateway.domain > gplinux.44592: 1356 NXDomain 0/1/0 (105) 11:12: IP gateway.domain > gplinux.59986: /0/0 CNAME mail.google.com., CNAME googl .l.google.com., A (100)

8 Page 7 Command : tcpdump -i eno icmp 11:14: IP gplinux > google-public-dns-a.google.com: ICMP echo request, id 2355, seq 1, 11:14: IP google-public-dns-a.google.com > gplinux: ICMP echo reply, id 2355, seq 1, 11:14: IP gplinux > google-public-dns-a.google.com: ICMP echo request, id 2355, seq 2, 11:14: IP google-public-dns-a.google.com > gplinux: ICMP echo reply, id 2355, seq 2, Disabling hostname and port translation TCPdump will try to translate IP addresses and port numbers by default which might not be desired in some situation. Use -nn option to disable the name translation for captured packets as follows: Command : tcpdump -nn -i eno N/A Disabling time stamp display TCPdump will append time stamp to each capture packets by default which might not be suitable desired in some situation. Use -t option to disable the time stamp generation for captured packets as follows: Command : tcpdump -t -i eno Output: IP > : ICMP echo request, id 2687, seq 1, IP > : ICMP echo reply, id 2687, seq 1, IP > : ICMP echo request, id 2687, seq 2, IP > : ICMP echo reply, id 2687, seq 2,

9 Page 8 Displaying the content of the packets in ASCII and hexadecimal Use following option to show the content of the captured packets in ACSII format: Command : tcpdump -A -nn -i eno :29: IP > : ICMP echo request, id 2227, seq 1,...!"#$%&'()*+,-./ :29: IP > : ICMP echo reply, id 2227, seq 1,...!"#$%&'()*+,-./ :29: IP > : ICMP echo request, id 2227, seq 2,...I...K. W...\#...!"#$%&'()*+,-./ :29: IP > : ICMP echo reply, id 2227, seq 2, E..T.O...J...K. W...\#..../ !"#$%&'()*+,- And use x option to show the packet content in hexadecimal format or X to display the content in both ASCII and hexadecimal format as follows: 10:36: IP > : ICMP echo request, id 2251, seq 1, 0x0000: d0a c0a8 c886 E..T4`@.@.m... 0x0010: a9e3 08cb 0001 fab4 7c57... W 0x0020: e q... 0x0030: a1b 1c1d 1e1f !"# 0x0040: a2b 2c2d 2e2f $%&'()*+,-./0123 0x0050: :36: IP > : ICMP echo reply, id 2251, seq 1, 0x0000: ff5a a20f E..T.Z...

10 Page 9 0x0010: c0a8 c b1e3 08cb 0001 fab4 7c57... W 0x0020: e q... 0x0030: a1b 1c1d 1e1f !"# 0x0040: a2b 2c2d 2e2f $%&'()*+,-./0123 0x0050: Capturing the link layer header with the packets TCPdump will ignore link layer header in capture so if you need to see the link layer information as well you need to use -e option as follows: Command : tcpdump -e -nn -i eno :41: :0c:29:ad:fa:d7 > 00:50:56:f8:b9:13, ethertype IPv4 (0x0800), length 98: > : ICMP echo request, id 2270, seq 1, length 64 10:41: :50:56:f8:b9:13 > 00:0c:29:ad:fa:d7, ethertype IPv4 (0x0800), length 98: > : ICMP echo reply, id 2270, seq 1, length 64 10:41: :0c:29:ad:fa:d7 > 00:50:56:f8:b9:13, ethertype IPv4 (0x0800), length 98: > : ICMP echo request, id 2270, seq 2, length 64 10:41: :50:56:f8:b9:13 > 00:0c:29:ad:fa:d7, ethertype IPv4 (0x0800), length 98: > : ICMP echo reply, id 2270, seq 2, length 64 Capturing specific amount of packets If you need to capture only few packets instead of all packets use c option to limit amount of captured packets. Limiting number of captured packets is useful especially if you are dealing with huge amount of traffic on the link and only checking few packets from the flows is sufficient for you. Command : tcpdump -c 4 -nn -i eno not port 22

11 Page 10 10:52: IP > : ICMP echo request, id 2295, seq 1, 10:52: IP > : ICMP echo reply, id 2295, seq 1, 10:52: IP > : ICMP echo request, id 2295, seq 2, 10:52: IP > : ICMP echo reply, id 2295, seq 2, 4 packets captured 4 packets received by filter 0 packets dropped by kernel Saving the captured packets into a file TCPdump only capture the packets and do not save the captured ones. If you need to save the captured packets then you have to store them in a file using -w option as follows: Command : tcpdump -w Packet_Capture.pcap -c 4 -nn -i eno N/A Reading the captured packets from a file If you need to check the captured packets saved to file then you need to read those information using - r option as follows: Command : tcpdump -r Packet_Capture.pcap -c 4 -nn -i eno reading from file Packet_Capture.pcap, link-type EN10MB (Ethernet) 10:58: IP > : ICMP echo request, id 2298, seq 1, 10:58: IP > : ICMP echo reply, id 2298, seq 1, 10:58: IP > : ICMP echo request, id 2298, seq 2, 10:58: IP > : ICMP echo reply, id 2298, seq 2,

12 Page 11 Capturing packets for specific port/s If you need to capture packets for specific port then you need to use port option as follows: Command : tcpdump -i eno port 53 11:37: IP gplinux > gateway.domain: A? (31) Or if you need to capture packets sourced from a specific port or destined to a specific port then you need to use src and dst options with port Command : tcpdump -i eno dst port 53 11:37: IP gplinux > gateway.domain: A? (31) Note! If you do not specify any src or dst option for port then TCPdump will capture packets both from or to that specific port. Note! If you need to capture packets for a range of ports instead of a single port then simply use portrange option instead of port option. Command : tcpdump -nn -i eno portrange N/A Capturing packets for specific IP address If you need to capture packets for specific host address then you need to use host option as follows: Command : tcpdump -nn -i eno host :39: IP > : ICMP echo request, id 2581, seq 1,

13 Page 12 11:39: IP > : ICMP echo reply, id 2581, seq 1, Or if you need to capture packets sourced from a specific host address or destined to a specific host address then you need to use src and dst options with host. Note! If you do not specify any src or dst option for host then TCPdump will capture packets both from or to that specific host address. Capturing packets for specific range of address If you need to capture all packets that belongs to specific network address then you need to use net option as follows: Command : tcpdump -nn -i eno net /8 11:46: IP > : ICMP echo request, id 2610, seq 1, 11:46: IP > : ICMP echo reply, id 2610, seq 1, Or if you need to capture packets sourced from a specific network address or destined to a specific network address then you need to use src and dst options with net. Note! If you do not specify any src or dst option for net then TCPdump will capture packets both from or to that specific network address.