Berkeley ELENG 122 - tcpdump Tutorial
tcpdump Tutorial
EE122 Fall 2006
Dilip Antony Joseph, Vern Paxson, Sukun Kim

Introduction
• Popular network debugging tool
• Used to intercept and display packets transmitted/received on a network
• Filters used to restrict analysis to packets of interest

Example Dump
• Ran tcpdump on the machine danjo.cs.berkeley.edu
• First few lines of the output:

01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816
01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816
01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560

What does a line convey?
01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
– 01:46:28.808262 : timestamp
– IP : this is an IP packet
– danjo.CS.Berkeley.EDU : source host name
– ssh : source port number (22)
– adsl-69-228-230-7.dsl.pltn13.pacbell.net : destination host name
– 2481 : destination port number
– . 2513546054:2513547434(1380) ack 1268355216 win 12816 : TCP specific information (TCP flags, where "." means none of SYN/FIN/RST/PSH is set; sequence number range with the payload length in parentheses; acknowledgement number; receive window)
• Different output formats for different packet types

Demo 1 – Basic Run
• Syntax: tcpdump [options] [filter expression]
• Run the following command on the machine c199.eecs.berkeley.edu:
  tcpdump
• Observe the output

Filters
• We are often not interested in all packets flowing through the network
• Use filters to capture only packets of interest to us

Demo 2
1. Capture only UDP packets
   • tcpdump "udp"
2. Capture only TCP packets
   • tcpdump "tcp"

Demo 2 (contd.)
1. Capture only UDP packets with destination port 53 (DNS requests)
   • tcpdump "udp dst port 53"
2. Capture only UDP packets with source port 53 (DNS replies)
   • tcpdump "udp src port 53"
3. Capture only UDP packets with source or destination port 53 (DNS requests and replies)
   • tcpdump "udp port 53"

Demo 2 (contd.)
1. Capture only packets destined to quasar.cs.berkeley.edu
   • tcpdump "dst host quasar.cs.berkeley.edu"
2. Capture both DNS packets and TCP packets to/from quasar.cs.berkeley.edu
   • tcpdump "(tcp and host quasar.cs.berkeley.edu) or udp port 53"

How to write filters
• Refer to the cheat sheet slides at the end of this presentation
• Refer to the tcpdump man page

Running tcpdump
• Requires superuser/administrator privileges
• EECS instructional accounts
  – You have pseudo superuser privileges
  – Simply run the command tcpdump
  – tcpdump will work only on the Solaris 10 machines listed at http://inst.eecs.berkeley.edu/cgi-bin/clients.cgi?string=quasar
• Non-EECS instructional accounts
  – tcpdump works on many different operating systems
  – Download the version for your personal desktop/laptop from
    • http://www.tcpdump.org
    • http://www.winpcap.org/windump/

Other tools
• Ethereal
  – Easy to use graphical interface
  – http://www.ethereal.com
  – Will not currently work on EECS instructional accounts. Use on personal desktops/laptops
• IPsumdump
  – Summarize tcpdump output into human/machine readable form
  – http://www.cs.ucla.edu/~kohler/ipsumdump/
  – For instructions to use IPsumdump on EECS instructional accounts, see slide "Appendix: IPsumdump on EECS instructional accounts"

Assignment Requirements
• The -w <dump_file_name> -s 0 options must be used for the traces submitted as part of the assignments
• Appropriately name each dump file you submit and briefly describe what each dump file contains/illustrates in the README file associated with the assignment submission

Security/Privacy Issues
• tcpdump allows you to monitor other people's traffic
• WARNING: Do NOT use tcpdump to violate privacy or security
• Use filtering to restrict packet analysis to only the traffic associated with your echo_client and echo_server. The following is one way to ensure that you see only traffic associated with your client:
  – tcpdump -s 0 -w all_pkts.trace
  – tcpdump -s 0 -r all_pkts.trace -w my_pkts.trace "port 12345"
  – where 12345 is the ephemeral port which your echo_client uses to talk to the echo_server.
  – all_pkts.trace still contains everybody else's packets, so delete it once my_pkts.trace has been extracted.

Cheat Sheet – Commonly Used Options
• -n  Don't convert host addresses to names. Avoids DNS lookups. It can save you time, and it keeps tcpdump from generating DNS traffic of its own (which would otherwise show up in the capture).
• -w <filename>  Write the raw packets to the specified file instead of parsing and printing them out. Useful for saving a packet capture session and running multiple filters against it later
• -r <filename>  Read packets from the specified file instead of live capture. The file should have been created with the -w option
• -q  Quiet output. Prints less information per output line

Cheat Sheet – Commonly Used Options (contd.)
• -s 0  tcpdump usually does not analyze and store the entire packet. This option ensures that the entire packet is stored and analyzed. NOTE: You must use this option while generating the traces for your assignments. (Older tcpdump releases default to a 68-byte snapshot length, which keeps the headers but cuts off most of the payload; recent releases capture whole packets by default, and -s 0 remains harmless.)
• -A  Print each packet in ASCII (older versions lack -A; -X prints hex and ASCII side by side). Useful when capturing web pages. NOTE: The contents of the packet before the payload (for example, the IP and TCP headers) are mostly unprintable bytes, so the initial part of each packet looks like rubbish

Cheat Sheet – Writing Filters (1)
• Specifying the hosts we are interested in
  – "dst host <name/IP>"
  – "src host <name/IP>"
  – "host <name/IP>" (either source or destination is name/IP)
• Specifying the ports we are interested in
  – "dst port <number>"
  – "src port <number>"
  – "port <number>"
  – Makes sense only for TCP and UDP packets

Cheat Sheet – Writing Filters (2)
• Specifying ICMP packets
  – "icmp"
• Specifying UDP packets
  – "udp"
• Specifying TCP packets
  – "tcp"

Cheat Sheet – Writing Filters (3)
• Combining filters
  – and (&&)
  – or (||)
  – not (!)
  – Use parentheses to make grouping explicit, as in the Demo 2 example, and quote the whole expression so the shell does not interpret the operators
• Example:
  – All TCP packets which are not from or to host quasar.cs.berkeley.edu
    tcpdump "tcp and ! host quasar.cs.berkeley.edu"
  – Lots of examples in the EXAMPLES section of the man page

Appendix: IPsumdump on EECS instructional accounts
• Download and untar the latest IPsumdump source distribution from http://www.cs.ucla.edu/~kohler/ipsumdump/
• Set the following PATH and LD_LIBRARY_PATH environment variables by using setenv or export (bash shell)
  – setenv PATH /usr/ccs/bin:$PATH
  – setenv LD_LIBRARY_PATH /usr/sww/lib
• Run ./configure followed by make. The executable is created in the src/ subdirectory
• Use ipsumdump to analyze trace files generated by tcpdump (using the -w option).
  – For example:
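As an added example (not part of the original slides), the following Python script parses the one-line-per-packet TCP output shown on the "Example Dump" and "What does a line convey?" slides. It splits each line into the fields those slides label, maps the service names tcpdump prints when run without -n back to port numbers through a small table (an assumption: only a few names are covered, anything else must already be numeric), and totals payload bytes per direction. The four sample lines are the deck's own output, embedded as constructed input; nothing here runs tcpdump.

```python
"""Parse tcpdump's one-line TCP output (the format on the 'Example Dump' slide)
and summarise payload bytes per direction."""
import re
from collections import defaultdict

# Constructed sample input: the four lines from the "Example Dump" slide.
SAMPLE_DUMP = """\
01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816
01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816
01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560
"""

# Assumption: a small table of service names tcpdump prints without -n.
SERVICE_PORTS = {"ssh": 22, "domain": 53, "http": 80, "https": 443}

# timestamp, "IP", src > dst:, flags, optional seq range (payload len), optional ack, optional win
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFRPWE.]+)"
    r"(?: (?P<seq_lo>\d+):(?P<seq_hi>\d+)\((?P<plen>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r"(?: win (?P<win>\d+))?"
)

FLAG_NAMES = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", "W": "CWR", "E": "ECE"}


def split_endpoint(endpoint):
    """'host.port' -> (host, port number); tcpdump appends the port after the last dot."""
    host, _, port = endpoint.rpartition(".")
    if port.isdigit():
        return host, int(port)
    if port in SERVICE_PORTS:
        return host, SERVICE_PORTS[port]
    raise ValueError(f"unknown service name {port!r}; rerun tcpdump with -n")


def parse_line(line):
    """One tcpdump TCP line -> dict of fields, or None if the line is not TCP-over-IP output."""
    m = TCP_LINE.match(line)
    if not m:
        return None
    src_host, src_port = split_endpoint(m["src"])
    dst_host, dst_port = split_endpoint(m["dst"])
    flags = [] if m["flags"] == "." else [FLAG_NAMES.get(c, c) for c in m["flags"]]
    return {
        "ts": m["ts"],
        "src_host": src_host, "src_port": src_port,
        "dst_host": dst_host, "dst_port": dst_port,
        "flags": flags,                      # "." on the slide means none of these are set
        "seq": (int(m["seq_lo"]), int(m["seq_hi"])) if m["seq_lo"] else None,
        "payload_len": int(m["plen"]) if m["plen"] else 0,
        "ack": int(m["ack"]) if m["ack"] else None,
        "win": int(m["win"]) if m["win"] else None,
    }


def parse_dump(text):
    """Parse every recognisable line of a dump; unrecognised lines are skipped."""
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


def bytes_by_direction(packets):
    """Sum payload bytes per (src_host, src_port, dst_host, dst_port)."""
    totals = defaultdict(int)
    for p in packets:
        totals[(p["src_host"], p["src_port"], p["dst_host"], p["dst_port"])] += p["payload_len"]
    return dict(totals)


if __name__ == "__main__":
    for (sh, sp, dh, dp), n in bytes_by_direction(parse_dump(SAMPLE_DUMP)).items():
        print(f"{sh}:{sp} -> {dh}:{dp}: {n} payload bytes")
```

On the sample, the three segments from danjo sum to 3508 payload bytes and the single reply to 48; the first line carries absolute sequence and acknowledgement numbers while tcpdump prints relative ones afterwards, which the parser stores as-is.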
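A second added example, also not from the original slides, models the two-step "port 12345" workflow on the Security/Privacy slide together with the -s 0, -w and -r options from the cheat sheet, without needing root or a network interface. It builds a small pcap file in memory from constructed Ethernet/IPv4/TCP/UDP frames (hypothetical hosts 10.0.0.1 and 10.0.0.2, checksums left at zero), applies a "port N" filter the way tcpdump -r ... -w ... "port N" does (either endpoint may match), and counts records that were cut short by the snapshot length. The 68-byte snapshot length is the pre-4.0 tcpdump default; the pcap layout is the standard one, not anything taken from the slides.

```python
"""Offline model of:
    tcpdump -s 0 -w all_pkts.trace
    tcpdump -s 0 -r all_pkts.trace -w my_pkts.trace "port 12345"
Constructed frames only; IP/TCP/UDP checksums are left as zero."""
import struct

TCP, UDP = 6, 17
PCAP_MAGIC = 0xA1B2C3D4
DEFAULT_SNAPLEN_OLD = 68      # pre-4.0 tcpdump default snapshot length
FULL_SNAPLEN = 262144         # value modern tcpdump records for -s 0


def build_frame(proto, src_port, dst_port, payload):
    """Ethernet + IPv4 + TCP/UDP frame between hypothetical hosts 10.0.0.1 -> 10.0.0.2."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # zeroed MACs, EtherType IPv4
    if proto == TCP:
        # ports, seq, ack, data offset 5 words, flags PSH|ACK, window, checksum 0, urgent 0
        l4 = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4 + payload


# Constructed traffic: an echo exchange on ephemeral port 12345, a DNS query, an ssh segment.
SAMPLE_FRAMES = [
    build_frame(TCP, 12345, 7, b"hello"),
    build_frame(TCP, 7, 12345, b"hello"),
    build_frame(UDP, 5353, 53, b"\x00" * 30),
    build_frame(TCP, 54321, 22, b"\x00" * 200),
]


def capture(frames, snaplen):
    """Model 'tcpdump -s <snaplen> -w': each record keeps at most snaplen bytes (0 = whole packet)."""
    return [(len(f), f if snaplen == 0 else f[:snaplen]) for f in frames]


def write_pcap(records, snaplen):
    """Serialise (orig_len, data) records as a little-endian pcap, link type 1 (Ethernet)."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen or FULL_SNAPLEN, 1)
    body = b"".join(struct.pack("<IIII", 1_160_000_000 + i, 0, len(data), orig) + data
                    for i, (orig, data) in enumerate(records))
    return hdr + body


def read_pcap(buf):
    """Yield (orig_len, data) per record; only the byte order write_pcap emits is handled."""
    if struct.unpack("<I", buf[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off = 24
    while off + 16 <= len(buf):
        _, _, incl, orig = struct.unpack("<IIII", buf[off:off + 16])
        off += 16
        yield orig, buf[off:off + incl]
        off += incl


def ports_of(frame):
    """(proto, src_port, dst_port) for an IPv4 TCP/UDP frame, else None (non-IP, other
    protocol, or captured too short to reach the port fields)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    l4 = 14 + ihl
    if proto not in (TCP, UDP) or len(frame) < l4 + 4:
        return None
    src, dst = struct.unpack("!HH", frame[l4:l4 + 4])
    return proto, src, dst


def filter_port(pcap_bytes, port):
    """Model 'tcpdump -r all.trace -w mine.trace "port <port>"'. Returns the kept records and
    the number of input records whose captured length is shorter than the wire length."""
    kept, truncated = [], 0
    for orig, data in read_pcap(pcap_bytes):
        if len(data) < orig:
            truncated += 1
        p = ports_of(data)
        if p is not None and port in p[1:]:       # "port N" matches source or destination
            kept.append((orig, data))
    return kept, truncated


if __name__ == "__main__":
    for snaplen in (DEFAULT_SNAPLEN_OLD, 0):
        all_pkts = write_pcap(capture(SAMPLE_FRAMES, snaplen), snaplen)
        mine, cut = filter_port(all_pkts, 12345)
        print(f"-s {snaplen}: {len(mine)} records match port 12345, {cut} truncated")
```

With the old 68-byte snapshot length the two longer frames are stored short (the port filter still works because the headers survive, but the payload the assignment wants is gone); with -s 0 nothing is truncated. my_pkts.trace here would be write_pcap(mine, snaplen), which keeps only the echo_client's two records.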