423 lines
16 KiB
HTML
423 lines
16 KiB
HTML
<!--startcut ==============================================-->
|
|
<!-- *** BEGIN HTML header *** -->
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
|
|
<HTML><HEAD>
|
|
<title>Exploring TCP/IP with TCPdump and Tethereal LG #86</title>
|
|
</HEAD>
|
|
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
|
|
ALINK="#FF0000">
|
|
<!-- *** END HTML header *** -->
|
|
|
|
<!-- *** BEGIN navbar *** -->
|
|
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="tougher.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue86/vinayak.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../lg_faq.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="ward.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
|
|
<!-- *** END navbar *** -->
|
|
|
|
<!--endcut ============================================================-->
|
|
|
|
<TABLE BORDER><TR><TD WIDTH="200">
|
|
<A HREF="http://www.linuxgazette.com/">
|
|
<IMG ALT="LINUX GAZETTE" SRC="../gx/2002/lglogo_200x41.png"
|
|
WIDTH="200" HEIGHT="41" border="0"></A>
|
|
<BR CLEAR="all">
|
|
<SMALL>...<I>making Linux just a little more fun!</I></SMALL>
|
|
</TD><TD WIDTH="380">
|
|
|
|
|
|
<CENTER>
|
|
<BIG><BIG><STRONG><FONT COLOR="maroon">Exploring TCP/IP with TCPdump and Tethereal</FONT></STRONG></BIG></BIG>
|
|
<BR>
|
|
<STRONG>By <A HREF="../authors/vinayak.html">Vinayak Hegde</A></STRONG>
|
|
</CENTER>
|
|
|
|
</TD></TR>
|
|
</TABLE>
|
|
<P>
|
|
|
|
<!-- END header -->
|
|
|
|
|
|
|
|
<h3> The shortest introduction to TCP/IP </h3>
|
|
|
|
<p align=justify>
|
|
TCP/IP has become the de facto standard protocol for communication between
|
|
computers. IP (Internet Protocol) provides functionality at the network layer
|
|
(addressing and routing) while TCP (Transmission Control Protocol) provides
|
|
(virtual) end-to-end connectivity. The <b> TCP/IP family </b>includes a host
|
|
of other useful protocols such as <b> ICMP </b> (Internet Control Message
|
|
Protocol), <b> IGMP </b> (Internet Group management protocol) and <b> UDP </b>
|
|
(User Datagram Protocol). An
|
|
overwhelming majority of today's networks use TCP/IP. Almost every other
|
|
application today incorporates some kind of a network functionality hence it
|
|
has become necessary for every programmer to have at least a working knowledge
|
|
of TCP/IP.
|
|
</p>
|
|
|
|
<p align=justify>
|
|
Communication between computers using TCP/IP takes place through the exchange of
|
|
packets. A packet is a PDU (Protocol Data Unit) at the IP layer. The PDU at the
|
|
TCP layer is called a segment while a PDU at the data-link layer (such as Ethernet)
|
|
is called a frame. However the term packet is generically used to describe the data
|
|
unit that is exchanged between TCP/IP layers as well as between two computers.
|
|
</p>
|
|
|
|
|
|
<p align=justify>
|
|
This is how an Ethernet frame looks:
|
|
<table bgcolor=#AAFFFF>
|
|
<td>
|
|
<pre>
|
|
|
|
+------------------------------------------------------------------+
|
|
| | | | | |
|
|
| Ethernet| IP | TCP | Encapsulated | Ethernet |
|
|
| Header | Header | Header | Data | Trailer |
|
|
| | | | | (FCS) |
|
|
+------------------------------------------------------------------+
|
|
<- 20 bytes -> <- 40 bytes ->
|
|
|
|
<---------- max length = 1500 bytes ---------->
|
|
|
|
FCS stands for Frame Check Sequence.
|
|
|
|
</pre>
|
|
</td>
|
|
</table>
|
|
</p>
|
|
|
|
<h3> TCPdump and Tethereal</h3>
|
|
|
|
<p align=justify>
|
|
TCPdump is a utility that allows a user to intercept and capture packets
|
|
passing through a network interface. This is an extremely nifty little utility
|
|
which can help a programmer to troubleshoot network applications. Because this
|
|
utility captures all the packets received by a network interface, it can be used
|
|
for used for unlawful purposes as well.
|
|
</p>
|
|
|
|
<p align=justify>
|
|
Normally only the packets which are addressed to a network interface are intercepted
|
|
and passed onto the upper layers of the TCP/IP protocol layer stack. Other packets
|
|
which are not addressed to the interface are ignored. In <b>Promiscuous</b> mode,
|
|
the packets which are not intended to be received by the interface are also
|
|
intercepted and passed onto the higher levels of the protocol stack. TCPdump works
|
|
by putting the network interface into promiscuous mode.
|
|
</p>
|
|
|
|
<p align=justify>
|
|
TCPdump uses the libpcap (packet capture library) which is freely available. The
|
|
libpcap library is versatile and works with BSD packet filter, the SVR4 Data-link
|
|
Provider Interface (DLPI) and the Linux SOCK_PACKET interface. Tethereal which is
|
|
the command line version of the popular network traffic analyser tool ethereal
|
|
also uses pcap packet capture library. Tethereal is a powerful tool for analysing
|
|
network traffic and also provides more facilities for decoding packets as compared
|
|
to TCPdump. Ethereal the GUI tool for analysing packets is extremely good and one can
|
|
see the different flags and options which have been used in a hierarchical way.
|
|
The best feature of ethereal is it can piece together the different fragments of the
|
|
the communication between two computers and show the whole ASCII text that was
|
|
exchanged during the conversation.
|
|
</p>
|
|
|
|
<h3> The TCP and IP packet format </h3>
|
|
|
|
<p align=justify>
|
|
ASCII representation from <a href="http://www.faqs.org/rfcs/rfc791.html"> RFC 791 </a>
|
|
|
|
<table>
|
|
<td bgcolor=#AAFFFF>
|
|
<pre>
|
|
|
|
0 1 2 3
|
|
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|Version| IHL |Type of Service| Total Length |
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
| Identification |Flags| Fragment Offset |
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
| Time to Live | Protocol | Header Checksum |
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
| Source Address |
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
| Destination Address |
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
| Options | Padding |
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
IP Header Format
|
|
|
|
</pre>
|
|
</td>
|
|
</table>
|
|
</p>
|
|
|
|
<p align=justify>
|
|
ASCII representation from <a href="http://www.faqs.org/rfcs/rfc793.html"> RFC 793 </a>
|
|
|
|
<table>
|
|
<td bgcolor=#AAFFFF>
|
|
<pre>
|
|
|
|
0 1 2 3
|
|
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
| Source Port | Destination Port |
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
| Sequence Number |
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
| Acknowledgment Number |
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
| Data | |U|A|P|R|S|F| |
|
|
| Offset| Reserved |R|C|S|S|Y|I| Window |
|
|
| | |G|K|H|T|N|N| |
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
| Checksum | Urgent Pointer |
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
| Options | Padding |
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
| data |
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
TCP Header Format
|
|
|
|
</pre>
|
|
</td>
|
|
</table>
|
|
</p>
|
|
|
|
<h3> Examples of Packet capture using TCPdump and Tethereal </h3>
|
|
|
|
<p align=justify>
|
|
You can experiment with TCPdump on any interface through which we can conduct
|
|
network transactions. To list the different interfaces connected to your
|
|
computer, you can give the command
|
|
|
|
<table>
|
|
<td bgcolor=#FFAADD>
|
|
<pre>
|
|
|
|
#ifconfig -a
|
|
|
|
</pre>
|
|
</td>
|
|
</table>
|
|
This will list out all the network interfaces connected to your system including
|
|
the loopback interface. If you are connected to the net using a dialup line, you
|
|
can also use the interface ppp0 for experimenting and debugging your applications
|
|
using TCPdump.
|
|
</p>
|
|
|
|
<p align=justify>
|
|
|
|
<b> Example #1 </b><br>
|
|
|
|
This is a snippet (from the file tcpdumpppp) of the captured packet using a dialup line (PPP).
|
|
The -vvv flag tells tcpdump to be very very verbose. The other switches for controlling
|
|
verbosity are -v and -vv.
|
|
|
|
<table>
|
|
<td bgcolor=#FFAADD>
|
|
<pre>
|
|
|
|
#tcpdump -vvv > tcpdumpppp
|
|
tcpdump: listening on ppp0
|
|
|
|
</pre>
|
|
</td>
|
|
</table>
|
|
|
|
The capturing of packets is stopped by pressing CTRL-C.
|
|
|
|
<table>
|
|
<td bgcolor=#FFFF99>
|
|
|
|
<pre>
|
|
|
|
15:57:58.181078 207.219.33.101.http > 203.94.236.47.33003: P 1:1399(1398) ack 736 win 31856 <nop,nop,timestamp 547724602 2802054> (DF) [tos 0x10] (ttl 38, id 28827, len 1450)
|
|
|
|
</pre>
|
|
|
|
</td>
|
|
</table>
|
|
Some of the information can be interpreted from the about packet dump
|
|
<ul>
|
|
<li> The protocol used is http (port 80 has been decoded as http).
|
|
<li> The local IP address assigned to me by my ISP after dialing up is 203.94.236.47 (this can be verified by grepping in /var/log/messages
|
|
<li> The http server's IP is 207.219.33.101 (IP have been changed for security reasons).
|
|
<li> The time-to-live is 38 hops.
|
|
<li> The Don't Fragment (bit) has been set informing the intermediate routers not to fragment the datagram.
|
|
<li> The ACK flag has been set (ack number 736 - piggybacking).
|
|
<li> The window size is 31856.
|
|
<li> The port on the receiver end is 33003
|
|
</ul>
|
|
|
|
</p>
|
|
|
|
<p align=justify>
|
|
|
|
<b> Example #2 </b> <br>
|
|
|
|
This packet dump was captured from a NIC (interface denoted by eth0)
|
|
|
|
<table>
|
|
<td bgcolor=#FFAADD>
|
|
<pre>
|
|
|
|
#tcpdump -a -i eth0
|
|
|
|
</pre>
|
|
</td>
|
|
</table>
|
|
|
|
<table>
|
|
<td bgcolor=#FFFF99>
|
|
|
|
<pre>
|
|
|
|
06:21:11.414863 > pca03.nt.co.in.ssh > pcc03.mum.nt.co.in.4944: P 252143283:252143331(48) ack 2638534821 win 62780 (DF) [tos 0x10]
|
|
|
|
E^P ^@ X .... @^@ @^F .. N .... ....
|
|
.... .... ^@^V ^S P ^O^G f.. .. D ....
|
|
P^X .. < .. t ^@^@ k + Y^Q .... .. (
|
|
^.. )^G c 3 ^\ v t.. ..^G ^J.. .. t
|
|
9.. .. - F.. .... 6.. /.. .... 9..
|
|
[.. .... G.. .. d
|
|
</pre>
|
|
|
|
</td>
|
|
</table>
|
|
Here we are telling TCPdump to resolve IPs to domain names if possible (-a)
|
|
and explicitly asking it to capture packets on interface eth0. If we don't give the
|
|
(-i) option TCPdump itself searches for the interfaces and then starts capturing
|
|
packets arriving on them.
|
|
|
|
|
|
Some of the information that can be gleamed from the above packet dump is:-
|
|
<ul>
|
|
<li> The ssh port (22) has been used on the server side. This can be seen from
|
|
the /etc/services file.
|
|
<li> One of the bits of Type of Service (TOS) has been set so the QoS enabled networks
|
|
can give the requested TOS to the packet.
|
|
<li> The window has been advertised as 62780.
|
|
<li> The length of the packet is 48 bytes.
|
|
</ul>
|
|
|
|
</p>
|
|
|
|
|
|
<b> Example #3 </b> <br>
|
|
|
|
<p align=justify>
|
|
The following snippet shows a packet dump of SYN (connection requesting) packet.
|
|
The packet dump was taken on Ethernet.
|
|
|
|
<table>
|
|
<td bgcolor=#FFFF99>
|
|
<pre>
|
|
|
|
15:57:56.074928 203.94.236.47.33003 > 216.239.33.101.http: S [tcp sum ok] 937694521:937694521(0) win 5840 <mss 1460,sackOK,timestamp 2801712 0,nop,wscale 0> (DF) (ttl 64, id 54537, len 60)
|
|
|
|
</pre>
|
|
</td>
|
|
</table>
|
|
|
|
The following information can be interpreted from the above dump:-
|
|
|
|
<ul>
|
|
<li> The Header checksum is correct ([tcp sum ok])
|
|
<li> This is a SYN packet (denoted by S).
|
|
<li> The amount of data encapsulated by tcp segment is 0.
|
|
<li> The window scaling option has been set to null.
|
|
<li> The MSS (Maximum Segment size is 1460). On Ethernet MSS = 1500 - 40 = 1460.
|
|
<li> The Length of the packet is 60 bytes (20 + 40) (see diagram above)
|
|
</ul>
|
|
</p>
|
|
|
|
<p align=justify>
|
|
<b> Example #4 </b> <br>
|
|
|
|
The following packet dump was taken using tethereal
|
|
|
|
<table>
|
|
<td bgcolor=#FFAADD>
|
|
<pre>
|
|
|
|
#tethereal -i lo
|
|
|
|
</pre>
|
|
</td>
|
|
</table>
|
|
|
|
<table>
|
|
<td bgcolor=#FFFF99>
|
|
<pre>
|
|
|
|
26 19.624878 localhost.localdomain -> localhost.localdomain TCP 33283 > http [FIN, ACK] Seq=877643253 Ack=882239950 Win=37296 Len=0
|
|
|
|
</pre>
|
|
</td>
|
|
</table>
|
|
|
|
As can be seen be seen from the above output the output of tethereal is not much different from
|
|
TCPdump. The above is a FIN,ACK Packet (to close the connection). Tethereal when used with it's
|
|
front-end ethereal can be very useful to detect network anomalies as well.
|
|
|
|
</p>
|
|
|
|
<h3> Final Words </h3>
|
|
|
|
<p align=justify>
|
|
While TCPdump is an extremely good tool, it focuses mainly on TCP/IP protocol. It does it's job well.
|
|
Ethereal is much more versatile and can understand a variety of protocols. Also, the user interface of
|
|
ethereal is well designed so that even a newbie can understand which packets are getting captured and
|
|
what information do they contain. The good interface makes the learning process even more enjoyable.
|
|
</p>
|
|
|
|
<h3> Resources </h3>
|
|
<ul>
|
|
<li> <a href="http://www.faqs.org/rfcs/"> Protocol RFCs </a>
|
|
<li> W. Richard Stevens TCP/IP Illustrated Vol I
|
|
<li> <a href="http://www.tcpdump.org"> TCPdump home </a>
|
|
<li> <a href="http://www.ethereal.com"> Ethereal Homepage </a>
|
|
</ul>
|
|
|
|
|
|
|
|
|
|
<!-- *** BEGIN author bio *** -->
|
|
<P>
|
|
<P>
|
|
<!-- *** BEGIN bio *** -->
|
|
<P>
|
|
<img ALIGN="LEFT" ALT="[BIO]" SRC="../gx/2002/note.png">
|
|
<em>My life changed since I discovered Linux. Suddenly Computers became
|
|
interesting as i could try out lots of stuff on my Linux box due to the easy
|
|
availably of source code. My interests are predominantly in the fields of
|
|
networking, embedded systems and programming languages. I currently work for
|
|
Aparna Web services where we make Linux accessible for academia/corporations by
|
|
configuring remote boot stations (Thin Clients).
|
|
</em>
|
|
<br CLEAR="all">
|
|
<!-- *** END bio *** -->
|
|
|
|
<!-- *** END author bio *** -->
|
|
|
|
|
|
<!-- *** BEGIN copyright *** -->
|
|
<hr>
|
|
<CENTER><SMALL><STRONG>
|
|
Copyright © 2003, Vinayak Hegde.
|
|
Copying license <A HREF="../copying.html">http://www.linuxgazette.com/copying.html</A><BR>
|
|
Published in Issue 86 of <i>Linux Gazette</i>, January 2003
|
|
</STRONG></SMALL></CENTER>
|
|
<!-- *** END copyright *** -->
|
|
<HR>
|
|
|
|
<!--startcut ==========================================================-->
|
|
<CENTER>
|
|
<!-- *** BEGIN navbar *** -->
|
|
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="tougher.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue86/vinayak.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../lg_faq.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="ward.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
|
|
<!-- *** END navbar *** -->
|
|
</CENTER>
|
|
</BODY></HTML>
|
|
<!--endcut ============================================================-->
|