LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/LDP/LG/issue86/vinayak.html

423 lines
16 KiB
HTML
Raw Permalink Blame History

<!--startcut ==============================================-->
<!-- *** BEGIN HTML header *** -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML><HEAD>
<title>Exploring TCP/IP with TCPdump and Tethereal LG #86</title>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
ALINK="#FF0000">
<!-- *** END HTML header *** -->
<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="tougher.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue86/vinayak.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../lg_faq.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="ward.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->
<!--endcut ============================================================-->
<TABLE BORDER><TR><TD WIDTH="200">
<A HREF="http://www.linuxgazette.com/">
<IMG ALT="LINUX GAZETTE" SRC="../gx/2002/lglogo_200x41.png"
WIDTH="200" HEIGHT="41" border="0"></A>
<BR CLEAR="all">
<SMALL>...<I>making Linux just a little more fun!</I></SMALL>
</TD><TD WIDTH="380">
<CENTER>
<BIG><BIG><STRONG><FONT COLOR="maroon">Exploring TCP/IP with TCPdump and Tethereal</FONT></STRONG></BIG></BIG>
<BR>
<STRONG>By <A HREF="../authors/vinayak.html">Vinayak Hegde</A></STRONG>
</CENTER>
</TD></TR>
</TABLE>
<P>
<!-- END header -->
<h3> The shortest introduction to TCP/IP </h3>
<p align=justify>
TCP/IP has become the de facto standard protocol for communication between
computers. IP (Internet Protocol) provides functionality at the network layer
(addressing and routing) while TCP (Transmission Control Protocol) provides
(virtual) end-to-end connectivity. The <b> TCP/IP family </b>includes a host
of other useful protocols such as <b> ICMP </b> (Internet Control Message
Protocol), <b> IGMP </b> (Internet Group management protocol) and <b> UDP </b>
(User Datagram Protocol). An
overwhelming majority of today's networks use TCP/IP. Almost every other
application today incorporates some kind of a network functionality hence it
has become necessary for every programmer to have at least a working knowledge
of TCP/IP.
</p>
<p align=justify>
Communication between computers using TCP/IP takes place through the exchange of
packets. A packet is a PDU (Protocol Data Unit) at the IP layer. The PDU at the
TCP layer is called a segment while a PDU at the data-link layer (such as Ethernet)
is called a frame. However the term packet is generically used to describe the data
unit that is exchanged between TCP/IP layers as well as between two computers.
</p>
<p align=justify>
This is how an Ethernet frame looks:
<table bgcolor=#AAFFFF>
<td>
<pre>
+------------------------------------------------------------------+
| | | | | |
| Ethernet| IP | TCP | Encapsulated | Ethernet |
| Header | Header | Header | Data | Trailer |
| | | | | (FCS) |
+------------------------------------------------------------------+
<- 20 bytes -> <- 40 bytes ->
<---------- max length = 1500 bytes ---------->
FCS stands for Frame Check Sequence.
</pre>
</td>
</table>
</p>
<h3> TCPdump and Tethereal</h3>
<p align=justify>
TCPdump is a utility that allows a user to intercept and capture packets
passing through a network interface. This is an extremely nifty little utility
which can help a programmer to troubleshoot network applications. Because this
utility captures all the packets received by a network interface, it can be used
for used for unlawful purposes as well.
</p>
<p align=justify>
Normally only the packets which are addressed to a network interface are intercepted
and passed onto the upper layers of the TCP/IP protocol layer stack. Other packets
which are not addressed to the interface are ignored. In <b>Promiscuous</b> mode,
the packets which are not intended to be received by the interface are also
intercepted and passed onto the higher levels of the protocol stack. TCPdump works
by putting the network interface into promiscuous mode.
</p>
<p align=justify>
TCPdump uses the libpcap (packet capture library) which is freely available. The
libpcap library is versatile and works with BSD packet filter, the SVR4 Data-link
Provider Interface (DLPI) and the Linux SOCK_PACKET interface. Tethereal which is
the command line version of the popular network traffic analyser tool ethereal
also uses pcap packet capture library. Tethereal is a powerful tool for analysing
network traffic and also provides more facilities for decoding packets as compared
to TCPdump. Ethereal the GUI tool for analysing packets is extremely good and one can
see the different flags and options which have been used in a hierarchical way.
The best feature of ethereal is it can piece together the different fragments of the
the communication between two computers and show the whole ASCII text that was
exchanged during the conversation.
</p>
<h3> The TCP and IP packet format </h3>
<p align=justify>
ASCII representation from <a href="http://www.faqs.org/rfcs/rfc791.html"> RFC 791 </a>
<table>
<td bgcolor=#AAFFFF>
<pre>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version| IHL |Type of Service| Total Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identification |Flags| Fragment Offset |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Time to Live | Protocol | Header Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Destination Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Options | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
IP Header Format
</pre>
</td>
</table>
</p>
<p align=justify>
ASCII representation from <a href="http://www.faqs.org/rfcs/rfc793.html"> RFC 793 </a>
<table>
<td bgcolor=#AAFFFF>
<pre>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Port | Destination Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Acknowledgment Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data | |U|A|P|R|S|F| |
| Offset| Reserved |R|C|S|S|Y|I| Window |
| | |G|K|H|T|N|N| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | Urgent Pointer |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Options | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| data |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
TCP Header Format
</pre>
</td>
</table>
</p>
<h3> Examples of Packet capture using TCPdump and Tethereal </h3>
<p align=justify>
You can experiment with TCPdump on any interface through which we can conduct
network transactions. To list the different interfaces connected to your
computer, you can give the command
<table>
<td bgcolor=#FFAADD>
<pre>
#ifconfig -a
</pre>
</td>
</table>
This will list out all the network interfaces connected to your system including
the loopback interface. If you are connected to the net using a dialup line, you
can also use the interface ppp0 for experimenting and debugging your applications
using TCPdump.
</p>
<p align=justify>
<b> Example #1 </b><br>
This is a snippet (from the file tcpdumpppp) of the captured packet using a dialup line (PPP).
The -vvv flag tells tcpdump to be very very verbose. The other switches for controlling
verbosity are -v and -vv.
<table>
<td bgcolor=#FFAADD>
<pre>
#tcpdump -vvv &gt; tcpdumpppp
tcpdump: listening on ppp0
</pre>
</td>
</table>
The capturing of packets is stopped by pressing CTRL-C.
<table>
<td bgcolor=#FFFF99>
<pre>
15:57:58.181078 207.219.33.101.http &gt; 203.94.236.47.33003: P 1:1399(1398) ack 736 win 31856 <nop,nop,timestamp 547724602 2802054> (DF) [tos 0x10] (ttl 38, id 28827, len 1450)
</pre>
</td>
</table>
Some of the information can be interpreted from the about packet dump
<ul>
<li> The protocol used is http (port 80 has been decoded as http).
<li> The local IP address assigned to me by my ISP after dialing up is 203.94.236.47 (this can be verified by grepping in /var/log/messages
<li> The http server's IP is 207.219.33.101 (IP have been changed for security reasons).
<li> The time-to-live is 38 hops.
<li> The Don't Fragment (bit) has been set informing the intermediate routers not to fragment the datagram.
<li> The ACK flag has been set (ack number 736 - piggybacking).
<li> The window size is 31856.
<li> The port on the receiver end is 33003
</ul>
</p>
<p align=justify>
<b> Example #2 </b> <br>
This packet dump was captured from a NIC (interface denoted by eth0)
<table>
<td bgcolor=#FFAADD>
<pre>
#tcpdump -a -i eth0
</pre>
</td>
</table>
<table>
<td bgcolor=#FFFF99>
<pre>
06:21:11.414863 &gt; pca03.nt.co.in.ssh &gt; pcc03.mum.nt.co.in.4944: P 252143283:252143331(48) ack 2638534821 win 62780 (DF) [tos 0x10]
E^P ^@ X .... @^@ @^F .. N .... ....
.... .... ^@^V ^S P ^O^G f.. .. D ....
P^X .. < .. t ^@^@ k + Y^Q .... .. (
^.. )^G c 3 ^\ v t.. ..^G ^J.. .. t
9.. .. - F.. .... 6.. /.. .... 9..
[.. .... G.. .. d
</pre>
</td>
</table>
Here we are telling TCPdump to resolve IPs to domain names if possible (-a)
and explicitly asking it to capture packets on interface eth0. If we don't give the
(-i) option TCPdump itself searches for the interfaces and then starts capturing
packets arriving on them.
Some of the information that can be gleamed from the above packet dump is:-
<ul>
<li> The ssh port (22) has been used on the server side. This can be seen from
the /etc/services file.
<li> One of the bits of Type of Service (TOS) has been set so the QoS enabled networks
can give the requested TOS to the packet.
<li> The window has been advertised as 62780.
<li> The length of the packet is 48 bytes.
</ul>
</p>
<b> Example #3 </b> <br>
<p align=justify>
The following snippet shows a packet dump of SYN (connection requesting) packet.
The packet dump was taken on Ethernet.
<table>
<td bgcolor=#FFFF99>
<pre>
15:57:56.074928 203.94.236.47.33003 &gt; 216.239.33.101.http: S [tcp sum ok] 937694521:937694521(0) win 5840 <mss 1460,sackOK,timestamp 2801712 0,nop,wscale 0> (DF) (ttl 64, id 54537, len 60)
</pre>
</td>
</table>
The following information can be interpreted from the above dump:-
<ul>
<li> The Header checksum is correct ([tcp sum ok])
<li> This is a SYN packet (denoted by S).
<li> The amount of data encapsulated by tcp segment is 0.
<li> The window scaling option has been set to null.
<li> The MSS (Maximum Segment size is 1460). On Ethernet MSS = 1500 - 40 = 1460.
<li> The Length of the packet is 60 bytes (20 + 40) (see diagram above)
</ul>
</p>
<p align=justify>
<b> Example #4 </b> <br>
The following packet dump was taken using tethereal
<table>
<td bgcolor=#FFAADD>
<pre>
#tethereal -i lo
</pre>
</td>
</table>
<table>
<td bgcolor=#FFFF99>
<pre>
26 19.624878 localhost.localdomain -&gt; localhost.localdomain TCP 33283 &gt; http [FIN, ACK] Seq=877643253 Ack=882239950 Win=37296 Len=0
</pre>
</td>
</table>
As can be seen be seen from the above output the output of tethereal is not much different from
TCPdump. The above is a FIN,ACK Packet (to close the connection). Tethereal when used with it's
front-end ethereal can be very useful to detect network anomalies as well.
</p>
<h3> Final Words </h3>
<p align=justify>
While TCPdump is an extremely good tool, it focuses mainly on TCP/IP protocol. It does it's job well.
Ethereal is much more versatile and can understand a variety of protocols. Also, the user interface of
ethereal is well designed so that even a newbie can understand which packets are getting captured and
what information do they contain. The good interface makes the learning process even more enjoyable.
</p>
<h3> Resources </h3>
<ul>
<li> <a href="http://www.faqs.org/rfcs/"> Protocol RFCs </a>
<li> W. Richard Stevens TCP/IP Illustrated Vol I
<li> <a href="http://www.tcpdump.org"> TCPdump home </a>
<li> <a href="http://www.ethereal.com"> Ethereal Homepage </a>
</ul>
<!-- *** BEGIN author bio *** -->
<P>&nbsp;
<P>
<!-- *** BEGIN bio *** -->
<P>
<img ALIGN="LEFT" ALT="[BIO]" SRC="../gx/2002/note.png">
<em>My life changed since I discovered Linux. Suddenly Computers became
interesting as i could try out lots of stuff on my Linux box due to the easy
availably of source code. My interests are predominantly in the fields of
networking, embedded systems and programming languages. I currently work for
Aparna Web services where we make Linux accessible for academia/corporations by
configuring remote boot stations (Thin Clients).
</em>
<br CLEAR="all">
<!-- *** END bio *** -->
<!-- *** END author bio *** -->
<!-- *** BEGIN copyright *** -->
<hr>
<CENTER><SMALL><STRONG>
Copyright &copy; 2003, Vinayak Hegde.
Copying license <A HREF="../copying.html">http://www.linuxgazette.com/copying.html</A><BR>
Published in Issue 86 of <i>Linux Gazette</i>, January 2003
</STRONG></SMALL></CENTER>
<!-- *** END copyright *** -->
<HR>
<!--startcut ==========================================================-->
<CENTER>
<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="tougher.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue86/vinayak.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../lg_faq.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="ward.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->
</CENTER>
</BODY></HTML>
<!--endcut ============================================================-->
Reference in New Issue View Git Blame Copy Permalink