
Owl River Company

 


   http://www.owlriver.com/tips/tcpdump-tech/

tcpdump techniques tutorial

tcpdump is the grand-daddy of the packet sniffers. A copy may be found at our FTP site, here (ftp://ftp.owlriver.com/pub/local/ORC/tcpdump/). As of late 2002, the reference site is: http://www.tcpdump.org/

The man page for tcpdump is well written, and learning the grammar of its options and filter expressions is a necessary part of being able to craft a 'filter' that picks the packets of interest out of the stream 'on the wire'. While that topic is outside the scope of this presentation, every filter below excludes packets on port 5631. Can you figure out why?

Tools and techniques

Let's start by showing how to set up some markers which will 'jump out' of a packet trace. ping is present on almost every network-aware operating system. By default (in most places) it sends ICMP echo requests rather than UDP or TCP packets. The ICMP echo format carries a data 'payload' section, which lets us add a distinctive 'brand' to the body of each packet. That 'brand' can then be spotted in a tcpdump packet trace.

By tradition and convention, the hexadecimal series dead beef (compare the name of the hacker group 'Cult of the Dead Cow') is a popular pattern. We can also embed arbitrary ASCII in the data portion of a ping packet. In our example we use xxd (part of the vim-common package; the vi editor is installed almost everywhere) to convert a string from ASCII to hex. Alternative converters include hexdump (in the util-linux package, again installed almost everywhere; use hexdump -C for the most useful formatting), or the conversion may be done by hand from an ASCII table.

[root@ root]# echo "OwlRiver" | xxd -
0000000: 4f77 6c52 6976 6572 0a                   OwlRiver.
[root@ root]#
[root@ root]# ping -c 1 -p 'deadbeef20004f776c52697665722000' 63.137.109.139
PATTERN: 0xdeadbeef20004f776c52697665722000
PING 63.137.109.139 (63.137.109.139) from 63.66.9.60 : 56(84) bytes of data.

--- 63.137.109.139 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
[root@ root]#

Note: the trailing 0a is the newline (line feed, LF) character that echo appends; it is unwanted here, so it is left out of the pattern (echo -n would suppress it). In the pattern, "20" and "00" are Space and NUL respectively, and the whole pattern is exactly 16 bytes, which is the most ping -p accepts; ping repeats it to fill the data area.

See: man ascii for a handy translation table of hex, octal, decimal and plain character representations. After doing traces for a while, patterns 'jump out' to the eye, but knowing that these decoder tools exist makes them great 'training wheels'.
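Composing the pattern by hand is error-prone (the newline byte above, the 16-byte limit), so here is a small POSIX shell helper that builds it. It is an added example and not part of the original page. It assumes Linux (iputils) ping's -p semantics: a hex string of at most 16 bytes, repeated to fill the ICMP data; od stands in for xxd so that it runs where vim-common is not installed, and the dead beef / 20 00 framing follows the page's own pattern.

```shell
#!/bin/sh
# Added example: compose a 16-byte `ping -p` pattern around an ASCII marker.
# Assumes Linux (iputils) ping, whose -p accepts at most 16 pattern bytes
# given as hex digits and repeats them to fill the ICMP data area.

# ascii_to_hex WORD
#   Print the bytes of WORD as lowercase hex. printf '%s' (not echo) avoids
#   the trailing 0a newline byte; od -An -tx1 is POSIX, unlike xxd.
ascii_to_hex() {
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
}

# ping_pattern MARKER
#   Frame MARKER as  dead beef | 20 00 | MARKER | 20 00  and pad with 00 to
#   exactly 16 bytes, so each repetition fills one 16-byte row of tcpdump -X.
#   Fails (exit 1) if the framed marker does not fit within 16 bytes.
ping_pattern() {
    marker_hex=$(ascii_to_hex "$1")
    pat="deadbeef2000${marker_hex}2000"
    if [ "${#pat}" -gt 32 ]; then
        echo "marker '$1' too long: framed pattern is $(( ${#pat} / 2 )) bytes, limit is 16" >&2
        return 1
    fi
    while [ "${#pat}" -lt 32 ]; do
        pat="${pat}00"
    done
    printf '%s\n' "$pat"
}

# Usage (needs root or CAP_NET_RAW to actually send):
#   ping -c 1 -p "$(ping_pattern OwlRiver)" 63.137.109.139
```

For the page's marker, ping_pattern OwlRiver yields the same 32 hex digits used in the ping command above; a longer marker such as OwlRiverCompany is rejected rather than silently truncated by ping.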

Reviewing the tcpdump trace, we can see both the 'dead beef' and the OwlRiver patterns quite clearly. Note that although no reply came back (100% packet loss above), the outgoing echo request is still captured:

[root@localhost rc.d]# tcpdump -i eth0 -nN -xX -s 1500 host 63.137.109.139 \
    and not port 5631
tcpdump: listening on eth0
09:09:27.709605 63.66.9.60 > 63.137.109.139: icmp: echo request (DF)
0x0000   4500 0054 0000 4000 4001 4517 3f42 093c        E..T..@.@.E.?B.<
0x0010   3f89 6d8b 0800 1d02 fc66 0000 077b 883d        ?.m......f...{.=
0x0020   0bed 0a00 6c52 6976 6572 2000 dead beef        ....lRiver......
0x0030   2000 4f77 6c52 6976 6572 2000 dead beef        ..OwlRiver......
0x0040   2000 4f77 6c52 6976 6572 2000 dead beef        ..OwlRiver......
0x0050   2000 4f77                                      ..Ow
The combination of de ad be ef (four bytes), two separator pairs 20 00 (Space and NUL) and the eight bytes of OwlRiver adds up to 16 bytes, which is exactly one row of tcpdump's hex output, so the repetitions line up vertically and the pattern again 'jumps out' at the observer. Note that the first copy of the pattern is partly clobbered: the ICMP data begins at offset 0x1c, and Linux ping stores an 8-byte timestamp in the first 8 data bytes (077b 883d 0bed 0a00 above), so only 'lRiver' of the first repetition survives. The ASCII column shows a dot for any byte that is not a visible character, which is why both the spaces (20) and the NULs (00) appear as dots.
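To check the row alignment and count the markers instead of eyeballing them, the following POSIX shell helper re-reads a tcpdump -xX trace, strips the IP and ICMP headers, and renders the echo data the way tcpdump's ASCII column does. It is an added example, not part of the original page; the sample trace embedded in it is the page's own capture reproduced as a constant. The header skip assumes a plain IPv4 header (IHL=5) carrying ICMP, which the code verifies before trusting the offsets, and the field-based parse assumes payload text does not itself look like 4-digit hex groups.

```shell
#!/bin/sh
# Added example: recover the ICMP payload from a `tcpdump -xX` trace and
# render it as tcpdump's ASCII column does, so a marker can be counted.
# Assumes IPv4 with a 20-byte header (IHL=5) carrying ICMP; both are
# checked before the headers are skipped.

# Sample input: the page's own capture, reproduced here as a constant.
SAMPLE_TRACE='09:09:27.709605 63.66.9.60 > 63.137.109.139: icmp: echo request (DF)
0x0000 4500 0054 0000 4000 4001 4517 3f42 093c E..T..@.@.E.?B.<
0x0010 3f89 6d8b 0800 1d02 fc66 0000 077b 883d ?.m......f...{.=
0x0020 0bed 0a00 6c52 6976 6572 2000 dead beef ....lRiver......
0x0030 2000 4f77 6c52 6976 6572 2000 dead beef ..OwlRiver......
0x0040 2000 4f77 6c52 6976 6572 2000 dead beef ..OwlRiver......
0x0050 2000 4f77 ..Ow'

# trace_to_hex TRACE
#   Concatenate the hex columns of every "0xNNNN" line. At most eight 4-digit
#   groups follow the offset; the ASCII column starts at the first field that
#   is not a 4-digit hex group (payload text that happens to look like hex
#   would need a fixed-width cut instead).
trace_to_hex() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^0x[0-9a-fA-F]+:?$/ {
            n = 0
            for (i = 2; i <= NF && n < 8; i++) {
                if ($i !~ /^[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]$/) break
                hex = hex $i
                n++
            }
        }
        END { print hex }'
}

# icmp_payload_hex TRACE
#   Verify version/IHL == 0x45 and protocol == 1, then drop the 20-byte IP
#   header and the 8-byte ICMP header (56 hex digits) to leave the echo data.
icmp_payload_hex() {
    hex=$(trace_to_hex "$1")
    case $hex in
        45*) ;;
        *) echo "not IPv4 with a 20-byte header" >&2; return 1 ;;
    esac
    proto=$(printf '%s\n' "$hex" | cut -c19-20)
    if [ "$proto" != "01" ]; then
        echo "protocol 0x$proto is not ICMP" >&2
        return 1
    fi
    printf '%s\n' "$hex" | cut -c57-
}

# hex_to_printable HEX
#   Render each byte as tcpdump does: visible ASCII (0x21..0x7e) as itself,
#   everything else (NUL, Space, 0xde 0xad 0xbe 0xef, ...) as a dot.
hex_to_printable() {
    hex=$1
    out=""
    if [ $(( ${#hex} % 2 )) -ne 0 ]; then
        echo "odd number of hex digits" >&2
        return 1
    fi
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}
        hex=${hex#??}
        v=$((0x$byte))
        if [ "$v" -ge 33 ] && [ "$v" -le 126 ]; then
            out="$out$(printf "\\$(printf '%03o' "$v")")"
        else
            out="$out."
        fi
    done
    printf '%s\n' "$out"
}

icmp_payload_printable() {
    hex_to_printable "$(icmp_payload_hex "$1")"
}

# count_marker TRACE MARKER
#   Number of intact copies of MARKER in the echo data. For the sample this
#   is 2, not 3: Linux ping writes an 8-byte timestamp over the first 8 data
#   bytes, which destroys "dead beef 20 00 4f 77" of the first repetition.
count_marker() {
    icmp_payload_printable "$1" | awk -v m="$2" '{ n += gsub(m, "") } END { print n + 0 }'
}

# Usage:
#   icmp_payload_printable "$SAMPLE_TRACE"
#   count_marker "$SAMPLE_TRACE" OwlRiver
```

Running count_marker on the sample returns 2 rather than the 3 repetitions ping sent, which is the timestamp overwrite made visible; the recovered payload is 56 bytes, matching the "56(84) bytes of data" ping reported.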



Using sudo and splitvt from an ordinary user account is a 'safer' way to delegate to regular users the ability to watch the left- and right-hand interfaces of a router simultaneously in a single terminal. Bear in mind that an unrestricted sudo rule for tcpdump is close to granting root outright, since tcpdump -w will write a capture file wherever the invoking user asks, as root:

$ sudo ls
    (password required -- primes the 'sudo' authentication pump)
$ sudo splitvt -upper 'tcpdump -nn -i eth1 net 192.168' \
    -lower 'tcpdump -nn -i eth0 host 63.137.109.139 and not port 5631'



Viewed this way, timing relationships between the two sides are often far more obvious than when flipping between several console screens and comparing timestamps.

Video:
My friend, M. Samir, has been kind enough to re-work this into a video.

See also:
tcpflow


We make this available for non-commercial and individual use. Please respect our copyright, and consider contacting us for all your Open Source and *nix design, architect / systems analysis, and administration needs.


rev 020919 RPH


© 2008 Owl River Company. All rights reserved.

Last modified: Mon, 09 Mar 2009 15:57:15 -0400
http://www.owlriver.com/tips/tcpdump-tech/index.php