As with the learning of protocols. It is also important to have a tool to capture the network packets on the wire. Tcpdump is a tool or command on Linux, for capturing network packets on the IP interface. This works over network interfaces and captures packets at the data link layer level. A computer may have multiple IP interfaces. Tcpdump command provides options to capture packets on a specific or on all network interfaces. Other than this, the command is very rich in the number of capturing filters. Enables a capture to be very specific for a network flow. E.g if one has to capture packets for a particular option, it has the option.
The output of Tcpdump can be seen on the console or can be saved in a file. The file is a Pcap file. Wireshark is the GUI based tool , which reads a Pcap file and analyzes the capture. Tcpdump uses libpcap library which is used to format the raw byte stream into pcap format.
Tcpdump in linux:
Linux is a very popular operating system for network communication systems. Provides system-level APIs for faster access. Tcpdump in Linux provides a very powerful tool for capturing network packets and analyzing network traffic. The command-line tool is available almost on all flavors of Linux. The tcpdump on Linux can be used to capture or filter traffic for TCP/IP, SCTP, HTTP, and many other protocols.
Install tcpdump :
To use a command fist it should be installed on the system. Here we are using examples for multiple Linux machines. Following are the commands for installing tcpdump command.
On centos or RHEL
#yum install tcpdump
#apt-get install tcpdump
Above command search for the mirror for tcpdump package and install the rpm on the machine.
Command provides multiple options for capturing the network packets. The options can also be used as filters. Based on options or filters, there can be many possible tcpdump examples. Here we are listing only a few examples.
On a specific port capture example:
A port number is an integer value. An application in IP networks uses a specific port for communication. In the situation where capturing for a specific port is required, tcpdump has an option for specifying the port number. Following is the example.
#tcpdump - i any port 5060
The above command is the example, where command captures on port 5060 from the Ethernet interfaces.
For windows, the equivalent of tcpdump is the WinDump. This can be downloaded from wincap download.
For a protocol capture example:
An IP network provides connectivity between the IP hosts. A host may run an application, which uses a transport protocol. Web-based applications use TCP protocol which runs over port 80. Sigtran, which is the ss7 signaling over IP uses SCTP protocol. Tcpdump provides a filter for a transport layer protocol. Following is tcpdump example for a type protocol capturing.
For capturing SCTP example,
#tcpdump -i any sctp
For capturing TCP example,
#tcpdump -i any tcp
For capturing UDP example,
#tcpdump -i any udp
Capture a fixed number of packets:
When we start capturing packet, by default tcpdump keeps capturing packets continuously. Until you do control + C. It may lead to consuming all disk space, in turn, the Linux machine will stop responding to a process. There is an option for capturing, a fixed number of packets in a pcap file. Suppose you are performing a test with a very strict filter and know that 1000 packets will be sufficient for the test. Following is the command.
#tcpdump -c 1000 -i any
For a non-Ethernet interface capture:
Linux machine has non-Ethernet interfaces as well. Some times requires a capture on these interfaces. If Linux box connected to the outer world via IPSEC. The received packet capture in Wireshark will show encrypted packets. To decrypt a packet requires authentication information. Nflog interface capture can be used for clear packets. Following lists all interface.
#tcpdump -D 1.virbr0 2.nflog (Linux netfilter log (NFLOG) interface) 3.nfqueue (Linux netfilter queue (NFQUEUE) interface) 4.usbmon1 (USB bus number 1) 5.eth12 6.eth13 7.any (Pseudo-device that captures on all interfaces) 8.lo
For an Ethernet interface capture example:
A machine in an IP network may have multiple interfaces. On Linux ‘ifconfig -a’, displays all the interfaces with the name. Tcpdump has the option to capture network packets on a specific interface. This reduces the size of the captured pcap file and only captures packets on key requirements.
#tcpdump -i eth0
For capturing on all interfaces,
#tcpdump -i any
Tcpdump and Wireshark:
Now we have captured the dump in a file. Next step to analyze the captures. Wireshark is the GUI based tool to read the pcap file generated by the tcpdump command. Wireshark decodes the message and each its parameter. For each decoding, it uses dissectors, developed for decoding.
Libpcap and Tcpdump :
When it comes to the capturing of packets. There needs to be open the device and read on the device file descriptor. Libpcap provides APIs to access a device and reads the data over the device. Libpcap is available on Linux. Tcpdump uses this library. The equivalent of libpcap on Windows OS is WinPcap.
One can download the library from the tcpdump site. A user can develop its own capturing program by using APIs. This reduces lots of time and work. The capturing and saving to file is one example over libpcap. There can be other applications, like alerting patterns.