As with the learning of protocols. It is also important to have a tool to capture the network packets on wire. Tcpdump is tool or command on linux, for capturing network packets. This works over network interfaces and captures packets at data link layer level. A computer may have multiple IP interfaces. Tcpdump command provides options to capture packets on a specific or on all network interfaces. Other than this, command is very rich is number of capturing filters. Enables a capture to be very specific. E.g if one has to capture packets for a particular option, it have the option.
The output of tcpdump can be seen on console or this can be saved in a file. The file is a pcap file. Wireshark is the GUI based tool , which reads a pcap file and analyze the capture. Tcpdump uses libpcap library which is used to format the raw byte stream into pcap format.
Tcpdump in linux:
Linux is a very popular operating systems for communication systems. Provides system level APIs for faster access. Tcpdump in linux provides a very powerful tool for capturing network packets and analyzing network traffic. The command line tool is available almost on all flavors of linux. The tcpdump on linux can be used to capture or filter traffic for TCP/IP, SCTP, HTTP and many other protocols.
Install tcpdump :
To use a command fist it should be installed on the system. Here we are using example for different linux machines. Following are the commands for installing tcpdump command.
On centos or rhel
#yum install tcpdump
#apt-get install tcpdump
Above command search for the mirror for tcpdump package and install the rpm on the machine.
Command provides multiple options for capturing the network packets. The options can also be used as filters. Based on options or filters, there can be many tcpdump examples. Here we are listing only few examples.
On a specific port capture example:
A port number is an integer value. An application in IP networks uses specific port for communication. In situation where , capturing for a specific port is required , tcpdump have option for specifying the port number. Following is the example.
#tcpdump - i any port 5060
Above command is the example , where command captures on port 5060 from the Ethernet interfaces.
For windows there equivalent of tcpdump is the WinDump. This can be downloaded from wincap download.
For a protocol capture example:
A ip network provides connectivity between the ip hosts. A host may run application, which uses a transport protocol. Web based applications uses TCP protocol which runs over port 80. Sigtran , which is the ss7 signaling over ip uses SCTP protocol. Tcpdump provides filter for transport layer protocol. Following is tcpdump example for a type protocol capturing.
For capturing SCTP example,
#tcpdump -i any sctp
For capturing TCP example,
#tcpdump -i any tcp
For capturing UDP example,
#tcpdump -i any udp
Capture a fix number of packets:
When we start capturing packet, by default tcpdump keep capturing packets continuously. Until you do control + C. It may lead to consume all disk space , in turns the linux machine stops responding to a process. There is an option for capturing, a fix number of packets in a pcap file. Suppose you are performing test with very strict filter and know that 1000 packets will be sufficient for the test. Following is command.
#tcpdump -c 1000 -i any
For an non Ethernet interface capture:
Linux machine have non Ethernet interfaces as well. Some times requires to capture on these interface. If linux box connected to the outer world via IPSEC. The received packet capture in wireshark will show encrypted packets. To decrypt a packet requires authentication information. Nflog interface capture can be used for clear packets. Following lists the all interface.
#tcpdump -D 1.virbr0 2.nflog (Linux netfilter log (NFLOG) interface) 3.nfqueue (Linux netfilter queue (NFQUEUE) interface) 4.usbmon1 (USB bus number 1) 5.eth12 6.eth13 7.any (Pseudo-device that captures on all interfaces) 8.lo
For an Ethernet interface capture example:
A machine in ip network may have multiple interfaces. On linux 'ifconfig -a' , displays all the interfaces with the name. Tcpdump have option to capture network packets on a specific interface. This reduces the size of captured pcap file and only captures packets on key requirements.
#tcpdump -i eth0
For capturing on all interfaces,
#tcpdump -i any
Tcpdump and wireshark:
Now we have captured the dump in a file. Next step to analyse the captures. Wireshark is the GUI based tool to read the pcap file generated by the tcpdump command. Wireshark decodes message and each its parameter. For each decoding it uses diasectors , developed for decoding.
Libpcap and tcpdump :
When it comes to the capturing of packets. There needs to be open the device and read on the device file descriptor. Libpcap provides APIs to access a device and reads the data over device. Libpcap is available on linux. Tcpdump uses this library. The equivalent of libpcap on Windows OS is WinPcap.
One can download the library from the tcpdump site. A user can develop its own capturing program via using APIs. This reduces lots of time an work. The capturing and saving to file is one example over libpcap. There can be other applications, like alerting patterns.