NAD710 Lab 3
NAD710 - Introduction to Networks - Using Linux
Objective
Monitoring and Analysing Network activities on a TCP/IP network using the tcpdump utility
Background Information
tcpdump is a network packet capturing program. It allows the root user to capture packets on a network and either display them on the screen or save them to a file for later analysis. The information provided by tcpdump can be used to identify network problems or to analyse network usage. Please consult the tcpdump man page for details.
Useful tcpdump command-line options
- Use the -D option to print a list of the network interfaces available on the system and on which tcpdump can capture packets.
    [root@rh9 ~]# tcpdump -D
    1.eth0
    2.eth1
    3.any (Pseudo-device that captures on all interfaces)
    4.lo
- The -i option specifies the network interface which tcpdump should listen to. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured up interface. This option should be used on systems with multiple network interfaces when you want tcpdump to listen to a specific one.
tcpdump -i <dev>
    [root@rh9 ~]# tcpdump -i eth0
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    13:19:12.725355 IP 192.168.0.205.39165 > zenit.senecac.on.ca.http: S 3491853088:3491853088(0) win 5840 <mss 1460,sackOK,timestamp 10362561 0,nop,wscale 7>
    13:19:12.793356 IP zenit.senecac.on.ca.http > 192.168.0.205.39165: S 1585955578:1585955578(0) ack 3491853089 win 1460 <mss 1452,sackOK,timestamp 9040063 10362561,nop,wscale 7>
    13:19:12.793424 IP 192.168.0.205.39165 > zenit.senecac.on.ca.http: . ack 1 win 46 <nop,nop,timestamp 10362629 9040063>
    13:19:12.793549 IP 192.168.0.205.39165 > zenit.senecac.on.ca.http: . 1:731(730) ack 1 win 46 <nop,nop,timestamp 10362629 9040063>
    4 packets captured
    5 packets received by filter
    0 packets dropped by kernel
- The -n option instructs tcpdump not to convert IP addresses to host names. The -nn option additionally keeps tcpdump from converting port numbers to application (service) names. In this lab, you should always include the -n option to avoid host name lookups.
tcpdump -n -i <dev>

    [root@rh9 ~]# tcpdump -n -i eth0
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    13:19:12.725355 IP 192.168.0.205.39165 > 142.204.140.203.http: S 3491853088:3491853088(0) win 5840 <mss 1460,sackOK,timestamp 10362561 0,nop,wscale 7>
    13:19:12.793356 IP 142.204.140.203.http > 192.168.0.205.39165: S 1585955578:1585955578(0) ack 3491853089 win 1460 <mss 1452,sackOK,timestamp 9040063 10362561,nop,wscale 7>
    13:19:12.793424 IP 192.168.0.205.39165 > 142.204.140.203.http: . ack 1 win 46 <nop,nop,timestamp 10362629 9040063>
    13:19:12.793549 IP 192.168.0.205.39165 > 142.204.140.203.http: . 1:731(730) ack 1 win 46 <nop,nop,timestamp 10362629 9040063>
    4 packets captured
    5 packets received by filter
    0 packets dropped by kernel
    [root@rh9 ~]# tcpdump -nn -i eth0
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    13:19:12.725355 IP 192.168.0.205.39165 > 142.204.140.203.80: S 3491853088:3491853088(0) win 5840 <mss 1460,sackOK,timestamp 10362561 0,nop,wscale 7>
    13:19:12.793356 IP 142.204.140.203.80 > 192.168.0.205.39165: S 1585955578:1585955578(0) ack 3491853089 win 1460 <mss 1452,sackOK,timestamp 9040063 10362561,nop,wscale 7>
    13:19:12.793424 IP 192.168.0.205.39165 > 142.204.140.203.80: . ack 1 win 46 <nop,nop,timestamp 10362629 9040063>
    13:19:12.793549 IP 192.168.0.205.39165 > 142.204.140.203.80: . 1:731(730) ack 1 win 46 <nop,nop,timestamp 10362629 9040063>
    4 packets captured
    5 packets received by filter
    0 packets dropped by kernel
- The -e option instructs tcpdump to print the link-level header (MAC address on Ethernet network) on each dump line.
tcpdump -e -n -i <dev>

    [root@rh9 ~]# tcpdump -e -n -i eth0
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    13:19:12.725355 00:1b:38:12:e2:33 > 00:11:95:0c:b3:94, ethertype IPv4 (0x0800), length 74: 192.168.0.205.39165 > 142.204.140.203.http: S 3491853088:3491853088(0) win 5840 <mss 1460,sackOK,timestamp 10362561 0,nop,wscale 7>
    13:19:12.793356 00:11:95:0c:b3:94 > 00:1b:38:12:e2:33, ethertype IPv4 (0x0800), length 74: 142.204.140.203.http > 192.168.0.205.39165: S 1585955578:1585955578(0) ack 3491853089 win 1460 <mss 1452,sackOK,timestamp 9040063 10362561,nop,wscale 7>
    13:19:12.793424 00:1b:38:12:e2:33 > 00:11:95:0c:b3:94, ethertype IPv4 (0x0800), length 66: 192.168.0.205.39165 > 142.204.140.203.http: . ack 1 win 46 <nop,nop,timestamp 10362629 9040063>
    13:19:12.793549 00:1b:38:12:e2:33 > 00:11:95:0c:b3:94, ethertype IPv4 (0x0800), length 796: 192.168.0.205.39165 > 142.204.140.203.http: . 1:731(730) ack 1 win 46 <nop,nop,timestamp 10362629 9040063>
    4 packets captured
    5 packets received by filter
    0 packets dropped by kernel
- The -w option causes tcpdump to write out raw packets to a file rather than parsing and printing them out. The packets can later be displayed with the -r option.
tcpdump -i <dev> -w filename
    [root@h9 ~]# tcpdump -i eth0 -w packets
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    4 packets captured
    5 packets received by filter
    0 packets dropped by kernel
- The -r option causes tcpdump to read packets from a file created with the -w option. Any (non-root) user can run tcpdump (/usr/sbin/tcpdump) to read a file created with -w, as long as they have read permission on that file.
tcpdump -r filename
    [root@rh9 ~]# cp packets /tmp            <-- copy the file to the tmp directory with read permission for regular users
    [root@rh9 ~]# ls -l /tmp/packets
    -rw-r--r-- 1 root root 398 2008-09-17 13:33 /tmp/packets

    [rchan@rh9 tmp]$ /usr/sbin/tcpdump -r /tmp/packets            <-- run by regular user, use absolute path for tcpdump
    reading from file packets, link-type EN10MB (Ethernet)
    13:19:12.725355 IP 192.168.0.205.39165 > zenit.senecac.on.ca.http: S 3491853088:3491853088(0) win 5840 <mss 1460,sackOK,timestamp 10362561 0,nop,wscale 7>
    13:19:12.793356 IP zenit.senecac.on.ca.http > 192.168.0.205.39165: S 1585955578:1585955578(0) ack 3491853089 win 1460 <mss 1452,sackOK,timestamp 9040063 10362561,nop,wscale 7>
    13:19:12.793424 IP 192.168.0.205.39165 > zenit.senecac.on.ca.http: . ack 1 win 46 <nop,nop,timestamp 10362629 9040063>
    13:19:12.793549 IP 192.168.0.205.39165 > zenit.senecac.on.ca.http: . 1:731(730) ack 1 win 46 <nop,nop,timestamp 10362629 9040063>

    [rchan@rh9 tmp]$ /usr/sbin/tcpdump -r /tmp/packets -n
    reading from file packets, link-type EN10MB (Ethernet)
    13:19:12.725355 IP 192.168.0.205.39165 > 142.204.140.203.http: S 3491853088:3491853088(0) win 5840 <mss 1460,sackOK,timestamp 10362561 0,nop,wscale 7>
    13:19:12.793356 IP 142.204.140.203.http > 192.168.0.205.39165: S 1585955578:1585955578(0) ack 3491853089 win 1460 <mss 1452,sackOK,timestamp 9040063 10362561,nop,wscale 7>
    13:19:12.793424 IP 192.168.0.205.39165 > 142.204.140.203.http: . ack 1 win 46 <nop,nop,timestamp 10362629 9040063>
    13:19:12.793549 IP 192.168.0.205.39165 > 142.204.140.203.http: . 1:731(730) ack 1 win 46 <nop,nop,timestamp 10362629 9040063>

    [rchan@rh9 tmp]$ /usr/sbin/tcpdump -r /tmp/packets -nn
    reading from file packets, link-type EN10MB (Ethernet)
    13:19:12.725355 IP 192.168.0.205.39165 > 142.204.140.203.80: S 3491853088:3491853088(0) win 5840 <mss 1460,sackOK,timestamp 10362561 0,nop,wscale 7>
    13:19:12.793356 IP 142.204.140.203.80 > 192.168.0.205.39165: S 1585955578:1585955578(0) ack 3491853089 win 1460 <mss 1452,sackOK,timestamp 9040063 10362561,nop,wscale 7>
    13:19:12.793424 IP 192.168.0.205.39165 > 142.204.140.203.80: . ack 1 win 46 <nop,nop,timestamp 10362629 9040063>
    13:19:12.793549 IP 192.168.0.205.39165 > 142.204.140.203.80: . 1:731(730) ack 1 win 46 <nop,nop,timestamp 10362629 9040063>

    [rchan@rh9 tmp]$ /usr/sbin/tcpdump -r /tmp/packets -nne
    reading from file packets, link-type EN10MB (Ethernet)
    13:19:12.725355 00:1b:38:12:e2:33 > 00:11:95:0c:b3:94, ethertype IPv4 (0x0800), length 74: 192.168.0.205.39165 > 142.204.140.203.80: S 3491853088:3491853088(0) win 5840 <mss 1460,sackOK,timestamp 10362561 0,nop,wscale 7>
    13:19:12.793356 00:11:95:0c:b3:94 > 00:1b:38:12:e2:33, ethertype IPv4 (0x0800), length 74: 142.204.140.203.80 > 192.168.0.205.39165: S 1585955578:1585955578(0) ack 3491853089 win 1460 <mss 1452,sackOK,timestamp 9040063 10362561,nop,wscale 7>
    13:19:12.793424 00:1b:38:12:e2:33 > 00:11:95:0c:b3:94, ethertype IPv4 (0x0800), length 66: 192.168.0.205.39165 > 142.204.140.203.80: . ack 1 win 46 <nop,nop,timestamp 10362629 9040063>
    13:19:12.793549 00:1b:38:12:e2:33 > 00:11:95:0c:b3:94, ethertype IPv4 (0x0800), length 796: 192.168.0.205.39165 > 142.204.140.203.80: . 1:731(730) ack 1 win 46 <nop,nop,timestamp 10362629 9040063>
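The -nne output above is the most useful form for scripting, because every field is numeric and the link-level header is present. The following is an added example (not part of the lab page and not tcpdump code) that parses that text format with the Python standard library. The four sample lines are copied from the -nne listing above; the function names and the record layout are this example's own choices.

```python
"""Parse `tcpdump -nne` text output into records and summarise it.

Added example for this lab page; it is not part of the original lab or of
tcpdump. It works on the constructed sample lines below, which have the same
shape as the `tcpdump -r /tmp/packets -nne` listing on the page, and shows
how a script can pull out the MAC addresses, the frame lengths and the
per-direction byte totals that a grep/awk pipeline would otherwise compute.
"""
import re
from collections import Counter

# Constructed sample input: the four lines from the -nne listing on the page.
SAMPLE_LINES = [
    "13:19:12.725355 00:1b:38:12:e2:33 > 00:11:95:0c:b3:94, ethertype IPv4 (0x0800), length 74: 192.168.0.205.39165 > 142.204.140.203.80: S 3491853088:3491853088(0) win 5840 <mss 1460,sackOK,timestamp 10362561 0,nop,wscale 7>",
    "13:19:12.793356 00:11:95:0c:b3:94 > 00:1b:38:12:e2:33, ethertype IPv4 (0x0800), length 74: 142.204.140.203.80 > 192.168.0.205.39165: S 1585955578:1585955578(0) ack 3491853089 win 1460 <mss 1452,sackOK,timestamp 9040063 10362561,nop,wscale 7>",
    "13:19:12.793424 00:1b:38:12:e2:33 > 00:11:95:0c:b3:94, ethertype IPv4 (0x0800), length 66: 192.168.0.205.39165 > 142.204.140.203.80: . ack 1 win 46 <nop,nop,timestamp 10362629 9040063>",
    "13:19:12.793549 00:1b:38:12:e2:33 > 00:11:95:0c:b3:94, ethertype IPv4 (0x0800), length 796: 192.168.0.205.39165 > 142.204.140.203.80: . 1:731(730) ack 1 win 46 <nop,nop,timestamp 10362629 9040063>",
]

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP4 = r"\d+\.\d+\.\d+\.\d+"

# One IPv4/TCP-or-UDP line of -nne output. Lines for other protocols (ARP, for
# example, which has no IP addresses or ports) do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    rf"(?P<src_mac>{MAC}) > (?P<dst_mac>{MAC}), "
    r"ethertype (?P<ethertype>\w+) \((?P<ethertype_hex>0x[0-9a-f]{4})\), "
    r"length (?P<length>\d+): "
    rf"(?P<src_ip>{IP4})\.(?P<src_port>\d+) > (?P<dst_ip>{IP4})\.(?P<dst_port>\d+): "
    r"(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict of fields for one -nne line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # `length N` with -e is the Ethernet frame length (header + IP packet).
    rec["length"] = int(rec["length"])
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def parse_lines(lines):
    """Parse every line that matches; unmatched lines are dropped."""
    return [r for r in (parse_line(l) for l in lines) if r is not None]


def mac_addresses(records):
    """Every distinct MAC address seen as source or destination, sorted."""
    macs = set()
    for r in records:
        macs.add(r["src_mac"])
        macs.add(r["dst_mac"])
    return sorted(macs)


def bytes_by_direction(records):
    """Sum of frame lengths keyed by (src_ip, dst_ip)."""
    totals = Counter()
    for r in records:
        totals[(r["src_ip"], r["dst_ip"])] += r["length"]
    return totals


def packets_with_port(records, port):
    """Records whose source or destination port equals `port`."""
    return [r for r in records if port in (r["src_port"], r["dst_port"])]


def flag_token(rec):
    """The TCP flag token tcpdump prints first after the ports ('S', '.', 'P' ...)."""
    return rec["rest"].split()[0]


if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LINES)
    print(len(recs), "packets parsed")
    print("MAC addresses:", mac_addresses(recs))
    for (src, dst), total in bytes_by_direction(recs).items():
        print(f"{src} -> {dst}: {total} bytes on the wire")
    print("SYN packets:", sum(1 for r in recs if flag_token(r) == "S"))
```

Feed it real output with `tcpdump -r /tmp/lab3-pkts -nne | python3 parse_tcpdump.py` after replacing SAMPLE_LINES with `sys.stdin`; the regular expression is deliberately strict, so a change of tcpdump version that alters the line format shows up as dropped lines rather than as wrong totals.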
tcpdump expression
The tcpdump command accepts filter expressions either as a command line argument or from a text file. Packets that match the filter expression will be captured and displayed. If no expression is given, all packets on the net will be captured and displayed.
A tcpdump expression consists of one or more primitives. Primitives can be combined using concatenation (and), alternation (or) and negation (not) to form complex filter expressions.
Primitives usually consist of an id (name or number) preceded by one or more qualifiers.
There are three different kinds of qualifier:
- type - the type qualifier says what kind of thing the id name or number refers to.
- host (default type) (e.g. host cs.senecac.on.ca or host 142.204.140.48)
- net (e.g. net 192.168.1.0/24 - any packets from or to the network 192.168.1.0)
- port (e.g. port 22 - tcp or udp, source or destination port 22)
- portrange (e.g. portrange 1234-1240)
- dir - the dir qualifier specifies a particular transfer direction to and/or from id:
- src (e.g. src host zenit.senecac.on.ca)
- dst (e.g. dst net 192.168.1)
- src or dst (default dir) (e.g. src or dst port 80)
- src and dst
- proto - the proto qualifier restricts the match to a particular protocol:
- ether (e.g. ether dst mac, ether src mac, ether host mac)
- fddi
- tr
- wlan
- ip
- ip6
- arp
- rarp
- tcp
- udp
- (default) if there is no proto qualifier, all protocols consistent with the type are assumed
It is also possible to construct filter expressions to match specific fields in protocol headers. This is done with expressions of the form:
proto[offset:size]
to select bytes starting at offset with size bytes, for example:
ip[2:2]
the primitive above selects two bytes starting at the third byte of the IP header (byte 0 is the first byte), i.e. bytes 2 and 3, which hold the IP total length field. The following expression can be used to select packets whose IP datagrams are longer than 512 bytes:
ip[2:2]>512
The following expression selects packets with the SYN bit set in the TCP header - the first packet in the 3-way handshake for initializing a new TCP connection:
tcp[13] == 2
More examples can be found on the tcpdump man page.
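To see exactly which bytes the primitives ip[2:2] and tcp[13] read, the following added example (not part of the lab page and not tcpdump code) builds minimal IPv4/TCP packets with the Python standard library and evaluates the two expressions above against them. The packet builder, the helper names and the sample flag values are this example's own constructions; checksums are left at zero because nothing here is put on the wire.

```python
"""Evaluate tcpdump byte-offset primitives (ip[2:2] > 512, tcp[13] == 2)
against raw packets, to show which header bytes each one reads.

Added example for this lab page; not code from tcpdump. It implements
proto[offset:size] the way tcpdump defines it: `offset` is counted from the
first byte of that protocol's header, `size` bytes are read big-endian.
"""
import struct


def build_ipv4_tcp(payload_len, tcp_flags, ip_options=b""):
    """Return a constructed IPv4 packet carrying a TCP segment with no TCP
    options, `payload_len` bytes of payload and the given TCP flags byte.
    `ip_options` (length must be a multiple of 4) lets the IP header grow so
    the TCP header no longer starts at byte 20."""
    if len(ip_options) % 4:
        raise ValueError("IP options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(ip_options) // 4            # header length in 32-bit words
    total_length = ihl * 4 + 20 + payload_len  # IP header + TCP header + data
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl,   # version 4, IHL
        0,                # TOS
        total_length,     # bytes 2-3: the field ip[2:2] reads
        0, 0,             # identification, flags/fragment offset
        64,               # TTL
        6,                # protocol: TCP
        0,                # checksum (left at zero, constructed packet)
        bytes([192, 168, 0, 205]),
        bytes([142, 204, 140, 203]),
    ) + ip_options
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        39165, 80,        # source port, destination port
        0, 0,             # sequence, acknowledgement
        5 << 4,           # data offset 5 words, no TCP options
        tcp_flags,        # byte 13 of the TCP header: the field tcp[13] reads
        5840, 0, 0,       # window, checksum, urgent pointer
    )
    return ip_hdr + tcp_hdr + b"\x00" * payload_len


def field(packet, proto, offset, size=1):
    """tcpdump's proto[offset:size] on a raw IPv4 packet (no link header)."""
    if proto == "ip":
        base = 0
    elif proto == "tcp":
        if packet[9] != 6:
            raise ValueError("not a TCP packet")
        base = (packet[0] & 0x0F) * 4   # TCP header starts after IP header + options
    else:
        raise ValueError(f"unsupported protocol {proto!r}")
    chunk = packet[base + offset:base + offset + size]
    if len(chunk) != size:
        raise ValueError("packet too short for requested field")
    return int.from_bytes(chunk, "big")


def ip_longer_than_512(packet):
    """Equivalent of the filter  ip[2:2] > 512."""
    return field(packet, "ip", 2, 2) > 512


def is_pure_syn(packet):
    """Equivalent of the filter  tcp[13] == 2  (SYN set and no other flag)."""
    return field(packet, "tcp", 13) == 2


def has_syn_bit(packet):
    """Equivalent of the filter  tcp[13] & 2 != 0  (SYN set, other flags ignored)."""
    return field(packet, "tcp", 13) & 0x02 != 0


if __name__ == "__main__":
    syn = build_ipv4_tcp(0, 0x02)
    big = build_ipv4_tcp(600, 0x18)     # PSH|ACK with 600 bytes of payload
    synack = build_ipv4_tcp(0, 0x12)    # SYN|ACK
    ecn_syn = build_ipv4_tcp(0, 0xC2)   # SYN with CWR and ECE set
    for name, p in [("syn", syn), ("big", big), ("synack", synack), ("ecn_syn", ecn_syn)]:
        print(name, "ip[2:2] =", field(p, "ip", 2, 2), "tcp[13] = 0x%02x" % field(p, "tcp", 13),
              "pure SYN:", is_pure_syn(p), "has SYN:", has_syn_bit(p))
```

The ecn_syn case is the caveat worth remembering: tcp[13] == 2 matches only a segment whose flags byte is exactly SYN, so a connection attempt that also sets the ECN bits (CWR, ECE) slips past it, whereas tcp[13] & 2 != 0 (or tcpdump's symbolic form tcp[tcpflags] & tcp-syn != 0) catches every segment with SYN set, including SYN-ACKs.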
Procedure
- Boot up a system in the lab to Fedora Core 8 (or FC9 if you are doing this lab in some other places).
- Log in as the regular user "joker" (or any login name of a regular user).
- Open up two terminal windows. Name one as "super" and the other one as "joker".
On the "super" terminal
- On the "super" terminal, enter the command
su -
- When asked for the password, type in the root password to switch to the "root" user account on the "super" terminal window.
- Use the "ifconfig" or the "ip" command to find out the device name, IP address, broadcast address, netmask, and the MAC address of the active network interface. When you see a place holder <my-ip> below, replace it with the IP address of your system. When you see the place holder <my-mac> below, replace it with the MAC address of your NIC.
- Enter the following command to find out the IP address of the host matrix.senecac.on.ca:
    [joker@FC8 ~]$ host matrix.senecac.on.ca
    matrix.senecac.on.ca has address 142.204.xxx.xxx
- Replace the place holder <matrix-ip> below with matrix's actual IP address. Enter the command:
    [joker@FC8 ~]$ ping -c 5 <matrix-ip>
- Inform your instructor if the ping statistics indicates a 100% packet loss.
- Enter the following command to capture 10 packets either coming into your system or going out from your system:
tcpdump -i <dev> -c 10 -n host <my-ip>
- The purpose of the above tcpdump command is to verify that tcpdump works properly on your system.
- Enter the following command to capture packets coming into your system or going out from your system and save them to a file called "lab3-pkts":
tcpdump -i <dev> -s 0 host <my-ip> -w /tmp/lab3-pkts
On the "joker" terminal
- On the "joker" terminal, enter the commands:
    ping -c 2 <matrix-ip>
    host cs.senecac.on.ca
- It is possible to log in to matrix using a telnet client program. Do not use your real password during this telnet exercise: telnet sends the password in clear text, so it will be exposed and captured in the tcpdump file. The listing below shows an unsuccessful interactive telnet session attempting to log in to matrix. Follow each command exactly as shown, replacing only the placeholder <my-account> with your Learn account name. The passwords (shown in blue in the original listing) will not be echoed on your screen as you type.
    [joker@FC8 ~]$ telnet matrix.senecac.on.ca
    Trying 142.204.140.90...
    Connected to matrix.senecac.on.ca.
    Escape character is '^]'.
    Seneca College of Applied Arts & Technology
    Welcome to matrix.senecac.on.ca
    matrix login: <my-account>
    Password: seneca99
    Login incorrect
    matrix login: <my-account>
    Password: secret-pw
    Login incorrect
    matrix login: <my-account>
    Password: happyday
    Login incorrect
    Connection closed by foreign host.
    [joker@FC9 ~]$
- Use the "ssh" command to log in to matrix with your student account and password (use the real one this time). The following is a sample "ssh" session on matrix:
    [user-a@localhost ~]$ ssh learn-id@matrix.senecac.on.ca
    The authenticity of host 'matrix.senecac.on.ca (142.204.140.90)' can't be established.
    RSA key fingerprint is 20:23:07:dd:63:81:d0:7f:39:81:0b:43:a4:60:38:e5.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'matrix.senecac.on.ca,142.204.140.90' (RSA) to the list of known hosts.
    Password: <password>
    Last login: Tue Mar 18 12:47:01 2008 from zenit.senecac.on.ca
    Have a lot of fun...
    learn-id@matrix:~> exit
    logout
    Connection to matrix.senecac.on.ca closed.
    [user-a@localhost ~]$
Back to the "super" terminal
- Switch to the "super" terminal window and press <ctrl-c> to terminate the tcpdump program.
- Copy the packet file "/tmp/lab3-pkts" to your USB key or transfer it to your home directory on matrix. To transfer the packet file to matrix, use the command:

    [user-a@FC8 ~]$ scp /tmp/lab3-pkts learn-id@matrix.senecac.on.ca:
Questions
Answer the following questions based on the packet file "lab3-pkts" you created for this lab.
- Write a tcpdump command to display all the packets your system sent to matrix. Do not do any name resolution for any fields in the packet but do display the physical addresses contained in the packets.
- Write a tcpdump command to display all the packets sent to your system from matrix. Do not do any name resolution for any fields in the packet but do display the physical addresses contained in the packets.
- Write a tcpdump command to display all the ARP packets captured in the packet file (lab3-pkts). Include the output in your answer.
- Write a tcpdump command to display all the ICMP "echo-request" packets in the packet file. Include the output in your answer.
- Write a pipeline command, using tcpdump as part of the pipeline, to display the total number of packets belonging to the TELNET session between your system and matrix.
- Do the same for the SSH session.
- Write a pipeline command, using tcpdump as part of the pipeline, to display the total number of TCP packets in the packet file.
- Do the same for UDP packets.
- Describe the steps you could use to find out all MAC addresses captured in the packet file. Include all the MAC addresses found in your answer.
- Describe the steps you could use to find out the total number of bytes your system received from matrix.
- Write a tcpdump command to capture all your traffic on port 80, then open the website google.ca, search for "arcade" and verify your captured data.
Completing this Lab
- Post your answers for this lab to NAD710 Lab 3 Answers
- You will be graded according to your contribution. If you have nothing to add to the answer page, please write some comments on the lab and the answers and email them to your professor.