Network Debugging Utility – tcpdump
The tcpdump tool shows all, or a selected subset of, the packets passing over the Ethernet interface, which makes it useful for debugging network problems. Under Linux it must be run as root in order to be able to sniff network packets.
The range of packets captured can be specified by using a combination of logical operators and parameters such as source and destination IP addresses, protocol types and TCP/UDP port numbers.
tcpdump output has the following format.
For UDP packets
20:12:40.623187 csqlcache.com.3050 > 192.168.1.51.34353: udp 234
where
| Timestamp | 20:12:40.623187 |
| Source address | csqlcache.com |
| Source port | 3050 |
| Destination address | 192.168.1.51 |
| Destination port | 34353 |
| Protocol | udp |
| Packet Size | 234 |
For TCP packets
20:12:40.623187 IP(…) csqlcache.com.3051 > 192.168.1.51.34353: P 1:53(52) ack 168 win 64315
where
| Timestamp | 16:23:01.079553 |
| Protocol | IP |
| Source address | csqlcache.com |
| Source port | 3051 |
| Destination address | 192.168.1.51 |
| Destination port | 34353 |
| Sequence number | 1 |
| Number of user data bytes in datagram | (52) |
To capture all TCP or UDP traffic with source or destination port number 22 (the ssh port), run the following command
$ tcpdump port 22
It displays output like the following
0:12:40.623084 IP (tos 0x10, ttl 64, id 34755, offset 0, flags [DF], proto TCP (6), length 92) 192.168.1.113.ssh > 192.168.1.103.appserv-https: P 3533382018:3533382070(52) ack 1574531805 win 9648
20:12:40.699411 IP (tos 0x10, ttl 64, id 34756, offset 0, flags [DF], proto TCP (6), length 156) 192.168.1.113.ssh > 192.168.1.103.appserv-https: P 52:168(116) ack 1 win 9648
20:12:40.623187 IP (tos 0x0, ttl 128, id 5012, offset 0, flags [DF], proto TCP (6), length 40) 192.168.1.103.appserv-https > 192.168.1.113.ssh: ., cksum 0x57ec (correct), ack 52 win 64431
20:12:40.777047 IP (tos 0x0, ttl 128, id 5013, offset 0, flags [DF], proto TCP (6), length 40) 192.168.1.103.appserv-https > 192.168.1.113.ssh: ., cksum 0x57ec (correct), ack 168 win 64315
20:12:41.506720 IP (tos 0x0, ttl 128, id 5014, offset 0, flags [DF], proto TCP (6), length 92) 192.168.1.103.appserv-https > 192.168.1.113.ssh: P 1:53(52) ack 168 win 64315
From this output you can derive meaningful information for network analysis of your programs; the tool is very helpful for debugging socket programs.
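As an added example (not part of the original page), a small Python parser for the line format described above: it splits each tcpdump line into its fields (timestamp, addresses, ports, TTL, IP id, TCP flags, payload length, ack, window) and sums payload bytes per direction of a conversation, which is the kind of per-flow bookkeeping you need when checking what a socket program actually sent. It handles both the short lines (the UDP example) and the verbose lines with the `IP (...)` header shown above; the dictionary key names are my own.

```python
import re
from collections import defaultdict
# One packet per line as tcpdump prints it; the "IP (...)" header block is optional
# (verbose output only), and "length N" is always the last field inside it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:IP\s+\((?P<iphdr>.*?length\s+\d+)\)\s+)?"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<rest>.*)$")

def _field(pattern, text, cast=int):
    m = re.search(pattern, text)
    return cast(m.group(1)) if m else None

def parse_line(line):
    """Split one tcpdump line into its fields; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_host, _, src_port = m.group("src").rpartition(".")  # "192.168.1.113.ssh" -> host, port
    dst_host, _, dst_port = m.group("dst").rpartition(".")
    hdr, rest = m.group("iphdr") or "", m.group("rest")
    udp = re.match(r"udp\s+(\d+)", rest)
    if udp:                                   # "udp 234": 234 bytes of UDP payload
        proto, tcp_flags, payload = "udp", None, int(udp.group(1))
    else:                                     # "P 52:168(116)": flags, seq range, payload length
        proto, tcp_flags = "tcp", rest.split(",")[0].split()[0]
        payload = _field(r"\d+:\d+\((\d+)\)", rest) or 0  # pure acks carry no seq range
    return {
        "ts": m.group("ts"), "proto": proto, "src": src_host, "sport": src_port,
        "dst": dst_host, "dport": dst_port, "tcp_flags": tcp_flags, "payload": payload,
        "ttl": _field(r"ttl\s+(\d+)", hdr), "ip_id": _field(r"\bid\s+(\d+)", hdr),
        "ip_len": _field(r"length\s+(\d+)", hdr),
        "df": "DF" in (_field(r"flags\s+\[([^\]]*)\]", hdr, str) or ""),
        "ack": _field(r"\back\s+(\d+)", rest), "win": _field(r"\bwin\s+(\d+)", rest),
    }

def payload_per_direction(lines):
    """Total payload bytes for each (src, sport, dst, dport) direction of a conversation."""
    totals = defaultdict(int)
    for pkt in filter(None, map(parse_line, lines)):
        totals[(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])] += pkt["payload"]
    return dict(totals)

# Sample input: lines copied from the "tcpdump port 22" output above, plus the UDP example line.
SAMPLE = [
    "20:12:40.699411 IP (tos 0x10, ttl 64, id 34756, offset 0, flags [DF], proto TCP (6), length 156) 192.168.1.113.ssh > 192.168.1.103.appserv-https: P 52:168(116) ack 1 win 9648",
    "20:12:40.623187 IP (tos 0x0, ttl 128, id 5012, offset 0, flags [DF], proto TCP (6), length 40) 192.168.1.103.appserv-https > 192.168.1.113.ssh: ., cksum 0x57ec (correct), ack 52 win 64431",
    "20:12:41.506720 IP (tos 0x0, ttl 128, id 5014, offset 0, flags [DF], proto TCP (6), length 92) 192.168.1.103.appserv-https > 192.168.1.113.ssh: P 1:53(52) ack 168 win 64315",
    "20:12:40.623187 csqlcache.com.3050 > 192.168.1.51.34353: udp 234",
]
```

Running `payload_per_direction(SAMPLE)` gives 116 bytes from the ssh server to the client, 52 bytes back, and 234 bytes for the UDP datagram.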
There are many options provided for this tool; for example,
to capture all TCP traffic with source address csqlcache
$ tcpdump tcp src host csqlcache
For the complete set of options, please visit http://www.tcpdump.org/