Network Debugging Utility – tcpdump

The tcpdump tool shows all, or a selected subset of, the packets passing over the Ethernet interface, which makes it useful for debugging network problems. Under Linux it must be run as root in order to sniff network packets.
The set of packets captured is specified with a filter expression that combines logical operators with parameters such as source and destination IP addresses, protocol types and TCP/UDP port numbers.

tcpdump output has the following format.

For UDP packets:

20:12:40.623187 csqlcache.com.3050 > 192.168.1.51.34353: udp 234

where

Timestamp:            20:12:40.623187
Source address:       csqlcache.com
Source port:          3050
Destination address:  192.168.1.51
Destination port:     34353
Protocol:             udp
Packet size:          234 bytes

For TCP packets:

20:12:40.623187 IP (…) csqlcache.com.3051 > 192.168.1.51.34353: P 1:53(52) ack 168 win 64315

where

Timestamp:            16:23:01.079553
Protocol:             IP
Source address:       csqlcache.com
Source port:          3051
Destination address:  192.168.1.51
Destination port:     34353
Sequence number:      1
Number of user data bytes in the segment: 52

To capture all TCP or UDP traffic whose source or destination port is 22 (the ssh port), run the following command:

$ tcpdump port 22

It displays output such as the following:

0:12:40.623084 IP (tos 0x10, ttl 64, id 34755, offset 0, flags [DF], proto TCP (6), length 92) 192.168.1.113.ssh > 192.168.1.103.appserv-https: P 3533382018:3533382070(52) ack 1574531805 win 9648
20:12:40.699411 IP (tos 0x10, ttl 64, id 34756, offset 0, flags [DF], proto TCP (6), length 156) 192.168.1.113.ssh > 192.168.1.103.appserv-https: P 52:168(116) ack 1 win 9648
20:12:40.623187 IP (tos 0x0, ttl 128, id 5012, offset 0, flags [DF], proto TCP (6), length 40) 192.168.1.103.appserv-https > 192.168.1.113.ssh: ., cksum 0x57ec (correct), ack 52 win 64431
20:12:40.777047 IP (tos 0x0, ttl 128, id 5013, offset 0, flags [DF], proto TCP (6), length 40) 192.168.1.103.appserv-https > 192.168.1.113.ssh: ., cksum 0x57ec (correct), ack 168 win 64315
20:12:41.506720 IP (tos 0x0, ttl 128, id 5014, offset 0, flags [DF], proto TCP (6), length 92) 192.168.1.103.appserv-https > 192.168.1.113.ssh: P 1:53(52) ack 168 win 64315
From this output you can derive useful information for analysing the network behaviour of your programs; the tool is very helpful when debugging socket programs.
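As an added example that is not part of the original post, the following Python parser turns the two line shapes shown above (the plain UDP line and the verbose "IP (...)" TCP line) into structured records and sums payload bytes per direction, which is the kind of check you want when verifying what a socket program actually sent. The sample lines are constructed from the output shown on this page; the parser assumes tcpdump's default text format as printed there.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in the shape tcpdump prints (copied from the page's own examples).
SAMPLE_LINES = [
    "20:12:40.623187 csqlcache.com.3050 > 192.168.1.51.34353: udp 234",
    "20:12:40.623084 IP (tos 0x10, ttl 64, id 34755, offset 0, flags [DF], proto TCP (6), length 92) "
    "192.168.1.113.ssh > 192.168.1.103.appserv-https: P 3533382018:3533382070(52) ack 1574531805 win 9648",
    "20:12:40.623187 IP (tos 0x0, ttl 128, id 5012, offset 0, flags [DF], proto TCP (6), length 40) "
    "192.168.1.103.appserv-https > 192.168.1.113.ssh: ., cksum 0x57ec (correct), ack 52 win 64431",
]

# timestamp, optional verbose "IP (...)" header, then "src > dst: rest"
_LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}:\d{2}:\d{2}\.\d+) (?:IP \((?P<iphdr>.*?)\) )?"
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
_SEG_RE = re.compile(r"(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\)")  # seq:end(data bytes)


def split_endpoint(ep: str):
    """'192.168.1.113.ssh' -> ('192.168.1.113', 'ssh'): the port follows the last dot."""
    host, _, port = ep.rpartition(".")
    return host, port


def parse_line(line: str) -> Optional[Dict]:
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    src_host, src_port = split_endpoint(m["src"])
    dst_host, dst_port = split_endpoint(m["dst"])
    rec = {"ts": m["ts"], "src_host": src_host, "src_port": src_port,
           "dst_host": dst_host, "dst_port": dst_port}
    rest = m["rest"]
    if rest.startswith("udp "):                 # "udp 234": 234 bytes of UDP data
        rec["proto"] = "udp"
        rec["payload_len"] = int(rest.split()[1])
        return rec
    rec["proto"] = "tcp"
    rec["flags"] = rest.split(",")[0].split()[0]  # "P" (push) or "." (no flags set)
    seg = _SEG_RE.search(rest)                    # absent on pure acknowledgements
    rec["seq"] = int(seg["seq"]) if seg else None
    rec["payload_len"] = int(seg["len"]) if seg else 0
    for key in ("ack", "win"):
        km = re.search(rf"\b{key} (\d+)", rest)
        rec[key] = int(km.group(1)) if km else None
    lm = re.search(r"length (\d+)", m["iphdr"] or "")  # total IP length from the verbose header
    rec["ip_len"] = int(lm.group(1)) if lm else None
    return rec


def bytes_per_direction(lines: List[str]) -> Dict[str, int]:
    """Sum TCP/UDP payload bytes for each 'src -> dst' direction seen in the capture."""
    totals: Dict[str, int] = {}
    for rec in filter(None, map(parse_line, lines)):
        key = f"{rec['src_host']}:{rec['src_port']} -> {rec['dst_host']}:{rec['dst_port']}"
        totals[key] = totals.get(key, 0) + rec["payload_len"]
    return totals
```

Feed it the lines from `tcpdump -v port 22` and the per-direction totals show at once whether the bytes you wrote to a socket actually left the host.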

The tool provides many options. For example, to capture all TCP traffic with source address csqlcache:

$ tcpdump tcp and src host csqlcache

For the complete set of options, see http://www.tcpdump.org/
