All network administrators will eventually have to do some troubleshooting on the network due to performance degradation, timeouts, bottlenecks, or suspicious activity that indicates that the network may be compromised or the object of a remote attack. A packet sniffer, a tool that captures network traffic, is typically used for traffic analysis and observation to determine problems in a network or confirm hacking attempts against your computer or network systems. With a packet sniffer, you can use the data collected to identify what types of packets are hitting the system and where they came from. In this Daily Drill Down, I’ll show you how to use the Linux tcpdump tool for network filtering and a GUI tool, Ethereal, that will act as a nice front end for the command-line tcpdump.
The tcpdump packet sniffer has been used for a long time and is the basis for most other open source packet sniffers. As its name implies, tcpdump collects and dumps data on TCP/IP networks. Most Linux distributions come with tcpdump installed by default; you can also obtain it from its official Web site.
The tcpdump utility is a command-line tool, and it can be difficult to use if you’re unfamiliar with it. By default, tcpdump will listen to the lowest interface number (typically eth0), excluding the loopback interface, and report all traffic. This can be overwhelming and, more often than not, is just too much traffic to sort through. It’s also usually unnecessary to see all of this traffic. Because of this, tcpdump has a comprehensive filtering system that allows you to view only what you want and ignore the other packets.
To use tcpdump, you’ll need to be the root user or have the program setuid root (the tcpdump tool will only work with root privilege). Most vendors install tcpdump without the setuid bit set, so if you need to allow unprivileged users to use tcpdump, you’ll need to provide access via sudo or by making it setuid root. (Sudo would be the safer measure; after all, you don't want all of your users sniffing packets.)
If you need more information on using sudo, check out my Daily Drill Down "Limiting root access with sudo, part 1."
Before we get into the options of using tcpdump, let's take a quick look at its output. This is a sample tcpdump session, requesting one single packet.
It doesn't make much sense unless we know what to look for. Let's examine each part of the output. The first section is the timestamp of this packet, 13:03:45.164601. This represents the hour, minute, second, and milliseconds. The next part is the source host of the packet, in this case cmp25.some.net, which is using TCP port 41623. We see that it’s sending the packet (represented by the > character) to the destination host, cmp1.some.net, using port 22 (the ssh string is pulled from /etc/services). The single S represents that a SYN flag was sent to the server; in this case, it’s the first SYN flag. Because of this, the Initial Sequence Number (ISN) for the TCP connection is 1270183925, and all sequence numbers for this connection will be based on this ISN. This number is also the ending sequence number for this packet; thus, the string 1270183925:1270183925(0) represents the starting sequence number, the ending sequence number, and the number of data bytes in the packet (in this case 0 bytes). If user data had been sent, the ending sequence number would have been increased by the number of bytes sent. We also see that the available receive window was 5840 bytes. The remaining information seems to be specific to the ssh protocol and merely gives detailed information about the contents of the packet. Of course, without having an intimate knowledge of TCP packet construction, we don't know for sure what the contents of the packet are.
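To make that line format concrete, here is an added example (not from the original article) that parses lines in this classic tcpdump TCP format, checks that the sequence range agrees with the byte count, and tallies first SYNs per source host, which is a quick way to see who is opening connections in a saved capture. The two input lines are constructed to match the session described above; the second line, its host names and its numbers are assumptions.

```python
import re

# Constructed sample lines in the classic tcpdump TCP format the article walks through:
# the initial SYN from cmp25 to cmp1's ssh port, then a reply carrying 20 bytes of data.
SAMPLE_LINES = [
    "13:03:45.164601 cmp25.some.net.41623 > cmp1.some.net.ssh: S 1270183925:1270183925(0) win 5840 <mss 1460,sackOK,nop,wscale 0>",
    "13:03:45.165902 cmp1.some.net.ssh > cmp25.some.net.41623: P 1:21(20) ack 1270183926 win 5792",
]

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d{6}) "                        # hh:mm:ss and six fractional digits
    r"(?P<src>\S+)\.(?P<sport>[\w-]+) > "                       # source host and port (number or /etc/services name)
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+): "                        # destination host and port
    r"(?P<flags>[SFRP.]+) "                                     # S=SYN F=FIN R=RST P=PSH .=none set
    r"(?P<seq_start>\d+):(?P<seq_end>\d+)\((?P<nbytes>\d+)\)"   # start:end(data bytes)
    r"(?: ack (?P<ack>\d+))?"                                   # ack number, absent on the very first SYN
    r" win (?P<win>\d+)"                                        # advertised receive window in bytes
)
INT_FIELDS = ("seq_start", "seq_end", "nbytes", "ack", "win")

def parse_tcpdump_line(line):
    """Split one tcpdump TCP line into a dict; numeric fields become ints (ack is None on the first SYN)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a tcpdump TCP line: {line!r}")
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key]) if rec[key] is not None else None
    # The ending sequence number is the start plus the data bytes; anything else is a garbled line.
    if rec["seq_end"] - rec["seq_start"] != rec["nbytes"]:
        raise ValueError(f"sequence range disagrees with byte count: {line!r}")
    rec["rest"] = line[m.end():].strip()   # TCP options such as <mss 1460,...>, left undecoded
    return rec

def is_initial_syn(rec):
    """The first SYN of a connection carries the ISN, has no ack and no data."""
    return "S" in rec["flags"] and rec["ack"] is None and rec["nbytes"] == 0

def initial_syns_by_source(lines):
    """Tally first-SYN packets per source host: a quick view of who is opening connections."""
    counts = {}
    for rec in map(parse_tcpdump_line, lines):
        if is_initial_syn(rec):
            counts[rec["src"]] = counts.get(rec["src"], 0) + 1
    return counts
```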
This may seem a little complicated. We can use the -q option to make it a little quieter and easier to understand. For instance, this is much easier to understand. In this case, we see that cmp1.some.net is sending a packet from port 80 (our Web server, which is noted by the .http in cmp1.some.net.http) to external.host.com port 1035 (the port their browser is listening to) and that this is a TCP packet.
Options with tcpdump
You can use a number of options with tcpdump. We've looked at one option, -q, which tells tcpdump not to be so verbose. The opposite is the -v or -vv option, for verbose and extra verbose, respectively. If you want specifics, -v is for you. If you want to be able to understand what is happening without being overwhelmed by packet options and flags that may not mean anything to you, use -q. Other options you may often use include those found in Table A.
Table A: Common tcpdump options

| Option | Description |
|---|---|
| -c | Quit tcpdump after x number of packets have been captured. |
| -i | Use the specified interface (e.g., eth1). |
| -n | List host addresses as numbers, not names (prevents DNS lookups), and list port numbers rather than their names from /etc/services. |
| -p | Don't use promiscuous mode. |
You can use other options; check the tcpdump man page (run the command man tcpdump) for them. However, these are the ones that you’ll most likely use. Let's look at an example:
[root@cmp1 root]# tcpdump -i eth0 -c 25 -n
This will capture the first 25 packets on eth0 and then quit. It will display the host address as 192.168.0.25 rather than, for example, workstation.mynet.net. This also avoids using DNS to find the domain name.
Filtering with tcpdump
To make the packet selection process a little easier, tcpdump provides a number of expressions that can be used to filter the packets it captures. By default, tcpdump will capture and display all packets on the network between all hosts. With expressions, you can reduce this to only packets on the network between a set of hosts, or only a particular protocol or port address.
You can use several expressions with tcpdump, and you can use three types of qualifiers for expressions. The first is the type, which can be host, net, or port. The host is the IP address (i.e., 192.168.5.10) or domain name of the host to specify. The net is the network address (i.e., 192.168.5) or name from /etc/networks. The port is the port number (i.e., 80) or name from /etc/services.
The second qualifier is the direction of the packet. You can match the source of the packet with src or the destination of the packet with dst. By default, packets are matched both ways, as source and as destination.
The last qualifier is the protocol to capture. You can use any of the following protocols: arp, decnet, ether, fddi, ip, lat, mopddl, moprc, rarp, sca, tcp, or udp.
You can also combine qualifiers. Here are a few examples, just to illustrate how flexible expressions can be.
This captures all TCP traffic on port 80:
tcp port 80
This captures all traffic destined for the host web.mynet.net:
dst host web.mynet.net
This captures all UDP traffic on the 192.168.5 network:
udp net 192.168.5
You can also use the Boolean operators AND, NOT, and OR to further narrow filters. With this, you can create filters to capture traffic between more than one specific host, such as 192.168.5.25 and 192.168.5.50. You can use it to capture traffic for an entire network except one specific IP address, or you can use it to capture all traffic to and from one host or another host.
Here are a few examples that illustrate the use of filtering packets with Boolean operators. This will show all traffic on the eth0 interface between your local host (wrk1.mynet.net) and the remote Web site www.techrepublic.com; no other packets will be shown:
tcpdump -i eth0 host wrk1.mynet.net and www.techrepublic.com
Let's look at another example. This will display all ICMP (Internet Control Message Protocol) packets sent on eth0 (note that options such as -i must come before the filter expression):
tcpdump -i eth0 icmp
This is useful if you think you’re experiencing a ping flood, which can often be part of a DoS attack. This will display the domain name that is sending the ICMP packets to your system and will display any ICMP packets your system is sending out. You can use the -n option to use IP addresses instead of domain names.
You can also use some other special filters. The ip broadcast option will capture all IP broadcast packets. This is helpful for determining problems with automatic IP address allocation protocols such as BOOTP (Bootstrap Protocol) and DHCP (Dynamic Host Configuration Protocol). You can capture Ethernet multicast packets by using ether multicast and you can capture IP multicast packets by using ip multicast. For example:
tcpdump ip broadcast
tcpdump ether multicast
tcpdump ip multicast
Using Ethereal: The GUI packet sniffer
One reason tcpdump is used reluctantly, or rarely, is that its output is difficult to decipher. On text-only systems, you have few choices in tools, and tcpdump is a quick tool to get the job done. It is an exceptional help, especially if you're logged in to a remote system and need to troubleshoot the network. For casual observation, though, tcpdump is of limited use. The information scrolls by quickly, and the extra detail it provides can be of no use, or so confusing that it makes the rest of the data difficult to decipher. Because of this, GUI tools, such as Ethereal, can make packet sniffing an easier task.
Ethereal performs the same tasks as tcpdump, but provides a much more user-friendly output. It uses the same filter system as tcpdump, so to make appropriate use of Ethereal, you must have a basic understanding of the filters used in tcpdump.
As with tcpdump, you must run Ethereal as root or as a user with sufficient privilege. Although you can start Ethereal as an unprivileged user, you’ll be unable to start sniffing packets unless you are root.
The main Ethereal display is split into three panes. The top pane is the packet summary. It displays a summary of each packet, showing the packet number, the source, the destination, the protocol, and a summary of the information the packet provides.
The middle pane is the protocol tree, which displays the various layers of the packet selected in the packet summary pane. For instance, it shows information about the packet frame, such as the arrival time, length, and frame number. It shows the Ethernet II information, which displays the hardware MAC addresses of the packet's source and destination. It also displays information pertaining to the higher layers of the packet; a TCP packet might show IP protocol information (header length and checksum, destination and source, time to live, etc.) and TCP protocol information (source and destination ports, sequence numbers, window size, etc.). A packet using the SMB protocol for Samba networking will additionally show NetBIOS session service information and SMB protocol information.
Finally, the pane at the bottom is the hex dump of the packet. This is what the packet looks like as it travels the network.
You can define some preferences in Ethereal, such as which protocols it should be decoding and which it should be ignoring. You can also define the same filters you would use with tcpdump. For instance, you can tell Ethereal to use the same filter we used previously by specifying the following in the Filter section when you start a new scan:
host wrk1.mynet.net and www.techrepublic.com
Note that when you start a new scan, the panes are not updated by default, but a summary screen pops up with a single button to stop traffic analysis. As soon as you click on Stop, the panes fill with the packets collected during the scan. You can change this behavior by selecting Update List Of Packets In Real Time when you start a new scan. You’ll see the status window, which counts the packets, and the panes will also be updated in real time.
You can also enable or disable some other options when you start a new scan. You can enable or disable promiscuous mode, which allows a network device to intercept and read each network packet that arrives in its entirety. By default, MAC name resolution, network name resolution, and transport name resolution are enabled. These resolve, respectively, MAC addresses (hardware Ethernet addresses) to the owning system, IP addresses to host names via DNS, and port numbers to protocol names. If you want to disable DNS lookups, disable network name resolution.
Perhaps one of the most redeeming features of Ethereal is the ability to save filter settings. You can create any number of filters and retrieve them any time you like by clicking on the Filter button in the Capture Preferences that are presented each time you start a new scan.
Packet sniffing is not only for crackers. It’s an extremely useful practice for administrators who are troubleshooting network problems. While the information from packet sniffing can be confusing to all but the experts, it can be accomplished in a way that makes it easier for those of us who don't understand the ins and outs of every network protocol. Tools such as tcpdump make ideal utilities for remote access where a GUI may not be available. Redirecting tcpdump's output to a file can be extremely useful for later review.
Using a GUI such as Ethereal can be even easier. Ethereal lacks none of the features found in tcpdump and provides even more information, should you care to view it. If all you're interested in is the basics of the packets, Ethereal's packet summary pane provides this information in an easy-to-understand way.
Cool Linux networking tools
Have a really groovy Linux networking tool or script you’ve written? Send it to Jack Wallen, Jr. and he’ll get you covered on TechProGuild.
Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.