How does TCPDump work on Linux

Butschek.de

Every now and then you face the problem of wanting to look into the network traffic of your own server. Be it to finally understand suspicious connections, to analyze an alleged DoS attack, or to find out what exactly is behind the unhelpful message "Connection abort" in the mail client.

Two tools are available for this purpose. Tcpdump allows not only a live view of the traffic but also saving the entire traffic to a file. This is often the more sensible choice, as the collected data can then be analyzed at leisure with a suitable tool.

This suitable tool is called Wireshark. With this program, captures created with Tcpdump (on Windows: *.cap) can be opened and properly analyzed.

Recording with Tcpdump

First, Tcpdump has to be installed on the server. As usual, Debian offers a complete package for this:

aptitude install tcpdump

The program is ready to use immediately after installation. The following line starts the recording of the packets (capture):

tcpdump -p -s0 -w tcpdump.cap

Tcpdump now saves all packets. However, there is no output. The parameters specify that the file tcpdump.cap is to be written (-w), that promiscuous mode should not be activated (-p), and that the packets are not truncated after 68 bytes, as in the default setting, but are recorded in full (-s0, where 0 = unlimited).

Since a lot of data accumulates quickly and the later analysis takes a very long time if, say, 30,000 packets were recorded, you should only record as much as is necessary for the error analysis. That means: in the case of an error message, reproduce the error once, then stop the recording. In the case of an attack, 10 seconds from the period in which the attack is running is usually sufficient.

The recording can be stopped with CTRL-C. The saved file (here: tcpdump.cap) can then be transferred to the local computer (scp / pscp).

Analysis with Wireshark

On Windows PCs, the software can be downloaded directly from the Wireshark homepage. Debian and Ubuntu users can install the package directly from the package repositories:

aptitude install wireshark

After starting the program you can open the recorded file (above: tcpdump.cap) and land directly in the packet view, which shows all recorded packets:

The view is divided into three parts: at the top we see the list of packets, with different colors representing different protocols. In the middle you can see the individual layers of the selected packet. These can be expanded in a tree structure so that all layers and their contents can be inspected.

At the bottom we see the raw data, i.e. the packet in hexadecimal and ASCII output, with the selected layer automatically highlighted. A nice feature, because you can easily learn the structure of packets and quickly recognize which information is found at which position in the packet.

A nice feature of Wireshark is "Follow TCP Stream", i.e. following a TCP connection. It is sufficient to select a packet and call up the function via the menu. Wireshark then filters all packets that belong to this TCP connection and shows in a window all the data that the client and server have transmitted:

So no packets are displayed, only the transmitted data. The ASCII representation thus allows the communication between client and server to be read directly. A very nice function when the mail client once again gives a meaningless error message, because here you can see exactly what was "spoken". Of course, this only applies to ASCII dialogues that do not use encryption (e.g. SSL).

Another interesting feature is the Flow Charts function in the Statistics menu. Here you can see the distribution of the packets as percentages. Nice for revealing unusual network behavior, for example.

The Protocol Hierarchy function is also located in the Statistics menu; it assigns the individual packets hierarchically to the protocols used. This shows the distribution of the traffic, and you can quickly see which protocols are in use.

In general, many functions of the program are interesting; it would be too much to introduce them all here. Nevertheless, this article is intended to "tempt" you to simply try it out. Anyone who knows a little about TCP/IP should learn a lot of interesting new things with these two tools and find and fix previously unsolvable network problems quickly and easily.

A word about data protection

Of course, it is not allowed to simply record and analyze traffic generated by third parties. This would violate their privacy. Therefore this should only be used on private servers or home PCs. If in doubt, tcpdump can also be made to save only packets from certain hosts to the file by adding "host xx.xx.xx.xx" to the end of the command line, where xx.xx.xx.xx is the IP address.