Describe the type of information available from the output of the tcpdump program
Packet Sniffing and TCP Dump
A packet sniffer is a program that reads all network traffic on a particular network segment. Such a program is one of the most powerful tools available for network monitoring. The tcpdump program, which is widely available without cost, is one of the most highly developed packet sniffing programs.
Using tcpdump or other packet sniffers to their fullest capacity requires a sophisticated understanding of the TCP/IP protocols. Because TCP/IP is not the primary focus of this course, we will briefly discuss how tcpdump works and how it might be useful in debugging networking problems.
Ethernet is a broadcast protocol. On a single ethernet segment (such as an office or department local network), every piece of network traffic is “heard” by every node on the network. Under normal conditions, however, an ethernet interface will ignore all traffic not directed at
If an ethernet interface is placed in "promiscuous mode," it will pass all the network traffic it receives up to the protocol stack. This means that a node equipped with an appropriate program (such as tcpdump) can read all the network traffic on the segment, not just traffic intended for that particular node. This behavior has important consequences for network security: any machine attached to an ethernet segment can examine every piece of data carried by that segment. Note that this describes a shared-medium segment (a hub or coaxial cable). On a switched network the switch forwards a unicast frame only to the port that owns the destination address, so a promiscuous interface sees broadcast and multicast traffic and its own unicast traffic, but not other hosts' unicast traffic, unless the switch is configured to mirror traffic to the sniffer's port.
To put the ethernet device in promiscuous mode, tcpdump needs to run as root (on Linux, the CAP_NET_RAW and CAP_NET_ADMIN capabilities are sufficient).
View the code below to examine a few typical lines from the tcpdump output.
We will focus only on the source and destination part of the output. Interpreting the remaining part of the output is possible if you are familiar with the TCP and UDP protocols. On a busy network, the output from tcpdump may be overwhelming. Fortunately, the output may be filtered using a fairly sophisticated set of logical primitives (such as host, src host, dst host, port and dst port) combined with and, or and not. For example, to see telnet traffic coming into machine my_machine, you can use the command:
host# tcpdump -i eth0 dst host my_machine and dst port telnet
To see traffic between my_machine and your_machine, you may use:
host# tcpdump -i eth0 src host my_machine and dst host your_machine \
    or src host your_machine and dst host my_machine
Because "and" binds more tightly than "or," this matches packets in either direction between the two hosts. The shorter expression "host my_machine and host your_machine" selects exactly the same packets.
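The source-and-destination fields described above, and the two filters, as an added example that is not part of the original notes: a small Python parser that reads tcpdump's default text output and applies the same host/port tests in code. The sample lines are constructed for the example, not captured from a real network, and the short service-name table is an assumption (it stands in for /etc/services so that "dst port telnet" matches numeric output from tcpdump -n).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in tcpdump's default text format:
# timestamp, "IP", src.port > dst.port, then protocol-specific detail.
# They are made up for this example, not captured from a real network.
SAMPLE_OUTPUT = """\
14:02:11.301122 IP 10.0.0.5.51234 > 10.0.0.9.23: Flags [S], seq 1000, win 65535, length 0
14:02:11.301540 IP 10.0.0.9.23 > 10.0.0.5.51234: Flags [S.], seq 2000, ack 1001, win 65535, length 0
14:02:11.302001 IP 10.0.0.5.51234 > 10.0.0.9.23: Flags [.], ack 1, win 65535, length 0
14:02:12.000013 IP 10.0.0.7.40000 > 10.0.0.9.80: Flags [P.], seq 1:100, ack 1, win 512, length 99
14:02:12.500777 IP 10.0.0.5.53211 > 10.0.0.1.53: 12345+ A? example.test. (30)
14:02:13.100000 IP 10.0.0.7 > 10.0.0.9: ICMP echo request, id 1, seq 1, length 64
14:02:13.200000 ARP, Request who-has 10.0.0.9 tell 10.0.0.5, length 28
"""

# Assumed minimal service-name table (stands in for /etc/services) so a
# filter written as "dst port telnet" also matches numeric "tcpdump -n" output.
SERVICE_PORTS = {"telnet": "23", "http": "80", "domain": "53", "ssh": "22"}

LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
IPV4_ENDPOINT_RE = re.compile(r"^(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<port>\w+))?$")


@dataclass(frozen=True)
class Packet:
    timestamp: str
    src_host: str
    src_port: Optional[str]   # None for port-less protocols such as ICMP
    dst_host: str
    dst_port: Optional[str]
    detail: str               # everything after the address pair


def split_endpoint(endpoint: str):
    """Split tcpdump's host.port form. A dotted quad with no fifth component
    (e.g. an ICMP line) has no port; a resolved name keeps whatever follows
    the last dot as its port number or service name."""
    m = IPV4_ENDPOINT_RE.match(endpoint)
    if m:
        return m["host"], m["port"]
    host, sep, port = endpoint.rpartition(".")
    return (host, port) if sep else (endpoint, None)


def parse_line(line: str) -> Optional[Packet]:
    """Return a Packet for an IP line, or None for other link-layer traffic
    (ARP etc.) that this example does not decode."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src_host, src_port = split_endpoint(m["src"])
    dst_host, dst_port = split_endpoint(m["dst"])
    return Packet(m["ts"], src_host, src_port, dst_host, dst_port, m["rest"])


def parse_output(text: str) -> List[Packet]:
    return [p for p in map(parse_line, text.splitlines()) if p is not None]


def _norm_port(port: Optional[str]) -> Optional[str]:
    return None if port is None else SERVICE_PORTS.get(port, port)


def matches(pkt: Packet, src_host=None, dst_host=None, src_port=None, dst_port=None) -> bool:
    """Conjunction of the given primitives, like 'dst host X and dst port Y'."""
    checks = [
        (src_host, pkt.src_host),
        (dst_host, pkt.dst_host),
        (_norm_port(src_port), _norm_port(pkt.src_port)),
        (_norm_port(dst_port), _norm_port(pkt.dst_port)),
    ]
    return all(want is None or want == got for want, got in checks)


def between(pkt: Packet, a: str, b: str) -> bool:
    """Either direction between two hosts: the text's
    'src host A and dst host B or src host B and dst host A'."""
    return matches(pkt, src_host=a, dst_host=b) or matches(pkt, src_host=b, dst_host=a)


if __name__ == "__main__":
    for p in parse_output(SAMPLE_OUTPUT):
        if matches(p, dst_host="10.0.0.9", dst_port="telnet"):
            print(f"{p.timestamp} {p.src_host}:{p.src_port} -> {p.dst_host}:{p.dst_port}")
```

Run as a script it prints the two packets that the first tcpdump filter above would have selected. Filtering after the fact like this is useful when reading a saved capture, but on a live, busy network the filter expression passed to tcpdump is still preferable, since it discards unwanted packets in the kernel before they are copied to user space.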