Network Monitoring

Lesson 9: Packet sniffing and tcpdump
Objective: Describe the type of information available from the output of the tcpdump program

Packet Sniffing and tcpdump

A packet sniffer is a program that reads all network traffic on a particular network segment. Such a program is one of the most powerful tools available for network monitoring. The tcpdump program, which is free software and is packaged for nearly every Unix-like system, is one of the most highly developed packet sniffers.
Using tcpdump or other packet sniffers to their fullest capacity requires a sophisticated understanding of the TCP/IP protocols. Because TCP/IP is not the primary focus of this course, we will only briefly discuss how tcpdump works and how it can be useful in debugging networking problems.

Promiscuous mode

Classic Ethernet is a shared-medium (broadcast) protocol. On a single ethernet segment (such as an office or department local network built on a hub or a shared coaxial cable), every frame is "heard" by every node on the segment. Under normal conditions, however, an ethernet interface discards every frame whose destination MAC address is not its own (or a broadcast or multicast address it has joined), so the protocol stack never sees other nodes' traffic.
If an ethernet interface is placed in "promiscuous mode," it passes every frame it receives up to the protocol stack. A node running an appropriate program (such as tcpdump) can then read all the network traffic on the segment, not just traffic addressed to that node. This has important consequences for network security: any machine attached to an ethernet segment can examine every piece of data carried by that segment, including cleartext passwords sent by protocols such as telnet. One caveat: on a switched network the switch forwards unicast frames only to the port that owns the destination MAC address, so a promiscuous interface sees only its own traffic plus broadcasts and multicasts, unless the switch is configured to mirror traffic to it (a SPAN or monitor port).

Running tcpdump

To put the ethernet device in promiscuous mode and read raw frames from it, tcpdump needs to run with root privileges (on Linux, the CAP_NET_RAW and CAP_NET_ADMIN capabilities are sufficient).
Each line of tcpdump output describes one packet and contains the following fields:
  1. Time stamp
  2. Packet's source host and port
  3. Packet's destination host and port
  4. Information from the packet's IP, TCP, or UDP headers

We will focus only on the source and destination part of the output. Interpreting the remaining part of the output is possible if you are familiar with the TCP and UDP protocols.
On a busy network, the output from tcpdump may be overwhelming. Fortunately, the output may be filtered using a fairly sophisticated set of logical primitives (host, port, src, dst, and so on, combined with and, or and not). Port names such as telnet are looked up in /etc/services. For example, to see telnet traffic coming into machine my_machine, you can use the command:
host# tcpdump -i eth0 dst host my_machine and dst port telnet
(Adding -n stops tcpdump from doing reverse DNS lookups on every address, which keeps the output fast and avoids generating extra traffic of its own.)

To see traffic between my_machine and your_machine in both directions, you may use (the expression is quoted so the shell does not interpret the parentheses):
host# tcpdump -i eth0 '(src host my_machine and dst host your_machine) or (src host your_machine and dst host my_machine)'

The shorter expression host my_machine and host your_machine selects the same packets.
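The following Python script is an added example for this lesson, not code from the course: it splits constructed tcpdump lines (written in the form `tcpdump -n -i eth0` prints for IPv4 TCP and UDP, using the 192.0.2.0/24 documentation range) into the four fields listed above, then re-implements the two filter expressions shown in this lesson (destination host plus destination port, and traffic between two hosts) over the parsed packets, so the effect of each filter can be seen without a live capture. The SERVICES table is an assumption standing in for the /etc/services lookup tcpdump performs.

```python
"""Parse tcpdump text output and apply host/port filters to it.

Added example for this lesson, not code from the course. The sample
lines are constructed in the form that `tcpdump -n -i eth0` prints for
TCP and UDP over IPv4 (-n keeps addresses and ports numeric).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output (not a real capture); 192.0.2.0/24 is a
# documentation range. Layout: timestamp, "IP", src host.port, ">",
# dst host.port, then information from the TCP/UDP header.
SAMPLE_OUTPUT = """\
10:15:02.123456 IP 192.0.2.10.51234 > 192.0.2.20.23: Flags [S], seq 1000, win 64240, options [mss 1460], length 0
10:15:02.123900 IP 192.0.2.20.23 > 192.0.2.10.51234: Flags [S.], seq 5000, ack 1001, win 65160, length 0
10:15:02.124100 IP 192.0.2.10.51234 > 192.0.2.20.23: Flags [.], ack 1, win 64240, length 0
10:15:03.500000 IP 192.0.2.30.40000 > 192.0.2.20.53: 4711+ A? example.com. (29)
10:15:03.500800 IP 192.0.2.20.53 > 192.0.2.30.40000: 4711 1/0/0 A 203.0.113.5 (45)
10:15:04.000000 IP 192.0.2.30.40001 > 192.0.2.40.22: Flags [S], seq 2000, win 64240, length 0
"""

# Service names accepted in filters such as `dst port telnet`; tcpdump
# resolves them via /etc/services, mirrored here (assumed table).
SERVICES = {"telnet": 23, "ssh": 22, "domain": 53}

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"^Flags \[(?P<flags>[^\]]*)\]")


@dataclass
class Packet:
    ts: str                 # field 1: time stamp
    src: str                # field 2: source host ...
    sport: int              #          ... and port
    dst: str                # field 3: destination host ...
    dport: int              #          ... and port
    proto: str              # "tcp" when tcpdump printed TCP flags, else "udp"
    flags: Optional[str]    # e.g. "S", "S.", "." for TCP; None for UDP
    info: str               # field 4: remainder of the line (seq/ack, DNS query, ...)


def parse_line(line: str) -> Optional[Packet]:
    """Split one tcpdump line into its fields; None if not IPv4 TCP/UDP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    info = m.group("rest")
    fm = FLAGS_RE.match(info)
    # tcpdump prints "Flags [...]" only for TCP segments; for this sample
    # everything else is treated as UDP (a heuristic, sufficient here).
    return Packet(
        ts=m.group("ts"),
        src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")),
        proto="tcp" if fm else "udp",
        flags=fm.group("flags") if fm else None,
        info=info,
    )


def parse_output(text: str) -> List[Packet]:
    """Parse every recognised line of a tcpdump capture, skipping the rest."""
    pkts = [parse_line(ln) for ln in text.splitlines() if ln.strip()]
    return [p for p in pkts if p is not None]


def port_number(port) -> int:
    """Accept a number or a service name, as tcpdump's `port` primitive does."""
    return port if isinstance(port, int) else SERVICES[port]


def incoming_traffic(pkts: List[Packet], my_machine: str, port) -> List[Packet]:
    """Equivalent of: tcpdump -n -i eth0 dst host my_machine and dst port <port>"""
    p = port_number(port)
    return [x for x in pkts if x.dst == my_machine and x.dport == p]


def traffic_between(pkts: List[Packet], a: str, b: str) -> List[Packet]:
    """Equivalent of: tcpdump -n -i eth0 host a and host b, i.e.
    '(src host a and dst host b) or (src host b and dst host a)'."""
    return [x for x in pkts if {x.src, x.dst} == {a, b}]


if __name__ == "__main__":
    packets = parse_output(SAMPLE_OUTPUT)
    print("telnet traffic into 192.0.2.20:")
    for p in incoming_traffic(packets, "192.0.2.20", "telnet"):
        print(f"  {p.ts} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.proto} flags={p.flags}")
    both = traffic_between(packets, "192.0.2.10", "192.0.2.20")
    print("packets between 192.0.2.10 and 192.0.2.20:", len(both))
```

Running it prints the two telnet segments sent to 192.0.2.20 (the SYN and the ACK completing the handshake; the server's SYN-ACK is excluded because its destination port is the client's ephemeral port) and counts three packets in the bidirectional filter. Lines tcpdump prints for other protocols (for example ARP requests) do not match the pattern and are skipped rather than misparsed.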

traceroute and tcpdump - Quiz

Click the Quiz link below to take a short multiple-choice quiz on traceroute and tcpdump.