BSD Newsletter.com
This is the BSDA Study Guide Book written via a wiki collaboration. This is a work in progress. You may contribute to or discuss this specific page at http://bsdwiki.reedmedia.net/wiki/Demonstrate_basic_tcpdump__40__1__41___skills.html.

Demonstrate basic tcpdump(1) skills

Concept

Given some tcpdump(1) output, an admin should be able to answer basic network connectivity questions. This includes recognizing common TCP and UDP port numbers, the difference between a TCP/IP server and a TCP/IP client, and the TCP three-way handshake.

Introduction

You are having problems connecting to an application server on the network. Where do you start? One place to start is to look at what traffic is actually passing between the nodes. tcpdump is a utility that ships with *BSD and lets you see that traffic.

Examples

Let's say you know that people are having trouble getting a DHCP address on the network. Since more than one person is affected, you wonder whether the server is not responding, or whether the problem lies in the network itself. Using the command "tcpdump dst port bootpc" we can see what traffic is being sent to the DHCP client port (bootpc, port 68), i.e. the server's replies.

# tcpdump dst port bootpc
tcpdump: listening on le0
12:14:03.941390 pmax.smithclan.prv.bootps > dhcp-ip97.smithclan.prv.bootpc:  xid:0x44e7 C:dhcp-ip97.smithclan.prv Y:dhcp-ip97.smithclan.prv S:pmax.smithclan.prv [|bootp]

Some other useful tcpdump options:

# tcpdump -i fxp0

where fxp0 is your network interface. This is very useful when your box has more than one network interface and you want to sniff traffic on one of them without seeing traffic from the others.

# tcpdump -X -i fxp0

This shows each packet from interface fxp0 in both hex and ASCII. It is useful when you want to look inside the packet.

TODO: Look also at the -x, -xx and -XX options.
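As an added illustration of the questions listed under Concept (this script is not part of the original study guide), the following Python reads a few constructed lines in the modern "tcpdump -n" TCP output format (the "Flags [S]" style, not the older style shown in the DHCP example above), treats the sender of the bare SYN as the client and the receiver as the server, names the server port from a small well-known-port table, and reports whether each connection completed the three-way handshake or was refused with a RST.

```python
import re

# Well-known ports the study guide expects an admin to recognise (as in /etc/services).
SERVICES = {22: "ssh", 23: "telnet", 25: "smtp", 53: "domain", 67: "bootps",
            68: "bootpc", 80: "http", 110: "pop3", 143: "imap", 443: "https"}

# One line of modern "tcpdump -n" TCP output, e.g.
# 12:14:05.123456 IP 192.0.2.10.49152 > 198.51.100.5.80: Flags [S], seq 1000, ...
LINE_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                     r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")

def classify_connections(lines):
    """Track each TCP connection attempt through the three-way handshake.
    The host sending the bare SYN is the client, the host it is sent to is the server.
    Returns {(client, server): (service, status)}, status being one of
    'syn-sent', 'syn-acked', 'established' or 'refused' (server answered with RST)."""
    conns = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:            # not a TCP line (UDP, ARP, ...): ignore it
            continue
        src = f"{m['src']}.{m['sport']}"
        dst = f"{m['dst']}.{m['dport']}"
        flags = m["flags"]
        if flags == "S":                       # step 1: SYN, client -> server
            conns[(src, dst)] = (SERVICES.get(int(m["dport"]), "unknown"), "syn-sent")
        elif (dst, src) in conns:              # a reply from server -> client
            svc, status = conns[(dst, src)]
            if "R" in flags:                   # nothing listening: connection refused
                conns[(dst, src)] = (svc, "refused")
            elif flags == "S." and status == "syn-sent":   # step 2: SYN-ACK
                conns[(dst, src)] = (svc, "syn-acked")
        elif (src, dst) in conns and flags == "." and conns[(src, dst)][1] == "syn-acked":
            conns[(src, dst)] = (conns[(src, dst)][0], "established")  # step 3: ACK
    return conns

# Constructed sample capture (not real traffic): a successful HTTP connection
# from 192.0.2.10 to 198.51.100.5, then a telnet attempt the server refuses.
SAMPLE = """\
12:14:05.123456 IP 192.0.2.10.49152 > 198.51.100.5.80: Flags [S], seq 1000, win 65535, length 0
12:14:05.123789 IP 198.51.100.5.80 > 192.0.2.10.49152: Flags [S.], seq 2000, ack 1001, win 65535, length 0
12:14:05.124012 IP 192.0.2.10.49152 > 198.51.100.5.80: Flags [.], ack 2001, win 65535, length 0
12:14:06.000000 IP 192.0.2.10.49153 > 198.51.100.5.23: Flags [S], seq 3000, win 65535, length 0
12:14:06.000200 IP 198.51.100.5.23 > 192.0.2.10.49153: Flags [R.], seq 0, ack 3001, win 0, length 0
""".splitlines()

if __name__ == "__main__":
    for (client, server), (svc, status) in classify_connections(SAMPLE).items():
        print(f"client {client} -> server {server} ({svc}): {status}")
```

Without -n, tcpdump resolves host names and prints service names instead of port numbers, so the regex above would not match that output.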

Practice Exercises

  1. Sniff traffic from all your interfaces.
  2. Sniff from a specific interface.
  3. Look inside the packets while you use a service (such as ping or telnet).

More information

tcpdump(1)
