Tcpdump

TCP

Add notes: https://packetlife.net/blog/2010/jun/7/understanding-tcp-sequence-acknowledgment-numbers/

UNDER CONSTRUCTION, PLEASE VISIT BACK SOON. https://support.rackspace.com/how-to/capturing-packets-with-tcpdump/ https://linux.die.net/man/8/tcpdump https://opensource.com/article/18/10/introduction-tcpdump https://www.thegeekdiary.com/examples-of-using-tcpdump-command-for-network-troubleshooting/ This one

How to use tcpdump for capturing packets on Linux Main Text

Environment - Amazon Linux - RHEL - CentOS - Ubuntu

Issue - How can I take packet capture with command line on Linux ?

Installation

You need to install tcpdump command first with the following command. - Amazon Linux/RHEL/CentOS

$ sudo yum install tcpdump

- Ubuntu

$ sudo apt-get install tcpdump

$ sudo tcpdump -i <INTERFACE> -s0 -w <OUTPUT FILE> host <IP ADDRESS> and port <PORT NUMBER>
$ sudo tcpdump -i eth0 -s0 -w output.pcap host 10.12.34.56 and port 80

$ sudo tcpdump -nv host x.x.x.x

# Common caputre commands (same as above, sorta): 
$ sudo tcpdump -i eth0 -n dst host x.x.x.x -w output.pcap

Ways to do packet capture simultaneously on both ends:

Most of the time, what you need is both src and dst packet capture at the same time so that we can compare them. So you would want three terminals, one for source, one for dest., one to push traffic.

On Source: 172.31.16.50 : 18.219.0.161, run:

$ sudo tcpdump -i eth0 -s0 dst host 18.217.17.82 and dst port 22  
$ sudo tcpdump -i eth0 -s0 dst host 172.31.41.139 and dst port 22 (Using private IPs worked)
$ sudo tcpdump -i eth0 dst 18.217.17.82 and dst port 22 
$ sudo tcpdump -i eth0 dst 172.31.41.139 and dst port 22 
$ sudo tcpdump -i eth0 -s0 -w output.source.pcap dst host 18.217.17.82 and port 22

On Destination: 172.31.41.139 : 18.217.17.82, run:

$ sudo tcpdump -i any -s0 host 18.219.0.161 and port 22 
$ sudo tcpdump -i eth0 -s0 host 18.219.0.161 and port 22 
$ sudo tcpdump -i eth0 -s0 host 172.31.16.50  and port 22 (Using private IPs worked)
$ sudo tcpdump -i eth0 src 172.31.16.50  and port 22 
$ sudo tcpdump -i any -s0 -w output.destination.pcap host 18.219.0.161 and port 22 
$ sudo tcpdump -i any -s0 -w output.destination.pcap port 22 
$ sudo tcpdump -i eth0 -s0 port 22 (Works but it will just capture everything happening on port 22)

Then on a third terminal run ssh or MTR

$ mtr -n -T -P 22 -c 200 <destination_ip_address> --report

THIS MIGHT BE EASIER: To monitor traffic on both directions between host_a and host_b you can use:

# tcpdump -nli eth6 host <host_a> and <host_b>

Other notes from case (one directional):

# On the Destination instance, run the following command to take packet capture. This command will save the data to the output.pcap file:
$ sudo tcpdump -i eth0 -s0 -w output.pcap host <source_ip_address> and port 80

# On the source instance, run MTR command with the -P flag to specify port 80. Please share with us the output of the MTR tests as well:
$ mtr -n -T -P 80 -c 200 <destination_ip_address> --report

By default, tcpdump captures packets on eth0. We can specify a different interface using the -i command line flag. This command captures all packets on the eth1 interface:

$ sudo tcpdump -i eth1

Use this command to capture packets for a specific port:

$ sudo tcpdump port 80

Now let’s be more specific and capture only packets with destination port 80. If you have a web server on your cloud, you can use the command below to see incoming packets.

$ sudo tcpdump dst port 80

You can also capture packets for a specific host. This command catches packets coming only from IP 1.2.3.4:

$ sudo tcpdump src host 1.2.3.4

Tcpdump can take logical arguments such as and, as well as or. You can use logical statements in a tcpdump command. For example, this command catches all the SSH packets going from an SSH server to a client with IP 1.2.3.4:

$ sudo  tcpdump "src port 22" and "dst host 1.2.3.4"

-i is used to specify the interface. -n tells tcpdump to not resolve IP address to URLs (reduce DNS queries on the network by you, if not, you will be creating more traffic while capturing). -w writes to a file that can be exported and analyzed by tools like wireshark.

Analyzing Packet Capture

PCAP file sotres data in binary format. You can read the PCAP file using the -r switch available in tcpdump. You cannot read a PCAP file using regular commands like cat, tail, etc. :

$ tcpdump -r /path/to/file

-r Read packets from file (which was created with the -w option or by other tools that write pcap or pcap-ng files).

You can also view the PCAP file using Wireshark - Wireshark is an open source tool for analyzing packets and profiling network traffic.
You can copy the PCAP file from EC2 instance to local machine using scp.

Tip: You can tell where the packet capture was taken by looking at the IPs. If the IP is private, it was likely taken on that host. If the IP is public, it's likely wasn't captured on that host.

Wireshark Options

Here are some examples of Wireshark preferences.

Wireshark -> Preferences -> Protocols -> TCP -> untick the relative sequence numbers option. This will allow us to see the absolute sequence numbers of TCP packets in flight.

View -> Untick Packet Bytes. This is a useless section and just eats up space on the screen.

Per James, be sure to follow 1 tcp stream. You can do so by doing the following steps in Wireshark: Analyze > Follow > TCP Stream.

How to filter in Wireshark

In the filter box at the top of wireshark, some common ways to filter to make things easier to read:

ip.addr == x.x.x.x
tcp.flags.reset==1
tcp.srcport==443
tcp.port==25
tcp.seq == 3817801554
- Click on a packet, in the bottom details of wireshark, search for Transmission Control Protocl > right click on Sequence Number: 3817801554 > Apply as filter > selected.

For example:

ip.addr == x.x.x.x && tcp.port==25

MTU & MSS

MSS - Maximum Segment Size: Maximum amount of data in bytes that can be the payload of a TCP segment.

MTU - Maximum Transmission Unit: The largest network layer packet in bytes that can be transferred across the internet.

MTU = MSS + TCP & IP headers.

Example: In the PCAP snippet where www.thegeekstuff.com was visited, 1514 bytes is the MTU, sequence number 252.

Navigation menu