Tcpdump For Absolute Newbies - Part 1

March 5, 2007

Tcpdump is one of the best network sniffers around, and it is not something you buy: you download it for free. It produces a lot of output, and you need to know how to interpret it. Run without a filter, a packet limit (-c) or a pipe (|) to the more command, it will flood your terminal faster than you can read. Keep in mind that it needs root (or capture) privileges and that whatever it captures, including cleartext passwords, ends up on your screen or in your capture file.

To understand tcpdump, you need to understand at least the basics of TCP and UDP. So here are my 10-second TCP and UDP tutorials.

A) TCP

TCP is a connection-oriented protocol. It is reliable and ordered. Web traffic (HTTP) runs on top of it. A connection between host A and host B starts out with a three-way handshake, like this:

IP A – SYN
IP B – SYN ACK
IP A – ACK

B) UDP

UDP is a simple connectionless protocol. It is unreliable and unordered. It is like throwing popcorn into your mouth one piece after the other: nobody checks that every piece arrives, or in what order. That is also why it can be pretty fast, because nobody is verifying and reordering the packets.

So how do we use this? Because tcpdump filters are boolean expressions (primitives such as host, port and tcp can be combined with and, or and not, for example host 208.65.153.251 and tcp port 80), you can build some pretty complicated filters. In our case we want to troubleshoot our web connection to youtube.com, which at the time of writing resolved to 208.65.153.251. So we tell tcpdump to listen on the eth0 interface and show only traffic to or from the host 208.65.153.251. The output of the command is as follows:

[root@enterprise ~]# tcpdump -i eth0 host 208.65.153.251
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:40:27.762271 IP blog.lxpages.com.37670 > 208.65.153.251.http: S 536184889:536184889(0) win 5840
10:40:27.809184 IP 208.65.153.251.http > blog.lxpages.com.37670: S 283485771:283485771(0) ack 536184890 win 8190
10:40:27.809196 IP blog.lxpages.com.37670 > 208.65.153.251.http: . ack 1 win 5840

Because this is a TCP connection, recall from our TCP tutorial that it should start with a handshake, and these three lines are exactly the three-way handshake. In line 1 the SYN is shown as S. In line 2 the SYN ACK is shown as S together with ack 536184890, which is our initial sequence number plus one. In line 3 the ACK is shown as a dot (meaning no SYN, FIN, RST or PUSH flag is set) together with ack 1. The dot is not a typo: after the first two packets tcpdump switches to relative sequence and acknowledgement numbers, which is why line 3 says ack 1 rather than 283485772.

If this connection did not go through, we would see something like this

[root@enterprise ~]# tcpdump -i eth0 host 208.65.153.251
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:47:38.322846 IP blog.lxpages.com.37946 > 208.65.153.251.http: S 995240639:995240639(0) win 5840
10:47:41.323078 IP blog.lxpages.com.37946 > 208.65.153.251.http: S 995240639:995240639(0) win 5840
10:47:47.321887 IP blog.lxpages.com.37946 > 208.65.153.251.http: S 995240639:995240639(0) win 5840

We see here that our host sends three SYNs and never gets a SYN ACK, which indicates that we cannot reach the host on that port. Notice the timing: the second SYN goes out 3 seconds after the first and the third 6 seconds after that, because the kernel doubles the wait between retransmissions. Silence is also different from a refusal. If the host were reachable but nothing were listening on port 80, it would normally answer the first SYN right away with a RST (shown as R). Three unanswered SYNs therefore point at a firewall dropping the packets, a routing problem or a host that is down, not at a closed port.
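To make the two captures above mechanically checkable, here is an added example (my code, not from the original post) that parses tcpdump's text output for TCP, groups packets by the client endpoint that sent the first bare SYN, and reports whether the handshake completed, the SYNs went unanswered as in the second capture, or the server refused with a RST. It understands the legacy flag syntax shown in this 2007 output (S 536184889:536184889(0)) as well as the newer Flags [S.] syntax that current tcpdump versions print. The sample input is the six lines from the two captures above plus two constructed lines for a refused connection from a made-up client port 38012; those two lines, their sequence numbers and the port are assumptions, not captured data.

```python
"""Classify TCP connection attempts from tcpdump text output.

Added example; not part of the original post. The sample lines below are
the post's own output plus two constructed lines (client port 38012) that
show what a refused connection looks like. Plain python3, no extra modules.
"""
import re
from collections import defaultdict

# One tcpdump TCP line in either flag syntax:
#   legacy:  ...: S 536184889:536184889(0) win 5840
#   current: ...: Flags [S.], seq 200, ack 101, win 8190, length 0
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6? (?P<src>\S+) > (?P<dst>\S+): '
    r'(?:Flags \[(?P<new>[^\]]*)\]|(?P<old>[SRFP.]+)(?= ))'
)
# Both syntaxes print "ack N" when the ACK flag is set.
ACK_RE = re.compile(r'\back \d+')

# The two captures from the post, followed by two constructed lines (assumption:
# port 80 is closed on the server, which answers the SYN with a RST).
SAMPLE = """\
10:40:27.762271 IP blog.lxpages.com.37670 > 208.65.153.251.http: S 536184889:536184889(0) win 5840
10:40:27.809184 IP 208.65.153.251.http > blog.lxpages.com.37670: S 283485771:283485771(0) ack 536184890 win 8190
10:40:27.809196 IP blog.lxpages.com.37670 > 208.65.153.251.http: . ack 1 win 5840
10:47:38.322846 IP blog.lxpages.com.37946 > 208.65.153.251.http: S 995240639:995240639(0) win 5840
10:47:41.323078 IP blog.lxpages.com.37946 > 208.65.153.251.http: S 995240639:995240639(0) win 5840
10:47:47.321887 IP blog.lxpages.com.37946 > 208.65.153.251.http: S 995240639:995240639(0) win 5840
10:50:02.100000 IP blog.lxpages.com.38012 > 208.65.153.251.http: S 1716400001:1716400001(0) win 5840
10:50:02.150000 IP 208.65.153.251.http > blog.lxpages.com.38012: R 0:0(0) ack 1716400002 win 0
"""


def ts_seconds(ts):
    """'10:47:41.323078' -> seconds since midnight, as a float."""
    h, m, s = ts.split(':')
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Return a small dict for a TCP line, or None for lines we do not recognize."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flags = m.group('new') if m.group('new') is not None else m.group('old')
    return {
        't': ts_seconds(m.group('ts')),
        'src': m.group('src'),
        'dst': m.group('dst'),
        'syn': 'S' in flags,
        'rst': 'R' in flags,
        'ack': ACK_RE.search(line) is not None,
    }


def classify_flows(text):
    """Map each client endpoint (sender of the first bare SYN) to a verdict."""
    flows = defaultdict(list)
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt:
            flows[frozenset((pkt['src'], pkt['dst']))].append(pkt)

    report = {}
    for pkts in flows.values():
        syns = [p for p in pkts if p['syn'] and not p['ack']]
        if not syns:
            continue  # capture started mid-stream; no handshake to judge
        client = syns[0]['src']
        from_server = [p for p in pkts if p['src'] != client]
        synacks = [p for p in from_server if p['syn'] and p['ack']]
        rsts = [p for p in from_server if p['rst']]
        final_acks = [p for p in pkts
                      if p['src'] == client and p['ack'] and not p['syn'] and not p['rst']]
        if synacks and final_acks:
            state = 'handshake complete'
        elif synacks:
            state = 'SYN-ACK seen, final ACK missing'
        elif rsts:
            state = 'refused (RST from server, port closed)'
        else:
            state = 'SYNs unanswered (dropped by a firewall, or host unreachable)'
        # Seconds between successive SYN retransmissions; the post's capture shows
        # 3 s and then 6 s, the kernel doubling the wait each time.
        gaps = [round(b['t'] - a['t'], 1) for a, b in zip(syns, syns[1:])]
        report[client] = {'state': state, 'syn_count': len(syns), 'retry_gaps': gaps}
    return report


if __name__ == '__main__':
    for client, info in classify_flows(SAMPLE).items():
        print(client, info)
```

Feed it a real capture with tcpdump -i eth0 -n -l 'host 208.65.153.251 and tcp port 80' | python3 classify.py (reading sys.stdin instead of SAMPLE): the -n keeps hostnames out of the output and -l makes tcpdump line-buffer, so the verdicts appear as the packets arrive. Keying flows on the unordered (src, dst) pair is enough here because every line carries the client's ephemeral port.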
