TCPDUMP - Network Packet Capture and Analysis

Video Statistics and Information

Captions
Hi friends, good day to you. Today I'm making a demonstration about the utility tcpdump to analyze your network traffic. tcpdump is a command-line utility that can capture all the packets that flow in or out of an interface on a Linux system. This command-line utility can be very important, especially when you need to resolve issues; some issues you might only be able to resolve by getting insight into the protocols and traffic that flow on your interface. Another reason why this command may be important is if you just want to study network traffic, or maybe you want to study a particular protocol. Maybe you are a student and you are just learning about HTTP and you want to know what messages actually flow over the wire when you use HTTP. These are all reasons why you might want to use this particular command. So let's go to the terminal, where I will show you what we can do with this command.

I am on a CentOS server. tcpdump is available on most Linux distributions; if you don't find it on your system, you can install it with your default package manager. Let's look at the man page first: man tcpdump. Like I said, it dumps traffic on a network. If I run tcpdump on its own on this server, you see it just keeps capturing all the packets coming in or going out of my system, but this is not the best way to use this command. Like with most utilities in Linux, the best way is to use the options, so let's look at the help. We have a lot of options that we can use with this command; I will be demonstrating a couple of them to you.

The first one I will demonstrate is tcpdump -D, capital D. What this does is tell us all the interfaces that we can capture packets on. You might not want to capture packets on all these interfaces, because some of them, for example nflog and nfqueue, you might not be interested in capturing on. That is why we have another option, -i: tcpdump -i, to specify the particular interface that I want to capture packets on. Let me list the interfaces on my system: I have one loopback interface, and I have eth0 and eth1, so basically I have two Ethernet interfaces. I will capture on the first one, eth0.

So again, tcpdump -i eth0 gives us information on the traffic, but it would be good if I could store this output somewhere so that I can review it later, for example if I want to capture what goes on on this network in a certain time frame. That is why I will introduce the -w option; -w is for writing to a file. So I can say tcpdump -i eth0 -w capture.pcap; .pcap is the usual extension for a packet capture. Let me press Enter. The capture is going on, and like you see here, this is the number of packets captured so far. If my server were a high-traffic server, this count would go up very fast. I will type Ctrl-C to stop. It shows how many packets were captured and how many were received by the filter. Now let me look at this file. Let's try to look at it with less, but less tells me this is a binary file. So this is not really useful, because it is a binary file and we can't view it as a text file.

So how can we use this packet capture file? One way you can view it is to send it to a tool like Wireshark, or to another utility, tshark; tshark is the command-line version of Wireshark. So I can read the packet capture I have with tshark -r. With tshark I'm able to read this file, and it shows me the packets I captured: the first packet was SSH going from 192.168.1.8 to 10.0.0.150. So that is one way to use this. Let's look at other options.

The next option I will introduce to you is -c, for count. Basically, rather than capturing a whole lot of packets, I can say I want to capture the first ten packets: tcpdump -i eth0 -c 10 is going to capture the first ten packets. You see it captured ten packets and exited. Now let's capture one packet so that I can explain to you the fields that are in these packets: tcpdump -i eth0 -c 1. I captured only one packet. The first field that you see here is the timestamp. The next field is the type of packet; this is an IP packet, and IP essentially means IPv4, IP version 4. Then it tells us where this packet is going from: server1.novalocal, then a dot, then the name of the service, ssh, so that is server1.novalocal.ssh, going to 10.0.0.150 port 59816. Next you see the flags; this part is the TCP part: the TCP flags, the sequence number, the acknowledgment, the window size, then the TCP options. So that is one packet that we can capture.

The timestamp you see here we can view in different ways with the help of another option, -t. The number of t's you can look up in the man page, depending on what format you want. Let's use -ttt; see how the timestamps came out this time. Let's include one more t, which changes the timestamp again: now it shows the date, 2017-01-23, then the time, then the time elapsed to capture this packet. So that is for the timestamp.

I have introduced a couple of options: -i is very important, most times you are going to run tcpdump with -i because you need to specify the particular interface you want to capture on; -c is for the count of packets you want to capture; and -ttt is for the format of the timestamp. Now let's see what else we can do. You can actually capture different kinds of traffic. I'm going to generate some traffic on this server and then show you what is captured. I will say tcpdump -i eth0 -c 5, and what I'm going to do is ping this server, server 1, from my other server: ping 192.168.1.8. Now let's see what's going on here. Oh sorry, I never pressed Enter; I wrote the command but never pressed Enter. Okay, let's do the experiment again.

Let me actually introduce something to you: I can capture a specific type of traffic. If I run this while a lot of traffic is going on but I'm interested only in ICMP traffic, I can capture only ICMP: tcpdump -i eth0 icmp. I'm running the command, but nothing has been captured because there is no ICMP traffic going on. I can generate some ICMP traffic by pinging, and you see, it has captured a couple of packets for us. Let me stop the ping. Like I said, the first field is the timestamp, the next is IP, the type of packet. This is the source of the traffic, which is my server 2, and the destination is server1.novalocal. After the IP layer, the next layer is ICMP, so this tells me this is an ICMP echo request. If you are familiar with ICMP, it sends an echo request and gets an echo reply, and you can see the echo request and the echo reply. So I am able to capture a specific kind of traffic.

Let's look at another option, the verbose option. If I want this capture to be more verbose, I will use -v. Depending on the level of verbosity that I want, that determines how many v's I will use. Let's say I use only one, and I want to capture traffic of type icmp. Let's run our ping again. Now you can see it has a little more information for us than we had earlier. We can still see the timestamp, then IP, and now we can look at the information in the IP packet itself: the type of service, the time to live, 64, the ID, the offset, the flags, which tell us whether the don't-fragment flag is set, then the proto, which is ICMP, and the length of the packet, which is 84. Then we see the source of the traffic, the destination, ICMP echo request, the ID, the sequence number and the length. So I got more information because I used the verbose flag. If we increase the verbosity, -vv, we should get even more information about our traffic. Let's do it again; let's start the ping again, then stop the ping. Let's see if we got more information. Actually, I think the information here is the same as before, so maybe that's how much information we can get on this particular ICMP packet.

Let's move a little further. On my server 1 I actually have an Apache web server running, so if I curl localhost, this is server 1. Now let's capture HTTP traffic rather than ICMP. Again I can specify something like port 80, or I can do dst port 80 if I want traffic that is going to destination port 80. So this time, from my server 2, instead of pinging I will do a curl to server 1. Let's look at what we got. We got a couple of packets; the type of traffic now is TCP and HTTP. I thought we could actually use http as a filter, but it doesn't work; http is not part of the filter syntax, so you use something like port 80. Let me reduce the verbosity; remove it; we just want to see traffic that involves port 80. Let me do the curl again. Now we see all the messages exchanged for this curl. The first message is the SYN packet, the second one is the acknowledgment, the SYN-ACK, then the ACK. Let's do it again with increased verbosity. Now we can see all the messages that were exchanged to serve this web page, because the curl is a call to our server 1. We see the TCP-related traffic and options, things like the maximum segment size, selective acknowledgement, the timestamp value, I think I forgot what TS val and ECR stand for, and the window scale is 7. These are basically all the TCP options that were used, and the TCP checksum.

Apart from this, we can actually look at the HTTP traffic by using the option -A, for ASCII, if you want to print the packets as ASCII text. Let's do the curl again. Now we are printing ASCII text, and if you look through, you can see how HTTP works: if you're familiar with HTTP 1.1, here are all the headers, and you can see the response. This is server 1, and here are the HTTP-related headers.

I think one thing I should show you, so that we can read these packets better, like I introduced earlier with tshark: we can write this output to a file, capture.pcap. I'll run the curl again. We don't see any output now because I'm writing to a file. I set the count to ten, so we are expecting to see ten packets. Let me read capture.pcap with tshark -r. So we see a little more for this curl with tshark. We are able to see the exact three packets, like I said, the first three TCP messages when a client wants to open a socket; this is referred to as the three-way handshake. You see the SYN, then the SYN-ACK, then the acknowledgment. After the acknowledgement we get the data, so you see HTTP GET. After the GET there's an ACK, then the HTTP 200 OK, then an ACK. All these three packets here, actually four, packets four, five, six and seven, are related to getting the data of the web page. Then the last three packets are related to closing the socket. So you see we have FIN and ACK. Like opening a socket, we have to close the TCP socket also, with the same sequence of messages: the client has to send a FIN and the acknowledgement, the server also replies with a FIN and acknowledgement, and finally the client has to acknowledge. So the same kind of handshake has to happen before the socket can be closed. So this is a demonstration of how you can use tcpdump to study your network protocols.

Let's see what other options we can introduce. Another option is -S, uppercase S. When we run tcpdump with this, for the TCP protocol, -S allows us to see the absolute sequence numbers, so rather than using relative sequence numbers we actually see the absolute ones. The first sequence number is called the initial sequence number, and from there you see the size of the sequence numbers is bigger. So -S is for absolute sequence numbers.

I can't show you all of the options, but I have shown you most of the common ones to use. One more thing I can show is the filters. For example, like I showed you earlier, you can use filters to get cleaner output. Filters refer to things like port 80, and I can use something like port 80 and port 22, so this will capture both port 80 and port 22. Or something like tcp: with tcp it captures only TCP, or udp to capture only UDP. Let's try something: let's generate some UDP traffic. I just opened the same server on a separate terminal, and I have dig. I can dig google.com, so you see I generated UDP traffic, and DNS uses UDP. So if you want to look at what goes on with DNS, these are the DNS messages that were exchanged. You see these are the IPs, you see it is UDP, and there is something like an A query that is trying to get the A record of google.com, and options like the UDP size, 4096. So if you want to study what's going on when you do DNS, this is an example of it.

One last thing I would like to show you is the -n option. Let me run tcpdump on port 80 and run the curl again. You see when we run this we get things like server1.novalocal.http. If you want to get the actual IP address rather than resolving the name, you can use it with -n. If we run the curl again, rather than getting the hostname we get the IP address; we are still getting http rather than port 80, and we can fix that just by adding one more n, -nn. If we run the curl again, now we see 192.168.1.8.80. So that is a way to make sure we see the actual IP address and port rather than the name.

With all the options that I've introduced to you, if you combine them you will be able to do a lot of things with this command. One thing that I want to show you quickly is that you can use a filter with an IP address to see only traffic that originated from that address: src host with the IP. So I see traffic that originates only from this IP address. Filters are really very useful; I can combine it with src and port 80 to see only the traffic from this IP address on that port. You see we are not seeing anything, because I added "and port 80"; if I generate port 80 traffic again, now you see we only have half of our HTTP traffic, we see only packets that originate from 192.168.1.8 and port 80. So see how we can combine filters, which makes them very powerful.

And like I showed you, you can write to a file. I think writing to a file is a very powerful thing: when you write to a file, if you cannot view it in the terminal, or it's difficult, you can transport the file to a desktop that has Wireshark running, or use tshark like I showed you. I introduced the use of tshark to read the captured data. So those are ways by which, if you cannot use tshark on the command line, you can transport it to a desktop where you can use Wireshark. I think this is good enough for this video. If you want to learn more, you can look at the man pages and try combinations of all these options I've introduced to you. I hope you'll find it useful. I hope you enjoyed the video and learned one or two things. Thank you.
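The video shows that a .pcap file is binary and explains the fields of tcpdump's one-line output (timestamp, IP, source > destination, ICMP echo request/reply, TCP flags, seq, ack, window) and the relative versus absolute sequence numbers of -S. As an added example, not code from the video, the Python below writes a constructed libpcap file containing a ping exchange and a TCP three-way handshake to port 80, then parses it back into tcpdump-style lines; addresses, ports, IDs and sequence numbers are made up, and checksums are left at zero.

```python
import struct
FLAG_NAMES = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, ".")]

def ipv4_frame(src, dst, proto, payload):
    """Constructed Ethernet+IPv4 frame: zero MACs, TTL 64, DF set, checksum left 0 (nothing checks it here)."""
    s, d = (bytes(int(o) for o in a.split(".")) for a in (src, dst))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0, s, d)
    return b"\x00" * 12 + b"\x08\x00" + ip + payload
def tcp_segment(sport, dport, seq, ack, flags, win=29200):
    """TCP header without options (data offset 5), checksum left 0."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, win, 0, 0)
def icmp_echo(kind, ident, seq):
    """ICMP echo (8 = request, 0 = reply) carrying ping's usual 56-byte payload."""
    return struct.pack("!BBHHH", kind, 0, 0, ident, seq) + b"x" * 56

def write_pcap(records):
    """Classic libpcap file: global header (magic, v2.4, snaplen, linktype 1 = Ethernet) + per-packet records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def read_pcap(data, absolute_seq=False):
    """One tcpdump-like line per IPv4 packet (numeric, as with -nn); absolute_seq mimics -S."""
    if data[:4] != b"\xd4\xc3\xb2\xa1" or struct.unpack("<I", data[20:24])[0] != 1:
        raise ValueError("expected a little-endian microsecond pcap with LINKTYPE_ETHERNET")
    lines, pos, isn = [], 24, {}
    while pos + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack("<IIII", data[pos:pos + 16])
        frame, pos = data[pos + 16:pos + 16 + caplen], pos + 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue                                    # not IPv4 (e.g. ARP): skip
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        l4 = frame[14 + ihl:]
        ts = f"{sec % 86400 // 3600:02d}:{sec % 3600 // 60:02d}:{sec % 60:02d}.{usec:06d}"
        if proto == 1:                                  # ICMP
            kind, _, _, ident, seq = struct.unpack("!BBHHH", l4[:8])
            name = {8: "echo request", 0: "echo reply"}.get(kind, f"type {kind}")
            lines.append(f"{ts} IP {src} > {dst}: ICMP {name}, id {ident}, seq {seq}, length {len(l4)}")
        elif proto == 6:                                # TCP
            sp, dp, seq, ack, _, fl, win = struct.unpack("!HHIIBBH", l4[:16])
            flags = "".join(n for bit, n in FLAG_NAMES if fl & bit)
            isn.setdefault((src, sp, dst, dp), seq)     # first seq seen on a flow is its ISN
            rev = isn.get((dst, dp, src, sp))           # ISN of the reverse direction, if seen
            show_seq = seq if absolute_seq or fl & 0x02 else seq - isn[(src, sp, dst, dp)]
            show_ack = ack if absolute_seq or rev is None else ack - rev
            ackstr = f", ack {show_ack}" if fl & 0x10 else ""
            lines.append(f"{ts} IP {src}.{sp} > {dst}.{dp}: Flags [{flags}], seq {show_seq}{ackstr}, win {win}")
    return lines

def demo():
    """Constructed capture: a ping exchange, then a TCP three-way handshake to port 80 (made-up addresses)."""
    a, b = "192.168.1.8", "10.0.0.150"
    caps = [(1485129600, 0, ipv4_frame(a, b, 1, icmp_echo(8, 1234, 1))),
            (1485129600, 500, ipv4_frame(b, a, 1, icmp_echo(0, 1234, 1))),
            (1485129601, 0, ipv4_frame(a, b, 6, tcp_segment(40000, 80, 1000, 0, 0x02))),
            (1485129601, 300, ipv4_frame(b, a, 6, tcp_segment(80, 40000, 5000, 1001, 0x12))),
            (1485129601, 600, ipv4_frame(a, b, 6, tcp_segment(40000, 80, 1001, 5001, 0x10)))]
    return read_pcap(write_pcap(caps)), read_pcap(write_pcap(caps), absolute_seq=True)
```

The same bytes written to disk can be opened with tshark -r or Wireshark, which is the round trip the video takes with capture.pcap.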
Info
Channel: dolastack devops
Views: 11,020
Keywords: tcpdump, tshark, wireshark, linux networking, tcp/ip
Id: tN1YzH9Wb4Q
Length: 34min 35sec (2075 seconds)
Published: Sun Jan 22 2017