...making Linux just a little more fun!
By Vinayak Hegde
TCP/IP has become the de facto standard protocol suite for communication between computers. IP (Internet Protocol) provides functionality at the network layer (addressing and routing), while TCP (Transmission Control Protocol) provides (virtual) end-to-end connectivity on top of it. The TCP/IP family includes a host of other useful protocols such as ICMP (Internet Control Message Protocol), IGMP (Internet Group Management Protocol) and UDP (User Datagram Protocol). The overwhelming majority of today's networks use TCP/IP, and almost every application incorporates some kind of network functionality, so it has become necessary for every programmer to have at least a working knowledge of TCP/IP.
Communication between computers using TCP/IP takes place through the exchange of packets. Strictly speaking, a packet is the PDU (Protocol Data Unit) at the IP layer; the PDU at the TCP layer is called a segment, and the PDU at the data-link layer (such as Ethernet) is called a frame. In practice, however, the term packet is used loosely for the data unit exchanged between any two TCP/IP layers, as well as between two computers.
This is how an Ethernet frame carrying a TCP segment looks:

+------------+------------+------------+-----------------------------+------------+
|  Ethernet  |     IP     |    TCP     |        Encapsulated         |  Ethernet  |
|   Header   |   Header   |   Header   |            Data             |  Trailer   |
|            |            |            |                             |   (FCS)    |
+------------+------------+------------+-----------------------------+------------+
             <- 20 bytes ->
             <-------- 40 bytes ------->
             <--------------- max length = 1500 bytes --------------->

FCS stands for Frame Check Sequence. The 20 bytes is the IP header and the 40 bytes the IP and TCP headers together, both without options; the 1500 bytes is the maximum Ethernet payload (the MTU), into which the whole IP datagram must fit. The Ethernet header itself is 14 bytes and the FCS 4 bytes.
TCPdump is a utility that lets a user intercept and capture packets passing through a network interface. It is an extremely handy little tool for troubleshooting network applications. Because it captures every packet the interface receives, including other people's traffic, it can be used for unlawful purposes as well; for the same reason it normally has to be run as root.
Normally only the packets addressed to a network interface (its own unicast address, broadcast, and the multicast groups it has joined) are accepted and passed up the TCP/IP protocol stack; packets addressed to other hosts are discarded by the interface. In promiscuous mode the interface accepts every frame it sees, whether or not it is the intended recipient, and passes it up the stack as well. TCPdump works by putting the network interface into promiscuous mode (the -p option tells it not to). Note that on a switched Ethernet the switch forwards each frame only to the port its destination is on, so a host in promiscuous mode sees little beyond its own traffic and broadcasts; a hub, a mirror port on the switch, or a tap is needed to observe other hosts' conversations.
TCPdump uses libpcap, the freely available packet capture library. libpcap is versatile: it works with the BSD Packet Filter, the SVR4 Data-Link Provider Interface (DLPI) and the Linux SOCK_PACKET interface. Tethereal, the command-line version of the popular network traffic analyser Ethereal, also uses libpcap. Tethereal is a powerful tool for analysing network traffic and decodes far more protocols than TCPdump does. Ethereal, the GUI tool, is excellent: it shows the flags and options used in each packet in a hierarchical tree. Its best feature is that it can piece together the segments of a conversation between two computers and show the whole ASCII text that was exchanged ("Follow TCP Stream").
ASCII representation from RFC 791:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                          IP Header Format
ASCII representation from RFC 793:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Acknowledgment Number                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |         Urgent Pointer        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                          TCP Header Format
You can experiment with TCPdump on any interface through which your machine conducts network transactions. To list the interfaces on your computer, give the command

# ifconfig -a
Example #1

This is a snippet (from the file tcpdumpppp) of packets captured on a dialup line (PPP). The -vvv flag tells tcpdump to be very, very verbose; the other switches for controlling verbosity are -v and -vv.

# tcpdump -vvv > tcpdumpppp
tcpdump: listening on ppp0

15:57:58.181078 207.219.33.101.http > 203.94.236.47.33003: P 1:1399(1398) ack 736 win 31856

Read it as: at that time the web server (port http) sent a segment to port 33003 on 203.94.236.47 with the PSH flag set ("P"), carrying bytes 1 through 1398 of its data stream (1398 bytes), acknowledging 736 bytes from the other side, with a receive window of 31856 bytes. The sequence numbers are small because tcpdump saw the start of the connection and prints them relative to the initial sequence number (the -S option prints the absolute values).
Example #2

This packet dump was captured on an Ethernet card (interface eth0):

# tcpdump -a -i eth0

06:21:11.414863 pca03.nt.co.in.ssh > pcc03.mum.nt.co.in.4944: P 252143283:252143331(48) ack 2638534821 win 62780 (DF) [tos 0x10]
[the raw bytes of the packet that followed in the original dump were rendered as control-character escapes and are not reproduced here]

Here an SSH server sends 48 bytes with the PSH flag set; the sequence numbers are absolute because the capture started after the connection had been set up. (DF) is the IP Don't Fragment flag and [tos 0x10] the IP Type of Service byte (minimize delay), both taken from the IP header.
Example #3

The following snippet shows a SYN (connection request) packet. The packet dump was taken on Ethernet.

15:57:56.074928 203.94.236.47.33003 > 216.239.33.101.https: S [tcp sum ok] 937694521:937694521(0) win 5840

The "S" is the SYN flag; 937694521 is the initial sequence number chosen by the client, and "(0)" shows that the segment carries no data. "[tcp sum ok]" means tcpdump verified the TCP checksum (it prints this at -vv and above), and win 5840 is the client's initial receive window.
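To tie the RFC 791 and RFC 793 diagrams above to what tcpdump prints, here is an added example that is not part of the original article: a small C decoder that walks an Ethernet/IPv4/TCP frame field by field, checks every length it reads against the bytes actually captured, verifies the IP header checksum, and renders the segment the way tcpdump does. The sample frame is constructed inside the code from the values of the SYN in Example #3 (addresses, ports, initial sequence number, window, https = port 443); the MAC addresses, IP identification and TTL are made up, and the function names are mine, not tcpdump's.

```c
/* Added example (not from the article): decode an Ethernet/IPv4/TCP frame as laid out in RFC 791 / RFC 793. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

enum { ETH_HLEN = 14, ETHERTYPE_IP = 0x0800, PROTO_TCP = 6 };
enum { TH_FIN = 1, TH_SYN = 2, TH_RST = 4, TH_PSH = 8, TH_ACK = 16 }; /* TCP flag bits, byte 13 */
struct tcp_summary {
    char src[16], dst[16];                 /* dotted-quad IPv4 addresses */
    uint16_t sport, dport, win; uint32_t seq, ack; uint8_t flags;
    size_t payload_len;                    /* TCP payload bytes in this segment */
    int ip_csum_ok;                        /* 1 if the IP header checksum verifies */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }
/* RFC 791 checksum: one's complement of the one's complement sum of the 16-bit
 * words. Over a header that already carries its checksum it yields 0 if intact. */
static uint16_t ip_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += rd16(hdr + i);
    if (len & 1) sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Decode one captured frame: 0 on success, negative if truncated, inconsistent or
 * not IPv4/TCP. Lengths read from the packet are checked before indexing the buffer. */
int decode_frame(const uint8_t *frame, size_t len, struct tcp_summary *out)
{
    if (len < ETH_HLEN + 20) return -1;                 /* no room for an IP header */
    if (rd16(frame + 12) != ETHERTYPE_IP) return -2;    /* EtherType is not IPv4 */
    const uint8_t *ip = frame + ETH_HLEN;
    size_t avail = len - ETH_HLEN, ihl = (size_t)(ip[0] & 0x0f) * 4;   /* IHL in 32-bit words */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ihl > avail) return -3;       /* Version, IHL */
    size_t total = rd16(ip + 2);                        /* Total Length */
    if (total < ihl + 20 || total > avail) return -4;   /* claims more than was captured */
    if (ip[9] != PROTO_TCP) return -5;                  /* Protocol */
    const uint8_t *tcp = ip + ihl;
    size_t tcp_len = total - ihl, doff = (size_t)(tcp[12] >> 4) * 4;   /* Data Offset */
    if (doff < 20 || doff > tcp_len) return -6;
    memset(out, 0, sizeof *out);
    out->ip_csum_ok = (ip_checksum(ip, ihl) == 0);
    snprintf(out->src, sizeof out->src, "%u.%u.%u.%u", ip[12], ip[13], ip[14], ip[15]);
    snprintf(out->dst, sizeof out->dst, "%u.%u.%u.%u", ip[16], ip[17], ip[18], ip[19]);
    out->sport = rd16(tcp);     out->dport = rd16(tcp + 2);
    out->seq = rd32(tcp + 4);   out->ack = rd32(tcp + 8);
    out->flags = tcp[13];       out->win = rd16(tcp + 14);
    out->payload_len = tcp_len - doff;
    return 0;
}

/* tcpdump's summary line: src.port > dst.port: FLAGS first:last(len) [ack N] win W,
 * where last = first + len and "." means none of S, F, R, P is set. */
void format_tcpdump_line(const struct tcp_summary *s, char *buf, size_t n)
{
    char fl[8] = "";
    if (s->flags & TH_SYN) strcat(fl, "S");
    if (s->flags & TH_FIN) strcat(fl, "F");
    if (s->flags & TH_RST) strcat(fl, "R");
    if (s->flags & TH_PSH) strcat(fl, "P");
    if (!fl[0]) strcpy(fl, ".");
    int w = snprintf(buf, n, "%s.%u > %s.%u: %s %u:%u(%zu)", s->src, s->sport, s->dst,
                     s->dport, fl, s->seq, s->seq + (uint32_t)s->payload_len, s->payload_len);
    if (w > 0 && (size_t)w < n && (s->flags & TH_ACK))
        w += snprintf(buf + w, n - (size_t)w, " ack %u", s->ack);
    if (w > 0 && (size_t)w < n) snprintf(buf + w, n - (size_t)w, " win %u", s->win);
}

/* Constructed sample: the SYN of Example #3 as a 54-byte Ethernet frame. The
 * MAC addresses, IP identification and TTL are made up. Returns the length. */
size_t build_syn_frame(uint8_t *buf, size_t cap)
{
    static const uint8_t macs[12] = {0,0x11,0x22,0x33,0x44,0x55, 0,0x66,0x77,0x88,0x99,0xaa};
    static const uint8_t addrs[8] = {203,94,236,47, 216,239,33,101};  /* src, dst */
    if (cap < 54) return 0;
    memset(buf, 0, 54);
    memcpy(buf, macs, 12);
    wr16(buf + 12, ETHERTYPE_IP);
    uint8_t *ip = buf + ETH_HLEN, *tcp = ip + 20;
    ip[0] = 0x45;                        /* Version 4, IHL 5 (20 bytes) */
    wr16(ip + 2, 40);                    /* Total Length: 20 IP + 20 TCP */
    wr16(ip + 4, 0x1234); wr16(ip + 6, 0x4000);   /* Identification; Flags DF, Fragment Offset 0 */
    ip[8] = 64; ip[9] = PROTO_TCP;       /* Time to Live, Protocol */
    memcpy(ip + 12, addrs, 8);           /* Source and Destination Address */
    wr16(ip + 10, ip_checksum(ip, 20));  /* checksum computed with its own field zero */
    wr16(tcp, 33003); wr16(tcp + 2, 443);   /* Source Port, Destination Port (https) */
    wr32(tcp + 4, 937694521u);              /* Sequence Number */
    tcp[12] = 0x50; tcp[13] = TH_SYN;       /* Data Offset 5 (no options), SYN flag */
    wr16(tcp + 14, 5840);                   /* Window */
    return 54;
}

int main(void)
{
    uint8_t frame[64]; struct tcp_summary s; char line[128];
    if (decode_frame(frame, build_syn_frame(frame, sizeof frame), &s) != 0) return 1;
    format_tcpdump_line(&s, line, sizeof line);
    return printf("%s%s\n", line, s.ip_csum_ok ? "" : " [bad ip cksum]") < 0;
}
```

Compile with cc -std=c99 -o decode decode.c and run it; it prints the tcpdump-style line for the constructed SYN. The length checks are the important part: Total Length and Data Offset come from the packet itself, and a decoder that trusts them reads past the end of a truncated or deliberately crafted capture. The TCP checksum is not verified here, since that needs the pseudo-header with the IP addresses as well.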
Example #4

The following packet dump was taken using tethereal on the loopback interface:

# tethereal -i lo

26 19.624878 localhost.localdomain -> localhost.localdomain TCP 33283 > http [FIN, ACK] Seq=877643253 Ack=882239950 Win=37296 Len=0

tethereal prints the frame number and the time since the start of the capture, spells out the flag names in brackets, and labels the sequence, acknowledgment, window and length fields.
While TCPdump is an extremely good tool, it focuses mainly on the TCP/IP protocols, and it does its job well. Ethereal is much more versatile and understands a wide variety of protocols. Its user interface is also well designed, so that even a newcomer can see which packets are being captured and what information they contain, which makes the learning process more enjoyable.
My life changed when I discovered Linux. Suddenly computers became interesting, as I could try out lots of stuff on my Linux box thanks to the easy availability of source code. My interests are predominantly in the fields of networking, embedded systems and programming languages. I currently work for Aparna Web services, where we make Linux accessible for academia/corporations by configuring remote boot stations (Thin Clients).