Network troubleshooting with tcpdump

* Network hardware
  * switches vs hubs
  * promiscuous mode of ethernet adapters

* Related terminology
  * pcap - packet capture file format
    pcap is a file format for storing captured network packets, which was created specifically for tcpdump
  * libpcap - Free Software library that handles reading and writing pcap files
    libpcap began as tcpdump code that was repackaged as a library so that it could be shared with other projects (e.g. wireshark, snort, nmap...)
  * BPF - Berkeley Packet Filter
    an efficient method of classifying received traffic so that packets of interest can be captured and the rest quickly discarded

* Common options
  * which interface: -i eth0, -i any
  * skip name lookups for ip addresses or port numbers: -n
    use this if DNS is having problems so that name lookups are slow or failing
  * verbose: -v, -vv, or -vvv
  * no limit on captured packet size: -s 0
    REMEMBER TO USE THIS WHEN STORING PACKETS FOR LATER ANALYSIS!
  * write captured packets to file: -w filename
  * read from existing file (instead of live capture): -r filename

* Filter syntax
  * limit by ip address/hostname: host x.x.x.x, host somehost.com
  * limit by port number/port name: port 80, port http
    official port names can be found in /etc/services
  * limit by packet type: ip, tcp, udp, icmp, esp, ah, arp
  * combine simple limits into more complex criteria: not, and, or
  * group operators in complex criteria: ( )
    it is a good idea to put quotes around the whole filter statement if it is complicated enough to need parentheses, since otherwise the shell will try to interpret them itself

* Examples
  * display summary of packets to/from any web server
    tcpdump -i any port http
  * display summary of ping packets to/from google.com
    tcpdump -i any icmp and host google.com
  * capture all traffic to a file for later analysis (e.g. in wireshark)
    tcpdump -i any -s 0 -w /tmp/saved_traffic.pcap -v
  * capture all traffic except your own ssh connection to a file
    tcpdump -i any -s 0 -w /tmp/saved_traffic.pcap -v "not ( port ssh and host me.org )"
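The pcap format and the "-s 0" reminder above come together in the file itself: the global header records the snaplen, and each packet record stores both the bytes actually saved and the original length on the wire. The following is an added example (not from the original notes, and not tcpdump or libpcap code) that writes a classic pcap file in memory with a constructed frame and then reads it back, flagging records that were truncated by a small snaplen, which is the check to run on a saved capture before analysing it.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # same magic seen from the other byte order
LINKTYPE_ETHERNET = 1

def write_pcap(packets, snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """Build a little-endian pcap blob: 24-byte global header, then one
    16-byte record header plus data per packet. Data beyond snaplen is
    dropped, exactly as a capture with a too-small -s would do."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                                snaplen, linktype))
    for ts_sec, ts_usec, frame in packets:
        saved = frame[:snaplen]
        # incl_len = bytes saved in the file, orig_len = bytes on the wire
        out += struct.pack("<IIII", ts_sec, ts_usec, len(saved), len(frame))
        out += saved
    return bytes(out)

def read_pcap(blob):
    """Parse a pcap blob. Returns (snaplen, linktype, records) where each
    record is (ts_sec, ts_usec, saved_bytes, orig_len)."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"  # written on a big-endian host
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII",
                                                     blob[:24])
    records, off = [], 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            endian + "IIII", blob[off:off + 16])
        off += 16
        records.append((ts_sec, ts_usec, blob[off:off + incl_len], orig_len))
        off += incl_len
    return snaplen, linktype, records

def truncated_packets(blob):
    """Indices of records whose saved bytes are fewer than the wire length,
    i.e. packets a later analysis tool will only see partially."""
    _, _, records = read_pcap(blob)
    return [i for i, (_, _, saved, orig) in enumerate(records)
            if len(saved) < orig]

# Constructed sample: a 1536-byte frame captured once with a large snaplen
# and once with a small one (96 bytes, a value chosen for illustration).
SAMPLE_FRAME = bytes(range(256)) * 6
FULL_CAPTURE = write_pcap([(1, 0, SAMPLE_FRAME)], snaplen=65535)
SHORT_CAPTURE = write_pcap([(1, 0, SAMPLE_FRAME)], snaplen=96)
```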