Category: LINUX

2006-05-14 22:03:28

Tcpdump Tutorial


  1. The frequently used options:

    • -n: display IP addresses instead of host names.

    • -S: display the absolute TCP sequence numbers instead of the relative ones.

    • -vv: more verbose output.

    • some useful filter expressions: expressions support the logical operators and, or, not.

      • host: match packets whose source or destination is the given host.

  2. The data format of tcpdump output:

     09:44:54.549293 IP (tos 0x0, ttl 64, id 38374, offset 0, flags [DF], length: 60) 192.168.1.2.43986 > XXX.XXX.XXX.XXX.80: S [tcp sum ok] 698054336:698054336(0) win 5840

    • 09:44:54.549293: timestamp.

    • IP: protocol.

    • IP header:

      • tos: type of service.

      • ttl: time to live.

      • id: identifier.

      • offset:

      • flags:

      • length: the total length of the datagram, including the IP header.

    • 192.168.1.2.43986: source address and its port.

    • XXX.XXX.XXX.XXX.80: destination address and its port.

    • S: TCP flags

      • S: SYN, synchronize the sequence numbers to initiate a connection.

      • F: FIN, the sender has finished sending data.

      • P: PUSH, the receiver should pass this data to the application as soon as possible.

      • R: RST, reset the connection.

      • .: none of the above flags set.

    • 698054336:698054336(0): sequence numbers and the number of bytes of user data.

    • win: TCP window size.

    • TCP options

      • mss: maximum segment size.

      • sackOK: Selective Acknowledgment Permitted. SackOK must be included in the TCP options of both the SYN and the SYN/ACK packet of the three-way handshake, or it cannot be used; it should not appear in any other packet.

      • timestamp:

      • nop: No Operation (NOP) TCP option.

      • wscale: Window Scale, defined in

The frequently used TCP/IP header formats, analyzed against tcpdump output

  1. The TCP/IP structures.

    • The IP header structure (field widths in bits; Flags is 3 bits and Fragment offset is 13 bits):

      0       4       8               16                              32 bits
      +-------+-------+---------------+-------------------------------+
      | Ver.  |  IHL  |Type of service|         Total length          |
      +-------+-------+---------------+-----+-------------------------+
      |        Identification         |Flags|     Fragment offset     |
      +---------------+---------------+-----+-------------------------+
      | Time to live  |   Protocol    |        Header checksum        |
      +---------------+---------------+-------------------------------+
      |                        Source address                         |
      +---------------------------------------------------------------+
      |                      Destination address                      |
      +---------------------------------------------------------------+
      |                       Option + Padding                        |
      +---------------------------------------------------------------+
      |                             Data                              |
      +---------------------------------------------------------------+

    • The TCP header structure (HLEN 4 bits, Reserved 6 bits, Flags 6 bits):

      0               8               16              24              32 bits
      +-------------------------------+-------------------------------+
      |          Source port          |       Destination port        |
      +---------------------------------------------------------------+
      |                        Sequence number                        |
      +---------------------------------------------------------------+
      |                     Acknowledgment number                     |
      +-------+-----------+-----------+-------------------------------+
      | HLEN  | Reserved  |   Flags   |          Window size          |
      +-------+-----------+-----------+-------------------------------+
      |           Checksum            |        Urgent pointer         |
      +-------------------------------+-------------------------------+
      |                      Options and padding                      |
      +---------------------------------------------------------------+

    • ICMP

      The ICMP header:

      0               8               16                              32 bits
      +---------------+---------------+-------------------------------+
      |     Type      |     Code      |           Checksum            |
      +---------------+---------------+-------------------------------+

      The commonly used types and codes:

      NAME             TYPE  CODE  COMMENT
      ICMP_ECHO           8     0  Ping
      ICMP_ECHOREPLY      0     0  Ping response.
      ICMP_UNREACH        3     4  ICMP_UNREACH_NEEDFRAG - used by Path MTU discovery to determine the optimal MTU setting.
      ICMP_TIMXCEED      11     0  TTL expired in transit. Used by UNIX traceroute and Windows tracert. Note that UNIX traceroute also uses a high UDP port. This message is also important when routing loops occur.

      • The tracert output

          6:53:23.579839 IP (tos 0x0, ttl   1, id 41569, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 50432, length 72

          16:53:27.640386 IP (tos 0x0, ttl 1, id 41619, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 50688, length 72

          16:53:31.645176 IP (tos 0x0, ttl 1, id 41670, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 50944, length 72


          16:53:35.650113 IP (tos 0x0, ttl 2, id 41719, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51200, length 72

          16:53:35.664651 IP (tos 0x0, ttl 254, id 16045, offset 0, flags [none], proto: ICMP (1), length: 56) 61.148.36.17 > 192.168.1.2: ICMP time exceeded in-transit, length 36
          IP (tos 0x0, ttl 1, id 41719, offset 0, flags [none], proto: ICMP (1), length: 92, bad cksum 7ece (->8183)!) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51200, length 72

          16:53:35.664766 IP (tos 0x0, ttl 2, id 41720, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51456, length 72

          16:53:35.680677 IP (tos 0x0, ttl 254, id 16061, offset 0, flags [none], proto: ICMP (1), length: 56) 61.148.36.17 > 192.168.1.2: ICMP time exceeded in-transit, length 36
          IP (tos 0x0, ttl 1, id 41720, offset 0, flags [none], proto: ICMP (1), length: 92, bad cksum 7ecd (->8182)!) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51456, length 72

          16:53:35.680755 IP (tos 0x0, ttl 2, id 41721, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51712, length 72

          16:53:35.696444 IP (tos 0x0, ttl 254, id 16068, offset 0, flags [none], proto: ICMP (1), length: 56) 61.148.36.17 > 192.168.1.2: ICMP time exceeded in-transit, length 36
          IP (tos 0x0, ttl 1, id 41721, offset 0, flags [none], proto: ICMP (1), length: 92, bad cksum 7ecc (->8181)!) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51712, length 72


          16:53:36.682241 IP (tos 0x0, ttl 3, id 41734, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51968, length 72

        The above is the Windows XP tracert packet output. It sends an ECHO Request 3 times with a TTL value of 1 at first, then increases the TTL by 1 for each round. The node at which the TTL expires sends a Time to Live Exceeded in Transit message (ICMP 11/0) back to the client.
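As an added example (not part of the original post), the following Python correlates the capture above the way an analyst would when reading a traceroute trace by hand: it records the IP id and TTL of every echo request sent, and when a time exceeded message arrives it matches the original header quoted inside the reply back to its probe by that IP id, yielding a TTL-to-router map. The capture lines are copied from the post; the parser assumes the tcpdump -v layout shown there, and TTLs that were probed but got no reply are reported separately.

```python
import re
from collections import defaultdict

# tcpdump -v lines copied from the tracert capture in the post. A line starting
# with "IP (" is the original header quoted inside the preceding time-exceeded reply.
TRACE = """
6:53:23.579839 IP (tos 0x0, ttl   1, id 41569, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 50432, length 72
16:53:27.640386 IP (tos 0x0, ttl 1, id 41619, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 50688, length 72
16:53:31.645176 IP (tos 0x0, ttl 1, id 41670, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 50944, length 72
16:53:35.650113 IP (tos 0x0, ttl 2, id 41719, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51200, length 72
16:53:35.664651 IP (tos 0x0, ttl 254, id 16045, offset 0, flags [none], proto: ICMP (1), length: 56) 61.148.36.17 > 192.168.1.2: ICMP time exceeded in-transit, length 36
IP (tos 0x0, ttl 1, id 41719, offset 0, flags [none], proto: ICMP (1), length: 92, bad cksum 7ece (->8183)!) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51200, length 72
16:53:35.664766 IP (tos 0x0, ttl 2, id 41720, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51456, length 72
16:53:35.680677 IP (tos 0x0, ttl 254, id 16061, offset 0, flags [none], proto: ICMP (1), length: 56) 61.148.36.17 > 192.168.1.2: ICMP time exceeded in-transit, length 36
IP (tos 0x0, ttl 1, id 41720, offset 0, flags [none], proto: ICMP (1), length: 92, bad cksum 7ecd (->8182)!) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51456, length 72
16:53:35.680755 IP (tos 0x0, ttl 2, id 41721, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51712, length 72
16:53:35.696444 IP (tos 0x0, ttl 254, id 16068, offset 0, flags [none], proto: ICMP (1), length: 56) 61.148.36.17 > 192.168.1.2: ICMP time exceeded in-transit, length 36
IP (tos 0x0, ttl 1, id 41721, offset 0, flags [none], proto: ICMP (1), length: 92, bad cksum 7ecc (->8181)!) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51712, length 72
16:53:36.682241 IP (tos 0x0, ttl 3, id 41734, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51968, length 72
"""

# The "(tos ..., ttl N, id M, ...)" header block followed by "src > dst: ".
HDR = r"IP \(tos \S+, ttl\s+(?P<ttl>\d+), id (?P<id>\d+),.*\) (?P<src>\S+) > (?P<dst>\S+): "
PROBE_RE = re.compile(r"^\S+ " + HDR + r"ICMP echo request, id \d+, seq (?P<seq>\d+)")
EXCEEDED_RE = re.compile(r"^\S+ " + HDR + r"ICMP time exceeded")
QUOTED_RE = re.compile(r"^" + HDR + r"ICMP echo request")   # no timestamp: quoted inner header


def correlate(text):
    """Map each probe TTL to the routers that answered it.

    Replies are matched to probes by the IP id of the quoted header, not by the
    quoted TTL: in the post's capture the quoted copy shows ttl 1 although the
    probe left with ttl 2, so the quoted TTL is not a usable key."""
    probes = {}                 # IP id -> TTL the echo request was sent with
    sent = defaultdict(int)     # TTL -> number of probes sent with that TTL
    hops = defaultdict(set)     # TTL -> routers that sent time exceeded for it
    pending = None              # router of the last reply, awaiting its quoted header
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROBE_RE.match(line)
        if m:
            probes[int(m["id"])] = int(m["ttl"])
            sent[int(m["ttl"])] += 1
            continue
        m = EXCEEDED_RE.match(line)
        if m:
            pending = m["src"]
            continue
        m = QUOTED_RE.match(line)
        if m and pending:
            ttl = probes.get(int(m["id"]))
            if ttl is not None:
                hops[ttl].add(pending)
            pending = None
    return {ttl: sorted(routers) for ttl, routers in hops.items()}, dict(sent)


def unanswered_ttls(hops, sent):
    """TTLs that were probed but never produced a time exceeded reply in the capture."""
    return sorted(ttl for ttl in sent if ttl not in hops)


if __name__ == "__main__":
    hops, sent = correlate(TRACE)
    for ttl in sorted(sent):
        print(ttl, hops.get(ttl, "*"), "(%d probes)" % sent[ttl])
```

For the post's capture this yields hop 2 = 61.148.36.17, while TTL 1 and TTL 3 have probes but no reply inside the captured window.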

  2. The raw output of a TCP packet from tcpdump.

     0x0000:  4500 003c 2c84 4000 4006 7911 c0a8 0102  E..<,.@.@.y.....
     0x0010:  ca6c 0910 a0c6 0050 9107 d404 0000 0000  .l.....P........
     0x0020:  a002 16d0 9cf7 0000 0204 05b4 0402 080a  ................
     0x0030:  0073 f880 0000 0000 0103 0302

    The IHL nibble is 5, so the IP header is 5 x 4 = 20 bytes long, and the IP header part of this packet is

     0x0000:  4500 003c 2c84 4000 4006 7911 c0a8 0102  E..<,.@.@.y.....
     0x0010:  ca6c 0910

    The remaining part is the TCP header and the user data:

     0x0010:                 a0c6 0050 9107 d404 0000 0000  .l.....P........
     0x0020:  a002 16d0 9cf7 0000 0204 05b4 0402 080a  ................
     0x0030:  0073 f880 0000 0000 0103 0302

    The high nibble of the 13th octet of the TCP segment is the TCP header length in 32-bit words, so the TCP length is a x 4 = 60 bytes.
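As an added example (not the post's own code), this Python decodes the dump above using the IP and TCP header layouts from the tables in section 1, so it serves both that section and this one: it reads the IHL nibble and the TCP data-offset nibble to find the two header lengths, verifies the IP header checksum (the check tcpdump reports as "bad cksum" in the tracert capture), and walks the option list (mss, sackOK, timestamp, nop, wscale) described in the first part. The dump lines are copied from the post; the parser assumes tcpdump's offset / hex-word / ASCII column layout and that the ASCII column never begins with a four-hex-digit token.

```python
import re
import struct

# The four "0x...." lines are the SYN segment hex dump from the post.
HEXDUMP = """
0x0000:  4500 003c 2c84 4000 4006 7911 c0a8 0102  E..<,.@.@.y.....
0x0010:  ca6c 0910 a0c6 0050 9107 d404 0000 0000  .l.....P........
0x0020:  a002 16d0 9cf7 0000 0204 05b4 0402 080a  ................
0x0030:  0073 f880 0000 0000 0103 0302
"""


def parse_hexdump(text):
    """Collect packet bytes from tcpdump's offset/hex-word/ASCII lines."""
    data = bytearray()
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("0x"):
            continue
        for tok in tokens[1:]:
            if not re.fullmatch(r"[0-9a-f]{4}", tok):
                break                       # reached the ASCII column
            data += bytes.fromhex(tok)
    return bytes(data)


def inet_checksum(data):
    """RFC 1071 one's-complement sum; a header that verifies returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ip(pkt):
    """Decode the fixed IPv4 header fields laid out in the IP header table."""
    ihl = (pkt[0] & 0x0F) * 4               # IHL is in 32-bit words
    total_len, ident, frag = struct.unpack("!HHH", pkt[2:8])
    return {
        "version": pkt[0] >> 4, "ihl": ihl, "tos": pkt[1], "length": total_len,
        "id": ident, "df": bool(frag & 0x4000), "offset": frag & 0x1FFF,
        "ttl": pkt[8], "proto": pkt[9],
        "cksum_ok": inet_checksum(pkt[:ihl]) == 0,
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
    }


TCP_OPTION_NAMES = {2: "mss", 3: "wscale", 4: "sackOK", 8: "timestamp"}


def decode_tcp_options(opts):
    """Walk the kind/length-encoded option list (kinds 0 and 1 carry no length byte)."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # nop: one byte of padding
            out.append(("nop",))
            i += 1
            continue
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        name = TCP_OPTION_NAMES.get(kind, "kind%d" % kind)
        if kind == 2:
            out.append((name, struct.unpack("!H", body)[0]))
        elif kind == 3:
            out.append((name, body[0]))
        elif kind == 8:
            out.append((name,) + struct.unpack("!II", body))   # TSval, TSecr
        else:
            out.append((name,))
        i += length
    return out


def tcp_flag_string(flags):
    """tcpdump's letters for FIN/SYN/RST/PSH; '.' when none of those is set."""
    letters = "".join(ch for bit, ch in ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P")) if flags & bit)
    return letters or "."


def decode_tcp(seg):
    """Decode the TCP header laid out in the TCP header table."""
    sport, dport, seq, ack = struct.unpack("!HHII", seg[:12])
    doff = (seg[12] >> 4) * 4               # high nibble of the 13th octet, in 32-bit words
    window, cksum, urg = struct.unpack("!HHH", seg[14:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "hlen": doff,
        "flags": tcp_flag_string(seg[13]), "has_ack": bool(seg[13] & 0x10),
        "win": window, "urg": urg, "options": decode_tcp_options(seg[20:doff]),
        "payload_len": len(seg) - doff,
    }


def decode_packet(text):
    pkt = parse_hexdump(text)
    ip = decode_ip(pkt)
    tcp = decode_tcp(pkt[ip["ihl"]:ip["length"]]) if ip["proto"] == 6 else None
    return ip, tcp


if __name__ == "__main__":
    ip, tcp = decode_packet(HEXDUMP)
    print(ip)
    print(tcp)
```

The decoded IP id (11396), source port (41158) and sequence number (2433209348) are the same values tcpdump prints for the SYN in the handshake section below, which is a convenient way to confirm that the byte offsets were read correctly.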

  3. TCP/IP three-way handshake

The TCP three-way handshake is the process for establishing a TCP connection. A TCP connection is established as shown in the example below. In this example, we assume a client computer is contacting a server to send it some information.

  1. The client sends a packet with the SYN bit set and a sequence number of N.

     11:20:00.779825 IP (tos 0x0, ttl 64, id 11396, offset 0, flags [DF], length: 60) 192.168.1.2.41158 > XXX.XXX.XXX.XXX.80: S [tcp sum ok] 2433209348:2433209348(0) win 5840

  2. The server sends a packet with an ACK number of N+1, the SYN bit set and a sequence number of X.

     11:20:00.795387 IP (tos 0x0, ttl 59, id 0, offset 0, flags [DF], length: 60) XXX.XXX.XXX.XXX.80 > 192.168.1.2.41158: S [tcp sum ok] 906011348:906011348(0) ack 2433209349 win 5792

  3. The client sends a packet with an ACK number of X+1 and the connection is established.

     11:20:00.795505 IP (tos 0x0, ttl 64, id 11398, offset 0, flags [DF], length: 52) 192.168.1.2.41158 > XXX.XXX.XXX.XXX.80: . [tcp sum ok] 2433209349:2433209349(0) ack 906011349 win 1460

  4. The client sends the data.

     11:20:00.801691 IP (tos 0x0, ttl 64, id 11400, offset 0, flags [DF], length: 589) 192.168.1.2.41158 > XXX.XXX.XXX.XXX.80: P 2433209349:2433209886(537) ack 906011349 win 1460

The first three steps in the above process are called the three-way handshake, which is what establishes the TCP connection.
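As an added example (not the post's own code), this Python parses the tcpdump TCP summary lines used throughout this post (the field layout described in the first part) and checks that the captured handshake is well formed: the SYN-ACK must acknowledge N+1, the final ACK must acknowledge X+1, the addresses must be mirrored, and none of the three packets may carry data. It assumes the -n -S -vv output layout shown in the post, with absolute sequence numbers; the server address stays masked as XXX.XXX.XXX.XXX exactly as in the post, so the host field is matched loosely.

```python
import re

# Summary lines copied from the post (tcpdump -n -S -vv output).
SYN_EXAMPLE = ("09:44:54.549293 IP (tos 0x0, ttl 64, id 38374, offset 0, flags [DF], length: 60) "
               "192.168.1.2.43986 > XXX.XXX.XXX.XXX.80: S [tcp sum ok] 698054336:698054336(0) win 5840")

HANDSHAKE = [
    "11:20:00.779825 IP (tos 0x0, ttl 64, id 11396, offset 0, flags [DF], length: 60) 192.168.1.2.41158 > XXX.XXX.XXX.XXX.80: S [tcp sum ok] 2433209348:2433209348(0) win 5840",
    "11:20:00.795387 IP (tos 0x0, ttl 59, id 0, offset 0, flags [DF], length: 60) XXX.XXX.XXX.XXX.80 > 192.168.1.2.41158: S [tcp sum ok] 906011348:906011348(0) ack 2433209349 win 5792",
    "11:20:00.795505 IP (tos 0x0, ttl 64, id 11398, offset 0, flags [DF], length: 52) 192.168.1.2.41158 > XXX.XXX.XXX.XXX.80: . [tcp sum ok] 2433209349:2433209349(0) ack 906011349 win 1460",
    "11:20:00.801691 IP (tos 0x0, ttl 64, id 11400, offset 0, flags [DF], length: 589) 192.168.1.2.41158 > XXX.XXX.XXX.XXX.80: P 2433209349:2433209886(537) ack 906011349 win 1460",
]

# timestamp, IP header block, src.port > dst.port, TCP flags, optional checksum
# verdict, seq:end(bytes), optional ack, window.
LINE_RE = re.compile(
    r"^(?P<ts>\d+:\d\d:\d\d\.\d+) IP \(tos (?P<tos>0x[0-9a-f]+), ttl\s+(?P<ttl>\d+), "
    r"id (?P<id>\d+), offset (?P<offset>\d+), flags \[(?P<ipflags>[^\]]*)\], "
    r"length: (?P<length>\d+)\) (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>\S+)(?: \[tcp sum (?P<cksum>\w+)\])? (?P<seq>\d+):(?P<end>\d+)\((?P<dlen>\d+)\)"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)
INT_FIELDS = ("ttl", "id", "offset", "length", "sport", "dport", "seq", "end", "dlen", "win")


def parse_summary_line(line):
    """Return the fields of one TCP summary line as a dict (ints where numeric)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a tcpdump TCP summary line: " + line)
    pkt = m.groupdict()
    for field in INT_FIELDS:
        pkt[field] = int(pkt[field])
    pkt["ack"] = int(pkt["ack"]) if pkt["ack"] is not None else None
    pkt["tos"] = int(pkt["tos"], 16)
    return pkt


def check_handshake(lines):
    """List the ways the first three packets fail to be SYN / SYN-ACK / ACK;
    an empty list means the handshake is well formed."""
    syn, synack, ack = (parse_summary_line(line) for line in lines[:3])
    problems = []
    client = (syn["src"], syn["sport"])
    server = (syn["dst"], syn["dport"])
    if syn["flags"] != "S" or syn["ack"] is not None:
        problems.append("packet 1 is not a bare SYN")
    if (synack["src"], synack["sport"]) != server or (synack["dst"], synack["dport"]) != client:
        problems.append("packet 2 is not the server answering the client")
    if synack["flags"] != "S" or synack["ack"] != syn["seq"] + 1:
        problems.append("packet 2 is not a SYN-ACK acknowledging N+1")
    if ack["flags"] != "." or ack["ack"] != synack["seq"] + 1:
        problems.append("packet 3 does not acknowledge X+1")
    for p in (syn, synack, ack):
        if p["dlen"] != 0 or p["end"] != p["seq"]:
            problems.append("handshake packet carries data")
    return problems


def payload_bytes(line):
    """User data in a segment; with -S the range end minus start must equal the (n) count."""
    p = parse_summary_line(line)
    if p["end"] - p["seq"] != p["dlen"]:
        raise ValueError("sequence range disagrees with the byte count")
    return p["dlen"]


if __name__ == "__main__":
    print(parse_summary_line(SYN_EXAMPLE))
    print("handshake problems:", check_handshake(HANDSHAKE))
    print("bytes in packet 4:", payload_bytes(HANDSHAKE[3]))
```

On the post's capture the check returns no problems and packet 4 carries 537 bytes (2433209886 - 2433209349), which matches the count tcpdump prints in parentheses.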
