8.2 What Tcpdump Can Help You Do
Tcpdump will allow you to view the entire data portion of an Ethernet frame or other link layer protocol and can optionally print the frame header as well (see Figure 8.1). In common use this means tcpdump will allow you to view the entirety of an IP packet, an ARP packet, or any protocol at a higher layer than Ethernet. By default, tcpdump prints packets at the IP layer.
Figure 8.1. An Ethernet or Layer 2 Frame.
An example of typical tcpdump output looks like this:
11:51:46.637811 10.25.71.241.80 > 10.18.0.100.61965: . ack 415 ...
11:51:46.643077 10.25.71.241.80 > 10.18.0.100.61966: . ack 415 ...
11:51:46.644830 10.209.29.151.80 > 10.18.0.100.61961: . ack 458...
11:51:46.653025 10.18.0.100 > 10.7.14.114: icmp: echo request (DF)
11:51:46.653226 10.7.14.114 > 10.18.0.100: icmp: echo reply (DF)
11:51:46.658675 10.209.29.137.53 > 10.18.0.100.53454: 46268*- 2...
11:51:46.659970 10.18.0.100.53454 > 10.70.10.79.53: 23134 A? sn...
11:52:24.306670 arp who-has 10.18.1.80 tell 10.18.0.1
Each line represents one packet. Details on how to read each field are presented later in the chapter, but at first glance, we can see an ARP request, a DNS query and response, and access to a web server.
In another mode, we can ask tcpdump to print all the data within each packet. The output is obviously much longer:
16:05:52.209620 10.7.21.77.80 > 10.18.0.100.62532: P 1:236(235)...
4500 0113 27a4 4000 3f06 d977 0a07 154d
0a12 0064 0050 f444 dec4 4cd8 5894 b1d4
5018 f82f c99a 0000 4854 5450 2f31 2e31
2033 3034 204e 6f74 204d 6f64 6966 6965
640d 0a44 6174 653a 2046 7269 2c20 3033
204a 616e 2032 3030 3320 3231 3a30 353a
3532 2047 4d54 0d0a 5365 7276 6572 3a20
4d49 5420 5765 6220 5365 7276 6572 2041
7061 6368 652f 312e 332e 3236 204d 6172
6b2f 312e 3420 2855 6e69 7829 206d 6f64
5f73 736c 2f32 2e38 2e39 204f 7065 6e53
534c 2f30 2e39 2e36 670d 0a43 6f6e 6e65
6374 696f 6e3a 204b 6565 702d 416c 6976
650d 0a4b 6565 702d 416c 6976 653a 2074
696d 656f 7574 3d31 352c 206d 6178 3d39
390d 0a45 5461 673a 2022 3236 3166 3932
6265 2d32 342d 3365 3135 6662 3164 220d
0a0d 0a
This is one entire IP packet, beginning with the IP version number (4) and the IP header length (5, representing the number of 32-bit words in the header).
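As an added example (my code, not the book's), the following Python script decodes the dump above the same way a reader would by hand: it walks the IP header fields just described, extracts the TCP ports and flags, recomputes the IP header checksum as a defender would when validating a capture, and recovers the HTTP response carried in the payload. It embeds the hex words from the listing and assumes nothing beyond the Python standard library.

```python
import struct
from ipaddress import IPv4Address

# The hex words exactly as the chapter's second tcpdump listing prints them.
HEX_DUMP = """
4500 0113 27a4 4000 3f06 d977 0a07 154d 0a12 0064 0050 f444 dec4 4cd8 5894 b1d4
5018 f82f c99a 0000 4854 5450 2f31 2e31 2033 3034 204e 6f74 204d 6f64 6966 6965
640d 0a44 6174 653a 2046 7269 2c20 3033 204a 616e 2032 3030 3320 3231 3a30 353a
3532 2047 4d54 0d0a 5365 7276 6572 3a20 4d49 5420 5765 6220 5365 7276 6572 2041
7061 6368 652f 312e 332e 3236 204d 6172 6b2f 312e 3420 2855 6e69 7829 206d 6f64
5f73 736c 2f32 2e38 2e39 204f 7065 6e53 534c 2f30 2e39 2e36 670d 0a43 6f6e 6e65
6374 696f 6e3a 204b 6565 702d 416c 6976 650d 0a4b 6565 702d 416c 6976 653a 2074
696d 656f 7574 3d31 352c 206d 6178 3d39 390d 0a45 5461 673a 2022 3236 3166 3932
6265 2d32 342d 3365 3135 6662 3164 220d 0a0d 0a
"""

TCP_FLAGS = [("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08), ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01)]

def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones'-complement sum with the checksum field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(zeroed) // 2), zeroed))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_ip_packet(hex_words: str) -> dict:
    """Decode the IP header, the TCP header and the payload of a tcpdump -x dump."""
    raw = bytes.fromhex("".join(hex_words.split()))
    (ver_ihl, _tos, total_len, _ident, frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4              # header length field counts 32-bit words
    pkt = {"version": ver_ihl >> 4, "ihl": ihl, "total_length": total_len,
           "dont_fragment": bool(frag & 0x4000), "ttl": ttl, "protocol": proto,
           "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
           "checksum_printed": csum, "checksum_computed": ip_checksum(raw[:ihl])}
    if proto == 6:                          # TCP: ports, data offset, flags, payload
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
        data_off = (off_flags >> 12) * 4
        pkt.update(sport=sport, dport=dport,
                   flags=[name for name, bit in TCP_FLAGS if off_flags & bit],
                   payload=raw[ihl + data_off:total_len].decode("ascii", "replace"))
    return pkt

if __name__ == "__main__":
    for key, value in decode_ip_packet(HEX_DUMP).items():
        print(f"{key}: {value!r}")
```

On this listing the recomputed checksum (0xe977) differs from the printed one (0xd977), which is what you would expect if header fields were changed after capture; on bytes taken straight off the wire the two should agree.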
The number of problems that can be solved with the help of tcpdump is limitless. Because it prints such detailed information about network traffic, tcpdump is to a network administrator what the microscope is to a biologist. It will not give you a feel for large trends as Neo or MRTG will, but it will give you a very clear picture of a specific part of your network. For this reason, it is an excellent tool to use when the problem is simply that something is not working properly.
Imagine a Web browser that is unable to load pages from a particular server; the Web browser just hangs. Is it a problem with the client, the server, or something in between? If you run tcpdump while loading the Web page, you can watch every stage of the transaction. You can make sure the DNS query for the Web server's hostname is completed, watch the client make the HTTP request to the server, and check to see if the server responds. Regardless of whether the server responds or not, you are now one step closer to understanding the problem.
Tcpdump can also help debug denial of service attacks. If a network is flooded and all other attempts to determine the source or destination of the traffic fail, tcpdump will show you the source address, destination address, and type of traffic involved. Even when other methods can pinpoint the traffic for you, tcpdump is often useful for examining the contents of the traffic should you wish to learn more about the nature of the attack.
There is one catch that can make tcpdump difficult to use: The machine running it must be connected to the network in such a way that it can view the traffic you wish to monitor. This means both that the machine must be connected to the same physical network as the one in question and that the physical network must allow your machine to view the traffic. Both issues are discussed in the section on using tcpdump.
8.2.1 Limitations of Tcpdump
Although tcpdump will display very detailed information about the packets on a network, its view is in some ways limited by the network hardware. For example, a typical Ethernet card will discard packets with an invalid checksum. Therefore, tcpdump will not be a helpful tool for detecting this kind of broken packet on your network. For that, you will need specialized hardware.
Tcpdump is also able to report on only what it finds in the packet. If an IP address is forged in the packet, tcpdump has no ability to report anything else. Be aware that tcpdump is showing you only what the data is, not what it ought to be.