How To - Monitor Packet Flow Using Tcpdump

How To - Monitor packet flow with tcpdump
How To Monitor packet flow using

tcpdump
tcpdump prints out the headers of packets on a network interface that match the Boolean expression.
tcpdump is a packet capture tool that allows to intercept and capture packets passing through a network
interface, making it useful for understanding and troubleshooting network layer problems. It will help to
monitor packet flow coming on interface, response for each packet, packet drop, and ARP information.
This utility will not be of much help to identify and troubleshoot problems related to Application, hence
before using this tool try to understand the behavior of the problem.
Usage
Use from Cyberoam Telnet Console, option 4 Cyberoam Console
How to view traffic of the
tcpdump command
Example
specific host
tcpdump host <ipaddress>
tcpdump host 10.10.10.1
specific source host
tcpdump src host <ipaddress>
tcpdump src host 10.10.10.1
specific destination host
tcpdump dst host <ipaddress>
tcpdump dst host 10.10.10.1
specific network
tcpdump net <network address>
tcpdump net 10.10.10.0
specific source network
tcpdump src net <network address>
tcpdump src net 10.10.10.0
specific destination network
tcpdump dst net <network address>
tcpdump dst net 10.10.10.0
specific port
tcpdump port <port-number>
tcpdump port 21
specific source port
tcpdump src port <port-number>
tcpdump src port 21
specific destination port
tcpdump dst port <port-number>
tcpdump dst port 21
specific
host
for
the
particular port
the specific host for all the
ports except SSH
specific protocol
tcpdump host 10.10.10.1 and

port 21
tcpdump host 10.10.10.1 and
port not 22
paritcular interface
tcpdump host <ipaddress> and port

<port-number>
tcpdump host <ipaddress> and port
not <port-number>
tcpdump proto ICMP
tcpdump proto UDP
tcpdump proto TCP
tcpdump arp
tcpdump interface <interface>
specific port of a particular

interface
tcpdump interface <interface> port

<port-number>
tcpdump interface eth1 port 21
tcpdump interface eth1
Note: Expression can be combined using logical operators AND or OR and with NOT also. Make
sure to use different combinations within single quotes.
Port Mapping
Appliance 50i, 100i, 250i, 500i
Port
Physical Interface
eth0
eth1
eth2
eth3
Appliance 1000i, 1500i

Port
Physical Interface
eth6
eth7
eth8
eth9
eth0
eth1
eth2
eth3
Analyzing tcpdump output

corporate> tcpdump 'port 21'
Kernel filter, protocol ALL, datagram packet socket
tcpdump: listening on all devices
12:29:33.860721 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: S 4023323694:4023
323694(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
12:29:33.860769 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: S 4023323694:402
3323694(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
12:29:33.861293 eth1 < 161.114.22.105.ftp > 192.168.13.40.1633: S 1587918290:158
7918290(0) ack 4023323695 win 5840 <mss 1460> (DF)
12:29:33.861324 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: S 1587918290:1587
918290(0) ack 4023323695 win 5840 <mss 1460> (DF)
12:29:33.861530 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: . 1:1(0) ack 1 win 65535 (DF)
12:29:33.861567 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: . 1:1(0) ack 1 win 65535 (DF)
12:29:34.872070 eth1 < 161.114.22.105.ftp > 192.168.13.40.1633: P 1:65(64) ack 1 win 5840 (DF)
12:29:34.872114 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: P 1:65(64) ack 1 win 5840 (DF)
12:29:34.977585 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: . 1:1(0) ack 65 win 65471 (DF)
12:29:34.977623 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: . 1:1(0) ack 65 win 65471 (DF)
12:29:45.885899 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: P 1:17(16) ack 65 win 65471 (DF)
12:29:45.885937 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: P 1:17(16) ack 65 win 65471 (DF)
12:29:45.886350 eth1 < 161.114.22.105.ftp > 192.168.13.40.1633: . 65:65(0) ack 17 win 5840 (DF)
12:29:45.886369 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: . 65:65(0) ack 17 win 5840 (DF)
12:29:46.444599 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: . 17:17(0) ack 133 win 65403 (DF)
12:29:46.444639 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: . 17:17(0) ack 133 win 65403 (DF)
12:29:52.569079 eth1 < 161.114.22.105.ftp > 192.168.13.40.1633: . 133:133(0) ack 31 win 5840 (DF)
12:29:52.569097 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: . 133:133(0) ack 31 win 5840 (DF)
12:30:00.627489 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: . 31:31(0) ack 181 win 65355 (DF)
12:30:00.627532 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: . 31:31(0) ack 181 win 65355 (DF)
12:30:07.698430 eth1 < 161.114.22.105.ftp > 192.168.13.40.1633: . 181:181(0) ack 37 win 5840 (DF)
12:30:07.698450 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: . 181:181(0) ack 37 win 5840 (DF)
12:30:08.272170 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: . 37:37(0) ack 227 win 65309 (DF)
12:30:08.272205 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: . 37:37(0) ack 227 win 65309 (DF)
12:30:08.526981 eth1 < 161.114.22.105.ftp > 192.168.13.40.1633: FP 293:370(77) ack 37 win 5840 (DF)
12:30:08.527006 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: FP 293:370(77) ack 37 win 5840 (DF)
12:30:08.527221 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: . 37:37(0) ack 371 win 65166 (DF)
12:30:08.527248 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: . 37:37(0) ack 371 win 65166 (DF)
12:30:08.536286 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: F 37:37(0) ack 371 win 65166 (DF)
12:30:08.536312 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: F 37:37(0) ack 371 win 65166 (DF)
1st line:
Brown color shows timestamp of the packet
Green color shows the incoming interface
Blue color shows source address who originates the request
Red color shows destination IP address
Orange color shows services which is being accessed
Pink color shows flag of particular packet. This is new connection originated by 172.16.16.81 IP address
& destined for 161.114.22.105 to access FTP services. This is first packet so flag is set to Sync S
3rd line: As three ways handshaking needs to be complete, second packet is the response coming back
from server with Ack for Sync packet. This is nothing but Syn-Ack packet.
4th Line: Ack packet sent by source for Syn-Ack. For any tcp connection first three lines are like
Source to Destination-- Sync
Destination to Source-- Sync-Ack
Source to DestinationAck
5th to 40th Line: Push packet (Data Packet) because of P & . Flag
41st and 42nd Line: Termination of FTP connection because F flag
Flag Information:
S Sync packet for new connection
S Sync packet with ack
P Push packet containing Data
. -- No data information, only ack
F FIN packet which provides information of termination of connection
R Reset packet, Packet which dropped in between somewhere at firewall end
Advanced Usage
View packet contents in hexadecimal notations
corporate> tcpdump hex
13:49:04.438097 eth0 > 192.168.13.40.telnet > 172.16.16.81.1916: P 831812622:831
812624(2) ack 616504356 win 5840 (DF)
4500 002a 4841 4000 4006 685b c0a8 0d28
ac10 1051 0017 077c 3194 740e 24bf 1c24
5018 16d0 13a6 0000 0d0a
13:49:04.545219 eth1 B arp who-has 192.168.2.30 (Broadcast) tell 192.168.2.31
0001 0800 0604 0001 0003 ba29 8f63 c0a8
021f ffff ffff ffff c0a8 021e 0000 0000
0000 0000 0000 0000 0000 0000 0000
13:49:04.553181 eth0 < 172.16.16.81.1916 > 192.168.13.40.telnet: . 1:1(0) ack 2 win 65523 (DF)
4500 0028 3c3b 4000 8006 3463 ac10 1051
c0a8 0d28 077c 0017 24bf 1c24 3194 7410
5010 fff3 3794 0000 0000 0000 0000
13:49:04.553217 eth0 > 192.168.13.40.telnet > 172.16.16.81.1916: P 2:538(536) ack 1 win 5840 (DF)
4500 0240 4842 4000 4006 6644 c0a8 0d28
ac10 1051 0017 077c 3194 7410 24bf 1c24
5018 16d0 058f 0000 4b65 726e 656c 2066
696c 7465 722c 2070 726f 746f 636f 6c20
414c 4c2c 2064 6174 6167 7261 6d20 7061
636b 6574 2073 6f63 6b65 740d 0a74 6370
6475 6d70 3a20 6c69 7374 656e 696e 6720
6f6e 2061 6c6c 2064 6576 6963 6573 0d0a
3133 3a34 393a 3034 2e34 3338 3039 3720
13:49:04.662912 eth1 B arp who-has 192.168.13.4 tell 192.168.13.5
0001 0800 0604 0001 000c 29ca 2f1e c0a8
0d05 0000 0000 0000 c0a8 0d04 0000 0000
0000 0000 0000 0000 0000 0000 0000

13:49:04.674536 eth1 B arp who-has 192.168.1.93 tell 192.168.1.206
0001 0800 0604 0001 0008 a132 e4f0 c0a8
01ce 0000 0000 0000 c0a8 015d 5d00 0100
0001 0000 0000 0000 046a 6973 7000
View packet contents with Ethernet or other layer 2 header information
corporate> tcpdump llh
13:49:51.785823 eth1 B 0:3:ba:29:8f:63 Broadcast arp 60: arp who-has 192.168.2.3 0 (Broadcast) tell
192.168.2.31
13:49:51.868616 eth1 B 0:11:43:56:7d:7a Broadcast ip 92: 192.168.1.23.netbios-ns
>
192.168.15.255.netbios-ns:NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:49:51.930139 eth0 < 0:11:11:93:47:9b 0:0:0:0:0:1 ip 60: 172.16.16.81.1916 > 1 92.168.13.40.telnet: .
616504364:616504364(0) ack 831819683 win 65281 (DF)
13:49:51.930177 eth0 > 0:0:0:0:0:0 0:10:f3:9:cf:da ip 412: 192.168.13.40.telnet > 172.16.16.81.1916: P
1:359(358) ack 0 win 5840 (DF)
13:49:52.131308 eth0 < 0:11:11:93:47:9b 0:0:0:0:0:1 ip 60: 172.16.16.81.1916 > 1 92.168.13.40.telnet: .
0:0(0) ack 359 win 64923 (DF)
359:650(291) ack 0 win 5840 (DF)
13:49:52.165068 eth1 B 0:10:f3:a:a5:fd Broadcast arp 60: arp who-has 3.3.3.1 tel l 3.3.3.3
13:49:52.328476 eth1 B 0:13:20:dc:d0:63 Broadcast ip 110: 192.168.4.51.netbios-n s >
192.168.15.255.netbios-ns:NBT UDP PACKET(137): RELEASE; REQUEST; BROADCAST
13:49:52.328986 eth1 B 0:13:20:dc:d0:63 Broadcast ip 110: 192.168.4.51.netbios-n s >
192.168.15.255.netbios-ns:NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADC
AST
13:49:52.332491 eth0 < 0:11:11:93:47:9b 0:0:0:0:0:1 ip 60: 172.16.16.81.1916 > 1 92.168.13.40.telnet: .
0:0(0) ack 650 win 64632 (DF)
650:1337(687) ack 0 win 5840 (DF)
13:49:52.370134 eth1 B 0:7:e9:2e:6c:c1 Broadcast arp 60: arp who-has 192.168.1.1 6 (Broadcast) tell
192.168.1.16
Generate binary file of traffic log generated with custom parameters
Cyberoam also supports to save and download the tcpdump output in a binary file from Telnet Console.
File tcpdump contains the troubleshooting information useful to analyze the traffic with advanced tool like
ethereal for Cyberoam Support team.
To save the output in the downloadable file, log on to Telnet Console:
Go to Option 4 Cyberoam Console
At the command prompt, issue the command:

tcpdump <criteria> filedump
Cyberoam saves this file under the name tcpdump.out
Download from http://<cyberooam_ip>/documents/tcpdump.out and mail this file to Cyberoam Support
team at support@cyberoam.com
Monitoring VPN traffic

Cyberoam will automatically configure VPN IPSec interface for each WAN port configured. For example,
if Port B and Port C are configured as WAN ports then Cyberoam will configure ipsec0 and ipsec1 for
Port B and Port C respectively.
Use these ipsec ports to monitor VPN traffic e.g. tcpdump -i ipsec0
Document Version: 2.0-24/09/2007

How To - Monitor Packet Flow Using Tcpdump

Diunggah oleh

Informasi Dokumen

Deskripsi Asli:

Judul Asli

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

How To - Monitor Packet Flow Using Tcpdump

Diunggah oleh

Hak Cipta:

Format Tersedia

How To - Monitor packet flow with tcpdump