While working on network programming on Linux, I stumbled upon a command-line *nix tool named "tcpdump". tcpdump is a common packet analyser that lets the user intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.

After I used it for the first time, I became so obsessed with tcpdump that I began to intercept all the packets travelling through my network, for fun... haha...

So let's start, and I'll share some of the functionality I observed while using the tool...

As I have already told you, this is a command-line tool, so open a gnome-terminal and run the command:

# tcpdump -i eth0 (the # prompt means you should be running as root; eth0 is the interface to listen on)

If everything went well, you should see a screen like this:

[screen1: screenshot of the default tcpdump output]

As you can see, it lists all the packets received by your computer.

Take a close look at one line. Each address is printed as the IP address followed by a final dot and the port number, so the last number after the IP address is the port. The '>' symbol points from source to destination: the address on its left is where the packet came from, the address on its right is where it is going. The tool also prints, at the end of each line, a summary of what the packet carries.
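To make the "source > destination" notation concrete, here is an added example (my own, not part of the original post) that splits tcpdump's default summary lines into source and destination address and port, then counts how many packets were addressed to a given port. The sample lines are constructed, not captured traffic, and the function names (parse_tcpdump, count_to_port) are this example's own. It assumes IPv4 addresses in tcpdump's usual "a.b.c.d.port" form.

```shell
#!/bin/sh
# Added example, not from the original post: parse tcpdump summary lines.
# Assumes IPv4 traffic printed in tcpdump's default "IP a.b.c.d.port > e.f.g.h.port:" form.

# Constructed sample capture lines (not real traffic).
SAMPLE='12:34:56.789012 IP 192.168.1.10.54321 > 93.184.216.34.80: Flags [S], seq 1234, win 64240, length 0
12:34:56.790511 IP 93.184.216.34.80 > 192.168.1.10.54321: Flags [S.], seq 5678, ack 1235, win 65535, length 0
12:34:57.001234 IP 192.168.1.10.40000 > 8.8.8.8.53: 1234+ A? example.com. (29)'

# parse_tcpdump: reads summary lines on stdin and prints
# "src_ip src_port dst_ip dst_port", one line per packet.
parse_tcpdump() {
    awk '$2 == "IP" && $4 == ">" {
        src = $3; dst = $5; sub(/:$/, "", dst)          # drop the trailing colon after the destination
        n = split(src, s, "."); m = split(dst, d, ".")  # last dot-separated element is the port
        printf "%s %s %s %s\n", s[1]"."s[2]"."s[3]"."s[4], s[n], d[1]"."d[2]"."d[3]"."d[4], d[m]
    }'
}

# count_to_port PORT: number of sample packets whose destination port is PORT.
count_to_port() {
    printf '%s\n' "$SAMPLE" | parse_tcpdump | awk -v p="$1" '$4 == p' | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | parse_tcpdump
```

On a real machine you would feed it a capture directly, e.g. `tcpdump -i eth0 -nn | parse_tcpdump`; the `-nn` flag keeps tcpdump from turning addresses and ports into names, which is what the parser expects.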

Next, if you want a more detailed view of the packets retrieved, type:

# tcpdump -i eth0 -x

and you will get a screen similar to this one:

[screen2: screenshot of tcpdump -x output]

Here you can see the hex values of the packet contents, grouped into 16-bit columns.

tcpdump accepts many options, and a filter expression lets us select only packets from a particular source or to a particular destination, as well as packets from or to a particular port number...

Here are some examples:

# tcpdump -i eth0 -x -p ip src <ipaddress>

will list packets having source address <ipaddress> (-p keeps the interface out of promiscuous mode, so only traffic addressed to this host is seen)

# tcpdump -i eth0 -x -p ip dst <ipaddress>

will list all the packets bearing the destination address <ipaddress>

# tcpdump -i eth0 -x -p ip src <ipaddress1> and dst <ipaddress2>

will list all the packets with source address <ipaddress1> and destination address <ipaddress2>

# tcpdump -i wlan0 -x

will list all packets on the wireless interface wlan0, for when you are using a wifi connection

# tcpdump -i eth0 -x port 6666

will list all packets whose source or destination port is 6666

# tcpdump -i eth0 -x multicast

# tcpdump -i eth0 -x broadcast

will list all the packets having a multicast or broadcast address, respectively

# tcpdump -i eth0 -x less 120

will list all packets of length 120 bytes or less

# tcpdump -i eth0 -x greater 90

will list all packets of length 90 bytes or more
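The filters above combine with `and` exactly as in the src/dst example. As an added example (mine, not from the original post), the script below builds such an expression from optional source address, destination address and port, refusing values that are not a dotted-quad address or a number, and then passes it to tcpdump with the flags usually wanted for a saved capture: `-nn` (no name resolution), `-s 0` (whole packets), `-c` (stop after a packet count) and `-w` (write a pcap file). The names is_ipv4, bpf_filter, capture and TCPDUMP_DRY_RUN are this example's own; `src host` / `dst host` are the same pcap-filter primitives the post's `ip src` / `ip dst` examples use.

```shell
#!/bin/sh
# Added example, not from the original post: compose a tcpdump filter safely.

# is_ipv4 ADDR: succeed only for a dotted-quad IPv4 address.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# bpf_filter SRC DST PORT (any argument may be empty): print the filter expression.
bpf_filter() {
    src=$1; dst=$2; port=$3; expr=""
    if [ -n "$src" ]; then
        is_ipv4 "$src" || { echo "bad source address: $src" >&2; return 1; }
        expr="src host $src"
    fi
    if [ -n "$dst" ]; then
        is_ipv4 "$dst" || { echo "bad destination address: $dst" >&2; return 1; }
        expr="${expr:+$expr and }dst host $dst"
    fi
    if [ -n "$port" ]; then
        case $port in
            *[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        expr="${expr:+$expr and }port $port"
    fi
    printf '%s\n' "$expr"
}

# capture IFACE SRC DST PORT: save at most 1000 matching packets to a pcap file.
#   -nn  do not resolve hostnames or port names (the capture itself causes no DNS traffic)
#   -s 0 capture whole packets rather than a truncated snapshot
#   -c   stop after N packets, so a forgotten capture cannot fill the disk
#   -w   store raw packets for later analysis instead of printing them
# Set TCPDUMP_DRY_RUN=1 to print the command instead of running it (needs root otherwise).
capture() {
    iface=$1
    filter=$(bpf_filter "$2" "$3" "$4") || return 1
    out="capture-$(date +%Y%m%d-%H%M%S).pcap"
    if [ -n "$TCPDUMP_DRY_RUN" ]; then
        printf 'tcpdump -i %s -nn -s 0 -c 1000 -w %s %s\n' "$iface" "$out" "$filter"
    else
        # $filter is left unquoted on purpose: each word is one token of the expression.
        tcpdump -i "$iface" -nn -s 0 -c 1000 -w "$out" $filter
    fi
}

TCPDUMP_DRY_RUN=1 capture eth0 192.168.1.10 "" 6666
```

The dry run prints the command that would be executed; drop TCPDUMP_DRY_RUN and run as root to actually capture. The saved pcap can be read back later with `tcpdump -nn -r capture-....pcap`, which does not need root.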

That's all... for more options and updates, check the tcpdump man page...

Happy Coding…N’Joy…
