ERIC BRUHN

Network Applications and Network Applications Lab

Chapter Two Notes


Introduction to TCPdump and TCP

  • You cannot do analysis without a tool of some sort.
  • TCPdump (or Windump, its Windows port) gives you insight into the traffic on a network.
  • TCPdump
    • UNIX tool used to gather packets from the network, decode the bits, and display the output in a readable format.
    • Spend time watching normal traffic on your network; knowing what it looks like will help you diagnose problems later.
  • TCPdump Behavior
    • TCPdump must be run as root (or with equivalent packet-capture privileges).
    • Reading raw packets requires opening the network device, which is accessible only to root.
    • Filters
      • A filter expression chooses which packets are captured; packets that do not match are discarded, so they are neither recorded nor displayed. Example: tcpdump port 21 shows only FTP control traffic.
    • Binary Collection
      • By default, TCPdump decodes every packet it collects and prints it to the screen.
      • Most of the time TCPdump runs in the background. Store what it collects in binary (raw packet) form so it can be decoded later for analysis.
      • Command: tcpdump -w filename, where filename is the name of the file. Read the file back later with tcpdump -r filename.
    • Altering the Amount of Data Collected
      • TCPdump does not collect the entire datagram by default; it records only the first part of each packet, up to the snapshot length.
      • Command: tcpdump -s length sets the snapshot length in bytes. A small value keeps the headers but cuts off most of the payload; a larger value (or -s 0) captures whole packets.
  • TCPdump Output
    • Example: 09:32:43.910000 nmap.edu.1173 > dns.net.21: S 62697789:62697789(0) win 512
      • 09:32:43.910000 = time stamp (hours:minutes:seconds.microseconds)
      • nmap.edu = source host name
      • 1173 = source port number (or the service name, when TCPdump can resolve it)
      • > = directional marker indicating the flow from source to destination
      • dns.net = destination host name
      • 21 = destination port number (21 is the FTP control port)
      • S = TCP flag; S represents the SYN flag, which indicates a request to start a TCP connection.
      • 62697789:62697789(0) = beginning TCP sequence number : ending TCP sequence number (number of data bytes in this segment). Sequence numbers are used by TCP to order the data received. A SYN carries no data, so both numbers are the same and the byte count is 0.
      • win 512 = the receive window (buffer size in bytes) that nmap.edu advertises for this connection.
    • TCPdump Flags
      • S = SYN, F = FIN, R = RST, P = PUSH; a period (.) means none of these flags is set (for example, a plain ACK segment).
      • ack n is printed after the flags and sequence numbers whenever the ACK flag is set.
  • Absolute and Relative Sequence Numbers
    • TCP sequence numbers are used by the destination host to reassemble the TCP traffic that arrives, even when segments arrive out of order.
    • TCP guarantees ordered delivery whereas UDP doesn't.
    • By default TCPdump prints the absolute 32-bit initial sequence number on the SYN and SYN/ACK, and then prints later segments of that connection relative to it, so the first data byte of a connection is 1. Use tcpdump -S to print absolute sequence numbers on every line.
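
As an added example (not part of these notes, and not tcpdump's own code), the following Python script builds a small pcap file the way tcpdump -w stores packets, truncates each record to a snapshot length the way -s does, reads the file back as -r would, and prints every TCP segment in the one-line format dissected above, including the switch from absolute to relative sequence numbers. The hosts, ports, timestamps and initial sequence numbers are constructed, checksums are left zero, and timestamps are rendered in UTC rather than local time.

```python
import os
import struct
import tempfile
import time

PCAP_MAGIC = 0xA1B2C3D4                     # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
SYN, FIN, RST, PSH, ACK = 0x02, 0x01, 0x04, 0x08, 0x10
FLAG_LETTERS = ((SYN, "S"), (FIN, "F"), (RST, "R"), (PSH, "P"))   # tcpdump's print order


def ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_frame(src, sport, dst, dport, flags, seq, ack, win, payload=b""):
    """Ethernet + IPv4 + TCP header (no options). Checksums stay zero: the one-line
    tcpdump output does not show them and the reader below does not verify them."""
    eth = b"\x00" * 12 + b"\x08\x00"        # constructed MACs, EtherType 0x0800 = IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, win, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     ip_bytes(src), ip_bytes(dst))
    return eth + ip + tcp


def write_pcap(path, records, snaplen):
    """Layout produced by `tcpdump -w FILE -s SNAPLEN`: a 24-byte global header, then per
    packet a 16-byte record header followed by the first SNAPLEN bytes of the frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for sec, usec, frame in records:
            captured = frame[:snaplen]          # -s truncates each packet; it never drops one
            f.write(struct.pack("<IIII", sec, usec, len(captured), len(frame)))
            f.write(captured)


def read_pcap(path):
    """Return (sec, usec, captured_bytes, original_length) per packet, as `tcpdump -r` reads it."""
    with open(path, "rb") as f:
        data = f.read()
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    off, records = 24, []
    while off + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack_from("<IIII", data, off)
        off += 16
        records.append((sec, usec, data[off:off + incl], orig))
        off += incl
    return records


def decode_tcp(frame):
    """Pull out the fields that appear on a tcpdump line. Only the headers are needed, so a
    capture truncated by -s still decodes as long as the first 54 bytes survived."""
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    sport, dport, seq, ack, doff, flags, win = struct.unpack_from("!HHIIBBH", frame, 14 + ihl)
    data_len = total_len - ihl - (doff >> 4) * 4   # from the IP length, not from bytes captured
    return dict(src=src, sport=sport, dst=dst, dport=dport, seq=seq, ack=ack,
                flags=flags, win=win, data_len=data_len)


def tcpdump_lines(records, absolute=False):
    """Render records the way tcpdump prints TCP. Without -S the SYN and SYN/ACK show the
    absolute ISNs and every later segment is numbered relative to them (first data byte = 1)."""
    isn, lines = {}, []
    for sec, usec, frame, _orig in records:
        p = decode_tcp(frame)
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        seq, ack = p["seq"], p["ack"]
        if p["flags"] & SYN:
            isn[flow] = seq
            if p["flags"] & ACK:
                isn.setdefault(rev, ack - 1)    # a SYN/ACK also reveals the peer's ISN
        elif not absolute:
            seq -= isn.get(flow, 0)
            ack -= isn.get(rev, 0)
        letters = "".join(l for bit, l in FLAG_LETTERS if p["flags"] & bit) or "."
        out = "%s.%06d %s.%d > %s.%d: %s" % (time.strftime("%H:%M:%S", time.gmtime(sec)), usec,
                                            p["src"], p["sport"], p["dst"], p["dport"], letters)
        if p["data_len"] or p["flags"] & (SYN | FIN | RST):
            out += " %d:%d(%d)" % (seq, seq + p["data_len"], p["data_len"])
        if p["flags"] & ACK:
            out += " ack %d" % ack
        lines.append(out + " win %d" % p["win"])
    return lines


def demo(snaplen=68):
    """Constructed handshake plus one 512-byte data segment; hosts, ports and ISNs are made up."""
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    client, server, c_isn, s_isn = "10.0.0.5", "10.0.0.21", 62697789, 1840000000
    frames = [
        (1000000, 910000, build_frame(client, 1173, server, 21, SYN, c_isn, 0, 512)),
        (1000000, 910250, build_frame(server, 21, client, 1173, SYN | ACK, s_isn, c_isn + 1, 8760)),
        (1000000, 910500, build_frame(client, 1173, server, 21, ACK, c_isn + 1, s_isn + 1, 512)),
        (1000000, 911000, build_frame(client, 1173, server, 21, PSH | ACK, c_isn + 1, s_isn + 1, 512, b"A" * 512)),
    ]
    write_pcap(path, frames, snaplen)
    records = read_pcap(path)
    os.unlink(path)
    return tcpdump_lines(records), [(len(cap), orig) for _, _, cap, orig in records]


if __name__ == "__main__":
    lines, sizes = demo()
    print("\n".join(lines))
    print(sizes)
```

Compare the four printed lines with the example dissected above: the SYN and SYN/ACK carry the absolute ISNs, the bare ACK prints only ack 1 with no sequence range, and the data segment prints 1:513(512) ack 1. The last record is 68 bytes on disk although the frame was 566 bytes, which is why the data length is computed from the IP total length rather than from the bytes actually captured.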
