Tuesday, 3 January 2012

Analysing TCP Traffic

There are often times when you want to analyse TCP network traffic to see what is actually being sent over the network at a lower level. There are a few nifty tools around that are able to do this. Graphically, Wireshark is one. However, I prefer to just use a command line tool - thankfully, one of the default apps available on Ubuntu on a fresh install can also dump traffic, and this is tcpdump.

By running this command with some default options, you can analyse the packets being transmitted over the network. The packets can be captured in real time, or written to a dump file, which can be analysed later. What I have found more useful is to first capture to a dump file.

For example, I have a web based application running on port 8080, that I want to inspect to see what is going on, so I issue the following command:

sudo tcpdump -i eth0 -s 0 -nw output.dmp dst port 8080

The arguments basically say, in their order:

interface: eth0
snarf: 0 bytes, rather than the default 68 - less information to go through; for me, I am only really interested in the headers
no address/name resolution - maintain their IP address value
write: to output.dmp
dst port: only capture packets going to port 8080. More complex filters can be written, and documentation on the filter syntax can be viewed in the man page of pcap-filter

This produces a binary file, so it is no good trying to read it in a simple text editor; however, you can output the contents by passing in the -r flag (read):

sudo tcpdump -r output.dmp -A

I prefer to use the -A flag (ASCII), but you could also use the -X flag. I think the -A flag produces slightly more readable request headers. That said, the -X flag would be useful for viewing the data in both hex and ASCII format.
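As an added example that is not from the original post, here is a small Python reader for the pcap file format that tcpdump -w writes: it walks the Ethernet/IPv4/TCP headers of each record, applies the same "dst port 8080" selection offline, and renders a payload roughly the way -A does. The capture it parses is constructed inline (two made-up segments between 10.0.0.1 and 10.0.0.2), so it runs without tcpdump or a network interface.

```python
import struct

def _tcp_packet(dst_port, payload):
    # Ethernet (dst, src, EtherType IPv4) + IPv4 + TCP; checksums are left at zero
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp + payload

def _pcap(frames):
    # pcap global header: version 2.4, snaplen 65535, linktype 1 = Ethernet
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):  # record header: ts_sec, ts_usec, caplen, origlen
        out += struct.pack("<IIII", 1325548800 + i, 0, len(f), len(f)) + f
    return out

# Constructed sample capture: one HTTP request to port 8080, one TLS record to port 443
SAMPLE_PCAP = _pcap([
    _tcp_packet(8080, b"GET /index.html HTTP/1.1\r\nHost: app\r\n\r\n"),
    _tcp_packet(443, b"\x16\x03\x01"),
])

def parse_pcap(data):
    """Return (src, dst, sport, dport, payload) for every TCP segment in a pcap buffer."""
    e = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # magic number gives byte order
    linktype = struct.unpack(e + "IHHiIII", data[:24])[6]
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    off, segments = 24, []
    while off + 16 <= len(data):
        caplen = struct.unpack(e + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                      # not IPv4, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        t = 14 + ihl                                      # start of the TCP header
        sport, dport = struct.unpack("!HH", frame[t:t + 4])
        doff = (frame[t + 12] >> 4) * 4                   # TCP header length
        segments.append((src, dst, sport, dport, frame[t + doff:]))
    return segments

def dst_port_filter(segments, port):
    """Offline equivalent of the 'dst port 8080' capture filter used in the post."""
    return [s for s in segments if s[3] == port]

def ascii_view(payload):  # roughly what -A shows: printable bytes as-is, the rest as '.'
    return "".join(chr(b) if 32 <= b < 127 or b in (10, 13) else "." for b in payload)
```

Note that the tcpdump man page defines -s 0 as the full-length snaplen, so a file written with the command above contains complete packets, payloads included, which is why the parser returns the payload alongside the headers.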

Another useful tool (which you need to install) is tcpick, which can also parse the data dumps captured by tcpdump.

sudo tcpick -C -yP -r output.dmp

This is basically saying: print with syntax highlighting, and show the data contained in the packets. No doubt this does output the data nicely formatted, but other than that, I see no real reason not to just use tcpdump with the -A flag for viewing the captured packets.
