How to - Monitor Packet Flow Using Tcpdump

Published on February 2017

How To - Monitor packet flow with tcpdump


tcpdump prints out the headers of packets on a network interface that match the Boolean expression. tcpdump is a packet capture tool that allows intercepting and capturing packets passing through a network interface, making it useful for understanding and troubleshooting network-layer problems. It helps to monitor packet flow on an interface, the response for each packet, packet drops, and ARP information. This utility will not be of much help in identifying and troubleshooting problems related to applications, hence before using this tool try to understand the behaviour of the problem.

Usage

Use from the Cyberoam Telnet Console, option 4 Cyberoam Console.

How to view traffic of the | tcpdump command | Example
specific host | tcpdump 'host <ipaddress>' | tcpdump 'host 10.10.10.1'
specific source host | tcpdump 'src host <ipaddress>' | tcpdump 'src host 10.10.10.1'
specific destination host | tcpdump 'dst host <ipaddress>' | tcpdump 'dst host 10.10.10.1'
specific network | tcpdump 'net <network address>' | tcpdump 'net 10.10.10.0'
specific source network | tcpdump 'src net <network address>' | tcpdump 'src net 10.10.10.0'
specific destination network | tcpdump 'dst net <network address>' | tcpdump 'dst net 10.10.10.0'
specific port | tcpdump 'port <port-number>' | tcpdump 'port 21'
specific source port | tcpdump 'src port <port-number>' | tcpdump 'src port 21'
specific destination port | tcpdump 'dst port <port-number>' | tcpdump 'dst port 21'
specific host for the particular port | tcpdump 'host <ipaddress> and port <port-number>' | tcpdump 'host 10.10.10.1 and port 21'
specific host for all the ports except SSH | tcpdump 'host <ipaddress> and port not <port-number>' | tcpdump 'host 10.10.10.1 and port not 22'
specific protocol | tcpdump 'proto ICMP', tcpdump 'proto UDP', tcpdump 'proto TCP', tcpdump 'arp' |
particular interface | tcpdump interface <interface> | tcpdump interface eth1
specific port of a particular interface | tcpdump interface <interface> 'port <port-number>' | tcpdump interface eth1 'port 21'

Note: Expressions can be combined using the logical operators AND or OR, and negated with NOT. Make sure to enclose the combined expression within single quotes.


Port Mapping

Appliance – 50i, 100i, 250i, 500i

Port | Physical Interface
A | eth0
B | eth1
C | eth2
D | eth3

Appliance – 1000i, 1500i

Port | Physical Interface
A | eth6
B | eth7
C | eth8
D | eth9
E | eth0
F | eth1
G | eth2
H | eth3

Analyzing tcpdump output

corporate> tcpdump 'port 21'
Kernel filter, protocol ALL, datagram packet socket
tcpdump: listening on all devices
12:29:33.860721 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: S 4023323694:4023323694(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
12:29:33.860769 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: S 4023323694:4023323694(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
12:29:33.861293 eth1 < 161.114.22.105.ftp > 192.168.13.40.1633: S 1587918290:1587918290(0) ack 4023323695 win 5840 <mss 1460> (DF)
12:29:33.861324 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: S 1587918290:1587918290(0) ack 4023323695 win 5840 <mss 1460> (DF)
12:29:33.861530 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: . 1:1(0) ack 1 win 65535 (DF)
12:29:33.861567 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: . 1:1(0) ack 1 win 65535 (DF)
12:29:34.872070 eth1 < 161.114.22.105.ftp > 192.168.13.40.1633: P 1:65(64) ack 1 win 5840 (DF)
12:29:34.872114 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: P 1:65(64) ack 1 win 5840 (DF)
12:29:34.977585 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: . 1:1(0) ack 65 win 65471 (DF)
12:29:34.977623 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: . 1:1(0) ack 65 win 65471 (DF)
12:29:45.885899 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: P 1:17(16) ack 65 win 65471 (DF)
12:29:45.885937 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: P 1:17(16) ack 65 win 65471 (DF)
12:29:45.886350 eth1 < 161.114.22.105.ftp > 192.168.13.40.1633: . 65:65(0) ack 17 win 5840 (DF)
12:29:45.886369 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: . 65:65(0) ack 17 win 5840 (DF)
12:29:46.280547 eth1 < 161.114.22.105.ftp > 192.168.13.40.1633: P 65:133(68) ack 17 win 5840 (DF)
12:29:46.280567 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: P 65:133(68) ack 17 win 5840 (DF)
12:29:46.444599 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: . 17:17(0) ack 133 win 65403 (DF)
12:29:46.444639 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: . 17:17(0) ack 133 win 65403 (DF)
12:29:52.568606 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: P 17:31(14) ack 133 win 65403 (DF)
12:29:52.568638 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: P 17:31(14) ack 133 win 65403 (DF)
12:29:52.569079 eth1 < 161.114.22.105.ftp > 192.168.13.40.1633: . 133:133(0) ack 31 win 5840 (DF)
12:29:52.569097 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: . 133:133(0) ack 31 win 5840 (DF)
12:30:00.428258 eth1 < 161.114.22.105.ftp > 192.168.13.40.1633: P 133:181(48) ack 31 win 5840 (DF)
12:30:00.428289 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: P 133:181(48) ack 31 win 5840 (DF)
12:30:00.627489 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: . 31:31(0) ack 181 win 65355 (DF)
12:30:00.627532 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: . 31:31(0) ack 181 win 65355 (DF)
12:30:07.696901 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: P 31:37(6) ack 181 win 65355 (DF)
12:30:07.696937 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: P 31:37(6) ack 181 win 65355 (DF)
12:30:07.698430 eth1 < 161.114.22.105.ftp > 192.168.13.40.1633: . 181:181(0) ack 37 win 5840 (DF)
12:30:07.698450 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: . 181:181(0) ack 37 win 5840 (DF)
12:30:08.133574 eth1 < 161.114.22.105.ftp > 192.168.13.40.1633: P 181:227(46) ack 37 win 5840 (DF)
12:30:08.133593 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: P 181:227(46) ack 37 win 5840 (DF)
12:30:08.272170 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: . 37:37(0) ack 227 win 65309 (DF)
12:30:08.272205 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: . 37:37(0) ack 227 win 65309 (DF)
12:30:08.526813 eth1 < 161.114.22.105.ftp > 192.168.13.40.1633: P 227:293(66) ack 37 win 5840 (DF)
12:30:08.526832 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: P 227:293(66) ack 37 win 5840 (DF)
12:30:08.526981 eth1 < 161.114.22.105.ftp > 192.168.13.40.1633: FP 293:370(77) ack 37 win 5840 (DF)
12:30:08.527006 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: FP 293:370(77) ack 37 win 5840 (DF)
12:30:08.527221 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: . 37:37(0) ack 371 win 65166 (DF)
12:30:08.527248 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: . 37:37(0) ack 371 win 65166 (DF)
12:30:08.536286 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: F 37:37(0) ack 371 win 65166 (DF)
12:30:08.536312 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: F 37:37(0) ack 371 win 65166 (DF)

1st line: In the colour-coded original, brown shows the timestamp of the packet, green the incoming interface, blue the source address that originates the request, red the destination IP address, orange the service being accessed, and pink the flag of the particular packet. This is a new connection originated by the IP address 172.16.16.81, destined for 161.114.22.105 to access FTP services. This is the first packet, so the flag is set to Sync "S".

3rd line: As the three-way handshake needs to complete, the second packet is the response coming back from the server with "Ack" for the Sync packet. This is nothing but the "Syn-Ack" packet.

4th line: "Ack" packet sent by the source for the "Syn-Ack". For any TCP connection the first three lines look like:

Source to Destination -- Sync
Destination to Source -- Sync-Ack
Source to Destination -- Ack


5th to 40th line: Push packets (data packets), because of the "P" and "." flags.

41st and 42nd line: Termination of the FTP connection, because of the "F" flag.

Flag information:
"S" – Sync packet for a new connection
"S" with "ack" – Sync packet with "ack" (the Syn-Ack)
"P" – Push packet containing data
"." – No data, only "ack"
"F" – FIN packet, which signals termination of the connection
"R" – Reset packet; the packet was dropped somewhere in between, e.g. at the firewall end
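An added example, not part of the original document: a small Python parser for the legacy summary-line format shown in the capture above. It classifies each packet by its flag (Sync, Syn-Ack, Ack, Push, FIN, Reset) exactly as the flag list describes, and checks that the three-way handshake completed on a given interface. The sample lines are copied from the eth0 side of the FTP capture above.

```python
import re

# Legacy tcpdump summary line, as printed throughout this document:
# <time> <iface> <dir> <src.port> > <dst.port>: <flags> <seq>:<end>(<len>) [ack <n>] win <w> ...
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>[<>B])\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<flags>[SFRP.]+)\s+"
    r"(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\)(?:\s+ack\s+(?P<ack>\d+))?\s+win\s+(?P<win>\d+)"
)

def classify(flags, has_ack):
    """Map the flag letters to the packet kinds the document describes."""
    if "R" in flags:                  # reset: session refused, or dropped somewhere in between
        return "RST"
    if "S" in flags:                  # a lone SYN opens; SYN with an ack is the Syn-Ack reply
        return "SYN-ACK" if has_ack else "SYN"
    if "F" in flags:                  # "F" or "FP": the connection is being torn down
        return "FIN"
    return "DATA" if "P" in flags else "ACK"   # push with data, or "." = ack only

def parse_line(line):
    """Return the fields of one summary line as a dict, or None if it is not a TCP line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["len"] = int(pkt["len"])
    pkt["kind"] = classify(pkt["flags"], pkt["ack"] is not None)
    return pkt

def session_kinds(lines, iface="eth0"):
    """Packet kinds seen on one interface, in capture order."""
    return [pkt["kind"] for pkt in map(parse_line, lines) if pkt and pkt["iface"] == iface]

def handshake_complete(kinds):
    """A healthy session opens SYN, SYN-ACK, ACK; an RST, or SYNs with no Syn-Ack, means it did not."""
    return kinds[:3] == ["SYN", "SYN-ACK", "ACK"]

# Sample lines copied from the eth0 side of the FTP capture shown in this document.
SAMPLE = """\
12:29:33.860721 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: S 4023323694:4023323694(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
12:29:33.861324 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: S 1587918290:1587918290(0) ack 4023323695 win 5840 <mss 1460> (DF)
12:29:33.861530 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: . 1:1(0) ack 1 win 65535 (DF)
12:29:34.872114 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: P 1:65(64) ack 1 win 5840 (DF)
12:30:08.527006 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: FP 293:370(77) ack 37 win 5840 (DF)
12:30:08.536286 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: F 37:37(0) ack 371 win 65166 (DF)
""".splitlines()

if __name__ == "__main__":
    kinds = session_kinds(SAMPLE)
    print(kinds, "handshake complete:", handshake_complete(kinds))
```

Feeding the whole capture in and comparing the kinds seen on eth0 with those on eth1 is a quick way to spot a packet that entered on one interface but never left on the other.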

Advanced Usage

View packet contents in hexadecimal notation

corporate> tcpdump hex
Kernel filter, protocol ALL, datagram packet socket
tcpdump: listening on all devices
13:49:04.438097 eth0 > 192.168.13.40.telnet > 172.16.16.81.1916: P 831812622:831812624(2) ack 616504356 win 5840 (DF)
4500 002a 4841 4000 4006 685b c0a8 0d28
ac10 1051 0017 077c 3194 740e 24bf 1c24
5018 16d0 13a6 0000 0d0a
13:49:04.545219 eth1 B arp who-has 192.168.2.30 (Broadcast) tell 192.168.2.31
0001 0800 0604 0001 0003 ba29 8f63 c0a8
021f ffff ffff ffff c0a8 021e 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
13:49:04.553181 eth0 < 172.16.16.81.1916 > 192.168.13.40.telnet: . 1:1(0) ack 2 win 65523 (DF)
4500 0028 3c3b 4000 8006 3463 ac10 1051
c0a8 0d28 077c 0017 24bf 1c24 3194 7410
5010 fff3 3794 0000 0000 0000 0000 0000
13:49:04.553217 eth0 > 192.168.13.40.telnet > 172.16.16.81.1916: P 2:538(536) ack 1 win 5840 (DF)
4500 0240 4842 4000 4006 6644 c0a8 0d28
ac10 1051 0017 077c 3194 7410 24bf 1c24
5018 16d0 058f 0000 4b65 726e 656c 2066
696c 7465 722c 2070 726f 746f 636f 6c20
414c 4c2c 2064 6174 6167 7261 6d20 7061
636b 6574 2073 6f63 6b65 740d 0a74 6370
6475 6d70 3a20 6c69 7374 656e 696e 6720
6f6e 2061 6c6c 2064 6576 6963 6573 0d0a
3133 3a34 393a 3034 2e34 3338 3039 3720
13:49:04.662912 eth1 B arp who-has 192.168.13.4 tell 192.168.13.5
0001 0800 0604 0001 000c 29ca 2f1e c0a8
0d05 0000 0000 0000 c0a8 0d04 0000 0000
0000 0000 0000 0000 0000 0000 0000
13:49:04.674536 eth1 B arp who-has 192.168.1.93 tell 192.168.1.206
0001 0800 0604 0001 0008 a132 e4f0 c0a8
01ce 0000 0000 0000 c0a8 015d 5d00 0100
0001 0000 0000 0000 046a 6973 7000

View packet contents with Ethernet or other layer 2 header information

corporate> tcpdump llh
Kernel filter, protocol ALL, datagram packet socket
tcpdump: listening on all devices
13:49:51.785823 eth1 B 0:3:ba:29:8f:63 Broadcast arp 60: arp who-has 192.168.2.30 (Broadcast) tell 192.168.2.31
13:49:51.868616 eth1 B 0:11:43:56:7d:7a Broadcast ip 92: 192.168.1.23.netbios-ns > 192.168.15.255.netbios-ns:NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:49:51.930139 eth0 < 0:11:11:93:47:9b 0:0:0:0:0:1 ip 60: 172.16.16.81.1916 > 192.168.13.40.telnet: . 616504364:616504364(0) ack 831819683 win 65281 (DF)
13:49:51.930177 eth0 > 0:0:0:0:0:0 0:10:f3:9:cf:da ip 412: 192.168.13.40.telnet > 172.16.16.81.1916: P 1:359(358) ack 0 win 5840 (DF)
13:49:52.131308 eth0 < 0:11:11:93:47:9b 0:0:0:0:0:1 ip 60: 172.16.16.81.1916 > 192.168.13.40.telnet: . 0:0(0) ack 359 win 64923 (DF)
13:49:52.131339 eth0 > 0:0:0:0:0:0 0:10:f3:9:cf:da ip 345: 192.168.13.40.telnet > 172.16.16.81.1916: P 359:650(291) ack 0 win 5840 (DF)
13:49:52.165068 eth1 B 0:10:f3:a:a5:fd Broadcast arp 60: arp who-has 3.3.3.1 tell 3.3.3.3
13:49:52.328476 eth1 B 0:13:20:dc:d0:63 Broadcast ip 110: 192.168.4.51.netbios-ns > 192.168.15.255.netbios-ns:NBT UDP PACKET(137): RELEASE; REQUEST; BROADCAST
13:49:52.328986 eth1 B 0:13:20:dc:d0:63 Broadcast ip 110: 192.168.4.51.netbios-ns > 192.168.15.255.netbios-ns:NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
13:49:52.332491 eth0 < 0:11:11:93:47:9b 0:0:0:0:0:1 ip 60: 172.16.16.81.1916 > 192.168.13.40.telnet: . 0:0(0) ack 650 win 64632 (DF)
13:49:52.332519 eth0 > 0:0:0:0:0:0 0:10:f3:9:cf:da ip 741: 192.168.13.40.telnet > 172.16.16.81.1916: P 650:1337(687) ack 0 win 5840 (DF)
13:49:52.370134 eth1 B 0:7:e9:2e:6c:c1 Broadcast arp 60: arp who-has 192.168.1.16 (Broadcast) tell 192.168.1.16

Generate binary file of traffic log generated with custom parameters
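An added example, not from the original document: this Python decodes the first two packets of the "tcpdump hex" output above back into the fields the summary line shows, so the reader can see where the flag letter, the window and the (DF) bit live in the raw bytes. The hex words are copied from that output; it assumes, as that output shows, that the dump starts at the IP header with no link-layer bytes in front of it.

```python
import struct
from ipaddress import IPv4Address

# Hex words copied from the "tcpdump hex" output in this document: the telnet PSH/ACK
# from 192.168.13.40 and the client's pure ACK (trailing zeros are Ethernet padding).
TELNET_PSH = ("4500 002a 4841 4000 4006 685b c0a8 0d28 ac10 1051 0017 077c 3194 740e "
              "24bf 1c24 5018 16d0 13a6 0000 0d0a")
CLIENT_ACK = ("4500 0028 3c3b 4000 8006 3463 ac10 1051 c0a8 0d28 077c 0017 24bf 1c24 "
              "3194 7410 5010 fff3 3794 0000 0000 0000 0000 0000")

def tcp_flag_letters(flags):
    """Same letters tcpdump prints: S, F, R, P in that order, or '.' when none is set."""
    letters = "".join(n for bit, n in ((0x02, "S"), (0x01, "F"), (0x04, "R"), (0x08, "P")) if flags & bit)
    return letters or "."

def decode_ipv4_tcp(hex_words):
    """Parse the IPv4 and TCP headers out of a tcpdump hex dump that starts at the IP header."""
    raw = bytes.fromhex(hex_words)
    (ver_ihl, _tos, total_len, _id, frag, ttl,
     proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", raw[ihl:ihl + 16])
    doff = (off_flags >> 12) * 4
    flags = off_flags & 0x3F
    return {
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "sport": sport, "dport": dport, "ttl": ttl, "df": bool(frag & 0x4000),
        "flags": tcp_flag_letters(flags), "has_ack": bool(flags & 0x10),
        "seq": seq, "ack": ack, "window": window,
        "payload": raw[ihl + doff:total_len],   # IP total length strips the padding
    }

def summary_line(pkt):
    """Render the packet the way the tcpdump summary line in the document shows it (absolute seq)."""
    n = len(pkt["payload"])
    out = f'{pkt["src"]}.{pkt["sport"]} > {pkt["dst"]}.{pkt["dport"]}: {pkt["flags"]} {pkt["seq"]}:{pkt["seq"] + n}({n})'
    if pkt["has_ack"]:
        out += f' ack {pkt["ack"]}'
    out += f' win {pkt["window"]}'
    return out + (" (DF)" if pkt["df"] else "")

if __name__ == "__main__":
    for words in (TELNET_PSH, CLIENT_ACK):
        print(summary_line(decode_ipv4_tcp(words)))
```

The first packet reproduces the document's line "P 831812622:831812624(2) ack 616504356 win 5840 (DF)" with port 23 in place of the name telnet; the second shows the client's TTL of 128 and a window of 65523, matching "win 65523".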

Cyberoam also supports saving and downloading the tcpdump output as a binary file from the Telnet Console. The tcpdump file contains the troubleshooting information useful for analyzing the traffic with an advanced tool like Ethereal, and for the Cyberoam Support team. To save the output in the downloadable file, log on to the Telnet Console:

• Go to Option 4 Cyberoam Console
• At the command prompt, issue the command: tcpdump <criteria> filedump
• Cyberoam saves this file under the name tcpdump.out
• Download it from http://<cyberoam_ip>/documents/tcpdump.out and mail this file to the Cyberoam Support team at [email protected]


Monitoring VPN traffic

Cyberoam automatically configures a VPN IPSec interface for each WAN port configured. For example, if Port B and Port C are configured as WAN ports, Cyberoam will configure ipsec0 and ipsec1 for Port B and Port C respectively.

Use these ipsec interfaces to monitor VPN traffic, e.g. tcpdump "-i ipsec0"

Document Version: 2.0-24/09/2007
