Capturing & Analyzing Network Traffic: tcpdump/tshark and Wireshark
EE 122: Intro to Communication Networks
Vern Paxson / Jorge Ortiz / Dilip Anthony Joseph

Some slides added from Fei Xu's slides, small modifications by Dr. Enis Karaarslan

Overview
• Examples of network protocols
• Protocol Analysis
– Verify correctness
– Analyze performance
– Better understanding of existing protocols
– Optimization and debugging of new protocols
• Tools
– tcpdump & tshark
– Wireshark

Network Protocol Examples
• Defines the rules of exchange between a pair (or more) of machines over a communication network
• HTTP (Hypertext Transfer Protocol)
– Defines how web pages are fetched and sent across a network
• TCP (Transmission Control Protocol)
– Provides reliable, in-order delivery of a stream of bytes
• Your protocol here

Protocol Analysis
• Verify correctness
• Debug/detect incorrect behavior
• Analyze performance
• Gain deeper understanding of existing protocols by “seeing” how they behave in actual use

Analysis Methods
• Instrument the code
– Difficult task, even for experienced network programmers
– Tedious and time consuming
• Use available tools
– tcpdump / tshark
– Wireshark
– ipsumdump
• Write your own tool
– libpcap

Tools overview
• Tcpdump
– Unix-based command-line tool used to intercept packets
o Including filtering to just the packets of interest
– Reads “live traffic” from the interface specified using the -i option, or from a previously recorded trace file specified using the -r option
o You create these trace files when capturing live traffic using the -w option
• Tshark
– Tcpdump-like capture program that comes with Wireshark
– Very similar behavior & flags to tcpdump
• Wireshark
– GUI for displaying tcpdump/tshark packet traces

Tcpdump example
• Ran tcpdump on the
• First few lines of the output:
01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh . 2513546054:2513547434(1380) ack 1268355216 win 12816
01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh P 1380:2128(748) ack 1 win 12816
01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh . 2128:3508(1380) ack 1 win 12816
01:46:28.890021 IP danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560

What does a line convey?
01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh . 2513546054:2513547434(1380) ack 1268355216 win 12816
• Timestamp
• “IP”: this is an IP packet
• Source host name
• Source port number (22, shown as ssh)
• Destination host name
• Destination port number
• TCP specific information (flags, sequence range and length, ack, window)
• Different output formats for different packet types
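To make the field layout above concrete, here is an added example (not from the slides) that parses classic-format tcpdump TCP lines into their fields and applies one of the “verify correctness” checks from the Protocol Analysis slide. The sample lines are the slide's danjo.CS.Berkeley.EDU lines with a constructed placeholder peer (client.example.net.51003) filled in for the destination the slide omits.

```python
import re
from collections import defaultdict

# One classic-format tcpdump TCP line, as explained on the slide:
#   timestamp IP srchost.srcport > dsthost.dstport: flags start:end(len) ack N win N
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"(?P<flags>[SFPRW.]+)(?: (?P<seq_start>\d+):(?P<seq_end>\d+)\((?P<length>\d+)\))?"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)

# Constructed sample: slide lines plus a placeholder peer host and one junk line.
SAMPLE = """\
01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > client.example.net.51003: . 2513546054:2513547434(1380) ack 1268355216 win 12816
01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > client.example.net.51003: P 1380:2128(748) ack 1 win 12816
01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh > client.example.net.51003: . 2128:3508(1380) ack 1 win 12816
01:46:28.890021 IP client.example.net.51003 > danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560
this line is not tcpdump output
"""

def parse_line(line):
    """Return the fields of one TCP line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("seq_start", "seq_end", "length", "ack", "win"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def parse_trace(text):
    """Parse every line; lines that do not parse are returned separately, not silently dropped."""
    records, rejected = [], []
    for line in text.splitlines():
        rec = parse_line(line)
        (records if rec is not None else rejected).append(rec if rec is not None else line)
    return records, rejected

def bytes_per_direction(records):
    """Sum payload bytes per (src, sport, dst, dport) direction of the conversation."""
    totals = defaultdict(int)
    for r in records:
        if r["length"] is not None:
            totals[(r["src"], r["sport"], r["dst"], r["dport"])] += r["length"]
    return dict(totals)

def inconsistent_segments(records):
    """Correctness check: the printed (len) must equal seq_end - seq_start."""
    return [r for r in records
            if r["length"] is not None and r["seq_end"] - r["seq_start"] != r["length"]]
```

Note that tcpdump prints absolute sequence numbers for the first segment it sees and relative ones afterwards, so a contiguity check across lines needs the -S option (absolute numbers) to be reliable.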

Similar Output from Tshark
1190003744.940437 - Encrypted request packet len 48
1190003744.940916 - Encrypted response packet len 48
1190003744.955764 - 6943 ssh [ACK] Seq 48 Ack 48 Win 65514 Len 0 TSV 445871583 TSER 632535493
1190003745.035678 - Encrypted request packet len 48
1190003745.036004 - Encrypted response packet len 48
1190003745.050970 - 6943 ssh [ACK] Seq 96 Ack 96 Win 65514 Len 0 TSV 445871583 TSER 632535502

Demo 1 – Basic Run
• Syntax: tcpdump [options] [filter expression]
• Run the following command on the machine
• Observe the output

Filters
• We are often not interested in all packets flowing through the network
• Use filters to capture only packets of interest to us

Demo 2
1. Capture only UDP packets: tcpdump “udp”
2. Capture only TCP packets: tcpdump “tcp”

Demo 2 (contd.)
1. Capture only UDP packets with destination port 53 (DNS requests): tcpdump “udp dst port 53”
2. Capture only UDP packets with source port 53 (DNS replies): tcpdump “udp src port 53”
3. Capture only UDP packets with source or destination port 53 (DNS requests and replies): tcpdump “udp port 53”

Demo 2 (contd.)
1. Capture only packets destined to: tcpdump “dst host”
2. Capture both DNS packets and TCP packets to/from: tcpdump “(tcp and or udp port 53”

How to write filters
• Refer to the cheat sheet slides at the end of this presentation
• Refer to the tcpdump/tshark man page

Running tcpdump
• Requires superuser/administrator privileges
– tcpdump, tshark & wireshark work on many different operating systems
– Download the version for your personal desktop/laptop from http://www.wireshark.org

Security/Privacy Issues
• Tcpdump/tshark/wireshark allow you to monitor other people’s traffic
• WARNING: Do NOT use these to violate privacy or security
• Use filtering to restrict packet analysis to only the traffic associated with your assignment. E.g., for project #1:
– tcpdump -s 0 -w all_pkts.trace tcp port 7788

What is Wireshark?
• Wireshark is a network packet/protocol analyzer.
• A network packet analyzer captures network packets and tries to display the packet data in as much detail as possible.
• Wireshark is perhaps one of the best open source packet analyzers available today for UNIX and Windows.

Install under Windows
• Download
• Install

Install under Debian/Ubuntu
# apt-get install wireshark

Wireshark System Overview

Configuration
This checkbox allows you to specify that Wireshark should put the interface in promiscuous mode when capturing. If you do not specify this, Wireshark will only capture the packets going to or from your computer (not all packets on your LAN segment).


Wireshark Interface

Demonstration
Questions?

More resources
• Search “wireshark tutorial”

Other Useful Tools
• IPsumdump
– Handy “Swiss army knife” for displaying in ASCII fields of interest in packet trace files
– kohler/ipsumdump/
– For instructions to use IPsumdump on EECS instructional accounts, see slide “Appendix: IPsumdump on EECS instructional accounts”
• Libpcap
– Unix packet capture library on which tcpdump/tshark are built
–

Assignment Requirements
• The tcpdump -w <dump file name> -s 0 options must be used for the traces submitted as part of the assignments
– tshark doesn’t require -s 0 (default)
• Appropriately name each dump file you submit and briefly describe what each dump file contains/illustrates in the README file associated with the assignment submission

Cheat Sheet – Commonly Used Tcpdump Options
• -n: Don’t convert host addresses to names. Avoids DNS lookups. It can save you time.
• -w filename: Write the raw packets to the specified file instead of parsing and printing them out. Useful for saving a packet capture session and running multiple filters against it later.
• -r filename: Read packets from the specified file instead of live capture. The file should have been created with the -w option.
• -q: Quiet output. Prints less information per output line.

Cheat Sheet – Commonly Used Options (contd.)
• -s 0: tcpdump usually does not analyze and store the entire packet. This option ensures that the entire packet is stored and analyzed. NOTE: You must use this option while generating the traces for your assignments. (Default in tshark)
• -A (or -X in some versions): Print each packet in ASCII. Useful when capturing web pages. NOTE: The contents of the packet before the payload (for example, IP and TCP headers) often contain unprintable ASCII characters which will cause the initial part of each packet to look like rubbish.

Cheat Sheet – Writing Filters (1)
• Specifying the hosts we are interested in
– “dst host name/IP”
– “src host name/IP”
– “host name/IP” (either source or destination is name/IP)
• Specifying the ports we are interested in
– “dst port number”
– “src port number”
– “port number”
– Makes sense only for TCP and UDP packets

Cheat Sheet – Writing Filters (2)
• Specifying ICMP packets
– “icmp”
• Specifying UDP packets
– “udp”
• Specifying TCP packets
– “tcp”

Cheat Sheet – Writing Filters (2)
• Combining filters
– and (&&)
– or (||)
– not (!)
• Example:
– All TCP packets which are not from or to host quasar.cs.berkeley.edu: tcpdump “tcp and ! host quasar.cs.berkeley.edu”
– Lots of examples in the EXAMPLES section of the man page
