tcpdump

“TcpDump” is a great way to inspect data packets over a network or internet connection. At base, it can be relatively easy to use for basic packet sniffing. However, it can be very complicated as well. There are even books written specifically about tcpdump! I am interested in this case in using tcpdump on a Windows server. In order to use tcpdump, not only does the tcpdump software itself need to be downloaded but so does WinPcap. The latter is, according to the WinPcap web site …

“WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.”

This Wikipedia link provides for an extensive history and explanation of tcpdump

http://en.wikipedia.org/wiki/Tcpdump

So, inaddition to installing tcpdump on your system, you also need to install the WinPcap package.

Here is an example ‘sniff”. Let’s say you want to examine network traffic data packets coming into port 25, the well known Simple Mail Transport Protocol (SMTP) port. Sometimes, the commands are not so easy, especially if you have two network interface cards, and you are not fluent in the Unix like command line interface (CLI) environment.

Basically, the above command, “tcpdump -i 2 port 25”, says “let’s do a data traffic dump over interface (NIC) # 2 for all email traffic relating to SMTP (which uses port 25)”. NIC #2 in my case is the one connected to the Internet. This system is indeed running an email server so in fact the traffic can at times be a busy, albeit usually from spammers and other losers.

After the initial login, the ‘listening’ starts. The tcpdump program is now listening for traffic over the internet, but again, only pertaining to port 25, or SMTP.

After this, you may see some SMTP traffic real fast. With spammers and other miscreants always on duty, you may see more traffic than you need or it may be entirely legitmate – this is up to or depends upon your business model and needs, RBL (relay block lists) and spam filtering, etc to determine.

You may see the device listening information, including the long winded identification of said device – the part in between the {}brackets. This is followed by the time stamp, and the local host information. After the greater > symbol, you can see that there is an external IP address listed in the reverse IP addressing: the ip address followed by hostname like information. The information that follows mostly pertains to the time of communications travel, in milliseconds.

Same principle applies for capturing web traffic. To use tcpdump to capture data packets over an HTTP connection, or web server port 80 in order to analyze web traffic, I issued the following (again, this assumes a second NIC interface, which is the public facing one):
C:\Program Files\tcpdump>tcpdump -i 2 port 80

As you can tell, simply filling in a well known port number may yield packet sniffing data.

Results will vary, depending on your set up.



Leave a Reply

Not Just Any WordPress Themed I.T. Site!