Skip to main content
RH124

Understand Your Network More Effectively with TCPDump

By February 15, 2020No Comments

In this blog we will help you learn to understand your network more effectively with TCPDump and analyzing ping and traceroute, the basic connectivity checking tools.

Key to running an effective network is being able to understand your network more effectively with TCPDump. TCPDump is a command line tool in Linux which may seem scary at first but with a little practice and knowledge you will soon be able to start understanding your network.


Using Ping Effectively

Firstly, we look at ping. Yes, I know you all think you know this and you probably do have a good understanding but hopefully we can help you discover a little more.

$ ping 1.1

Yes, we can ping 1.1, this will expand to 1.0.0.1 accepting that if we provide just 2 octets then the second octet must represent 24 bits and have leading zeros. This is why it expands to 1.0.0.1  one of Cloudflare’s DNS servers.

The ping will continue in Linux until we issue a CTRL+C. To ping a set about we use the option -c.

$ ping -c3 1.1
PING 1.1 (1.0.0.1) 56(84) bytes of data.
64 bytes from 1.0.0.1: icmp_seq=1 ttl=56 time=24.9 ms
64 bytes from 1.0.0.1: icmp_seq=2 ttl=56 time=18.0 ms
64 bytes from 1.0.0.1: icmp_seq=3 ttl=56 time=17.0 ms

--- 1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 17.031/20.011/24.962/3.528 ms

We may often concentrate on the time in the main output  of ping but the summary at the bottom is more useful.

  • rtt = rount trip time
  • min = quickest time, 17 ms
  • max = slowest time, 20 ms
  • mdev = deviation, 3.5

Also we see the ttl, (time to live), in the main output. Packets can cross 56 routers before expiring.

A ping uses the ICMP protocol and the message type of ECHO Request and ECHO Reply. We can see this by using a second terminal so that we are able to ping whilst capturing data.

Terminal 1: Capture traffic

Use the IP address of your host in the filter in place of 192.168.0.254

$ sudo tcpdump -i eth0 icmp and host 192.168.0.254 and 1.0.0.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

Terminal 2: Ping

$ ping -c1 1.1

Terminal 1: Results

9:28:02.268523 IP 192.168.0.254 > one.one.one.one: ICMP echo request, id 6944, seq 1, length 64
19:28:02.287321 IP one.one.one.one > 192.168.0.254: ICMP echo reply, id 6944, seq 1, length 64

So with a little practice we can see the ICMP type and we have been able to build a packet capture filter and we are starting to understand your Network more effectively with TCPDump and ping.

Understanding Traceroute

Secondly, we look at traceroute, another command line tool to diagnose network traffic. This then shows the route that is taken to the destination host. In Linux this used the UDP protocol by default. In Windows, the ICMP protocol is used. The way that traceroute shows you the route taken is be the TTL of the packet. The first packet is sent with a TTL of 1 so it expires on the first router and packer is returned. The second packet is sent with a TTL of 2 and so on. We can see that UDP is used and the increasing TTL with TCPDump:

Terminal 1: Capture traffic

Use the IP address of your host in the filter in place of 192.168.0.254

$ sudo tcpdump -i eth0 udp and host 192.168.0.254 and 1.0.0.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

Terminal 2: Traceroute

$ traceroute 1.1
traceroute to 1.1 (1.0.0.1), 30 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  5.883 ms  5.519 ms  6.225 ms
 2  10.35.108.1 (10.35.108.1)  22.865 ms  22.924 ms  22.791 ms
 3  pete-core-2a-xe-120-0.network.virginmedia.net (80.3.129.77)  24.953 ms  24.814 ms  24.942 ms
 4  * * *
 5  * * *
 6  * * *
 7  tcma-ic-2-ae9-0.network.virginmedia.net (62.253.174.178)  21.591 ms  25.977 ms  25.151 ms
 8  162.158.32.254 (162.158.32.254)  27.120 ms  25.934 ms  27.108 ms
 9  one.one.one.one (1.0.0.1)  23.235 ms  29.548 ms  30.257 ms

Terminal 1: Results

19:40:30.912920 IP 192.168.0.254.33491 > one.one.one.one.33434: UDP, length 32
19:40:30.913221 IP 192.168.0.254.38255 > one.one.one.one.33435: UDP, length 32
19:40:30.913419 IP 192.168.0.254.46443 > one.one.one.one.33436: UDP, length 32
19:40:30.913580 IP 192.168.0.254.60132 > one.one.one.one.33437: UDP, length 32
19:40:30.913719 IP 192.168.0.254.52295 > one.one.one.one.33438: UDP, length 32
19:40:30.913848 IP 192.168.0.254.49651 > one.one.one.one.33439: UDP, length 32
19:40:30.913982 IP 192.168.0.254.60732 > one.one.one.one.33440: UDP, length 32
19:40:36.006958 IP 192.168.0.254.56222 > one.one.one.one.33452: UDP, length 32
19:40:36.007241 IP 192.168.0.254.58702 > one.one.one.one.33453: UDP, length 32
19:40:36.007315 IP 192.168.0.254.44034 > one.one.one.one.33454: UDP, length 32
19:40:36.007391 IP 192.168.0.254.37993 > one.one.one.one.33455: UDP, length 32
19:40:36.007556 IP 192.168.0.254.45468 > one.one.one.one.33456: UDP, length 32
19:40:36.007717 IP 192.168.0.254.60707 > one.one.one.one.33457: UDP, length 32
19:40:36.007928 IP 192.168.0.254.41799 > one.one.one.one.33458: UDP, length 32
19:40:36.008705 IP 192.168.0.254.48818 > one.one.one.one.33459: UDP, length 32
19:40:36.008924 IP 192.168.0.254.48520 > one.one.one.one.33460: UDP, length 32
19:40:36.008982 IP 192.168.0.254.40047 > one.one.one.one.33461: UDP, length 32
19:40:36.009033 IP 192.168.0.254.51384 > one.one.one.one.33462: UDP, length 32
19:40:36.009083 IP 192.168.0.254.55295 > one.one.one.one.33463: UDP, length 32
19:40:36.009139 IP 192.168.0.254.56502 > one.one.one.one.33464: UDP, length 32

Hmmm, whilst this is OK, we can see that UDP is used, we are not seeing the TTL. Let’s try adjusting TCPDump. We run the process again on both system but this time using the option -v with tcpdump:

$ sudo tcpdump -v -i eth0 udp and host 192.168.0.254 and 1.0.0.1

Then running the exact same traceroute command from the second terminal we can see the new captured data:

19:45:55.356115 IP (tos 0x0, ttl 1, id 5286, offset 0, flags [none], proto UDP (17), length 60)
192.168.0.254.34385 > one.one.one.one.33434: UDP, length 32
19:45:55.356450 IP (tos 0x0, ttl 1, id 5287, offset 0, flags [none], proto UDP (17), length 60)
192.168.0.254.46850 > one.one.one.one.33435: UDP, length 32
19:45:55.356613 IP (tos 0x0, ttl 1, id 5288, offset 0, flags [none], proto UDP (17), length 60)
192.168.0.254.53398 > one.one.one.one.33436: UDP, length 32
19:45:55.356764 IP (tos 0x0, ttl 2, id 5289, offset 0, flags [none], proto UDP (17), length 60)
192.168.0.254.52200 > one.one.one.one.33437: UDP, length 32
19:45:55.356907 IP (tos 0x0, ttl 2, id 5290, offset 0, flags [none], proto UDP (17), length 60)
192.168.0.254.41797 > one.one.one.one.33438: UDP, length 32
19:45:55.357040 IP (tos 0x0, ttl 2, id 5291, offset 0, flags [none], proto UDP (17), length 60)
192.168.0.254.60770 > one.one.one.one.33439: UDP, length 32
19:45:55.357186 IP (tos 0x0, ttl 3, id 5292, offset 0, flags [none], proto UDP (17), length 60)
192.168.0.254.46766 > one.one.one.one.33440: UDP, length 32
19:46:00.455392 IP (tos 0x0, ttl 6, id 5336, offset 0, flags [none], proto UDP (17), length 60)
192.168.0.254.50015 > one.one.one.one.33451: UDP, length 32
19:46:00.455599 IP (tos 0x0, ttl 7, id 5337, offset 0, flags [none], proto UDP (17), length 60)
192.168.0.254.51156 > one.one.one.one.33452: UDP, length 32
19:46:00.455729 IP (tos 0x0, ttl 7, id 5338, offset 0, flags [none], proto UDP (17), length 60)
192.168.0.254.39045 > one.one.one.one.33453: UDP, length 32
19:46:00.455856 IP (tos 0x0, ttl 7, id 5339, offset 0, flags [none], proto UDP (17), length 60)
192.168.0.254.33983 > one.one.one.one.33454: UDP, length 32
19:46:00.455997 IP (tos 0x0, ttl 8, id 5340, offset 0, flags [none], proto UDP (17), length 60)
192.168.0.254.34578 > one.one.one.one.33455: UDP, length 32
19:46:00.456134 IP (tos 0x0, ttl 8, id 5341, offset 0, flags [none], proto UDP (17), length 60)
192.168.0.254.51943 > one.one.one.one.33456: UDP, length 32
19:46:00.456257 IP (tos 0x0, ttl 8, id 5342, offset 0, flags [none], proto UDP (17), length 60)
192.168.0.254.36211 > one.one.one.one.33457: UDP, length 32
19:46:00.456416 IP (tos 0x0, ttl 9, id 5343, offset 0, flags [none], proto UDP (17), length 60)
192.168.0.254.33592 > one.one.one.one.33458: UDP, length 32
19:46:00.457017 IP (tos 0x0, ttl 9, id 5344, offset 0, flags [none], proto UDP (17), length 60)
192.168.0.254.57627 > one.one.one.one.33459: UDP, length 32
19:46:00.457642 IP (tos 0x0, ttl 11, id 5350, offset 0, flags [none], proto UDP (17), length 60)
192.168.0.254.50244 > one.one.one.one.33465: UDP, length 32
19:46:00.478248 IP (tos 0x0, ttl 12, id 5353, offset 0, flags [none], proto UDP (17), length 60)
192.168.0.254.60948 > one.one.one.one.33467: UDP, length 32
19:46:00.479943 IP (tos 0x0, ttl 12, id 5354, offset 0, flags [none], proto UDP (17), length 60)
192.168.0.254.58305 > one.one.one.one.33468: UDP, length 32
19:46:00.480090 IP (tos 0x0, ttl 12, id 5355, offset 0, flags [none], proto UDP (17), length 60)
192.168.0.254.56355 > one.one.one.one.33469: UDP, length 32
19:46:00.480218 IP (tos 0x0, ttl 13, id 5356, offset 0, flags [none], proto UDP (17), length 60)
192.168.0.254.54455 > one.one.one.one.33470: UDP, length 32

This shows the incrementing TTL of each packet. We also need to send more than one UDP packet to determine which UDP, port will be active on the target host. To use ICMP with traceroute we must run as root and add the -I option:

Terminal 1: Capture traffic

Use the IP address of your host in the filter in place of 192.168.0.254

$ sudo tcpdump -i eth0 icmp and host 192.168.0.254 and 1.0.0.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

Terminal 2: Traceroute

$ sudo traceroute -I 1.1
traceroute to 1.1 (1.0.0.1), 30 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  5.883 ms  5.519 ms  6.225 ms
 2  10.35.108.1 (10.35.108.1)  22.865 ms  22.924 ms  22.791 ms
 3  pete-core-2a-xe-120-0.network.virginmedia.net (80.3.129.77)  24.953 ms  24.814 ms  24.942 ms
 4  * * *
 5  * * *
 6  * * *
 7  tcma-ic-2-ae9-0.network.virginmedia.net (62.253.174.178)  21.591 ms  25.977 ms  25.151 ms
 8  162.158.32.254 (162.158.32.254)  27.120 ms  25.934 ms  27.108 ms
 9  one.one.one.one (1.0.0.1)  23.235 ms  29.548 ms  30.257 ms

Terminal 1: Results

19:40:30.912920 IP 192.168.0.254.33491 > one.one.one.one.33434: UDP, length 32
19:40:30.913221 IP 192.168.0.254.38255 > one.one.one.one.33435: UDP, length 32
19:40:30.913419 IP 192.168.0.254.46443 > one.one.one.one.33436: UDP, length 32
19:40:30.913580 IP 192.168.0.254.60132 > one.one.one.one.33437: UDP, length 32
19:40:30.913719 IP 192.168.0.254.52295 > one.one.one.one.33438: UDP, length 32
19:40:30.913848 IP 192.168.0.254.49651 > one.one.one.one.33439: UDP, length 32
19:40:30.913982 IP 192.168.0.254.60732 > one.one.one.one.33440: UDP, length 32
19:40:36.006958 IP 192.168.0.254.56222 > one.one.one.one.33452: UDP, length 32
19:40:36.007241 IP 192.168.0.254.58702 > one.one.one.one.33453: UDP, length 32
19:40:36.007315 IP 192.168.0.254.44034 > one.one.one.one.33454: UDP, length 32
19:40:36.007391 IP 192.168.0.254.37993 > one.one.one.one.33455: UDP, length 32
19:40:36.007556 IP 192.168.0.254.45468 > one.one.one.one.33456: UDP, length 32
19:40:36.007717 IP 192.168.0.254.60707 > one.one.one.one.33457: UDP, length 32
19:40:36.007928 IP 192.168.0.254.41799 > one.one.one.one.33458: UDP, length 32
19:40:36.008705 IP 192.168.0.254.48818 > one.one.one.one.33459: UDP, length 32
19:40:36.008924 IP 192.168.0.254.48520 > one.one.one.one.33460: UDP, length 32
19:40:36.008982 IP 192.168.0.254.40047 > one.one.one.one.33461: UDP, length 32
19:40:36.009033 IP 192.168.0.254.51384 > one.one.one.one.33462: UDP, length 32
19:40:36.009083 IP 192.168.0.254.55295 > one.one.one.one.33463: UDP, length 32
19:40:36.009139 IP 192.168.0.254.56502 > one.one.one.one.33464: UDP, length 32

Hmmm, whilst this is OK, we can see that UDP is used, we are not seeing the TTL. Let’s try adjusting TCPDump. We run the process again on both system but this time using the option -v with tcpdump:

$ sudo tcpdump -v -i eth0 icmp and host 192.168.0.254 and 1.0.0.1

Then running the $ sudo traceroute -I 1.1  command from the second terminal we can see the new captured data on the first terminal:

19:53:22.338302 IP (tos 0x0, ttl 1, id 27946, offset 0, flags [none], proto ICMP (1), length 60)

    192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 1, length 40

19:53:22.338995 IP (tos 0x0, ttl 1, id 27947, offset 0, flags [none], proto ICMP (1), length 60)

    192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 2, length 40

19:53:22.339171 IP (tos 0x0, ttl 1, id 27948, offset 0, flags [none], proto ICMP (1), length 60)

    192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 3, length 40

19:53:22.339489 IP (tos 0x0, ttl 2, id 27949, offset 0, flags [none], proto ICMP (1), length 60)

    192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 4, length 40

19:53:22.339652 IP (tos 0x0, ttl 2, id 27950, offset 0, flags [none], proto ICMP (1), length 60)

    192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 5, length 40

19:53:22.339771 IP (tos 0x0, ttl 2, id 27951, offset 0, flags [none], proto ICMP (1), length 60)

    192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 6, length 40

19:53:22.339888 IP (tos 0x0, ttl 3, id 27952, offset 0, flags [none], proto ICMP (1), length 60)

    192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 7, length 40

19:53:27.447858 IP (tos 0x0, ttl 7, id 28463, offset 0, flags [none], proto ICMP (1), length 60)

    192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 19, length 40

19:53:27.448021 IP (tos 0x0, ttl 7, id 28464, offset 0, flags [none], proto ICMP (1), length 60)

    192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 20, length 40

19:53:27.448223 IP (tos 0x0, ttl 7, id 28465, offset 0, flags [none], proto ICMP (1), length 60)

    192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 21, length 40

19:53:27.448466 IP (tos 0x0, ttl 8, id 28466, offset 0, flags [none], proto ICMP (1), length 60)

    192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 22, length 40

19:53:27.448650 IP (tos 0x0, ttl 8, id 28467, offset 0, flags [none], proto ICMP (1), length 60)

    192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 23, length 40

19:53:27.448845 IP (tos 0x0, ttl 8, id 28468, offset 0, flags [none], proto ICMP (1), length 60)

    192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 24, length 40

19:53:27.449034 IP (tos 0x0, ttl 9, id 28469, offset 0, flags [none], proto ICMP (1), length 60)

    192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 25, length 40

19:53:27.449524 IP (tos 0x0, ttl 9, id 28470, offset 0, flags [none], proto ICMP (1), length 60)

    192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 26, length 40

19:53:27.449703 IP (tos 0x0, ttl 9, id 28471, offset 0, flags [none], proto ICMP (1), length 60)

    192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 27, length 40

19:53:27.449776 IP (tos 0x0, ttl 10, id 28472, offset 0, flags [none], proto ICMP (1), length 60)

    192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 28, length 40

19:53:27.449814 IP (tos 0x0, ttl 10, id 28473, offset 0, flags [none], proto ICMP (1), length 60)

    192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 29, length 40

19:53:27.449930 IP (tos 0x0, ttl 10, id 28474, offset 0, flags [none], proto ICMP (1), length 60)

    192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 30, length 40

19:53:27.450055 IP (tos 0x0, ttl 11, id 28475, offset 0, flags [none], proto ICMP (1), length 60)

    192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 31, length 40

19:53:27.450080 IP (tos 0x0, ttl 11, id 28476, offset 0, flags [none], proto ICMP (1), length 60)

    192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 32, length 40

19:53:27.450215 IP (tos 0x0, ttl 11, id 28477, offset 0, flags [none], proto ICMP (1), length 60)

    192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 33, length 40

19:53:27.450333 IP (tos 0x0, ttl 12, id 28478, offset 0, flags [none], proto ICMP (1), length 60)

    192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 34, length 40

19:53:27.470076 IP (tos 0x0, ttl 56, id 31177, offset 0, flags [none], proto ICMP (1), length 60)

    one.one.one.one > 192.168.0.254: ICMP echo reply, id 6998, seq 25, length 40

19:53:27.470080 IP (tos 0x0, ttl 56, id 31178, offset 0, flags [none], proto ICMP (1), length 60)

    one.one.one.one > 192.168.0.254: ICMP echo reply, id 6998, seq 26, length 40

19:53:27.470463 IP (tos 0x0, ttl 56, id 31179, offset 0, flags [none], proto ICMP (1), length 60)

    one.one.one.one > 192.168.0.254: ICMP echo reply, id 6998, seq 27, length 40

19:53:27.470466 IP (tos 0x0, ttl 56, id 31180, offset 0, flags [none], proto ICMP (1), length 60)

    one.one.one.one > 192.168.0.254: ICMP echo reply, id 6998, seq 28, length 40

19:53:27.473030 IP (tos 0x0, ttl 56, id 31181, offset 0, flags [none], proto ICMP (1), length 60)

    one.one.one.one > 192.168.0.254: ICMP echo reply, id 6998, seq 29, length 40

19:53:27.473034 IP (tos 0x0, ttl 56, id 31182, offset 0, flags [none], proto ICMP (1), length 60)

    one.one.one.one > 192.168.0.254: ICMP echo reply, id 6998, seq 30, length 40

19:53:27.473749 IP (tos 0x0, ttl 56, id 31183, offset 0, flags [none], proto ICMP (1), length 60)

    one.one.one.one > 192.168.0.254: ICMP echo reply, id 6998, seq 31, length 40

19:53:27.473752 IP (tos 0x0, ttl 56, id 31184, offset 0, flags [none], proto ICMP (1), length 60)

    one.one.one.one > 192.168.0.254: ICMP echo reply, id 6998, seq 32, length 40

19:53:27.473925 IP (tos 0x0, ttl 56, id 31185, offset 0, flags [none], proto ICMP (1), length 60)

    one.one.one.one > 192.168.0.254: ICMP echo reply, id 6998, seq 33, length 40

19:53:27.473928 IP (tos 0x0, ttl 56, id 31186, offset 0, flags [none], proto ICMP (1), length 60)

    one.one.one.one > 192.168.0.254: ICMP echo reply, id 6998, seq 34, length 40

Now we can start using the tools with more confidence and we really do understand your Network more effectively with TCPDump and ping.

 

Leave a Reply