Wireless Hacks. 1917 IndustrialStrength Tips and Tools [Electronic resources] نسخه متنی

Hack 37 Watching Traffic with tcpdump

This famous command-line packet capture tool is
invaluable for troubleshooting thorny network problems.

Virtually
all modern
variations of Unix ship with the tcpdump
utility. Its deceptively simple interface hides a very powerful and
complex tool designed to capture data from a network interface,
filter it, and print it out so you can get a better grasp of what is
really happening on your network. Note that you need to be root to
capture packets with tcpdump.

The simplest way to start it is to run it while specifying the
network device you would like to listen to:

remote:~# tcpdump -i eth0

If you are logged into a remote machine while doing this, you will
see a flood of traffic fly by, even on an unloaded machine. This is
because tcpdump is capturing your ssh session
traffic and displaying it to your terminal, which generates more
traffic, which is again displayed, in an endless loop of wasted bits.
This is easily avoided by using a simple filter. For example, you
could just ignore all ssh traffic:

remote:~# tcpdump -i eth0 -n 'port ! 22'

Here I also specified the -n switch, which tells
tcpdump to skip DNS lookups for every host it encounters. When
capturing network data, the name of the game is speed. If your
machine is tied up with some other network function (like looking up
DNS names), it could miss packets as they fly past, particularly on a
busy network. Skipping lookups speeds up capturing, but it means that
you will be looking at IP addresses and port numbers instead of names
and services.

One common use for tcpdump is to look for ping traffic
when troubleshooting connectivity problems. To only see
ICMP traffic, specify the protocol in a
filter. Don't forget the backslash when specifying
protocol names.

pebble:~# tcpdump -i wlan0 'proto \icmp'
tcpdump: listening on eth0
16:34:33.842093 10.15.6.33 > www.google.com: icmp: echo request
16:34:33.873784 www.google.com > 10.15.6.33: icmp: echo reply
16:34:34.893981 10.15.6.33 > www.google.com: icmp: echo request
16:34:34.940997 www.google.com > 10.15.6.33: icmp: echo reply

Here you can see a user sending echo requests (pings) to www.google.com, who then sends echo replies.
If you see echo requests with no associated echo reply, this
indicates problems somewhere further up the network. If you are
sending pings and you don't even see the echo
request on your router, you know that the problem is somewhere
between your client and your router. Making educated guesses at where
the problem might be, combined with judicious tcpdump filters, can
quickly find the source of the trouble.

You can also capture all data from a particular host
using tcpdump. Use the host directive:

pebble:~# tcpdump -i wlan0 'host 10.15.6.88'  
tcpdump: listening on eth0
16:47:16.494447 10.15.6.88.1674 > florian.1900: udp 132 [ttl 1]
16:47:16.494524 florian > 10.15.6.88: icmp: florian udp port 1900 
unreachable [tos 0xc0] 
16:47:16.495831 10.15.6.88.1674 > florian.1900: udp 133 [ttl 1]
16:47:16.495926 florian > 10.15.6.88: icmp: florian udp port 1900 
unreachable [tos 0xc0] 
16:47:21.488711 arp who-has 10.15.6.88 tell florian
16:47:21.491861 arp reply 10.15.6.88 is-at 0:40:96:41:80:2c
16:47:28.293719 baym-cs197.msgr.hotmail.com.1863 > 10.15.6.88.1046: . ack 5 
win 17128

This person is
obviously using MSN Messenger, as evidenced by their connection to
baym-cs197.msgr.hotmail.com port 1863, and by
the UDP broadcasts to port 1900 as well. You can also see an ARP
response that shows the user's MAC address starting
with 0:40:96, indicating a Cisco card (see [Hack #27] for more details). Without
even resorting to nmap [Hack #40] or
another active scan, we could make a fair guess that this user is
using a PC laptop running Windows. This information is revealed in
just a few seconds, by observing a mere five or six packets. Had the
user been using application layer encryption, this sort of
eavesdropping would be impossible. See Chapter 7
for a much more detailed look at wireless security.

Mac OS X is even
chattier than MS Windows, revealing the user's name
(and occasionally even their photo) in the form of iChat multicast
broadcasts. Decoding this data is left as an exercise for the reader,
but capturing it is simple enough:

pebble:~# tcpdump -i wlan0 -X -s 0 -n -l 'port 5353'

This will show you a full dump of packets, both in hex and in ASCII.
If you need to analyze large amounts of data, it is usually easier to
use a graphical tool like Ethereal [Hack #39] to pour over it. Since
your AP probably isn't running Xwindows, you can use
tcpdump to capture the actual data. Specifying the
-w switch writes all packets to a file in pcap
format, which many tools (like Ethereal) will read:

pebble:~# tcpdump -i wlan0 -n -w captured.pcap 'port 5353'

Now just transfer the captured.pcap file to your
local machine, and open it up in
Ethereal.

For a command-line utility, tcpdump is a surprisingly complete packet
capture tool. It has a complex and powerful filter expression
language, and can be adapted to capture precisely the data you are
after. Be sure to read man
tcpdump for many more details on what tcpdump can
do for you.