written 2.5 years ago by | • modified 2.5 years ago |
Solution
The tcpdump command is present by default on most Unix-based systems.
It is useful in debugging networks and services.
Tcpdump is a common packet analyzer that runs under the command line.
It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.
However, its potential for abuse gave tcpdump a bad reputation: in the era of remote administration via telnet, which sends usernames and passwords in cleartext, anyone able to run a sniffer on the same segment could capture them.
WinDump is the tcpdump command’s counterpart for Windows systems.
Tcpdump is primarily a sniffer as opposed to a protocol analyzer.
Its filters enable you to extract any combination of network packets, but it doesn't parse higher-level protocols like HTTP, SNMP, or DNS into more human-readable formats or annotate the traffic.
For example, a protocol analyzer would know how to interpret the specific flags, options, and steps of an SSL/TLS handshake.
The sniffer just shows the raw packets.
Tcpdump and WinDump both use the packet capture (pcap) library, a set of packet capture routines originally written at the Lawrence Berkeley National Laboratory (libpcap on Unix, and its Windows port WinPcap for WinDump).
The pcap routines provide the interface for OS-level packet capture and filtering and hand each captured frame to the tool as raw bytes.
Because WinDump is simply a Windows port of tcpdump, the two commands are mostly interchangeable.
The main practical difference is how the capture interface is named: Unix systems use names such as eth0, whereas WinDump refers to interfaces by number (use -D on either tool to list the available interfaces and their indexes).
The tools require privileged user access to capture data.
Make sure to execute them with sudo or "Run As Administrator" as appropriate.
Another reason tcpdump and WinDump require privileged access is that they put the network interface into promiscuous mode, in which the interface accepts every frame it sees rather than only those addressed to its own MAC address.
Some network devices such as Ethernet hubs repeat a packet to all ports on the hub (all hosts connected to the hub) in expectation that only the intended recipient will accept it.
The other hosts receive the packet as well, but they ignore it because the packet is not intended for their MAC address.
On a switched network, by contrast, the switch delivers unicast frames only to the port of the destination MAC address, so a promiscuous-mode sniffer sees its own traffic plus broadcast and multicast frames unless it is attached to a mirror (SPAN) port or a network tap.
Tcpdump filters control what kinds of traffic the command captures.
Filter expressions are defined with the Berkeley Packet Filter (BPF) syntax.
Multiple filters may be combined with the Boolean operators and, or, and not (written in lowercase; &&, || and ! are accepted as well).
The typical format of an expression is a type qualifier (the packet characteristic to match) followed by a value:
$ tcpdump packet_characteristic value
The most common type qualifiers are host, net, and port.
For example, the following command tells tcpdump to show only packets to or from 192.168.1.100:
$ tcpdump host 192.168.1.100
If all we care about is web traffic, we can narrow the filter to the default port for HTTP:
$ tcpdump host 192.168.1.100 and port 80
The net qualifier captures traffic destined for or originating from any host in the given network:
$ tcpdump net 192.168.1.0/24 and port 80
Remember that the net qualifier only exposes traffic visible to the sniffer’s network interface.
Specifying a network doesn’t automatically make its traffic visible—only network proximity of the sniffer does.
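The following is an added example, not code from tcpdump or libpcap: a small Python model of the host, net and port qualifiers and the and/or/not operators, evaluated over constructed packet records (the addresses, ports and the eth0 interface name are assumptions). It shows the two points a filter writer most often gets wrong: host and port match either direction of a flow unless a src/dst qualifier is added, and net matches on CIDR membership of either endpoint. Each Filter also carries the expression text it models, so you can see exactly what would be passed to tcpdump.

```python
import ipaddress
from typing import Callable, NamedTuple

# Added example (not tcpdump's or libpcap's own filter compiler): a model of
# the BPF type qualifiers host/net/port and the and/or/not operators.


class Packet(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int


class Filter:
    """A BPF-style predicate together with the tcpdump expression it models."""

    def __init__(self, expr: str, pred: Callable[[Packet], bool]):
        self.expr = expr
        self.pred = pred

    def __call__(self, p: Packet) -> bool:
        return self.pred(p)


def host(addr: str) -> Filter:
    # 'host A' is direction-agnostic: it matches traffic to OR from A.
    a = ipaddress.ip_address(addr)
    return Filter(f"host {addr}",
                  lambda p: a in (ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)))


def src_host(addr: str) -> Filter:
    # 'src host A' adds a direction qualifier: the source address only.
    a = ipaddress.ip_address(addr)
    return Filter(f"src host {addr}", lambda p: ipaddress.ip_address(p.src) == a)


def net(cidr: str) -> Filter:
    # 'net N' matches if either endpoint lies inside the CIDR block N.
    n = ipaddress.ip_network(cidr, strict=False)
    return Filter(f"net {cidr}",
                  lambda p: ipaddress.ip_address(p.src) in n or ipaddress.ip_address(p.dst) in n)


def port(number: int) -> Filter:
    # 'port P' matches the source OR destination port, so replies are kept too.
    return Filter(f"port {number}", lambda p: number in (p.sport, p.dport))


def and_(*fs: Filter) -> Filter:
    return Filter(" and ".join(f.expr for f in fs), lambda p: all(f(p) for f in fs))


def or_(*fs: Filter) -> Filter:
    return Filter(" or ".join(f.expr for f in fs), lambda p: any(f(p) for f in fs))


def not_(f: Filter) -> Filter:
    # Parenthesise compound expressions so 'not' applies to the whole term.
    inner = f"({f.expr})" if (" and " in f.expr or " or " in f.expr) else f.expr
    return Filter(f"not {inner}", lambda p: not f(p))


def apply_filter(f: Filter, packets: list[Packet]) -> list[Packet]:
    return [p for p in packets if f(p)]


def tcpdump_command(f: Filter, iface: str = "eth0") -> str:
    # Single-quote the expression so the shell leaves parentheses alone.
    # The interface name eth0 is an assumption for this example.
    return f"tcpdump -nn -i {iface} '{f.expr}'"


# Constructed sample traffic for the example; not a real capture.
SAMPLE = [
    Packet("192.168.1.100", "93.184.216.34", 51234, 80),   # client -> web server
    Packet("93.184.216.34", "192.168.1.100", 80, 51234),   # server's reply
    Packet("192.168.1.100", "192.168.1.1", 40000, 22),     # ssh to the gateway
    Packet("192.168.1.55", "10.0.0.9", 33000, 80),         # another LAN host, http
    Packet("10.0.0.9", "172.16.0.5", 443, 50000),          # outside 192.168.1.0/24
]

if __name__ == "__main__":
    f = and_(net("192.168.1.0/24"), not_(port(22)))
    print(tcpdump_command(f))
    for p in apply_filter(f, SAMPLE):
        print(p)
```

Note that `host 192.168.1.100 and port 80` keeps both the request and the reply, because neither qualifier is tied to a direction; add `src`/`dst` when you only want one side.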
Common uses of tcpdump are as follows:
- Tcpdump prints a one-line summary of each network packet (or, with -X, the raw bytes).
- It can read packets from a network interface card (-i) or from a previously saved packet file (-r).
- It can write packets to standard output or, with -w, to a pcap file for later analysis.
- It is also possible to use tcpdump for the specific purpose of intercepting and displaying the communications of another user or computer, which is precisely why capture requires privilege and why cleartext protocols are dangerous on a shared segment.
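To make the "save to file, read it back later" workflow concrete, the following is an added example and not tcpdump's own code: it writes a minimal pcap file in the format tcpdump -w produces, reads it back as tcpdump -r would, and prints each Ethernet/IPv4/TCP frame as a tcpdump-like summary line (timestamp, IP src.port > dst.port, TCP flags). The frames, addresses, ports and timestamps are constructed in the example, not captured, and the IP/TCP checksums are left at zero since the point is the file format, not a valid wire packet.

```python
import ipaddress
import struct
import tempfile
from typing import Iterator, Optional

# Added example (not tcpdump's own code): a minimal pcap writer/reader and a
# tcpdump-style summary printer for constructed Ethernet/IPv4/TCP frames.

PCAP_MAGIC = 0xA1B2C3D4          # microsecond timestamps, writer's byte order
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # same magic read with the opposite byte order
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
# TCP flag letters in the order tcpdump prints them (by bit position).
TCP_FLAG_NAMES = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, ".")]


def build_frame(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Construct an Ethernet/IPv4/TCP frame with zeroed checksums (sample data only)."""
    eth = bytes.fromhex("0a0b0c0d0e0f") + bytes.fromhex("010203040506") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + tcp


def write_pcap(records: list[tuple[int, bytes]]) -> bytes:
    """Serialise (ts_sec, frame) records as a pcap file, like 'tcpdump -w'."""
    # Global header: magic, version 2.4, tz offset, sigfigs, snaplen, link type.
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_sec, frame in records:
        # Record header: ts_sec, ts_usec, captured length, original length.
        out.append(struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data: bytes) -> Iterator[tuple[int, bytes]]:
    """Yield (ts_sec, frame) from pcap bytes, honouring the file's byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        end = ">"
    else:
        raise ValueError("not a pcap file")
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated pcap record")
        off += incl_len
        yield ts_sec, frame


def dissect(frame: bytes) -> Optional[tuple[str, int, str, int, int]]:
    """Return (src, sport, dst, dport, tcp_flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes (options possible)
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    flags = ip[ihl + 13] & 0x3F       # low six bits of the TCP flags byte
    return src, sport, dst, dport, flags


def flag_string(flags: int) -> str:
    return "".join(name for bit, name in TCP_FLAG_NAMES if flags & bit) or "none"


def summarize(data: bytes) -> list[str]:
    """One tcpdump-like line per TCP packet, like 'tcpdump -nn -tt -r file'."""
    lines = []
    for ts_sec, frame in read_pcap(data):
        d = dissect(frame)
        if d is None:
            continue
        src, sport, dst, dport, flags = d
        lines.append(f"{ts_sec} IP {src}.{sport} > {dst}.{dport}: Flags [{flag_string(flags)}]")
    return lines


# Constructed sample: a TCP three-way handshake to a web server (not a real capture).
SAMPLE_RECORDS = [
    (1700000000, build_frame("192.168.1.100", "93.184.216.34", 51234, 80, 0x02)),  # SYN
    (1700000000, build_frame("93.184.216.34", "192.168.1.100", 80, 51234, 0x12)),  # SYN-ACK
    (1700000001, build_frame("192.168.1.100", "93.184.216.34", 51234, 80, 0x10)),  # ACK
]

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile(suffix=".pcap", delete=False) as fh:
        fh.write(write_pcap(SAMPLE_RECORDS))       # the '-w' side
        path = fh.name
    with open(path, "rb") as fh:
        for line in summarize(fh.read()):          # the '-r' side
            print(line)
```

A file written this way is readable by tcpdump -r and Wireshark; the summary format here drops the sequence, window and length fields that real tcpdump output also carries.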