X
Business

Making sense of tcpdump with add-on enhancements

As a system architect, you may need a tool beyond a simple "ping" to help you analyze the traffic on your network interface. A dump can be useful in tracking down abusive use of the system(s), crack attempts, or other performance issues. Tcpdump, a command line tool, will accomplish this quickly and easily.
Written by Stew Benedict, Contributor
As a system architect, you may need a tool beyond a simple "ping" to help you analyze the traffic on your network interface. A dump can be useful in tracking down abusive use of the system(s), crack attempts, or other performance issues. Tcpdump, a command line tool, will accomplish this quickly and easily. As shown in Figure A, the most basic usage simply requires you to call the program, and the dump will be displayed on stdout.

Figure A

Tcpdump displayed on stdout

In Figure A, note the extract of a browser session (note the "www"). I use sudo to be able to run the program as a normal user. Because of the nature of tcpdump, you'll need to run it as root, or by using sudo to assume the root role for the duration of the command. As with most UNIX programs, mantcpdump will give you a rundown of all the various command-line options.

Tcpdump output can be convoluted, but several wrappers are available that make it more manageable. For the remainder of the article, we'll examine some of these wrappers and look at the pros and cons of each. First, we'll examine two that are limited to text mode, which could be useful if you happen to be working at the command line or across a Secure Shell (SSH) connection to a remote system.

Sniff
Sniff is a text mode wrapper around tcpdump. It color codes and formats the tcpdump output to make it a little more readable, as shown in Figure B. To try it, just untar the tar archive and run it. To see the options, type sniff -h. Because you also call tcpdump when you run sniff, all the tcpdump options need to come after the double dash (--). The -l /usr/local/sbin tells sniff the path to tcpdump.

Figure B

Sniff screenshot

Sniff requires Perl, and as far as I can tell, the author does not offer the source for download—only Linux binaries. There is also no install program, so you must manually copy the binary to /usr/local/sbin or wherever you'd like it to reside. If binary files are an issue with you, you may want to try some of the other tcpdump wrappers. Aside from the colorization and a slight refinement of the output, sniff doesn't do much more than you can do with judicious use of tcpdump's command-line options.

Tcpdfilter
Another basic filtering program is tcpdfilter. As shown in Figure C, the build routine is very straightforward.

Figure C

Tcpdfilter build routine

As shown in Figure D, you can just pipe the output of tcpdump straight through tcpdfilter.

Figure D

Tcpdfilter build routine

Like sniff, tcpdfilter has some command-line options, but they are fairly limited. The -d, or decode, option is the most useful, because it adds a packet analysis to the output, as illustrated in Figure E.

Figure E

Packet analysis added to the output

Packet analysis, plus the availability of source code, makes me lean more toward tcpdfilter than sniff for text-based use.

Netdude
If you prefer GUI tools for tcpdump output analysis, check out Netdude.
In addition to the latest version of Netdude, you will need tcpdump and GTK, the gimp toolkit to build the GUI interface. As shown in Figure F, the build is similar to the others.

Figure F

Netdude build

It's important to note that you need to dump your logs from tcpdump using the -w option, as shown in Figure G, or Netdude will complain that the file is not a tcpdump save file. This output is not very readable, because it is raw binary; but Netdude can read it, letting you drill down to Ethernet, IP, and TCP information on each packet, as well as allowing you to edit them.

Figure G

The –w option in Netdude

Netdude combines the capabilities of tcpdump and tcpdfilter, and its GUI is easy to work with. Development has slowed a bit in recent months due to the author's other obligations, but the program is usable as it stands now. The TCP filter is shown in Figure H.

Figure H

Netdude tcpfilter

Ethereal
Ethereal is an advanced sniffer in its own right, but it can also read dumps from tcpdump (see Figure I). Ethereal is available for both UNIX and Windows. Download the most recent version here.
The build process is the same as for the other wrappers: untar the source, configure, make, make install. Again, you should use tcpdump files created with the -w flag.
Like Netdude, Ethereal lets you look at an individual line and apply filters and a multitude of other options, such as sorting by packet number, time, source, destination, or protocol. This package is definitely the best-of-class of the various programs I looked at. If you have the luxury of being able to use a GUI for your analysis, I highly recommend Ethereal.

Figure I

Ethereal
Summary
That sums up the functioning wrappers I found for tcpdump. I’ve covered everything from basic pipeline filters to fancy GUIs, along with some related packages. One of these or a combination should meet your needs when you’re analyzing your network traffic.



Editorial standards