tcpdump interview questions
Top tcpdump frequently asked interview questions
I opened a pcap in Wireshark and it displays a lot of packets as "TCP segment of a reassembled PDU". How is Wireshark able to determine which TCP packets are segments of a reassembled PDU? I am not able to find any header field or anything else by which Wireshark can determine this.
Any help will be greatly appreciated. Thanks!!!
Source: (StackOverflow)
I have used both, and I conclude that I can read HTML data from webpages with tcpflow but cannot do so with tcpdump. The best I get is some ugly ASCII text with lots of period symbols.
My understanding is that tcpdump doesn't reassemble packets, whereas tcpflow does. But if that was the key difference, wouldn't the packet data from tcpdump still be human readable - just in smaller chunks? Is the problem that tcpdump is limited to ASCII and most network traffic is encoded in UTF-8?
I'm a rookie on network analysis/programming so forgive me if I'm missing something obvious.
Source: (StackOverflow)
One of the tools I am using uses encryption/decryption to send out data over the network. I am modifying the tool and I need to be sure that the data is actually being sent in an encrypted form.
Are Wireshark and tcpdump the right tools for the purpose? At which point during the transfer do they capture the network packets?
Source: (StackOverflow)
I applied a filter in Wireshark to display only the incoming packets to my PC. When I save the filtered/displayed packets to a .csv file, it actually saves all the packets (unfiltered). How can I save only the displayed/filtered packets?
Source: (StackOverflow)
I want to run tcpdump with some parameters (still don't know what to use), then load this stackoverflow.com page.
Output should be the HTTP communication. Later I want to use it as a shell script, so whenever I want to check the HTTP communication of a site site.com I can just run script.sh site.com.
The HTTP communication should be simple enough, like the following:
GET /questions/9241391/how-to-capture-all-the-http-communication-data-using-tcp-dump
Host: stackoverflow.com
...
...
HTTP/1.1 200 OK
Cache-Control: public, max-age=60
Content-Length: 35061
Content-Type: text/html; charset=utf-8
Expires: Sat, 11 Feb 2012 15:36:46 GMT
Last-Modified: Sat, 11 Feb 2012 15:35:46 GMT
Vary: *
Date: Sat, 11 Feb 2012 15:35:45 GMT
....
decoded deflated data
....
Now, could you tell me which options I should use with tcpdump to capture it?
Source: (StackOverflow)
I am trying to find a way to read multiple ports using tcpdump. Suppose I have two ports, p1 and p2, and I want to read the traffic moving through both ports simultaneously. Is there any way to do it using tcpdump or will I have to use some other tool?
Basically I am running a proxy server which is running on some port. I want to read the traffic moving through this port as well as the traffic moving through port 80 (HTTP).
Source: (StackOverflow)
I am running tcpdump on DD-WRT routers in order to capture uplink data from mobile phones. I would like to listen only to some MAC addresses. To do this I tried to run the command using a syntax similar to Wireshark:
tcpdump -i prism0 ether src[0:3] 5c:95:ae -s0 -w | nc 192.168.1.147 31337
so that I can listen to all the devices that have 5c:95:ae as the initial part of their MAC address.
The problem is that the syntax is wrong and I was wondering if any of you knows the right syntax to get what I want.
Source: (StackOverflow)
I want to have tcpdump write raw packet data into a file and display packet analysis in standard output as the packets are captured (by analysis I mean the lines it displays normally when -w is missing).
Can anybody please tell me how to do that?
Source: (StackOverflow)
How to concatenate two tcpdump files, so that one traffic will appear after another in the file? To be concrete, I want to "multiply" one tcpdump file, so that all the sessions will be repeated one after another sequentially a few times.
Source: (StackOverflow)
In tcpdump, how can I capture all incoming IP traffic destined to my machine? I don't care about my local traffic.
Should I just say:
tcpdump ip dst $MyIpAddress and not src net $myIpAddress/$myNetworkBytes
... or am I missing something?
Source: (StackOverflow)
import subprocess
raw = raw_input("Filename:").lower()
ip = raw_input("Host:").lower()
cmd = subprocess.call("tcpdump -c5 -vvv -w" + " raw " + " ip ",shell=True)
So this is my script. Everything works besides one key objective: using the raw input.
It allows me to input anything I want, but when it goes to saving the file or using an IP/host it doesn't actually do anything.
Sure, it gives me the packets, but from the localhost, not the host I type in.
How I know this isn't working is because my first raw input is the filename, so I put in test; when I look in the folder where my script is, it produces a file called "raw", meaning it's not actually taking my input, only using what's inside my "X"...
So I make a few changes to come to this:
import subprocess
raw = raw_input("Filename:").lower()
ip = raw_input("Host:").lower()
cmd = subprocess.call("tcpdump -c5 -vvv -w" + raw + "host" + ip,shell=True)
Which is great because it actually calls for the -w, but it now saves it as rawhostip instead of "raw"'s input.
For reference, this is what the command looks like in the terminal:
tcpdump -c5 -vvv -w savename host wiki2
The only two variables are savename and wiki2; the rest are needed for the command to work.
With this script I get this error:
import subprocess
raw = raw_input("Filename:").lower()
ip = raw_input("Host:").lower()
cmd = subprocess.call("tcpdump -c5 -vvv -w" + raw, "host" + ip,shell=True)
Error:
Traceback (most recent call last):
File "te.py", line 4, in <module>
cmd = subprocess.call("tcpdump -c5 -vvv -w" + raw, "host" + ip,shell=True)
File "/usr/lib/python2.6/subprocess.py", line 480, in call
return Popen(*popenargs, **kwargs).wait()
File "/usr/lib/python2.6/subprocess.py", line 583, in __init__
raise TypeError("bufsize must be an integer")
TypeError: bufsize must be an integer
I am at a loss. Any help will be great. Yes, I know, look at subprocess's docs on site:X; I have, I need a human to teach me, I don't understand what I am reading.
My question is how do I work with these variables.
Source: (StackOverflow)
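The three versions above fail for the same reason: the command is assembled as one string. "-w" + raw yields "-wrawhostip" with no separators, and in the last version "host" + ip lands in subprocess.call's second positional parameter (bufsize), hence the TypeError. Passing an argument list and leaving shell=True off fixes both, and it also keeps shell metacharacters typed into the "Host:" prompt from being executed. The following Python 3 script is an added example, not the poster's code; the host-name check is a hypothetical restriction chosen here, not something tcpdump requires.

```python
import re
import subprocess

# Hypothetical allow-list for the filter argument (not from the original post):
# only host-name / address characters, so a value like "wiki2; rm -rf /"
# is rejected instead of being handed to a shell.
_HOST_RE = re.compile(r"^[A-Za-z0-9.\-:]+$")


def build_tcpdump_argv(filename, host, count=5):
    """Return tcpdump's argument vector as a list of separate words.

    With a list, subprocess passes each element as its own argv entry, so
    there are no spaces to forget and no shell to interpret user input.
    """
    if not filename or filename.startswith("-"):
        raise ValueError("bad capture filename: %r" % (filename,))
    if not _HOST_RE.match(host):
        raise ValueError("bad host: %r" % (host,))
    return ["tcpdump", "-c", str(count), "-vvv", "-w", filename, "host", host]


def run_capture(filename, host, count=5):
    """Run the capture; equivalent to: tcpdump -c5 -vvv -w savename host wiki2"""
    argv = build_tcpdump_argv(filename, host, count)
    return subprocess.call(argv)  # note: no shell=True


if __name__ == "__main__":
    name = input("Filename:").strip()        # raw_input() in Python 2
    target = input("Host:").strip().lower()
    raise SystemExit(run_capture(name, target))
```

build_tcpdump_argv is kept separate from run_capture so the argument vector can be inspected (or unit-tested) without root privileges or a network interface.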
I'm trying to view traffic transmitted to a specific multicast address on a network in order to analyze a protocol we're using.
I don't have Wireshark available on the setup (unfortunately). TCPDump is available though. So, can anyone show me a command to have TCPDump filter to only view messages transmitted to a specific multicast group address?
Source: (StackOverflow)
Is there a possibility to filter tcpdump (live or after creating a dump) based on TCP connection time (connection duration)?
I'm recording HTTP JSON-RPC traffic.
I want to record only connections that are longer than, let's say, 1000 ms.
In Wireshark there is a tool in Menu->Statistics->Conversations (TCP tab) and there I can sort by "Duration". But I want to record (or filter) long-lived connections before (not in Wireshark).
In pseudo commands I want to do something like this:
tcpdump -i eth0 port 80 and connectionTime>1000ms -w data.pcap
or after recording:
cat data.pcap | SOMETOOL -connectionTime>1000ms > dataLongConnections.pcap
SOMETOOL must export filtered data to format that Wireshark will understand.
Because after filtering I want to analyze that data in Wireshark.
How can I do this?
Source: (StackOverflow)
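A BPF filter cannot express connection duration, because it sees one packet at a time; both this question and the earlier one about concatenating capture files are post-processing jobs on the pcap. The block below is an added example written for this page (not the poster's code and not a tcpdump or Wireshark component): a minimal reader and writer for the classic little-endian pcap format, a concatenation routine that shifts each appended file's timestamps so its sessions follow the previous file's, and a filter that keeps only TCP conversations whose first-to-last packet span exceeds a threshold. The sample capture is constructed in memory with zero checksums. For the concatenation case alone, Wireshark's mergecap -a (append instead of merging by timestamp) does the same job from the command line.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4       # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def read_pcap(data):
    """Parse pcap bytes into a list of (timestamp_seconds, frame_bytes)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    records, off = [], 24                      # 24-byte global header
    while off + 16 <= len(data):               # 16-byte record header
        sec, usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        records.append((sec + usec / 1e6, data[off:off + incl]))
        off += incl
    return records


def write_pcap(records, snaplen=65535):
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def concat_pcaps(pcaps, gap=1.0):
    """Append captures one after another; each file's timestamps are shifted so
    it starts `gap` seconds after the previous file's last packet."""
    merged, next_start = [], None
    for data in pcaps:
        recs = read_pcap(data)
        if not recs:
            continue
        shift = 0.0 if next_start is None else next_start - recs[0][0]
        merged.extend((ts + shift, frame) for ts, frame in recs)
        next_start = merged[-1][0] + gap
    return write_pcap(merged)


def tcp_flow_key(frame):
    """Direction-independent key for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:]
    if len(tcp) < 4:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    a, b = (frame[26:30], sport), (frame[30:34], dport)
    return (a, b) if a <= b else (b, a)


def filter_long_connections(data, min_seconds):
    """Keep only the packets of TCP conversations lasting more than min_seconds
    (measured from the conversation's first to its last captured packet)."""
    recs = read_pcap(data)
    first, last = {}, {}
    for ts, frame in recs:
        key = tcp_flow_key(frame)
        if key is not None:
            first.setdefault(key, ts)
            last[key] = ts
    keep = {k for k in first if last[k] - first[k] > min_seconds}
    return write_pcap([(ts, f) for ts, f in recs if tcp_flow_key(f) in keep])


def make_tcp_frame(src, dst, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for the sample data (checksums 0)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 913, 0, 0)
    return eth + ip + tcp + payload


def sample_capture():
    """Constructed capture: one 2.5 s conversation (port 40000) and one 0.2 s one."""
    return write_pcap([
        (100.0, make_tcp_frame("10.0.0.1", "10.0.0.2", 40000, 80)),
        (100.1, make_tcp_frame("10.0.0.1", "10.0.0.2", 40001, 80)),
        (100.3, make_tcp_frame("10.0.0.2", "10.0.0.1", 80, 40001)),
        (102.5, make_tcp_frame("10.0.0.2", "10.0.0.1", 80, 40000, b"done")),
    ])


if __name__ == "__main__":
    pcap = sample_capture()
    with open("dataLongConnections.pcap", "wb") as fh:
        fh.write(filter_long_connections(pcap, 1.0))
    with open("doubled.pcap", "wb") as fh:
        fh.write(concat_pcaps([pcap, pcap]))
```

Both output files open in Wireshark. The duration filter needs the whole capture before it can decide, so for live use record everything with tcpdump -w and run the filter afterwards; the 1000 ms threshold from the question is simply min_seconds=1.0.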
I am running a Linux box running 2.6.9-55.ELsmp, x86_64.
I am trying to set the TCP receive window by using the setsockopt() function using C. I try the following:
rwnd = 1024;
setsockopt(sock, SOL_SOCKET, SO_RCVBUF, (char *)&rwnd, sizeof(rwnd));
The code segment above is in a client program that receives data from a server. When I kick off the program to receive and observe tcpdump output, I observe window negotiation like so:
11:34:40.257755 IP clientReceiver.42464 > serverSender.8991:
S 1742042788:1742042788(0) win 5840
<mss 1460,sackOK,timestamp 1688222886 0,nop,wscale 2>
We see that the client program is in fact negotiating a window different from what I have set in the client program. However, from how I can interpret Steven's text ("TCP/IP Illustrated, Volume 1") Section 20.4, I believe you effect what he refers to in the second block quote in Section 20.4 using the setsockopt() call I use (see above).
I'd like to understand where I have gone wrong.
Perhaps my interpretation of what Stevens is saying is incorrect. In that case, could you point me to the correct way of setting the receive buffer size? As proof of my confusion, I refer to the Linux TCP sockets man page at http://linux.die.net/man/7/tcp (see the comment on SO_RCVBUF).
What am I missing in this story? How do I control the receive buffer size (and have it show in the tcpdump output)? Please note that I allude here to a setting of the socket option SO_RCVBUF--I understand that's what shows up in the window negotiation in the SYN.
Any input is appreciated.
Source: (StackOverflow)
I have been trying to filter tcpdump output based on packet lengths, but I had no luck.
This is the simple output for a command:
tcpdump -n -i eth0 dst port 443 -A
17:03:30.866890 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [S], seq 2685064927, win 14600, options [mss 1460,sackOK,TS val 7028787 ecr 0,nop,wscale 4], length 0
E..<..@.@.......>K.<.0...
........9............
.k@3........
17:03:30.867658 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [.], ack 2285019097, win 913, options [nop,nop,TS val 7028787 ecr 974439509], length 0
E..4..@.@.......>K.<.0...
...2.............
.k@3:..U
17:03:30.867928 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [P.], seq 0:171, ack 1, win 913, options [nop,nop,TS val 7028787 ecr 974439509], length 171
E.....@.@..f....>K.<.0...
...2.............
.k@3:..U...........Opw2.....l..".T.7.q.]h..8W..%.....H...
.......9.8.......5... .....E.D.3.2...........A...../.........
...1.........alice.sni.velox.ch.
.................#..
17:03:30.869712 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [.], ack 1319, win 1078, options [nop,nop,TS val 7028788 ecr 974439511], length 0
E..4..@.@.......>K.<.0...
...2.....6.......
.k@4:..W
17:03:30.870724 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [P.], seq 171:178, ack 1319, win 1078, options [nop,nop,TS val 7028788 ecr 974439511], length 7
E..;..@.@.......>K.<.0...
...2.....6.......
.k@4:..W......0
I want to see packets only if they have more than 100 bytes length. For this case, only the 3rd packet:
options [nop,nop,TS val 7028787 ecr 974439509], length 171
I have looked at the man pages for tcpdump, but couldn't find any useful parameter. There is an expression 'greater length' mentioned here: http://www.ethereal.com/docs/man-pages/tcpdump.8.html, but I couldn't use that expression either.
$ tcpdump -n -i eth0 dst port 443 -A -x greater 100
tcpdump: syntax error
Thanks for any help.
Source: (StackOverflow)
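Two things go wrong in the command above. tcpdump treats everything after the first non-option word as the filter expression, so in "dst port 443 -A -x greater 100" the "-A -x" become part of the expression and produce the syntax error; options must precede the filter ("tcpdump -n -i eth0 -A -x 'dst port 443 and greater 100'"). Second, "greater 100" tests the length of the whole captured frame including Ethernet, IP and TCP headers, whereas the "length 171" printed by tcpdump is the TCP payload length, so the first two packets above (54-byte frames with 0 bytes of payload) would slip through a "greater 50" filter. A capture filter on payload length is possible with header arithmetic, "ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2) > 100", but when the text output already exists the selection can also be done afterwards. The block below is an added example, not code from the question: it splits tcpdump -A output into per-packet records (a record starts at a timestamp and owns the dump lines that follow it) and keeps the records whose reported payload length exceeds a threshold. The sample text is the question's own output, copied verbatim.

```python
import re

# A record starts with a "HH:MM:SS.usec " timestamp; the ASCII dump lines that
# -A prints afterwards belong to the record above them.
_RECORD_START = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
_SUMMARY = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\].*, length (?P<len>\d+)$"
)


def split_records(text):
    """Group tcpdump text output into one string per captured packet."""
    records, current = [], []
    for line in text.splitlines():
        if _RECORD_START.match(line) and current:
            records.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        records.append("\n".join(current))
    return records


def parse_summary(record):
    """Return (timestamp, src, dst, flags, payload_len) from a record's first line."""
    m = _SUMMARY.match(record.split("\n", 1)[0])
    if not m:
        return None
    return (m["ts"], m["src"], m["dst"], m["flags"], int(m["len"]))


def filter_by_payload_length(text, min_bytes):
    """Keep only records whose TCP payload length is greater than min_bytes."""
    kept = []
    for rec in split_records(text):
        summary = parse_summary(rec)
        if summary is not None and summary[4] > min_bytes:
            kept.append(rec)
    return kept


# Sample input: the five packets shown in the question (tcpdump -n -i eth0 dst port 443 -A).
SAMPLE = """17:03:30.866890 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [S], seq 2685064927, win 14600, options [mss 1460,sackOK,TS val 7028787 ecr 0,nop,wscale 4], length 0
E..<..@.@.......>K.<.0...
........9............
.k@3........
17:03:30.867658 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [.], ack 2285019097, win 913, options [nop,nop,TS val 7028787 ecr 974439509], length 0
E..4..@.@.......>K.<.0...
...2.............
.k@3:..U
17:03:30.867928 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [P.], seq 0:171, ack 1, win 913, options [nop,nop,TS val 7028787 ecr 974439509], length 171
E.....@.@..f....>K.<.0...
...2.............
.k@3:..U...........Opw2.....l..".T.7.q.]h..8W..%.....H...
.......9.8.......5... .....E.D.3.2...........A...../.........
...1.........alice.sni.velox.ch.
.................#..
17:03:30.869712 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [.], ack 1319, win 1078, options [nop,nop,TS val 7028788 ecr 974439511], length 0
E..4..@.@.......>K.<.0...
...2.....6.......
.k@4:..W
17:03:30.870724 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [P.], seq 171:178, ack 1319, win 1078, options [nop,nop,TS val 7028788 ecr 974439511], length 7
E..;..@.@.......>K.<.0...
...2.....6.......
.k@4:..W......0"""

if __name__ == "__main__":
    for rec in filter_by_payload_length(SAMPLE, 100):
        print(rec)
```

Run against the sample, only the 171-byte ClientHello record survives. The same function works on live output piped from tcpdump via sys.stdin.read(), as long as -A (or -x) output is what is being parsed; -x hex lines are also attached to the preceding record by the same rule.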