TCPDump is a Unix tool, which can be used to collect data from networks and can help decipher the output in an easy to understand manner. At first trying to make sense of any amount of data can be a real trial yet that’s where using the analyser and it’s filters is so important.
If you leave it at the defaults, TCPdump wiil examine all records either directly on the wire or from a dump file creates by another program. The problem is that this amount of data can be very difficult to analyse especially if you’re not that experienced. For network personnel who are looking for specific activity maybe evidence of a malicious attack or simply trying to solve a network related issue then being able to focus on specific addresses or protocols quickly is essential.
This is where the use of filters is so important, you can create filters to look for specific information. Solving a DNS problem or trying to fix a network sharing issue then simply create a filter which only displays the relevant protocol.
There is already help built in to the program, for example you’ll find that most common, general filters have easily available. So if you’re looking for ICMP messages or DNS requests then you’ll just need to apply the pre-prepared filter. TCPdump assigns a designated name for each type of header, associated with specific protocols. So for example ‘ip’ would be specified for a field in the IP header or datagram, ‘tcp’ for part of the TCP header or datagram and so on.
You can then reference these fields by specific protocols, by working through it’s displacement for the beginning of the header. These don’t change so you can work out what’s the IP segment and which is the TCP header and so on. Remember to carefully consider the source and destinations of the stream you’re analyzing it’s easy to get confused especially if things like VPNs or proxies are involved.
It takes a bit of practice but you should be able to use TCPdump to select any specific datagram for example perhaps to look into an embedded protocol like ICMP. This makes it much easier to troubleshoot specific issues. It also allows you to filter out data which cannot be read – for example if that data is encrypted. Imagine trying to solve network problems or determine issues when half the data is being deliberately hidden, perhaps many users are using proxies or VPNs. Some of these are being used very commonly even within corporate network – here’s an article discussing the use of the best vpn for Netflix which people use to switch versions (usually to the US version of Netflix).
Filters and proxies, J Brewer – Proxy online – Harvard Press, 2014
Great post. I’ve been trying to use these filters and it’s actually quite confusing, this helped me out.