Monday, January 16, 2012

REFERENCES: F5 TCPDUMP for Dummies

This month I received about 2 or 3 requests from my clients to educate them on tcpdump with respect to the F5. There are plenty of tcpdump how-tos (a popular one can be found here). This post follows roughly the same concept as a Dummies book, but is written more as a FAQ.
I hope you like the article.

What is TCPDUMP?
The tcpdump utility is a command line packet sniffer with many features and options. For a full description, refer to the tcpdump man pages by typing the following command:
man tcpdump


Q: What devices use TCPDUMP?
A: It is available on F5 BIG-IP devices as well as on Linux systems.
Q: How do you select an interface or VLAN?
A: The tcpdump utility is able to sniff for packets on only one interface or VLAN at a time. By default, it selects the lowest-numbered interface.
To select an interface, use the -i flag as follows:
tcpdump -i <interface>
Examples:
tcpdump -i exp1
tcpdump -i 1.10
tcpdump -i internal

Q: How do you disable name resolution?
A: By default, tcpdump attempts to look up IP addresses and print names, rather than numbers, in the output. The BIG-IP must wait for a response from the DNS server, so the lookups can be time consuming and the output may be confusing.
To disable name resolution, use the -n flag as in the following examples:
tcpdump -n
tcpdump -ni internal
Q: How do you save TCPDUMP output to a file?
A: You can save the tcpdump data in one of the following file formats:
  • A binary file that contains all the information collected by tcpdump and is readable by the tcpdump utility as well as by many other traffic analysis packages.
  • A text file that contains a subset of the full tcpdump data and is readable only as plain text.
Binary file
To save the tcpdump output to a binary file, type the following command:
tcpdump -w <filename>
For example:
tcpdump -w dump1.bin
Note: The tcpdump utility will not print data to the screen while it is capturing to a file. To stop the capture, press CTRL-C.
Text file
To save the tcpdump output to a text file, type the following command:
tcpdump > filename.txt
For example:
tcpdump > dump1.txt

Q: How do you read binary file output?
A: To read data from a binary tcpdump file (one you saved by using the tcpdump -w command), type the following command:
tcpdump -r <filename>
For example:
tcpdump -r dump1.bin
In this mode, the tcpdump utility reads stored packets from the file, but otherwise operates just as it would reading from the network interface. As a result, you can use formatting commands and filters.
Q: How do I do filtering?
A: The tcpdump utility allows you to use filters to, among other things, restrict the output to specified addresses, ports, and TCP flags.
Filtering on a host address
  • To view all packets that are traveling to or from a specific IP address, type the following command:
tcpdump host IP_ADDRESS
For example:
tcpdump host 10.90.100.1
  • To view all packets that are traveling from a specific IP address, type the following command:
tcpdump src host IP_ADDRESS
For example:
tcpdump src host 10.90.100.1
  • To view all packets that are traveling to a particular IP address, type the following command:
tcpdump dst host IP_ADDRESS
For example:
tcpdump dst host 10.90.100.1
Filtering on a port
  • To view all packets that are traveling through the BIG-IP system and are either sourced from or destined to a specific port, type the following command:
tcpdump port PORT_NUM
For example:
tcpdump port 80
  • To view all packets that are traveling through the BIG-IP system and sourced from a specific port, type the following command:
tcpdump src port PORT_NUM
For example:
tcpdump src port 80
  • To view all packets that are traveling through the BIG-IP system and destined to a specific port, type the following command:
tcpdump dst port PORT_NUM
For example:
tcpdump dst port 80
Filtering on a TCP flag
  • To view all packets that are traveling through the BIG-IP system that contain the SYN flag, type the following command:
tcpdump 'tcp[tcpflags] & (tcp-syn) != 0'
  • To view all packets that are traveling through the BIG-IP system that contain the RST flag, type the following command:
tcpdump 'tcp[tcpflags] & (tcp-rst) != 0'
Combining filters with the and operator
You can use the and operator to combine several filter conditions into one expression.
Following are some examples of useful combinations:
tcpdump host 10.90.100.1 and port 80
tcpdump src host 172.16.101.20 and dst port 80
tcpdump src host 172.16.101.20 and dst host 10.90.100.
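
The binary file written by -w and the filter expressions above can be seen working end to end without a BIG-IP or root access. The following Python script is an added example, not code from the original post or from F5: it writes a small constructed capture in the classic pcap format (the format tcpdump -w produces), reads it back the way tcpdump -r does, and implements the host, src host, dst host, port, dst port, tcp[tcpflags] and and filters as predicates over the decoded headers. All addresses, ports and timestamps are constructed sample values, the packet builder and filter helper names are the example's own, and checksums are left at zero because nothing here validates them.

```python
"""Constructed example: build a tiny capture in the pcap format that `tcpdump -w`
writes, read it back the way `tcpdump -r` does, and apply the FAQ's filters."""
import struct
from ipaddress import IPv4Address

# TCP flag bits, the values tcpdump spells tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
PCAP_MAGIC = 0xA1B2C3D4      # classic little-endian libpcap magic number
LINKTYPE_ETHERNET = 1


def build_packet(src, dst, sport, dport, flags=0, proto=6):
    """Ethernet + IPv4 + TCP (proto 6) or UDP (proto 17) header, no payload, checksums zero."""
    eth = b"\x00" * 12 + b"\x08\x00"                  # placeholder MACs, EtherType IPv4
    l4_len = 20 if proto == 6 else 8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len, 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    if proto == 6:
        # data offset 5 (20-byte header) in the high nibble of byte 12, flags in byte 13
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    return eth + ip + l4


def write_pcap(frames):
    """Serialize frames as a pcap file: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        # ts_sec, ts_usec, captured length, original length (constructed timestamps)
        out += struct.pack("<IIII", 1326700800 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield one summary dict per IPv4 frame: the fields a `tcpdump -r` line prints."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off = 24
    while off < len(data):
        _, _, caplen, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue                                    # not IPv4, skip it
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        l4 = frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", l4, 0)
        # tcp[tcpflags] in a tcpdump expression is byte 13 of the TCP header
        flags = l4[13] if proto == 6 else 0
        yield {"src": str(IPv4Address(frame[26:30])), "dst": str(IPv4Address(frame[30:34])),
               "sport": sport, "dport": dport, "proto": proto, "flags": flags}


# Filter primitives mirroring the FAQ's expressions; `both` is the `and` operator.
def host(addr):
    return lambda p: addr in (p["src"], p["dst"])

def src_host(addr):
    return lambda p: p["src"] == addr

def dst_host(addr):
    return lambda p: p["dst"] == addr

def port(num):
    # like tcpdump's `port`, matches TCP or UDP in either direction
    return lambda p: num in (p["sport"], p["dport"])

def dst_port(num):
    return lambda p: p["dport"] == num

def tcp_flag(bit):
    # equivalent of 'tcp[tcpflags] & (bit) != 0'; non-TCP packets never match
    return lambda p: p["proto"] == 6 and (p["flags"] & bit) != 0

def both(*preds):
    return lambda p: all(f(p) for f in preds)


def run_filter(pcap_bytes, predicate):
    """Apply a filter to a saved capture, like `tcpdump -r dump1.bin <expression>`."""
    return [p for p in read_pcap(pcap_bytes) if predicate(p)]


def sample_capture():
    """Constructed traffic: a handshake to a web server, a reset from a second server, a DNS query."""
    return write_pcap([
        build_packet("172.16.101.20", "10.90.100.1", 40000, 80, TCP_SYN),
        build_packet("10.90.100.1", "172.16.101.20", 80, 40000, TCP_SYN | TCP_ACK),
        build_packet("172.16.101.20", "10.90.100.1", 40000, 80, TCP_ACK),
        build_packet("10.90.100.2", "172.16.101.20", 80, 40001, TCP_RST | TCP_ACK),
        build_packet("172.16.101.20", "10.90.100.1", 53000, 53, proto=17),
    ])


if __name__ == "__main__":
    cap = sample_capture()
    for p in run_filter(cap, both(host("10.90.100.1"), port(80))):
        print(p["src"], ">", p["dst"], "flags", hex(p["flags"]))
```

Two details worth noticing when you run it: the SYN filter matches the SYN-ACK as well, because 'tcp[tcpflags] & (tcp-syn) != 0' only tests that the SYN bit is set, not that it is the only bit set; and port 53 traffic shows up under host 10.90.100.1 but never under tcp-syn or tcp-rst, because the flag tests are TCP-only while host and port match any IP protocol.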

Q: How do I combine TCPDUMP options?
A: This FAQ covers the most essential tcpdump options. In practice you will generally use several of them in combination.
Following are examples of how to combine the tcpdump options to provide the most meaningful output:
tcpdump -ni internal -w dump1.bin
tcpdump -ni internal -r dump1.bin host 10.90.100.1
tcpdump -ni exp1 host 10.90.100.1 and port 80
tcpdump -ni 1.10 src host 172.16.101.20 and dst port 80 >dump1.txt
