January 20, 2019

Stumbling and Sniffing Wireless Networks in Linux, Part 2 - page 2

Stumbling (and Managing) with KwiFiManager

  • October 26, 2009
  • By Eric Geier

One of the most common packet sniffers is tcpdump, a command-line tool for Linux (and other Unix-like systems) that uses the popular libpcap library for the actual packet capture. Tcpdump shows you the header information of each packet and, optionally, its contents. As you see in Figure 3, it prints one line per packet with details such as the protocol, the packet size and the source and destination IP addresses and ports. If you're a command-line enthusiast, tcpdump is a great choice for inspecting network traffic, and because it has no GUI it is also the tool you can run over SSH on a remote box or an embedded device.


Figure 3: An example of the packet details tcpdump shows you.

If you want to use tcpdump, install it (and libpcap, which it depends on) from your distribution's package manager. Then open a terminal window and type tcpdump. You'll almost certainly have to run it as root, or via sudo, because capturing requires raw access to the network interface. For the full list of options, type man tcpdump to view its manual. Here we'll review the most useful ones.

Here are a few options you can use for more features and functionality:

  • -i interface: Specifies the interface (eth0, wlan0, ath0, etc.) to listen on. If you aren't sure which interface is which, run tcpdump -D to list the interfaces it can capture on, or check your desktop's networking status tools. Note that on a wireless interface in normal (managed) mode you see only your own station's traffic, presented as Ethernet-style frames; to see raw 802.11 frames from other stations and APs, the interface has to be in monitor mode (newer tcpdump versions can switch it with -I).
  • -n: Don't replace IP addresses with hostnames. Besides being faster, this stops tcpdump from sending reverse-DNS queries that reveal which hosts you are looking at.
  • -nn: Don't resolve hostnames or port and protocol names either.
  • -s number: Sets the snapshot length, the maximum number of bytes captured from each packet. Anything beyond it is discarded at capture time, so it is missing from the display and from any file written with -w. Older releases defaulted to 68 bytes, which is enough for the headers but not the payload; current releases default to capturing whole packets. You can either set an exact amount or use 0, which captures entire packets on any version.
  • -S: Prints absolute rather than relative TCP sequence numbers, so you can match packets against what the endpoints themselves report and better spot some problems.
  • -v, -vv, and -vvv: Each step increases the amount of information printed with each packet. -v adds the TTL, identification, total length and options of the IP header (and checks the IP and ICMP header checksums); -vv fully decodes SMB packets and adds detail to NFS replies; -vvv prints telnet options in full.
  • -x: Displays the packet contents (minus the link-layer header) in hex.
  • -X: Prints the packet contents in hex and ASCII side by side, which is the handiest form for eyeballing cleartext payloads. (-A prints ASCII only.)

To summarize, here are a few option combinations you might want to use:

  • Basic packet information, dropping any host and port names, and using the real sequence numbers: tcpdump -nnS
  • More packet information without resolution of host and port names: tcpdump -nnvvS
  • Complete header information plus the packet contents, which may be truncated at the default snapshot length: tcpdump -nnvvvXS
  • More packet information showing complete packet contents: tcpdump -nnvvXS -s 0

If you don't need to see all the network traffic, use filter expressions to restrict what is captured and printed. An expression is built from qualifiers of three kinds: type, dir (direction), and proto (protocol).

For the type, you can use host, net, or port (and portrange). For dir, you can filter for src (source) only, dst (destination) only, src or dst (the default), and src and dst. To filter by proto, use the protocol name that libpcap knows, such as ip, ip6, arp, tcp, udp, or icmp. Application protocols such as DHCP, DNS, FTP, or HTTP are not protocol qualifiers; tcpdump doesn't inspect the payload to find them, so you filter for them by their well-known ports instead (port 53 for DNS, port 80 for HTTP, port 67 or port 68 for DHCP).

Here are a few examples of filtering, which build on the options we covered above:

  • See only traffic involving a particular computer or host, in either direction: tcpdump host 192.168.181
  • Display only traffic sent to a particular computer: tcpdump dst 192.168.181
  • Print only ICMP traffic, which is where most network error messages travel: tcpdump icmp
  • To use more than one expression at a time, combine them with and, or, and not, grouping with parentheses where needed. Quote the whole expression so the shell doesn't interpret the parentheses. For example, to see the DHCP traffic involving a single computer: tcpdump 'host 192.168.181 and (port 67 or port 68)'
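The option combinations and filter examples above are easiest to appreciate with real output in front of you. As an added example, not part of the original article, the following Python script parses the one-line-per-packet summaries that tcpdump -nnS prints, reimplements the host, src, dst, port and proto qualifiers in Python so you can compare them with the tcpdump expressions, and then runs a simple SYN-scan detector over the packets. The capture lines it works on are constructed for the example (private RFC 1918 addresses, invented sequence numbers); it assumes -nn output without -v (with -v tcpdump prefixes the IP header fields in parentheses, which this parser does not handle) and understands IPv4 TCP, UDP and ICMP lines only.

```python
"""Parse `tcpdump -nnS` summary lines and flag SYN-scan behaviour.

Added example, not from the original article. The SAMPLE capture below is
constructed; it mimics the -nn output format but was not recorded anywhere.
"""
import re
from collections import defaultdict

# With -nn, TCP and UDP summaries read: "HH:MM:SS.ffffff IP a.b.c.d.sport > e.f.g.h.dport: rest"
PORTED_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
# ICMP has no ports: "HH:MM:SS.ffffff IP a.b.c.d > e.f.g.h: ICMP echo request, ..."
ICMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}): ICMP (?P<rest>.*)$"
)
# TCP summaries always begin with the flag list, e.g. "Flags [S]", "Flags [S.]", "Flags [R.]".
FLAGS_RE = re.compile(r"^Flags \[(?P<flags>[^\]]*)\]")


def parse_line(line):
    """Return a dict for one tcpdump -nn line, or None for lines we don't understand."""
    line = line.strip()
    m = PORTED_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        fm = FLAGS_RE.match(rec["rest"])
        rec["flags"] = fm.group("flags") if fm else None
        rec["proto"] = "tcp" if fm else "udp"  # only TCP lines carry a Flags field
        return rec
    m = ICMP_RE.match(line)
    if m:
        rec = m.groupdict()
        rec.update(sport=None, dport=None, flags=None, proto="icmp")
        return rec
    return None


def records_from(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def matches(rec, host=None, src=None, dst=None, port=None, proto=None):
    """Python equivalents of the tcpdump qualifiers: host/port match either end,
    src/dst one end, proto the IP-level protocol name (tcp, udp, icmp)."""
    if host is not None and host not in (rec["src"], rec["dst"]):
        return False
    if src is not None and rec["src"] != src:
        return False
    if dst is not None and rec["dst"] != dst:
        return False
    if port is not None and port not in (rec["sport"], rec["dport"]):
        return False
    if proto is not None and rec["proto"] != proto:
        return False
    return True


def syn_scan_report(records, min_ports=4):
    """Group bare SYNs (Flags [S]) by (scanner, target) and count distinct target ports.
    A real client opens one or two ports; a scanner walks many. RST/ACK replies
    (Flags [R.]) coming back from the target mark the probed ports that were closed."""
    syn_ports = defaultdict(set)
    rst_ports = defaultdict(set)
    for r in records:
        if r["proto"] != "tcp":
            continue
        if r["flags"] == "S":
            syn_ports[(r["src"], r["dst"])].add(r["dport"])
        elif r["flags"] == "R.":
            # the reply travels target -> scanner, so key it on the scanner -> target pair
            rst_ports[(r["dst"], r["src"])].add(r["sport"])
    report = {}
    for pair, ports in syn_ports.items():
        if len(ports) >= min_ports:
            report[pair] = {"probed": sorted(ports), "closed": sorted(rst_ports.get(pair, set()))}
    return report


# Constructed sample: 10.0.0.5 half-open scans six ports on 192.168.1.10 (21, 23 and 25
# answer RST/ACK, i.e. closed), 10.0.0.7 completes a normal handshake to port 80,
# then sends a DNS query and a ping.
SAMPLE = """\
14:02:11.000101 IP 10.0.0.5.40001 > 192.168.1.10.21: Flags [S], seq 1000000001, win 1024, length 0
14:02:11.000230 IP 192.168.1.10.21 > 10.0.0.5.40001: Flags [R.], seq 0, ack 1000000002, win 0, length 0
14:02:11.000305 IP 10.0.0.5.40002 > 192.168.1.10.22: Flags [S], seq 1000000002, win 1024, length 0
14:02:11.000441 IP 192.168.1.10.22 > 10.0.0.5.40002: Flags [S.], seq 2000000001, ack 1000000003, win 29200, options [mss 1460], length 0
14:02:11.000502 IP 10.0.0.5.40003 > 192.168.1.10.23: Flags [S], seq 1000000003, win 1024, length 0
14:02:11.000633 IP 192.168.1.10.23 > 10.0.0.5.40003: Flags [R.], seq 0, ack 1000000004, win 0, length 0
14:02:11.000704 IP 10.0.0.5.40004 > 192.168.1.10.25: Flags [S], seq 1000000004, win 1024, length 0
14:02:11.000820 IP 192.168.1.10.25 > 10.0.0.5.40004: Flags [R.], seq 0, ack 1000000005, win 0, length 0
14:02:11.000911 IP 10.0.0.5.40005 > 192.168.1.10.80: Flags [S], seq 1000000005, win 1024, length 0
14:02:11.001040 IP 192.168.1.10.80 > 10.0.0.5.40005: Flags [S.], seq 2000000002, ack 1000000006, win 29200, options [mss 1460], length 0
14:02:11.001102 IP 10.0.0.5.40006 > 192.168.1.10.443: Flags [S], seq 1000000006, win 1024, length 0
14:02:11.001237 IP 192.168.1.10.443 > 10.0.0.5.40006: Flags [S.], seq 2000000003, ack 1000000007, win 29200, options [mss 1460], length 0
14:02:12.500010 IP 10.0.0.7.51234 > 192.168.1.10.80: Flags [S], seq 3000000001, win 64240, options [mss 1460,sackOK,wscale 7], length 0
14:02:12.500180 IP 192.168.1.10.80 > 10.0.0.7.51234: Flags [S.], seq 4000000001, ack 3000000002, win 29200, options [mss 1460,sackOK,wscale 7], length 0
14:02:12.500201 IP 10.0.0.7.51234 > 192.168.1.10.80: Flags [.], ack 4000000002, win 502, length 0
14:02:13.100000 IP 10.0.0.7.53124 > 192.168.1.1.53: 12345+ A? example.com. (29)
14:02:14.000000 IP 10.0.0.7 > 192.168.1.10: ICMP echo request, id 1, seq 1, length 64
"""

RECORDS = records_from(SAMPLE)

if __name__ == "__main__":
    print("lines parsed:", len(RECORDS))
    print("packets to 192.168.1.10:", sum(matches(r, dst="192.168.1.10") for r in RECORDS))
    for (scanner, target), info in syn_scan_report(RECORDS).items():
        print(f"possible SYN scan {scanner} -> {target}: probed {info['probed']}, closed {info['closed']}")
```

To run it against a live capture, pipe tcpdump into it instead of using SAMPLE, for example tcpdump -nnS -i eth0 tcp | python3 this_script.py with a loop over sys.stdin in place of RECORDS. Note that the tcpdump filter does the cheap work in the kernel (BPF drops packets before they are copied to user space), so keep the tcpdump expression as narrow as you can and leave only the stateful logic, such as the per-source port count here, to the script.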

Stay tuned--in the next part, we'll do some sniffing with a GUI-based utility, Wireshark. Plus we'll discover open source solutions for tracking down rogue APs and providing intrusion detection.

Eric Geier is an author of many computing and networking books, including Home Networking All-in-One Desk Reference For Dummies (Wiley 2008) and 100 Things You Need to Know about Microsoft Windows Vista (Que 2007).
