UCSD - tcpdump for troubleshooting

Version 2

    tcpdump is a native Linux tool for troubleshooting IP traffic.

    The package is not installed by default on the UCSD appliance.

    It can be installed with yum (yum install tcpdump).

    (Prerequisite: the UCSD appliance must be able to resolve external DNS names and reach the internet.)

    Here is the install:

    [root@localhost tmp]# yum install tcpdump
    Loaded plugins: fastestmirror
    Determining fastest mirrors
    * addons: mirror.steadfast.net
    * base: pubmirrors.dal.corespace.com
    * extras: mirror.us.oneandone.net
    * updates: dallas.tx.mirror.xygenhosting.com
    addons                                                                                                  | 1.9 kB     00:00
    base                                                                                                    | 1.1 kB     00:00
    extras                                                                                                  | 2.1 kB     00:00
    updates                                                                                                 | 1.9 kB     00:00
    updates/primary_db                                                                                      | 518 kB     00:00
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package tcpdump.x86_64 14:3.9.4-15.el5 set to be updated
    --> Finished Dependency Resolution

    Dependencies Resolved

    ===============================================================================================================================
    Package                      Arch                        Version                              Repository                 Size
    ===============================================================================================================================
    Installing:
    tcpdump                      x86_64                      14:3.9.4-15.el5                      base                      456 k

    Transaction Summary
    ===============================================================================================================================
    Install      1 Package(s)
    Update       0 Package(s)
    Remove       0 Package(s)

    Total download size: 456 k
    Is this ok [y/N]: y
    Downloading Packages:
    tcpdump-3.9.4-15.el5.x86_64.rpm                                                                               | 456 kB     00:00
    Running rpm_check_debug
    Running Transaction Test
    Finished Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing     : tcpdump                                                                                                       1/1

    Installed:
      tcpdump.x86_64 14:3.9.4-15.el5

    Complete!

    The manual page for tcpdump can be viewed with:

         man tcpdump

    Running tcpdump with no arguments (show everything going on eth0):

    [root@localhost tmp]# tcpdump
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    18:26:12.552602 IP 172.17.32.135.ssh > 192.168.32.110.54221: P 1632689526:1632689638(112) ack 1251125419 win 151 <nop,nop,timestamp 1035954528 651295310>

    Looking for traffic from a specific host (-nn disables host and port name resolution):

    [root@localhost tmp]# tcpdump -nn src host 172.17.32.110
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    18:32:54.015905 IP 172.17.32.110.61537 > 172.17.32.111.443: P 1430747147:1430747221(74) ack 1798473513 win 256
    18:32:54.015971 IP 172.17.32.110.61537 > 172.17.32.111.443: P 74:164(90) ack 1 win 256
    18:32:54.026873 IP 172.17.32.110.61537 > 172.17.32.111.443: . ack 816 win 253
    18:32:58.882358 arp who-has 172.17.32.111 (00:25:b5:01:a0:6f) tell 172.17.32.110

    Looking for CDP packets (the filter matches the SNAP protocol ID 0x2000 at byte offset 20; -s 1500 raises the capture size so the whole frame is decoded, and -c 1 stops after one packet):

    [root@localhost tmp]# tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
    18:35:42.695736 CDPv2, ttl: 180s, checksum: 692 (unverified), length 230
      Device-ID (0x01), length: 30 bytes: 'VSM100V-1(8618679311377563319)'
      Address (0x02), length: 13 bytes: IPv4 (1) 172.17.32.6
      Port-ID (0x03), length: 5 bytes: 'mgmt0'
      Capability (0x04), length: 4 bytes: (0x00000209): Router, L2 Switch
      Version String (0x05), length: 69 bytes:
        Cisco Nexus Operating System (NX-OS) Software, Version 5.2(1)SK1(1.1)
      Platform (0x06), length: 10 bytes: 'Nexus1000V'
      AVVID trust bitmap (0x12), length: 1 byte: 0x00
      AVVID untrusted ports CoS (0x13), length: 1 byte: 0x00
      Duplex (0x0b), length: 1 byte: full
      MTU (0x11), length: 4 bytes: 1500 bytes
      System Name (0x14), length: 9 bytes: 'VSM100V-1'
      System Object ID (not decoded) (0x15), length: 14 bytes:
        0x0000:  060c 2b06 0104 0109 0c03 0103 8648
      Management Addresses (0x16), length: 13 bytes: IPv4 (1) 172.17.32.6
    1 packets captured
    4 packets received by filter
    0 packets dropped by kernel
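    To make the byte-offset filter concrete, here is an added Python example (not from the original page, the UCSD appliance, or Cisco). It builds a constructed CDPv2 frame reusing the Device-ID, Port-ID, Version String, Platform and System Name values from the capture above (source MAC and zero checksum are constructed), applies the same test as 'ether[20:2] == 0x2000', and decodes the TLVs. Decoding only the first 96 bytes shows why the default capture size truncates the CDP body and why -s 1500 is used.

```python
import struct

CDP_MCAST = bytes.fromhex("01000ccccccc")  # CDP multicast destination MAC
CISCO_OUI = bytes.fromhex("00000c")        # SNAP OUI used by Cisco
PID_CDP = 0x2000                           # SNAP protocol id for CDP

def matches_cdp_filter(frame: bytes) -> bool:
    """Same test as the BPF filter 'ether[20:2] == 0x2000': 14-byte 802.3 header,
    3-byte LLC (DSAP, SSAP, control), 3-byte SNAP OUI, then the 2-byte protocol id."""
    if len(frame) < 22:                     # too short to hold the field: no match
        return False
    return struct.unpack("!H", frame[20:22])[0] == PID_CDP

def parse_cdp(frame: bytes) -> dict:
    """Decode the CDP header and TLVs, stopping cleanly where the snaplen cut them off."""
    if len(frame) < 26:
        raise ValueError("frame too short for a CDP header")
    version, ttl, checksum = struct.unpack("!BBH", frame[22:26])
    tlvs, pos, truncated = {}, 26, False
    while pos < len(frame):
        if pos + 4 > len(frame):            # TLV header itself is cut off
            truncated = True
            break
        ttype, tlen = struct.unpack("!HH", frame[pos:pos + 4])  # tlen includes 4-byte header
        if tlen < 4 or pos + tlen > len(frame):  # malformed, or value cut off by snaplen
            truncated = True
            break
        tlvs[ttype] = frame[pos + 4:pos + tlen]
        pos += tlen
    return {"version": version, "ttl": ttl, "checksum": checksum,
            "tlvs": tlvs, "truncated": truncated}

def build_cdp_frame(tlvs: dict) -> bytes:
    """Constructed sample frame (not a real capture): 802.3 length field (not an EtherType,
    which is why ether[12:2] is not the test), LLC/SNAP, then CDPv2 with TTL 180s."""
    body = b"".join(struct.pack("!HH", t, len(v) + 4) + v for t, v in tlvs.items())
    cdp = struct.pack("!BBH", 2, 180, 0) + body          # version 2, TTL 180, checksum 0
    llc_snap = bytes([0xAA, 0xAA, 0x03]) + CISCO_OUI + struct.pack("!H", PID_CDP)
    src_mac = bytes.fromhex("020000000001")              # constructed locally administered MAC
    return CDP_MCAST + src_mac + struct.pack("!H", len(llc_snap) + len(cdp)) + llc_snap + cdp

# TLV values copied from the capture above: Device-ID, Port-ID, Version String, Platform, System Name
SAMPLE_TLVS = {
    0x01: b"VSM100V-1(8618679311377563319)",
    0x03: b"mgmt0",
    0x05: b"Cisco Nexus Operating System (NX-OS) Software, Version 5.2(1)SK1(1.1)",
    0x06: b"Nexus1000V",
    0x14: b"VSM100V-1",
}
SAMPLE_FRAME = build_cdp_frame(SAMPLE_TLVS)   # 169 bytes, longer than the default 96-byte snaplen
```

    With the default 96-byte capture size the filter still matches, but parse_cdp(SAMPLE_FRAME[:96]) only recovers the Device-ID and Port-ID TLVs and reports truncated=True.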

    Looking for traffic from a specific source host and TCP port:

    tcpdump -nn src host 1.2.3.4 and 'tcp port 3389'