1
00:00:00,390 --> 00:00:07,020
tcpdump is a free, open-source, very common and fast packet analyzer that runs under the command line.

2
00:00:08,100 --> 00:00:13,950
It prints out a description of the contents of packets on a network interface that match the Boolean

3
00:00:13,950 --> 00:00:15,840
expression given as a parameter.

4
00:00:17,190 --> 00:00:19,860
tcpdump has a lot of filtering options.

5
00:00:20,520 --> 00:00:22,770
We'll discuss some of them in the next slide.

6
00:00:24,360 --> 00:00:29,640
It can be preferred to other packet analyzers, such as Wireshark, because it's so fast.

7
00:00:31,200 --> 00:00:35,850
It also supports one of the most common network traffic capture formats, pcap.

8
00:00:36,480 --> 00:00:41,280
You can save the result as raw ASCII text in a document as well.

9
00:00:43,040 --> 00:00:44,300
So have a look at this.

10
00:00:44,690 --> 00:00:52,910
These are some of the parameters you can use with the tcpdump command. -D or --list-interfaces prints

11
00:00:52,940 --> 00:00:59,060
the list of the network interfaces available on the system and on which tcpdump can capture packets.

12
00:01:00,060 --> 00:01:04,650
-i or --interface listens on the interface.

13
00:01:05,710 --> 00:01:12,340
If unspecified, tcpdump searches the system interface list for the lowest numbered configured interface,

14
00:01:13,150 --> 00:01:17,860
excluding loopback, which may turn out to be, for example, eth0.

15
00:01:19,590 --> 00:01:27,750
-n means do not convert addresses, that is host addresses, port numbers, et cetera, to names.

16
00:01:29,510 --> 00:01:33,320
-v produces verbose output when parsing and printing.

17
00:01:33,950 --> 00:01:41,930
The more v's, the more detailed. -w writes the raw packets to the specified file rather than parsing and printing

18
00:01:41,930 --> 00:01:42,320
them out.

19
00:01:43,450 --> 00:01:51,790
-r reads packets from the file, which was created with the -w option or by other tools that write pcap

20
00:01:51,790 --> 00:01:53,620
or pcapng files.

21
00:01:54,920 --> 00:01:56,150
-A prints

22
00:01:56,210 --> 00:01:57,460
each packet in ASCII.

23
00:01:58,900 --> 00:02:05,140
Handy for capturing web pages. When parsing and printing, in addition to printing the headers of each

24
00:02:05,140 --> 00:02:05,590
packet,

25
00:02:06,340 --> 00:02:11,020
capital -X prints the data of each packet in hex and ASCII.

26
00:02:11,990 --> 00:02:14,270
It's very handy for analyzing new protocols.

27
00:02:15,380 --> 00:02:20,630
So if you use the lowercase -x option, the data of each packet is printed in hex.

28
00:02:22,100 --> 00:02:25,850
In addition to these options, you can filter the results in several ways.

29
00:02:27,070 --> 00:02:33,370
If you would like to monitor a specific protocol such as TCP, you can use its name as the filter.

30
00:02:34,760 --> 00:02:43,010
You can capture packets to or from an endpoint residing in the network using the net filter, or use the host

31
00:02:43,010 --> 00:02:48,200
filter to see the packets of a host as the source, destination, or either one.

32
00:02:49,880 --> 00:02:59,330
Use the port filter to filter TCP or UDP packets sent to or from a specified port. Use portrange to listen

33
00:02:59,330 --> 00:03:01,330
to ports in any given range.

34
00:03:02,950 --> 00:03:09,790
Now, if you use the src option, you can see only the packets where the target system is the source

35
00:03:09,790 --> 00:03:10,420
of the packet.

36
00:03:11,050 --> 00:03:16,000
Similarly, dst is used to specify the destination system.

37
00:03:17,150 --> 00:03:23,990
So, of course, you can use more than one filter in a command and set up the relation using and and

38
00:03:24,110 --> 00:03:31,820
or as logical operators, for example, host is 1.1.1.1 and port is 80.

39
00:03:33,270 --> 00:03:41,790
Now, before running several tcpdump commands, let's examine the fields of a typical tcpdump output

40
00:03:41,790 --> 00:03:46,290
row. The row shown in the slide is a TCP packet.

41
00:03:47,720 --> 00:03:55,160
The first field is the time when the packet arrived, with the timestamp as hour, minute, second and,

42
00:03:55,160 --> 00:03:57,140
well, the fractions of a second.

43
00:03:58,800 --> 00:04:04,950
So the second field is the protocol running atop the link layer, in this case IPv4.

44
00:04:06,090 --> 00:04:12,690
Now for IP packets, the third field is the IP address or hostname of the host sending the packet,

45
00:04:12,690 --> 00:04:16,650
along with, for TCP and UDP packets, the source port.

46
00:04:17,940 --> 00:04:25,020
The packet on the slide came from port 80 of the system one seven two one six nine nine eight one

47
00:04:25,260 --> 00:04:25,890
three nine.

48
00:04:27,030 --> 00:04:33,420
Now the fourth field is the IP address or hostname of the host receiving the packet, along with, for

49
00:04:33,420 --> 00:04:35,440
TCP and UDP packets,

50
00:04:35,460 --> 00:04:40,800
the destination port. Flags are the TCP segment flags.

51
00:04:41,310 --> 00:04:45,600
The packet on the slide doesn't have any flag set other than ACK.

52
00:04:46,650 --> 00:04:49,830
ack is the acknowledgment number in the packet.

53
00:04:50,370 --> 00:04:57,510
tcpdump shows sequence and acknowledgement numbers relative to the initial sequence number by default.

54
00:04:58,670 --> 00:05:08,450
win is the source host's TCP window, and you see the options field. length is the length of the data in

55
00:05:08,450 --> 00:05:09,560
the TCP segment,

56
00:05:10,130 --> 00:05:15,080
which here is zero, so that means that no data is exchanged yet.

57
00:05:16,220 --> 00:05:17,990
So that's enough for now.

58
00:05:18,380 --> 00:05:20,600
Let's see tcpdump in action.

59
00:05:21,140 --> 00:05:22,190
Time for hands-on.
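The lecture walks through the fields of a TCP row in tcpdump's text output (timestamp, protocol, source host and port, destination host and port, flags, seq, ack, win, options, length). The following Python script is an added example, not part of the lecture or of tcpdump itself: it parses lines of that output format into those fields, expands tcpdump's single-letter flag codes, and sums the payload bytes each source host sent, which is the kind of quick triage an analyst does on saved tcpdump text when a pcap is not available. The sample lines are constructed for this example (the 10.0.0.5 and 172.16.99.81 addresses and the seq/ack/win values are made up); the function and variable names are this example's own.

```python
"""Parse tcpdump text output (TCP rows) into fields and summarise them.

Added example, not part of the lecture. Assumes tcpdump's default
line layout for TCP over IPv4, e.g.

  10:15:42.124300 IP 10.0.0.5.51234 > 172.16.99.81.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 11 ecr 22], length 0

Lines in other formats (ARP, ICMP, non-TCP) are skipped.
"""
import re
from collections import defaultdict

# Constructed sample output: a three-way handshake, an HTTP request and
# a response, plus one ARP line the parser must ignore.
SAMPLE = """\
10:15:42.123456 IP 10.0.0.5.51234 > 172.16.99.81.80: Flags [S], seq 1000, win 64240, options [mss 1460,sackOK,TS val 11 ecr 0,nop,wscale 7], length 0
10:15:42.124001 IP 172.16.99.81.80 > 10.0.0.5.51234: Flags [S.], seq 5000, ack 1001, win 65160, options [mss 1460,sackOK,TS val 22 ecr 11,nop,wscale 7], length 0
10:15:42.124300 IP 10.0.0.5.51234 > 172.16.99.81.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 11 ecr 22], length 0
10:15:42.125000 IP 10.0.0.5.51234 > 172.16.99.81.80: Flags [P.], seq 1:78, ack 1, win 502, options [nop,nop,TS val 11 ecr 22], length 77
10:15:42.130000 IP 172.16.99.81.80 > 10.0.0.5.51234: Flags [P.], seq 1:513, ack 78, win 509, options [nop,nop,TS val 23 ecr 11], length 512
10:15:43.000000 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28
"""

# One regex for the whole TCP row; seq, ack, win and options are optional
# because tcpdump omits the ones that do not apply (e.g. no seq on a pure ACK).
TCP_LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<proto>IP6?) "
    r"(?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+(?::\d+)?))?"
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?"
    r"(?:, options \[(?P<options>[^\]]*)\])?"
    r", length (?P<length>\d+)$"
)

# tcpdump's flag letters; "." stands for ACK, an empty string for no flags.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST",
              "U": "URG", "W": "CWR", "E": "ECE", ".": "ACK"}


def split_endpoint(endpoint):
    """'172.16.99.81.80' -> ('172.16.99.81', 80): the port is the last dotted part."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def expand_flags(flags):
    """Turn tcpdump's compact flag string ('S.', 'P.') into a list of names."""
    return [FLAG_NAMES.get(ch, ch) for ch in flags]


def parse_tcp_line(line):
    """Return a dict of the fields of one TCP row, or None for other lines."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    src_host, src_port = split_endpoint(m["src"])
    dst_host, dst_port = split_endpoint(m["dst"])
    return {
        "time": m["time"],
        "proto": m["proto"],
        "src_host": src_host, "src_port": src_port,
        "dst_host": dst_host, "dst_port": dst_port,
        "flags": m["flags"],
        "flag_names": expand_flags(m["flags"]),
        "seq": m["seq"],                               # '1:78' style range or None
        "ack": int(m["ack"]) if m["ack"] else None,    # relative by default
        "win": int(m["win"]) if m["win"] else None,
        "options": m["options"],
        "length": int(m["length"]),                    # TCP payload bytes
    }


def parse_lines(text):
    """Parse every TCP row in a block of tcpdump output; skip the rest."""
    records = [parse_tcp_line(ln) for ln in text.splitlines()]
    return [r for r in records if r is not None]


def bytes_by_source(records):
    """Sum payload bytes per sending host, using the length field."""
    totals = defaultdict(int)
    for r in records:
        totals[r["src_host"]] += r["length"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_lines(SAMPLE)
    for r in recs:
        print(f'{r["time"]} {r["src_host"]}:{r["src_port"]} -> '
              f'{r["dst_host"]}:{r["dst_port"]} {r["flag_names"]} len={r["length"]}')
    print(bytes_by_source(recs))
```

Run it against a saved capture with `tcpdump -nr capture.pcap > out.txt` and feed the file's text to `parse_lines`; the `-n` option matters here because, as the lecture notes, without it tcpdump resolves addresses to names and the host fields would no longer be plain IP addresses.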