tcpdump mailing list archives

Re: using TCPDump


From: "Antonio I." <cocoadeveloper () netscape net>
Date: Sun, 05 Jan 2003 13:57:41 -0500

Sorry for not answering before, I had some family outings. Richard, thanks a lot. The -s 0 works beautifully. Recently I have been doing dumps on my network card and another computer's in my network. One thing I noted though, to my dismay, is that I only get packets which are being interchanged by the two computers but no packets going to or coming from other computers. A clear example, I do a tcpdump on the other machine's network card, and ( in order to avoid unnecessary network traffic with ssh) I access a web site from it directly. I do not see any of the packets I should be seeing, actually nothing at all. I am calling tcpdump through:

tcpdump -s 0 -X -i en0 ether src 00:03:93:09:dd:62 (This is the other machine's MAC address)

I also tried:

tcpdump -s 0 -X -i en0 ip host 192.168.2.5

As a last attempt I tried dumping data going to the router ( this is a small network ), but it was still the same. Actually I could only see packets coming to or going from MY network card. Am I making the tcpdump call correctly? Also, is it possible at all, to make a dump of a machine outside of the network? I know the router would need to be in promiscuous mode, but there is no option for that on my little SMC. Is there a way to bypass this promiscuity of the router? Thanks a lot to both Richard and Guy.
Tony

rsharpe () richardsharpe com wrote:

On Wed, 1 Jan 2003, Antonio I. wrote:

I found this website on the net: http://www.robertgraham.com/pubs/sniffing-faq.html Take a look at it. Go to section 5.1 and look at one of the example packets. Well, the author mentions that packets may be as large as 1500 bytes or more. Although the data of the packet displayed there is not 1500 bytes long, it does contain many more things that I am not seeing in my dumps, including the http data. One thing I noticed was that the beginning of his packet was very similar to what I get. Then I thought that maybe the method I am using to dump is only giving me the first part of the packet data, maybe only the tcp and ip header information (I'm guessing here). Well I assume that our method of dumping: tcpdump -X -i en0 is not giving us the whole thing. Is there a way to get the rest of the data from the packet using tcpdump? I sent an email to the author of the paper asking the same question. I doubt I will get an answer because it seems he wrote this paper back in 2000, so he may not keep track of his messages.


Have a look at the man pages. By default, tcpdump captures about 68 bytes of each frame. You want:

 tcpdump -s <some-larger-frame-size> ...

It's all in the man pages.

gharris () sonic net wrote:

On Mon, Dec 30, 2002 at 09:07:23PM -0500, Antonio I. wrote:

I think we are moving forward. The output from putting -X is quite peculiar. I see data, just plain data, but I don't see a way to interpret it. Let me give you an example of what I get on my terminal:

20:41:02.760587 205.188.7.140.5190 > 192.168.2.8.49682: . ack 1 win 16384 (DF)
0x0000   4500 0028 dd37 4000 2b06 da9f cdbc 078c        E..(.7@.+.......
0x0010   c0a8 0208 1446 c212 6932 51e8 a91e 4860        .....F..i2Q...H`
0x0020   5010 4000 54e9 0000 0000 0000 0000 4944        P.@.T.........ID
0x0030   0057                                           .W

Well, the "45" is the first byte of the IP header.  To see a way to
interpret it, and the rest of the IP header, read RFC 791.

You're assuming here that there's more ASCII in network traffic than
there really is.  In, for example, an Ethernet packet containing an HTTP
reply, there is an Ethernet header (not normally shown by "-X"), an IP
header, a TCP header, and then, *after* the IP and TCP header, the HTTP
reply header and data.

The HTTP reply header is ASCII, and, *IF* the stuff being fetched over
HTTP is text (e.g., HTML text), the HTTP reply data is ASCII as well.

Ok, so then let me ask you this, is it possible at all to obtain html data from a tcpdump?

Yes, but that packet isn't a packet containing any HTML data.  It's a
TCP acknowledgment with no data in it.  Read RFC 793 to understand
what's in a TCP packet.

Furthermore, tcpdump won't extract *just* the HTML data; it's not an
HTML-data-extraction program, it's a network traffic analysis program.


-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
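The header layout Guy points to (RFC 791 for IP, RFC 793 for TCP) can be checked against the hex dump quoted above. The following Python is an added example, not code from the thread or from tcpdump: it decodes a copy of that dump (ASCII column omitted) into the fields tcpdump printed on the summary line and shows that the segment carries no data, with the bytes past the IP total length set aside as a link-layer trailer.

```python
import struct
from ipaddress import IPv4Address

# Constructed copy of the "tcpdump -X" dump quoted in the thread (hex columns only;
# tcpdump has already stripped the Ethernet header, so byte 0 is the IP header).
HEXDUMP = """\
0x0000   4500 0028 dd37 4000 2b06 da9f cdbc 078c
0x0010   c0a8 0208 1446 c212 6932 51e8 a91e 4860
0x0020   5010 4000 54e9 0000 0000 0000 0000 4944
0x0030   0057"""

TCP_FLAGS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))


def hexdump_to_bytes(dump):
    """Join the 16-bit hex groups of each line (dropping the 0xNNNN offset) into raw bytes."""
    return b"".join(bytes.fromhex(g) for line in dump.splitlines() for g in line.split()[1:])


def parse_ipv4(pkt):
    """Decode the fixed IPv4 header (RFC 791); bytes beyond total_length are not IP."""
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(pkt):
        raise ValueError("not a sane IPv4 header")
    return {"ihl": ihl, "total_length": total_len, "id": ident,
            "df": bool(flags_frag & 0x4000), "ttl": ttl, "protocol": proto,
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "payload": pkt[ihl:total_len],      # what the transport layer sees
            "trailer": pkt[total_len:]}         # padding/trailer, not packet data


def parse_tcp(seg):
    """Decode the fixed TCP header (RFC 793); data starts after the data offset."""
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", seg[:20])
    doff = (off_flags >> 12) * 4
    flags = [name for name, bit in TCP_FLAGS if off_flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": win, "data": seg[doff:]}


def decode(dump):
    """Return (ip_fields, tcp_fields_or_None) for one tcpdump -X hex dump."""
    ip = parse_ipv4(hexdump_to_bytes(dump))
    tcp = parse_tcp(ip["payload"]) if ip["protocol"] == 6 else None
    return ip, tcp
```

Run `decode(HEXDUMP)` and the result matches the summary line: 205.188.7.140 port 5190 to 192.168.2.8 port 49682, flags ACK only, window 16384, DF set, and an empty TCP data field, which is why no HTML can be found in this packet.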
