Understanding Tcpdump through command line

Network trace debugging is a solid way to see what happens under the hood in a network. It can help you understand how various applications interact over the network, analyze protocol information and debug the data packets that are being sent or received!

There are a number of tools we use for this purpose. In linux we use tcpdump (a native linux utility) and the wireshark tools (in windows called wireshark, and in linux known as tethereal or tshark).

note- tethereal and tshark are the same tool, and we will refer to it by either of these names

tshark or tethereal can be installed in linux using yum (yum install wireshark)^ or by downloading the package from the web and installing it manually
note^- yum is available in some distros; in others the command may vary

People often ask what the difference is between tcpdump / tethereal / tshark and wireshark. Here is some background. tcpdump is a linux utility bundled with the various linux distributions; it is quite powerful in itself, can capture packets and also helps you debug the packets in the linux terminal. There is also an organization, wireshark.org, who are experts in the network sniffing segment; they have a tool called tethereal or tshark (for linux) and a tool named wireshark (for windows). This is an advanced version of tcpdump.

OSI Protocol Stack

Let us assume you are browsing a webpage; then most likely you are using the following protocols:

  1. HTTP (Application layer)
  2. TCP (Transport layer)
  3. IP (Network layer)
  4. Ethernet (Physical layer)

In general terms it works like this: when you request some data through your browser, the browser sends an HTTP request to the server where your data is located. But an HTTP packet cannot travel to the destination server all by itself; it needs help from the lower level protocols. So the HTTP packet is handed to the TCP protocol, which encapsulates the original message (called the payload) and adds its own protocol data (called headers and trailers, which are needed for functions specific to that protocol's role, such as reliable data transfer, error correction and sequencing). TCP then forwards the packet to the IP protocol (Network layer), which does a similar thing, and then to the physical layer protocol (Ethernet, or maybe a wifi protocol), which again does a similar thing and routes your message towards the destination server.

If you want to see how the data is transported from one protocol to the next and routed to your destination, you have to capture what is traditionally called a tcp-dump or a network trace.
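To make the encapsulation described above concrete, here is an added example (not code from the original post): it builds an HTTP request, wraps it in a TCP header, then an IPv4 header (with a valid header checksum), then an Ethernet header, and finally peels the layers back off the way a dissector does. The MAC addresses, IPs, ports and request text are constructed sample values, and the TCP checksum is left at zero to keep the example short.

```python
import socket
import struct

# Constructed sample values for this example (assumptions, not taken from the page).
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP, DST_IP = "192.168.1.3", "192.168.1.2"
SRC_PORT, DST_PORT = 62858, 80
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: 192.168.1.2\r\n\r\n"

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the IPv4 header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(payload: bytes) -> list:
    """Push an application payload down the stack. Returns one (layer, bytes)
    pair per step, so you can see what each layer hands to the layer below."""
    layers = [("HTTP", payload)]

    # Transport layer: 20-byte TCP header (data offset 5, flags PSH|ACK).
    # TCP checksum left at 0 here; a real stack computes it over a pseudo-header.
    tcp_hdr = struct.pack("!HHIIBBHHH", SRC_PORT, DST_PORT, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    segment = tcp_hdr + payload
    layers.append(("TCP", segment))

    # Network layer: 20-byte IPv4 header, protocol 6 = TCP, checksum filled in afterwards.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 1, 0x4000, 64,
                         IPPROTO_TCP, 0, socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    datagram = ip_hdr + segment
    layers.append(("IP", datagram))

    # Link layer: 14-byte Ethernet header (dst MAC, src MAC, EtherType 0x0800 = IPv4).
    frame = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + datagram
    layers.append(("Ethernet", frame))
    return layers


def decapsulate(frame: bytes) -> dict:
    """Peel the headers back off in the order a dissector does, verifying the
    IPv4 header checksum on the way (a bad checksum is the first sign of a
    corrupted or hand-crafted packet)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 frames are handled in this example")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]   # header + TCP segment
    if ip_checksum(ip[:ihl]) != 0:                # a valid header sums to zero
        raise ValueError("IPv4 header checksum does not verify")
    if ip[9] != IPPROTO_TCP:
        raise ValueError("only TCP is handled in this example")
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    return {
        "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
        "sport": sport, "dport": dport, "tcp_flags": tcp[13], "ttl": ip[8],
        "payload": tcp[data_off:],
    }


def header_overhead(layers: list) -> dict:
    """Bytes each layer added on top of what it received from the layer above."""
    return {layers[i][0]: len(layers[i][1]) - len(layers[i - 1][1])
            for i in range(1, len(layers))}


if __name__ == "__main__":
    stack = encapsulate(HTTP_REQUEST)
    for name, data in stack:
        print("%-8s %4d bytes" % (name, len(data)))
    print(header_overhead(stack))
    print(decapsulate(stack[-1][1]))
```

The 54 bytes of overhead (20 TCP + 20 IPv4 + 14 Ethernet) are exactly the headers you see tcpdump and tshark decode in front of the HTTP payload; the checksum check in decapsulate is the same test that makes a dissector print "bad cksum" on a mangled packet.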

1. Tcpdump Utility

[root@localhost ~]# tcpdump -D
1.eth0
2.nflog (Linux netfilter log (NFLOG) interface)
3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
4.usbmon1 (USB bus number 1)
5.any (Pseudo-device that captures on all interfaces)
6.lo

Running a "tcpdump -D" command on a linux terminal gives you the list of network interfaces that the system has. Most likely you shall have one or more network interfaces like eth0, eth1, em0, br0, bond0, any, lo

note- lo (loopback) is a virtual interface which is set up and assigned the IP "127.0.0.1" in your machine itself, and is used to communicate between processes in the same machine using one of the networking protocols such as tcp, udp, http, snmp etc..

tcpdump command syntax

tcpdump -i <interface_id> <optional_arguments>

An Example!

tcpdump -i eth0 -w capture.pcap

This will capture all the packets on the "eth0" interface, and "-w capture.pcap" allows you to save the capture on the local disk with the name capture.pcap

note- we give the capture files the extension *.cap or *.pcap to identify them as capture files

Let’s look at some common examples of optional arguments.

Switch   Significance     Allowed values                    Example                  Interpretation
-i       Interface ID     eth0, eth1, br0, lo etc or any    -i any                   Specifies the network interface to capture on
-s       Snaplength       0–255                             -s 0                     Specifies the length of the frame to be captured (in bytes). 0 means unlimited
port     Port number      0–65535                           port 2905                Specifies to capture on a specific port
host     IP               Valid IP                          host 192.168.1.1         Specifies to capture on a specific host
-w       Writes to file   Valid path                        -w sample_capture.pcap   Specifies where to save the capture locally

2. Tshark Utility

Now that we have seen the basics of tcpdump let us explore tethereal or tshark.

note- most of these are also supported by tcpdump

  • Capturing on a host
[root@localhost ~]# tshark -i any host 192.168.1.2
0.000000 192.168.1.3 -> 192.168.1.2  TCP 56 62858 > ssh [ACK] Seq=1 Ack=1 Win=16292 Len=0
0.015702  192.168.1.2 -> 192.168.1.2  TCP 76 48950 > fodms [SYN] Seq=0 Win=65535 Len=0 MSS=65495 SACK_PERM=1
0.015711  192.168.1.2 -> 192.168.1.2  TCP 56 fodms > 48950 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
0.022716  192.168.1.2 -> 192.168.1.2  TCP 85 41393 > 7140 [PSH, ACK] Seq=1 Ack=1 Win=525 Len=17 TSval=3103350289
  • Capturing on a particular port
[root@localhost ~]# tshark -i any port 22
0.000000 192.168.1.3 -> 192.168.1.2  TCP 56 62858 > ssh [ACK] Seq=1 Ack=1 Win=15968 Len=0
0.517507  192.168.1.2 -> 192.168.1.3 SSH 204 Encrypted response packet len=148
  • Capturing on a particular host and port
[root@localhost ~]# tshark -i any host 192.168.1.2 and  port 22
0.000000 192.168.1.3 -> 192.168.1.2  TCP 56 62858 > ssh [ACK] Seq=1 Ack=1 Win=16392 Len=0
0.116029 192.168.1.3 -> 192.168.1.2  TCP 56 62858 > ssh [ACK] Seq=1 Ack=101 Win=16292 Len=0
  • Capturing on a particular host A (ip=192.168.1.2) and host B ( ip=192.168.1.4)
[root@localhost ~]# tshark -i any host 192.168.1.2 and  host 192.168.1.4
0.000000  192.168.1.2 -> 192.168.1.4  SCTP 88 HEARTBEAT 
0.000305  192.168.1.4 -> 192.168.1.2  SCTP 88 HEARTBEAT_ACK
  • Capturing on a particular host A (ip=192.168.1.2) with port=2905 and host B ( ip=192.168.1.4) with port=2905
[root@localhost ~]# tshark -i any host 192.168.1.2 and port 2905 and host 192.168.1.4 and port 2905
0.000000 192.168.1.2 -> 192.168.1.4 SCTP 88 HEARTBEAT
0.000315 192.168.1.4 -> 192.168.1.2 SCTP 88 HEARTBEAT_ACK
  • Printing timestamp for each packet
[root@localhost ~]# tshark -i any -t a
18:05:55.692945 192.168.1.3 -> 192.168.1.2 TCP 56 62858 > ssh [ACK] Seq=1 Ack=1 Win=16292 Len=0
18:05:55.695861 192.168.1.5 -> 192.168.1.2 SCTP 88 HEARTBEAT
18:05:55.695940 192.168.1.2 -> 192.168.1.5 SCTP 88 HEARTBEAT_ACK

"18:05:55.692945" is the timestamp here, in the format HH:MM:SS.milliseconds

  • Controlling the output file (Auto file rotate)
[root@localhost ~]# tshark -i any -b filesize:10000 -w capture.pcap

"-b filesize:10000" means that the capture file (capture.pcap) will be rotated to a new file once the file size reaches 10000 Kb or approximately 10 Mb.

note: sometimes, due to the big file size, it makes sense to split the files into smaller ones
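To show what the rotation actually does to the files on disk, here is an added example (not from the original post or from the tshark project): a tiny pcap writer that starts a new file, each with its own 24-byte global header, before a record would push the current file past the size limit, plus a reader that walks the records back out. The frames and timestamps are constructed, and the example assumes 1 kB = 1000 bytes; the real tool's exact unit and the way it names the rotated files are not covered here.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # little-endian pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1
KILOBYTE = 1000           # assumption for this example (the page calls 10000 kB roughly 10 MB)


def pcap_global_header(snaplen=65535):
    """24-byte file header: magic, version 2.4, tz offset, sigfigs, snaplen, link type."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)


def pcap_record(frame, ts, snaplen=65535):
    """16-byte record header plus the (possibly snaplen-truncated) frame.
    incl_len is what was stored, orig_len what was seen on the wire."""
    data = frame[:snaplen]
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(data), len(frame)) + data


def write_rotating(frames, filesize_kb, snaplen=65535, t0=1_700_000_000.0):
    """Emulate 'tshark -b filesize:N -w capture.pcap': begin a fresh file, with
    its own global header, before a record would push the current one past
    N kB. A record is never split across two files. Returns the files as bytes."""
    limit = filesize_kb * KILOBYTE
    files, current, count = [], bytearray(pcap_global_header(snaplen)), 0
    for i, frame in enumerate(frames):
        rec = pcap_record(frame, t0 + i * 0.001, snaplen)  # constructed timestamps, 1 ms apart
        if count and len(current) + len(rec) > limit:
            files.append(bytes(current))
            current, count = bytearray(pcap_global_header(snaplen)), 0
        current += rec
        count += 1
    files.append(bytes(current))
    return files


def read_pcap(data):
    """Parse one pcap file into (stored bytes, original length) pairs."""
    magic, _major, _minor, _tz, _sig, _snaplen, _link = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    records, pos = [], 24
    while pos < len(data):
        _sec, _usec, incl, orig = struct.unpack("<IIII", data[pos:pos + 16])
        records.append((data[pos + 16:pos + 16 + incl], orig))
        pos += 16 + incl
    return records


if __name__ == "__main__":
    frames = [bytes([i % 256]) * 1000 for i in range(50)]  # constructed 1000-byte frames
    parts = write_rotating(frames, filesize_kb=5)
    print(len(parts), "files;", [len(read_pcap(p)) for p in parts], "records each")
```

Two things worth noticing when you later analyze rotated captures: every file is a complete pcap on its own (so each can be opened separately with -r), and a packet captured with a small snaplen keeps its original length in the record header even though only the first snaplen bytes were stored.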

  • Capturing only based on specific protocol (Only Transport layer)
[root@localhost ~]# tshark -i any sctp
0.000000 192.168.1.5 -> 192.168.1.2 SCTP 88 HEARTBEAT
0.000094 192.168.1.2 -> 192.168.1.5 SCTP 88 HEARTBEAT_ACK
[root@localhost ~]# tshark -i any tcp
0.000000 192.168.1.3 -> 192.168.1.2 TCP 56 62858 > ssh [ACK] Seq=1 Ack=1 Win=16392 Len=0
0.112080 192.168.1.2 -> 192.168.1.2 TCP 85 41393 > 7140 [PSH, ACK] Seq=1 Ack=1 Win=525 Len=17 TSval=3104622289

note: the common Transport layer protocols are tcp, sctp & udp

  • Printing complete protocol information in terminal (requires tshark v1.8)
[root@localhost ~]# tethereal -i any -O sctp
Linux cooked capture
Internet Protocol Version 4, Src: 192.168.1.6 (192.168.1.6), Dst: 192.168.1.2 (192.168.1.2)
Stream Control Transmission Protocol, Src Port: m3ua (2905), Dst Port: m3ua (2905)
    Source port: 2905
    Destination port: 2905
    Verification tag: 0x3fa4c661
    Checksum: 0x8676b1f2 (not verified)
    HEARTBEAT chunk (Information: 36 bytes)
        Chunk type: HEARTBEAT (4)
            0... .... = Bit: Stop processing of the packet
            .0.. .... = Bit: Do not report
        Chunk flags: 0x00
        Chunk length: 40
        Heartbeat info parameter (Information: 32 bytes)
            Parameter type: Heartbeat info (0x0001)
                0... .... .... .... = Bit: Stop processing of chunk
                .0.. .... .... .... = Bit: Do not report
            Parameter length: 36
            Heartbeat information: 0000000c5b702b350001a072000100080a140a2b0003000c...

-O <protocol_names> will show you detailed data for only the specified protocols

note: you can specify multiple protocol names in a comma "," separated manner
Ex. tethereal -i any sctp -O sccp,tcap,gsm_map,gsm_sms

  • To read from an existing capture file
[root@localhost ~]# tshark -i any sctp -r capture.pcap
0.000000000 192.168.1.8 -> 192.168.1.7 SCTP 88 HEARTBEAT
0.000092622 192.168.1.7 -> 192.168.1.8 SCTP 88 HEARTBEAT_ACK
0.103038327 192.168.1.7 -> 192.168.1.9 SCTP 88 HEARTBEAT
  • To apply advanced filters
[root@localhost ~]# tshark -i any -R "ip.src == 192.168.1.7 and ip.dst == 192.168.1.8" -r capture.cap 
0.000092622  192.168.1.7 -> 192.168.1.8  SCTP 88 HEARTBEAT_ACK 
1.551766402  192.168.1.7 -> 192.168.1.8  SCTP 88 HEARTBEAT 
2.000320833  192.168.1.7 -> 192.168.1.8  SCTP 88 HEARTBEAT_ACK

'-R "<expression>"' is the switch used to apply a filter on the linux command line

note- All the advanced filters supported in wireshark (windows tool) can be applied here; the filter can be composed in wireshark (windows tool) and then applied here.
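The capture filters used throughout this page (host, port, src/dst qualifiers, and/or/not, protocol names) and the display-filter style used with -R (ip.src ==, ip.dst ==, tcp.port ==) have different semantics in one important respect: a bare "host X" or "port N" matches either end of the packet, while "ip.src ==" is directional. The following is an added example, not part of the original post and not the filter engine of tcpdump or tshark: a small recursive-descent parser that turns a subset of both grammars into a predicate and runs it over constructed packet summaries shaped like tshark's one-line output. The packet list is sample data.

```python
import re

# Constructed packet summaries shaped like tshark's one-line output:
# (protocol, src, sport, dst, dport). Sample values, not from a real capture.
PACKETS = [
    ("tcp",  "192.168.1.3", 62858, "192.168.1.2", 22),
    ("tcp",  "192.168.1.2", 22,    "192.168.1.3", 62858),
    ("sctp", "192.168.1.2", 2905,  "192.168.1.4", 2905),
    ("sctp", "192.168.1.7", 2905,  "192.168.1.8", 2905),
    ("sctp", "192.168.1.8", 2905,  "192.168.1.7", 2905),
    ("udp",  "192.168.1.5", 53,    "192.168.1.2", 40000),
]
PROTOCOLS = ("tcp", "udp", "sctp")
TOKEN = re.compile(r"\s*(\(|\)|==|[^\s()=]+)")


def field_test(direction, kind, value):
    """'host X' / 'port N' match either end unless qualified with src or dst."""
    if kind == "host":
        at_src, at_dst = (lambda p: p[1] == value), (lambda p: p[3] == value)
    else:
        at_src, at_dst = (lambda p: p[2] == value), (lambda p: p[4] == value)
    if direction == "src":
        return at_src
    if direction == "dst":
        return at_dst
    return lambda p: at_src(p) or at_dst(p)


def display_field(name, value):
    """Wireshark-style fields: ip.src/ip.dst/ip.addr and <proto>.srcport/dstport/port."""
    layer, attr = name.split(".", 1)
    if layer == "ip":
        return field_test({"src": "src", "dst": "dst", "addr": None}[attr], "host", value)
    if layer in PROTOCOLS:
        port = field_test({"srcport": "src", "dstport": "dst", "port": None}[attr], "port", int(value))
        return lambda p: p[0] == layer and port(p)
    raise ValueError("unsupported field: " + name)


class Filter:
    """Recursive-descent parser for a small subset of the BPF capture-filter and
    Wireshark display-filter grammars; builds a predicate over a packet tuple."""

    def __init__(self, expr):
        self.toks, self.pos = TOKEN.findall(expr), 0
        self.pred = self.parse_or()
        if self.pos != len(self.toks):  # leftover input, e.g. a misspelt keyword like 'adn'
            raise ValueError("unexpected token: %r" % self.toks[self.pos])

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse_or(self):                      # expr := term ('or' term)*
        left = self.parse_and()
        while self.peek() in ("or", "||"):
            self.take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self.parse_and())
        return left

    def parse_and(self):                     # term := factor ('and' factor)*
        left = self.parse_not()
        while self.peek() in ("and", "&&"):
            self.take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self.parse_not())
        return left

    def parse_not(self):                     # factor := 'not' factor | '(' expr ')' | primitive
        if self.peek() in ("not", "!"):
            self.take()
            inner = self.parse_not()
            return lambda p: not inner(p)
        if self.peek() == "(":
            self.take()
            inner = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        return self.parse_primitive()

    def parse_primitive(self):
        tok = self.take()
        direction = None
        if tok in ("src", "dst"):            # optional qualifier before host/port
            direction, tok = tok, self.take()
        if tok == "host":
            return field_test(direction, "host", self.take())
        if tok == "port":
            return field_test(direction, "port", int(self.take()))
        if tok in PROTOCOLS and direction is None:
            return lambda p: p[0] == tok
        if tok and "." in tok and self.peek() == "==":
            self.take()
            return display_field(tok, self.take())
        raise ValueError("unknown primitive: %r" % tok)


def select(expr, packets=PACKETS):
    """Return the packets that the filter expression lets through."""
    pred = Filter(expr).pred
    return [p for p in packets if pred(p)]
```

Run select("host 192.168.1.2 and port 22") and both directions of the ssh session come back, whereas select("ip.src == 192.168.1.7 and ip.dst == 192.168.1.8") returns only the one-way traffic, which is what the -R example on this page shows. A mistyped keyword (such as "adn" for "and") is a parse error, not a silently ignored word, which is the behaviour you want from a filter you rely on during an investigation.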

Thanks for reading, comments are welcome. Please reach out for anything.
