How to use TCPDump.

TCPDump is a network packet analyser; it is available for download from tcpdump.org.

Below are instructions detailing:

How to build TCPDump

How to install TCPDump under Linux Mandrake

How to use TCPDump

How to use TCPDump to monitor IGMP

How to use TCPDump to monitor RTP and RTCP

How to use TCPDump to monitor IPv6 Traffic

Further information on using TCPDump can be obtained from the man page.


How to build TCPDump

TCPDump requires libpcap to be installed; building libpcap may require bison and flex. These packages are available from a variety of sources.

To build libpcap, untar the source package, enter the directory and execute the following commands

./configure
(errors at this stage may indicate that flex/bison are not in your path)

make

make install

Flex and bison are both built in exactly the same way. You must then ensure that they are in your path before building libpcap.

To build tcpdump, untar the source package, enter the directory and execute the following commands

./configure

make

make install

Following the steps above should leave you with a tcpdump binary in /usr/local/sbin; you will need root permissions to use it to capture from a network interface.


How to install TCPDump under Linux Mandrake

The recommended way is to install the libpcap and tcpdump RPMs, as building a working TCPDump binary from source under Mandrake is difficult! The RPMs are available through the Mandrake "software centre" or from the software archive.

To configure the software centre to download RPMs from an ftp site, the following steps need to be completed.

Open the software centre Configuration > Packaging > Software Centre

Select Define Sources

Select FTP source from pull down menu

Enter the name of the source (e.g. Mirror.ac.uk)

Enter the URL of the source (e.g. ftp://ftp.mirror.ac.uk/sites/sunsite.uio.no/pub/unix/Linux/Mandrake/Mandrake/8.2/i586/Mandrake/RPMS)

Enter the path to the hdlist.cz file (e.g. ../base/hdlist.cz)

Enter your ftp username and password or leave blank for anonymous ftp.

You can search or browse the package list for the desired packages. The software manager will automatically download and install the packages you select.

To install the RPMs from the command line, execute the following command for each package

rpm -i <filename>


How to use TCPDump

TCPDump has a wide range of features and can be used in a number of ways. This section gives a brief introduction to the basic features of TCPDump.

TCPDump can be used to capture some or all packets received by a network interface. The range of packets captured can be specified using a combination of logical operators and parameters such as source and destination MAC or IP addresses, protocol types (IP and ethernet) and TCP/UDP port numbers. The range of options is rather large!! See the man page for your version of TCPDump to see what it supports.

The packets captured can either be written to a file as raw data for later processing by tcpdump, or directed to standard output where they can be displayed or processed using other tools and scripts. Data written to a file can later be read back by TCPDump and directed to standard output.

It is quite common to use TCPDump to write a range of packets to a file and then read the packets required from this file; this allows the dataset to be examined repeatedly while an expression is refined to extract exactly the packets required. It's quite frustrating when you realise that you've only captured 98% of what you wanted; it's far better to capture 120% and then filter!

TCPDump output has the following format.

For UDP datagrams

15:22:41.400299 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp 110

Timestamp 15:22:41.400299
Source address orac.erg.abdn.ac.uk
Source port 1052
Destination address 224.2.156.220
Destination port 57392
Protocol udp
Size 110

For TCP segments

16:23:01.079553 churchward.erg.abdn.ac.uk.33635 > gordon.erg.abdn.ac.uk.32772: P 12765:12925(160) ack 19829 win 24820 (DF)

Timestamp 16:23:01.079553
Source address churchward.erg.abdn.ac.uk
Source port 33635
Destination address gordon.erg.abdn.ac.uk
Destination port 32772
Indicates that the PUSH flag is set P
Sequence number (also start byte) 12765:
Contained data bytes from the sequence number up to but not including 12925
Number of user data bytes in the segment (160)
Details of acknowledgements, window size and header flags ack 19829 win 24820 (DF)

Analysing TCP headers with TCPDump is not discussed here; however, this is a well-researched area and Google is a good starting point.
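The page suggests directing output to standard output for processing by other tools. The following is an added example, not part of the original page: a small awk-based parser for the UDP and TCP line formats described above, which splits each line into fixed columns and then summarises packets per source host and protocol. The sample lines are constructed from the page's own output (the second UDP line is made up to give a second packet).

```shell
#!/bin/sh
# Parse the default tcpdump line format for UDP and TCP packets into fixed columns.
# Added example; the sample lines below are constructed from the page's own output.

sample_lines() {
    cat <<'EOF'
15:22:41.400299 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp 110
15:22:41.612870 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp 597
16:23:01.079553 churchward.erg.abdn.ac.uk.33635 > gordon.erg.abdn.ac.uk.32772: P 12765:12925(160) ack 19829 win 24820 (DF)
EOF
}

# Reads tcpdump lines on stdin and prints:
#   timestamp src_host src_port dst_host dst_port proto detail
tcpdump_fields() {
    awk '
    # "host.port": the port is everything after the last dot, the host is the rest.
    function ep_port(ep,    n, p) { n = split(ep, p, "[.]"); return p[n] }
    function ep_host(ep,    port) {
        port = ep_port(ep)
        return substr(ep, 1, length(ep) - length(port) - 1)
    }
    $3 == ">" {
        dst = $4; sub(/:$/, "", dst)                  # drop the colon after the destination
        if ($5 == "udp") {
            proto = "udp"; detail = $6                # UDP lines end with the payload size
        } else {
            proto = "tcp"; detail = $5                # TCP lines: flags, seq range, ack, win, ...
            for (i = 6; i <= NF; i++) detail = detail " " $i
        }
        print $1, ep_host($2), ep_port($2), ep_host(dst), ep_port(dst), proto, detail
    }'
}

# Packet count per (source host, protocol), sorted for stable output.
by_source() {
    tcpdump_fields | awk '{ n[$2 " " $6]++ } END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

sample_lines | tcpdump_fields
sample_lines | by_source
```

The host/port split is done at the last dot because host names and dotted IPv4 addresses both contain dots; a real capture would be piped in as tcpdump -l <expression> | by_source, with -l making tcpdump line-buffer its output.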

To get tcpdump to display more information about each packet use the verbose output mode

tcpdump -v <expression>

tcpdump -vv <expression>

tcpdump -vvv <expression>

Time Stamps

TCPDump adds timestamps to packets by default; the timestamp has the format hours:minutes:seconds.microseconds

15:22:41.400299 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp 110

The following switches alter the timestamp format.

-t suppresses the timestamp output

orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp 597

-tt gives an unformatted timestamp: the number of seconds since the epoch (the OS clock's zero point)

1029507868.335134 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp 520

-ttt gives the interval, in microseconds, between the packet received and the previous packet

358020 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp 586
328704 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp 893
391361 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp 491

Source and Destination addresses and Ports

To capture packets to or from particular groups or hosts a range of expressions can be used; here are some examples.

To capture all traffic with host churchward as source or destination address

tcpdump host churchward

To capture all traffic with TCP or UDP source or destination port 53

tcpdump port 53

To capture all traffic with the source address churchward

tcpdump src host churchward

To capture all traffic with destination TCP or UDP port 53

tcpdump dst port 53

To capture all TCP traffic with the source address churchward

tcpdump tcp src host churchward

To capture all traffic with destination UDP port 53

tcpdump udp dst port 53

There is a huge range of options available; the examples above are intended to give an introduction to the structure and syntax. See the man page for your release for full details of the supported options.

Logical Operators

Expressions can be combined using AND and OR with the additional use of NOT.

To capture all traffic with the source address churchward AND with the destination udp port 53

tcpdump src host churchward and udp dst port 53

To capture all traffic with the destination address 224.2.127.254 OR with the destination address 239.255.255.255

tcpdump dst 224.2.127.254 or dst 239.255.255.255

To capture all traffic with the destination address 224.2.127.254 NOT with the source address 139.133.204.110

tcpdump dst 224.2.127.254 and not src 139.133.204.110

Writing to and Reading from file

To write raw packets to a file for later processing, the syntax is as follows

tcpdump -w <filename>

This can be combined with an expression to write only some packets to the file.

tcpdump -w dns-file udp dst port 53

This would write all UDP packets sent to destination port 53 to the file.

To read packets from a dump file

tcpdump -r <filename>

This can be combined with an expression to read only some packets from the file.

tcpdump -r dns-file src host churchward and udp

This would read any UDP packets sent by host churchward from the file.


How to use TCPDump to monitor IGMP messages

TCPDump can be used to capture all IGMP packets seen by the network interface using the following syntax

tcpdump ip proto 2
(captures all packets with IP protocol number 2, which is IGMP)

This can be combined with the syntax above to adjust timestamps, monitor specific hosts or groups and write raw packets to file.

To monitor IGMP membership queries and responses sent to the group 224.2.127.254

tcpdump ip proto 2 and dst 224.2.127.254

17:03:27.080329 churchward.erg.abdn.ac.uk > SAP.MCAST.NET: igmp v2 report SAP.MCAST.NET [ttl 1]


How to use TCPDump to monitor RTP and RTCP traffic

TCPDump contains options to decode RTP traffic; this presents the output in a form that is easily manipulated using tools such as awk or perl scripts.

RTP and RTCP packets each contain a number of important fields. This section details these fields and illustrates how to use TCPDump to capture them.

RTP data should always be transmitted on an even-numbered port; the RTCP stream relating to that data is always transmitted on the data port number + 1.

RTP traffic

To capture RTP headers the following syntax is required.

tcpdump -T rtp -vvv <expression>

RTP headers contain these "interesting" fields.

Timestamp 18:00:56.156473

Source Address orac.erg.abdn.ac.uk

Source Port 1052

Destination Address 224.2.156.220

Destination Port 57392

Protocol udp/rtp

RTP Payload size (B) 741

RTP Media type c31

RTP Header "Marker" field ("*" = set, " " = not set) *

RTP Sequence number 50140

RTP Timestamp 2686364689

Synchronization Source (SSRC) Identifier 489542890

Field displayed for H.261 video only: the first 16 bits of the 32-bit H.261 payload header 0x1200

TTL ttl 127

IP Header identifier id 22854

Length of the IP Datagram (B) len 781

You also need to specify carefully which packets you wish to capture; in the example below we capture based on source address and destination port.

tcpdump -T rtp -vvv src orac and dst port 57392

18:00:56.156473 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 741 c31 * 50140 2686364689 489542890 0x1200 (ttl 127, id 22854, len 781)
18:00:56.473889 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 321 c31 * 50141 2686393485 489542890 0x0e00 (ttl 127, id 22855, len 361)
18:00:56.915274 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 585 c31 * 50142 2686433084 489542890 0x0600 (ttl 127, id 22856, len 625)
18:00:57.236431 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 707 c31 * 50143 2686461872 489542890 0x1600 (ttl 127, id 22857, len 747)
18:00:57.432472 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 457 c31 * 50144 2686479874 489542890 0x1e00 (ttl 127, id 22858, len 497)
18:00:57.754166 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 570 c31 * 50145 2686508679 489542890 0x1e00 (ttl 127, id 22859, len 610)
18:00:58.157492 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 689 c31 * 50146 2686544679 489542890 0x1600 (ttl 127, id 22860, len 729)
18:00:58.510588 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 569 c31 * 50147 2686577061 489542890 0x0e00 (ttl 127, id 22861, len 609)
18:00:58.676815 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 594 c31 * 50148 2686591457 489542890 0x1e00 (ttl 127, id 22862, len 634)
18:00:58.999954 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 539 c31 * 50149 2686620273 489542890 0x0600 (ttl 127, id 22864, len 579)
18:00:59.368993 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 1024 c31 * 50150 2686652683 489542890 0x0a00 (ttl 127, id 22865, len 1064)
18:00:59.768796 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 988 c31 50151 2686688705 489542890 0x1e00 (ttl 127, id 22866, len 1028)
18:00:59.829548 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 178 c31 * 50152 2686688705 489542890 0x3e87 (ttl 127, id 22867, len 218)
18:01:00.092032 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 1006 c31 * 50153 2686717509 489542890 0x1200 (ttl 127, id 22868, len 1046)
18:01:00.491389 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 1008 c31 * 50154 2686753461 489542890 0x1600 (ttl 127, id 22869, len 1048)

This can be combined with the options above to alter the timestamp format and to write raw packets to file.
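One thing the decoded output above makes easy to check is whether RTP sequence numbers are continuous, i.e. whether the capture point is seeing every packet of the stream. The following is an added example, not part of the original page; the sample lines are constructed to match the page's RTP output format, with sequence number 50142 deliberately missing and packet 50144 deliberately sent without the marker bit, since an unset marker shifts every later column one place to the left.

```shell
#!/bin/sh
# Check RTP sequence continuity in "tcpdump -T rtp" output.
# Added example (not from the page): the sample is constructed to match the page's
# RTP line format; 50142 is deliberately missing and 50144 deliberately has no marker.

sample_rtp() {
    cat <<'EOF'
18:00:56.156473 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 741 c31 * 50140 2686364689 489542890 0x1200 (ttl 127, id 22854, len 781)
18:00:56.473889 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 321 c31 * 50141 2686393485 489542890 0x0e00 (ttl 127, id 22855, len 361)
18:00:57.236431 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 707 c31 * 50143 2686461872 489542890 0x1600 (ttl 127, id 22857, len 747)
18:00:59.768796 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 988 c31 50144 2686688705 489542890 0x1e00 (ttl 127, id 22866, len 1028)
18:00:59.829548 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp/rtp 178 c31 * 50145 2686688705 489542890 0x3e87 (ttl 127, id 22867, len 218)
EOF
}

# Reads RTP lines on stdin and prints, per SSRC:
#   ssrc first_seq last_seq seen lost reordered marked
rtp_seq_check() {
    awk '
    $5 == "udp/rtp" {
        # The marker column is "*" when the bit is set and is omitted when it is not,
        # so on unmarked packets the sequence number, timestamp and SSRC move left.
        if ($8 == "*") { m = 1; seq = $9 + 0; ssrc = $11 }
        else           { m = 0; seq = $8 + 0; ssrc = $10 }
        if (!(ssrc in seen)) {
            first[ssrc] = seq; last[ssrc] = seq
            seen[ssrc] = 0; lost[ssrc] = 0; reord[ssrc] = 0; marked[ssrc] = 0
        } else if (seq == last[ssrc] + 1) {
            last[ssrc] = seq                          # the expected next packet
        } else if (seq > last[ssrc] + 1) {
            lost[ssrc] += seq - last[ssrc] - 1        # gap: packets never seen here
            last[ssrc] = seq
        } else {
            reord[ssrc]++                             # late or duplicate packet
        }
        seen[ssrc]++; marked[ssrc] += m
    }
    END {
        for (s in seen)
            print s, first[s], last[s], seen[s], lost[s], reord[s], marked[s]
    }'
}

sample_rtp | rtp_seq_check
```

For a live stream the input would be tcpdump -l -T rtp <expression>. The sequence number is a 16-bit field, so a wrap from 65535 back to 0 would be reported here as a reordered packet; a production version would add 65536 when the jump is large and negative.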

RTCP traffic

There are five types of RTCP packet:

SR: Sender report, for transmission and reception statistics from participants that are active senders

RR: Receiver report, for reception statistics from participants that are not active senders

SDES: Source description items, including CNAME

BYE: Indicates end of participation

APP: Application specific functions

Two of these, sender and receiver reports, are the more common and interesting. The format of these messages is given below.

Sender Reports

Because of the size of sender reports it is necessary to capture further into the packet, so the -s option is used to set the number of bytes captured per packet, in this case 128 bytes.

tcpdump -s 128 -vvv -T rtcp src <sender IP> and dst port <RTCP Port>

Timestamp 11:58:52.027102

Source Address orac.erg.abdn.ac.uk

Source Port 1053

Destination Address 224.2.156.220

Destination Port 57393

Type of RTCP Packet sr

Synchronization Source (SSRC) Identifier of sender 489542890

NTP Timestamp reference @3238744444.18

Media timestamp reference 2584794646

Number of packets sent 12583800p

Number of Bytes sent 2794620371b

Synchronization Source (SSRC) Identifier of source 489542890

Cumulative number of packets lost 1l

Extended highest sequence number received 12646339s

Jitter 0j

orig. ts from last rr from this src @0.00

time from recpt of last rr to xmit time +0.00

No of Bytes of Source Description (sdes) data in the report sdes 60

Synchronization Source (SSRC) Identifier of Sender 489542890

TTL ttl 127

IP Header identifier id 22421

Length of the IP Datagram (B) len 140

You need to specify carefully which packets you wish to capture; in the example below we capture based on source address and destination port.

Here is a sample of RTCP sender reports from the ERG Rooftop Camera source.

tcpdump -s 128 -vvv -T rtcp src orac and port 57393

11:58:52.027102 orac.erg.abdn.ac.uk.1053 > 224.2.156.220.57393: sr 489542890 @3238744444.18 2584794646 12583800p 2794620371b 489542890
1l 12646339s 0j @0.00+0.00 sdes 60 489542890 (ttl 127, id 19051, len 140)

11:58:55.772400 orac.erg.abdn.ac.uk.1053 > 224.2.156.220.57393: sr 489542890 @3238744447.93 2585131669 12583837p 2794653187b 489542890
1l 12646376s 0j @0.00+0.00 sdes 60 489542890 (ttl 127, id 19089, len 140)

11:59:00.478495 orac.erg.abdn.ac.uk.1053 > 224.2.156.220.57393: sr 489542890 @3238744452.64 2585555168 12583874p 2794686955b 489542890
1l 12646413s 0j @0.00+0.00 sdes 60 489542890 (ttl 127, id 19127, len 140)

11:59:07.916442 orac.erg.abdn.ac.uk.1053 > 224.2.156.220.57393: sr 489542890 @3238744460.07 2586224502 12583901p 2794700449b 489542890
1l 12646440s 0j @0.00+0.00 sdes 60 489542890 (ttl 127, id 19155, len 140)

11:59:13.840491 orac.erg.abdn.ac.uk.1053 > 224.2.156.220.57393: sr 489542890 @3238744466.00 2586757598 12583931p 2794716009b 489542890
1l 12646470s 0j @0.00+0.00 sdes 60 489542890 (ttl 127, id 19186, len 140)

Receiver Reports

To capture receiver reports the following syntax is required.

tcpdump -s 96 -vvv -T rtcp src <receiver IP> and dst port <RTCP Port>

The structure of an RTCP receiver report is given below.

Timestamp 17:56:49.960317

Source Address churchward.erg.abdn.ac.uk

Source Port 32895

Destination Address 224.2.156.220

Destination Port 57393

Type of RTCP Packet rr

Synchronization Source (SSRC) Identifier of Sender 1030014788

Synchronization Source (SSRC) Identifier of Source 489542890

Cumulative number of packets lost 254l

Extended highest sequence number received 639135s

Jitter 0j

orig. ts from last rr from this src @45275.34

time from recpt of last rr to xmit time +1.92

No of Bytes of Source Description (sdes) data in the report sdes 72

Synchronization Source (SSRC) Identifier of Sender 1030014788

TTL ttl 127

IP Header identifier id 16048

Length of the IP Datagram (B) len 132

You need to specify carefully which packets you wish to capture; in the example below we capture based on source address and destination port.

Here is a sample of RTCP receiver reports from a machine viewing the ERG Rooftop camera source.

tcpdump -s 96 -vvv -T rtcp src churchward and port 57393

17:56:49.960317 churchward.erg.abdn.ac.uk.32895 > 224.2.156.220.57393: rr 1030014788 489542890 254l 639135s 0j @45275.34+1.92
sdes 72 1030014788 (ttl 127, id 16048, len 132)

17:56:57.260313 churchward.erg.abdn.ac.uk.32895 > 224.2.156.220.57393: rr 1030014788 489542890 254l 639156s 0j @45282.35+2.20
sdes 56 1030014788 (ttl 127, id 16049, len 116)

17:57:00.130274 churchward.erg.abdn.ac.uk.32895 > 224.2.156.220.57393: rr 1030014788 489542890 265l 639168s 0j @45287.25+0.17
sdes 60 1030014788 (ttl 127, id 16050, len 120)

17:57:04.800336 churchward.erg.abdn.ac.uk.32895 > 224.2.156.220.57393: rr 1030014788 489542890 265l 639185s 0j @45287.25+4.84
sdes 56 1030014788 (ttl 127, id 16051, len 116)
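Successive receiver reports from the same receiver about the same source give the loss over each reporting interval: the increase in the cumulative lost count divided by the increase in the extended highest sequence number. The following is an added example, not part of the original page, that computes this from the receiver reports shown above; the sample is the page's own output, including the wrapped continuation lines, which the parser joins back onto the report they belong to.

```shell
#!/bin/sh
# Per-interval loss from successive RTCP receiver reports in "tcpdump -T rtcp" output.
# Added example; the sample below is the page's receiver report output, wrapped lines included.

sample_rr() {
    cat <<'EOF'
17:56:49.960317 churchward.erg.abdn.ac.uk.32895 > 224.2.156.220.57393: rr 1030014788 489542890 254l 639135s 0j @45275.34+1.92
sdes 72 1030014788 (ttl 127, id 16048, len 132)

17:56:57.260313 churchward.erg.abdn.ac.uk.32895 > 224.2.156.220.57393: rr 1030014788 489542890 254l 639156s 0j @45282.35+2.20
sdes 56 1030014788 (ttl 127, id 16049, len 116)

17:57:00.130274 churchward.erg.abdn.ac.uk.32895 > 224.2.156.220.57393: rr 1030014788 489542890 265l 639168s 0j @45287.25+0.17
sdes 60 1030014788 (ttl 127, id 16050, len 120)

17:57:04.800336 churchward.erg.abdn.ac.uk.32895 > 224.2.156.220.57393: rr 1030014788 489542890 265l 639185s 0j @45287.25+4.84
sdes 56 1030014788 (ttl 127, id 16051, len 116)
EOF
}

# Reads rr lines on stdin; for every report after the first from the same
# (reporter SSRC, source SSRC) pair prints:
#   reporter source timestamp expected=N lost=N fraction=P%
rr_interval_loss() {
    awk '
    function report(line,    f, n, key, lost, seq, expected, dl) {
        n = split(line, f, " ")
        if (n < 9 || f[5] != "rr") return
        key = f[6] " " f[7]                          # reporter SSRC, reported source SSRC
        lost = f[8]; sub(/l$/, "", lost); lost += 0  # "254l": cumulative packets lost
        seq  = f[9]; sub(/s$/, "", seq);  seq  += 0  # "639135s": extended highest seq received
        if (key in plost) {
            expected = seq - pseq[key]               # packets the source sent in the interval
            dl = lost - plost[key]                   # of which this many were lost
            printf "%s %s expected=%d lost=%d fraction=%.1f%%\n",
                   key, f[1], expected, dl, (expected > 0 ? 100 * dl / expected : 0)
        }
        plost[key] = lost; pseq[key] = seq
    }
    # A line starting with hh:mm:ss. begins a new report; anything else is a
    # wrapped continuation of the previous one.
    /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\./ { if (buf != "") report(buf); buf = $0; next }
    NF  { buf = buf " " $0 }
    END { if (buf != "") report(buf) }'
}

sample_rr | rr_interval_loss
```

Run against the page's sample this reports 0 of 21, 11 of 12 and 0 of 17 packets lost in the three intervals, which is exactly the jump from 254l to 265l between the second and third reports. The interval fraction is the figure to watch in monitoring, since the cumulative count alone only grows.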

IPv6

To capture IPv6 traffic the ip6 qualifier needs to be specified.

tcpdump ip6 <expression>

All the options above can be used, such as reading and writing data from/to file and obtaining more verbose output using the -v, -vv or -vvv options.



This page is maintained by Alastair Matthews <alastair@erg.abdn.ac.uk>. It was last updated on 14/8/02.