
Thread: Packet Sniffing(tcpdump install and first use)

  1. #1 Senior Member (Join Date: Jul 2001, Posts: 461)

    Packet Sniffing(tcpdump install and first use)

    Please post or message me with criticism, or things I missed or have written incorrectly. Constructive criticism is welcome.

    I used Red Hat 7.1 as my model for this tutorial, so you may get slightly different results with different distros.

    ************************************
    WARNING!!!!!!! The way you choose to use this information may get you
    into trouble. I am posting this simply as a learning tool, so that people
    can start to look at how network protocols work in the real world.
    Proceed with caution if you are part of an enterprise network (get
    permission) or a university network (get permission). If you are on a
    cable modem or DSL, you should not be able to see others' packets anyway
    due to the way their switches are set up. Dial-up users, I can't help you.
    *************************************

    The ability to sniff packets (and understand what you are seeing) is very
    useful under many different circumstances. Packet sniffing can help you
    to troubleshoot network problems (routing issues, packet storms, etc.),
    spot intrusion attempts on a network you are responsible for, or even just
    learn a lot about computers and the way in which they
    communicate (protocols, etc.).

    There are a number of different packet sniffing tools available, some with
    a GUI, some without, some with more flexibility, others more suited for only
    a single task (such as grabbing plaintext passwords from the ether). This
    tutorial will deal with tcpdump, an open source, command line packet
    sniffer for *nix. There is a Windows version (called windump.exe; it
    must be used with winpcap.exe) but let's stick with *nix. One good reason
    to get familiar with tcpdump (as opposed to its GUI brothers and sisters)
    is that the way tcpdump does business (filters, formats, etc.) is compatible
    with a powerful open source intrusion detection system, SNORT.

    In order for the install to work, you need several things: the source for
    tcpdump and libpcap, root access, and an ANSI compatible C compiler (such
    as gcc on my Red Hat 7.1 machine).

    To start off, you need to download the source for tcpdump from

    www.tcpdump.org (or one of their mirrors)

    Also download the source for libpcap from the same site. I would
    recommend downloading the latest stable version, and not the beta version.
    As of this writing the latest versions of the two are

    tcpdump version 3.6.2
    libpcap version 0.6.2

    After you have downloaded the files, you will need to uncompress them, for
    me the commands were:

    gzip -dv tcpdump-3.6.2.tar.gz
    tar -xvf tcpdump-3.6.2.tar

    gzip -dv libpcap-0.6.2.tar.gz
    tar -xvf libpcap-0.6.2.tar

    It is possible to do the unzip and get the files out of the tarball in one
    command, but I have yet to figure out what that command is (and it wasn't
    worth my time tonight to figure that one out).

    Now, you should have 2 new directories in the folder in which the downloaded
    files were saved.

    For me these are

    libpcap-0.6.2

    and

    tcpdump-3.6.2

    First we need to compile, configure and install libpcap. The scripts which
    came with libpcap call your C compiler, so no need to worry about
    compiling, unless you are very unlucky.

    Do this using the following commands from the directory libpcap-0.6.2

    su
    ./configure
    make
    make install
    exit

    You should see an approximation of the following output...

    ***********************************
    [ -d /usr/local/lib ] || \
    (mkdir -p /usr/local/lib; chmod 755 /usr/local/lib)
    /usr/bin/install -c -m 644 libpcap.a /usr/local/lib/libpcap.a
    ranlib /usr/local/lib/libpcap.a
    [ -d /usr/local/include ] || \
    (mkdir -p /usr/local/include; chmod 755 /usr/local/include)
    /usr/bin/install -c -m 644 ./pcap.h /usr/local/include/pcap.h
    /usr/bin/install -c -m 644 ./pcap-namedb.h \
    /usr/local/include/pcap-namedb.h
    [ -d /usr/local/include/net ] || \
    (mkdir -p /usr/local/include/net; chmod 755 /usr/local/include/net)
    /usr/bin/install -c -m 644 ./bpf/net/bpf.h \
    /usr/local/include/net/bpf.h
    [ -d /usr/local/man/man3 ] || \
    (mkdir -p /usr/local/man/man3; chmod 755 /usr/local/man/man3)
    /usr/bin/install -c -m 644 ./pcap.3 \
    /usr/local/man/man3/pcap.3
    **************************************

    This shows that the libpcap install has created the appropriate
    directories with the appropriate rights. The latest version of the
    libpcap installer has been configured to correctly put the necessary
    files in the correct places. Previous versions did not do that, and I
    spent several hours once copying files to the proper place by hand; it
    wasn't fun.

    OK, change directory to the tcpdump-3.6.2 directory

    Enter the following commands

    su
    ./configure
    make
    make install
    exit

    You should see an approximation of the following output.

    **********************************
    [ -d /usr/local/sbin ] || \
    (mkdir -p /usr/local/sbin; chmod 755 /usr/local/sbin)
    /usr/bin/install -c tcpdump /usr/local/sbin/tcpdump
    [ -d /usr/local/man/man1 ] || \
    (mkdir -p /usr/local/man/man1; chmod 755 /usr/local/man/man1)
    /usr/bin/install -c -m 644 ./tcpdump.1 /usr/local/man/man1/tcpdump.1
    **********************************

    Assuming you received no error messages, it is time to try it out.

    The tcpdump install defaults to installing the tcpdump binary in

    /usr/local/sbin

    So, let's change to that directory, and try out the command...

    cd /usr/local/sbin

    su

    ./tcpdump

    Now you should have information pulled from captured packets streaming
    across the screen. Depending on the size of the network you are on,
    there will be greater or lesser amounts of traffic. For learning
    purposes, I would set up your machine on a private network of about 3 or
    so machines, try different configurations, and watch what happens.

    I will follow up with other tutorials on how to use tcpdump when I have
    some more time. For now, read the man pages, and search the net for
    information about tcpdump filters and options (such as saving the data to a
    file to review later, filtering out everything except one specific type of
    traffic, etc.). Explore tcpdump and have fun. If you have questions
    about what you are seeing, there are some great resources on the web (and in
    your local bricks-and-mortar library/bookstore) about the way packets are
    formed for the various protocols.

    One of my favorites (although a bit dry for pleasure reading) is

    TCP/IP Illustrated by Richard Stevens, I believe.

    I feel obliged to warn you again: if you are doing this at work, or at
    school, you could get in a lot of trouble if you are caught capturing packets
    without permission. If you set up your own private network for learning,
    you should have no worries, and you can see the results of different
    things that you might do with your computer. On a bigger network, that
    traffic may tend to get lost.
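    Added example (not part of the original post or of the tcpdump/libpcap projects): a small POSIX sh helper that unpacks a source tarball in one step (the tar -z form that J. gives in reply #5) and then checks that the two "make install" runs above actually landed every file their output lists (libpcap.a, pcap.h, pcap-namedb.h, net/bpf.h, pcap.3, the tcpdump binary and tcpdump.1). The function names and the optional PREFIX argument are this example's own; PREFIX defaults to /usr/local, the prefix shown in the install output. Running it after both installs tells you, before you su and start tcpdump, whether anything has to be copied into place by hand the way older libpcap versions required.

```shell
#!/bin/sh
# Added example, not from the original post: unpack a source tarball in one
# step and verify that a from-source libpcap/tcpdump install placed the files
# the post's "make install" output lists. PREFIX defaults to /usr/local.
# Function names and the PREFIX argument are this example's own assumptions.

# Files the libpcap "make install" output in the post reports, relative to PREFIX.
PCAP_FILES="lib/libpcap.a include/pcap.h include/pcap-namedb.h include/net/bpf.h man/man3/pcap.3"
# Files the tcpdump "make install" output in the post reports, relative to PREFIX.
TCPDUMP_FILES="sbin/tcpdump man/man1/tcpdump.1"

# check_files PREFIX "rel/path ...": report each missing file on stderr;
# return 0 if every file is present, 1 otherwise.
check_files() {
    prefix=$1
    missing=0
    for rel in $2; do
        if [ ! -f "$prefix/$rel" ]; then
            echo "missing: $prefix/$rel" >&2
            missing=1
        fi
    done
    return $missing
}

# check_libpcap_install [PREFIX]: did libpcap's install land its library,
# headers and man page?
check_libpcap_install() {
    check_files "${1:-/usr/local}" "$PCAP_FILES"
}

# check_tcpdump_install [PREFIX]: did tcpdump's install land the binary and
# its man page?
check_tcpdump_install() {
    check_files "${1:-/usr/local}" "$TCPDUMP_FILES"
}

# tcpdump_binary_ok [PREFIX]: the post runs ./tcpdump from /usr/local/sbin as
# root; before doing that, confirm the installed binary is actually executable.
tcpdump_binary_ok() {
    [ -x "${1:-/usr/local}/sbin/tcpdump" ]
}

# extract_source TARBALL: gunzip and untar in one step (tar -z) and print the
# top-level directory the archive unpacked into, e.g. libpcap-0.6.2.
extract_source() {
    tar -zxf "$1" || return 1
    tar -ztf "$1" | head -n 1 | cut -d/ -f1
}

# Typical use after "make install" for both packages:
#   check_libpcap_install && check_tcpdump_install && tcpdump_binary_ok \
#       && echo "install looks complete"
```

    The checks only look at the default prefix; if you passed --prefix to ./configure, pass the same directory as the first argument to each function.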

  2. #2 Senior Member (Join Date: Jul 2001, Posts: 461)

    What? I can't delete my reply to my post...
    Oh well..

  3. #3 Old-Fogey: Addicts founder Terr (Join Date: Aug 2001, Location: Seattle, WA, Posts: 2,007)

    Got rid of what? A reason? Everything needs a reason...?
    [HvC]Terr: L33T Technical Proficiency

  4. #4 Senior Member (Join Date: Jul 2001, Posts: 461)

    I just got rid of some useless text in response to a comment that someone made Terr,

    heh.. it was kinda useless...

  5. #5 Senior Member (Join Date: Sep 2001, Posts: 429)

    Re: Packet Sniffing(tcpdump install and first use)

    Originally posted by IchNiSan:
        It is possible to do the unzip and get the files out of the tarball in one
        command, but I have yet to figure out what that command is.(

    Use tar -zxvf file.tar.gz to unzip & untar in 1 command.

    J.

  6. #6 Banned (Join Date: Oct 2005, Posts: 6)

    packet sniffin is cool but gets LaMe after a while!!!

  7. #7 Senior Member nihil (Join Date: Jul 2003, Location: United Kingdom: Bridlington, Posts: 17,188)

    Yes, they have been informed........................Neg's box is full

    Kill this one................it is "the ****" again?
