3. TCPDUMP USE
To display the standard tcpdump output (one summary line per packet: timestamp, protocol, source.port > destination.port, then TCP flags, sequence/ack numbers and window, or a payload length for other protocols):
#tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
[Five packet lines follow in the original, timestamps 21:57:29.004426, 21:57:31.228013, 21:57:31.228020, 21:57:38.035382 and 21:57:38.613206; their columns did not survive extraction. The recoverable fields are payload lengths (`length 53`, `length 36`) and TCP segments such as `P 1548302662:1548303275(613) ack`, `ack 613 win 86`, `1:511(510) ack 613 win 86` and `ack 511 win 16527`.]
A capture saved to a file (here capture.log) is written in binary pcap format, not plain text, so you cannot read it with a text editor. Open it with a tool that understands the format: tcpdump itself (#tcpdump -r capture.log) or Wireshark (formerly Ethereal), which provides a graphical interface.
The capture.log file opened in Wireshark.
To display the packets having www.openmaniak.com as their source or destination address (the host name is resolved to its IP address when the filter is compiled, and `host` matches either direction):
#tcpdump host www.openmaniak.com
To display the FTP packets going from 192.168.1.100 to 192.168.1.2 (`port ftp` is port 21, the FTP control channel; the data connection uses other ports and is not matched):
#tcpdump src 192.168.1.100 and dst 192.168.1.2 and port ftp
To display the packet contents in ASCII (-X prints hex and ASCII side by side). Note the "capture size 96 bytes" in the banner below: this snapshot length truncates longer payloads, so add -s 0 to capture whole packets:
#tcpdump -A
Packets captured during an FTP connection. The FTP password can be easily intercepted because it is sent in clear text to the server.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
20:53:24.872785 IP ubuntu.local.40205 > 192.168.1.2.ftp: S 4155598838:4155598838(0) win 5840 ....g....................
............
20:53:24.879473 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 1228937421 win 183 ....g.I@..........
20:53:24.881654 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 43 win 183...g.I@...........8......EN
20:53:26.402046 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 0:10(10) ack 43 win 183.g.I@...`$.
.=..ENUSER teddybear
20:53:26.403802 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 76 win 183
....h.I@.............
...>..E^
20:53:29.169036 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 10:25(15) ack 76 win 183
....h.I@......#c.....
......E^PASS wakeup
20:53:29.171553 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 96 win 183
....h.I@.,...........
......Ez
20:53:29.171649 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 25:31(6) ack 96 win 183
....h.I@.,...........
......EzSYST
20:53:29.211607 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 115 win 183
....h.I@.?.....j.....
......Ez
20:53:31.367619 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 31:37(6) ack 115 win 183
....h.I@.?...........
......EzQUIT
20:53:31.369316 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 155 win 183
....h.I@.g...........
......E.
20:53:31.369759 IP ubuntu.local.40205 > 192.168.1.2.ftp: F 37:37(0) ack 156 win 183
....h.I@.h.....e.....
......E.
We see in this capture the FTP username (teddybear) and password (wakeup) in clear text. Anyone who can sniff the path between client and server recovers them the same way, which is why FTP logins should go over an encrypted channel such as FTPS or SFTP, and why finding USER/PASS in a capture of your own network is worth alerting on.
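Reading the username and password out of the dump by eye works for one session; over a longer capture it is easier to script. The following Python is an added example written for this page, not part of the original tutorial or of tcpdump itself. It parses the summary lines that `tcpdump -A` prints, applies the same host/port logic as the `src ... and dst ... and port ftp` filter above, and pulls the USER and PASS commands out of the client-to-server segments. The sample input is constructed from the capture above plus one invented server reply; the `SERVICE_PORTS` map and all function names are this example's own.

```python
"""Pull FTP credentials out of tcpdump -A text output.

Added example for this page, not tcpdump code; the SAMPLE input below is
constructed from the capture shown above plus one invented server reply.
"""
import re
from collections import defaultdict

# tcpdump prints service names for well-known ports unless run with -n; the
# capture above shows "ftp" for port 21.  Small fixed map (assumption: avoids
# depending on /etc/services) so the filter can compare numbers.
SERVICE_PORTS = {"ftp-data": 20, "ftp": 21}

# One summary line per packet, e.g.
#   20:53:26.402046 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 0:10(10) ack 43 win 183
# src/dst are non-greedy so the last dot-separated field becomes the port.
SUMMARY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP (?P<src>\S+?)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\S+?)\.(?P<dport>[\w-]+): (?P<flags>[SFRP.]+)(?P<rest>.*)$"
)
# FTP sends the login as "USER name" / "PASS secret" in clear text.
CRED_RE = re.compile(r"(USER|PASS)\s+(\S+)")


def port_number(field):
    """Port as int from the numeric or service-name form tcpdump printed."""
    if field.isdigit():
        return int(field)
    return SERVICE_PORTS.get(field.lower())


def parse_tcpdump_ascii(text):
    """Split tcpdump -A output into packets.  Each packet is a dict with the
    summary fields plus 'payload': the ASCII rendering that -A prints after
    the summary line (sometimes glued onto it, as in the capture above)."""
    packets = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["sport"] = port_number(pkt.pop("sport"))
            pkt["dport"] = port_number(pkt.pop("dport"))
            pkt["payload"] = pkt.pop("rest")
            packets.append(pkt)
        elif packets:  # continuation of the current packet's ASCII dump
            packets[-1]["payload"] += "\n" + line
        # anything before the first summary line is tcpdump's banner
    return packets


def matches(pkt, src=None, dst=None, port=None):
    """Equivalent of the filter `src A and dst B and port P` on parsed packets:
    every given term must hold, and `port` matches either end, as in BPF.
    Values are compared against what tcpdump printed (use -n for numeric
    addresses; this capture shows the resolved name ubuntu.local)."""
    if src is not None and pkt["src"] != src:
        return False
    if dst is not None and pkt["dst"] != dst:
        return False
    if port is not None and port not in (pkt["sport"], pkt["dport"]):
        return False
    return True


def extract_ftp_credentials(packets, ftp_port=21):
    """Collect USER/PASS per control connection, keyed by (client, server).
    Only client->server segments are inspected; server replies never carry
    the secret, so they are skipped even if they mention passwords."""
    creds = defaultdict(dict)
    for pkt in packets:
        if pkt["dport"] != ftp_port:
            continue
        for cmd, arg in CRED_RE.findall(pkt["payload"]):
            creds[(pkt["src"], pkt["dst"])][cmd] = arg
    return dict(creds)


# Constructed sample: banner and a subset of the capture above, plus one
# invented server reply (the 331 line) to show that replies are ignored.
SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
20:53:24.872785 IP ubuntu.local.40205 > 192.168.1.2.ftp: S 4155598838:4155598838(0) win 5840 ....g....................
20:53:26.402046 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 0:10(10) ack 43 win 183.g.I@...`$.
.=..ENUSER teddybear
20:53:26.403500 IP 192.168.1.2.ftp > ubuntu.local.40205: P 43:76(33) ack 10 win 5792
......E^331 Please specify the password.
20:53:29.169036 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 10:25(15) ack 76 win 183
....h.I@......#c.....
......E^PASS wakeup
20:53:31.367619 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 31:37(6) ack 115 win 183
....h.I@.?...........
......EzQUIT
"""


def demo():
    """Same selection as `tcpdump src ubuntu.local and dst 192.168.1.2 and port ftp`,
    then credential extraction over the selected packets."""
    packets = parse_tcpdump_ascii(SAMPLE)
    control = [p for p in packets
               if matches(p, src="ubuntu.local", dst="192.168.1.2", port=21)]
    return extract_ftp_credentials(control)


if __name__ == "__main__":
    for (client, server), c in demo().items():
        print(f"{client} -> {server}: USER={c.get('USER')} PASS={c.get('PASS')}")
```

In practice you would feed it a real dump (`tcpdump -n -s 0 -A port 21 > ftp.txt`) rather than the embedded sample; -n keeps addresses numeric so the filter values match what the page's command used, and -s 0 avoids the 96-byte truncation seen in the banner above.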