1
00:00:00,390 --> 00:00:07,010
tcpdump is a free, open source, very common and fast packet analyzer that runs under the command line.

2
00:00:08,100 --> 00:00:13,980
It prints out a description of the contents of packets on a network interface that match the Boolean

3
00:00:13,980 --> 00:00:15,870
expression given as a parameter.

4
00:00:17,190 --> 00:00:19,890
tcpdump has a lot of filtering options.

5
00:00:20,520 --> 00:00:22,770
We'll discuss some of them in the next slide.

6
00:00:24,330 --> 00:00:29,670
It can be preferred to other packet analyzers, such as Wireshark, because it's so fast.

7
00:00:31,170 --> 00:00:37,170
It also supports one of the most common network traffic capture formats, pcap; you can save the

8
00:00:37,170 --> 00:00:41,310
result as raw ASCII text in a document as well.

9
00:00:43,010 --> 00:00:44,340
So have a look at this.

10
00:00:44,690 --> 00:00:53,030
These are some of the parameters you can use with the tcpdump command. -D or --list-interfaces prints the

11
00:00:53,030 --> 00:00:59,120
list of the network interfaces available on the system and on which tcpdump can capture packets.

12
00:01:00,060 --> 00:01:04,680
-i or --interface listens in on the interface.

13
00:01:05,680 --> 00:01:12,370
If unspecified, tcpdump searches the system interface list for the lowest numbered configured interface,

14
00:01:13,120 --> 00:01:17,890
excluding loopback, which may turn out to be, for example, eth0.

15
00:01:19,560 --> 00:01:27,780
-n means do not convert addresses, that is host addresses, port numbers, etc., to names.

16
00:01:29,510 --> 00:01:38,360
-v produces verbose output when parsing and printing; the more v's, the more details. -w writes the raw

17
00:01:38,360 --> 00:01:42,350
packets to a specified file rather than parsing and printing them out.
18
00:01:43,420 --> 00:01:51,790
-r reads packets from the file, which was created with the -w option or by other tools that write pcap

19
00:01:51,790 --> 00:01:53,650
or pcapng files.

20
00:01:54,920 --> 00:01:57,500
-A prints each packet in ASCII.

21
00:01:58,870 --> 00:02:05,140
Handy for capturing web pages. When parsing and printing, in addition to printing the headers of each

22
00:02:05,140 --> 00:02:11,020
packet, capital -X prints the data of each packet in hex and ASCII.

23
00:02:11,990 --> 00:02:14,270
It's very handy for analyzing new protocols.

24
00:02:15,380 --> 00:02:20,660
So if you use the -x option, the data of each packet is printed in hex.

25
00:02:22,070 --> 00:02:25,880
In addition to these options, you can filter the results in several ways.

26
00:02:27,070 --> 00:02:33,370
If you would like to monitor a specific protocol such as TCP, you can use its name as the filter.

27
00:02:34,760 --> 00:02:43,040
You can capture packets to or from an endpoint residing in a network using the net filter, or use a host

28
00:02:43,040 --> 00:02:48,260
filter to see the packets of a host as a source, destination or either one.

29
00:02:49,880 --> 00:02:59,480
Use port to filter TCP or UDP packets sent to or from a specified port; use portrange to listen to

30
00:02:59,480 --> 00:03:01,370
ports in any given range.

31
00:03:02,920 --> 00:03:09,790
Now, if you use the src option, you can see only the packets where the target system is the source

32
00:03:09,790 --> 00:03:10,430
of the packet.

33
00:03:11,020 --> 00:03:16,030
Similarly, dst is used to specify the destination system.

34
00:03:17,120 --> 00:03:24,110
So, of course, you can use more than one filter in a command and set up the relation using and and

35
00:03:24,140 --> 00:03:31,820
or as logical operators, for example, host 1.1.1.1 and port 80.
36
00:03:33,240 --> 00:03:42,150
Now, before running several tcpdump commands, let's examine the fields of a typical tcpdump output row.

37
00:03:42,930 --> 00:03:46,410
The row shown in the slide is a TCP packet.

38
00:03:47,690 --> 00:03:55,190
The first field is the time when the packet arrived, with a timestamp as hour, minute, second and,

39
00:03:55,190 --> 00:03:57,170
well, the fractions of a second.

40
00:03:58,770 --> 00:04:04,980
So the second field is the protocol running atop the link layer, in this case IPv4.

41
00:04:06,060 --> 00:04:12,690
Now for IP packets, the third field is the IP address or hostname of the host sending the packet,

42
00:04:12,690 --> 00:04:16,680
along with, for TCP and UDP packets, the source port.

43
00:04:17,940 --> 00:04:25,900
The packet on the slide came from port 80 of the system 172.16.99.139.

44
00:04:27,000 --> 00:04:33,450
Now, the fourth field is the IP address or hostname of the host receiving the packet, along with, for

45
00:04:33,450 --> 00:04:35,460
TCP and UDP packets,

46
00:04:35,490 --> 00:04:40,800
the destination port. Flags is the TCP segment flags.

47
00:04:41,310 --> 00:04:45,630
The packet on the slide doesn't have any flags set other than ACK.

48
00:04:46,650 --> 00:04:49,860
ack is the acknowledgement number in the packet.

49
00:04:50,370 --> 00:04:57,510
tcpdump shows sequence and acknowledgement numbers relative to the initial sequence number by default.

50
00:04:58,700 --> 00:05:08,270
win is the source host's TCP window, and you see the options field. length is the length of the data

51
00:05:08,270 --> 00:05:11,910
in the TCP segment, which here is zero.

52
00:05:12,380 --> 00:05:15,080
So that means that no data is exchanged yet.

53
00:05:16,220 --> 00:05:22,220
So that's enough for now. Let's see tcpdump in action; time for hands-on.