LinuxQuestions.org
Old 08-12-2009, 03:04 AM   #1
deostroll
Does anyone understand the output of tcpdump?


Hi. I cannot understand the output of tcpdump. Can anyone make sense of this...

Code:
# tcpdump -nnvvv -i eth0 host xxx.xxx.130.22
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:47:25.771967 IP (tos 0x10, ttl  64, id 38758, offset 0, flags [DF], proto: TCP (6), length: 60) xxx.xxx.109.8.56343 > xxx.xxx.130.22.23: S, cksum 0xe447 (correct), 3037035322:3037035322(0) win 5840 <mss 1460,sackOK,timestamp 216132700 0,nop,wscale 3>
13:47:26.068305 IP (tos 0x0, ttl  61, id 23569, offset 0, flags [DF], proto: TCP (6), length: 64) xxx.xxx.130.22.23 > xxx.xxx.109.8.56343: S, cksum 0x187b (correct), 130741572:130741572(0) ack 3037035323 win 32768 <mss 1460,nop,nop,sackOK,wscale 0,nop,nop,nop,timestamp 27022044 216132700>
13:47:26.068391 IP (tos 0x10, ttl  64, id 38759, offset 0, flags [DF], proto: TCP (6), length: 52) xxx.xxx.109.8.56343 > xxx.xxx.130.22.23: ., cksum 0xd523 (correct), 1:1(0) ack 1 win 730 <nop,nop,timestamp 216132774 27022044>
13:47:26.364679 IP (tos 0x0, ttl  61, id 23570, offset 0, flags [DF], proto: TCP (6), length: 55) xxx.xxx.130.22.23 > xxx.xxx.109.8.56343: P, cksum 0x3420 (correct), 1:4(3) ack 1 win 32768 <nop,nop,timestamp 27022074 216132700> [telnet DO OLD-ENVIRON]
13:47:26.364756 IP (tos 0x10, ttl  64, id 38760, offset 0, flags [DF], proto: TCP (6), length: 52) xxx.xxx.109.8.56343 > xxx.xxx.130.22.23: ., cksum 0xd4b8 (correct), 1:1(0) ack 4 win 730 <nop,nop,timestamp 216132848 27022074>
13:47:30.986929 IP (tos 0x10, ttl  64, id 38761, offset 0, flags [DF], proto: TCP (6), length: 85) xxx.xxx.109.8.56343 > xxx.xxx.130.22.23: P 1:34(33) ack 4 win 730 <nop,nop,timestamp 216134004 27022074> [telnet DO ENCRYPT, WILL ENCRYPT, DO SUPPRESS GO AHEAD, WILL TERMINAL TYPE, WILL NAWS, WILL TSPEED, WILL LFLOW, WILL LINEMODE, WILL NEW-ENVIRON, DO STATUS]
13:47:31.351849 IP (tos 0x0, ttl  61, id 23571, offset 0, flags [DF], proto: TCP (6), length: 52) xxx.xxx.130.22.23 > xxx.xxx.109.8.56343: ., cksum 0x50fa (correct), 4:4(0) ack 34 win 32768 <nop,nop,timestamp 27022573 216134004>
13:47:31.351919 IP (tos 0x10, ttl  64, id 38762, offset 0, flags [DF], proto: TCP (6), length: 55) xxx.xxx.109.8.56343 > xxx.xxx.130.22.23: P, cksum 0xa9bf (correct), 34:37(3) ack 4 win 730 <nop,nop,timestamp 216134094 27022573> [telnet WILL OLD-ENVIRON]
13:47:31.648214 IP (tos 0x0, ttl  61, id 23572, offset 0, flags [DF], proto: TCP (6), length: 59) xxx.xxx.130.22.23 > xxx.xxx.109.8.56343: P, cksum 0x3875 (correct), 4:11(7) ack 37 win 32768 <nop,nop,timestamp 27022602 216134094> [telnet SB OLD-ENVIRON SEND 0x3 SE]
13:47:31.648290 IP (tos 0x10, ttl  64, id 38763, offset 0, flags [DF], proto: TCP (6), length: 52) xxx.xxx.109.8.56343 > xxx.xxx.130.22.23: ., cksum 0xcd54 (correct), 37:37(0) ack 11 win 730 <nop,nop,timestamp 216134169 27022602>
13:47:31.648580 IP (tos 0x10, ttl  64, id 38764, offset 0, flags [DF], proto: TCP (6), length: 90) xxx.xxx.109.8.56343 > xxx.xxx.130.22.23: P 37:75(38) ack 11 win 730 <nop,nop,timestamp 216134169 27022602>
13:47:31.950716 IP (tos 0x0, ttl  61, id 23573, offset 0, flags [DF], proto: TCP (6), length: 55) xxx.xxx.130.22.23 > xxx.xxx.109.8.56343: P, cksum 0x37e1 (correct), 11:14(3) ack 75 win 32768 <nop,nop,timestamp 27022632 216134169> [telnet DO TERMINAL TYPE]
13:47:31.950787 IP (tos 0x0, ttl  61, id 23574, offset 0, flags [DF], proto: TCP (6), length: 88) xxx.xxx.130.22.23 > xxx.xxx.109.8.56343: P 14:50(36) ack 75 win 32768 <nop,nop,timestamp 27022632 216134169> [telnet WONT ENCRYPT, DONT ENCRYPT, WILL SUPPRESS GO AHEAD, DO NAWS, DO TSPEED, DO LFLOW, DONT LINEMODE, DONT NEW-ENVIRON, WONT STATUS, DONT XDISPLOC]
13:47:31.950991 IP (tos 0x10, ttl  64, id 38765, offset 0, flags [DF], proto: TCP (6), length: 52) xxx.xxx.109.8.56343 > xxx.xxx.130.22.23: ., cksum 0xcc9e (correct), 75:75(0) ack 50 win 730 <nop,nop,timestamp 216134244 27022632>
13:47:32.027078 IP (tos 0x10, ttl  64, id 38766, offset 0, flags [DF], proto: TCP (6), length: 72) xxx.xxx.109.8.56343 > xxx.xxx.130.22.23: P, cksum 0xb27f (correct), 75:95(20) ack 50 win 730 <nop,nop,timestamp 216134264 27022632> [telnet SB NAWS IS 0x50 0 0x18 SE, SB TERMINAL TYPE IS 0x58 0x54 0x45 0x52 0x4d SE]
13:47:32.323571 IP (tos 0x0, ttl  61, id 23575, offset 0, flags [DF], proto: TCP (6), length: 58) xxx.xxx.130.22.23 > xxx.xxx.109.8.56343: P, cksum 0x2f2f (correct), 50:56(6) ack 95 win 32768 <nop,nop,timestamp 27022670 216134264> [telnet SB TSPEED SEND SE]
13:47:32.323842 IP (tos 0x10, ttl  64, id 38767, offset 0, flags [DF], proto: TCP (6), length: 69) xxx.xxx.109.8.56343 > xxx.xxx.130.22.23: P, cksum 0x8bef (correct), 95:112(17) ack 56 win 730 <nop,nop,timestamp 216134338 27022670> [telnet SB TSPEED IS 0x33 0x38 0x34 0x30 0x30 0x2c 0x33 0x38 0x34 0x30 0x30 SE]
13:47:32.621752 IP (tos 0x0, ttl  61, id 23576, offset 0, flags [DF], proto: TCP (6), length: 562) xxx.xxx.130.22.23 > xxx.xxx.109.8.56343: P 56:566(510) ack 112 win 32768 <nop,nop,timestamp 27022699 216134338> [telnet WILL ECHO, DO ECHO]
13:47:32.621825 IP (tos 0x0, ttl  61, id 23577, offset 0, flags [DF], proto: TCP (6), length: 111) xxx.xxx.130.22.23 > xxx.xxx.109.8.56343: P 566:625(59) ack 112 win 32768 <nop,nop,timestamp 27022699 216134338>
13:47:32.621846 IP (tos 0x10, ttl  64, id 38768, offset 0, flags [DF], proto: TCP (6), length: 52) xxx.xxx.109.8.56343 > xxx.xxx.130.22.23: ., cksum 0xc8c9 (correct), 112:112(0) ack 625 win 864 <nop,nop,timestamp 216134412 27022699>
13:47:32.622154 IP (tos 0x10, ttl  64, id 38769, offset 0, flags [DF], proto: TCP (6), length: 58) xxx.xxx.109.8.56343 > xxx.xxx.130.22.23: P, cksum 0xcabc (correct), 112:118(6) ack 625 win 864 <nop,nop,timestamp 216134412 27022699> [telnet DO ECHO, WONT ECHO]
13:47:32.626532 IP (tos 0x0, ttl  61, id 23578, offset 0, flags [DF], proto: TCP (6), length: 59) xxx.xxx.130.22.23 > xxx.xxx.109.8.56343: P, cksum 0xea4f (correct), 625:632(7) ack 112 win 32768 <nop,nop,timestamp 27022700 216134338>
13:47:32.671155 IP (tos 0x10, ttl  64, id 38770, offset 0, flags [DF], proto: TCP (6), length: 52) xxx.xxx.109.8.56343 > xxx.xxx.130.22.23: ., cksum 0xc8ae (correct), 118:118(0) ack 632 win 864 <nop,nop,timestamp 216134425 27022700>
13:47:32.918462 IP (tos 0x0, ttl  61, id 23579, offset 0, flags [DF], proto: TCP (6), length: 55) xxx.xxx.130.22.23 > xxx.xxx.109.8.56343: P, cksum 0x4af4 (correct), 632:635(3) ack 118 win 32768 <nop,nop,timestamp 27022729 216134412> [telnet DONT ECHO]
13:47:32.918696 IP (tos 0x10, ttl  64, id 38771, offset 0, flags [DF], proto: TCP (6), length: 52) xxx.xxx.109.8.56343 > xxx.xxx.130.22.23: ., cksum 0xc851 (correct), 118:118(0) ack 635 win 864 <nop,nop,timestamp 216134486 27022729>

25 packets captured
25 packets received by filter
0 packets dropped by kernel
I tried to write this to a file, but I got some encrypted junk...

Anyway, here I have just opened a telnet session via command prompt. The first thing I have to do (usually) is log in to proceed with this telnet session. I have captured the output until that point (where it asks for the credentials). Can anyone help me understand this output? Thanks in advance.

PS: Need to understand this output. Final goal is that I want to capture the output (data sent via telnet server) within an application.
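As an added example (not from this thread and not part of tcpdump), here is a small Python parser for lines of the form shown above: it names each segment's role in the three-way handshake, notes which lines tcpdump could not checksum-verify, and decodes the telnet option negotiation, including the NAWS / TERMINAL TYPE subnegotiation bytes. The regular expression is my own reading of the tcpdump -vvv line layout in this post, and the sample lines are copied from it.

```python
import re

# Constructed sample: four lines copied from the tcpdump -nnvvv output in the post
# (addresses masked as they appear there). Line 3 has no "cksum" field because the
# frame exceeded the default 96-byte snaplen, so tcpdump could not verify it.
SAMPLE = """\
13:47:25.771967 IP (tos 0x10, ttl  64, id 38758, offset 0, flags [DF], proto: TCP (6), length: 60) xxx.xxx.109.8.56343 > xxx.xxx.130.22.23: S, cksum 0xe447 (correct), 3037035322:3037035322(0) win 5840 <mss 1460,sackOK,timestamp 216132700 0,nop,wscale 3>
13:47:26.068305 IP (tos 0x0, ttl  61, id 23569, offset 0, flags [DF], proto: TCP (6), length: 64) xxx.xxx.130.22.23 > xxx.xxx.109.8.56343: S, cksum 0x187b (correct), 130741572:130741572(0) ack 3037035323 win 32768 <mss 1460,nop,nop,sackOK,wscale 0,nop,nop,nop,timestamp 27022044 216132700>
13:47:30.986929 IP (tos 0x10, ttl  64, id 38761, offset 0, flags [DF], proto: TCP (6), length: 85) xxx.xxx.109.8.56343 > xxx.xxx.130.22.23: P 1:34(33) ack 4 win 730 <nop,nop,timestamp 216134004 27022074> [telnet DO ENCRYPT, WILL ENCRYPT, DO SUPPRESS GO AHEAD, WILL TERMINAL TYPE, WILL NAWS, WILL TSPEED, WILL LFLOW, WILL LINEMODE, WILL NEW-ENVIRON, DO STATUS]
13:47:32.027078 IP (tos 0x10, ttl  64, id 38766, offset 0, flags [DF], proto: TCP (6), length: 72) xxx.xxx.109.8.56343 > xxx.xxx.130.22.23: P, cksum 0xb27f (correct), 75:95(20) ack 50 win 730 <nop,nop,timestamp 216134264 27022632> [telnet SB NAWS IS 0x50 0 0x18 SE, SB TERMINAL TYPE IS 0x58 0x54 0x45 0x52 0x4d SE]
"""

# One tcpdump -vvv TCP line: timestamp, IP header summary, src > dst, flags,
# optional checksum, seq:seqend(len), optional ack, window, options, telnet decode.
LINE_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(.*?\) '
    r'(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+),? '
    r'(?:cksum (?P<cksum>0x[0-9a-f]+) \(\w+\), )?'
    r'(?P<seq>\d+):(?P<seqend>\d+)\((?P<len>\d+)\)'
    r'(?: ack (?P<ack>\d+))? win (?P<win>\d+)'
    r'(?: <[^>]*>)?(?: \[telnet (?P<telnet>.*)\])?$')

NEGOTIATE = {'DO': 'requested', 'WILL': 'offered', 'DONT': 'refused', 'WONT': 'declined'}

def tcp_kind(p):
    """Name the segment from its flags: the first three lines are the 3-way handshake."""
    if 'S' in p['flags']:
        return 'SYN-ACK (server accepts)' if p['ack'] else 'SYN (client opens)'
    return 'data (PSH)' if 'P' in p['flags'] else 'bare ACK'

def decode_telnet(item):
    """Turn one tcpdump telnet item (DO/WILL/... or an SB ... SE block) into text."""
    if not item.startswith('SB '):
        verb, opt = item.split(' ', 1)
        return '%s %s' % (opt, NEGOTIATE[verb])
    body = item[3:-3]                                   # strip 'SB ' and ' SE'
    opt, verb, raw = re.match(r'(.+?) (IS|SEND)(?: (.*))?$', body).groups()
    data = [int(t, 0) for t in (raw or '').split()]    # tokens look like 0x50 or 0
    if verb == 'SEND':
        return '%s SEND (peer asked for the value)' % opt
    if opt == 'NAWS':
        # NAWS carries 4 raw bytes (width, height, big-endian); tcpdump labels the
        # first byte (0x00) as "IS", so put it back before decoding.
        b = [0] + data
        return 'NAWS IS %dx%d' % ((b[0] << 8) | b[1], (b[2] << 8) | b[3])
    return '%s IS %s' % (opt, bytes(data).decode('ascii'))   # TSPEED, TERMINAL TYPE

def parse_capture(text):
    """Parse tcpdump lines into dicts. 'verified' is False when no checksum was
    printed (truncated frame); capture with -s0 to avoid that."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = m.groupdict()
        p['len'] = int(p['len'])
        p['verified'] = p['cksum'] is not None
        p['kind'] = tcp_kind(p)
        p['telnet'] = [decode_telnet(i) for i in p['telnet'].split(', ')] if p['telnet'] else []
        out.append(p)
    return out

if __name__ == '__main__':
    for p in parse_capture(SAMPLE):
        print(p['ts'], p['src'], '>', p['dst'], p['kind'], p['len'], 'bytes', p['telnet'])
```

The last sample line decodes to an 80x24 window and an XTERM terminal type, which is what the client announced before the server sent its login banner.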
 
Old 08-12-2009, 03:50 AM   #2
centosboy
Quote:
Originally Posted by deostroll
Hi. I cannot understand the output of tcpdump. Can anyone make sense of this...


Write to a file and open the file with an analyzer like wireshark.

Get a good dump like so:

Code:
tcpdump -Xi eth0 -s0 -w out_file
Sometimes you can use strings to see what has been captured.

Code:
strings out_file | less
Or better still, just use wireshark to do the whole capture and analysis.

 
Old 08-12-2009, 04:56 AM   #3
deostroll
What does the X switch do...?
 
Old 08-12-2009, 10:55 AM   #4
centosboy
Quote:
Originally Posted by deostroll
What does the X switch do...?
From the man page:

Code:
 -X     Print each packet (minus its link level header) in hex and ASCII.  This is very handy for analysing new protocols.

tcpdump is good of course.
wireshark is an all-in-one, so it will collect the traffic and analyze it / arrange it into something meaningful. I suggest you try that... it has a nice GUI too.
 
Old 08-12-2009, 12:20 PM   #5
hua
Great, centosboy.
It is always a good idea to read each post; you always learn something more.
Till now I was leaving xorg packages and KDE on my server just because I sometimes do network traffic monitoring on the server with wireshark.
And the solution is just as simple...
Thanks.

 
Old 08-13-2009, 10:00 AM   #6
deostroll
Okay, I've tried wireshark on Windows. (I don't see a Linux version, though.) I don't understand how you go about doing analysis on that data?

@centosboy: I tried the above command without the -w switch. I redirected the screen output onto a text file. I see some familiar things, but I can't figure out what "I" should send from my application in order to get those things. I don't know if there is much I can do with wireshark because I get the same data there too; they are just mapped properly, I guess.
 
Old 08-13-2009, 10:02 AM   #7
deostroll
@centosboy: ...and I am working in a shell. I am connecting to it via PuTTY. I can't have anything GUI on it!!!
 
Old 08-14-2009, 07:00 AM   #8
hua
It depends on what you mean by analysis of the network traffic.

For example, you can track your DNS requests, where you can see which DNS server you are talking to (IP address).
You can see what names you are requesting. Wireshark automatically identifies the protocol for you (DNS in this case). And finally you can see the answer from the DNS server.
For example, this kind of analysis helped me find out that one infected PC was requesting DNS names from an unknown DNS server, although I had configured the DNS of my ISP properly, and so the antivirus program was not able to update its virus database.

But there are more complex protocols like SMB, NetBIOS, HTTP, SMTP, IMAP... And when your communication is longer you can just right-click on the packet and follow the TCP stream, where you get the complete communication like this:

The client HTTP request (Mozilla > www.yahoo.com):
Quote:
GET / HTTP/1.1

Host: www.yahoo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; sk; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: sk,cs;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
The server answers:
Quote:
HTTP/1.1 200 OK

Date: Fri, 14 Aug 2009 11:53:36 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Cache-Control: private
Vary: User-Agent
domain=.yahoo.com
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
This is the beginning of HTTP protocol traffic. Of course these data won't tell you anything if you don't know the protocol.

Although I don't use ubuntu, here you can download the package for it:
http://www.wireshark.org/download.html

Just scroll down for third-party packages and select the package for ubuntu.

 
Old 08-14-2009, 07:16 AM   #9
hua
Start tcpdump to put the network traffic into a file, like network_traf for example.
Quote:
tcpdump -w network_traf
After some time you will find the file which tcpdump creates > network_traf. (Stop tcpdump.)
Download this file to a PC where wireshark is installed. Start it, and open the downloaded file network_traf from the wireshark menu > File > Open.
