LinuxQuestions.org > Linux - Software > Tcpdump question? (https://www.linuxquestions.org/questions/linux-software-2/tcpdump-question-400719/)

chinmays 01-07-2006 07:47 PM

Tcpdump question?
 
Hi,

I use the following command to store the packet information in a file:

tcpdump -wfilename

But now when I open up this file using vi the contents are all encrypted. Can somebody suggest something? It's kinda urgent.

bulliver 01-08-2006 01:29 PM

From 'man tcpdump':

Quote:

-w Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option.
You could also open the raw packet dump with ethereal if you like.
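
What vi shows is not encryption but the binary pcap container that `-w` writes and `-r` (or Ethereal/Wireshark) reads back. The following reader is an added example, not code from the thread or from tcpdump itself: it builds a small two-frame capture in memory (constructed data; the MAC addresses are borrowed from the ifconfig output later in this thread) and then parses the global header and per-packet record headers the same way a `-r` reader must before it can decode anything. The magic-number constants, header layouts and the link-type value for Ethernet are the documented pcap format; the sample timestamps and payloads are made up.

```python
"""Minimal reader for the pcap format that `tcpdump -w` produces.

Added example (not from the thread). Shows why the file looks like
garbage in a text editor: a fixed 24-byte global header followed by
16-byte record headers and raw link-layer frames.
"""
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond-resolution variant
LINKTYPE_ETHERNET = 1          # DLT for Ethernet frames


def build_sample_pcap():
    """Construct a little-endian pcap file holding two Ethernet frames (constructed sample data)."""
    # magic, version 2.4, thiszone, sigfigs, snaplen, link type
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    frames = [
        # broadcast ARP request from 00:06:29:0F:04:24 (MAC taken from the thread's eth0)
        (1136680020, 123456, bytes.fromhex("ffffffffffff" "0006290f0424" "0806" "0001")),
        # IPv4 frame between the thread's eth0 and eth2 MACs, with a dummy 40-byte payload
        (1136680021, 654321, bytes.fromhex("0006290f0424" "0004239f14ff" "0800") + b"\x45\x00" * 20),
    ]
    body = b""
    for sec, usec, payload in frames:
        # record header: ts_sec, ts_usec, captured length, original length
        body += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return hdr + body


def parse_pcap(data):
    """Return (link_type, [(timestamp_seconds, frame_bytes), ...]) for a pcap byte string.

    Raises ValueError for anything that is not a pcap file or is truncated.
    """
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic_le = struct.unpack("<I", data[:4])[0]
    magic_be = struct.unpack(">I", data[:4])[0]
    if magic_le in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian, magic = "<", magic_le          # written on a little-endian host
    elif magic_be in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian, magic = ">", magic_be          # written on a big-endian host
    else:
        raise ValueError("not a pcap file (bad magic %#x)" % magic_le)
    divisor = 1e9 if magic == PCAP_MAGIC_NSEC else 1e6
    _, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])

    records = []
    off = 24
    while off + 16 <= len(data):
        sec, frac, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl > snaplen or off + incl > len(data):
            raise ValueError("truncated packet record at offset %d" % off)
        records.append((sec + frac / divisor, data[off:off + incl]))
        off += incl
    return linktype, records


if __name__ == "__main__":
    linktype, records = parse_pcap(build_sample_pcap())
    print("link type %d, %d packets" % (linktype, len(records)))
    for ts, frame in records:
        # the same "timestamp, length, first bytes" view tcpdump -r gives before decoding
        print("%.6f  %3d bytes  %s" % (ts, len(frame), frame[:14].hex()))
```

Run it on a real capture by replacing `build_sample_pcap()` with `open("filename", "rb").read()`; the numbers it prints should agree with `tcpdump -r filename`. Note that newer tcpdump builds may write the pcapng format instead, which starts with different magic bytes and is not handled here.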

chinmays 01-08-2006 03:53 PM

Thanks for the reply. I have the following situation right now:

I am currently using tcpdump on a network. The network consists of 3 nodes: A, B and C. A is connected to B and B to C. tcpdump is run on node B, but it does not seem to capture the packets which are going from A to C through B. It only captures packets which are either sourced from or destined to node B. Do you have any idea?
I SSH to all these nodes from my account and tcpdump is already present in my account. So I just use the sudo command to run this software on any node. What I am trying to say is that tcpdump is not specifically installed on node B.
The sudo command allows a person to run as root.
I have also converted the mode to promiscuous.
One more thing: the packets are going for sure from A to C via B, because there is no other route for them to follow. If I run tcpdump on node C then it captures these packets.

chinmays 01-08-2006 03:54 PM

I have also tried using tethereal; it gives the same results as tcpdump.

Mara 01-08-2006 04:09 PM

It's worth checking which interface your tcpdump uses. Remember that you control it by using tcpdump -i.

chinmays 01-08-2006 05:37 PM

I am using interface eth0. Do you think I should be using some other interface? This is my list of interfaces:

eth0 Link encap:Ethernet HWaddr 00:06:29:0F:04:24
inet addr:192.168.1.6 Bcast:192.168.3.255 Mask:255.255.252.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:2818 errors:0 dropped:0 overruns:0 frame:0
TX packets:2764 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:244457 (238.7 Kb) TX bytes:536407 (523.8 Kb)
Interrupt:16 Base address:0x2000 Memory:feb7f000-feb7f038

eth2 Link encap:Ethernet HWaddr 00:04:23:9F:14:FF
inet addr:10.1.3.3 Bcast:10.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Base address:0x2080 Memory:eff60000-eff80000

eth3 Link encap:Ethernet HWaddr 00:04:23:9F:16:E4
inet addr:10.1.2.3 Bcast:10.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:346 (346.0 b)
Base address:0x20c0 Memory:eff40000-eff60000

eth4 Link encap:Ethernet HWaddr 00:04:23:9F:16:E5
inet addr:10.1.1.2 Bcast:10.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Base address:0x2300 Memory:efea0000-efec0000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING PROMISC MTU:16436 Metric:1
RX packets:43 errors:0 dropped:0 overruns:0 frame:0
TX packets:43 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4220 (4.1 Kb) TX bytes:4220 (4.1 Kb)

bulliver 01-08-2006 05:52 PM

If you are trying to see packets going from A ==> C from B, then sniffing either the interface that connects B ==> A or B ==> C should reveal the packets if indeed B is routing for A and C.

Does that make sense?
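
The practical question behind this reply is which of the listed interfaces sits on the link that the A-to-C traffic actually crosses. The script below is an added example, not part of the thread: it parses ifconfig-style output (the sample is trimmed from the interfaces chinmays posted above), picks the interface whose directly connected subnet contains the destination host by longest-prefix match, and flags an interface whose RX counter is still zero, since a transit link that is really carrying packets cannot stay at `RX packets:0`. It assumes static routing over directly connected links, as in this thread; on a host with a more complicated routing table the kernel's own answer (`ip route get <dst>` or `route -n`) is the authority.

```python
"""Choose the interface to hand to `tcpdump -i` for traffic to a given host.

Added example, not from the thread. Parses ifconfig output, finds the
directly connected subnet that contains the destination, and reports
sanity checks (RX counter, promiscuous flag) before a capture is started.
"""
import ipaddress
import re

# Trimmed from the ifconfig output posted in the thread (constructed sample input).
SAMPLE_IFCONFIG = """\
eth0 Link encap:Ethernet HWaddr 00:06:29:0F:04:24
inet addr:192.168.1.6 Bcast:192.168.3.255 Mask:255.255.252.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:2818 errors:0 dropped:0 overruns:0 frame:0

eth2 Link encap:Ethernet HWaddr 00:04:23:9F:14:FF
inet addr:10.1.3.3 Bcast:10.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0

eth3 Link encap:Ethernet HWaddr 00:04:23:9F:16:E4
inet addr:10.1.2.3 Bcast:10.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0

eth4 Link encap:Ethernet HWaddr 00:04:23:9F:16:E5
inet addr:10.1.1.2 Bcast:10.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING PROMISC MTU:16436 Metric:1
RX packets:43 errors:0 dropped:0 overruns:0 frame:0
"""


def parse_ifconfig(text):
    """Return {name: {"net": IPv4Network, "promisc": bool, "rx": int}} from ifconfig output."""
    ifaces = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        name = block.splitlines()[0].split()[0]
        m_addr = re.search(r"inet addr:(\S+)", block)
        m_mask = re.search(r"Mask:(\S+)", block)
        m_rx = re.search(r"RX packets:(\d+)", block)
        if not (m_addr and m_mask):
            continue  # interface without an IPv4 address; nothing to route over
        # ipaddress accepts "addr/dotted-mask" and gives us the connected network
        net = ipaddress.ip_interface("%s/%s" % (m_addr.group(1), m_mask.group(1))).network
        ifaces[name] = {
            "net": net,
            "promisc": bool(re.search(r"\bPROMISC\b", block)),
            "rx": int(m_rx.group(1)) if m_rx else 0,
        }
    return ifaces


def choose_capture_iface(ifaces, dst):
    """Longest-prefix match of dst against the connected networks; None if nothing matches."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for name, info in ifaces.items():
        if dst_ip in info["net"]:
            if best is None or info["net"].prefixlen > ifaces[best]["net"].prefixlen:
                best = name
    return best


def capture_hints(ifaces, dst):
    """Checks a practitioner makes before starting a capture, as a list of strings."""
    name = choose_capture_iface(ifaces, dst)
    if name is None:
        return ["no connected subnet contains %s; it would leave via the default route" % dst]
    hints = ["tcpdump -i %s host %s" % (name, dst)]
    if ifaces[name]["rx"] == 0:
        hints.append("%s shows RX packets:0, so nothing has arrived on it yet" % name)
    if not ifaces[name]["promisc"]:
        hints.append("%s is not in promiscuous mode" % name)
    return hints


if __name__ == "__main__":
    table = parse_ifconfig(SAMPLE_IFCONFIG)
    for dst in ("10.1.1.1", "10.1.3.9", "192.168.2.7", "8.8.8.8"):
        print(dst, "->", "; ".join(capture_hints(table, dst)))
```

A cheaper first check on Linux is `tcpdump -i any`, which listens on every interface at once and at least settles whether the packets reach the box at all; once they show up, the script's longest-prefix answer tells you which single interface to name with `-i` for a clean capture.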

chinmays 01-08-2006 06:06 PM

Hey,

I am using an NS script to build the topology.

Consider the following script; it is a little different from what I had mentioned.

set ns [new Simulator]
source tb_compat.tcl

set OS0 RHL9-STD
set OS1 FBSD410-STD
set OS2 RHL9-STD
set OS3 FBSD410-STD

set node0 [$ns node]
tb-set-node-os $node0 $OS0
set node1 [$ns node]
tb-set-node-os $node1 $OS1
set node2 [$ns node]
tb-set-node-os $node2 $OS2
set node3 [$ns node]
tb-set-node-os $node3 $OS3

set link0 [$ns duplex-link $node0 $node2 1000Mb 0ms DropTail]
set link1 [$ns duplex-link $node1 $node2 1000Mb 0ms DropTail]
set link2 [$ns duplex-link $node2 $node3 1000Mb 0ms DropTail]

$ns rtproto Static
$ns run

The topology is shown as follows:

 --------            --------
 |Node 0|            |Node 1|
 --------            --------
 Attacker \        / Normal client
           \      /
            \    /
             \  /
           --------
           |Node 2|  Gateway
           --------
               |
               |
               |
           --------
           |Node 3|  Server
           --------

The statement "$ns rtproto Static" in the above script is used to enable routing.
Now I send traffic from Node0 to Node3 and start tcpdump on node2. But I cannot capture the packets which are going from node0 to node3. I can only capture the packets which are either sourced from or destined to Node 2.

chinmays 01-08-2006 06:12 PM

Quote:

Originally Posted by bulliver
If you are trying to see packets going from A ==> C from B, then sniffing either the interface that connects B ==> A or B ==> C should reveal the packets if indeed B is routing for A and C.

Does that make sense?

I know it does, but it is not showing the attack.

One more thing that I would like to add is that I am using the Apache-scalp.c (available on the net) program on node0 to attack apache installed on node3. The attack takes place successfully, i.e. the apache error_log shows memory faults, but there is no sign of packets.

chinmays 01-08-2006 08:56 PM

Bingo!!! Problem solved. Turns out I was listening on the wrong interface.
