Tcpdumpsniffing

gonium edited this page Jul 27, 2011 · 1 revision

Using TCPDump

tcpdump is a handy tool for sniffing network traffic. In this setup it runs on the router itself, so you can observe the traffic between the router and the USB stick exactly where it passes. Install the OpenWrt package with

  # opkg install tcpdump

The interface usb0 is the one the USB stick typically shows up as:

  root@OpenWrt:~# ifconfig usb0
  usb0      Link encap:Ethernet  HWaddr 02:11:22:33:44:55  
            inet6 addr: aaaa::1/64 Scope:Global
            inet6 addr: fe80::11:22ff:fe33:4455/64 Scope:Link
            UP BROADCAST RUNNING MULTICAST  MTU:1284  Metric:1
            RX packets:23 errors:0 dropped:0 overruns:0 frame:0
            TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:1000 
            RX bytes:1564 (1.5 KiB)  TX bytes:2616 (2.5 KiB)

To show the packets on this interface, run

   # tcpdump -i usb0
   tcpdump: WARNING: usb0: no IPv4 address assigned
   tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
   listening on usb0, link-type EN10MB (Ethernet), capture size 96 bytes

   23:13:02.553968 IP6 :: > ff02::2: ICMP6, router solicitation, length 8
   23:13:02.836969 IP6 :: > ff02::1:ff33:4411: ICMP6, neighbor solicitation, who has fe80::11:22ff:fe33:4411, length 24
   23:13:06.469967 IP6 fe80::11:22ff:fe33:4411 > ff02::2: ICMP6, router solicitation, length 16
   23:13:10.378973 IP6 fe80::11:22ff:fe33:4411 > ff02::2: ICMP6, router solicitation, length 16

The warning about the missing IPv4 address is harmless: usb0 carries IPv6 only. The neighbor solicitation is sent from the unspecified address :: while the device checks that the address it wants is not already in use; together with the router solicitations that follow, it tells you that one device has the link-local address fe80::11:22ff:fe33:4411. The device sends these solicitations on its own, but to obtain a global address in the aaaa::/64 prefix configured on usb0 it needs a working radvd on the router that advertises that prefix. If you're unsure what the link-local address of your socket is, this is a great way to identify it.
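
The identification step above can be automated. The script below is an added example and not part of the original page: it reads tcpdump's text output and lists every link-local address that appears as the source of a router solicitation or as the target of a neighbor solicitation. The input is a constructed copy of the tcpdump lines shown above; on the router you would pipe live output in instead, e.g. tcpdump -i usb0 -l -n icmp6 | list_link_local (-l makes the output line-buffered, -n disables name lookups, and the icmp6 filter drops everything else).

```sh
#!/bin/sh
# Added example (not from the original page): extract link-local addresses of
# devices on the usb0 link from tcpdump's text output.

# Constructed input: a copy of the tcpdump lines shown above.
SAMPLE='23:13:02.553968 IP6 :: > ff02::2: ICMP6, router solicitation, length 8
23:13:02.836969 IP6 :: > ff02::1:ff33:4411: ICMP6, neighbor solicitation, who has fe80::11:22ff:fe33:4411, length 24
23:13:06.469967 IP6 fe80::11:22ff:fe33:4411 > ff02::2: ICMP6, router solicitation, length 16
23:13:10.378973 IP6 fe80::11:22ff:fe33:4411 > ff02::2: ICMP6, router solicitation, length 16'

# list_link_local: read tcpdump text on stdin and print each distinct fe80::
# address that is either the source of a router solicitation or the target of
# a neighbor solicitation. The latter covers duplicate address detection, where
# the source is "::" and the target is the address the device is about to claim.
list_link_local() {
    awk '
        /ICMP6, router solicitation/ && $3 ~ /^fe80:/ { seen[$3] = 1 }
        /ICMP6, neighbor solicitation, who has fe80:/ {
            for (i = 1; i <= NF; i++)
                if ($i == "has") { a = $(i + 1); sub(/,$/, "", a); seen[a] = 1 }
        }
        END { for (a in seen) print a }
    ' | sort
}

# count_devices: number of distinct link-local addresses seen on stdin.
count_devices() {
    list_link_local | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | list_link_local
```

If the list stays empty while the socket is powered, the device is not reaching the router at all (or you are capturing on the wrong interface), which is a different problem from radvd not advertising the prefix.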

With the -s 0 switch you tell tcpdump to capture whole packets instead of only the first 96 bytes (the default snapshot length of this tcpdump version; newer versions already default to a length large enough for whole packets). Without it, tcpdump can only decode what fits into the captured prefix, and a pcap file written later is truncated in the same way. For example:

    # tcpdump -i usb0 -s 0
    tcpdump: WARNING: usb0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on usb0, link-type EN10MB (Ethernet), capture size 65535 bytes
    23:31:45.646483 IP6 fe80::11:22ff:fe33:4455 > ff02::1:ff33:4411: ICMP6, neighbor solicitation, who has aaaa::11:22ff:fe33:4411, length 32
    23:31:45.722965 IP6 aaaa::11:22ff:fe33:4411 > fe80::11:22ff:fe33:4455: ICMP6, neighbor advertisement, tgt is aaaa::11:22ff:fe33:4411, length 32
    23:31:45.723075 IP6 bbbb::f07b:a2b8:ed4e:8c19 > aaaa::11:22ff:fe33:4411: ICMP6, echo request, seq 0, length 16
    23:31:45.795941 IP6 aaaa::11:22ff:fe33:4411 > bbbb::f07b:a2b8:ed4e:8c19: ICMP6, echo reply, seq 0, length 16
    23:31:46.639696 IP6 bbbb::f07b:a2b8:ed4e:8c19 > aaaa::11:22ff:fe33:4411: ICMP6, echo request, seq 1, length 16
    23:31:46.716964 IP6 aaaa::11:22ff:fe33:4411 > bbbb::f07b:a2b8:ed4e:8c19: ICMP6, echo reply, seq 1, length 16
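
The echo request and reply pairs above are what you get from pinging the socket through the router, and the timestamps let you measure the round-trip time over the link. The script below is an added example and not part of the original page: it pairs each echo request with its reply by endpoints and sequence number and prints the round-trip time, or "no reply" for an unanswered probe. The input is a constructed copy of the echo lines shown above, plus one extra request (seq 2) added here to show the unanswered case; on the router you would feed it live output, e.g. tcpdump -i usb0 -l -n icmp6 | echo_rtt.

```sh
#!/bin/sh
# Added example (not from the original page): compute round-trip times of
# ICMP6 echo request/reply pairs from tcpdump's text output.

# Constructed input: the echo lines shown above plus an unanswered seq 2 request
# that is added here to demonstrate the "no reply" case.
SAMPLE='23:31:45.723075 IP6 bbbb::f07b:a2b8:ed4e:8c19 > aaaa::11:22ff:fe33:4411: ICMP6, echo request, seq 0, length 16
23:31:45.795941 IP6 aaaa::11:22ff:fe33:4411 > bbbb::f07b:a2b8:ed4e:8c19: ICMP6, echo reply, seq 0, length 16
23:31:46.639696 IP6 bbbb::f07b:a2b8:ed4e:8c19 > aaaa::11:22ff:fe33:4411: ICMP6, echo request, seq 1, length 16
23:31:46.716964 IP6 aaaa::11:22ff:fe33:4411 > bbbb::f07b:a2b8:ed4e:8c19: ICMP6, echo reply, seq 1, length 16
23:31:47.640102 IP6 bbbb::f07b:a2b8:ed4e:8c19 > aaaa::11:22ff:fe33:4411: ICMP6, echo request, seq 2, length 16'

# echo_rtt: read tcpdump text on stdin; for every echo request print
# "seq N src -> dst rtt X ms" or "seq N src -> dst no reply", in capture order.
echo_rtt() {
    awk '
        # tcpdump prints wall-clock time as HH:MM:SS.micro; turn it into seconds.
        function secs(t,   p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
        # the sequence number follows the word "seq" and carries a trailing comma
        function seqno(   i, s) {
            for (i = 1; i <= NF; i++)
                if ($i == "seq") { s = $(i + 1); sub(/,$/, "", s); return s }
            return ""
        }
        # tcpdump appends a colon to the destination address; strip it so that
        # request and reply keys compare equal
        { d = $5; sub(/:$/, "", d) }
        # key = requesting host, answering host, sequence number; a repeated
        # sequence number from the same pair overwrites the earlier request
        /ICMP6, echo request/ { k = $3 " " d " " seqno(); req[k] = secs($1); order[++n] = k }
        /ICMP6, echo reply/   { k = d " " $3 " " seqno(); if (k in req) rep[k] = secs($1) }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]; split(k, f, " ")
                if (k in rep)
                    printf "seq %s %s -> %s rtt %.3f ms\n", f[3], f[1], f[2], (rep[k] - req[k]) * 1000
                else
                    printf "seq %s %s -> %s no reply\n", f[3], f[1], f[2]
            }
        }
    '
}

printf '%s\n' "$SAMPLE" | echo_rtt
```

The round-trip times of 70 to 80 ms in this trace are dominated by the low-power link behind the router; a sudden jump, or a run of "no reply" lines, is the first thing to look at when a socket becomes unreachable.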

Finally, you can use -w /tmp/foo.pcap to write a pcap file instead of printing the packets; combine it with -s 0 so that whole packets are stored. Keep in mind that /tmp on OpenWrt lives in RAM, so limit the capture (for example with -c to stop after a given number of packets) or you will exhaust the router's memory. Copy the file to a different machine with scp and process it there: Wireshark reads pcap files, as does tcpdump -r. The capture contains everything that crossed the interface, including any application data sent in the clear, so treat the file as sensitive and remove it from the router when you are done.