Tcpdumpsniffing

gonium edited this page Jul 27, 2011 · 1 revision

Using TCPDump

tcpdump is a handy tool for sniffing network traffic. Typically, it runs on the router and allows you to observe traffic directly there. Use

  # opkg install tcpdump

to install the OpenWRT package. The interface usb0 is typically used by the usb stick:

  root@OpenWrt:~# ifconfig usb0
  usb0      Link encap:Ethernet  HWaddr 02:11:22:33:44:55  
            inet6 addr: aaaa::1/64 Scope:Global
            inet6 addr: fe80::11:22ff:fe33:4455/64 Scope:Link
            UP BROADCAST RUNNING MULTICAST  MTU:1284  Metric:1
            RX packets:23 errors:0 dropped:0 overruns:0 frame:0
            TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:1000 
            RX bytes:1564 (1.5 KiB)  TX bytes:2616 (2.5 KiB)

In order to show the IP packets on this network, use

   # tcpdump -i usb0
   tcpdump: WARNING: usb0: no IPv4 address assigned
   tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
   listening on usb0, link-type EN10MB (Ethernet), capture size 96 bytes

   23:13:02.553968 IP6 :: > ff02::2: ICMP6, router solicitation, length 8
   23:13:02.836969 IP6 :: > ff02::1:ff33:4411: ICMP6, neighbor solicitation, who has fe80::11:22ff:fe33:4411, length 24
   23:13:06.469967 IP6 fe80::11:22ff:fe33:4411 > ff02::2: ICMP6, router solicitation, length 16
   23:13:10.378973 IP6 fe80::11:22ff:fe33:4411 > ff02::2: ICMP6, router solicitation, length 16

By observing the ICMP6 router solicitation messages, you can see that one device has the link-local IPv6 address fe80::11:22ff:fe33:4411. This requires a working radvd on the router. If you're unsure which link-local address your socket has, this is a great way to identify it.
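The following Python script is an added example, not part of the original wiki page: it parses tcpdump's ICMP6 summary lines (the sample below is copied from the output above) and lists the hosts they reveal. The grouping by interface identifier is an addition; it relies on SLAAC deriving both the fe80:: address and the radvd-advertised prefix address from the same EUI-64.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: tcpdump text lines as shown on this page.
SAMPLE = """\
23:13:02.553968 IP6 :: > ff02::2: ICMP6, router solicitation, length 8
23:13:02.836969 IP6 :: > ff02::1:ff33:4411: ICMP6, neighbor solicitation, who has fe80::11:22ff:fe33:4411, length 24
23:13:06.469967 IP6 fe80::11:22ff:fe33:4411 > ff02::2: ICMP6, router solicitation, length 16
23:31:45.722965 IP6 aaaa::11:22ff:fe33:4411 > fe80::11:22ff:fe33:4455: ICMP6, neighbor advertisement, tgt is aaaa::11:22ff:fe33:4411, length 32
"""
# One tcpdump ICMP6 summary line: timestamp IP6 src > dst: ICMP6, type[, target], length n
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6 (?P<src>[0-9a-f:]+) > (?P<dst>[0-9a-f:]+): ICMP6, "
    r"(?P<kind>router solicitation|router advertisement|neighbor solicitation|"
    r"neighbor advertisement|echo request|echo reply)"
    r"(?:, (?:who has|tgt is) (?P<tgt>[0-9a-f:]+))?, length (?P<len>\d+)$"
)

def parse_line(line):
    """Return a dict for an ICMP6 summary line, None for banners/warnings/other traffic."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return m.groupdict()

def identify_hosts(text):
    """Map every unicast address seen to the roles it played. '::' (unspecified,
    used before DAD completes) and ff.. multicast destinations are not hosts."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["src"] != "::":
            hosts[pkt["src"]].add("source of " + pkt["kind"])
        if not pkt["dst"].startswith("ff"):
            hosts[pkt["dst"]].add("destination of " + pkt["kind"])
        if pkt["tgt"]:
            hosts[pkt["tgt"]].add("target of " + pkt["kind"])
    return dict(hosts)

def group_by_interface_id(addresses):
    """Group addresses sharing the low 64 bits: SLAAC builds both the fe80::/64
    address and the radvd-advertised prefix address from the same EUI-64."""
    groups = defaultdict(set)
    for a in addresses:
        groups[int(ipaddress.IPv6Address(a)) & ((1 << 64) - 1)].add(a)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)
```

Feed it the output of `tcpdump -i usb0` (or `tcpdump -r /tmp/foo.pcap`) to get the link-local address of each socket together with its global address.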

By using the -s 0 switch, you tell tcpdump to capture the full network packet instead of the default 96 bytes. For example:

    # tcpdump -i usb0 -s 0
    tcpdump: WARNING: usb0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on usb0, link-type EN10MB (Ethernet), capture size 65535 bytes
    23:31:45.646483 IP6 fe80::11:22ff:fe33:4455 > ff02::1:ff33:4411: ICMP6, neighbor solicitation, who has aaaa::11:22ff:fe33:4411, length 32
    23:31:45.722965 IP6 aaaa::11:22ff:fe33:4411 > fe80::11:22ff:fe33:4455: ICMP6, neighbor advertisement, tgt is aaaa::11:22ff:fe33:4411, length 32
    23:31:45.723075 IP6 bbbb::f07b:a2b8:ed4e:8c19 > aaaa::11:22ff:fe33:4411: ICMP6, echo request, seq 0, length 16
    23:31:45.795941 IP6 aaaa::11:22ff:fe33:4411 > bbbb::f07b:a2b8:ed4e:8c19: ICMP6, echo reply, seq 0, length 16
    23:31:46.639696 IP6 bbbb::f07b:a2b8:ed4e:8c19 > aaaa::11:22ff:fe33:4411: ICMP6, echo request, seq 1, length 16
    23:31:46.716964 IP6 aaaa::11:22ff:fe33:4411 > bbbb::f07b:a2b8:ed4e:8c19: ICMP6, echo reply, seq 1, length 16

Finally, you can use -w /tmp/foo.pcap to write a pcap file. This can then be processed on a different machine. Wireshark is also capable of reading pcap files.
