Exploring TCP/IP with TCPdump and Tethereal

By Vinayak Hegde






The shortest introduction to TCP/IP

TCP/IP has become the de facto standard protocol suite for communication between computers. IP (Internet Protocol) provides functionality at the network layer (addressing and routing), while TCP (Transmission Control Protocol) provides (virtual) end-to-end connectivity. The TCP/IP family includes a host of other useful protocols such as ICMP (Internet Control Message Protocol), IGMP (Internet Group Management Protocol) and UDP (User Datagram Protocol). An overwhelming majority of today's networks use TCP/IP. Almost every application today incorporates some kind of network functionality, so it has become necessary for every programmer to have at least a working knowledge of TCP/IP.

Communication between computers using TCP/IP takes place through the exchange of packets. A packet is the PDU (Protocol Data Unit) at the IP layer. The PDU at the TCP layer is called a segment, while the PDU at the data-link layer (such as Ethernet) is called a frame. However, the term packet is used generically to describe the data unit that is exchanged between TCP/IP layers as well as between two computers.

This is how an Ethernet frame looks:

    |          |          |          |              |          |
    | Ethernet |    IP    |   TCP    | Encapsulated | Ethernet |
    | Header   |  Header  |  Header  |     Data     | Trailer  |
    |          |          |          |              |  (FCS)   |
               <-20 bytes-><-40 bytes->
               <------ max length = 1500 bytes ----->

    FCS stands for Frame Check Sequence.

TCPdump and Tethereal

TCPdump is a utility that allows a user to intercept and capture packets passing through a network interface. It is an extremely nifty little utility which can help a programmer troubleshoot network applications. Because it captures all the packets received by a network interface, it can be used for unlawful purposes as well.

Normally only the packets which are addressed to a network interface are accepted and passed up to the upper layers of the TCP/IP protocol stack; packets which are not addressed to the interface are ignored. In promiscuous mode, packets which are not intended for the interface are also accepted and passed up the protocol stack. TCPdump works by putting the network interface into promiscuous mode.

TCPdump uses libpcap (the packet capture library), which is freely available. The libpcap library is versatile and works with the BSD Packet Filter (BPF), the SVR4 Data-Link Provider Interface (DLPI) and the Linux SOCK_PACKET interface. Tethereal, which is the command-line version of the popular network traffic analyser Ethereal, also uses the pcap packet capture library. Tethereal is a powerful tool for analysing network traffic and provides more facilities for decoding packets than TCPdump. Ethereal, the GUI tool for analysing packets, is extremely good: one can see the different flags and options which have been used, laid out hierarchically. The best feature of Ethereal is that it can piece together the different fragments of the communication between two computers and show the whole ASCII text that was exchanged during the conversation.

The TCP and IP packet format

ASCII representation from RFC 791:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                            IP Header Format

ASCII representation from RFC 793:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Acknowledgment Number                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |         Urgent Pointer        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                            TCP Header Format
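
To make the two diagrams concrete, here is an added example (not code from the article, nor from the tcpdump or Ethereal projects) that decodes the IP and TCP fields from raw bytes with Python's struct module and verifies both checksums, which is what a capture tool does before it prints [tcp sum ok]. The packet it decodes is constructed inline: a SYN with a 20-byte IP header and a 40-byte TCP header, the 60-byte shape of Example #3 below, using addresses from the 192.0.2.0/24 documentation range. The function names, the dictionary keys, the MSS-option walker and the sample values are all my own choices.

```python
"""Decode IPv4 and TCP headers from raw bytes per the RFC 791 / RFC 793 layouts."""
import struct

# TCP flag bits in the byte after the data offset (RFC 793; CWR/ECE omitted).
TCP_FLAGS = ((0x20, "URG"), (0x10, "ACK"), (0x08, "PSH"),
             (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN"))


def ones_complement_checksum(data: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of the 16-bit
    words. Over data that already carries a valid checksum the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Fields of the IP header diagram; IHL is the header length in 32-bit words."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, ident, frag, ttl, proto, _sum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": ver_ihl >> 4, "ihl": ihl, "tos": tos, "len": total_len, "id": ident,
        "df": bool(frag & 0x4000),             # Don't Fragment bit
        "mf": bool(frag & 0x2000),             # More Fragments bit
        "frag_offset": (frag & 0x1FFF) * 8,    # carried in units of 8 bytes
        "ttl": ttl, "proto": proto,
        "ip_sum_ok": ones_complement_checksum(packet[:ihl]) == 0,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "raw_src": src, "raw_dst": dst, "payload": packet[ihl:total_len],
    }


def mss_option(options: bytes):
    """Walk the TCP options (kind, length, value) and return the MSS if present."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                          # End of Option List
            break
        if kind == 1:                          # No-Operation: a single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                              # malformed length: stop, don't loop forever
        length = options[i + 1]
        if kind == 2 and length == 4:
            return struct.unpack("!H", options[i + 2:i + 4])[0]
        i += length
    return None


def parse_tcp(segment: bytes, raw_src: bytes, raw_dst: bytes) -> dict:
    """Fields of the TCP header diagram. The TCP checksum also covers the
    pseudo-header: source, destination, zero byte, protocol 6, segment length."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off, flags, win, _sum, urg = \
        struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (off >> 4) * 4
    if data_offset < 20 or len(segment) < data_offset:
        raise ValueError("not a well-formed TCP header")
    pseudo = raw_src + raw_dst + struct.pack("!BBH", 0, 6, len(segment))
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in TCP_FLAGS if flags & bit],
        "win": win, "urg": urg, "data_offset": data_offset,
        "mss": mss_option(segment[20:data_offset]),
        "tcp_sum_ok": ones_complement_checksum(pseudo + segment) == 0,
        "data": segment[data_offset:],
    }


def parse_packet(packet: bytes) -> dict:
    ip = parse_ipv4(packet)
    if ip["proto"] != 6:
        raise ValueError("not a TCP segment")
    return {"ip": ip, "tcp": parse_tcp(ip["payload"], ip["raw_src"], ip["raw_dst"])}


def build_sample_syn() -> bytes:
    """Constructed input (not a capture from the article): a SYN shaped like
    Example #3, i.e. 20-byte IP header + 40-byte TCP header = 60 bytes."""
    src, dst = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 80])   # documentation addresses
    options = (struct.pack("!BBH", 2, 4, 1460)          # MSS 1460
               + bytes([4, 2])                           # SACK permitted
               + struct.pack("!BBII", 8, 10, 12345, 0)   # timestamps
               + bytes([1])                              # NOP padding
               + bytes([3, 3, 0]))                       # window scale 0
    tcp = struct.pack("!HHIIBBHHH", 33003, 80, 937694521, 0,
                      (20 + len(options)) // 4 << 4, 0x02, 5840, 0, 0) + options
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", ones_complement_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 54537, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:]
    return ip + tcp


if __name__ == "__main__":
    d = parse_packet(build_sample_syn())
    print(d["ip"]["src"], d["tcp"]["sport"], ">", d["ip"]["dst"], d["tcp"]["dport"],
          d["tcp"]["flags"], "win", d["tcp"]["win"], "mss", d["tcp"]["mss"],
          "DF" if d["ip"]["df"] else "", "ttl", d["ip"]["ttl"], "id", d["ip"]["id"],
          "len", d["ip"]["len"], "ip sum ok", d["ip"]["ip_sum_ok"], "tcp sum ok", d["tcp"]["tcp_sum_ok"])
```

Flipping any byte of the sample (the TTL, say) makes ip_sum_ok false, which is the same signal tcpdump reports as a bad checksum; parse_packet raises on a header whose IHL or data offset does not fit the bytes present, which is what a parser fed a truncated or crafted capture needs to do rather than read past the buffer.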

Examples of Packet capture using TCPdump and Tethereal

You can experiment with TCPdump on any interface through which you can conduct network transactions. To list the interfaces connected to your computer, give the command

#ifconfig -a

This will list all the network interfaces connected to your system, including the loopback interface. If you are connected to the net using a dialup line, you can also use the interface ppp0 for experimenting and debugging your applications with TCPdump.

Example #1
This is a snippet (from the file tcpdumpppp) of the packets captured on a dialup line (PPP). The -vvv flag tells tcpdump to be very, very verbose; the other switches for controlling verbosity are -v and -vv.

#tcpdump -vvv > tcpdumpppp
tcpdump: listening on ppp0

The capturing of packets is stopped by pressing CTRL-C.

15:57:58.181078 > P 1:1399(1398) ack 736 win 31856  (DF) [tos 0x10]  (ttl 38, id 28827, len 1450)

Some of the information that can be interpreted from the above packet dump:

  • The protocol used is http (port 80 has been decoded as http).
  • The local IP address assigned to me by my ISP after dialing up is (this can be verified by grepping in /var/log/messages).
  • The http server's IP is (IPs have been changed for security reasons).
  • The time-to-live is 38 hops.
  • The Don't Fragment bit (DF) has been set, informing the intermediate routers not to fragment the datagram.
  • The ACK flag has been set (ack number 736 - piggybacking).
  • The window size is 31856.
  • The port on the receiver end is 33003.

Example #2
This packet dump was captured from a NIC (the interface denoted by eth0).

#tcpdump -a -i eth0

06:21:11.414863 > pca03.nt.co.in.ssh > pcc03.mum.nt.co.in.4944: P 252143283:252143331(48) ack 2638534821 win 62780 (DF) [tos 0x10]

     E^P ^@ X ....  @^@  @^F .. N .... ....
    .... .... ^@^V ^S P ^O^G  f.. .. D ....
     P^X .. < .. t ^@^@  k +  Y^Q .... .. (
     ^..  )^G  c 3 ^\ v  t.. ..^G ^J.. .. t
     9.. .. -  F.. ....  6..  /.. ....  9..
     [.. ....  G.. .. d
Here we are telling TCPdump to resolve IPs to domain names if possible (-a) and explicitly asking it to capture packets on interface eth0. If we don't give the -i option, TCPdump itself searches for the interfaces and then starts capturing packets arriving on them. Some of the information that can be gleaned from the above packet dump is:

  • The ssh port (22) has been used on the server side. The name-to-port mapping can be seen in the /etc/services file.
  • One of the bits of the Type of Service (TOS) field has been set (tos 0x10), so that QoS-enabled networks can give the packet the requested type of service.
  • The window has been advertised as 62780.
  • The length of the data in the packet is 48 bytes (252143283:252143331(48)).

Example #3

The following snippet shows a packet dump of a SYN (connection-requesting) packet. The dump was taken on Ethernet.

15:57:56.074928 > S [tcp sum ok] 937694521:937694521(0) win 5840  (DF) (ttl 64, id 54537, len 60)

The following information can be interpreted from the above dump:

  • The TCP checksum is correct ([tcp sum ok]).
  • This is a SYN packet (denoted by S).
  • The amount of data encapsulated by the TCP segment is 0 (937694521:937694521(0)).
  • The window scaling option has been set to null.
  • The MSS (Maximum Segment Size) is 1460. On Ethernet, MSS = 1500 - 40 = 1460.
  • The length of the packet is 60 bytes (20 + 40) (see the Ethernet frame diagram above).
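
The bullet lists in Examples #1 to #3 read the fields off tcpdump's one-line summaries by eye. As an added example (not from the article or the tcpdump project), the following Python parses that tcpdump 3.x line format into fields and derives the same conclusions mechanically: the flags, the data length, the advertised window, DF, TOS, TTL, IP id and total length, and the header-bytes arithmetic behind 60 = 20 + 40. It ends with a small defender-side check over a whole capture that lists sources whose SYN was never followed by an ACK on the same port. The sample lines are constructed, modelled on the article's examples with addresses from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges; the regular expression, dictionary keys and function names are my own.

```python
"""Parse tcpdump 3.x one-line TCP summaries (the format shown in this article)."""
import re

# Layout of a tcpdump 3.x TCP line, with and without -v. Every group after the
# flags is optional so that both Example #1/#3-style (-v) and Example #2-style lines match.
TCPDUMP_LINE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\w+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\w+):\s+"
    r"(?P<flags>[SFRPUWE.]+)"
    r"(?:\s+\[tcp sum (?P<sum>\w+)\])?"
    r"(?:\s+(?P<seq>\d+):(?P<seq_end>\d+)\((?P<datalen>\d+)\))?"
    r"(?:\s+ack (?P<ack>\d+))?"
    r"(?:\s+win (?P<win>\d+))?"
    r"(?:\s+<(?P<opts>[^>]*)>)?"
    r"(?:\s+\((?P<df>DF)\))?"
    r"(?:\s+\[tos (?P<tos>0x[0-9a-fA-F]+)\])?"
    r"(?:\s+\(ttl (?P<ttl>\d+), id (?P<id>\d+), len (?P<iplen>\d+)\))?"
    r"\s*$")

# tcpdump 3.x prints ACK as 'ack N' rather than as a flag letter; '.' means no flag letter.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG", "W": "CWR", "E": "ECE"}

# Constructed sample capture (not from the article): a full handshake, a data push,
# a FIN from another connection, and a lone SYN that is never completed.
SAMPLE_LINES = """\
15:57:56.074928 192.0.2.10.33003 > 192.0.2.80.http: S [tcp sum ok] 937694521:937694521(0) win 5840 <mss 1460,sackOK,timestamp 100 0,nop,wscale 0> (DF) (ttl 64, id 54537, len 60)
15:57:56.250101 192.0.2.80.http > 192.0.2.10.33003: S [tcp sum ok] 100:100(0) ack 937694522 win 5792 <mss 1460,sackOK,timestamp 7 100,nop,wscale 0> (DF) (ttl 38, id 0, len 60)
15:57:56.250300 192.0.2.10.33003 > 192.0.2.80.http: . ack 101 win 5840 (DF) (ttl 64, id 54538, len 52)
15:57:58.181078 192.0.2.80.http > 192.0.2.10.33003: P 1:1399(1398) ack 736 win 31856 (DF) [tos 0x10] (ttl 38, id 28827, len 1450)
16:01:03.000001 192.0.2.10.33283 > 192.0.2.80.http: F [tcp sum ok] 877643253:877643253(0) ack 882239950 win 37296 (DF) (ttl 64, id 9, len 52)
16:02:10.000000 198.51.100.7.40001 > 192.0.2.80.ssh: S 555:555(0) win 1024 <mss 1460> (DF) (ttl 50, id 1, len 44)
""".strip().splitlines()


def parse_line(line: str) -> dict:
    """One tcpdump line -> dict of the fields the article's bullet lists read off."""
    m = TCPDUMP_LINE.match(line.strip())
    if not m:
        raise ValueError("unrecognised tcpdump line: %r" % line)
    g = m.groupdict()
    num = lambda key: int(g[key]) if g[key] is not None else None
    flags = [FLAG_NAMES[c] for c in g["flags"] if c != "."]
    if g["ack"] is not None:
        flags.append("ACK")
    return {
        "time": g["time"], "src": g["src"], "sport": g["sport"],
        "dst": g["dst"], "dport": g["dport"], "flags": flags,
        "tcp_sum_ok": None if g["sum"] is None else g["sum"] == "ok",
        "seq": num("seq"), "datalen": num("datalen") or 0, "ack": num("ack"),
        "win": num("win"), "options": g["opts"].split(",") if g["opts"] else [],
        "df": g["df"] is not None, "tos": int(g["tos"], 16) if g["tos"] else 0,
        "ttl": num("ttl"), "id": num("id"), "iplen": num("iplen"),
    }


def header_bytes(pkt: dict):
    """IP total length minus TCP data = IP header + TCP header (60 - 0 = 20 + 40 for
    a SYN carrying 20 bytes of options). Only -v lines carry 'len', else None."""
    return None if pkt["iplen"] is None else pkt["iplen"] - pkt["datalen"]


def classify(pkt: dict) -> str:
    f = set(pkt["flags"])
    if "RST" in f:
        return "reset"
    if "SYN" in f:
        return "handshake reply" if "ACK" in f else "connection request"
    if "FIN" in f:
        return "close"
    return "data" if pkt["datalen"] > 0 else "ack only"


def half_open_sources(packets) -> list:
    """Sources whose SYN (without ACK) was never followed by an ACK from the same
    source port to the same destination: a simple incomplete-handshake indicator."""
    pending = {}
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        f = set(p["flags"])
        if "SYN" in f and "ACK" not in f:
            pending[key] = True
        elif "ACK" in f and key in pending:
            pending[key] = False
    return sorted({key[0] for key, still_open in pending.items() if still_open})


def parse_sample() -> list:
    return [parse_line(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    packets = parse_sample()
    for p in packets:
        print(p["src"], "->", p["dst"], classify(p), p["flags"],
              "data", p["datalen"], "win", p["win"], "hdr bytes", header_bytes(p))
    print("half-open sources:", half_open_sources(packets))
```

The pattern matches the tcpdump 3.x output reproduced in this article; tcpdump 4.x prints the flags as Flags [S] and lays the line out differently, so the regular expression needs adjusting for current versions, and tethereal's output (Example #4) has its own layout again.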

Example #4
The following packet dump was taken using tethereal:

#tethereal -i lo

26  19.624878 localhost.localdomain -> localhost.localdomain TCP 33283 > http [FIN, ACK] Seq=877643253 Ack=882239950 Win=37296 Len=0

As can be seen from the above output, the output of tethereal is not much different from that of TCPdump. The above is a FIN,ACK packet (to close the connection). Tethereal, when used with its front-end Ethereal, can be very useful for detecting network anomalies as well.

Final Words

While TCPdump is an extremely good tool, it focuses mainly on the TCP/IP protocols. It does its job well. Ethereal is much more versatile and can understand a variety of protocols. Also, the user interface of Ethereal is well designed, so that even a newbie can understand which packets are getting captured and what information they contain. The good interface makes the learning process even more enjoyable.



  My life changed since I discovered Linux. Suddenly computers became interesting as I could try out lots of stuff on my Linux box due to the easy availability of source code. My interests are predominantly in the fields of networking, embedded systems and programming languages. I currently work for Aparna Web services where we make Linux accessible for academia/corporations by configuring remote boot stations (Thin Clients).

Copyright © 2003, Vinayak Hegde. Copying license http://www.linuxgazette.com/copying.html
Published in Issue 86 of Linux Gazette, January 2003