Demonstrate basic tcpdump(1) skills

Author: name contact BSD flavour

Reviewer: name contact BSD flavour

Reviewer: name contact BSD flavour


Concept

Given some tcpdump(1) output, an admin should be able to answer basic network(((networking))) connectivity questions. They should recognize common TCP(((TCP))) and UDP(((UDP))) port(((port, TCP or UDP))) numbers, know the difference between a TCP/IP server and a TCP/IP client, and understand the TCP three-way handshake.

Introduction

You are having problems connecting to an application server that is on the network. What do you do, and where do you start? One place to start is to look at what traffic is actually going between the nodes. The tcpdump utility lets you see that traffic.

Examples

Let's say that you know people are having trouble getting a DHCP address on the network. Since more than one person has the problem, you wonder whether it is the server that isn't responding, or perhaps a problem on the network itself. Using the command "tcpdump dst port bootpc" we can see what traffic is going to the DHCP client port (bootpc, UDP port 68), which is where the server's replies are sent. If replies show up here, the server is answering.

""# tcpdump dst port bootpc
""tcpdump: listening on le0
""12:14:03.941390 pmax.smithclan.prv.bootps > dhcp-ip97.smithclan.prv.bootpc: xid:0x44e7 C:dhcp-ip97.smithclan.prv Y:dhcp-ip97.smithclan.prv S:pmax.smithclan.prv [|bootp]

Some other useful tcpdump options:

""# tcpdump -i fxp0

where fxp0 is your network interface. This is very useful when your box has more than one network interface and you want to sniff traffic from one of them without seeing traffic from the others.

""# tcpdump -X -i fxp0

This shows each packet from the fxp0 interface in hex and ASCII. It's useful when you want to look inside the packet.

TODO: Look also at the -x, -xx and -XX options.
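The Concept section asks an admin to read tcpdump output and tell which host is the server, whether the TCP three-way handshake completed, and what a port number means. The following Python script is an added example, not part of the original page, that does exactly that over a small constructed capture. The hostnames, addresses and sequence numbers in SAMPLE are invented, and the lines use the "Flags [S]" notation of current tcpdump releases; older versions print the flag field differently, so the regular expression is an assumption you would adjust to your own output.

```python
"""Answer basic connectivity questions from tcpdump-style TCP output.

Rules applied (these follow from how TCP works):
  - the host that sends the bare SYN ("Flags [S]") is the client;
    the destination of that SYN is the server
  - the handshake is SYN -> SYN-ACK ("S.") -> ACK (".")
  - a well-known destination port hints at the service being used
"""
import re

# Constructed sample capture (invented hosts/addresses), modelled on
# tcpdump's default TCP line format. The first three lines are a complete
# handshake to port 80; the last two are a client retrying a SYN to port
# 25 with no answer at all.
SAMPLE = """\
12:14:03.941390 IP client.example.prv.49152 > www.example.prv.80: Flags [S], seq 1000, win 65535, length 0
12:14:03.941891 IP www.example.prv.80 > client.example.prv.49152: Flags [S.], seq 5000, ack 1001, win 65535, length 0
12:14:03.942102 IP client.example.prv.49152 > www.example.prv.80: Flags [.], ack 5001, win 65535, length 0
12:14:05.100000 IP client.example.prv.49153 > mail.example.prv.25: Flags [S], seq 2000, win 65535, length 0
12:14:06.100000 IP client.example.prv.49153 > mail.example.prv.25: Flags [S], seq 2000, win 65535, length 0
"""

# A few well-known port numbers an admin is expected to recognise.
WELL_KNOWN_PORTS = {
    22: "ssh", 23: "telnet", 25: "smtp", 53: "domain", 67: "bootps",
    68: "bootpc", 80: "http", 110: "pop3", 143: "imap", 443: "https",
}

# Assumed line layout: timestamp, "IP", src.port > dst.port, then flags.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict for one tcpdump TCP line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def service_name(port):
    """Map a port number to a service name, or 'unknown'."""
    return WELL_KNOWN_PORTS.get(port, "unknown")


def analyse(text):
    """Group packets into connections keyed by (client, cport, server, sport)
    and track handshake state: syn_sent -> syn_received -> established."""
    conns = {}
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        flags = pkt["flags"]
        if flags == "S":                       # client -> server: SYN
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            c = conns.setdefault(key, {"state": "syn_sent", "syn_count": 0,
                                       "service": service_name(pkt["dport"])})
            c["syn_count"] += 1
        elif flags == "S.":                    # server -> client: SYN-ACK
            key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            c = conns.get(key)
            if c and c["state"] == "syn_sent":
                c["state"] = "syn_received"
        elif flags == ".":                     # client -> server: final ACK
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            c = conns.get(key)
            if c and c["state"] == "syn_received":
                c["state"] = "established"
    return conns


def summarise(conns):
    """One human-readable verdict per connection."""
    out = []
    for (client, cport, server, sport), c in conns.items():
        if c["state"] == "established":
            verdict = "handshake completed"
        elif c["state"] == "syn_received":
            verdict = "server sent SYN-ACK but client never ACKed"
        else:
            verdict = ("no SYN-ACK after %d SYN(s): server down, port closed "
                       "or filtered, or no route" % c["syn_count"])
        out.append("%s:%d -> %s:%d (%s): %s"
                   % (client, cport, server, sport, c["service"], verdict))
    return out


if __name__ == "__main__":
    for line in summarise(analyse(SAMPLE)):
        print(line)
```

The script only reads text, so you can feed it a saved capture ("tcpdump -n ... > out.txt") without needing root for the analysis step. Note that a pure ACK from the server side is deliberately ignored: only the client's ACK in the syn_received state counts as completing the handshake.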

Practice Exercises

  1. Sniff traffic from all your interfaces.
  2. Sniff from a specific interface.
  3. Look inside the packets while you use some service (like ping or telnet).

More information

tcpdump(1)