In this blog we will help you learn to understand your network more effectively with TCPDump, by analysing ping and traceroute, the basic connectivity checking tools.
Key to running an effective network is being able to see what is actually on the wire, and TCPDump lets you do that. TCPDump is a command line tool in Linux which may seem scary at first, but with a little practice and knowledge you will soon be able to start understanding your network.
Using Ping Effectively
Firstly, we look at ping. Yes, I know you all think you know this, and you probably do have a good understanding, but hopefully we can help you discover a little more.
$ ping 1.1
Yes, we can ping 1.1, and it expands to 1.0.0.1: when only two octets are given, the second one must represent the remaining 24 bits, so it is padded with leading zeros. This is why 1.1 expands to 1.0.0.1, one of Cloudflare’s DNS servers.
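The expansion rule ping applies to 1.1 is the classic inet_aton shorthand, and the same rule also widens a three-part or a single-number address. The following is an added example, not code from the original post; `expand_ipv4`, `_part` and `matches_system` are names chosen here, and the cross-check uses the C library's inet_aton through Python's socket module.

```python
# Added example (not code from the original post): the shorthand-address rule
# ping applies to "1.1", reimplemented so the expansion can be checked
# without sending a packet. Validators that compare raw address strings miss
# these aliases, so canonicalise before comparing.
import socket


def _part(text):
    """inet_aton accepts decimal, 0x-prefixed hex and leading-zero octal parts."""
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text, 10)


def expand_ipv4(text):
    """Return the dotted-quad form of an inet_aton-style address.

    With fewer than four parts, the last part is widened to fill whatever
    bits remain of the 32-bit address: "1.1" is 1 plus a 24-bit 1, so 1.0.0.1.
    """
    parts = [_part(p) for p in text.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad address: {text!r}")
    head, last = parts[:-1], parts[-1]
    last_bits = 32 - 8 * len(head)          # bits the final part has to fill
    if any(not 0 <= o <= 255 for o in head) or not 0 <= last < (1 << last_bits):
        raise ValueError(f"part out of range: {text!r}")
    addr = 0
    for octet in head:
        addr = (addr << 8) | octet
    addr = (addr << last_bits) | last
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def matches_system(text):
    """Cross-check against the C library: True when inet_aton agrees."""
    try:
        return socket.inet_ntoa(socket.inet_aton(text)) == expand_ipv4(text)
    except (OSError, ValueError):
        return False


if __name__ == "__main__":
    for shorthand in ("1.1", "1.0.1", "0x7f.1", "0177.0.0.1", "16843009"):
        print(f"{shorthand:>12} -> {expand_ipv4(shorthand)}")
```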
In Linux the ping will continue until we press CTRL+C. To send a set number of pings we use the option -c.
$ ping -c3 1.1
PING 1.1 (1.0.0.1) 56(84) bytes of data.
64 bytes from 1.0.0.1: icmp_seq=1 ttl=56 time=24.9 ms
64 bytes from 1.0.0.1: icmp_seq=2 ttl=56 time=18.0 ms
64 bytes from 1.0.0.1: icmp_seq=3 ttl=56 time=17.0 ms

--- 1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 17.031/20.011/24.962/3.528 ms
We often concentrate on the time in the main output of ping, but the summary at the bottom is more useful.
- rtt = round trip time
- min = quickest time, 17 ms
- max = slowest time, 20 ms
- mdev = deviation, 3.5
We also see the ttl (time to live) in the main output: these reply packets can cross a further 56 routers before expiring.
A ping uses the ICMP protocol with the message types ECHO Request and ECHO Reply. We can see this by using a second terminal, so that we can ping whilst capturing data.
Terminal 1: Capture traffic
Use the IP address of your host in the filter in place of 192.168.0.254
$ sudo tcpdump -i eth0 icmp and host 192.168.0.254 and 1.0.0.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
Terminal 2: Ping
$ ping -c1 1.1
Terminal 1: Results
19:28:02.268523 IP 192.168.0.254 > one.one.one.one: ICMP echo request, id 6944, seq 1, length 64
19:28:02.287321 IP one.one.one.one > 192.168.0.254: ICMP echo reply, id 6944, seq 1, length 64
So with a little practice we can see the ICMP type, we have built a packet capture filter, and we are starting to understand our network more effectively with TCPDump and ping.
Understanding Traceroute
Secondly, we look at traceroute, another command line tool to diagnose network traffic. It shows the route that is taken to the destination host. In Linux it uses the UDP protocol by default; in Windows, the ICMP protocol is used. The way that traceroute discovers the route taken is by the TTL of the packet. The first packet is sent with a TTL of 1, so it expires on the first router and an error is returned from that router. The second packet is sent with a TTL of 2, and so on. We can see that UDP is used, and the increasing TTL, with TCPDump:
Terminal 1: Capture traffic
Use the IP address of your host in the filter in place of 192.168.0.254
$ sudo tcpdump -i eth0 udp and host 192.168.0.254 and 1.0.0.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
Terminal 2: Traceroute
$ traceroute 1.1
traceroute to 1.1 (1.0.0.1), 30 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  5.883 ms  5.519 ms  6.225 ms
 2  10.35.108.1 (10.35.108.1)  22.865 ms  22.924 ms  22.791 ms
 3  pete-core-2a-xe-120-0.network.virginmedia.net (80.3.129.77)  24.953 ms  24.814 ms  24.942 ms
 4  * * *
 5  * * *
 6  * * *
 7  tcma-ic-2-ae9-0.network.virginmedia.net (62.253.174.178)  21.591 ms  25.977 ms  25.151 ms
 8  162.158.32.254 (162.158.32.254)  27.120 ms  25.934 ms  27.108 ms
 9  one.one.one.one (1.0.0.1)  23.235 ms  29.548 ms  30.257 ms
Terminal 1: Results
19:40:30.912920 IP 192.168.0.254.33491 > one.one.one.one.33434: UDP, length 32
19:40:30.913221 IP 192.168.0.254.38255 > one.one.one.one.33435: UDP, length 32
19:40:30.913419 IP 192.168.0.254.46443 > one.one.one.one.33436: UDP, length 32
19:40:30.913580 IP 192.168.0.254.60132 > one.one.one.one.33437: UDP, length 32
19:40:30.913719 IP 192.168.0.254.52295 > one.one.one.one.33438: UDP, length 32
19:40:30.913848 IP 192.168.0.254.49651 > one.one.one.one.33439: UDP, length 32
19:40:30.913982 IP 192.168.0.254.60732 > one.one.one.one.33440: UDP, length 32
19:40:36.006958 IP 192.168.0.254.56222 > one.one.one.one.33452: UDP, length 32
19:40:36.007241 IP 192.168.0.254.58702 > one.one.one.one.33453: UDP, length 32
19:40:36.007315 IP 192.168.0.254.44034 > one.one.one.one.33454: UDP, length 32
19:40:36.007391 IP 192.168.0.254.37993 > one.one.one.one.33455: UDP, length 32
19:40:36.007556 IP 192.168.0.254.45468 > one.one.one.one.33456: UDP, length 32
19:40:36.007717 IP 192.168.0.254.60707 > one.one.one.one.33457: UDP, length 32
19:40:36.007928 IP 192.168.0.254.41799 > one.one.one.one.33458: UDP, length 32
19:40:36.008705 IP 192.168.0.254.48818 > one.one.one.one.33459: UDP, length 32
19:40:36.008924 IP 192.168.0.254.48520 > one.one.one.one.33460: UDP, length 32
19:40:36.008982 IP 192.168.0.254.40047 > one.one.one.one.33461: UDP, length 32
19:40:36.009033 IP 192.168.0.254.51384 > one.one.one.one.33462: UDP, length 32
19:40:36.009083 IP 192.168.0.254.55295 > one.one.one.one.33463: UDP, length 32
19:40:36.009139 IP 192.168.0.254.56502 > one.one.one.one.33464: UDP, length 32
Hmmm, whilst this is OK and we can see that UDP is used, we are not seeing the TTL. Let’s try adjusting TCPDump. We run the process again in both terminals, this time using the option -v with tcpdump:
$ sudo tcpdump -v -i eth0 udp and host 192.168.0.254 and 1.0.0.1
Then, running the exact same traceroute command from the second terminal, we see the new captured data:
19:45:55.356115 IP (tos 0x0, ttl 1, id 5286, offset 0, flags [none], proto UDP (17), length 60) 192.168.0.254.34385 > one.one.one.one.33434: UDP, length 32
19:45:55.356450 IP (tos 0x0, ttl 1, id 5287, offset 0, flags [none], proto UDP (17), length 60) 192.168.0.254.46850 > one.one.one.one.33435: UDP, length 32
19:45:55.356613 IP (tos 0x0, ttl 1, id 5288, offset 0, flags [none], proto UDP (17), length 60) 192.168.0.254.53398 > one.one.one.one.33436: UDP, length 32
19:45:55.356764 IP (tos 0x0, ttl 2, id 5289, offset 0, flags [none], proto UDP (17), length 60) 192.168.0.254.52200 > one.one.one.one.33437: UDP, length 32
19:45:55.356907 IP (tos 0x0, ttl 2, id 5290, offset 0, flags [none], proto UDP (17), length 60) 192.168.0.254.41797 > one.one.one.one.33438: UDP, length 32
19:45:55.357040 IP (tos 0x0, ttl 2, id 5291, offset 0, flags [none], proto UDP (17), length 60) 192.168.0.254.60770 > one.one.one.one.33439: UDP, length 32
19:45:55.357186 IP (tos 0x0, ttl 3, id 5292, offset 0, flags [none], proto UDP (17), length 60) 192.168.0.254.46766 > one.one.one.one.33440: UDP, length 32
19:46:00.455392 IP (tos 0x0, ttl 6, id 5336, offset 0, flags [none], proto UDP (17), length 60) 192.168.0.254.50015 > one.one.one.one.33451: UDP, length 32
19:46:00.455599 IP (tos 0x0, ttl 7, id 5337, offset 0, flags [none], proto UDP (17), length 60) 192.168.0.254.51156 > one.one.one.one.33452: UDP, length 32
19:46:00.455729 IP (tos 0x0, ttl 7, id 5338, offset 0, flags [none], proto UDP (17), length 60) 192.168.0.254.39045 > one.one.one.one.33453: UDP, length 32
19:46:00.455856 IP (tos 0x0, ttl 7, id 5339, offset 0, flags [none], proto UDP (17), length 60) 192.168.0.254.33983 > one.one.one.one.33454: UDP, length 32
19:46:00.455997 IP (tos 0x0, ttl 8, id 5340, offset 0, flags [none], proto UDP (17), length 60) 192.168.0.254.34578 > one.one.one.one.33455: UDP, length 32
19:46:00.456134 IP (tos 0x0, ttl 8, id 5341, offset 0, flags [none], proto UDP (17), length 60) 192.168.0.254.51943 > one.one.one.one.33456: UDP, length 32
19:46:00.456257 IP (tos 0x0, ttl 8, id 5342, offset 0, flags [none], proto UDP (17), length 60) 192.168.0.254.36211 > one.one.one.one.33457: UDP, length 32
19:46:00.456416 IP (tos 0x0, ttl 9, id 5343, offset 0, flags [none], proto UDP (17), length 60) 192.168.0.254.33592 > one.one.one.one.33458: UDP, length 32
19:46:00.457017 IP (tos 0x0, ttl 9, id 5344, offset 0, flags [none], proto UDP (17), length 60) 192.168.0.254.57627 > one.one.one.one.33459: UDP, length 32
19:46:00.457642 IP (tos 0x0, ttl 11, id 5350, offset 0, flags [none], proto UDP (17), length 60) 192.168.0.254.50244 > one.one.one.one.33465: UDP, length 32
19:46:00.478248 IP (tos 0x0, ttl 12, id 5353, offset 0, flags [none], proto UDP (17), length 60) 192.168.0.254.60948 > one.one.one.one.33467: UDP, length 32
19:46:00.479943 IP (tos 0x0, ttl 12, id 5354, offset 0, flags [none], proto UDP (17), length 60) 192.168.0.254.58305 > one.one.one.one.33468: UDP, length 32
19:46:00.480090 IP (tos 0x0, ttl 12, id 5355, offset 0, flags [none], proto UDP (17), length 60) 192.168.0.254.56355 > one.one.one.one.33469: UDP, length 32
19:46:00.480218 IP (tos 0x0, ttl 13, id 5356, offset 0, flags [none], proto UDP (17), length 60) 192.168.0.254.54455 > one.one.one.one.33470: UDP, length 32
This shows the incrementing TTL of each packet. More than one UDP packet is also sent per hop, each to a different destination port, to determine which UDP port will be active on the target host. To use ICMP with traceroute we must run as root and add the -I option:
Terminal 1: Capture traffic
Use the IP address of your host in the filter in place of 192.168.0.254
$ sudo tcpdump -i eth0 icmp and host 192.168.0.254 and 1.0.0.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
Terminal 2: Traceroute
$ sudo traceroute -I 1.1
traceroute to 1.1 (1.0.0.1), 30 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  5.883 ms  5.519 ms  6.225 ms
 2  10.35.108.1 (10.35.108.1)  22.865 ms  22.924 ms  22.791 ms
 3  pete-core-2a-xe-120-0.network.virginmedia.net (80.3.129.77)  24.953 ms  24.814 ms  24.942 ms
 4  * * *
 5  * * *
 6  * * *
 7  tcma-ic-2-ae9-0.network.virginmedia.net (62.253.174.178)  21.591 ms  25.977 ms  25.151 ms
 8  162.158.32.254 (162.158.32.254)  27.120 ms  25.934 ms  27.108 ms
 9  one.one.one.one (1.0.0.1)  23.235 ms  29.548 ms  30.257 ms
As with the UDP capture, the default tcpdump output does not show the TTL, so we run the process again in both terminals, this time using the option -v with tcpdump:
$ sudo tcpdump -v -i eth0 icmp and host 192.168.0.254 and 1.0.0.1
Then, running the same $ sudo traceroute -I 1.1 command from the second terminal, we see the new captured data on the first terminal:
19:53:22.338302 IP (tos 0x0, ttl 1, id 27946, offset 0, flags [none], proto ICMP (1), length 60) 192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 1, length 40
19:53:22.338995 IP (tos 0x0, ttl 1, id 27947, offset 0, flags [none], proto ICMP (1), length 60) 192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 2, length 40
19:53:22.339171 IP (tos 0x0, ttl 1, id 27948, offset 0, flags [none], proto ICMP (1), length 60) 192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 3, length 40
19:53:22.339489 IP (tos 0x0, ttl 2, id 27949, offset 0, flags [none], proto ICMP (1), length 60) 192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 4, length 40
19:53:22.339652 IP (tos 0x0, ttl 2, id 27950, offset 0, flags [none], proto ICMP (1), length 60) 192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 5, length 40
19:53:22.339771 IP (tos 0x0, ttl 2, id 27951, offset 0, flags [none], proto ICMP (1), length 60) 192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 6, length 40
19:53:22.339888 IP (tos 0x0, ttl 3, id 27952, offset 0, flags [none], proto ICMP (1), length 60) 192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 7, length 40
19:53:27.447858 IP (tos 0x0, ttl 7, id 28463, offset 0, flags [none], proto ICMP (1), length 60) 192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 19, length 40
19:53:27.448021 IP (tos 0x0, ttl 7, id 28464, offset 0, flags [none], proto ICMP (1), length 60) 192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 20, length 40
19:53:27.448223 IP (tos 0x0, ttl 7, id 28465, offset 0, flags [none], proto ICMP (1), length 60) 192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 21, length 40
19:53:27.448466 IP (tos 0x0, ttl 8, id 28466, offset 0, flags [none], proto ICMP (1), length 60) 192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 22, length 40
19:53:27.448650 IP (tos 0x0, ttl 8, id 28467, offset 0, flags [none], proto ICMP (1), length 60) 192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 23, length 40
19:53:27.448845 IP (tos 0x0, ttl 8, id 28468, offset 0, flags [none], proto ICMP (1), length 60) 192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 24, length 40
19:53:27.449034 IP (tos 0x0, ttl 9, id 28469, offset 0, flags [none], proto ICMP (1), length 60) 192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 25, length 40
19:53:27.449524 IP (tos 0x0, ttl 9, id 28470, offset 0, flags [none], proto ICMP (1), length 60) 192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 26, length 40
19:53:27.449703 IP (tos 0x0, ttl 9, id 28471, offset 0, flags [none], proto ICMP (1), length 60) 192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 27, length 40
19:53:27.449776 IP (tos 0x0, ttl 10, id 28472, offset 0, flags [none], proto ICMP (1), length 60) 192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 28, length 40
19:53:27.449814 IP (tos 0x0, ttl 10, id 28473, offset 0, flags [none], proto ICMP (1), length 60) 192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 29, length 40
19:53:27.449930 IP (tos 0x0, ttl 10, id 28474, offset 0, flags [none], proto ICMP (1), length 60) 192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 30, length 40
19:53:27.450055 IP (tos 0x0, ttl 11, id 28475, offset 0, flags [none], proto ICMP (1), length 60) 192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 31, length 40
19:53:27.450080 IP (tos 0x0, ttl 11, id 28476, offset 0, flags [none], proto ICMP (1), length 60) 192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 32, length 40
19:53:27.450215 IP (tos 0x0, ttl 11, id 28477, offset 0, flags [none], proto ICMP (1), length 60) 192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 33, length 40
19:53:27.450333 IP (tos 0x0, ttl 12, id 28478, offset 0, flags [none], proto ICMP (1), length 60) 192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 34, length 40
19:53:27.470076 IP (tos 0x0, ttl 56, id 31177, offset 0, flags [none], proto ICMP (1), length 60) one.one.one.one > 192.168.0.254: ICMP echo reply, id 6998, seq 25, length 40
19:53:27.470080 IP (tos 0x0, ttl 56, id 31178, offset 0, flags [none], proto ICMP (1), length 60) one.one.one.one > 192.168.0.254: ICMP echo reply, id 6998, seq 26, length 40
19:53:27.470463 IP (tos 0x0, ttl 56, id 31179, offset 0, flags [none], proto ICMP (1), length 60) one.one.one.one > 192.168.0.254: ICMP echo reply, id 6998, seq 27, length 40
19:53:27.470466 IP (tos 0x0, ttl 56, id 31180, offset 0, flags [none], proto ICMP (1), length 60) one.one.one.one > 192.168.0.254: ICMP echo reply, id 6998, seq 28, length 40
19:53:27.473030 IP (tos 0x0, ttl 56, id 31181, offset 0, flags [none], proto ICMP (1), length 60) one.one.one.one > 192.168.0.254: ICMP echo reply, id 6998, seq 29, length 40
19:53:27.473034 IP (tos 0x0, ttl 56, id 31182, offset 0, flags [none], proto ICMP (1), length 60) one.one.one.one > 192.168.0.254: ICMP echo reply, id 6998, seq 30, length 40
19:53:27.473749 IP (tos 0x0, ttl 56, id 31183, offset 0, flags [none], proto ICMP (1), length 60) one.one.one.one > 192.168.0.254: ICMP echo reply, id 6998, seq 31, length 40
19:53:27.473752 IP (tos 0x0, ttl 56, id 31184, offset 0, flags [none], proto ICMP (1), length 60) one.one.one.one > 192.168.0.254: ICMP echo reply, id 6998, seq 32, length 40
19:53:27.473925 IP (tos 0x0, ttl 56, id 31185, offset 0, flags [none], proto ICMP (1), length 60) one.one.one.one > 192.168.0.254: ICMP echo reply, id 6998, seq 33, length 40
19:53:27.473928 IP (tos 0x0, ttl 56, id 31186, offset 0, flags [none], proto ICMP (1), length 60) one.one.one.one > 192.168.0.254: ICMP echo reply, id 6998, seq 34, length 40
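Reading the TTL off each line by eye works for a few probes, but the pattern is easier to confirm programmatically. The following is an added example, not code from the original post: it parses `tcpdump -v` lines from both the UDP traceroute capture and the ICMP -I capture above, groups the outbound probes by TTL (the hop traceroute is probing) and flags hops where fewer than three probes were captured. The function names are chosen here, and the sample lines are copied from the post's own captures.

```python
# Added example (not code from the original post): parse `tcpdump -v` lines
# from the UDP and ICMP -I traceroute captures above and group the outbound
# probes by TTL, i.e. by the hop traceroute is probing.
import re
from collections import defaultdict

# timestamp, the IP header summary added by -v, then "src > dst: payload"
LINE_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ IP \(tos 0x[0-9a-f]+, ttl (?P<ttl>\d+), id \d+, "
    r"offset \d+, flags \[[^\]]*\], proto (?P<proto>UDP|ICMP) \(\d+\), "
    r"length \d+\) (?P<src>\S+) > (?P<dst>\S+): (?P<info>.*)$"
)
SEQ_RE = re.compile(r"\bseq (\d+)\b")


def parse_probe(line):
    """(ttl, probe_id) for an outbound probe; None for replies or other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    info = m["info"]
    if m["proto"] == "UDP" and info.startswith("UDP"):
        # UDP traceroute walks the destination port upwards from 33434
        return int(m["ttl"]), int(m["dst"].rsplit(".", 1)[1])
    if m["proto"] == "ICMP" and info.startswith("ICMP echo request"):
        # traceroute -I numbers its echo requests with an increasing seq
        return int(m["ttl"]), int(SEQ_RE.search(info).group(1))
    return None


def probes_by_hop(lines):
    """Map TTL (hop number) -> sorted probe ids seen with that TTL."""
    hops = defaultdict(list)
    for line in lines:
        parsed = parse_probe(line)
        if parsed:
            hops[parsed[0]].append(parsed[1])
    return {ttl: sorted(ids) for ttl, ids in sorted(hops.items())}


def incomplete_hops(hops, per_hop=3):
    """Hops with fewer than per_hop probes: traceroute sends three per TTL,
    so a short count means the capture or its filter missed some."""
    return [ttl for ttl, ids in hops.items() if len(ids) < per_hop]


# Constructed samples: lines copied from the captures in the post.
UDP_SAMPLE = """\
19:45:55.356115 IP (tos 0x0, ttl 1, id 5286, offset 0, flags [none], proto UDP (17), length 60) 192.168.0.254.34385 > one.one.one.one.33434: UDP, length 32
19:45:55.356450 IP (tos 0x0, ttl 1, id 5287, offset 0, flags [none], proto UDP (17), length 60) 192.168.0.254.46850 > one.one.one.one.33435: UDP, length 32
19:45:55.356613 IP (tos 0x0, ttl 1, id 5288, offset 0, flags [none], proto UDP (17), length 60) 192.168.0.254.53398 > one.one.one.one.33436: UDP, length 32
19:45:55.356764 IP (tos 0x0, ttl 2, id 5289, offset 0, flags [none], proto UDP (17), length 60) 192.168.0.254.52200 > one.one.one.one.33437: UDP, length 32
""".splitlines()
ICMP_SAMPLE = """\
19:53:22.338302 IP (tos 0x0, ttl 1, id 27946, offset 0, flags [none], proto ICMP (1), length 60) 192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 1, length 40
19:53:22.339489 IP (tos 0x0, ttl 2, id 27949, offset 0, flags [none], proto ICMP (1), length 60) 192.168.0.254 > one.one.one.one: ICMP echo request, id 6998, seq 4, length 40
19:53:27.470076 IP (tos 0x0, ttl 56, id 31177, offset 0, flags [none], proto ICMP (1), length 60) one.one.one.one > 192.168.0.254: ICMP echo reply, id 6998, seq 25, length 40
""".splitlines()
```

Feeding it a full capture (for example `sudo tcpdump -v -l ... | python3 -c ...`) gives one entry per hop, and any hop listed by `incomplete_hops` is one where the filter, the capture, or the network dropped a probe.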
Now we can start using the tools with more confidence, and we really do understand our network more effectively with TCPDump and ping.