Say I make a DNS request:
$ dig +short @220.127.116.11 google.com 18.104.22.168
What went over the network?
We can find out with a program called
tcpdump is a command-line program
which can prints everything that goes over a network interface on a UNIX box.
Let’s see an example, getting all DNS traffic.
DNS requests go over UDP port 53.
tcpdump for this using the expression
udp and port 53:
$ sudo tcpdump -n 'udp and port 53' tcpdump: data link type PKTAP tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes 23:21:50.909488 IP 192.168.1.4.61988 > 192.168.1.254.53: 61163+ [1au] A? google.com. (39) 23:21:50.929583 IP 192.168.1.254.53 > 192.168.1.4.61988: 61163 1/0/1 A 22.214.171.124 (55)
The output shows exactly two UDP packets. One for the DNS request, the next for the response.
You’ll notice that
tcpdump is terribly named!
It does not just dump TCP; it can dump all manner of network activity:
UDP, IP, ICMP, Ethernet, and many others.
More by Jim
- Project C-43: the lost origins of asymmetric crypto
- How Hacker News stays interesting
- My parents are Flat-Earthers
- The dots do matter: how to scam a Gmail user
- The sorry state of OpenSSL usability
- I hate telephones
- The Three Ts of Time, Thought and Typing: measuring cost on the web
- Granddad died today
- Your syntax highlighter is wrong
I wrote this because I felt like it. This post is not associated with my employer. Found an error? Edit this page.