Learn more about Israeli war crimes in Gaza, funded by the USA, Germany, the UK and others.

Running tcpdump on a TCP connection

The tcpdump program is badly named: it can capture much more than TCP traffic! But let’s see tcpdump in its original use to view a small TCP conversation.

The conversation is going to be on the local machine over the loopback interface using TCP port 12345. So let’s start listening for that:

$ sudo tcpdump -i lo -v -X -n 'tcp port 12345'
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes

For the TCP server and client, I’ll use nc (“netcat”). I’ll start the server listening on 127.0.0.2:12345. (127.0.0.2 is configured to go to the loopback interface. This helps clarify client and server in our tcpdump logs.) To start this server, use nc -l:

$ nc -l 127.0.0.2 12345

nc -l tells the OS that it wants to receive new TCP connections to 127.0.0.2:12345. Nothing has happened on the network yet! Next, open a connection to this TCP server:

$ nc 127.0.0.2 12345

Our nc programs show no output, but tcpdump shows activity!:

22:09:04.387241 IP (tos 0x0, ttl 64, id 33056, offset 0, flags [DF], proto TCP (6), length 60)
    127.0.0.1.56742 > 127.0.0.2.12345: Flags [S], cksum 0xfe31 (incorrect -> 0x212f), seq 3112279261, win 43690, options [mss 65495,sackOK,TS val 29629949 ecr 0,nop,wscale 6], length 0
	0x0000:  4500 003c 8120 4000 4006 bb98 7f00 0001  E..<..@.@.......
	0x0010:  7f00 0002 dda6 3039 b981 9cdd 0000 0000  ......09........
	0x0020:  a002 aaaa fe31 0000 0204 ffd7 0402 080a  .....1..........
	0x0030:  01c4 1dfd 0000 0000 0103 0306            ............
22:09:04.387254 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    127.0.0.2.12345 > 127.0.0.1.56742: Flags [S.], cksum 0xfe31 (incorrect -> 0x046a), seq 3504942089, ack 3112279262, win 43690, options [mss 65495,sackOK,TS val 29629949 ecr 29629949,nop,wscale 6], length 0
	0x0000:  4500 003c 0000 4000 4006 3cb9 7f00 0002  E..<..@.@.<.....
	0x0010:  7f00 0001 3039 dda6 d0e9 2c09 b981 9cde  ....09....,.....
	0x0020:  a012 aaaa fe31 0000 0204 ffd7 0402 080a  .....1..........
	0x0030:  01c4 1dfd 01c4 1dfd 0103 0306            ............
22:09:04.387266 IP (tos 0x0, ttl 64, id 33057, offset 0, flags [DF], proto TCP (6), length 52)
    127.0.0.1.56742 > 127.0.0.2.12345: Flags [.], cksum 0xfe29 (incorrect -> 0xd558), ack 1, win 683, options [nop,nop,TS val 29629949 ecr 29629949], length 0
	0x0000:  4500 0034 8121 4000 4006 bb9f 7f00 0001  E..4.!@.@.......
	0x0010:  7f00 0002 dda6 3039 b981 9cde d0e9 2c0a  ......09......,.
	0x0020:  8010 02ab fe29 0000 0101 080a 01c4 1dfd  .....)..........
	0x0030:  01c4 1dfd                                ....

This is a lot of output! We asked tcpdump for a lot of output. We used -v for verbose, and -X to “print the data of each packet (minus its link level header) in hex and ASCII”. Let’s interpret this output.

There are three blocks here, corresponding to three IP packets. This is the “TCP three-way handshake”. The goal of this process is to establish a connection. Connection establishment is like a legal contract. Each party must agree to the contract, and have a copy of the other party’s agreement to the contract. The contract content could be thought of as

127.0.0.1 and 127.0.0.2 shall transmit two byte streams between each other. 127.0.0.1 shall send a byte stream from port 56742 to port 12345 on 127.0.0.2, and the first byte in this stream shall have number 3112279261. 127.0.0.2 shall send a byte stream from port 12345 to port 56742 on 127.0.0.1, and the first byte in this stream shall have number 3504942089.

Next, I told the client nc to send the string hi, do you sell donuts?. Here’s the tcpdump output:

22:12:18.253405 IP (tos 0x0, ttl 64, id 33058, offset 0, flags [DF], proto TCP (6), length 76)
    127.0.0.1.56742 > 127.0.0.2.12345: Flags [P.], cksum 0xfe41 (incorrect -> 0x169c), seq 1:25, ack 1, win 683, options [nop,nop,TS val 29678415 ecr 29629949], length 24
	0x0000:  4500 004c 8122 4000 4006 bb86 7f00 0001  E..L."@.@.......
	0x0010:  7f00 0002 dda6 3039 b981 9cde d0e9 2c0a  ......09......,.
	0x0020:  8018 02ab fe41 0000 0101 080a 01c4 db4f  .....A.........O
	0x0030:  01c4 1dfd 6869 2c20 646f 2079 6f75 2073  ....hi,.do.you.s
	0x0040:  656c 6c20 646f 6e75 7473 3f0a            ell.donuts?.
22:12:18.253424 IP (tos 0x0, ttl 64, id 12791, offset 0, flags [DF], proto TCP (6), length 52)
    127.0.0.2.12345 > 127.0.0.1.56742: Flags [.], cksum 0xfe29 (incorrect -> 0x5a9b), ack 25, win 683, options [nop,nop,TS val 29678415 ecr 29678415], length 0
	0x0000:  4500 0034 31f7 4000 4006 0aca 7f00 0002  E..41.@.@.......
	0x0010:  7f00 0001 3039 dda6 d0e9 2c0a b981 9cf6  ....09....,.....
	0x0020:  8010 02ab fe29 0000 0101 080a 01c4 db4f  .....).........O
	0x0030:  01c4 db4f                                ...O

Two packets are exchanged: the client’s message to the server in the first packet, then a second packet acknowledging the message. You can see the message in the hexdump output; notice it includes a trailing newline character sent by nc.

Next, I typed no, sorry, try donuts.com from the server. The same process happens in reverse: a message from the server to the client, then an acknowledgement. Notice both acknowledgement packets are 52 bytes (the first, IP line says length 52), despite not having any message payload (the second, TCP line says length 0).

22:16:15.346758 IP (tos 0x0, ttl 64, id 12792, offset 0, flags [DF], proto TCP (6), length 78)
    127.0.0.2.12345 > 127.0.0.1.56742: Flags [P.], cksum 0xfe43 (incorrect -> 0x9d71), seq 1:27, ack 25, win 683, options [nop,nop,TS val 29737689 ecr 29678415], length 26
	0x0000:  4500 004e 31f8 4000 4006 0aaf 7f00 0002  E..N1.@.@.......
	0x0010:  7f00 0001 3039 dda6 d0e9 2c0a b981 9cf6  ....09....,.....
	0x0020:  8018 02ab fe43 0000 0101 080a 01c5 c2d9  .....C..........
	0x0030:  01c4 db4f 6e6f 2c20 736f 7272 792e 2074  ...Ono,.sorry..t
	0x0040:  7279 2064 6f6e 7574 732e 636f 6d0a       ry.donuts.com.
22:16:15.346782 IP (tos 0x0, ttl 64, id 33059, offset 0, flags [DF], proto TCP (6), length 52)
    127.0.0.1.56742 > 127.0.0.2.12345: Flags [.], cksum 0xfe29 (incorrect -> 0x8b6b), ack 27, win 683, options [nop,nop,TS val 29737689 ecr 29737689], length 0
	0x0000:  4500 0034 8123 4000 4006 bb9d 7f00 0001  E..4.#@.@.......
	0x0010:  7f00 0002 dda6 3039 b981 9cf6 d0e9 2c24  ......09......,$
	0x0020:  8010 02ab fe29 0000 0101 080a 01c5 c2d9  .....)..........
	0x0030:  01c5 c2d9                                ....

Finally I hit Ctrl-D on the server process, sending EOF. This caused three more packets:

22:16:50.176655 IP (tos 0x0, ttl 64, id 12793, offset 0, flags [DF], proto TCP (6), length 52)
    127.0.0.2.12345 > 127.0.0.1.56742: Flags [F.], cksum 0xfe29 (incorrect -> 0x6967), seq 27, ack 25, win 683, options [nop,nop,TS val 29746396 ecr 29737689], length 0
	0x0000:  4500 0034 31f9 4000 4006 0ac8 7f00 0002  E..41.@.@.......
	0x0010:  7f00 0001 3039 dda6 d0e9 2c24 b981 9cf6  ....09....,$....
	0x0020:  8011 02ab fe29 0000 0101 080a 01c5 e4dc  .....)..........
	0x0030:  01c5 c2d9                                ....
22:16:50.176690 IP (tos 0x0, ttl 64, id 33060, offset 0, flags [DF], proto TCP (6), length 52)
    127.0.0.1.56742 > 127.0.0.2.12345: Flags [F.], cksum 0xfe29 (incorrect -> 0x4763), seq 25, ack 28, win 683, options [nop,nop,TS val 29746396 ecr 29746396], length 0
	0x0000:  4500 0034 8124 4000 4006 bb9c 7f00 0001  E..4.$@.@.......
	0x0010:  7f00 0002 dda6 3039 b981 9cf6 d0e9 2c25  ......09......,%
	0x0020:  8011 02ab fe29 0000 0101 080a 01c5 e4dc  .....)..........
	0x0030:  01c5 e4dc                                ....
22:16:50.176698 IP (tos 0x0, ttl 64, id 12794, offset 0, flags [DF], proto TCP (6), length 52)
    127.0.0.2.12345 > 127.0.0.1.56742: Flags [.], cksum 0xfe29 (incorrect -> 0x4763), ack 26, win 683, options [nop,nop,TS val 29746396 ecr 29746396], length 0
	0x0000:  4500 0034 31fa 4000 4006 0ac7 7f00 0002  E..41.@.@.......
	0x0010:  7f00 0001 3039 dda6 d0e9 2c25 b981 9cf7  ....09....,%....
	0x0020:  8010 02ab fe29 0000 0101 080a 01c5 e4dc  .....)..........
	0x0030:  01c5 e4dc                                ....

This is similar to another three-way handshake, agreeing the end of the connection.

There’s a huge amount I didn’t cover here! More blog posts necessary.

Tagged #programming, #unix, #networking.

Similar posts

How to make a webserver with netcat (nc)
Use nc (netcat) to create a web server that returns custom HTTP responses. 2018-12-31
Creating a UDP connection with netcat
nc can create UDP connections. UDP connections are established when the first data packet is sent, and terminated when the server becomes unreachable. ICMP messages notify the client of an unreachable server. 2018-03-04
What does Linux do with a lost TCP connection?
Linux uses exponential backoff to retry dropped TCP connections, with a configurable retry limit. 2018-02-27
What is DHCP?
DHCP dynamically assigns IP addresses to hosts, using a client-server protocol over UDP. It involves a sequence of DORA (Discover, Offer, Request, Acknowledge) messages to obtain and configure a network lease. 2018-02-06
What is tcpdump?
tcpdump captures and displays network traffic. An example inspecting DNS requests and responses. 2018-02-01
osquery: UNIX as a SQL database
osquery allows querying a UNIX system using SQL. 2017-12-11

More by Jim

What does the dot do in JavaScript?
foo.bar, foo.bar(), or foo.bar = baz - what do they mean? A deep dive into prototypical inheritance and getters/setters. 2020-11-01
Smear phishing: a new Android vulnerability
Trick Android to display an SMS as coming from any contact. Convincing phishing vuln, but still unpatched. 2020-08-06
A probabilistic pub quiz for nerds
A “true or false” quiz where you respond with your confidence level, and the optimal strategy is to report your true belief. 2020-04-26
Time is running out to catch COVID-19
Simulation shows it’s rational to deliberately infect yourself with COVID-19 early on to get treatment, but after healthcare capacity is exceeded, it’s better to avoid infection. Includes interactive parameters and visualizations. 2020-03-14
The inception bar: a new phishing method
A new phishing technique that displays a fake URL bar in Chrome for mobile. A key innovation is the “scroll jail” that traps the user in a fake browser. 2019-04-27
The hacker hype cycle
I got started with simple web development, but because enamored with increasingly esoteric programming concepts, leading to a “trough of hipster technologies” before returning to more productive work. 2019-03-23
Project C-43: the lost origins of asymmetric crypto
Bob invents asymmetric cryptography by playing loud white noise to obscure Alice’s message, which he can cancel out but an eavesdropper cannot. This idea, published in 1944 by Walter Koenig Jr., is the forgotten origin of asymmetric crypto. 2019-02-16
How Hacker News stays interesting
Hacker News buried my post on conspiracy theories in my family due to overheated discussion, not censorship. Moderation keeps the site focused on interesting technical content. 2019-01-26
My parents are Flat-Earthers
For decades, my parents have been working up to Flat-Earther beliefs. From Egyptology to Jehovah’s Witnesses to theories that human built the Moon billions of years in the future. Surprisingly, it doesn’t affect their successful lives very much. For me, it’s a fun family pastime. 2019-01-20
The dots do matter: how to scam a Gmail user
Gmail’s “dots don’t matter” feature lets scammers create an account on, say, Netflix, with your email address but different dots. Results in convincing phishing emails. 2018-04-07
The sorry state of OpenSSL usability
OpenSSL’s inadequate documentation, confusing key formats, and deprecated interfaces make it difficult to use, despite its importance. 2017-12-02
I hate telephones
I hate telephones. Some rational reasons: lack of authentication, no spam filtering, forced synchronous communication. But also just a visceral fear. 2017-11-08
The Three Ts of Time, Thought and Typing: measuring cost on the web
Businesses often tout “free” services, but the real costs come in terms of time, thought, and typing required from users. Reducing these “Three Ts” is key to improving sign-up flows and increasing conversions. 2017-10-26
Granddad died today
Granddad died. The unspoken practice of death-by-dehydration in the NHS. The Liverpool Care Pathway. Assisted dying in the UK. The importance of planning in end-of-life care. 2017-05-19
How do I call a program in C, setting up standard pipes?
A C function to create a new process, set up its standard input/output/error pipes, and return a struct containing the process ID and pipe file descriptors. 2017-02-17
Your syntax highlighter is wrong
Syntax highlighters make value judgments about code. Most highlighters judge that comments are cruft, and try to hide them. Most diff viewers judge that code deletions are bad. 2014-05-11
Want to build a fantastic product using LLMs? I work at Granola where we're building the future IDE for knowledge work. Come and work with us! Read more or get in touch!

This page copyright James Fisher 2018. Content is not associated with my employer. Found an error? Edit this page.

Jim Fisher
CV
Speaking
Blogroll
RSS
TigYog
Kickabout