Spy on Yourself with tcpdump - Page 2

By Carla Schroder | Posted Dec 1, 2004

This shows that the session is using pop3s (port 995) rather than plain pop3 (port 110), which is what we want. We can dig deeper and look at the packet contents themselves to confirm that the login is not readable on the wire:

# tcpdump -X port 995

The -X option prints each packet's bytes in hex alongside their ASCII rendering, with non-printable bytes shown as dots. The ASCII column for the pop3s session looks like this:

E...R(@.5..fE8..
................
P...`.......J...
F..A....yY.I.D..
=2....'i..E.....J.

Nothing in it is readable, which is exactly what we want: the session is encrypted, so anyone snooping on our connection cannot capture logins and passwords. Contrast this with a plain POP3 session on port 110, where the USER and PASS commands, and the password itself, appear in clear text:

# tcpdump -X port 110
E8.....n.....V%.
P...T...USER.car
la@domain.com..

32:46(14) ack 70 win 5840 (DF)
E..6..@.@..x....
E8.....n...".V&.
P...n...PASS.mgY6Rf9W..
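Picking credentials out of a capture by eye is fine for one connection, but if you want to audit a whole mail server's port 110 for clients still logging in without TLS, a filter on tcpdump's ASCII output does the work. The following is an added example, not code from the original article: it reads the output of tcpdump's -A option (ASCII only, which is easier to filter than -X) on standard input and prints the client address with every USER and PASS command it finds. The sample capture embedded in the block is constructed to mimic tcpdump -nn -A output for the login shown above; the client address 192.168.1.20 and the "demo" helper are assumptions for illustration only.

```shell
#!/bin/sh
# Find clear-text POP3 logins in tcpdump -A output.
#
# Live usage (as root, on the mail server or a mirror port):
#   tcpdump -l -nn -A 'tcp port 110' | find_pop3_creds
#
# -l line-buffers the output so the pipe sees each packet promptly,
# -nn keeps addresses and ports numeric, -A prints the packet body as
# ASCII with CR/LF rendered as a newline, so the POP3 command lands at
# the end of the line holding the IP/TCP header bytes.

find_pop3_creds() {
    awk '
        # Packet header lines look like:
        #   15:02:11.123456 IP 192.168.1.20.49152 > 192.168.1.1.110: ...
        # Remember the source address (port stripped) for the lines that follow.
        $2 == "IP" { src = $3; sub(/\.[0-9]+$/, "", src); next }

        # The POP3 command follows the non-printable header bytes on the
        # same line, so search anywhere in the line rather than at its start.
        match($0, /(USER|PASS) [^ ]+/) {
            print src " " substr($0, RSTART, RLENGTH)
        }
    '
}

# Constructed sample of tcpdump -nn -A output (not a real capture); the
# dotted runs stand in for the IP and TCP header bytes.
SAMPLE=$(cat <<'EOF'
15:02:11.123456 IP 192.168.1.20.49152 > 192.168.1.1.110: Flags [P.], seq 32:46, ack 70, win 5840, length 14
E..6..@.@..x........P...n...USER carla@domain.com
15:02:11.234567 IP 192.168.1.1.110 > 192.168.1.20.49152: Flags [P.], seq 70:75, ack 46, win 5840, length 5
E..-..@.@...........P.......+OK
15:02:12.345678 IP 192.168.1.20.49152 > 192.168.1.1.110: Flags [P.], seq 46:61, ack 75, win 5840, length 15
E..7..@.@..x........P...n...PASS mgY6Rf9W
EOF
)

# Run the filter over the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE" | find_pop3_creds
}

demo
```

Every line this prints is a client that should be moved to pop3s; on a live server the same one-liner with -w instead of -A keeps the raw packets for later analysis.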

Hubs Are Blabbermouths

If your LAN is connected with hubs, which is so twentieth century, every frame is repeated to every port, so you can sniff traffic for any host on the network from the comfort of your own chair. Anyone on the LAN can simply name the host they wish to surveil:

# tcpdump dst host workstation5

Or specify the host's IP address. tcpdump automatically puts your NIC into promiscuous mode so that it accepts frames addressed to other hosts (the -p option tells it not to, in which case you see only traffic addressed to your own host plus broadcasts and multicasts). You won't see this with ifconfig, but the kernel logs it, so it shows up in dmesg or /var/log/messages. Just for kicks, open two terminal windows. In one, run tail -f /var/log/messages. In the other, run tcpdump, then stop it. The first one will show something like

Nov 22 20:43:30 windbag kernel: eth0: Promiscuous mode enabled.
Nov 22 20:43:30 windbag kernel: device eth0 entered promiscuous mode
Nov 22 20:44:07 windbag kernel: eth0: Promiscuous mode enabled.
Nov 22 20:44:07 windbag kernel: device eth0 left promiscuous mode

Foiled By Switches

If your LAN is blessed with switches instead of hubs, you cannot do this: a switch forwards each frame only to the port where the destination MAC address lives, so your sniffer sees its own traffic and broadcasts and nothing else. You must first configure the switch for SPAN (Switched Port Analyzer) mode, also called "port mirroring." Whatever you call it, the switch copies the frames from the ports or VLANs you designate to a monitor port while continuing to switch normally, so only you, the godlike admin, plugged into the monitor port, can see the packets. Unmanaged low-cost SOHO switches, such as those made by Linksys, D-Link, and Netgear, cannot do this; it is a feature of managed, higher-priced products from Cisco and Extreme. Bear in mind that a switch is a convenience, not a security control: an attacker on the LAN can still steer other hosts' traffic past a sniffer with ARP spoofing or by flooding the switch's MAC table, which is one more reason to run pop3s rather than pop3.

Come back next week to learn some nifty network diagnostic tricks with tcpdump, such as finding signs of evil activity, diagnosing network problems, and sending tcpdump's output to binary files suitable for parsing by utilities like Ethereal and Snort.

Resources

Unlike my columns, RFCs are less-than-riveting reading. But they contain complete information.

  • RFC 793 describes the Transmission Control Protocol (TCP) in exhaustive detail.
  • RFC 1180 is an excellent TCP/IP tutorial.
  • tcpdump home page
