Wednesday, May 21, 2008

Using Linux to view network traffic on a port

When we want to find out who or what is connecting to our server, Linux provides some handy tools. Here are a few examples, together with their output.

Tested with CentOS 5.1.

Using tcpdump
# tcpdump -i eth0 tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:16:41.172405 IP 10.20.20.164.36273 > 10.20.20.232.http: S 1619435837:1619435837(0) win 5840
10:16:41.172433 IP 10.20.20.232.http > 10.20.20.164.36273: S 553643372:553643372(0) ack 1619435838 win 5792
10:16:41.172683 IP 10.20.20.164.36273 > 10.20.20.232.http: . ack 1 win 92
10:16:41.172932 IP 10.20.20.164.36273 > 10.20.20.232.http: P 1:445(444) ack 1 win 92
10:16:41.172951 IP 10.20.20.232.http > 10.20.20.164.36273: . ack 445 win 54
10:16:41.174744 IP 10.20.20.232.http > 10.20.20.164.36273: P 1:208(207) ack 445 win 54
10:16:41.174832 IP 10.20.20.232.http > 10.20.20.164.36273: F 208:208(0) ack 445 win 54
10:16:41.174996 IP 10.20.20.164.36273 > 10.20.20.232.http: . ack 208 win 108
10:16:41.177857 IP 10.20.20.164.36273 > 10.20.20.232.http: F 445:445(0) ack 209 win 108
10:16:41.177866 IP 10.20.20.232.http > 10.20.20.164.36273: . ack 446 win 54
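As an added example (not code from the original post), a small Python script that parses tcpdump lines like the ones above into a per-client summary and flags connections that sent a SYN but never received a SYN-ACK; the sample embeds six lines from the capture above plus one constructed line from a made-up client 10.20.20.77.

```python
import re

# tcpdump's classic TCP summary line, e.g.
# 10:16:41.172932 IP 10.20.20.164.36273 > 10.20.20.232.http: P 1:445(444) ack 1 win 92
LINE_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\w+) > (?P<dst>[\d.]+)\.(?P<dport>\w+): "
                     r"(?P<flags>[SFPR.]+) (?P<rest>.*)$")
LEN_RE = re.compile(r"\((\d+)\)")  # payload length in "seq:seq(len)"

# Constructed sample: six lines from the page's tcpdump run plus one made-up lone SYN (10.20.20.77).
SAMPLE = """\
10:16:41.172405 IP 10.20.20.164.36273 > 10.20.20.232.http: S 1619435837:1619435837(0) win 5840
10:16:41.172433 IP 10.20.20.232.http > 10.20.20.164.36273: S 553643372:553643372(0) ack 1619435838 win 5792
10:16:41.172932 IP 10.20.20.164.36273 > 10.20.20.232.http: P 1:445(444) ack 1 win 92
10:16:41.174744 IP 10.20.20.232.http > 10.20.20.164.36273: P 1:208(207) ack 445 win 54
10:16:41.174832 IP 10.20.20.232.http > 10.20.20.164.36273: F 208:208(0) ack 445 win 54
10:16:41.177857 IP 10.20.20.164.36273 > 10.20.20.232.http: F 445:445(0) ack 209 win 108
10:16:45.000000 IP 10.20.20.77.40001 > 10.20.20.232.http: S 100:100(0) win 5840
"""

def parse_line(line):
    """Parse one tcpdump line; returns None for the banner and non-TCP lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    n = LEN_RE.search(rec["rest"])
    rec["len"] = int(n.group(1)) if n else 0
    rec["ack"] = " ack " in " " + rec["rest"]  # SYN-ACK and later segments carry "ack N"
    return rec

def flow_report(lines):
    """Map each client (ip, port) to (state, payload bytes it sent). 'half-open' is a bare
    SYN with no SYN-ACK seen, the pattern a port scan or a filtered port leaves behind."""
    flows = {}
    for rec in filter(None, map(parse_line, lines)):
        src, dst = (rec["src"], rec["sport"]), (rec["dst"], rec["dport"])
        f = flows.setdefault(tuple(sorted((src, dst))), {"syn": False, "synack": False, "fin": 0, "sent": {}})
        if "S" in rec["flags"]:
            f["synack" if rec["ack"] else "syn"] = True
            if not rec["ack"]:
                f["client"] = src  # whoever sends the bare SYN opened the connection
        f["fin"] += "F" in rec["flags"]
        f["sent"][src] = f["sent"].get(src, 0) + rec["len"]
    report = {}
    for key, f in flows.items():
        client = f.get("client", key[0])  # no SYN seen: capture started mid-stream
        state = ("half-open" if f["syn"] and not f["synack"] else
                 "closed" if f["fin"] >= 2 else "open" if f["synack"] else "mid-stream")
        report[client] = (state, f["sent"].get(client, 0))
    return report
```

Pipe a live capture in with `tcpdump -nl -i eth0 tcp port 80 | python3 script.py` style wrappers, or feed it a saved text log; the regex expects the classic flag letters shown in the output above, not the newer `Flags [S]` style.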

Using Tcptrack (GUI)
# tcptrack -i eth0 port 80

Using Wireshark
# tshark tcp port 80
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
0.000000 10.20.20.164 -> 10.20.20.232 TCP 46538 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=1461217 TSER=0 WS=6
0.000027 10.20.20.232 -> 10.20.20.164 TCP http > 46538 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=609213593 TSER=1461217 WS=7
0.000279 10.20.20.164 -> 10.20.20.232 TCP 46538 > http [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=1461217 TSER=609213593
0.000285 10.20.20.164 -> 10.20.20.232 HTTP GET / HTTP/1.1
0.000305 10.20.20.232 -> 10.20.20.164 TCP http > 46538 [ACK] Seq=1 Ack=445 Win=6912 Len=0 TSV=609213594 TSER=1461217
0.001955 10.20.20.232 -> 10.20.20.164 HTTP HTTP/1.1 200 OK (text/html)
0.002056 10.20.20.232 -> 10.20.20.164 TCP http > 46538 [FIN, ACK] Seq=208 Ack=445 Win=6912 Len=0 TSV=609213595 TSER=1461217
0.002212 10.20.20.164 -> 10.20.20.232 TCP 46538 > http [ACK] Seq=445 Ack=208 Win=6912 Len=0 TSV=1461218 TSER=609213595
0.002593 10.20.20.164 -> 10.20.20.232 TCP 46538 > http [FIN, ACK] Seq=445 Ack=209 Win=6912 Len=0 TSV=1461218 TSER=609213595
0.002601 10.20.20.232 -> 10.20.20.164 TCP http > 46538 [ACK] Seq=209 Ack=446 Win=6912 Len=0 TSV=609213596 TSER=1461218

Using nc
For a port that is not already in use but is receiving data, nc can listen on it and display whatever arrives.
# nc -l 80

GET / HTTP/1.1
Host: 10.20.20.232
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.14) Gecko/20080418 Ubuntu/7.10 (gutsy) Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cache-Control: max-age=0

Using ngrep (from the dag repo)
# ngrep -q -t -d any port 80
interface: any
filter: (ip) and ( port 80 )

T 2008/05/21 18:26:53.772736 10.20.20.164:49392 -> 10.20.20.232:80 [AP]
GET / HTTP/1.1..Host: 10.20.20.232..User-Agent: Mozilla/5.0 (X11; U; Linux
i686; en-US; rv:1.8.1.14) Gecko/20080418 Ubuntu/7.10 (gutsy) Firefox/2.0.0.
14..Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,
text/plain;q=0.8,image/png,*/*;q=0.5..Accept-Language: en-us,en;q=0.5..Acce
pt-Encoding: gzip,deflate..Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7..
Keep-Alive: 300..Connection: keep-alive..Cookie: Cacti=s5kjjkt79vg5kq17kf86
qfjda1....

T 2008/05/21 18:26:53.774644 10.20.20.232:80 -> 10.20.20.164:49392 [AP]
HTTP/1.1 200 OK..Date: Wed, 21 May 2008 10:26:53 GMT..Server: Apache/2.2.3
(CentOS)..X-Powered-By: PHP/5.1.6..Content-Length: 16..Connection: close..C
ontent-Type: text/html; charset=UTF-8....

Using netstat and fuser

  • List all open ports
    $ sudo netstat -lpAinet
  • List the processes using a specific port, for example port 443
    $ sudo fuser -v 443/tcp

1 comment:

해적선 said...

Good information.

by linuxtip.net