TCPDUMP
Reference for the tcpdump section: https://softbackbone.net/2021/06/19/tcpdump-notes-i/
To write the tcpdump output in pcap format use -w. Adding capital -W (together with -G for a time interval or -C for a file size) means rotate, and -W caps the number of files kept:
tcpdump -ni eth0 -s0 -w /var/tmp/capture.pcap
tcpdump -ni eth0 -w /var/tmp/trace -W 48 -G 1800 -C 100 -K   # 48 files, rotated every 1800 seconds (=30 minutes) or every 100 MB; -K: don't verify checksums
tcpdump -nni bond1 -w /var/tmp/trace -W 1 -G 20 -C 100 -K
After capture, transfer example:
gk# scp root@slingshot2.nj.grapeshot.co.uk:/var/tmp/capture.pcap /home/jaime_santos/Downloads/
hm# scp root@gatekeeper.grapeshot.co.uk:/home/jaime_santos/Downloads/capture.pcap capture-ams.pcap
remote# rm /var/tmp/capture.pcap
gk# rm /var/tmp/capture.pcap
Check port, protocol and source or destination address:
host matches the bidirectional flow. To match only the source or only the destination IP, use src and dst. For ports: src port or dst port.
tcpdump -nnvvi eth1 host 10.5.2.3 and dst port 3389 and tcp
tcpdump -nni any portrange 60000-60100
tcpdump -vv -e -nni any ether proto 0x8809   # LACP
To show MAC address headers use -e. Note that if we specify any as the interface we will miss one MAC address (the cooked capture header carries only the source), so always specify the interface we are capturing on:
tcpdump -c10 -enni wlp2s0   # shows ETHERNET HEADERS and captures a FEW PACKETS
tcpdump -e -nni bond0 ether src host 00:00:5e:00:01:04 and not vrrp   # shows ETHERNET HEADERS
-S : To print absolute rather than relative TCP sequence numbers.
tcpdump -nnvvi bond0 'not (src net (10 or 172.16/12 or 192.168/16) and dst net (10 or 172.16/12 or 192.168/16))'   # EXCLUDE PRIVATE ADDRESSES
tcpdump -nni any 'not ((dst net (10 or 172.16/12 or 192.168/16 or 169.254/16)) or host 127.0.0.1)'   # EXCLUDE PRIVATE ADDRESSES, APIPA and loopback
A very simple check before tcpdump is the one below, showing which interface is passing the traffic:
cat /proc/net/dev
http://danielmiessler.com/study/tcpdump/
http://packetpushers.net/masterclass-tcpdump-expressions/
Examples
tcpdump -ni any port 5005 -s0 -A
tcpdump -nni eth1 -A -s 0 vlan 4000 and '(host 155.140.121.12 or (vlan and host 155.140.121.12))' -n   # spanned ports
tcpdump src port 1025 and tcp
tcpdump -nnvvS src 10.5.2.3 and dst port 3389   # no leading "and": the filter must start with a primitive
tcpdump -w net75.out -s 0 net 65.192.0.0/10
TOP TALKERS (or just use iftop); this counts the source address of the first 400000 packets:
sudo tcpdump -tnn -c 400000 -i bond0 | awk -F "." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | head
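The awk pipeline above only counts the source field and assumes dotted IPv4. As an added example (not part of the original notes), the following Python does the same count over constructed `tcpdump -tnn` lines, for both directions, skipping non-IP lines, and stripping the port as the text after the last dot so IPv6 endpoints are handled too:

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -tnn` output (no timestamps, no name resolution).
SAMPLE = """\
IP 10.5.2.3.51234 > 172.16.0.9.3389: Flags [S], seq 1, win 64240, length 0
IP 172.16.0.9.3389 > 10.5.2.3.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
IP 10.5.2.3.51234 > 172.16.0.9.3389: Flags [.], ack 1, win 502, length 0
IP6 fe80::1.546 > ff02::1:2.547: dhcp6 solicit
IP 10.5.2.3.51234 > 172.16.0.9.3389: Flags [P.], seq 1:51, ack 1, win 502, length 50
ARP, Request who-has 10.5.2.1 tell 10.5.2.3, length 28
"""

# "IP <src> > <dst>:" or "IP6 <src> > <dst>:"; greedy \S+ then backtracks off the ':'.
LINE_RE = re.compile(r'^(IP6?) (\S+) > (\S+):')

def strip_port(endpoint):
    """tcpdump prints 'addr.port'; the port is whatever follows the last dot.
    rpartition keeps IPv6 literals intact because they contain colons, not dots."""
    addr, sep, _port = endpoint.rpartition('.')
    return addr if sep else endpoint

def top_talkers(text, n=10):
    """Return (top sources, top destinations) as most_common lists, the
    equivalent of the awk | sort | uniq -c | sort -nr | head pipeline."""
    src, dst = Counter(), Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:          # ARP, STP, etc. have no IP endpoints: skip
            continue
        src[strip_port(m.group(2))] += 1
        dst[strip_port(m.group(3))] += 1
    return src.most_common(n), dst.most_common(n)

if __name__ == "__main__":
    sources, destinations = top_talkers(SAMPLE)
    print("top sources:", sources)
    print("top destinations:", destinations)
```

Feed it real data with `sudo tcpdump -tnn -c 400000 -i bond0 | python3 this_script.py` after replacing SAMPLE with sys.stdin.read().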
Capture any packets where the source or destination host is 192.168.1.1. Display IP addresses and port numbers:
tcpdump -n host 192.168.1.1
tcpdump -ni eth1 vlan 4001 and '(host 94.142.191.160 or (vlan and host 94.142.191.160))' -n -A -s 0 |grep FIX |sed 's/.*FIX/FIX/'
tcpdump -nr span-EAT-MDS-eth1-96 vlan and port 57462 or '(vlan and port 57462)' -s 0 -A > /tmp/out   # -r applies tcpdump ON A FILE
tcpdump -nr span-EAT-MDS-eth1-96 -s 0 -A |grep -B 1 -i barct1md |head   # look for a string in the body
Useful filters to add to that pipeline:
  sed 's/\.\.*\././g'                     # strip the dot trails
  | grep -B 1 -E '192.168.0.9.32933'      # follow the flow
  grep -w '\[P.\]'                        # find flags
tcpdump -nr span-PROD-OE-eth4-0573 -s 0 -A |grep -B 1 -E '155.195.219.196.25727' | grep --color '\[S\.\]\|\[R\.\]\|\[F\.\]'
tcpdump -nnr span-EAT-OE-eth1-86 vlan 4001 -s 0 -A |grep -B 1 dhubt2|head   # search for the source IP corresponding to an account name
tcpdump -nnr span-PROD-OE-eth4-0664 -A -s 0 |sed 's/.*FIX/8=FIX/'| grep -v 35=0| grep -B 2 'msoe1\|10.39.145.1' | more   # 35=0 drops heartbeats
tcpdump -ni eth1 -s 0 -A | grep FIX | sed -e 's/^.*8=FIX/8=FIX/g' -e 's/8=FIX/\n&/g' | egrep "269=[0-9].278=[0-9]*.270=[0-9]*.[0-9]*.271=[0-9]*." --color
This is to capture bidirectional flows on an RSPAN tagged connection (the tag separates the different span points; in this case it is 4000):
tcpdump -ni eth1 -A -s 0 vlan 4000 and '(host 155.140.121.12 or (vlan and host 155.140.121.12))' -n -A -s 0 |grep FIX |sed 's/.*FIX/FIX/'
Flags significance:
In the following example we extract packets only with the P flag:
tcpdump -nr span-EAT-MDS-eth1-96 -s 0 -A |grep -B 1 -i barct1md |sed 's/\.\.*\././g' | grep -w '\[P.\]'
Formatting some FIX traffic:
tcpdump -ni eth1 -s 0 -A | grep FIX | sed -e 's/^.*8=FIX/8=FIX/g' -e 's/8=FIX/\n&/g' | egrep "269=[0-9].278=[0-9]*.270=[0-9]*.[0-9]*.271=[0-9]*." --color
IPV6:
tcpdump -nni any icmp6 and '(ip6[40] == 128 or ip6[40] == 129)'   # ICMP echo request and reply
tcpdump -nni any icmp6 and '(ip6[40] == 135 or ip6[40] == 136)'   # NS and NA
tcpdump -nni any icmp6 and '(ip6[40] == 133 or ip6[40] == 134)'   # RS and RA
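Why ip6[40] works, and when it does not, as an added example that is not part of the original notes: byte 40 is the ICMPv6 type only when the ICMPv6 message directly follows the fixed 40-byte IPv6 header. With an extension header in between (MLD reports carry a Hop-by-Hop Router Alert, for instance) the filter compares the wrong byte and silently misses the packet. Both packets below are constructed inline.

```python
import struct

ICMPV6, HOP_BY_HOP, ROUTING, FRAGMENT, DST_OPTS = 58, 0, 43, 44, 60

def ipv6_header(next_header, payload_len):
    # Constructed 40-byte fixed IPv6 header: version 6, hop limit 64, zero addresses.
    return struct.pack('!IHBB16s16s', 6 << 28, payload_len, next_header, 64, bytes(16), bytes(16))

def icmpv6_type_as_filtered(pkt):
    """What the tcpdump filter 'ip6[40] == N' really compares: the byte right after
    the fixed IPv6 header, whatever that byte happens to be."""
    return pkt[40]

def icmpv6_type(pkt):
    """Walk the extension-header chain (hop-by-hop, routing, fragment, dest options)
    and return the ICMPv6 type, or None if the payload is not ICMPv6."""
    nh, off = pkt[6], 40
    while nh in (HOP_BY_HOP, ROUTING, FRAGMENT, DST_OPTS):
        if nh == FRAGMENT:                     # fragment header is a fixed 8 bytes
            nh, off = pkt[off], off + 8
        else:                                  # others: (hdr_ext_len + 1) * 8 bytes
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return pkt[off] if nh == ICMPV6 else None

# Constructed ICMPv6 Neighbor Solicitation: type 135, code 0, zero checksum,
# 4 reserved bytes, 16-byte target address (all zeros here).
NS_BODY = bytes([135, 0, 0, 0]) + bytes(4) + bytes(16)

# Packet 1: NS directly after the fixed header, as the page's filter expects.
PLAIN_NS = ipv6_header(ICMPV6, len(NS_BODY)) + NS_BODY

# Packet 2: the same NS behind an 8-byte Hop-by-Hop header with a Router Alert
# option: next header 58, ext len 0, RtrAlert(type 5, len 2, value 0), PadN(1, 0).
HBH = bytes([ICMPV6, 0, 5, 2, 0, 0, 1, 0])
NS_BEHIND_HBH = ipv6_header(HOP_BY_HOP, len(HBH) + len(NS_BODY)) + HBH + NS_BODY

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN_NS), ("behind hop-by-hop", NS_BEHIND_HBH)):
        print(f"{name}: ip6[40]={icmpv6_type_as_filtered(pkt)} real type={icmpv6_type(pkt)}")
```

The pcap-filter keyword `ip6 protochain 58` walks the chain the way icmpv6_type does, at the cost of a more expensive BPF program.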
FOR RUNTIME STATISTICS:
tshark -i any -n -q -z 'io,stat,0,FRAMES()tcp.port==389,FRAMES()tcp.port==88,FRAMES()udp.port==53'
TCP NOTES
The ACK number sent back for a packet is that packet's sequence number plus its data length.
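Worked out in code, as an added example that is not from the original notes: the rule above, with the one caveat a capture reader trips over (SYN and FIN each consume a sequence number though they carry no data), and the arithmetic done modulo 2^32 as with the absolute numbers -S prints. Segments are constructed inline.

```python
import struct

FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10

def parse_tcp(segment):
    """Parse a raw TCP segment (header + payload, no IP header) into
    (seq, flags, payload_len). Honours the data offset so options are skipped."""
    seq, = struct.unpack_from('!I', segment, 4)
    offset_flags, = struct.unpack_from('!H', segment, 12)
    data_offset = (offset_flags >> 12) * 4
    return seq, offset_flags & 0x1FF, len(segment) - data_offset

def expected_ack(segment):
    """The ACK the peer answers with: seq + payload length, plus one for SYN
    and one for FIN, each of which consumes a sequence number without data."""
    seq, flags, plen = parse_tcp(segment)
    return (seq + plen + bool(flags & SYN) + bool(flags & FIN)) & 0xFFFFFFFF

def tcp_segment(seq, flags, payload=b'', sport=51234, dport=3389, ack=0):
    # Constructed 20-byte header, no options; checksum and urgent pointer left zero.
    hdr = struct.pack('!HHIIHHHH', sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    return hdr + payload

if __name__ == "__main__":
    # One side of a handshake, a 50-byte push and a FIN, as seen with tcpdump -S.
    segments = (("SYN", tcp_segment(1000, SYN)),
                ("PSH/ACK 50 bytes", tcp_segment(1001, PSH | ACK, b'A' * 50)),
                ("FIN/ACK", tcp_segment(1051, FIN | ACK)))
    for name, seg in segments:
        print(f"{name}: peer acks {expected_ack(seg)}")
```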
TCP CONGESTION CONTROL ALGORITHMS (Reno, Cubic, Tahoe and, more recently, BBR, Vegas, Westwood): https://medium.com/@atoonk/tcp-bbr-exploring-tcp-congestion-control-84c9c11dc3a9
To test performance:
tc qdisc replace dev enp0s20f0 root netem loss 1.5% latency 70ms   # introduces some latency and packet loss
WINDOWING:
When a port is not available and the connection is rejected, an ICMP unreachable message is sent and then a TCP RST packet.
TCP OPTIMIZATION
https://www.extrahop.com/company/blog/2016/tcp-nodelay-nagle-quickack-best-practices/
- NAGLE: the aim is to reduce the number of small packets sent over the network: fill up the truck instead of sending it with just one box. Because of the interaction between Nagle's algorithm and delayed ACKs (below), Nagle's algorithm is undesirable in highly interactive environments.
- Delayed ACK: is basically a bet taken by the destination, of 200 - 500 ms, that a new packet will arrive before the delayed-ACK timer expires so that a single ACK can cover both. Nagle's algorithm effectively allows only one small packet to be in transit on the network at any given time, so combined with delayed ACKs it holds back traffic.