Posted: . At: 2:40 PM. This was 10 years ago. Post ID: 6998

How to use ipgrab to capture TCP packets that are travelling through a network interface.

The ipgrab command, when run as root, is very useful for capturing information about the network packets traveling through your network interfaces. In this example I am capturing packets from my wlan0 interface.

ubuntu ~ $ sudo ipgrab -i eth0 > capture.log
ipgrab 0.9.10
Listening on device eth0 (ethernet)

Here is a sample of the captured data. This is what you will end up with in your capture.log file.

**************************************************************************
                        Ethernet
                        Mon Feb 24 14:10:10 2014
 --------------------------------------------------------------------------
Hardware source:        4c:0f:6e:5d:e1:25
Hardware destination:   84:c9:b2:bd:c2:e7
Type / Length:          0x800 (IP)
Media length:           76
--------------------------------------------------------------------------
                        IP Header
--------------------------------------------------------------------------
Version:                4
Header length:          5 (20 bytes)
TOS:                    0x00
Total length:           62
Identification:         377
Fragmentation offset:   0
Unused bit:             0
Don't fragment bit:     1
More fragments bit:     0
Time to live:           64
Protocol:               17 (UDP)
Header checksum:        46560
Source address:         192.168.1.4
Destination address:    192.168.1.1
--------------------------------------------------------------------------
                        UDP Header
--------------------------------------------------------------------------
Source port:            40254 (unknown)
Destination port:       53 (DNS)
Length:                 42
Checksum:               22576
--------------------------------------------------------------------------
                        DNS Header
--------------------------------------------------------------------------
Identification:         31874
Flag query/response:    0 (query)
Flag opcode:            0 (standard)
Flag auth answer:       0
Flag trunctated:        0
Flag recursion desired: 0
Flag recursion availab: 0
Flag zero:              0
Flag return code:       1 (format error)
# of questions:         1
# of answers:           0
# of authorization RRs: 0
# of additional RRs:    0
Query:                  start.ubuntu.com
  Query type:           1 (A - IP address)
  Query class:          1 (Internet)
**************************************************************************
                        Ethernet
                        Mon Feb 24 14:10:10 2014
 --------------------------------------------------------------------------
Hardware source:        4c:0f:6e:5d:e1:25
Hardware destination:   84:c9:b2:bd:c2:e7
Type / Length:          0x800 (IP)
Media length:           76
--------------------------------------------------------------------------
                        IP Header
--------------------------------------------------------------------------
Version:                4
Header length:          5 (20 bytes)
TOS:                    0x00
Total length:           62
Identification:         378
Fragmentation offset:   0
Unused bit:             0
Don't fragment bit:     1
More fragments bit:     0
Time to live:           64
Protocol:               17 (UDP)
Header checksum:        46559
Source address:         192.168.1.4
Destination address:    192.168.1.1
--------------------------------------------------------------------------
                        UDP Header
--------------------------------------------------------------------------
Source port:            29522 (unknown)
Destination port:       53 (DNS)
Length:                 42
Checksum:               1279
--------------------------------------------------------------------------
                        DNS Header
--------------------------------------------------------------------------
Identification:         63876
Flag query/response:    0 (query)
Flag opcode:            0 (standard)
Flag auth answer:       0
Flag trunctated:        0
Flag recursion desired: 0
Flag recursion availab: 0
Flag zero:              0
Flag return code:       1 (format error)
# of questions:         1
# of answers:           0
# of authorization RRs: 0
# of additional RRs:    0
Query:                  start.ubuntu.com
  Query type:           28 (AAAA - IPv6 address)
  Query class:          1 (Internet)
**************************************************************************
                        Ethernet
                        Mon Feb 24 14:10:10 2014
 --------------------------------------------------------------------------
Hardware source:        84:c9:b2:bd:c2:e7
Hardware destination:   4c:0f:6e:5d:e1:25
Type / Length:          0x800 (IP)
Media length:           92
--------------------------------------------------------------------------
                        IP Header
--------------------------------------------------------------------------
Version:                4
Header length:          5 (20 bytes)
TOS:                    0x00
Total length:           78
Identification:         0
Fragmentation offset:   0
Unused bit:             0
Don't fragment bit:     1
More fragments bit:     0
Time to live:           64
Protocol:               17 (UDP)
Header checksum:        46921
Source address:         192.168.1.1
Destination address:    192.168.1.4
--------------------------------------------------------------------------
                        UDP Header
--------------------------------------------------------------------------
Source port:            53 (DNS)
Destination port:       40254 (unknown)
Length:                 58
Checksum:               24814
--------------------------------------------------------------------------
                        DNS Header
--------------------------------------------------------------------------
Identification:         31874
Flag query/response:    0 (query)
Flag opcode:            0 (standard)
Flag auth answer:       0
Flag trunctated:        0
Flag recursion desired: 1
Flag recursion availab: 1
Flag zero:              0
Flag return code:       0 (no error)
# of questions:         1
# of answers:           1
# of authorization RRs: 0
# of additional RRs:    0
Query:                  start.ubuntu.com
  Query type:           1 (A - IP address)
  Query class:          1 (Internet)
Answers:                start.ubuntu.com
  Query type:           1 (A - IP address)
  Query class:          1 (Internet)
  TTL:                  552
  Resource data length: 4
  Resource data:        91.189.90.40
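As an added example (not part of the original post), here is a small Python parser for the log format ipgrab writes above. It splits the file into packets, keeps each field under its section header, and pairs every DNS query with its reply by transaction ID, so lookups that never received an answer stand out. The record builder and its sample values are constructed to mirror the capture shown; the field names are the ones ipgrab prints.

```python
# Added example (not from the post): parse ipgrab's text log and pair DNS queries with replies.
import re
FIELD = re.compile(r"^\s*([^:]+?):\s+(\S.*?)\s*$")  # matches 'Key:   value' lines

def rec(src, dst, sport, dport, tid, name, answer=None):
    """Constructed record in ipgrab's layout (see the capture above), trimmed to the fields used."""
    kv = lambda k, v: f"{k + ':':<24}{v}"
    hdr = lambda t: " " * 24 + t
    lines = ["*" * 74, hdr("Ethernet"), hdr("Mon Feb 24 14:10:10 2014"), "-" * 74,
             hdr("IP Header"), "-" * 74, kv("Identification", "377"), kv("Source address", src),
             kv("Destination address", dst), hdr("UDP Header"), kv("Source port", sport),
             kv("Destination port", dport), hdr("DNS Header"), kv("Identification", tid), kv("Query", name)]
    if answer:
        lines += [kv("Answers", name), kv("  Resource data", answer)]
    return "\n".join(lines)

SAMPLE_LOG = "\n".join([  # constructed: two queries from the host, one reply from the resolver
    rec("192.168.1.4", "192.168.1.1", "40254 (unknown)", "53 (DNS)", "31874", "start.ubuntu.com"),
    rec("192.168.1.4", "192.168.1.1", "29522 (unknown)", "53 (DNS)", "63876", "start.ubuntu.com"),
    rec("192.168.1.1", "192.168.1.4", "53 (DNS)", "40254 (unknown)", "31874", "start.ubuntu.com", "91.189.90.40"),
])

def parse_ipgrab(text):
    """Split a log into packets; each is a dict of 'Section.Key' -> value (first occurrence wins)."""
    packets = []
    for block in re.split(r"^\*{10,}\s*$", text, flags=re.M):
        pkt, section = {}, None
        for line in block.splitlines():
            s, m = line.strip(), FIELD.match(line)
            if m:                                   # 'Key:   value' inside the current section
                pkt.setdefault(f"{section}.{m.group(1).strip()}", m.group(2))
            elif ":" in s:                          # the timestamp printed under 'Ethernet'
                pkt["time"] = s
            elif s and set(s) != {"-"}:             # a centred header such as 'IP Header'
                section = s
        if pkt:
            packets.append(pkt)
    return packets

def dns_transactions(packets):
    """Map (transaction id, name) -> answer data, or None when no reply was captured."""
    txns = {}
    for p in [q for q in packets if "DNS Header.Identification" in q]:
        key = (p["DNS Header.Identification"], p["DNS Header.Query"])
        # Direction is taken from the port: the capture above prints 'query' for the reply too.
        if p.get("UDP Header.Source port", "").startswith("53 "):
            txns[key] = p.get("DNS Header.Resource data")
        else:
            txns.setdefault(key, None)
    return txns
```

Run it against a real capture with `dns_transactions(parse_ipgrab(open("capture.log").read()))`; in the sample above the AAAA query (ID 63876) comes back as None because no reply for it was captured.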

Wireshark is another very useful application for capturing packets that are traveling across your network. It lets you see what is actually happening when a particular network application is running.

But the ipgrab utility is very useful for finding out what is happening on your network.
