How to use ipgrab to capture TCP packets that are travelling through a network interface.

Posted: February 24, 2014, at 2:40 PM. Post ID: 6998

How to use ipgrab to capture TCP packets.

The ipgrab command, run as root, captures the packets passing through a network interface and prints a decoded dump of each layer's headers (Ethernet, IP, UDP and the application protocol it recognises, DNS in the sample below). In this example I am capturing packets from the eth0 interface and redirecting the output to a file.

ubuntu ~ $ sudo ipgrab -i eth0 > capture.log
ipgrab 0.9.10
Listening on device eth0 (ethernet)

Here is a sample of the captured data; this is what you will end up with in your capture.log file. Each packet is delimited by a line of asterisks, and the sample happens to be DNS over UDP: two queries for start.ubuntu.com (an A and an AAAA lookup) from 192.168.1.4 to the resolver at 192.168.1.1, followed by the A-record answer 91.189.90.40.

**************************************************************************
                        Ethernet
                        Mon Feb 24 14:10:10 2014
 --------------------------------------------------------------------------
Hardware source:        4c:0f:6e:5d:e1:25
Hardware destination:   84:c9:b2:bd:c2:e7
Type / Length:          0x800 (IP)
Media length:           76
--------------------------------------------------------------------------
                        IP Header
--------------------------------------------------------------------------
Version:                4
Header length:          5 (20 bytes)
TOS:                    0x00
Total length:           62
Identification:         377
Fragmentation offset:   0
Unused bit:             0
Don't fragment bit:     1
More fragments bit:     0
Time to live:           64
Protocol:               17 (UDP)
Header checksum:        46560
Source address:         192.168.1.4
Destination address:    192.168.1.1
--------------------------------------------------------------------------
                        UDP Header
--------------------------------------------------------------------------
Source port:            40254 (unknown)
Destination port:       53 (DNS)
Length:                 42
Checksum:               22576
--------------------------------------------------------------------------
                        DNS Header
--------------------------------------------------------------------------
Identification:         31874
Flag query/response:    0 (query)
Flag opcode:            0 (standard)
Flag auth answer:       0
Flag trunctated:        0
Flag recursion desired: 0
Flag recursion availab: 0
Flag zero:              0
Flag return code:       1 (format error)
# of questions:         1
# of answers:           0
# of authorization RRs: 0
# of additional RRs:    0
Query:                  start.ubuntu.com
  Query type:           1 (A - IP address)
  Query class:          1 (Internet)
**************************************************************************
                        Ethernet
                        Mon Feb 24 14:10:10 2014
 --------------------------------------------------------------------------
Hardware source:        4c:0f:6e:5d:e1:25
Hardware destination:   84:c9:b2:bd:c2:e7
Type / Length:          0x800 (IP)
Media length:           76
--------------------------------------------------------------------------
                        IP Header
--------------------------------------------------------------------------
Version:                4
Header length:          5 (20 bytes)
TOS:                    0x00
Total length:           62
Identification:         378
Fragmentation offset:   0
Unused bit:             0
Don't fragment bit:     1
More fragments bit:     0
Time to live:           64
Protocol:               17 (UDP)
Header checksum:        46559
Source address:         192.168.1.4
Destination address:    192.168.1.1
--------------------------------------------------------------------------
                        UDP Header
--------------------------------------------------------------------------
Source port:            29522 (unknown)
Destination port:       53 (DNS)
Length:                 42
Checksum:               1279
--------------------------------------------------------------------------
                        DNS Header
--------------------------------------------------------------------------
Identification:         63876
Flag query/response:    0 (query)
Flag opcode:            0 (standard)
Flag auth answer:       0
Flag trunctated:        0
Flag recursion desired: 0
Flag recursion availab: 0
Flag zero:              0
Flag return code:       1 (format error)
# of questions:         1
# of answers:           0
# of authorization RRs: 0
# of additional RRs:    0
Query:                  start.ubuntu.com
  Query type:           28 (AAAA - IPv6 address)
  Query class:          1 (Internet)
**************************************************************************
                        Ethernet
                        Mon Feb 24 14:10:10 2014
 --------------------------------------------------------------------------
Hardware source:        84:c9:b2:bd:c2:e7
Hardware destination:   4c:0f:6e:5d:e1:25
Type / Length:          0x800 (IP)
Media length:           92
--------------------------------------------------------------------------
                        IP Header
--------------------------------------------------------------------------
Version:                4
Header length:          5 (20 bytes)
TOS:                    0x00
Total length:           78
Identification:         0
Fragmentation offset:   0
Unused bit:             0
Don't fragment bit:     1
More fragments bit:     0
Time to live:           64
Protocol:               17 (UDP)
Header checksum:        46921
Source address:         192.168.1.1
Destination address:    192.168.1.4
--------------------------------------------------------------------------
                        UDP Header
--------------------------------------------------------------------------
Source port:            53 (DNS)
Destination port:       40254 (unknown)
Length:                 58
Checksum:               24814
--------------------------------------------------------------------------
                        DNS Header
--------------------------------------------------------------------------
Identification:         31874
Flag query/response:    0 (query)
Flag opcode:            0 (standard)
Flag auth answer:       0
Flag trunctated:        0
Flag recursion desired: 1
Flag recursion availab: 1
Flag zero:              0
Flag return code:       0 (no error)
# of questions:         1
# of answers:           1
# of authorization RRs: 0
# of additional RRs:    0
Query:                  start.ubuntu.com
  Query type:           1 (A - IP address)
  Query class:          1 (Internet)
Answers:                start.ubuntu.com
  Query type:           1 (A - IP address)
  Query class:          1 (Internet)
  TTL:                  552
  Resource data length: 4
  Resource data:        91.189.90.40

Wireshark is another very useful application for capturing TCP packets that are traveling across your network, with a graphical interface for following a conversation. It lets you see what is actually happening on the wire when a particular network application is running.

But the ipgrab utility is very useful for finding out what is happening on your network.
