How to use ipgrab to capture TCP packets.
The ipgrab command, when run as root, is very useful for capturing information about the network packets travelling through your network interfaces. In this example I am capturing packets from my eth0 interface and redirecting the decoded output to a file.
ubuntu ~ $ sudo ipgrab -i eth0 > capture.log
ipgrab 0.9.10
Listening on device eth0 (ethernet)
Here is a sample of the captured data. This is what you will end up with in your capture.log file: one record per packet, separated by a line of asterisks, with the Ethernet, IP, UDP and DNS headers decoded field by field. Note that ipgrab prints every header field literally, so read the DNS flags with care: the third packet below is the server's reply (it carries an answer record for start.ubuntu.com) even though its "Flag query/response" line still reads "query".
**************************************************************************
Ethernet Mon Feb 24 14:10:10 2014
--------------------------------------------------------------------------
Hardware source: 4c:0f:6e:5d:e1:25
Hardware destination: 84:c9:b2:bd:c2:e7
Type / Length: 0x800 (IP)
Media length: 76
--------------------------------------------------------------------------
IP Header
--------------------------------------------------------------------------
Version: 4
Header length: 5 (20 bytes)
TOS: 0x00
Total length: 62
Identification: 377
Fragmentation offset: 0
Unused bit: 0
Don't fragment bit: 1
More fragments bit: 0
Time to live: 64
Protocol: 17 (UDP)
Header checksum: 46560
Source address: 192.168.1.4
Destination address: 192.168.1.1
--------------------------------------------------------------------------
UDP Header
--------------------------------------------------------------------------
Source port: 40254 (unknown)
Destination port: 53 (DNS)
Length: 42
Checksum: 22576
--------------------------------------------------------------------------
DNS Header
--------------------------------------------------------------------------
Identification: 31874
Flag query/response: 0 (query)
Flag opcode: 0 (standard)
Flag auth answer: 0
Flag trunctated: 0
Flag recursion desired: 0
Flag recursion availab: 0
Flag zero: 0
Flag return code: 1 (format error)
# of questions: 1
# of answers: 0
# of authorization RRs: 0
# of additional RRs: 0
Query: start.ubuntu.com
Query type: 1 (A - IP address)
Query class: 1 (Internet)
**************************************************************************
Ethernet Mon Feb 24 14:10:10 2014
--------------------------------------------------------------------------
Hardware source: 4c:0f:6e:5d:e1:25
Hardware destination: 84:c9:b2:bd:c2:e7
Type / Length: 0x800 (IP)
Media length: 76
--------------------------------------------------------------------------
IP Header
--------------------------------------------------------------------------
Version: 4
Header length: 5 (20 bytes)
TOS: 0x00
Total length: 62
Identification: 378
Fragmentation offset: 0
Unused bit: 0
Don't fragment bit: 1
More fragments bit: 0
Time to live: 64
Protocol: 17 (UDP)
Header checksum: 46559
Source address: 192.168.1.4
Destination address: 192.168.1.1
--------------------------------------------------------------------------
UDP Header
--------------------------------------------------------------------------
Source port: 29522 (unknown)
Destination port: 53 (DNS)
Length: 42
Checksum: 1279
--------------------------------------------------------------------------
DNS Header
--------------------------------------------------------------------------
Identification: 63876
Flag query/response: 0 (query)
Flag opcode: 0 (standard)
Flag auth answer: 0
Flag trunctated: 0
Flag recursion desired: 0
Flag recursion availab: 0
Flag zero: 0
Flag return code: 1 (format error)
# of questions: 1
# of answers: 0
# of authorization RRs: 0
# of additional RRs: 0
Query: start.ubuntu.com
Query type: 28 (AAAA - IPv6 address)
Query class: 1 (Internet)
**************************************************************************
Ethernet Mon Feb 24 14:10:10 2014
--------------------------------------------------------------------------
Hardware source: 84:c9:b2:bd:c2:e7
Hardware destination: 4c:0f:6e:5d:e1:25
Type / Length: 0x800 (IP)
Media length: 92
--------------------------------------------------------------------------
IP Header
--------------------------------------------------------------------------
Version: 4
Header length: 5 (20 bytes)
TOS: 0x00
Total length: 78
Identification: 0
Fragmentation offset: 0
Unused bit: 0
Don't fragment bit: 1
More fragments bit: 0
Time to live: 64
Protocol: 17 (UDP)
Header checksum: 46921
Source address: 192.168.1.1
Destination address: 192.168.1.4
--------------------------------------------------------------------------
UDP Header
--------------------------------------------------------------------------
Source port: 53 (DNS)
Destination port: 40254 (unknown)
Length: 58
Checksum: 24814
--------------------------------------------------------------------------
DNS Header
--------------------------------------------------------------------------
Identification: 31874
Flag query/response: 0 (query)
Flag opcode: 0 (standard)
Flag auth answer: 0
Flag trunctated: 0
Flag recursion desired: 1
Flag recursion availab: 1
Flag zero: 0
Flag return code: 0 (no error)
# of questions: 1
# of answers: 1
# of authorization RRs: 0
# of additional RRs: 0
Query: start.ubuntu.com
Query type: 1 (A - IP address)
Query class: 1 (Internet)
Answers: start.ubuntu.com
Query type: 1 (A - IP address)
Query class: 1 (Internet)
TTL: 552
Resource data length: 4
Resource data: 91.189.90.40
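A capture.log like the one above is verbose, so the usual next step is to reduce it to one line per packet (who talked to whom, and for DNS, what was asked and answered). The script below is an added example, not ipgrab's own code or part of the original post; it assumes the record separator and "Name: value" field layout of ipgrab 0.9.10 exactly as printed above, and runs on a constructed sample in that format.

```python
# Added example, not ipgrab's own code: reduce ipgrab's text output (layout shown above)
# to one line per packet. Assumes the field names and separators of ipgrab 0.9.10.
import re
SAMPLE_LOG = """\
**************************************************************************
Ethernet Mon Feb 24 14:10:10 2014
--------------------------------------------------------------------------
Protocol: 17 (UDP)
Source address: 192.168.1.4
Destination address: 192.168.1.1
Source port: 40254 (unknown)
Destination port: 53 (DNS)
Query: start.ubuntu.com
**************************************************************************
Ethernet Mon Feb 24 14:10:10 2014
--------------------------------------------------------------------------
Protocol: 17 (UDP)
Source address: 192.168.1.1
Destination address: 192.168.1.4
Source port: 53 (DNS)
Destination port: 40254 (unknown)
Query: start.ubuntu.com
Query type: 1 (A - IP address)
Answers: start.ubuntu.com
Query type: 1 (A - IP address)
Resource data: 91.189.90.40
"""  # constructed sample in ipgrab's format, trimmed to the fields the parser uses
RECORD_SEP = re.compile(r"^\*{20,}\s*$", re.MULTILINE)
FIELD = re.compile(r"^([^:]+?):\s*(.*)$")  # the first colon splits name from value
def parse_record(block):
    """One record -> dict; first occurrence of a name wins (the question's 'Query type' is kept)."""
    fields = {}
    for line in block.splitlines():
        if line.startswith("Ethernet "):   # timestamp line is not in 'name: value' form
            fields.setdefault("Timestamp", line[9:].strip())
        elif (m := FIELD.match(line)):
            fields.setdefault(m.group(1).strip(), m.group(2).strip())
    return fields
def parse_ipgrab(text):
    """All records of a capture.log in order; empty chunks between separators are skipped."""
    return [r for r in map(parse_record, RECORD_SEP.split(text)) if r]
def summarize(rec):
    """'time src:port -> dst:port PROTO', plus DNS name and answer when present."""
    port = lambda v: v.split()[0]          # "53 (DNS)" -> "53"
    proto = rec["Protocol"].rsplit("(", 1)[-1].rstrip(")")   # "17 (UDP)" -> "UDP"
    s = "%s %s:%s -> %s:%s %s" % (rec["Timestamp"], rec["Source address"], port(rec["Source port"]),
                                  rec["Destination address"], port(rec["Destination port"]), proto)
    if "Query" in rec:
        s += " DNS " + rec["Query"] + (" = " + rec["Resource data"] if "Resource data" in rec else "")
    return s
```

Run it over a real capture.log with `for rec in parse_ipgrab(open("capture.log").read()): print(summarize(rec))` to get a compact timeline of which host queried which name and what the resolver returned.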
Wireshark is another very useful application for capturing the packets travelling across your network, and its graphical decoder makes it easy to see what is actually happening while a particular network application is running.
The ipgrab utility, though, is a quick command-line way to find out what is happening on your network, and its plain-text output is easy to keep in a file and search later.