Capturing and viewing TCP/IP packets (over ethernet)...

Post by Bill Pa » Wed, 15 Apr 1998 04:00:00



Daring to challenge the will of the almighty Leviam00se,

: The question about capturing and viewing packets is very common I'm sure, but
: I need to know more than what snoop on Solaris seems to be giving me.

: For example, I wanted to see why I was having authentication trouble with
: samba between a Win95 PC and my Solaris host.  Without seeing the contents of
: a packet, I can't tell exactly what's going on using snoop.  I can only see
: the headers of the packet and whether or not they were received.  With tcpdump
: I can capture raw packets, but from looking at the man page, I can't view the
: contents - again just the headers...

: Is there anything (noncommercial) for Solaris or some sources that may compile
: on Solaris that'll let me look at the contents of a packet and not just the
: header?  I wouldn't mind if there was some tool that used tcpdump's raw packet
: capture...

You're not reading the tcpdump man page correctly. Tcpdump by default only
captures a small amount of the packet since typically most people only want
to see the header, but you can specify a larger size if you want. You can
also specify -x to dump the packet contents in hexadecimal. So if you want to
display, say, at least 256 bytes of each packet, then use:

# tcpdump -x -s 256

You can also dump the raw packet contents to a file and then use tcpdump
to 'replay' the file contents later. In effect, it 'captures' the data
from the file just like it did originally from the network.

Alternatively, you can write your own program using the libpcap library,
which is what tcpdump uses. You can get libpcap from:

ftp://ftp.ee.lbl.gov/libpcap.tar.Z

It happens that _UNIX Network Programming, 2nd Edition_ by W. Richard
Stevens has a section that explains how libpcap works and presents sample
code that uses it. It's really pretty straightforward. Libpcap also works
on SunOS, HP-UX 10.20, IRIX, AIX 4 (using BPF) in addition to Solaris.
It also knows about certain non-ethernet devices on Solaris as well (I've
used it with Fore ATM adapters).

-Bill

--
=============================================================================
-Bill Paul            (212) 854-6020 | System Manager, Master of Unix-Fu


=============================================================================
  "Now, that's "Open" as used in the sentence "Open your wallet", right?"
=============================================================================


Capturing and viewing TCP/IP packets (over ethernet)...

Post by Paul Youn » Wed, 15 Apr 1998 04:00:00



> The question about capturing and viewing packets is very common I'm sure, but
> I need to know more than what snoop on Solaris seems to be giving me.

> For example, I wanted to see why I was having authentication trouble with
> samba between a Win95 PC and my Solaris host.  Without seeing the contents of
> a packet, I can't tell exactly what's going on using snoop.  I can only see
> the headers of the packet and whether or not they were received.  With tcpdump
> I can capture raw packets, but from looking at the man page, I can't view the
> contents - again just the headers...

> Is there anything (noncommercial) for Solaris or some sources that may compile
> on Solaris that'll let me look at the contents of a packet and not just the
> header?  I wouldn't mind if there was some tool that used tcpdump's raw packet
> capture...

To the best of my knowledge, you have three options:

1.  Have tcpdump write the packet data to a file and try to make some sense out
of the hex data (which would involve knowing more about the protocol than most
would care to).

2.  Use tools specifically designed to debug the target protocol.  I'm not aware
of any that would work with SMB, but maybe the samba tools could somehow help you
with the problem.

3.  Write a program to interpret the hex data from tcpdump.  This would also
involve knowing the details of the SMB protocol, as well as some extra time to
put together the piece of software.  I read a paper by a guy who did something
similar with the nfs protocol:  He did filesystem access profiling using tcpdump
to get the necessary data and some sed and awk magic to interpret the data.  In
theory a SMB protocol viewer could be a very useful tool, if someone takes the
time to write it.

Sorry I can't provide any references to existing programs that can be used to
solve your problem.

Paul Young


Capturing and viewing TCP/IP packets (over ethernet)...

Post by Tim Whi » Thu, 16 Apr 1998 04:00:00



>The question about capturing and viewing packets is very common I'm sure, but
>I need to know more than what snoop on Solaris seems to be giving me.

>For example, I wanted to see why I was having authentication trouble with
>samba between a Win95 PC and my Solaris host.  Without seeing the contents of
>a packet, I can't tell exactly what's going on using snoop.  I can only see
>the headers of the packet and whether or not they were received.  With tcpdump
>I can capture raw packets, but from looking at the man page, I can't view the
>contents - again just the headers...

You should definitely jump over to comp.protocols.smb and ask your question
(similar questions are asked about 3 times every day). Better yet, read the
samba documentation...there's a short debugging list on basic connectivity.
Or read the Tracing.txt file, which tells you how to trace the system calls on
the Solaris side of the conversation. Or put nmbd/smbd in debugging mode and
that will generate REAMS of output telling you about the smb conversation.
There's a ton of online info in the source tree under 'docs'.

I think 'snoop'ing the conversation will give you some info but it'd take a
lot longer and you'd probably have to understand the smb protocols and how to
eliminate background noise.

------------------------------------------------------------------------
Tim White                       Open Systems Administrative Services

(803)-561-6464                  Columbia, SC 29211        

Remove the X's to email.


Capturing and viewing TCP/IP packets (over ethernet)...

Post by David S. Goldbe » Thu, 16 Apr 1998 04:00:00



according to the man page).  I don't recall where I got it from though
I think it was in a comp.sources.somethingorother posting.  It is
quite useful.  It reads the output of tcpdump -enx and provides a nice
view of the data.  I don't know if it will help in the case of smb
since I don't know the format of that data, but for protocols that
send ASCII messages it is a great tool.

Dave Goldberg
Post: The Mitre Corporation\MS B305\202 Burlington Rd.\Bedford, MA 01730
Phone: 781-271-3887
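Bill Paul's reply above (a larger -s, -x for a hex dump, and writing the raw packets to a file that tcpdump can replay) and the hex-to-ASCII viewer Dave Goldberg describes both come down to the libpcap savefile format. The C program below is an added example for this page, not code from the thread, from tcpdump or from libpcap: it reads a savefile of the kind "tcpdump -w" writes (magic 0xa1b2c3d4 in the writer's byte order, then 16-byte record headers carrying the captured and original lengths), decodes the Ethernet, IPv4 and TCP headers, hex/ASCII-dumps the TCP payload, and flags every record whose captured length is shorter than its original length, which is exactly what a too-small snaplen produces. The capture it parses is constructed in memory by build_and_parse(): the MAC addresses, 192.168.1.10/.20, ports 1024 and 21 and the "USER alice" payload are made up for the demonstration, and the function names are this example's own. It verifies no checksums.

```c
/* Added example (not code from this thread, tcpdump or libpcap): parse a libpcap savefile,
 * decode Ethernet/IPv4/TCP and hex/ASCII-dump the payload. The capture is constructed in memory. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct pkt {
    uint32_t caplen, origlen;    /* bytes captured vs. bytes that were on the wire */
    int truncated;               /* caplen < origlen: the -s snaplen was too small */
    uint16_t sport, dport;
    const uint8_t *payload; size_t paylen;   /* TCP payload inside the captured bytes */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p, int big)  /* savefile integers use the writer's byte order */
{
    return big ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | p[2] << 8 | p[3]
               : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | p[1] << 8 | p[0];
}

/* Decode one record (16-byte header + caplen bytes); returns bytes consumed, 0 if short. */
static size_t parse_record(const uint8_t *rec, size_t avail, int big, struct pkt *o)
{
    if (avail < 16) return 0;
    memset(o, 0, sizeof *o);
    o->caplen = rd32(rec + 8, big), o->origlen = rd32(rec + 12, big);
    if (o->caplen > avail - 16) return 0;
    o->truncated = o->caplen < o->origlen;
    const uint8_t *p = rec + 16, *end = p + o->caplen, *ipend;
    size_t used = 16 + o->caplen, ihl, thl;
    if (end - p < 34 || be16(p + 12) != 0x0800 || (p[14] >> 4) != 4) return used;   /* not IPv4 */
    p += 14, ihl = (size_t)(p[0] & 0x0f) * 4;
    ipend = p + be16(p + 2);                      /* IP total length: drops Ethernet padding */
    if (ipend > end) ipend = end;                 /* datagram cut by the snaplen: trust caplen */
    if (ihl < 20 || (size_t)(ipend - p) < ihl + 20 || p[9] != 6) return used;       /* not TCP */
    p += ihl, thl = (size_t)(p[12] >> 4) * 4;     /* TCP data offset */
    o->sport = be16(p), o->dport = be16(p + 2);
    if (thl < 20 || (size_t)(ipend - p) < thl) return used;
    o->payload = p + thl, o->paylen = (size_t)(ipend - o->payload);
    return used;
}

/* Walk a savefile held in memory; returns packet count, -1 on a bad file header. */
static int parse_pcap(const uint8_t *buf, size_t len, struct pkt *out, int max)
{
    int n = 0, big = len >= 24 && !memcmp(buf, "\xa1\xb2\xc3\xd4", 4);   /* big-endian writer */
    size_t off = 24, used;
    if (len < 24 || (!big && memcmp(buf, "\xd4\xc3\xb2\xa1", 4))) return -1;  /* bad magic */
    if (rd32(buf + 20, big) != 1) return -1;                       /* link type 1 = Ethernet */
    while (n < max && (used = parse_record(buf + off, len - off, big, &out[n])) != 0)
        off += used, n++;
    return n;
}

static void hexdump(const uint8_t *d, size_t n)   /* 16 bytes per line: hex, then printable ASCII */
{
    for (size_t i = 0; i < n; i += 16) {
        printf("  %04zx ", i);
        for (size_t j = 0; j < 16; j++) i + j < n ? printf("%02x ", d[i + j]) : printf("   ");
        putchar(' ');
        for (size_t j = 0; j < 16 && i + j < n; j++) putchar(isprint(d[i + j]) ? d[i + j] : '.');
        putchar('\n');
    }
}

/* Constructed sample frame: 192.168.1.10:1024 -> 192.168.1.20:21, PSH/ACK, "USER alice\r\n". */
static const uint8_t frame[66] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x34,0x00,0x01,0x40,0x00,0x40,0x06,0x00,0x00, 0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x14,
    0x04,0x00,0x00,0x15, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x02, 0x50,0x18,0x20,0x00, 0x00,0x00,0x00,0x00,
    'U','S','E','R',' ','a','l','i','c','e','\r','\n' };
static void put32le(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Write a little-endian savefile holding the frame twice (whole, then cut to 60 bytes as a
 * snaplen of 60 would cut it), parse it back and return the number of packets found. */
static int build_and_parse(struct pkt *out, int max)
{
    static uint8_t file[256] = { 0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0 };
    size_t off = 24;
    for (uint32_t cl = 66; cl >= 60; cl -= 6) {       /* record: ts_sec, ts_usec, incl_len, orig_len */
        put32le(file + off, 892598400), put32le(file + off + 4, 0);
        put32le(file + off + 8, cl), put32le(file + off + 12, 66);
        memcpy(file + off + 16, frame, cl);
        off += 16 + cl;
    }
    return parse_pcap(file, off, out, max);
}

int main(void)
{
    struct pkt pk[4]; int n = build_and_parse(pk, 4);
    for (int i = 0; i < n; i++) {
        printf("port %u > %u, caplen %u of %u%s\n", (unsigned)pk[i].sport, (unsigned)pk[i].dport,
               pk[i].caplen, pk[i].origlen, pk[i].truncated ? " [truncated: raise -s]" : "");
        hexdump(pk[i].payload, pk[i].paylen);
    }
    return n != 2;
}
```

To use it on a real capture, replace build_and_parse() with reading a file written by tcpdump -w into the buffer; the magic check accepts a file written on either byte order, which matters when a capture taken on a SPARC Solaris box is read on a little-endian machine. A record flagged truncated is the case the reply above fixes with a larger -s: the bytes past caplen were never captured, so no viewer, however nice, can show them afterwards.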


How to capture TCP or IP packets?

Hello, everyone,
   I want to capture TCP or IP packets at the application layer or
kernel layer! Can anyone provide me any valuable information or
URL or source code? Thanks a lot!
Anbo Peng

--
Posted via Mailgate.ORG Server - http://www.Mailgate.ORG
