Watching Ping and DNS in tcpdump

So in lesson one, you used the ping tool to test connectivity between your machine and another network host. But what's ping actually doing? There's a tool you can use to display quite a bit of detail about network traffic between hosts and networks. It's called tcpdump, and that's slightly misnamed: you can actually look at any network traffic, not just TCP. You already installed it on your machine back in lesson one. So let's take a look at the manual for it.

Holy wow, that's a lot of options. Okay, we're going to ignore most of these. The important part is that we need to tell tcpdump what traffic we want. It has its own little language for this, called the pcap-filter syntax. You can look at the pcap-filter man page for more about it. But for now, I'll just give you a really straightforward command to catch traffic that's going between your host and the host at 8.8.8.8. It's going to be: sudo tcpdump -n host 8.8.8.8

Now let's run tcpdump over here and run ping again over here. Hey, look. Packets. Now for each ping over here (there are three of them), we see two packet records over here: two messages appear from tcpdump, one after the other. Each one of these records is a description of one of the packets that ping is sending over to that machine, or one that's coming back. See, here's 8.8.8.8 and here's the IP address of my machine, and here it says that this record is an ICMP echo request (that's a ping request), and then coming back is an echo reply. An echo request is the message that ping sends; an echo reply is the one coming back. Other things agree too. For instance, the ping program tells us that it got 64 bytes, and sure enough there's "length 64". To exit tcpdump, we'll type Control-C.

You can use tcpdump to monitor traffic for any network application. For instance, if you wanted to see all the DNS requests your machine sends, you'd need to know what port DNS uses (which is port 53, by the way), and then you'd compose a line like this: sudo tcpdump -n port 53

Then if you do anything that causes a DNS lookup, like say pinging a machine by host name, you'd see the DNS traffic like so. If you look closely, here's my IP address and here's the IP address of the DNS server that I'm using, and since I pinged yahoo.com, here's an A query, or A request (the question mark means query), for yahoo.com. And then here comes back the response on the next line, with an A response, the first IP address sent back being 206.190.36.45, which is the IP address that ping is using to ping Yahoo.

Take a moment to try this yourself. Don't worry about all the other bits that tcpdump prints out, but do get a sense of where the traffic you're looking at is coming from and going to.
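As an added example that is not part of the lesson, here is a small Python parser for the two kinds of records described above: it pairs each ICMP echo request with its reply by id and sequence number, and each DNS query with its response by transaction id, so you can see at a glance which pings went unanswered and which server answered a lookup. The sample tcpdump output is constructed for this example; the addresses, ids and timestamps are made up.

```python
import re

# Constructed sample of "sudo tcpdump -n" output for the two commands in the lesson:
# ping 8.8.8.8 (seq 2 gets no reply here) and a DNS lookup for yahoo.com. Addresses are made up.
SAMPLE = """\
12:00:01.000123 IP 192.168.1.10 > 8.8.8.8: ICMP echo request, id 1234, seq 1, length 64
12:00:01.020456 IP 8.8.8.8 > 192.168.1.10: ICMP echo reply, id 1234, seq 1, length 64
12:00:02.000789 IP 192.168.1.10 > 8.8.8.8: ICMP echo request, id 1234, seq 2, length 64
12:00:05.000000 IP 192.168.1.10.51234 > 192.168.1.1.53: 31337+ A? yahoo.com. (27)
12:00:05.030000 IP 192.168.1.1.53 > 192.168.1.10.51234: 31337 3/0/0 A 206.190.36.45, A 98.138.253.109, A 98.139.183.24 (75)
"""

ICMP_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
                     r"id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)$")
DNS_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                    r"(?P<txid>\d+)(?P<flag>\+?) (?P<body>.*) \(\d+\)$")

def parse_line(line):
    """Turn one tcpdump record into a dict; None for record types this parser does not know."""
    m = ICMP_RE.match(line)
    if m:
        return {"proto": "icmp", "src": m["src"], "dst": m["dst"], "kind": m["kind"],
                "id": int(m["id"]), "seq": int(m["seq"]), "length": int(m["len"])}
    m = DNS_RE.match(line)
    if m and "53" in (m["sport"], m["dport"]):
        rec = {"proto": "dns", "src": m["src"], "dst": m["dst"], "txid": int(m["txid"])}
        if m["flag"] == "+":                          # "+" after the id marks a query (A? name)
            rec.update(kind="query", name=m["body"].split("A? ", 1)[-1].rstrip("."))
        else:                                         # response: pull out the A records
            rec.update(kind="response", answers=re.findall(r"\bA ([\d.]+)", m["body"]))
        return rec
    return None

def summarize(text):
    """Pair echo requests with replies (by id/seq) and queries with responses (by txid)."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    icmp = [r for r in recs if r["proto"] == "icmp"]
    sent = {(r["id"], r["seq"]) for r in icmp if r["kind"] == "request"}
    back = {(r["id"], r["seq"]) for r in icmp if r["kind"] == "reply"}
    lookups = {}
    for r in recs:
        if r["proto"] == "dns" and r["kind"] == "query":
            lookups[r["txid"]] = {"name": r["name"], "server": r["dst"], "answers": []}
        elif r["proto"] == "dns" and r["txid"] in lookups:   # response matched to its query
            lookups[r["txid"]]["answers"] = r["answers"]
    return {"echo_requests": len(sent), "echo_replies": len(back), "unanswered": sorted(sent - back),
            "dns": {v["name"]: v for v in lookups.values()}}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A real capture can be fed in by redirecting tcpdump's output to a file and passing its contents to summarize().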
