1
00:00:00,420 --> 00:00:07,040
tcpdump is a free, open-source, very common and fast packet analyzer that runs on the command line.

2
00:00:08,130 --> 00:00:14,010
It prints out a description of the contents of packets on a network interface that match the Boolean

3
00:00:14,010 --> 00:00:15,900
expression given as a parameter.

4
00:00:17,220 --> 00:00:19,920
tcpdump has a lot of filtering options.

5
00:00:20,550 --> 00:00:22,800
We'll discuss some of them in the next slide.

6
00:00:24,360 --> 00:00:29,700
It can be preferred to other packet analyzers, such as Wireshark, because it's so fast.

7
00:00:31,200 --> 00:00:37,170
It also supports the most common network traffic capture format, pcap; you can see the

8
00:00:37,170 --> 00:00:41,340
result as raw ASCII text in a document as well.

9
00:00:43,030 --> 00:00:44,360
So, have a look at this.

10
00:00:44,740 --> 00:00:51,910
These are some of the parameters you can use with the tcpdump command. -D or --list-interfaces

11
00:00:52,660 --> 00:00:58,540
prints the list of the network interfaces available on the system and on which tcpdump can capture

12
00:00:58,540 --> 00:00:59,140
packets.

13
00:01:00,060 --> 00:01:04,710
-i or --interface listens on the given interface.

14
00:01:05,710 --> 00:01:12,400
If unspecified, tcpdump searches the system interface list for the lowest numbered configured interface,

15
00:01:13,150 --> 00:01:17,890
excluding loopback, which may turn out to be, for example, eth0.

16
00:01:19,590 --> 00:01:27,810
-n means do not convert addresses, that is host addresses, port numbers, etc., to names.

17
00:01:29,500 --> 00:01:38,410
-v produces verbose output when parsing and printing; the more v's, the more details. -w writes the raw

18
00:01:38,410 --> 00:01:42,370
packets to the specified file rather than parsing and printing them out.

19
00:01:43,450 --> 00:01:51,820
-r reads packets from a file, which was created with the -w option or by other tools that write pcap

20
00:01:51,820 --> 00:01:53,680
or pcapng files.

21
00:01:54,940 --> 00:02:00,520
-A prints each packet in ASCII, handy for capturing web pages.

22
00:02:01,470 --> 00:02:08,220
When parsing and printing, in addition to printing the headers of each packet, capital -X prints

23
00:02:08,220 --> 00:02:11,040
the data of each packet in hex and ASCII.

24
00:02:11,910 --> 00:02:14,300
This is very handy for analyzing new protocols.

25
00:02:15,410 --> 00:02:20,690
So if you use the -x option, the data of each packet is printed in hex.

26
00:02:22,100 --> 00:02:25,910
In addition to these options, you can filter the results in several ways.

27
00:02:27,100 --> 00:02:33,400
If you would like to monitor a specific protocol such as TCP, you can use its name as the filter.

28
00:02:34,760 --> 00:02:43,070
You can capture packets to or from an endpoint residing in a network using the net filter, or use a host

29
00:02:43,070 --> 00:02:48,260
filter to see the packets of a host as the source, the destination, or either one.

30
00:02:49,910 --> 00:02:59,480
Use the port filter for TCP or UDP packets sent to or from a specified port; use portrange to listen to

31
00:02:59,480 --> 00:03:01,400
ports in any given range.

32
00:03:02,970 --> 00:03:09,810
Now, if you use src, you can see only the packets where the target system is the source

33
00:03:09,810 --> 00:03:10,450
of the packet.

34
00:03:11,040 --> 00:03:16,050
Similarly, dst is used to specify the destination system.

35
00:03:17,150 --> 00:03:24,140
So, of course, you can use more than one filter in a command and set up their relation using and and

36
00:03:24,170 --> 00:03:31,850
or as logical operators, for example, host one point one one to one and port 80.

37
00:03:33,270 --> 00:03:41,850
Now, before running several tcpdump commands, let's examine the fields of a typical tcpdump output

38
00:03:41,850 --> 00:03:42,180
row.

39
00:03:42,990 --> 00:03:46,440
The row shown in the slide is a TCP packet.

40
00:03:47,690 --> 00:03:55,220
The first field is the time when the packet arrived, with a timestamp as hour, minute, second and,

41
00:03:55,220 --> 00:03:57,200
well, the fractions of a second.

42
00:03:58,800 --> 00:04:05,010
So the second field is the protocol running atop the link layer, in this case IPv4.

43
00:04:06,080 --> 00:04:12,740
Now for IP packets, the third field is the IP address or hostname of the host sending the packet,

44
00:04:12,740 --> 00:04:16,700
along with, for TCP and UDP packets, the source port.

45
00:04:17,960 --> 00:04:25,940
The packet on the slide came from port 80 of the system 172 dot one six nine nine dot one three nine.

46
00:04:27,040 --> 00:04:33,460
Now, the fourth field is the IP address or hostname of the host receiving the packet, along with, for

47
00:04:33,460 --> 00:04:40,840
TCP and UDP packets, the destination port. Flags is the TCP segment flags field.

48
00:04:41,320 --> 00:04:45,640
The packet on the slide doesn't have any flags set other than ACK.

49
00:04:46,660 --> 00:04:49,870
ack is the acknowledgement number in the packet.

50
00:04:50,410 --> 00:04:57,550
tcpdump shows sequence and acknowledgement numbers relative to the initial sequence number by default.

51
00:04:58,750 --> 00:05:08,290
win is the source host's TCP window, and you see the options field. length is the length of the data

52
00:05:08,290 --> 00:05:11,930
in the TCP segment, which here is zero.

53
00:05:12,400 --> 00:05:15,100
So that means that no data is exchanged yet.

54
00:05:16,270 --> 00:05:22,270
Well, that's enough for now. Let's see tcpdump in action; time for hands-on.

