Tcpdump packet capture analysis in detail

Source: Internet
Author: User

I have been looking for packet capture analysis examples for a long time, but only a few are available and they are repeated endlessly. Packet capture analysis makes me feel that my basic skills are not enough; it involves too many things and there is too much to understand. The purpose of this post is to hope that everyone is willing to share the fruits of their hard work.
I suggest that everyone contribute more examples, thank you.

Tcpdump packet capture analysis in detail: http://blog.csdn.net/yeqihong/archive/2007/01/08/1477050.aspx

Using tcpdump to analyze how traceroute works [original]
http://www.0ginr.com/bbs/viewthread.php?tid=184&extra=page%3D1

Case 1: ARP fault

Symptom: A Solaris server on the LAN, A-server, has an abnormal network connection: it cannot be pinged from any host.

Troubleshooting: First check the system itself. It is working normally, no unusual processes are running, CPU and memory utilization are normal, no firewall of any kind is installed, and the network cable is fine.
At this point we use tcpdump to troubleshoot. First, run ping from host B-client to send ICMP packets to A-server:
[root@redhat log]# ping a-server
PING a-server from b-client: 56 bytes of data.
At the same time, start tcpdump on A-server to capture the packets coming from B-client:
a-server# tcpdump host b-client
tcpdump: listening on hme0
16:32:32.611251 arp who-has a-server tell b-client
16:32:33.611425 arp who-has a-server tell b-client
16:32:34.611623 arp who-has a-server tell b-client
Instead of the expected ICMP echo requests, we captured ARP broadcasts from B-client: B-client cannot resolve A-server's MAC address with ARP, so it keeps asking for it. The problem is therefore very likely at the link layer. First check the ARP table on A-server:
a-server# arp -a
Net to Media Table
Device   IP Address               Mask             Flags   Phys Addr
------   --------------------     ---------------  -----   ---------------
hme0     netgate                  255.255.255.255          00:90:6d:f2:24:00
hme0     a-server                 255.255.255.255  S       00:03:ba:08:b2:83
hme0     base-address.mcast.net   240.0.0.0        SM      01:00:5e:00:00:00
Note the flags on the a-server entry: only S is set. In the Solaris ARP implementation, the P (publish) flag must be set on an entry for the host to answer ARP requests for that address.
Add the P flag manually:
a-server# arp -s a-server 00:03:ba:08:b2:83 pub
Run arp -a again:
a-server# arp -a
Net to Media Table
Device   IP Address               Mask             Flags   Phys Addr
------   --------------------     ---------------  -----   ---------------
hme0     netgate                  255.255.255.255          00:90:6d:f2:24:00
hme0     a-server                 255.255.255.255  SP      00:03:ba:08:b2:83
hme0     base-address.mcast.net   240.0.0.0        SM      01:00:5e:00:00:00
The entry now carries the SP flags, and at this point the network connection of the test system is back to normal. Problem solved.
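As an added example (not part of the original post), the following Python script shows how the symptom of Case 1 can be picked out automatically from tcpdump's text output: ARP requests for one address that keep repeating while no reply is ever captured. The sample lines are constructed to mirror the capture above; the regex, function names and the threshold of three requests are my own assumptions, not anything tcpdump provides.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump ARP output, modelled on the Case 1 capture:
# three unanswered requests for a-server, then a normal request/reply pair for netgate.
SAMPLE_ARP_LINES = """\
16:32:32.611251 arp who-has a-server tell b-client
16:32:33.611425 arp who-has a-server tell b-client
16:32:34.611623 arp who-has a-server tell b-client
16:32:35.100112 arp who-has netgate tell b-client
16:32:35.100487 arp reply netgate is-at 00:90:6d:f2:24:00
""".splitlines()

# Matches the classic tcpdump ARP line formats "arp who-has X tell Y" and "arp reply X is-at MAC".
ARP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) arp (?P<kind>who-has|reply) (?P<target>\S+) "
    r"(?:tell (?P<asker>\S+)|is-at (?P<mac>\S+))$"
)


def ts_seconds(ts):
    """Convert an hh:mm:ss.ffffff tcpdump timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def unanswered_arp(lines, min_requests=3):
    """Return the (target, asker) pairs whose ARP requests repeat at least
    min_requests times while no 'arp reply <target> is-at ...' is ever seen.

    A host re-asking the same question is the signature of Case 1: the target
    is up but does not answer ARP, so nothing above layer 2 can work.
    """
    requests = defaultdict(list)   # (target, asker) -> request timestamps
    answered = set()               # targets for which some reply was captured
    for line in lines:
        m = ARP_RE.match(line)
        if not m:
            continue               # not an ARP line; ignore
        if m["kind"] == "who-has":
            requests[(m["target"], m["asker"])].append(ts_seconds(m["ts"]))
        else:
            answered.add(m["target"])

    findings = []
    for (target, asker), times in requests.items():
        if target in answered or len(times) < min_requests:
            continue
        findings.append({
            "target": target,
            "asker": asker,
            "requests": len(times),
            "span_seconds": round(times[-1] - times[0], 3),
        })
    return findings


if __name__ == "__main__":
    for f in unanswered_arp(SAMPLE_ARP_LINES):
        print(f"{f['asker']} asked for {f['target']} {f['requests']} times over "
              f"{f['span_seconds']}s with no reply: check {f['target']}'s ARP table and flags")
```

The script keys on the absence of any reply for the target, not on the request count alone: a busy segment legitimately repeats ARP requests, but a target that is never seen answering is what points at the publish-flag problem found in the case.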

Example 2: NetFlow software problem

Symptom: Cisco NetFlow software was installed on a new network management workstation to analyze the traffic passing through the routers. The routers were configured as required and the software installed without any error, but when the NetFlow collector is started it receives no traffic information from any router, so the software cannot do its job. Troubleshooting: The router and software configurations were checked repeatedly and are correct. Using a step-by-step approach, the first task is to localize the problem to a device: is the router not sending the traffic information, or is the local system failing to receive it?
It then occurred to me that on the router we had configured the collector to receive data on UDP port 9998, so we can monitor that port to see whether the router is actually sending UDP data.

If the system does receive packets from the router, the router is unlikely to be the problem, and vice versa.
Use tcpdump on the network management workstation:
nms# tcpdump port 9995
tcpdump: listening on hme0
18:15:34.373435 routea > nms.9995: udp 1464
18:15:34.373829 routea.50111 > nms.9995: udp 1464
18:15:34.374100 routea.50111 > nms.9995: udp 1464
We immediately see that the router is indeed sending the packets, which essentially rules out the router. Re-checking the workstation, sure enough, a firewall is installed on it and UDP port 9998 is blocked. After adjusting the firewall configuration on the workstation, NetFlow works normally again. Problem solved.
Example 3: Mail server troubleshooting

Symptom: A qmail mail server was newly installed on the LAN. Basic functions such as sending and receiving mail work, but in use a strange phenomenon is common: when sending mail from a PC, it takes a long time after connecting to the mail server before the actual sending begins.

Troubleshooting: The network connection is fine, and neither the mail server nor the PCs have performance problems, so what could be wrong? To pin it down precisely, we send a message from a PC client and at the same time run tcpdump on the mail server to capture and analyze that client's packets:
server# tcpdump host client
tcpdump: listening on hme0
19:04:30.040578 client.1065 > server.smtp: S 1087965815:1087965815(0) win 64240 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF)
19:04:30.040613 server.smtp > client.1065: S 99285900:99285900(0) ack 1087965816 win 10136 <nop,nop,timestamp 20468779 0,nop,[|tcp]> (DF)
19:04:30.040960 client.1065 > server.smtp: . ack 1 win 64240 (DF)
The three-way handshake completes smoothly; so far everything is normal. Continue reading:
19:04:30.048862 server.33152 > client.113: S 99370916:99370916(0) win 8760 <mss 1460> (DF)
19:04:33.411006 server.33152 > client.113: S 99370916:99370916(0) win 8760 <mss 1460> (DF)
19:04:40.161052 server.33152 > client.113: S 99370916:99370916(0) win 8760 <mss 1460> (DF)
19:04:56.061130 server.33152 > client.113: R 99370917:99370917(0) win 8760 (DF)
19:04:56.070108 server.smtp > client.1065: P 1:109(108) ack 1 win 10136 <nop,nop,timestamp 20471382 167656> (DF)

Here is the problem. The server tries to connect to the client's port 113 (identd) to perform an ident lookup, but gets no response from the client. The server retries three times, taking 26 seconds in all, before giving up on the ident request, sending a packet with the RST flag set, and only then pushing the SMTP data that follows. Those 26 seconds are the long wait seen when sending mail.
With the problem found, the fix is straightforward: change the server-side qmail configuration so that it no longer performs the port 113 lookup. Capturing again, the mail server no longer attempts the port 113 connection and pushes data directly after the three-way handshake. Problem solved.
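As an added example (not part of the original post), the following Python script measures the stall in Example 3 directly from tcpdump's text output: it finds TCP flows whose SYNs never received a SYN-ACK, counts the retransmissions, and reports how long the initiator waited before it sent its own RST. The sample lines are constructed to mirror the capture above; the regex, the function name and the way the wait is attributed are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the Example 3 capture: a normal SMTP handshake
# followed by the server's unanswered ident (port 113) attempts toward the client.
SAMPLE_TCP_LINES = """\
19:04:30.040578 client.1065 > server.smtp: S 1087965815:1087965815(0) win 64240 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF)
19:04:30.040613 server.smtp > client.1065: S 99285900:99285900(0) ack 1087965816 win 10136 <nop,nop,timestamp 20468779 0,nop,[|tcp]> (DF)
19:04:30.040960 client.1065 > server.smtp: . ack 1 win 64240 (DF)
19:04:30.048862 server.33152 > client.113: S 99370916:99370916(0) win 8760 <mss 1460> (DF)
19:04:33.411006 server.33152 > client.113: S 99370916:99370916(0) win 8760 <mss 1460> (DF)
19:04:40.161052 server.33152 > client.113: S 99370916:99370916(0) win 8760 <mss 1460> (DF)
19:04:56.061130 server.33152 > client.113: R 99370917:99370917(0) win 8760 (DF)
19:04:56.070108 server.smtp > client.1065: P 1:109(108) ack 1 win 10136 <nop,nop,timestamp 20471382 167656> (DF)
""".splitlines()

# Classic tcpdump TCP line: "<ts> <src> > <dst>: <flags> <rest>", flags being S/R/P/F/./W letters.
TCP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SRPFW.]+) (?P<rest>.*)$"
)


def ts_seconds(ts):
    """Convert an hh:mm:ss.ffffff tcpdump timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def stalled_connections(lines):
    """Return, per (src, dst) flow whose SYNs were never answered with a SYN-ACK,
    the SYN count, the number of retransmissions, whether the initiator finally
    sent a RST, and the total time it spent waiting.

    In Example 3 this is the server's ident lookup that holds the SMTP session
    for 26 seconds.
    """
    syn_times = defaultdict(list)   # (src, dst) -> timestamps of bare SYNs
    syn_acked = set()               # (src, dst) flows that got a SYN-ACK back
    rst_time = {}                   # (src, dst) -> time the initiator gave up
    for line in lines:
        m = TCP_RE.match(line)
        if not m:
            continue
        flow = (m["src"], m["dst"])
        t = ts_seconds(m["ts"])
        is_ack = re.search(r"\back\b", m["rest"]) is not None
        if "S" in m["flags"] and not is_ack:
            syn_times[flow].append(t)            # a fresh or retransmitted SYN
        elif "S" in m["flags"] and is_ack:
            syn_acked.add((m["dst"], m["src"]))  # SYN-ACK answers the reverse flow
        elif "R" in m["flags"]:
            rst_time[flow] = t                   # initiator abandoned the attempt

    report = {}
    for flow, times in syn_times.items():
        if flow in syn_acked:
            continue
        gave_up = rst_time.get(flow)
        end = gave_up if gave_up is not None else times[-1]
        report[flow] = {
            "syn_count": len(times),
            "retransmissions": len(times) - 1,
            "reset": gave_up is not None,
            "wait_seconds": round(end - times[0], 3),
        }
    return report


if __name__ == "__main__":
    for (src, dst), r in stalled_connections(SAMPLE_TCP_LINES).items():
        print(f"{src} -> {dst}: {r['syn_count']} SYNs, no SYN-ACK, "
              f"{'RST' if r['reset'] else 'timeout'} after {r['wait_seconds']}s")
```

Run against the sample, the only flow reported is server.33152 -> client.113 with three SYNs and a wait of roughly 26 seconds, which is exactly the delay the users complained about; the SMTP handshake itself is excluded because its SYN was answered.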

Summary: The examples above demonstrate the role of packet analysis software in fault resolution. It is clear that with a good packet analysis tool, system administrators can locate network failures quickly and accurately, and in analyzing network problems its role cannot be replaced.
Reposted from http://chinabeta.cn/wgjs/pmsj/200704/15695.html

The general process of using an Ethereal filter to handle a school network problem
http://bbs.chinaunix.net/viewthread.php?tid=874452&highlight=

A school found ARP spoofing, the Shockwave virus and the Worm King virus on its network, all of which needed to be dealt with.

Handling process:
Configure port mirroring on the core switch and capture the packets of each network segment separately (capturing per segment reduces the load on the core switch and also reduces the volume of data to analyze).

1. ARP spoofing
Use the following filter rule:
arp.opcode == 1 or arp.opcode == 2
Once the ARP spoofing packets are found, filter on their source MAC:
eth.src == ...
Analyze the related IP information and locate the specific user. If the user changes IP and MAC address, the only option left is to pull the cable!

2. Shockwave virus
Analyze the packets with the following filter rules:
tcp.port == 135
tcp.port == 139
Analyzing the filtered packets shows that the first SYN packet of the TCP three-way handshake accounts for a far higher proportion of the total traffic than normal.
Find the source by IP!

3. Worm King virus
tcp.port == 1433
Analyzing the filtered packets shows the same pattern: the first SYN packet of the TCP three-way handshake accounts for a far higher proportion of the total traffic than normal.
Find the source by IP!

4. Use the following filter rule:
!(tcp.port == 5900 or tcp.port == 135 or tcp.port == 139)
Save the filtered packets first, then analyze them.
Found:
tcp.port == 5900 also accounts for a high share of the traffic
VNC (TCP port 5900): 5900/tcp open vnc VNC (protocol 3.
Track the related IPs!
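Items 2 and 3 above both rely on the same observation: an infected PC's traffic on the worm ports is dominated by first-handshake SYNs to many different hosts, while a normal client sends one SYN and then a long exchange of data. As an added example (not part of the original post), the following Python script applies that test to a list of packet summaries. The packet list is constructed; the port set is the one the write-up filtered on, and the function name, field layout and thresholds are my own assumptions. In Wireshark/Ethereal the equivalent bare-SYN filter is `tcp.flags.syn == 1 && tcp.flags.ack == 0`.

```python
from collections import defaultdict

# Ports the write-up filtered on when hunting the Shockwave and Worm King infections.
WORM_PORTS = {135, 139, 1433}


def build_sample_packets():
    """Constructed packet summaries as (src_ip, dst_ip, dst_port, tcp_flags).

    Flags use tcpdump's letters: "S" is a bare SYN (first packet of the handshake),
    "." a plain ACK and "P" a data segment.
    """
    pkts = []
    # A normal client: one handshake with the file server, then a long data exchange.
    pkts.append(("10.1.1.5", "10.1.1.200", 139, "S"))
    pkts += [("10.1.1.5", "10.1.1.200", 139, "P" if i % 2 else ".") for i in range(24)]
    # An infected host: one real session to the file server plus a SYN sweep of a
    # neighbouring /24 on port 135, each address tried exactly once.
    pkts.append(("10.1.1.77", "10.1.1.200", 139, "S"))
    pkts += [("10.1.1.77", "10.1.1.200", 139, ".") for _ in range(5)]
    pkts += [("10.1.1.77", f"10.1.2.{i}", 135, "S") for i in range(1, 41)]
    # Unrelated web traffic that the port filter should ignore entirely.
    pkts += [("10.1.1.9", "203.0.113.10", 80, "S")] * 30
    return pkts


def syn_heavy_sources(packets, ports=WORM_PORTS, min_packets=10,
                      min_syn_share=0.8, min_targets=5):
    """Return sources whose traffic on the given ports is dominated by bare SYNs
    to many distinct hosts: the pattern the write-up used to find infected PCs.

    All three thresholds must hold, so a single slow-opening client (few packets)
    or a host talking to one server many times (few targets) is not reported.
    """
    stats = defaultdict(lambda: {"total": 0, "syn": 0, "targets": set()})
    for src, dst, dport, flags in packets:
        if dport not in ports:
            continue                      # same effect as the tcp.port filter
        s = stats[src]
        s["total"] += 1
        if flags == "S":                  # bare SYN: first packet of a handshake
            s["syn"] += 1
            s["targets"].add(dst)

    suspects = {}
    for src, s in stats.items():
        share = s["syn"] / s["total"]
        if (s["total"] >= min_packets and share >= min_syn_share
                and len(s["targets"]) >= min_targets):
            suspects[src] = {
                "packets": s["total"],
                "syn_share": round(share, 2),
                "targets": len(s["targets"]),
            }
    return suspects


if __name__ == "__main__":
    for src, info in syn_heavy_sources(build_sample_packets()).items():
        print(f"{src}: {info['syn_share']:.0%} of {info['packets']} packets are bare SYNs "
              f"to {info['targets']} hosts; locate this PC and take it off the segment")
```

On the sample, only 10.1.1.77 is reported (41 of its 46 packets on the worm ports are SYNs, spread over 41 hosts), while the normal client 10.1.1.5 and the web traffic on port 80 are not. The distinct-target count is what separates a worm sweep from, say, a host that repeatedly reconnects to one server.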


Because the classroom PCs use hardware restore cards, and PC management is rather chaotic, the decision was made to add an access list on the core switch.

Reference for the specific access list:
Access lists and rules commonly used in network device configuration (for Huawei devices)

FreeBSD is strict about the order of tcpdump arguments.
For example: # tcpdump -i eth1 -w c.cap -s 0 host 192.168.2.1 and host 23.33.22.56
runs under FreeBSD, but if -w c.cap is moved to the end it fails with an error, whereas on Linux it still runs. The reason is that the BSD getopt stops parsing options at the first non-option argument, so everything from "host" onward is treated as part of the filter expression, while GNU getopt on Linux permutes options to the front of the argument list.
