Using tcpdump | Chapter 2: Network Security Testing Basics
    60 | Chapter 2: Network Security Testing Basics


    interface knows its own address because it is attached to the hardware. If the destination address of an inbound frame matches the interface's MAC address, the frame is forwarded up to the operating system. Similarly, if the MAC address is the broadcast address, the frame is forwarded up. In promiscuous mode, all comers are welcome: every frame, whether or not it is addressed to this particular system, is forwarded up to the operating system. Being able to look only at frames addressed to that interface is nice and valuable, but it is far more valuable to be able to see all frames that come across a network interface.

    Modern network interfaces typically support not only features like full duplex and auto-negotiation but also promiscuous mode. This means we no longer need dedicated protocol analyzers (as the hardware that once did this work was often called), because every system is capable of being a protocol analyzer. All we need is to know how to grab the frames and then peer into them to see what is going on.
    Using tcpdump
    While other operating systems have had their own packet capture programs (Solaris, for example, had snoop), the de facto packet capture program these days, especially on Linux systems, is tcpdump, at least if all you have is access to a command line. We will take a look at a GUI a little later, but there is a lot of value in learning about tcpdump. You won't always have access to a full desktop with a GUI. In many cases, you will have only a console or just an SSH session that you can use to run command-line programs. As a result, tcpdump will become a good friend. As an example, I used it earlier to verify that the protocol being used by our SIP testing program was really just using UDP and not using TCP. It has a lot of value in understanding what is going on with a program that isn't otherwise telling you.

    Before we start looking at options, let's take a look at the output from tcpdump. Being able to read what is happening by looking at the output takes some getting used to. When we run tcpdump without any options, we get a short summary of the packets that are passing through. Example 2-10 is a sample of tcpdump output.
    Example 2-10. tcpdump output
    10:26:26.543550 IP binkley.lan.57137 > testwifi.here.domain: 32636+ PTR? c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa. (90)
    10:26:26.555133 IP testwifi.here.domain > binkley.lan.57137: 32636 NXDomain 0/1/0 (154)
    10:26:26.557367 IP binkley.lan.57872 > testwifi.here.domain: 44057+ PTR? 201.86.168.192.in-addr.arpa. (45)
    10:26:26.560368 IP testwifi.here.domain > binkley.lan.57872: 44057* 1/0/0 PTR kilroyhue.lan. (99)
    10:26:26.561678 IP binkley.lan.57726 > testwifi.here.domain: 901+ PTR? 211.1.217.172.in-addr.arpa. (44)
    10:26:26.583550 IP testwifi.here.domain > binkley.lan.57726: 901 4/0/0 PTR
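As an added example (not from the book), here is a small Python parser for the DNS summary lines tcpdump prints in Example 2-10: it splits each line into endpoints, transaction ID, flags and the query or reply body, then pairs each reply with its query by client host, client port and transaction ID so you can see which lookups failed with NXDomain or went unanswered. The sample lines are constructed in the shape of Example 2-10, with each record rejoined onto a single line.

```python
import re
# Constructed sample in the shape of Example 2-10, each record rejoined onto one line.
SAMPLE = """\
10:26:26.543550 IP binkley.lan.57137 > testwifi.here.domain: 32636+ PTR? c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa. (90)
10:26:26.555133 IP testwifi.here.domain > binkley.lan.57137: 32636 NXDomain 0/1/0 (154)
10:26:26.557367 IP binkley.lan.57872 > testwifi.here.domain: 44057+ PTR? 201.86.168.192.in-addr.arpa. (45)
10:26:26.560368 IP testwifi.here.domain > binkley.lan.57872: 44057* 1/0/0 PTR kilroyhue.lan. (99)
"""

# time IP src.port > dst.port: txid[flags] body (UDP payload length in bytes)
LINE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
                  r"(?P<txid>\d+)(?P<flags>[+*$|-]*) (?P<body>.*?) \((?P<length>\d+)\)$")
QUERY = re.compile(r"^(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)$")           # e.g. "PTR? name."
REPLY = re.compile(r"^(?:(?P<rcode>[A-Za-z]+) )?(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)(?: (?P<rrs>.*))?$")

def parse_line(line):
    """Return a dict for one tcpdump DNS summary line, or None if the line is not one."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "txid": int(m["txid"]), "length": int(m["length"]),
           "rd": "+" in m["flags"], "aa": "*" in m["flags"]}  # + recursion desired, * authoritative
    # tcpdump prints host.port; the port may be a service name such as 'domain'
    rec["src"], _, rec["sport"] = m["src"].rpartition(".")
    rec["dst"], _, rec["dport"] = m["dst"].rpartition(".")
    q = QUERY.match(m["body"])
    if q:
        rec.update(kind="query", qtype=q["qtype"], qname=q["qname"])
        return rec
    r = REPLY.match(m["body"])
    if r:  # counts are answer/authority/additional records; no rcode word means NoError
        rec.update(kind="reply", rcode=r["rcode"] or "NoError", rrs=r["rrs"] or "",
                   counts=(int(r["an"]), int(r["ns"]), int(r["ar"])))
        return rec
    rec.update(kind="other", body=m["body"])
    return rec

def pair_transactions(text):
    """Match replies to queries by (client host, client port, txid); return (completed, unanswered)."""
    pending, done = {}, []
    for rec in filter(None, map(parse_line, text.splitlines())):
        if rec["kind"] == "query":
            pending[(rec["src"], rec["sport"], rec["txid"])] = rec
        elif rec["kind"] == "reply":
            q = pending.pop((rec["dst"], rec["dport"], rec["txid"]), None)
            done.append({"qname": q["qname"] if q else None, "rcode": rec["rcode"],
                         "answers": rec["counts"][0], "unsolicited": q is None})
    return done, list(pending.values())
```

Feeding it `tcpdump -l` output over a pipe (or a saved text capture) gives a quick list of failed or unanswered reverse lookups without needing the GUI discussed later.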