NAME
pdump 0.8 - dumps, greps, monitors, creates, and modifies traffic on a network
SYNOPSIS
pdump [ -abCfGILmMnNOpqRStTuUvxXzZ ] [ -A 'data string' ] [ -B hostname ] [ -c count ] [ -d destination-host ] [ -D destination-port ] [ -e 'string' ] [ -E 'expression' ] [ -F file ] [ -g [ 'regexp' ] ] [ -H 'regexp' ] [ -i interface ] [ -J [ -1..9 ] ] [ -l /pdump/directory ] [ -P 'regexp' ] [ -Q MAC address ] [ -r file ] [ -s snaplen ] [ -w file ] [ -W [ 'ftp, etc' ] ] [ -y source-host ] [ -Y source-port ]
DESCRIPTION
pdump prints out the headers of packets on a network interface that match the boolean expression. Pdump does many other things, such as sniffing raw data, sniffing for passwords or specified packets, spoofing things such as MAC addresses, modifying network packets, and creating well-crafted packets, along with many other things. Pdump requires root on all operating systems it's run on. Future development on a pdump-specific perl module will attempt to minimize the security risk and only require certain access on specific systems.
OPTIONS
-a     Will do passive network mapping (passive operating system detection/fingerprinting), similar to siphon. This will attempt to show the operating systems of all computers which are incoming or outgoing from the network.

-A     This option requires -E to eliminate most problems :) What this option does is send packets into a connection without disrupting it and keeping it in sync. It does this by sniffing everything it can with -E and on the first connection it sees, it will 'zero in' on that one specific connection. Once it has done that, it will send spoofed packets with that data into the connection without hijacking the connection, redirecting packets, and without resetting the connection. This is a proof of concept and can show how easy it is to do things such as sending commands to a telnet session or packets to an IRC server which would make some pretty easy takeovers of channels, etc.

-b     Sniffs all outgoing web GETs and POSTs and will output all URLs sniffed and will also send your browser directly to the pages that other users on the network are browsing live. This is almost identical to dsniff's webspy.

-B     This will do the same thing as the -b option except it will only sniff a certain user on the network. You specify that user with their hostname, that being the element passed to -B.

-c     Exit after receiving count packets.

-C     Case-insensitive to the regular expression used with -H.

-d     Uses hostname as the destination hostname when used with -M.

-D     Uses port as the destination port when used with -M.

-e     Will take string and parse it so that what comes out is only what the user wants. Instead of having to see all information in the same order, you can specify only certain things to be displayed and also things that normally, if ever, aren't displayed. See the STRINGS section below for detailed information along with many detailed examples.

-E     Only dumps packets which match expression. See the EXPRESSIONS section below for detailed information on expressions along with examples.

-f     Print `foreign' internet addresses numerically rather than symbolically (this option is intended for tcpdump to get around serious brain damage in Sun's yp server - usually it hangs forever translating non-local internet numbers).

-F     Use file as input for the filter expression. An additional expression given on the command line is ignored.

-g     Prints all data from a packet if the data matches the regular expression. See the EXPRESSIONS section below for detailed information on the option, regular expressions, and examples. If no regular expression is given it will match all data going through the filter. This option can also be used with the -L option. See the -L option for further information.

-G     Case-insensitive to the regular expression used with -g.

-H     Matches hostnames and IP addresses with the regular expression and will print all packets except for those that matched.

-i     Listen on interface. If unspecified, pdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback). Ties are broken by choosing the earliest match.

-I     Case-insensitive to the regular expression used with -P.

-J     Will send RST packets to all destination addresses, or to all destination addresses specified in an expression using -E, and will kill the connection. Without using -E, pdump will kill all open TCP connections on the network. This is identical to dsniff's tcpkill.

-l     Will take the directory you specify and expect the lib directory to be in the directory you specified so you can run pdump from any directory. Example: your lib directory is at /usr/pdump/lib. You aren't in the /usr/pdump directory so you run 'pdump -l /usr/pdump' and pdump will then use /usr/pdump/lib as the lib directory automatically.

-L     Will sniff all email going through the network and display it in Berkeley mbox format, which is readable offline by many clients such as mail(1) and pine(1). You are able to use the -g option along with a regular expression to match the header/body with. If the email is matched, the message will be displayed, otherwise, it won't be. The -G option will match the regular expression with case-insensitivity. The -O option will do the opposite of -g, using the regular expression from -g, and will display any messages where the body/header doesn't match the regular expression. This option is a 'clone' of dsniff's mailsnarf and does the same exact thing that mailsnarf does, possibly even what carnivore does. :)

-m     Uses a different method of extracting IP addresses out of packets. On a few systems pdump may display invalid or incorrect IP addresses of packets and this function should fix that problem if that problem occurs.

-M     Floods the local network with random MAC addresses the same way macof would and is able to crash some network devices.

-n     Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.

-N     Don't print domain name qualification of host names. E.g., if you give this flag then pdump will print ``nic'' instead of ``nic.ddn.mil''.

-O     Matches any data from packets which don't match the regular expression used with -g.

-p     Don't put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, `-p' cannot be used as an abbreviation for `ether host {local-hw-addr} or ether broadcast'. This is module specific. This option will be active in the next module for pdump.

-P     Matches port numbers and services with the regular expression and will print all packets except for those that match.

-q     Quick (quiet?) output. Print less protocol information so output lines are shorter. With -g, doesn't output any information other than packet headers and their payloads.

-Q     Sets MAC address as the destination address when using -M.

-r     Read packets from file (which was created with the -w option). Standard input is used if file is ``-''.

-R     Uses random destination MAC addresses when using -M.

-s     Snarf snaplen bytes of data from each packet rather than the default of 68 (with SunOS's NIT, the minimum is actually 96). 68 bytes is adequate for IP, ICMP, TCP and UDP but may truncate protocol information from name server and NFS packets (see below). Packets truncated because of a limited snapshot are indicated in the output with ``[|proto]'', where proto is the name of the protocol level at which the truncation has occurred. Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number that will capture the protocol information you're interested in.

-S     Print port numbers instead of services.

-t     Don't print a timestamp on each dump line.

-T     Print an unformatted timestamp on each dump line.

-u     Uses ANSI color for most everything. Colors are defined at the top of pdump.pl and can be very easily changed.

-U     Outputs all requested URLs sniffed from HTTP traffic.

-v     (Slightly more) verbose output. For example, the time to live and type of service information in an IP packet is printed.

-w     Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is ``-''.

-W     Sniffs passwords, user names, and other information from all services specified. Specify the services in a comma-delimited fashion. All of the protocols that are able to be sniffed are protocols that dsniff is able to sniff. If no arguments are specified, all of the allowable arguments will be displayed.

-x     Will dump all data in the packets in hex, very similar to tcpdump's -x option.

-X     Will dump all data in the packet in hex and ascii, similar to tcpdump's -X option.

-y     Uses hostname as the source hostname when used with -M.

-Y     Uses port as the source port when used with -M.

-z     Would be like using -g without any regular expression at all, so pdump would print all data from all packets that are allowed to be printed.

-Z     This will sniff all traffic for FTP, SMB, and Samba file transfers. When it sees one, it will give you some information and also 'swipe' that file and stick it in a file on your local machine in the current directory you're in. It will tell you what file it places it in.
STRINGS
are what allow the user to specify the look, feel, and data that should be outputted with pdump instead of the conventional way. Here is an example of what a normal TCP packet would look like with pdump:
18:39:35.488521 irc.skynetweb.com.6667 > LucidX.com.2719: P 134763246 ack 720092664 win 17520 (tcp)
A lot of this information may be completely unimportant to you, and there may be a lot of important information missing from here that you want. With the strings option on pdump (-e 'string') you are able to modify the output of pdump however you wish. Here is an example:
bash# pdump -e '$time $source.$sserv > $dest.$dserv: $headers $sequence ack $ackseq win $winsize ($proto)'
(pdump.pl) 0.780
(/usr/bin/pdump): listening on rl0 :: x.x.x.x []
18:39:35.488521 irc.skynetweb.com.6667 > LucidX.com.2719: P 134763246 ack 720092664 win 17520 (tcp)
As you can see, this is exactly what the last packet we saw looked like. Here are a few other examples...
pdump -e '$source-$sport >>> $dest-$dport :: $seq _-_ tos $tos'
irc.skynetweb.com-6667 >>> LucidX.com-2719 :: 134763246 _-_ tos 16

pdump -e '$saddr:$daddr - $sserv:$dserv'
23.211.85.116:63.199.194.66 - http:4829
Here is the hash with information on what variables to use for what:
    "saddr",    $stest,              # source ip
    "daddr",    $dtest,              # dest ip
    "source",   $sname,              # source port
    "dest",     $dname,              # dest port
    "shost",    $sname,              # source hostname (ip if the ip doesn't reverse)
    "dhost",    $dname,              # dest hostname (ip if the ip doesn't reverse)
    "sserv",    $stype,              # source service name
    "dserv",    $dtype,              # dest service name
    "version",  $vers,               # ip version
    "ihl",      $ihl,                # ip header length
    "tos",      $tos,                # tos
    "totlen",   $tot,                # tot
    "id",       $id,                 # id
    "fragoff",  $frg,                # fragment offset
    "ttl",      $ttl,                # ttl
    "protocol", $pro,                # protocol number, example: 6
    "proto",    $prt,                # protocol name, example: tcp
    "check1",   $chc,                # ip header checksum
    "rawsaddr", $saddr,              # raw source ip
    "rawdaddr", $daddr,              # raw dest ip
    "sport",    $sport,              # source port
    "dport",    $dport,              # dest port
    "sequence", $seq,                # sequence
    "seq",      $seq,                # sequence (same as above)
    "ackseq",   $aseq,               # ack sequence
    "doff",     $dof,                # tcp data offset
    "res1",     $res1,               # reserved bits
    "res2",     $res2,               # reserved bits
    "urg",      $urg,                # returns 1 if urg is set
    "ack",      $ack,                # returns 1 if ack is set
    "psh",      $psh,                # returns 1 if psh is set
    "rst",      $rst,                # returns 1 if rst is set
    "syn",      $syn,                # returns 1 if syn is set
    "fin",      $fin,                # returns 1 if fin is set
    "winsize",  $win,                # window size
    "hexwin",   sprintf("%x", $win), # hex output of the window size (good for fingerprinting)
    "df",       $df,                 # returns (DF) if the packet frag offset is 16834
    "check2",   $chk,                # tcp checksum
    "data",     $data,               # data of packet
    "time",     $tm,                 # millisecond
    "headers",  $headers,            # headers, example: SR (for syn and rst)
The strings on the left side are what you would use with the -e option, just with a $ in front of it stating that it's a variable.
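To show how the variables in that hash relate to the bytes of a packet, here is an added example written for this page, not pdump's own Perl code: a small parser that fills the same variable names from one raw IPv4/TCP packet, and an expand() function that substitutes $name tokens the way the -e option does. The sample packet bytes, the tiny SERVICES table (a stand-in for an /etc/services lookup), the reading of "df" as the Don't Fragment bit (0x4000), and the tcpdump-style letter order used for "headers" are this example's assumptions. No reverse lookup is attempted, so the host variables fall back to the IP address, as the hash comments say they do.

```python
import re
import struct
from ipaddress import IPv4Address

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
SERVICES = {21: "ftp", 80: "http"}  # constructed stand-in for an /etc/services lookup

# Constructed sample: 20-byte IPv4 header + 20-byte TCP header, no payload.  The addresses
# are made up; ports, sequence numbers, window and tos mirror the manual's example output.
SAMPLE_PACKET = bytes.fromhex(
    "4510 0028 1a2b 4000 4006 0000 0a00 0001 0a00 0002"  # IP: tos 0x10, len 40, id 0x1a2b, DF, ttl 64, proto 6
    "1a0b 0a9f 0808 52ee 2aeb bdf8 5018 4470 0000 0000"  # TCP: 6667 > 2719, seq 134763246, ack 720092664, PSH|ACK, win 17520
)


def packet_variables(raw: bytes, timestamp: str = "") -> dict:
    """Build the variable set listed in the manual's hash from one raw IPv4/TCP packet.
    The keys follow the manual; how each value is derived is this example's reading of it."""
    ver_ihl, tos, totlen, ident, frag, ttl, proto, check1, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    v = {
        "version": ver_ihl >> 4, "ihl": ihl, "tos": tos, "totlen": totlen, "id": ident,
        "fragoff": frag & 0x1FFF, "ttl": ttl, "protocol": proto, "proto": PROTO_NAMES.get(proto, str(proto)),
        "check1": check1, "rawsaddr": src, "rawdaddr": dst,
        "saddr": str(IPv4Address(src)), "daddr": str(IPv4Address(dst)),
        "df": "(DF)" if frag & 0x4000 else "",  # assumption: "df" means the Don't Fragment bit (0x4000)
        "time": timestamp,
    }
    # No reverse lookup here, so host variables fall back to the IP address, as the manual
    # says they do when an address does not reverse.
    v["shost"] = v["source"] = v["saddr"]
    v["dhost"] = v["dest"] = v["daddr"]
    if proto != 6 or len(raw) < ihl + 20:
        return v
    sport, dport, seq, ackseq, doff_res, flags, win, check2, _urgptr = struct.unpack("!HHIIBBHHH", raw[ihl:ihl + 20])
    v.update({
        "sport": sport, "dport": dport, "sequence": seq, "seq": seq, "ackseq": ackseq,
        "doff": doff_res >> 4, "res1": doff_res & 0x0F, "res2": flags >> 6,
        "winsize": win, "hexwin": f"{win:x}", "check2": check2,
        "sserv": SERVICES.get(sport, str(sport)), "dserv": SERVICES.get(dport, str(dport)),
        "data": raw[ihl + (doff_res >> 4) * 4:].decode("latin-1"),
    })
    for bit, name in enumerate(("fin", "syn", "rst", "psh", "ack", "urg")):
        v[name] = (flags >> bit) & 1  # 1 if the flag is set, as the manual describes
    # Flag letters in the manual's "SR" style; "." when none of S/F/R/P is set (tcpdump convention, assumed)
    v["headers"] = "".join(c for c, n in (("S", "syn"), ("F", "fin"), ("R", "rst"), ("P", "psh")) if v[n]) or "."
    return v


def expand(template: str, variables: dict) -> str:
    """Substitute $name tokens the way the -e string option does.  Unknown names are left
    as written so that a typo shows up in the output instead of silently vanishing."""
    return re.sub(r"\$(\w+)", lambda m: str(variables.get(m.group(1), m.group(0))), template)


if __name__ == "__main__":
    fields = packet_variables(SAMPLE_PACKET, "18:39:35.488521")
    print(expand("$time $source.$sserv > $dest.$dserv: $headers $sequence ack $ackseq win $winsize ($proto)", fields))
```

Run as a script it prints the same line shape as the manual's first -e example, with the constructed addresses in place of the hostnames; the flag-bit loop is the part worth copying, since it is where a format string like "$syn$ack" gets its 0/1 values from.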
EXPRESSIONS
select which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which expression is `true' will be dumped.

The expression consists of one or more primitives. Primitives usually consist of an id (name or number) preceded by one or more qualifiers. There are three different kinds of qualifier:

type   qualifiers say what kind of thing the id name or number refers to. Possible types are host, net and port. E.g., `host foo', `net 128.3', `port 20'. If there is no type qualifier, host is assumed.

dir    qualifiers specify a particular transfer direction to and/or from id. Possible directions are src, dst, src or dst and src and dst. E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'. If there is no dir qualifier, src or dst is assumed. For `null' link layers (i.e. point to point protocols such as slip) the inbound and outbound qualifiers can be used to specify a desired direction.

proto  qualifiers restrict the match to a particular protocol. Possible protos are: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp. E.g., `ether src foo', `arp net 128.3', `tcp port 21'. If there is no proto qualifier, all protocols consistent with the type are assumed. E.g., `src foo' means `(ip or arp or rarp) src foo' (except the latter is not legal syntax), `net bar' means `(ip or arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'.

[`fddi' is actually an alias for `ether'; the parser treats them identically as meaning ``the data link level used on the specified network interface.'' FDDI headers contain Ethernet-like source and destination addresses, and often contain Ethernet-like packet types, so you can filter on these FDDI fields just as with the analogous Ethernet fields. FDDI headers also contain other fields, but you cannot name them explicitly in a filter expression.]

In addition to the above, there are some special `primitive' keywords that don't follow the pattern: gateway, broadcast, less, greater and arithmetic expressions. All of these are described below.

More complex filter expressions are built up by using the words and, or and not to combine primitives. E.g., `host foo and not port ftp and not port ftp-data'. To save typing, identical qualifier lists can be omitted. E.g., `tcp dst port ftp or ftp-data or domain' is exactly the same as `tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'.

Allowable primitives are:

dst host host
       True if the IP destination field of the packet is host, which may be either an address or a name.

src host host
       True if the IP source field of the packet is host.

host host
       True if either the IP source or destination of the packet is host. Any of the above host expressions can be prepended with the keywords, ip, arp, or rarp as in:
            ip host host
       which is equivalent to:
            ether proto \ip and host host
       If host is a name with multiple IP addresses, each address will be checked for a match.

ether dst ehost
       True if the ethernet destination address is ehost. Ehost may be either a name from /etc/ethers or a number (see ethers(3N) for numeric format).

ether src ehost
       True if the ethernet source address is ehost.

ether host ehost
       True if either the ethernet source or destination address is ehost.

gateway host
       True if the packet used host as a gateway. I.e., the ethernet source or destination address was host but neither the IP source nor the IP destination was host. Host must be a name and must be found in both /etc/hosts and /etc/ethers. (An equivalent expression is
            ether host ehost and not host host
       which can be used with either names or numbers for host / ehost.)

dst net net
       True if the IP destination address of the packet has a network number of net. Net may be either a name from /etc/networks or a network number (see networks(4) for details).

src net net
       True if the IP source address of the packet has a network number of net.

net net
       True if either the IP source or destination address of the packet has a network number of net.

net net mask mask
       True if the IP address matches net with the specific netmask. May be qualified with src or dst.

net net/len
       True if the IP address matches net a netmask len bits wide. May be qualified with src or dst.

dst port port
       True if the packet is ip/tcp or ip/udp and has a destination port value of port. The port can be a number or a name used in /etc/services (see tcp(4P) and udp(4P)). If a name is used, both the port number and protocol are checked. If a number or ambiguous name is used, only the port number is checked (e.g., dst port 513 will print both tcp/login traffic and udp/who traffic, and port domain will print both tcp/domain and udp/domain traffic).

src port port
       True if the packet has a source port value of port.

port port
       True if either the source or destination port of the packet is port. Any of the above port expressions can be prepended with the keywords, tcp or udp, as in:
            tcp src port port
       which matches only tcp packets whose source port is port.

less length
       True if the packet has a length less than or equal to length. This is equivalent to:
            len <= length

greater length
       True if the packet has a length greater than or equal to length. This is equivalent to:
            len >= length

ip proto protocol
       True if the packet is an ip packet (see ip(4P)) of protocol type protocol. Protocol can be a number or one of the names icmp, igrp, udp, nd, or tcp. Note that the identifiers tcp, udp, and icmp are also keywords and must be escaped via backslash (\), which is \\ in the C-shell.

ether broadcast
       True if the packet is an ethernet broadcast packet. The ether keyword is optional.

ip broadcast
       True if the packet is an IP broadcast packet. It checks for both the all-zeroes and all-ones broadcast conventions, and looks up the local subnet mask.

ether multicast
       True if the packet is an ethernet multicast packet. The ether keyword is optional. This is shorthand for `ether[0] & 1 != 0'.

ip multicast
       True if the packet is an IP multicast packet.

ether proto protocol
       True if the packet is of ether type protocol. Protocol can be a number or a name like ip, arp, or rarp. Note these identifiers are also keywords and must be escaped via backslash (\). [In the case of FDDI (e.g., `fddi protocol arp'), the protocol identification comes from the 802.2 Logical Link Control (LLC) header, which is usually layered on top of the FDDI header. Pdump assumes, when filtering on the protocol identifier, that all FDDI packets include an LLC header, and that the LLC header is in so-called SNAP format.]

decnet src host
       True if the DECNET source address is host, which may be an address of the form ``10.123'', or a DECNET host name. [DECNET host name support is only available on Ultrix systems that are configured to run DECNET.]

decnet dst host
       True if the DECNET destination address is host.

decnet host host
       True if either the DECNET source or destination address is host.

ip, arp, rarp, decnet
       Abbreviations for:
            ether proto p
       where p is one of the above protocols.

lat, moprc, mopdl
       Abbreviations for:
            ether proto p
       where p is one of the above protocols. Note that pdump does not currently know how to parse these protocols.

tcp, udp, icmp
       Abbreviations for:
            ip proto p
       where p is one of the above protocols.

expr relop expr
       True if the relation holds, where relop is one of >, <, >=, <=, =, !=, and expr is an arithmetic expression composed of integer constants (expressed in standard C syntax), the normal binary operators [+, -, *, /, &, |], a length operator, and special packet data accessors. To access data inside the packet, use the following syntax:
            proto [ expr : size ]
       Proto is one of ether, fddi, ip, arp, rarp, tcp, udp, or icmp, and indicates the protocol layer for the index operation. The byte offset, relative to the indicated protocol layer, is given by expr. Size is optional and indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to one. The length operator, indicated by the keyword len, gives the length of the packet.

       For example, `ether[0] & 1 != 0' catches all multicast traffic. The expression `ip[0] & 0xf != 5' catches all IP packets with options. The expression `ip[6:2] & 0x1fff = 0' catches only unfragmented datagrams and frag zero of fragmented datagrams. This check is implicitly applied to the tcp and udp index operations. For instance, tcp[0] always means the first byte of the TCP header, and never means the first byte of an intervening fragment.

Primitives may be combined using:

       A parenthesized group of primitives and operators (parentheses are special to the Shell and must be escaped).

       Negation (`!' or `not').

       Concatenation (`&&' or `and').

       Alternation (`||' or `or').

Negation has highest precedence. Alternation and concatenation have equal precedence and associate left to right. Note that explicit and tokens, not juxtaposition, are now required for concatenation.

If an identifier is given without a keyword, the most recent keyword is assumed. For example,
     not host vs and ace
is short for
     not host vs and host ace
which should not be confused with
     not ( host vs or ace )

Expression arguments can be passed to pdump as either a single argument or as multiple arguments, whichever is more convenient. Generally, if the expression contains Shell metacharacters, it is easier to pass it as a single, quoted argument. Multiple arguments are concatenated with spaces before being parsed.
EXAMPLES
To print all packets arriving at or departing from sundown:
     pdump -E "host sundown"

To print traffic between helios and either hot or ace:
     pdump -E "host helios and \( hot or ace \)"

To print all IP packets between ace and any host except helios:
     pdump -E "ip host ace and not helios"

To print all traffic between local hosts and hosts at Berkeley:
     pdump -E "net ucb-ether"

To print all ftp traffic through internet gateway snup (note that the expression is quoted to prevent the shell from (mis-)interpreting the parentheses):
     pdump -E 'gateway snup and (port ftp or ftp-data)'

To print traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this stuff should never make it onto your local net):
     pdump -E "ip and not net localnet"

To print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host:
     pdump -E 'tcp[13] & 3 != 0 and not src and dst net localnet'

To print IP packets longer than 576 bytes sent through gateway snup:
     pdump -E 'gateway snup and ip[2:2] > 576'

To print IP broadcast or multicast packets that were not sent via ethernet broadcast or multicast:
     pdump -E 'ether[0] & 1 = 0 and ip[16] >= 224'

To print all ICMP packets that are not echo requests/replies (i.e., not ping packets):
     pdump -E 'icmp[0] != 8 and icmp[0] != 0'
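The packet data accessors from the EXPRESSIONS section and the `tcp[13]`, `ip[2:2]`, `ether[0]`/`ip[16]` and `icmp[0]` examples just above can be exercised offline with the evaluator below. It is an added example written for this page, not code from pdump or from the tcpdump/libpcap filter compiler. It handles only the arithmetic and relational part of the syntax (proto[expr:size], len, integer constants, the binary operators, relops, and/or/not with parentheses), follows the manual's rule that and/or share one precedence level and associate left to right, and locates transport layers only in first fragments; host/net/port primitives are not implemented. The ipv4_frame and tcp_header helpers build constructed sample frames for it and are this example's own.

```python
import operator
import re

ETHERTYPE_IPV4 = 0x0800
IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
PROTOS = ("ether", "ip", "tcp", "udp", "icmp")
TOKEN = re.compile(r"0x[0-9a-fA-F]+|\d+|[a-z]+|>=|<=|!=|&&|\|\||[][:()&|+*/<>=!-]")
RELOPS = {">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le, "=": operator.eq, "!=": operator.ne}
BINOPS = {"&": operator.and_, "|": operator.or_, "+": operator.add, "-": operator.sub, "*": operator.mul, "/": operator.floordiv}
CONNECTIVES = {"and": lambda a, b: a and b, "&&": lambda a, b: a and b, "or": lambda a, b: a or b, "||": lambda a, b: a or b}


def layer_offsets(frame: bytes) -> dict:
    """Start offset of each layer in a raw Ethernet frame; transport layers are only located in first fragments."""
    offsets = {"ether": 0}
    if len(frame) >= 34 and int.from_bytes(frame[12:14], "big") == ETHERTYPE_IPV4:
        offsets["ip"] = 14
        name = IP_PROTO_NAMES.get(frame[23])
        if name and int.from_bytes(frame[20:22], "big") & 0x1FFF == 0:  # so tcp[0] never means a later fragment
            offsets[name] = 14 + (frame[14] & 0x0F) * 4
    return offsets


def load(pkt, proto, offset, size):
    """proto[offset:size] as a big-endian int; None when the layer is absent or the field is cut off."""
    frame, offsets = pkt
    if proto not in offsets or offset is None:
        return None
    chunk = frame[offsets[proto] + offset:offsets[proto] + offset + size]
    return int.from_bytes(chunk, "big") if len(chunk) == size else None


class Filter:
    """Recursive-descent parser for proto[expr:size], len, constants, binary operators, relops, and/or/not and
    parentheses.  host/net/port primitives are not handled, and the arithmetic operators share one precedence level."""
    def __init__(self, text: str):
        toks = TOKEN.findall(text)
        if "".join(toks) != "".join(text.split()):
            raise ValueError(f"cannot tokenize {text!r}")
        self.toks, self.i = toks + [None], 0  # None marks the end of input
        self.tree = self._bool()
        if self.toks[self.i] is not None:
            raise ValueError(f"unexpected token {self.toks[self.i]!r}")
    def _take(self, *want):
        tok = self.toks[self.i]
        if tok is None or (want and tok not in want):
            raise ValueError(f"expected {want or 'a token'}, got {tok!r}")
        self.i += 1
        return tok
    def _bool(self):  # and/or have equal precedence and associate left to right, as the manual says
        node = self._not()
        while self.toks[self.i] in CONNECTIVES:
            fn, left, right = CONNECTIVES[self._take()], node, self._not()
            node = (lambda fn, l, r: lambda pkt: fn(l(pkt), r(pkt)))(fn, left, right)
        return node
    def _not(self):  # negation binds tighter than and/or
        if self.toks[self.i] in ("not", "!"):
            self._take()
            return (lambda inner: lambda pkt: not inner(pkt))(self._not())
        if self.toks[self.i] == "(":
            self._take()
            inner = self._bool()
            self._take(")")
            return inner
        return self._relation()
    def _relation(self):  # a None operand (missing layer, short snaplen) makes the relation false
        left, op, right = self._arith(), RELOPS[self._take(*RELOPS)], self._arith()
        return lambda pkt: (lambda a, b: a is not None and b is not None and op(a, b))(left(pkt), right(pkt))
    def _arith(self):
        node = self._term()
        while self.toks[self.i] in BINOPS:
            op, left, right = BINOPS[self._take()], node, self._term()
            node = (lambda op, l, r: lambda pkt: None if None in (l(pkt), r(pkt)) else op(l(pkt), r(pkt)))(op, left, right)
        return node
    def _term(self):
        tok = self._take()
        if tok == "len":
            return lambda pkt: len(pkt[0])
        if tok in PROTOS:
            self._take("[")
            offset, size = self._arith(), 1
            if self.toks[self.i] == ":":
                self._take()
                size = int(self._take(), 0)
            self._take("]")
            return lambda pkt: load(pkt, tok, offset(pkt), size)
        return lambda pkt, value=int(tok, 0): value
    def match(self, frame: bytes) -> bool:
        return bool(self.tree((frame, layer_offsets(frame))))


def ipv4_frame(proto, payload, *, dst_ip=b"\x0a\x00\x00\x02", ihl_words=5, frag_off=0):
    """Constructed sample frame: unicast Ethernet + IPv4 (padding options, fragment offset) + payload."""
    hlen = ihl_words * 4
    ip = bytes([0x40 | ihl_words, 0]) + (hlen + len(payload)).to_bytes(2, "big") + b"\x00\x01" + frag_off.to_bytes(2, "big")
    ip += bytes([64, proto]) + b"\x00\x00" + b"\x0a\x00\x00\x01" + dst_ip + b"\x01" * (hlen - 20)
    return b"\x00\x11\x22\x33\x44\x55" + b"\x00\x11\x22\x33\x44\x66" + b"\x08\x00" + ip + payload


def tcp_header(flags):  # constructed 20-byte TCP header, 80 -> 8080, data offset 5, given flags byte
    return b"\x00\x50\x1f\x90" + b"\x00" * 8 + bytes([0x50, flags]) + b"\xff\xff\x00\x00\x00\x00"
```

Two behaviours are worth noticing when trying it: a field that lies beyond the captured bytes makes its relation false rather than raising, which is the same effect the -s snaplen caveat describes for truncated packets, and `tcp[13] & 2 != 0 or ip[0] & 0xf != 5 and len > 1000` is parsed as `(... or ...) and ...`, the left-to-right rule stated above, not the conventional and-binds-tighter reading.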
OUTPUT FORMAT
The output of pdump is protocol dependent. The following gives a brief description and examples of most of the formats.

TCP Packets

(N.B.: The following description assumes familiarity with the TCP protocol described in RFC-793. If you are not familiar with the protocol, neither this description nor pdump will be of much use to you.)

The general format of a tcp protocol line is:
     src > dst: flags data-seqno ack window urgent options

Src and dst are the source and destination IP addresses and ports. Flags are some combination of S (SYN), F (FIN), P (PUSH) or R (RST) or a single `.' (no flags). Data-seqno describes the portion of sequence space covered by the data in this packet (see example below). Ack is the sequence number of the next data expected the other direction on this connection. Window is the number of bytes of receive buffer space available the other direction on this connection. Urg indicates there is `urgent' data in the packet. Options are tcp options enclosed in angle brackets (e.g., <mss 1024>).

Src, dst and flags are always present. The other fields depend on the contents of the packet's tcp protocol header and are output only if appropriate.

Here is the opening portion of an rlogin from host rtsg to host csam.
     rtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>
     csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>
     rtsg.1023 > csam.login: . ack 1 win 4096
     rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096
     csam.login > rtsg.1023: . ack 2 win 4096
     rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096
     csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077
     csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1
     csam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1

The first line says that tcp port 1023 on rtsg sent a packet to port login on csam. The S indicates that the SYN flag was set. The packet sequence number was 768512 and it contained no data. (The notation is `first:last(nbytes)' which means `sequence numbers first up to but not including last which is nbytes bytes of user data'.) There was no piggy-backed ack, the available receive window was 4096 bytes and there was a max-segment-size option requesting an mss of 1024 bytes.

Csam replies with a similar packet except it includes a piggy-backed ack for rtsg's SYN. Rtsg then acks csam's SYN. The `.' means no flags were set. The packet contained no data so there is no data sequence number. Note that the ack sequence number is a small integer (1). The first time pdump sees a tcp `conversation', it prints the sequence number from the packet. On subsequent packets of the conversation, the difference between the current packet's sequence number and this initial sequence number is printed. This means that sequence numbers after the first can be interpreted as relative byte positions in the conversation's data stream (with the first data byte each direction being `1'). `-S' will override this feature, causing the original sequence numbers to be output.

On the 6th line, rtsg sends csam 19 bytes of data (bytes 2 through 20 in the rtsg -> csam side of the conversation). The PUSH flag is set in the packet. On the 7th line, csam says it's received data sent by rtsg up to but not including byte 21. Most of this data is apparently sitting in the socket buffer since csam's receive window has gotten 19 bytes smaller. Csam also sends one byte of data to rtsg in this packet. On the 8th and 9th lines, csam sends two bytes of urgent, pushed data to rtsg.

UDP Packets

UDP format is illustrated by this rwho packet:
     actinide.who > broadcast.who: udp 84

This says that port who on host actinide sent a udp datagram to port who on host broadcast, the Internet broadcast address. The packet contained 84 bytes of user data.

Some UDP services are recognized (from the source or destination port number) and the higher level protocol information printed. In particular, Domain Name service requests (RFC-1034/1035) and Sun RPC calls (RFC-1050) to NFS.

UDP Name Server Requests

(N.B.: The following description assumes familiarity with the Domain Service protocol described in RFC-1035. If you are not familiar with the protocol, the following description will appear to be written in greek.)

Name server requests are formatted as
     src > dst: id op? flags qtype qclass name (len)
     h2opolo.1538 > helios.domain: 3+ A? ucbvax.berkeley.edu. (37)

Host h2opolo asked the domain server on helios for an address record (qtype=A) associated with the name ucbvax.berkeley.edu. The query id was `3'. The `+' indicates the recursion desired flag was set. The query length was 37 bytes, not including the UDP and IP protocol headers. The query operation was the normal one, Query, so the op field was omitted. If the op had been anything else, it would have been printed between the `3' and the `+'. Similarly, the qclass was the normal one, C_IN, and omitted. Any other qclass would have been printed immediately after the `A'.

A few anomalies are checked and may result in extra fields enclosed in square brackets: If a query contains an answer, name server or authority section, ancount, nscount, or arcount are printed as `[na]', `[nn]' or `[nau]' where n is the appropriate count. If any of the response bits are set (AA, RA or rcode) or any of the `must be zero' bits are set in bytes two and three, `[b2&3=x]' is printed, where x is the hex value of header bytes two and three.

UDP Name Server Responses

Name server responses are formatted as
     src > dst: id op rcode flags a/n/au type class data (len)
     helios.domain > h2opolo.1538: 3 3/3/7 A 128.32.137.3 (273)
     helios.domain > h2opolo.1537: 2 NXDomain* 0/1/0 (97)

In the first example, helios responds to query id 3 from h2opolo with 3 answer records, 3 name server records and 7 authority records. The first answer record is type A (address) and its data is internet address 128.32.137.3. The total size of the response was 273 bytes, excluding UDP and IP headers. The op (Query) and response code (NoError) were omitted, as was the class (C_IN) of the A record.

In the second example, helios responds to query 2 with a response code of non-existent domain (NXDomain) with no answers, one name server and no authority records. The `*' indicates that the authoritative answer bit was set. Since there were no answers, no type, class or data were printed.

Other flag characters that might appear are `-' (recursion available, RA, not set) and `|' (truncated message, TC, set). If the `question' section doesn't contain exactly one entry, `[nq]' is printed.

Note that name server requests and responses tend to be large and the default snaplen of 68 bytes may not capture enough of the packet to print. Use the -s flag to increase the snaplen if you need to seriously investigate name server traffic. `-s 128' has worked well for me.

Timestamps

By default, all output lines are preceded by a timestamp. The timestamp is the current clock time in the form hh:mm:ss.frac and is as accurate as the kernel's clock. The timestamp reflects the time the kernel first saw the packet. No attempt is made to account for the time lag between when the ethernet interface removed the packet from the wire and when the kernel serviced the `new packet' interrupt.
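The relative sequence number rule described for TCP lines in this section (the first acknowledging segment of a conversation fixes both directions' initial sequence numbers; later segments print their distance from them; -S restores the raw values) is easy to get subtly wrong, so here it is as an added example written for this page, not pdump's own code. The printer renders `src > dst: flags data-seqno ack window urgent options` from raw header values. The rlogin trace is the one shown above, reconstructed as header values: the two initial sequence numbers are those printed on the first two lines and the remaining values follow from the relative numbers on the later lines. The S F R P letter order and the rule that data-seqno is printed only when the segment carries data or SYN/FIN/RST are assumptions taken from tcpdump's conventions; `absolute=True` stands in for -S.

```python
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class Segment:
    """One TCP segment as it came off the wire (constructed input for this example)."""
    src: str           # "host.port" exactly as the output line prints it
    dst: str
    flags: int
    seq: int           # absolute sequence number from the header
    ack: int           # absolute acknowledgement number from the header
    length: int        # bytes of user data carried
    win: int
    urg: int = 0       # urgent pointer, shown only when URG is set
    options: str = ""  # already-rendered options text, e.g. "mss 1024"


class TcpLinePrinter:
    """Renders 'src > dst: flags data-seqno ack window urgent options' lines, turning
    sequence numbers relative once a conversation is known.  absolute=True is -S."""

    def __init__(self, absolute: bool = False):
        self.absolute = absolute
        self.isn = {}  # (src, dst) -> initial sequence number of that direction

    def _numbers(self, s: Segment):
        """The first ACK-bearing segment of a conversation records both directions' initial
        sequence numbers and is printed with absolute values; later ones are printed relative."""
        if self.absolute or not s.flags & ACK:
            return s.seq, s.ack
        fwd, rev = (s.src, s.dst), (s.dst, s.src)
        if fwd not in self.isn:
            self.isn[fwd], self.isn[rev] = s.seq, s.ack - 1  # so the first data byte each way is 1
            return s.seq, s.ack
        return s.seq - self.isn[fwd], s.ack - self.isn[rev]

    def line(self, s: Segment) -> str:
        seq, ack = self._numbers(s)
        flags = "".join(c for c, bit in (("S", SYN), ("F", FIN), ("R", RST), ("P", PSH)) if s.flags & bit) or "."
        out = f"{s.src} > {s.dst}: {flags}"
        if s.length or s.flags & (SYN | FIN | RST):
            out += f" {seq}:{seq + s.length}({s.length})"  # first:last(nbytes)
        if s.flags & ACK:
            out += f" ack {ack}"
        out += f" win {s.win}"
        if s.flags & URG:
            out += f" urg {s.urg}"
        if s.options:
            out += f" <{s.options}>"
        return out


# The rlogin opening from the OUTPUT FORMAT section, reconstructed as raw header values.
RLOGIN_TRACE = [
    Segment("rtsg.1023", "csam.login", SYN, 768512, 0, 0, 4096, options="mss 1024"),
    Segment("csam.login", "rtsg.1023", SYN | ACK, 947648, 768513, 0, 4096, options="mss 1024"),
    Segment("rtsg.1023", "csam.login", ACK, 768513, 947649, 0, 4096),
    Segment("rtsg.1023", "csam.login", PSH | ACK, 768513, 947649, 1, 4096),
    Segment("csam.login", "rtsg.1023", ACK, 947649, 768514, 0, 4096),
    Segment("rtsg.1023", "csam.login", PSH | ACK, 768514, 947649, 19, 4096),
    Segment("csam.login", "rtsg.1023", PSH | ACK, 947649, 768533, 1, 4077),
    Segment("csam.login", "rtsg.1023", PSH | ACK | URG, 947650, 768533, 1, 4077, urg=1),
    Segment("csam.login", "rtsg.1023", PSH | ACK | URG, 947651, 768533, 1, 4077, urg=1),
]


def render(trace, absolute=False):
    """Format a whole trace with one printer, so conversation state carries across lines."""
    printer = TcpLinePrinter(absolute)
    return [printer.line(s) for s in trace]


if __name__ == "__main__":
    print("\n".join(render(RLOGIN_TRACE)))
```

Running it reproduces the nine lines of the rlogin trace exactly; passing absolute=True to render() shows what -S changes, which is only the two number fields.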
SUPPORT AND TROUBLESHOOTING
You can either join #pdump on SUIDnet (irc.LucidX.com) or you can send me an email at commport5@lucidx.com and I'll reply as soon as I can with whatever questions/comments that you have.
SEE ALSO
traffic(1C), nit(4P), bpf(4), pcap(3), tcpdump(1), ngrep(8), dsniff, siphon
AUTHORS
Samy Kamkar [CommPort5@LucidX.com]
Van Jacobson, Craig Leres and Steven McCanne, all of the Lawrence Berkeley National Laboratory, University of California, Berkeley, CA.
BUGS
Please send bug reports to CommPort5@LucidX.com.
NIT doesn't let you watch your own outbound traffic, BPF will. We recommend that you use the latter.

pdump for Ultrix requires Ultrix version 4.0 or later; the kernel has to have been built with the packetfilter pseudo-device driver (see packetfilter(4)). In order to watch either your own outbound or inbound traffic, you will need to use Ultrix version 4.2 or later, and you will have to have used the pfconfig(8) command to enable ``copyall'' mode.

Under SunOS 4.1, the packet capture code (or Streams NIT) is not what you'd call efficient. Don't plan on doing much with your Sun while you're monitoring a busy network.

On Sun systems prior to release 3.2, NIT is very buggy. If run on an old system, pdump may crash the machine.

Some attempt should be made to reassemble IP fragments or, at least, to compute the right length for the higher level protocol.

Name server inverse queries are not dumped correctly: the (empty) question section is printed rather than the real query in the answer section. Some believe that inverse queries are themselves a bug and prefer to fix the program generating them rather than pdump.

Apple Ethertalk DDP packets could be dumped as easily as KIP DDP packets but aren't. Even if we were inclined to do anything to promote the use of Ethertalk (we aren't), LBL doesn't allow Ethertalk on any of its networks so we would have no way of testing this code.

A packet trace that crosses a daylight savings time change will give skewed time stamps (the time change is ignored).

Filter expressions that manipulate FDDI headers assume that all FDDI packets are encapsulated Ethernet packets. This is true for IP, ARP, and DECNET Phase IV, but is not true for protocols such as ISO CLNS. Therefore, the filter may inadvertently accept certain packets that do not properly match the filter expression.