Day 43 - Tcpdump: traffic analysis
If you need to analyse network traffic at a low level, you can use the tcpdump Unix command.
(It must be executed with root permissions.)
$ tcpdump
tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
# In a different terminal
$ curl api.iadvize.com
You will see the following output:
16:06:12.711242 IP (tos 0x0, ttl 64, id 8023, offset 0, flags [DF], proto TCP (6), length 64)
172.16.17.14.50466 > ec2-35-158-49-198.eu-central-1.compute.amazonaws.com.http: Flags [S], cksum 0xcda3 (correct), seq 3596701967, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 659243688 ecr 0,sackOK,eol], length 0
16:06:12.732035 IP (tos 0x0, ttl 243, id 0, offset 0, flags [DF], proto TCP (6), length 60)
ec2-35-158-49-198.eu-central-1.compute.amazonaws.com.http > 172.16.17.14.50466: Flags [S.], cksum 0xa122 (correct), seq 3251349329, ack 3596701968, win 26847, options [mss 1460,sackOK,TS val 51079274 ecr 659243688,nop,wscale 8], length 0
16:06:12.732144 IP (tos 0x0, ttl 64, id 14042, offset 0, flags [DF], proto TCP (6), length 52)
172.16.17.14.50466 > ec2-35-158-49-198.eu-central-1.compute.amazonaws.com.http: Flags [.], cksum 0x28a5 (correct), seq 1, ack 1, win 4117, options [nop,nop,TS val 659243709 ecr 51079274], length 0
16:06:12.732537 IP (tos 0x0, ttl 64, id 63996, offset 0, flags [DF], proto TCP (6), length 131)
172.16.17.14.50466 > ec2-35-158-49-198.eu-central-1.compute.amazonaws.com.http: Flags [P.], cksum 0xbcd9 (correct), seq 1:80, ack 1, win 4117, options [nop,nop,TS val 659243709 ecr 51079274], length 79: HTTP, length: 79
GET / HTTP/1.1
Host: api.iadvize.com
User-Agent: curl/7.51.0
Accept: */*
16:06:12.753267 IP (tos 0x0, ttl 243, id 53026, offset 0, flags [DF], proto TCP (6), length 52)
ec2-35-158-49-198.eu-central-1.compute.amazonaws.com.http > 172.16.17.14.50466: Flags [.], cksum 0x37fc (correct), seq 1, ack 80, win 105, options [nop,nop,TS val 51079280 ecr 659243709], length 0
16:06:12.775466 IP (tos 0x0, ttl 243, id 53027, offset 0, flags [DF], proto TCP (6), length 494)
ec2-35-158-49-198.eu-central-1.compute.amazonaws.com.http > 172.16.17.14.50466: Flags [P.], cksum 0xe54b (correct), seq 1:443, ack 80, win 105, options [nop,nop,TS val 51079285 ecr 659243709], length 442: HTTP, length: 442
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: text/html
Date: Tue, 30 May 2017 14:06:12 GMT
ETag: "56cc643e-9f"
Last-Modified: Tue, 23 Feb 2016 13:53:02 GMT
Server: openresty
Vary: Accept-Encoding
X-Powered-By: iSystemize
Content-Length: 159
Connection: keep-alive
<html>
<head>
<title>Welcome on iAdvize!</title>
</head>
<body>
<h1>You should not be getting here buddy!</h1>
</body>
</html>
16:06:12.775552 IP (tos 0x0, ttl 64, id 1139, offset 0, flags [DF], proto TCP (6), length 52)
172.16.17.14.50466 > ec2-35-158-49-198.eu-central-1.compute.amazonaws.com.http: Flags [.], cksum 0x2676 (correct), seq 80, ack 443, win 4103, options [nop,nop,TS val 659243750 ecr 51079285], length 0
16:06:12.775807 IP (tos 0x0, ttl 64, id 45582, offset 0, flags [DF], proto TCP (6), length 52)
172.16.17.14.50466 > ec2-35-158-49-198.eu-central-1.compute.amazonaws.com.http: Flags [F.], cksum 0x2675 (correct), seq 80, ack 443, win 4103, options [nop,nop,TS val 659243750 ecr 51079285], length 0
In this dump, we can see my host (172.16.17.14) opening a new TCP connection to ec2-35-158-49-198.eu-central-1.compute.amazonaws.com.
The local port is 50466.
The sizes of the TCP/IP packets are 64, 60, 52… bytes.
The HTTP request is 79 bytes long. The response is 442 bytes long.
The TTL of the IP packets going from my host to AWS is 64.
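To go beyond reading the dump by eye, here is an added example in Python (not part of the original post): a small parser for the two-line-per-packet layout of the verbose tcpdump output above, which recovers the three-way handshake, the bytes carried by the HTTP request and response, and the TTL seen per direction. The sample lines are constructed from the dump above with the TCP options trimmed.

```python
import re

# One packet spans two lines in verbose tcpdump output: the IP header line and
# the TCP flow line.  Payload lines (HTTP headers, HTML) match neither pattern.
HEADER_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP \(.*?\bttl (\d+),.*?\blength (\d+)\)$")
FLOW_RE = re.compile(r"^\s*(\S+) > (\S+): Flags \[([^\]]*)\],.*?\blength (\d+)")

def parse_tcpdump(text):
    packets, pending = [], None
    for line in text.splitlines():
        if m := HEADER_RE.match(line.rstrip()):
            pending = m.groups()                 # remember the IP header until its flow line
        elif pending and (m := FLOW_RE.match(line)):
            ts, ttl, ip_len = pending
            src, dst, flags, payload = m.groups()
            packets.append(dict(ts=ts, src=src, dst=dst, flags=flags,
                                ttl=int(ttl), ip_len=int(ip_len), payload=int(payload)))
            pending = None
    return packets

def summarize(packets):
    client = packets[0]["src"]                   # the side that sent the first SYN
    handshake = [p["flags"] for p in packets[:3]] == ["S", "S.", "."] and packets[1]["dst"] == client
    ttls = {}
    for p in packets:                            # strip the port, keep every TTL seen per host
        ttls.setdefault(p["src"].rsplit(".", 1)[0], set()).add(p["ttl"])
    return {
        "handshake": handshake,
        "request_bytes": sum(p["payload"] for p in packets if p["src"] == client),
        "response_bytes": sum(p["payload"] for p in packets if p["dst"] == client),
        "ttl": ttls,
    }

# Constructed sample in the same layout as the dump above (TCP options trimmed).
SAMPLE = """\
16:06:12.711242 IP (tos 0x0, ttl 64, id 8023, offset 0, flags [DF], proto TCP (6), length 64)
    172.16.17.14.50466 > ec2-35-158-49-198.eu-central-1.compute.amazonaws.com.http: Flags [S], seq 3596701967, win 65535, length 0
16:06:12.732035 IP (tos 0x0, ttl 243, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    ec2-35-158-49-198.eu-central-1.compute.amazonaws.com.http > 172.16.17.14.50466: Flags [S.], seq 3251349329, ack 3596701968, win 26847, length 0
16:06:12.732144 IP (tos 0x0, ttl 64, id 14042, offset 0, flags [DF], proto TCP (6), length 52)
    172.16.17.14.50466 > ec2-35-158-49-198.eu-central-1.compute.amazonaws.com.http: Flags [.], seq 1, ack 1, win 4117, length 0
16:06:12.732537 IP (tos 0x0, ttl 64, id 63996, offset 0, flags [DF], proto TCP (6), length 131)
    172.16.17.14.50466 > ec2-35-158-49-198.eu-central-1.compute.amazonaws.com.http: Flags [P.], seq 1:80, ack 1, win 4117, length 79: HTTP, length: 79
GET / HTTP/1.1
16:06:12.775466 IP (tos 0x0, ttl 243, id 53027, offset 0, flags [DF], proto TCP (6), length 494)
    ec2-35-158-49-198.eu-central-1.compute.amazonaws.com.http > 172.16.17.14.50466: Flags [P.], seq 1:443, ack 80, win 105, length 442: HTTP, length: 442
HTTP/1.1 200 OK
16:06:12.775807 IP (tos 0x0, ttl 64, id 45582, offset 0, flags [DF], proto TCP (6), length 52)
    172.16.17.14.50466 > ec2-35-158-49-198.eu-central-1.compute.amazonaws.com.http: Flags [F.], seq 80, ack 443, win 4103, length 0
"""
```

Running `summarize(parse_tcpdump(SAMPLE))` gives the same figures the post reads off the dump: a completed handshake, 79 request bytes, 442 response bytes, TTL 64 outbound and 243 inbound.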
More about tcpdump tomorrow ;)
by ops for non-ops