What are the advantages and benefits of tcpdump, how can it be used, and in which environments can it be used?
2 Answers
Packet sniffers are a very valuable tool. When coupled with a protocol decoder such as Wireshark, they can tell you in explicit detail what's actually happening on the network wire. Depending on what you're trying to figure out, they can show you the exact problem, or lead you into the right course of research for the actual problem. Learning to read packet traces is one of the skills most system administrators need at least a little of.
A brief list of things that a packet trace will display in gory detail:
- DNS resolution problems. You'll see the full resolution fallback process, and can highlight configuration problems (why are we hitting THAT server? Why are we attempting to resolve a DNS domain that died 5 years ago? Why are we attempting to resolve IPv6 addresses before IPv4?)
- TCP errors. Retransmits, bad windowing, packet corruption. All these things really slow connections down.
- SMB Protocol negotiation problems. Of interest to Windows/Samba administrators, this will show protocol negotiation problems (NTLM? NTLMv2? Kerberos? LanMan?) between clients and the server.
And that's just the easy stuff that the dissectors tell you outright. Once you've learned how things are supposed to look, you'll start to see patterns in the traffic that the dissectors don't reveal.
However, not all problems can be broken by packet sniffing. Problems with SSL/TLS communication are almost by definition invisible. Sometimes the problem is with a higher layer protocol (such as a hand built web-API) and doesn't show any artifacts on the wire.

Thanks for your answer. Can you suggest how I could learn these and where to start learning? – developer Apr 05 '12 at 11:48
@developer The most accessible source is probably the [Wireshark Wiki](http://wiki.wireshark.org/). They even have example captures to download and look at, and pages to tell you what you are looking at. Example-based education! – sysadmin1138 Apr 05 '12 at 11:54
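The list above (DNS failures, TCP retransmits) is exactly the kind of thing you can pull out of a capture programmatically once it is on disk. The following is an added example, not code from either answer: it decodes the pcap format that `tcpdump -w capture.pcap` writes (and that `tcpdump -r` and Wireshark read back), walks Ethernet/IPv4/UDP/TCP, and flags DNS responses with rcode NXDOMAIN and TCP data segments whose sequence number was already seen on the same flow. The hosts, names and the capture itself are constructed in memory for the example; the builder functions exist only to produce that sample, and the retransmit check is a deliberately simple heuristic, not the one Wireshark's dissector uses.

```python
"""Decode a tcpdump (pcap) capture and flag NXDOMAIN answers and TCP retransmissions.

Added example. The capture is constructed in memory; hosts and names are made up.
"""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # microsecond pcap, the format `tcpdump -w` produces


# ---------- builders: used only to construct the sample capture ----------
def eth(payload, ethertype=0x0800):
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ethertype) + payload


def ipv4(src, dst, proto, payload):
    # header checksum left at 0: the parser below does not verify it
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def tcp(sport, dport, seq, ack, flags, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload


def dns(txid, flags, qname, qtype=1):
    # question section only; answer records omitted, the analysis reads just the rcode
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1333626000 + i, 0, len(f), len(f)) + f
    return out


CLIENT, RESOLVER, SERVER = "10.0.0.5", "10.0.0.2", "10.0.0.9"  # constructed, hypothetical hosts
SAMPLE_CAPTURE = pcap([
    # lookup of a long-dead internal zone: the resolver answers NXDOMAIN (rcode 3)
    eth(ipv4(CLIENT, RESOLVER, 17, udp(40123, 53, dns(0x1A2B, 0x0100, "fileserver.oldcorp.local")))),
    eth(ipv4(RESOLVER, CLIENT, 17, udp(53, 40123, dns(0x1A2B, 0x8183, "fileserver.oldcorp.local")))),
    # a healthy lookup, answered NOERROR (rcode 0)
    eth(ipv4(CLIENT, RESOLVER, 17, udp(40124, 53, dns(0x1A2C, 0x0100, "fileserver.corp.example")))),
    eth(ipv4(RESOLVER, CLIENT, 17, udp(53, 40124, dns(0x1A2C, 0x8180, "fileserver.corp.example")))),
    # a data segment to port 445, then the same segment again: a retransmission
    eth(ipv4(CLIENT, SERVER, 6, tcp(50000, 445, 1000, 1, 0x18, b"SMB request"))),
    eth(ipv4(CLIENT, SERVER, 6, tcp(50000, 445, 1000, 1, 0x18, b"SMB request"))),
    eth(ipv4(SERVER, CLIENT, 6, tcp(445, 50000, 1, 1011, 0x10))),  # pure ACK, no data
])


# ---------- reader and analysis ----------
def read_pcap(data):
    """Yield raw link-layer frames from pcap bytes (either byte order of the magic)."""
    end = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(end + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a (microsecond) pcap file")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def dns_qname(msg, off=12):
    """Decode the question name (labels, following compression pointers) from a DNS message."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels)
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier name
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def analyze(data):
    """Return NXDOMAIN answers and repeated-sequence TCP data segments found in a capture."""
    findings = {"nxdomain": [], "retransmits": []}
    seen_seqs = defaultdict(set)
    for frame in read_pcap(data):
        if struct.unpack("!H", frame[12:14])[0] != 0x0800:
            continue  # not IPv4; a real tool would also handle VLAN tags and IPv6
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        l4 = ip[ihl:]
        if proto == 17:
            sport, dport = struct.unpack("!HH", l4[:4])
            if sport == 53:
                msg = l4[8:]
                flags = struct.unpack("!H", msg[2:4])[0]
                if (flags & 0x8000) and (flags & 0x000F) == 3:  # a response whose rcode is NXDOMAIN
                    findings["nxdomain"].append((dns_qname(msg), src))
        elif proto == 6:
            sport, dport, seq = struct.unpack("!HHI", l4[:8])
            doff = (l4[12] >> 4) * 4
            if len(l4) - doff == 0:
                continue  # pure ACKs carry no data, so a repeated seq there means nothing
            key = (src, sport, dst, dport)
            if seq in seen_seqs[key]:
                findings["retransmits"].append((src, sport, dst, dport, seq))
            seen_seqs[key].add(seq)
    return findings


if __name__ == "__main__":
    result = analyze(SAMPLE_CAPTURE)
    for name, resolver in result["nxdomain"]:
        print(f"NXDOMAIN for {name} from resolver {resolver}")
    for src, sport, dst, dport, seq in result["retransmits"]:
        print(f"retransmit {src}:{sport} -> {dst}:{dport} seq={seq}")
```

To run this against real traffic, capture with something like `tcpdump -i eth0 -w capture.pcap port 53 or port 445` and pass the file's bytes to `analyze`; the same file opens in Wireshark, which is the easiest way to confirm what the script reports and to see the fields it ignores.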
You can use it
- to see all the network traffic generated by an application
- to solve network problems
- for security testing
Not to mention that they are extremely useful when starting to study computer networks, because you can see exactly what kind of information is flowing through the network and how this information is represented.