Having worked on the Sun platform for a while, I have always complained that I do not have a snoop-like utility for Linux. Little did I know that there is such a command, called tethereal, that performs those functions. Lots of folks know about Ethereal, which provides a GUI-based dump and analysis tool for network traffic. tethereal is its command-line cousin.
tethereal [ -vh ] [ -DlLnpqSVx ] [ -a <capture autostop condition> ] ...
[ -b <capture ring buffer option> ] ...
[ -c <capture packet count> ]
[ -d <layer_type>==<selector>,<decode_as_protocol> ] ...
[ -f <capture filter> ] [ -F <output file type> ]
[ -i <capture interface> ] [ -N <name resolving flags> ]
[ -o <preference setting> ] ... [ -r <infile> ]
[ -R <read (display) filter> ] [ -s <capture snaplen> ]
[ -t <time stamp format> ] [ -T pdml|ps|psml|text ]
[ -w <savefile> ] [ -y <capture link type> ] [ -z <statistics> ]
Valid file type arguments to the "-F" flag:
libpcap - libpcap (tcpdump, Ethereal, etc.)
rh6_1libpcap - RedHat Linux 6.1 libpcap (tcpdump)
suse6_3libpcap - SuSE Linux 6.3 libpcap (tcpdump)
modlibpcap - modified libpcap (tcpdump)
nokialibpcap - Nokia libpcap (tcpdump)
nseclibpcap - Nanosecond libpcap (Ethereal)
lanalyzer - Novell LANalyzer
ngsniffer - Network Associates Sniffer (DOS-based)
snoop - Sun snoop
netmon1 - Microsoft Network Monitor 1.x
netmon2 - Microsoft Network Monitor 2.x
ngwsniffer_1_1 - Network Associates Sniffer (Windows-based) 1.1
ngwsniffer_2_0 - Network Associates Sniffer (Windows-based) 2.00x
nettl - HP-UX nettl trace
visual - Visual Networks traffic capture
5views - Accellent 5Views capture
niobserverv9 - Network Instruments Observer version 9
rf5 - Tektronix K12xx 32-bit .rf5 format
default is libpcap

Again, if you want snoop-style output, the
-F snoop
option is the one to reach for. One caveat: -F sets the format of the capture file written with -w, so it only takes effect when you are saving packets to a file; it does not change the per-packet summary lines printed on the terminal. Those lines are tethereal's default text output, which already looks much like snoop's (frame number, relative time, source, destination, protocol, summary), so for on-screen use you can leave -F out entirely. Use -F snoop together with -w when you want a file that Sun's snoop can read back.
# tethereal -F snoop -i eth0 port ldap
  1 0.000000 [fromip > toip] TCP 43282 > ldap [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=538761192 TSER=0 WS=2
  2 0.000250 [fromip > toip] TCP ldap > 43282 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
  3 0.000264 [fromip > toip] TCP 43282 > ldap [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=538761192 TSER=0
  4 0.000453 [fromip > toip] LDAP MsgId=1 Search Request, Base DN=(null)
  5 0.000749 [fromip > toip] LDAP MsgId=1 Search Entry, 1 result
  6 0.000760 [fromip > toip] TCP 43282 > ldap [ACK] Seq=91 Ack=223 Win=5840 Len=0 TSV=538761193 TSER=56589504
  7 0.001073 [fromip > toip] LDAP MsgId=2 Search Request, Base DN=(null)
  8 0.001375 [fromip > toip] LDAP MsgId=2 Search Entry, 1 result
  9 0.001512 [fromip > toip] LDAP MsgId=3 Bind Request, DN=(null)
 10 0.001874 [fromip > toip] LDAP MsgId=3 Bind Result, saslBindInProgress
 11 0.042279 [fromip > toip] TCP 43282 > ldap [ACK] Seq=181 Ack=460 Win=5840 Len=0 TSV=538761234 TSER=56589504
 12 0.135371 [fromip > toip] TCP 43282 > ldap [FIN, ACK] Seq=181 Ack=460 Win=5840 Len=0 TSV=538761328 TSER=56589504
 13 0.135667 [fromip > toip] TCP ldap > 43282 [ACK] Seq=460 Ack=182 Win=65355 Len=0 TSV=56589505 TSER=538761328
 14 0.135681 [fromip > toip] TCP ldap > 43282 [FIN, ACK] Seq=460 Ack=182 Win=65355 Len=0 TSV=56589505 TSER=538761328
 15 0.135691 [fromip > toip] TCP 43282 > ldap [ACK] Seq=182 Ack=461 Win=5840 Len=0 TSV=538761328 TSER=56589505
If only I had known that Samba's ads_connect does a simple and stupid LDAP call, I could have saved a few hours of troubleshooting…
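The capture above is worth more than a glance: it shows the client's LDAP operations in order, and which of them happened before the bind. As an added example that is not part of the original post or of tethereal, here is a small Python parser for tethereal's one-line summary output that reconstructs that story: whether the three-way handshake completed, the LDAP requests paired with their responses by MsgId, how many requests went out before the first Bind Request (those ran anonymously), the bind result, and whether both sides closed the connection. The sample lines are constructed from the capture above, with "client" and "server" standing in for the redacted addresses; the column layout and the "src > dst" versus "src -> dst" separator are assumptions about tethereal's default text output.

```python
import re
from collections import namedtuple

# Constructed sample modelled on the capture in the post: "client" and
# "server" stand in for the redacted addresses, the rest follows the
# post's output. The command echo on the first line is skipped by the parser.
SAMPLE = """\
# tethereal -i eth0 port ldap
  1 0.000000 client > server TCP 43282 > ldap [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=538761192 TSER=0 WS=2
  2 0.000250 server > client TCP ldap > 43282 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
  3 0.000264 client > server TCP 43282 > ldap [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=538761192 TSER=0
  4 0.000453 client > server LDAP MsgId=1 Search Request, Base DN=(null)
  5 0.000749 server > client LDAP MsgId=1 Search Entry, 1 result
  6 0.000760 client > server TCP 43282 > ldap [ACK] Seq=91 Ack=223 Win=5840 Len=0 TSV=538761193 TSER=56589504
  7 0.001073 client > server LDAP MsgId=2 Search Request, Base DN=(null)
  8 0.001375 server > client LDAP MsgId=2 Search Entry, 1 result
  9 0.001512 client > server LDAP MsgId=3 Bind Request, DN=(null)
 10 0.001874 server > client LDAP MsgId=3 Bind Result, saslBindInProgress
 11 0.042279 client > server TCP 43282 > ldap [ACK] Seq=181 Ack=460 Win=5840 Len=0 TSV=538761234 TSER=56589504
 12 0.135371 client > server TCP 43282 > ldap [FIN, ACK] Seq=181 Ack=460 Win=5840 Len=0 TSV=538761328 TSER=56589504
 13 0.135667 server > client TCP ldap > 43282 [ACK] Seq=460 Ack=182 Win=65355 Len=0 TSV=56589505 TSER=538761328
 14 0.135681 server > client TCP ldap > 43282 [FIN, ACK] Seq=460 Ack=182 Win=65355 Len=0 TSV=56589505 TSER=538761328
 15 0.135691 client > server TCP 43282 > ldap [ACK] Seq=182 Ack=461 Win=5840 Len=0 TSV=538761328 TSER=56589505
"""

# Assumed default summary columns: frame number, relative time,
# "src > dst" (newer releases print "src -> dst"), protocol, info.
SUMMARY_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(?:->|>)\s+(\S+)\s+(\S+)\s+(.*)$")
TCP_FLAGS_RE = re.compile(r"\[([A-Z, ]+)\]")     # "[SYN, ACK]" in the TCP info column
LDAP_INFO_RE = re.compile(r"MsgId=(\d+)\s+(.+)")  # "MsgId=3 Bind Request, DN=(null)"

Frame = namedtuple("Frame", "num time src dst proto info")

def parse_summary(text):
    """Turn tethereal summary lines into Frame records; any other line is ignored."""
    frames = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            num, t, src, dst, proto, info = m.groups()
            frames.append(Frame(int(num), float(t), src, dst, proto, info))
    return frames

def tcp_flags(frame):
    """Set of TCP flag names taken from the bracketed part of the info column."""
    m = TCP_FLAGS_RE.search(frame.info)
    return {f.strip() for f in m.group(1).split(",")} if m else set()

def handshake_complete(frames):
    """True when the first three TCP frames are SYN, SYN/ACK, ACK between one host pair."""
    tcp = [f for f in frames if f.proto == "TCP"][:3]
    if len(tcp) < 3:
        return False
    syn, synack, ack = tcp
    return (tcp_flags(syn) == {"SYN"}
            and tcp_flags(synack) == {"SYN", "ACK"} and synack.src == syn.dst
            and tcp_flags(ack) == {"ACK"} and ack.src == syn.src)

def ldap_operations(frames):
    """Group LDAP frames by MsgId into one request plus its responses, in MsgId order."""
    ops = {}
    for f in frames:
        m = LDAP_INFO_RE.match(f.info) if f.proto == "LDAP" else None
        if not m:
            continue
        msgid, desc = int(m.group(1)), m.group(2)
        op = ops.setdefault(msgid, {"msgid": msgid, "request": None, "responses": []})
        if "Request" in desc:
            op["request"] = desc
        else:
            op["responses"].append(desc)
    return [ops[k] for k in sorted(ops)]

def anonymous_operations(frames):
    """Count LDAP requests sent before the first Bind Request: those ran unauthenticated."""
    n = 0
    for f in frames:
        if f.proto != "LDAP" or "Request" not in f.info:
            continue
        if "Bind Request" in f.info:
            break
        n += 1
    return n

def connection_closed(frames):
    """True once both hosts have sent a FIN."""
    fin_senders = {f.src for f in frames if f.proto == "TCP" and "FIN" in tcp_flags(f)}
    return len(fin_senders) == 2

def conversation_summary(frames):
    """One dict describing the whole conversation the summary lines record."""
    ops = ldap_operations(frames)
    binds = [o for o in ops if o["request"] and o["request"].startswith("Bind")]
    return {
        "handshake": handshake_complete(frames),
        "ldap_ops": len(ops),
        "anonymous_ops": anonymous_operations(frames),
        "bind_result": binds[0]["responses"][-1] if binds and binds[0]["responses"] else None,
        "closed": connection_closed(frames),
        "duration": frames[-1].time - frames[0].time if frames else 0.0,
    }

if __name__ == "__main__":
    for key, value in conversation_summary(parse_summary(SAMPLE)).items():
        print(f"{key}: {value}")
```

Feeding it the capture above reports a completed handshake, three LDAP operations of which two (the null-base searches) were sent before any bind, a bind that stopped at saslBindInProgress, and a clean close from both sides. For a real run, pipe tethereal's terminal output into parse_summary instead of SAMPLE.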

Have you ever heard about tcpdump?
Yeah, I use both of those tools. Who doesn't? I thought tethereal did a much better job of displaying the packet contents (use it with the -V option).
For example:
tethereal -i eth0 -V port ldap