DEV Community

kei
kei

Posted on

How to see TCP connection establishment with tcpdump

This post describes how to see TCP connection establishment and termination as packets using tcpdump on linux.

Preparing

Install following commands on your linux.

  • tcpdump
  • nc
  • telnet
  • netstat

See TCP connection establishment

1. start TCP server

Start TCP server using nc command with l,k option.

$ nc -lk 12345

Open another terminal and verify 12345 port is listening using netstat command.

$ netstat -anp | grep 12345
tcp  0  0  0.0.0.0:12345  0.0.0.0:*  LISTEN  <PID>/nc             

2. start TCP client and establish connection

Start TCP client using telnet to establish TCP connection with TCP server of step 1.

$ telnet 127.0.0.1 12345
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

Open another terminal and verify nc process and telnet are establishing connection using netstat command.

$ netstat -anp | grep 12345
tcp  0  0 0.0.0.0:12345     0.0.0.0:*        LISTEN      <PID>/nc
tcp  0  0 127.0.0.1:<port>  127.0.0.1:12345  ESTABLISHED <PID>/telnet
tcp  0  0 127.0.0.1:12345   127.0.0.1:<port> ESTABLISHED <PID>/nc 

Terminate TCP client with type "Ctrl+[" and "quit" on telnet. Then Connection is close.

$ telnet 127.0.0.1 12345
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
$ 

It's ready to see TCP connection establishment with tcpdump.

3. See TCP 3-Way Handshake as TCP connection establishment

Verify TCP server that start at step 1 listen 12345 port.

$ netstat -anp | grep 12345
tcp  0  0  0.0.0.0:12345  0.0.0.0:*  LISTEN  <PID>/nc             

Perform tcpdump with specify local interface and port 12345 as follows.

$ sudo tcpdump -i lo -nnn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes

Start TCP client using telnet to establish TCP connection with TCP server of step 1.

$ telnet 127.0.0.1 12345
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

Verify tcpdump output as follows.

HH:mm:ss.SSSSSS IP 127.0.0.1.<port> > 127.0.0.1.12345:  Flags [S], seq ...
HH:mm:ss.SSSSSS IP 127.0.0.1.12345  > 127.0.0.1.<port>: Flags [S.], seq ...
HH:mm:ss.SSSSSS IP 127.0.0.1.<port> > 127.0.0.1.12345:  Flags [.], ack ...

The format is as follows

timestamp IP source IP.port destination > IP.port: flags

First line means a SYN packet as "[S]" flag that telnet sent to TCP server.
Second line means SYN + ACK packet as "[S.]" flag that TCP server sent to telnet.
Third line means ACK packet as "[.]" flag that TCP server sent to telnet.

Open another terminal and verify nc process and telnet are establishing connection using netstat command.

$ netstat -anp | grep 12345
tcp  0  0 0.0.0.0:12345     0.0.0.0:*        LISTEN      <PID>/nc
tcp  0  0 127.0.0.1:<port>  127.0.0.1:12345  ESTABLISHED <PID>/telnet
tcp  0  0 127.0.0.1:12345   127.0.0.1:<port> ESTABLISHED <PID>/nc 

3. See terminate TCP connection establishment

Keep tcpdump, and terminate TCP client with type "Ctrl+[" and "quit" on telnet. Then Connection is close.

$ telnet 127.0.0.1 12345
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
$ 

Verify tcpdump output as follows.

HH:mm:ss.SSSSSS IP 127.0.0.1.<port> > 127.0.0.1.12345:  Flags [F.], seq 1,
HH:mm:ss.SSSSSS IP 127.0.0.1.12345  > 127.0.0.1.<port>: Flags [F.], seq 1,
HH:mm:ss.SSSSSS IP 127.0.0.1.<port> > 127.0.0.1.12345:  Flags [.], ack 2,

First line means a FIN packet as "[F]" flag that telnet sent to TCP server.
Second line means FIN + ACK packet as "[F.]" flag that TCP server sent to telnet.
Third line means ACK packet as "[.]" flag that TCP server sent to telnet.

Open another terminal and verify nc process only.

$ netstat -anp | grep 12345
tcp  0  0 0.0.0.0:12345     0.0.0.0:*        LISTEN      <PID>/nc

Top comments (0)