This post describes how to observe TCP connection establishment and termination packet by packet using tcpdump on Linux.
Preparing
Install the following commands on your Linux host.
- tcpdump
- nc
- telnet
- netstat
See TCP connection establishment
1. start TCP server
Start a TCP server with the nc command using the -l (listen) and -k (keep listening after a client disconnects; without it nc exits after the first connection) options.
$ nc -lk 12345
Open another terminal and verify that port 12345 is listening using netstat. Run netstat as root (or with sudo) if the PID/Program name column is empty for processes you do not own.
$ netstat -anp | grep 12345
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN <PID>/nc
2. start TCP client and establish connection
Start a TCP client with telnet and establish a TCP connection to the server from step 1.
$ telnet 127.0.0.1 12345
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Open another terminal and verify with netstat that the nc and telnet processes have an established connection.
$ netstat -anp | grep 12345
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN <PID>/nc
tcp 0 0 127.0.0.1:<port> 127.0.0.1:12345 ESTABLISHED <PID>/telnet
tcp 0 0 127.0.0.1:12345 127.0.0.1:<port> ESTABLISHED <PID>/nc
Terminate the TCP client by typing "Ctrl+]" (the telnet escape character) and then "quit" at the telnet> prompt. The connection is then closed.
$ telnet 127.0.0.1 12345
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
$
Now you are ready to observe TCP connection establishment with tcpdump.
3. See the TCP 3-way handshake (TCP connection establishment)
Verify that the TCP server started in step 1 is still listening on port 12345.
$ netstat -anp | grep 12345
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN <PID>/nc
Run tcpdump on the loopback interface, filtering on port 12345, as follows. -i lo selects the interface, and the -n options suppress host and port name resolution so that numeric addresses and ports are printed.
$ sudo tcpdump -i lo -nnn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
Start a TCP client with telnet and establish a TCP connection to the server from step 1.
$ telnet 127.0.0.1 12345
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Verify that the tcpdump output looks as follows.
HH:mm:ss.SSSSSS IP 127.0.0.1.<port> > 127.0.0.1.12345: Flags [S], seq ...
HH:mm:ss.SSSSSS IP 127.0.0.1.12345 > 127.0.0.1.<port>: Flags [S.], seq ...
HH:mm:ss.SSSSSS IP 127.0.0.1.<port> > 127.0.0.1.12345: Flags [.], ack ...
Each line has the following format:
timestamp IP source-IP.port > destination-IP.port: Flags [flags], ...
The first line is a SYN packet, shown as flag "[S]", sent by telnet to the TCP server.
The second line is a SYN+ACK packet, shown as flag "[S.]" (in tcpdump notation "." is the ACK flag), sent by the TCP server back to telnet.
The third line is an ACK packet, shown as flag "[.]", sent by telnet to the TCP server (note the direction: <port> > 12345). After this packet the connection is ESTABLISHED on both sides.
Open another terminal and verify with netstat that the nc and telnet processes have an established connection.
$ netstat -anp | grep 12345
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN <PID>/nc
tcp 0 0 127.0.0.1:<port> 127.0.0.1:12345 ESTABLISHED <PID>/telnet
tcp 0 0 127.0.0.1:12345 127.0.0.1:<port> ESTABLISHED <PID>/nc
4. See TCP connection termination
Keep tcpdump running and terminate the TCP client by typing "Ctrl+]" and then "quit" at the telnet> prompt. The connection is then closed.
$ telnet 127.0.0.1 12345
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
$
Verify that the tcpdump output looks as follows.
HH:mm:ss.SSSSSS IP 127.0.0.1.<port> > 127.0.0.1.12345: Flags [F.], seq 1,
HH:mm:ss.SSSSSS IP 127.0.0.1.12345 > 127.0.0.1.<port>: Flags [F.], seq 1,
HH:mm:ss.SSSSSS IP 127.0.0.1.<port> > 127.0.0.1.12345: Flags [.], ack 2,
The first line is a FIN+ACK packet, shown as flag "[F.]", sent by telnet to the TCP server when telnet closes its side.
The second line is a FIN+ACK packet, also "[F.]", sent by the TCP server to telnet: nc closes its side immediately, so its FIN and its acknowledgement of telnet's FIN travel in the same packet. When the server does not close right away you instead see the textbook four-packet close (FIN+ACK, ACK, FIN+ACK, ACK).
The third line is an ACK packet, shown as flag "[.]", sent by telnet to the TCP server (direction <port> > 12345), acknowledging the server's FIN. The connection is now fully closed.
Open another terminal and verify that only the listening nc socket remains.
$ netstat -anp | grep 12345
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN <PID>/nc
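The procedure above identifies the handshake and the close by reading tcpdump's flag column by eye. The following script is an added example (not from the original post): it parses lines in the tcpdump format described above, takes the sender of the bare SYN as the client, and replays the packets through a small observer-side state machine, so that the 3-way handshake and the FIN exchange are recognised automatically and a wrong-direction packet (for example a third-packet ACK coming from the server instead of the client) is not mistaken for a completed handshake. The sample capture embedded in it is constructed by hand to mirror the post's output (port 54321 for the client, a connection to closed port 12346 answered by RST); timestamps and sequence numbers are illustrative.

```python
"""Replay tcpdump text output and reconstruct each TCP connection's lifecycle.

Added example, not code from the original post. Parses the line format the
post explains ("timestamp IP src.port > dst.port: Flags [..], ...") for IPv4
captures taken with -nn and follows the handshake and the FIN exchange.
"""
import re
from collections import OrderedDict

# Start of a tcpdump TCP line produced with -nn (IPv4 only, no name resolution).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<sip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# tcpdump's one-letter TCP flags: "." is ACK, so "[S.]" is SYN+ACK and "[F.]" is FIN+ACK.
FLAG_NAMES = {"S": "SYN", ".": "ACK", "F": "FIN", "R": "RST",
              "P": "PSH", "U": "URG", "E": "ECE", "W": "CWR"}

# Constructed sample capture (not real output): one full connection to port 12345,
# then a SYN to closed port 12346 that is answered with a RST.
SAMPLE = """\
12:00:00.000100 IP 127.0.0.1.54321 > 127.0.0.1.12345: Flags [S], seq 1000, win 43690, length 0
12:00:00.000120 IP 127.0.0.1.12345 > 127.0.0.1.54321: Flags [S.], seq 2000, ack 1001, win 43690, length 0
12:00:00.000130 IP 127.0.0.1.54321 > 127.0.0.1.12345: Flags [.], ack 1, win 342, length 0
12:00:01.100000 IP 127.0.0.1.54321 > 127.0.0.1.12345: Flags [P.], seq 1:7, ack 1, win 342, length 6
12:00:01.100010 IP 127.0.0.1.12345 > 127.0.0.1.54321: Flags [.], ack 7, win 342, length 0
12:00:05.000000 IP 127.0.0.1.54321 > 127.0.0.1.12345: Flags [F.], seq 7, ack 1, win 342, length 0
12:00:05.000010 IP 127.0.0.1.12345 > 127.0.0.1.54321: Flags [F.], seq 1, ack 8, win 342, length 0
12:00:05.000020 IP 127.0.0.1.54321 > 127.0.0.1.12345: Flags [.], ack 2, win 342, length 0
12:00:09.000000 IP 127.0.0.1.54322 > 127.0.0.1.12346: Flags [S], seq 3000, win 43690, length 0
12:00:09.000005 IP 127.0.0.1.12346 > 127.0.0.1.54322: Flags [R.], seq 0, ack 3001, win 0, length 0
"""


def parse_line(line):
    """Return (timestamp, (src_ip, src_port), (dst_ip, dst_port), flags) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # tcpdump banner lines, non-TCP traffic, anything unparsable
    src = (m["sip"], int(m["sport"]))
    dst = (m["dip"], int(m["dport"]))
    flags = frozenset(FLAG_NAMES[c] for c in m["flags"] if c in FLAG_NAMES)
    return m["ts"], src, dst, flags


def track(lines):
    """Replay lines in capture order; return {(client, server): connection record}.

    The sender of the bare SYN is the client. Packets of connections whose SYN
    was not captured are ignored, since their opening side is unknown.
    """
    conns = OrderedDict()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        ts, src, dst, flags = pkt

        if flags == {"SYN"}:  # first packet of the 3-way handshake
            conns[(src, dst)] = {"state": "SYN_SENT", "fin_from": set(),
                                 "packets": 1, "history": [(ts, "SYN_SENT")]}
            continue

        key = next((k for k in ((src, dst), (dst, src)) if k in conns), None)
        if key is None:
            continue
        c = conns[key]
        c["packets"] += 1
        from_client = src == key[0]
        state = c["state"]

        if "RST" in flags:
            new = "RESET"
        elif state == "SYN_SENT" and not from_client and flags >= {"SYN", "ACK"}:
            new = "SYN_RECEIVED"            # second packet: the server's SYN+ACK
        elif state == "SYN_RECEIVED" and from_client and "ACK" in flags:
            new = "ESTABLISHED"             # third packet: the client's ACK, not the server's
        elif "FIN" in flags and state in ("ESTABLISHED", "FIN_SEEN"):
            c["fin_from"].add("client" if from_client else "server")
            new = "FIN_SEEN"                # covers both the 3- and the 4-packet close
        elif state == "FIN_SEEN" and "ACK" in flags and c["fin_from"] == {"client", "server"}:
            new = "CLOSED"                  # final ACK after both sides have sent FIN
        else:
            new = state                     # data ([P.]) and plain ACKs change nothing

        if new != state:
            c["state"] = new
            c["history"].append((ts, new))
    return conns


def summarize(conns):
    """One line per connection: endpoints, state path, packet count."""
    out = []
    for (client, server), c in conns.items():
        path = " -> ".join(s for _, s in c["history"])
        out.append(f"{client[0]}:{client[1]} > {server[0]}:{server[1]}  {path}  ({c['packets']} packets)")
    return out


if __name__ == "__main__":
    for line in summarize(track(SAMPLE.splitlines())):
        print(line)
```

To use it on a real capture from the procedure above, pipe tcpdump's text output into the script (`sudo tcpdump -i lo -nn -l port 12345 | python3 tcpdump_flow.py` with a `sys.stdin` loop in place of SAMPLE; `-l` makes tcpdump line-buffer its output). The script is deliberately an observer, not a TCP implementation: it does not check sequence or acknowledgement numbers, and a connection whose SYN falls outside the capture window is skipped rather than guessed at.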