TCPDUMP

  1. #1
    SBTlauien African Astronaut
    So I did some arp poisoning and TCPdump and got a bunch of packets like this...


    192.168.33.103.47915 > 224.0.0.251.5353: [udp sum ok] 49 [2au] PTR (QU)? _alljoyn._tcp.local. ar: search.c155cba214b389d11489f34ccc12d0c2.local. TXT "txtvers=0" "i_1=net.allplay.MediaPlayer", sender-info.c155cba214b389d11489f34ccc12d0c2.local. TXT "txtvers=0" "ajpv=12" "ipv4=192.168.33.103" "pv=2" "sid=57" "upcv4=47915" (213)
    02:19:38.696652 IP (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 240)
    192.168.33.103.53813 > 224.0.0.251.5353: [udp sum ok] 1 [2au] PTR (QU)? _alljoyn._tcp.local. ar: search.5b9a024aea5fc7b9419f393ae058e0b3.local. TXT "txtvers=0" "i_1=net.allplay.MediaPlayer", sender-info.5b9a024aea5fc7b9419f393ae058e0b3.local. TXT "txtvers=0" "ajpv=12" "ipv4=192.168.33.103" "pv=2" "sid=1" "upcv4=53813" (212)
    02:19:38.696983 IP (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 233)
    192.168.33.103.53813 > 224.0.0.251.5353: [udp sum ok] 2 [2au] PTR (QU)? _alljoyn._tcp.local. ar: search.5b9a024aea5fc7b9419f393ae058e0b3.local. TXT "txtvers=0" "n_1=org.alljoyn.sl.*", sender-info.5b9a024aea5fc7b9419f393ae058e0b3.local. TXT "txtvers=0" "ajpv=12" "ipv4=192.168.33.103" "pv=2" "sid=2" "upcv4=53813" (205)
    02:19:41.765351 IP (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 240)
    192.168.33.103.53813 > 224.0.0.251.5353: [udp sum ok] 1 [2au] PTR (QU)? _alljoyn._tcp.local. ar: search.5b9a024aea5fc7b9419f393ae058e0b3.local. TXT "txtvers=0" "i_1=net.allplay.MediaPlayer", sender-info.5b9a024aea5fc7b9419f393ae058e0b3.local. TXT "txtvers=0" "ajpv=12" "ipv4=192.168.33.103" "pv=2" "sid=7" "upcv4=53813" (212)
    02:19:41.765483 IP (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 233)
    192.168.33.103.53813 > 224.0.0.251.5353: [udp sum ok] 2 [2au] PTR (QU)? _alljoyn._tcp.local. ar: search.5b9a024aea5fc7b9419f393ae058e0b3.local. TXT "txtvers=0" "n_1=org.alljoyn.sl.*", sender-info.5b9a024aea5fc7b9419f393ae058e0b3.local. TXT "txtvers=0" "ajpv=12" "ipv4=192.168.33.103" "pv=2" "sid=8" "upcv4=53813" (205)
    02:19:41.765551 IP (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 51)
    192.168.33.103.9956 > 224.0.0.113.9956: [udp sum ok] UDP, length 23
    02:19:41.765614 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 51)
    192.168.33.103.9956 > 192.168.33.255.9956: [udp sum ok] UDP, length 23
    02:20:07.078385 IP (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 241)
    192.168.33.103.53813 > 224.0.0.251.5353: [udp sum ok] 1 [2au] PTR (QU)? _alljoyn._tcp.local. ar: search.5b9a024aea5fc7b9419f393ae058e0b3.local. TXT "txtvers=0" "i_1=net.allplay.MediaPlayer", sender-info.5b9a024aea5fc7b9419f393ae058e0b3.local. TXT "txtvers=0" "ajpv=12" "ipv4=192.168.33.103" "pv=2" "sid=11" "upcv4=53813" (213)
    02:20:07.078461 IP (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 234)
    192.168.33.103.53813 > 224.0.0.251.5353: [udp sum ok] 2 [2au] PTR (QU)? _alljoyn._tcp.local. ar: search.5b9a024aea5fc7b9419f393ae058e0b3.local. TXT "txtvers=0" "n_1=org.alljoyn.sl.*", sender-info.5b9a024aea5fc7b9419f393ae058e0b3.local. TXT "txtvers=0" "ajpv=12" "ipv4=192.168.33.103" "pv=2" "sid=12" "upcv4=53813" (206)
    02:22:08.525020 IP (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 241)
    192.168.33.103.36911 > 224.0.0.251.5353: [udp sum ok] 13 [2au] PTR (QU)? _alljoyn._tcp.local. ar: search.5b9a024aea5fc7b9419f393ae058e0b3.local. TXT "txtvers=0" "i_1=net.allplay.MediaPlayer", sender-info.5b9a024aea5fc7b9419f393ae058e0b3.local. TXT "txtvers=0" "ajpv=12" "ipv4=192.168.33.103" "pv=2" "sid=13" "upcv4=36911" (213)
    02:22:08.525563 IP (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 234)
    192.168.33.103.36911 > 224.0.0.251.5353: [udp sum ok] 14 [2au] PTR (QU)? _alljoyn._tcp.local. ar: search.5b9a024aea5fc7b9419f393ae058e0b3.local. TXT "txtvers=0" "n_1=org.alljoyn.sl.*", sender-info.5b9a024aea5fc7b9419f393ae058e0b3.local. TXT "txtvers=0" "ajpv=12" "ipv4=192.168.33.103" "pv=2" "sid=14" "upcv4=36911" (206)
    02:22:08.526502 IP (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 51)
    192.168.33.103.9956 > 224.0.0.113.9956: [udp sum ok] UDP, length 23
    02:22:08.528570 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 51)
    192.168.33.103.9956 > 192.168.33.255.9956: [udp sum ok] UDP, length 23
    02:22:08.529550 IP (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 51)
    192.168.33.103.9956 > 224.0.0.113.9956: [udp sum ok] UDP, length 23
    02:22:08.531408 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 51)
    192.168.33.103.9956 > 192.168.33.255.9956: [udp sum ok] UDP, length 23
    02:22:08.536775 IP (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 241)


    What's it mean? On this network, there was a password required to browse the internet but I was still able to ping other nodes before I had entered the password. The server was NANOHTTPD which I thought was kind of strange since I haven't seen any yet but I actually use it myself (for SSLSTRIP).

    Right now this is how I am running TCPdump...

    We'll say I want to capture for IP address "192.168.33.121"

    tcpdump -nn 192.168.33.121 -vv -s 0


    Should I be using -vvv instead? I'd like more data.

    Edit: I can see that "org.alljoyn.sl" is https://allseenalliance.org, so it must be someone connected to the router via their phone...
  2. #2
    LiquidIce Houston
    > So I did some arp poisoning and TCPdump and got a bunch of packets like this…

    By "On this network, there was a password required to browse the internet" do you mean that there's a captive portal that asks you for a password before you can connect to the web? The traffic looks like DNS queries; the IP looks like a multicast (anycast?) address.

    How to sift through this traffic? I usually had the opposite problem of having too much data, i.e. thousands of packets. I then captured packets with tcpdump but analyzed them in Wireshark because of those cool enhancements. You could try running it with -X to see the packets in ascii+hex.
  3. #3
    EasyDoesIt Tuskegee Airman
    I'm going to get back to you on this. I saw this right before I had to leave for work or I would have responded sooner.
  4. #4
    EasyDoesIt Tuskegee Airman
    So I'm not sure that I'm understanding your question clearly, but figured I'd give it a whirl and drop off the little knowledge I have on this.

    192.168.33.103.47915 > 224.0.0.251.5353: [udp sum ok] 49 [2au] PTR (QU)? _alljoyn._tcp.local. ar: search.c155cba214b389d11489f34ccc12d0c2.local. TXT "txtvers=0" "i_1=net.allplay.MediaPlayer", sender-info.c155cba214b389d11489f34ccc12d0c2.local. TXT "txtvers=0" "ajpv=12" "ipv4=192.168.33.103" "pv=2" "sid=57" "upcv4=47915" (213) 02:19:38.696652 IP (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 240)

    What's it mean?


    192.168.33.103

    This is the source IP. I'm not sure how much you know about TCP/IP (obviously enough to be running TCPdump / wireshark) but, each packet has a source IP address, a source port, a destination IP address, and a destination port. The data is sent to the right service by the port number.

    47915


    This is that source port.


    > "...The datagrams are being sent to.."


    224.0.0.251

    This is the destination IP.

    5353

    This is the destination port.


    [udp sum ok]

    This is the User Datagram Protocol (UDP) of the internet protocol suite (the distant cousin of TCP/IP). Basically UDP provides checksums for data integrity, meaning it calculates the sum of the correct digits in a piece of transmitted data and "checks the sum" against the final delivery to see if you lost any. In this case, the sum was the same.


    49 [2au]

    This is where I start kind of getting confused because this is normally where your flags would go (I think). I'm not sure what this noise is.

    PTR

    This is your pointer request. Basically this tells the computer that you want the ip address translated into a name.

    alljoyn._tcp.local. ar: search.c155cba214b389d11489f34ccc12d0c2.local. TXT "txtvers=0" "i_1=net.allplay.MediaPlayer", sender-info.c155cba214b389d11489f34ccc12d0c2.local. TXT "txtvers=0" "ajpv=12"

    This is the name, which you said you found...

    Edit: I can see that "org.alljoyn.sl" is https://allseenalliance.org, so it must be someone connected to the router via their phone…

    I'm not sure if any of this is actually helpful because I'm not sure how advanced you are or if that helped clear anything up. The only other consolation I could offer is the basic troubleshooting of using -XX or -A flags to make it more legible.

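Since the question in #2 (how to sift through this traffic) and the field-by-field walk-through in #4 both come down to reading these lines by hand, here is a small Python parser, added as an example and not code from anyone in the thread, that pairs each `-vv` header line with its payload line, pulls out the addresses, ports, mDNS query name and TXT key=value pairs, and summarizes per source host. The `KNOWN` labels for 224.0.0.251:5353 and 224.0.0.113:9956 and the shortened hostnames in `SAMPLE` are my assumptions, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the thread's tcpdump -vv output; record 1 lacks its header.
SAMPLE = """\
    192.168.33.103.47915 > 224.0.0.251.5353: [udp sum ok] 49 [2au] PTR (QU)? _alljoyn._tcp.local. ar: search.c155.local. TXT "txtvers=0" "i_1=net.allplay.MediaPlayer", sender-info.c155.local. TXT "txtvers=0" "ajpv=12" "ipv4=192.168.33.103" "pv=2" "sid=57" "upcv4=47915" (213)
02:19:38.696983 IP (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 233)
    192.168.33.103.53813 > 224.0.0.251.5353: [udp sum ok] 2 [2au] PTR (QU)? _alljoyn._tcp.local. ar: search.5b9a.local. TXT "txtvers=0" "n_1=org.alljoyn.sl.*", sender-info.5b9a.local. TXT "txtvers=0" "ajpv=12" "ipv4=192.168.33.103" "pv=2" "sid=2" "upcv4=53813" (205)
02:19:41.765551 IP (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 51)
    192.168.33.103.9956 > 224.0.0.113.9956: [udp sum ok] UDP, length 23
02:19:41.765614 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 51)
    192.168.33.103.9956 > 192.168.33.255.9956: [udp sum ok] UDP, length 23
"""

HDR = re.compile(r"^(\S+) IP \(.*?ttl (\d+),.*?proto (\w+) \(\d+\), length (\d+)\)")
PAY = re.compile(r"^\s*(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (.*)$")
QRY = re.compile(r"\b(PTR|SRV|TXT|A|AAAA) \((QU|QM)\)\? (\S+)")
KV = re.compile(r'"([^"=]+)=([^"]*)"')  # tcpdump prints TXT strings as "key=value"
# Assumed labels for the two multicast destinations seen in the dump (not from the thread).
KNOWN = {("224.0.0.251", 5353): "mDNS", ("224.0.0.113", 9956): "AllJoyn NS"}

def parse(text):
    """Pair each header line with its payload line; tolerate a missing header."""
    records, hdr = [], None
    for line in text.splitlines():
        if m := HDR.match(line):
            hdr = {"time": m.group(1), "ttl": int(m.group(2)), "proto": m.group(3)}
        elif m := PAY.match(line):
            src, sport, dst, dport, body = m.groups()
            q = QRY.search(body)
            rec = dict(hdr or {"time": None, "ttl": None, "proto": None})
            rec.update(src=src, sport=int(sport), dst=dst, dport=int(dport),
                       service=KNOWN.get((dst, int(dport)), "unknown"),
                       query=q.group(3) if q else None, txt=dict(KV.findall(body)))
            records.append(rec)
            hdr = None  # a header belongs to exactly one payload line
    return records

def summarize(records):
    """Per source host: what it queried, what it advertised, and where it sent."""
    out = defaultdict(lambda: {"queries": set(), "advertised": set(), "dests": set()})
    for r in records:
        s = out[r["src"]]
        s["dests"].add((r["dst"], r["dport"], r["service"]))
        if r["query"]:
            s["queries"].add(r["query"])
        for k, v in r["txt"].items():
            if k.startswith(("i_", "n_")):  # AllJoyn interface / name filters
                s["advertised"].add(v)
    return dict(out)
```

Records with ttl 1 are link-local multicast that no router forwards, so a captive portal that only filters traffic at the gateway never touches them.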
  5. #5
    SBTlauien African Astronaut
    By "On this network, there was a password required to browse the internet" do you mean that there's a captive portal that asks you for a password before you can connect to the web?

    Yes. But even with the captive portal set, I was still able to ping other nodes on the network. When I use my Android app to create a captive portal, then connect to it with another phone of mine, and then use my app to ping the network, I don't get anything because I have DNS set up to forward all packets to a specific IP address and IPTABLES set to redirect all packets sent to that IP address to a specific port at that IP address.

    So maybe their captive portal isn't set up correctly. I've noticed other places that have captive portals will redirect all traffic just like the ones I create on my phone. This one is different though.