How to sniff a TCP connection in Linux

Today I had to investigate a network problem that made some networks usable only intermittently. The problem was occurring at a remote site, so I had no physical access to anything. All I had was an account on the Linux router that does NAT for the training room network. The application relies on web services, so the traffic of interest is plain TCP. There were many obstacles in this investigation: the coordinator on site does not understand the lower levels of networking, so I could not ask for much information and had to find things out by myself. As a first step, I wanted to know whether connections from the client to the web services container were succeeding or not, so I needed some kind of sniffer.

First I tried tcpdump, which worked, but the amount of output scrolling past in the SSH session was too much to read. Then I tried tcpick.

tcpick is a text-mode, libpcap-based sniffer that can track, reassemble and reorder TCP streams. It can save the captured flows to separate files or display them in the terminal, which makes it useful for sniffing files transmitted over FTP or HTTP. When a connection closes it can display the whole stream in several display modes: hexdump, hexdump plus ASCII, printable characters only, raw mode and so on. A colour mode is also available, which helps to read and understand the output. It can listen on several kinds of interface, including Ethernet cards and PPP links. It is useful for keeping track of what the users of a network are doing, and its output works with text-mode tools like grep, sed and awk.

Using tcpick is very similar to using tcpdump: it takes a pcap filter expression as its last argument. For example, to track all TCP packets to or from 192.168.1.60 on eth3:

sudo tcpick -i eth3 "host 192.168.1.60"

You have to install it first. On Ubuntu, use the command below.

sudo apt-get install tcpick
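If the problem with tcpdump is the volume of output rather than the tool itself, a narrower capture filter often answers the original question (did the client's connection reach the service?) without switching tools. The script below is an added example and not part of the original post: it restricts tcpdump to SYN, SYN/ACK and RST segments for one host, so only the handshake is captured, and then classifies each client:server pair from tcpdump's -nn output as accepted, refused, or unanswered. The interface name, addresses, ports and the sample capture lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Interface, addresses, ports and
# the sample capture below are assumptions made for illustration.

# BPF filter keeping only SYN, SYN/ACK and RST segments for one host. That is
# enough to see whether a client reached the service, and it drops every
# payload-carrying segment, which is what floods the terminal.
handshake_filter() {
    printf 'host %s and tcp[tcpflags] & (tcp-syn|tcp-rst) != 0' "$1"
}

# Run the capture on the router (needs root). -nn skips DNS and port-name
# lookups, -l line-buffers so the output can be piped, -c stops after a fixed
# number of packets so the command always terminates.
capture_handshakes() {
    iface=$1; host=$2; count=${3:-20}
    tcpdump -nn -l -i "$iface" -c "$count" "$(handshake_filter "$host")"
}

# Read tcpdump -nn lines from stdin and report one line per client > server
# pair. Field layout of a tcpdump IP line:
#   time IP src > dst: Flags [S], seq ...
# [S]  = client SYN, [S.] = server SYN/ACK (accepted), [R.]/[R] = reset (refused).
classify_handshakes() {
    awk '
    $6 == "Flags" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        flags = $7; gsub(/\[|\]|,/, "", flags)
        if (flags == "S") {
            # Keep an existing verdict: a retransmitted SYN must not reset it.
            pair = src " > " dst
            if (!(pair in state)) state[pair] = "SYN sent, no reply seen (dropped or host down)"
        } else if (flags == "S.") {
            # SYN/ACK flows server -> client, so the pair key is reversed.
            state[dst " > " src] = "SYN/ACK received: connection accepted"
        } else if (flags ~ /^R/) {
            pair = dst " > " src
            if (pair in state) state[pair] = "RST received: connection refused"
            else state[src " > " dst] = "RST sent by this side"
        }
    }
    END { for (p in state) print p ": " state[p] }
    ' | LC_ALL=C sort
}

# Constructed sample of what the filtered capture looks like: one accepted
# connection, one refused by RST, one SYN that never gets an answer.
SAMPLE_CAPTURE='12:00:01.000001 IP 192.168.1.60.51234 > 10.0.0.5.8080: Flags [S], seq 1000, win 64240, length 0
12:00:01.000300 IP 10.0.0.5.8080 > 192.168.1.60.51234: Flags [S.], seq 2000, ack 1001, win 65535, length 0
12:00:02.000001 IP 192.168.1.60.51300 > 10.0.0.5.8443: Flags [S], seq 3000, win 64240, length 0
12:00:02.000200 IP 10.0.0.5.8443 > 192.168.1.60.51300: Flags [R.], seq 0, ack 3001, win 0, length 0
12:00:03.000001 IP 192.168.1.60.51400 > 10.0.0.9.8080: Flags [S], seq 4000, win 64240, length 0'

# Offline demonstration on the constructed sample. On the router you would run
#   capture_handshakes eth3 192.168.1.60 | classify_handshakes
printf '%s\n' "$SAMPLE_CAPTURE" | classify_handshakes
```

Capture on the inside interface of the NAT router (eth3 in the post) so the client addresses are the pre-NAT ones you are looking for. A pair that ends as "SYN sent, no reply seen" means the SYN was dropped somewhere on the path or the host is down, which is a different problem from a service that answers with RST because nothing is listening on that port.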

