This post describes how to observe TCP connection establishment (the three-way handshake) and termination as individual packets, using tcpdump on Linux.
Preparing
Install the following tools on your Linux host:
- tcpdump
- nc
- telnet
- netstat
Start a TCP server with the nc command, using the -l (listen) and -k (keep listening after a client disconnects) options.
$ nc -lk 12345
Open another terminal and verify with netstat that port 12345 is listening. Note that the -p option only shows the PID and program name for processes you own; run netstat as root to see them for every socket.
$ netstat -anp | grep 12345
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN /nc
Start a TCP client with telnet to establish a TCP connection to the nc server started in step 1.
$ telnet 127.0.0.1 12345
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Open another terminal and verify with netstat that the nc process and telnet have an established connection.
$ netstat -anp | grep 12345
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN /nc
tcp 0 0 127.0.0.1: 127.0.0.1:12345 ESTABLISHED /telnet
tcp 0 0 127.0.0.1:12345 127.0.0.1: ESTABLISHED /nc
Terminate the TCP client by typing Ctrl+] (the telnet escape character shown above) and then "quit" at the telnet> prompt. The connection is then closed.
$ telnet 127.0.0.1 12345
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
$
Now we are ready to watch TCP connection establishment with tcpdump.
Verify that the TCP server started in step 1 is still listening on port 12345.
$ netstat -anp | grep 12345
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN /nc
Run tcpdump on the loopback interface (both ends of this connection are 127.0.0.1, so the packets never leave lo) with a filter for port 12345, as follows.
$ sudo tcpdump -i lo -nnn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
Start a TCP client with telnet to establish a TCP connection to the nc server started in step 1.
$ telnet 127.0.0.1 12345
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Verify the tcpdump output, which looks like this.
HH:mm:ss.SSSSSS IP 127.0.0.1. > 127.0.0.1.12345: Flags [S], seq ...
HH:mm:ss.SSSSSS IP 127.0.0.1.12345 > 127.0.0.1.: Flags [S.], seq ...
HH:mm:ss.SSSSSS IP 127.0.0.1. > 127.0.0.1.12345: Flags [.], ack ...
Each line has the following format:
timestamp IP source_ip.source_port > destination_ip.destination_port: Flags [...], ...
The first line is the SYN packet (flag "[S]") that telnet sent to the TCP server.
The second line is the SYN+ACK packet (flag "[S.]", where "." stands for ACK) that the TCP server sent back to telnet.
The third line is the ACK packet (flag "[.]") that telnet sent to the TCP server. With it the three-way handshake is complete and both sockets are ESTABLISHED.
Open another terminal and verify with netstat that the nc process and telnet have an established connection.
$ netstat -anp | grep 12345
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN /nc
tcp 0 0 127.0.0.1: 127.0.0.1:12345 ESTABLISHED /telnet
tcp 0 0 127.0.0.1:12345 127.0.0.1: ESTABLISHED /nc
Keep tcpdump running, and terminate the TCP client by typing Ctrl+] and then "quit" at the telnet> prompt. The connection is then closed.
$ telnet 127.0.0.1 12345
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
$
Verify the tcpdump output, which looks like this.
HH:mm:ss.SSSSSS IP 127.0.0.1. > 127.0.0.1.12345: Flags [F.], seq 1,
HH:mm:ss.SSSSSS IP 127.0.0.1.12345 > 127.0.0.1.: Flags [F.], seq 1,
HH:mm:ss.SSSSSS IP 127.0.0.1. > 127.0.0.1.12345: Flags [.], ack 2,
The first line is the FIN+ACK packet (flag "[F.]") that telnet sent to the TCP server after "quit": the client has no more data to send.
The second line is the FIN+ACK packet (flag "[F.]") that the TCP server sent to telnet. Its "ack 2" acknowledges the client's FIN, and its own FIN closes the server side.
The third line is the ACK packet (flag "[.]") that telnet sent to the TCP server to acknowledge the server's FIN. After it the connection is fully closed.
The seq and ack values are relative (tcpdump numbers them from the start of the connection unless -S is given), which is why they are small. On the loopback interface the server's ACK of the client's FIN and its own FIN are usually merged into one segment, as here; across a real network you will often see four packets instead, with the server's ACK arriving before its FIN.