6. TCPDump

Important

Read this section, but do not try to do this until you have completed the RIP configuration task in the next assessment.

In the following section you will be required to use a network sniffer (traffic capture) utility called tcpdump, which is a widely known program for seeing what traffic is going through a network interface.

Note

Although we say “traffic capture” occasionally, we do not prevent the packet from reaching its destination. In this way, we are capturing a copy of the packet.

Because tcpdump requires root privilege, you will need to reinstate the ability to log in as root. You can do this with the configuration command set system login user root authentication plaintext-password roots_new_password and then using commit. Now if you log out you will be able to log in as root. Root gets a slightly different shell from standard Vyatta users, which allows you to use standard system commands such as ls or tcpdump.

Typically, an Ethernet interface will pass up to the operating system only those Ethernet frames that are addressed to its own MAC address, or that are broadcast or multicast frames.

To enable traffic sniffing or packet forwarding (i.e. acting as a router), the interface needs to pick up all frames. Accepting all frames in this way is called promiscuous mode. Enabling promiscuous mode is done automatically by tcpdump and similar tools on most platforms.

All these tools understand the PCAP format, so you can use tcpdump to capture packets on a remote machine to a file (the -w option), copy that file to your local machine, and then analyse it further using tools such as Wireshark.
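As an added example that is not part of the original lab text, the following Python parses the classic PCAP file layout that tcpdump -w produces and, for each Ethernet frame, reports whether a non-promiscuous interface with the constructed address OWN_MAC would have received it anyway (addressed to it, broadcast, or multicast) or whether seeing it required promiscuous mode. The capture bytes, the MAC addresses and the parse_pcap/classify/summarize names are all constructed for this illustration, not taken from a real trace or tool.

```python
import struct

# Constructed sample capture (not a real trace): a pcap global header followed
# by four Ethernet records, built inline so the parser runs offline.
def _eth(dst, src, ethertype, payload):
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst) + mac(src) + struct.pack(">H", ethertype) + payload

def _rec(ts_sec, ts_usec, frame):
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame

OWN_MAC = bytes.fromhex("001122334455")   # the capturing host's own MAC (constructed)
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LE magic, v2.4, snaplen, LINKTYPE_ETHERNET
    + _rec(1700000000, 0,   _eth("00:11:22:33:44:55", "66:77:88:99:aa:bb", 0x0800, b"\x45" + b"\x00" * 19))  # IPv4 to us
    + _rec(1700000000, 250, _eth("ff:ff:ff:ff:ff:ff", "66:77:88:99:aa:bb", 0x0806, b"\x00" * 28))             # ARP broadcast
    + _rec(1700000001, 0,   _eth("01:00:5e:00:00:09", "66:77:88:99:aa:bb", 0x0800, b"\x45" + b"\x00" * 19))  # 224.0.0.9 (RIPv2) multicast
    + _rec(1700000001, 500, _eth("aa:bb:cc:dd:ee:ff", "66:77:88:99:aa:bb", 0x0800, b"\x45" + b"\x00" * 19))  # unicast to another host
)

def parse_pcap(data):
    """Return (linktype, [(timestamp, frame_bytes), ...]) from a classic pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:   # same magic written by a big-endian host
        end = ">"
    else:
        raise ValueError("not a classic pcap file (unknown magic)")
    _, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack_from(end + "IHHiIII", data, 0)
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):   # reject corrupt or truncated records
            raise ValueError("corrupt or truncated record at offset %d" % (off - 16))
        records.append((ts_sec + ts_usec / 1e6, data[off:off + incl_len]))
        off += incl_len
    return linktype, records

def classify(frame, own_mac):
    """Say how a non-promiscuous NIC with own_mac would have treated this frame."""
    dst = frame[0:6]
    if dst == b"\xff" * 6:
        return "broadcast"
    if dst[0] & 0x01:            # I/G bit set: group (multicast) address
        return "multicast"
    return "unicast-to-us" if dst == own_mac else "unicast-other"   # the last is only seen in promiscuous mode

def summarize(data, own_mac):
    linktype, records = parse_pcap(data)
    if linktype != 1:
        raise ValueError("expected LINKTYPE_ETHERNET")
    return [{"ts": ts, "src": frame[6:12].hex(":"), "dst": frame[0:6].hex(":"),
             "ethertype": struct.unpack(">H", frame[12:14])[0], "kind": classify(frame, own_mac)}
            for ts, frame in records]
```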