Read this section, but do not try to do this until you have completed the RIP configuration task in the next assessment.
In the following section you will be required to use a network sniffer (traffic capture) utility called tcpdump, which is a widely known program for seeing what traffic is going through a network interface.
Although we say “traffic capture” occasionally, we do not prevent the packet from reaching its destination. In this way, we are capturing a copy of the packet.
Because tcpdump requires root privilege, you will need to reinstate the ability to login as root. You can do this with the configuration command

set system login user root authentication plaintext-password roots_new_password

and then using commit. Now if you logout you will be able to login as root. Root gets a slightly different shell from standard Vyatta users which allows you to use standard system commands, such as ls or tcpdump.
tcpdump is a very well known network sniffer in the Unix world. It is a command-line tool that takes a Packet CAPture (PCAP) expression and watches all the packets coming into, or going out of, an interface on the machine. For those packets that match the expression, a brief description of the packet header is printed.
Have a look at the manual page for tcpdump(8), where you will find a rich number of examples near the bottom.
RIP traffic uses the “router” port (UDP port 520), and if you tell tcpdump to output in verbose mode (-v), it will decode the RIP advertisements. You will want to grab (“snarf”) all of each packet (-s0), otherwise you will only get a small part of the body of the packet, and not all of the advertisement will be printed.

# tcpdump -i ethXXX -v -s0 udp and port 520
Note that you will require root privilege for this to work, though different systems have different ways of granting this privilege to other users.
Typically, an Ethernet interface will only pass up to the operating system those ethernet frames that are either addressed to its own MAC address, or are a broadcast or multicast frame.
To enable functionality for traffic sniffing or packet forwarding (i.e. acting as a router) the interface needs to pick up all frames. Accepting all frames in this way is called promiscuous mode. Enabling promiscuous mode is done automatically by tcpdump and similar tools on most platforms.
All these tools can commonly understand the PCAP format, so you can use tcpdump to capture packets from a remote machine to a file (the -w option), copy it to your local machine, and then analyse it further using tools such as Wireshark.
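The following is an added example, not part of the lab text and not Vyatta's or tcpdump's own code. It builds a constructed RIPv2 response frame (routes 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24 with metrics 1, 2, 3) plus one unrelated UDP frame, writes them into a classic pcap structure the way tcpdump -w does, reads them back, applies the equivalent of the filter "udp and port 520", and decodes the advertisement the way tcpdump -v prints it. It is run once with the historical short snaplen of 68 bytes and once with a full snaplen, to show concretely why -s0 matters: with a short snaplen only the first route entry survives and the advertisement is reported as truncated. The MAC and IP addresses, timestamps and route list are all made up for the example.

```python
"""Added example: toy pcap writer/reader mimicking 'tcpdump -s <snaplen> -w file'
and 'tcpdump -r file -v udp and port 520' on constructed RIPv2 frames."""
import struct
import ipaddress

RIP_PORT = 520
ETH_HDR, IP_HDR, UDP_HDR, RIP_HDR, RIP_ENTRY = 14, 20, 8, 4, 20


def build_rip_response(routes):
    """RIPv2 response: 4-byte header (command=2 response, version=2) followed by one
    20-byte entry per route. 'routes' is a constructed list of (prefix, metric)."""
    pdu = struct.pack("!BBH", 2, 2, 0)
    for prefix, metric in routes:
        net = ipaddress.ip_network(prefix)
        pdu += struct.pack("!HH4s4s4sI", 2, 0,             # AF_INET, route tag 0
                           net.network_address.packed, net.netmask.packed,
                           b"\x00" * 4, metric)            # next hop 0.0.0.0 = sender
    return pdu


def frame_udp(payload, sport, dport, src="192.0.2.1", dst="224.0.0.9"):
    """Wrap a payload in UDP/IPv4/Ethernet (checksums left at 0; fine for a toy).
    Addresses are constructed: 224.0.0.9 is the RIPv2 multicast group."""
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(udp), 0, 0, 1, 17, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    eth = bytes.fromhex("01005e000009") + bytes.fromhex("001122334455") + b"\x08\x00"
    return eth + ip + udp


def write_pcap(frames, snaplen):
    """Classic little-endian pcap (what tcpdump -w writes). Each record keeps only
    the first 'snaplen' bytes but records the original length, like -s <snaplen>."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        kept = frame[:snaplen]
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(kept), len(frame)) + kept
    return out


def read_pcap(data):
    """Yield (captured_bytes, original_length) for each record in the file."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    pos = 24
    while pos + 16 <= len(data):
        _, _, incl, orig = struct.unpack("<IIII", data[pos:pos + 16])
        pos += 16
        yield data[pos:pos + incl], orig
        pos += incl


def decode_rip(frame):
    """Equivalent of the filter 'udp and port 520' plus the -v RIP decode.
    Returns None for non-matching frames, else a dict describing the advertisement."""
    if len(frame) < ETH_HDR + IP_HDR + UDP_HDR or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[ETH_HDR] & 0x0F) * 4
    if frame[ETH_HDR + 9] != 17:                           # IP protocol 17 = UDP
        return None
    udp = ETH_HDR + ihl
    sport, dport, udp_len = struct.unpack("!HHH", frame[udp:udp + 6])
    if RIP_PORT not in (sport, dport):
        return None
    rip = frame[udp + UDP_HDR:]
    entries = []
    body = rip[RIP_HDR:]
    while len(body) >= RIP_ENTRY:                          # only whole entries decode
        _, _, addr, mask, _, metric = struct.unpack("!HH4s4s4sI", body[:RIP_ENTRY])
        net = ipaddress.ip_network(f"{ipaddress.ip_address(addr)}/{ipaddress.ip_address(mask)}")
        entries.append((str(net), metric))
        body = body[RIP_ENTRY:]
    # The UDP length field tells us how many entries were sent, even if we kept fewer bytes.
    advertised = (udp_len - UDP_HDR - RIP_HDR) // RIP_ENTRY
    return {"command": rip[0], "version": rip[1], "entries": entries,
            "advertised": advertised, "truncated": len(entries) < advertised}


def capture_and_decode(snaplen):
    """Simulate capturing two constructed frames with -s <snaplen> -w, then reading
    the file back with the RIP filter. Returns the decoded advertisements."""
    routes = [("10.0.1.0/24", 1), ("10.0.2.0/24", 2), ("10.0.3.0/24", 3)]
    frames = [
        frame_udp(b"not rip at all", 40000, 53, dst="192.0.2.53"),  # must be filtered out
        frame_udp(build_rip_response(routes), RIP_PORT, RIP_PORT),
    ]
    pcap = write_pcap(frames, snaplen)
    return [d for kept, _ in read_pcap(pcap) if (d := decode_rip(kept)) is not None]


if __name__ == "__main__":
    for snap in (68, 262144):
        for adv in capture_and_decode(snap):
            print(f"snaplen={snap}: decoded {len(adv['entries'])} of {adv['advertised']} "
                  f"entries, truncated={adv['truncated']}")
```

With the 68-byte snaplen the record holds 14 + 20 + 8 bytes of headers, 4 bytes of RIP header and only 22 bytes of entries, so exactly one route decodes and the remaining two are lost; the full snaplen yields all three. This is the same situation tcpdump flags with "[|rip]" when a capture was taken without -s0.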