TCPDump Lab

We picked up a DEC Alpha Multia cheap at auction a couple of years ago. We will use this Multia to dump the network traffic that NT creates on boot, using tcpdump. The first problem we had was that our Multia is not Y2K compliant: many of our files ended up with dates in 2019, and our package manager, among other things, broke. So, before we start sniffing, we have to hack on our filesystem. We used:
find . -depth -print -exec touch 0615060500 {} \;
to reset every file under the current directory to one fixed date. The argument is the old-style touch MMDDhhmmYY form (here 15 June 2000, 06:05), and the semicolon that terminates -exec has to be escaped, otherwise the shell eats it before find ever sees it. Be aware that this throws away the real modification times of every file it touches; that is fine on a lab sniffer, but not something to run on a box whose timestamps you may later need as evidence. Seems to work fine now. After we fixed up our poor Y2K-challenged alph, we were able to install tcpdump:
rpm -i tcpdump-3.4-10.alpha.rpm
Many Linux distributions use rpm for package management. Check the documentation for your particular distribution. We don't know of a Linux distribution that doesn't include tcpdump, so finding it shouldn't be a problem. For the source, and other information, see the TCPDUMP public repository.
Our NT box is actually a VMware session running under Linux. It is NT 4.0 SP6a with IE5. We set the default gateway of the NT box to the address of alph (10.50.100.9), so anything it sends off the local subnet has to pass through alph, where we can see it. As an aside, it is a good idea *at a minimum* to monitor the traffic that goes over your ppp connection, or whatever you use to access the internet. All you need to do is run ifconfig to find out the exact name of the interface you are using. In our case, our interface is ppp0:
tcpdump -i ppp0
OK, back to alph. Let's kick off a dump on the interface that holds 10.50.100.9 (eth0). We will limit the dump to packets whose source address is our NT box (10.50.100.88). Two things to know about the options: the host primitive also matches ARP packets sent by that address, which is why ARP shows up in the dump, and -q keeps the output terse, so UDP packets are printed with just a payload length rather than being decoded. We did not use -n, so tcpdump resolves addresses to names where it can; on a dedicated sniffer you usually want -n so the capture box does not generate DNS lookups of its own:
/usr/sbin/tcpdump -q src host 10.50.100.88
Now we'll boot the NT session in VMware and log on. Here is the dump:
04:01:57.196290 arp who-has 10.50.100.88 tell 10.50.100.88
04:01:58.176758 arp who-has 10.50.100.88 tell 10.50.100.88
04:01:59.181641 arp who-has 10.50.100.88 tell 10.50.100.88
04:02:01.309571 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:02.041993 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:02.807618 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:03.574219 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:04.400391 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:05.149415 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:05.903321 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:06.652344 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:07.450196 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:08.203125 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:08.447266 10.50.100.88.netbios-dgm > 10.50.100.255.netbios-dgm: udp 201
04:02:08.954102 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:09.703125 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:10.493165 10.50.100.88.netbios-dgm > 10.50.100.255.netbios-dgm: udp 201
04:02:10.537110 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:10.656250 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:10.716797 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:11.293946 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:11.413086 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:11.473633 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:12.042969 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:12.163086 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:12.223633 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:12.923829 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:12.983399 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:13.916993 10.50.100.88.netbios-dgm > 10.50.100.255.netbios-dgm: udp 174
04:02:13.985352 10.50.100.88.netbios-dgm > 10.50.100.255.netbios-dgm: udp 201
04:02:15.455079 10.50.100.88.netbios-dgm > 10.50.100.255.netbios-dgm: udp 174
04:02:15.638672 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:15.656250 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:15.663086 10.50.100.88.netbios-dgm > 10.50.100.255.netbios-dgm: udp 220
04:02:16.384766 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:16.404297 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:16.975586 10.50.100.88.netbios-dgm > 10.50.100.255.netbios-dgm: udp 174
04:02:17.134766 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:17.163086 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:18.466797 10.50.100.88.netbios-dgm > 10.50.100.255.netbios-dgm: udp 174
04:02:19.966797 10.50.100.88.netbios-dgm > 10.50.100.255.netbios-dgm: udp 186
04:02:20.701172 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:20.712891 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:20.713868 10.50.100.88.netbios-dgm > 10.50.100.255.netbios-dgm: udp 220
04:02:20.964844 10.50.100.88.netbios-dgm > 10.50.100.255.netbios-dgm: udp 186
04:02:21.455079 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:21.464844 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:21.964844 10.50.100.88.netbios-dgm > 10.50.100.255.netbios-dgm: udp 186
04:02:22.205079 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:22.214844 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:22.957032 10.50.100.88.netbios-dgm > 10.50.100.255.netbios-dgm: udp 186
04:02:23.970704 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:24.715821 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:25.464844 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:26.215821 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:26.969727 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:27.735352 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:28.486329 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:29.236329 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:29.988282 10.50.100.88.netbios-dgm > 10.50.100.255.netbios-dgm: udp 174
04:02:29.989258 10.50.100.88.netbios-dgm > 10.50.100.255.netbios-dgm: udp 174
04:02:30.041993 10.50.100.88.netbios-dgm > 10.50.100.255.netbios-dgm: udp 204
04:02:30.068360 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:30.815430 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:31.566407 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:35.079102 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:35.082032 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:35.083985 10.50.100.88.netbios-dgm > 10.50.100.255.netbios-dgm: udp 220
04:02:35.835938 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:35.846680 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:36.611329 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:36.621094 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:40.166993 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:40.190430 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:40.197266 10.50.100.88.netbios-dgm > 10.50.100.255.netbios-dgm: udp 220
04:02:40.916993 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:40.942383 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:41.656250 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:41.685547 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:42.185547 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:42.967774 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:43.752930 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:44.530274 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:44.601563 arp who-has alph.groceryshoppin.com tell 10.50.100.88
04:02:44.606446 10.50.100.88 > 199.181.164.1: icmp: echo request
04:02:45.366211 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:45.405274 10.50.100.88 > 199.181.164.1: icmp: echo request
04:02:46.111329 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:46.418946 10.50.100.88 > 199.181.164.1: icmp: echo request
04:02:46.872071 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:47.426758 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:48.178711 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:48.928711 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:49.703125 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:50.404297 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:50.411133 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:50.461915 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:50.490235 10.50.100.88.netbios-dgm > 10.50.100.255.netbios-dgm: udp 220
04:02:50.786133 10.50.100.88.netbios-dgm > 10.50.100.255.netbios-dgm: udp 201
04:02:50.801758 10.50.100.88.netbios-dgm > 10.50.100.255.netbios-dgm: udp 201
04:02:51.148438 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:51.158204 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:51.208985 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:51.898438 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:51.909180 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:51.999024 10.50.100.88 > 207.46.209.218: icmp: echo request
04:02:52.920899 10.50.100.88 > 207.46.209.218: icmp: echo request
04:02:53.936524 10.50.100.88 > 207.46.209.218: icmp: echo request
04:02:55.582032 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:55.602540 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:55.605469 10.50.100.88.netbios-dgm > 10.50.100.255.netbios-dgm: udp 220
04:02:56.319336 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:56.338868 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:57.080079 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:57.099610 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:03:30.509766 10.50.100.88.netbios-dgm > 10.50.100.255.netbios-dgm: udp 204

Didjya know just how much NetBIOS stuff goes on? All the ...255 stuff goes to 10.50.100.255, the broadcast address of the 10.50.100.0/24 network, so every host on that segment receives it. This is why alph picks it up. The pieces are easy to tell apart even in -q output. The three ARP packets at the start, in which 10.50.100.88 asks for 10.50.100.88, are gratuitous ARPs: NT probes for its own address on boot to detect a duplicate IP. The netbios-ns packets with a 68-byte payload are NetBIOS name registration requests (NT announcing its names to the segment, which is what you would expect a freshly booted box to do), the 50-byte ones are name queries, and the netbios-dgm packets are datagram service broadcasts, typically Browser announcements. Just before the first ping, NT ARPs for alph, its default gateway, which confirms that what follows is being routed off the subnet through alph. There are three ICMP echo requests to our configured DNS server (199.181.164.1). Additionally, there are three echo requests to 207.46.209.218, which we resolved to www.msn.com. This is the most intriguing of all. We imagine this must be some feature or other to determine internet connectivity, but pinging this merely because you log on seems a little curious. We did verify that our home page for IE was not set to msn.com. Hmmmm... This is also the point of the exercise: a dump like this is a baseline of what the box does on its own, and anything in it you did not ask for and cannot explain is worth chasing.
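A dump of this length is tedious to read by eye, and a real boot on a busier segment is longer. As an added example (our own code, not part of the original lab), here is a small POSIX shell and awk script that reduces tcpdump -q output of the shape shown above to a count per traffic class, using the 68-byte/50-byte NBNS distinction and the gratuitous-ARP check described above, and lists the off-subnet destinations the box talked to. The embedded sample is a constructed seven-line subset of the dump; the local prefix 10.50.100. and the class names are our own choices.

```shell
#!/bin/sh
# Added example: summarise "tcpdump -q" text output by traffic class.
# Editor-supplied code, not part of the original lab page.

# Constructed sample: seven lines in the same shape as the dump above.
SAMPLE_DUMP='04:01:57.196290 arp who-has 10.50.100.88 tell 10.50.100.88
04:02:01.309571 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 68
04:02:08.447266 10.50.100.88.netbios-dgm > 10.50.100.255.netbios-dgm: udp 201
04:02:10.537110 10.50.100.88.netbios-ns > 10.50.100.255.netbios-ns: udp 50
04:02:44.601563 arp who-has alph.groceryshoppin.com tell 10.50.100.88
04:02:44.606446 10.50.100.88 > 199.181.164.1: icmp: echo request
04:02:51.999024 10.50.100.88 > 207.46.209.218: icmp: echo request'

# classify_dump LOCALNET
#   Reads tcpdump -q lines on stdin. LOCALNET is the local /24 prefix with a
#   trailing dot (e.g. 10.50.100.). Prints "<class> <count>" lines, sorted.
classify_dump() {
    awk -v net="$1" '
    {
        sub(/^[0-9:.]+ /, "")                 # drop the timestamp, re-split fields
        if ($1 == "arp") {
            # "arp who-has X tell Y": X == Y is a gratuitous ARP (duplicate-IP probe)
            if ($3 == $5) cls = "arp-gratuitous"; else cls = "arp-query"
        } else if ($0 ~ /: udp [0-9]+$/) {
            # "src.port > dst.port: udp LEN"; the port (name or number) is the last dotted part
            dst = $3; sub(/:$/, "", dst)
            n = split(dst, d, "."); dport = d[n]; len = $NF + 0
            if (dport == "netbios-ns") {
                # NBNS payload sizes: 50 = name query, 68 = name registration request
                if (len == 68) cls = "nbns-registration"
                else if (len == 50) cls = "nbns-query"
                else cls = "nbns-other"
            } else if (dport == "netbios-dgm") {
                if (d[n-1] == "255") cls = "nbdgm-broadcast"; else cls = "nbdgm-unicast"
            } else {
                cls = "udp-" dport
            }
        } else if ($0 ~ /icmp: echo request/) {
            # An echo request to an address outside LOCALNET leaves via the default gateway
            dst = $3; sub(/:$/, "", dst)
            if (index(dst, net) == 1) cls = "icmp-echo-local"; else cls = "icmp-echo-offnet"
        } else {
            cls = "other"
        }
        count[cls]++
    }
    END { for (c in count) print c, count[c] }' | sort
}

# offnet_destinations LOCALNET
#   Distinct destination IPv4 addresses outside LOCALNET, one per line, sorted.
#   Assumes tcpdump was run with -n (or at least that IP lines carry addresses, not names).
offnet_destinations() {
    awk -v net="$1" '
    $3 == ">" {                               # "TIME src > dst..." : an IP line, not ARP
        dst = $4; sub(/:$/, "", dst)
        n = split(dst, d, ".")
        if (n == 5) ip = d[1] "." d[2] "." d[3] "." d[4]; else ip = dst   # strip a port suffix
        if (index(ip, net) != 1 && !seen[ip]++) print ip
    }' | sort
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_DUMP" | classify_dump 10.50.100.
printf '%s\n' "$SAMPLE_DUMP" | offnet_destinations 10.50.100.
```

In use you would feed it a saved capture, for example tcpdump -n -q src host 10.50.100.88 > nt-boot.txt and then classify_dump 10.50.100. < nt-boot.txt. The -n matters for offnet_destinations, which expects dotted addresses; without it tcpdump substitutes names where reverse DNS succeeds, as it did for alph in the ARP line above.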