TCPDUMP


Page 1: TCPDUMP

TCPDUMP

Page 2: TCPDUMP

INTRODUCTION

TCPdump is a common computer network debugging tool that runs from the command line.

It is a piece of software that gives insight into the traffic activity occurring on a network.

It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network.

It is frequently used to debug applications that generate or receive network traffic.

It is also used for debugging the network setup itself, by determining whether all necessary routing is occurring properly, allowing the user to further isolate the source of a problem.

Page 3: TCPDUMP

What is TCPdump?

TCPdump is a UNIX tool.

It is used to gather data from the network, decipher the bits, and display the output in a semi-coherent fashion.

TCPdump works on most Unix-like operating systems: Linux, Solaris, BSD, Mac OS X, HP-UX and AIX, among others.

TCPdump uses the libpcap library to capture packets.

It can be used to intercept and display the communications of another user or computer.

A user with privileges on a machine acting as a router or gateway through which unencrypted traffic such as TELNET or HTTP passes can use TCPdump to view login IDs, passwords, the URLs and content of websites being viewed, or any other unencrypted information.

Page 4: TCPDUMP

TCPdump Behavior

TCPdump is run by issuing the command tcpdump, which reads all the traffic from the default network interface.

It has a filter that enables the user to specify the records they are interested in collecting.

The command tcpdump ‘tcp’ collects only TCP records; ‘tcp’ is the filter.

TCPdump has an -F filename option to indicate that the filter is located in the file filename.

TCPdump displays records on the console, translated from the native raw output format to a human-readable format.

Page 5: TCPDUMP

Continue…

For retrospective analysis, the desired format for storage is the binary mode, in which all captured data is stored, not just the data translated for output.

To collect in raw output mode, use the command tcpdump -w filename, where filename is the name of the file to which the records will be written in binary format.

To read this raw output file, another command-line option is necessary: tcpdump -r filename.

This option reads input to TCPdump from filename rather than from the default network interface.

A file that has been written using the -w option can be read only by using TCPdump with the -r option.

Page 6: TCPDUMP

ALTERING THE AMOUNT OF DATA COLLECTED

TCPdump does not collect the entire datagram sent, due to volume concerns and because the user's interest is usually in the header portions of the datagram, which are collected with the default length. The snapshot length, sometimes known as snaplen, determines the exact number of bytes collected. The most common length of collected data is 68 bytes.
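As an added example that is not part of the slides, the following Python code writes and reads the libpcap binary record format that tcpdump -w produces and -r consumes, applying the snaplen truncation described above; the frame bytes, timestamps and temporary file path are constructed for the demonstration.

```python
import os
import struct
import tempfile

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1

def write_pcap(path, packets, snaplen=68):
    """Write (ts_sec, ts_usec, frame) tuples in the binary format tcpdump -w uses.

    Each record keeps the captured length (capped at snaplen) beside the
    original length on the wire: this is exactly what the snaplen truncates.
    """
    with open(path, "wb") as fh:
        # Global header: magic, version 2.4, timezone offset, sigfigs, snaplen, link type
        fh.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for ts_sec, ts_usec, frame in packets:
            captured = frame[:snaplen]
            fh.write(struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame)))
            fh.write(captured)

def read_pcap(path):
    """Read a -w file back, as tcpdump -r does; returns (snaplen, records)."""
    with open(path, "rb") as fh:
        magic, _, _, _, _, snaplen, _ = struct.unpack("<IHHiIII", fh.read(24))
        if magic != PCAP_MAGIC:
            raise ValueError("not a little-endian pcap file")
        records = []
        while True:
            hdr = fh.read(16)
            if len(hdr) < 16:
                break
            ts_sec, ts_usec, caplen, origlen = struct.unpack("<IIII", hdr)
            # caplen is what was stored, origlen what was actually on the wire
            records.append((ts_sec + ts_usec / 1e6, caplen, origlen, fh.read(caplen)))
    return snaplen, records

def capture_roundtrip(snaplen=68):
    """Write one constructed 154-byte frame with the given snaplen and read it back."""
    # Constructed frame: 14-byte Ethernet + 20-byte IP + 20-byte TCP headers, 100-byte payload
    frame = bytes(14) + bytes([0x45]) + bytes(19) + bytes(20) + b"A" * 100
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "capture.pcap")
        write_pcap(path, [(1000, 910000, frame)], snaplen)
        return read_pcap(path)
```

With the 68-byte snaplen only the headers survive in the file, while the record still reports the 154 bytes that were on the wire.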

Page 7: TCPDUMP

TCPDUMP OUTPUT

One of the hardest tasks for the novice analyst to master is deciphering TCPdump output.

TCPdump output is fairly standard for the different protocols (TCP, UDP, ICMP, for example), but does have some nuances. The first step is to identify the protocols that you are examining. TCP output will be used to explain the general TCPdump format. Here is a TCP record displayed by TCPdump:

Page 8: TCPDUMP

Continue…

09:32:43:910000 nmap.edu.1173 > dns.net.21: S 62697789:62697789(0) win 512

09:32:43:910000 - Time stamp in the format of two digits for hours, two digits for minutes, two digits for seconds, and six digits for fractional parts of a second.

nmap.edu - Source host name.

1173 - Source port number or port service.

> - Marker to indicate a directional flow going from source to destination.

dns.net - Destination host name.

21 - Destination port number.

S - TCP flag. S represents the SYN flag.

62697789:62697789(0) - Beginning TCP sequence number:ending TCP sequence number (data bytes).

win 512 - Receiving buffer size (in bytes).

Page 9: TCPDUMP

TCPdump Flags

TCP Flag (Flag Rep): Flag Meaning

SYN (S): This is a session establishment request, which is the first part of any TCP connection.

ACK (ack): This flag is used generally to acknowledge the receipt of data from the sender. It might be seen in conjunction with, or “piggybacked” on, other flags.

FIN (F): This flag indicates the sender’s intention to gracefully terminate the sending host’s connection to the receiving host.

RESET (R): This flag indicates the sender’s intention to immediately abort the existing connection with the receiving host.

PUSH (P): This flag immediately “pushes” data from the sending host to the receiving host’s application software. There is no waiting for the buffer to fill up. In this case, responsiveness, not bandwidth efficiency, is the focus. For many interactive applications such as telnet, the primary concern is the quickest response time, which the PUSH flag attempts to signal.

URGENT (urg): This flag indicates that there is “urgent” data that should take precedence over other data. An example of this is pressing Ctrl+C to abort an FTP download.

Placeholder (.): If the connection does not have a SYN, FIN, RESET, or PUSH flag set, a placeholder (a period) will be found after the destination port.

Page 10: TCPDUMP

Absolute and Relative Sequence Numbers

TCP sequence numbers need to be addressed in a little more detail.

Sequence numbers are associated only with TCP output, as just discussed.

TCP sequence numbers are used by the destination host to reassemble the TCP traffic that arrives.
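As an added example (not from the slides) covering the record layout of page 8, the flag letters of page 9 and the sequence numbers of page 10: a parser for this record format plus a function that rewrites the absolute sequence and acknowledgement numbers relative to each direction's ISN, which is what tcpdump displays by default after the SYN; the handshake lines are constructed, and only the first one is the record from the slides.

```python
import re

# Old-style tcpdump TCP record, as broken down on page 8:
# timestamp src.port > dst.port: flags [seq:end(len)] [ack N] [win N] [urg N]
RECORD = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}[.:]\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\w+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\w+):\s+"
    r"(?P<flags>[SFRP]+|\.)"
    r"(?:\s+(?P<seq>\d+):\s*(?P<end>\d+)\s*\((?P<len>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?(?:\s+win\s+(?P<win>\d+))?(?:\s+urg\s+(?P<urg>\d+))?"
)
# Flag letters and the meanings given in the page 9 table
FLAG_MEANING = {"S": "SYN", "F": "FIN", "R": "RESET", "P": "PUSH", ".": "placeholder"}

def parse_record(line):
    """Split one TCP record into its fields; returns None for non-TCP lines."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("seq", "end", "len", "ack", "win", "urg"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    rec["flag_names"] = [FLAG_MEANING[c] for c in rec["flags"]]
    return rec

def relative_sequence(records):
    """Rewrite absolute sequence/ack numbers relative to each direction's ISN,
    which is what tcpdump does by default (the SYN itself keeps its absolute ISN)."""
    isn, out = {}, []
    for rec in records:
        fwd = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        rev = (rec["dst"], rec["dport"], rec["src"], rec["sport"])
        rel = dict(rec)
        if "S" in rec["flags"] and rec["seq"] is not None:
            isn[fwd] = rec["seq"]              # SYN: remember this direction's ISN
        elif rec["seq"] is not None and fwd in isn:
            rel["seq"], rel["end"] = rec["seq"] - isn[fwd], rec["end"] - isn[fwd]
        if rec["ack"] is not None and rev in isn:
            rel["ack"] = rec["ack"] - isn[rev]
        out.append(rel)
    return out

# Constructed handshake plus one data segment, in the notation of the page 8 record
SAMPLE = """\
09:32:43:910000 nmap.edu.1173 > dns.net.21: S 62697789:62697789(0) win 512
09:32:43:912000 dns.net.21 > nmap.edu.1173: S 1900000000:1900000000(0) ack 62697790 win 8760
09:32:43:914000 nmap.edu.1173 > dns.net.21: . ack 1900000001 win 512
09:32:44:100000 dns.net.21 > nmap.edu.1173: P 1900000001:1900000021(20) ack 62697790 win 8760
"""
```

Running relative_sequence over the parsed SAMPLE turns the last line into the familiar P 1:21(20) ack 1 form.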

Page 11: TCPDUMP

Dumping in Hexadecimal

TCPdump does not display all the fields of the captured data.

For example, the IP header has a field that stores the length of the IP header.

How do you display this field if it is not available from the standard TCPdump output?

There is a TCPdump command-line option (-x) that dumps the entire datagram captured with the default snaplen in hexadecimal. Hexadecimal output is far more difficult to read and interpret, but it is necessary to display the entire captured datagram.
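As an added example that is not part of the slides, the following Python code reads a -x style hex dump and decodes the IP header length field that the standard output hides, along with the TCP fields of the page 8 record; the hex dump is constructed for this example, with a valid IP header checksum computed for it.

```python
import re
import struct

# Constructed "tcpdump -x" output for one IPv4/TCP SYN datagram (not from the page);
# the headers use the page 8 record's values: port 1173 -> 21, seq 62697789, win 512.
HEXDUMP = """\
0x0000:  4500 0028 0001 0000 4006 f760 c0a8 010a
0x0010:  c0a8 0114 0495 0015 03bc b13d 0000 0000
0x0020:  5002 0200 10d1 0000
"""

def hexdump_to_bytes(text):
    """Join the hex digits of a -x dump, ignoring an optional 0xNNNN: offset column."""
    digits = []
    for line in text.splitlines():
        line = re.sub(r"^\s*0x[0-9a-fA-F]+:", "", line)
        digits.append(re.sub(r"[^0-9a-fA-F]", "", line))
    return bytes.fromhex("".join(digits))

def ip_checksum(header):
    """One's-complement sum over the IP header; returns 0 when the checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_datagram(data):
    """Pull out the fields the default tcpdump output hides, starting with the IHL."""
    ihl_bytes = (data[0] & 0x0F) * 4            # header length field is in 32-bit words
    fields = {
        "version": data[0] >> 4, "ip_header_len": ihl_bytes,
        "total_len": struct.unpack("!H", data[2:4])[0], "ttl": data[8], "protocol": data[9],
        "src": ".".join(str(b) for b in data[12:16]), "dst": ".".join(str(b) for b in data[16:20]),
        "ip_checksum_ok": ip_checksum(data[:ihl_bytes]) == 0,
    }
    if data[9] == 6:                             # TCP: the fields the page 8 record shows
        t = data[ihl_bytes:]
        sport, dport, seq = struct.unpack("!HHI", t[:8])
        flag_bits = t[13]
        flags = "".join(ch for bit, ch in ((0x02, "S"), (0x01, "F"), (0x04, "R"), (0x08, "P")) if flag_bits & bit)
        fields.update(sport=sport, dport=dport, seq=seq, tcp_header_len=(t[12] >> 4) * 4,
                      flags=flags or ".", ack=bool(flag_bits & 0x10),
                      win=struct.unpack("!H", t[14:16])[0])
    return fields
```

decode_datagram(hexdump_to_bytes(HEXDUMP)) reports an IP header length of 20 bytes for this datagram, a value the one-line TCPdump output never shows.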

Page 12: TCPDUMP

SUMMARY

TCPdump makes it possible to make intelligent assessments about traffic activity.

TCP is the protocol for applications that require reliable delivery.

TCP exchanges follow a prescribed architecture of session establishment, possible data transfer, and session termination.

TCP has been robustly mutated for malicious uses.

It is important for an intrusion analyst to have a good understanding of TCP, and TCPdump is an excellent instructional tool.