1 / 12

TCPDUMP

TCPDUMP. INTRODUCTION. TCPdump ~ a common computer network debugging tool runs under command line. A piece of software that gives insight into the traffic activity occurs on network. Allows user to intercept and display TCP/IP and other packets being transmitted or received over a network.

sierra-mcclain
Télécharger la présentation

TCPDUMP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. TCPDUMP

  2. INTRODUCTION • TCPdump ~ a common computer network debugging tool runs under command line. • A piece of software that gives insight into the traffic activity occurs on network. • Allows user to intercept and display TCP/IP and other packets being transmitted or received over a network. • Frequently used to debug applications that generate or receive network traffic. • Also used for debugging the network setup itself, by determining whether all necessary routing is occurring properly, allowing the user to further isolate the source of a problem.

  3. What is TCPdump? • TCPdump is a UNIX tool. • Used to gather data from network, decipher the bits, and display the output in a semi coherent fashion. • TCPdump works on most Unix-like operating systems: Linux, Solaris, BSD, Mac OS X, HP-UX and AIX among others. • TCPdump uses the libpcap library to capture packets. • Can be used to intercepting and displaying the communications of another user or computer. • A user with privileges acting as a router or gateway through which unencrypted traffic such as TELNET or HTTP passes can use TCPdump to view login IDs, passwords, the URLs and content of websites being viewed, or any other unencrypted information.

  4. TCPdump Behavior • TCPdump is run by issuing the command tcpdumpto read all the traffic from the default network interface. • Has a filter that enables user to specify the records they interested in collecting. • tcpdump ‘tcp’command uses to collect only TCP records and ‘tcp’ is the filter. • TCPdump has an –F filenameoption to indicate that the filter is located in the file filename. • TCPdump displays records on the console, translated from native raw output format to a human-readable format.

  5. Continue… • For retrospective analysis, the desired format for storage is the binary mode, in which all captured data is stored, not just the data translated for output. • To collect in raw output mode; use the command tcpdump –w filename, and the filename is the name of the file to which the records will be written in binary format. • To read this raw output file , another command line option is necessary: tcpdump –r filename. • This option reads input to TCPdump from filenamerather than from the default network interface. • The user can read a file that has been written using the –w option only by using TCPdump with the –r option.

  6. ALTERING THE AMOUNT OF DATA COLLECTED • TCPdump does not collect the entire datagram sent due to volume concerns and user’s interest in the header portions of the datagram that usually collected with default length. • The snapshot length, sometimes known as snaplen, determines the exact number of bytes collected. • Most common lengths of collected data is 68 bytes.

  7. TCPDUMP OUTPUT • One of the hardest tasks for the novice analyst to master is decrypting TCPdumb output. • TCPdumb output is fairly standard for the different protocols (TCP,UDP,ICMP, for example), but does have some nuances. • The first step is to identify protocols that you are examining • TCP output will be used to explain the general TCPdump format. Here is a TCP record displayed by TCPdump:

  8. Continue… 09:32:43:910000 nmap.edu.1173 > dns.net.21: S 62697789: 62697789 (0) win 512 • 09:32:43:9147882 Time stamp in the format of two digits for hours, two digits for minutes, two digits for seconds, and six digits for fractional parts of a second. • nmap.edu Source host name. • 1173 Source port number or port service. • > Marker to indicate a directional flow going from source to destination. • dns.net Destination host name. • 21 destination port number. • S TCP flag. S represents the SYN flag. • 62697789:62697789(0)Beginning TCP sequence number.ending TCP sequence number (data bytes) • win 512 Receiving buffer size (in bytes).

  9. TCPdump Flags

  10. Absolute and Relative Sequence Numbers • TCP sequence numbers need to be addressed in a little more detail. • Sequence numbers are associated only with TCP output, as just discussed. • TCP sequence numbers are used by the destination host to reassemble TCP traffic that arrives.

  11. Dumping in Hexadecimal • TCPdump does not display all the fields of the captured data. For example, the IP header has a field that stores the length of the IP header. • How do you display this field if it is not available from the standard TCPdump output? • There is a TCPdump command-line option (-x) that dumps the entire datagram captured with the default snaplen in hexadecimal. Hexadecimal output is far more difficult to read and interpret, but it is necessary to display the entire captured datagram.

  12. SUMMARY • TCPdump can make intelligent assessments about traffic activity. • TCP is the protocol for applications that require reliable delivery. • TCP exchanges follow a prescribed architecture of session establishment, possible data transfer, and session termination. • TCP has been robustly mutated for malicious uses. • It is important for an intrusion analyst to have a good understanding of TCP, and TCPdump is an excellent instructional tool.

More Related