Today we have the fourth part of the "Network packet analysis" series, and we move on to tcpdump. Tcpdump is the basic network analysis tool used by information security specialists.
• Tcpdump captures packets of network traffic on a given network interface (opening the interface requires root or the CAP_NET_RAW capability)
• Command line arguments select specific destinations, sources, protocols, etc.
• It can also read the filter expression from a file (-F <file>). Filters are used to restrict the capture to packets of interest
• Output from tcpdump is called a dump
Example dump
tcpdump was run on the machine xanadu.ieu.edu.tr. The first few lines of the output:
01:46:28.808262 IP xanadu.ieu.edu.tr.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
01:46:28.808271 IP xanadu.ieu.edu.tr.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816
01:46:28.808276 IP xanadu.ieu.edu.tr.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816
01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > xanadu.ieu.edu.tr.ssh: P 1:49(48) ack 1380 win 16560
Closer look at a tcpdump line:
01:46:28.808262 IP xanadu.ieu.edu.tr.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
- 01:46:28.808262: timestamp (local time, microsecond resolution)
- IP: network-layer protocol (IPv4)
- xanadu.ieu.edu.tr.ssh: source host and source port; the port is shown by name (ssh = 22) because -n was not used
- adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: destination host and destination port
- .: TCP flags; "." means none of S (SYN), P (PUSH), F (FIN), R (RST) is set, i.e. a plain data/ACK segment; "P" on the following lines means PUSH
- 2513546054:2513547434(1380): sequence number of the first byte and of the byte after the last byte of this segment, and the payload length (1380 bytes)
- ack 1268355216: acknowledgement number
- win 12816: advertised receive window
Only the first segment tcpdump sees for a connection carries absolute sequence and acknowledgement numbers; later lines (1380:2128(748) ack 1) show numbers relative to those, unless -S is given. Newer tcpdump versions print the same fields as "Flags [P.], seq 1380:2128, ack 1, win 12816, length 748".
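To show how the fields of a dump line map to the protocol, here is an added example (not part of the original post) that parses old-style tcpdump TCP lines with awk and totals the payload bytes sent by each host. The sample input is the four lines of the example dump above; the function names parse_dump and payload_bytes_from are my own.

```shell
#!/bin/sh
# Added example, not from the original post: parse old-style tcpdump TCP
# lines and total the payload bytes per sender. SAMPLE_DUMP holds the
# four lines of the post's example dump.

SAMPLE_DUMP='01:46:28.808262 IP xanadu.ieu.edu.tr.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
01:46:28.808271 IP xanadu.ieu.edu.tr.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816
01:46:28.808276 IP xanadu.ieu.edu.tr.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816
01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > xanadu.ieu.edu.tr.ssh: P 1:49(48) ack 1380 win 16560'

# parse_dump: read tcpdump TCP lines on stdin, write one record per line:
#   timestamp src_host src_port dst_host dst_port flags payload_len
# Whitespace-separated fields of a dump line:
#   $1 time  $2 proto  $3 src.port  $4 ">"  $5 dst.port:  $6 flags
#   $7 seq:seq(len)  $8 "ack"  $9 acknum  $10 "win"  $11 window
# Lines without a seq:seq(len) field (pure ACKs) are skipped.
parse_dump() {
  awk '
  $2 == "IP" && $4 == ">" && $7 ~ /^[0-9]+:[0-9]+\([0-9]+\)$/ {
    src = $3; dst = $5; sub(/:$/, "", dst)       # drop the colon after dst
    n = split(src, a, "."); sport = a[n]         # last label is the port
    shost = substr(src, 1, length(src) - length(sport) - 1)
    n = split(dst, b, "."); dport = b[n]
    dhost = substr(dst, 1, length(dst) - length(dport) - 1)
    len = $7; sub(/^.*\(/, "", len); sub(/\)$/, "", len)   # "(1380)" -> 1380
    print $1, shost, sport, dhost, dport, $6, len
  }'
}

# payload_bytes_from HOST: sum the TCP payload bytes sent by HOST,
# reading tcpdump lines on stdin.
payload_bytes_from() {
  parse_dump | awk -v h="$1" '$2 == h { s += $7 } END { print s + 0 }'
}

# Usage: pipe a dump (or the output of `tcpdump -r file.dump`) into the
# functions. The sample data gives 3508 bytes from xanadu and 48 from the
# ADSL client.
printf '%s\n' "$SAMPLE_DUMP" | parse_dump
printf '%s\n' "$SAMPLE_DUMP" | payload_bytes_from xanadu.ieu.edu.tr
```

The same pipeline works on a live capture (`tcpdump -n -i eth0 tcp | parse_dump`); with -n the host fields are IP addresses and the port field is numeric, which is what you want when feeding the output to a script.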
Command line use:
Syntax: tcpdump [options] [filter expression]
Options come first; everything after them is the filter expression.
• tcpdump tcp port 22 (all SSH traffic, in both directions)
• tcpdump -A -c 5 dst xanadu.ieu.edu.tr (print the first 5 packets sent to xanadu in ASCII, then exit)
Filters I
Use filters to capture only packets of interest.
Example: capture only packets given by protocol names
- tcpdump udp
- tcpdump tcp
- tcpdump ip
- tcpdump icmp
- tcpdump arp
Filters II
• Capture only UDP packets with destination port 53 (DNS requests)
tcpdump udp dst port 53
• Capture only UDP packets with source port 53 (DNS replies)
tcpdump udp src port 53
• Capture only UDP packets with source or destination port 53 (DNS requests and replies)
tcpdump udp port 53
Note that DNS also runs over TCP (zone transfers and large responses); use "port 53" without the udp qualifier to see both.
Filters III
Capture only packets destined to xanadu.ieu.edu.tr
- tcpdump dst host xanadu.ieu.edu.tr
Capture both DNS packets and TCP packets to/from xanadu.ieu.edu.tr
- tcpdump '(tcp and host xanadu.ieu.edu.tr) or udp port 53'
The parentheses must be quoted, otherwise the shell interprets them before tcpdump sees the expression.
Save the raw packets from eth0 to a file, and read them back later (filters can be applied when reading, too)
- tcpdump -w myfile.dump -i eth0
- tcpdump -r myfile.dump
Filter by packet length: save only packets shorter than 1024 bytes, or print only packets larger than 2048 bytes
- tcpdump -w less.dump less 1024
- tcpdump -i eth0 greater 2048
Writing filters:
• Specifying the hosts we are interested in
- dst host <name/IP>
- src host <name/IP>
- host <name/IP> (either source or destination is name/IP)
• Specifying the ports we are interested in
- dst port <number>
- src port <number>
- port <number>
- makes sense only for TCP and UDP packets
Combining filter options:
• Combining filters:
- and (&&)
- or (||)
- not (!)
• Example:
- all TCP packets which are not from or to host xanadu.ieu.edu.tr
tcpdump tcp and not host xanadu.ieu.edu.tr
The word forms are safer than the symbols: in an interactive bash shell an unquoted "!" triggers history expansion, and "&&" and "||" are shell operators, so the symbolic forms must be quoted.
- Just type man tcpdump (and man pcap-filter for the filter syntax) to find more examples
Some useful options:
• -n Don't convert host addresses to names. Avoids DNS lookups, which saves time and also avoids announcing to a DNS server which hosts you are looking at.
• -w <filename> Write the raw packets to the specified file instead of parsing and printing them out. The file is in pcap format and can be opened in Wireshark.
• -r <filename> Read packets from the specified file instead of live capture.
• -q Quiet output. Prints less information per output line.
• -s 0 Capture the entire packet rather than only the first bytes. Old tcpdump versions default to a 68-byte snapshot length, which truncates payloads; tcpdump 4.0 and later default to 262144 bytes, so -s 0 is only needed on old versions.
• -A Print each packet in ASCII (after the link-layer header). Useful when capturing web pages. -X prints each packet in hex and ASCII side by side.
• -v, -vv, -vvv Increased verbosity. Print more information (TTL, IP ID, checksums, and so on).
Good luck.