Wednesday, 22 June 2022

Packet analysis with TCPDump.

Hi everyone.

Today is the fourth part of the "Packet analysis" series, and we move on to TCPDump. Tcpdump is a basic network-analysis tool used by information security specialists.


Tcpdump captures packets of network traffic on a given network interface.

A filter expression on the command line selects packets by destination, source, protocol, and so on.

The filter expression can also be read from a file (-F <file>). Filters restrict the capture to packets of interest.

Output from tcpdump is called a dump.


Example dump

tcpdump was run on the machine xanadu.ieu.edu.tr. The first few lines of the output:

01:46:28.808262 IP xanadu.ieu.edu.tr.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816

01:46:28.808271 IP xanadu.ieu.edu.tr.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816

01:46:28.808276 IP xanadu.ieu.edu.tr.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816

01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > xanadu.ieu.edu.tr.ssh: P 1:49(48) ack 1380 win 16560


Closer look at a tcpdump line

01:46:28.808262 IP xanadu.ieu.edu.tr.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816

Reading the line from left to right:

- 01:46:28.808262: time the packet was captured (hh:mm:ss.microseconds)

- IP: network-layer protocol

- xanadu.ieu.edu.tr.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: source host and port, then destination host and port (port 22 is shown by its service name, ssh; -n would show addresses, -nn also port numbers)

- .: TCP flags; a dot means no flag is set, P means PSH, S SYN, F FIN, R RST (newer versions print this as Flags [.] or Flags [P.])

- 2513546054:2513547434(1380): sequence-number range of the data in this segment, with the byte count in parentheses (2513547434 - 2513546054 = 1380)

- ack 1268355216: acknowledgement number

- win 12816: receive window advertised by the sender

Only the first packet seen on a connection shows absolute sequence numbers; later lines show numbers relative to them (1380:2128, ack 1), which is why the fourth line of the dump reads 1:49(48) and ack 1380. The -S option prints absolute numbers throughout.
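As an added example (my own code, not part of the original post or of tcpdump), here is a small Python parser for lines in this legacy output format. It pulls the fields apart, checks that the start:end range agrees with the byte count in parentheses, and totals packets and payload bytes per direction of the connection. The sample input is the four lines of the dump above embedded as a constructed string; the function and field names are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample input: the four lines of the example dump above, in the
# legacy tcpdump output format (single flag letters rather than "Flags [P.]").
DUMP = """\
01:46:28.808262 IP xanadu.ieu.edu.tr.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
01:46:28.808271 IP xanadu.ieu.edu.tr.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816
01:46:28.808276 IP xanadu.ieu.edu.tr.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816
01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > xanadu.ieu.edu.tr.ssh: P 1:49(48) ack 1380 win 16560
"""

# timestamp, "IP", src.port > dst.port:, flags, start:end(len), optional ack, win
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\S+)\.(?P<sport>[^\s.]+) > (?P<dst>\S+)\.(?P<dport>[^\s.:]+): "
    r"(?P<flags>\S+) (?P<seq_start>\d+):(?P<seq_end>\d+)\((?P<length>\d+)\)"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)

# Flag letters used by the legacy output; "." means no flag is set.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST", "U": "URG"}


def parse_line(line):
    """Parse one TCP line of legacy tcpdump output into a dict, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    flags = set() if d["flags"] == "." else set(d["flags"])
    pkt = {
        "ts": d["ts"],
        "flow": f'{d["src"]}.{d["sport"]} > {d["dst"]}.{d["dport"]}',
        "src": (d["src"], d["sport"]),
        "dst": (d["dst"], d["dport"]),
        "flags": {FLAG_NAMES.get(f, f) for f in flags},
        "seq_start": int(d["seq_start"]),
        "seq_end": int(d["seq_end"]),
        "length": int(d["length"]),
        "ack": int(d["ack"]) if d["ack"] is not None else None,
        "win": int(d["win"]),
    }
    # start:end(len) must agree: end - start is the number of payload bytes
    pkt["consistent"] = pkt["seq_end"] - pkt["seq_start"] == pkt["length"]
    return pkt


def parse_dump(text):
    """Parse every recognisable line; lines in other formats are skipped."""
    return [p for p in map(parse_line, text.splitlines()) if p]


def summarize(packets):
    """Packets and payload bytes per direction of each connection."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        totals[p["flow"]]["packets"] += 1
        totals[p["flow"]]["bytes"] += p["length"]
    return dict(totals)


if __name__ == "__main__":
    pkts = parse_dump(DUMP)
    for p in pkts:
        note = "" if p["consistent"] else "(seq/len mismatch)"
        print(p["ts"], p["flow"], sorted(p["flags"]), p["length"], "bytes", note)
    for flow, t in summarize(pkts).items():
        print(f'{flow}: {t["packets"]} packets, {t["bytes"]} bytes')
```

Run on the four lines above it reports 3 packets and 3508 bytes from xanadu.ieu.edu.tr.ssh to the client and 1 packet of 48 bytes back. Only the TCP line shape is handled; UDP and ICMP lines look different and are skipped.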


Command line use:

Syntax: tcpdump [options] [filter expression]

tcpdump tcp port 22          (all TCP traffic on port 22, i.e. SSH)

tcpdump -A -c 5 dst xanadu.ieu.edu.tr          (stop after 5 packets addressed to xanadu.ieu.edu.tr and print each in ASCII)


Filters I

Use filters to capture only packets of interest.

Example: capture only packets given by protocol names

  • tcpdump udp
  • tcpdump tcp
  • tcpdump ip
  • tcpdump icmp
  • tcpdump arp


Filters II

Capture only UDP packets with destination port 53 (DNS requests)

tcpdump udp dst port 53

Capture only UDP packets with source port 53 (DNS replies)

tcpdump udp src port 53

Capture only UDP packets with source or destination port 53 (DNS requests and replies)

tcpdump udp port 53


Filters III

Capture only packets destined to xanadu.ieu.edu.tr

- tcpdump dst host xanadu.ieu.edu.tr

Capture both DNS packets and TCP packets to/from xanadu.ieu.edu.tr (quote the expression so the shell does not try to interpret the parentheses)

- tcpdump '(tcp and host xanadu.ieu.edu.tr) or udp port 53'

Write the raw packets from eth0 to a file, then read them back later (the same filter syntax works when reading)

- tcpdump -w myfile.dump -i eth0

- tcpdump -r myfile.dump

Save only packets of at most 1024 bytes (options go before the filter expression, as in the syntax above)

- tcpdump -w less.dump less 1024

Capture only packets of at least 2048 bytes on eth0

- tcpdump -i eth0 greater 2048


Writing filters:

Specifying the hosts we are interested in

- dst host <name/IP> 

- src host <name/IP> 

- host <name/IP>  (either source or destination is name/IP)


Specifying the ports we are interested in

- dst port <number> 

- src port <number> 

- port <number> 

- makes sense only for protocols that carry port numbers (TCP and UDP; newer versions also accept SCTP)


Combining filters options:

Combining filters:

- and (&&)

- or (||)

- not (!)


Example:

- all TCP packets which are neither from nor to host xanadu.ieu.edu.tr

tcpdump 'tcp and not host xanadu.ieu.edu.tr'

The same filter can be written as tcp and ! host xanadu.ieu.edu.tr, but an interactive bash shell expands ! as history substitution, so quote the expression or use not.

- man tcpdump and man pcap-filter give more examples
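To make the precedence rules concrete, here is an added example (my own code, not the post's or tcpdump's): a toy evaluator for the subset of the filter language used on this page (protocol names, src/dst host and port, less/greater, and/or/not with parentheses), run against a handful of constructed packet records. Real tcpdump compiles the expression to BPF; this only reproduces the matching semantics so the filters above can be checked offline. The packet records, their field names and the matches() function are assumptions of the example.

```python
import re

# Constructed packet records, not captured data. Ports are None where the
# protocol has none; length is the whole packet length in bytes.
PACKETS = [
    dict(proto="tcp", src="xanadu.ieu.edu.tr", sport=22, dst="10.0.0.5", dport=2481, length=1434),
    dict(proto="udp", src="10.0.0.5", sport=5353, dst="10.0.0.1", dport=53, length=70),
    dict(proto="udp", src="10.0.0.1", sport=53, dst="10.0.0.5", dport=5353, length=120),
    dict(proto="icmp", src="10.0.0.9", sport=None, dst="xanadu.ieu.edu.tr", dport=None, length=98),
    dict(proto="tcp", src="10.0.0.9", sport=40000, dst="10.0.0.7", dport=80, length=3000),
]

TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")
PROTOS = ("ip", "tcp", "udp", "icmp", "arp")


def _and(l, r):
    return lambda p: l(p) and r(p)


def _or(l, r):
    return lambda p: l(p) or r(p)


class Filter:
    """Recursive-descent evaluator for a subset of the pcap-filter language.
    Precedence from loosest to tightest: or, and, not. Adjacent primitives with
    no operator between them ("udp dst port 53") are and-ed, as tcpdump reads them."""

    def __init__(self, expr):
        self.toks = TOKEN_RE.findall(expr)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        if self.pos >= len(self.toks):
            raise ValueError("filter expression ends early")
        self.pos += 1
        return self.toks[self.pos - 1]

    def parse_or(self):
        node = self.parse_and()
        while self.peek() in ("or", "||"):
            self.take()
            node = _or(node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while True:
            tok = self.peek()
            if tok in ("and", "&&"):
                self.take()
            elif tok is None or tok in (")", "or", "||"):
                return node
            node = _and(node, self.parse_not())

    def parse_not(self):
        if self.peek() in ("not", "!"):
            self.take()
            inner = self.parse_not()
            return lambda p: not inner(p)
        return self.parse_primary()

    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok in PROTOS:  # "ip" matches anything carried in IP; arp is not
            return (lambda p: p["proto"] != "arp") if tok == "ip" else (lambda p: p["proto"] == tok)
        if tok in ("src", "dst"):  # "dst X" on its own means "dst host X"
            kind = self.take() if self.peek() in ("host", "port") else "host"
            return self.qualifier(kind, self.take(), tok)
        if tok in ("host", "port"):
            return self.qualifier(tok, self.take(), None)
        if tok in ("less", "greater"):  # length <= n / length >= n
            n = int(self.take())
            return (lambda p: p["length"] <= n) if tok == "less" else (lambda p: p["length"] >= n)
        raise ValueError(f"unexpected token {tok!r}")

    @staticmethod
    def qualifier(kind, value, direction):
        if kind == "host":
            fields = {"src": ("src",), "dst": ("dst",), None: ("src", "dst")}[direction]
            return lambda p: any(p[f] == value for f in fields)
        n = int(value)  # port: meaningful only for protocols that carry ports
        fields = {"src": ("sport",), "dst": ("dport",), None: ("sport", "dport")}[direction]
        return lambda p: p["proto"] in ("tcp", "udp") and any(p[f] == n for f in fields)


def matches(expr, packets=PACKETS):
    """Indexes of the packets the filter expression selects."""
    f = Filter(expr)
    pred = f.parse_or()
    if f.peek() is not None:
        raise ValueError(f"unexpected token {f.peek()!r}")
    return [i for i, p in enumerate(packets) if pred(p)]
```

Against these records, matches("udp or tcp and port 80") selects the two DNS packets and the TCP port 80 packet, because and binds tighter than or; "(udp or tcp) and port 80" gives the other reading. The ICMP record never matches a port qualifier, which is what the "makes sense only for TCP and UDP" remark above means in practice.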


Some useful options:

-n Don't convert host addresses to names. Avoids DNS lookups, which saves time and keeps the capture from generating its own DNS traffic (-nn also leaves port and protocol numbers unresolved).

-w <filename> Write the raw packets to the specified file instead of parsing and printing them.

-r <filename> Read packets from the specified file instead of capturing live.

-q Quiet output. Prints less information per output line.

-s <snaplen> Number of bytes to capture from each packet; -s 0 means the whole packet. tcpdump 4.0 and later default to 262144 bytes, so this mostly matters on older versions, whose default of 68 (later 96) bytes truncated packets shortly after the headers.

-A Print each packet (after its link-level header) in ASCII. Useful when capturing web pages. -X prints hex and ASCII side by side.

-v, -vv, -vvv Increasingly verbose output; prints more information per packet.


Good luck.
