Friday, August 5, 2011

tcpdump

*. tcpdump is a command-line packet analyzer (packet sniffer).
*. It captures packets from a network interface (or reads them back from a saved file), decodes the protocol headers and prints each packet as a one-line, human-readable record.
*. tcpdump is a Unix tool. Its capture filter language (BPF expressions, covered later in this post) takes a little bit of instruction to learn, but it is what makes the tool useful on a busy network.


Commands:
====================================
1. To select an interface:

tcpdump -i eth0

where eth0 is the interface
=====================================

2. To select the type of traffic you want to watch, add a filter expression after the options. For
now we want to see only TCP traffic:

tcpdump -i eth0 tcp
====================================

3. tcpdump can write the raw packets to a file in binary (pcap) format to read later with
tcpdump or any other pcap-aware tool. We do this using the -w filename option. The -F file option
reads the filter expression from a file instead of the command line (any expression given on the
command line is then ignored):

tcpdump -i eth0 -F myfilter.txt -w LSOoutput

And to read that file back in we use the -r filename option, which makes sense; read = -r
& write = -w. No interface is needed when reading from a file (-i is ignored), and a filter can
be applied again while reading:

tcpdump -r LSOoutput -F myfilter.txt

====================================

4.Reading TCPdump Output

Here is an example record (in the format printed by older tcpdump releases; current releases
print the same information as "Flags [S], seq 1192278531, win 1638, length 0" and prefix the
addresses with "IP"):

20:08:41.313149 rootwars.org.1086 > 66.102.9.104.80: S 1192278531:1192278531(0) win 1638

a) 20:08:41.313149 This is the time stamp: two digits for hours, two digits for minutes, two
digits for seconds, and six digits for the fractional part of a second (microseconds).

b) rootwars.org This is the source host name. The default behavior is to resolve the address
to a hostname; you can turn that off with the tcpdump -n option (resolution costs a DNS lookup
per address, which is slow and also tells the DNS server what you are looking at). If the
address does not resolve, the IP address is printed instead.

c) 1086 This is the source port number (or the service name, unless -nn is used).

d) > This is a marker indicating the direction of flow, from source to destination.

e) 66.102.9.104 This is the destination host name or IP address.

f) 80 This is the destination port number; it may be translated to the service name (http).

g) S This is the TCP flag. S represents a SYN flag (see the next section).

h) 1192278531:1192278531(0) This is the beginning TCP sequence number : ending TCP sequence
number (data bytes). Sequence numbers are used by TCP to order the data received. The initial
sequence number (ISN) is chosen by the sender to mark the first byte of data; it should be
unpredictable, because a guessable ISN lets an off-path attacker inject spoofed segments into
the connection. The ending sequence number is the beginning sequence number plus the number of
bytes carried in this TCP segment. Here zero bytes were sent, so the beginning and ending
sequence numbers are the same. By default tcpdump prints relative sequence numbers after the
first packet of a connection; -S prints the absolute values.

i) win 1638 This is the receive window, in bytes, that rootwars.org advertises for this
connection.
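To turn those fields into something you can search and count, here is an added example (not part of the original post): a POSIX shell/awk script that splits tcpdump's one-line records into columns and then counts pure SYNs per destination host:port, which is how you spot a port scan or a SYN flood in a text capture. The capture lines in sample_capture are constructed for the example, not real traffic; the first is the old format shown above, the rest are the modern "Flags [S]" format that tcpdump 4.x prints with -nn.

```shell
#!/bin/sh
# Added example, not from the original post: split tcpdump text records into
# fields with awk, then use the fields to find SYN scans / floods.
# The capture below is constructed for the example (no real hosts).

sample_capture() {
cat <<'EOF'
20:08:41.313149 rootwars.org.1086 > 66.102.9.104.80: S 1192278531:1192278531(0) win 1638
20:08:42.000001 IP 192.0.2.10.51234 > 10.0.0.5.22: Flags [S], seq 1000, win 64240, length 0
20:08:42.000120 IP 10.0.0.5.22 > 192.0.2.10.51234: Flags [S.], seq 2000, ack 1001, win 65160, length 0
20:08:42.000300 IP 192.0.2.10.51235 > 10.0.0.5.22: Flags [S], seq 1100, win 64240, length 0
20:08:42.000500 IP 192.0.2.10.51236 > 10.0.0.5.22: Flags [S], seq 1200, win 64240, length 0
20:08:42.000700 IP 192.0.2.10.51237 > 10.0.0.5.80: Flags [S], seq 1300, win 64240, length 0
20:08:42.000900 IP 192.0.2.10.51234 > 10.0.0.5.22: Flags [P.], seq 1001:1033, ack 2001, win 502, length 32
EOF
}

# parse_tcpdump_records: stdin = tcpdump text output, stdout = one record per
# line: "timestamp src_host src_port dst_host dst_port flags".
# Handles the old layout (flags as a bare token after "dst:") and the modern
# one ("Flags [S.],"); the link-layer word ("IP"/"IP6") is skipped if present.
# The port is always the text after the last dot of the address field.
parse_tcpdump_records() {
    awk '
    /> .*:/ {
        i = 2                                   # first field after the timestamp
        if ($2 == "IP" || $2 == "IP6") i = 3
        src = $i; dst = $(i + 2); sub(/:$/, "", dst)
        n = split(src, a, "."); sport = a[n]
        src = substr(src, 1, length(src) - length(sport) - 1)
        n = split(dst, b, "."); dport = b[n]
        dst = substr(dst, 1, length(dst) - length(dport) - 1)
        flags = $(i + 3)
        if (flags == "Flags") {                 # modern format: Flags [S.],
            flags = $(i + 4); gsub(/[][,]/, "", flags)
        }
        print $1, src, sport, dst, dport, flags
    }'
}

# syn_targets: count pure SYNs (flag "S"; "S." is the SYN/ACK reply and is not
# counted) per destination host:port, most-hit first. Many SYNs from one source
# to many ports is a scan; many to one port with no SYN/ACKs is a flood or a
# filtered port.
syn_targets() {
    parse_tcpdump_records | awk '$6 == "S" { c[$4 ":" $5]++ }
        END { for (k in c) print c[k], k }' | sort -rn
}

# Summarise the constructed capture; on a real box pipe in
# "tcpdump -nn -r capture.pcap" or a saved text log instead.
sample_capture | syn_targets
```

The same two functions work on a live capture (`tcpdump -nn -l -i eth0 tcp | syn_targets` once the source is saved as a file and sourced) because the record layout is the one shown above; -l makes tcpdump line-buffer its output so the pipe sees packets as they arrive.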
======================================

5. TCP Flags in TCPdump


1. SYN - S - Session establishment request, the first part of any TCP connection (3-way handshake).

2. ACK - ack - The ACK flag acknowledges receipt of data from the other side. It is usually set in
conjunction with other flags; nearly every segment after the initial SYN carries it.

3. FIN - F - The FIN flag indicates the sender's intention to gracefully terminate its side of the
connection with the receiving host.

4. RESET - R - The RST flag indicates the sender's intention to immediately abort the existing
connection with the receiving host. It is also what a closed port sends back in reply to a SYN,
which is how a port scanner tells "closed" from "filtered" (no reply at all).

5. PUSH - P - The PSH flag asks the receiving host to hand the data to the application immediately
rather than buffering it. Interactive applications like telnet set it on nearly every segment.

6. URGENT - urg - The URG flag marks "urgent" data that takes precedence over other data.

7. Placeholder - . - If the segment has none of SYN, FIN, RESET or PUSH set, a placeholder (a
period: .) is printed after the destination port.

Current tcpdump releases print the flags in brackets instead: Flags [S] for a SYN, Flags [S.] for
a SYN/ACK, Flags [P.] for data with PSH and ACK, Flags [F.] for FIN/ACK and Flags [R] for a reset.
There the period means ACK, not "none", and R is used for RST.

========================================

When you run tcpdump without -i, it captures on the lowest-numbered interface that is configured and up (loopback excluded), not on all interfaces; on Linux "-i any" captures on every interface. The -i option selects a particular interface.

Some examples for tcpdump command :

1. tcpdump -i eth1 : In this example, tcpdump captures all the packets flowing through the interface eth1 and displays them on standard output.

2. tcpdump -c 2 -i eth0 : Normally tcpdump prints packets until you interrupt it (Ctrl-C). With the -c option you specify the number of packets to capture; this command captures only 2 packets from interface eth0 and then exits.

3. Capture the packets and write into a file using tcpdump -w

: tcpdump allows you to save the raw packets to a file, and later you can use that file for further analysis.
-w option writes the packets into the given file. By convention the extension is .pcap; the file is in libpcap format and can be read by tcpdump -r, Wireshark or any other pcap-aware tool. Because -w stores the full raw packets (up to the snaplen), the file may contain credentials and other sensitive payload; protect it like any other sensitive data.

4. Display Captured Packets in ASCII using tcpdump -A

: The following tcpdump syntax prints the packet in ASCII.
$ tcpdump -A -i eth0

5. Display Captured Packets in HEX and ASCII using tcpdump -XX

: Some users want to analyse packets by their hex values. tcpdump can print each packet in both hex and ASCII: -X prints the packet from the IP header on (minus the link-level header), -XX includes the link-level (Ethernet) header as well.
$ tcpdump -XX -i eth0

6. Show IP addresses instead of names using tcpdump -n

: In all the above examples, tcpdump resolves addresses to DNS names rather than printing the IP addresses. -n turns name resolution off (it changes only how packets are printed, not what is captured), so the following displays the IP addresses of the machines involved; -nn additionally leaves port numbers unresolved.
: $ tcpdump -n -i eth0

7. Print the timestamp as a readable date and time using tcpdump -tttt

: $ tcpdump -n -tttt -i eth0

8. Capture packets of at least N bytes

: "greater N" is true for packets whose length is greater than or equal to N bytes (len >= N):

: $ tcpdump -w g_1024.pcap greater 1024

9. Receive only the packets of a specific protocol type

: You can capture packets based on the protocol type. You can specify one of these protocols: fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp. The following example captures only arp packets flowing through the eth0 interface:

: $ tcpdump -i eth0 arp

10. Capture packets of at most N bytes

: "less N" keeps only packets whose length is less than or equal to N bytes (len <= N):

: $ tcpdump -w l_1024.pcap less 1024

11. Capture packets on a particular port using tcpdump port:

: If you want to see all the packets to or from a particular port on a machine, you can use tcpdump as shown below. "port 22" matches the source or the destination port; use "dst port 22" or "src port 22" for one direction only.

: $ tcpdump -i eth0 port 22

12. Capture packets for particular destination IP and Port:

: Packets carry source and destination IP addresses and port numbers, and tcpdump can filter on any of them. The following command captures packets on eth0 with a particular destination IP and destination port 22:

: $ tcpdump -w xpackets.pcap -i eth0 dst 10.181.140.216 and port 22

13. Capture TCP communication packets between two hosts

: If processes on two different machines are communicating over TCP, we can capture just that conversation by naming both hosts. "host" matches either direction, so both halves of the exchange are kept; a filter on "dst" alone would capture only one direction.
: $ tcpdump -w comm.pcap -i eth0 tcp and host 10.181.140.216 and host 16.181.170.246 and port 22

14. tcpdump Filter Packets – Capture all the packets other than arp and rarp

: In a tcpdump filter expression you can combine primitives with "and", "or" and "not" (or &&, || and !) to filter the packets accordingly. The following is equivalent to "not (arp or rarp)":

: $ tcpdump -i eth0 not arp and not rarp
==================

some examples:

Options must come before the filter expression, and the expression must not start with "and";
"tcpdump -nnpi eth0 and not dst port 22" is a syntax error. -p keeps the interface out of
promiscuous mode, so only traffic addressed to this host (plus broadcast and multicast) is seen.

tcpdump -npi eth0
tcpdump -nnpi eth0 not dst port 22
tcpdump -nnpi eth0 not dst port 22 and src port 22
tcpdump -nnp not dst port 22
tcpdump -nnp not dst port 22 and not src port 22
tcpdump -nnp -tttt -A not dst port 22 and not src port 22
tcpdump -nnp -tttt -A -S not dst port 22 and not src port 22

The last two hide your own SSH session, which is the usual need when running tcpdump over SSH;
"not port 22" says the same thing more briefly. -S must go with the other options, before the
expression.

=============================================

tcpdump command examples

tcpdump -nni eth0

tcpdump -nni eth0 host 10.0.0.100

tcpdump -nni eth0 dst host 10.0.0.100 and tcp

tcpdump -nni eth0 src net 10.0.0.0/24 and tcp and portrange 1-1024

-nn = don't use DNS to resolve IPs and display port numbers rather than service names
-i = interface to watch: lo or eth0 or venet0 (virtual machines)
dst = watch only traffic destined to a net, host, or port
src = watch only traffic whose src is a net, host, or port
net = specifies a network, 10.0.0.0/24
host = specifies a host, 10.0.0.100
port = specifies a port; portrange takes a range such as 1-1024
tcp, udp, icmp = protocol keywords, used on their own. "proto tcp" is a syntax error because tcp
is a keyword; the long form is 'ip proto \tcp' (quoted so the shell keeps the backslash).


tcpdump -s0 -A -nni eth0 dst host 10.0.0.100
tcpdump -s0 -A -nni eth0 dst host 10.0.0.100 and dst port 80
tcpdump -s0 -A -nni eth0 dst host 10.0.0.100 and dst port 80 and src net 10.100.0.0/24
tcpdump -s0 -A -nni eth0 dst net 10.0.0.0/24
tcpdump -s0 -A -nni venet0 not port 22 and dst host 10.0.0.100 and not src net 10.20.20.0/24 and not host 10.10.10.10 and src net 10.50.0.0/24

-s0 = a snaplen of 0 means capture whole packets (the maximum snapshot length). tcpdump 3.x
defaulted to 68 bytes, which truncates payloads; 4.x defaults to 262144 bytes, so -s0 is mostly
habit now.
-A = Print each packet (minus its link level header) in ASCII.


tcpdump -vv -c10000 -s0 -A -w hack3rcon.pcap -nni eth0 not port 22

-c = count of packets to capture before exiting
-vv = more verbose decoding; when writing with -w, -v also reports the number of packets
captured so far (once per second, on stderr)
-w = Write the raw packets to file
# -c limits the packet count. To limit the size instead, use -C (file size in millions of bytes)
# together with -W (number of files to rotate through), e.g. -C 100 -W 10 keeps at most about
# 1 GB on disk. Either way, put a limit on an unattended capture so you don't fill up your HD.
tcpdump -s0 -A -nn -r hack3rcon.pcap port 80

-r = read from file; the filter expression is applied while reading and must not start with "and"

Basic Usage Examples:
View Basic Network communication
tcpdump -nS (Don't resolve DNS names, print the absolute sequence numbers)

View Basic Network communication, with added verbosity
tcpdump -nnvvS (Don't resolve DNS or Port names, be more verbose when printing info, print the absolute sequence numbers)

View Network Communication Payloads in HEX
tcpdump -nnvvXS (Same as above, but this time prints the packets payload in HEX)

View Detailed Packet Information
tcpdump -nnvvXSs 1514 (Same as above, this time we are specifying a snapshot length with -s 1514, a full Ethernet frame without the checksum)


As you can see, running the above on a busy network produces a flood of output, which is close to
impossible to interpret as-is. Tcpdump has a wonderful thing called 'expressions': capture filters
that are compiled to BPF and applied in the kernel, so the packets you exclude are never even copied
to tcpdump. Using expressions we can remove all of the traffic we do not wish to see and only view
exactly what we are looking for.




--------------------------------------
TCPDump Expressions:
--------------------------------------

The true network ninja will have mastered these expressions to unleash the true power of tcpdump.
A tcpdump expression is built from primitives, each an ID (a name or number) preceded by one or
more qualifiers of three kinds: type, dir and proto. The type qualifiers are host, net and port
(plus portrange).

The packet direction is specified with a dir qualifier: src, dst, src or dst, or src and dst. If
no dir qualifier is given, src or dst is assumed. Below are some examples of using each of these.

host - Looks for traffic to or from the specified IP address. A DNS name can be given instead; it
is resolved once when the filter is compiled (the -n option only affects how addresses are printed).
tcpdump host 192.168.1.1

src,dst - Looks for traffic from a specific source or destination.
tcpdump src 192.168.1.2
tcpdump dst 192.168.1.3

net - Looks for traffic from an entire CIDR range.
tcpdump net 192.168.1.0/24

proto - Looks for the type of traffic specified. The protocol keywords stand on their own; "tcp" is short for "ip proto \tcp or ip6 proto \tcp".
tcpdump tcp
tcpdump udp
tcpdump icmp

port - Looks for traffic to or from the specified port. Ports can be given by name (from /etc/services) or by numeric value.
tcpdump port 22 or tcpdump port ssh

src port, dst port - Looks for traffic based on the source or destination ports.
tcpdump src port 1025
tcpdump dst port 22
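What the net primitive is really testing is a masked comparison: the address and the network are both ANDed with the prefix mask and compared. As an added example (not from the original post), the following POSIX shell functions do that comparison offline: ip_in_net answers whether an address falls inside NET/LEN the way "net NET/LEN" would, with "host" being the /32 case, and src_net_filter applies it to a constructed list of source/destination pairs to show which records "src net 10.0.0.0/24" would keep. The addresses are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post: the masked comparison behind
# tcpdump's "net" and "host" primitives, in plain sh arithmetic (64-bit).

# ip_to_int 10.0.0.100 -> 167772260 (dotted quad to a 32-bit integer)
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# mask_for 24 -> 4294967040 (0xffffff00); /0 gives 0, /32 gives all ones
mask_for() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# ip_in_net ADDR NET[/LEN]: succeed when ADDR is inside NET/LEN.
# A bare address (no /LEN) is treated as /32, which is what "host" means.
ip_in_net() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    case $2 in
        */*) len=${2#*/} ;;
        *)   len=32 ;;
    esac
    mask=$(mask_for "$len")
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# src_net_filter NET/LEN: read "src dst" pairs on stdin, print only the pairs
# whose source lies in the net, i.e. what "src net NET/LEN" would keep.
src_net_filter() {
    while read -r src dst; do
        if ip_in_net "$src" "$1"; then
            printf '%s %s\n' "$src" "$dst"
        fi
    done
}

# Constructed source/destination pairs for the example.
sample_pairs() {
cat <<'EOF'
10.0.0.17 10.0.0.100
10.0.0.255 10.0.0.100
10.0.1.1 10.0.0.100
192.168.1.20 10.0.0.100
EOF
}

# Only the first two pairs survive "src net 10.0.0.0/24".
sample_pairs | src_net_filter 10.0.0.0/24
```

Note that 10.0.1.1 is dropped by /24 but kept by /16, which is the usual mistake when a filter on the wrong prefix length silently hides half of a subnet's traffic; checking the mask arithmetic is quicker than re-running a capture.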

As you can see, tcpdump expressions are fairly powerful for breaking down the types of traffic we would like to see.
Now we will look into the more advanced machinery that lies within tcpdump. Tcpdump lets you combine these
expressions to create even more detailed and specific views of the traffic on the wire. Tcpdump supports three
different operators for combining expressions; if you are a c0de m0nkey then these will be nothing new to see...
move along ....
