Add to collection(s) Add to saved
  1. No category
Uploaded by Văn Toàn Tạ

Learn tcpdump: Network Traffic Analysis Tutorial

advertisement 
TC P
U
TC
D
P
U
DP
P
what's this
The man page for tcpdump starts like this
NAME
tcpdump - dump traffic on a network
SYNOPSIS
tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ]
[ -c count ]
[ -C file_size ] [ -G rotate_seconds ] [ -F file ]
[ -i interface ] [ -j tstamp_type ] [ -m module ] [ -M secret ]
[ --number ] [ -Q in|out|inout ]
[ -r file ] [ -V file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,... ]
[ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
[ --time-stamp-precision=tstamp_precision ]
[ --immediate-mode ] [ --version ]
[ expression ]
to
E
i
m
what
tcp dump for
is
tcpdump captures network traffic
and prints it out for you
For example
on
Yesterday DNS lookups
my laptop were slow
wT
ooowhatbhappening
qq.my
Sudo topdump
IEn p E
n
i
any port 53
DNSqueries
11:12:44.486716 IP 192.168.1.170.28282 > 192.168.1.1.53: 24457+ A? ask.metafilter.com. (36)
11:12:47.468911 IP 192.168.1.170.28282 > 192.168.1.1.53: 24457+ A? ask.metafilter.com. (36)
11:12:50.456712 IP 192.168.1.170.28282 > 192.168.1.1.53: 24457+ A? ask.metafilter.com. (36)
11:12:50.467894 IP 192.168.1.1.53 > 192.168.1.170.28282: 24457 2/4/5 CNAME metafilter.com., A
54.186.13.33 (307)
EDNS response
This means that there
were
3 DNS queries
at 11 12 44 11 12 47 11 12 50
but only
the 3rd one got a response I
I figured my router was probably the problem so
I restarted it and my internet was fast again
Let's learn how to debug problems with topdump
answer
questions you can
with tcpdump
what DNS queries is my laptop sending
topdump i any port 53
I have a
server
running on port 1337
Are any packets arriving at that port AT ALL
topdump i any port 1337
what packets are coming into that
from IP 1.2 3.4
server
tcpdump i any port 1337 and host 1.2 3 4
show me all DNS queries that
topdump ud p 1 1
Ox f
fail
3
complicated but it works 9 This checks for a flag
in the 11 th byte of the UDPpacket
how long are the TCP connections
this box lasting right now
on
Save packets to disk with
and
tcpdump w packets p cap
packets
in wire shark
what top dump output
means
Every line of tapdump output represents a packet
The parts I usually pay attention to are
source
dest IP addresses and ports
timestamp
TCP flags like SYN and ACK Good for spotting
the beginning of a TCP connection
the DNS query for DNS queries
UDPp acket
timestamp
source IP
port
dest IP
myrouter port
11:12:44.486716 IP 192.168.1.170.28282 > 192.168.1.1.53: 24457+
A? ask.metafilter.com. (36)
F
DNS
TCP
DNSqueryID
I ignore this
query
packets
TCPflags
S is for SYN
is for ACK
09:16:23.402215 IP 192.168.1.170.33016 > 52.84.90.246.443:
Flags [S.], seq 3119184139, win 29200, options [mss
1460,sackOK,TS val 2147980923 ecr 0,nop,wscale 7], length 0
error
connection refused
Here's what that looks like in tcpdumpto spyN
Ever
seen
a
09:50:22.544102 IP 127.0.0.1.40822 > 127.0.0.1.1234: Flags [S]
09:50:22.544118 IP 127.0.0.1.1234 > 127.0.0.1.40822: Flags [R.]
RST TACK
we sent a SYN to open the connection
the
but
replied with an RST packet That
it
gets translated to connection refused
server
BPF
filters
tcpdump uses a small language called BPF
berkeley packet filter
to let you filter packets
In Sudo tapdump port 533
port 53 is a
BPF filter which means only show port 53 packets
Here's a quick guide to BPF filters
port 80
0 dst
port 80
0
tcp port 80
are what
they
port 53
to
checks if the source port or
thedest port is 53 matches
TCP port 53 and UDP port 53
host 192.168
B
a
host 192.168 3.2
and
you can
or
or
port 80
use
not
and
so are
look like
Src host l 2 3.4
dst host 1 2 3.4
3.2
checks if the source
or dest IP is 192.168 3.2
s
Src
0
Udp EID
K
you
on
Oxf
3
byte 11
can do bit math
packet contents
This checks for the
DNS response
NX DOMAIN
I googled to find
Wire
shark
I want to know
Y
a Em
twat
m
in my packetsor
Wire shark is
incredibly powerful
packet analysis tool I
an
i
Things Wire shark has
nice graphical interface
search through your
packets easily
it can filter to just
packets from one
TCP connection
If you want to analyze packets from
Cpdump in Wire shark you can either
save a pcap file f open it in Wire shark
pipe topdump output into wire shark
ssh some.remote.host tcpdump -pni any -w -s0 -U port 8888 | wireshark -k -i
my
command
favorite
line
arguments
I use these 3 arguments the most
i which network interface to
capture
packets on I often use EIIIII
The default interface topdump picks
is for
interface isn't always what you want
Emf
IWT
for
write
is
I
Example sudo tcpdump -i lo
shows you packets on the local
loop back interface
Instead of printing out packets
write them to a file This is
VERY USEFUL for analyzing the
packets later I use it all the time
Example
WI
sudo tcpdump host 8.8.8.8
-w packets.pcap
t when writing to a file
be carefulI
You don't want to accidentally fill up
is for i
drive
hard
i
I will
your
count i
only capture 10,000 packets
Example
sudo tcpdump host 8.8.8.8
-w packets.pcap
-c 30000
and here
are
a
few
more
good
ones
This prints out every packet's contents
For example suppose I have a web server
y on
port 7777
sudo tcpdump -A port 7777
will show me all the HTTP packets
being sent to 1 from the server
Cngrep is better than tcpdump A for
looking at HTTP request bodies though
4mm By default tcpdump will translate
IP addresses to host names Aunt
i forces it to
just print the IP
i
is for
Ethernet
Ip
l Includes
i that
the
the MAC address
packet
came
from
1 Filters to only packets to 1 from
1
your computer's IP address
I
network
administration
tools
Finally there are a lot more tools than
tcpdump We won't explain them here but
here's a list
fTthese
P
are
computers even
connected
ifconfighth
what's my
ip address
ngreium
dig1nslookupmT netstatismut
does that
domain exist
v's'ianngstsheaffort
ipf interfaces arty
configures
routes and
successor
more
to
see your
ARP table
ifconfig
traceroutelmtrut NET
grep for
your network
what servers
are on the way
to that server
netcat Make
TCP connections
Fpfttaabbleeshnut
sysctIuT
ethtooing
setup
configure lots
of networking
settings
understand
firewalls
and NAT
by hand
your Ethernet
connections
remain
whoisT
IsotT
took up a
what ports are
telnetT
shrew
stunnetmT
see if a port
can't forget
this one
in ur
network
scanning ur ports
on
another
server is open
domain
being used
a
TLS
proxy
emotion i w
GUI tool to configure
wifi etc on a laptop
lots of different
performance and
benchmarking tools
papingT
openvprimm
sing using
set up a VPN
Tcp
E
i
socatT
connect TCP
and unix
sockets
TC P
U
TC
D
P
U
DP
P
Related documents
f5 int q
f5 int q
P3 Assessment Exam Paper
P3 Assessment Exam Paper
Download
advertisement