Intro to Packet Analysis - pfSense Hangout May 2014
Slides for the May 2014 pfSense Hangout video

Published in: Technology
  1. pfSense Hangout May 2014: Intro to Packet Analysis
  2. Project News
     ● Training course coming soon
  3. Intro to Packet Analysis
     ● Extremely effective means of troubleshooting
     ● Doesn't have to be overwhelmingly complex
     ● Much of today's presentation is deliberately oversimplified
  4. Intro to Packet Analysis: what a capture shows at each layer
     ● Layer 2: source and destination MAC addresses
     ● Layer 3: source and destination IP addresses
     ● Layer 4: TCP, UDP and ICMP are covered today
     (Slide graphic: a frame laid out as source MAC, destination MAC, source IP, destination IP)
  5. Intro to Packet Analysis: TCP intro
     ● Connection-oriented protocol
     ● Source and destination ports
       ○ The source port is normally an ephemeral port chosen by the client, distinct from the well-known destination port of the service
     ● TCP handshake
       ○ SYN, client to server
       ○ SYN ACK, server to client
       ○ ACK, client to server
  6. TCP Basics: Capture Scenarios
     ● Established successfully (SYN, SYN ACK, ACK, then data carried in segments flagged P.)
       10:01:15.868921 IP 10.2.5.1.11582 > 10.2.5.103.22: Flags [S], seq 3908118056, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 341740 ecr 0], length 0
       10:01:15.869237 IP 10.2.5.103.22 > 10.2.5.1.11582: Flags [S.], seq 2912721290, ack 3908118057, win 28960, options [mss 1460,sackOK,TS val 112268 ecr 341740,nop,wscale 7], length 0
       10:01:15.869366 IP 10.2.5.1.11582 > 10.2.5.103.22: Flags [.], ack 1, win 520, options [nop,nop,TS val 341740 ecr 112268], length 0
       10:01:15.904659 IP 10.2.5.103.22 > 10.2.5.1.11582: Flags [P.], ack 1, win 227, options [nop,nop,TS val 112277 ecr 341740], length 41
       10:01:15.905334 IP 10.2.5.1.11582 > 10.2.5.103.22: Flags [.], ack 42, win 520, options [nop,nop,TS val 341744 ecr 112277], length 0
       10:01:17.287797 IP 10.2.5.1.11582 > 10.2.5.103.22: Flags [P.], ack 42, win 520, options [nop,nop,TS val 341882 ecr 112277], length 2
       10:01:17.288202 IP 10.2.5.103.22 > 10.2.5.1.11582: Flags [.], ack 3, win 227, options [nop,nop,TS val 112623 ecr 341882], length 0
  7. TCP Basics: Capture Scenarios
     ● Rejected connection attempt (the server answers the SYN with RST; nothing is listening on that port, or a rule rejects it)
       09:58:13.527103 IP 10.2.5.1.8897 > 10.2.5.103.22: Flags [S], seq 1054206648, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 323506 ecr 0], length 0
       09:58:13.527366 IP 10.2.5.103.22 > 10.2.5.1.8897: Flags [R.], seq 0, ack 1054206649, win 0, length 0
     ● No reply (the client retransmits the same SYN, same sequence number, at growing intervals; the packet never reached the host, or was silently dropped by a filter)
       10:05:30.928371 IP 10.2.5.103.52798 > 10.2.5.1.24: Flags [S], seq 3783265721, win 29200, options [mss 1460,sackOK,TS val 176033 ecr 0,nop,wscale 7], length 0
       10:05:31.926314 IP 10.2.5.103.52798 > 10.2.5.1.24: Flags [S], seq 3783265721, win 29200, options [mss 1460,sackOK,TS val 176283 ecr 0,nop,wscale 7], length 0
       10:05:33.930244 IP 10.2.5.103.52798 > 10.2.5.1.24: Flags [S], seq 3783265721, win 29200, options [mss 1460,sackOK,TS val 176784 ecr 0,nop,wscale 7], length 0
  8. Intro to Packet Analysis: UDP intro
     ● Connectionless protocol
     ● Some services require a response
       ○ DNS
       ○ NTP
     ● Some are silently accepted
       ○ syslog
  9. UDP basic packet capture scenarios
     ● Accepted, or filtered: no reply at all, so from the capture alone you cannot tell an open port from a filtered one (nmap reports the same ambiguity as open|filtered)
       PORT    STATE         SERVICE
       10/udp  open|filtered unknown
       05:49:42.602935 IP 192.168.1.2.45540 > 10.0.6.2.10: UDP, length 0
       05:49:43.737327 IP 192.168.1.2.45541 > 10.0.6.2.10: UDP, length 0
     ● Rejected: the host answers with ICMP port unreachable
       05:50:39.324990 IP 192.168.1.2.62534 > 192.168.1.254.17: UDP, length 0
       05:50:39.326449 IP 192.168.1.254 > 192.168.1.2: ICMP 192.168.1.254 udp port 17 unreachable, length 36
     ● Receives reply (here a DNS query and its answer; tcpdump decodes DNS and shows the matching transaction ID 51162)
       05:54:21.644173 IP 192.168.1.2.52027 > 192.168.1.254.53: 51162+ A? google.com. (28)
       05:54:21.701862 IP 192.168.1.254.53 > 192.168.1.2.52027: 51162 11/0/0 A 74.125.227.169, A 74.125.227.165, A 74.125.227.164, A 74.125.227.166, A 74.125.227.160, A 74.125.227.174, A 74.125.227.168, A 74.125.227.167, A 74.125.227.162, A 74.125.227.161, A 74.125.227.163 (204)
  10. Intro to Packet Analysis: ICMP intro
     ● Types (and codes) instead of ports
     ● No ports
     ● Ping: the id and seq fields pair each reply with its request
       ○ Echo request
       ○ Echo reply
       05:57:52.459547 IP 192.168.1.2 > 74.125.227.97: ICMP echo request, id 48902, seq 0, length 64
       05:57:52.489406 IP 74.125.227.97 > 192.168.1.2: ICMP echo reply, id 48902, seq 0, length 64
       05:57:53.460369 IP 192.168.1.2 > 74.125.227.97: ICMP echo request, id 48902, seq 1, length 64
       05:57:53.492072 IP 74.125.227.97 > 192.168.1.2: ICMP echo reply, id 48902, seq 1, length 64
       05:57:54.461349 IP 192.168.1.2 > 74.125.227.97: ICMP echo request, id 48902, seq 2, length 64
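The capture scenarios on slides 6 through 10 can be turned into a mechanical check. The script below is an added example, not code from the hangout or from pfSense: it parses the text that `tcpdump -n` prints, groups packets into client-to-server conversations, and classifies each one as established, rejected (RST), no reply (repeated SYNs with the same sequence number), UDP answered, UDP rejected (ICMP port unreachable), or UDP open|filtered. It assumes IPv4 addresses (tcpdump joins host and port with a dot), that the only traffic present is TCP, UDP and ICMP port unreachable, and that an ICMP unreachable appears after the probe it answers. The sample capture is constructed, abbreviated from the slides with TCP options elided as `[...]`.

```python
import re

# Constructed sample of `tcpdump -n` output, abbreviated from the slides'
# scenarios; it is not a real capture.
SAMPLE = """\
10:01:15.868921 IP 10.2.5.1.11582 > 10.2.5.103.22: Flags [S], seq 3908118056, win 65228, options [...], length 0
10:01:15.869237 IP 10.2.5.103.22 > 10.2.5.1.11582: Flags [S.], seq 2912721290, ack 3908118057, win 28960, options [...], length 0
10:01:15.869366 IP 10.2.5.1.11582 > 10.2.5.103.22: Flags [.], ack 1, win 520, options [...], length 0
09:58:13.527103 IP 10.2.5.1.8897 > 10.2.5.103.22: Flags [S], seq 1054206648, win 65228, options [...], length 0
09:58:13.527366 IP 10.2.5.103.22 > 10.2.5.1.8897: Flags [R.], seq 0, ack 1054206649, win 0, length 0
10:05:30.928371 IP 10.2.5.103.52798 > 10.2.5.1.24: Flags [S], seq 3783265721, win 29200, options [...], length 0
10:05:31.926314 IP 10.2.5.103.52798 > 10.2.5.1.24: Flags [S], seq 3783265721, win 29200, options [...], length 0
10:05:33.930244 IP 10.2.5.103.52798 > 10.2.5.1.24: Flags [S], seq 3783265721, win 29200, options [...], length 0
05:49:42.602935 IP 192.168.1.2.45540 > 10.0.6.2.10: UDP, length 0
05:50:39.324990 IP 192.168.1.2.62534 > 192.168.1.254.17: UDP, length 0
05:50:39.326449 IP 192.168.1.254 > 192.168.1.2: ICMP 192.168.1.254 udp port 17 unreachable, length 36
05:54:21.644173 IP 192.168.1.2.52027 > 192.168.1.254.53: 51162+ A? google.com. (28)
05:54:21.701862 IP 192.168.1.254.53 > 192.168.1.2.52027: 51162 1/0/0 A 74.125.227.169 (44)
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$')
FLAGS_RE = re.compile(r'Flags \[(?P<flags>[^\]]*)\]')
SEQ_RE = re.compile(r'\bseq (\d+)')
ICMP_UNREACH_RE = re.compile(r'^ICMP (?P<host>\S+) udp port (?P<port>\d+) unreachable')


def split_endpoint(ep):
    """'10.2.5.1.11582' -> ('10.2.5.1', 11582): the port is what follows the last dot."""
    host, _, port = ep.rpartition('.')
    return host, int(port)


def parse_line(line):
    """Turn one tcpdump text line into a dict, or None for lines this example does not model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst, rest = m.group('src'), m.group('dst'), m.group('rest')
    if rest.startswith('ICMP'):
        im = ICMP_UNREACH_RE.match(rest)
        if not im:
            return None  # echo request/reply and other ICMP types are not classified here
        return {'proto': 'icmp-unreach', 'src': src, 'dst': dst,
                'target': im.group('host'), 'port': int(im.group('port'))}
    sh, sp = split_endpoint(src)
    dh, dp = split_endpoint(dst)
    pkt = {'src': sh, 'sport': sp, 'dst': dh, 'dport': dp}
    fm = FLAGS_RE.search(rest)
    if fm:  # tcpdump prints Flags [...] only for TCP segments
        sm = SEQ_RE.search(rest)
        pkt.update(proto='tcp', flags=fm.group('flags'), seq=int(sm.group(1)) if sm else None)
    else:   # 'UDP, length N' or a decoded DNS query/answer (assumption: no other protocols present)
        pkt.update(proto='udp')
    return pkt


def verdict(proto, c):
    """Apply the slide scenarios to one conversation's packets."""
    cli, srv = c['from_client'], c['from_server']
    if proto == 'tcp':
        if any('R' in p['flags'] for p in srv):
            return 'rejected (RST from server)'
        syn_seqs = [p['seq'] for p in cli if p['flags'] == 'S']
        if not srv:
            if len(syn_seqs) > 1 and len(set(syn_seqs)) == 1:
                return f'no reply ({len(syn_seqs) - 1} SYN retransmits, same seq)'
            return 'no reply'
        if any(p['flags'] == 'S.' for p in srv) and any(p['flags'] == '.' for p in cli):
            return 'established (three-way handshake completed)'
        return 'incomplete handshake'
    # UDP has no handshake: only an answer or an ICMP error tells you anything
    if c['unreachable']:
        return 'rejected (ICMP port unreachable)'
    if srv:
        return 'answered'
    return 'open|filtered (no reply: accepted silently, or dropped by a filter)'


def classify(text):
    """Group packets into conversations and return {(proto, 'client_ip:port', 'server_ip:port'): verdict}."""
    convs = {}
    for pkt in map(parse_line, text.splitlines()):
        if pkt is None:
            continue
        if pkt['proto'] == 'icmp-unreach':
            # The unreachable quotes the original destination; attach it to the UDP probe
            # that the ICMP receiver sent to that host and port (probe must precede it).
            for key, c in convs.items():
                if (key[0] == 'udp' and c['client_ip'] == pkt['dst']
                        and c['server_ip'] == pkt['target'] and c['server_port'] == pkt['port']):
                    c['unreachable'] = True
            continue
        fwd = (pkt['proto'], f"{pkt['src']}:{pkt['sport']}", f"{pkt['dst']}:{pkt['dport']}")
        rev = (pkt['proto'], fwd[2], fwd[1])
        if rev in convs:
            convs[rev]['from_server'].append(pkt)
        else:
            # the first packet seen on a 4-tuple defines the client (initiator) side
            c = convs.setdefault(fwd, {'client_ip': pkt['src'], 'server_ip': pkt['dst'],
                                       'server_port': pkt['dport'], 'from_client': [],
                                       'from_server': [], 'unreachable': False})
            c['from_client'].append(pkt)
    return {key: verdict(key[0], c) for key, c in convs.items()}


if __name__ == '__main__':
    for (proto, client, server), v in classify(SAMPLE).items():
        print(f'{proto:4} {client:>20} -> {server:<20} {v}')
```

Feed it a saved `tcpdump -n` run (`python3 classify.py < capture.txt` with the `SAMPLE` replaced by `sys.stdin.read()`) and each conversation comes back with the same label you would assign by eye from slides 6 through 9. Echo request/reply pairs are deliberately left unclassified; matching them by id and seq is the obvious next extension.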
  11. Web Packet Capture page demo (Diagnostics > Packet Capture in the webGUI)
  12. tcpdump at the command line
     ● Reach a shell with console menu option 8 (Shell) over SSH
     ● Common command line arguments
       ○ -i  capture traffic on the specified interface
       ○ -n  disable reverse DNS lookups (faster, and the capture does not generate DNS traffic of its own)
       ○ -e  show the link-level header: MAC addresses, VLAN tags
       ○ -s  snap length; older tcpdump versions truncate packets by default, so use -s 0 to capture whole packets when writing a file for later analysis
       ○ -w  write the capture to a file (pcap format, readable in Wireshark)
  13. tcpdump filtering basics
     ● tcpdump ... | grep 1.2.3.4: no. grep only sees the decoded text after every packet has already been captured and printed; a capture filter is applied by BPF before packets are copied to tcpdump, so use filters instead
     ● Common filters
       ○ host 1.2.3.4    include traffic to or from host 1.2.3.4
       ○ port 53         include port 53, both TCP and UDP
       ○ udp port 53     include UDP port 53 only
       ○ tcp port 80     include TCP port 80 only
     ● Combining filters
       ○ and
       ○ or
     ● Negation
       ○ not
  14. tcpdump examples
     ● Display traffic on interface em0 with no reverse DNS resolution
       ○ tcpdump -ni em0
     ● Display traffic to or from IP 1.2.3.4 on em0 including the link-layer header
       ○ tcpdump -nei em0 host 1.2.3.4
     ● Display all DNS traffic on em1_vlan5
       ○ tcpdump -ni em1_vlan5 port 53
     ● Display all TCP port 80 traffic (HTTP) except that to or from host 10.0.0.5
       ○ tcpdump -ni em0 tcp port 80 and not host 10.0.0.5
  15. Web Packet Capture vs tcpdump
     ● Web Packet Capture
       ○ Ease of selecting interface
       ○ Ease of basic filtering
       ○ Ease of saving capture to file and downloading
     ● tcpdump
       ○ Real time output
       ○ Highly flexible filtering
       ○ Capable of multiple simultaneous captures
  16. Bandwidth Usage Analysis
     ● Who's using what, right now
  17. VPN Troubleshooting
  18. Port Forward Troubleshooting
  19. Routing Troubleshooting
  20. Case Study: DDoS Bot
  21. Case Study: TCP Window 0
  22. Questions? Thanks for attending! Comments, suggestions, etc. welcome to gold@pfsense.org