Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

CNIT 50: 6. Command Line Packet Analysis Tools

617 views

Published on

For a college class in Network Security Monitoring at CCSF.
Course website: https://samsclass.info/50/50_F17.shtml

Based on "The Practice of Network Security Monitoring: Understanding Incident Detection and Response" by Richard Bejtlich, No Starch Press; 1 edition (July 26, 2013), ASIN: B00E5REN34

Published in: Education
  • Be the first to comment

  • Be the first to like this

CNIT 50: 6. Command Line Packet Analysis Tools

  1. 1. CNIT 50: Network Security Monitoring 6 Command Line Packet Analysis Tools
  2. 2. Topics • SO Tool Categories • Running Tcpdump • Using Dumpcap and Tshark • Running Argus and the Ra Client
  3. 3. SO Tool Categories
  4. 4. Three Types of Tools • Data presentation • Data collection • Data delivery
  5. 5. Data Presentation Tools • Packet Analysis Tools • Read traffic from a live interface or from a saved PCAP file • Command-line: tcpdump, Tshark (with Dumpcap), and Argus Ra Client • Graphical interface: Wireshark, Xplico, and NetworkMiner (see Ch 7)
  6. 6. NSM Consoles • Gateways to NSM data • Squil, Squert, and ELSA (see Ch 8) • Text discusses Snorby but it's abandoned and no longer included in Security Onion • Links Ch 1e, 1f
  7. 7. Data Collection Tools • These applications collect and generate the NSM data available to the presentation tools • Argus server, Netsniff-ng, PRADS, Snort, Suricata, and Bro
  8. 8. Argus and PRADS • Argus server and PRADS create and store their own form of session data • Argus uses a proprietary binary format suited for rapid command-line mining • PRADS data is best read through an NSM console
  9. 9. Netsniff-ng • Simply writes full-content data to disk in pcap format
  10. 10. Snort and Suricata • Network intrusion detection systems (NIDS) • Inspect traffic and write alerts • According to signatures deployed with each tool
  11. 11. Bro • Observes and interprets traffic that has been generted and logged in a variety of NSM datatypes
  12. 12. Data Delivery Tools • Middleware between the data presentation and data collection tools • PulledPork manages IDS rules • Barnyard2 manages alert processing • Capme manages pcap access
  13. 13. Squil Agents • Shuttle data from the collection tools to the presentation software • pcap_agent and snort_agent • Apache web server • MySQL database • Sphinx index application
  14. 14. Integrating Tools • Integrate host-centric analysis analysis features • OSSEC host IDS • Syslog-ng for transport and aggregation of log messages
  15. 15. Running Tcpdump
  16. 16. Tcpdump • Protocol analyzer: understands layers of networking • Included in SO but not running by default • Often used to analyze pcaps in /nsn/sensor_data/ <sensorname>/dailylogs • Can also collect live data
  17. 17. Basic Usage • Requires sudo • Specify interface with -i
  18. 18. Other Useful Switches • -n Don't resolve names • -s # Adjust "snaplength" -- Number of bytes to collect (default is 68 bytes for IPv4) • -c count Only collect count packets (0 for all data) • -X Print out packet bytes • -w filename.pcap Write PCAP file
  19. 19. -X
  20. 20. DNS Query & Reply
  21. 21. TCP Handshake • [S] SYN • [S.] SYN/ACK • [.] ACK
  22. 22. Capture Filters • In Berkeley Packet Format (BPF) • Add filter to the end of the command line • icmp Only ICMP protocol • port 53 UDP or TCP port 53 • tcp and port 443 Requires both conditions • man pcap-filter to see all options
  23. 23. Capture Filters • host 192.168.1.1 traffic to or from this IP • src host 192.168.1.1 traffic from this IP • dst host 192.168.1.1 traffic to this IP • src net 192.168.1.0 traffic from this network
  24. 24. Only ICMP Replies
  25. 25. Looping Through Files
  26. 26. Using Dumpcap and Tshark
  27. 27. Shipped with Wireshark • Dumpcap is a simple packet collection tool • Tshark is the command-line version of Wireshark • Analyzes traffic • Friendlier than tcpdump • Uses human-readable syntax
  28. 28. Tshark as Root • Protocol dissectors may contain vulnerabilities • Recommended: collect with dumpcap, analyze later with tshark and wireshark
  29. 29. • When running as root, Dumpcap can't write to the user's home directory, so the output's in /tmp • Dumpcap captures whole packets by default, unlike tcpdump
  30. 30. Running Dumpcap without root Privileges • sudo dpkg-reconfigure wireshark-common
  31. 31. Running Dumpcap without root Privileges • sudo usermod -a -G wireshark so • sudo reboot
  32. 32. Capturing Pings with Dumpcap
  33. 33. Absolute Timestamps in Tshark • tshark -t ad -r icmp.pcap
  34. 34. Using Display Filters with Tshark • Display filters use a different format than BPF • Display filters don't affect packet capture • tshark -r icmp.pcap -Y "icmp.type == 0"
  35. 35. Full Decode • -V for verbose protocol decode • -x for hex and ASCII
  36. 36. Tshark Display Filters in Action • View HTTP Traffic
  37. 37. Tshark Display Filters in Action • Use -Y instead of -R
  38. 38. Tshark Display Filters in Action • Searching for a range of IP addresses
  39. 39. Running Argus and the Ra Client
  40. 40. Argus • A session data generation and analysis suite • Argus server is running by default on Security Onion • Client is in /nsm/sensor_data/<sensorname>/ argus directory • sudo nsm_sensor_ps-status --only-argus • Shows Argus status
  41. 41. Was Off by Default • Do this to start argus • sudo sed -i 's|ARGUS_ENABLED="no"| ARGUS_ENABLED="yes"|g' /etc/nsm/*/ sensor.conf • sudo service nsm restart
  42. 42. Stopping and Starting Argus • sudo nsm_sensor_ps-stop --only-argus • sudo nsm_sensor_ps-start --only-argus
  43. 43. Argus Data
  44. 44. Argus File Format • Argus stores flows, not complete pcaps • Much smaller: ex: 48 days of data
  45. 45. Examining Argus Data • -n Don't resolve port numbers to names • tcp and dst port 21 BPF packet filter • -s Specify which fields to display
  46. 46. Argus Data in SO
  47. 47. Ra Help • - switch to filter
  48. 48. Ra Filtered for ICMP
  49. 49. Ra for SSH • Many records for the same conversation
  50. 50. Racluster • Ra can break a long conversation into separate sections • Racluster combines them into one record
  51. 51. Number of Lines
  52. 52. Advanced Usage Example • -m saddr daddr groups records by source and destination IP address
  53. 53. Without -m
  54. 54. With -m • Combines many conversations into one record
  55. 55. Advanced Usage Example

×