More Related Content
What's hot
What's hot (20)
Similar to Tc pdump mod
Similar to Tc pdump mod (20)
Recently uploaded
Recently uploaded (20)
Tc pdump mod
- 1. Network Traffic Monitoring Using Tcpdump & Wireshark
- 2. Motivation for Network Monitoring • Essential for Network Management – Router and Firewall policy – Detecting abnormal/error in networking – Access control • Security Management – Detecting abnormal traffic – Traffic log for future forensic analysis 2
- 3. TCPDUMP
- 4. INTRODUCTION TCPdump is a utility used to capture and analyze packets on network interface. common computer network debugging tool runs under command line. A piece of software that gives insight into the traffic activity occurs on network. Allows user to intercept and display TCP/IP and other packets being transmitted or received over a network. Frequently used to debug applications that generate or receive network traffic. Also used for debugging the network setup itself, by determining whether all necessary routing is occurring properly, allowing the user to further isolate the source of a problem.
- 5. What is TCPdump? TCPdump is a UNIX tool. Used to gather data from network, decipher the bits, and display the output to the screen or they can be saved to a file for later analysis. TCPdump uses the libpcap library to capture packets. TCPdump is run by issuing the command tcpdump to read all the traffic from the default network interface. Has a filter that enables user to specify the records they interested in collecting. TCPdump displays records on the console, translated from native raw output format to a human-readable format.
- 6. TCPDUMP • Syntax: tcpdump [options] [filter expression] • Basic commnad Eg: tcpdump -i eth0 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 16:34:57.266865 IP 173.194.36.6 > 192.168.1.101: ICMP echo reply, id 19941, seq 1176, length 64 16:34:57.267226 IP 192.168.1.101.21271 > 218.248.255.163.53: 23380+ PTR? 6.36.194.173.in-addr.arpa. (43) 16:34:57.274549 IP 218.248.255.163.53 > 192.168.1.101.21271: 23380 1/4/2 PTR bom04s01-in-f6.1e100.net. (195) 16:34:57.297874 IP 192.168.1.101.56295 > 186.105.77.150.38213: UDP, length 105
- 7. TCPDUMP OUTPUT • One of the hardest tasks for the novice analyst to master is decrypting TCPdumb output. • TCPdumb output is fairly standard for the different protocols (TCP,UDP,ICMP, for example), but does have some nuances. • The first step is to identify protocols that you are examining • TCP output will be used to explain the general TCPdump format. Here is a TCP record displayed by TCPdump:
- 8. 8 01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816 Timestamp This is an IP packetSource host nameSource port number (22) Destination host name Destination port number TCP specific information • Different output formats for different packet types What does a line convey?
- 9. TCPdump Flags TCP Flag Flag Rep Flag Meaning SYN S This is a session establishment request, which is the first part of any TCP connection ACK ack This flag is used generally to acknowledge the receipt of data from the sender. FIN F This flag indicates the sender’s intention to gracefully terminate the sending host’s connection to the receiving host. RESET R This flag indicates the sender’s intention to immediately abort the existing connection with the receiving host. PUSH P This flag immediately “pushes” data from the sending host to the receiving host’s application software. URGENT urg This flag indicates that there is “urgent” data should take precedence over other data. An example of this is pressing Ctrl+C to abort an FTP download. Placeholder . If the connection does not have a SYN, FIN, RESET, or PUSH flag set, a placeholder (a period) will be found after the destination port.
- 10. Commands • tcpdump –D :- List network interfaces • tcpdump -i eth0 tcpdump -i 1 :- To use one of listed interfaces interface name or index can be used • tcpdump -i eth0 -c 10 • tcpdump -i eth0 -c 10 -n • tcpdump -i eth0 -c 10 –A • tcpdump -i eth0 -c 10 -XX • tcpdump -i eth0 -e • tcpdump -i eth0 tcp • tcpdump -i eth0 port 21 • tcpdump -i eth0 src 192.168.0.2 • tcpdump -i eth0 dst 50.116.66.139
- 11. Continue… To write the raw output to a file; use the command tcpdump –w filename , filename is the name of the file to which the records will be written in binary format. To read this output file , another command line option is necessary: tcpdump –r filename. This option reads input to TCPdump from filename rather than from the default network interface. The user can read a file that has been written using the –w option only by using TCPdump with the –r option.
- 12. ALTERING THE AMOUNT OF DATA COLLECTED TCPdump does not collect the entire datagram sent due to volume concerns and user’s interest in the header portions of the datagram that usually collected with default length. The snapshot length, sometimes known as snaplen, determines the exact number of bytes collected. Most common lengths of collected data is 68 bytes.
- 13. 13 Running tcpdump • Requires superuser/administrator privileges on Unix – http://www.tcpdump.org/ – You can do it on your own Unix machine – You can install a Linux OS in Vmware on your machine • Tcpdump for Windows – WinDump: http://www.winpcap.org/windump/ • Free software • Refer the tcpdump man page.
- 14. So What is WireShark? • Packet sniffer/protocol analyzer • GUI Based Tool • Open Source Network Tool • Latest version of the ethereal tool
- 15. Wireshark • http://www.wireshark.org/ • Download: http://prdownloads.sourceforge.net/wireshark/wires hark- setup-0 99 5 exe 0.99.5.exe • Wireshark User's Guide http://www wireshark org/docs/wsug html/