Transcript 05-TCPdump
TCPDUMP INTRODUCTION TCPdump ~ a common computer network debugging tool runs under command line. A piece of software that gives insight into the traffic activity occurs on network. Allows user to intercept and display TCP/IP and other packets being transmitted or received over a network. Frequently used to debug applications that generate or receive network traffic. Also used for debugging the network setup itself, by determining whether all necessary routing is occurring properly, allowing the user to further isolate the source of a problem. What is TCPdump? TCPdump is a UNIX tool. Used to gather data from network, decipher the bits, and display the output in a semi coherent fashion. TCPdump works on most Unix-like operating systems: Linux, Solaris, BSD, Mac OS X, HP-UX and AIX among others. TCPdump uses the libpcap library to capture packets. Can be used to intercepting and displaying the communications of another user or computer. A user with privileges acting as a router or gateway through which unencrypted traffic such as TELNET or HTTP passes can use TCPdump to view login IDs, passwords, the URLs and content of websites being viewed, or any other unencrypted information. TCPdump Behavior TCPdump is run by issuing the command tcpdump to read all the traffic from the default network interface. Has a filter that enables user to specify the records they interested in collecting. tcpdump ‘tcp’ command uses to collect only TCP records and ‘tcp’ is the filter. TCPdump has an –F filename option to indicate that the filter is located in the file filename. TCPdump displays records on the console, translated from native raw output format to a human-readable format. Continue… For retrospective analysis, the desired format for storage is the binary mode, in which all captured data is stored, not just the data translated for output. To collect in raw output mode; use the command tcpdump – w filename , and the filename is the name of the file to which the records will be written in binary format. To read this raw output file , another command line option is necessary: tcpdump –r filename. This option reads input to TCPdump from filename rather than from the default network interface. The user can read a file that has been written using the –w option only by using TCPdump with the –r option. ALTERING THE AMOUNT OF DATA COLLECTED TCPdump does not collect the entire datagram sent due to volume concerns and user’s interest in the header portions of the datagram that usually collected with default length. The snapshot length, sometimes known as snaplen, determines the exact number of bytes collected. Most common lengths of collected data is 68 bytes. TCPDUMP OUTPUT One of the hardest tasks for the novice analyst to master is decrypting TCPdumb output. TCPdumb output is fairly standard for the different protocols (TCP,UDP,ICMP, for example), but does have some nuances. The first step is to identify protocols that you are examining TCP output will be used to explain the general TCPdump format. Here is a TCP record displayed by TCPdump: Continue… 09:32:43:910000 nmap.edu.1173 > dns.net.21: S 62697789: 62697789 (0) win 512 09:32:43:9147882 Time stamp in the format of two digits for hours, two digits for minutes, two digits for seconds, and six digits for fractional parts of a second. nmap.edu Source host name. 1173 Source port number or port service. > Marker to indicate a directional flow going from source to destination. dns.net Destination host name. 21 destination port number. S TCP flag. S represents the SYN flag. 62697789:62697789(0) Beginning TCP sequence number.ending TCP sequence number (data bytes) win 512 Receiving buffer size (in bytes). TCPdump Flags TCP Flag Flag Rep Flag Meaning SYN S ACK ack FIN F RESET R PUSH P URGENT urg Placeholder This is a session establishment request, which is the first part of any TCP connection This flag is used generally to acknowledge the receipt of data from the sender. This might be seen in conjunction with or “piggybacked” with other flags. This flag indicates the sender’s intention to gracefully terminate the sending host’s connection to the receiving host. This flag indicates the sender’s intention to immediately abort the existing connection with the receiving host. This flag immediately “pushes” data from the sending host to the receiving host’s application software. There is no waiting for the buffer to fill up. In this case, responsiveness, not bandwidth efficiency, is the focus. For many interactive applications such as telnet, the primary concern is the quickest response time, which the PUSH flag attempts to signal. This flag indicates that there is “urgent” data should take precedence over other data. An example of this is pressing Ctrl+C to abort an FTP download. If the connection does not have a SYN, FIN, RESET, or PUSH flag set, a placeholder (a period) will be found after the destination port. Absolute and Relative Sequence Numbers TCP sequence numbers need to be addressed in a little more detail. Sequence numbers are associated only with TCP output, as just discussed. TCP sequence numbers are used by the destination host to reassemble TCP traffic that arrives. Dumping in Hexadecimal TCPdump does not display all the fields of the captured data. For example, the IP header has a field that stores the length of the IP header. How do you display this field if it is not available from the standard TCPdump output? There is a TCPdump command-line option (-x) that dumps the entire datagram captured with the default snaplen in hexadecimal. Hexadecimal output is far more difficult to read and interpret, but it is necessary to display the entire captured datagram. SUMMARY TCPdump can make intelligent assessments about traffic activity. TCP is the protocol for applications that require reliable delivery. TCP exchanges follow a prescribed architecture of session establishment, possible data transfer, and session termination. TCP has been robustly mutated for malicious uses. It is important for an intrusion analyst to have a good understanding of TCP, and TCPdump is an excellent instructional tool.