Transcript 05-TCPdump
TCPDUMP
INTRODUCTION
TCPdump is a common computer network debugging tool that
runs under the command line.
A piece of software that gives insight into the traffic
activity occurring on a network.
Allows user to intercept and display TCP/IP and other
packets being transmitted or received over a network.
Frequently used to debug applications that generate or
receive network traffic.
Also used for debugging the network setup itself, by
determining whether all necessary routing is occurring
properly, allowing the user to further isolate the source of
a problem.
What is TCPdump?
TCPdump is a UNIX tool.
Used to gather data from the network, decipher the bits, and
display the output in a semi-coherent fashion.
TCPdump works on most Unix-like operating systems: Linux,
Solaris, BSD, Mac OS X, HP-UX and AIX among others.
TCPdump uses the libpcap library to capture packets.
Can be used to intercept and display the
communications of another user or computer.
A user with privileges acting as a router or gateway through
which unencrypted traffic such as TELNET or HTTP passes
can use TCPdump to view login IDs, passwords, the URLs and
content of websites being viewed, or any other unencrypted
information.
TCPdump Behavior
TCPdump is run by issuing the command tcpdump to read all
the traffic from the default network interface.
Has a filter that enables the user to specify the records they
are interested in collecting.
The command tcpdump 'tcp' collects only TCP records; here
'tcp' is the filter.
TCPdump has a -F filename option to indicate that the filter
is located in the file filename.
TCPdump displays records on the console, translated from
native raw output format to a human-readable format.
For retrospective analysis, the desired format for storage is
the binary mode, in which all captured data is stored, not just
the data translated for output.
To collect in raw output mode, use the command tcpdump -w filename,
where filename is the name of the file to which the records
will be written in binary format.
To read this raw output file, another command-line option is
necessary: tcpdump -r filename.
This option reads input to TCPdump from filename rather
than from the default network interface.
A file that has been written using the -w option can be read
only by using TCPdump with the -r option.
ALTERING THE AMOUNT OF DATA COLLECTED
By default, TCPdump does not collect the entire datagram sent,
both because of volume concerns and because the user is usually
interested in the header portion of the datagram, which is
collected within the default length.
The snapshot length, sometimes known as snaplen,
determines the exact number of bytes collected.
The most common length of collected data is 68 bytes.
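The -w/-r behaviour and the snaplen interact in the stored file: every record in the binary file carries both the number of bytes actually captured and the original length on the wire, so truncation by the snaplen is visible afterwards. The following is an added example, not code from the slides or from the tcpdump project: a minimal writer and reader for the libpcap file format (the binary format tcpdump -w produces), assuming native little-endian byte order and microsecond timestamps. The two frames and their timestamps are constructed.

```python
import struct
from typing import Dict, List, Tuple

# libpcap file layout: a 24-byte global header, then for each packet a
# 16-byte record header (ts_sec, ts_usec, incl_len, orig_len) followed by
# incl_len bytes of captured data. incl_len is capped by the snaplen;
# orig_len is how long the packet really was.
PCAP_MAGIC = 0xA1B2C3D4        # microsecond-resolution timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = "<IHHiIII"        # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "<IIII"           # ts_sec, ts_usec, incl_len, orig_len

def write_pcap(frames: List[Tuple[int, int, bytes]], snaplen: int) -> bytes:
    """Serialize (ts_sec, ts_usec, raw_frame) tuples as a pcap stream, keeping
    only the first 'snaplen' bytes of each frame, as the snapshot length does."""
    out = bytearray(struct.pack(GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, frame in frames:
        captured = frame[:snaplen]
        out += struct.pack(RECORD_HDR, ts_sec, ts_usec, len(captured), len(frame))
        out += captured
    return bytes(out)

def read_pcap(data: bytes) -> Dict:
    """Parse a pcap byte string back into records, validating each record
    header against the file's snaplen before trusting its length."""
    hdr_size = struct.calcsize(GLOBAL_HDR)
    if len(data) < hdr_size:
        raise ValueError("file shorter than the pcap global header")
    magic, major, minor, _tz, _sig, snaplen, linktype = struct.unpack_from(GLOBAL_HDR, data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unexpected magic 0x%08x (not a native-order pcap file)" % magic)
    records = []
    off = hdr_size
    rec_size = struct.calcsize(RECORD_HDR)
    while off < len(data):
        if off + rec_size > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(RECORD_HDR, data, off)
        off += rec_size
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("implausible incl_len %d at offset %d" % (incl_len, off))
        payload = data[off:off + incl_len]
        if len(payload) != incl_len:
            raise ValueError("record data cut short at offset %d" % off)
        off += incl_len
        records.append({
            "timestamp": ts_sec + ts_usec / 1_000_000,
            "captured_len": incl_len,
            "wire_len": orig_len,
            "truncated": incl_len < orig_len,   # snaplen cut this packet
            "data": payload,
        })
    return {"version": (major, minor), "snaplen": snaplen, "linktype": linktype, "records": records}

def demo_snaplen(snaplen: int = 68) -> Dict:
    """Write two constructed frames with the given snaplen and read them back."""
    small = bytes(range(60))                      # 60-byte frame: fits within 68
    large = bytes(i % 256 for i in range(1500))   # full-size frame: will be cut
    capture = write_pcap([(1_000_000, 910_000, small), (1_000_000, 910_500, large)], snaplen)
    return read_pcap(capture)

if __name__ == "__main__":
    for rec in demo_snaplen(68)["records"]:
        print(rec["captured_len"], "of", rec["wire_len"], "bytes", "(truncated)" if rec["truncated"] else "")
```

With the default-sized snaplen of 68 the 1500-byte frame comes back with captured_len 68 and wire_len 1500, which is exactly the information an analyst needs to know that only the headers, not the payload, are in the file.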
TCPDUMP OUTPUT
One of the hardest tasks for the novice analyst to master is
deciphering TCPdump output.
TCPdump output is fairly standard for the different
protocols (TCP, UDP, ICMP, for example), but does have
some nuances.
The first step is to identify the protocol that you are examining.
TCP output will be used to explain the general TCPdump
format. Here is a TCP record displayed by TCPdump:
09:32:43:910000 nmap.edu.1173 > dns.net.21: S 62697789:62697789(0) win 512

Field by field:
09:32:43:910000 - Time stamp in the format of two digits for hours, two digits for minutes, two digits for seconds, and six digits for fractional parts of a second.
nmap.edu - Source host name.
1173 - Source port number or port service.
> - Marker to indicate a directional flow going from source to destination.
dns.net - Destination host name.
21 - Destination port number.
S - TCP flag. S represents the SYN flag.
62697789:62697789(0) - Beginning TCP sequence number:ending TCP sequence number(data bytes).
win 512 - Receiving buffer size (in bytes).
TCPdump Flags
Flag (Rep) - Meaning
SYN (S) - This is a session establishment request, which is the first part of any TCP connection.
ACK (ack) - This flag is used generally to acknowledge the receipt of data from the sender. This might be seen in conjunction with or "piggybacked" with other flags.
FIN (F) - This flag indicates the sender's intention to gracefully terminate the sending host's connection to the receiving host.
RESET (R) - This flag indicates the sender's intention to immediately abort the existing connection with the receiving host.
PUSH (P) - This flag immediately "pushes" data from the sending host to the receiving host's application software. There is no waiting for the buffer to fill up. In this case, responsiveness, not bandwidth efficiency, is the focus. For many interactive applications such as telnet, the primary concern is the quickest response time, which the PUSH flag attempts to signal.
URGENT (urg) - This flag indicates that there is "urgent" data that should take precedence over other data. An example of this is pressing Ctrl+C to abort an FTP download.
Placeholder (.) - If the connection does not have a SYN, FIN, RESET, or PUSH flag set, a placeholder (a period) will be found after the destination port.
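The record layout and the flag table above are enough to parse classic TCPdump TCP records mechanically. The following is an added example, not code from the slides or from the tcpdump project: a parser that splits a record into its fields and expands the flag representations (S, F, R, P, the period placeholder, and the ack/urg words) into the flag names from the table, plus a check for the SYN, SYN/ACK, ACK session-establishment pattern. The regular expression and the two reply records are constructed; it accepts fractional seconds after either a period or a colon so that the record exactly as printed on the slide also parses.

```python
import re
from typing import Dict, List

# Flag representations as they appear in TCPdump output, mapped to the
# flag names from the table above.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "R": "RESET", "P": "PUSH", ".": "placeholder"}

# Constructed pattern for the classic record layout:
#   time src.port > dst.port: flags [seq:seq(len)] [ack N] [win N] [urg N]
RECORD_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}[.:]\d{6})\s+"
    r"(?P<src>\S+)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\w+):\s+"
    r"(?P<flags>[SFRP.]+)"
    r"(?:\s+(?P<seq_start>\d+):(?P<seq_end>\d+)\((?P<nbytes>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
    r"(?:\s+win\s+(?P<win>\d+))?"
    r"(?:\s+urg\s+(?P<urg>\d+))?"
)

def parse_record(line: str) -> Dict:
    """Split one TCPdump TCP record into named fields; raises on anything
    that does not fit the format, rather than guessing."""
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError("not a TCP record in the expected format: %r" % line)
    g = m.groupdict()
    flags = [FLAG_NAMES[c] for c in g["flags"]]   # e.g. "SF" -> ["SYN", "FIN"]
    if g["ack"] is not None:                      # ack and urg are separate words
        flags.append("ACK")
    if g["urg"] is not None:
        flags.append("URGENT")

    def num(key: str):
        return int(g[key]) if g[key] is not None else None

    return {
        "time": g["ts"], "src": g["src"], "sport": g["sport"],
        "dst": g["dst"], "dport": g["dport"],
        "flag_rep": g["flags"], "flags": flags,
        "seq_start": num("seq_start"), "seq_end": num("seq_end"),
        "data_bytes": num("nbytes"), "ack": num("ack"),
        "win": num("win"), "urg": num("urg"),
    }

def is_three_way_handshake(records: List[Dict]) -> bool:
    """True when three consecutive records form SYN, SYN+ACK from the peer,
    and a bare ACK back: the session-establishment pattern."""
    if len(records) != 3:
        return False
    a, b, c = records
    return (a["flags"] == ["SYN"]
            and b["flags"] == ["SYN", "ACK"] and b["src"] == a["dst"]
            and b["ack"] == a["seq_end"] + 1
            and c["flags"] == ["placeholder", "ACK"] and c["src"] == a["src"]
            and c["ack"] == b["seq_end"] + 1)

# Constructed sample: the record from the slide plus two invented replies.
SAMPLE_LINES = [
    "09:32:43:910000 nmap.edu.1173 > dns.net.21: S 62697789:62697789(0) win 512",
    "09:32:43.910450 dns.net.21 > nmap.edu.1173: S 1000:1000(0) ack 62697790 win 8760",
    "09:32:43.910900 nmap.edu.1173 > dns.net.21: . ack 1001 win 512",
]

if __name__ == "__main__":
    parsed = [parse_record(l) for l in SAMPLE_LINES]
    for rec in parsed:
        print(rec["src"], "->", rec["dst"], rec["flag_rep"], rec["flags"])
    print("handshake:", is_three_way_handshake(parsed))
```

Note that the third record carries only the period placeholder and an ack, which is why the handshake check looks for ["placeholder", "ACK"] rather than a bare ACK.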
Absolute and Relative Sequence Numbers
TCP sequence numbers need to be addressed in a little more
detail.
Sequence numbers are associated only with TCP output, as
just discussed.
TCP sequence numbers are used by the destination host to
reassemble TCP traffic that arrives.
Dumping in Hexadecimal
TCPdump does not display all the fields of the captured data.
For example, the IP header has a field that stores the length
of the IP header.
How do you display this field if it is not available from the
standard TCPdump output?
There is a TCPdump command-line option (-x) that dumps the
entire datagram captured with the default snaplen in
hexadecimal. Hexadecimal output is far more difficult to read
and interpret, but it is necessary to display the entire
captured datagram.
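Reading the IP header length out of hexadecimal output is a matter of knowing where the field sits: the low nibble of the first byte, counted in 32-bit words. The following is an added example, not code from the slides or from the tcpdump project: it turns -x style hex lines back into bytes (with or without the leading offset column) and decodes the IP header fields the standard output hides, then the TCP header behind it, rendering the flag byte in TCPdump's representation. The 40-byte SYN datagram is constructed (10.0.0.1:1173 to 10.0.0.2:21, sequence 62697789, window 512); its IP checksum is valid and is verified, while the TCP checksum field is left zero and is not checked.

```python
import struct
from typing import Dict

# Constructed '-x' style dump of an IPv4+TCP datagram, no link layer.
SAMPLE_HEXDUMP = """
0x0000:  4500 0028 0001 0000 4006 66cd 0a00 0001
0x0010:  0a00 0002 0495 0015 03bc b13d 0000 0000
0x0020:  5002 0200 0000 0000
"""

def parse_hex_dump(text: str) -> bytes:
    """Turn TCPdump -x hex lines back into raw bytes."""
    out = bytearray()
    for line in text.strip().splitlines():
        words = line.split()
        if words and words[0].lower().startswith("0x") and words[0].endswith(":"):
            words = words[1:]                   # drop the offset column if present
        out += bytes.fromhex("".join(words))
    return bytes(out)

def ones_complement_sum(data: bytes) -> int:
    """16-bit ones-complement sum used by the IP header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def decode_ipv4(raw: bytes) -> Dict:
    """Extract the IP header fields, starting with the header length in the
    low nibble of byte 0 (in 32-bit words), which standard output omits."""
    if len(raw) < 20:
        raise ValueError("fewer than 20 bytes: not a complete IPv4 header")
    version = raw[0] >> 4
    ihl_words = raw[0] & 0x0F
    if version != 4 or ihl_words < 5:
        raise ValueError("not a sane IPv4 header (version=%d ihl=%d)" % (version, ihl_words))
    hlen = ihl_words * 4
    total_len, _ident, frag, ttl, proto, _csum = struct.unpack_from("!HHHBBH", raw, 2)
    return {
        "version": version, "header_len": hlen, "total_len": total_len,
        "ttl": ttl, "protocol": proto, "dont_fragment": bool(frag & 0x4000),
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
        "checksum_ok": ones_complement_sum(raw[:hlen]) == 0xFFFF,
    }

def tcpdump_flag_rep(flag_byte: int) -> str:
    """Render the TCP flag byte the way classic TCPdump output does: letters
    for SYN/FIN/RESET/PUSH, a '.' when none of those is set, then ack/urg."""
    letters = "".join(ch for bit, ch in ((0x02, "S"), (0x01, "F"), (0x04, "R"), (0x08, "P"))
                      if flag_byte & bit)
    rep = letters or "."
    if flag_byte & 0x10:
        rep += " ack"
    if flag_byte & 0x20:
        rep += " urg"
    return rep

def decode_tcp(raw: bytes, offset: int) -> Dict:
    """Decode the fixed part of the TCP header that starts at 'offset'."""
    sport, dport, seq, ack, off_flags, win = struct.unpack_from("!HHIIHH", raw, offset)
    flags = off_flags & 0x3F
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": (off_flags >> 12) * 4, "flags": flags,
            "flag_rep": tcpdump_flag_rep(flags), "win": win}

def decode_datagram(hexdump: str) -> Dict:
    """Hex dump -> IP fields, plus TCP fields when the datagram carries TCP."""
    raw = parse_hex_dump(hexdump)
    ip = decode_ipv4(raw)
    result = {"ip": ip}
    if ip["protocol"] == 6 and len(raw) >= ip["header_len"] + 20:
        result["tcp"] = decode_tcp(raw, ip["header_len"])
    return result

if __name__ == "__main__":
    d = decode_datagram(SAMPLE_HEXDUMP)
    print("IP header length:", d["ip"]["header_len"], "bytes; checksum ok:", d["ip"]["checksum_ok"])
    print("TCP:", d["tcp"]["sport"], ">", d["tcp"]["dport"], d["tcp"]["flag_rep"], "win", d["tcp"]["win"])
```

Because the decoder uses the header-length nibble rather than assuming 20 bytes, it also locates the TCP header correctly when IP options are present, which is the case the standard output gives no hint about.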
SUMMARY
TCPdump can make intelligent assessments about traffic
activity.
TCP is the protocol for applications that require reliable
delivery.
TCP exchanges follow a prescribed architecture of session
establishment, possible data transfer, and session
termination.
TCP has been robustly mutated for malicious uses.
It is important for an intrusion analyst to have a good
understanding of TCP, and TCPdump is an excellent
instructional tool.