Transcript TCPdump
TCPDUMP
Network-Based Intrusion Detection
Description
Packet sniffing is the heart of
intrusion detection and of
understanding what is actually
occurring on your network.
TCPDUMP provides options and
filters to assist in the proper and
thorough analysis of the acquired
traffic.
How to install?
For Linux
For windows
Download libpcap from
http://www.tcpdump.org/release/libpcap-0.7.2.tar.gz
tar zxvf libpcap-0.7.2.tar.gz; cd libpcap-0.7.2;
./configure; make; make install
Download tcpdump fom
http://www.tcpdump.org/release/tcpdump-3.7.2.tar.gz
tar zxvf tcpdump-3.7.2.tar.gz; cd tcpdump-3.7.2;
./configure; make; make install
Download winpcap.exe from
http://winpcap.polito.it/install/bin/WinPcap_3_0.exe
Download windump.exe from
http://windump.polito.it/install/bin/WinDump.exe
Install winpcap and execute windump.exe
For FreeBSD
bulit-in function
Output format
ARP/RARP packets
arp who-has [A] tell [B]
arp reply [A] is-at [a]
TCP packets
src > dst: flags data-seqno ack window urgent options
src: source ip address and port
dst: destination ip address and port
flags: S (SYN), F (FIN), P(PUSH), R(RST), . (no flags)
Data-seqno: describes the portion of sequence space covered
by the data in the packet
Ack: sequence number of the next data
Window: the number of byte of receive buffer space
Urg: indicates there is “urgent” data in the packet
Options: tcp options enclosed in angle brackets
Summary
Tcpdump and windump are powerful
packet capture utilities that allow
for the extraction of particular types
of network traffic based on header
information. They can filter any field
in the IP, ICMP, UDP, or TCP header
using byte offsets.
Conclusion&What do you learn?
To demonstrate how to install and
use tcpdump and windump and how
to analyze data that is collected
To understand what the basic
functionality of network-based
intrusion detection.
More information about WinDump,
plz visit
http://windump.polito.it/docs/defaul
t.htm
TCPREPLAY
Replay packets from capture files
Description
Tcpreplay is a tool for replaying
network traffic from files saved with
tcpdump
basic operation
to resend all packets from input
files at the spped at wich they were
recorded, a specified data rate, or
as fast as the hardware is capable.
example
Summary
By processing a cache file
generated by tcpprep, tcpreplay is
able to split traffic between two
interfaces. This is useful for testing
bridges, routers, and other gateway
devices.