TCPdump

Download Report

Transcript TCPdump 

TCPDUMP
Network-Based Intrusion Detection
Description


Packet sniffing is the heart of
intrusion detection and of
understanding what is actually
occurring on your network.
TCPDUMP provides options and
filters to assist in the proper and
thorough analysis of the acquired
traffic.
How to install?

For Linux





For windows




Download libpcap from
http://www.tcpdump.org/release/libpcap-0.7.2.tar.gz
tar zxvf libpcap-0.7.2.tar.gz; cd libpcap-0.7.2;
./configure; make; make install
Download tcpdump fom
http://www.tcpdump.org/release/tcpdump-3.7.2.tar.gz
tar zxvf tcpdump-3.7.2.tar.gz; cd tcpdump-3.7.2;
./configure; make; make install
Download winpcap.exe from
http://winpcap.polito.it/install/bin/WinPcap_3_0.exe
Download windump.exe from
http://windump.polito.it/install/bin/WinDump.exe
Install winpcap and execute windump.exe
For FreeBSD

bulit-in function
Output format

ARP/RARP packets
arp who-has [A] tell [B]
arp reply [A] is-at [a]
 TCP packets
src > dst: flags data-seqno ack window urgent options








src: source ip address and port
dst: destination ip address and port
flags: S (SYN), F (FIN), P(PUSH), R(RST), . (no flags)
Data-seqno: describes the portion of sequence space covered
by the data in the packet
Ack: sequence number of the next data
Window: the number of byte of receive buffer space
Urg: indicates there is “urgent” data in the packet
Options: tcp options enclosed in angle brackets
Summary

Tcpdump and windump are powerful
packet capture utilities that allow
for the extraction of particular types
of network traffic based on header
information. They can filter any field
in the IP, ICMP, UDP, or TCP header
using byte offsets.
Conclusion&What do you learn?



To demonstrate how to install and
use tcpdump and windump and how
to analyze data that is collected
To understand what the basic
functionality of network-based
intrusion detection.
More information about WinDump,
plz visit
http://windump.polito.it/docs/defaul
t.htm
TCPREPLAY
Replay packets from capture files
Description

Tcpreplay is a tool for replaying
network traffic from files saved with
tcpdump
basic operation

to resend all packets from input
files at the spped at wich they were
recorded, a specified data rate, or
as fast as the hardware is capable.
example
Summary

By processing a cache file
generated by tcpprep, tcpreplay is
able to split traffic between two
interfaces. This is useful for testing
bridges, routers, and other gateway
devices.