A tcpdump Primer with Examples.docx


∙ Options

∙ Basic Usage

∙ Examples

∙ Writing to a File

∙ Getting Creative

∙ Advanced

tcpdump is the premier network analysis tool for information security professionals. Having a solid grasp of this über-powerful application is mandatory for anyone desiring a thorough understanding of TCP/IP. Many prefer to use higher-level analysis tools such as Ethereal/Wireshark, but I believe this to usually be a mistake.

In a discipline so dependent on a true understanding of concepts vs. rote learning, it's important to stay fluent in the underlying mechanics of the TCP/IP suite. A thorough grasp of these protocols allows one to troubleshoot at a level far beyond the average analyst, but mastery of the protocols is only possible through continued exposure to them.

When using a tool that displays network traffic in a more natural (raw) way, the burden of analysis is placed directly on the human rather than the application. This approach cultivates a continued and elevated understanding of the TCP/IP suite, and for this reason I strongly advocate using tcpdump instead of other tools whenever possible.

15:31:34.079416 IP (tos 0x0, ttl 64, id 20244, offset 0, flags [DF], proto: TCP (6), length: 60) source.35970 > dest.80: S, cksum 0x0ac1 (correct), 2647022145:2647022145(0) win 5840
        0x0000:  4500 003c 4f14 4000 4006 7417 0afb 0257  E..<O.@.@.t....W
        0x0010:  4815 222a 8c82 0050 9dc6 5a41 0000 0000  H."*...P..ZA....
        0x0020:  a002 16d0 0ac1 0000 0204 05b4 0402 080a  ................
        0x0030:  14b4 1555 0000 0000 0103 0302            ...U........

Options

Below are a few options (with examples) that will help you greatly when working with the tool. They're easy to forget and/or confuse with other types of filters, such as Ethereal's, so hopefully this page can serve as a reference for you, as it does me.

First off, I like to add a few options to the tcpdump command itself, depending on what I'm looking at. The first of these is -n, which requests that names are not resolved, resulting in the IPs themselves always being displayed. The second is -X, which displays both hex and ASCII content within the packet. The final one is -S, which changes the display of sequence numbers to absolute rather than relative. The idea there is that you can't see weirdness in the sequence numbers if they're being hidden from you. Remember, the advantage of using tcpdump vs. another tool is getting manual interaction with the packets.

It's also important to note that tcpdump only takes the first 68 (now 96) bytes of data from a packet by default. If you would like to look at more, add the -s number option to the mix, where number is the number of bytes you want to capture. I recommend using 0 (zero) for a snaplength, which gets everything. Here's a short list of the options I use most:

[NOTE: All of the following come after tcpdump, for example: tcpdump -i any]

▪ -i any : Listen on all interfaces just to see if you're seeing any traffic.

▪ -i eth0 : Listen on the eth0 interface.

▪ -D : Show the list of available interfaces.

▪ -n : Don't resolve hostnames.

▪ -nn : Don't resolve hostnames or port names.

▪ -q : Be less verbose (more quiet) with your output.

▪ -X : Show the packet's contents in both hex and ASCII.

▪ -XX : Same as -X, but also shows the ethernet header.

▪ -v, -vv, -vvv : Increase the amount of packet information you get back.

▪ -c : Only get x number of packets and then stop.

▪ icmp : Only get ICMP packets.

▪ -s : Define the snaplength (size) of the capture in bytes. Use -s 0 to get everything, unless you are intentionally capturing less.

▪ -S : Print absolute sequence numbers.

▪ -e : Get the ethernet header as well.

▪ -q : Show less protocol information.

▪ -E : Decrypt IPSEC traffic by providing an encryption key.

[The default snaplength as of tcpdump 4.0 has changed from 68 bytes to 96 bytes. While this will give you more of a packet to see, it still won't get everything. Use -s 1514 to get full coverage.]

Basic Usage

So, based on the kind of traffic I'm looking for, I use a different combination of options to tcpdump, as can be seen below:

1. Basic communication // see the basics without many options

# tcpdump -nS

2. Basic communication (very verbose) // see a good amount of traffic, with verbosity and no name help

# tcpdump -nnvvS

3. A deeper look at the traffic // adds -X for payload but doesn't grab any more of the packet

# tcpdump -nnvvXS

4. Heavy packet viewing // the final "s" increases the snaplength, grabbing the whole packet

# tcpdump -nnvvXSs 1514

Here's a capture of exactly two (-c 2) ICMP packets (a ping and pong) using some of the options described above. Notice how much we see about each packet.

hermes root# tcpdump -nnvXSs 0 -c2 icmp

tcpdump: listening on eth0, link-type EN10MB (Ethernet)

23:11:10.370321 IP (tos 0x20, ttl 48, id 34859, offset 0, flags [none], length: 84) 69.254.213.43 > 72.21.34.42: icmp 64: echo request seq 0
        0x0000:  4520 0054 882b 0000 3001 7cf5 45fe d52b  E..T.+..0.|.E..+
        0x0010:  4815 222a 0800 3530 272a 0000 25ff d744  H."*..50'*..%..D
        0x0020:  ae5e 0500 0809 0a0b 0c0d 0e0f 1011 1213  .^..............
        0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
        0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
        0x0050:  3435 3637                                4567

23:11:10.370344 IP (tos 0x20, ttl 64, id 35612, offset 0, flags [none], length: 84) 72.21.34.42 > 69.254.213.43: icmp 64: echo reply seq 0
        0x0000:  4520 0054 8b1c 0000 4001 6a04 4815 222a  E..T....@.j.H."*
        0x0010:  45fe d52b 0000 3d30 272a 0000 25ff d744  E..+..=0'*..%..D
        0x0020:  ae5e 0500 0809 0a0b 0c0d 0e0f 1011 1213  .^..............
        0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
        0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
        0x0050:  3435 3637                                4567

2 packets captured
2 packets received by filter
0 packets dropped by kernel

hermes root#
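Both hex dumps on this page, the TCP SYN shown at the top and the echo request in the capture just above, can be decoded by hand to confirm what tcpdump's summary lines say: the ports, the absolute sequence number that -S prints, the DF flag, and the checksums it marks "(correct)". The following is an added example, not part of the original primer: a Python decoder that reads the page's own hex columns (ASCII column dropped) and recomputes the IPv4, TCP and ICMP checksums. The names source and dest in the SYN summary are not in the dump, so the decoder reports the raw addresses instead.

```python
"""Decode the tcpdump -X hex dumps shown on the page and verify the checksums
that tcpdump reports as (correct).  Added example, not part of the original
primer; the dumps are copied from the page with the ASCII column dropped."""
import struct
from ipaddress import IPv4Address

# The TCP SYN shown at the top of the page (source.35970 > dest.80).
SYN_DUMP = """
0x0000:  4500 003c 4f14 4000 4006 7417 0afb 0257
0x0010:  4815 222a 8c82 0050 9dc6 5a41 0000 0000
0x0020:  a002 16d0 0ac1 0000 0204 05b4 0402 080a
0x0030:  14b4 1555 0000 0000 0103 0302
"""

# The ICMP echo request from the "-c2 icmp" capture above.
ECHO_DUMP = """
0x0000:  4520 0054 882b 0000 3001 7cf5 45fe d52b
0x0010:  4815 222a 0800 3530 272a 0000 25ff d744
0x0020:  ae5e 0500 0809 0a0b 0c0d 0e0f 1011 1213
0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
0x0050:  3435 3637
"""

# tcpdump's flag letters in bit order: FIN SYN RST PSH ACK URG ECE CWR
TCP_FLAGS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
             (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]


def hexdump_to_bytes(dump):
    """Turn '0xNNNN:  xxxx xxxx ...' lines back into raw packet bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _offset, _, words = line.partition(":")
        out += bytes.fromhex(words.replace(" ", ""))
    return bytes(out)


def inet_checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 over a buffer whose stored
    checksum is correct (the stored field is included in the sum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_ipv4(pkt):
    """The fields tcpdump -v prints: tos, ttl, id, DF flag, proto, length."""
    ver_ihl, tos, length, ident, frag, ttl, proto, _cksum = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    return {"tos": tos, "length": length, "id": ident, "df": bool(frag & 0x4000),
            "ttl": ttl, "proto": proto, "header_len": ihl,
            "src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])),
            "checksum_ok": inet_checksum(pkt[:ihl]) == 0}


def decode_tcp(pkt, ip):
    """Ports, absolute sequence number (what -S shows), flags, window, and the
    checksum check, which covers the IPv4 pseudo-header plus the segment."""
    seg = pkt[ip["header_len"]:ip["length"]]
    sport, dport, seq, ack, off_flags, window, cksum, _urg = struct.unpack("!HHIIHHHH", seg[:20])
    pseudo = (IPv4Address(ip["src"]).packed + IPv4Address(ip["dst"]).packed
              + struct.pack("!BBH", 0, 6, len(seg)))
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": "".join(name for bit, name in TCP_FLAGS if off_flags & bit),
            "window": window, "checksum": cksum,
            "checksum_ok": inet_checksum(pseudo + seg) == 0}


def decode_icmp(pkt, ip):
    """Type/code/id/seq of an echo message; checksum covers the whole message."""
    msg = pkt[ip["header_len"]:ip["length"]]
    itype, code, _cksum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    kind = {8: "echo request", 0: "echo reply"}.get(itype, "type %d" % itype)
    return {"kind": kind, "code": code, "id": ident, "seq": seq,
            "checksum_ok": inet_checksum(msg) == 0}


def analyse(dump):
    """Decode one -X dump into a dict mirroring tcpdump's summary line."""
    pkt = hexdump_to_bytes(dump)
    ip = decode_ipv4(pkt)
    if ip["proto"] == 6:
        ip["tcp"] = decode_tcp(pkt, ip)
    elif ip["proto"] == 1:
        ip["icmp"] = decode_icmp(pkt, ip)
    return ip


if __name__ == "__main__":
    for name, dump in (("SYN", SYN_DUMP), ("ECHO", ECHO_DUMP)):
        print(name, analyse(dump))
```

Running it reproduces every value in the two summary lines (id 20244, ttl 64, DF, ports 35970 > 80, sequence 2647022145, window 5840, checksum 0x0ac1 correct; tos 0x20, ttl 48, id 34859, echo request seq 0), which is the kind of cross-check that is only possible because -X and -S expose the raw fields instead of a pre-digested view.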

Examples

Expressions allow you to trim out various types of traffic and find exactly what you're looking for. Mastering the expressions and learning to combine them creatively is what makes one truly powerful with tcpdump. There are three main types of expression: type, dir, and proto.

Type options are host, net, and port. Direction is indicated by dir, and there you can have src, dst, src or dst, and src and dst. Here are a few that you should definitely be comfortable with:

▪ host // look for traffic based on IP address (also works with hostname if you're not using -n)

# tcpdump host 1.2.3.4

▪ src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)

# tcpdump src 2.3.4.5

# tcpdump dst 3.4.5.6

▪ net // capture an entire network using CIDR notation

# tcpdump net 1.2.3.0/24

▪ proto // works for tcp, udp, and icmp. Note that you don't have to type proto

# tcpdump icmp

▪ port // see only traffic to or from a certain port

# tcpdump port 3389

▪ src, dst port // filter based on the source or destination port

# tcpdump src port 1025

# tcpdump dst port 389

▪ src/dst, port, protocol // combine all three

# tcpdump src port 1025 and tcp

# tcpdump udp and src port 53

You also have the option to filter by a range of ports instead of declaring them individually, and to only see packets that are above or below a certain size.

▪ Port Ranges // see traffic to any port in a range

tcpdump portrange 21-23

▪ Packet Size Filter // only see packets below or above a certain size (in bytes)

tcpdump less 32

tcpdump greater 128

[You can use the symbols for less than, greater than, and less than or equal / greater than or equal as well, by comparing against the packet length keyword len. Quote the expression, otherwise the shell treats < and > as redirections instead of passing them to tcpdump.]

// filtering for size using symbols

tcpdump 'len > 32'

tcpdump 'len <= 128'

Writing to a File

tcpdump allows you to send what you're capturing to a file for later use using the -w option, and then to read it back using the -r option. This is an excellent way to capture raw traffic and then run it through various tools later.

The traffic captured in this way is stored in tcpdump format, which is pretty much universal in the network analysis space. This means it can be read in by all sorts of tools, including Wireshark, Snort, etc.

Capture all Port 80 Traffic to a File

# tcpdump -s 1514 port 80 -w capture_file

Then, at some point in the future, you can read the traffic back in like so:

Read Captured Traffic back into tcpdump

# tcpdump -r capture_file
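What -w writes and -r reads is the libpcap file format: a 24-byte global header carrying the snaplen and link type, then a 16-byte record header per packet holding the captured length and the original length. When those two lengths differ, the packet was clipped by the snaplen, which is the caveat the Options section gives about the 68/96-byte default (current tcpdump defaults to 262144 bytes, so this matters mostly for old captures or explicit -s values). The writer and reader below are an added example, not tcpdump's own code; the packets are constructed from the SYN dump earlier on the page behind a made-up Ethernet header, and the "big" packet is only a size stand-in.

```python
"""A minimal writer/reader for the libpcap file format that tcpdump -w / -r
use, plus a check for records cut short by the snaplen.  Added example, not
tcpdump's own code; all packet bytes are constructed."""
import struct

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-timestamp pcap, written in native byte order
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # the same magic seen from the other byte order
LINKTYPE_ETHERNET = 1            # tcpdump prints this as "link-type EN10MB (Ethernet)"

# Constructed Ethernet header: dst MAC, src MAC, EtherType 0x0800 (IPv4).
ETH = bytes.fromhex("001122334455" "66778899aabb" "0800")
# IP + TCP bytes of the 60-byte SYN dump at the top of the page.
SYN = ETH + bytes.fromhex(
    "4500003c4f14400040067417" "0afb0257" "4815222a"
    "8c8200509dc65a4100000000" "a00216d00ac10000"
    "020405b40402080a14b41555" "0000000001030302")
# Size stand-in for a larger packet: headers are not recomputed, only the
# length matters for the snaplen demonstration.
BIG = SYN + b"A" * 300


def build_pcap(packets, snaplen, linktype=LINKTYPE_ETHERNET):
    """Serialize (ts_sec, ts_usec, bytes) packets as `tcpdump -s snaplen -w` would."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, pkt in packets:
        captured = pkt[:snaplen]             # bytes past the snaplen are never stored
        out += struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(pkt))
        out += captured
    return bytes(out)


def read_pcap(data):
    """Parse a pcap file (either byte order) into (snaplen, linktype, records)."""
    magic, = struct.unpack_from("<I", data)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a microsecond pcap file (magic %#x)" % magic)
    _, _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack_from(endian + "IHHiIII", data)
    records, off = [], 24
    while off < len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        records.append({"ts": ts_sec + ts_usec / 1e6,
                        "incl_len": incl_len, "orig_len": orig_len,
                        "bytes": data[off:off + incl_len],
                        # incl_len < orig_len means the snaplen clipped this packet
                        "truncated": incl_len < orig_len})
        off += incl_len
    return snaplen, linktype, records


def truncated_count(data):
    """How many records in a capture lost bytes to the snaplen."""
    return sum(rec["truncated"] for rec in read_pcap(data)[2])


if __name__ == "__main__":
    sample = [(1700000000, 370321, SYN), (1700000000, 370344, BIG)]
    for snap in (96, 1514):
        print("snaplen %d: %d truncated" % (snap, truncated_count(build_pcap(sample, snap))))
```

Before handing an old capture to Wireshark, Snort or a script, run the truncation check first: a capture full of clipped records will decode headers fine but silently lose the payload, and the tools downstream will not warn you.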

Getting Creative

Expressions are nice, but the real magic of tcpdump comes from the ability to combine them in creative ways in order to isolate exactly what you're looking for. There are three ways to do combinations, and if you've studied computers at all they'll be pretty familiar to you:

1. AND : and or &&

2. OR : or or ||

3. EXCEPT : not or !

More Examples

# TCP traffic from 10.5.2.3 destined for port 3389

tcpdump -nnvvS tcp and src 10.5.2.3 and dst port 3389

# Traffic originating from the 192.168 network headed for the 10 or 172.16 networks

tcpdump -nvX 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or dst net 172.16.0.0/16)'

# Non-ICMP traffic destined for 192.168.0.2 from the 172.16 network

tcpdump -nvvXSs 1514 dst 192.168.0.2 and src net 172.16.0.0/16 and not icmp

# Traffic originating from Mars or Pluto that isn't to the SSH port

tcpdump -vv '(src mars or src pluto) and not dst port 22'

As you can see, you can build queries to find just about anything you need. The key is to first figure out precisely what you're looking for and then to build the syntax to isolate that specific type of traffic.

Grouping

Also keep in mind that when you're building complex queries you might have to group your options using single quotes. Single quotes keep the shell from interpreting certain special characters, in this case the "()" brackets, so that they reach tcpdump intact. This same technique can be used to group using other expressions such as host, port, net, etc. Take a look at the command below:

# Traffic that's from 10.0.2.4 AND destined for ports 3389 or 22 (incorrect)

tcpdump src 10.0.2.4 and (dst port
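The precedence trap behind this section: in the filter language, and binds tighter than or, and a value written without its own qualifier (the 22 in dst port 3389 or 22) inherits the qualifier of the value before it. Without parentheses, "src 10.0.2.4 and dst port 3389 or 22" therefore matches all traffic to port 22 from any source, not only from 10.0.2.4. The following is an added example, not libpcap itself: a small Python model of that grammar, evaluated over constructed packet summaries, that shows the ungrouped and grouped forms selecting different packets. Only numeric addresses are supported, and operators must be separated by spaces.

```python
"""A small model of how libpcap reads a filter expression: 'not' binds
tightest, then 'and', then 'or', and a bare value inherits the qualifiers
(src/dst and host/net/port) of the value before it.  Added example, not
libpcap itself; packet summaries are constructed."""
from ipaddress import ip_address, ip_network

PROTOS = ("tcp", "udp", "icmp")


class Filter:
    """Recursive-descent parser producing a predicate over packet dicts."""

    def __init__(self, expr):
        self.toks = expr.replace("(", " ( ").replace(")", " ) ").split()
        self.pos = 0
        self.dir, self.kind = None, "host"     # libpcap's default qualifiers
        self.match = self._expr()
        if self.pos != len(self.toks):
            raise SyntaxError("unexpected tokens: %s" % self.toks[self.pos:])

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _next(self):
        tok = self.toks[self.pos]
        self.pos += 1
        return tok

    def _expr(self):                  # expr := term ('or' term)*   lowest precedence
        left = self._term()
        while self._peek() in ("or", "||"):
            self._next()
            left = self._either(left, self._term())
        return left

    def _term(self):                  # term := factor ('and' factor)*
        left = self._factor()
        while self._peek() in ("and", "&&"):
            self._next()
            left = self._both(left, self._factor())
        return left

    def _factor(self):                # factor := 'not' factor | '(' expr ')' | primitive
        tok = self._peek()
        if tok in ("not", "!"):
            self._next()
            inner = self._factor()
            return lambda p: not inner(p)
        if tok == "(":
            self._next()
            inner = self._expr()
            if self._next() != ")":
                raise SyntaxError("missing ')'")
            return inner
        return self._primitive()

    def _primitive(self):
        tok = self._next()
        if tok in PROTOS:
            return lambda p, proto=tok: p["proto"] == proto
        if tok in ("src", "dst", "host", "net", "port"):
            self.dir, self.kind = None, "host"   # an explicit head starts from the defaults
            if tok in ("src", "dst"):
                self.dir, tok = tok, self._next()
            if tok in ("host", "net", "port"):
                self.kind, tok = tok, self._next()
        # tok is now a value; with no head of its own it keeps the previous qualifiers
        return self._test(self.kind, self.dir, tok)

    @staticmethod
    def _both(a, b):
        return lambda p: a(p) and b(p)

    @staticmethod
    def _either(a, b):
        return lambda p: a(p) or b(p)

    @staticmethod
    def _test(kind, direction, value):
        if kind == "port":
            port = int(value)
            def test(p):
                ends = {"src": [p.get("sport")], "dst": [p.get("dport")]}
                return port in ends.get(direction, ends["src"] + ends["dst"])
        else:                          # a host is just a /32 net
            net = ip_network(value, strict=False)
            def test(p):
                ends = {"src": [p["src"]], "dst": [p["dst"]]}
                return any(ip_address(a) in net
                           for a in ends.get(direction, ends["src"] + ends["dst"]))
        return test


# Constructed packet summaries (not captured traffic).
PACKETS = [
    {"proto": "tcp", "src": "10.0.2.4", "dst": "192.0.2.10", "sport": 51000, "dport": 3389},
    {"proto": "tcp", "src": "10.0.2.4", "dst": "192.0.2.10", "sport": 51001, "dport": 22},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "sport": 40000, "dport": 22},
    {"proto": "icmp", "src": "172.16.5.5", "dst": "192.168.0.2"},
]


def matches(expr, packets=PACKETS):
    """Indexes of the packets a filter expression would let through."""
    f = Filter(expr)
    return [i for i, p in enumerate(packets) if f.match(p)]


if __name__ == "__main__":
    print(matches("src 10.0.2.4 and dst port 3389 or 22"))     # packet 2 slips in
    print(matches("src 10.0.2.4 and (dst port 3389 or 22)"))   # what was meant
```

The same model explains the "More Examples" entries: "dst 192.168.0.2 and src net 172.16.0.0/16 and not icmp" drops the ICMP packet as intended, while an unparenthesised "dst net 10.0.0.0/8 or 172.16.0.0/16" after an and clause only applies the src condition to the first network. For real captures, verify a filter the same way by running tcpdump -r on a saved file with -d, which prints the compiled BPF program.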
