-
June 15th, 2003, 07:05 PM
#1
Analyzing traffic with TCPDUMP / WINDUMP Part-I
Hi everyone,
Traffic analysis plays a big role in watching intruders and tracing unwanted activity.I am going to introduce traffic analysis the home grown way using tcpdump / windump. So here we go
1. Getting Tcpdump /Windump
For linux users tcpdump generally ships with the installation if not get it from
www.tcpdump.org
for windows users get windump from
windump.polito.it/
2. Tcpdump/Windump operates by putting the network card into promiscuous mode in order
to capture all the packets going through the wire.
3. Note you have to be root or member of Admininstrative group too run tcpdump/windump.
4. open shell / command prompt type
#tcpdump
or
c:\Windump
5. If everthing goes well you will see something like the following
23:21:33.174141 IP 202.54.103.1.53 > maximus.4993: 1 NXDomain 0/1/0 (114) (DF)
23:21:33.236647 IP maximus.4994 > 202.54.103.1.53: 2+ PTR? 33.219.197.203.in-
addr.arpa. (45)
23:21:33.305759 IP 202.54.103.1.53 > maximus.4994: 2 NXDomain 0/1/0 (114) (DF)
23:21:33.309055 IP maximus.4995 > 202.54.103.1.53: 3+ PTR? 45.219.197.203.in-
addr.arpa. (45)
23:21:33.369485 IP 202.54.103.1.53 > maximus-4nikqbi.4995: 3 NXDomain 0/1/0 (114) (DF)
Without any options tcpdump displays output in the form
timestamp protocol source.port > destination.port : flags
where
(a) timestamp: it is the time at which packet is being monitored.
(b) protocol : the protocol(not very specific) being used IP,TCP,ICMP,arp-who-has etc.
(c) source.port: originating ip and port separated by a dot.
(d) > : signifies the packet flow
(e) Flags: they can be of the form
S 4183223882:4183223882(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
S 2428998098:2428998098(0)
ack 4183223883 win 8190 <mss 1460>
note
S meams a SYN packet was sent (I will expain this later)
ACK means an acknowldgement packet was recieved etc.(I will expain this later)
The numbers are tcp sequence numbers of the form(I will expain this later)
starting sequence number : ending sequence number (data bytes)
Windows size etc.
6. A few other options are
-X : Display ascii data
-v : verbose output
-vvv: very verbose
Next time detailed description of packet format,connections etc and traffic analysis.
-
June 15th, 2003, 07:12 PM
#2
Hmm, such a short tutorial on such a large subject....
-
June 15th, 2003, 11:34 PM
#3
Agreed with alittlebitnumb. I think that maybe you should throw in more info.
Note: You can get negged for this (you don't want that to happen)
-
June 16th, 2003, 10:20 AM
#4
Hey, don't be too hard to newbies... He said that he "will explain this later" and "Next time detailed description of packet format,connections etc and traffic analysis." At least he posted an original tut (afaik).
And next time make it complete, warl0ck7... You may want to read this trough:
http://www.antionline.com/showthread...hreadid=232084
Peace always,
<jdenny>
Always listen to experts. They\'ll tell you what can\'t be done and why. Then go and do it. -- Robert Heinlein
I\'m basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|