
Thread: Analyzing traffic with TCPDUMP / WINDUMP Part-I

  1. #1 (Senior Member, Join Date: Jun 2003, Posts: 188)

    Analyzing traffic with TCPDUMP / WINDUMP Part-I

    Hi everyone,

    Traffic analysis plays a big role in watching intruders and tracing unwanted activity. I am going to introduce traffic analysis the home-grown way, using tcpdump / windump. So here we go.

    1. Getting Tcpdump / Windump
    For Linux users, tcpdump generally ships with the installation; if not, get it from
    www.tcpdump.org
    For Windows users, get windump from
    windump.polito.it/

    2. Tcpdump/Windump operates by putting the network card into promiscuous mode in order
    to capture all the packets going through the wire.

    3. Note: you have to be root or a member of the Administrators group to run tcpdump/windump.

    4. Open a shell / command prompt and type
    #tcpdump
    or
    c:\Windump

    5. If everything goes well you will see something like the following
    23:21:33.174141 IP 202.54.103.1.53 > maximus.4993: 1 NXDomain 0/1/0 (114) (DF)
    23:21:33.236647 IP maximus.4994 > 202.54.103.1.53: 2+ PTR? 33.219.197.203.in-addr.arpa. (45)
    23:21:33.305759 IP 202.54.103.1.53 > maximus.4994: 2 NXDomain 0/1/0 (114) (DF)
    23:21:33.309055 IP maximus.4995 > 202.54.103.1.53: 3+ PTR? 45.219.197.203.in-addr.arpa. (45)
    23:21:33.369485 IP 202.54.103.1.53 > maximus-4nikqbi.4995: 3 NXDomain 0/1/0 (114) (DF)

    Without any options tcpdump displays output in the form

    timestamp protocol source.port > destination.port : flags

    where

    (a) timestamp: the time at which the packet is being monitored.
    (b) protocol: the protocol (not very specific) being used: IP, TCP, ICMP, arp-who-has, etc.
    (c) source.port: originating IP and port, separated by a dot.
    (d) > : signifies the packet flow.
    (e) Flags: they can be of the form
    S 4183223882:4183223882(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
    S 2428998098:2428998098(0) ack 4183223883 win 8190 <mss 1460>
    Note:
    S means a SYN packet was sent (I will explain this later).
    ACK means an acknowledgement packet was received, etc. (I will explain this later).
    The numbers are TCP sequence numbers of the form (I will explain this later)
    starting sequence number : ending sequence number (data bytes)
    Window size, etc.

    6. A few other options are
    -X : Display ASCII data
    -v : verbose output
    -vvv: very verbose

    Next time: a detailed description of packet format, connections, etc. and traffic analysis.
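    As an added example that is not part of the original post: a small Python parser for the classic tcpdump/windump default line format described above (timestamp, protocol, source.port > destination.port, then the TCP flags / sequence-number / window field). The two DNS lines are taken from the post; the TCP pair reuses the post's flag fields with constructed endpoints (10.0.0.5 and 10.0.0.9:80) so the SYN / SYN-ACK relation can be checked.

```python
import re

# One tcpdump default-format line: "timestamp protocol src.port > dst.port: rest"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<proto>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
# Classic tcpdump TCP field: "S 4183223882:4183223882(0) ack 4183223883 win 8190 <mss 1460>"
TCP_RE = re.compile(
    r"^(?P<flags>[SFPRW.]+) (?P<seq>\d+):(?P<seq_end>\d+)\((?P<nbytes>\d+)\)"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)

def split_endpoint(endpoint):
    """'202.54.103.1.53' -> ('202.54.103.1', '53'): the port is the last dotted field."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def parse_line(line):
    """Split one output line into its fields; returns None for lines that are not packets."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # e.g. a wrapped continuation line, or tcpdump's own status messages
    src_host, src_port = split_endpoint(m["src"])
    dst_host, dst_port = split_endpoint(m["dst"])
    pkt = {"ts": m["ts"], "proto": m["proto"], "src": src_host, "sport": src_port, "dst": dst_host,
           "dport": dst_port, "rest": m["rest"], "flags": None, "seq": None, "ack": None, "win": None}
    t = TCP_RE.match(m["rest"])
    if t:  # only TCP lines carry the flag / sequence-number / window field
        pkt["flags"] = t["flags"]
        pkt["seq"] = int(t["seq"])
        pkt["ack"] = int(t["ack"]) if t["ack"] else None
        pkt["win"] = int(t["win"])
    return pkt

def is_handshake_reply(syn, reply):
    """A SYN/ACK answers a SYN when the endpoints swap and ack == the SYN's sequence number + 1."""
    return (syn["flags"] == "S" and syn["ack"] is None and reply["flags"] == "S"
            and reply["ack"] == syn["seq"] + 1
            and (reply["src"], reply["sport"]) == (syn["dst"], syn["dport"])
            and (reply["dst"], reply["dport"]) == (syn["src"], syn["sport"]))

# Constructed sample: the two DNS lines are from the post; the TCP pair reuses the post's flag
# fields with made-up endpoints (10.0.0.5 and 10.0.0.9:80) so the handshake check can be shown.
SAMPLE = [
    "23:21:33.174141 IP 202.54.103.1.53 > maximus.4993: 1 NXDomain 0/1/0 (114) (DF)",
    "23:21:33.236647 IP maximus.4994 > 202.54.103.1.53: 2+ PTR? 33.219.197.203.in-addr.arpa. (45)",
    "23:21:34.001200 IP 10.0.0.5.4183 > 10.0.0.9.80: S 4183223882:4183223882(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)",
    "23:21:34.001900 IP 10.0.0.9.80 > 10.0.0.5.4183: S 2428998098:2428998098(0) ack 4183223883 win 8190 <mss 1460>",
]
PACKETS = [p for p in map(parse_line, SAMPLE) if p]
```

    Newer tcpdump releases print the TCP field as `Flags [S], seq ..., ack ..., win ...`, which TCP_RE does not cover; the regex matches only the classic layout shown in the post.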

  2. #2
    Hmm, such a short tutorial on such a large subject....

  3. #3
    Doc d00dz Attackin (Join Date: Mar 2003, Location: Florida, Posts: 661)
    Agreed with alittlebitnumb. I think that maybe you should throw in more info.

    Note: You can get negged for this (you don't want that to happen).
    First you listen, then you do, finally you teach.

  4. #4
    Senior Member (Join Date: Jul 2002, Posts: 339)
    Hey, don't be too hard on newbies... He said that he "will explain this later" and "Next time detailed description of packet format, connections etc and traffic analysis." At least he posted an original tut (afaik).

    And next time make it complete, warl0ck7... You may want to read this through:
    http://www.antionline.com/showthread...hreadid=232084

    Peace always,
    <jdenny>
    Always listen to experts. They'll tell you what can't be done and why. Then go and do it. -- Robert Heinlein
    I'm basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds

