-
November 23rd, 2001, 04:45 AM
#1
Packet Sniffing(tcpdump install and first use)
Please post or message me with criticism. Or things I missed, or have written incorrectly. Constructive criticism is welcome.
I used Red Hat 7.1 as my model for this tutorial, so, you may get slightly different results with different distros.
************************************
WARNING!!!!!!! The way you choose to use this information may get you
into trouble. I am posting this simply as a learning tool, so that people
can start to look at how network protocols work in the real world.
Proceed with caution if you are part of an enterprise network (get
permission) or a university network (get permission). If you are on a
cable modem or DSL, you should not be able to see others' packets anyway
due to the way their switches are set up. Dial-up users, I can't help you.
*************************************
The ability to sniff packets (and understand what you are seeing) is very
useful under many different circumstances. Packet sniffing can help you
to troubleshoot network problems (routing issues, packet storms, etc.),
spot intrusion attempts on a network you are responsible for, or even just
learn a lot about computers and the way in which they
communicate (protocols, etc.).
There are a number of different packet sniffing tools available, some with
a GUI, some without, some with more flexibility, others more suited for only
a single task (such as grabbing plaintext passwords from the ether). This
tutorial will deal with tcpdump, an open source, command line packet
sniffer for *nix. There is a Windows version (called windump.exe; it
must be used with winpcap.exe) but let's stick with *nix. One good reason
to get familiar with tcpdump (as opposed to its GUI brothers and sisters)
is that the way tcpdump does business (filters, formats, etc.) is compatible
with a powerful open source intrusion detection system, SNORT.
In order for the install to work, you need several things: the source for
tcpdump and libpcap, root access, and an ANSI compatible C compiler (such
as gcc on my Red Hat 7.1 machine).
To start off, you need to download the source for tcpdump from
www.tcpdump.org (or one of their mirrors)
Also download the source for libpcap from the same site. I would
recommend downloading the latest stable version, and not the beta version.
As of this writing the latest versions of the two are
tcpdump version 3.6.2
libpcap version 0.6.2
After you have downloaded the files, you will need to uncompress them, for
me the commands were:
gzip -dv tcpdump-3.6.2.tar.gz
tar -xvf tcpdump-3.6.2.tar
gzip -dv libpcap-0.6.2.tar.gz
tar -xvf libpcap-0.6.2.tar
It is possible to do the unzip and get the files out of the tarball in one
command, but I have yet to figure out what that command is (and it wasn't
worth my time tonight to figure that one out).
Now, you should have 2 new directories in the folder which the downloaded
files were saved.
For me these are
libpcap-0.6.2
and
tcpdump-3.6.2
First we need to compile, configure and install libpcap. The scripts which
came with libpcap call your C compiler, so no need to worry about
compiling, unless you are very unlucky.
Do this using the following commands from the directory libpcap-0.6.2
su
./configure
make
make install
exit
You should see an approximation of the following output...
***********************************
[ -d /usr/local/lib ] || \
(mkdir -p /usr/local/lib; chmod 755 /usr/local/lib)
/usr/bin/install -c -m 644 libpcap.a /usr/local/lib/libpcap.a
ranlib /usr/local/lib/libpcap.a
[ -d /usr/local/include ] || \
(mkdir -p /usr/local/include; chmod 755 /usr/local/include)
/usr/bin/install -c -m 644 ./pcap.h /usr/local/include/pcap.h
/usr/bin/install -c -m 644 ./pcap-namedb.h \
/usr/local/include/pcap-namedb.h
[ -d /usr/local/include/net ] || \
(mkdir -p /usr/local/include/net; chmod 755 /usr/local/include/net)
/usr/bin/install -c -m 644 ./bpf/net/bpf.h \
/usr/local/include/net/bpf.h
[ -d /usr/local/man/man3 ] || \
(mkdir -p /usr/local/man/man3; chmod 755 /usr/local/man/man3)
/usr/bin/install -c -m 644 ./pcap.3 \
/usr/local/man/man3/pcap.3
**************************************
This shows that the libpcap install has created the appropriate
directories with the appropriate rights. The latest version of the
libpcap installer has been configured to correctly put the necessary
files in the correct places. Previous versions did not do that, and I
spent several hours once copying files to the proper place by hand; it
wasn't fun.
OK, change directory to the tcpdump-3.6.2 directory
Enter the following commands
su
./configure
make
make install
exit
You should see an approximation of the following output.
**********************************
[ -d /usr/local/sbin ] || \
(mkdir -p /usr/local/sbin; chmod 755 /usr/local/sbin)
/usr/bin/install -c tcpdump /usr/local/sbin/tcpdump
[ -d /usr/local/man/man1 ] || \
(mkdir -p /usr/local/man/man1; chmod 755 /usr/local/man/man1)
/usr/bin/install -c -m 644 ./tcpdump.1 /usr/local/man/man1/tcpdump.1
**********************************
Assuming you received no error messages, it is time to try it out.
The tcpdump install defaults to installing the tcpdump binary in
/usr/local/sbin
So, let's change to that directory, and try out the command...
cd /usr/local/sbin
su
./tcpdump
Now you should have information pulled from captured packets streaming
across the screen. Depending on the size of the network you are on,
there will be greater or lesser amounts of traffic. For learning
purposes, I would set up your machine on a private network of about 3 or
so machines, try different configurations, and watch what happens.
I will follow up with other tutorials on how to use tcpdump when I have
some more time. For now, read the man pages, and search the net for
information about tcpdump filters and options (such as saving the data to a
file to review later, filtering out everything except one specific type of
traffic, etc.). Explore tcpdump and have fun. If you have questions
about what you are seeing, there are some great resources on the web (and in
your local bricks-and-mortar library/bookstore) about the way packets are
formed for the various protocols.
One of my favorites (although a bit dry for pleasure reading) is
TCP/IP Illustrated by Richard Stevens, I believe.
I feel obliged to warn you again: if you are doing this at work or at
school, you could get in a lot of trouble if you are caught capturing packets
without permission. If you set up your own private network for learning,
you should have no worries, and you can see the results of different
things that you might do with your computer. On a bigger network, that
traffic may tend to get lost.
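The build procedure above, as a scripted version with the checks a practitioner would want before compiling (this is an added example, not the original poster's script or anything shipped by the tcpdump project). It assumes the two tarballs named in the post sit in the current directory, extracts each with tar's -z flag in a single step, builds libpcap before tcpdump since tcpdump's configure looks for libpcap, and only runs the install when invoked with the argument "install":

```shell
#!/bin/sh
# Added example (not from the original post): scripted libpcap-then-tcpdump
# build. Assumes the tarballs named in the post are in the current directory
# and that the install steps are run as root.
set -eu

LIBPCAP_TARBALL="libpcap-0.6.2.tar.gz"   # versions named in the post
TCPDUMP_TARBALL="tcpdump-3.6.2.tar.gz"

# Decompress and untar in one step (tar -z) and print the top-level
# directory the archive created, so the caller can cd into it.
extract_source() {
    tarball="$1"
    # First path component of the first archive entry is the directory name.
    dir=$(tar -tzf "$tarball" | head -n 1 | cut -d/ -f1)
    tar -xzf "$tarball"
    [ -d "$dir" ] || return 1
    printf '%s\n' "$dir"
}

# The configure / make / make install sequence from the post, run inside $1.
build_and_install() {
    ( cd "$1" && ./configure && make && make install )
}

# Cheap checks before spending time compiling: root is needed for
# 'make install' (and later for capturing), and an ANSI C compiler for make.
preflight() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root (su) for make install" >&2; return 1; }
    command -v gcc >/dev/null 2>&1 || { echo "no C compiler (gcc) found" >&2; return 1; }
}

# Order matters: build and install libpcap first, then tcpdump.
install_all() {
    preflight
    pcap_dir=$(extract_source "$LIBPCAP_TARBALL")
    build_and_install "$pcap_dir"
    dump_dir=$(extract_source "$TCPDUMP_TARBALL")
    build_and_install "$dump_dir"
    # The post says the binary lands in /usr/local/sbin; confirm it is there.
    [ -x /usr/local/sbin/tcpdump ] || { echo "tcpdump not installed" >&2; return 1; }
    echo "installed: /usr/local/sbin/tcpdump"
}

# Only compile when explicitly asked, so the functions can be sourced alone.
if [ "${1:-}" = "install" ]; then
    install_all
fi
```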
-
November 23rd, 2001, 05:21 AM
#2
what? I can't delete my reply to my post...
Oh well..
-
November 23rd, 2001, 05:30 AM
#3
Got rid of what? A reason? Everything needs a reason...?
[HvC]Terr: L33T Technical Proficiency
-
November 23rd, 2001, 06:24 AM
#4
I just got rid of some useless text in response to a comment that someone made Terr,
heh.. it was kinda useless...
-
November 23rd, 2001, 10:25 AM
#5
Re: Packet Sniffing(tcpdump install and first use)
Originally posted by IchNiSan
It is possible to do the unzip and get the files out of the tarball in one
command, but I have yet to figure out what that command is.(
Use tar -zxvf file.tar.gz to unzip & untar in 1 command.
J.
-
October 10th, 2005, 11:42 PM
#6
packet sniffin is cool but gets LaMe after a while!!!
-
October 11th, 2005, 11:31 AM
#7
Yes, they have been informed........................Neg's box is full
Kill this one................it is "the ****" again?