If one truly wants to discover how a specific network application works, where it sends its data and what kind of data it sends, or where the data it receives is coming from, then "sniffing" network packets is an absolute necessity. It is a standard method used by a large number of information security professionals and IT enthusiasts. One such network "sniffing" and analysis tool is
Tcpdump. It is a simple yet very useful command-line utility that can be used while learning, and for a better understanding of the TCP/IP protocol suite. It is free software originally distributed on Unix-like operating systems, but ports and similar GUI programs are also available for Windows. Another very popular GUI network analyzer is Wireshark. On some Unix-like operating systems a user must have superuser privileges to be able to use all features of tcpdump, because capturing from an interface requires raw socket access.
Sniffing of network traffic
To list the interfaces that are available to tcpdump for capture, use this command:
linux# tcpdump -D
1.eth0
2.any (Pseudo-device that captures on all interfaces)
3.lo
Once we know the interfaces, capturing traffic on a specific one is easy:
linux# tcpdump -i eth0
...
17:17:24.672194 IP 192.168.10.102.50676 > 192.168.10.200.ssh: Flags [P.], seq 545:597, ack 92552, win 4030, length 52
17:17:24.672325 IP 192.168.10.200.ssh > 192.168.10.102.50676: Flags [P.], seq 92552:92940, ack 597, win 403, length 388
^C
640 packets captured
640 packets received by filter
0 packets dropped by kernel
(If we want more information from tcpdump, we can use the -v or -vv "verbose" options.) To capture only traffic from or to a specific host we can use the host filter primitive:
linux# tcpdump -n host 192.168.10.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:25:19.438850 ARP, Request who-has 192.168.10.100 tell 192.168.10.1, length 46
17:25:20.438912 ARP, Request who-has 192.168.10.100 tell 192.168.10.1, length 46
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
(We can also give a FQDN instead of an IP address. In that case we would leave out the -n option, which suppresses name resolution.) To capture everything except traffic from or to a specific host we can use the not operator:
linux# tcpdump -n host not 192.168.10.1
...
17:34:00.381012 IP 192.168.10.200.22 > 192.168.10.102.50676: Flags [P.], seq 64604:64880, ack 409, win 620, length 276
17:34:00.382733 IP 192.168.10.102.50676 > 192.168.10.200.22: Flags [P.], seq 409:461, ack 64880, win 4311, length 52
17:34:00.382829 IP 192.168.10.200.22 > 192.168.10.102.50676: Flags [P.], seq 64880:65044, ack 461, win 620, length 164
^C
448 packets captured
449 packets received by filter
0 packets dropped by kernel
To capture traffic from a specific source to a specific destination we can use the src and dst qualifiers. We can also specify the protocol or port we want to listen on. For example, to capture SSH traffic:
linux# tcpdump src 192.168.10.102 and dst 192.168.10.200 and port ssh
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:47:41.598663 IP 192.168.10.102.50676 > 192.168.10.200.ssh: Flags [.], ack 1104967642, win 4071, length 0
17:47:41.906519 IP 192.168.10.102.50676 > 192.168.10.200.ssh: Flags [.], ack 149, win 4034, length 0
...
^C
11 packets captured
12 packets received by filter
0 packets dropped by kernel
(Since SSH traffic is encrypted there is not much to see here, but if we had captured FTP traffic instead, the login name and password would be visible in the clear, because FTP does not encrypt them.) We can also write the captured packets to a file that can later be analysed with other network analyzers:
linux# tcpdump -s0 -i eth0 dst host 192.168.10.102 -w /dump.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C42 packets captured
42 packets received by filter
0 packets dropped by kernel
(This way we save the captured data in a ".pcap" file that can later be analysed with a GUI network analyzer such as Wireshark. The -s0 option sets the snapshot length so that whole packets are saved rather than only their first bytes.) To read data back from a previously captured file we use the -r option:
linux# tcpdump -r /dump.pcap
reading from file /dump.pcap, link-type EN10MB (Ethernet)
18:19:40.129134 IP 192.168.10.200.ssh > 192.168.10.102.50676: Flags [P.], seq 1104998218:1104998350, ack 3215534015, win 1009, length 132
18:19:42.093016 IP 192.168.10.200.ssh > 192.168.10.102.50676: Flags [P.], seq 132:184, ack 53, win 1009, length 52
18:19:43.077015 IP 192.168.10.200.ssh > 192.168.10.102.50676: Flags [P.], seq 184:236, ack 105, win 1009, length 52
18:19:44.397016 IP 192.168.10.200.ssh > 192.168.10.102.50676: Flags [P.], seq 236:288, ack 157, win 1009, length 52
18:19:44.885002 IP 192.168.10.200.ssh > 192.168.10.102.50676: Flags [P.], seq 288:340, ack 209, win 1009, length 52
...
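The file written by -w and read back by -r is a classic pcap file: a 24-byte global header (magic, version, snaplen, link type) followed by per-packet records, each with a 16-byte header (timestamp, captured length, original length) and the raw frame. The following parser is an added example, not part of this page or of the tcpdump project: it builds a small constructed pcap containing one Ethernet/IPv4/TCP frame (same addresses and ports as in the sessions above), walks the records, skips anything that is not IPv4/TCP (such as the ARP frames seen earlier), stops cleanly on a truncated final record, and prints each packet in the same shape as a tcpdump -n line. Field layouts assumed are those of Ethernet II, IPv4 and TCP headers; only link type 1 (EN10MB) is handled.

```python
import struct
from datetime import datetime, timezone
PCAP_MAGIC = 0xa1b2c3d4  # classic little-endian pcap magic (microsecond timestamps)
TCP_FLAG_CHARS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "."), (0x20, "U"))

def build_sample_pcap():
    """Constructed sample: one Ethernet/IPv4/TCP record, laid out exactly as tcpdump -w writes it."""
    eth = bytes.fromhex("00163e000001" "00163e000002" "0800")  # dst MAC, src MAC, EtherType IPv4
    # TCP: 50676 -> 22, seq 545, ack 92552, data offset 5 words, PSH|ACK, win 4030, 52-byte payload
    tcp = struct.pack("!HHIIBBHHH", 50676, 22, 545, 92552, 5 << 4, 0x18, 4030, 0, 0) + b"x" * 52
    # IPv4: version 4 / IHL 5, total length, id 1, TTL 64, protocol 6 (TCP); checksums left zero
    frame = eth + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                              bytes([192, 168, 10, 102]), bytes([192, 168, 10, 200])) + tcp
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # link type 1 = EN10MB
    record_hdr = struct.pack("<IIII", 1700000000, 672194, len(frame), len(frame))
    return global_hdr + record_hdr + frame

def parse_pcap(data):
    """Return one dict per IPv4/TCP record in a classic pcap file; other records are skipped."""
    magic = struct.unpack("<I", data[:4])[0]
    end = "<" if magic == PCAP_MAGIC else ">" if magic == 0xd4c3b2a1 else None
    if end is None:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (EN10MB) captures are handled here")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < incl_len:  # truncated last record (capture interrupted mid-write)
            break
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # not IPv4-over-Ethernet carrying TCP (e.g. the ARP frames seen above)
        ihl, total_len = (pkt[14] & 0x0F) * 4, struct.unpack("!H", pkt[16:18])[0]
        tcp = pkt[14 + ihl:]
        sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
        doff, flags, win = (tcp[12] >> 4) * 4, tcp[13], struct.unpack("!H", tcp[14:16])[0]
        records.append({  # timestamps rendered in UTC; tcpdump itself prints local time
            "time": datetime.fromtimestamp(ts_sec, timezone.utc).strftime("%H:%M:%S") + f".{ts_usec:06d}",
            "src": ".".join(map(str, pkt[26:30])), "sport": sport,
            "dst": ".".join(map(str, pkt[30:34])), "dport": dport,
            "flags": "".join(c for bit, c in TCP_FLAG_CHARS if flags & bit),
            "seq": seq, "ack": ack, "win": win, "length": total_len - ihl - doff})
    return records

def format_record(r):
    """Render a parsed record in the same shape as a tcpdump -n line."""
    return (f"{r['time']} IP {r['src']}.{r['sport']} > {r['dst']}.{r['dport']}: "
            f"Flags [{r['flags']}], seq {r['seq']}, ack {r['ack']}, win {r['win']}, length {r['length']}")
```

To run it against a real capture, replace build_sample_pcap() with the bytes of a file written by tcpdump -w and print format_record(r) for each record returned by parse_pcap.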