# Network Traffic Analysis Using tcpdump Introduction to tcpdump

The objectives of this course are to introduce you to the fundamentals and benefits of using tcpdump as a tool to analyze your network traffic. We'll start by introducing the concepts and output of tcpdump. One of the most important aspects of using tcpdump is being able to write tcpdump filters to look for specific traffic. Filter writing is fairly basic unless you want to examine fields in an IP datagram that don't fall on byte boundaries. So, that is why an entire section is devoted to the art of writing filters....

1. Network Traffic Analysis Using tcpdump: Introduction to tcpdump. Judy Novak, Johns Hopkins University Applied Physics Laboratory, jhnovak@ix.netcom.com. All material Copyright © Novak, 2000, 2001. All rights reserved.
2. Table of Contents
   Topics:
   • Introduction to tcpdump
   • Writing tcpdump Filters
   • Examination of Datagram Fields
   • Beginning Analysis
   • Real World Examples
   • Step by Step Analysis
   • References
3. Course Objectives
   • Introduce the fundamentals of tcpdump
   • Explain how to write tcpdump filters
   • Examine fields in the datagram for uses/misuses
   • Analyze traffic by placing it in categories
   • Demonstrate "real-world" analysis using tcpdump
   • Let you participate in the analysis process

   The objectives of this course are to introduce you to the fundamentals and benefits of using tcpdump as a tool to analyze your network traffic. We'll start by introducing the concepts and output of tcpdump. One of the most important aspects of using tcpdump is being able to write tcpdump filters to look for specific traffic. Filter writing is fairly basic unless you want to examine fields in an IP datagram that don't fall on byte boundaries, which is why an entire section is devoted to the art of writing filters. Before we start to use tcpdump to analyze traffic, we'll examine many of the fields found in the IP datagram. This is done to familiarize you with those fields in theory and also with how they might be used in practice. We'll study how and why fields might be changed and for what purpose. Next, we'll start the basic analysis process by looking at tcpdump output and categorizing the kind of traffic that you can see. Then, we'll take a look at some real-world examples of how tcpdump was used on monitored networks to discover what was happening. Next, the analysis process will be inspected step by step, often with missteps, to get you comfortable with it. As a note, all tcpdump output shown in this course is activity that actually occurred. Source and destination hosts/IPs have been altered to obfuscate the true identities.
4. Overview
   • Introduction to tcpdump
   • Writing tcpdump filters
   • Examination of Datagram Fields
   • Beginning Analysis
   • Real World Examples
   • Step by Step Analysis
5. Introduction to tcpdump (section)
   • Introduction to tcpdump
   • Writing tcpdump Filters
   • Examination of Datagram Fields
   • Beginning Analysis
   • Real World Examples
   • Step by Step Analysis
6. Objectives
   • Examine the strengths/weaknesses of tcpdump
   • Organize the collection/analysis process of tcpdump data via Shadow
   • Examine tcpdump output
     • Standard
     • Hexadecimal
     • Length fields and how to convert them to bytes
     • Application layer
     • Interpretation of payload/hex output
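As an added example (not part of the course material), the Python block below shows the byte-offset-and-mask arithmetic behind tcpdump filters on fields that do not fall on byte boundaries, and the conversion of length fields from 32-bit words to bytes, as named in the objectives above and in the course objectives on slide 3. The packet bytes are constructed for illustration and the helper names are mine; the `ip[n]`/`tcp[n]` notation in the comments is tcpdump's own filter syntax.

```python
# Added example: the logic behind tcpdump filters such as
#   'ip[6] & 0x20 != 0'      (IP "more fragments" bit)
#   'tcp[13] & 0x3f = 0x02'  (SYN set, no other classic flags)
# applied to a constructed IPv4/TCP packet. Not code from the course.
import struct

# Constructed 20-byte IPv4 header: version 4, IHL 5 words, MF flag set.
ver_ihl = (4 << 4) | 5                 # 0x45: version in high nibble, IHL low
flags_frag = (0x1 << 13) | 0           # MF is bit 13 of the 16-bit field
IP_HDR = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 40, 0x1234, flags_frag,
                     64, 6, 0, bytes([10, 1, 1, 1]), bytes([10, 2, 2, 2]))
# Constructed 20-byte TCP header: data offset 5 words, SYN flag only.
data_off_flags = (5 << 12) | 0x02      # 0x5002: offset high nibble, flags low
TCP_HDR = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, data_off_flags, 8192, 0, 0)
PACKET = IP_HDR + TCP_HDR              # 40 bytes, no options, no payload


def ip_header_len(pkt):
    """ip[0] & 0x0f is the IHL in 32-bit words; multiply by 4 to get bytes."""
    return (pkt[0] & 0x0f) * 4


def field(pkt, proto, offset, mask=0xff):
    """Read one byte the way tcpdump's proto[offset] & mask does.
    tcp[] offsets are relative to the TCP header, so the variable-length
    IP header (which may carry options) is skipped first, as tcpdump does."""
    base = 0 if proto == "ip" else ip_header_len(pkt)
    return pkt[base + offset] & mask


def more_fragments(pkt):
    """Filter 'ip[6] & 0x20 != 0': MF lives in bit 5 of byte 6."""
    return field(pkt, "ip", 6, 0x20) != 0


def dont_fragment(pkt):
    """Filter 'ip[6] & 0x40 != 0': DF lives in bit 6 of byte 6."""
    return field(pkt, "ip", 6, 0x40) != 0


def tcp_header_len(pkt):
    """High nibble of tcp[12] is the data offset in words; shift, then *4."""
    return (field(pkt, "tcp", 12, 0xf0) >> 4) * 4


def is_syn_only(pkt):
    """Filter 'tcp[13] & 0x3f = 0x02': SYN set and none of the other five."""
    return field(pkt, "tcp", 13, 0x3f) == 0x02
```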
8. Strengths
   • Provides an audit trail/historical record of network activity
   • Provides absolute fidelity
   • Universally available and used

   One of the most important parts of the arsenal in your security infrastructure is at least one tool or software package that captures an audit trail, or historical record, of the traffic that enters or leaves your network. There will be times when you will be required to examine activity or connections that occurred in your network, not just traffic that caused an alarm to sound. For instance, what if you suspect that the packet-filtering router that acts as your perimeter defense was acting strangely after some major network changes were made? You would have to examine the traffic that was allowed into your network to help determine the problem. That is where tcpdump is invaluable. Also, many tools, even firewall logs, will display suspicious traffic, yet only partial data is shown. What if you get a log of rejected traffic, but it doesn't display or keep the TCP flags? You'll never know what kind of connection was attempted. tcpdump allows the analyst to examine all the bits and fields that are collected. If nothing is "wrong" with the connection, examination at the bit level is unnecessary. Yet, if you suspect something "foul" with the traffic, you really need access to all the data down to the bit level. Finally, tcpdump is a tool that is universally used and very portable. If you become familiar with this software or its Windows counterpart, windump, it can be used on just about any platform to assist you in the analysis of traffic.
16. Why Shadow?
   • (free for all)
   • Tunable
     • Customize your own signatures
     • Change at will
   • Provides an audit trail of activity to/from the network
   • Provides an intimate view of activity

   While not the only reason to install and use Shadow, a very compelling reason is the price tag. In many cases, but not this one, you get what you pay for. Shadow is an excellent no-cost traffic analysis tool. Another benefit is that once you master Shadow, you can change it liberally at any time you want. For instance, if you hear of a new exploit and can fashion a signature with a tcpdump filter, you can modify Shadow instantaneously. Compare this with some intrusion detection systems that do not offer the capability to change filters or signatures: you have to wait for the software company to update the filters when they get around to it, and the updates may not include the signatures you would like to see. Also, since you get all the source code with Shadow, you can customize it to your whims and needs. This is highly unusual and allows you to make changes based on your proficiency with the software. Shadow uses tcpdump as its collection software. By default, you will collect most activity going into and out of your network. This can be very beneficial in providing an audit trail of activity in the network. If you ever find yourself in the midst of some kind of incident, this may be a very valuable attribute for an intrusion detection system to have. Finally, some of the more GUI-oriented intrusion detection systems do not allow the user to examine the actual traffic at the IP datagram level. Shadow, by virtue of tcpdump, gives the user a very intimate view of the data collected. You maintain fidelity of the data and can use all fields for interpretation and analysis. If the traffic you are analyzing is corrupted in some way, you want to be able to inspect the entire datagram.