Network Traffic Analysis Using tcpdump Reference Material


  1. Network Traffic Analysis Using tcpdump Reference Material
     Judy Novak
     Johns Hopkins University Applied Physics Laboratory
     jhnovak@ix.netcom.com
     All material Copyright Novak, 2000, 2001. All rights reserved.

  2. References
  3. Reference Material
     • W. Richard Stevens, TCP/IP Illustrated, Volume 1: The Protocols, Addison-Wesley
     • Eric A. Hall, Internet Core Protocols, O’Reilly
     • Craig H. Rowland, “Covert Channels in the TCP/IP Protocol Suite”, www.psionic.com/papers/covert/covert.tcp.txt
     • Ofir Arkin, “ICMP Usage in Scanning”, www.sys-security.com
     • Fyodor, “Remote OS detection via TCP/IP Stack FingerPrinting”, www.insecure.org/nmap/nmap-fingerprinting-article
     • Thomas Ptacek, Timothy Newsham, “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection”, www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html
     • Rain Forest Puppy, “A look at whisker’s anti-IDS tactics”, www.wiretrip.net/rfp
  4. Referenced Links
     • www.nswc.navy.mil/ISSEC/CID
       Site to obtain Shadow software
     • www.map2.ethz.ch/ftp-probleme.htm
       Site for list of initial TTL’s by operating system and protocol
     • www.phrack.com
       Site to find out more about the loki exploit
     • ftp.su.se/pub/security/security/tools/net/tcpshow
       Site to download source code for tcpshow
     • www.cisco.com/warp/public/770/nifrag.shtml
       Site to read about a particular denial of service using fragmentation against Cisco routers

  5. Referenced Links
     • www.cert.org/advisories
       Site to read about CERT advisory concerning an inverse query exploit, ToolTalk exploit
     • ftp.isi.edu/in-notes/iana/assignments/
       Information about protocols, reserved address spaces
     • ftp.ee.lbl.gov/tcpdump.tar.Z, ftp.ee.lbl.gov/libpcap.tar.Z, netgroup-serv.polito.it/windump, netgroup-serv.polito.it/winpcap, www.tcpdump.org
       Sites for tcpdump and support software
     • www.whitefang.com/rin
       Site for article on “Raw IP Networking FAQ”

  6. Referenced Links
     • www.packetfactory.net
       Site to obtain libnet software
     • www.insecure.org
       Site to obtain nmap software
     • packetstorm.securify.com
       Site to obtain hping2-beta54.tar.gz
       Site to obtain isic-0.05.tar.gz
     • www.sans.org/y2k/gnutella.htm
       Site for write-up on Gnutella
     • www.napster.com, www.f11.org/david.weekly.org/, opennap.sourceforge.net/napster.txt
       Sites for write-up about napster

  7. Referenced Links
     • www.computerworld.com/cwi/story/0,1199,NAV47_STO46802,00.html
       Site for write-up on wrapster
     • www.sans.org/topten.htm
       Site for write-up from SANS of top ten security threats
     • www.wiretrip.net/rfp/pages.whitepapers/whiskerids.html
       Site to read about whisker NID evasion tool
  8. Common Services and Ports
     Service    Port      Note
     ftp-data   20/tcp
     ftp        21/tcp
     telnet     23/tcp
     smtp       25/tcp    sendmail
     domain     53/udp    DNS
     domain     53/tcp    DNS
     bootps     67/udp
     tftp       69/udp
     finger     79/tcp
     pop-3      110/tcp
     sunrpc     111/udp   rpcbind
     sunrpc     111/tcp   rpcbind
     imap       143/tcp
     snmp       161/udp
     X-Server   6000/tcp
     To find more well-known server ports, go to: http://www.isi.edu/in-notes/iana/assignments/port-numbers.
  9. IP Header (bits 0-31 per row; 20 bytes without options)
     row 1: 4-bit version | 4-bit IP header length | 8-bit TOS | 16-bit total length (in bytes)
     row 2: 16-bit IP identification number | 3-bit flags | 13-bit fragment offset
     row 3: 8-bit time to live (TTL) | 8-bit protocol | 16-bit header checksum
     row 4: 32-bit source IP address
     row 5: 32-bit destination IP address
     options (if any)
     data
  10. TCP Header (bits 0-31 per row; 20 bytes without options)
     row 1: 16-bit source port number | 16-bit destination port number
     row 2: 32-bit sequence number
     row 3: 32-bit acknowledgement number
     row 4: 4-bit header length | reserved (6 bits) | flags URG ACK PSH RST SYN FIN (1 bit each) | 16-bit window size
     row 5: 16-bit checksum | 16-bit urgent pointer
     options (if any)
     data (if any)
  11. UDP Header (bits 0-31 per row)
     row 1: 16-bit source port number | 16-bit destination port number
     row 2: 16-bit UDP length | 16-bit UDP checksum
     data (if any)
  12. ICMP Header (bits 0-31 per row)
     row 1: 8-bit message type | 8-bit message code | 16-bit checksum
     (contents depends on type and code)

     Type  Code  Message
     0     0     Echo Reply
     8     0     Echo Request
     12    0     Time exceeded in-transit
     12    1     Reassembly time exceeded
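As an added example (not part of Novak's slides), the following Python decodes the IP and TCP header layouts from the slides above out of a constructed 40-byte SYN packet, verifies the 16-bit IP header checksum, and renders the TCP flag bits in tcpdump's letter notation. The packet bytes, addresses and ports are made up for the example.

```python
import struct
from ipaddress import IPv4Address

# Constructed IPv4 + TCP SYN packet (40 bytes, no payload); not a capture from the page.
PACKET = bytes.fromhex(
    "4500" "0028"           # version 4, IHL 5 (20 bytes), TOS 0, total length 40
    "1c46" "0000"           # identification 0x1c46, flags 0, fragment offset 0
    "40" "06" "dd36"        # TTL 64, protocol 6 (TCP), header checksum
    "c0a80001" "c0a80002"   # source 192.168.0.1, destination 192.168.0.2
    "0400" "0050"           # TCP source port 1024, destination port 80
    "00000001" "00000000"   # sequence number 1, acknowledgement number 0
    "50" "02" "2000"        # header length 5 (20 bytes), flags = SYN, window 8192
    "0000" "0000"           # TCP checksum (not verified here), urgent pointer 0
)

# tcpdump's flag letters in bit order: FIN SYN RST PSH ACK URG ("." means ACK)
TCP_FLAG_LETTERS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "."), (0x20, "U")]

def internet_checksum(data):
    """One's-complement sum of 16-bit words, complemented (RFC 1071 style)."""
    data += b"\x00" * (len(data) % 2)       # pad an odd-length buffer
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(pkt):
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4              # header length field counts 32-bit words
    return {"version": ver_ihl >> 4, "header_len": ihl, "tos": tos,
            "total_len": total_len, "id": ident, "ttl": ttl, "protocol": proto,
            "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
            "frag_offset": (flags_frag & 0x1FFF) * 8,   # offset counts 8-byte units
            # a valid header checksums to 0 when the checksum field is included
            "checksum_ok": internet_checksum(pkt[:ihl]) == 0,
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst))}

def parse_tcp(seg):
    (sport, dport, seq, ack, off_res, flags,
     window, _cksum, urg) = struct.unpack("!HHIIBBHHH", seg[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": (off_res >> 4) * 4,
            "flags": "".join(l for bit, l in TCP_FLAG_LETTERS if flags & bit),
            "window": window, "urgent": urg}

def parse_packet(pkt):
    ip = parse_ipv4(pkt)
    tcp = parse_tcp(pkt[ip["header_len"]:]) if ip["protocol"] == 6 else None
    return {"ip": ip, "tcp": tcp}
```

A packet whose header checksum does not verify, or whose header length or total length disagrees with the bytes actually captured, is exactly the kind of crafted or corrupted datagram the referenced evasion and fragmentation papers discuss, so these fields are worth checking before trusting the decode.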
  13. Course Revision History
     v1.0 – 10 February 2001