This shows you the differences between two versions of the page.
ep:labs:04:contents:tasks:ex2 [2020/08/12 20:12] cristian.marin0805 |
ep:labs:04:contents:tasks:ex2 [2025/02/11 23:36] (current) cezar.craciunoiu |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ==== 02. [20p] Traffic monitoring - Tcpdump ==== | + | ==== 02. [20p] Swap space ==== |
- | + | ||
- | <note>In most of the situations presented in all the laboratories we have already gone through, we have seen numerous tools whose output helps us to __understand the behavior__ of the system we are analyzing. Next, we choose the most used Linux utility for **analyzing transferred packets** in a __conversation between two or more systems__. | + | |
- | </note> | + | |
- | <note important> | + | |
- | Tcpdump captures and prints out a **description** of the contents of **packets** on a **network interface**. | + | |
- | Tcpdump utilises the //**libpcap**// library for packet capturing. The packet details can either be __displayed on the screen__ or __saved to files__.</note> | + | |
- | + | ||
- | <note tip> | + | |
- | Supported options by tcpdump command: | + | |
- | + | ||
- | | **Options** | **Description** ^^ | + | |
- | | --version | print the tcpdump and libpcap version strings and exit || | + | |
- | | -h, --help | print the tcpdump and libpcap version strings, print a usage message, and exit || | + | |
- | | -B buffer_size| set the operating system capture buffer size to //buffer_size//, in units of KiB || | + | |
- | | -c count| exit after receiving //count// packets || | + | |
- | | -D | print the list of the network interfaces on which tcpdump can capture packets || | + | |
- | | -i interface |report the results of compiling a filter expression on //interface// || | + | |
- | | -n | don't convert addresses (host addresses, port numbers) to names || | + | |
- | | -s snaplen | truncate //snaplen// bytes of data from each packet rather than the default || | + | |
- | | -t | don't print a timestamp on each dump line || | + | |
- | | -v | produce more verbose output || | + | |
- | | -w file | write the raw packets to //file// rather than parsing and printing them out|| | + | |
- | | -r file | read packets from file || | + | |
- | | -A | print each packet in ASCII || | + | |
- | </note> | + | |
<note warning> | <note warning> | ||
- | * Check if **tcpdump** is installed and which **version** is installed. | + | Before starting this task, call the assistant to show him your progress. If you manage to freeze your PC, it might prove tricky to do so afterwards. |
- | + | ||
- | <solution -hidden> | + | |
- | <code>tcpdump -h</code> | + | |
- | </solution> | + | |
- | + | ||
- | * Check out the **network interfaces** available on your system. | + | |
- | <solution -hidden> | + | |
- | <code>tcpdump -D</code> | + | |
- | </solution> | + | |
- | + | ||
- | * After starting a capture on all interfaces, you can always stop it using //**control + c**//. | + | |
</note> | </note> | ||
+ | === [10p] Task A - Swap File === | ||
- | === [10p] Task A - Understanding traffic=== | + | First, let us check what swap devices we have enabled. Check the //NAME// and //SIZE// columns of the following command: |
- | + | ||
- | a) Start a capture that __stops by itself__ after getting __10 packets__ on __all interfaces__. | + | |
- | <solution -hidden> | + | |
<code> | <code> | ||
- | sudo tcpdump -i any -c 10 | + | $ swapon --show |
</code> | </code> | ||
- | </solution> | + | No output means that there are no swap devices available. |
- | b) Have a look at the __output__. You can notice that **host names** are used instead of **IP addresses**, and commonly known port are replaced with application names. Use a command to display the **IP addresses** and port numbers instead of these names. | + | If you ever installed a Linux distro, you may remember creating a separate //swap partition//. This, however, is only one method of creating swap space. The other is by adding a //swap file//. Run the following commands: |
- | <solution -hidden> | + | |
<code> | <code> | ||
- | sudo tcpdump -i any -c 10 -n | + | $ sudo swapoff -a |
- | </code> | + | $ sudo dd if=/dev/zero of=/swapfile bs=1024 count=$((4 * 1024 * 1024)) |
- | </solution> | + | $ sudo chmod 600 /swapfile |
- | <note tip>Tcpdump __triggers itself DNS traffic__ as it captures, if it is ran without the //-n// option. The utility will trigger reverse or PTR DNS lookups to find __hostnames for IP addresses__ as it captures them. So, from now on, use //-n//. | + | $ sudo mkswap /swapfile |
+ | $ sudo swapon /swapfile | ||
- | * What is the capture size? | + | $ swapon --show |
- | <solution -hidden> | + | |
- | <code> | + | |
- | It's shown in the output - mine is 262144 = 256KB | + | |
</code> | </code> | ||
- | </solution> | ||
- | What does this mean? It means that tcpdump will keep all those bytes for analysis. We don't need all this information for now, so change the __capture size to 96 bytes__. The __Ethernet, IP and TCP__ headers are the in the __first 64 bytes__ of the packets, so capturing 96 bytes per packet is more than enough to capture these headers. | ||
- | </note> | + | Just to clarify what we did: |
- | c) Do the capture again with the output limitation. | + | * disabled all swap devices |
- | <solution -hidden> | + | * created a 4Gb zero-initialized file |
- | <code> | + | * set the permission to the file so only //root// can edit it |
- | sudo tcpdump -i any -c 10 -n -s96 | + | * created a swap area from the file using **mkswap** (works on devices too) |
- | </code> | + | * activated the swap area |
- | </solution> | + | |
- | <note>The **TCP flags** are **SYN**, **ACK**, **RESET**, **FIN**, **URGENT** and **PUSH**. All flags are represented by the first letter, with the exception of ACK which is represented by a **dot**.</note> | + | The new swap area is temporary and will not survive a reboot. To make it permanent, we need to register it in [[https://en.wikipedia.org/wiki/Fstab|/etc/fstab]] by adding a line such as this: |
- | d) Start a new capture only on the __interface that connects you to the internet__, without printing the timestamp on each dump line. Open a separate terminal and try to __connect through ssh somewhere__. Spot the **3-way handshake** in the capture. | + | |
- | <solution -hidden> | ||
<code> | <code> | ||
- | sudo tcpdump -i enp0s3 -n -t | + | /swapfile swap swap defaults 0 0 |
- | + | ||
- | ssh -T git@github.com | + | |
- | -T = Disable pseudo-terminal allocation | + | |
</code> | </code> | ||
- | </solution> | ||
- | e) Repeat what you did for the previous task, but add //-S// to your tcpdump command. Figure out what has changed, and why. | + | === [10p] Task B - Does it work? === |
- | <solution -hidden> | + | |
+ | In one terminal run **vmstat** and look at the //swpd// and //free// columns. | ||
<code> | <code> | ||
- | -S turns off the relative sequence numbers | + | $ vmstat -w 1 |
</code> | </code> | ||
- | </solution> | ||
- | |||
- | <note> | ||
- | Check out the **window size** in the previous capture. Since __window scaling is enabled__, that is __not the //actual// window size__. Notice the window scaling factor (//**wscale**//) in the 3-way handshake output. The scaling factor translates in __multiplying the receive window__ by __2 to the power of wscale__. So the //real// window size is the window value shown in the capture, multiplied by 2 to the power of wscale. | ||
- | |||
- | The **length field** stands for packet length, and represents the __number of bytes in the layer 4 headers__, and it matches with the sequence numbers **(packet_length = larger_seq_no - smaller_seq_no)**.</note> | ||
- | |||
- | |||
- | === [10p] Task B - DNS capture=== | ||
- | If we are the victims of a possible cyber attack (DNS hijacking), the DNS request packages are investigated. | ||
- | |||
- | We will simulate the monitoring of all DNS packages. | ||
- | |||
- | a) Capture an output for a DNS request. | ||
- | <solution -hidden> | ||
- | <code> | ||
- | sudo tcpdump -i enp0s3 port 53 -n | ||
- | |||
- | different terminal: wget www.google.com | ||
- | It's quite a bit to explain here, but at least they can notice the redirection to google.ro. | + | In another terminal, open a python shell and allocate a bit more memory than the available RAM. Identify the moment when the newly created swap space is being used. |
- | * A - ipv4 | + | One thing you might notice is that the value in **vmstat**'s //free// column is lower than before. This does not mean that you have less available RAM after creating the swap file. Remember using the **dd** command to create a 4GB file? A big chunk of RAM was used to buffer the data that was written to disk. If //free// drops to unacceptable levels, the kernel will make sure to reclaim some of this buffer/cache memory. To get a clear view of how much available memory you actually have, try running the following command: |
- | * AAAA -ip v6 | + | |
- | * for google.com: | + | <code bash> |
- | * ipv4 - I get 6 IP addresses | + | $ free -h |
- | * ipv6 - 1 IP address | + | |
- | * pt google.ro: | + | |
- | * ipv4 - 1 IP | + | |
- | * ipv6 - 1 IP | + | |
</code> | </code> | ||
- | </solution> | ||
- | b) Save a capture to a file. Use the appropriate options so that: | + | Observe that once you close the python shell and the memory is freed, //swpd// still displays a non-zero value. Why? There simply isn't a reason to clear the data from the swap area. If you really want to clean up the used swap space, try the following: |
- | * it displays the number of packets captured | + | |
- | * the capture stops after 30 packets | + | |
- | <solution -hidden> | + | |
<code> | <code> | ||
- | sudo tcpdump -i any -w capture.pcap -v -c20 | + | $ vmstat |
+ | $ sudo swapoff -a && sudo swapon -a | ||
+ | $ vmstat | ||
</code> | </code> | ||
- | </solution> | ||
- | c) Read the contents of the capture file. | ||
<solution -hidden> | <solution -hidden> | ||
- | <code> | + | Output here: |
- | sudo tcpdump -n -r capture.pcap | less | + | |
- | </code> | + | |
- | </solution> | + | |
- | d) Using filters helps you view just the types of traffic that you are interested in and ignore the rest. Create short captures of up to 5 packets for the following cases: | + | {{ :ep:labs:ep2017_l2_ex05.png?550 |}} |
- | * Capture traffic just from the IP 8.8.8.8 | + | |
- | * Capture traffic having the source IP 8.8.8.8 | + | |
- | * Capture traffic to or from your PC on port 80 | + | |
- | * Capture traffic to or from your PC on port 80 or port 443 | + | |
- | <solution -hidden> | + | Free memory goes down, swap usage goes up. |
- | <code> | + | |
- | 1. sudo tcpdump -i enp0s3 -n host 8.8.8.8 -c5 | + | |
- | 2. sudo tcpdump -i enp0s3 -n src host 8.8.8.8 -c5 | + | |
- | 3. sudo tcpdump -i enp0s3 -n host <IP_PC> and port 80 -c5 | + | |
- | wget google.ro | + | |
- | 4. sudo tcpdump -i enp0s3 -n src "host 8.8.8.8 and (port 80 or port 443)" | + | |
- | wget google.ro | + | |
- | wget https://www.google.ro | + | |
- | + | ||
- | </code> | + | |
</solution> | </solution> | ||
+ | Create two swap files. Set their priorities to 10 and 20, respectively. \\ | ||
+ | Include the commands (copy+paste) or a screenshot of the terminal. \\ | ||
+ | Also add 2 advantages and disadvantages when using a //swap file// comparing with a //swap partition//. |
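Review bot: in the Task A explanation list on the new side, the bullet for `sudo chmod 600 /swapfile` says the mode is set "so only root can edit it", but the property that matters is readability, not editability: a swap file holds pages evicted from the memory of every process on the machine, so a world-readable /swapfile lets any local user read other users' data, which is why mkswap and swapon print "insecure permissions 0644, 0600 suggested" when the mode is wider. Suggest rewording the bullet to "so only root can read or write it, since swapped-out memory of every process ends up in this file". Two smaller points in the same region: the bullet says "4Gb" while the later Task B paragraph says "4GB", and `bs=1024 count=$((4 * 1024 * 1024))` actually writes 4 GiB, so one consistent unit would help; and because the `dd` runs right after `sudo swapoff -a`, a one-line hint to check free disk space first (`df -h /`) would spare students a full root filesystem or a failed `mkswap` on a small lab VM. Also, the `free -h` block uses `<code bash>` while every other block on the page uses plain `<code>`. Finally, the closing task asks for swap files with priorities 10 and 20 but nothing on the page shows how a priority is set; a pointer to `swapon -p <priority>` (or `pri=<priority>` in the options field of the fstab line shown above) would make the task self-contained.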