02. [20p] Traffic monitoring - Tcpdump

In the previous laboratories we have seen numerous tools whose output helps us understand the behavior of the system we are analyzing. Next we turn to the most widely used Linux utility for analyzing the packets exchanged in a conversation between two or more systems.

Tcpdump captures and prints out a description of the contents of packets on a network interface. Tcpdump utilises the libpcap library for packet capturing. The packet details can either be displayed on the screen or saved to files.

Options supported by the tcpdump command:

Option            Description
--version         print the tcpdump and libpcap version strings and exit
-h, --help        print the tcpdump and libpcap version strings, print a usage message, and exit
-B buffer_size    set the operating system capture buffer size to buffer_size, in units of KiB
-c count          exit after receiving count packets
-D                print the list of the network interfaces on which tcpdump can capture packets
-i interface      listen on interface
-n                don't convert addresses (host addresses, port numbers) to names
-s snaplen        capture snaplen bytes of data from each packet rather than the default
-t                don't print a timestamp on each dump line
-v                produce more verbose output
-w file           write the raw packets to file rather than parsing and printing them out
-r file           read packets from file
-A                print each packet in ASCII

  • Check if tcpdump is installed and which version is installed.
  • Check out the network interfaces available on your system.
  • After starting a capture on all interfaces, you can always stop it using control + c.

[10p] Task A - Understanding traffic

a) Start a capture that stops by itself after getting 10 packets on all interfaces.

b) Have a look at the output. You can notice that host names are used instead of IP addresses, and well-known ports are replaced with application names. Use a command to display the IP addresses and port numbers instead of these names.

Tcpdump itself generates DNS traffic as it captures if it is run without the -n option: it issues reverse (PTR) DNS lookups to find hostnames for the IP addresses it captures. So, from now on, use -n.

  • What is the capture size?

What does this mean? It means that tcpdump will keep that many bytes of each packet for analysis. We don't need all this information for now, so change the capture size to 96 bytes. The Ethernet, IP and TCP headers are in the first 64 bytes of the packet, so capturing 96 bytes per packet is more than enough to capture these headers.

c) Do the capture again with the output limitation.

The TCP flags are SYN, ACK, RESET, FIN, URGENT and PUSH. Each flag is represented by its first letter, with the exception of ACK, which is represented by a dot.

d) Start a new capture only on the interface that connects you to the internet, without printing the timestamp on each dump line. Open a separate terminal and try to connect through ssh somewhere. Spot the 3-way handshake in the capture.

e) Repeat what you did for the previous task, but add -S to your tcpdump command. Figure out what has changed, and why.

Check out the window size in the previous capture. Since window scaling is enabled, that is not the actual window size. Notice the window scaling factor (wscale) in the 3-way handshake output. The real window size is the window value shown in the capture multiplied by 2 to the power of wscale.

The length field is the number of bytes of layer 4 payload in the packet, and it matches the sequence numbers (packet_length = larger_seq_no - smaller_seq_no).
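As an added example (not part of the original lab), the following Python script parses constructed `tcpdump -n -t -S` output for the SSH connection from tasks d) and e), spots the 3-way handshake, computes the real window from wscale, and checks the length field against the sequence numbers. The sample lines and addresses are made up; nothing here was captured from a real host.

```python
import re
# Constructed sample of `tcpdump -n -t -S` output (made-up addresses, not a real capture)
SAMPLE = """\
IP 192.168.1.10.45678 > 203.0.113.5.22: Flags [S], seq 1000000000, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
IP 203.0.113.5.22 > 192.168.1.10.45678: Flags [S.], seq 2000000000, ack 1000000001, win 65160, options [mss 1460,sackOK,TS val 2 ecr 1,nop,wscale 6], length 0
IP 192.168.1.10.45678 > 203.0.113.5.22: Flags [.], ack 2000000001, win 502, options [nop,nop,TS val 3 ecr 2], length 0
IP 192.168.1.10.45678 > 203.0.113.5.22: Flags [P.], seq 1000000001:1000000033, ack 2000000001, win 502, options [nop,nop,TS val 4 ecr 2], length 32
"""
# A TCP line under -n (no names) and -t (no timestamp); with -S the seq/ack numbers are absolute
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?, win (?P<win>\d+)"
    r"(?:, options \[(?P<opts>[^\]]*)\])?, length (?P<length>\d+)")

def parse_capture(text):
    """Parse every TCP line into a dict; lines that do not match are skipped."""
    pkts = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        p = m.groupdict()
        for k in ("seq", "seq_end", "ack", "win", "length"):
            p[k] = int(p[k]) if p[k] is not None else None
        ws = re.search(r"wscale (\d+)", p["opts"] or "")  # announced only in SYN / SYN-ACK
        p["wscale"] = int(ws.group(1)) if ws else None
        pkts.append(p)
    return pkts

def find_handshake(pkts):
    """Return indices of SYN, SYN/ACK and ACK (the '.' in the flags field is ACK), or None."""
    for i, syn in enumerate(pkts):
        if syn["flags"] != "S":
            continue
        for j, sa in enumerate(pkts[i + 1:], i + 1):
            if sa["flags"] != "S." or sa["src"] != syn["dst"] or sa["ack"] != syn["seq"] + 1:
                continue
            for k, a in enumerate(pkts[j + 1:], j + 1):
                if a["flags"] == "." and a["src"] == syn["src"] and a["ack"] == sa["seq"] + 1:
                    return i, j, k
    return None

def effective_window(pkts, idx):
    """Real window = win * 2**wscale (wscale from this sender's own SYN); SYN segments are unscaled."""
    p = pkts[idx]
    if "S" in p["flags"]:
        return p["win"]
    scale = next((q["wscale"] or 0 for q in pkts if "S" in q["flags"] and q["src"] == p["src"]), 0)
    return p["win"] * 2 ** scale

def payload_length(p):  # length field = layer-4 payload = larger_seq_no - smaller_seq_no
    return p["seq_end"] - p["seq"] if p["seq_end"] is not None else 0
```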

[10p] Task B - DNS capture

If we are the victims of a possible cyber attack (DNS hijacking), the DNS request packets are what we investigate.

We will simulate monitoring all DNS packets.

a) Capture an output for a DNS request.

b) Save a capture to a file. Use the appropriate options so that:

  • it displays the number of packets captured
  • the capture stops after 30 packets

c) Read the contents of the capture file.

NON-DEMO TASK

Using filters helps you view just the types of traffic that you are interested in and ignore the rest. Create short captures of up to 5 packets for the following cases:

  • Capture traffic just from the IP 8.8.8.8
  • Capture traffic having the source IP 8.8.8.8
  • Capture traffic to or from your PC on port 80
  • Capture traffic to or from your PC on port 80 or port 443