Showing posts with label Packet Sniffers.

Wednesday, 4 September 2013

How to setup snort in linux

Problem: You want to set up Snort, a network intrusion detection system (NIDS).

Installation:
# tar -xvjf snort-*.tar.gz
# cd snort
# ./configure
# make
# make install

Next, create a logging directory. It should not be publicly readable, since it will contain potentially sensitive data:

# mkdir -p -m go-rwx /var/log/snort

Finally, install the configuration files and rules database:

# mkdir -p /usr/local/share/rules
# cp etc/* rules/*.rules /usr/local/share/rules



Packet sniffing with snort

To format and print network trace information:
# snort -v [-d|-X] [-C] [-e] [filter-expression]

To sniff packets from the network:
# snort [-i interface] [-P snap-length] [filter-expression]

To read network trace data you have saved previously:
# snort -r filename [filter-expression]


Detecting intrusions with snort

Problem: You want to notice if your system is under attack from the network

Solution: To run as a network intrusion detection system, with binary logging, and alerts sent to the system logger:

# snort -c /usr/local/share/rules/snort.conf -b -s

To run snort in the background, as a daemon:
# snort -D [-u user] [-g group] [-m umask] -c /usr/local/share/rules/snort.conf


The configuration file includes a large number of pattern-matching rules that control logging and alerts.


Decoding snort alert messages

Consult the Snort signature database at http://www.snort.org/snort-db, using the signature ID as an index or searching on the text of the alert message. Another NIDS signature database is at http://www.whitehats.com.

Logging with snort

Problem: You want to manage snort's output and log files in an efficient, effective manner.

To log network trace data for later analysis:
# snort -b [-l logging-directory] [-L basename]

To examine the network trace data:
# snort -r logfile

To manage the logs, don't use logrotate. Instead, periodically tell snort to close all of its files and restart by sending it a SIGHUP signal:
# kill -HUP `pidof snort`

Remove all files that are older than a week:
# find /var/log/snort -type f -mtime +7 -print0 | xargs -0 -r rm

Remove empty subdirectories:
# find /var/log/snort -mindepth 1 -depth -type d -print0 | xargs -0 -r rmdir -v --ignore-fail-on-non-empty

Put those commands in a cron script.


How to Search for strings in Network Traffic

Problem: You want to watch network traffic, searching for strings in the transmitted data

Solution: Use ngrep

To search for packets containing data that matches a regular expression and protocols that match a filter expression:

# ngrep [grep-options] regular-expression [filter-expression]

To search instead for a sequence of binary data:

# ngrep -X hexadecimal-digits [filter-expression]

To sniff packets and save them in a file:

# ngrep -O filename [ -n count] [ -d interface] [-s snap-length] regular-expression [filter-expression]

To read and display the saved network trace data:

# ngrep -I filename regular-expression [filter-expression]

Installation:
# tar -xvjf ngrep-*.tar.gz
# cd ngrep
# ./configure --prefix=/usr/local
# make

Then install it into /usr/local as root:
# mkdir -p /usr/local/bin /usr/local/man/man8
# make install

Monday, 30 January 2012

How to Read Tcpdump output

Let us see how we can read tcpdump output by checking what each term means.

Let us take a sample line of tcpdump output:
20:08:41.313149 ctechz.blogspot.1086 > 192.168.0.22.80: S 1192278531:1192278531(0) win 1638

20:08:41.313149 ------------> This is the timestamp, in the format of two digits for hours, two digits for minutes, two digits for seconds, and six digits for the fractional part of a second.

ctechz.blogspot ---------------> This is the source host name. The default behaviour is to resolve host names, but you can turn that off with the tcpdump -n option. If there is no DNS name for the address, the IP address appears instead.

1086 ------> This is the source port number or service name.

> ----------> This is a marker indicating the direction of flow, from source to destination.

192.168.0.22 ----------> This is the destination host name or IP address.

80 ------------> This is the destination port number; it may be translated to a service name such as http.

S ---------> This is the TCP flag. S represents a SYN flag.

1192278531:1192278531(0) ------------> This is the beginning TCP sequence number, the ending TCP sequence number and, in parentheses, the number of data bytes. Sequence numbers are used by TCP to order the data received. The initial sequence number (ISN) is selected as a unique number to mark the first byte of data. The ending sequence number is the beginning sequence number plus the number of bytes sent in this TCP segment. In this case zero bytes were sent, so the beginning and ending sequence numbers are the same. A segment may also carry an acknowledgment (ack) number.

win 1638 --------------> This is the receive window, the receiving buffer size in bytes advertised by the source host (ctechz.blogspot) for this connection.



TCP Flag      Flag Representation   Flag Meaning

SYN           S                     Session establishment request; the first part of any TCP connection (3-way handshake).

ACK           ack                   Generally used to acknowledge the receipt of data from the sender. May appear in conjunction with other flags.

FIN           F                     Generally used to indicate the sender's intention to gracefully terminate its connection to the receiving host.

RESET         R                     Generally used to indicate the sender's intention to immediately abort the existing connection with the receiving host.

PUSH          P                     Generally used to immediately "push" data from the sending host to the receiving host. This is for applications like telnet, where response time is a primary concern.

URGENT        urg                   Generally used to mean that there is "urgent" data that takes precedence over other data.

Placeholder   .                     If the segment has none of the SYN, FIN, RESET or PUSH flags set, a placeholder (a period: .) is printed after the destination port.

Like the IP header, the TCP (Transmission Control Protocol) header stores information about the packet:


  • Source Port
  • Destination Port
  • Sequence Number
  • Acknowledgement Number
  • Data Offset
  • Flags
  • Window
  • Checksum
  • Urgent Pointer
  • Options
  • Padding
A TCP header carries all of the fields above.
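As an added example (not part of the original post), here is a small Python parser for the classic one-line tcpdump TCP format dissected above, plus a defender-side use of it: counting SYN segments that carry no ACK per source host, which is how a burst of connection attempts from one address stands out in a capture. The regular expression, the field names and the lines from 10.0.2.4 are my own construction; the first three sample lines are copied from this page. Newer tcpdump releases print flags as "Flags [S]" and are not handled here.

```python
import re
from collections import Counter

# Flag letters as printed by classic tcpdump (the table above). "." is the
# placeholder printed when none of S/F/R/P is set; ack and urg appear as words.
TCP_FLAG_NAMES = {"S": "SYN", "F": "FIN", "R": "RESET", "P": "PUSH", ".": "none"}

# Classic layout: timestamp [IP] src.port > dst.port: flags [seq:seq(len)] [ack N] [win N] [urg N]
_TCP_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:IP6?\s+)?"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SFRP.]+)"
    r"(?:\s+(?P<seq_start>\d+):(?P<seq_end>\d+)\((?P<data_len>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
    r"(?:\s+win\s+(?P<win>\d+))?"
    r"(?:\s+urg\s+\d+)?"
)


def split_endpoint(endpoint):
    """'192.168.0.22.80' -> ('192.168.0.22', '80'); 'host.ssh' -> ('host', 'ssh').
    tcpdump joins host and port with a dot, so the port is the last component."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_tcp_line(line):
    """Parse one classic tcpdump TCP summary line into a dict, or return None for
    anything else (UDP, DNS, ARP and 802.1d lines all fall through)."""
    m = _TCP_LINE_RE.match(line.strip())
    if not m:
        return None

    def num(name):
        return int(m.group(name)) if m.group(name) is not None else None

    src_host, src_port = split_endpoint(m.group("src"))
    dst_host, dst_port = split_endpoint(m.group("dst"))
    rec = {
        "ts": m.group("ts"),
        "src": src_host, "sport": src_port,
        "dst": dst_host, "dport": dst_port,
        "flags": [TCP_FLAG_NAMES[f] for f in m.group("flags")],
        "seq_start": num("seq_start"), "seq_end": num("seq_end"),
        "data_len": num("data_len"), "ack": num("ack"), "win": num("win"),
    }
    # As the walkthrough says: ending sequence number = beginning + data bytes.
    if rec["seq_start"] is not None:
        rec["seq_consistent"] = (rec["seq_end"] - rec["seq_start"]) == rec["data_len"]
    return rec


def syn_only_sources(lines):
    """Count, per source host, SYN segments without an ACK (new connection attempts).
    Many of these from one host in a short window is the usual sign of a port scan
    or SYN flood, so it is a cheap thing to alert on from a capture."""
    counts = Counter()
    for line in lines:
        rec = parse_tcp_line(line)
        if rec and rec["flags"] == ["SYN"] and rec["ack"] is None:
            counts[rec["src"]] += 1
    return counts


# Sample lines: the first three are copied from the post above; the lines
# involving 10.0.2.4 are constructed to show SYN counting and a SYN-ACK reply.
SAMPLE_LINES = [
    "20:08:41.313149 ctechz.blogspot.1086 > 192.168.0.22.80: S 1192278531:1192278531(0) win 1638",
    "14:18:49.519284 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.50959: P 228763333:228763445(112) ack 419799025 win 95 <nop,nop,timestamp 105976169 2745262019>",
    "14:18:49.537559 IP cloudcc.ctechz.blogspot.com.47433 > 10.0.0.2.domain:  49926+ PTR? 22.1.168.192.in-addr.arpa. (43)",
    "20:08:42.000001 IP 10.0.2.4.40001 > 192.168.0.22.22: S 10001:10001(0) win 5840",               # constructed
    "20:08:42.000002 IP 10.0.2.4.40002 > 192.168.0.22.3389: S 10002:10002(0) win 5840",             # constructed
    "20:08:42.000003 IP 192.168.0.22.22 > 10.0.2.4.40001: S 20001:20001(0) ack 10002 win 5792",     # constructed SYN-ACK
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_tcp_line(line))
    print(syn_only_sources(SAMPLE_LINES))
```

The SYN-ACK reply is deliberately excluded from the count because it carries an ack number; only the initiating side of a handshake is a connection attempt.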


tcpdump more options


Let's check some more interesting options using tcpdump.

Host 

# tcpdump host 192.168.1.22
Look for traffic based on IP address (this also works with a host name if you are not using -n); use the host option to check the traffic of another machine.

src, dst 

# tcpdump src 192.168.1.22
# tcpdump dst 192.168.1.22
Find traffic from only a source or only a destination (this eliminates one side of a host conversation).
 

net 
# tcpdump net 192.186.0.0/24
Capture an entire network using CIDR notation.

proto 

# tcpdump icmp
Works for the tcp, udp and icmp protocols.
port  

# tcpdump port 3389
See only traffic to or from a certain port.

src/dst, port, protocol 

# tcpdump src port 1025 and tcp
# tcpdump udp and src port 53
Combine all three kinds of filter. You also have the option to filter by a range of ports instead of declaring them individually.

Port Ranges 

# tcpdump portrange 21-23
See traffic to any port in a range.

Packet Size Filter 

# tcpdump less 32
# tcpdump greater 128
Only see packets below or above a certain size (in bytes).


# tcpdump 'len > 32'
# tcpdump 'len <= 12'

We can also use comparison operators on the packet length (len) instead of less / greater. Quote the expression, otherwise the shell treats > and < as file redirections.

Grouping 

# tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'
Traffic that is from 10.0.2.4 AND destined for port 3389 or port 22.


 
 

tcpdump command help

Tcpdump is a packet analyzer. It allows us to analyze the packets that are moving through our network and also to save the captured packets. We can use the tcpdump command to read the saved packets.

In a network, data travels as packets, and each packet contains the information it needs to travel across the network. This information is carried in the packet headers: the IP and TCP headers contain the destination and source addresses, state information and protocol identifiers. The rest of the packet contains the data being sent. The devices responsible for routing read the information in these headers and send the packets to their correct destinations.

Executing tcpdump without any option captures all the packets flowing through all the interfaces. Let's check some of the options in tcpdump for analyzing the packets in a network.

* Packets from a particular interface using tcpdump -i 

# tcpdump -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
14:18:49.519284 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.50959: P 228763333:228763445(112) ack 419799025 win 95 <nop,nop,timestamp 105976169 2745262019>
14:18:59.535351 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.50959: P 112:224(112) ack 1 win 95 <nop,nop,timestamp 105976169 2745262019>
14:18:49.519359 IP 192.168.1.22.50959 > cloudcc.ctechz.blogspot.com.ssh: . ack 112 win 10 <nop,nop,timestamp 2745262160 105976169>
14:18:49.519375 IP 192.168.1.22.50959 > cloudcc.ctechz.blogspot.com.ssh: . ack 224 win 10 <nop,nop,timestamp 2745262160 105976169>
14:18:49.537559 IP cloudcc.ctechz.blogspot.com.47433 > 10.0.0.2.domain:  49926+ PTR? 22.1.168.192.in-addr.arpa. (43)
14:18:49.713921 802.1d unknown version

Here tcpdump captured all the packets flowing through interface eth0 and displayed them on standard output.

* Capture only N packets using tcpdump -c

# tcpdump -c 2 -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
14:55:00.837666 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.50959: P 228769381:228769493(112) ack 419800865 win 95 <nop,nop,timestamp 108147932 2747433275>
14:55:10.836110 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.50959: P 112:224(112) ack 1 win 95 <nop,nop,timestamp 108147932 2747433275>

* Captured Packets in ASCII using tcpdump -A 

# tcpdump -A -i eth0

14:59:15.281604 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.50959: P 228771221:228771413(192) ack 419801777 win 95 <nop,nop,timestamp 108402428 2747687702>
.........._.............
.v....c.XAQ...?..vJ...o...1zx-........
14:59:15.281735 IP 192.168.1.22.50959 > cloudcc.ctechz.blogspot.com.ssh: . ack 192 win 26 <nop,nop,timestamp 2747687721 108402428>
..U....o...........C........
..c).v..
14:59:15.282197 IP cloudcc.ctechz.blogspot.com.50913 > 10.0.0.2.domain:  9309+ PTR? 22.1.168.192.in-addr.arpa. (43)
E..G..@.@.W....C
......5.3.1$]...........22.1.168.192.in-addr.arpa.....
14:59:15.821332 IP 192.168.100.50.23354 > 234.134.191.31.23354: UDP, length 53
......@. .....d2....[:[:.=.c..."....d2#......UDP.8....rac1pfx-cluster..PING.

* Captured Packets in HEX and ASCII using tcpdump -XX

# tcpdump -XX -i eth0

15:04:34.561281 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.50959: P 228773525:228773717(192) ack 419802737 win 95 <nop,nop,timestamp 108721773 2748006955>
        0x0000:  c89c dc50 abd3 0080 4853 84c4 0800 4510  ...P....HS....E.
        0x0010:  00f4 b0c4 4000 4006 0586 c0a8 0143 c0a8  ....@.@......C..
        0x0020:  0116 0016 c70f 0da2 ce95 1905 ae71 8018  .............q..
        0x0030:  005f 8490 0000 0101 080a 067a f66d a3cb  ._.........z.m..
        0x0040:  422b 7997 8997 cac1 2559 79ad c095 4dbd  B+y.....%Yy...M.
        0x0050:  ae1c 1481 e5e6 0010 7651 d691 21f9 d955  ........vQ..!..U
15:04:34.561424 IP 192.168.1.22.50959 > cloudcc.ctechz.blogspot.com.ssh: . ack 192 win 33 <nop,nop,timestamp 2748006974 108721773>
        0x0000:  0080 4853 84c4 c89c dc50 abd3 0800 4510  ..HS.....P....E.
        0x0010:  0034 e425 4000 4006 d2e4 c0a8 0116 c0a8  .4.%@.@.........
        0x0020:  0143 c70f 0016 1905 ae71 0da2 cf55 8010  .C.......q...U..
        0x0030:  0021 a46c 0000 0101 080a a3cb 423e 067a  .!.l........B>.z
        0x0040:  f66d                                     .m
15:04:34.561880 IP cloudcc.ctechz.blogspot.com.53544 > 10.0.0.2.domain:  15625+ PTR? 22.1.168.192.in-addr.arpa. (43)
        0x0000:  c89c dc50 abd3 0080 4853 84c4 0800 4500  ...P....HS....E.
        0x0010:  0047 f66e 4000 4011 784a c0a8 0143 0a00  .G.n@.@.xJ...C..
        0x0020:  0002 d128 0035 0033 cc31 3d09 0100 0001  ...(.5.3.1=.....
        0x0030:  0000 0000 0000 0232 3201 3103 3136 3803  .......22.1.168.
        0x0040:  3139 3207 696e 2d61 6464 7204 6172 7061  192.in-addr.arpa
        0x0050:  0000 0c00 01                             .....
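To see what those hex columns actually contain, here is an added example (not code from the post) that reads the six dump rows of the first packet above back into bytes and decodes the Ethernet, IPv4 and TCP headers with Python's struct module. The values it recovers (ports 22 and 50959, sequence 228773525, ack 419802737, window 95, the nop,nop,timestamp option) are exactly what tcpdump printed on the summary line, which is a useful way to check that a hand-decode is right. It assumes only the standard library and the column layout shown above; the same reader also handles -xx output, which simply lacks the ASCII column.

```python
import re
import struct

# Six lines of "tcpdump -XX" output copied from the post above (the first
# packet shown under "Captured Packets in HEX and ASCII"). With the default
# 96-byte snaplen the frame is truncated, which the decoder has to tolerate.
SAMPLE_DUMP = """\
        0x0000:  c89c dc50 abd3 0080 4853 84c4 0800 4510  ...P....HS....E.
        0x0010:  00f4 b0c4 4000 4006 0586 c0a8 0143 c0a8  ....@.@......C..
        0x0020:  0116 0016 c70f 0da2 ce95 1905 ae71 8018  .............q..
        0x0030:  005f 8490 0000 0101 080a 067a f66d a3cb  ._.........z.m..
        0x0040:  422b 7997 8997 cac1 2559 79ad c095 4dbd  B+y.....%Yy...M.
        0x0050:  ae1c 1481 e5e6 0010 7651 d691 21f9 d955  ........vQ..!..U
"""

_OFFSET_RE = re.compile(r"^\s*0x[0-9a-fA-F]+:")
HEX_COLUMNS = 39   # tcpdump pads the hex column to 8 groups of 4 digits plus 7 spaces

TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
                 (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]


def hexdump_to_bytes(text):
    """Rebuild the raw frame from tcpdump -X/-XX/-xx rows.

    The ASCII column is fixed-width and may itself contain hex-looking
    characters or spaces, so the hex groups are taken from the fixed-width
    column rather than by splitting the whole line. Summary lines are skipped."""
    raw = []
    for line in text.splitlines():
        if not _OFFSET_RE.match(line):
            continue                      # the one-line summary, not a dump row
        column = line.split(":", 1)[1].lstrip()[:HEX_COLUMNS]
        raw.append("".join(re.findall(r"[0-9a-fA-F]{2,4}", column)))
    return bytes.fromhex("".join(raw))


def _mac(raw):
    return ":".join("%02x" % b for b in raw)


def parse_tcp_options(opts):
    """Walk the TCP options area, e.g. ['nop', 'nop', ('timestamp', tsval, tsecr)].
    Stops at the first malformed option instead of reading past the buffer."""
    parsed, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                     # end of option list
            break
        if kind == 1:                     # NOP padding
            parsed.append("nop")
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                         # bad length field: refuse to over-read
        body = opts[i + 2:i + length]
        if kind == 8 and length == 10:
            tsval, tsecr = struct.unpack("!II", body)
            parsed.append(("timestamp", tsval, tsecr))
        else:
            parsed.append(("kind%d" % kind, body.hex()))
        i += length
    return parsed


def decode_frame(frame):
    """Decode Ethernet II, IPv4 and TCP headers from raw bytes into a dict.
    Every header is checked against the number of bytes actually captured."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"dst_mac": _mac(dst_mac), "src_mac": _mac(src_mac), "ethertype": ethertype}
    if ethertype != 0x0800 or len(frame) < 34:
        return out                        # not IPv4, or IP header not captured
    ip = frame[14:]
    ver_ihl, _tos, total_len, ident, frag, ttl, proto, _csum, saddr, daddr = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    out.update({"ip_version": ver_ihl >> 4, "ip_total_len": total_len, "ip_id": ident,
                "ip_df": bool(frag & 0x4000), "ip_ttl": ttl, "ip_proto": proto,
                "ip_src": ".".join(str(b) for b in saddr),
                "ip_dst": ".".join(str(b) for b in daddr)})
    if proto != 6 or len(ip) < ihl + 20:
        return out                        # not TCP, or TCP header not captured
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags, win, _tcsum, urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_offset = (off_flags >> 12) * 4
    out.update({"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                "flags": [name for bit, name in TCP_FLAG_BITS if off_flags & bit],
                "win": win, "urg_ptr": urg,
                "options": parse_tcp_options(tcp[20:data_offset]),
                # payload length according to the IP header (the "(192)" on the summary line)
                "data_len": total_len - ihl - data_offset,
                # payload bytes really present in the dump (fewer when the snaplen truncated it)
                "captured_payload": max(0, len(tcp) - data_offset)})
    return out


if __name__ == "__main__":
    for key, value in decode_frame(hexdump_to_bytes(SAMPLE_DUMP)).items():
        print("%-17s %s" % (key, value))
```

Because the frame was captured with the default 96-byte snaplen, only 30 of the 192 payload bytes are present: data_len comes from the IP total length, while captured_payload counts what is really in the dump. That is the check to make before trusting any payload-based analysis of a truncated capture.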

* Capture the packets and write into a file using tcpdump -w

The -w option writes the packets to the given file. By convention the file has the .pcap extension; it can be read by any network protocol analyzer.

# tcpdump -w dump.pcap -i eth0  
This produces a file called dump.pcap that stores the captured packets.

* Read the packets from a saved file using tcpdump -r 

# tcpdump -r dump.pcap 
You can read the captured .pcap file and view the packets for analysis.

* Getting packets with IP address using tcpdump -n 

# tcpdump -n -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:20:10.725855 IP 192.168.1.67.ssh > 192.168.1.22.46596: P 4047509964:4047510156(192) ack 1239501135 win 95 <nop,nop,timestamp 109658129 2748943040>
15:20:10.725959 IP 192.168.1.22.46596 > 192.168.1.67.ssh: . ack 192 win 19 <nop,nop,timestamp 2748943062 109658129>
15:20:10.726021 IP 192.168.1.67.ssh > 192.168.1.22.46596: P 192:384(192) ack 1 win 95 <nop,nop,timestamp 109658129 2748943062>
15:20:10.726076 IP 192.168.1.67.ssh > 192.168.1.22.46596: P 384:544(160) ack 1 win 95 <nop,nop,timestamp 109658129 2748943062>
15:20:10.726133 IP 192.168.1.67.ssh > 192.168.1.22.46596: P 544:720(176) ack 1 win 95 <nop,nop,timestamp 109658130 2748943062>
15:20:10.726152 IP 192.168.1.22.46596 > 192.168.1.67.ssh: . ack 384 win 21 <nop,nop,timestamp 2748943062 109658129>
15:20:10.726161 IP 192.168.1.22.46596 > 192.168.1.67.ssh: . ack 544 win 23 <nop,nop,timestamp 2748943062 109658129>
15:20:10.726215 IP 192.168.1.67.ssh > 192.168.1.22.46596: P 720:896(176) ack 1 win 95 <nop,nop,timestamp 109658130 2748943062>
15:20:10.726262 IP 192.168.1.22.46596 > 192.168.1.67.ssh: . ack 720 win 24 <nop,nop,timestamp 2748943062 109658130> 

* Capture packets with readable timestamp using tcpdump -tttt 

# tcpdump -n -tttt -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
2012-01-29 15:24:47.784713 IP 192.168.1.67.ssh > 192.168.1.22.46596: P 4047514140:4047514332(192) ack 1239503055 win 95 <nop,nop,timestamp 109935245 2749220078>
2012-01-29 15:24:47.784854 IP 192.168.1.67.ssh > 192.168.1.22.46596: P 192:400(208) ack 1 win 95 <nop,nop,timestamp 109935245 2749220078>
2012-01-29 15:24:47.784872 IP 192.168.1.22.46596 > 192.168.1.67.ssh: . ack 192 win 33 <nop,nop,timestamp 2749220098 109935245>
2012-01-29 15:24:47.784944 IP 192.168.1.67.ssh > 192.168.1.22.46596: P 400:704(304) ack 1 win 95 <nop,nop,timestamp 109935245 2749220098>
2012-01-29 15:24:47.785001 IP 192.168.1.22.46596 > 192.168.1.67.ssh: . ack 400 win 34 <nop,nop,timestamp 2749220098 109935245>
2012-01-29 15:24:47.785043 IP 192.168.1.67.ssh > 192.168.1.22.46596: P 704:880(176) ack 1 win 95 <nop,nop,timestamp 109935245 2749220098>
2012-01-29 15:24:47.785071 IP 192.168.1.22.46596 > 192.168.1.67.ssh: . ack 704 win 36 <nop,nop,timestamp 2749220098 109935245>

* Reading packets longer than N bytes
You can receive only the packets larger than n bytes using the filter 'greater' with the tcpdump command.

$ tcpdump greater 1024 -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:32:23.030169 IP 192.168.1.22.squid > cloudcc.ctechz.blogspot.com.56294: P 3533551345:3533552790(1445) ack 1677096811 win 3839 <nop,nop,timestamp 2749675305 110389966>
15:32:25.028568 IP 192.168.1.22.squid > cloudcc.ctechz.blogspot.com.56294: P 1445:2890(1445) ack 866 win 3839 <nop,nop,timestamp 2749677304 110391966>
15:32:27.042511 IP 192.168.1.22.squid > cloudcc.ctechz.blogspot.com.56294: P 2890:4335(1445) ack 1731 win 3839 <nop,nop,timestamp 2749679318 110393966>
15:32:29.035028 IP 192.168.1.22.squid > cloudcc.ctechz.blogspot.com.43819: P 189138042:189139487(1445) ack 3060416647 win 3839 <nop,nop,timestamp 2749681310 110395968>
15:32:31.009490 IP 192.168.1.22.squid > cloudcc.ctechz.blogspot.com.56294: P 4866:6311(1445) ack 3515 win 3839 <nop,nop,timestamp 2749683284 110397968>
15:32:33.003763 IP 192.168.1.22.squid > cloudcc.ctechz.blogspot.com.56294: P 6311:7756(1445) ack 4380 win 3839 <nop,nop,timestamp 2749685278 110399967> 

* Capturing the packets of a specific protocol type
You can capture packets based on the protocol type. You can specify one of these protocols: fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp.

# tcpdump -i eth0 arp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:38:34.274572 arp who-has 192.168.0.54 tell 192.168.0.22
15:38:36.252219 arp who-has 192.168.1.201 tell 192.168.1.200
15:38:39.313602 arp who-has 192.168.1.201 tell 192.168.1.200
15:38:40.455837 arp who-has 192.168.0.109 tell 192.168.0.45
15:38:43.032395 arp who-has 192.168.1.201 tell 192.168.1.200
15:38:46.924282 arp who-has 192.168.0.109 tell 192.168.0.45 

* Reading packets shorter than N bytes
You can receive only the packets smaller than n bytes using the filter 'less' with the tcpdump command.

# tcpdump less 1024 -i eth0
# tcpdump -w l_1024.pcap  less 1024 

* Capturing packet flows on a particular port using tcpdump port
This shows all the packets sent to or received from a particular port on a machine.

# tcpdump -i eth0 port 22

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:43:14.428293 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.46596: P 4050640844:4050641036(192) ack 1239514031 win 95 <nop,nop,timestamp 111042115 2750326627>
15:43:14.428486 IP 192.168.1.22.46596 > cloudcc.ctechz.blogspot.com.ssh: . ack 192 win 3811 <nop,nop,timestamp 2750326650 111042115>
15:43:24.427008 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.46596: P 192:400(208) ack 1 win 95 <nop,nop,timestamp 111052116 2750326650>
15:43:24.427064 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.46596: P 400:576(176) ack 1 win 95 <nop,nop,timestamp 111052116 2750326650>
15:43:24.427123 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.46596: P 576:768(192) ack 1 win 95 <nop,nop,timestamp 111052116 2750326650>
15:43:24.427144 IP 192.168.1.22.46596 > cloudcc.ctechz.blogspot.com.ssh: . ack 400 win 3811 <nop,nop,timestamp 2750336648 111052116> 

* Capturing packets for particular destination IP and Port
The packets carry source and destination IP addresses and port numbers. Using tcpdump we can apply filters on the source or destination IP address and port number.
The following commands capture packets flowing on eth0 with a particular destination IP address and port number 22.
 

# tcpdump -w xpackets.pcap -i eth0 dst 192.168.1.183 and port 22
# tcpdump -i eth0 dst 192.168.1.175 and port 22

15:56:09.554572 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.183.46596: P 2643264:2643456(192) ack 1345 win 95 <nop,nop,timestamp 111817400 2751101713>
15:56:09.554611 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.183.46596: P 2643456:2643648(192) ack 1345 win 95 <nop,nop,timestamp 111817400 2751101713>
15:56:09.554663 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.183.46596: P 2643648:2643840(192) ack 1345 win 95 <nop,nop,timestamp 111817400 2751101713>
15:56:09.554710 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.183.46596: P 2643840:2644032(192) ack 1345 win 95 <nop,nop,timestamp 111817400 2751101713>
15:56:09.554749 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.183.46596: P 2644032:2644224(192) ack 1345 win 95 <nop,nop,timestamp 111817400 2751101713>
15:56:09.554787 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.183.46596: P 2644224:2644416(192) ack 1345 win 95 <nop,nop,timestamp 111817400 2751101713>


* TCP communication packets between two hosts
If two processes on two different machines are communicating over TCP, we can capture those packets using tcpdump as shown below.

# tcpdump -w comm.pcap -i eth0 dst 192.168.1.183 and port 22 

You can open the file comm.pcap using any network protocol analyzer tool to debug any potential issues. 

* Filtering packets using tcpdump: capture all the packets other than arp and rarp
In the tcpdump command you can give "and", "or" and "not" conditions to filter the packets accordingly.

# tcpdump -i eth0 not arp and not rarp
# tcpdump -i eth0 not tcp and not arp


16:02:53.965566 CDPv2, ttl: 180s, Device-ID 'CochinGate'[|cdp]
16:02:54.380054 IP 192.168.100.51.23354 > 234.134.191.31.23354: UDP, length 151
16:02:54.380746 IP cloudcc.ctechz.blogspot.com.32894 > 10.0.0.2.domain:  47635+ PTR? 31.191.134.234.in-addr.arpa. (45)
16:02:54.402986 IP 192.168.100.51.23354 > 234.134.191.31.23354: UDP, length 151
16:02:54.649980 802.1d unknown version
16:02:54.954942 IP cloudcc.ctechz.blogspot.com.50001 > 10.0.0.2.domain:  21429+ A? centos.vr-zone.com. (36)
16:02:55.246120 IP 192.168.100.50.23354 > 234.134.191.31.23354: UDP, length 53
16:02:56.665126 802.1d unknown version
16:02:56.748222 IP 192.168.100.50.23354 > 234.134.191.31.23354: UDP, length 53 

* Make stdout line buffered. Useful if you want to see the data while capturing, use -l 

# tcpdump -l > dat & tail -f dat 

* Don't print domain name qualification of host names 

# tcpdump -N -i eth0

If you give this flag, tcpdump prints "ctechz" instead of "ctechz.blogspot.com":

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
18:16:17.053108 IP cloudcc.ssh > 192.168.1.22.39495: P 2722677379:2722677491(112) ack 967375163 win 95 <nop,nop,timestamp 120226620 2759508498>
18:16:27.051222 IP cloudcc.ssh > 192.168.1.22.39495: P 112:224(112) ack 1 win 95 <nop,nop,timestamp 120226621 2759508498>
18:16:17.053136 IP 192.168.1.22.39495 > cloudcc.ssh: . ack 112 win 23 <nop,nop,timestamp 2759508521 120226620>
18:16:17.053221 IP 192.168.1.22.39495 > cloudcc.ssh: . ack 224 win 23 <nop,nop,timestamp 2759508521 120226621>
18:16:17.053752 IP cloudcc.46957 > 10.0.0.2.domain:  25029+ PTR? 22.1.168.192.in-addr.arpa. (43)
18:16:17.097848 IP cloudcc.52899 > 10.0.0.2.domain:  56675+ A? centos.communilink.net. (40) 

* When parsing and printing, in addition to printing the headers of each packet, print the data of each packet, including its link level header, in hex and ASCII.

# tcpdump -XX -i eth0
# tcpdump -X -i eth0

18:21:56.413767 IP cloudcc.ctechz.blogspot.com.56294 > 192.168.1.22.squid: P 1681546479:1681547345(866) ack 3540467048 win 501 <nop,nop,timestamp 120566051 2759847333>
        0x0000:  c89c dc50 abd3 0080 4853 84c4 0800 4500  ...P....HS....E.
        0x0010:  0396 985f 4000 4006 1b59 c0a8 0143 c0a8  ..._@.@..Y...C..
        0x0020:  0116 dbe6 0c38 643a 5cef d307 3d68 8018  .....8d:\...=h..
        0x0030:  01f5 8732 0000 0101 080a 072f b123 a47f  ...2......./.#..
        0x0040:  eda5 504f 5354 2068 7474 703a 2f2f 7065  ..POST.http://pe
        0x0050:  7472 6f73 6f63 6961 6c2e 6e65 742f 6477  trosocial.net/dw


 * When parsing and printing, in addition to printing the headers of each packet, print the data of each packet, including its link level header, in hex. 

# tcpdump -xx -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
18:27:26.350615 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.39495: P 2722709875:2722709987(112) ack 967381147 win 95 <nop,nop,timestamp 120896055 2760177744>
        0x0000:  c89c dc50 abd3 0080 4853 84c4 0800 4510
        0x0010:  00a4 e3a3 4000 4006 d2f6 c0a8 0143 c0a8
        0x0020:  0116 0016 9a47 a249 4173 39a9 109b 8018
        0x0030:  005f 8440 0000 0101 080a 0734 ba37 a484
        0x0040:  f850 c004 7673 c572 acb5 3f36 4aa9 5ab2
        0x0050:  dc3a 34b1 5abc 22d7 afde 5f51 d785 f394 

* Display the link-level header for each packet. 

# tcpdump -e -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
18:40:20.378413 00:80:48:53:84:c4 (oui Unknown) > c8:9c:dc:50:ab:d3 (oui Unknown), ethertype IPv4 (0x0800), length 258: cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.44043: P 4211844806:4211844998(192) ack 1868284851 win 95 <nop,nop,timestamp 121670241 2760951707>
18:40:20.378560 c8:9c:dc:50:ab:d3 (oui Unknown) > 00:80:48:53:84:c4 (oui Unknown), ethertype IPv4 (0x0800), length 66: 192.168.1.22.44043 > cloudcc.ctechz.blogspot.com.ssh: . ack 192 win 13 <nop,nop,timestamp 2760951727 121670241>
18:40:20.379052 00:80:48:53:84:c4 (oui Unknown) > c8:9c:dc:50:ab:d3 (oui Unknown), ethertype IPv4 (0x0800), length 85: cloudcc.ctechz.blogspot.com.54043 > 10.0.0.2.domain:  7182+ PTR? 22.1.168.192.in-addr.arpa. (43)
18:40:20.413456 00:80:48:53:84:c4 (oui Unknown) > c8:9c:dc:50:ab:d3 (oui Unknown), ethertype IPv4 (0x0800), length 932: cloudcc.ctechz.blogspot.com.56294 > 192.168.1.22.squid: P 1682031477:1682032343(866) ack 3541247187 win 501 <nop,nop,timestamp 121670277 2760950219>
18:40:20.413715 c8:9c:dc:50:ab:d3 (oui Unknown) > 00:80:48:53:84:c4 (oui Unknown), ethertype IPv4 (0x0800), length 66: 192.168.1.22.squid > cloudcc.ctechz.blogspot.com.56294: . ack 866 win 3839 <nop,nop,timestamp 2760951763 121670277>


It is also important to note that tcpdump only takes the first 96 bytes of data from a packet by default. If you would like to look at more, add the -s number option, where number is the number of bytes you want to capture; a snaplength of 0 (zero) captures everything.


Useful list of the options in tcpdump

-i any : Listen on all interfaces just to see if you're seeing any traffic.
-n : Don't resolve hostnames.
-nn : Don't resolve hostnames or port names. 
-X : Show the packet's contents in both hex and ASCII.
-XX : Same as -X, but also shows the ethernet header.
-v, -vv, -vvv : Increase the amount of packet information you get back.
-c : Only get x number of packets and then stop. 
-s : Define the size of the capture (use -s0 unless you are intentionally capturing less.)
-S : Print absolute sequence numbers.
-e : Get the ethernet header as well.
-q : Show less protocol information.
-E : Decrypt IPSEC traffic by providing an encryption key.
-s : Set the snaplength, i.e. the amount of data that is being captured in bytes
-c : Only capture x number of packets, e.g. 'tcpdump -c 3'









Saturday, 21 January 2012

Packet Sniffer tools

Some useful packet sniffing tools that we need in an everyday working environment:

tcpdump   --------> a command-line packet sniffer

ettercap  ---------> lets you see passwords in plain text. Ettercap is a suite for man-in-the-middle attacks on a LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks.

tshark     ---------> a network protocol analyzer.

tcpshow    -------> tcpdump-based analysis

Wireshark ------> Packet sniffer GUI

NetStumbler ---------> Netstumbler is the best known Windows tool for finding open wireless access points ("wardriving"). They also distribute a WinCE version for PDAs and such named MiniStumbler. The tool is currently free but Windows-only and no source code is provided.

 Ntop ------> Ntop shows network usage in a way similar to what top does for processes. In interactive mode, it displays the network status on the user's terminal. In Web mode, it acts as a Web server, creating an HTML dump of the network status.

NetworkMiner ----------> NetworkMiner is a Network Forensic Analysis Tool for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network.

P0f -----------> P0f is able to identify the operating system of a target host simply by examining captured packets even when the device in question is behind an overzealous packet firewall.

Ethereal ------> Ethereal is a free network protocol analyzer for Unix and Windows.

Snort ------> Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.

Netcat ------> Netcat has been dubbed the network Swiss army knife. It is a simple Unix utility which reads and writes data across network connections, using the TCP or UDP protocol.

tcptrace ------> analyzes the dump file format generated by TCPdump and other applications

hping ------> Hping is a command-line oriented TCP/IP packet assembler/analyzer, kind of like the “ping” program

dsniff ------> Dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf and webspy passively monitor a network for interesting data.

Nikto ------> Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items

John the Ripper ------> John the Ripper is a fast password cracker.

Tripwire ------> Tripwire is a tool that can be used for data and program integrity assurance

Kismet ------> Kismet is an 802.11 wireless network sniffer - this is different from a normal network sniffer (such as Ethereal or tcpdump) because it separates and identifies different wireless networks in the area
  
saint ----------> a network vulnerability assessment scanner that detects vulnerabilities in your network's security before they can be exploited.

Nessus --------->  vulnerability scanner.