Viewing Packet Flows with tcpdump



TCP/IP Port scanning and packet analysis

tcpdump

The tcpdump command is one of the most popular packages for viewing the flow of packets through your Linux box's NIC card. It is installed by default on RedHat/Fedora Linux and has very simple syntax, especially if you are doing simpler types of troubleshooting.

Like most Linux commands, tcpdump uses command-line switches to modify the output. Some of the more useful command-line switches are listed below:

TCPdump Switches

|tcpdump |Description |

|command | |

|switch | |

|-c |Stop after viewing count packets. |

|-t |Don't print a timestamp at the beginning of each line |

|-i |Listen on interface. If this is not specified, then tcpdump uses the lowest |

| |numbered interface that is UP |

|-w |Dump the output to a specially formatted tcpdump dump file |

|-C |Specify the size the dump file must reach before a new one with a numeric |

| |extension is created. |

By using the -w filename option you can send the entire Ethernet frame to a file, not just a brief IP information that normally goes to the screen. This can then be analyzed by graphical analysis tools such as Ethereal, which is available in both Windows and Linux, with customized filters, colorization of packet records based on criteria deemed interesting, and the capability of automatically highlighting certain error conditions such as data retransmissions:

tcpdump -i eth1 -w /tmp/packets.dump tcp port 22

By default tcpdump will attempt to determine the DNS names of all the IP addresses it sees while logging data. This can slow down tcpdump so much that it appears not to be working at all. The -n switch stops DNS name lookups and will make tcpdump work more reliably.

tcpdump -i eth1 -n tcp port 22

tcpump used to view packets on interface wlan0 to/from host 192.168.1.102 on TCP port 22 with no timestamps in the output (-t switch).

tcpdump -i wlan0 -t host 192.168.1.102 and tcp port 22

You can also add expressions after all the command-line switches. These act as filters to limit the volume of data presented on the screen. You can also use keywords such as and or or between expressions to further fine-tune your selection criteria. Some useful expressions are.

tcpdump Expressions

|tcpdump |Description |

|command | |

|expression | |

|host host-address |View packets from the IP address |

| |host-address |

|icmp |View icmp packets |

|tcp port port-number |View TCP packets with packets with either |

| |a  source or destination TCP port of |

| |port-number |

|udp port port-number |View UDP packets with either a  source or |

| |destination UDP port of port-number |

Examples:

( tcpdump used to view ICMP ping packets going through interface wlan0:

tcpdump -i wlan0 icmp

TCP/IP Port scanning and packet analysis

(t)ethereal

The tethereal program is a text version of the graphical Ethereal (Wireshark) product that is part of the Fedora Linux RPM suite (and available as a separate download under Windows). The command-line options and screen output mimic that of tcpdump in many ways but tethereal has a number of advantages.

The tethereal command has the ability of dumping data to a file like tcpdump and creating new files with new filename extensions when a size limit has been reached. It can additionally limit the total number of files created before overwriting the first one in the queue, which is also known as a ring buffer. The tethereal screen output is also more intuitive to read, though the dump file format is identical to tcpdump.

Possible tethereal Switches

|tcpdump |Description |

|command | |

|switch | |

|-c |Stop after viewing count packets. |

|-i |Listen on interface. If this is not specified, then tcpdump will use the lowest|

| |numbered interface that is UP |

|-w |Dump the output to a specially formatted TCPdump dump file |

|-C |Specifies the size the dump file must reach before a new one with a numeric |

| |extension is created. |

|-b |The size of the ring buffer when the -C switch is selected. |

tethereal Expressions

|tcpdump |Description |

|command | |

|expression | |

|host host-address |View packets from the IP address |

| |host-address |

|icmp |View icmp packets |

|tcp port port-number |View TCP packets with packets with either |

| |a  source or destination TCP port of |

| |port-number |

|udp port port-number |View UDP packets with either a  source or |

| |destination UDP port of port-number |

Example: observe an HTTP (TCP port 80) packet flow between server smallfry at address 192.168.1.102 and bigboy at IP address 192.168.1.100. The tethereal output groups the IP addresses and TCP ports together and then provides the TCP flags, followed by the sequence numbering. It may not be apparent on this page, but the formatting lines up in neat columns on your screen, making analysis much easier. Also notice how the command line mimics that of tcpdump.

tethereal -i eth0 tcp port 80 and host 192.168.1.100

nmap

You can use nmap to determine the TCP or UDP ports on which a remote server is listening. It isn't usually an important tool in the home environment, but it can be used in a corporate environment to detect vulnerabilities in your network, such as servers running unauthorized network applications. It is a favorite tool of malicious hackers and therefore should only be used to test external as well as internal servers under your control to avoid legal issues.

You can get a list of available nmap options by just entering the command without arguments at the command prompt.

Common NMAP Options

|Argument |Description |

|-P0 |Nmap first attempts to ping a host before scanning it. If the server is being protected from |

| |ping queries, then you can use this option to force it to scan anyway. |

|-T |Defines the timing between the packets set during a port scan. Some firewalls can detect the |

| |arrival of too many non-standard packets within a predetermined time frame. This option can be |

| |used to send them from 60 seconds apart with a value of "5" also known as insane mode to 0.3 |

| |seconds with a value of "0" in paranoid mode. |

|-O |This will try to detect the operating system of the remote server based on known responses to |

| |various types of packets. |

|-p |Lists the TCP or UDP port range to scan. |

|-s |Defines a variety of scan methods that use either packets that comply with the TCP/IP standard |

| |or are in violation of it. Usual options are-sT (TCP) or –sU (UDP). Lacking a specific |

| |handshake sequence, UDP scans rely on a time out and so take much longer than TCP scans. |

Example: a scan using valid TCP connections (-sT) in the extremely slow "insane" mode (-T 5) from ports 1 to 5000.

nmap -sT -T 5 -p 1-5000 192.168.1.153

There are also command linme options for “silent” or “stealth” scanning common in graphical port scanning packages.

telnet

A common tool for determining if a specific port is open is to use the telnet command. The telnet command gives you the option of connecting to any TCP port at a target IP address. This is commonly used by Network Engineers and System Administrators to determine if a specific application is running (or available from the client) on a remote server.

For example: to determine if a webserver (port 80) is available on server 192.234.16.29:

telnet 192.234.16.29 80

To determine if a SMTP server is running on 192.234.16.5:

telnet 192.234.16.29 25

To determine if a POP server is running on 192.234.16.5:

telnet 192.234.16.29 110

You can usually determine if the session connection is successful by getting a prompt from the server or issuing the netstat –an command from another window on the client to see if a session to the target system is “ESTABLISHED” (completed 3-way handshake).

After session is established you can even issue commands to applications that will understand specific input commands like FTP, HTTP or SMTP. There are common command hacking examples on the Internet for these applications.

You can also script telnet commands to provide command input and output to/from a remote system. The entire telnet input command sequence must be a single bracketed job using parentheses then “piped” to the TELNET destination. Also a “sleep” command is inserted between commands to allow for TELNET response. This can be used in combination with the xargs command to process multiple inputs.

Used in combination with application command input, this can drive “hacking” scripts from the BASH shell rather than more complex script languages like Tcl or Perl or a programming language like C that require programming directly to a specific port. A common approach used by so-called “script kiddies”.

A more sophisticated version of TELNET scripting uses NetCat as a substitute for TELNET.

Some telnet script examples:

Example1: A simple LOGIN and “clear arp” command and logout.

Notice the “sleep 1” to allow TELNET echo to function properly.

#!/bin/bash

( sleep 1; echo "userid"; sleep 1; echo "password"; sleep 1; echo "clear arp-cache"; sleep 1; \

echo "exit" ) | telnet 172.27.19.1

telnet

Example 2: A more generalized, complex interactive telnet script

#!/bin/bash -xv

function question {

( sleep 1; echo "$1"; sleep 1; echo "$2"; sleep 1; echo "enable"; sleep 1; echo \

"$3"; sleep 1; echo "$4" "$6"; sleep 1; echo "exit" ) | telnet $5

}

echo "Enter user ID:"

read userid

echo "Enter password:"

read password

echo "Enter enable password:"

read enapass

echo "Enter command:"

read command

#echo "Enter command string after IP address (or nothing):"

#read command2

echo "Enter filename of IP address list (1 per line):"

read filename

echo "Enter IP address or name of CISCO Device:"

read address

cat "$filename" | xargs -i question "$userid" "$password" "$enapass" "$command"

"$address" {}

An advantage of using TELNET for connectivity testing (other than availability) is that prior commands tcpdump, ethereal and nmap usually require root/adminsitrator authority on the system running the command; TELNET does not.

................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download