1 / 13

TCPDUMP

TCPDUMP. Network-Based Intrusion Detection. Description. Packet sniffing is the heart of intrusion detection and of understanding what is actually occurring on your network. TCPDUMP provides options and filters to assist in the proper and thorough analysis of the acquired traffic.

flo
Download Presentation

TCPDUMP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. TCPDUMP Network-Based Intrusion Detection

  2. Description • Packet sniffing is the heart of intrusion detection and of understanding what is actually occurring on your network. • TCPDUMP provides options and filters to assist in the proper and thorough analysis of the acquired traffic.

  3. How to install? • For Linux • Download libpcap from http://www.tcpdump.org/release/libpcap-0.7.2.tar.gz • tar zxvf libpcap-0.7.2.tar.gz; cd libpcap-0.7.2; ./configure; make; make install • Download tcpdump fom http://www.tcpdump.org/release/tcpdump-3.7.2.tar.gz • tar zxvf tcpdump-3.7.2.tar.gz; cd tcpdump-3.7.2; ./configure; make; make install • For windows • Download winpcap.exe from http://winpcap.polito.it/install/bin/WinPcap_3_0.exe • Download windump.exe from http://windump.polito.it/install/bin/WinDump.exe • Install winpcap and execute windump.exe • For FreeBSD • bulit-in function

  4. Output format • ARP/RARP packets arp who-has [A] tell [B] arp reply [A] is-at [a] • TCP packets src > dst: flags data-seqno ack window urgent options • src: source ip address and port • dst: destination ip address and port • flags: S (SYN), F (FIN), P(PUSH), R(RST), . (no flags) • Data-seqno: describes the portion of sequence space covered by the data in the packet • Ack: sequence number of the next data • Window: the number of byte of receive buffer space • Urg: indicates there is “urgent” data in the packet • Options: tcp options enclosed in angle brackets

  5. Summary • Tcpdump and windump are powerful packet capture utilities that allow for the extraction of particular types of network traffic based on header information. They can filter any field in the IP, ICMP, UDP, or TCP header using byte offsets.

  6. Conclusion&What do you learn? • To demonstrate how to install and use tcpdump and windump and how to analyze data that is collected • To understand what the basic functionality of network-based intrusion detection. • More information about WinDump, plz visit http://windump.polito.it/docs/default.htm

  7. TCPREPLAY Replay packets from capture files

  8. Description • Tcpreplay is a tool for replaying network traffic from files saved with tcpdump

  9. basic operation • to resend all packets from input files at the spped at wich they were recorded, a specified data rate, or as fast as the hardware is capable.

  10. example

  11. Summary • By processing a cache file generated by tcpprep, tcpreplay is able to split traffic between two interfaces. This is useful for testing bridges, routers, and other gateway devices.

More Related