lab/sec/ex-2_iptables.adoc

= Network analysis !
Apostolos rootApostolos@swarmlab.io
// Metadata:
:description: Intro and Install
:keywords: sec, tcpdump
:data-uri:
:toc: right
:toc-title: Πίνακας περιεχομένων
:toclevels: 4
:source-highlighter: highlight
:icons: font
:sectnums: 

include::header.adoc[]


{empty} +


[[cheat-Docker]]
== Install swarmlab-sec (Home PC)

HowTo: See http://docs.swarmlab.io/lab/sec/sec.adoc.html


.NOTE
[NOTE]
====
Assuming you're already logged in
====


**tcpdump** is a common packet analyzer that runs under the command line. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distributed under the BSD license, tcpdump is free software. 

https://en.wikipedia.org/wiki/Tcpdump[More: wikipedia]

== Basic

=== Everything on an interface

Just see what’s going on, by looking at what’s hitting your interface.

[source,bash]
----
tcpdump -i eth0
----

=== Find Traffic by IP

One of the most common queries, using host, you can see traffic that’s going to or from 1.1.1.1.

[source,bash]
----
tcpdump host 1.1.1.1
----


=== Filtering by Source and/or Destination

If you only want to see traffic in one direction or the other, you can use src and dst.

[source,bash]
----
tcpdump src 1.1.1.1
tcpdump dst 1.0.0.1
----

=== Finding Packets by Network

To find packets going to or from a particular network or subnet, use the net option.

[source,bash]
----
tcpdump net 1.2.3.0/24
----


=== Show Traffic Related to a Specific Port

You can find specific port traffic by using the port option followed by the port number.

[source,bash]
----
tcpdump port 3389
tcpdump src port 1025
----

=== Show Traffic of One Protocol

If you’re looking for one particular kind of traffic, you can use tcp, udp, icmp, and many others as well.

[source,bash]
----
tcpdump icmp
----

=== Reading / Writing Captures to a File (pcap)

It’s often useful to save packet captures into a file for analysis in the future. These files are known as PCAP (PEE-cap) files, and they can be processed by hundreds of different applications, including network analyzers, intrusion detection systems, and of course by tcpdump itself. Here we’re writing to a file called capture_file using the -w switch.


[source,bash]
----
tcpdump port 80 -w capture_file
----


== Advanced


[appendix]
== How to use tcpdump


This exercise will show you how to isolate traffic in various ways—from IP, to port, to protocol, to application-layer traffic—to make sure you find exactly what you need as quickly as possible.


:hardbreaks:

{empty} +
{empty} +
{empty} 

:!hardbreaks:

'''

.Reminder
[NOTE]
====
:hardbreaks:
Caminante, no hay camino, 
se hace camino al andar.

Wanderer, there is no path, 
the path is made by walking.

*Antonio Machado* Campos de Castilla
====
ex 2 5 years ago			`= Network analysis !`
			`Apostolos rootApostolos@swarmlab.io`
			`// Metadata:`
			`:description: Intro and Install`
			`:keywords: sec, tcpdump`
			`:data-uri:`
			`:toc: right`
			`:toc-title: Πίνακας περιεχομένων`
			`:toclevels: 4`
			`:source-highlighter: highlight`
			`:icons: font`
			`:sectnums:`

			`include::header.adoc[]`


			`{empty} +`


			`[[cheat-Docker]]`
			`== Install swarmlab-sec (Home PC)`

			`HowTo: See http://docs.swarmlab.io/lab/sec/sec.adoc.html`


			`.NOTE`
			`[NOTE]`
			`====`
			`Assuming you're already logged in`
			`====`


			`tcpdump is a common packet analyzer that runs under the command line. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distributed under the BSD license, tcpdump is free software.`

			`https://en.wikipedia.org/wiki/Tcpdump[More: wikipedia]`

			`== Basic`

			`=== Everything on an interface`

			`Just see what’s going on, by looking at what’s hitting your interface.`

			`[source,bash]`
			`----`
			`tcpdump -i eth0`
			`----`

			`=== Find Traffic by IP`

			`One of the most common queries, using host, you can see traffic that’s going to or from 1.1.1.1.`

			`[source,bash]`
			`----`
			`tcpdump host 1.1.1.1`
			`----`


			`=== Filtering by Source and/or Destination`

			`If you only want to see traffic in one direction or the other, you can use src and dst.`

			`[source,bash]`
			`----`
			`tcpdump src 1.1.1.1`
			`tcpdump dst 1.0.0.1`
			`----`

			`=== Finding Packets by Network`

			`To find packets going to or from a particular network or subnet, use the net option.`

			`[source,bash]`
			`----`
			`tcpdump net 1.2.3.0/24`
			`----`


			`=== Show Traffic Related to a Specific Port`

			`You can find specific port traffic by using the port option followed by the port number.`

			`[source,bash]`
			`----`
			`tcpdump port 3389`
			`tcpdump src port 1025`
			`----`

			`=== Show Traffic of One Protocol`

			`If you’re looking for one particular kind of traffic, you can use tcp, udp, icmp, and many others as well.`

			`[source,bash]`
			`----`
			`tcpdump icmp`
			`----`

			`=== Reading / Writing Captures to a File (pcap)`

			`It’s often useful to save packet captures into a file for analysis in the future. These files are known as PCAP (PEE-cap) files, and they can be processed by hundreds of different applications, including network analyzers, intrusion detection systems, and of course by tcpdump itself. Here we’re writing to a file called capture_file using the -w switch.`


			`[source,bash]`
			`----`
			`tcpdump port 80 -w capture_file`
			`----`


			`== Advanced`












			`[appendix]`
			`== How to use tcpdump`


			`This exercise will show you how to isolate traffic in various ways—from IP, to port, to protocol, to application-layer traffic—to make sure you find exactly what you need as quickly as possible.`







			`:hardbreaks:`

			`{empty} +`
			`{empty} +`
			`{empty}`

			`:!hardbreaks:`

			`'''`

			`.Reminder`
			`[NOTE]`
			`====`
			`:hardbreaks:`
			`Caminante, no hay camino,`
			`se hace camino al andar.`

			`Wanderer, there is no path,`
			`the path is made by walking.`

			`Antonio Machado Campos de Castilla`
			`====`