diff --git a/sec/ex-2_iptables.adoc b/sec/ex-2_iptables.adoc new file mode 100644 index 0000000..3cd77b2 --- /dev/null +++ b/sec/ex-2_iptables.adoc 
@@ -0,0 +1,154 @@ += Network analysis ! +Apostolos rootApostolos@swarmlab.io +// Metadata: +:description: Intro and Install +:keywords: sec, tcpdump +:data-uri: +:toc: right +:toc-title: Πίνακας περιεχομένων +:toclevels: 4 +:source-highlighter: highlight +:icons: font +:sectnums: + +include::header.adoc[] + + +{empty} + + + +[[cheat-Docker]] +== Install swarmlab-sec (Home PC) + +HowTo: See http://docs.swarmlab.io/lab/sec/sec.adoc.html + + +.NOTE +[NOTE] +==== +Assuming you're already logged in +==== + + +**tcpdump** is a common packet analyzer that runs under the command line. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distributed under the BSD license, tcpdump is free software. + +https://en.wikipedia.org/wiki/Tcpdump[More: wikipedia] + +== Basic + +=== Everything on an interface + +Just see what’s going on, by looking at what’s hitting your interface. + +[source,bash] +---- +tcpdump -i eth0 +---- + +=== Find Traffic by IP + +One of the most common queries, using host, you can see traffic that’s going to or from 1.1.1.1. + +[source,bash] +---- +tcpdump host 1.1.1.1 +---- + + +=== Filtering by Source and/or Destination + +If you only want to see traffic in one direction or the other, you can use src and dst. + +[source,bash] +---- +tcpdump src 1.1.1.1 +tcpdump dst 1.0.0.1 +---- + +=== Finding Packets by Network + +To find packets going to or from a particular network or subnet, use the net option. + +[source,bash] +---- +tcpdump net 1.2.3.0/24 +---- + + +=== Show Traffic Related to a Specific Port + +You can find specific port traffic by using the port option followed by the port number. + +[source,bash] +---- +tcpdump port 3389 +tcpdump src port 1025 +---- + +=== Show Traffic of One Protocol + +If you’re looking for one particular kind of traffic, you can use tcp, udp, icmp, and many others as well. 
+ +[source,bash] +---- +tcpdump icmp +---- + +=== Reading / Writing Captures to a File (pcap) + +It’s often useful to save packet captures into a file for analysis in the future. These files are known as PCAP (PEE-cap) files, and they can be processed by hundreds of different applications, including network analyzers, intrusion detection systems, and of course by tcpdump itself. Here we’re writing to a file called capture_file using the -w switch. + + +[source,bash] +---- +tcpdump port 80 -w capture_file +---- + + +== Advanced + + + + + + + + + + + + +[appendix] +== How to use tcpdump + + +This exercise will show you how to isolate traffic in various ways—from IP, to port, to protocol, to application-layer traffic—to make sure you find exactly what you need as quickly as possible. + + + + + + + +:hardbreaks: + +{empty} + +{empty} + +{empty} + +:!hardbreaks: + +''' + +.Reminder +[NOTE] +==== +:hardbreaks: +Caminante, no hay camino, +se hace camino al andar. + +Wanderer, there is no path, +the path is made by walking. + +*Antonio Machado* Campos de Castilla +====
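Review bot: the file is added as sec/ex-2_iptables.adoc, but nothing in it concerns iptables; the title, keywords (`:keywords: sec, tcpdump`) and the appendix "How to use tcpdump" are all about tcpdump, so either rename the file (for example sec/ex-2_tcpdump.adoc) or change the title and keywords to match the exercise the filename promises. A few smaller points in the same hunk: the `== Advanced` section is empty and is followed only by blank lines, so either fill it or drop it until there is content; `:source-highlighter: highlight` is not a value Asciidoctor recognises (it expects `highlight.js` / `highlightjs`, `rouge`, `coderay` or `pygments`), so the `[source,bash]` blocks will render without highlighting; the title line `+= Network analysis !` carries a stray exclamation mark. In the pcap section, `tcpdump port 80 -w capture_file` places the `-w` option after the filter expression, which only works where getopt permutes arguments; writing it as `tcpdump -w capture_file port 80` is portable, and since the text says the file can be read back by tcpdump itself, showing the matching `tcpdump -r capture_file` would complete the "Reading / Writing" heading, which currently documents writing only. Finally, the exercise assumes the reader is logged in but never states that every command shown needs capture privileges (root or CAP_NET_RAW/CAP_NET_ADMIN), which is worth one sentence in the NOTE block so that the first `tcpdump -i eth0` does not fail with a permission error.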