test2
5 years ago
1 changed files with 154 additions and 0 deletions
@ -0,0 +1,154 @@ |
|||||
|
= Network analysis ! |
||||
|
Apostolos rootApostolos@swarmlab.io |
||||
|
// Metadata: |
||||
|
:description: Intro and Install |
||||
|
:keywords: sec, tcpdump |
||||
|
:data-uri: |
||||
|
:toc: right |
||||
|
:toc-title: Πίνακας περιεχομένων |
||||
|
:toclevels: 4 |
||||
|
:source-highlighter: highlight |
||||
|
:icons: font |
||||
|
:sectnums: |
||||
|
|
||||
|
include::header.adoc[] |
||||
|
|
||||
|
|
||||
|
{empty} + |
||||
|
|
||||
|
|
||||
|
[[cheat-Docker]] |
||||
|
== Install swarmlab-sec (Home PC) |
||||
|
|
||||
|
HowTo: See http://docs.swarmlab.io/lab/sec/sec.adoc.html |
||||
|
|
||||
|
|
||||
|
.NOTE |
||||
|
[NOTE] |
||||
|
==== |
||||
|
Assuming you're already logged in |
||||
|
==== |
||||
|
|
||||
|
|
||||
|
**tcpdump** is a common packet analyzer that runs under the command line. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distributed under the BSD license, tcpdump is free software. |
||||
|
|
||||
|
https://en.wikipedia.org/wiki/Tcpdump[More: wikipedia] |
||||
|
|
||||
|
== Basic |
||||
|
|
||||
|
=== Everything on an interface |
||||
|
|
||||
|
Just see what’s going on, by looking at what’s hitting your interface. |
||||
|
|
||||
|
[source,bash] |
||||
|
---- |
||||
|
tcpdump -i eth0 |
||||
|
---- |
||||
|
|
||||
|
=== Find Traffic by IP |
||||
|
|
||||
|
One of the most common queries, using host, you can see traffic that’s going to or from 1.1.1.1. |
||||
|
|
||||
|
[source,bash] |
||||
|
---- |
||||
|
tcpdump host 1.1.1.1 |
||||
|
---- |
||||
|
|
||||
|
|
||||
|
=== Filtering by Source and/or Destination |
||||
|
|
||||
|
If you only want to see traffic in one direction or the other, you can use src and dst. |
||||
|
|
||||
|
[source,bash] |
||||
|
---- |
||||
|
tcpdump src 1.1.1.1 |
||||
|
tcpdump dst 1.0.0.1 |
||||
|
---- |
||||
|
|
||||
|
=== Finding Packets by Network |
||||
|
|
||||
|
To find packets going to or from a particular network or subnet, use the net option. |
||||
|
|
||||
|
[source,bash] |
||||
|
---- |
||||
|
tcpdump net 1.2.3.0/24 |
||||
|
---- |
||||
|
|
||||
|
|
||||
|
=== Show Traffic Related to a Specific Port |
||||
|
|
||||
|
You can find specific port traffic by using the port option followed by the port number. |
||||
|
|
||||
|
[source,bash] |
||||
|
---- |
||||
|
tcpdump port 3389 |
||||
|
tcpdump src port 1025 |
||||
|
---- |
||||
|
|
||||
|
=== Show Traffic of One Protocol |
||||
|
|
||||
|
If you’re looking for one particular kind of traffic, you can use tcp, udp, icmp, and many others as well. |
||||
|
|
||||
|
[source,bash] |
||||
|
---- |
||||
|
tcpdump icmp |
||||
|
---- |
||||
|
|
||||
|
=== Reading / Writing Captures to a File (pcap) |
||||
|
|
||||
|
It’s often useful to save packet captures into a file for analysis in the future. These files are known as PCAP (PEE-cap) files, and they can be processed by hundreds of different applications, including network analyzers, intrusion detection systems, and of course by tcpdump itself. Here we’re writing to a file called capture_file using the -w switch. |
||||
|
|
||||
|
|
||||
|
[source,bash] |
||||
|
---- |
||||
|
tcpdump port 80 -w capture_file |
||||
|
---- |
||||
|
|
||||
|
|
||||
|
== Advanced |
||||
|
|
||||
|
|
||||
|
|
||||
|
|
||||
|
|
||||
|
|
||||
|
|
||||
|
|
||||
|
|
||||
|
|
||||
|
|
||||
|
|
||||
|
[appendix] |
||||
|
== How to use tcpdump |
||||
|
|
||||
|
|
||||
|
This exercise will show you how to isolate traffic in various ways—from IP, to port, to protocol, to application-layer traffic—to make sure you find exactly what you need as quickly as possible. |
||||
|
|
||||
|
|
||||
|
|
||||
|
|
||||
|
|
||||
|
|
||||
|
|
||||
|
:hardbreaks: |
||||
|
|
||||
|
{empty} + |
||||
|
{empty} + |
||||
|
{empty} |
||||
|
|
||||
|
:!hardbreaks: |
||||
|
|
||||
|
''' |
||||
|
|
||||
|
.Reminder |
||||
|
[NOTE] |
||||
|
==== |
||||
|
:hardbreaks: |
||||
|
Caminante, no hay camino, |
||||
|
se hace camino al andar. |
||||
|
|
||||
|
Wanderer, there is no path, |
||||
|
the path is made by walking. |
||||
|
|
||||
|
*Antonio Machado* Campos de Castilla |
||||
|
==== |
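Review bot: the write-to-file example in the "Reading / Writing Captures to a File (pcap)" section, `tcpdump port 80 -w capture_file`, puts the `-w` option after the filter expression, which only works where getopt permutes arguments (GNU/Linux); on platforms whose getopt stops at the first non-option argument, `-w capture_file` is handed to the filter parser and the command fails with a syntax error. Put options before the expression so the example is portable: `tcpdump -w capture_file port 80`. Two smaller points in the same file: the `== Advanced` section is added with no body at all (only blank lines until the `[appendix]`), so either fill it in or leave it out of this commit; and the anchor `[[cheat-Docker]]` is attached to the "Install swarmlab-sec (Home PC)" section, which has nothing to do with Docker, so rename it to match the heading (e.g. `[[install-swarmlab-sec]]`) before other documents link to it.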