= Network analysis
Apostolos <rootApostolos@swarmlab.io>
// Metadata:
:description: Intro and Install
:keywords: sec, tcpdump
:data-uri:
:toc: right
:toc-title: Table of contents
:toclevels: 4
:source-highlighter: highlight
:icons: font
:sectnums:

include::header.adoc[]

{empty} +

[[cheat-Docker]]
== Install swarmlab-sec (Home PC)

HowTo: See http://docs.swarmlab.io/lab/sec/sec.adoc.html

.NOTE
[NOTE]
====
Assuming you're already logged in
====

**tcpdump** is a common packet analyzer that runs under the command line. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distributed under the BSD license, tcpdump is free software.

https://en.wikipedia.org/wiki/Tcpdump[More: wikipedia]

== Basic

Capturing raw packets requires root privileges (or the CAP_NET_RAW and CAP_NET_ADMIN capabilities), so the commands below are normally run with sudo. Adding the -n switch disables reverse DNS lookups, which keeps the output fast and avoids generating DNS traffic of its own while you are capturing. The filter primitives shown below can be combined with and, or and not.

=== Everything on an interface

Just see what's going on by looking at what's hitting your interface.

[source,bash]
----
tcpdump -i eth0
----

=== Find Traffic by IP

One of the most common queries: using host, you can see traffic that's going to or from 1.1.1.1 (it matches either direction).

[source,bash]
----
tcpdump host 1.1.1.1
----

=== Filtering by Source and/or Destination

If you only want to see traffic in one direction or the other, you can use src and dst.

[source,bash]
----
tcpdump src 1.1.1.1
tcpdump dst 1.0.0.1
----

=== Finding Packets by Network

To find packets going to or from a particular network or subnet, use the net option with CIDR notation.

[source,bash]
----
tcpdump net 1.2.3.0/24
----

=== Show Traffic Related to a Specific Port

You can find specific port traffic by using the port option followed by the port number. A bare port matches either the source or the destination port; prefix it with src or dst to restrict it to one side.

[source,bash]
----
tcpdump port 3389
tcpdump src port 1025
----

=== Show Traffic of One Protocol

If you're looking for one particular kind of traffic, you can use tcp, udp, icmp, and many others as well.

[source,bash]
----
tcpdump icmp
----

=== Reading / Writing Captures to a File (pcap)

It's often useful to save packet captures into a file for analysis in the future.
These files are known as PCAP (PEE-cap) files, and they can be processed by hundreds of different applications, including network analyzers, intrusion detection systems, and of course by tcpdump itself.

Here we're writing port 80 traffic to a file called capture_file using the -w switch. Options such as -w conventionally go before the filter expression. The saved file can be read back later with the -r switch, and the same filter syntax applies when reading.

[source,bash]
----
tcpdump -w capture_file port 80
----

== Advanced

[appendix]
== How to use tcpdump

This exercise will show you how to isolate traffic in various ways, from IP, to port, to protocol, to application-layer traffic, to make sure you find exactly what you need as quickly as possible.

:hardbreaks:
{empty} +
{empty} +
{empty}
:!hardbreaks:

'''

.Reminder
[NOTE]
====
:hardbreaks:
Caminante, no hay camino, se hace camino al andar.
Wanderer, there is no path, the path is made by walking.

*Antonio Machado*
Campos de Castilla
====
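The following is an added worked example for this exercise; it is not code from the original page or from the tcpdump project. It builds a small pcap file in memory from constructed Ethernet/IPv4 frames (dummy MAC addresses, minimal headers, no checksums, made-up hosts and ports that reuse the 1.1.1.1, 1.0.0.1, 1.2.3.0/24, 3389 and 1025 values from the Basic section), then parses the pcap and applies filter predicates with the same meaning as the tcpdump expressions shown above: host matches either direction, src and dst one direction, net a CIDR range, port either the source or the destination port, a bare protocol name the IP protocol, and several primitives together act as an implicit and. The helper names, the sample frames and the capture_file.pcap filename are assumptions made for the example.

```python
"""Added example (not from the page or tcpdump): write, read and filter a pcap.

The frames built here are constructed for the demonstration (dummy MACs,
minimal headers, no checksums); `tcpdump -nr capture_file.pcap` still reads
the file this produces, because it is the classic pcap format `-w` writes.
"""
import ipaddress
import struct

LINKTYPE_ETHERNET = 1
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def ipv4_frame(src_ip, dst_ip, ip_proto, l4):
    """Ethernet II frame carrying a minimal 20-byte IPv4 header plus the L4 bytes."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")  # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, ip_proto, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + l4


def tcp_syn(sport, dport):
    """Minimal TCP header: ports, seq/ack 0, data offset 5, SYN flag, window, no checksum."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)


def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def icmp_echo():
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # type 8 = echo request, code 0


def write_pcap(frames):
    """Serialise frames as a little-endian classic pcap, the format `tcpdump -w` produces."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):  # per-record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield decoded IPv4 packets from pcap bytes, accepting either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a pcap file")
    if struct.unpack(endian + "IHHiIII", data[:24])[6] != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type")
    pos = 24
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        pkt = decode_frame(data[pos:pos + incl_len])
        pos += incl_len
        if pkt is not None:
            yield pkt


def decode_frame(frame):
    """Return {src, dst, proto[, sport, dport]} for an IPv4 frame, None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4  # header length in bytes; options, if any, are skipped
    ip_proto = frame[23]
    pkt = {"src": str(ipaddress.IPv4Address(frame[26:30])),
           "dst": str(ipaddress.IPv4Address(frame[30:34])),
           "proto": PROTO_NAMES.get(ip_proto, str(ip_proto))}
    l4 = frame[14 + ihl:]
    if ip_proto in (6, 17) and len(l4) >= 4:  # TCP and UDP both start with sport, dport
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
    return pkt


# Filter primitives with tcpdump's semantics; each returns a predicate on a decoded packet.
def host(addr): return lambda p: addr in (p["src"], p["dst"])
def src(addr): return lambda p: p["src"] == addr
def dst(addr): return lambda p: p["dst"] == addr
def port(n): return lambda p: n in (p.get("sport"), p.get("dport"))
def src_port(n): return lambda p: p.get("sport") == n
def proto(name): return lambda p: p["proto"] == name
def net(cidr):
    network = ipaddress.ip_network(cidr)
    return lambda p: any(ipaddress.ip_address(p[k]) in network for k in ("src", "dst"))


def capture(pcap_bytes, *filters):
    """Like `tcpdump -r file <expr>`: keep packets matching every primitive (implicit and)."""
    return [p for p in read_pcap(pcap_bytes) if all(f(p) for f in filters)]


# Constructed traffic: a DNS exchange with 1.1.1.1, an RDP SYN into 1.2.3.0/24 from
# source port 1025, a ping to 1.0.0.1 and an inbound HTTP SYN.
SAMPLE_PCAP = write_pcap([
    ipv4_frame("10.0.0.5", "1.1.1.1", 17, udp(53001, 53)),
    ipv4_frame("1.1.1.1", "10.0.0.5", 17, udp(53, 53001)),
    ipv4_frame("10.0.0.5", "1.2.3.7", 6, tcp_syn(1025, 3389)),
    ipv4_frame("10.0.0.5", "1.0.0.1", 1, icmp_echo()),
    ipv4_frame("192.168.1.9", "10.0.0.5", 6, tcp_syn(44000, 80)),
])

if __name__ == "__main__":
    with open("capture_file.pcap", "wb") as f:  # inspect with: tcpdump -nr capture_file.pcap
        f.write(SAMPLE_PCAP)
    for label, flt in [("host 1.1.1.1", host("1.1.1.1")), ("port 3389", port(3389)),
                       ("icmp", proto("icmp")), ("net 1.2.3.0/24", net("1.2.3.0/24"))]:
        print(f"{label}: {len(capture(SAMPLE_PCAP, flt))} packet(s)")
```

Running the script writes capture_file.pcap and prints the match count for each filter; comparing those counts with `tcpdump -nr capture_file.pcap <expr>` on the same file is a quick way to check that your reading of a filter matches what tcpdump actually does.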