Diese Präsentation wurde erfolgreich gemeldet.
Die SlideShare-Präsentation wird heruntergeladen. ×

Introduction to tcpdump

Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Nächste SlideShare
Tcpdump
Tcpdump
Wird geladen in …3
×

Hier ansehen

1 von 19 Anzeige

Weitere Verwandte Inhalte

Diashows für Sie (19)

Anzeige

Ähnlich wie Introduction to tcpdump (20)

Aktuellste (20)

Anzeige

Introduction to tcpdump

  1. 1. tcpdump capturing network traffic Lev Walkin @levwalkin
  2. 2. What is tcpdump? Capture [Save] Filter Show and explain
  3. 3. Why tcpdump? Universal file format (.pcap) Universal filter expression Can work on remote hosts
  4. 4. Quick start “No DNS” “Hex dump” faster display display payload tcpdump -n -s 1500 -X “Packet size” fuller capture
  5. 5. Header tcpdump -Xns0 HEX ASCII (-X) (-A) ...next
  6. 6. Workflow 1: Online analysis Fast (-n), full (-s0), with dump (-X), ...and filter: tcpdump -Xns0 port 80
  7. 7. Workflow 2: Offline analysis Full (-s0), write to a file (-w), then read: tcpdump -s0 -w abc.pcap port 80 tcpdump -nXr abc.pcap host nweb30
  8. 8. Architecture tcpdump tcpdump.exe libpcap.so BPF libpcap.a /dev/bpf0 ??? BPF BSD Kernel $OS Kernel
  9. 9. BPF: Berkeley Packet Filter The human readable filter is converted to a bytecode (-d), sent to kernel. Efficient. http://www.tcpdump.org/ papers/bpf-usenix93.pdf
  10. 10. Filter language and, or port 80 host nweb30 ‘src host localhost and dst port 80’
  11. 11. Timestamp L3 protocol (-tt, -ttt, -tttt) Output (IP, GRE, etc) Relative TCP ack number src host src port dst host & port TCP Flags Relative TCP Advertised TCP (S, F, R) sequence number 1343949078.196214 IP window size 216.218.215.245.61966 > 50.18.0.102.80: Flags [P.], seq 1:473, ack 1, win 8265, options [nop,nop,TS val 808617737 ecr 1091126708], length 472 List of TCP Payload length options (e.g. wscale)
  12. 12. WTFs (0/3) tcpdump: no suitable device found Use sudo or check /dev/bpf* permissions
  13. 13. WTFs (1/3) Output is laggy? Disable DNS resolution (-n) Or save to a file (-w)
  14. 14. WTFs (2/3) Nothing happens? Select a proper interface (-i ppp0)
  15. 15. WTFs (3/3) Want to cut-n-paste HTML? Use ASCII output (-A), or save to .pcap (-r) and fire up vim.
  16. 16. RFCs IP: RFC791 TCP: RFC793, 1122 DNS: RFC1034, 1035 Many short overviews exist!
  17. 17. See also WireShark (GUI) SSLdump (decrypt HTTPS) tcpflow (split by TCP flow) libpcap (C interface) lionet.info/ipcad
  18. 18. RTFM man pcap-filter man tcpdump man pcap man bpf
  19. 19. Questions?

×