Old 03-03-2011, 03:00 AM
Jason Hsu
 
Default How do you use TCPDump?

I have it installed, and I can look up the parameters in the command.

What I don't understand is how I use it to investigate intrusions. Can someone shed some light on this?

--
Jason Hsu <jhsu802701@jasonhsu.com>


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20110302220041.35071bf9.jhsu802701@jasonhsu.com
 
Old 03-03-2011, 03:13 AM
Mike Viau
 
Default How do you use TCPDump?

> On Wed, 2 Mar 2011 22:00:41 -0600 <jhsu802701@jasonhsu.com> wrote:
>
> I have it installed, and I can look up the parameters in the command.
>
> What I don't understand is how I use it to investigate intrusions. Can someone shed some light on this?
>

What kind of intrusions are you looking for? TCPDump is a packet analyzer so what is analyzed is based on what filters you are looking for. TCPDump uses the libpcap library to capture packets. You can receive the packets based on the protocol type. You can specify one of these protocols — fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp.

You may also specify a port number to monitor which is nice if you are investigating a particular service. Or an IP address if you are interested in a specific host.

The filter may be used in combination with and'ing / or'ing them together. I tend to wrap my filters in single quotes, for example: tcpdump -i eth0 -n 'tcp and port 80 and dst 10.0.0.1'

One tip is to pass the -n switch when running because DNS queries slow down captures.

Hope that helps


-M



Archive: http://lists.debian.org/BAY148-w174AE84D50A7F526D341E4EFC30@phx.gbl
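An added example, not from the thread: the three-term filter in Mike's command, 'tcp and port 80 and dst 10.0.0.1', evaluated in plain Python over a constructed four-frame capture so you can see which frames each term admits or drops ('port N' matches either direction, 'dst A' is the IPv4 destination only). write_pcap also saves the same frames as a pcap, so the result can be checked against tcpdump -nr sample.pcap with the same expression. Addresses, ports and the frame layout are constructed sample values.

```python
import struct
import ipaddress

def build_frame(src_ip, dst_ip, proto, sport, dport):
    """Build a minimal Ethernet/IPv4/TCP-or-UDP frame (constructed sample; checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    if proto == "tcp":                                    # 20-byte TCP header, SYN flag set
        l4, ipproto = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 0, 0, 0), 6
    else:                                                 # 8-byte UDP header
        l4, ipproto = struct.pack("!HHHH", sport, dport, 8, 0), 17
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, ipproto, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + l4

def parse_frame(frame):
    """Decode just the fields the filter needs; None for non-IPv4 frames."""
    if frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length in bytes
    sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return {"proto": frame[23], "src": str(ipaddress.IPv4Address(frame[26:30])),
            "dst": str(ipaddress.IPv4Address(frame[30:34])), "sport": sport, "dport": dport}

def matches(frame, proto="tcp", port=80, dst="10.0.0.1"):
    """Python equivalent of the BPF expression 'tcp and port 80 and dst 10.0.0.1'."""
    p = parse_frame(frame)
    if p is None:
        return False
    return p["proto"] == {"tcp": 6, "udp": 17}[proto] and port in (p["sport"], p["dport"]) and p["dst"] == dst

def select(frames, **filt):
    """Indices of the frames the filter would let through."""
    return [i for i, fr in enumerate(frames) if matches(fr, **filt)]

def write_pcap(path, frames):
    """Write frames as a classic pcap (link type 1 = Ethernet) so tcpdump -r can read it."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, fr in enumerate(frames):                   # ts sec/usec, captured len, original len
            f.write(struct.pack("<IIII", 1299110400 + i, 0, len(fr), len(fr)) + fr)

# Constructed sample capture: only the first frame satisfies all three filter terms.
SAMPLE = [
    build_frame("192.0.2.10", "10.0.0.1", "tcp", 51000, 80),   # HTTP request to 10.0.0.1
    build_frame("10.0.0.1", "192.0.2.10", "tcp", 80, 51000),   # reply: port 80, but dst is the client
    build_frame("192.0.2.10", "10.0.0.1", "udp", 51001, 80),   # UDP, dropped by the 'tcp' term
    build_frame("192.0.2.10", "10.0.0.1", "tcp", 51002, 22),   # SSH, dropped by 'port 80'
]
if __name__ == "__main__":
    write_pcap("sample.pcap", SAMPLE)   # then: tcpdump -nr sample.pcap 'tcp and port 80 and dst 10.0.0.1'
    print(select(SAMPLE))               # [0]
```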
 
Old 03-03-2011, 01:00 PM
Anand Sivaram
 
Default How do you use TCPDump?

On Thu, Mar 3, 2011 at 09:43, Mike Viau <viaum@sheridanc.on.ca> wrote:

> > On Wed, 2 Mar 2011 22:00:41 -0600 <jhsu802701@jasonhsu.com> wrote:
> >
> > I have it installed, and I can look up the parameters in the command.
> >
> > What I don't understand is how I use it to investigate intrusions. Can someone shed some light on this?
>
> What kind of intrusions are you looking for? TCPDump is a packet analyzer so what is analyzed is based on what filters you are looking for. TCPDump uses the libpcap library to capture packets. You can receive the packets based on the protocol type. You can specify one of these protocols — fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp.
>
> You may also specify a port number to monitor which is nice if you are investigating a particular service. Or an IP address if you are interested in a specific host.
>
> The filter may be used in combination with and'ing / or'ing them together. I tend to wrap my filters in single quotes, for example: tcpdump -i eth0 -n 'tcp and port 80 and dst 10.0.0.1'
>
> One tip is to pass the -n switch when running because DNS queries slow down captures.
>
> Hope that helps
>
> -M

Tcpdump and Ethereal are very similar in terms of capture filters. They both use libpcap.
 
Old 03-04-2011, 02:11 AM
Chris Jones
 
Default How do you use TCPDump?

On Thu, Mar 03, 2011 at 09:00:43AM EST, Anand Sivaram wrote:

> Tcpdump and Ethereal are very similar in terms of capture filters.
> They both use libpcap.

I believe they call it ‘wireshark’ these days..

cj


Archive: http://lists.debian.org/20110304031150.GB4250@pavo.local
 
Old 03-04-2011, 03:45 AM
Steven Ayre
 
Default How do you use TCPDump?

There's tshark too... (part of wireshark but commandline like tcpdump, filters are identical to wireshark itself).

-Steve


On 4 Mar 2011, at 03:11, Chris Jones <cjns1989@gmail.com> wrote:

> On Thu, Mar 03, 2011 at 09:00:43AM EST, Anand Sivaram wrote:
>
>> Tcpdump and Ethereal are very similar in terms of capture filters.
>> They both use libpcap.
>
> I believe they call it ‘wireshark’ these days..
>
> cj
>


Archive: http://lists.debian.org/116381E8-8BE5-4583-AD73-EFFEC4F5D7DA@gmail.com
 
Old 03-04-2011, 07:30 AM
Anand Sivaram
 
Default How do you use TCPDump?

Correct, it is wireshark now. Somehow I still remember that with the name ethereal.

On Fri, Mar 4, 2011 at 10:15, Steven Ayre <steveayre@gmail.com> wrote:

> There's tshark too... (part of wireshark but commandline like tcpdump, filters are identical to wireshark itself).
>
> -Steve
>
> On 4 Mar 2011, at 03:11, Chris Jones <cjns1989@gmail.com> wrote:
>
> > On Thu, Mar 03, 2011 at 09:00:43AM EST, Anand Sivaram wrote:
> >
> > > Tcpdump and Ethereal are very similar in terms of capture filters.
> > > They both use libpcap.
> >
> > I believe they call it ‘wireshark’ these days..
> >
> > cj
 
Old 03-04-2011, 10:58 AM
Chris Jones
 
Default How do you use TCPDump?

On Fri, Mar 04, 2011 at 03:30:47AM EST, Anand Sivaram wrote:

> Correct, it is wireshark now. Somehow I still remember that with the
> name ethereal

In ‘lenny’ at least, there's still a dummy ‘ethereal’ package.. That's
how I found the new name.. couldn't remember it. Anyway, I mentioned it
in case the OP needs to google for it.

cj


Archive: http://lists.debian.org/20110304115801.GA4176@pavo.local
 
Old 03-04-2011, 12:25 PM
shawn wilson
 
Default How do you use TCPDump?

On Wed, Mar 2, 2011 at 11:00 PM, Jason Hsu <jhsu802701@jasonhsu.com> wrote:

> I have it installed, and I can look up the parameters in the command.
>
> What I don't understand is how I use it to investigate intrusions. Can someone shed some light on this?




look at snort. it's pretty much the industry standard when it comes to ids.

also, you can either use the new snort format (which is a pita to convert to pcap format) or you can have it log 'interesting' things to a flat file and directly look at it with tshark or tcpdump or scapy or whatever else you'd like.


now, what's cool, is if you see something that starts to make you wonder, you go into scapy, modify the packets and replay. fun

one last thing, learn how to write 'good' rules. just because you've got a bunch of data doesn't make it good data. in fact, too much data is bad data because someone has to look through it all, after a while complacency sets in and your analysis guy becomes useless. in this case, i suppose the analysis guy would be you
 
