I have it installed, and I can look up the parameters in the command.
What I don't understand is how I use it to investigate intrusions. Can someone shed some light on this?
--
Jason Hsu <jhsu802701@jasonhsu.com>
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20110302220041.35071bf9.jhsu802701@jasonhsu.com">h ttp://lists.debian.org/20110302220041.35071bf9.jhsu802701@jasonhsu.com
03-03-2011, 03:13 AM
Mike Viau
How do you use TCPDump?
> On Wed, 2 Mar 2011 22:00:41 -0600 <jhsu802701@jasonhsu.com> wrote:
>
> I have it installed, and I can look up the parameters in the command.
>
> What I don't understand is how I use it to investigate intrusions. Can someone shed some light on this?
>
What kind of intrusions are you looking for? TCPDump is a packet analyze so what is analyzed is based on what filters you are looking for. TCPDump uses the libpcap library to capture packets. You can receive the packets based on the protocol type. You can specify
one of these protocols — fddi, tr, wlan, ip, ip6, arp, rarp, decnet,
tcp and udp.
You may also specify a port number to monitor which is nice if you are investigating a particular service. Or an IP address if you are interested in a specific host.
The filter may be used in combinations with and'ing / or'ing them together. I tend to wrap my filters in single quotes, for example: tcpdump -i eth0 -nÂ* 'tcp and port 80 and dst 10.0.0.1'
One tip is to pass the -n switch when running because DNS queries slow down captures.
Hope that helps
-M
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: BAY148-w174AE84D50A7F526D341E4EFC30@phx.gbl">http://lists.debian.org/BAY148-w174AE84D50A7F526D341E4EFC30@phx.gbl
03-03-2011, 01:00 PM
Anand Sivaram
How do you use TCPDump?
On Thu, Mar 3, 2011 at 09:43, Mike Viau <viaum@sheridanc.on.ca> wrote:
> On Wed, 2 Mar 2011 22:00:41 -0600 <jhsu802701@jasonhsu.com> wrote:
>
> I have it installed, and I can look up the parameters in the command.
>
> What I don't understand is how I use it to investigate intrusions. Â*Can someone shed some light on this?
>
What kind of intrusions are you looking for? TCPDump is a packet analyze so what is analyzed is based on what filters you are looking for. TCPDump uses the libpcap library to capture packets. You can receive the packets based on the protocol type. You can specify
one of these protocols — fddi, tr, wlan, ip, ip6, arp, rarp, decnet,
tcp and udp.
You may also specify a port number to monitor which is nice if you are investigating a particular service. Or an IP address if you are interested in a specific host.
The filter may be used in combinations with and'ing / or'ing them together. I tend to wrap my filters in single quotes, for example: tcpdump -i eth0 -nÂ* 'tcp and port 80 and dst 10.0.0.1'
One tip is to pass the -n switch when running because DNS queries slow down captures.
Hope that helps
-M
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Tcpdump and Ethereal are very similar in terms of capture filters.Â* They both use libpcap.
03-04-2011, 02:11 AM
Chris Jones
How do you use TCPDump?
On Thu, Mar 03, 2011 at 09:00:43AM EST, Anand Sivaram wrote:
> Tcpdump and Ethereal are very similar in terms of capture filters.
> They both use libpcap.
I believe they call it ‘wireshark’ these days..
cj
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20110304031150.GB4250@pavo.local">http://lists.debian.org/20110304031150.GB4250@pavo.local
03-04-2011, 03:45 AM
Steven Ayre
How do you use TCPDump?
There's tshark too... (part of wireshark but commandline like tcpdump, filters are identical to wireshark itself).
-Steve
On 4 Mar 2011, at 03:11, Chris Jones <cjns1989@gmail.com> wrote:
> On Thu, Mar 03, 2011 at 09:00:43AM EST, Anand Sivaram wrote:
>
>> Tcpdump and Ethereal are very similar in terms of capture filters.
>> They both use libpcap.
>
> I believe they call it ‘wireshark’ these days..
>
> cj
>
>
> --
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: http://lists.debian.org/20110304031150.GB4250@pavo.local
>
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 116381E8-8BE5-4583-AD73-EFFEC4F5D7DA@gmail.com">http://lists.debian.org/116381E8-8BE5-4583-AD73-EFFEC4F5D7DA@gmail.com
03-04-2011, 07:30 AM
Anand Sivaram
How do you use TCPDump?
Correct, it is wireshark now.Â* Somehow I still remember that with the name ethereal
On Fri, Mar 4, 2011 at 10:15, Steven Ayre <steveayre@gmail.com> wrote:
There's tshark too... (part of wireshark but commandline like tcpdump, filters are identical to wireshark itself).
-Steve
On 4 Mar 2011, at 03:11, Chris Jones <cjns1989@gmail.com> wrote:
> On Thu, Mar 03, 2011 at 09:00:43AM EST, Anand Sivaram wrote:
>
>> Tcpdump and Ethereal are very similar in terms of capture filters.
>> They both use libpcap.
>
> I believe they call it ‘wireshark’ these days..
>
> cj
>
>
> --
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
On Fri, Mar 04, 2011 at 03:30:47AM EST, Anand Sivaram wrote:
> Correct, it is wireshark now. Somehow I still remember that with the
> name ethereal
In ‘lenny’ at least, there's still a dummy ‘ethereal’ package.. That's
how I found the new name.. couldn't remember it. Anyway, I mentioned it
in case the OP needs to google for it.
cj
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20110304115801.GA4176@pavo.local">http://lists.debian.org/20110304115801.GA4176@pavo.local
03-04-2011, 12:25 PM
shawn wilson
How do you use TCPDump?
On Wed, Mar 2, 2011 at 11:00 PM, Jason Hsu <jhsu802701@jasonhsu.com> wrote:
I have it installed, and I can look up the parameters in the command.
What I don't understand is how I use it to investigate intrusions. *Can someone shed some light on this?
look at snort. it's pretty much the industry standard when it comes to ids.
also, you can either use the new snort format (which is a pita to convert to pcap format) or you can have it log 'interesting' things to a flat file and directly look it with tshark or tcpdump or scapy or whatever else you'd like.
now, what's cool, is if you see something that starts to make you wonder, you go into scapy, modify the packets and replay. fun
one last thing, learn how to write 'good' rules. just because you've got a bunch of data doesn't make it good data. in fact, too much data is bad data because someone has to look through it all, after a while complacency sets in and your analysis guy becomes useless. in this case, i suppose the analysis guy would be you *
How do you use TCPDump?
