16.13 Using tcpdump to Monitor Your LAN

One of the U.S. government's energy and nuclear research laboratories, Lawrence Berkeley Lab (LBL), offers the tcpdump Linux/UNIX utility. This utility is a network sniffer, intended for System Administrators to analyze their computers and networks for both general network problems and security problems.
16.13.1 Building tcpdump

The tcpdump program and related software may be downloaded from the laboratory and it is easy to set up and use. First, download these three files:

ftp://ftp.ee.lbl.gov/libpcap.tar.Z
ftp://ftp.ee.lbl.gov/pcapture-0.2.1.tar.Z
ftp://ftp.ee.lbl.gov/tcpdump-3.4.tar.Z

Issue the following commands to extract the files into subdirectories called libpcap-0.4, pcapture-0.2.1, and tcpdump-3.4 containing the sources:

tar -xzovf libpcap.tar.Z
tar -xzovf pcapture-0.2.1.tar.Z
tar -xzovf tcpdump-3.4.tar.Z

Then, build libpcap with

cd libpcap-0.4
./configure
make
cd ..
ln -s libpcap-0.4 libpcap

Build pcapture with

cd pcapture-0.2.1
./configure
make
su
make install
make install-man
exit

Finally, build and install tcpdump.

cd ../tcpdump-3.4
./configure
make
su
make install
make install-man

If you are using csh, issue the rehash command. To watch ARP packets, the following is a starting point:

tcpdump arp

Similarly, ICMP packets can be watched with

tcpdump icmp

16.13.2 Using tcpdump

Some of tcpdump's more useful flags are discussed here. The -i flag is used to specify which interface to use. The -l flag causes tcpdump to line-buffer the output even if it is not going to a tty. This is useful in the following, where immediate output to the screen is desired, as well as capture in a file for later detailed analysis.

tcpdump -l other options | tee foo

or

tcpdump -l other options > foo&
tail -f foo

The -N flag chops displayed host names at the first dot. Following any flags is an optional expression that specifies which packets should be dumped. The absence of an expression will cause all packets to be dumped. If you run tcpdump over a networked telnet or X session, this I/O will itself be displayed. (Think "infinite loop.") An expression is similar to one in a programming language or the find program. Some of the "primitive" elements that may be used to build expressions include the following.
If you are suspicious about someone on the Internet trying to download your DNS information and you are the SysAdmin for Pentacorp, the following would watch for this. In this example you are watching on the PPP interface. Of course, a large company would have a larger pipe. Recall that zone transfers are done using TCP; limiting your dumps to it avoids all the single-host lookups that will be routine for those sending e-mail to your people and surfing your public Web site.

tcpdump -i ppp0 dst port 53 and tcp and not src net 192.168.0.0/16

Because you are Pentacorp, in your /etc/networks file, you have the entry

pentacorp.com 192.168.0.0

Three of your engineers have left recently for a startup called pieinsky.com. The big boss called you into his office and introduced you to the corporate attorney who explained that raiding is suspected; that is, they are deliberately trying to hire away a large number of your best people. They want you to monitor the corporate network for any evidence of the other company trying to contact your people. You explain that technically it is easy but that you want there to be no misunderstanding about the request and written assurance that it would be legal in your jurisdiction. The big boss hands you a dated memorandum with his signature asking you to do the monitoring and the attorney provides a written opinion that the requested action is legal. You then can issue the following command on the firewall:

dig pieinsky.com

Its output includes these "A" (address) records.

;; ANSWERS:
pieinsky.com. 41771 A 207.46.130.149
pieinsky.com. 41771 A 207.46.130.45
pieinsky.com. 41771 A 207.46.131.137
pieinsky.com. 41771 A 207.46.131.30
pieinsky.com. 41771 A 207.46.130.14

Note that they have two class-C addresses to watch.
The following should do nicely:

tcpdump -l -i eth1 src net 207.46.130.0/23 and \
    '(' dst port 25 or dst port 80 ')' \
    > watch.log&
tail +0f watch.log

Use the -l flag to indicate line buffering so you can see each line as it comes in, and the -i flag to specify the interface that is connected to the Internet. Because they have class-C addresses, a /24 would select one of them; because the two are adjacent, simply ignore the low-order bit of the third octet by using /23, which covers both. You are looking for them to use your Web server to find your employee names, e-mail addresses, and phone numbers. (You warned management not to put this information on the Web server but management wants "convenience for the customers.") You also look for e-mail from that network. You might not need to limit your searches to these two ports in this situation. However, store all packet information in the watch.log file to provide to counsel later. He explained that if such packets are found, they will be introduced into court during the motion for an injunction. The output might look like the following:

tcpdump: listening on eth1
14:35:08 x.pieinsky.com.1032 > www.pentacorp.com.www: S stuff
14:35:15 x.pieinsky.com.1032 > www.pentacorp.com.www: . stuff
14:35:38 x.pieinsky.com.1032 > www.pentacorp.com.www: P stuff
...
14:37:35 x.pieinsky.com.1033 > spam.pentacorp.com.smtp: P stuff
14:38:29 x.pieinsky.com.1033 > spam.pentacorp.com.smtp: . stuff
...
14:38:33 x.pieinsky.com.1033 > spam.pentacorp.com.smtp: F stuff

Someone on x.pieinsky.com came in from port 1032 and made several requests of your Web server using the www service (port 80) that might have been looking at your online employee database. About two minutes later, someone on this same system sent e-mail to someone at your company, sending to your e-mail server, called spam, using the smtp service (port 25). Note that following the destination system and port, some of the packets have "P" and some have ".".
This can be very important because this is the list of TCP status bits that are set. In this example, some packets had the "P" bit (PUSH) set and some had a dot, which means that none of SYN, FIN, RST, or PSH is set. tcpdump prints the first character of each set status bit's name here. The names of these status bits and some common attacks are discussed in "Tunneling Through Firewalls" on page 77. This lets you look for protocol violations that a cracker might be using for illicit ends.
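To turn a watch.log of this shape into a per-session summary for counsel, and to spot the kind of flag-bit protocol violation just mentioned, here is an added example (not code from the book): it parses tcpdump lines in the format shown above, groups packets by source host and port, and reports any packet carrying SYN and FIN together, a combination no valid TCP exchange produces. The sample lines are constructed from the output above; the final SF line is an added invalid packet for the check to find.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the tcpdump output above; "stuff" stands
# for the sequence/window fields the text elides. The last line is an
# added SYN+FIN packet that no legitimate TCP stack would send.
SAMPLE = """\
14:35:08 x.pieinsky.com.1032 > www.pentacorp.com.www: S stuff
14:35:15 x.pieinsky.com.1032 > www.pentacorp.com.www: . stuff
14:35:38 x.pieinsky.com.1032 > www.pentacorp.com.www: P stuff
14:37:35 x.pieinsky.com.1033 > spam.pentacorp.com.smtp: P stuff
14:38:29 x.pieinsky.com.1033 > spam.pentacorp.com.smtp: . stuff
14:38:33 x.pieinsky.com.1033 > spam.pentacorp.com.smtp: F stuff
14:40:01 y.pieinsky.com.1040 > www.pentacorp.com.www: SF stuff
"""

# time  src-host.port  >  dst-host.service:  flags  (rest of line ignored)
LINE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+)\.(\d+) > (\S+)\.(\w+): (\S+)")

def parse(text):
    """Return one dict per tcpdump line; lines that do not match are skipped."""
    recs = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts, src, sport, dst, svc, flags = m.groups()
            recs.append({"time": ts, "src": src, "sport": int(sport),
                         "dst": dst, "service": svc, "flags": flags})
    return recs

def sessions(recs):
    """Group packets by (src, sport, dst, service): first/last time, packet
    count and the set of TCP flags seen ('.' means no flag was set)."""
    out = defaultdict(lambda: {"first": None, "last": None,
                               "packets": 0, "flags": set()})
    for r in recs:
        s = out[(r["src"], r["sport"], r["dst"], r["service"])]
        s["first"] = s["first"] or r["time"]
        s["last"] = r["time"]
        s["packets"] += 1
        s["flags"].update(c for c in r["flags"] if c != ".")
    return dict(out)

def bad_flag_combos(recs):
    """Return packets whose flags cannot occur in a valid TCP exchange:
    SYN and FIN set together is the classic protocol violation to look for."""
    return [r for r in recs if "S" in r["flags"] and "F" in r["flags"]]
```

Run it against a real watch.log by replacing SAMPLE with the file's contents; the session table shows at a glance which of their hosts touched which of your services and when.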