16.13 Using tcpdump to Monitor Your LAN

One of the U.S. government's energy and nuclear research laboratories, Lawrence Berkeley Lab (LBL), offers the tcpdump Linux/UNIX utility. This utility is a network sniffer, intended for System Administrators to analyze their computers and networks for both general network problems and security problems.

I also have found tcpdump quite useful in debugging during development of client/server software. I received a phone call one Saturday evening saying that the server (that I had jointly created with Larry Gee) was not responding to certain client requests. The client-side engineer was convinced that it was not his code and he was very good.

With the promise of free dinner, I drove to the client. In under five minutes, tcpdump (from a third system) proved that the server was sending the proper reply. Later, the bug was determined to be in Win 9x, which was not delivering the packets.


16.13.1 Building tcpdump

The tcpdump program and related software may be downloaded from the laboratory and it is easy to set up and use. First, download these three files:

 
 ftp://ftp.ee.lbl.gov/libpcap.tar.Z
 ftp://ftp.ee.lbl.gov/pcapture-0.2.1.tar.Z
 ftp://ftp.ee.lbl.gov/tcpdump-3.4.tar.Z

Issue the following commands to extract the files into subdirectories called libpcap-0.4, pcapture-0.2.1, and tcpdump-3.4 containing the sources:

 
 tar -xzovf libpcap.tar.Z
 tar -xzovf pcapture-0.2.1.tar.Z
 tar -xzovf tcpdump-3.4.tar.Z

Then, build libpcap with

 
 cd libpcap-0.4
 ./configure
 make
 cd ..
 ln -s libpcap-0.4 libpcap

Build pcapture with

 
 cd pcapture-0.2.1
 ./configure
 make
 su
 make install
 make install-man
 exit

Finally, build and install tcpdump.

 
 cd ../tcpdump-3.4
 ./configure
 make
 su
 make install
 make install-man
 exit

If you are using csh, issue the rehash command so that the shell finds the newly installed binaries. Note that tcpdump must be run as root, because it opens the network interface directly (in promiscuous mode by default). To watch ARP packets, the following is a starting point:

 
 tcpdump arp 

Similarly, ICMP packets can be watched with

 
 tcpdump icmp 

16.13.2 Using tcpdump

Some of tcpdump's more useful flags are discussed here. The -i flag is used to specify which interface to use. The -l flag causes tcpdump to line-buffer the output even if it is not going to a tty. This is useful in the following, where immediate output to the screen is desired, as well as capture in a file for later detailed analysis.

 
 tcpdump -l other options | tee foo

or

 
 tcpdump -l other options > foo&
 tail -f foo

The -N flag drops the domain part of displayed host names, printing nic instead of nic.ddn.mil. Following any flags is an optional expression that selects which packets are dumped; with no expression, every packet is dumped. If you run tcpdump over a networked telnet or X session, the traffic of that session itself will be displayed, and displaying it generates still more traffic (think "infinite loop"); exclude it with a term such as not host yourworkstation. The expression syntax resembles a boolean expression in a programming language, or the tests given to the find program.

Some of the "primitive" elements that may be used to build expressions include the following.

  • type

    This is something of a misnomer, selecting by host, net, or port. Each of these takes a specifier, for example, host name or IP address. The net primitive will accept address/bits, where address is an IP address and bits is the number of high-order bits to match. Thus, to match Pentacorp's class-B network, use

     
     net 192.168.0.0/16 
  • direction

    These allow you to specify what direction of packets are of interest. Values include src, dst, src or dst, and src and dst.

  • prototype

    These include tcp, udp, icmp, arp, rarp, ether, ip, decnet, and lat.

  • special

    These include broadcast, gateway, less, and greater. The broadcast primitive matches broadcast packets. The gateway host primitive matches packets that passed through host as a gateway: host's Ethernet address is the source or destination, but host's IP address is neither the IP source nor the IP destination. The less length and greater length primitives match packets whose total length is at most, or at least, length bytes.

  • booleans

    The and, or, and not booleans are recognized, as are &&, ||, and !.

  • relations

    These operations allow testing bits and bytes within the protocol. They can be used to look for fragmented packets and some corrupted packets that might be an attack. They are discussed in the man page.

  • parentheses

    The parentheses ( and ) group terms; they must be quoted or escaped so the shell does not interpret them.

If you are the SysAdmin for Pentacorp and suspect that someone on the Internet is trying to download your DNS information, the following watches for it. In this example you are watching on the PPP interface; of course, a large company would have a larger pipe. Recall that zone transfers are done over TCP; limiting the dump to TCP avoids the routine single-host UDP lookups made by everyone sending e-mail to your people and surfing your public Web site. Not every TCP connection to port 53 is a zone transfer, however: a resolver retries over TCP when a UDP answer is truncated, and any legitimate secondary name servers outside your network will show up here too. Treat a hit as something to examine, and add not host terms for the secondaries you expect.

 
 tcpdump -i ppp0 dst port 53 and tcp and not src net 192.168.0.0/16 

Because you are Pentacorp, in your /etc/networks file, you have the entry

 
 pentacorp.com  192.168.0.0 

Three of your engineers have left recently for a startup called pieinsky.com. The big boss called you into his office and introduced you to the corporate attorney who explained that raiding is suspected; that is, they are deliberately trying to hire away a large number of your best people. They want you to monitor the corporate network for any evidence of the other company trying to contact your people. You explain that technically it is easy but that you want there to be no misunderstanding about the request and written assurance that it would be legal in your jurisdiction. The big boss hands you a dated memorandum with his signature asking you to do the monitoring and the attorney provides a written opinion that the requested action is legal. You then can issue the following command on the firewall:

 
 dig pieinsky.com 

Its output includes these "A" (address) records.

 
 ;; ANSWERS:
 pieinsky.com.   41771   A   207.46.130.149
 pieinsky.com.   41771   A   207.46.130.45
 pieinsky.com.   41771   A   207.46.131.137
 pieinsky.com.   41771   A   207.46.131.30
 pieinsky.com.   41771   A   207.46.130.14

Note that the addresses fall into two adjacent class-C (/24) networks, both of which you want to watch. The following should do nicely:

 
 tcpdump -l -i eth1 src net 207.46.130.0/23 and \
   '(' dst port 25 or dst port 80 ')' \
   > watch.log&
 tail -n +1 -f watch.log

Use the -l flag for line buffering so you see each line as it arrives, and the -i flag to specify the interface connected to the Internet. A /24 would select one of their class-C networks; because the two are adjacent and the lower one, 207.46.130.0, lies on an even boundary, ignoring the low-order network bit with /23 covers both. This shortcut depends on the alignment: had the networks been 207.46.131.0 and 207.46.132.0, no /23 would cover them, and tcpdump rejects a net such as 207.46.131.0/23 because it has bits set outside the mask, so you would write two src net terms joined by or instead. You are looking for them using your Web server to find your employee names, e-mail addresses, and phone numbers. (You warned management not to put this information on the Web server, but management wants "convenience for the customers.") You also look for e-mail from them.
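As an added example that is not code from the book, the following Python script derives that net qualifier from the dig answers and assembles the watch command. The dig text is the excerpt quoted above; the 207.46.131.x and 207.46.132.x pair in the main block is constructed to show the misaligned case the text does not cover, and the function names are my own. It goes a little beyond the text by handling any number of /24s, not just two.

```python
"""Derive the tightest tcpdump 'net' qualifier for a set of addresses.

Added example, not code from the book. Rounds each A record down to
its /24 and merges neighbouring blocks only where the merged prefix is
itself a valid network, which is exactly the condition under which
the book's /23 shortcut is legal.
"""
import ipaddress
import re

# The dig answer section quoted in the text (constructed sample input).
DIG_ANSWERS = """\
;; ANSWERS:
pieinsky.com.   41771   A   207.46.130.149
pieinsky.com.   41771   A   207.46.130.45
pieinsky.com.   41771   A   207.46.131.137
pieinsky.com.   41771   A   207.46.131.30
pieinsky.com.   41771   A   207.46.130.14
"""

# name  ttl  [IN]  A  address   (real dig prints the class; the book omits it)
A_RECORD = re.compile(r"^\S+\s+\d+\s+(?:IN\s+)?A\s+(\d+\.\d+\.\d+\.\d+)\s*$")


def a_records(dig_output):
    """Return the IPv4 addresses (as strings) from dig's answer lines."""
    matches = (A_RECORD.match(line.strip()) for line in dig_output.splitlines())
    return [m.group(1) for m in matches if m]


def covering_nets(addrs, host_bits=8):
    """Round each address down to its /24 (host_bits=8), then merge
    adjacent blocks. collapse_addresses() only replaces two blocks by a
    shorter prefix when that prefix is a valid network, so 130.0/24 and
    131.0/24 become 130.0/23, while 131.0/24 and 132.0/24 stay as two
    nets (131.0/23 would have a bit set outside its mask, which tcpdump
    rejects as non-network bits)."""
    blocks = {ipaddress.ip_network(f"{a}/{32 - host_bits}", strict=False)
              for a in addrs}
    return sorted(ipaddress.collapse_addresses(blocks))


def is_valid_net(net_text):
    """True if net_text is acceptable to tcpdump: no bits set outside the mask."""
    try:
        ipaddress.ip_network(net_text)      # strict: host bits must be zero
        return True
    except ValueError:
        return False


def net_qualifier(nets, direction="src"):
    """Render the nets as a tcpdump qualifier. One net needs nothing
    more; several are OR'ed inside parentheses, quoted so the shell
    passes them through to tcpdump untouched."""
    terms = [f"{direction} net {n}" for n in nets]
    if len(terms) == 1:
        return terms[0]
    return "'(' " + " or ".join(terms) + " ')'"


def tcpdump_command(dig_output, iface="eth1", ports=(25, 80)):
    """The watch command from the text, generated from the dig answers."""
    nets = covering_nets(a_records(dig_output))
    port_terms = " or ".join(f"dst port {p}" for p in ports)
    return f"tcpdump -l -i {iface} {net_qualifier(nets)} and '(' {port_terms} ')'"


if __name__ == "__main__":
    print(tcpdump_command(DIG_ANSWERS))
    # Constructed: neighbours that straddle a /23 boundary stay separate.
    print(net_qualifier(covering_nets(["207.46.131.9", "207.46.132.200"])))
    print(is_valid_net("207.46.130.0/23"), is_valid_net("207.46.131.0/23"))
```

Run it with the dig output saved from the command above and paste the printed command into the shell; if the printed qualifier contains parentheses, that is the signal that the networks were not aligned and a single /23 would either miss one or match a neighbour that is not theirs.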

You might not need to limit your search to these two ports in this situation. However, keep everything tcpdump reports in the watch.log file to provide to counsel later; he explained that if such packets are found, they will be introduced in court during the motion for an injunction. Bear in mind that watch.log holds only tcpdump's one-line summaries. If counsel may need the packets themselves, run a second tcpdump with the same expression and the -w flag to save the raw packets, raising the snapshot length with -s so that whole packets rather than only their first few dozen bytes are kept. The output might look like the following:

 
 tcpdump: listening on eth1
 14:35:08 x.pieinsky.com.1032 > www.pentacorp.com.www: S stuff
 14:35:15 x.pieinsky.com.1032 > www.pentacorp.com.www: . stuff
 14:35:38 x.pieinsky.com.1032 > www.pentacorp.com.www: P stuff
 ...
 14:37:35 x.pieinsky.com.1033 > spam.pentacorp.com.smtp: P stuff
 14:38:29 x.pieinsky.com.1033 > spam.pentacorp.com.smtp: . stuff
 ...
 14:38:33 x.pieinsky.com.1033 > spam.pentacorp.com.smtp: F stuff

Someone on x.pieinsky.com, using source port 1032, made several requests of your Web server's www service (port 80) that might have been a look at your online employee database. About two minutes later, someone on the same system, from source port 1033, sent e-mail to someone at your company through your e-mail server, called spam, using the smtp service (port 25). Note that after the destination host and port, some packets show "P" and others ".". This field is the list of TCP flag bits that are set, and it matters because it is where protocol violations become visible. Here some packets had the P (PSH) bit set and some show a dot, which means none of SYN, FIN, RST, or PSH is set (normal for a pure acknowledgment in an established connection). The tcpdump program prints the first letter of each flag's name: S for SYN, F for FIN, R for RST, P for PSH. The names of these bits and some common attacks that abuse them are discussed in "Tunneling Through Firewalls" on page 77. This lets you look for protocol violations, such as SYN and FIN set in the same packet, that a cracker might be using for illicit ends.
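To make that flag field something you check rather than eyeball, here is an added example (mine, not the book's) that parses tcpdump's one-line-per-packet output, groups it into connections, records which services each outside host touched, and flags combinations that no legitimate TCP stack sends. The log lines are constructed in the format of the watch.log excerpt above, with the "stuff" placeholders replaced by plausible tcpdump fields and two bad packets appended; the function names are my own.

```python
"""Summarize tcpdump's one-line TCP output by connection and check the
flag field for combinations that never occur in legitimate traffic.

Added example, not code from the book. It works on the text format that
tcpdump prints (and that watch.log captures), not on raw packet data.
"""
import re
from collections import OrderedDict

# Constructed sample in the format of the watch.log excerpt in the text:
# the two connections from the book, plus two packets at the end that no
# normal TCP stack emits (SYN+FIN together, and a lone FIN with no
# connection behind it).
SAMPLE_LOG = """\
tcpdump: listening on eth1
14:35:08 x.pieinsky.com.1032 > www.pentacorp.com.www: S 7001:7001(0) win 8192
14:35:15 x.pieinsky.com.1032 > www.pentacorp.com.www: . ack 1 win 8760
14:35:38 x.pieinsky.com.1032 > www.pentacorp.com.www: P 1:300(299) ack 1 win 8760
14:37:30 x.pieinsky.com.1033 > spam.pentacorp.com.smtp: S 9100:9100(0) win 8192
14:37:35 x.pieinsky.com.1033 > spam.pentacorp.com.smtp: P 1:60(59) ack 1 win 8760
14:38:29 x.pieinsky.com.1033 > spam.pentacorp.com.smtp: . ack 200 win 8760
14:38:33 x.pieinsky.com.1033 > spam.pentacorp.com.smtp: F 60:60(0) ack 200 win 8760
14:40:01 x.pieinsky.com.1034 > www.pentacorp.com.www: SF 0:0(0) win 1024
14:40:02 x.pieinsky.com.1035 > spam.pentacorp.com.smtp: F 0:0(0) win 1024
"""

# time  src.port > dst.port:  flags  (the rest of the line is ignored)
TCP_LINE = re.compile(
    r"^(\d\d:\d\d:\d\d)(?:\.\d+)?\s+(\S+)\s+>\s+(\S+):\s+([SFRP.]+)(?:\s|$)")

# tcpdump prints the first letter of each set flag; "." means none of them.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH"}


def parse_line(line):
    """One tcpdump TCP line -> dict, or None for banner and other lines."""
    m = TCP_LINE.match(line)
    if not m:
        return None
    time, src, dst, flags = m.groups()
    return {"time": time, "src": src, "dst": dst, "flags": flags}


def decode_flags(field):
    """'SF' -> {'SYN', 'FIN'}; '.' -> empty set."""
    return {FLAG_NAMES[ch] for ch in field if ch != "."}


def split_endpoint(endpoint):
    """'www.pentacorp.com.www' -> ('www.pentacorp.com', 'www'); tcpdump
    appends the port number, or its /etc/services name, after a final dot."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def connections(log):
    """Group packets by (source endpoint, destination endpoint) in order of
    first appearance, keeping the count, first/last time and flag fields."""
    conns = OrderedDict()
    for line in log.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        key = (pkt["src"], pkt["dst"])
        c = conns.setdefault(key, {"packets": 0, "first": pkt["time"],
                                   "last": pkt["time"], "flags": []})
        c["packets"] += 1
        c["last"] = pkt["time"]
        c["flags"].append(pkt["flags"])
    return conns


def services_by_host(log):
    """Which destination services each source host touched (the Web
    server's www and the mail server's smtp in the book's scenario)."""
    touched = {}
    for src, dst in connections(log):
        src_host, _ = split_endpoint(src)
        _, service = split_endpoint(dst)
        touched.setdefault(src_host, set()).add(service)
    return touched


def suspicious(log):
    """Flag combinations that violate TCP, plus a FIN on a connection for
    which this capture holds no SYN: either a FIN scan or a connection
    that was already open when the capture started, which the analyst
    must tell apart using the capture's start time."""
    findings = []
    for (src, dst), c in connections(log).items():
        seen_syn = False
        for field in c["flags"]:
            bits = decode_flags(field)
            seen_syn = seen_syn or "SYN" in bits
            if {"SYN", "FIN"} <= bits:
                findings.append((src, dst, "SYN and FIN set together"))
            elif {"SYN", "RST"} <= bits:
                findings.append((src, dst, "SYN and RST set together"))
            elif "FIN" in bits and not seen_syn:
                findings.append((src, dst, "FIN with no SYN earlier in this capture"))
    return findings


if __name__ == "__main__":
    for (src, dst), c in connections(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {c['packets']} packets "
              f"{c['first']}..{c['last']} flags {' '.join(c['flags'])}")
    print(services_by_host(SAMPLE_LOG))
    for src, dst, why in suspicious(SAMPLE_LOG):
        print(f"SUSPICIOUS {src} -> {dst}: {why}")
```

Feed it the real watch.log (python3 script.py < watch.log after replacing SAMPLE_LOG with sys.stdin.read()) and the per-host service summary answers counsel's question directly, while the suspicious list points at packets worth pulling out of the raw capture.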


       
    Real World Linux Security Prentice Hall Ptr Open Source Technology Series
    Year: 2002
    Pages: 260