Monitoring Traffic with tcpdump


The first utility that we'll look at for monitoring network traffic is tcpdump. tcpdump prints the headers of every packet seen by your network interface. It features a sophisticated filter language for limiting the output to a specific host, source, destination, subnet, or any combination thereof.

The simplest use of tcpdump is to start it (as root or with sudo) from the command line with no arguments:

# tcpdump
1: tcpdump: listening on en1
2: 15:42:28.853450 client0.poisontooth.com.49295 > carrot3.poisontooth.com.domain: 51668+ CNAME? www.cnn.com. (29)
3: 15:42:28.869908 carrot3.poisontooth.com.domain > client0.poisontooth.com.49295: 51668* 1/4/4 CNAME cnn.com. (217)
4: 15:42:28.870331 client0.poisontooth.com.49295 > carrot3.poisontooth.com.domain: 30577+ A? www.cnn.com. (29)
5: 15:42:28.913477 carrot3.poisontooth.com.domain > client0.poisontooth.com.49295: 30577 9/4/4 CNAME cnn.com.[domain]
6: 15:42:28.914158 client0.poisontooth.com.49295 > carrot3.poisontooth.com.domain: 48116+ AAAA? www.cnn.com. (29)
7: 15:42:28.940969 carrot3.poisontooth.com.domain > client0.poisontooth.com.49295: 48116 1/1/0 CNAME cnn.com. (124)
...
8: 15:42:33.440973 client0.poisontooth.com.49209 > www3.cnn.com.http: S 4139514020:4139514020(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 34160 0> (DF) [tos 0x10]
9: 15:42:33.494618 www3.cnn.com.http > client0.poisontooth.com.49209: S 1497469520:1497469520(0) ack 4139514021 win 5840 <mss 1460>
10: 15:42:33.494767 client0.poisontooth.com.49209 > www3.cnn.com.http: . ack 1 win 33580 (DF) [tos 0x10]
11: 15:42:33.525710 client0.poisontooth.com.49209 > www3.cnn.com.http: P 1:8(7) ack 1 win 33580 (DF) [tos 0x10]
12: 15:42:34.497076 client0.poisontooth.com.49295 > carrot3.poisontooth.com.domain: 56757+ PTR? 1.1.0.10.in-addr.arpa. (39)
13: 15:42:34.499827 carrot3.poisontooth.com.domain > client0.poisontooth.com.49295: 56757* 1/1/1 PTR[domain]
14: 15:42:34.687262 client0.poisontooth.com.49209 > www3.cnn.com.http: P 1:13(12) ack 1 win 33580 (DF) [tos 0x10]
15: 15:42:34.734041 www3.cnn.com.http > client0.poisontooth.com.49209: . ack 13 win 5840
16: 15:42:36.568825 www3.cnn.com.http > client0.poisontooth.com.49209: FP 1:148(147) ack 13 win 5

For TCP packets (most of what you'll see), each line of tcpdump output can be read as

Time Source-IP.Port > Destination-IP.Port TCP-Flags Segment-Number ack window(receive buffer) <tcp options>

UDP traffic, including name server resolution, is slightly different, as are other transport layer protocols. The tcpdump man page defines the output format for several different protocols and is required reading if you want to fully exploit the software.

In the example output, tcpdump shows a conversation between client0.poisontooth.com and carrot3.poisontooth.com, in which client0 requests a DNS lookup of www.cnn.com (lines 2-7). After receiving a response, client0 opens a connection to www3.cnn.com and begins communicating (lines 8-16). Note that the port is shown as the name of the service that normally uses it, such as http instead of 80. tcpdump makes this substitution automatically when possible.

A more useful way to run tcpdump is with a filter that limits the traffic to a specific type. For example, rather than viewing everything on the network, how about watching only the HTTP communications coming from a given host (in this case client0.poisontooth.com)? You do this by adding the filter expression src host client0.poisontooth.com and dst port 80 to the command. This example also introduces the -q flag, which hides extraneous protocol information:

# tcpdump -q src host client0.poisontooth.com and dst port 80
tcpdump: listening on en1
18:29:54.063689 client0.poisontooth.com.49659 > www1.cnn.com.http: tcp 0 (DF)
18:29:54.114376 client0.poisontooth.com.49659 > www1.cnn.com.http: tcp 0 (DF)
18:29:54.120766 client0.poisontooth.com.49659 > www1.cnn.com.http: tcp 518 (DF)
18:32:54.259702 client0.poisontooth.com.49659 > www1.cnn.com.http: tcp 0 (DF)
18:29:54.459999 client0.poisontooth.com.49659 > www1.cnn.com.http: tcp 0 (DF)
18:29:54.660246 client0.poisontooth.com.49659 > www1.cnn.com.http: tcp 0 (DF)
18:29:54.860469 client0.poisontooth.com.49659 > www1.cnn.com.http: tcp 0 (DF)
...
18:30:41.777607 client0.poisontooth.com.49638 > www.apple.com.http: tcp 0 (DF)
18:30:41.783227 client0.poisontooth.com.49638 > www.apple.com.http: tcp 267 (DF)
18:30:41.919682 client0.poisontooth.com.49638 > www.apple.com.http: tcp 0 (DF)
18:30:42.088209 client0.poisontooth.com.49638 > www.apple.com.http: tcp 0 (DF)
18:30:42.097456 client0.poisontooth.com.49638 > www.apple.com.http: tcp 0 (DF)
18:30:44.857696 client0.poisontooth.com.49638 > www.apple.com.http: tcp 0 (DF)
18:30:44.987351 client0.poisontooth.com.49638 > www.apple.com.http: tcp 0 (DF)
...
18:30:50.089552 client0.poisontooth.com.49653 > a209-249-123-244.deploy.akamaitechnologies.com.http: tcp 0 (DF)
18:30:50.141997 client0.poisontooth.com.49653 > a209-249-123-244.deploy.akamaitechnologies.com.http: tcp 0 (DF)
18:30:50.204663 client0.poisontooth.com.49653 > a209-249-123-244.deploy.akamaitechnologies.com.http: tcp 445 (DF)
18:30:50.415602 client0.poisontooth.com.49653 > a209-249-123-244.deploy.akamaitechnologies.com.http: tcp 0 (DF)

Here, tcpdump reports that HTTP requests originating from client0.poisontooth.com have been made to the hosts www1.cnn.com, www.apple.com, and a209-249-123-244.deploy.akamaitechnologies.com.
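Reading a summary like the one above out of a long -q capture by eye gets tedious, so here is a small shell function that does it for you. It is an added example, not code from the book: it parses tcpdump -q lines (the format shown above) and reports packet count and TCP payload bytes per destination host; the sample capture it embeds is constructed, not the page's own.

```shell
# Constructed sample in tcpdump -q format (not the book's capture):
#   time  src.port > dst.port: tcp <payload-bytes> (DF)
SAMPLE_Q_OUTPUT='18:29:54.063689 client0.poisontooth.com.49659 > www1.cnn.com.http: tcp 0 (DF)
18:29:54.120766 client0.poisontooth.com.49659 > www1.cnn.com.http: tcp 518 (DF)
18:30:41.783227 client0.poisontooth.com.49638 > www.apple.com.http: tcp 267 (DF)
18:30:41.919682 client0.poisontooth.com.49638 > www.apple.com.http: tcp 0 (DF)
18:30:50.204663 client0.poisontooth.com.49653 > a209-249-123-244.deploy.akamaitechnologies.com.http: tcp 445 (DF)'

# summarize_http_peers: read tcpdump -q lines on stdin and print one line per
# destination host: "<host> <packets> <payload-bytes>", most bytes first.
# Works with both resolved names and raw addresses (tcpdump -n), because only
# the final ".port" or ".service" component is stripped from the destination.
summarize_http_peers() {
    awk '
        $3 == ">" && $5 == "tcp" {
            dst = $4                        # e.g. www1.cnn.com.http:
            sub(/:$/, "", dst)              # drop the trailing colon
            sub(/\.[^.]+$/, "", dst)        # drop the port/service suffix
            pkts[dst]++
            bytes[dst] += $6                # payload length reported by -q
        }
        END {
            for (h in pkts) printf "%s %d %d\n", h, pkts[h], bytes[h]
        }' | sort -k3,3nr -k1,1
}

# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_Q_OUTPUT" | summarize_http_peers

# Live use (needs root): -l line-buffers stdout so the pipe sees each packet
# as it arrives, exactly as Table 7.2 describes.
#   tcpdump -l -q src host client0.poisontooth.com and dst port 80 | summarize_http_peers
```

Zero-byte lines (pure ACKs) still count as packets, so a host with many packets but few bytes is a connection being kept alive rather than one transferring data.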

The Boolean filter expression is built from the operators and (&&), or (||), and not (!) combined with the primitives given in the tcpdump man page. The most useful of these primitives are reproduced for your reference in Table 7.1.

Table 7.1. tcpdump Expression Primitives

Primitive                         Use
dst host <host/ip>                Match packets headed to a hostname or IP.
src host <host/ip>                Match packets from a hostname or IP.
host <host/ip>                    Match packets to or from a given hostname or IP.
ether dst <ethernet address>      Match packets to a given ethernet address.
ether src <ethernet address>      Match packets from an ethernet address.
ether host <ethernet address>     Match packets to or from an ethernet address.
gateway <host/ip>                 Match packets that used the given host or IP as a gateway.
dst net <network>                 Match packets headed to a given network.
src net <network>                 Match packets from a specified network.
net <network>                     Match packets to or from a specified network.
net <network> mask <netmask>      Specifies a network by using an address and a 4-octet netmask.
net <network/mask>                Specifies a network by using an address followed by a / and the number of bits in the netmask.
dst port <port>                   Match packets to a specific port.
src port <port>                   Match packets from a specific port.
port <port>                       Match packets to or from a specific port.
less <length>                     Match packets smaller than the given size.
greater <length>                  Match packets larger than the given size.
ip proto <name/number>            Match IP packets carrying the named or numbered protocol (as listed in /etc/protocols), such as tcp, udp, icmp, and so on.
ether broadcast                   Match ethernet broadcast packets.
ip broadcast                      Match IP broadcast packets.
ether multicast                   Match ethernet multicast packets.

The capability to create custom filter expressions is one of the most powerful features of tcpdump and of the other utilities that use libpcap. You may also find a number of flags and switches useful; all are given on the command line using the syntax tcpdump [options] [expression]. The common switches are provided in Table 7.2.

Table 7.2. Common tcpdump Switches

Option                 Description
-a                     Convert network numbers to names.
-c <packet count>      Exit after receiving the specified number of packets.
-n                     Don't convert numbers to names.
-F <filter file>       Use the contents of the named file as the filter expression.
-i <interface>         Listen on the named network interface.
-l                     Line-buffer standard output (useful when piping tcpdump into another program).
-q                     Quick/Quiet output. Leave out most extra information beyond source, destination, and ports.
-r <filename>          Read packets from a file (see -w).
-t                     Don't print a timestamp on each line.
-v, -vv, -vvv          Increasingly verbose output.
-w <filename>          Write packets to a file for later analysis (see -r). This is better than trying to analyze a high-bandwidth/high-activity network in real time, which is likely to result in packet loss.

As you've seen, tcpdump can provide extremely targeted or very general information about your network traffic. It fits the definition of a sniffer but does not provide tools for attacking a network; its purpose is to help you uncover activity that may violate your network policy or to diagnose unusual network communication problems. A Mac OS X GUI for tcpdump (MacSniffer) can be downloaded from http://personalpages.tds.net/~brian_hill/macsniffer.html.

TIP

If you'd like to try a somewhat fun use for tcpdump, download TrafGraf from http://trafgraf.poisontooth.com/. This is a simple network traffic grapher that presents a visual snapshot of the communications on your network and helps identify high-volume hosts. I wrote it almost four years ago, but, as long as you install the Perl modules mentioned in the readme, it will work fine on Mac OS X 10.2.

HOW CAN I DETECT A SNIFFER?

Sadly, it is next to impossible to detect sniffers on a modern network because they are designed to be completely passive. Errors existed in earlier versions of Linux and Windows that allowed administrators to probe for interfaces in promiscuous mode. Unfortunately, these are long gone. (See http://www.securiteam.com/tools/AntiSniff_-_find_sniffers_on_your_local_network.html for details.)

To check whether your own machine may be running a sniffer (and is thus compromised), use ifconfig to display the information for your active network interface. For example:

% /sbin/ifconfig en1
en1: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::230:65ff:fe12:f215%en1 prefixlen 64 scopeid 0x5
        inet 10.0.1.101 netmask 0xffffff00 broadcast 10.0.1.255
        ether 00:30:65:12:f2:15
        media: autoselect status: active
        supported media: autoselect

Here you can see the PROMISC flag for en1, indicating that this interface is in promiscuous mode.
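The same check can be scripted so it runs from cron or a host-check script instead of being eyeballed. The functions below are an added example, not code from the book: they read ifconfig output (a constructed two-interface sample is embedded; on a live system pipe in /sbin/ifconfig -a) and report every interface whose flags include PROMISC.

```shell
# Constructed ifconfig output in the Mac OS X style shown above (not from the
# book): en0 is normal, en1 has the PROMISC flag set.
SAMPLE_IFCONFIG='en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.1.100 netmask 0xffffff00 broadcast 10.0.1.255
        ether 00:30:65:aa:bb:cc
en1: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::230:65ff:fe12:f215%en1 prefixlen 64 scopeid 0x5
        inet 10.0.1.101 netmask 0xffffff00 broadcast 10.0.1.255
        ether 00:30:65:12:f2:15'

# promisc_interfaces: read ifconfig output on stdin and print the name of each
# interface whose flags=...<...> word contains PROMISC, one per line.
# The flag list is split on commas and compared whole, so a flag such as
# a hypothetical "PROMISCX" would not produce a false match.
promisc_interfaces() {
    awk '
        /^[a-z0-9]+: flags=/ {
            iface = $1; sub(/:$/, "", iface)
            flags = $2
            sub(/^flags=[0-9a-fx]+</, "", flags)   # strip the numeric prefix
            sub(/>$/, "", flags)                    # strip the closing bracket
            n = split(flags, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "PROMISC") print iface
        }'
}

# check_promisc: return 1 (and print the interfaces) if any interface is
# promiscuous, 0 otherwise; a non-zero exit is easy to alert on from cron.
check_promisc() {
    found=$(promisc_interfaces)
    [ -z "$found" ] && return 0
    printf 'promiscuous interface(s): %s\n' "$found"
    return 1
}

# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_IFCONFIG" | check_promisc || true

# Live use:  /sbin/ifconfig -a | check_promisc
```

The flag is only set while a capture is actually open on the interface, so a periodic check can miss a sniffer that runs briefly between polls.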

Although sniffers are tough to find and remove, the use of secure protocols (SSL, IPSec, etc.) can foil most of them easily: a sniffer can still capture the packets, but it cannot read the encrypted contents.


Maximum Mac OS X Security
ISBN: 0672323818
Year: 2003
Pages: 158