
Network Traffic Analysis Using tcpdump Introduction to tcpdump

Pages: 76. File type: pdf. Size: 447.70 KB.


Document information:

The objectives of this course are to introduce you to the fundamentals and benefits of using tcpdump as a tool to analyze your network traffic. We'll start by introducing the concepts and output of tcpdump. One of the most important aspects of using tcpdump is being able to write tcpdump filters to look for specific traffic. Filter writing is fairly basic unless you want to examine fields in an IP datagram that don't fall on byte boundaries. That is why an entire section is devoted to the art of writing filters....
Content extracted from the document:
Network Traffic Analysis Using tcpdump
Introduction to tcpdump

Judy Novak
Johns Hopkins University Applied Physics Laboratory
jhnovak@ix.netcom.com

All material Copyright © Novak, 2000, 2001. All rights reserved.

Table of Contents

Topics
• Introduction to tcpdump
• Writing tcpdump Filters
• Examination of Datagram Fields
• Beginning Analysis
• Real World Examples
• Step by Step Analysis
• References

Course Objectives
• Introduce the fundamentals of tcpdump
• Explain how to write tcpdump filters
• Examine fields in the datagram for uses/misuses
• Analyze traffic by placing it in categories
• Demonstrate "real-world" analysis using tcpdump
• Let you participate in the analysis process

The objectives of this course are to introduce you to the fundamentals and benefits of using tcpdump as a tool to analyze your network traffic. We'll start by introducing the concepts and output of tcpdump. One of the most important aspects of using tcpdump is being able to write tcpdump filters to look for specific traffic. Filter writing is fairly basic unless you want to examine fields in an IP datagram that don't fall on byte boundaries. That is why an entire section is devoted to the art of writing filters.

Before we start to use tcpdump to analyze traffic, we'll examine many of the fields found in the IP datagram. This is done to familiarize you with those fields in theory and also with how they might be used in practice. We'll study how and why fields might be changed and for what purpose. Next, we'll start the basic analysis process by looking at tcpdump output and categorizing the kinds of traffic you can see.

Then we'll take a look at some real-world examples of how tcpdump was used on monitored networks to discover what was happening. Finally, the analysis process will be inspected step by step, often with missteps, to get you comfortable with it.

As a note, all tcpdump output shown in this course is activity that actually occurred. Source and destination hosts/IPs have been altered to obfuscate the true identities.

Overview
• Introduction to tcpdump
• Writing tcpdump filters
• Examination of Datagram Fields
• Beginning Analysis
• Real World Examples
• Step by Step Analysis

Introduction to tcpdump

Objectives
• Examine the strengths/weaknesses of tcpdump
• Organize the collection/analysis process of tcpdump data via Shadow
• Examine tcpdump output
  • Standard
  • Hexadecimal
  • Length fields and how to convert them to bytes
  • Application layer
  • Interpretation of payload/hex output

Introduction

Strengths
• Provides an audit trail/historical record of network activity
• Provides absolute fidelity
• Universally available and used

One of the most important parts of the arsenal in your security infrastructure is at least one tool or software package that captures an audit trail or a historical record of the traffic that enters or leaves your network. There will be times when you will be required to examine activity or connections that occurred in your network, not just traffic that caused an alarm to sound. For instance, suppose the packet filtering router that acts as your perimeter defense seems to be behaving strangely after some major network changes were made. You would have to examine the traffic that was allowed into your network to help determine the problem. That is where tcpdump is invaluable.

Also, many tools, even firewall logs, will display suspicious traffic, yet only partial data is displayed. What if you get a log of rejected traffic, but it doesn't display or keep the TCP flags? You'll never know what kind of connection was attempted. tcpdump allows the analyst to examine all the bits and fields that are collected. If nothing is "wrong" with the connection, examination at the bit level is unnecessary. Yet, if you suspect something "foul" with the traffic, you really need access to all the data down to the bit level. ...
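The two points above, that filters get harder once a field does not fall on a byte boundary, and that the value of a full capture is being able to read the TCP flags and other bits a firewall log throws away, can be seen in code. The following Python program is an added example, not part of the course slides or notes: it constructs IPv4/TCP packets in memory (addresses, ports and the 4-byte option are made up), decodes the header fields that are not whole bytes (IP header length, the DF/MF bits and fragment offset, TCP data offset, TCP flags, each converted from words or 8-byte units to bytes), and evaluates filter primitives written in the same `proto[offset:size] & mask op value` form that tcpdump accepts, such as `tcp[13] & 0x02 != 0` for "SYN set". The mini evaluator is this example's own, not tcpdump's; it does mimic one detail of tcpdump's generated code that bites analysts, namely that a `tcp[...]` test only matches a first fragment (fragment offset 0).

```python
"""Bit-level header fields and tcpdump-style byte-offset filters (added example).

Constructs IPv4/TCP packets in memory, decodes the fields that do not fall on
byte boundaries, and evaluates filter primitives written the way tcpdump
accepts them:  proto[offset(:size)] (& mask) op value,  joined by and/or.
"""
import ipaddress
import re
import struct

# Bit positions of the TCP flags in tcp[13] (RFC 793 order, low bit first).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, sport, dport, tcp_flags, ttl=64, ip_options=b"",
                 payload=b"", df=False, mf=False, frag_off=0):
    """Constructed IPv4 + TCP packet (TCP checksum left zero; not needed here).

    ip_options must be a multiple of 4 bytes; frag_off is in 8-byte units,
    exactly as carried in the 13-bit header field.
    """
    if len(ip_options) % 4:
        raise ValueError("IP options must pad to a 32-bit boundary")
    ihl = 5 + len(ip_options) // 4                       # header length in 32-bit words
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0,
                          5 << 4,                        # data offset 5 words, no options
                          tcp_flags, 8192, 0, 0)
    total_len = ihl * 4 + len(tcp_hdr) + len(payload)
    flags_frag = (int(df) << 14) | (int(mf) << 13) | (frag_off & 0x1FFF)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0xBEEF,
                         flags_frag, ttl, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed) + ip_options
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + tcp_hdr + payload


def ip_header_checksum_ok(pkt: bytes) -> bool:
    """A valid header sums to zero when the checksum field is included."""
    return ip_checksum(pkt[:(pkt[0] & 0x0F) * 4]) == 0


def decode_sub_byte_fields(pkt: bytes) -> dict:
    """The fields the course singles out: none of them is a whole byte."""
    ihl_bytes = (pkt[0] & 0x0F) * 4                      # low nibble, in 32-bit words
    flags_frag = struct.unpack("!H", pkt[6:8])[0]        # 3 flag bits + 13-bit offset
    tcp = pkt[ihl_bytes:]
    return {
        "version": pkt[0] >> 4,
        "ihl_bytes": ihl_bytes,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset_bytes": (flags_frag & 0x1FFF) * 8,  # offset is in 8-byte units
        "tcp_data_offset_bytes": (tcp[12] >> 4) * 4,     # high nibble, in 32-bit words
        "tcp_flags": [n for n, bit in TCP_FLAGS.items() if tcp[13] & bit],
    }


_PRIM = re.compile(r"^\s*(ip|tcp)\[(\d+)(?::([124]))?\]\s*(?:&\s*(0x[0-9a-fA-F]+|\d+))?"
                   r"\s*(==|!=|>=|<=|=|>|<)\s*(0x[0-9a-fA-F]+|\d+)\s*$")
_OPS = {"==": lambda a, b: a == b, "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b,
        ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}


def _eval_primitive(expr: str, pkt: bytes) -> bool:
    m = _PRIM.match(expr)
    if not m:
        raise ValueError("unsupported filter primitive: %r" % expr)
    proto, off, size, mask, op, value = m.groups()
    off, size = int(off), int(size or 1)
    if proto == "tcp":
        # tcp[n] is relative to the TCP header, so the IP header length is added;
        # like tcpdump's generated BPF, only a first fragment (offset 0) can match.
        if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
            return False
        off += (pkt[0] & 0x0F) * 4
    field = int.from_bytes(pkt[off:off + size], "big")
    if mask is not None:
        field &= int(mask, 0)
    return _OPS[op](field, int(value, 0))


def matches(expr: str, pkt: bytes) -> bool:
    """Primitives joined by 'and' (binds tighter) and 'or'; no parentheses."""
    return any(all(_eval_primitive(p, pkt) for p in clause.split(" and "))
               for clause in expr.split(" or "))


if __name__ == "__main__":
    # Constructed sample packets: a plain SYN, a later fragment, and a PSH/ACK
    # carrying a 4-byte IP option so the header is 24 bytes instead of 20.
    syn = build_packet("10.1.1.1", "10.2.2.2", 1025, 80, TCP_FLAGS["SYN"])
    frag = build_packet("10.1.1.1", "10.2.2.2", 1025, 80, TCP_FLAGS["SYN"], frag_off=3)
    opts = build_packet("10.1.1.1", "10.2.2.2", 1025, 80, TCP_FLAGS["PSH"] | TCP_FLAGS["ACK"],
                        ip_options=b"\x94\x04\x00\x00")
    for name, pkt in (("syn", syn), ("frag", frag), ("opts", opts)):
        print(name, decode_sub_byte_fields(pkt))
        for f in ("tcp[13] & 0x12 = 0x02",       # SYN set, ACK clear
                  "ip[0] & 0x0f > 5",            # IP options present
                  "ip[6:2] & 0x1fff != 0"):      # not the first fragment
            print("  %-24s %s" % (f, matches(f, pkt)))
```

The fragment case is the one worth remembering: the later fragment carries the byte 0x02 at what looks like the TCP flags position, yet `tcp[13] & 0x02 != 0` does not match it, because there is no TCP header in a non-first fragment and tcpdump's filter code knows that. To catch fragments you filter on the IP field directly, `ip[6:2] & 0x1fff != 0`, which is exactly the kind of sub-byte test the filter section of the course spends its time on.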
