
Packet Capture and Analysis

2009-03-20 00:28
###LinuxCBT Packet Capture | Analysis Edition###
Topics of coverage:
1. Topology
2. Features of Ethereal
3. Explore Interface
4. TCPDump - default format and capture filter syntax (BPFs) used in Ethereal
5. Snort NIDS - produce TCPDump-compliant binary file
6. Sun Snoop - comes with Solaris
7. Capture ARP, Layer-2(MAC), ICMP and ICMPv6 with Ethereal and analyze
8. Capture UDP for IPv4 & IPv6 and analyze
9. Capture TCP for IPv4 & IPv6 and analyze
10. Analyze captures using 'Display Filters' - used during post-processing of packets
11. Statistics
12. Capture packets using Tethereal - TTY version - used in shell
13. Capture and analyze Intranet & DMZ traffic
14. Capture and analyze Internet traffic
15. Capture and analyze wireless traffic
16. Ethereal Windows 2003 Server
Topology Overview:
Primary Host: 192.168.75.15 - linuxcbtsuse1 - linuxcbtsuse1.linuxcbt.internal
Common DNS Suffix: linuxcbt.internal
Internal Subnet IPv4: 192.168.75.0/24
DMZ Subnet IPv4: 10.10.10.0/24
Both subnets (Internal(Intranet)/DMZ) are RFC-1918 compliant
Note: linuxcbtsuse1 box has a dedicated sniffing/port monitoring interface - eth1
Note: eth0 can be used simultaneously to sniff traffic on linuxcbtsuse1
Identify which router/switch port each box is connected to:
Steps:
1. SSH or connect to router/switch
2. list ports using - sh int status
3. Match server to port - sh mac-address-table address 0011.435A.BCE5
4. Navigate to global config mode - config t
5. Navigate to interface configuration mode - int fa5
6. Assign a description to the interface - description linuxcbtsuse1 eth0

Ethereal Features:
rpm -qa | grep -i ethereal - lists whether Ethereal is installed
rpm -ql ethereal - lists the files installed by the Ethereal package
1. Modular - functionality can be added via modules
2. Provides primary 'ethereal' binary - GUI
3. Runs multiple platforms:
a. Linux
b. Unix - Solaris, AIX, FreeBSD, OpenBSD
c. Windows
4. Supports over 750 networking protocols - i.e. IPv4, TCPv4, UDPv4, ICMPv4, ICMPv6, IPv6, IPX/SPX, Netbeui, NETBIOS, AppleTalk, Ethernet
5. Captures Packets - However, excels at analyzing packets
6. Supports Berkeley Packet Filters (BPFs) - uses primitives to parse traffic
8. Supports binding to specific or all interfaces
9. Ability to display packets as they're captured - use when packet-loss is not an issue
Note: subject to packet loss
10. Supports 'Display Filters' language for post-processing packets
11. Includes an expression builder to help build 'Display Filters'
12. Ability to save expressions(Display Filters) for reuse
13. Displays packets in fractions of a second:
a. Second
b. Decisecond - tenth - 3.5
c. Centisecond - hundredth - 3.55
d. Millisecond - thousandth - 3.555
e. Microsecond - millionth - 3.654321
f. Nanosecond - billionth - 3.987654321
14. Provides numerous statistics
15. Color-codes protocols in the packet list display
16. Reconstructs TCP sessions - i.e. connecting to an FTP server
17. Ability to spread captured data across multiple files based on criteria
a. Useful in long-term capturing
18. Ability to stop capture based on criteria:
a. packet count - i.e. stop capture after 500 packets
b. size of capture
c. Time (min,hour,days)
19. Performs name resolution at various OSI layers:
a. Layer-2 (MAC) - i.e. 00:11:43:5A:BC:E5
b. Layer-3 (IPv4/IPv6) - i.e. 192.168.75.15 -> linuxcbtsuse1.linuxcbt.internal - /etc/hosts or DNS
20. Imports 3rd party captures:
a. TCPDump
b. Sun Snoop - Solaris
c. Sniffer
d. MS Network Monitor
21. Ability to import GZ compressed captures - requires Zlib library
22. Exports captures to 3rd party formats - i.e. Sun Snoop
23. Ability to merge capture files - i.e. import multiple dump/capture files
24. Ability to print captures in TXT or Postscript formats
25. Includes the text/TTY version - Tethereal - used from shell
26. Extensible via plug-ins
27. Highly-customizable GUI
Explore Ethereal GUI:
Launch using: ethereal - which is located in /usr/bin
Note: MUST be root to place network interface(s) into promiscuous mode, providing a view of packets NOT destined for the sniffing system
Note: You may sniff packets without promiscuous mode, however, you will only obtain traffic sourced from or destined to the sniffing host
Note: MUST alter X.org permissions to permit 'root' to draw the Ethereal window on the screen
execute from shell: 'xhost +' - permits ALL users to write to current screen

Main GUI Components:
1. 3 Display windows
a. Packet List - reveals the chronological order of captured packets
b. Packet Details - reveals details of packet
c. Packet Bytes - reveals the actual HEX sent/received across the wire
TCPDump:
Note: TCPDump is the default supported format of Ethereal
Features:
1. Captures, by default, packets to and from the machine's default eth0 interface
2. Able to sniff in promiscuous mode if root or equivalent invokes it

Usage:
1. tcpdump -v - capture ALL packets to and from the machine in verbose mode
Note: captures to screen usually yield dropped packets
2. tcpdump -v -w tcpdump.capture.all.1.out - writes output of ALL layers to file
3. tcpdump -D - returns usable interfaces
4. tcpdump -v -c 50 - captures 50 packets and then exits
5. tcpdump -i eth1 | lo | eth0 | any | interface_name - binds tcpdump to a specific interface
6. tcpdump -n - disables layer-3 name resolutions (/etc/hosts and/or DNS)
Berkeley Packet Filters (BPFs)
Terminology:
1. Define Qualifiers (3 Exist):
a. Type - host|net|port - i.e. host 192.168.75.15 OR net 192.168.75.0 OR port 21
b. Dir - src, dst, src or dst, src and dst - i.e. src and dst 192.168.75.15
c. Proto - ip, ip6, icmp, icmp6, tcp, udp, ether, etc.
Usage:
1. tcpdump -w tcpdump.capture.SSH.1.out src host 192.168.75.10 and dst port 22
2. tcpdump -w tcpdump.capture.FTP.2.out dst port 21

WinDump:
Features:
1. TCPDump for Windows
2. Supports virtually identical switches to TCPDump
Requires:
1. WinPcap
2. WinDump.exe - EXE
Note: Use CTRL-C to kill
Usage:
1. windump - binds to default interface and sniffs ALL packets
2. windump -D - returns usable interfaces
3. windump -i 2
4. windump -i 2 dst port 80
5. windump -w filename -i 2 dst port 80

Snort NIDS:
Features:
1. Packet Logger
2. Packet Sniffer
3. NIDS
Requirements:
1. pcre-devel*
2. GCC - c compiler
3. libpcap
Download: www.snort.org
1. snort*gz - contains source code
2. MD5SUM - confirms integrity
3. SIG file - confirms integrity
4. download and import P/GPG key used to sign the latest release of Snort
Note: Copy and paste appropriate key after running: 'gpg --import'
5. Verify SIG downloaded: gpg --verify snort*sig snort*.gz
6. Confirm MD5SUM: md5sum snort*gz
Compile & Install Snort:
1. tar -xzvf snort*gz
2. ./configure - checks for pre-requisites
3. make - creates the binaries - including 'snort'
4. make install - as 'root' - to copy binaries to public directories - /usr/local/bin
Note: Snort supports Berkeley Packet Filters (BPFs)
Usage:
1. snort -v - binds to default 'eth0' interface
2. snort -v -i lo - binds to non-default interface
3. snort -v -b -l ./ -L snort.capture.SSH.5.out src host 192.168.75.10 and dst port 22
4. snort -v -b -l ./ -L snort.capture.FTP.6.out dst port 21
Note: when logging using binary logging, Snort captures ALL OSI layers
Note: use CTRL-C to terminate

Sun Solaris Snoop:
Features:
1. Packet Capturing
2. Replays captured packets
3. Snoop supports a language similar to BPFs
4. Supports writing output to binary, Snoop file - parseable by Ethereal
Usage:
1. snoop - sniffs ALL traffic in promiscuous mode - similar to tcpdump
2. snoop -o output_file tcp port 22
3. snoop -o output_file tcp port 80
4. snoop -o output_file tcp port 21
5. snoop -o output_file host 10.10.10.2 tcp port 21
Ethereal Capturing - ARP, Layer-2(MAC), ICMP and ICMPv6, IP6 Multicast
ARP - relies upon broadcasts to the all-FFs address (ff:ff:ff:ff:ff:ff), which ALL hosts listen to:
1. ether broadcast
Ethereal returns useful information in its 3 main windows:
1. packet number - Packet List window
2. Frame number - Packet Details window
3. OSI layers are represented from frame(layer-1) to Application(layer-7)
a. This is a representation of the Protocol Data Unit (PDU)
Layer-2
1. ether host mac_address ; ether host 0:e:a6:1e:61:53 - captures frames where that MAC is the source or destination
ICMPv4
1. icmp
2. icmp and src host 192.168.75.5
ICMPv6
1. icmp6

UDP Traffic:
Network Time Protocol (NTP):
Features:
1. Same source and destination port number (123)
2. Synchronizes clocks

DNS:

TCP Captures for IPv4 & IPv6:
Note: The overwhelming majority of packets on any LAN/WAN are TCP packets because more applications are designed to use TCP
Features:
1. Guaranteed delivery of packets
a. Acknowledgements
b. Connection-oriented services
Capture Filter Usage:
1. ip - captures ALL IP packets: ICMPv4, IP, TCP, UDP, SSH, FTP, HTTP
2. ip and tcp - captures IPv4 and TCPv4
3. tcp
Note: Pseudo-device 'any' does NOT operate in promiscuous mode because one of its members does NOT have real network access: lo = loopback adapter, which is an in-memory device
Note: Ethereal supports TCP streams reassembly - 'Follow TCP Streams'
Note: Follow TCP Stream allows you to track:
1. bytes used from client to server
2. bytes used from server to client
3. total bytes between client and server - in both directions
Note: 'Follow TCP Stream' builds a 'Display Filter'
Note: TCP sessions employ a 3-way handshake:
1. SYN - synchronization - Client
2. SYN-ACK - synchronization acknowledgement - Server
3. ACK - acknowledgement - Client
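The two notes above (the per-direction byte counts that 'Follow TCP Stream' reports, and the SYN / SYN-ACK / ACK handshake) can be reproduced over decoded packets. The following is an added example, not code from LinuxCBT or Ethereal: it assumes packets have already been dissected into (src ip, src port, dst ip, dst port, TCP flags, payload length) tuples, and the SAMPLE list is a constructed FTP control session, not a real capture. The display_filter() string follows the shape Ethereal generates for a followed stream.

```python
# Follow TCP conversations from already-decoded packets: detect the 3-way handshake
# and tally payload bytes per direction, as Ethereal's 'Follow TCP Stream' does.
SYN, ACK, PSH = 0x02, 0x10, 0x08   # TCP flag bits used below

class TcpStream:
    def __init__(self, client, server):
        self.client = client        # (ip, port) that sent the initial SYN
        self.server = server
        self.state = "SYN_SENT"
        self.client_to_server = 0   # payload bytes, client -> server
        self.server_to_client = 0   # payload bytes, server -> client

    @property
    def total(self):
        return self.client_to_server + self.server_to_client

    def display_filter(self):
        """Display Filter selecting only this conversation (style of Ethereal's followed-stream filter)."""
        (cip, cport), (sip, sport) = self.client, self.server
        return (f"(ip.addr eq {cip} and tcp.port eq {cport}) and "
                f"(ip.addr eq {sip} and tcp.port eq {sport})")

    def feed(self, src, flags, payload_len):
        # Handshake: SYN (client) -> SYN-ACK (server) -> ACK (client)
        if self.state == "SYN_SENT" and src == self.server and (flags & (SYN | ACK)) == (SYN | ACK):
            self.state = "SYN_RECEIVED"
        elif self.state == "SYN_RECEIVED" and src == self.client and (flags & ACK) and not (flags & SYN):
            self.state = "ESTABLISHED"
        if self.state == "ESTABLISHED":        # only count data once the session is up
            if src == self.client:
                self.client_to_server += payload_len
            else:
                self.server_to_client += payload_len

def follow_tcp_streams(packets):
    """packets: iterable of (src_ip, src_port, dst_ip, dst_port, tcp_flags, payload_len)."""
    streams = {}
    for src_ip, sport, dst_ip, dport, flags, plen in packets:
        src, dst = (src_ip, sport), (dst_ip, dport)
        key = frozenset((src, dst))            # same key for both directions
        if key not in streams:
            # Only a bare SYN tells us who the client is; mid-stream packets without one are skipped
            if (flags & (SYN | ACK)) == SYN:
                streams[key] = TcpStream(src, dst)
            continue
        streams[key].feed(src, flags, plen)
    return list(streams.values())

# Constructed sample (not a real capture): an FTP control connection plus one stray mid-stream segment
SAMPLE = [
    ("192.168.75.10", 40001, "192.168.75.15", 21, SYN, 0),
    ("192.168.75.15", 21, "192.168.75.10", 40001, SYN | ACK, 0),
    ("192.168.75.10", 40001, "192.168.75.15", 21, ACK, 0),
    ("192.168.75.15", 21, "192.168.75.10", 40001, PSH | ACK, 20),   # e.g. a 20-byte FTP banner
    ("192.168.75.10", 40001, "192.168.75.15", 21, PSH | ACK, 11),   # e.g. "USER anon\r\n"
    ("10.10.10.2", 5555, "192.168.75.5", 80, PSH | ACK, 100),       # no SYN seen: cannot be followed
]

if __name__ == "__main__":
    for s in follow_tcp_streams(SAMPLE):
        print(s.state, s.client, "->", s.server, s.client_to_server, s.server_to_client, s.total)
        print(s.display_filter())
```

A segment whose SYN was never captured is deliberately left out: without the handshake there is no reliable way to say which end is the client, which is why captures started mid-session show incomplete streams in Ethereal as well.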
Display Filters:
Features:
1. The ability to post-process packets, providing filtration
2. Includes a GUI expression builder
3. Ability to save display filters in profiles
General Syntax:
1. protocol.field search criteria
a. ip.src == IP_ADDR - i.e. ip.src == 192.168.75.15
Note: 3 methods are available to define useful 'Display Filters':
1. Manually
2. Context menu in 'Packet List' view
3. Using the expression builder
Usage:
1. tcp.port == 21
2. udp.port == 53
3. tcp.port == 80 - filters based on HTTP traffic (port 80)
4. tcp.dstport == 21 - filters where destination port is equal to 21
Note: Display Filters can NOT be used to capture traffic
Ideal Data Capturing/Analysis Strategy:
1. Define useful capture filters: i.e. using BPFs
2. Apply capture filters to the utility: Snort, Snoop, TCPDump, WinDump, Ethereal
3. Post-process data with Ethereal, using Display Filters
Statistics:
Features:
1. Myriad statistics or views of data that's listed in the 'Packet List' window
Summary:
a. Provides myriad info. related to capture; i.e. filename, length, duration, etc.
Protocol Hierarchy Statistics:
1. Represents OSI layers from 1(Physical) to 7(Application);
Layer-1 - Frame
Layer-2 - Ethernet
Layer-3 - Internet Protocol
Layer-4 - TCP | UDP
Layers 5-7 - FTP | HTTP | etc. - Represents Packet Payload
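The Display Filter usage above (tcp.port, udp.port, tcp.dstport and ip.src terms applied after capture) and the Protocol Hierarchy layer counts both work on the same decoded frames, so one added example serves both sections. It is not code from LinuxCBT or Ethereal: it builds a small TCPDump/libpcap-format capture in memory (constructed frames with made-up MAC addresses, not a real trace), dissects Ethernet/IPv4/TCP/UDP into field names that mirror Ethereal's, evaluates a tiny subset of the Display Filter language ('proto.field == value' terms joined by 'and'), and counts frames per layer. PORT_APPS is a hypothetical port-to-application table for this example only.

```python
import struct
from collections import Counter

# Well-known port -> application protocol (hypothetical lookup table for this example)
PORT_APPS = {21: "ftp", 22: "ssh", 53: "dns", 80: "http", 123: "ntp"}

def _ipv4(proto, src, dst, l4):
    # Minimal 20-byte IPv4 header; checksum left 0 since nothing here validates it
    a = lambda s: bytes(map(int, s.split(".")))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, a(src), a(dst)) + l4

def _tcp(sport, dport, flags, payload=b""):
    # 20-byte TCP header, data offset 5 words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload

def _udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _eth(ip):
    # Ethernet II: dst MAC, src MAC (both constructed), EtherType 0x0800 = IPv4
    return bytes.fromhex("0011435abce5") + bytes.fromhex("000ea61e6153") + b"\x08\x00" + ip

def build_sample_pcap():
    """Constructed libpcap (TCPDump-format) capture: 4 Ethernet frames, not a real trace."""
    frames = [
        _eth(_ipv4(6, "192.168.75.10", "192.168.75.15", _tcp(40001, 21, 0x02))),          # SYN to FTP
        _eth(_ipv4(6, "192.168.75.15", "192.168.75.10", _tcp(21, 40001, 0x12))),          # SYN-ACK
        _eth(_ipv4(17, "192.168.75.15", "192.168.75.1", _udp(33000, 53, b"\x00" * 12))),  # DNS query
        _eth(_ipv4(6, "192.168.75.5", "10.10.10.2", _tcp(40002, 80, 0x18, b"GET / HTTP/1.0\r\n\r\n"))),
    ]
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, link type 1
    for i, f in enumerate(frames):                                   # per-packet record headers
        data += struct.pack("<IIII", 1237500000 + i, i * 1000, len(f), len(f)) + f
    return data

def decode_frame(raw, ts):
    """Dissect Ethernet/IPv4/TCP|UDP into Display-Filter-style field names plus a layer list."""
    f = {"frame.time": ts, "frame.len": len(raw), "layers": ["frame", "eth"],
         "eth.dst": ":".join(f"{b:02x}" for b in raw[0:6]),
         "eth.src": ":".join(f"{b:02x}" for b in raw[6:12])}
    if struct.unpack_from("!H", raw, 12)[0] != 0x0800:
        return f                                    # not IPv4: dissection stops at layer 2
    ip = raw[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    f["ip.src"] = ".".join(str(b) for b in ip[12:16])
    f["ip.dst"] = ".".join(str(b) for b in ip[16:20])
    f["layers"].append("ip")
    l4 = ip[ihl:]
    if proto not in (6, 17) or len(l4) < 8:
        return f                                    # ICMP etc.: no ports to dissect here
    sport, dport = struct.unpack_from("!HH", l4, 0)  # TCP and UDP both start with the two ports
    if proto == 6:
        plen = len(l4) - (l4[12] >> 4) * 4          # payload after the TCP data offset
        f.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.flags": l4[13], "tcp.len": plen})
        f["layers"].append("tcp")
    else:
        plen = len(l4) - 8
        f.update({"udp.srcport": sport, "udp.dstport": dport, "udp.length": len(l4)})
        f["layers"].append("udp")
    if plen > 0:                                    # only frames carrying payload reach layers 5-7
        f["layers"].append(PORT_APPS.get(dport, PORT_APPS.get(sport, "data")))
    return f

def parse_pcap(data):
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)   # magic reveals the writer's byte order
    if endian is None:
        raise ValueError("not a libpcap/TCPDump capture")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet (link type 1) is decoded here")
    off, frames = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frames.append(decode_frame(data[off:off + incl_len], ts_sec + ts_usec / 1e6))
        off += incl_len
    return frames

def matches(f, expr):
    """Tiny subset of the Display Filter language: 'proto.field == value' terms joined by ' and '."""
    for term in expr.split(" and "):
        name, _op, value = term.split()             # only '==' is handled in this example
        if name in ("tcp.port", "udp.port"):        # matches either end of the conversation
            p = name.split(".")[0]
            if value not in {str(f.get(p + ".srcport")), str(f.get(p + ".dstport"))}:
                return False
        elif str(f.get(name)) != value:
            return False
    return True

def apply_display_filter(frames, expr):
    return [f for f in frames if matches(f, expr)]

def protocol_hierarchy(frames):
    """Frames per layer, the way 'Protocol Hierarchy Statistics' counts them."""
    return Counter(layer for f in frames for layer in f["layers"])
```

Usage: parse_pcap(build_sample_pcap()) yields four decoded frames; apply_display_filter(frames, "tcp.port == 21") keeps the SYN and SYN-ACK of the FTP session, while "tcp.dstport == 21" keeps only the SYN. The same parse_pcap() works on a file written with tcpdump -w or snort -b once read into memory, because both produce the libpcap layout decoded here; the magic-number check matters when captures come from another architecture's byte order.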

Tethereal:
Note: Execute 'tethereal' as 'root' to be able to capture data
Note: 'root' access is NOT required to post-process data
Features:
1. Ability to capture
2. Ability to post-process (analyze) data
3. Default behaviour is to capture data on the default 'eth0' interface
4. Defaults to creating dump file (TCPDump-compliant) in '/tmp/ether*'
Usage:
1. tethereal - defaults to capturing data 'eth0'
2. tethereal -D - dumps usable interfaces
3. tethereal -i interface_name - i.e. tethereal -i lo
4. tethereal -w file_name - dumps data to file AND screen
5. tethereal -c packet_count - captures n number of packets
6. tethereal -f udp
7. tethereal -r capture_file - reads supported capture file
8. tethereal -r capture_file -R "display_filter" - reads supported capture file and post-processes using display filter

Intranet Snooping/Sniffing:
Note: Switched traffic can only be intercepted if one of the following is true:
1. Traffic is unicast - traffic to and from the sniffing box
2. Traffic is broadcast - switches flood broadcasts to all VLAN members
3. Port mirroring/SPAN is enabled on the layer-2 switch - permits the copy of traffic from source (port or VLAN) to destination (port or VLAN)
4. Hub

Configure port mirroring for 'eth1' SUSE10 box:
Steps:
1. Configure interface to be up on the SUSE10 box
a. ifup eth1 - brings interface up and makes it usable by programs (Snort/TCPDump/Ethereal)
b. tcpdump -D OR tethereal -D or ethereal -D
Note: Configure 'eth1' and other sniffing interfaces to NOT use TCP/IP
2. Confirm the configuration of the Cisco Router/Switch
a. sh int status - returns interface status
b. config t
c. monitor session 1 source interface fa6 both
d. monitor session 1 destination interface fa9
3. Begin sniffing using - Ethereal, Snort, TCPDump, etc.

Internet Snooping/Sniffing:
Configure port mirroring for 'eth2' SUSE10 box:
Steps:
1. Configure interface to be up on the SUSE10 box
a. ifup eth2 - brings interface up and makes it usable by programs (Snort/TCPDump/Ethereal)
b. tcpdump -D OR tethereal -D or ethereal -D
Note: Configure 'eth2' and other sniffing interfaces to NOT use TCP/IP
2. Confirm the configuration of the Cisco Router/Switch
a. sh int status - returns interface status
b. config t
c. monitor session 1 source interface fa2 both
d. monitor session 1 destination interface fa8
3. Begin sniffing using - Ethereal, Snort, TCPDump, etc.

Wireless Capturing - WLAN
Features:
1. Support is enabled by selecting the correct (wireless) adapter
2. 'wlan' display filters (wlan.*) select 802.11 frames and fields for reporting
Note: 192.168.75.190 - is a dual-homed machine
a. Wired connection - eth0 - 192.168.75.190
b. Wireless connection - eth1 - unconfigured
ssh -X root@192.168.75.190 - this will redirect X11 to our local system
ifup eth1 - brings the wireless eth1 interface up on the remote system
/etc/sysconfig/network - stores configuration files for NICs
iwconfig - provides configuration information and configuration of wireless interfaces

Ethereal Windows:
Features:
1. Same features, for the most part, as Nix-based Ethereal
www.ethereal.com

This article comes from the "RHCSS系统安全架构师" blog; please keep this source: http://rhcss.blog.51cto.com/672018/140622