TCPDUMP Network-Based Intrusion Detection
Description Packet sniffing is the heart of intrusion detection and of understanding what is actually occurring on your network. TCPDUMP provides options and filters to assist in the proper and thorough analysis of the acquired traffic.
How to install?
For Linux
  Download libpcap from http://www.tcpdump.org/release/libpcap-0.7.2.tar.gz
    tar zxvf libpcap-0.7.2.tar.gz; cd libpcap-0.7.2; ./configure; make; make install
  Download tcpdump from http://www.tcpdump.org/release/tcpdump-3.7.2.tar.gz
    tar zxvf tcpdump-3.7.2.tar.gz; cd tcpdump-3.7.2; ./configure; make; make install
  libpcap must be built first, because tcpdump links against it. Configure and build as an ordinary user and run only make install as root. Capturing itself also needs root (on Linux, the CAP_NET_RAW and CAP_NET_ADMIN capabilities), since tcpdump opens the interface through a raw socket. The versions above are the ones on the original slides; the same directory, http://www.tcpdump.org/release/, lists the current releases.
For Windows
  Download winpcap.exe from http://winpcap.polito.it/install/bin/WinPcap_3_0.exe
  Download windump.exe from http://windump.polito.it/install/bin/WinDump.exe
  Install WinPcap first, then execute windump.exe (WinDump is tcpdump built on the WinPcap capture driver).
For FreeBSD
  Built in: tcpdump and libpcap ship with the base system, so nothing needs to be installed.
Output format
ARP/RARP packets
  arp who-has [A] tell [B]      host B asks which hardware address belongs to IP address A
  arp reply [A] is-at [a]       the owner of A answers with its hardware (MAC) address a
TCP packets
  src > dst: flags data-seqno ack window urgent options
  src: source IP address and port, printed as host.port
  dst: destination IP address and port
  flags: S (SYN), F (FIN), P (PUSH), R (RST); a single "." means none of these is set. ACK is not printed as a letter in this (tcpdump 3.x) format; it shows up as the separate ack field. Newer tcpdump (4.x) prints Flags [S.], where the "." stands for ACK.
  data-seqno: the portion of sequence space covered by the data in the packet, printed as first:last(nbytes); omitted when the segment carries no data and is neither a SYN nor a FIN
  ack: the sequence number of the next byte expected from the other side of the connection
  window: the number of bytes of receive buffer space the sender is advertising
  urg: present when the segment carries "urgent" data (URG flag set), followed by the urgent pointer
  options: TCP options such as <mss 1460>, enclosed in angle brackets
Summary Tcpdump and windump are powerful packet capture utilities that allow for the extraction of particular types of network traffic based on header information. They can filter on any field in the IP, ICMP, UDP, or TCP header, including fields that have no named filter primitive, by addressing the field with a byte offset such as tcp[13] (the TCP flags byte) or ip[0] & 0xf (the IP header length).
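The output format from the previous slide and the byte-offset filtering described in this summary, worked through as an added example. This is Python written for this page, not tcpdump's or WinDump's code: it builds a constructed three-way handshake plus one data segment (the addresses 10.0.0.5 and 10.0.0.9, ports, sequence numbers and the HTTP payload are made up), prints each segment in the classic tcpdump 3.x line format, and evaluates two real tcpdump filter expressions by hand, tcp[13] & 0x3f == 0x02 (SYN-only, the usual scan-detection filter) and the man-page payload-length expression (ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2), so the reader can see exactly which header bytes those offsets name.

```python
"""Added example (not tcpdump's code): decode TCP/IP headers into classic tcpdump
output and evaluate byte-offset filters (tcp[13], ip[0] & 0xf) on constructed packets."""
import socket
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_HDR = "!HHIIBBHHH"  # sport dport seq ack offset flags window checksum urgptr

def build_ipv4(src, dst, payload, proto=6, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left 0 (irrelevant for decoding)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def build_tcp(sport, dport, seq, ack, flags, window, options=b"", payload=b""):
    """TCP header; options padded to 32-bit words so the data offset is exact."""
    options += b"\x00" * (-len(options) % 4)
    hdr = struct.pack(TCP_HDR, sport, dport, seq, ack, ((20 + len(options)) // 4) << 4,
                      flags, window, 0, 0)
    return hdr + options + payload

def parse(pkt):
    """Pull out the fields tcpdump prints for one TCP segment."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]
    sport, dport, seq, ack, off, flags, win, _csum, urg = struct.unpack(TCP_HDR, tcp[:20])
    doff = (off >> 4) * 4
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": win, "urgptr": urg, "options": tcp[20:doff], "payload": tcp[doff:]}

def flag_letters(flags):
    """Flag column: S F P R, or '.' when none is set. ACK is printed separately as 'ack N'."""
    letters = [ch for bit, ch in ((SYN, "S"), (FIN, "F"), (PSH, "P"), (RST, "R")) if flags & bit]
    return "".join(letters) or "."

def format_options(opts):
    """TCP options in angle brackets: MSS and NOP are named, EOL ends the list, others by kind."""
    out, i = [], 0
    while i < len(opts) and opts[i] != 0:          # kind 0 = end of option list
        kind = opts[i]
        if kind == 1:                               # NOP has no length byte
            out.append("nop")
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:
            out.append("mss %d" % struct.unpack("!H", opts[i + 2:i + 4])[0])
        else:
            out.append("opt-%d:%d" % (kind, length - 2))
        i += length
    return "<%s>" % ",".join(out) if out else ""

def tcpdump_line(p):
    """src.port > dst.port: flags data-seqno ack window urgent options (absolute seqnos, like -S)."""
    parts = ["%s.%d > %s.%d:" % (p["src"], p["sport"], p["dst"], p["dport"]),
             flag_letters(p["flags"])]
    n = len(p["payload"])
    if n or p["flags"] & (SYN | FIN):               # seqno range shown only when it advances
        parts.append("%d:%d(%d)" % (p["seq"], p["seq"] + n, n))
    if p["flags"] & ACK:
        parts.append("ack %d" % p["ack"])
    parts.append("win %d" % p["window"])
    if p["flags"] & URG:
        parts.append("urg %d" % p["urgptr"])
    opts = format_options(p["options"])
    return " ".join(parts + [opts] if opts else parts)

def tcp_byte(pkt, offset):
    """tcp[offset]: byte at that offset from the TCP header, skipping ip[0] & 0xf words of IP."""
    return pkt[(pkt[0] & 0x0F) * 4 + offset]

def is_syn_only(pkt):
    """Same test as the filter  tcp[13] & 0x3f == 0x02  (SYN set, no FIN/RST/PSH/ACK/URG)."""
    return (tcp_byte(pkt, 13) & 0x3F) == SYN

def tcp_payload_len(pkt):
    """Mirrors the man-page filter (ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)."""
    total = struct.unpack("!H", pkt[2:4])[0]
    return total - ((pkt[0] & 0x0F) << 2) - ((tcp_byte(pkt, 12) & 0xF0) >> 2)

MSS_1460 = b"\x02\x04\x05\xb4"                       # option kind 2, length 4, MSS 1460
# Constructed three-way handshake plus one data segment; not a real capture.
SAMPLE_PACKETS = [
    build_ipv4("10.0.0.5", "10.0.0.9", build_tcp(40000, 80, 1000, 0, SYN, 65535, MSS_1460)),
    build_ipv4("10.0.0.9", "10.0.0.5", build_tcp(80, 40000, 5000, 1001, SYN | ACK, 65535, MSS_1460)),
    build_ipv4("10.0.0.5", "10.0.0.9", build_tcp(40000, 80, 1001, 5001, ACK, 65535)),
    build_ipv4("10.0.0.5", "10.0.0.9", build_tcp(40000, 80, 1001, 5001, PSH | ACK, 65535,
                                                payload=b"GET / HTTP/1.0\r\n")),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(tcpdump_line(parse(pkt)), "| syn-only:", is_syn_only(pkt), "| data:", tcp_payload_len(pkt))
```

Only the first segment matches the SYN-only test: the SYN/ACK has bit 0x10 set as well, which is why the mask matters when hunting for scans. The payload-length expression is the one the tcpdump man page uses to print only HTTP segments that actually carry data, and it is pure header arithmetic, so it works against any capture without a named primitive for "data length".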
Conclusion & what you learn
To demonstrate how to install and use tcpdump and windump, and how to analyze the data that is collected.
To understand the basic functionality of network-based intrusion detection.
For more information about WinDump, please visit http://windump.polito.it/docs/default.htm