Presentation on theme: "TCPDUMP Network-Based Intrusion Detection. Description Packet sniffing is the heart of intrusion detection and of understanding what is actually occurring."— Presentation transcript:
TCPDUMP Network-Based Intrusion Detection
Description Packet sniffing is the heart of intrusion detection and of understanding what is actually occurring on your network. TCPDUMP provides options and filters to assist in the proper and thorough analysis of the acquired traffic.
How to install? For Linux Download libpcap from tar zxvf libpcap tar.gz; cd libpcap-0.7.2;./configure; make; make install Download tcpdump fom tar zxvf tcpdump tar.gz; cd tcpdump-3.7.2;./configure; make; make install For windows Download winpcap.exe from Download windump.exe from Install winpcap and execute windump.exe For FreeBSD bulit-in function
Output format ARP/RARP packets arp who-has [A] tell [B] arp reply [A] is-at [a] TCP packets src > dst: flags data-seqno ack window urgent options src: source ip address and port dst: destination ip address and port flags: S (SYN), F (FIN), P(PUSH), R(RST),. (no flags) Data-seqno: describes the portion of sequence space covered by the data in the packet Ack: sequence number of the next data Window: the number of byte of receive buffer space Urg: indicates there is “ urgent ” data in the packet Options: tcp options enclosed in angle brackets
Summary Tcpdump and windump are powerful packet capture utilities that allow for the extraction of particular types of network traffic based on header information. They can filter any field in the IP, ICMP, UDP, or TCP header using byte offsets.
Conclusion&What do you learn? To demonstrate how to install and use tcpdump and windump and how to analyze data that is collected To understand what the basic functionality of network-based intrusion detection. More information about WinDump, plz visit t.htm
TCPREPLAY Replay packets from capture files
Description Tcpreplay is a tool for replaying network traffic from files saved with tcpdump
basic operation to resend all packets from input files at the spped at wich they were recorded, a specified data rate, or as fast as the hardware is capable.
Summary By processing a cache file generated by tcpprep, tcpreplay is able to split traffic between two interfaces. This is useful for testing bridges, routers, and other gateway devices.