1. TCPDUMP Network-Based Intrusion Detection

2. Description  Packet sniffing is the heart of intrusion detection and of understanding what is actually occurring on your network.  TCPDUMP provides options and filters to assist in the proper and thorough analysis of the acquired traffic.

3. How to install?  For Linux Download libpcap from http://www.tcpdump.org/release/libpcap-0.7.2.tar.gz tar zxvf libpcap-0.7.2.tar.gz; cd libpcap-0.7.2;./configure; make; make install Download tcpdump fom http://www.tcpdump.org/release/tcpdump-3.7.2.tar.gz tar zxvf tcpdump-3.7.2.tar.gz; cd tcpdump-3.7.2;./configure; make; make install  For windows Download winpcap.exe from http://winpcap.polito.it/install/bin/WinPcap_3_0.exe Download windump.exe from http://windump.polito.it/install/bin/WinDump.exe Install winpcap and execute windump.exe  For FreeBSD bulit-in function

4. Output format  ARP/RARP packets arp who-has [A] tell [B] arp reply [A] is-at [a]  TCP packets src > dst: flags data-seqno ack window urgent options src: source ip address and port dst: destination ip address and port flags: S (SYN), F (FIN), P(PUSH), R(RST),. (no flags) Data-seqno: describes the portion of sequence space covered by the data in the packet Ack: sequence number of the next data Window: the number of byte of receive buffer space Urg: indicates there is “ urgent ” data in the packet Options: tcp options enclosed in angle brackets

7. Summary  Tcpdump and windump are powerful packet capture utilities that allow for the extraction of particular types of network traffic based on header information. They can filter any field in the IP, ICMP, UDP, or TCP header using byte offsets.

8. Conclusion&What do you learn?  To demonstrate how to install and use tcpdump and windump and how to analyze data that is collected  To understand what the basic functionality of network-based intrusion detection.  More information about WinDump, plz visit http://windump.polito.it/docs/defaul t.htm

9. TCPREPLAY Replay packets from capture files

10. Description  Tcpreplay is a tool for replaying network traffic from files saved with tcpdump

11. basic operation  to resend all packets from input files at the spped at wich they were recorded, a specified data rate, or as fast as the hardware is capable.

12. example

13. Summary  By processing a cache file generated by tcpprep, tcpreplay is able to split traffic between two interfaces. This is useful for testing bridges, routers, and other gateway devices.