1 Lecture 24: Network Primer 7/16/2003 CSCE 590 Summer 2003

2 tcpdump
Packet capture and analysis utility
Default number of bytes captured: 68
–Change with the snaplength option: -s 1518
–If a packet is truncated, a “|” symbol is used in the output
Does not show the frame header by default
–To enable that: -e
To see hexadecimal output: -x
To see hexadecimal output with an ASCII sidebar: -X

3 tcpdump
To write a trace to a file instead of standard output, use -w filename
To read from a trace file, use -r filename
To choose a network interface to sniff traffic from, use -i interface
To force tcpdump not to resolve machine names with DNS, use -n
To force it to also not translate TCP/UDP service port numbers from the /etc/services file, add another n: -nn

4 tcpdump Filters
There are given keywords or macros for commonly accessed headers in filtering
To reference a type of header in a packet:
–ip, tcp, icmp, udp
To reference a particular byte within that header, use a byte displacement with the type:
–ip[0] – first byte of the IP header (numbering starts from zero)
–tcp[13] – tcp header length

5 Filters vs. Macros
Macros are predefined filters
Must use filters where there are no macros
Filter format – type[offset:length]
Macro format – keyword
Example:
–ip[9] = 1
–Ninth byte of the IP header is the Protocol type, and a value of 1 = ICMP
–Macro equivalent: icmp

6 More Examples
tcp[0:2] < 53
–Starting at byte 0 of the TCP header, for 2 bytes (source port field), with a value less than 53
–tcp and src port < 53 (NOT!!!) – can’t do relational with macros, only give it a value
udp[6:2] != 0
–? Your turn
icmp[0] = 8
–? Your turn

7 Common Macros
host
net (129.252)
port
src – can modify host, net, and port
dst – can modify host, net, and port
icmp
tcp
udp
Also: and (&&), not (!), or (||)

8 Bits and Bytes
Sometimes you don’t want a whole byte (looking at just a flag)
So we turn to bit masking (math, eeeww!)
“AND” unwanted bits with 0 to clear them
“AND” wanted bits with 1 to keep them
tcpdump works in hexadecimal, however, so there is some conversion involved

9 Bit Masking Example
Let’s check for the TCP ACK bit turned on
It is byte 13 so we have tcp[13]
From our TCP header:
  Byte 13 = 0x12 = 0 0 0 1 0 0 1 0
  AND mask        _ _ _ _ _ _ _ _
                  0 0 0 1 0 0 0 0 = 0x10
Complete filter: (tcp[13] & 0x10) != 0
tcpdump -i eth0 -s 1518 '(tcp[13] & 0x10) != 0'
What kind of packets with: (tcp[13] & 0x10) = 0
(Figure: TCP header bytes 12 and 13 – Hdr Len, Reserved, URG, ACK, PSH, RST, SYN, FIN)

10 Bit Masking Examples
What do these masks check for?
–(tcp[13] & 0x02) != 0
–tcp[13] = 0xff
–(ip[6] & 0x20) != 0
Write one to check for either the SYN or FIN bit set
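As an added example (not part of the lecture), the Python below evaluates the byte-offset and bit-mask filters from slides 4 to 10 against a raw packet, so each mask on this slide can be checked against known header bytes. The packet is constructed here: a 20-byte IPv4 header carrying a 20-byte TCP header whose byte 13 is 0x12 (ACK+SYN), the same value slide 9 works through.

```python
import re
import struct

# Constructed packet: 20-byte IPv4 header (protocol 6 = TCP) followed by a
# 20-byte TCP header whose byte 13 is 0x12 (ACK+SYN), as on slide 9.
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0x00, 40, 0x1234, 0x4000, 64, 6, 0,
                     bytes([129, 252, 1, 2]), bytes([129, 252, 1, 3]))
TCP_HDR = struct.pack("!HHIIBBHHH", 1745, 53, 42371, 0, 0x50, 0x12, 2048, 0, 0)
PACKET = IP_HDR + TCP_HDR

# proto[offset[:len]] [& mask] op value, with or without surrounding parentheses
FILTER_RE = re.compile(
    r"^\(?\s*(ip|tcp|udp|icmp)\[(\d+)(?::(\d+))?\]"
    r"(?:\s*&\s*(0x[0-9a-fA-F]+|\d+))?\s*\)?"
    r"\s*(!=|=|<|>)\s*(0x[0-9a-fA-F]+|\d+)\s*$")

def header_bytes(packet, proto):
    """Bytes of the requested header: the IP header itself, or what follows it."""
    if proto == "ip":
        return packet
    ihl = (packet[0] & 0x0F) * 4   # IP header length: low nibble of byte 0, in 32-bit words
    return packet[ihl:]

def match_filter(expr, packet):
    """Evaluate a tcpdump-style byte/bit filter such as '(tcp[13] & 0x10) != 0'."""
    m = FILTER_RE.match(expr)
    if not m:
        raise ValueError("unsupported filter: " + expr)
    proto, off, length, mask, op, value = m.groups()
    off, length = int(off), int(length or 1)
    hdr = header_bytes(packet, proto)
    field = int.from_bytes(hdr[off:off + length], "big")   # multi-byte fields are network order
    if mask:
        field &= int(mask, 0)   # AND: a 1 bit keeps, a 0 bit clears
    value = int(value, 0)
    return {"=": field == value, "!=": field != value,
            "<": field < value, ">": field > value}[op]
```

Running the slide's three masks over PACKET shows the SYN test match, tcp[13] = 0xff not match, and the ip[6] test (the More Fragments bit) not match, since this packet's flags byte is 0x40 (Don't Fragment).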

11 Another Game of What’s Weird?
22:08:38.495489 dns.querier.1745 > dns.nl.53: 42371+ (31)
22:08:48.150706 dns.nl > dns.querier: (frag 63694:30@400)
22:08:48.154481 dns.nl.53 > dns.querier.1745: 42371 6/8/8 (72) (frag 63694:80@0+)
22:08:48.154481 dns.nl > dns.querier: (frag 63694:80@320+)
22:08:48.154490 dns.nl > dns.querier: (frag 63694:80@240+)
22:08:48.156737 dns.nl > dns.querier: (frag 63694:80@160+)
22:08:48.156745 dns.nl > dns.querier: (frag 63694:80@80+)
22:09:08.612886 dns.querier > dns.nl: icmp: ip reassembly time exceeded [tos 0xc0]

12 What’s Weird?
2:19:30.481578 somewhere.nl > 129.252.176.255: icmp: echo request (ttl 246, id 5134)
2:19:31.478737 somewhere.au > 129.252.176.255: icmp: echo request (ttl 246, id 5134)
2:19:32.478824 somewhere.de > 129.252.176.255: icmp: echo request (ttl 246, id 5134)
2:19:33.478916 somewhere.edu > 129.252.176.255: icmp: echo request (ttl 246, id 5134)

13 What’s Weird?
23:12:26.100485 hostA.48776 > machineB.25: . ack 0 win 2048

14 Another Trace
23:30:32.704057 beav.32772 > www.sc.edu.33435: [udp sum ok] udp 10 [ttl 1] (id 20523, len 38)
23:30:32.707533 beav.32772 > www.sc.edu.33436: [udp sum ok] udp 10 [ttl 1] (id 20524, len 38)
23:30:32.707760 beav.32772 > www.sc.edu.33437: [udp sum ok] udp 10 [ttl 1] (id 20525, len 38)
23:30:32.708017 beav.32772 > www.sc.edu.33438: [udp sum ok] udp 10 (ttl 2, id 20526, len 38)
23:30:32.712804 beav.32772 > www.sc.edu.33439: [udp sum ok] udp 10 (ttl 2, id 20527, len 38)
23:30:32.713351 beav.32772 > www.sc.edu.33440: [udp sum ok] udp 10 (ttl 2, id 20528, len 38)
23:30:32.713961 beav.32772 > www.sc.edu.33441: [udp sum ok] udp 10 (ttl 3, id 20529, len 38)
23:30:32.719796 beav.32772 > www.sc.edu.33442: [udp sum ok] udp 10 (ttl 3, id 20530, len 38)
23:30:32.720618 beav.32772 > www.sc.edu.33443: [udp sum ok] udp 10 (ttl 3, id 20531, len 38)

15 What’s This?
23:49:23.440874 host.57839 > fozzie.32787: udp 0
23:49:23.440901 host.57839 > fozzie.32775: udp 0
23:49:23.440932 host.57839 > fozzie.32788: udp 0
23:49:23.440943 host.57839 > fozzie.32789: udp 0
23:49:23.440986 host.57839 > fozzie.32791: udp 0
23:49:23.441009 host.57839 > fozzie.32799: udp 0
23:49:23.441027 host.57839 > fozzie.32774: udp 0
23:49:23.441059 host.57839 > fozzie.32781: udp 0
23:49:23.441072 host.57839 > fozzie.32772: udp 0
23:49:23.441080 host.57839 > fozzie.32789: udp 0
23:49:23.441105 host.57839 > fozzie.32800: udp 0
23:49:23.441215 fozzie > host: icmp: fozzie udp port 32788 unreachable (DF)
23:49:23.441269 fozzie > host: icmp: fozzie udp port 32791 unreachable (DF)
23:49:23.441288 fozzie > host: icmp: fozzie udp port 32781 unreachable (DF)
23:49:23.441310 fozzie > host: icmp: fozzie udp port 32789 unreachable (DF)

16 And This?
23:46:40.529581 map.edu.39344 > 129.252.41.16.143: S 698192483:698192483(0) win 8192
23:46:41.509678 map.edu.39345 > 129.252.41.15.143: S 698735981:698735981(0) win 8192
23:46:53.518688 map.edu.39378 > 129.252.41.14.143: S 698654463:698654463(0) win 8192
23:46:53.923679 map.edu.39379 > 129.252.41.13.143: S 699129230:699129230(0) win 8192
23:46:53.970672 map.edu.39639 > 129.252.41.11.143: S 699129300:699129300(0) win 8192
23:46:53.989649 map.edu.39777 > 129.252.41.10.143: S 699129740:699129740(0) win 8192
23:46:53.994699 map.edu.39791 > 129.252.41.12.143: S 699129768:6991292768(0) win 8192
23:46:53.999670 map.edu.39812 > 129.252.41.9.143: S 699129901:699129901(0) win 8192

17 What’s Weird?
23:46:40.529581 map.net.0 > 129.252.41.99.110: SF 698192483:698192483(0) win 512
23:46:41.509678 map.net.0 > 129.252.41.27.110: SF 698192483:698192483(0) win 512
23:46:53.518688 map.net.0 > 129.252.41.56.110: SF 698192483:698192483(0) win 512
23:46:53.923679 map.net.0 > 129.252.41.33.110: SF 698192483:698192483(0) win 512
23:46:53.970672 map.net.0 > 129.252.41.119.110: SF 698192483:698192483(0) win 512
23:46:53.989649 map.net.0 > 129.252.41.76.110: SF 698192483:698192483(0) win 512
23:46:53.994699 map.net.0 > 129.252.41.200.110: SF 698192483:698192483(0) win 512
23:46:53.999670 map.net.0 > 129.252.41.15.110: SF 698192483:698192483(0) win 512

18 What’s Strange?
23:46:40.529581 ack.org.23 > 129.252.41.99.23: . ack 698192483 win 512
23:46:41.509678 ack.org.23 > 129.252.37.4.23: . ack 698192483 win 512
23:46:53.518688 ack.org.143 > 129.252.41.99.143: . ack 698192483 win 512
23:46:53.923679 ack.org.143 > 129.252.37.4.143: . ack 698192483 win 512
23:46:53.970672 ack.org.110 > 129.252.41.99.110: . ack 698192483 win 512
23:46:53.989649 ack.org.110 > 129.252.37.4.110: . ack 698192483 win 512
23:46:53.994699 ack.org.23 > 129.252.33.7.23: . ack 698192483 win 512
23:46:53.999670 ack.org.23 > 129.252.4.213.23: . ack 698192483 win 512

19 Anything Unusual?
23:46:40.529581 scan.net.25820 > 129.252.41.76.23: S 698192483:698192483(4) win 4096
23:46:41.509678 scan.net.25820 > 129.252.136.76.23: S 698197881:698197881(4) win 4096
23:46:53.518688 scan.net.47521 > 10.20.98.76.23: S 378192499:378192499(4) win 4096
23:46:53.923679 scan.net.25820 > 129.252.11.76.23: S 69821387:69821387(4) win 4096
23:46:53.970672 scan.net.47521 > 10.20.54.76.23: S 378212490:378212490(4) win 4096
23:46:53.989649 scan.net.47521 > 10.20.223.76.23: S 378212787:378212787(4) win 4096
23:46:53.994699 scan.net.25820 > 129.252.209.76.23: S 69822345:69822345(4) win 4096
23:46:53.999670 scan.net.47521 > 10.20.90.76.23: S 37827658:37827658(4) win 4096
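As an added example (not part of the lecture), the Python below parses tcpdump TCP lines in the format of slides 16 to 19 and reports the crafted-packet traits an analyst looks for in those traces: a source port of 0, SYN and FIN set together, a SYN carrying payload, unsolicited ACKs with matching source and destination ports, and one sequence or ACK number reused toward many hosts. The sample is constructed from one representative line per slide; the indicator names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the format of slides 16-19 (one or two representative
# lines per trace).
SAMPLE = """\
23:46:40.529581 map.edu.39344 > 129.252.41.16.143: S 698192483:698192483(0) win 8192
23:46:40.529581 map.net.0 > 129.252.41.99.110: SF 698192483:698192483(0) win 512
23:46:41.509678 map.net.0 > 129.252.41.27.110: SF 698192483:698192483(0) win 512
23:46:40.529581 ack.org.23 > 129.252.41.99.23:. ack 698192483 win 512
23:46:41.509678 ack.org.23 > 129.252.37.4.23:. ack 698192483 win 512
23:46:40.529581 scan.net.25820 > 129.252.41.76.23: S 698192483:698192483(4) win 4096
"""
# time src.port > dst.port: flags [seq:seq(len)] [ack N] ...
LINE_RE = re.compile(r"^(\S+) (\S+)\.(\d+) > (\S+)\.(\d+):\s*([SFRPU.]+)\s+"
                     r"(?:(\d+):\d+\((\d+)\)\s*)?(?:ack (\d+))?")

def parse(line):
    """Parse one tcpdump TCP line into a dict, or None if it is not TCP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _, src, sport, dst, dport, flags, seq, plen, ack = m.groups()
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "flags": flags, "seq": int(seq) if seq else None,
            "plen": int(plen) if plen else 0, "ack": int(ack) if ack else None}

def find_anomalies(text):
    """Return the sorted set of crafted-packet indicators seen in `text`."""
    hits, seq_dsts, ack_dsts = set(), defaultdict(set), defaultdict(set)
    for p in filter(None, map(parse, text.splitlines())):
        if p["sport"] == 0:
            hits.add("source port 0")
        if "S" in p["flags"] and "F" in p["flags"]:
            hits.add("SYN and FIN set together")
        if p["flags"] == "S" and p["plen"] > 0:
            hits.add("SYN carrying payload")
        if p["flags"] == "." and p["ack"] is not None and p["sport"] == p["dport"]:
            hits.add("unsolicited ACK, source port equals destination port")
        if p["seq"] is not None:
            seq_dsts[p["seq"]].add(p["dst"])
        if p["ack"] is not None:
            ack_dsts[p["ack"]].add(p["dst"])
    if any(len(d) > 1 for d in seq_dsts.values()):
        hits.add("same initial sequence number sent to several hosts")
    if any(len(d) > 1 for d in ack_dsts.values()):
        hits.add("same ACK number sent to several hosts")
    return sorted(hits)
```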

20 What’s Scary?
23:46:40.529581 scanner.net > dns.my.edu: ip-proto-54 44
23:46:41.509678 scanner.net > dns.my.edu: ip-proto-54 44
23:46:53.518688 scanner.net > dns.my.edu: ip-proto-54 44
23:46:53.923679 scanner.net > firewall.my.edu: ip-proto-54 44
23:46:53.970672 scanner.net > firewall.my.edu: ip-proto-54 44
23:46:53.989649 scanner.net > firewall.my.edu: ip-proto-54 44
23:46:53.994699 scanner.net > ids.my.edu: ip-proto-54 44
23:46:53.999670 scanner.net > ids.my.edu: ip-proto-54 44
23:46:53.999691 scanner.net > ids.my.edu: ip-proto-54 44
(ip-proto-54 = usually ATM: Next Hop Resolution Protocol) But that’s beside the scary point.

21 Huh?
router1.com > 129.252.49.0: icmp: time exceeded in-transit
router1.com > 129.252.21.0: icmp: time exceeded in-transit
router1.com > 129.252.78.0: icmp: time exceeded in-transit
router1.com > 129.252.52.0: icmp: time exceeded in-transit
router2.com > 129.252.109.0: icmp: time exceeded in-transit [tos 0xc0]
router2.com > 129.252.1.0: icmp: time exceeded in-transit [tos 0xc0]
router2.com > 129.252.243.0: icmp: time exceeded in-transit [tos 0xc0]
router2.com > 129.252.43.0: icmp: time exceeded in-transit [tos 0xc0]
router2.com > 129.252.66.0: icmp: time exceeded in-transit [tos 0xc0]
router2.com > 129.252.31.0: icmp: time exceeded in-transit [tos 0xc0]
router2.com > 129.252.200.0: icmp: time exceeded in-transit [tos 0xc0]
router2.com > 129.252.212.0: icmp: time exceeded in-transit [tos 0xc0]
router2.com > 129.252.79.0: icmp: time exceeded in-transit [tos 0xc0]
router3.com > 129.252.55.0: icmp: time exceeded in-transit
router3.com > 129.252.111.0: icmp: time exceeded in-transit
router3.com > 129.252.83.0: icmp: time exceeded in-transit
router1.com > 129.252.16.0: icmp: time exceeded in-transit
router1.com > 129.252.156.0: icmp: time exceeded in-transit

22 WinNuke
nuker.com.334455 > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg 3 (DF)

23 And This?
3:46:41.529581 dos.com > 129.252.49.0: (frag 54190:1480@4440+)
3:46:41.579678 dos.com > 129.252.49.0: (frag 54190:1480@2960+)
3:46:53.518688 dos.com > 129.252.49.0: (frag 54190:1480@1480+)
3:46:53.923679 dos.com > 129.252.49.0: (frag 54190:1480@1480+)
3:46:53.970672 dos.com > 129.252.49.0: (frag 54190:1480@2960+)
3:46:53.989649 dos.com > 129.252.49.0: (frag 54190:1480@5920+)
3:46:53.994699 dos.com > 129.252.49.0: (frag 54190:1480@1480+)
3:46:53.999670 dos.com > 129.252.49.0: (frag 54190:1480@2960+)
3:46:53.999670 dos.com > 129.252.49.0: (frag 54190:1480@4440+)
3:46:53.999670 dos.com > 129.252.49.0: (frag 54190:1480@1480+)
http://www.cisco.com/warp/public/770/nifrag.shtml

24 Bad Network Traffic in Other Places
Web logs
Traffic monitoring graphs
Firewall logs
Intrusion detection systems
Router syslogs
I even see attempts against my SSH tunnels!

25 Slammer
02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0]

26 Nimda
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET /scripts/..%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
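As an added example (not part of the lecture), the Python below shows why these requests are all one signature: it decodes each request path the way a lenient server decoder did, repeating percent-decoding so %255c becomes %5c and then a backslash, and folding the overlong two-byte UTF-8 forms (%c0%af, %c1%9c, %c1%1c) to the ASCII byte (b1 & 0x1f) << 6 | (b2 & 0x3f), after which the "..\.." traversal and the cmd.exe target are visible in every variant. The log lines are constructed in the slide's format; the folding rule is this example's assumption about the decoder, not something the slide states.

```python
import re
from urllib.parse import unquote_to_bytes
# Constructed log lines in the format of the Nimda slide above.
LOG = """\
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET /index.html HTTP/1.0" 200 1024
"""
REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')
def decode_lenient(path, rounds=3):
    """Percent-decode repeatedly (%255c -> %5c -> '\\'), then fold an overlong
    two-byte UTF-8 sequence (0xC0/0xC1 lead) to (b1 & 0x1f) << 6 | (b2 & 0x3f)."""
    raw = path.encode("latin-1")
    for _ in range(rounds):
        raw, prev = unquote_to_bytes(raw), raw
        if raw == prev:
            break
    out, i = bytearray(), 0
    while i < len(raw):
        b, step = raw[i], 1
        if b in (0xC0, 0xC1) and i + 1 < len(raw):   # overlong lead byte: fold to ASCII
            b, step = ((b & 0x1F) << 6) | (raw[i + 1] & 0x3F), 2
        out.append(b)
        i += step
    return out.decode("latin-1").replace("\\", "/")

def escapes_root(path):
    """True if '..' segments climb above the web root."""
    depth = 0
    for seg in path.split("?", 1)[0].split("/"):
        depth += -1 if seg == ".." else int(seg not in ("", "."))
        if depth < 0:
            return True
    return False

def flag_requests(log):
    """Return (raw_path, decoded_path, reasons) for each suspicious request."""
    findings = []
    for m in REQ_RE.finditer(log):
        decoded = decode_lenient(m.group(1))
        reasons = []
        if escapes_root(decoded):
            reasons.append("traversal above web root")
        if decoded.split("?", 1)[0].lower().endswith("cmd.exe"):
            reasons.append("request for cmd.exe")
        if reasons:
            findings.append((m.group(1), decoded, reasons))
    return findings
```

The two 400 responses on the slide (%35%63 and %35c) decode to a literal "5c" rather than a separator, so they do not escape the root and are flagged only for the cmd.exe target.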

27 Firewall Logs

28 Intrusion Detection Systems

29 References
Highly recommend: http://www.sans.org/resources/tcpip.pdf
