Presentation transcript. Theme: "Using tcpdump. tcpdump is a powerful tool that allows us to sniff network packets and make some statistical analysis out of those dumps. tcpdump operates."
Using tcpdump
tcpdump is a powerful tool that allows us to sniff network packets and make some statistical analysis out of those dumps. tcpdump operates by putting the network card into promiscuous mode in order to capture all the packets. Using tcpdump we have a view on any TCP/UDP connection establishment and termination.
Using tcpdump
Flags can be any of the list:
  S   -> SYN (synchronize sequence numbers; connection establishment)
  F   -> FIN (end of sending by the sender; connection termination)
  R   -> RST (reset connection)
  P   -> PSH (push data)
  .   -> no flag is set
  ACK -> acknowledgement
  URG -> urgent
Using tcpdump: the three-way handshake
The client sends a SYN segment with the port number of the server it wants to connect to and the client's initial sequence number (Line 1).
The server responds with its own SYN segment containing its initial sequence number (Line 2). This segment also contains an ack flag, so it acknowledges the client's SYN (sequence number 1412042008 + 1).
The client acknowledges this SYN from the server by sending another segment containing the "." flag and ack (Line 3).
Using tcpdump: some examples
  tcpdump -n
  tcpdump -n host 192.168.0.21
  tcpdump -n host 192.168.0.21 port 80
  tcpdump -n host 192.168.0.21 port 80 or 443
  tcpdump -n host 192.168.0.21 and not port 22
Other switches:
  -i  specify the network interface
  -f  send results to
  -c  capture until the specified number of packets have been captured
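As an added example (not part of the original presentation), the following POSIX shell script reads tcpdump output lines, counts each TCP flag combination, and lists the flows for which the full three-way handshake described above was seen. The sample lines are constructed, not a real capture, and use the `Flags [...]` notation of current tcpdump versions rather than the older single-letter column the slides describe; the function names `flag_summary` and `handshakes` are this example's own.

```shell
#!/bin/sh
# Added example: summarise TCP flags in tcpdump output and spot completed handshakes.
# SAMPLE is constructed, not a real capture: one full handshake to port 80
# (S, S., .), one SYN to port 22 answered with RST, then a FIN from the client.
SAMPLE='12:00:01.000000 IP 192.168.0.21.51234 > 10.0.0.5.80: Flags [S], seq 1412042008, win 64240, length 0
12:00:01.000100 IP 10.0.0.5.80 > 192.168.0.21.51234: Flags [S.], seq 2911293021, ack 1412042009, win 65535, length 0
12:00:01.000200 IP 192.168.0.21.51234 > 10.0.0.5.80: Flags [.], ack 1, win 502, length 0
12:00:02.000000 IP 192.168.0.21.51235 > 10.0.0.5.22: Flags [S], seq 17, win 64240, length 0
12:00:02.000050 IP 10.0.0.5.22 > 192.168.0.21.51235: Flags [R.], seq 0, ack 18, win 0, length 0
12:00:03.000000 IP 192.168.0.21.51234 > 10.0.0.5.80: Flags [F.], seq 1, ack 1, win 502, length 0'

# flag_summary: read tcpdump lines on stdin and print "<flags> <count>" per flag
# combination. "S" alone is a SYN, "S." a SYN carrying ack, "." a pure ACK
# (none of S/F/R/P set), "R." a reset, "F." a FIN.
flag_summary() {
    awk 'match($0, /Flags \[[^]]*\]/) {
             n[substr($0, RSTART + 7, RLENGTH - 8)]++
         }
         END { for (f in n) printf "%s %d\n", f, n[f] }' | LC_ALL=C sort
}

# handshakes: print "client>server" for every flow in which the three segments
# of the handshake were seen in order: S from the client, S. from the server,
# then . (ack only) from the client. A SYN answered by RST never appears here.
handshakes() {
    awk 'match($0, /Flags \[[^]]*\]/) {
             f = substr($0, RSTART + 7, RLENGTH - 8)
             src = $3; dst = $5; sub(/:$/, "", dst)
             if (f == "S") { syn[src ">" dst] = 1 }
             else if (f == "S." && syn[dst ">" src]) { synack[dst ">" src] = 1 }
             else if (f == "." && synack[src ">" dst]) { done[src ">" dst] = 1 }
         }
         END { for (k in done) print k }' | LC_ALL=C sort
}

# Stand-alone run: feed the constructed sample through both functions.
printf '%s\n' "$SAMPLE" | flag_summary
printf '%s\n' "$SAMPLE" | handshakes
```

Piping a live capture (`tcpdump -n ... | flag_summary`) gives the same summary; a large number of "S" entries with few completed handshakes is the kind of ratio worth a second look on a server.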
What is a Process?
A process is an instance of a running program. A process consists of:
  - a process ID
  - an owner, who created the process
  - a program counter that keeps track of where you are
  - a copy of the stack and registers used by the process
  - an address space (chunk of memory) that contains:
      Text segment - executable instructions
      Data segment - all the data used by the program
      User segment - process ID information
Unix is a Multitasking OS
In multitasking the OS loads several processes into memory and switches rapidly amongst them. This keeps the processor busy. The processor switches processes when:
  - a program terminates
  - a program has to wait for IO
  - a program has used up its time allotment
The challenge of multitasking is scheduling which process should run at any given moment. The kernel is responsible for managing all of the processes.
The Life of a Process
1. The user enters a command at the shell.
2. The shell examines the command, finds the program file, and invokes the loader.
3. The loader examines the file and loads the instructions and data into main memory.
4. A process control block (PCB) is created and placed into a ready queue.
5. The CPU scheduler chooses processes from the ready queue and executes them.
6. The process gets selected and is loaded by the dispatcher.
7. The process runs until it has to wait. After waiting it goes back into the ready queue.
8. Repeat 5-7 until the process terminates.
Parent and Child Processes
Every process, save one, has a parent process that created it. Thus, every process is a child of another one. Processes cannot be orphaned; at the very least they belong to the first process, the root process, created when the system booted. All processes have an ancestry, a hierarchy of processes between it and the root process.
[Diagram: process tree with the root process at the top, shell1 and Shell2 beneath it, and vi, cat and pine as their children]
Process Creation Functions
fork() - processes are created by the fork system call. This call creates a new process that is identical to its parent but has its own ID.
exec() - loads a copy of the program to be executed over the address space the process currently has. This overwrites the text and data areas of the process with the new code and data.
wait() - waits for a child process to end.
The Init Process
The init process is the ultimate parent of most processes on the computer. It is the second process created by the computer and has a pid of 1. Remember, numbering starts at 0. The following process shows how a shell is run:
1. When the computer boots up it switches into multiuser mode.
2. Upon switching, init forks and executes getty for every terminal port.
3. getty prints a login prompt at each port and then sleeps.
4. When a user tries to log in, getty executes login (overlays itself).
5. login verifies the user info and executes the shell (overlays itself).
6. init is left as the only parent of the shell.
7. When the shell dies, init forks and executes getty again. Thus the process repeats for a new user.
The Shell Process
The shell is a child process of init and is the first process available to the user. The shell runs other processes that are its children. These processes may include another shell or a program. When the primary shell dies, the user is logged out. The shell keeps the same PID for the entire time you are logged in. If you kill this PID, you kill your login session.
Shell Commands for Manipulating Processes
The shell provides several commands that allow it to manipulate its child processes. Child processes may execute in the foreground or the background. When run in the foreground, the shell waits for the program and displays its output. When run in the background, the process runs while the shell keeps running and can continue to process commands. The following keys manipulate processes:
  ctrl-z  suspends the foreground process
  ctrl-c  kills the foreground process
Shell Commands for Manipulating Processes, cont.
In addition to keys, the bash shell includes the following commands:
  bg    puts a process (pid) in the background
  fg    puts a process (pid) in the foreground
  jobs  lists active jobs for the shell
  kill  kills a process (pid)
  stop  suspends a background process (pid)
  wait  waits for background processes to finish
If a pid is not given for bg or fg, the shell assumes the process most recently suspended from the foreground. Placing a & after a shell command will run it in the background. Note that you cannot log out until the process ends.
The nohup Command
The & option provided by the shell will not allow a background process to keep running if the shell is killed or the user logs out. Therefore, you cannot log out until all background processes have been dealt with. The nohup command gets around this issue by guaranteeing that the command that follows it will not be affected by these hangups. If the shell dies, the ppid of the process transfers to 1, the init process.
Example:
  nohup sort emp.lst &
Standard output from this command may be redirected to nohup.out.
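The following POSIX shell script is an added example, not from the presentation, showing from the shell what the fork()/wait() slide and the &, wait and nohup slides describe: `&` forks the child, `$!` is its pid, `wait pid` returns the child's exit status (or 128 + the signal number when a signal killed it), and a child started with SIGHUP ignored, which is what nohup arranges, survives the hangup that a dying shell delivers. The function names are the example's own.

```shell
#!/bin/sh
# Added example: fork/wait/kill/hangup behaviour as seen from the shell.

# child_exit_status: start a background child (a fork), then wait for it.
# "wait <pid>" returns the child's own exit status, here 3.
child_exit_status() {
    sh -c 'exit 3' &
    pid=$!
    status=0
    wait "$pid" || status=$?
    echo "$status"
}

# hup_default: a background child with the default SIGHUP action dies when
# hung up. wait reports 128 + signal number; SIGHUP is signal 1, so 129.
hup_default() {
    sleep 30 &
    pid=$!
    kill -HUP "$pid"
    status=0
    wait "$pid" || status=$?
    echo "$status"
}

# hup_ignored: the same child started the way nohup starts it, with SIGHUP
# set to "ignore" before exec (that disposition is inherited across exec).
# The hangup is ignored and the child is still alive afterwards; it is then
# stopped with SIGTERM (signal 15), so wait reports 143.
hup_ignored() {
    sh -c 'trap "" HUP; exec sleep 30' &
    pid=$!
    sleep 1                                 # let the child install the trap
    kill -HUP "$pid"
    if kill -0 "$pid" 2>/dev/null; then alive=yes; else alive=no; fi
    kill -TERM "$pid"
    status=0
    wait "$pid" || status=$?
    echo "$alive $status"
}

# Stand-alone run.
echo "child exit status: $(child_exit_status)"
echo "default HUP:       $(hup_default)"
echo "HUP ignored:       $(hup_ignored)"
```

The `wait "$pid" || status=$?` form matters when a script runs under `set -e`: a non-zero status from `wait` would otherwise abort the script before it could be inspected.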
Listing Process Status
The ps [options] command is used to list the status of all processes. Common ps options:
  a        list all processes associated with the current terminal
  -u user  list processes of a particular user
  -e       list everything including system processes
  f        get a full listing with the parent's ID listed (ppid)
  l        give a long list with memory information
Note that the ps options may differ by system. For example, Linux uses "ax" instead of "e".
Killing a Process
The kill [options] pid command is used to terminate a process. A process can only be killed by its owner or by someone with administrative permissions. The kill command has the following options:
  -l  lists all of the signals kill can send
  -9  sends a special kill signal that cannot be caught
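As an added example (not the presentation's own), this POSIX shell script ties the ancestry, ps and kill slides together: it walks a process's parent chain with `ps -o ppid=` (falling back to /proc on Linux when ps is unavailable), and it stops a process the way an administrator normally should, SIGTERM first and the uncatchable SIGKILL (-9) only if the process has not exited within a timeout. The function names and the /proc fallback are the example's own.

```shell
#!/bin/sh
# Added example: who started this process, and how to stop a process cleanly.

# parent_of PID: print the parent pid. Uses POSIX "ps -o ppid= -p PID"; on
# Linux falls back to /proc/PID/stat, where the ppid is the 2nd field after
# the ")" closing the command name (the name itself may contain spaces).
parent_of() {
    ppid=$(ps -o ppid= -p "$1" 2>/dev/null | tr -d ' ')
    if [ -z "$ppid" ] && [ -r "/proc/$1/stat" ]; then
        ppid=$(sed 's/^.*) //' "/proc/$1/stat" | awk '{ print $2 }')
    fi
    echo "$ppid"
}

# ancestry PID: print "pid command" from PID up to the root (whose ppid is 0).
ancestry() {
    pid=$1
    while [ -n "$pid" ] && [ "$pid" -gt 0 ] 2>/dev/null; do
        printf '%s %s\n' "$pid" "$(ps -o comm= -p "$pid" 2>/dev/null)"
        pid=$(parent_of "$pid")
    done
}

# graceful_kill PID [SECONDS]: send SIGTERM, give the process up to SECONDS
# (default 5) to exit, then SIGKILL. Prints which signal was the last sent.
# Caveat: a dead child that the shell has not yet reaped (a zombie) still
# answers "kill -0", so in a shell that reaps lazily the verdict may read
# KILL; the status returned by "wait" is the authoritative cause of death.
graceful_kill() {
    pid=$1; limit=${2:-5}; i=0
    kill -TERM "$pid" 2>/dev/null || return 1
    while [ "$i" -lt "$limit" ]; do
        if ! kill -0 "$pid" 2>/dev/null; then echo TERM; return 0; fi
        sleep 1; i=$((i + 1))
    done
    kill -KILL "$pid" 2>/dev/null
    echo KILL
}

# Stand-alone run: show this shell's ancestry, then stop a throwaway child.
ancestry $$
sleep 30 & child=$!
graceful_kill "$child" 2
wait "$child" 2>/dev/null || true
```

`ancestry` is the quick answer to "what spawned this shell?" during triage: an interactive shell whose chain runs through a web server or a scheduled job rather than through login/getty deserves attention.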
at - Controlling Job Execution
The at [options] time command can be used to set a job to run at a later time. The at command takes commands from standard input: you enter the at command, hit enter, type the command to run, and then hit ctrl-D.
Examples:
  at 15              runs the command at 3:00 PM
  at 5pm             runs the command at 5:00 PM
  at noon            runs the command at noon
  at now + 1 year    runs the command a year from now
  at 15 + 1 day      runs the command at 3:00 PM tomorrow
  at 9am tomorrow    runs the command at 9:00 AM tomorrow
at and batch
at continued:
  The -l option will list all jobs placed in the at queue and their job numbers.
  The -r # option will remove the job with the provided number from the queue.
The batch command:
  The batch command will run a series of commands when time is available on the system. It does not take a time argument. Typically you enter the commands into a file and redirect that file into standard input. For example:
    batch < cmnds.txt
  batch places jobs into the at queue and they can be listed and removed using "at -l" and "at -r", or use atq or atrm.
Cron - Scheduling Periodic Jobs
Cron is a complex program that allows you to schedule jobs/processes for periodic execution, for example if you want to check the file system or run a virus checker each day. Cron requires you to create a file with the commands and times and notify the cron daemon using crontab -e. This creates a file with the user's name in /var/spool/cron/crontabs.
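The following POSIX shell script is an added example, not from the presentation, and goes one step beyond the slide: it checks the five time fields of a crontab line (minute, hour, day of month, month, day of week, followed by the command, which is the standard crontab layout the slide does not spell out) before the file is handed to crontab, since a mistyped field either is rejected or silently schedules the job at the wrong time. The sample crontab and the paths under /usr/local/bin are constructed placeholders; the function names are the example's own.

```shell
#!/bin/sh
# Added example: validate crontab lines before installing them with crontab.
# Standard crontab layout: minute hour day-of-month month day-of-week command.

# check_cron_line 'LINE': print "ok" or "bad: <reason>".
check_cron_line() {
    printf '%s\n' "$1" | awk '
        # inrange(v, lo, hi): accept "*", "*/N", "a,b,c", "a-b", "a-b/N" within [lo, hi]
        function inrange(v, lo, hi,    n, i, parts, rng) {
            if (v == "*") return 1
            sub(/\/[0-9]+$/, "", v)            # strip a step: "*/5" -> "*", "1-10/2" -> "1-10"
            if (v == "*") return 1
            n = split(v, parts, ",")
            for (i = 1; i <= n; i++) {
                if (split(parts[i], rng, "-") == 2) {
                    if (rng[1] !~ /^[0-9]+$/ || rng[2] !~ /^[0-9]+$/) return 0
                    if (rng[1] + 0 < lo || rng[2] + 0 > hi || rng[1] + 0 > rng[2] + 0) return 0
                } else if (parts[i] !~ /^[0-9]+$/ || parts[i] + 0 < lo || parts[i] + 0 > hi) {
                    return 0
                }
            }
            return 1
        }
        /^[ \t]*(#|$)/      { print "ok"; exit }                 # comment or blank line
        NF < 6              { print "bad: fewer than 6 fields"; exit }
        !inrange($1, 0, 59) { print "bad: minute " $1; exit }
        !inrange($2, 0, 23) { print "bad: hour " $2; exit }
        !inrange($3, 1, 31) { print "bad: day-of-month " $3; exit }
        !inrange($4, 1, 12) { print "bad: month " $4; exit }
        !inrange($5, 0, 7)  { print "bad: day-of-week " $5; exit }
                            { print "ok" }'
}

# check_crontab FILE: run every line through check_cron_line, print
# "line N: <verdict>" for each bad line, and return 1 if any were found.
check_crontab() {
    rc=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        v=$(check_cron_line "$line")
        case $v in ok) ;; *) echo "line $n: $v"; rc=1 ;; esac
    done < "$1"
    return $rc
}

# Stand-alone run on a constructed crontab (the script paths are placeholders).
CRON_FILE=$(mktemp)
cat > "$CRON_FILE" <<'EOF'
# daily filesystem check at 02:30
30 2 * * * /usr/local/bin/check_fs.sh
# weekday 09:00 report
0 9 * * 1-5 /usr/local/bin/report.sh
# typo: minute 60 does not exist
60 2 * * * /usr/local/bin/virus_check.sh
EOF
check_crontab "$CRON_FILE" || echo "crontab has errors; not installing"
rm -f "$CRON_FILE"
```

Only a file that passes `check_crontab` should be installed with `crontab FILE`; the same check is a convenient way to review the per-user files in /var/spool/cron/crontabs for entries nobody recognises.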