Practical Networking. Introduction  Interfaces, network connections  Netstat tool  Tcpdump: Popular network debugging tool  Used to intercept and.

Slides:

Advertisements

Similar presentations

Discussion Monday ( ). ver length 32 bits data (variable length, typically a TCP or UDP segment) 16-bit identifier header checksum time to live.

Advertisements

IPv6 – IPv4 Network Address, Port & Protocol Translation & Multithreaded DNS Gateway Navpreet Singh, Abhinav Singh, Udit Gupta, Vinay Bajpai, Toshu Malhotra.

F4-analyzing Network-based evidence for a windows intrusion Dr. John P. Abraham Professor UTPA.

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

TCPDUMP Network-Based Intrusion Detection. Description  Packet sniffing is the heart of intrusion detection and of understanding what is actually occurring.

SYSTEM ADMINISTRATION Chapter 19

Tcpdump Traceroute Ping. A packet tracing tool  Works on various host platforms  Captures packets going through a certain network interface  Shows.

Lab 4: Simple Router CS144 Lab 4 Screencast May 2, 2008 Ben Nham Based on slides by Clay Collier and Martin Casado.

1 Capturing & Analyzing Network Traffic: tcpdump/tshark and Wireshark EE 122: Intro to Communication Networks Vern Paxson / Jorge Ortiz / Dilip Anthony.

1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &

Tcpdump Tutorial EE122 Fall 2006 Dilip Antony Joseph, Vern Paxson, Sukun Kim.

Network Analyzer Example

CAP6135: Malware and Software Vulnerability Analysis Network Traffic Monitoring Using Wireshark Cliff Zou Spring 2013.

Precept 5 Router & Assignment 2 1 Peng Sun. How VNS works Just informational You don’t have to know it to finish assignment 2.

CIS 193A – Lesson12 Monitoring Tools. CIS 193A – Lesson12 Focus Question What are the common ways of specifying network packets used in tcpdump, wireshark,

TCP/IP Tools Lesson 5. Objectives Skills/ConceptsObjective Domain Description Objective Domain Number Using basic TCP/IP commands Understanding TCP/IP3.6.

Click to edit Master subtitle style Chapter 17: Troubleshooting Tools Instructor:

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

Linux Networking Commands

SUSE Linux Enterprise Server Administration (Course 3037) Chapter 7 Connect the SUSE Linux Enterprise Server to the Network.

CN2668 Routers and Switches Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

TCP/IP Networking sections 13.2,3,4,5 Road map: TCP, provide connection-oriented service IP, route data packets from one machine to another (RFC 791) ICMP,

1 Lab 3 Transport Layer T.A. Youngjoo Han. 2 Transport Layer  Providing logical communication b/w application processes running on different hosts 

1 Ethereal.  Freeware sniffing tool.  Captures live network traffic.  The user interface separates it from other sniffers.

University of Calgary – CPSC 441.  Wireshark (originally named Ethereal)is a free and open-source packet analyzer.  It is used for network troubleshooting,

Packet capture and protocol analysis 1. Content TCP/IP Networking Review Packet Capture Protocol Analysis 2.

Adapted from: Computer Networking, Kurose/Ross 1DT066 Distributed Information Systems Chapter 4 Network Layer.

CPSC 441 Tutorial TA: Fang Wang The content of these slides are taken from CPSC 526 TUTORIAL by Nashd Safa (Extended and partially modified)

Troubleshooting. Why Troubleshoot? What Can Go Wrong? –Misconfigured zone –Misconfigured server –Misconfigured host –Misconfigured network.

Mr. Mturi Elias University Computing Centre SYSTEMS ADMIN TRAINING WORKSHOP.

PA3: Router Junxian (Jim) Huang EECS 489 W11 /

Firewall and Internet Access Mechanism that control (1)Internet access, (2)Handle the problem of screening a particular network or an organization from.

1 Tutorial 6: Networking Utilities & Firewall. 2 Internet Control Message Protocol (ICMP) designed to compensate for the deficiencies of IP protocol.

Day 14 Introduction to Networking. Unix Networking Unix is very frequently used as a server. –Server is a machine which “serves” some function Web Server.

1 TAC2000/ LABORATORY 117 Analyzing SIP Call Flows Dr. Quincy Wu National Chiao Tung University

Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.

Linux Networking and Security

CAP6135: Malware and Software Vulnerability Analysis Network Traffic Monitoring Using Wireshark Cliff Zou Spring 2014.

© 2010 Cisco Systems, Inc. All rights reserved. 1 CREATE Re-Tooling Exploring Protocols with Wireshark March 12, 2011 CREATE CATC and Ohlone College.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Filtering Traffic Using Access Control Lists Introducing Routing and Switching.

Page 1 Chapter 11 CCNA2 Chapter 11 Access Control Lists : Creating ACLs, using Wildcard Mask Bits, Standard and Extended ACLs.

Practice 4 – traffic filtering, traffic analysis

Sniffer, tcpdump, Ethereal, ntop

Network Analyzer :- Introduction to Wireshark. What is Wireshark ? Ethereal Formerly known as Ethereal GUINetwork Protocol Analyzer Wireshark is a GUI.

Monitoring Troubleshooting TCP/IP Chapter 3. Objectives for this Chapter Troubleshoot TCP/IP addressing Diagnose and resolve issues related to incorrect.

Advanced Packet Analysis and Troubleshooting Using Wireshark 23AF

Linux Operations and Administration Chapter Eight Network Communications.

COMP2322 Lab 1 Introduction to Wireshark Weichao Li Jan. 22, 2016.

Review of IPv4 Routing Veena S, MCA Dept, PESIT Mar 09-10, 2013.

Chapter 4: server services. The Complete Guide to Linux System Administration2 Objectives Configure network interfaces using command- line and graphical.

Troubleshooting. Why Troubleshoot? What Can Go Wrong? –Misconfigured zone –Misconfigured server –Misconfigured host –Misconfigured network.

Network Analyzer :- Introduction to Ethereal Computer Networking (Graduate Class)

Traffic Analysis– Wireshark

CAP6135: Malware and Software Vulnerability Analysis Network Traffic Monitoring Using Wireshark Cliff Zou Spring 2016.

Lab 2: Packet Capture & Traffic Analysis with Wireshark

Intro to Ethical Hacking

Network Commands 2 Linux Ubuntu A.S.

A Quick Guide to Ethereal/Wireshark

COMP2322 Lab 1 Wireshark Steven Lee Jan. 25, 2017.

Introduction to Networking

Setting Up Firewall using Netfilter and Iptables

Network Analyzer :- Introduction to Wireshark

TCP Protocol Analysis Access UMKC Home Page.

Network Analyzer :- Introduction to Wireshark

COEN 252 Computer Forensics

16EC Computer networks unit II Mr.M.Jagadesh

Computer Networks Protocols

Presentation transcript:

Practical Networking

Introduction  Interfaces, network connections  Netstat tool  Tcpdump: Popular network debugging tool  Used to intercept and display packets transmitted/received on a network  Filters used to restrict analysis to packets of interest

Network Interfaces  Linux box:  Show interfaces by “ifconfig”  Look at routing table by running “netstat -r”  IP addresses are 32 bits  Network number, IP within the network  Next hop determined by longest prefix match on the IP address

TCPDUMP  Tool for examining packets on the ethernet/wireless mediums  Need superuser access on machine  Allows you to examine packets -- all of them!  Too much data, so you can employ filters  Simplest case: just specify interface to snoop on

Example Dump  00:03: IP c hsd1.wa.comcast.net > danakil-1.dyn.cs.washington.edu.ssh:. ack win  00:03: IP c hsd1.wa.comcast.net > danakil-1.dyn.cs.washington.edu.ssh: P 49:97(48) ack win  00:03: IP c hsd1.wa.comcast.net > danakil-1.dyn.cs.washington.edu.ssh:. ack win  00:03: IP danakil-1.dyn.cs.washington.edu.ssh > c hsd1.wa.comcast.net.49735: P 68720:69152(432) ack 97 win 3584  00:03: IP danakil-1.dyn.cs.washington.edu.ssh > c hsd1.wa.comcast.net.49735: P 69152:69712(560) ack 97 win 3584  Ran tcpdump on the machine danakil-1.dyn  First few lines of the output:

Source host name 01:46: IP danakil.cs.washington.edu.ssh > adsl dsl.pltn13.pacbell.net.2481: : (1380) ack win TimestampThis is an IP packet Source port number (22) Destination host name Destination port number TCP specific information  Different output formats for different packet types What does a line convey?

Demo 1 – Basic Run  Syntax: tcpdump -n -i eth1 [filter expression]

Filters  We are often not interested in all packets flowing through the network  Use filters to capture only packets of interest to us

Demo 2 1. Capture only udp packets tcpdump “udp” 2. Capture only tcp packets tcpdump “tcp”

Demo 2 (contd.) 1. Capture only UDP packets with destination port 53 (DNS requests) tcpdump “udp dst port 53” 2. Capture only UDP packets with source port 53 (DNS replies) tcpdump “udp src port 53” 3. Capture only UDP packets with source or destination port 53 (DNS requests and replies) tcpdump “udp port 53”

Demo 2 (contd.) 1. Capture only packets destined to barb.cs.washington.edu tcpdump “dst host barb.cs.washington.edu” 2. Capture both DNS packets and TCP packets to/from barb.cs.washington.edu tcpdump “(tcp and host barb.cs.washington.edu) or udp port 53”

How to write filters  Refer cheat sheet slides at the end of this presentation  Refer the tcpdump man page

Other tools  Ethereal  Easy to use graphical interface   IPsumdump  Summarize tcpdump output into human/machine readable form   For instructions to use IPsumdump on EECS instructional accounts, see slide “Appendix: IPsumdump on EECS instructional accounts”

Security/Privacy Issues  tcpdump allows you to monitor other people’s traffic  WARNING: Do NOT use tcpdump to violate privacy or security  Use filtering to restrict packet analysis to only the traffic associated with your program. The following is one way to ensure that you see only traffic associated with your client:  tcpdump –s 0 –r all_pkts.trace “ –w my_pkts.trace “port 12345”  where is the ephemeral port which your echo_client uses to talk to the echo_server.

Cheat Sheet – Commonly Used Options  -n Don’t convert host addresses to names. Avoids DNS lookups. It can save you time.  -w Write the raw packets to the specified file instead of parsing and printing them out. Useful for saving a packet capture session and running multiple filters against it later  -r Read packets from the specified file instead of live capture. The file should have been created with –w option  -q Quiet output. Prints less information per output line

Cheat Sheet – Commonly Used Options (contd.)  -s 0 tcpdump usually does not analyze and store the entire packet. This option ensures that the entire packet is stored and analyzed. NOTE: You must use this option while generating the traces for your assignments.  -A (or –X in some versions) Print each packet in ASCII. Useful when capturing web pages. NOTE: The contents of the packet before the payload (for example, IP and TCP headers) often contain unprintable ASCII characters which will cause the initial part of each packet to look like rubbish

Cheat Sheet – Writing Filters (1)  Specifying the hosts we are interested in  “dst host ”  “src host ”  “host ” (either source or destination is name/IP)  Specifying the ports we are interested in  “dst port ”  “src port ”  “port ”  Makes sense only for TCP and UDP packets

Cheat Sheet – Writing Filters (2)  Specifying ICMP packets  “icmp”  Specifying UDP packets  “udp”  Specifying TCP packets  “tcp”

Cheat Sheet – Writing Filters (2)  Combining filters  and (&&)  or (||)  not (!)  Example:  All tcp packets which are not from or to host quasar.cs.berkeley.edu tcpdump “tcp and ! host quasar.cs.berkeley.edu ”  Lots of examples in the EXAMPLES section of the man page