For a network administrator or someone in a production environment who gets paranoid about whether anybody is snooping on the network, tools such as tcpdump act as a reassurance, as they help to counter such threats. This article discusses the processing and analysis of packets that have been captured by tcpdump or Wireshark.
When it comes to network security, the first thing people should take care of is their own network. This can be achieved by analysing your own traffic and making sure that no one is intruding on your network. The name PCAP comes from the two words packet capture. A PCAP file is the output of an Ethernet packet sniffer, which means that this file format is used by the tools that capture and analyse network traffic. In this article, I will start with the basics so that even a newbie can easily analyse the data using the tools mentioned.
The basics

Anyone who is new to network security needs a good grasp of the protocols a network runs on. The basic ones are TCP (Transmission Control Protocol) and IP (Internet Protocol). There are several versions of IP, and the address format varies with the version. This understanding is necessary because, with the help of the IP address, we can determine where an attack is coming from. I would suggest you visit some of the links below, which will help you get an understanding of the basics of networking.
http://en.wikipedia.org/wiki/Network_security
http://cse.hcmut.edu.vn/~minhnguyen/NET/Computer%20Networks%20-%20A%20Tanenbaum%20-%205th%20edition.pdf
http://www.cert.org/historical/tech_tips/home_networks.cfm
The best way to get a strong foundation in the subject is to search the Web for information instead of just reading many books. It is better to concentrate on a single book and try out the various tools to get a good command over them.
Tools

Many tools are available for the analysis of packets, the most basic and most powerful one being tcpdump. It can be installed or updated by using the following command:
Many open source tools are available to us, but none match tcpdump. It is the best tool to capture and filter packets, and it does so using basic C code, something that I will discuss briefly later on. For Windows, there are many tools such as Wireshark and WinPcap. The links are given below.
http://www.winpcap.org/install/default.htm
http://wiki.wireshark.org/Tools
You can get a list of all the open source tools from here.
http://www2.opensourceforensics.org/tools/network
Everything can be done in the terminal with the help of tcpdump. The remaining tools give us easier access, some benefits and some ready-made features.
Figure 1 : Installing tcpdump
Capturing one's own data

It's very easy to capture your data in Linux by opening the terminal (Ctrl+Alt+T) and typing the following command:
sudo tcpdump -w capture.pcap
This command invokes the tool tcpdump and writes the captured packets to the file capture.pcap (remember, .pcap is the extension for captured packets). Capturing goes on until you give it a keyboard interrupt (Ctrl+C) or temporarily suspend the job with Ctrl+Z. A suspended capture can be resumed by giving the command fg, after which it continues as if it had never been stopped. Packet capture can also be done by using tools such as Wireshark. Have a look at the man page of tcpdump before going ahead with the article.
Analysis

For this section, I assume that you have a good knowledge of the commands and operators (such as | and *) used in the terminal. If not, here are some links to tutorials that will teach you the basics.
http://linuxcommand.org/lc3_learning_the_shell.php
http://ss64.com/bash/
http://www.pas.rochester.edu/~pavone/particle-www/telescopes/ComputerCommands.htm
The best way to learn about them is to refer to the man page whenever you have a doubt about a particular command.

Count of packets

To determine the number of packets in the file, we use the following command (-nn stops tcpdump from resolving addresses and ports to names, and -r reads from the file instead of a live interface):
tcpdump -nn -r capture.pcap | wc -l
Since the file usually contains a large amount of data, instead of dumping everything to the screen, it is better to pipe the output to head so that we get a clear view of the first few lines. This can be achieved by using the following command:
tcpdump -nn -r capture.pcap | head
The fields of each line of tcpdump output appear in the following order:
1. Time
2. Network protocol
3. Source IP
4. Source port
5. Destination IP
6. Destination port
To concentrate on one of the above fields, remove the others by piping the output through filtering commands. For example, the following command is used to get only the source IP address and its port (field 3 when the line is split on spaces):

tcpdump -nn -r capture.pcap | cut -f 3 -d ' ' | head
To restrict the output to TCP and UDP over IP and exclude non-IP Layer 2 traffic, add the filter expression tcp or udp at the end of the tcpdump command, before the pipe:
tcpdump -nn -r capture.pcap tcp or udp | cut -f 3 -d ' ' | head
To get only the IP address without the port, cut again using . as the delimiter and keep just the first four dot-separated fields (the port is the fifth):
tcpdump -nn -r capture.pcap tcp or udp | cut -f 3 -d ' ' | cut -f 1-4 -d . | head
Figure 2 : Using tcpdump to capture data
The uniq command

The uniq command can be used to remove repeated lines from the output, because we are not interested in seeing the same source or destination twice. Note that uniq only collapses adjacent duplicates, so the output is passed through sort first. This command saves you a lot of time and avoids repetition:
tcpdump -nn -r capture.pcap tcp or udp | cut -f 5 -d ' ' | cut -f 1-4 -d . | sort | uniq | head
The pipeline below gives the top 10 destination IP addresses: uniq -c prefixes each address with the number of times it occurs, and sort -nr orders those counts numerically in descending order:

tcpdump -nn -r capture.pcap tcp or udp | cut -f 5 -d ' ' | cut -f 1-4 -d . | sort | uniq -c | sort -nr | head
Figure 3 : Count of packets
You can try every option available and get your work done easily.
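The cut/sort/uniq stages above, packaged as shell functions so they can be reused for either the source (field 3) or destination (field 5) column. This is an added example, not code from the original article; the tcpdump output lines are constructed to look like `tcpdump -nn` text and are not from a real capture.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -nn -r capture.pcap tcp or udp` text output
# (not a real capture). Split on spaces, field 3 is "src.port" and field 5 is
# "dst.port:", which is why the article cuts on '.' afterwards to drop the port.
SAMPLE_TCPDUMP_OUTPUT='12:00:01.000001 IP 192.0.2.10.51514 > 198.51.100.5.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 192.0.2.10.51515 > 198.51.100.5.443: Flags [S], seq 2, win 64240, length 0
12:00:01.000003 IP 192.0.2.11.40000 > 198.51.100.7.53: UDP, length 40
12:00:01.000004 IP 192.0.2.10.51516 > 198.51.100.5.80: Flags [S], seq 3, win 64240, length 0
12:00:01.000005 IP 192.0.2.12.40001 > 198.51.100.9.53: UDP, length 40
12:00:01.000006 IP 192.0.2.12.40002 > 198.51.100.7.53: UDP, length 40'

# ip_field N: read tcpdump text on stdin, keep space-separated field N
# (3 = source, 5 = destination) and strip the trailing port by keeping only
# the first four dot-separated fields. This is the article's cut | cut stage.
ip_field() {
    cut -f "$1" -d ' ' | cut -f 1-4 -d .
}

# unique_ips N: the distinct addresses seen in field N. sort comes first
# because uniq only collapses adjacent duplicates.
unique_ips() {
    ip_field "$1" | sort | uniq
}

# top_talkers N COUNT: the COUNT most frequent addresses in field N, one
# "<count> <ip>" line each, highest count first (uniq -c, then sort -nr).
top_talkers() {
    ip_field "$1" | sort | uniq -c | sort -nr | head -n "$2"
}

# Stand-alone run over the constructed sample: top 3 destinations.
printf '%s\n' "$SAMPLE_TCPDUMP_OUTPUT" | top_talkers 5 3
```

With a real file, replace the printf with `tcpdump -nn -r capture.pcap tcp or udp`; keeping -nn matters because it stops tcpdump from issuing DNS lookups for every address in a capture you are analysing.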
Web tools

If you have a PCAP file you want to analyse but don't have the tools or the sudo password to do so, try online tools such as Wireshark. I am using the small example file that was used for a challenge in picoCTF, where we need to find the destination of the ship from the conversation between the robot and the spaceship. This is a very easy challenge and can be solved by having a careful look at the conversation (https://www.cloudshark.org/captures/bc1c0a7fae2c). Alternatives to CloudShark are given in the following URLs.
http://www.wireshark.org/
http://canyouseeme.org/
http://www.lovemytool.com/
http://www.yougetsignal.com/
http://sectools.org/
You can try any of the tools from the above links. Some of them can be used from the browser itself.