TCPDUMP
Network-Based Intrusion Detection

Description

Packet sniffing is the heart of intrusion detection and of understanding what is actually occurring on your network. TCPDUMP provides options and filters to assist in the proper and thorough analysis of the acquired traffic.
How to install?

For Linux

Download libpcap from
http://www.tcpdump.org/release/libpcap-0.7.2.tar.gz
tar zxvf libpcap-0.7.2.tar.gz; cd libpcap-0.7.2;
./configure; make; make install
Download tcpdump from
http://www.tcpdump.org/release/tcpdump-3.7.2.tar.gz
tar zxvf tcpdump-3.7.2.tar.gz; cd tcpdump-3.7.2;
./configure; make; make install
(Build and install libpcap first so that tcpdump's configure script can find it. "make install", and capturing with tcpdump itself, require root privileges. These are 2003-era releases; current source releases live in the same http://www.tcpdump.org/release/ directory.)

For Windows

Download winpcap.exe from
http://winpcap.polito.it/install/bin/WinPcap_3_0.exe
Download windump.exe from
http://windump.polito.it/install/bin/WinDump.exe
Install WinPcap and execute windump.exe
(WinPcap 3.0 and the polito.it download locations are of the same vintage; WinPcap is no longer maintained and Npcap is its current replacement.)

For FreeBSD

Built in: tcpdump ships as part of the base system.
Output format

ARP/RARP packets
arp who-has [A] tell [B]
arp reply [A] is-at [a]
([A] and [B] are IP addresses, [a] is the hardware (MAC) address answered for [A].)

TCP packets
src > dst: flags data-seqno ack window urgent options

src: source IP address and port
dst: destination IP address and port
flags: S (SYN), F (FIN), P (PUSH), R (RST), . (no flags)
data-seqno: describes the portion of sequence space covered by the data in the packet, printed as first:last(nbytes)
ack: sequence number of the next data expected from the other direction on this connection, printed as "ack N"
window: the number of bytes of receive buffer space available in the other direction, printed as "win N"
urgent: indicates there is "urgent" data in the packet, printed as "urg N"
options: TCP options, enclosed in angle brackets
Summary

Tcpdump and windump are powerful packet capture utilities that allow for the extraction of particular types of network traffic based on header information. They can filter on any field in the IP, ICMP, UDP, or TCP header using byte offsets.
Conclusion & What did you learn?

To demonstrate how to install and use tcpdump and windump, and how to analyze the data that is collected.
To understand the basic functionality of network-based intrusion detection.
For more information about WinDump, please visit
http://windump.polito.it/docs/default.htm
TCPREPLAY
Replay packets from capture files

Description

Tcpreplay is a tool for replaying network traffic from files saved with tcpdump.

Basic operation

Resend all packets from the input files at the speed at which they were recorded, at a specified data rate, or as fast as the hardware is capable.
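The tcpdump summary above says the tools filter header fields by byte offset, and the tcpreplay description says replay timing comes from the capture file. As an added example that is not from the slides, tcpdump or tcpreplay, the code below builds a few constructed Ethernet/IPv4/TCP frames with valid checksums, evaluates on them the same byte-offset test that tcpdump's filter expression `tcp[13] & 0x12 == 0x02` (SYN set, ACK clear) performs, and writes the matching frames to a libpcap file with chosen timestamps, which is exactly what tcpreplay reads and paces by when replaying at the recorded speed. All addresses, ports, MACs and timing values are the example's own; `header_byte` mirrors tcpdump's `proto[offset]` semantics but is not tcpdump code.

```python
import os
import struct
import tempfile

PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}   # IPv4 protocol numbers
# libpcap global header: magic, version 2.4, zone 0, sigfigs 0, snaplen, LINKTYPE_ETHERNET
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def checksum(data):
    """RFC 1071 one's-complement sum, used by both the IPv4 header and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame (dummy MACs, no TCP options) with valid checksums."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    return eth + ip + tcp


def checksums_ok(frame):
    """True when both the IPv4 header and the TCP (pseudo-header) checksums verify."""
    ihl = (frame[14] & 0x0F) * 4
    ip, tcp = frame[14:14 + ihl], frame[14 + ihl:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0


def header_byte(frame, proto, offset):
    """The byte tcpdump's filter syntax calls proto[offset] ("ip", "tcp", "udp", "icmp"), or
    None when the frame is not IPv4 / not that protocol, in which case no filter on it matches."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":     # not IPv4 over Ethernet
        return None
    ihl = (frame[14] & 0x0F) * 4                             # ip[0] & 0xf, in 32-bit words
    if proto == "ip":
        start = 14
    elif frame[23] == PROTO_NUM[proto]:                      # ip[9]: protocol field
        start = 14 + ihl                                     # transport header follows the options
    else:
        return None
    return frame[start + offset] if start + offset < len(frame) else None


def is_syn_only(frame):
    """Same test as the capture filter  'tcp[13] & 0x12 == 0x02'  (SYN set, ACK clear)."""
    flags = header_byte(frame, "tcp", 13)
    return flags is not None and flags & 0x12 == 0x02


def write_pcap(path, frames, start_ts=1_000_000.0, interval=0.5):
    """Save frames as a libpcap file `interval` seconds apart; a replay at the recorded
    speed reproduces exactly that spacing, so the timestamps are the replay schedule."""
    with open(path, "wb") as fh:
        fh.write(PCAP_GLOBAL)
        for i, frame in enumerate(frames):
            ts = start_ts + i * interval
            sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
            fh.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return path


def read_pcap(path):
    """[(timestamp, frame), ...] from a microsecond-resolution pcap file of either byte order."""
    with open(path, "rb") as fh:
        data = fh.read()
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a microsecond-resolution pcap file")
    pos, records = 24, []
    while pos + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        records.append((sec + usec / 1_000_000, data[pos + 16:pos + 16 + incl]))
        pos += 16 + incl
    return records


def demo_syn_capture(path=None):
    """Capture-side filtering over a constructed session: keep only bare SYNs and save
    them for later replay. Returns (pcap path, frames seen, frames kept)."""
    frames = [
        build_tcp_frame("10.0.0.5", "10.0.0.9", 40001, 22, 0x02, seq=1000),            # SYN
        build_tcp_frame("10.0.0.9", "10.0.0.5", 22, 40001, 0x12, seq=5000, ack=1001),  # SYN|ACK
        build_tcp_frame("10.0.0.5", "10.0.0.9", 40001, 22, 0x18, seq=1001, ack=5001,
                        payload=b"SSH-2.0-x\r\n"),                                     # PSH|ACK
        build_tcp_frame("10.0.0.5", "10.0.0.9", 40002, 80, 0x02, seq=1001),            # SYN
    ]
    syns = [f for f in frames if is_syn_only(f)]
    path = path or os.path.join(tempfile.mkdtemp(), "syn-only.pcap")
    write_pcap(path, syns)
    return path, len(frames), len(syns)
```

The resulting file opens in tcpdump with `tcpdump -n -r syn-only.pcap`, and current tcpreplay releases replay it with `tcpreplay -i <interface> syn-only.pcap` (recorded timing), `--mbps <rate>` (fixed data rate) or `--topspeed` (as fast as the hardware allows), matching the three modes listed above. `read_pcap` handles only the microsecond pcap magic; nanosecond pcap and pcapng files need a fuller reader.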
example
Summary

By processing a cache file generated by tcpprep, tcpreplay is able to split traffic between two interfaces. This is useful for testing bridges, routers, and other gateway devices.