Tcpdump Lab: Wired Network Traffic Sniffing



Similar documents
Monitor and Secure Linux System with Open Source Tripwire

Lab VI Capturing and monitoring the network traffic

Packet Sniffing and Spoofing Lab

Introduction to Analyzer and the ARP protocol

Practical Network Forensics

Information Security Training. Assignment 1 Networking

Introduction to Network Security Lab 1 - Wireshark

Attack Lab: Attacks on TCP/IP Protocols

Lab 1: Network Devices and Technologies - Capturing Network Traffic

Snoopy. Objective: Equipment Needed. Background. Procedure. Due Date: Nov 1 Points: 25 Points

Network Security: Workshop

Host Configuration (Linux)

Introduction to Passive Network Traffic Monitoring

Packet Sniffers. * Windows and Linux - Wireshark

Lab Exercise SSL/TLS. Objective. Requirements. Step 1: Capture a Trace

Network Packet Analysis and Scapy Introduction

VM-Series Firewall Deployment Tech Note PAN-OS 5.0

During your session you will have access to the following lab configuration. CLIENT1 (Windows XP Workstation) /24

CS 326e F2002 Lab 1. Basic Network Setup & Ethereal Time: 2 hrs

A Research Study on Packet Sniffing Tool TCPDUMP

Figure 1. Wireshark Menu Bar

Packet Sniffer Detection with AntiSniff

netkit lab MPLS VPNs with overlapping address spaces 1.0 S.Filippi, L.Ricci, F.Antonini Version Author(s)

OpenCPN Garmin Radar Plugin

EE984 Laboratory Experiment 2: Protocol Analysis

How to monitor network traffic inside an ESXi host

Detection of Promiscuous Nodes Using ARP Packets

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. SEED Labs Local DNS Attack Lab 1

Firewall Testing. Cameron Kerr Telecommunications Programme University of Otago. May 16, 2005

BASIC ANALYSIS OF TCP/IP NETWORKS

LAB THREE STATIC ROUTING

CET442L Lab #2. IP Configuration and Network Traffic Analysis Lab

Metasploit Lab: Attacking Windows XP and Linux Targets

Forensic Network Analysis Tools

Packet Sniffing with Wireshark and Tcpdump

Modern snoop lab lite version

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

NetFlow Subinterface Support

VisuSniff: A Tool For The Visualization Of Network Traffic

Network Traffic Analysis

IP Network Layer. Datagram ID FLAG Fragment Offset. IP Datagrams. IP Addresses. IP Addresses. CSCE 515: Computer Network Programming TCP/IP

NETFORT LANGUARDIAN INSTALLING LANGUARDIAN ON MICROSOFT HYPER V

TCP Packet Tracing Part 1

netkit lab static-routing Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group

TCP/IP Attack Lab. 1 Lab Overview. 2 Lab Environment. 2.1 Environment Setup. SEED Labs TCP/IP Attack Lab 1

6. INTRODUCTION TO THE LABORATORY: SOFTWARE TOOLS

Lab Diagramming Intranet Traffic Flows

A DIY Hardware Packet Sniffer

Lab 5 Explicit Proxy Performance, Load Balancing & Redundancy

How To Monitor And Test An Ethernet Network On A Computer Or Network Card

Monitor network traffic in the Dashboard tab

Network Security. Network Packet Analysis

Network Probe User Guide

A Protocol Based Packet Sniffer

netkit lab two-hosts Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group

Computer Networks I Laboratory Exercise 1

Network Forensics Network Traffic Analysis

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

IP network tools & troubleshooting. AFCHIX 2010 Nairobi, Kenya October 2010

Unix System Administration

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

AlliedWare Plus OS How To Use sflow in a Network

Network Administration and Monitoring

Lab 1: Introduction to the network lab

Overview. Packet filter

Customer Tips. Network Packet Analyzer Tips. for the user. Purpose. Introduction to Packet Capture. Xerox Multifunction Devices.

Ethernet. Ethernet. Network Devices

VIA CONNECT PRO Deployment Guide

Technical Support Information Belkin internal use only

bigbluebutton Open Source Web Conferencing

ACHILLES CERTIFICATION. SIS Module SLS 1508

WiFi Security Assessments

Intrusion Detection and Prevention: Network and IDS Configuration and Monitoring using Snort

tcpdump: network traffic capture

1.0 Basic Principles of TCP/IP Network Communications

Deploy the ExtraHop Discover Appliance on a Linux KVM

CS197U: A Hands on Introduction to Unix

Pre-lab and In-class Laboratory Exercise 10 (L10)

ProSafe Plus Switch Utility

Linux Routers and Community Networks

This Lecture. The Internet and Sockets. The Start If everyone just sends a small packet of data, they can all use the line at the same.

Trend Micro Encryption Gateway 5

Lab 1: Packet Sniffing and Wireshark

Host Fingerprinting and Firewalking With hping

Promiscuous Monitoring in Ethernet and Wi-Fi Networks

Comodo MyDLP Software Version 2.0. Installation Guide Guide Version Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013

DNS Pharming Attack Lab

Zarząd (7 osób) F inanse (13 osób) M arketing (7 osób) S przedaż (16 osób) K adry (15 osób)

Project Overview and Setup. CS155: Computer and Network Security. Project Overview. Goals of the assignment. Setup (2) Setup

Installing an Omnicast System Omnicast version 3.5

LEARNING COMPUTER SYSTEMS VULNERABILITIES EXPLOITATION THROUGH PENETRATION TEST EXPERIMENTS

Lab Diagramming External Traffic Flows

Linux firewall. Need of firewall Single connection between network Allows restricted traffic between networks Denies un authorized users

Virtual Systems with qemu

BASIC TCP/IP NETWORKING

Procedure: You can find the problem sheet on Drive D: of the lab PCs. 1. IP address for this host computer 2. Subnet mask 3. Default gateway address

Homework 3 TCP/IP Network Monitoring and Management

TCP/IP Network Essentials. Linux System Administration and IP Services

Transcription:

Cyber Forensics Laboratory 1 Tcpdump Lab: Wired Network Traffic Sniffing Copyright c 2012 Hui Li and Xinwen Fu, University of Massachusetts Lowell Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation. A copy of the license can be found at http://www.gnu.org/licenses/fdl.html. 1 Lab Overview This lab provides students an introduction to a powerful network packet TCP/IP sniffer, tcpdump, and its basic usage within a virtualized environment. Students are assumed to be comfortable using a command line interface. Students will work on four tasks: Extract packet arrival time, source IP address, destination IP address and port. Extract source MAC address and destination MAC address. Get inter-arrival time while capturing packets. Draw a chart with inter-arrival time versus the order of sequence number. This lab uses a virtualized environment, the modified version of Wenliang Du s SEEDUbuntu. It is available at http://ccf.cs.uml.edu/ Before continuing, students should have their network within the visualized environment set up and be ready to get on websites. Please note that this lab assumes VMWare Workstation is being used. The principles are the same among other virtualization software, but terminology and features may change. Some alternatives to VMWare Workstation include Virtualbox, VMWare Player, and Microsoft Virtual PC. 2 Tcpdump Introduction Tcpdump, like wireshark and many other sniffers, is usually used to capture packets and analyze network protocols. The network card of a computer drops packets if the packets are not addressed to the system. However in the promiscuous mode, the network card forwards all packets reaching the card to the operating system so that tcpdump can capture them, regardless of their (MAC) addresses. Using tcpdump in the promiscuous mode can exam all traffic through the interface, extract sensitive information and thereby sniffer the network. For example, if Computer A and a few other computers are inter-connected by a hub, which broadcasts packets it receives to all connected computers, Computer A in the promiscuous mode will be able to capture all packets going through the hub. A computer not in the promiscuous mode is able to capture packets addressed to itself and its outgoing packets. Root privilege is required to use tcpdump for sniffing. 3 Tcpdump Installation Tcpdump can be downloaded from http://www.tcpdump.org/#latest-release for the latest version which now is tcpdump-4.3.0, and installed using following commands:

Cyber Forensics Laboratory 2 root@seed-desktop:/home/seed# tar xvfz tcpdump-4.3.0.tar.gz root@seed-desktop:/home/seed# cd tcpdump-4.3.0 root@seed-desktop:/home/seed/tcpdump-4.3.0#./configure root@seed-desktop:/home/seed/tcpdump-4.3.0# make root@seed-desktop:/home/seed/tcpdump-4.3.0# make install 4 Switch Network to Promiscuous Mode Turn on promiscuous mode with command: root@seed-desktop:/home/seed# ifconfig eth7 promisc then use command: root@seed-desktop:/home/seed# ifconfig -v grep -i promisc to check if the network is in promiscuous mode or not. Here we use flag -v (or -a) to display information about all surfaces. If promiscuous mode is on, the output should be like this: root@seed-desktop:/home/seed# ifconfig -v grep -i promisc UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1 To turn off promiscuous mode, use command: root@seed-desktop:/home/seed# ifconfig eth7 -promisc Please note that here eth7 is the ethernet name of the system. Students should use the ethernet names of their own systems to replace eth7 in all commands from this lab instruction. 5 Lab Tasks Please follow the instructions below and complete the task. Use screen shots to demonstrate the success of every task. To gain a deep understanding of network protocols as well as the usage of tcpdump, students must explain what each screen shot means. 5.1 Task 1: Extract Packet Arrival Time, Source IP Address, Destination IP Address and Port. Use command: root@seed-desktop:/home/seed# tcpdump -n to listen to default ethernet surface and show IP address instead of names, or use command: root@seed-desktop:/home/seed# tcpdump -n -i eth7 to filter to a particular ethernet surface to listen to, which here is eth7. The result shows arrivial time, source IP address, destination IP address and port in the form of [arrivial time][source IP].[port]>[destination IP].[port]. Example: First use command:

Cyber Forensics Laboratory 3 root@seed-desktop:/home/seed# ifconfig -v eth7 grep inet addr inet addr:192.168.81.128 Bcast:192.168.81.255 Mask:255.255.255.0 to show the IP address of ethernet on our machine, which here is 192.168.81.128. Then run command: root@seed-desktop:/home/seed# tcpdump -n -i eth7 Open website http://www.uml.edu/sciences/computer-science/default.html to make some network traffic, meanwhile check out the output of tcpdump: 20:35:52.323220 IP 192.168.81.128.56846 > 129.63.176.200.80: Flags [P.], seq 205727 20:35:52.323605 IP 129.63.176.200.80 > 192.168.81.128.56846: Flags [.], ack 509, wi 20:35:52.325159 IP 129.63.176.200.80 > 192.168.81.128.56846: Flags [P.], seq 1:247, above is part of the result. If flag -n is not used in command, the result will show names instead of IP address, like this: root@seed-desktop:/home/seed# tcpdump 21:23:33.038075 IP seed-desktop.local.42268 > umlweb.uml.edu.www: Flags [P.], seq 4 21:23:33.038275 IP umlweb.uml.edu.www > seed-desktop.local.42268: Flags [.], ack 50 21:23:33.039607 IP seed-desktop.local.43124 > 192.168.81.2.domain: 9979+ PTR? 200.1 Please use tcpdump to extract packet arrival time, source IP address, destination IP address and port information in the student s environment. Students can browse some website such as yahoo.com to generate network traffic so that tcpdump can capture it. Note: run tcpdump before browsing. 5.2 Task 2: Extract Source MAC Address and Destination MAC Address. Use command: root@seed-desktop:/home/seed# tcpdump -e to get ethernet header and show source MAC address as well as destination MAC address in result instead of showing IP addresses. Or use command: root@seed-desktop:/home/seed# tcpdump -e -i eth7 to listen to a specific ethernet surface and output source MAC address and destination MAC address. root@seed-desktop:/home/seed# tcpdump -e -i eth7 Then open website http://www.uml.edu/sciences/computer-science/default.html to make some network traffic, meanwhile check out the output of tcpdump: 03:07:38.141541 00:0c:29:6f:1d:db (oui Unknown) > 00:50:56:e7:00:28 (oui Unknown), 03:07:38.141927 00:50:56:e7:00:28 (oui Unknown) > 00:0c:29:6f:1d:db (oui Unknown), 03:07:38.143512 00:50:56:e7:00:28 (oui Unknown) > 00:0c:29:6f:1d:db (oui Unknown),

Cyber Forensics Laboratory 4 In the result, source MAC address and destination MAC address is shown in following form: [source MAC address] > [destination MAC address] Please use tcpdump to extract source MAC address and destination MAC address information in the student s environment. Students can browse some website such as yahoo.com to generate network traffic so that tcpdump can capture it. Note: run tcpdump before browsing. 5.3 Task 3: Get Inter-Arrival Time While Capturing Packets. Command: root@seed-desktop:/home/seed# tcpdump -ttt allows you to capture packets and show inter-arrival time instead of arrival time in result. root@seed-desktop:/home/seed# tcpdump -ttt Then open website http://www.uml.edu/sciences/computer-science/default.html The output of tcpdump should be similar to the following: 00:00:00.000000 IP seed-desktop.local.33720 > umlweb.uml.edu.www: Flags [P.], seq 3 00:00:00.000371 IP umlweb.uml.edu.www > seed-desktop.local.33720: Flags [.], ack 50 00:00:00.001412 IP umlweb.uml.edu.www > seed-desktop.local.33720: Flags [P.], seq 1 00:00:00.000018 IP seed-desktop.local.33720 > umlweb.uml.edu.www: Flags [.], ack 24 Please use tcpdump to get inter-arrival time while capturing packets information in the student s environment. Students can browse some website such as yahoo.com to generate network traffic so that tcpdump can capture it. Note: run tcpdump before browsing. 5.4 Task 4: Draw A Chart with Inter-Arrival Time and Order of Sequence Number. This task can be easily done within following steps: 1. Capture packets which shows inter-arrival time and save the output to a table. 2. Save rows that have the same port number from the previous table to new a new table. 3. Sort rows in the new table according to sequence number. 4. Draw a chart with order of sequence numbers as the horizontal axis and inter-arrival times in microseconds as the vertical axis. root@seed-desktop:/home/seed# tcpdump -ttt > tcprecord.csv to capture packets, show inter-arrival time in result and save result to file tcprecord.csv. Here the result is saved as a csv file so that it can be opened and manipulated by Microsoft Excel later. Watch a video on youtube to make some network traffic. use Ctrl+c to finish capturing packets and save result. Then run command:

Cyber Forensics Laboratory 5 root@seed-desktop:/home/seed# less tcprecord.csv to view result, which in this case is the following: 00:00:00.000000 IP seed-desktop.local.38498 > iad23s05-in-f7.1e100.net.www: Flags [ 00:00:00.000329 IP iad23s05-in-f7.1e100.net.www > seed-desktop.local.38498: Flags [ 00:00:00.031206 IP seed-desktop.local.44043 > 192.168.81.2.domain: 16048+ PTR? 7.22 00:00:00.002229 IP 192.168.81.2.domain > seed-desktop.local.44043: 16048 1/0/0 PTR 00:00:00.000188 IP seed-desktop.local.46731 > 192.168.81.2.domain: 13589+ PTR? 128. 00:00:00.003589 IP 192.168.81.2.domain > seed-desktop.local.46731: 13589 NXDomain 0 00:00:00.137418 IP seed-desktop.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 128.81.1 00:00:00.000924 IP seed-desktop.local.mdns > 224.0.0.251.mdns: 0*- [0q] 1/0/0 (Cach 00:00:00.001256 IP seed-desktop.local.57732 > 192.168.81.2.domain: 12594+ PTR? 2.81 00:00:00.002379 IP 192.168.81.2.domain > seed-desktop.local.57732: 12594 NXDomain 0 00:00:00.070966 IP iad23s05-in-f7.1e100.net.www > seed-desktop.local.38498: Flags [ 00:00:00.000022 IP seed-desktop.local.38498 > iad23s05-in-f7.1e100.net.www: Flags [ 00:00:00.001035 IP iad23s05-in-f7.1e100.net.www > seed-desktop.local.38498: Flags [ The record contains traffic through difficult ports, then let us draw a chart from a random port, like 38498. Run command: root@seed-desktop:/home/seed# grep 38498 tcprecord.csv grep seq > 38498.csv Please use the introduced commands above and import the data into excel. Draw a curve of inter-arrival time versus packet sequence number. Calculate the mean and standard deviation of the inter-arrival time samples that the student collected.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information