How To Monitor packet flow using tcpdump


tcpdump prints out the headers of packets on a network interface that match the Boolean expression. tcpdump is a packet capture tool that intercepts and captures packets passing through a network interface, which makes it useful for understanding and troubleshooting network-layer problems. It helps to monitor the packet flow arriving on an interface, the response to each packet, packet drops, and ARP information.

This utility will not be of much help in identifying and troubleshooting application-level problems, so before using this tool try to understand the behavior of the problem.

Usage

Use from Cyberoam Telnet Console, option 4 Cyberoam Console.

How to view traffic of                          tcpdump command                                        Example
specific host                                   tcpdump host <ipaddress>                               tcpdump host 10.10.10.1
specific source host                            tcpdump src host <ipaddress>                           tcpdump src host 10.10.10.1
specific destination host                       tcpdump dst host <ipaddress>                           tcpdump dst host 10.10.10.1
specific network                                tcpdump net <network address>                          tcpdump net 10.10.10.0
specific source network                         tcpdump src net <network address>                      tcpdump src net 10.10.10.0
specific destination network                    tcpdump dst net <network address>                      tcpdump dst net 10.10.10.0
specific port                                   tcpdump port <port-number>                             tcpdump port 21
specific source port                            tcpdump src port <port-number>                         tcpdump src port 21
specific destination port                       tcpdump dst port <port-number>                         tcpdump dst port 21
specific host for the particular port           tcpdump host <ipaddress> and port <port-number>        tcpdump host 10.10.10.1 and port 21
the specific host for all the ports except SSH  tcpdump host <ipaddress> and port not <port-number>    tcpdump host 10.10.10.1 and port not 22
specific protocol                               tcpdump proto ICMP
                                                tcpdump proto UDP
                                                tcpdump proto TCP
                                                tcpdump arp
particular interface                            tcpdump interface <interface>                          tcpdump interface eth1
specific port of a particular interface         tcpdump interface <interface> port <port-number>       tcpdump interface eth1 port 21

Note: Expressions can be combined using the logical operators and, or and not. Make sure to enclose combined expressions in single quotes.

Port Mapping

Appliance 50i, 100i, 250i, 500i
  Port                 A      B      C      D
  Physical Interface   eth0   eth1   eth2   eth3

Appliance 1000i, 1500i
  Port                 A      B      C      D      E      F      G      H
  Physical Interface   eth6   eth7   eth8   eth9   eth0   eth1   eth2   eth3

Analyzing tcpdump output

corporate> tcpdump 'port 21'
Kernel filter, protocol ALL, datagram packet socket
tcpdump: listening on all devices
12:29:33.860721 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: S 4023323694:4023323694(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
12:29:33.860769 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: S 4023323694:4023323694(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
12:29:33.861293 eth1 < 161.114.22.105.ftp > 192.168.13.40.1633: S 1587918290:1587918290(0) ack 4023323695 win 5840 <mss 1460> (DF)
12:29:33.861324 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: S 1587918290:1587918290(0) ack 4023323695 win 5840 <mss 1460> (DF)
12:29:33.861530 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: . 1:1(0) ack 1 win 65535 (DF)
12:29:33.861567 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: . 1:1(0) ack 1 win 65535 (DF)
12:29:34.872070 eth1 < 161.114.22.105.ftp > 192.168.13.40.1633: P 1:65(64) ack 1 win 5840 (DF)
12:29:34.872114 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: P 1:65(64) ack 1 win 5840 (DF)
12:29:34.977585 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: . 1:1(0) ack 65 win 65471 (DF)
12:29:34.977623 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: . 1:1(0) ack 65 win 65471 (DF)
12:29:45.885899 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: P 1:17(16) ack 65 win 65471 (DF)
12:29:45.885937 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: P 1:17(16) ack 65 win 65471 (DF)
12:29:45.886350 eth1 < 161.114.22.105.ftp > 192.168.13.40.1633: . 65:65(0) ack 17 win 5840 (DF)
12:29:45.886369 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: . 65:65(0) ack 17 win 5840 (DF)
12:29:46.280547 eth1 < 161.114.22.105.ftp > 192.168.13.40.1633: P 65:133(68) ack 17 win 5840 (DF)
12:29:46.280567 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: P 65:133(68) ack 17 win 5840 (DF)
12:29:46.444599 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: . 17:17(0) ack 133 win 65403 (DF)
12:29:46.444639 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: . 17:17(0) ack 133 win 65403 (DF)
12:29:52.568606 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: P 17:31(14) ack 133 win 65403 (DF)
12:29:52.568638 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: P 17:31(14) ack 133 win 65403 (DF)
12:29:52.569079 eth1 < 161.114.22.105.ftp > 192.168.13.40.1633: . 133:133(0) ack 31 win 5840 (DF)
12:29:52.569097 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: . 133:133(0) ack 31 win 5840 (DF)
12:30:00.428258 eth1 < 161.114.22.105.ftp > 192.168.13.40.1633: P 133:181(48) ack 31 win 5840 (DF)
12:30:00.428289 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: P 133:181(48) ack 31 win 5840 (DF)
12:30:00.627489 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: . 31:31(0) ack 181 win 65355 (DF)
12:30:00.627532 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: . 31:31(0) ack 181 win 65355 (DF)
12:30:07.696901 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: P 31:37(6) ack 181 win 65355 (DF)
12:30:07.696937 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: P 31:37(6) ack 181 win 65355 (DF)
12:30:07.698430 eth1 < 161.114.22.105.ftp > 192.168.13.40.1633: . 181:181(0) ack 37 win 5840 (DF)
12:30:07.698450 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: . 181:181(0) ack 37 win 5840 (DF)
12:30:08.133574 eth1 < 161.114.22.105.ftp > 192.168.13.40.1633: P 181:227(46) ack 37 win 5840 (DF)
12:30:08.133593 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: P 181:227(46) ack 37 win 5840 (DF)
12:30:08.272170 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: . 37:37(0) ack 227 win 65309 (DF)
12:30:08.272205 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: . 37:37(0) ack 227 win 65309 (DF)
12:30:08.526813 eth1 < 161.114.22.105.ftp > 192.168.13.40.1633: P 227:293(66) ack 37 win 5840 (DF)
12:30:08.526832 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: P 227:293(66) ack 37 win 5840 (DF)
12:30:08.526981 eth1 < 161.114.22.105.ftp > 192.168.13.40.1633: FP 293:370(77) ack 37 win 5840 (DF)
12:30:08.527006 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: FP 293:370(77) ack 37 win 5840 (DF)
12:30:08.527221 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: . 37:37(0) ack 371 win 65166 (DF)
12:30:08.527248 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: . 37:37(0) ack 371 win 65166 (DF)
12:30:08.536286 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: F 37:37(0) ack 371 win 65166 (DF)
12:30:08.536312 eth1 > 192.168.13.40.1633 > 161.114.22.105.ftp: F 37:37(0) ack 371 win 65166 (DF)

1st line: the fields are, from left to right (colour-coded in the original document):
  Brown   timestamp of the packet
  Green   the incoming interface
  Blue    source address that originates the request
  Red     destination IP address
  Orange  service which is being accessed
  Pink    flag of the particular packet

This is a new connection originated by IP address 172.16.16.81 and destined for 161.114.22.105 to access the FTP service. This is the first packet, so the flag is set to Sync (S).

3rd line: As the three-way handshake needs to complete, the second packet is the response coming back from the server with an Ack for the Sync packet. This is the Syn-Ack packet.

4th line: Ack packet sent by the source for the Syn-Ack.
For any TCP connection the first three lines look like this:
  Source to Destination  -- Sync
  Destination to Source  -- Sync-Ack
  Source to Destination  -- Ack
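The trace above shows each packet twice, once on eth0 and once on eth1 with the source address rewritten, so a troubleshooter has to pair lines up by interface and endpoints before deciding whether a connection ever got established. The following Python script is an added example and not part of the Cyberoam document: it parses the classic tcpdump line format shown above and reconstructs, per interface and flow, whether the three-way handshake completed, how many bytes each side sent, and whether the session ended with FIN or with a reset. The sample input is the eth0 side of the FTP session above plus two constructed lines (a reset on port 1634 and an unanswered SYN on port 1635, marked in the code) that show what a refused and a dropped connection look like.

```python
import re
from collections import OrderedDict

# Classic tcpdump TCP line, as printed in the 'port 21' trace above:
#   HH:MM:SS.usec iface dir src > dst: FLAGS seq:seqend(len) [ack N] win W ...
# dir is < (received), > (sent) or B (broadcast); FLAGS is one or more of
# S F P R U, or '.' when only the ACK bit is set.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>[<>B])\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s*(?P<flags>[SFPRU.]+)\s+"
    r"(?P<seq>\d+):(?P<seq_end>\d+)\((?P<length>\d+)\)"
    r"(?:\s+ack\s+(?P<ack>\d+))?\s+win\s+(?P<win>\d+)"
)

def parse_line(line):
    """Parse one TCP line into a dict; return None for lines that are not TCP summaries."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    pkt = m.groupdict()
    for key in ("seq", "seq_end", "length", "win"):
        pkt[key] = int(pkt[key])
    pkt["ack"] = int(pkt["ack"]) if pkt["ack"] is not None else None
    pkt["flags"] = set(pkt["flags"])
    return pkt

def flow_key(pkt):
    """Interface plus both endpoints in a fixed order, so both directions share one key."""
    return (pkt["iface"],) + tuple(sorted((pkt["src"], pkt["dst"])))

def analyze(lines):
    """Track handshake, data volume and teardown for every TCP flow seen per interface."""
    flows = OrderedDict()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:          # banner lines, ARP, UDP and so on are skipped
            continue
        f = flows.setdefault(flow_key(pkt), {
            "client": None, "server": None,
            "syn": False, "syn_ack": False, "handshake": False,
            "bytes": {}, "fin_from": set(), "rst": False,
        })
        flags, src = pkt["flags"], pkt["src"]
        if "S" in flags and pkt["ack"] is None:
            # Bare SYN: the sender is the client opening the connection.
            f["syn"], f["client"], f["server"] = True, src, pkt["dst"]
        elif "S" in flags:
            # SYN carrying an ack: the server's SYN-ACK answering the client's SYN.
            f["syn_ack"] = f["syn"] and src == f["server"]
        elif f["syn_ack"] and not f["handshake"] and src == f["client"] and pkt["ack"] is not None:
            # First ack from the client after the SYN-ACK completes the three-way handshake.
            f["handshake"] = True
        f["bytes"][src] = f["bytes"].get(src, 0) + pkt["length"]
        if "F" in flags:
            f["fin_from"].add(src)
        if "R" in flags:
            f["rst"] = True
    return flows

def classify(f):
    """The short verdict a troubleshooter wants for each flow."""
    if f["rst"]:
        return "reset"
    if not f["handshake"]:
        return "incomplete handshake"
    if len(f["fin_from"]) == 2:
        return "closed"
    return "established"

# eth0 side of the FTP session from the trace above, plus two constructed lines:
# a reset on port 1634 and a SYN on port 1635 that never gets an answer.
SAMPLE_TRACE = [
    "Kernel filter, protocol ALL, datagram packet socket",
    "tcpdump: listening on all devices",
    "12:29:33.860721 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: S 4023323694:4023323694(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)",
    "12:29:33.861324 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: S 1587918290:1587918290(0) ack 4023323695 win 5840 <mss 1460> (DF)",
    "12:29:33.861530 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: . 1:1(0) ack 1 win 65535 (DF)",
    "12:29:34.872114 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: P 1:65(64) ack 1 win 5840 (DF)",
    "12:29:45.885899 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: P 1:17(16) ack 65 win 65471 (DF)",
    "12:30:08.527006 eth0 > 161.114.22.105.ftp > 172.16.16.81.1633: FP 293:370(77) ack 37 win 5840 (DF)",
    "12:30:08.536286 eth0 < 172.16.16.81.1633 > 161.114.22.105.ftp: F 37:37(0) ack 371 win 65166 (DF)",
    # constructed: server refuses a second connection attempt
    "12:30:20.000000 eth0 > 161.114.22.105.ftp > 172.16.16.81.1634: R 0:0(0) ack 1 win 0",
    # constructed: SYN that is dropped somewhere and never answered
    "12:31:00.000000 eth0 < 172.16.16.81.1635 > 161.114.22.105.ftp: S 100:100(0) win 65535 (DF)",
]

if __name__ == "__main__":
    for key, f in analyze(SAMPLE_TRACE).items():
        print(key[0], key[1], "<->", key[2], classify(f), f["bytes"])
```

Running the script on the eth1 lines as well gives a second set of flows keyed by the translated address, which is the quickest way to confirm that a packet seen on the inside interface actually left on the outside one.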

5th to 40th line: Push packets (data packets), because of the P and . flags.

41st and 42nd line: Termination of the FTP connection, because of the F flag.

Flag Information:
  S           Sync packet for a new connection
  S ... ack   Sync packet with ack (Syn-Ack)
  P           Push packet containing data
  .           No data, only ack
  F           FIN packet, which signals termination of the connection
  R           Reset packet; the packet was dropped somewhere in between, at the firewall end

Advanced Usage

View packet contents in hexadecimal notation

corporate> tcpdump hex
Kernel filter, protocol ALL, datagram packet socket
tcpdump: listening on all devices
13:49:04.438097 eth0 > 192.168.13.40.telnet > 172.16.16.81.1916: P 831812622:831812624(2) ack 616504356 win 5840 (DF)
                         4500 002a 4841 4000 4006 685b c0a8 0d28 ac10 1051 0017 077c 3194 740e 24bf 1c24
                         5018 16d0 13a6 0000 0d0a
13:49:04.545219 eth1 B arp who-has 192.168.2.30 (Broadcast) tell 192.168.2.31
                         0001 0800 0604 0001 0003 ba29 8f63 c0a8 021f ffff ffff ffff c0a8 021e 0000 0000
                         0000 0000 0000 0000 0000 0000 0000
13:49:04.553181 eth0 < 172.16.16.81.1916 > 192.168.13.40.telnet: . 1:1(0) ack 2 win 65523 (DF)
                         4500 0028 3c3b 4000 8006 3463 ac10 1051 c0a8 0d28 077c 0017 24bf 1c24 3194 7410
                         5010 fff3 3794 0000 0000 0000 0000 0000
13:49:04.553217 eth0 > 192.168.13.40.telnet > 172.16.16.81.1916: P 2:538(536) ack 1 win 5840 (DF)
                         4500 0240 4842 4000 4006 6644 c0a8 0d28 ac10 1051 0017 077c 3194 7410 24bf 1c24
                         5018 16d0 058f 0000 4b65 726e 656c 2066 696c 7465 722c 2070 726f 746f 636f 6c20
                         414c 4c2c 2064 6174 6167 7261 6d20 7061 636b 6574 2073 6f63 6b65 740d 0a74 6370
                         6475 6d70 3a20 6c69 7374 656e 696e 6720 6f6e 2061 6c6c 2064 6576 6963 6573 0d0a
                         3133 3a34 393a 3034 2e34 3338 3039 3720
13:49:04.662912 eth1 B arp who-has 192.168.13.4 tell 192.168.13.5
                         0001 0800 0604 0001 000c 29ca 2f1e c0a8 0d05 0000 0000 0000 c0a8 0d04 0000 0000
                         0000 0000 0000 0000 0000 0000 0000
13:49:04.674536 eth1 B arp who-has 192.168.1.93 tell 192.168.1.206
                         0001 0800 0604 0001 0008 a132 e4f0 c0a8 01ce 0000 0000 0000 c0a8 015d 5d00 0100
                         0001 0000 0000 0000 046a 6973 7000

View packet contents with Ethernet or other layer 2 header information

corporate> tcpdump llh
Kernel filter, protocol ALL, datagram packet socket
tcpdump: listening on all devices
13:49:51.785823 eth1 B 0:3:ba:29:8f:63 Broadcast arp 60: arp who-has 192.168.2.30 (Broadcast) tell 192.168.2.31
13:49:51.868616 eth1 B 0:11:43:56:7d:7a Broadcast ip 92: 192.168.1.23.netbios-ns > 192.168.15.255.netbios-ns:NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:49:51.930139 eth0 < 0:11:11:93:47:9b 0:0:0:0:0:1 ip 60: 172.16.16.81.1916 > 192.168.13.40.telnet: . 616504364:616504364(0) ack 831819683 win 65281 (DF)
13:49:51.930177 eth0 > 0:0:0:0:0:0 0:10:f3:9:cf:da ip 412: 192.168.13.40.telnet > 172.16.16.81.1916: P 1:359(358) ack 0 win 5840 (DF)
13:49:52.131308 eth0 < 0:11:11:93:47:9b 0:0:0:0:0:1 ip 60: 172.16.16.81.1916 > 192.168.13.40.telnet: . 0:0(0) ack 359 win 64923 (DF)
13:49:52.131339 eth0 > 0:0:0:0:0:0 0:10:f3:9:cf:da ip 345: 192.168.13.40.telnet > 172.16.16.81.1916: P 359:650(291) ack 0 win 5840 (DF)
13:49:52.165068 eth1 B 0:10:f3:a:a5:fd Broadcast arp 60: arp who-has 3.3.3.1 tell 3.3.3.3
13:49:52.328476 eth1 B 0:13:20:dc:d0:63 Broadcast ip 110: 192.168.4.51.netbios-ns > 192.168.15.255.netbios-ns:NBT UDP PACKET(137): RELEASE; REQUEST; BROADCAST
13:49:52.328986 eth1 B 0:13:20:dc:d0:63 Broadcast ip 110: 192.168.4.51.netbios-ns > 192.168.15.255.netbios-ns:NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
13:49:52.332491 eth0 < 0:11:11:93:47:9b 0:0:0:0:0:1 ip 60: 172.16.16.81.1916 > 192.168.13.40.telnet: . 0:0(0) ack 650 win 64632 (DF)
13:49:52.332519 eth0 > 0:0:0:0:0:0 0:10:f3:9:cf:da ip 741: 192.168.13.40.telnet > 172.16.16.81.1916: P 650:1337(687) ack 0 win 5840 (DF)
13:49:52.370134 eth1 B 0:7:e9:2e:6c:c1 Broadcast arp 60: arp who-has 192.168.1.16 (Broadcast) tell 192.168.1.16

Generate binary file of traffic log generated with custom parameters

Cyberoam also supports saving and downloading the tcpdump output as a binary file from the Telnet Console. The tcpdump file contains the troubleshooting information that the Cyberoam Support team needs to analyze the traffic with an advanced tool like Ethereal.

To save the output in the downloadable file, log on to the Telnet Console:
  Go to Option 4 Cyberoam Console
  At the command prompt, issue the command: tcpdump <criteria> filedump
  Cyberoam saves this file under the name tcpdump.out
  Download it from http://<cyberoam_ip>/documents/tcpdump.out and mail this file to the Cyberoam Support team at support@cyberoam.com
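The hex view above starts at the IP or ARP header (there is no Ethernet header in it; the llh output is what adds that), and every field tcpdump prints on the summary line can be read straight out of those bytes. The following Python script is an added example and not part of the Cyberoam document: it decodes the first telnet packet, the client's ack and the first ARP request from the hex output above, and rebuilds the summary line tcpdump printed above each dump. It prints numeric ports where tcpdump printed service names, and absolute sequence numbers where tcpdump switched to relative ones after the first packet of a connection.

```python
import struct

def hex_to_bytes(dump):
    """Turn the space-separated 16-bit words printed by 'tcpdump hex' into bytes."""
    return bytes.fromhex(dump.replace(" ", ""))

def fmt_ip(b):
    return ".".join(str(x) for x in b)

def fmt_mac(b):
    return ":".join("%02x" % x for x in b)

def decode_ipv4(data):
    """Decode the IPv4 header; 'payload' is the transport segment, padding excluded."""
    ver_ihl, tos, total_len, ident, frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", data[:12])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4, "header_length": ihl, "total_length": total_len,
        "id": ident, "df": bool((frag >> 13) & 0x2), "ttl": ttl, "protocol": proto,
        "src": fmt_ip(data[12:16]), "dst": fmt_ip(data[16:20]),
        "payload": data[ihl:total_len],
    }

def decode_tcp(seg):
    """Decode the TCP header; flag names are listed in bit order FIN..NS."""
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    data_off = (off_flags >> 12) * 4
    bits = off_flags & 0x1FF
    names = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [n for i, n in enumerate(names) if bits & (1 << i)],
        "window": win, "payload": seg[data_off:],
    }

def decode_arp(data):
    """Decode an ARP packet; hardware and protocol address lengths come from the header."""
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", data[:8])
    p = 8
    sha, p = data[p:p + hlen], p + hlen
    spa, p = data[p:p + plen], p + plen
    tha, p = data[p:p + hlen], p + hlen
    tpa = data[p:p + plen]
    return {"op": {1: "request", 2: "reply"}.get(op, op),
            "sender_mac": fmt_mac(sha), "sender_ip": fmt_ip(spa),
            "target_mac": fmt_mac(tha), "target_ip": fmt_ip(tpa)}

def summarize_ip_packet(dump):
    """Rebuild the one-line summary tcpdump prints above the hex (numeric ports, absolute seq)."""
    ip = decode_ipv4(hex_to_bytes(dump))
    if ip["protocol"] != 6:
        return "%s > %s: proto %d" % (ip["src"], ip["dst"], ip["protocol"])
    tcp = decode_tcp(ip["payload"])
    order = (("F", "FIN"), ("S", "SYN"), ("R", "RST"), ("P", "PSH"), ("U", "URG"))
    letters = "".join(c for c, n in order if n in tcp["flags"]) or "."
    n = len(tcp["payload"])
    line = "%s.%d > %s.%d: %s %d:%d(%d)" % (ip["src"], tcp["sport"], ip["dst"], tcp["dport"],
                                           letters, tcp["seq"], tcp["seq"] + n, n)
    if "ACK" in tcp["flags"]:
        line += " ack %d" % tcp["ack"]
    line += " win %d" % tcp["window"]
    if ip["df"]:
        line += " (DF)"
    return line

# Hex words copied from the 'tcpdump hex' output above.
TELNET_PUSH_HEX = ("4500 002a 4841 4000 4006 685b c0a8 0d28 ac10 1051 0017 077c 3194 740e 24bf 1c24 "
                   "5018 16d0 13a6 0000 0d0a")
TELNET_ACK_HEX = ("4500 0028 3c3b 4000 8006 3463 ac10 1051 c0a8 0d28 077c 0017 24bf 1c24 3194 7410 "
                  "5010 fff3 3794 0000 0000 0000 0000 0000")
ARP_HEX = ("0001 0800 0604 0001 0003 ba29 8f63 c0a8 021f ffff ffff ffff c0a8 021e 0000 0000 "
           "0000 0000 0000 0000 0000 0000 0000")

if __name__ == "__main__":
    print(summarize_ip_packet(TELNET_PUSH_HEX))
    print(summarize_ip_packet(TELNET_ACK_HEX))
    print(decode_arp(hex_to_bytes(ARP_HEX)))
```

The two-byte payload of the first packet is 0d0a, the CR LF the telnet server echoed; the 0x0028 packet carries no data and has TTL 128, which is how the client's ack from 172.16.16.81 is told apart from the server's 64-TTL packets without looking at the addresses.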

Monitoring VPN traffic

Cyberoam automatically configures a VPN IPSec interface for each configured WAN port. For example, if Port B and Port C are configured as WAN ports, then Cyberoam configures ipsec0 and ipsec1 for Port B and Port C respectively. Use these ipsec interfaces to monitor VPN traffic, e.g.:

tcpdump -i ipsec0

Document Version: 2.0-24/09/2007