TCP DUMP

========================================================
TCPDUMP
=======================================================
When we do not have access to a GUI, we can use something like the tcpdump utility.

Let's look at what happened in the password_cracking_filtered.pcap file by reading it back with tcpdump:

#tcpdump -r password_cracking_filtered.pcap

TCPDUMP - Filtering Traffic
The output is overwhelming at first, so let's get a better understanding of the IP addresses and ports involved by piping it through the awk and sort commands (field 3 of each line is the source address:port, and sort -u collapses the duplicates):

#tcpdump -n -r password_cracking_filtered.pcap | awk -F" " '{print $3}' | sort -u | head

We can easily filter for destination or source IPs and ports with syntax similar to the following:

#tcpdump -n src host 172.16.40.10 -r password_cracking_filtered.pcap
#tcpdump -n dst host 172.16.40.10 -r password_cracking_filtered.pcap
#tcpdump -n port 80 -r password_cracking_filtered.pcap

We proceed to dump the actual traffic captured in the pcap file in hex and ASCII (-X), to see if we can glean any additional information from the data that was transferred:

#tcpdump -nX -r password_cracking_filtered.pcap

In this example we are able to see what looks like HTTP traffic on port 81 with a user agent of "the forest lobster".

TCPDUMP - Advanced Header Filtering
Tcpdump has some advanced header filtering options that can aid us with our pcap analysis.
We would like to filter out and display only the data packets in the dump which have the PSH and ACK flags turned on. As can be seen in the diagram on page 73 of the manual, the TCP flags are defined in the 14th byte of the TCP header (offset 13 when counting from zero, which is why the filter below uses tcp[13]).

To calculate the correct filter to use, we turn on the bits for the specific flags we need, in this example the ACK and PSH flags (A and P respectively):

CEUAPRSF
00011000 = 24 in decimal

Our command would look similar to the following, specifying that the 14th byte in the packets displayed must equal 24, i.e. exactly the ACK and PSH flags set and no others:

#tcpdump -A -n 'tcp[13] = 24' -r password_cracking_filtered.pcap
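The flag-byte arithmetic above, worked through as an added example (not part of the original notes): it builds the value for a tcp[13] filter from flag letters, constructs minimal TCP headers to test it against, and shows the difference between the exact match the page uses (tcp[13] = 24, which drops packets carrying an extra flag such as URG) and a bitmask match (tcp[13] & 24 = 24) that accepts any packet with at least ACK and PSH set. The sample headers and port numbers are constructed for the demonstration.

```python
import struct

# Flag bits of byte 13 of the TCP header (offset 13 = the 14th byte), MSB first:
# C(WR) E(CE) U(RG) A(CK) P(SH) R(ST) S(YN) F(IN)
TCP_FLAGS = {"C": 0x80, "E": 0x40, "U": 0x20, "A": 0x10,
             "P": 0x08, "R": 0x04, "S": 0x02, "F": 0x01}
FLAG_ORDER = "CEUAPRSF"


def flag_value(flags: str) -> int:
    """Decimal value of the flag byte with the given flags on, e.g. 'AP' -> 24."""
    return sum(TCP_FLAGS[f] for f in flags.upper())


def exact_filter(flags: str) -> str:
    """Filter matching packets whose flag byte is exactly these flags (the page's form)."""
    return f"tcp[13] = {flag_value(flags)}"


def mask_filter(flags: str) -> str:
    """Filter matching packets with at least these flags; other flags are ignored."""
    value = flag_value(flags)
    return f"tcp[13] & {value} = {value}"


def make_tcp_header(flags: str, sport: int = 40000, dport: int = 81) -> bytes:
    """Constructed minimal 20-byte TCP header (no options) carrying the given flags."""
    offset_flags = (5 << 12) | flag_value(flags)  # data offset = 5 words, flags in low byte
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_flags, 8192, 0, 0)


def flags_of(tcp_header: bytes) -> str:
    """Flag letters set in byte 13 of a TCP header, in CEUAPRSF order."""
    byte = tcp_header[13]
    return "".join(f for f in FLAG_ORDER if byte & TCP_FLAGS[f])


def matches(tcp_header: bytes, flags: str, exact: bool = True) -> bool:
    """Evaluate the tcp[13] test on a header the way the BPF filter would."""
    value = flag_value(flags)
    byte = tcp_header[13]
    return byte == value if exact else (byte & value) == value


if __name__ == "__main__":
    print(exact_filter("AP"), "|", mask_filter("AP"))
    for f in ("AP", "A", "UAP"):  # PSH+ACK, ACK only, URG+PSH+ACK
        hdr = make_tcp_header(f)
        print(f"{flags_of(hdr):>4} byte13={hdr[13]:3d} "
              f"exact:{matches(hdr, 'AP')} mask:{matches(hdr, 'AP', exact=False)}")
```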