Tcpdump – The ultimate tool for traffic analysis

by Syska 9. March 2010 14:50

Hello, so the other day I saw that our external IP address was blacklisted on some blacklist … I used:
http://www.dnsbl.info/dnsbl-database-check.php
http://rbls.org/
http://whatismyipaddress.com/staticpages/index.php/is-my-ip-address-blacklisted

They are all similar, but they may show different results if their databases are outdated, or one of the sites could be down. It is always a good idea to check the IP address against more than one site.

So … we were blacklisted … but why? Back to the console on the firewall.

eth0 is my internal interface on the 172.17.4.0 network.

tcpdump -i eth1 net 172.17.4
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
08:23:01.219395 IP x.x.x.x.dynamic.altibox.net.63486 > 172.17.4.251.distinct32: . ack 142967821 win 256
08:23:01.335626 IP 172.17.4.113.53814 > 93.152.158.87.47834: . 272803351:272804803(1452) ack 3427659943 win 16139
08:23:01.871096 IP pool-x-x-x-x.chi01.dsl-w.verizon.net.50129 > 172.17.4.251.distinct32: . ack 3979841491 win 62356 <nop,nop,timestamp 14764517 2569468>

This showed way too much information … back to reading the “man” pages for tcpdump. Then I saw that I could use logical operators and byte offsets with bit masking … now it's getting fun. It is also possible to look directly into the IP, TCP or UDP headers of a packet.

The DHCP server here only hands out addresses from .100 and up … and as there are SMTP servers below that, we need to filter them out. Looking at Figure 1, the source address starts at byte 12 of the IP header and is 4 bytes long. We already match on the network address … now we need to filter on the 4th octet of the source address, which is ip[15].

tcpdump -i eth1 net 172.17.4 and \(ip[15] \>= 100\)

We can filter on the port in 3 ways … either look at the TCP header directly, or use “port 25”, or use “port smtp” (the service names are looked up in the /etc/services file).

Doing the first … and looking at Figure 2, we can see that the destination port is 2 bytes long at an offset of 2 into the TCP header. Written as “tcp[offset:bytes] = 25” and appended to the command, we end up with the following.

tcpdump -i eth1 net 172.17.4 and \(ip[15] \>= 100\) and tcp[2:2] = 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
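To make the byte offsets concrete, here is an added Python example (not from the original post) that reproduces what the two filters actually test against a raw frame: ip[15] is the last octet of the source address, and tcp[2:2] is the destination port, which tcpdump locates through the IP header length field. The frames are constructed in the script, so it runs offline without tcpdump or a live capture.

```python
import struct
from ipaddress import IPv4Address

ETH_LEN = 14                  # Ethernet header; tcpdump's ip[] offsets start right after it
NET_PREFIX = b"\xac\x11\x04"  # 172.17.4 from the post, i.e. "net 172.17.4" (a /24)

def build_frame(src, dst, sport, dport, ip_options=b""):
    """Constructed sample frame (Ethernet + IPv4 + TCP), not captured traffic."""
    eth = b"\x00" * 12 + b"\x08\x00"                   # placeholder MACs, EtherType IPv4
    ihl = 5 + len(ip_options) // 4                     # IP header length in 32-bit words
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20, 0, 0, 64, 6, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed) + ip_options
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 65535, 0, 0)
    return eth + ip_hdr + tcp_hdr

def ip_bytes(frame, offset, size=1):
    """tcpdump's ip[offset:size]: big-endian integer read from the IPv4 header."""
    start = ETH_LEN + offset
    return int.from_bytes(frame[start:start + size], "big")

def tcp_bytes(frame, offset, size=1):
    """tcpdump's tcp[offset:size]: offsets count from the TCP header, which tcpdump
    finds via the IHL field, so frames carrying IP options still decode correctly."""
    start = ETH_LEN + (frame[ETH_LEN] & 0x0F) * 4 + offset
    return int.from_bytes(frame[start:start + size], "big")

def naive_tcp_dport(frame):
    """What a fixed-offset read (assuming a 20-byte IP header) returns instead."""
    return int.from_bytes(frame[ETH_LEN + 22:ETH_LEN + 24], "big")

def matches_post_filter(frame):
    """Same test as: net 172.17.4 and (ip[15] >= 100) and tcp[2:2] = 25
    ip[12:16] is the source address, so ip[15] is its last octet. tcp[2:2] is the
    destination port only; the post's alternative "port 25" also matches source port 25."""
    in_net = any(frame[ETH_LEN + o:ETH_LEN + o + 3] == NET_PREFIX for o in (12, 16))
    return in_net and ip_bytes(frame, 15) >= 100 and tcp_bytes(frame, 2, 2) == 25

# Constructed frames: a DHCP-range host talking to an external MTA, a server in the
# static range below .100, and a DHCP-range host whose IP header carries 8 bytes of options.
DHCP_HOST = build_frame("172.17.4.113", "93.152.158.87", 53814, 25)
STATIC_MTA = build_frame("172.17.4.25", "93.152.158.87", 40000, 25)
WITH_OPTS = build_frame("172.17.4.200", "93.152.158.87", 40001, 25, b"\x01" * 7 + b"\x00")

if __name__ == "__main__":
    for name, f in (("DHCP_HOST", DHCP_HOST), ("STATIC_MTA", STATIC_MTA), ("WITH_OPTS", WITH_OPTS)):
        print(name, "ip[15] =", ip_bytes(f, 15), "tcp[2:2] =", tcp_bytes(f, 2, 2),
              "naive dport =", naive_tcp_dport(f), "match:", matches_post_filter(f))
```

The third frame shows why the tcp[] notation is safer than counting bytes from the start of the packet by hand: with IP options present, a fixed offset lands inside the options and reads 257 instead of 25.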

This gives endless options … you can detect anything, even by looking into the packet payload. I’m amazed; this was not the first time I used tcpdump, but probably the first time I understood all the options and possibilities it gives you.

Happy tcpdump’ing … :-)

Figure 1. IPv4 header


Figure 2. TCP header



About the brain

Mikael Syska

Student at the Engineering College of Aarhus.

Microsoft Student Partner ( MSP )

On this blog I will primarily write about .NET, MSSQL & projects I'm working on ... and of course there will be some off-topic posts :-)