Lecture 24: Network Primer
7/16/2003
CSCE 590
Summer 2003
tcpdump
• Packet capture and analysis utility
• Default number of bytes captured: 68
  – Change with the snaplength option: -s 1518 (lowercase s; uppercase -S means "print absolute TCP sequence numbers"). Newer tcpdump (4.0 and later) defaults to capturing whole packets, so there -s is only needed to shorten captures
  – If a packet is truncated, a "|" symbol is used in the output, e.g. [|tcp]
• Does not show the frame (link-layer) header by default
  – To enable that, -e
• To see hexadecimal output: -x
• To see hexadecimal output with an ASCII sidebar: -X
tcpdump
• To write a trace to a file instead of standard output, use -w filename
• To read from a trace file, use -r filename
• To choose a network interface to sniff traffic from, use -i interface
• To force tcpdump not to resolve machine names with DNS, use -n
• To force it to also not translate TCP/UDP service port numbers from the /etc/services file, add another 'n': -nn
tcpdump Filters
• There are predefined keywords (macros) for the commonly referenced headers and fields
• To reference a type of header in a packet: ip, tcp, icmp, udp
• To reference a particular byte within that header, use a byte displacement with the type:
  – ip[0] – first byte of the IP header (numbering starts from zero)
  – tcp[13] – the TCP flags byte (the header length is the high nibble of tcp[12], not tcp[13])
  – Offsets count from the start of the named header, so tcp[13] is the flags byte whatever the length of the IP header in front of it
Filters vs. Macros
• Macros are predefined filters
• Must use filters where there are no macros
• Filter format
  – <protocol header>[offset:length] <relation> <value>
• Macro format
  – <macro> <value>
• Example:
  – ip[9] = 1
  – The byte at offset 9 of the IP header (the tenth byte, counting from zero) is the Protocol field, and a value of 1 = ICMP
  – Equivalent macro: icmp
More Examples
• tcp[0:2] < 53
  – Starting at byte 0 of the TCP header, for 2 bytes (the source port field), with a value less than 53
  – tcp and src port < 53 (NOT!!!) – you can't do relational comparisons with macros, only give them a value (newer libpcap does offer src portrange 0-52 for this case)
• udp[6:2] != 0
  – ? Your turn
• icmp[0] = 8
  – ? Your turn
Common Macros
• host
• net (129.252)
• port
• src can modify host, net, and port
• dst can modify host, net, and port
• icmp
• tcp
• udp
• Also: and (&&), not (!), or (||)
Bits and Bytes
• Sometimes you don’t want a whole byte (looking at just a flag)
• So we turn to bit masking (math, eeeww!)
• “AND” unwanted bits with 0 to clear them
• “AND” wanted bits with 1 to keep them
• tcpdump works in hexadecimal however, so there is some conversion involved
Bit Masking Example
• Let's check for the TCP ACK bit turned on
• It is byte 13, so we have tcp[13]
• From our TCP header, bytes 12 and 13 are laid out as:
  – Byte 12: Hdr Len (high nibble) | Reserved (low nibble)
  – Byte 13: reserved, reserved, URG, ACK, PSH, RST, SYN, FIN (masks 0x20, 0x10, 0x08, 0x04, 0x02, 0x01)
• Byte 13 = 0x12 = 0 0 0 1 0 0 1 0
  AND mask        0 0 0 1 0 0 0 0 = 0x10
  result          0 0 0 1 0 0 0 0 (non-zero, so ACK is set; 0x12 is SYN+ACK, a SYN/ACK segment)
• Complete filter: (tcp[13] & 0x10) != 0
• tcpdump -i eth0 -s 1518 '(tcp[13] & 0x10) != 0'
• What kind of packets with: (tcp[13] & 0x10) = 0
Bit Masking Examples
• What do these masks check for?
  – (tcp[13] & 0x02) != 0
  – tcp[13] = 0xff
  – (ip[6] & 0x20) != 0
• Write one to check for either the SYN or FIN bit set
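The byte-offset filters from the last few slides, evaluated offline against raw IPv4 datagrams. This is an added example (editor's code, not from the lecture): field() reproduces what tcpdump's proto[offset:length] primitive does (offsets relative to the named header, nothing matched for other protocols, non-first fragments, or bytes the snaplen cut off), the datagrams are constructed here with struct, and the "SYN or FIN" / "SYN and FIN" filters are the exercise written out as masks.

```python
"""Evaluate tcpdump-style byte-offset filters against raw IPv4 datagrams.

Added example (editor's code, not from the lecture): the packets below are
constructed with struct, and field() mirrors the semantics of libpcap's
proto[offset:length] primitive so the slide filters can be checked offline.
"""
import struct

PROTO = {"icmp": 1, "tcp": 6, "udp": 17}


def build_ipv4(proto, payload, options=b"", flags_frag=0, ttl=64):
    """IPv4 header (checksum left 0; irrelevant for filtering) + payload."""
    ihl = (20 + len(options)) // 4                     # header length in 32-bit words
    total = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, total, 0x1234, flags_frag,
                      ttl, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + options + payload


def build_tcp(sport, dport, flags, payload=b""):
    # data offset 5 words -> byte 12 = 0x50; byte 13 = flags
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 0x50, flags, 8192, 0, 0) + payload


def build_udp(sport, dport, payload=b"", checksum=0):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), checksum) + payload


def build_icmp(type_, code=0):
    return struct.pack("!BBHHH", type_, code, 0, 1, 1)


def field(pkt, hdr, offset, length=1):
    """Integer value of hdr[offset:length] in a raw IPv4 datagram, or None when
    the primitive cannot apply: other protocol, non-first fragment (libpcap does
    not index transport headers there), or bytes missing because of the snaplen."""
    if hdr == "ip":
        base = 0
    else:
        if pkt[9] != PROTO[hdr]:
            return None
        if int.from_bytes(pkt[6:8], "big") & 0x1FFF:   # fragment offset != 0
            return None
        base = (pkt[0] & 0x0F) * 4                      # IHL: IP options shift the transport header
    chunk = pkt[base + offset: base + offset + length]
    if len(chunk) < length:
        return None
    return int.from_bytes(chunk, "big")


def _test(pkt, hdr, offset, length, pred):
    v = field(pkt, hdr, offset, length)
    return v is not None and bool(pred(v))


# (filter as typed to tcpdump, predicate over the raw datagram)
FILTERS = [
    ("icmp (ip[9] = 1)",        lambda p: _test(p, "ip", 9, 1, lambda v: v == 1)),
    ("icmp[0] = 8",             lambda p: _test(p, "icmp", 0, 1, lambda v: v == 8)),          # echo request
    ("tcp[0:2] < 53",           lambda p: _test(p, "tcp", 0, 2, lambda v: v < 53)),           # source port
    ("udp[6:2] != 0",           lambda p: _test(p, "udp", 6, 2, lambda v: v != 0)),           # checksum present
    ("(tcp[13] & 0x10) != 0",   lambda p: _test(p, "tcp", 13, 1, lambda v: v & 0x10)),        # ACK
    ("(tcp[13] & 0x03) != 0",   lambda p: _test(p, "tcp", 13, 1, lambda v: v & 0x03)),        # SYN or FIN
    ("(tcp[13] & 0x03) = 0x03", lambda p: _test(p, "tcp", 13, 1, lambda v: (v & 0x03) == 3)), # SYN and FIN
    ("tcp[13] = 0xff",          lambda p: _test(p, "tcp", 13, 1, lambda v: v == 0xFF)),       # every flag
    ("(ip[6] & 0x20) != 0",     lambda p: _test(p, "ip", 6, 1, lambda v: v & 0x20)),          # More Fragments
]


def matching(pkt):
    """Names of the slide filters that would select this datagram."""
    return [name for name, pred in FILTERS if pred(pkt)]


# Constructed sample datagrams
SYN      = build_ipv4(6, build_tcp(40000, 80, 0x02))
SYN_OPTS = build_ipv4(6, build_tcp(40000, 80, 0x02), options=b"\x01\x01\x01\x01")  # IP NOP options, IHL=6
SYNACK   = build_ipv4(6, build_tcp(80, 40000, 0x12))                 # the 0x12 from the slide
SF_PORT0 = build_ipv4(6, build_tcp(0, 110, 0x03))                    # SYN+FIN from source port 0
ECHO     = build_ipv4(1, build_icmp(8))
UDP_NOCK = build_ipv4(17, build_udp(53, 1024, b"x"))                  # checksum field 0
UDP_FRAG = build_ipv4(17, build_udp(53, 1024, b"x", checksum=0xBEEF), flags_frag=0x2000)  # MF set, offset 0
TRUNC    = SYN[:24]                                                  # as if the snaplen cut the TCP header

if __name__ == "__main__":
    for name, pkt in [("SYN", SYN), ("SYN_OPTS", SYN_OPTS), ("SYNACK", SYNACK), ("SF_PORT0", SF_PORT0),
                      ("ECHO", ECHO), ("UDP_NOCK", UDP_NOCK), ("UDP_FRAG", UDP_FRAG), ("TRUNC", TRUNC)]:
        print(f"{name:9} -> {matching(pkt)}")
```

SYN_OPTS matches exactly what SYN matches because tcp[13] is found through the IHL, and TRUNC matches nothing because the flags byte was never captured: the same packet on the wire, sniffed with the old 68-byte default snaplen plus a VLAN tag or IP options, can silently fall out of a flags filter.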
Another Game of What’s Weird?
22:08:38.495489 dns.querier.1745 > dns.nl.53: 42371+ (31)
22:08:48.150706 dns.nl > dns.querier: (frag 63694:30@400)
22:08:48.154481 dns.nl.53 > dns.querier.1745: 42371 6/8/8 (72)(frag 63694:80@0+)
22:08:48.154481 dns.nl > dns.querier: (frag 63694:80@320+)
22:08:48.154490 dns.nl > dns.querier: (frag 63694:80@240+)
22:08:48.156737 dns.nl > dns.querier: (frag 63694:80@160+)
22:08:48.156745 dns.nl > dns.querier: (frag 63694:80@80+)
22:09:08.612886 dns.querier > dns.nl: icmp: ip reassembly time exceeded [tos 0xc0]
What’s Weird?
2:19:30.481578 somewhere.nl > 129.252.176.255: icmp: echo request (ttl 246, id 5134)
2:19:31.478737 somewhere.au > 129.252.176.255: icmp: echo request (ttl 246, id 5134)
2:19:32.478824 somewhere.de > 129.252.176.255: icmp: echo request (ttl 246, id 5134)
2:19:33.478916 somewhere.edu > 129.252.176.255: icmp: echo request (ttl 246, id 5134)
What’s Weird?
23:12:26.100485 hostA.48776 > machineB.25: . ack 0 win 2048 <wscale 10,nop,mss 265,timestamp 1061109567 0,eol>
Another Trace
23:30:32.704057 beav.32772 > www.sc.edu.33435: [udp sum ok] udp 10 [ttl 1] (id 20523, len 38)
23:30:32.707533 beav.32772 > www.sc.edu.33436: [udp sum ok] udp 10 [ttl 1] (id 20524, len 38)
23:30:32.707760 beav.32772 > www.sc.edu.33437: [udp sum ok] udp 10 [ttl 1] (id 20525, len 38)
23:30:32.708017 beav.32772 > www.sc.edu.33438: [udp sum ok] udp 10 (ttl 2, id 20526, len 38)
23:30:32.712804 beav.32772 > www.sc.edu.33439: [udp sum ok] udp 10 (ttl 2, id 20527, len 38)
23:30:32.713351 beav.32772 > www.sc.edu.33440: [udp sum ok] udp 10 (ttl 2, id 20528, len 38)
23:30:32.713961 beav.32772 > www.sc.edu.33441: [udp sum ok] udp 10 (ttl 3, id 20529, len 38)
23:30:32.719796 beav.32772 > www.sc.edu.33442: [udp sum ok] udp 10 (ttl 3, id 20530, len 38)
23:30:32.720618 beav.32772 > www.sc.edu.33443: [udp sum ok] udp 10 (ttl 3, id 20531, len 38)
What's This?
23:49:23.440874 host.57839 > fozzie.32787: udp 0
23:49:23.440901 host.57839 > fozzie.32775: udp 0
23:49:23.440932 host.57839 > fozzie.32788: udp 0
23:49:23.440943 host.57839 > fozzie.32789: udp 0
23:49:23.440986 host.57839 > fozzie.32791: udp 0
23:49:23.441009 host.57839 > fozzie.32799: udp 0
23:49:23.441027 host.57839 > fozzie.32774: udp 0
23:49:23.441059 host.57839 > fozzie.32781: udp 0
23:49:23.441072 host.57839 > fozzie.32772: udp 0
23:49:23.441080 host.57839 > fozzie.32789: udp 0
23:49:23.441105 host.57839 > fozzie.32800: udp 0
23:49:23.441215 fozzie > host: icmp: fozzie udp port 32788 unreachable (DF)
23:49:23.441269 fozzie > host: icmp: fozzie udp port 32791 unreachable (DF)
23:49:23.441288 fozzie > host: icmp: fozzie udp port 32781 unreachable (DF)
23:49:23.441310 fozzie > host: icmp: fozzie udp port 32789 unreachable (DF)
And This?
23:46:40.529581 map.edu.39344 > 129.252.41.16.143: S 698192483:698192483(0) win 8192
23:46:41.509678 map.edu.39345 > 129.252.41.15.143: S 698735981:698735981(0) win 8192
23:46:53.518688 map.edu.39378 > 129.252.41.14.143: S 698654463:698654463(0) win 8192
23:46:53.923679 map.edu.39379 > 129.252.41.13.143: S 699129230:699129230(0) win 8192
23:46:53.970672 map.edu.39639 > 129.252.41.11.143: S 699129300:699129300(0) win 8192
23:46:53.989649 map.edu.39777 > 129.252.41.10.143: S 699129740:699129740(0) win 8192
23:46:53.994699 map.edu.39791 > 129.252.41.12.143: S 699129768:699129768(0) win 8192
23:46:53.999670 map.edu.39812 > 129.252.41.9.143: S 699129901:699129901(0) win 8192
What’s Weird?
23:46:40.529581 map.net.0 > 129.252.41.99.110: SF 698192483:698192483(0) win 512
23:46:41.509678 map.net.0 > 129.252.41.27.110: SF 698192483:698192483(0) win 512
23:46:53.518688 map.net.0 > 129.252.41.56.110: SF 698192483:698192483(0) win 512
23:46:53.923679 map.net.0 > 129.252.41.33.110: SF 698192483:698192483(0) win 512
23:46:53.970672 map.net.0 > 129.252.41.119.110: SF 698192483:698192483(0) win 512
23:46:53.989649 map.net.0 > 129.252.41.76.110: SF 698192483:698192483(0) win 512
23:46:53.994699 map.net.0 > 129.252.41.200.110: SF 698192483:698192483(0) win 512
23:46:53.999670 map.net.0 > 129.252.41.15.110: SF 698192483:698192483(0) win 512
What’s Strange?
23:46:40.529581 ack.org.23 > 129.252.41.99.23: . ack 698192483 win 512
23:46:41.509678 ack.org.23 > 129.252.37.4.23: . ack 698192483 win 512
23:46:53.518688 ack.org.143 > 129.252.41.99.143: . ack 698192483 win 512
23:46:53.923679 ack.org.143 > 129.252.37.4.143: . ack 698192483 win 512
23:46:53.970672 ack.org.110 > 129.252.41.99.110: . ack 698192483 win 512
23:46:53.989649 ack.org.110 > 129.252.37.4.110: . ack 698192483 win 512
23:46:53.994699 ack.org.23 > 129.252.33.7.23: . ack 698192483 win 512
23:46:53.999670 ack.org.23 > 129.252.4.213.23: . ack 698192483 win 512
Anything Unusual?
23:46:40.529581 scan.net.25820 > 129.252.41.76.23: S 698192483:698192483(4) win 4096
23:46:41.509678 scan.net.25820 > 129.252.136.76.23: S 698197881:698197881(4) win 4096
23:46:53.518688 scan.net.47521 > 10.20.98.76.23: S 378192499:378192499(4) win 4096
23:46:53.923679 scan.net.25820 > 129.252.11.76.23: S 69821387:69821387(4) win 4096
23:46:53.970672 scan.net.47521 > 10.20.54.76.23: S 378212490:378212490(4) win 4096
23:46:53.989649 scan.net.47521 > 10.20.223.76.23: S 378212787:378212787(4) win 4096
23:46:53.994699 scan.net.25820 > 129.252.209.76.23: S 69822345:69822345(4) win 4096
23:46:53.999670 scan.net.47521 > 10.20.90.76.23: S 37827658:37827658(4) win 4096
What’s Scary?
23:46:40.529581 scanner.net > dns.my.edu: ip-proto-54 44
23:46:41.509678 scanner.net > dns.my.edu: ip-proto-54 44
23:46:53.518688 scanner.net > dns.my.edu: ip-proto-54 44
23:46:53.923679 scanner.net > firewall.my.edu: ip-proto-54 44
23:46:53.970672 scanner.net > firewall.my.edu: ip-proto-54 44
23:46:53.989649 scanner.net > firewall.my.edu: ip-proto-54 44
23:46:53.994699 scanner.net > ids.my.edu: ip-proto-54 44
23:46:53.999670 scanner.net > ids.my.edu: ip-proto-54 44
23:46:53.999691 scanner.net > ids.my.edu: ip-proto-54 44
(ip-proto-54 = NARP, the NBMA Address Resolution Protocol of RFC 1735, used on non-broadcast networks such as ATM; tcpdump has no decoder for it, so it prints only the protocol number and the payload length, 44)
But that’s beside the scary point.
Huh?
router1.com > 129.252.49.0: icmp: time exceeded in-transit
router1.com > 129.252.21.0: icmp: time exceeded in-transit
router1.com > 129.252.78.0: icmp: time exceeded in-transit
router1.com > 129.252.52.0: icmp: time exceeded in-transit
router2.com > 129.252.109.0: icmp: time exceeded in-transit [tos 0xc0]
router2.com > 129.252.1.0: icmp: time exceeded in-transit [tos 0xc0]
router2.com > 129.252.243.0: icmp: time exceeded in-transit [tos 0xc0]
router2.com > 129.252.43.0: icmp: time exceeded in-transit [tos 0xc0]
router2.com > 129.252.66.0: icmp: time exceeded in-transit [tos 0xc0]
router2.com > 129.252.31.0: icmp: time exceeded in-transit [tos 0xc0]
router2.com > 129.252.200.0: icmp: time exceeded in-transit [tos 0xc0]
router2.com > 129.252.212.0: icmp: time exceeded in-transit [tos 0xc0]
router2.com > 129.252.79.0: icmp: time exceeded in-transit [tos 0xc0]
router3.com > 129.252.55.0: icmp: time exceeded in-transit
router3.com > 129.252.111.0: icmp: time exceeded in-transit
router3.com > 129.252.83.0: icmp: time exceeded in-transit
router1.com > 129.252.16.0: icmp: time exceeded in-transit
router1.com > 129.252.156.0: icmp: time exceeded in-transit
WinNuke
nuker.com.334455 > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg 3 (DF)
nuker.com.334455 > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg 3 (DF)
nuker.com.334455 > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg 3 (DF)
nuker.com.334455 > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg 3 (DF)
nuker.com.334455 > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg 3 (DF)
nuker.com.334455 > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg 3 (DF)
And This?
3:46:41.529581 dos.com > 129.252.49.0: (frag 54190:1480@4440+)
3:46:41.579678 dos.com > 129.252.49.0: (frag 54190:1480@2960+)
3:46:53.518688 dos.com > 129.252.49.0: (frag 54190:1480@1480+)
3:46:53.923679 dos.com > 129.252.49.0: (frag 54190:1480@1480+)
3:46:53.970672 dos.com > 129.252.49.0: (frag 54190:1480@2960+)
3:46:53.989649 dos.com > 129.252.49.0: (frag 54190:1480@5920+)
3:46:53.994699 dos.com > 129.252.49.0: (frag 54190:1480@1480+)
3:46:53.999670 dos.com > 129.252.49.0: (frag 54190:1480@2960+)
3:46:53.999670 dos.com > 129.252.49.0: (frag 54190:1480@4440+)
3:46:53.999670 dos.com > 129.252.49.0: (frag 54190:1480@1480+)
3:46:53.999670 dos.com > 129.252.49.0: (frag 54190:1480@1480+)
http://www.cisco.com/warp/public/770/nifrag.shtml
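The mechanical checks a practitioner would script over the TCP one-liners on the preceding "What's Weird?" slides, so that the oddities do not depend on eyeballing. This is an added example (editor's code, not from the lecture): the parser handles the old tcpdump TCP summary format used on the slides, the heuristics are the editor's, and the sample lines are copied from the traces above.

```python
"""Mechanical checks over tcpdump TCP one-liners like the lecture's
"What's Weird?" traces. Added example, not part of the original lecture:
the parser and heuristics are the editor's; the sample lines are copied
from the slides above."""
import re
from collections import defaultdict

# Pre-4.x tcpdump TCP summary line:
#   [TIME] SRC.SPORT > DST.DPORT: FLAGS [SEQ:SEQ(LEN)] [ack N] win W ...
# FLAGS is a run of S/F/P/R/U, or "." when no flag other than ACK is set.
TCP_RE = re.compile(
    r"^(?:(?P<ts>\d[\d:.]*)\s+)?"
    r"(?P<src>\S+?)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+?)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFPRU]+|\.)"
    r"(?:\s+(?P<seq>\d+):\d+\((?P<len>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
)


def parse(line):
    m = TCP_RE.match(line)
    if not m:
        return None
    p = m.groupdict()
    for k in ("sport", "dport", "seq", "len", "ack"):
        p[k] = int(p[k]) if p[k] is not None else None
    return p


def per_line(p):
    """What a single segment reveals about itself."""
    f, out = p["flags"], []
    if "S" in f and "F" in f:
        out.append("SYN and FIN set together")          # no real stack sends this
    if p["sport"] == 0:
        out.append("source port 0")
    if p["sport"] > 65535 or p["dport"] > 65535:
        out.append("port number out of range")          # cannot come off a wire as printed
    if "S" in f and p["len"]:
        out.append("payload in SYN")
    if p["sport"] == p["dport"] and "S" not in f:
        out.append("source port equals destination port")
    if f == "." and p["ack"] == 0:
        out.append("bare ACK with ack 0")
    return out


def analyze(lines):
    """Map each line to its list of findings (empty list = nothing odd)."""
    parsed = [(ln, parse(ln)) for ln in lines]
    # A real stack picks a fresh ISN per connection; one source reusing the
    # same sequence/ack number toward several destinations is crafting packets.
    seen = defaultdict(set)
    for _, p in parsed:
        if p and (p["seq"] is not None or p["ack"] is not None):
            n = p["seq"] if p["seq"] is not None else p["ack"]
            seen[(p["src"], n)].add(p["dst"])
    findings = {}
    for ln, p in parsed:
        if p is None:
            findings[ln] = ["unparsed line"]
            continue
        out = per_line(p)
        n = p["seq"] if p["seq"] is not None else p["ack"]
        if n is not None and len(seen[(p["src"], n)]) > 1:
            out.append("number %d reused toward %d destinations" % (n, len(seen[(p["src"], n)])))
        findings[ln] = out
    return findings


# Lines copied from the slides above
SAMPLE = [
    "23:46:40.529581 map.edu.39344 > 129.252.41.16.143: S 698192483:698192483(0) win 8192",
    "23:46:40.529581 map.net.0 > 129.252.41.99.110: SF 698192483:698192483(0) win 512",
    "23:46:41.509678 map.net.0 > 129.252.41.27.110: SF 698192483:698192483(0) win 512",
    "23:46:40.529581 ack.org.23 > 129.252.41.99.23: . ack 698192483 win 512",
    "23:46:41.509678 ack.org.23 > 129.252.37.4.23: . ack 698192483 win 512",
    "23:46:40.529581 scan.net.25820 > 129.252.41.76.23: S 698192483:698192483(4) win 4096",
    "23:12:26.100485 hostA.48776 > machineB.25: . ack 0 win 2048 <wscale 10,nop,mss 265,timestamp 1061109567 0,eol>",
    "nuker.com.334455 > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg 3 (DF)",
]

if __name__ == "__main__":
    for ln, out in analyze(SAMPLE).items():
        print(ln.split(" > ")[0], "->", out or "ok")
```

The per-line checks catch what one packet gives away (illegal flag combinations, impossible ports, data in a SYN); the cross-line check needs the whole trace, which is why a capture file read back with -r is worth more than a scrolling screen.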
Bad Network Traffic in Other places
• Web logs
• Traffic monitoring graphs
• Firewall logs
• Intrusion detection systems
• Router syslogs
• I even see attempts against my SSH tunnels!
Slammer
02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0]
Nimda
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
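Every request above is the same thing in a different costume: climb out of the web root with ".." and run cmd.exe. The added example below (editor's code, not from the lecture) collapses the costumes to one canonical path so a log check cannot be dodged by picking yet another encoding. The probe lines are copied from the slide, the 10.0.0.5 line is constructed for contrast, and the decoding rules model the lenient server-side decoder these probes were aimed at (a second percent-decoding pass plus overlong two-byte UTF-8 with an unchecked continuation byte); that model of the decoder is an assumption, not something the slide states.

```python
"""Collapse the encodings in the Nimda log lines to one canonical path.
Added example (editor's code, not from the lecture); see the lead-in for
what is copied from the slide and what is assumed."""
import re
from urllib.parse import unquote_to_bytes

# Common Log Format, as on the slide
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d+) (?P<size>\S+)$'
)


def lax_utf8(b):
    """Turn any 0xC0/0xC1-led pair into one byte without checking that the
    second byte is a valid continuation byte (assumed decoder behaviour):
    %c0%af -> '/', %c1%9c -> '\\', and the malformed %c1%1c / %c0%2f also
    land on '\\' and '/'."""
    out, i = bytearray(), 0
    while i < len(b):
        if b[i] in (0xC0, 0xC1) and i + 1 < len(b):
            out.append(((b[i] & 0x1F) << 6) | (b[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b[i])
            i += 1
    return bytes(out)


def resolve(path):
    """Apply '.' and '..' to a decoded path; count how often '..' climbs above the root."""
    stack, escapes = [], 0
    for part in path.replace(b"\\", b"/").split(b"/"):
        if part in (b"", b"."):
            continue
        if part == b"..":
            if stack:
                stack.pop()
            else:
                escapes += 1
        else:
            stack.append(part)
    return b"/" + b"/".join(stack), escapes


def canonical(target):
    path = target.split("?", 1)[0]          # drop the ?/c+dir query string
    b = unquote_to_bytes(path)              # %255c -> %5c, %%35%63 -> %5c, %c0%af -> C0 AF
    b = unquote_to_bytes(b)                 # second pass (assumed): %5c -> '\'
    b = lax_utf8(b)                         # C0 AF -> '/', C1 9C -> '\'
    resolved, escapes = resolve(b)
    return resolved.decode("latin-1"), escapes


def analyze(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    resolved, escapes = canonical(m["target"])
    flagged = escapes > 0 or resolved.lower().endswith("cmd.exe")
    return {"ip": m["ip"], "status": int(m["status"]), "resolved": resolved,
            "escapes": escapes, "flagged": flagged}


SAMPLE = [
    # copied from the slide
    '129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -',
    '129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -',
    '129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -',
    '129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -',
    '129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215',
    # constructed benign request for contrast
    '10.0.0.5 - - [12/Apr/2002:12:02:00 -0400] "GET /scripts/index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for line in SAMPLE:
        r = analyze(line)
        print(r["status"], r["resolved"], "escapes=%d" % r["escapes"], "FLAG" if r["flagged"] else "ok")
```

Note that the status code is no guide: the server answered 403, 404 and 400 to requests that all resolve to the same cmd.exe path, so a rule keyed on the response rather than on the canonical path would see three unrelated errors instead of one scanner.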
Firewall Logs
Intrusion Detection Systems
References
• Highly recommend: http://www.sans.org/resources/tcpip.pdf